Shellcode in a signal handler

Time: 2018-10-12 10:36:24

Tags: c signals shellcode

Why doesn't my shellcode (int3) get hit by the signal handler?

Apart from not liking printf() in a handler, I also care about how to pass shellcode (not as inline assembler) into a signal handler so it is executed at runtime.

However, I show here a longer gdb session that shows the register state and the backtrace.


1 answer:

Answer 0 (score: 0)

So this uses mprotect(), but still does not lead to the shell. We really need to update radare2 shellcode sources :)

<code>
    #include <errno.h>
    #include <signal.h>
    #include <stdint.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <sys/mman.h>

    void sigusr1(int signo, siginfo_t *si, void *data) {
        (void)signo;
        (void)si;
        (void)data;

        /* int3 (0xcc): one-byte breakpoint, raises SIGTRAP when executed */
        unsigned char sc[] = "\xcc";

        /* mprotect() needs a page-aligned start and a length in whole pages;
           passing the unaligned stack buffer itself fails with EINVAL, so
           round sc down to its page and make that page executable. */
        long pagesz = sysconf(_SC_PAGESIZE);
        uintptr_t page = (uintptr_t)sc & ~((uintptr_t)pagesz - 1);
        if (mprotect((void *)page, (size_t)pagesz, PROT_READ|PROT_WRITE|PROT_EXEC) == -1) {
            perror("mprotect"); /* not async-signal-safe; acceptable for a demo */
            return;
        }
        void (*r)(void) = (void (*)(void))sc;
        r(); /* traps with SIGTRAP here; with no debugger or SIGTRAP handler the process is killed */
    }

    int main(void) {
        struct sigaction sa;
        memset(&sa, 0, sizeof(sa));
        sa.sa_flags = SA_SIGINFO; /* three-argument handler; the literal 5 was SA_NOCLDSTOP|SA_SIGINFO */
        sa.sa_sigaction = sigusr1;
        if (sigaction(SIGUSR1, &sa, 0) == -1) {
            fprintf(stderr, "%s: %s\n", "sigaction", strerror(errno));
            return EXIT_FAILURE;
        }
        printf("Pid %lu waiting for SIGUSR1\n", (unsigned long)getpid());
        for (;;) {
            sleep(10);
        }

        return 0;
    }
</code>
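As an added example that is not part of the original question or answer, the program below isolates the two reasons the int3 never seems to fire. First, mprotect() requires a page-aligned address, so passing the stack array sc directly fails with EINVAL (Linux behaviour) and the handler then calls into a page that is still non-executable, which on a system with a non-executable stack ends in SIGSEGV rather than SIGTRAP. Second, a breakpoint that does execute raises SIGTRAP, whose default action terminates the process; a SIGTRAP handler installed with sigaction() catches it here and siglongjmp()s back so the program can report what happened. The stub bytes are constructed (int3; ret on x86 and x86-64, and, going beyond the question, brk #0; ret on aarch64); the code assumes Linux with glibc and the GCC/Clang __builtin___clear_cache builtin. The page is mapped RW, filled, then flipped to RX, so it is never writable and executable at the same time.

```c
#define _GNU_SOURCE 1
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed breakpoint stub: a trap instruction followed by a return, so the
   stub could also return cleanly if a handler returned instead of jumping out. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char trap_stub[] = { 0xcc, 0xc3 };              /* int3 ; ret */
#elif defined(__aarch64__)
static const unsigned char trap_stub[] = { 0x00, 0x00, 0x20, 0xd4,    /* brk #0 */
                                           0xc0, 0x03, 0x5f, 0xd6 };  /* ret */
#else
#error "no breakpoint stub for this architecture"
#endif

static sigjmp_buf trap_env;
static volatile sig_atomic_t trap_seen;

static void on_sigtrap(int signo, siginfo_t *si, void *ctx) {
    (void)signo; (void)si; (void)ctx;
    trap_seen = 1;
    siglongjmp(trap_env, 1);   /* unwind out of the stub; restores the signal mask */
}

/* Shows why an unaligned buffer cannot be handed to mprotect(): returns 0 when
   the page-aligned call succeeds and the call shifted by one byte fails with
   EINVAL (Linux behaviour), -1 otherwise. */
int check_mprotect_alignment(void) {
    long pagesz = sysconf(_SC_PAGESIZE);
    char *page = mmap(NULL, (size_t)pagesz, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    int aligned_rc    = mprotect(page, (size_t)pagesz, PROT_READ);
    int unaligned_rc  = mprotect(page + 1, 1, PROT_READ);
    int unaligned_err = errno;
    munmap(page, (size_t)pagesz);
    return (aligned_rc == 0 && unaligned_rc == -1 && unaligned_err == EINVAL) ? 0 : -1;
}

/* Copies the stub into a fresh page, flips the page from RW to RX, calls it and
   catches the resulting SIGTRAP. Returns 1 if the trap was caught, 0 if the stub
   returned without trapping, -1 on a setup failure. */
int run_trap_stub(void) {
    long pagesz = sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, (size_t)pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    memcpy(page, trap_stub, sizeof trap_stub);
    if (mprotect(page, (size_t)pagesz, PROT_READ | PROT_EXEC) == -1) {
        munmap(page, (size_t)pagesz);
        return -1;
    }
    /* the instruction cache must see the new bytes on architectures like aarch64 */
    __builtin___clear_cache((char *)page, (char *)page + sizeof trap_stub);

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_SIGINFO;         /* three-argument handler, not a magic literal */
    sa.sa_sigaction = on_sigtrap;
    if (sigaction(SIGTRAP, &sa, &old) == -1) {
        munmap(page, (size_t)pagesz);
        return -1;
    }

    trap_seen = 0;
    int result;
    if (sigsetjmp(trap_env, 1) == 0) {
        void (*stub)(void) = (void (*)(void))(uintptr_t)page;
        stub();                       /* comes back here only if nothing trapped */
        result = 0;
    } else {
        result = trap_seen ? 1 : 0;   /* landed here via siglongjmp from the handler */
    }
    sigaction(SIGTRAP, &old, NULL);
    munmap(page, (size_t)pagesz);
    return result;
}

int main(void) {
    printf("mprotect alignment check: %s\n",
           check_mprotect_alignment() == 0 ? "aligned ok, unaligned EINVAL" : "unexpected");
    int r = run_trap_stub();
    printf("trap stub: %s\n",
           r == 1 ? "SIGTRAP caught" : r == 0 ? "returned without trapping" : "setup failed");
    return 0;
}
```

Running it under gdb changes the second result: the debugger receives the SIGTRAP before the process does, which is why a breakpoint in shellcode looks different inside and outside the debugger.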