碼上快樂

相關內容    簡體    繁體

ShellCode入門(提取ShellCode)

本文轉載自   查看原文   2017-05-16 19:42   5312    ShellCode/ C/C++/ 匯編學習/ Kernel|Windows/ Windows/ 逆向工程

 

什么是ShellCode:

  • 在計算機安全中,shellcode是一小段代碼,可以用於軟件漏洞利用的載荷。被稱為“shellcode”是因為它通常啟動一個命令終端,攻擊者可以通過這個終端控制受害的計算機,但是所有執行類似任務的代碼片段都可以稱作shellcode。Shellcode通常是以機器碼形式編寫的,所以我們要學習硬編碼。
char shellcode[] = "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"
                   "\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"
                   "\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"
                       "\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e"
                   "\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c"
                   "\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74"
                           "\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe"
                   "\x49\x0b\x31\xc0\x51\x50\xff\xd7"; int main(int argc, char **argv) { _asm { lea eax,shellcode call eax } }
  • 上面的就是ShellCode,是匯編對應的機器碼,通過反編譯就可以看到此機器碼。

  • 彈出計算機ShellCode。
char shellcode[] = { 0x55,0x8B,0xEC,0x83,0xEC,0x14,0xC7,0x45,0xF8,0x63,0x61,0x6C,0x63,0xC7,0x45,0xFC, 0x00,0x00,0x00,0x00,0xE8,0x67,0x00,0x00,0x00,0x89,0x45,0xEC,0x68,0xB9,0x6B,0xFF, 0xCB,0x8B,0x45,0xEC,0x50,0xE8,0x06,0x01,0x00,0x00,0x83,0xC4,0x08,0x89,0x45,0xF4, 0x68,0x13,0xB9,0xE6,0x25,0x8B,0x4D,0xEC,0x51,0xE8,0xF2,0x00,0x00,0x00,0x83,0xC4, 0x08,0x89,0x45,0xF0,0x6A,0x01,0x8D,0x55,0xF8,0x52,0xFF,0x55,0xF0,0x6A,0x00,0xFF, 0x55,0xF4,0x8B,0xE5,0x5D,0xC3,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC, 0x55,0x8B,0xEC,0x64,0xA1,0x18,0x00,0x00,0x00,0x5D,0xC3,0xCC,0xCC,0xCC,0xCC,0xCC, 0x55,0x8B,0xEC,0xE8,0xE8,0xFF,0xFF,0xFF,0x8B,0x40,0x30,0x5D,0xC3,0xCC,0xCC,0xCC, 0x55,0x8B,0xEC,0x83,0xEC,0x10,0xE8,0xE5,0xFF,0xFF,0xFF,0x89,0x45,0xF4,0x8B,0x45, 0xF4,0x8B,0x48,0x0C,0x8B,0x51,0x1C,0x89,0x55,0xF8,0xC7,0x45,0xFC,0x00,0x00,0x00, 0x00,0xEB,0x09,0x8B,0x45,0xFC,0x83,0xC0,0x01,0x89,0x45,0xFC,0x83,0x7D,0xFC,0x02, 0x7D,0x26,0x8B,0x4D,0xF8,0x8B,0x11,0x83,0xEA,0x10,0x89,0x55,0xF0,0x8B,0x45,0xF0, 0x8B,0x48,0x30,0x0F,0xB7,0x51,0x10,0x83,0xFA,0x2E,0x75,0x02,0xEB,0x0A,0x8B,0x45, 0xF8,0x8B,0x08,0x89,0x4D,0xF8,0xEB,0xCB,0x8B,0x55,0xF0,0x8B,0x42,0x18,0x8B,0xE5, 0x5D,0xC3,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC, 0x55,0x8B,0xEC,0x51,0xC7,0x45,0xFC,0x00,0x00,0x00,0x00,0x8B,0x45,0x08,0x0F,0xBE, 0x08,0x85,0xC9,0x74,0x1F,0x8B,0x55,0xFC,0xC1,0xE2,0x05,0x03,0x55,0xFC,0x8B,0x45, 0x08,0x0F,0xBE,0x08,0x03,0xD1,0x89,0x55,0xFC,0x8B,0x55,0x08,0x83,0xC2,0x01,0x89, 0x55,0x08,0xEB,0xD7,0x8B,0x45,0xFC,0x8B,0xE5,0x5D,0xC3,0xCC,0xCC,0xCC,0xCC,0xCC, 0x55,0x8B,0xEC,0x83,0xEC,0x24,0xC7,0x45,0xE8,0x00,0x00,0x00,0x00,0x8B,0x45,0x08, 0x89,0x45,0xFC,0x8B,0x4D,0xFC,0x8B,0x55,0x08,0x03,0x51,0x3C,0x89,0x55,0xE4,0x8B, 0x45,0xE4,0x8B,0x4D,0x08,0x03,0x48,0x78,0x89,0x4D,0xF0,0x8B,0x55,0xF0,0x8B,0x45, 0x08,0x03,0x42,0x20,0x89,0x45,0xF4,0xC7,0x45,0xF8,0x00,0x00,0x00,0x00,0xEB,0x09, 0x8B,0x4D,0xF8,0x83,0xC1,0x01,0x89,0x4D,0xF8,0x8B,0x55,0xF0,0x8B,0x45,0xF8,0x3B, 0x42,0x18,0x73,0x30,0x8B,0x4D,0xF4,0x8B,0x55,0x08,0x03,0x11,0x89,0x55,0xE0,0x8B, 0x45,0xE0,0x50,0xE8,0x58,0xFF,0xFF,0xFF,0x83,0xC4,0x04,0x3B,0x45,0x0C,0x75,0x09, 0xC7,0x45,0xE8,0x01,0x00,0x00,0x00,0xEB,0x0B,0x8B,0x4D,0xF4,0x83,0xC1,0x04,0x89, 0x4D,0xF4,0xEB,0xBC,0x83,0x7D,0xE8,0x00,0x74,0x2F,0x8B,0x55,0xF0,0x8B,0x45,0x08, 0x03,0x42,0x24,0x8B,0x4D,0xF8,0x66,0x8B,0x14,0x48,0x66,0x89,0x55,0xDC,0x8B,0x45, 0xF0,0x8B,0x4D,0x08,0x03,0x48,0x1C,0x0F,0xB7,0x55,0xDC,0x8B,0x45,0x08,0x03,0x04, 0x91,0x89,0x45,0xEC,0x8B,0x45,0xEC,0xEB,0x02,0x33,0xC0,0x8B,0xE5,0x5D,0xC3,0xCC };
  •  提取ShellCode。
  •  先用匯編或者C語言編寫我們想要的程序,然后OD發編譯,進去提取硬編碼,就是我們的ShellCode。
  •  細節注意:如果我們先定義了字符串,那么編譯器會自動加載字符串的地址而不是它本身,所以我們要顯示的加載字符串的Ascii碼。
  •  例子:
  •  我們的ShellCode是這個Msg彈窗。
MessageBox(NULL,"ONDragon","ONDragon",0);
  • 它的字符串要自己手動用匯編處理而不是直接用OD反匯編的代碼,因為它加載的是字符串的地址,而不是內容,所以我們要稍微修改一下。

  •  

    char shellcode[] = "\x33\xDB"
                   "\x53"                   
                   "\x68\x61\x67\x6F\x6E"
                   "\x68\x4F\x4E\x44\x72"
                   "\x8B\xC4"
                   "\x53"
                   "\x50"
                   "\x50"
                   "\x53"
                   "\xB8\x11\xEA\xAC\x76"
                   "\xFF\xD0";

     

  • 就可以彈出我們的ShellCode啦。

 

  • 提取ShellCode 總結:
  • 先正向寫出我們想要的代碼。
  • 用反編譯軟件,找到對應的硬編碼。
  • 適當修改硬編碼。


免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 shell腳本之shellcode自動提取工具 shellcode CTF必備技能丨Linux Pwn入門教程——ShellCode Window環境下編寫Shellcode(入門篇) 二進制入門-打造Linux shellcode基礎篇 pwn入門實驗1:緩沖區溢出(return2shellcode和jmp esp) 通用shellcode 使用MSF生成shellcode Linux下shellcode的編寫 shellcode超級免殺
 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM