[原创]揭示《shellcoder's handbook》中一个函数的运行机制-二进制漏洞-看雪-安全社区|安全招聘|kanxue.com

最新回复 (8)
supertyj 雪币： 1121 活跃值： (722) 能力值： ( LV5，RANK：66 ) 在线值：发帖 3 回帖 241 粉丝 2 关注私信	supertyj 1 2 楼不了解这个有什么实际的意义，免杀吗？能执行到你自己的函数，直接放Shellcode跑就是了 2014-1-2 09:21 0
LeavesBNW 雪币： 29 活跃值： (40) 能力值： ( LV5，RANK：60 ) 在线值：发帖 2 回帖 31 粉丝 0 关注私信	LeavesBNW 1 3 楼它确实没什么实际的意义，不过，我倒觉着它有创造性，值得去学习。对于一般人来讲，我觉着还真写不出来这样的函数。所以，才发表的它目的只是想让大家观摩一下人家的写代码的思路以及创意性。 2014-1-2 09:35 1
仙果雪币： 1491 活跃值： (985) 能力值： (RANK：860 ) 在线值：发帖 68 回帖 1507 粉丝 67 关注私信	仙果 19 4 楼提升为优秀贴，希望楼主带来更精彩的文章 2014-1-3 09:50 0
永远的神话雪币： 8 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 10 回帖 87 粉丝 0 关注私信	永远的神话 5 楼看着就像是自牵引。刚开始还以为是内核中probe类型的代码。 2014-1-3 17:43 0
acqqer 雪币： 123 活跃值： (144) 能力值： ( LV4，RANK：50 ) 在线值：发帖 1 回帖 119 粉丝 8 关注私信	acqqer 1 6 楼 GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04 Copyright (C) 2012 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "i686-linux-gnu". For bug reporting instructions, please see: <http://bugs.launchpad.net/gdb-linaro/>. (gdb) file test Reading symbols from /home/lhy/Desktop/test...done. (gdb) list 8 上面的shellcode的意思就是： 9 movl $2,%ebx 10 movl $1,%eax 11 int $0x80 12 该功能就是调用exit(2) 13 / 14 int main() 15 { 16 int ret; 17 ret=(int )&ret+2; (gdb) disassemble $pc No registers. (gdb) b main Breakpoint 1 at 0x80483ba: file test.c, line 17. (gdb) c The program is not being run. (gdb) r Starting program: /home/lhy/Desktop/test Breakpoint 1, main () at test.c:17 17 ret=(int )&ret+2; (gdb) list 0 1 /shellcode_tester.c/ 2 #include <stdio.h> 3 4 char shellcode[]="\xbb\x02\x00\x00\x00" 5 "\xb8\x01\x00\x00\x00" 6 "\xcd\x80"; 7 /* 8 上面的shellcode的意思就是： 9 movl $2,%ebx 10 movl $1,%eax (gdb) 11 int $0x80 12 该功能就是调用exit(2) 13 / 14 int main() 15 { 16 int ret; 17 ret=(int )&ret+2; 18 (ret)=(int)shellcode; 19 } (gdb) d $pc Convenience variable must have integer value. warning: bad breakpoint number at or near '$pc' (gdb) disassemble $pc Dump of assembler code for function main: 0x080483b4 <+0>: push %ebp 0x080483b5 <+1>: mov %esp,%ebp 0x080483b7 <+3>: sub $0x10,%esp => 0x080483ba <+6>: lea -0x4(%ebp),%eax 0x080483bd <+9>: add $0x8,%eax 0x080483c0 <+12>: mov %eax,-0x4(%ebp) 0x080483c3 <+15>: mov -0x4(%ebp),%eax 0x080483c6 <+18>: mov $0x804a010,%edx 0x080483cb <+23>: mov %edx,(%eax) 0x080483cd <+25>: leave 0x080483ce <+26>: ret End of assembler dump. (gdb) ni 0x080483bd 17 ret=(int )&ret+2; (gdb) ni 0x080483c0 17 ret=(int )&ret+2; (gdb) ni 18 (ret)=(int)shellcode; (gdb) ni 0x080483c6 18 (ret)=(int)shellcode; (gdb) ni 0x080483cb 18 (*ret)=(int)shellcode; (gdb) ni 19 } (gdb) ni 0x080483ce 19 } (gdb) ni 0x0804a010 in shellcode () (gdb) disassemble $pc Dump of assembler code for function shellcode: => 0x0804a010 <+0>: mov $0x2,%ebx 0x0804a015 <+5>: mov $0x1,%eax 0x0804a01a <+10>: int $0x80 0x0804a01c <+12>: add %al,(%eax) End of assembler dump. (gdb) ni Program received signal SIGSEGV, Segmentation fault. 0x0804a010 in shellcode () (gdb) 2014-1-7 11:38 0
acqqer 雪币： 123 活跃值： (144) 能力值： ( LV4，RANK：50 ) 在线值：发帖 1 回帖 119 粉丝 8 关注私信	acqqer 1 7 楼 obviously it doesn't work @ all...... 2014-1-7 11:39 0
LeavesBNW 雪币： 29 活跃值： (40) 能力值： ( LV5，RANK：60 ) 在线值：发帖 2 回帖 31 粉丝 0 关注私信	LeavesBNW 1 8 楼现在的编译器好多为了防范栈溢出，都进行了一些设置以防止栈的溢出，如果要演示需要去掉编译器的这个功能，你可以使用这个来验证：gcc -fno-stack-protector -z execstack shellcode.c -o shellcode 2014-1-7 12:00 0
acqqer 雪币： 123 活跃值： (144) 能力值： ( LV4，RANK：50 ) 在线值：发帖 1 回帖 119 粉丝 8 关注私信	acqqer 1 9 楼 thanks Breakpoint 1, 0x080483cb in main () (gdb) disassemble $pc Dump of assembler code for function main: 0x080483b4 <+0>: push %ebp 0x080483b5 <+1>: mov %esp,%ebp 0x080483b7 <+3>: sub $0x10,%esp 0x080483ba <+6>: lea -0x4(%ebp),%eax 0x080483bd <+9>: add $0x8,%eax 0x080483c0 <+12>: mov %eax,-0x4(%ebp) 0x080483c3 <+15>: mov -0x4(%ebp),%eax 0x080483c6 <+18>: mov $0x804a010,%edx => 0x080483cb <+23>: mov %edx,(%eax) 0x080483cd <+25>: leave 0x080483ce <+26>: ret End of assembler dump. (gdb) n Single stepping until exit from function main, which has no line number information. 0x0804a010 in shellcode () (gdb) disassemble $pc Dump of assembler code for function shellcode: => 0x0804a010 <+0>: mov $0x2,%ebx 0x0804a015 <+5>: mov $0x1,%eax 0x0804a01a <+10>: int $0x80 0x0804a01c <+12>: add %al,(%eax) End of assembler dump. (gdb) ni 0x0804a015 in shellcode () (gdb) ni 0x0804a01a in shellcode () (gdb) ni [Inferior 1 (process 3150) exited with code 02] (gdb) ni The program is not being run. (gdb) now it works well 2014-1-7 12:43 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (8)
supertyj 雪币： 1121 活跃值： (722) 能力值： ( LV5，RANK：66 ) 在线值：发帖 3 回帖 241 粉丝 2 关注私信	supertyj 1 2 楼不了解这个有什么实际的意义，免杀吗？能执行到你自己的函数，直接放Shellcode跑就是了 2014-1-2 09:21 0
LeavesBNW 雪币： 29 活跃值： (40) 能力值： ( LV5，RANK：60 ) 在线值：发帖 2 回帖 31 粉丝 0 关注私信	LeavesBNW 1 3 楼它确实没什么实际的意义，不过，我倒觉着它有创造性，值得去学习。对于一般人来讲，我觉着还真写不出来这样的函数。所以，才发表的它目的只是想让大家观摩一下人家的写代码的思路以及创意性。 2014-1-2 09:35 1
仙果雪币： 1491 活跃值： (985) 能力值： (RANK：860 ) 在线值：发帖 68 回帖 1507 粉丝 67 关注私信	仙果 19 4 楼提升为优秀贴，希望楼主带来更精彩的文章 2014-1-3 09:50 0
永远的神话雪币： 8 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 10 回帖 87 粉丝 0 关注私信	永远的神话 5 楼看着就像是自牵引。刚开始还以为是内核中probe类型的代码。 2014-1-3 17:43 0
acqqer 雪币： 123 活跃值： (144) 能力值： ( LV4，RANK：50 ) 在线值：发帖 1 回帖 119 粉丝 8 关注私信	acqqer 1 6 楼 GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04 Copyright (C) 2012 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "i686-linux-gnu". For bug reporting instructions, please see: <http://bugs.launchpad.net/gdb-linaro/>. (gdb) file test Reading symbols from /home/lhy/Desktop/test...done. (gdb) list 8 上面的shellcode的意思就是： 9 movl $2,%ebx 10 movl $1,%eax 11 int $0x80 12 该功能就是调用exit(2) 13 / 14 int main() 15 { 16 int ret; 17 ret=(int )&ret+2; (gdb) disassemble $pc No registers. (gdb) b main Breakpoint 1 at 0x80483ba: file test.c, line 17. (gdb) c The program is not being run. (gdb) r Starting program: /home/lhy/Desktop/test Breakpoint 1, main () at test.c:17 17 ret=(int )&ret+2; (gdb) list 0 1 /shellcode_tester.c/ 2 #include <stdio.h> 3 4 char shellcode[]="\xbb\x02\x00\x00\x00" 5 "\xb8\x01\x00\x00\x00" 6 "\xcd\x80"; 7 /* 8 上面的shellcode的意思就是： 9 movl $2,%ebx 10 movl $1,%eax (gdb) 11 int $0x80 12 该功能就是调用exit(2) 13 / 14 int main() 15 { 16 int ret; 17 ret=(int )&ret+2; 18 (ret)=(int)shellcode; 19 } (gdb) d $pc Convenience variable must have integer value. warning: bad breakpoint number at or near '$pc' (gdb) disassemble $pc Dump of assembler code for function main: 0x080483b4 <+0>: push %ebp 0x080483b5 <+1>: mov %esp,%ebp 0x080483b7 <+3>: sub $0x10,%esp => 0x080483ba <+6>: lea -0x4(%ebp),%eax 0x080483bd <+9>: add $0x8,%eax 0x080483c0 <+12>: mov %eax,-0x4(%ebp) 0x080483c3 <+15>: mov -0x4(%ebp),%eax 0x080483c6 <+18>: mov $0x804a010,%edx 0x080483cb <+23>: mov %edx,(%eax) 0x080483cd <+25>: leave 0x080483ce <+26>: ret End of assembler dump. (gdb) ni 0x080483bd 17 ret=(int )&ret+2; (gdb) ni 0x080483c0 17 ret=(int )&ret+2; (gdb) ni 18 (ret)=(int)shellcode; (gdb) ni 0x080483c6 18 (ret)=(int)shellcode; (gdb) ni 0x080483cb 18 (*ret)=(int)shellcode; (gdb) ni 19 } (gdb) ni 0x080483ce 19 } (gdb) ni 0x0804a010 in shellcode () (gdb) disassemble $pc Dump of assembler code for function shellcode: => 0x0804a010 <+0>: mov $0x2,%ebx 0x0804a015 <+5>: mov $0x1,%eax 0x0804a01a <+10>: int $0x80 0x0804a01c <+12>: add %al,(%eax) End of assembler dump. (gdb) ni Program received signal SIGSEGV, Segmentation fault. 0x0804a010 in shellcode () (gdb) 2014-1-7 11:38 0
acqqer 雪币： 123 活跃值： (144) 能力值： ( LV4，RANK：50 ) 在线值：发帖 1 回帖 119 粉丝 8 关注私信	acqqer 1 7 楼 obviously it doesn't work @ all...... 2014-1-7 11:39 0
LeavesBNW 雪币： 29 活跃值： (40) 能力值： ( LV5，RANK：60 ) 在线值：发帖 2 回帖 31 粉丝 0 关注私信	LeavesBNW 1 8 楼现在的编译器好多为了防范栈溢出，都进行了一些设置以防止栈的溢出，如果要演示需要去掉编译器的这个功能，你可以使用这个来验证：gcc -fno-stack-protector -z execstack shellcode.c -o shellcode 2014-1-7 12:00 0
acqqer 雪币： 123 活跃值： (144) 能力值： ( LV4，RANK：50 ) 在线值：发帖 1 回帖 119 粉丝 8 关注私信	acqqer 1 9 楼 thanks Breakpoint 1, 0x080483cb in main () (gdb) disassemble $pc Dump of assembler code for function main: 0x080483b4 <+0>: push %ebp 0x080483b5 <+1>: mov %esp,%ebp 0x080483b7 <+3>: sub $0x10,%esp 0x080483ba <+6>: lea -0x4(%ebp),%eax 0x080483bd <+9>: add $0x8,%eax 0x080483c0 <+12>: mov %eax,-0x4(%ebp) 0x080483c3 <+15>: mov -0x4(%ebp),%eax 0x080483c6 <+18>: mov $0x804a010,%edx => 0x080483cb <+23>: mov %edx,(%eax) 0x080483cd <+25>: leave 0x080483ce <+26>: ret End of assembler dump. (gdb) n Single stepping until exit from function main, which has no line number information. 0x0804a010 in shellcode () (gdb) disassemble $pc Dump of assembler code for function shellcode: => 0x0804a010 <+0>: mov $0x2,%ebx 0x0804a015 <+5>: mov $0x1,%eax 0x0804a01a <+10>: int $0x80 0x0804a01c <+12>: add %al,(%eax) End of assembler dump. (gdb) ni 0x0804a015 in shellcode () (gdb) ni 0x0804a01a in shellcode () (gdb) ni [Inferior 1 (process 3150) exited with code 02] (gdb) ni The program is not being run. (gdb) now it works well 2014-1-7 12:43 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复