How can I remove null bytes from my object code?

Submitted by 本小妞迷上赌 on 2019-12-23 04:32:32

Question


I want to use my own shellcode for a buffer overflow exploit, so for that I have written a script in C language [shellcode script].

I have used the following commands:

gcc -c file.c -o file.o
objdump -sS -D file.o
root@kali:~/shellcode# cat file.c
#include<stdio.h>

int main()
{

    printf("Hi");

}

The above code is of 'file.c'.

I expect the output of 'objdump -sS -D file.o' to be free from null bytes, but actually this is my output after typing that command:


file.o:     file format elf64-x86-64

Contents of section .text:
 0000 554889e5 488d3d00 000000b8 00000000  UH..H.=.........
 0010 e8000000 00b80000 00005dc3           ..........].    
Contents of section .rodata:
 0000 486900                               Hi.             
Contents of section .comment:
 0000 00474343 3a202844 65626961 6e20382e  .GCC: (Debian 8.
 0010 332e302d 36292038 2e332e30 00        3.0-6) 8.3.0.   
Contents of section .eh_frame:
 0000 14000000 00000000 017a5200 01781001  .........zR..x..
 0010 1b0c0708 90010000 1c000000 1c000000  ................
 0020 00000000 1c000000 00410e10 8602430d  .........A....C.
 0030 06570c07 08000000                    .W......        

Disassembly of section .text:

0000000000000000 <main>:
   0:   55                      push   %rbp
   1:   48 89 e5                mov    %rsp,%rbp
   4:   48 8d 3d 00 00 00 00    lea    0x0(%rip),%rdi        # b <main+0xb>
   b:   b8 00 00 00 00          mov    $0x0,%eax
  10:   e8 00 00 00 00          callq  15 <main+0x15>
  15:   b8 00 00 00 00          mov    $0x0,%eax
  1a:   5d                      pop    %rbp
  1b:   c3                      retq   

Disassembly of section .rodata:

0000000000000000 <.rodata>:
   0:   48                      rex.W
   1:   69                      .byte 0x69
    ...

Disassembly of section .comment:

0000000000000000 <.comment>:
   0:   00 47 43                add    %al,0x43(%rdi)
   3:   43 3a 20                rex.XB cmp (%r8),%spl
   6:   28 44 65 62             sub    %al,0x62(%rbp,%riz,2)
   a:   69 61 6e 20 38 2e 33    imul   $0x332e3820,0x6e(%rcx),%esp
  11:   2e 30 2d 36 29 20 38    xor    %ch,%cs:0x38202936(%rip)        # 3820294e <main+0x3820294e>
  18:   2e 33 2e                xor    %cs:(%rsi),%ebp
  1b:   30 00                   xor    %al,(%rax)

Disassembly of section .eh_frame:

0000000000000000 <.eh_frame>:
   0:   14 00                   adc    $0x0,%al
   2:   00 00                   add    %al,(%rax)
   4:   00 00                   add    %al,(%rax)
   6:   00 00                   add    %al,(%rax)
   8:   01 7a 52                add    %edi,0x52(%rdx)
   b:   00 01                   add    %al,(%rcx)
   d:   78 10                   js     1f <.eh_frame+0x1f>
   f:   01 1b                   add    %ebx,(%rbx)
  11:   0c 07                   or     $0x7,%al
  13:   08 90 01 00 00 1c       or     %dl,0x1c000001(%rax)
  19:   00 00                   add    %al,(%rax)
  1b:   00 1c 00                add    %bl,(%rax,%rax,1)
  1e:   00 00                   add    %al,(%rax)
  20:   00 00                   add    %al,(%rax)
  22:   00 00                   add    %al,(%rax)
  24:   1c 00                   sbb    $0x0,%al
  26:   00 00                   add    %al,(%rax)
  28:   00 41 0e                add    %al,0xe(%rcx)
  2b:   10 86 02 43 0d 06       adc    %al,0x60d4302(%rsi)
  31:   57                      push   %rdi
  32:   0c 07                   or     $0x7,%al
  34:   08 00                   or     %al,(%rax)
    ...

Can somebody please explain to me how I can remove null bytes from this program, or if possible write the output in assembly so that I can learn what to change and how?

P.S. - I know mov $0x0, $rsp can be done by xor $rsp, $rsp but I don't know about movq, lea, add, sub, etc.

Thank you for your precious time.


Answer 1:


Removing null bytes (\x00) from shellcode is only necessary if you are using functions that depend on a trailing \x00, such as strcpy:

char * strcpy ( char * destination, const char * source ); 

which copies the C string pointed to by source into the array pointed to by destination, including the terminating null character (and stopping at that point).

However, strncpy copies the first num characters of source to destination, padding it with zeros until num characters have been written to destination.

char * strncpy ( char * destination, const char * source, size_t num );

This means if you pass your shellcode size/length to the parameter num, it will copy all characters into the buffer, without the hassle of removing null bytes, as they aren't terminating the copy from source to destination.

To get the length of the shellcode:

#include <stdio.h>
#include <string.h>

int main()
{
    /* strlen() stops at the first \x00, so this only works while the bytes contain none */
    const char* evil = "\x90\x83\xc8\xff\xf7\xd0\x50";
    printf("%zu", strlen(evil));   /* strlen() returns size_t, so %zu is the matching specifier */
    return 0;
}

will return:

7


Source: https://stackoverflow.com/questions/57542464/how-can-i-remove-null-bytes-from-my-object-code
