基本shellcode提取方法

這裡，我們將編寫一個非常簡單的shellcode，它的功能是得到一個命令行。我們將從該shellcode的C程序源碼開始，逐步構造並提取shellcode。

該shellcode的C程序源碼為：

1. root@linux:~/pentest# cat shellcode.c
2. #include <stdio.h>
4. int main(int argc, char **argv) {
6. char *name[2];
7. name[0] = "/bin/bash";
8. name[1] = NULL;
10. execve(name[0], name, NULL);
12. return 0;
13. }

為了避免鏈接干擾，靜態編譯該shellcode，命令為：

root@linux:~/pentest# gcc -static -g -o shellcode shellcode.c

下面使用gdb調試並分析一下shellcode程序：

1. root@linux:~/pentest# gdb shellcode
2. GNU gdb (Ubuntu/Linaro 7.2-1ubuntu11) 7.2
3. Copyright (C) 2010 Free Software Foundation, Inc.
4. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
5. This is free software: you are free to change and redistribute it.
6. There is NO WARRANTY, to the extent permitted by law. Type "show copying"
7. and "show warranty" for details.
8. This GDB was configured as "i686-linux-gnu".
9. For bug reporting instructions, please see:
10. <http://www.gnu.org/software/gdb/bugs/>...
11. Reading symbols from /root/pentest/shellcode...done.
12. (gdb) disass main
13. Dump of assembler code for function main:
14. 0x080482c0 <+0>: push %ebp
15. 0x080482c1 <+1>: mov %esp,%ebp
16. 0x080482c3 <+3>: and {1}xfffffff0,%esp
17. 0x080482c6 <+6>: sub {1}x20,%esp
18. 0x080482c9 <+9>: movl {1}x80ae428,0x18(%esp)
19. 0x080482d1 <+17>: movl {1}x0,0x1c(%esp)
20. 0x080482d9 <+25>: mov 0x18(%esp),%eax
21. 0x080482dd <+29>: movl {1}x0,0x8(%esp)
22. 0x080482e5 <+37>: lea 0x18(%esp),%edx
23. 0x080482e9 <+41>: mov %edx,0x4(%esp)
24. 0x080482ed <+45>: mov %eax,(%esp)
25. 0x080482f0 <+48>: call 0x8052f10 <execve>
26. 0x080482f5 <+53>: mov {1}x0,%eax
27. 0x080482fa <+58>: leave
28. 0x080482fb <+59>: ret
29. End of assembler dump.

根據程序反匯編得到的代碼分析，在call指令執行之前，函數堆棧的使用情況如下圖所示：

我們用gdb調試運行shellcode，看我們上面的分析是否完全正確。

1. (gdb) b main
2. Breakpoint 1 at 0x80482c9: file shellcode.c, line 6.
3. (gdb) b *main+48
4. Breakpoint 2 at 0x80482f0: file shellcode.c, line 9.
5. (gdb) r
6. Starting program: /root/pentest/shellcode
8. Breakpoint 1, main (argc=1, argv=0xbffff474) at shellcode.c:6
9. 6 name[0] = "/bin/bash";
10. (gdb) x/s 0x80ae428
11. 0x80ae428: "/bin/bash"
12. (gdb) c
13. Continuing.
15. Breakpoint 2, 0x080482f0 in main (argc=1, argv=0xbffff474) at shellcode.c:9
16. 9 execve(name[0], name, NULL);
17. (gdb) x/4bx $ebp-40
18. 0xbffff3b0: 0x28 0xe4 0x0a 0x08
19. (gdb) x/4bx $ebp-36
20. 0xbffff3b4: 0xc8 0xf3 0xff 0xbf
21. (gdb) x/4bx $ebp-32
22. 0xbffff3b8: 0x00 0x00 0x00 0x00
23. (gdb) x/4bx $ebp-12
24. 0xbffff3cc: 0x00 0x00 0x00 0x00
25. (gdb) x/4bx $ebp-16
26. 0xbffff3c8: 0x28 0xe4 0x0a 0x08
27. (gdb)