linux64位shellcode代码注入

最新推荐文章于 2023-08-31 10:26:37 发布

玄岳

最新推荐文章于 2023-08-31 10:26:37 发布

阅读量1.8k

点赞数

分类专栏：汇编文章标签： linux 64位 shellcode 注入代码

汇编专栏收录该内容

1 篇文章

订阅专栏

【测试环境】
CentOS 5.4 （Final）x86_64
Linux version 2.6.18-164.el5. x86_64
GCC version 4.4.2 20080704
【汇编编译环境】
CentOS 7 x86_64
Linux 3.10.0-229.7.2.el7.x86_64
NASM 2.10.07 x86_64

【A程序：counter.c】与先前一致

#include <sys/time.h>
#include <stdio.h>

long long timeum(){
    struct timeval tim; 
    gettimeofday (&tim , NULL);
    return (long long)tim.tv_sec*1000000+tim.tv_usec;
}

int main()
{
    int i;
    long long start,tmp;
    start = timeum();
    for(i = 0; i < 60; ++i){
        printf("My Counter: %d\n", i);
        sleep(1);
        tmp = timeum();
        printf("Time Interval: %lld\n",tmp-start);
        start = tmp;
    }
    return 0;
}

gcc -o counter counter.c
【C程序：hello64.asm】

global _start
_start:
    jmp short string

code:
    pop rsi
    mov rax,1
    mov rdi,1
    mov rdx,13
    syscall

    int3

string:
    call code
    db 'Hello world!',0x0a

编译hello64.asm：

nasm -f elf64 hello64.asm -o hello64.o
ld -s -o hello64 hello64.o

命令提取Shellcode：

for i in $(objdump -d hello64 |grep "^ " |cut -f2); do echo -n '\x'$i; done; echo

\xeb\x13\x5e\xb8\x01\x00\x00\x00\xbf\x01\x00\x00\x00\xba\x0d\x00\x00\x00\x0f\x05\xcc\xe8\xe8\xff\xff\xff\x48\x65\x6c\x6c\x6f\x20\x77\x6f\x72\x6c\x64\x21\x0a

【B程序：injecthello64.c】

相比于x86平台 B程序，x86_64平台下的B程序进行了如下修改：

一是头文件由 sys/user.h 改成 linux/user.h；

二是getdata/putdata函数中涉及地址的位置由 *4 改成 *8；

三是user_regs_struct结构体的指令寄存器由 eip 改成 rip；

四是shellcode修改适用于x86_64平台。

#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <linux/user.h>
#include <stdio.h>
#include <string.h>

const int long_size = sizeof(long);

void getdata(pid_t child, long addr, char *str, int len)
{
    char *laddr;
    int i,j;
    union u{
        long val;
        char chars[long_size];
    }data;

    i = 0;
    j = len / long_size;
    laddr = str;

    while(i < j){
        data.val = ptrace(PTRACE_PEEKDATA, child, addr + i*8, NULL);
        memcpy(laddr, data.chars, long_size);
        ++i;
        laddr += long_size;
    }
    j = len % long_size;
    if(j != 0){
        data.val = ptrace(PTRACE_PEEKDATA, child, addr + i*8, NULL);
        memcpy(laddr, data.chars, j);
    }
    str[len] = ' ';
}

void putdata(pid_t child, long addr, char *str, int len)
{
    char *laddr;
    int i,j;
    union u{
        long val;
        char chars[long_size];
    }data;

    long rst; 

    i = 0;
    j = len / long_size;
    laddr = str;
    while(i < j){
        memcpy(data.chars, laddr, long_size);
        rst = ptrace(PTRACE_POKEDATA, child, addr + i*8, data.val);
        if (rst < 0) {
            printf("Putdata Failed! \n");
            return;
        }
        ++i;
        laddr += long_size;
    }
    j = len % long_size;
    if(j != 0){
        memcpy(data.chars, laddr, j);
        rst = ptrace(PTRACE_POKEDATA, child, addr + i*8, data.val);
        if (rst < 0) {
            printf("Putdata Failed! \n");
            return;
        }
    }
}

int main(int argc, char *argv[])
{
    pid_t traced_process;
    struct user_regs_struct regs;
    int len = 39;

    /* hello world */
    char code[] =
        "\xeb\x13\x5e\xb8\x01\x00\x00\x00"
        "\xbf\x01\x00\x00\x00\xba\x0d\x00"
        "\x00\x00\x0f\x05\xcc\xe8\xe8\xff"
        "\xff\xff\x48\x65\x6c\x6c\x6f\x20"
        "\x77\x6f\x72\x6c\x64\x21\x0a";

    char backup[len+1];

    if(argc != 2) {
        printf("PID?\n");
        return 1;
    }
    traced_process = atoi(argv[1]);
    ptrace(PTRACE_ATTACH, traced_process, NULL, NULL);
    int pid = wait(NULL);
    printf("Attach Pid: %d\n",pid);
    ptrace(PTRACE_GETREGS, traced_process, NULL, ®s);
    /* Copy instructions into a backup variable */
    getdata(traced_process, regs.rip, backup, len);
    /* Put the shellcode & int3 */
    putdata(traced_process, regs.rip, code, len);
    /* Let the process continue and execute 
        the int3 instruction */
    ptrace(PTRACE_CONT, traced_process, NULL, NULL);
    wait(NULL);
    putdata(traced_process, regs.rip, backup, len);
    /* Setting the rip back to the original 
        instruction to let the process continue */
    ptrace(PTRACE_SETREGS, traced_process, NULL, ®s);
    ptrace(PTRACE_DETACH, traced_process, NULL, NULL);
    return 0;
}

gcc -o injecthello64 injecthello64.c

【执行】

1. run counter

./counter

2. find pid of counter

ps aux | grep counter

3. run injecthello64(root)

./injecthello64 %pid%

【结果】

A进程部分输出如下，输出helloworld证明B进程代码注入成功。

My Counter: 0 

1001261 

My Counter: 1 

1000606 

My Counter: 2 

1001603 

My Counter: 3 

1001570 

My Counter: 4 

1000590 

My Counter: 5 

Hello world! 

1001774 

My Counter: 6 

1000391 

My Counter: 7 

Hello world! 

1001757