[原创] 一个跨cpu架构的shellcode模板
发表于: 2017-9-23 02:51 3090


用汇编写shellcode实在太累,于是弄了个c的shellcode模板。没什么特别的功能,也就是将字符串用点技巧编译到函数代码里。
测试用clang编译通过。在osx x86_64上运行通过,ios arm64上运行通过。理论上也支持别的处理器架构。
要注意的是编译的时候要用 -fno-stack-protector 关掉栈保护。
有些情况下会编译失败,原因是代码中的数据或其他地方没有对齐。解决办法是在
__asm__ __volatile__(".asciz \"aa#$\"\n" c); \
这一行中,在 aa#$ 里增减若干个 a,直到对齐为止。









#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <dlfcn.h>
#include <sys/mman.h>


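/* Signatures of the two loader entry points the payload receives from its
   caller as arguments, so it never has to link against them itself. */
typedef void *(*dlopen_t)(const char *path, int mode);
typedef void *(*dlsym_t)(void *handle, const char *symbol);

/* puts() as resolved at run time through a dlsym_t. (The original line had
   its spaces lost: "typedefint ... (constchar *)".) */
typedef int (*puts_t)(const char *);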


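/*
 * Hex-dump `len` bytes starting at `src` to stdout, 16 bytes per line:
 * the line address, the bytes as two-digit hex, then an ASCII column in
 * which every byte outside 0x20..0x7e is shown as '.'.
 *
 * src: start of the region to dump; it is only read.
 * len: number of bytes; 0 prints nothing at all.
 *
 * main() passes a function pointer here so the compiled payload can be
 * copied into shellcode_example; converting a function pointer to an
 * object pointer is a common extension, not strict ISO C.
 * The leading underscore makes this a reserved identifier at file scope;
 * the name is kept because the file's callers use it.
 */
void _dump_memory(const void *src, size_t len) {
    /* unsigned char: bytes >= 0x80 must not sign-extend in the printable
       test below, and the original cast away the caller's const. */
    const unsigned char *line = src;
    const unsigned char *end = line + len;

    if (len == 0) {
        return;
    }

    while (line < end) {
        size_t avail = (size_t)(end - line);
        size_t count = avail < 16 ? avail : 16;

        printf("%p: ", (const void *)line);

        for (size_t i = 0; i < 16; i++) {
            if (i < count) {
                printf("%.2hhx ", line[i]);
            } else {
                /* three blanks, one per "xx " cell, so the '|' column of a
                   short last line lines up with the full lines above it */
                printf("   ");
            }
        }

        printf("|");

        for (size_t i = 0; i < 16; i++) {
            if (i < count) {
                unsigned char c = line[i];
                printf("%c", (c < 0x20 || c > 0x7e) ? '.' : c);
            } else {
                printf(" ");
            }
        }

        printf("\n");
        line += count;
    }

    printf("\n");
}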


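/*
 * SHELLCODE_BEGIN(c) / SHELLCODE_END() bracket the body of a function and
 * embed string data inside its own code bytes.
 *
 * c is a string of assembler directives (".asciz \"...\"\n" lines). They
 * are emitted right after the marker ".asciz \"aa#$\"", which is what
 * FIND_STRINGS scans for from the start of the function. Control flow
 * jumps over the data: SHELLCODE_BEGIN jumps to START, and SHELLCODE_END
 * branches back to NO_SKIP only when the flag is non-zero, which never
 * happens at run time. The flag is volatile so the compiler cannot fold
 * that branch away and, presumably, drop the data block with it.
 *
 * The "aa" in front of "#$" is alignment padding: when the build fails
 * on misaligned data, add or remove 'a' characters there.
 *
 * SHELLCODE_END() expands to a label, so it must be followed by ';'.
 * The flag and end label used reserved names (__HOLD_DATA, __end) and
 * the declaration was missing a space ("int__HOLD_DATA"); both fixed.
 */
#define SHELLCODE_BEGIN(c) \
    volatile int shellcode_hold_data_ = 0; \
    goto START; \
NO_SKIP: \
    __asm__ __volatile__(".asciz \"aa#$\"\n" c); \
    goto SHELLCODE_END_; \
START:

#define SHELLCODE_END() if (shellcode_hold_data_) goto NO_SKIP; SHELLCODE_END_: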


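/*
 * FIND_STRINGS(&p1, &p2, ...) stores in each char* the address of the
 * 1st, 2nd, ... string that SHELLCODE_BEGIN embedded in shellcode().
 *
 * It scans forward from the first byte of shellcode() for the "#$"
 * marker, then walks the NUL-terminated strings behind it, skipping any
 * NUL padding between them. The scan has no upper bound: it relies on
 * the marker being present inside the function, so the macro is only
 * meaningful in a body built with SHELLCODE_BEGIN. Converting the
 * function pointer to char* is a common extension, not strict ISO C.
 *
 * Fixed: the loop index was an int compared against a size_t, and the
 * element count divided by sizeof(void*) instead of sizeof sp[0].
 */
#define FIND_STRINGS(...) \
    { \
        char **sp[] = {__VA_ARGS__}; \
        char *strings = (char *)shellcode; \
        while (!(*strings == '#' && *(strings + 1) == '$')) strings++; \
        strings += 2; \
        \
        for (size_t i = 0; i < sizeof sp / sizeof sp[0]; i++) { \
            while (*strings == 0) strings++; \
            *sp[i] = strings; \
            while (*strings != 0) strings++; \
        } \
    }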


/* Calling convention of the payload: it receives the loader entry points
   as arguments (see shellcode()); main() casts its mmap'ed copy to this. */
typedef void (*shellcode_t)(dlopen_t dlopen_, dlsym_t dlsym_);

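/*
 * Demo payload: resolve puts() through the loader functions handed in by
 * the caller and print the greeting embedded in this function's own bytes.
 *
 * dlopen_ / dlsym_: loader entry points supplied by whoever runs the
 *   code, so the function needs no imports or relocations of its own.
 *
 * noinline keeps this a distinct function: FIND_STRINGS scans from the
 * symbol `shellcode`, and main() dumps the bytes starting at that address.
 *
 * Changed from the original: both lookups are now checked. dlopen_ or
 * dlsym_ returning NULL previously led to an indirect call through 0.
 */
__attribute__((noinline)) void shellcode(dlopen_t dlopen_, dlsym_t dlsym_) {
    SHELLCODE_BEGIN(
        ".asciz \"Hello ShellCodeFramework!\"\n"
        ".asciz \"puts\"\n"
        ".asciz \"libSystem.dylib\"\n"
    );

    char *s_hello;
    char *s_puts;
    char *s_libsystem;
    FIND_STRINGS(&s_hello, &s_puts, &s_libsystem);
    /* Embedded but not used by this demo, which passes a NULL path to
       dlopen_ as the original did; kept for callers wanting an explicit
       library name. */
    (void)s_libsystem;

    /* mode 0 is accepted by the Apple loader the post targets; glibc
       requires RTLD_LAZY or RTLD_NOW and returns NULL otherwise. */
    void *handle = dlopen_(0, 0);
    if (handle) {
        puts_t puts_ = (puts_t)dlsym_(handle, s_puts);
        if (puts_) {
            puts_(s_hello);
        }
    }

    SHELLCODE_END();
}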


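/*
 * shellcode() as compiled for x86-64: the 204 bytes main() copies into an
 * anonymous mapping and executes. The embedded strings follow the "#$"
 * marker exactly as in the function above. This is a build artifact: it
 * does not track edits to shellcode() and must be regenerated (e.g. from
 * the _dump_memory output) after any change to the function or macros.
 * (The original line had lost a space: "constchar".)
 */
const char *shellcode_example = "\x55\x48\x89\xe5\x53\x48\x83\xec\x38\x48\x89\xf3\x48\x89\xf8\xc7\x45\xf4\x00\x00\x00\x00\x48\x8d\x4d\xd8\x48\x89\x4d\xc0\x48\x8d\x4d\xe0\x48\x89\x4d\xc8\x48\x8d\x4d\xe8\x48\x89\x4d\xd0\x48\x8d\x0d\xcd\xff\xff\xff\xeb\x03\x48\xff\xc1\x80\x79\xfe\x23\x75\xf7\x80\x79\xff\x24\x75\xf1\x31\xd2\x48\xff\xc9\x48\x89\xce\x48\x89\xf1\x48\x8d\x71\x01\x80\x79\x01\x00\x74\xf3\x48\x8b\x7c\xd5\xc0\x48\x89\x37\x80\x79\x01\x00\x48\x8d\x49\x01\x75\xf6\x48\xff\xc2\x48\x83\xfa\x03\x75\xd2\x48\x8b\x7d\xe8\x31\xf6\xff\xd0\x48\x8b\x75\xe0\x48\x89\xc7\xff\xd3\x48\x8b\x7d\xd8\xff\xd0\x83\x7d\xf4\x00\x74\x32\x23\x24\x00\x48\x65\x6c\x6c\x6f\x20\x53\x68\x65\x6c\x6c\x43\x6f\x64\x65\x46\x72\x61\x6d\x65\x77\x6f\x72\x6b\x21\x00\x70\x75\x74\x73\x00\x6c\x69\x62\x53\x79\x73\x74\x65\x6d\x2e\x64\x79\x6c\x69\x62\x00\x48\x83\xc4\x38\x5b\x5d\xc3";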


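/*
 * Run the payload twice: first as the normally linked shellcode(), dumping
 * its bytes so they can be pasted into shellcode_example; then again from
 * shellcode_example copied into an anonymous mapping.
 *
 * The mapping is created read/write, filled, and only then switched to
 * read/execute, so no page is writable and executable at the same time.
 * Returns -1 if the mapping or the permission change fails.
 *
 * Changed from the original: the mmap() result is checked against
 * MAP_FAILED, the mapping is released on every path, and the lengths are
 * named. memcpy() needs <string.h>, which the original did not include.
 */
int main(int argc, char *argv[]) {
    (void)argc;
    (void)argv;

    /* SHELLCODE_LEN is the size of shellcode_example; the dump of the
       linked shellcode() uses the same number, which only matches when
       the function compiles to the same size as the stored blob.
       MAP_LEN assumes 4 KiB pages, as the original did. */
    enum { SHELLCODE_LEN = 204, MAP_LEN = 4096 };

    shellcode(dlopen, dlsym);
    _dump_memory(shellcode, SHELLCODE_LEN);

    void *mem = mmap(NULL, MAP_LEN, PROT_READ | PROT_WRITE,
                     MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
    if (mem == MAP_FAILED) {
        printf("mmap failed\n");
        return -1;
    }
    memcpy(mem, shellcode_example, SHELLCODE_LEN);

    if (mprotect(mem, MAP_LEN, PROT_EXEC | PROT_READ)) {
        printf("mprotect failed\n");
        munmap(mem, MAP_LEN);
        return -1;
    }

    ((shellcode_t)mem)(dlopen, dlsym);

    munmap(mem, MAP_LEN);
    return 0;
}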





代码运行结果是:











Hello ShellCodeFramework!

0x100000ccf: 55 48 89 e5 53 48 83 ec 48 48 89 f3 48 89 f8 c7 |UH..SH..HH..H...

0x100000cdf: 45 f4 00 00 00 00 48 8d 4d e0 48 89 4d c0 48 8d |E.....H.M.H.M.H.

0x100000cef: 4d e8 48 89 4d c8 48 8d 4d b8 48 89 4d d0 48 8d |M.H.M.H.M.H.M.H.

0x100000cff: 0d cd ff ff ff eb 03 48 ff c1 80 79 fe 23 75 f7 |.......H...y.#u.

0x100000d0f: 80 79 ff 24 75 f1 31 d2 48 ff c9 48 89 ce 48 89 |.y.$u.1.H..H..H.

0x100000d1f: f1 48 8d 71 01 80 79 01 00 74 f3 48 8b 7c d5 c0 |.H.q..y..t.H.|..

0x100000d2f: 48 89 37 80 79 01 00 48 8d 49 01 75 f6 48 ff c2 |H.7.y..H.I.u.H..

0x100000d3f: 48 83 fa 03 75 d2 31 ff 31 f6 ff d0 48 8b 75 e8 |H...u.1.1...H.u.

0x100000d4f: 48 89 c7 ff d3 48 8b 7d e0 ff d0 83 7d f4 00 74 |H....H.}....}..t

0x100000d5f: 34 61 61 23 24 00 48 65 6c 6c 6f 20 53 68 65 6c |4aa#$.Hello Shel

0x100000d6f: 6c 43 6f 64 65 46 72 61 6d 65 77 6f 72 6b 21 00 |lCodeFramework!.

0x100000d7f: 70 75 74 73 00 6c 69 62 53 79 73 74 65 6d 2e 64 |puts.libSystem.d

0x100000d8f: 79 6c 69 62 00 48 83 c4 48 5b 5d c3 |ylib.H..H[]. 


Hello ShellCodeFramework!





