当题目执行流程会跳转到可读写执行的地址时,我们就需要构造合适的 shellcode 来实现我们的目的。
|
“/bin”->rdi |
“/sh\0” |
syscall 机器码 |
execve 调用号 - rax |
rsi |
rdx |
| 编码 |
\x2f\x62\x69\x6e |
\x2f\x7c\x68\x00 |
\x0f\x05 |
\x3b |
0 |
0 |
| 16 进制 |
0x6e69622f |
0x68732f |
0x50f |
0x3b |
0 |
0 |
| xor |
31 30 30 36 |
31 30 30 5a |
41 30 |
39 |
|
|
| xor |
48 52 59 58 |
48 53 58 5a |
4e 35 |
32 |
|
|
|
41 |
41 |
|
30 |
|
|
# 无字符输入限制
# 无沙盒
# 工具构造
| context.arch='amd64' |
| payload = asm(shellcraft.sh()) |
手工构造
# 有沙盒
# 有字符输入限制
alphanumeric shellcode
# x64
Numeric
| ASCII |
Hex |
Assembler Instruction |
| 0 |
0x30 |
xor %{16bit}, (%{64bit}) |
| 1 |
0x31 |
xor %{32bit}, (%{64bit}) |
| 2 |
0x32 |
xor (%{64bit}), % |
| 3 |
0x33 |
xor (%{64bit}), % |
| 4 |
0x34 |
xor [byte], %al |
| 5 |
0x35 |
xor [dword], %eax |
| 6 |
0x36 |
%ss segment register |
| 7 |
0x37 |
Bad Instruction! |
| 8 |
0x38 |
cmp %{16bit}, (%{64bit}) |
| 9 |
0x39 |
cmp %{32bit}, (%{64bit}) |
Uppercase
| ASCII |
Hex |
Assembler Instruction |
| A |
0x41 |
64 bit reserved prefix |
| B |
0x42 |
64 bit reserved prefix |
| C |
0x43 |
64 bit reserved prefix |
| D |
0x44 |
64 bit reserved prefix |
| E |
0x45 |
64 bit reserved prefix |
| F |
0x46 |
64 bit reserved prefix |
| G |
0x47 |
64 bit reserved prefix |
| H |
0x48 |
64 bit reserved prefix |
| I |
0x49 |
64 bit reserved prefix |
| J |
0x4a |
64 bit reserved prefix |
| K |
0x4b |
64 bit reserved prefix |
| L |
0x4c |
64 bit reserved prefix |
| M |
0x4d |
64 bit reserved prefix |
| N |
0x4e |
64 bit reserved prefix |
| O |
0x4f |
64 bit reserved prefix |
| P |
0x50 |
push %rax |
| Q |
0x51 |
push %rcx |
| R |
0x52 |
push %rdx |
| S |
0x53 |
push %rbx |
| T |
0x54 |
push %rsp |
| U |
0x55 |
push %rbp |
| V |
0x56 |
push %rsi |
| W |
0x57 |
push %rdi |
| X |
0x58 |
pop %rax |
| Y |
0x59 |
pop %rcx |
| Z |
0x5a |
pop %rdx |
Lowercase
| ASCII |
Hex |
Assembler Instruction |
| a |
0x61 |
Bad Instruction! |
| b |
0x62 |
Bad Instruction! |
| c |
0x63 |
movslq (%{64bit}), % |
| d |
0x64 |
%fs segment register |
| e |
0x65 |
%gs segment register |
| f |
0x66 |
16 bit operand override |
| g |
0x67 |
16 bit ptr override |
| h |
0x68 |
push [dword] |
| i |
0x69 |
imul [dword], (%{64bit}), % |
| j |
0x6a |
push [byte] |
| k |
0x6b |
imul [byte], (%{64bit}), % |
| l |
0x6c |
insb (%dx),%es:(%rdi) |
| m |
0x6d |
insl (%dx),%es:(%rdi) |
| n |
0x6e |
outsb %ds:(%rsi),(%dx) |
| o |
0x6f |
outsl %ds:(%rsi),(%dx) |
| p |
0x70 |
jo [byte] |
| q |
0x71 |
jno [byte] |
| r |
0x72 |
jb [byte] |
| s |
0x73 |
jae [byte] |
| t |
0x74 |
je [byte] |
| u |
0x75 |
jne [byte] |
| v |
0x76 |
jbe [byte] |
| w |
0x77 |
ja [byte] |
| x |
0x78 |
js [byte] |
| y |
0x79 |
jns [byte] |
| z |
0x7a |
jp [byte] |
# Push: Alphanumeric x86_64 data
| Assembly |
Hexadecimal |
Alphanumeric ASCII |
| pushw [word] |
\x66\x68\x##\x## |
fh?? |
| pushq [byte] |
\x6a\x## |
j? |
| pushq [dword] |
\x68\x##\x##\x##\x## |
h??? |
# Push: x86_64 16 bit Registers
| Assembly |
Hexadecimal |
Alphanumeric ASCII |
| push %ax |
\x66\x50 |
fP |
| push %cx |
\x66\x51 |
fQ |
| push %dx |
\x66\x52 |
fR |
| push %bx |
\x66\x53 |
fS |
| push %sp |
\x66\x54 |
fT |
| push %bp |
\x66\x55 |
fU |
| push %si |
\x66\x56 |
fV |
| push %di |
\x66\x57 |
fW |
# Pop: x86_64 Extended Registers
| Assembly |
Hexadecimal |
Alphanumeric ASCII |
| pop %rax |
\x58 |
X |
| pop %rcx |
\x59 |
Y |
| pop %rax |
\x5a |
Z |
# x86_64 16 bit registers
| Assembly |
Hexadecimal |
Alphanumeric ASCII |
| pop %ax |
\x66\x58 |
fX |
| pop %cx |
\x66\x59 |
fY |
| pop %dx |
\x66\x5a |
fZ |
| pop *%r8w |
\x66\x41\x58 |
fAX |
| pop *%r9w |
\x66\x41\x59 |
fAY |
| pop *%r10w |
\x66\x41\x5a |
fAZ |
Alphanumeric opcode
这是那篇怎么搜都出现两三遍的文章
https://nets.ec/Alphanumeric_shellcode
https://www.anquanke.com/post/id/85871
