Linux Shellcode“你好，世界！”

注入此shellpre时，您不知道位置

message

mov ecx, message

在注入的过程中，它可以是任何东西，但不会如此，

"Helloworld!rn"

"Hello world!rn"

"xb8x04x00x00x00""xbbx01x00x00x00""xb9x00x00x00x00""xbax0fx00x00x00""xcdx80xb8x01x00""x00x00xbbx00x00""x00x00xcdx80";

这是Shellpre开发中的常见问题，解决方法是这样的：

global _startsection .text_start:    jmp MESSAGE      ; 1) lets jump to MESSAGEGOBACK:    mov eax, 0x4    mov ebx, 0x1    pop ecx          ; 3) we are poping into `ecx`, now we have the          ; address of "Hello, World!rn"     mov edx, 0xF    int 0x80    mov eax, 0x1    mov ebx, 0x0    int 0x80MESSAGE:    call GOBACK       ; 2) we are going back, since we used `call`, that means; the return address, which is in this case the address ; of "Hello, World!rn", is pushed into the stack.    db "Hello, World!", 0dh, 0ahsection .data

现在转储文本部分：

$ nasm -f elf shellpre.asm$ ld shellpre.o -o shellpre$ ./shellpre Hello, World!$ objdump -d shellpreshellpre:     file format elf32-i386Disassembly of section .text:08048060 <_start>: 8048060:   e9 1e 00 00 00   jmp    8048083 <MESSAGE>08048065 <GOBACK>: 8048065:   b8 04 00 00 00   mov    $0x4,%eax 804806a:   bb 01 00 00 00   mov    $0x1,%ebx 804806f:   59    pop    %ecx 8048070:   ba 0f 00 00 00   mov    $0xf,%edx 8048075:   cd 80 int    $0x80 8048077:   b8 01 00 00 00   mov    $0x1,%eax 804807c:   bb 00 00 00 00   mov    $0x0,%ebx 8048081:   cd 80 int    $0x8008048083 <MESSAGE>: 8048083:   e8 dd ff ff ff   call   8048065 <GOBACK> 8048088:   48    dec    %eax         <-+ 8048089:   65    gs         | 804808a:   6c    insb   (%dx),%es:(%edi)          | 804808b:   6c    insb   (%dx),%es:(%edi)          | 804808c:   6f    outsl  %ds:(%esi),(%dx)          | 804808d:   2c 20 sub    $0x20,%al      | 804808f:   57    push   %edi| 8048090:   6f    outsl  %ds:(%esi),(%dx)          | 8048091:   72 6c jb     80480ff <MESSAGE+0x7c>    | 8048093:   64    fs         | 8048094:   21    .byte 0x21 | 8048095:   0d    .byte 0xd  | 8048096:   0a    .byte 0xa<-+$

我标记的行是我们的

"Hello, World!rn"

$ printf "x48x65x6cx6cx6fx2cx20x57x6fx72x6cx64x21x0dx0a"Hello, World!$

因此，我们的C包装器将是：

char pre[] =    "xe9x1ex00x00x00"  //          jmp    8048083 <MESSAGE>    "xb8x04x00x00x00"  //          mov    $0x4,%eax    "xbbx01x00x00x00"  //          mov    $0x1,%ebx    "x59"       //          pop    %ecx    "xbax0fx00x00x00"  //          mov    $0xf,%edx    "xcdx80"   //          int    $0x80    "xb8x01x00x00x00"  //          mov    $0x1,%eax    "xbbx00x00x00x00"  //          mov    $0x0,%ebx    "xcdx80"   //          int    $0x80    "xe8xddxffxffxff"  //          call   8048065 <GOBACK>    "Hello wolrd!rn";     // OR       "x48x65x6cx6cx6fx2cx20x57"      //          "x6fx72x6cx64x21x0dx0a"int main(int argc, char **argv){    (*(void(*)())pre)();    return 0;}

让我们测试一下：

$ gcc test.c -o test$ ./test Hello wolrd!$

有用。