In the previous post we built shellcode by hand in assembly language.
Assembly is unfamiliar territory because we rarely get to work with it, so that was hard going; on Kali Linux, however, the shellcode can be generated for you.
- System used
Kali Linux
[Note] msfvenom
Kali Linux 2.x uses msfvenom. (The msfpayload command was removed and merged into msfvenom.)
Kali Linux 1.x uses msfpayload.
- Exercise
We will generate shellcode that runs /bin/ls.
# msfvenom -h

MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options] <var=val>

Options:
    -p, --payload       <payload>    Payload to use. Specify a '-' or stdin to use custom payloads
        --payload-options            List the payload's standard options
    -l, --list          [type]       List a module type. Options are: payloads, encoders, nops, all
    -n, --nopsled       <length>     Prepend a nopsled of [length] size on to the payload
    -f, --format        <format>     Output format (use --help-formats for a list)
        --help-formats               List available formats
    -e, --encoder       <encoder>    The encoder to use
    -a, --arch          <arch>       The architecture to use
        --platform      <platform>   The platform of the payload
        --help-platforms             List available platforms
    -s, --space         <length>     The maximum size of the resulting payload
        --encoder-space <length>     The maximum size of the encoded payload (defaults to the -s value)
    -b, --bad-chars     <list>       The list of characters to avoid example: '\x00\xff'
    -i, --iterations    <count>      The number of times to encode the payload
    -c, --add-code      <path>       Specify an additional win32 shellcode file to include
    -x, --template      <path>       Specify a custom executable file to use as a template
    -k, --keep                       Preserve the template behavior and inject the payload as a new thread
    -o, --out           <path>       Save the payload
    -v, --var-name      <name>       Specify a custom variable name to use for certain output formats
        --smallest                   Generate the smallest possible payload
    -h, --help                       Show this message
# msfvenom -l
# msfvenom -l | grep linux/x64/exec

    linux/x64/exec    Execute an arbitrary command
> Search the payload list for one that can run in the environment you want to practice on.
# msfvenom -p linux/x64/exec --payload-options

Options for payload/linux/x64/exec:

           Name: Linux Execute Command
         Module: payload/linux/x64/exec
       Platform: Linux
           Arch: x64
    Needs Admin: No
     Total size: 40
           Rank: Normal

Provided by:
    ricky

Basic options:
    Name  Current Setting  Required  Description
    ----  ---------------  --------  -----------
    CMD                    yes       The command string to execute

Description:
    Execute an arbitrary command

Advanced options for payload/linux/x64/exec:
    Name                Current Setting  Required  Description
    ----                ---------------  --------  -----------
    AppendExit          false            no        Append a stub that executes the exit(0) system call
    PrependChrootBreak  false            no        Prepend a stub that will break out of a chroot (includes setreuid to root)
    PrependFork         false            no        Prepend a stub that executes: if (fork()) { exit(0); }
    PrependSetgid       false            no        Prepend a stub that executes the setgid(0) system call
    PrependSetregid     false            no        Prepend a stub that executes the setregid(0, 0) system call
    PrependSetresgid    false            no        Prepend a stub that executes the setresgid(0, 0, 0) system call
    PrependSetresuid    false            no        Prepend a stub that executes the setresuid(0, 0, 0) system call
    PrependSetreuid     false            no        Prepend a stub that executes the setreuid(0, 0) system call
    PrependSetuid       false            no        Prepend a stub that executes the setuid(0) system call
    VERBOSE             false            no        Enable detailed status messages
    WORKSPACE                            no        Specify the workspace for this module

Evasion options for payload/linux/x64/exec:
    Name  Current Setting  Required  Description
    ----  ---------------  --------  -----------
# msfvenom --help-formats

Executable formats
    asp, aspx, aspx-exe, axis2, dll, elf, elf-so, exe, exe-only, exe-service, exe-small,
    hta-psh, jar, jsp, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-cmd, psh-net,
    psh-reflection, vba, vba-exe, vba-psh, vbs, war

Transform formats
    bash, c, csharp, dw, dword, hex, java, js_be, js_le, num, perl, pl, powershell, ps1,
    py, python, raw, rb, ruby, sh, vbapplication, vbscript
# msfvenom -p linux/x64/exec CMD=/bin/ls -f c -o myshellcode.c

No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 47 bytes
Final size of c file: 224 bytes
Saved as: myshellcode.c
# vi myshellcode.c

unsigned char buf[] =
"\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00\x53"
"\x48\x89\xe7\x68\x2d\x63\x00\x00\x48\x89\xe6\x52\xe8\x08\x00"
"\x00\x00\x2f\x62\x69\x6e\x2f\x6c\x73\x00\x56\x57\x48\x89\xe6"
"\x0f\x05";
> The shellcode has been generated.
# vi myshellcode.c

#include <stdio.h>

/* Shellcode generated by msfvenom: linux/x64/exec CMD=/bin/ls */
unsigned char buf[] =
"\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00\x53"
"\x48\x89\xe7\x68\x2d\x63\x00\x00\x48\x89\xe6\x52\xe8\x08\x00"
"\x00\x00\x2f\x62\x69\x6e\x2f\x6c\x73\x00\x56\x57\x48\x89\xe6"
"\x0f\x05";

int main(void)
{
    /* Treat the byte array as a function and call it. The array lives in a
       writable data section, so the binary must be built with -z execstack
       for this call to be allowed (see the gcc command below). */
    int (*shell)(void) = (int (*)(void)) buf;
    (*shell)();
    return 0;
}
> Add the code that executes the shellcode.
# gcc -fno-stack-protector -z execstack -o myshellcode myshellcode.c
> Kali Linux ships with strong security policies. Shellcode placed on the stack and executed directly is exactly the dangerous pattern those policies are meant to stop.
> So by default data can be placed on the stack but not executed from it. The gcc options relax this: -z execstack marks the stack executable, and -fno-stack-protector disables the stack canary.
# ./myshellcode
> The result is the same as running ls.
Passing options in CMD, such as ls -l, works fine as well.
Looking at the shellcode, you can see that it is clearly longer than the /bin//sh shellcode we wrote in assembly in the previous post.
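Before dropping generated shellcode into a test harness it is worth inspecting what msfvenom actually produced: the byte count it reported, whether the blob contains NUL bytes (which is why the -b / --bad-chars option and encoders exist), and which program and command strings are baked in. The helper below is an added example, not part of the original post or of Metasploit; it parses the C-format output shown above (embedded here as a constructed sample) and works on any -f c file.

```python
import re

# Constructed sample: the C-format output msfvenom wrote to myshellcode.c
# for "linux/x64/exec CMD=/bin/ls" (the same bytes shown earlier on this page).
MSFVENOM_C_OUTPUT = r'''
unsigned char buf[] =
"\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00\x53"
"\x48\x89\xe7\x68\x2d\x63\x00\x00\x48\x89\xe6\x52\xe8\x08\x00"
"\x00\x00\x2f\x62\x69\x6e\x2f\x6c\x73\x00\x56\x57\x48\x89\xe6"
"\x0f\x05";
'''


def parse_c_shellcode(text: str) -> bytes:
    """Turn the \\xNN escapes of msfvenom's -f c output back into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))


def find_bad_chars(code: bytes, bad: bytes = b"\x00") -> dict:
    """Map each forbidden byte value (default: NUL) to the offsets where it occurs.
    A non-empty result means a strcpy-style copy would truncate the payload and
    it should be regenerated with -b '\\x00' so an encoder removes those bytes."""
    return {b: [i for i, c in enumerate(code) if c == b] for b in bad if b in code}


def extract_strings(code: bytes, min_len: int = 4) -> list:
    """Return printable ASCII runs of at least min_len bytes; for exec payloads
    this exposes the interpreter and command strings embedded in the blob."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, code)]


def analyze(text: str) -> dict:
    """Summarise one msfvenom C-format file: size, NUL positions, embedded strings."""
    code = parse_c_shellcode(text)
    return {
        "size": len(code),
        "bad_chars": find_bad_chars(code),
        "strings": extract_strings(code),
    }


if __name__ == "__main__":
    report = analyze(MSFVENOM_C_OUTPUT)
    print(f"payload size : {report['size']} bytes")
    for value, offsets in report["bad_chars"].items():
        print(f"byte 0x{value:02x} at offsets {offsets}")
    print("embedded strings:", report["strings"])
```

For the sample above the size matches the 47 bytes msfvenom reported, seven NUL bytes are found, and the strings /bin/sh and /bin/ls show that the payload runs the command through a shell rather than exec'ing /bin/ls directly.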