-- date: 2020-01-07 description: 'ShellCodeを書いてみる' tags:

• CTF

---

ShellCodeを書いてみる

environment

$ uname -a
Linux localhost 5.3.0-kali3-amd64 #1 SMP Debian 5.3.15-1kali1 (2019-12-09) x86_64 GNU/Linux

syscall

• 32bit binary & x86 assembly
• syscall
  • each syscall has a particular syscall number
  • then all other syscall parameters are loaded into other registers
  • lastly, CPU in kernel mode executes the syscall function by calling 0x80

shellcode in C

• use execve(), which executes the program pointed to by filename
• we'll need to pass the filename "/bin/sh"
  • also argv which is an array of argument strings with the first string as "/bin/sh".
  • after that, we need not prepare other parameters, so let's set NULL
• the program is below

#include <unistd.h>

int main() {
  char* argv = {"/bin/sh", NULL};
  execve(argv[0], argv, NULL);
  return 0;
}

• let's run

# ./vuln
# id 
uid=0(root) gid=0(root) groups=0(root)
# tty 
/dev/pts/2
# exit

• it works!

shellcode in assembly

ref

• Writing your own shellcode (opens new window)