-- date: 2020-01-07 description: 'ShellCodeを書いてみる' tags:
- CTF
# ShellCodeを書いてみる
# environment
$ uname -a
Linux localhost 5.3.0-kali3-amd64 #1 SMP Debian 5.3.15-1kali1 (2019-12-09) x86_64 GNU/Linux
# syscall
- 32bit binary & x86 assembly
- syscall
- each syscall has a particular syscall number
- then all other syscall parameters are loaded into other registers
- lastly, CPU in kernel mode executes the syscall function by calling
0x80
# shellcode in C
- use
execve()
, which executes the program pointed to by filename - we'll need to pass the filename "/bin/sh"
- also argv which is an array of argument strings with the first string as "/bin/sh".
- after that, we need not prepare other parameters, so let's set
NULL
- the program is below
#include <unistd.h>
int main() {
char* argv = {"/bin/sh", NULL};
execve(argv[0], argv, NULL);
return 0;
}
- let's run
# ./vuln
# id
uid=0(root) gid=0(root) groups=0(root)
# tty
/dev/pts/2
# exit
- it works!