소스
#include <stdio.h>
/*
 * Minimal test program: fills a two-entry pointer array and passes it to
 * execve() as the argument vector, with "/bin/sh" as the program path.
 *
 * NOTE(review): execve() is declared in <unistd.h>, which this listing does
 * not include (only <stdio.h>), so the call relies on an implicit
 * declaration. The return value of execve() is ignored and main() has no
 * return statement; execve() only returns to the caller when it fails.
 */
int main ()
{
char *name[2];                /* argv array handed to execve() */
name[0]="/bin/sh";            /* argv[0]; the same pointer is reused as the path argument */
name[1]=0;                    /* null pointer terminating the argv array */
execve(name[0], name, NULL);  /* envp is NULL: no environment is passed (accepted on Linux, not portable) */
}
메모리맵 ([stack] 영역이 rwxp로 매핑되어 있음, 즉 이 환경에서는 스택에 실행 권한이 있음)
(gdb) shell cat /proc/2484/maps
00400000-00401000 r-xp 00000000 08:01 529142 /home/mk_shellcode/execve
00410000-00411000 rw-p 00000000 08:01 529142 /home/mk_shellcode/execve
77e3a000-77fa7000 r-xp 00000000 08:01 265575 /lib/mipsel-linux-gnu/libc-2.13.so
77fa7000-77fb6000 ---p 0016d000 08:01 265575 /lib/mipsel-linux-gnu/libc-2.13.so
77fb6000-77fbf000 r--p 0016c000 08:01 265575 /lib/mipsel-linux-gnu/libc-2.13.so
77fbf000-77fc1000 rw-p 00175000 08:01 265575 /lib/mipsel-linux-gnu/libc-2.13.so
77fc1000-77fc4000 rw-p 00000000 00:00 0
77fc4000-77fe7000 r-xp 00000000 08:01 265572 /lib/mipsel-linux-gnu/ld-2.13.so
77fef000-77ff1000 rw-p 00000000 00:00 0
77ff5000-77ff6000 rw-p 00000000 00:00 0
77ff6000-77ff7000 r--p 00022000 08:01 265572 /lib/mipsel-linux-gnu/ld-2.13.so
77ff7000-77ff8000 rw-p 00023000 08:01 265572 /lib/mipsel-linux-gnu/ld-2.13.so
7ffd6000-7fff7000 rwxp 00000000 00:00 0 [stack]
7fff7000-7fff8000 r-xp 00000000 00:00 0 [vdso]
objdump로 디스어셈블
addiu sp,sp,-40 ( = esp - 40 )
sw ra,36(sp) ( = push ret )
sw s8,32(sp) ( = push ebp )
move s8,sp ( =at&t 문법으로 보면 mov %esp, %ebp )
lui v0,0x40 => v0 = 0x00400000 (상위 16비트 로드)
addiu v0,v0,2096(0x830) => (v0 = 0x00400830, 문자열 "/bin/sh"의 주소)
sw v0,24(s8) => Memory[fp+24] = v0
sw zero,28(s8) => Memory[fp+28] = 0
lw v0,24(s8) => v0 = Memory[fp+24]
move a0,v0 => a0 = v0
addiu v0,s8,24 => v0 = fp + 24
move a1,v0 => a1 = v0
move a2,zero => a2 = 0
jal 400500 <execve@plt>
move at,at ( = jal의 분기 지연 슬롯을 채우는 nop )
move sp,s8 ( =at&t 문법으로 보면 mov %ebp, %esp)
lw ra,36(sp) ( = pop ret )
lw s8,32(sp) ( = pop ebp )
addiu sp,sp,40 ( = esp + 40 )
jr ra ( goto ret )