在 Python 中执行 shellcode

2024-06-17 13:46:09 发布


下面的代码在 C 中可以工作，在 Python 中是否也能做类似的事情？Python 2.7.x 或 3.x 均可。

/* Raw machine-code payload, kept byte-for-byte as posted.  The trailing bytes
 * spell the ASCII string "/bin/sh", so a listing like this should be treated
 * as a shell-spawning payload rather than ordinary data.  The array lives in
 * a writable data segment; calling into it only works if that segment is also
 * executable.  Modern toolchains map data as non-executable (NX / W^X), which
 * is exactly the protection that turns this pattern into a crash. */
char bytes[] = "\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x1a\x5e\x31\xc0"
               "\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46\x0c\xb0\x0b"
               "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1\xff"
               "\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x20";

int main() {
   /* Reinterpret the data array as a function and jump into it.  This is
    * undefined behaviour in C: nothing validates the bytes, and with NX
    * enforced the first fetch from the page faults (SIGSEGV). */
   ((int (*)())bytes)();
}

我尝试了以下方法:

#!/usr/bin/python
import ctypes
import mmap
from subprocess import call

# Handle to the process's own symbol table; it is never used below.
lib = ctypes.cdll.LoadLibrary(None)

# Payload kept byte-for-byte as posted.  NOTE: only the first literal carries
# the b prefix; the other three are str literals.  Python 2 concatenates them
# silently, but Python 3 rejects mixing bytes and str literals here with a
# SyntaxError, so as written this is not portable to "2.7.x or 3.x".
shellcode = (b"\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x1a\x5e\x31\xc0"
              "\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46\x0c\xb0\x0b"
              "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1\xff"
              "\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x20")

# A ctypes buffer is ordinary heap memory: readable and writable, not
# executable.  `code` is also never referenced again.
code = ctypes.create_string_buffer(shellcode)
# In CPython, id() is the address of the object header, not of the payload
# bytes; and even the payload sits on a non-executable heap page.
addr = id(shellcode)

# Test Shellcode
# Jumping to a non-executable page is precisely what the NX / W^X mitigation
# exists to stop: the CPU faults and the process dies with SIGSEGV, which is
# the "Segmentation fault (core dumped)" reported below.
functype = ctypes.CFUNCTYPE(ctypes.c_int)
func = functype(addr)
func()

我一直得到Segmentation fault (core dumped)


1条回答
1楼 · 发布于 2024-06-17 13:46:09

create_string_buffer 无法工作的原因是该内存页没有被标记为可执行。要执行 shellcode，你需要一块具有读取和执行（RX）权限的内存页。一个简单的方法是使用 mmap。

以下代码可在 Python 3 上运行 shellcode（在 Python 3.8.11 上测试）：

import ctypes
import mmap

# This shellcode will print "Hello World from shellcode!"
# Opaque machine code kept byte-for-byte as posted.  Nothing below inspects or
# validates it, so the only thing a reader can rely on is the author's claim.
shellcode = b"hed \x0b\x814$\x01\x01\x01\x01H\xb8 shellcoPH\xb8rld fromPH\xb8Hello WoPj\x01Xj\x01_j\x1cZH\x89\xe6\x0f\x05XXXX\xc3"

# Allocate an executable memory and write shellcode to it
# Anonymous (fd = -1), page-sized mapping requested with read, write AND
# execute permission at once.  This RWX mapping is the difference from the
# create_string_buffer attempt, and it is also the classic signal that
# W^X policies, seccomp/EDR rules and memory scanners look for; on hardened
# systems the mmap call itself may be refused.
mem = mmap.mmap(
    -1,
    mmap.PAGESIZE,
    mmap.MAP_SHARED,
    mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC,
)
mem.write(shellcode)

# Get actual mmap address (I don't know the proper way to get the address sorry...)
# Assuming x64
# NOTE(review): this reads 8 bytes at a fixed offset (16) past the object's
# id(), i.e. it relies on CPython's private mmap object layout on a 64-bit
# build.  Another interpreter version, platform or pointer size can return
# garbage, and the call below would then jump to an arbitrary address.
addr = int.from_bytes(ctypes.string_at(id(mem) + 16, 8), "little")
print(hex(addr))

# Create the function
# Wrap the raw integer address as a C function returning void*; ctypes does
# not check that addr points at valid code.
functype = ctypes.CFUNCTYPE(ctypes.c_void_p)
fn = functype(addr)

# Run shellcode
# Control leaves the interpreter entirely here; the payload itself is
# responsible for returning cleanly so that the next line can run.
fn()

print("Back to python!")

输出如下所示：

0x7fd6ed4c2000
Hello World from shellcode!
Back to python!
