Cainiao local shellcode Compiling Technology

I haven't written a blog for a long time. Today I am writing a topic that I have never written before, and the Buffer Overflow Shellcode is written.

I am a cainiao and have never written shellcode before. Recently, I have been busy with network penetration. Stack Overflow is also fragmented and I have seen some knowledge. I am a newbie, and cainiao's remarks are only for entertainment.

You can also look at cainiao. I wrote this article from the perspective of beginners, so it should be easier for beginners to understand.

For some complex shellcodet, we will not talk about it for the moment. Let's take a look at writing a shellcode that opens the CMD window. In fact, a great hacker wrote a series of exploit writing on the black line of defense. If you are interested, go and check it on your own.

First, we need to understand the operating mechanism of windows. First, we will write a simple program to open the local cmd window:

 # Include <windows. h> <br/> void main () <br/> {<br/> winexec(cmd.exe ", 1); <br/>}< br/>

Press F10 on Visual C ++ to enter the disassembly code:

 

1: # include "windows. h "<br/> 2: void main () <br/> 3: {<br/> 00401010 push EBP <br/> 00401011 mov EBP, ESP <br/> 00401013 sub ESP, 40 h <br/> 00401016 push EBX <br/> 00401017 push ESI <br/> 00401018 push EDI <br/> 00401019 Lea EDI, [ebp-40h] <br/> 0040101c mov ECx, 10 h <br/> 00401021 mov eax, 0 cccccccch <br/> 00401026 rep STOs dword ptr [EDI] <br/> 4: winexec ("cmd.exe", 1); <br/> 00401028 mov ESI, ESP <br/> 0040102a Push 1 <br/> 0040102c push offset string "cmd.exe" (0041f01c) <br/> 00401031 call dword ptr [_ imp _ winexec @ 8 (0020.13c)] <br/> 00401037 cmp esi, ESP <br/> 00401039 call _ chkesp (00401070) <br/> 5 :}< br/>

 

Through this program, we can clearly see that when the computer calls the winexec function, it first pushes the two parameters from right to left into the stack, and then calls the call function to go to The winexec address. However, note that in addition to address redirection, the call function also pushes the current EIP to the stack.

Shellcode is a machine code, and most people will see it dizzy, but don't worry. What we have to do is not to use the machine code to write this pile of things. These computers have done a good job for us, all we have to do is write down the code we want to implement in assembly or even advanced languages.

 

However, the purpose is already very clear. To call the winexec function, we need to know the address of the winexec function in different systems. How can we know the address of this function? Here I will introduce a very simple way to use the depends tool that comes with VC. Open depends and drag a PE file as follows:

 

 

 

 

 

We can see that the entry address of kernel. dll is 0x7c800000, And the winexec entry address is 0x0006250d. Then the winexec address is added to get 0x7c86250d. Is this simple? In addition, the cainiao may use different windows xp sp3 systems.

With the entry address, we can compile our shellcode using assembler,

# Include <windows. h> <br/> void main () <br/>{< br/> _ ASM <br/>{< br/> push EBP <br/> mov EBP, ESP <br/> xor edi, EDI <br/> push EDI <br/> sub ESP, 04 H <br/> mov [ebp-08h], 63 H <br/> mov [ebp-07h], 6DH <br/> mov [ebp-06h], 64 h <br/> mov [ebp-05h], 2EH <br/> mov [ebp-04h], 65 h <br/> mov [ebp-03h], 78 H <br/> mov [ebp-02h], 65 h <br/> Push 1 // press the first parameter <br/> Lea eax, [ebp-08h] <br/> push eax // press the second parameter <br/> mov edX, 0x7c86250d <br/> call edX // call winexec <br/> Leave <br/>}; <br/>}< br/>

Press F10 to enter the disassembly debugger and press Alt + 8 to see the Assembly Code. There is no machine code at this time. Don't worry, right-click the blank area and select "code Byte" from the drop-down menu. See what appears? The machine code is displayed before each line of assembly code! For example

The following task is to copy these machine codes. This is physical activity. Directly copy them together, for example, 558bec83ec ...... Do we need to manually add/X before every two letters? Of course not. Write a small program. once and for all:

# Include "stdio. H "<br/> # include" stdlib. H "<br/> int main () <br/>{< br/> file * FP1 = NULL, * fp2 = NULL; <br/> char CH, filename [20] = {0}; <br/> printf ("Enter the file path: (Note character escaping)/n "); <br/> scanf ("% s", filename); <br/> If (FP1 = fopen (filename, "rb") = NULL) <br/>{< br/> printf ("file cannot be read! /N "); <br/> exit (0); <br/>}< br/> If (fp2 = fopen (" D: // shellcode.txt ", "W +") = NULL) <br/>{< br/> printf ("file cannot be written! /N "); <br/> exit (0); <br/>}< br/> while (! Feof (FP1) <br/>{< br/> CH = fgetc (FP1); <br/> fputc ('//', fp2 ); <br/> fputc ('x', fp2); <br/> fputc (CH, fp2); <br/> CH = fgetc (FP1 ); <br/> fputc (CH, fp2); <br/>}< br/> printf ("conversion successful! "); <Br/> fclose (FP1); <br/> fclose (fp2); <br/> return 0; </P> <p >}< br/>

The final shellcode to be converted is

/X55/x8b/xex/x83/xec/X40/x53/x56/x57/x8d/x7d/xc0/xb9/x10/X11/X11/X11/xb8/Xcc /Xcc/xf3/x1b/x55/x8b/xec/x33/xFF/x57/x83/xec/x04/xc6/x45/xf8/x63/xc6/x45/xf9 /x6d/xc6/x45/xfa/x64/xc6/x45/xfb/x2e/xc6/x45/xfc/X65/xc6/x45/XFD/x78/xc6/x45/xfe /X65/x6a/x01/x8d/x45/xf8/x50/Xba/x0d/x25/x86/x7c/xFF/xd2/xc9

Now I have finished talking about all the things here. It's still a sentence like that, cainiao's remarks...