
ShellCode溢出入门 例子 完整源码

这是刚进公司那几天研究的  

照着自己以前买的黑防溢出的书弄的

附上书和光盘里没有的代码 或我亲自修正的代码

vul1.c

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
/* Source string for the baseline demo: six characters plus the implicit NUL,
 * so sizeof mybuf == 7 and it fits comfortably in the 200-byte heap block. */
char mybuf[] = "k8test";
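int main(int argc,char *argv[])
{
    /* Baseline for the heap demos: copy a short, NUL-terminated global string
     * into a block of a private heap, allocate a second block, free both.
     * Nothing overflows here because mybuf ("k8test", 7 bytes with the NUL)
     * is far below the 200-byte block.
     * Returns 0 on success, EXIT_FAILURE if the heap or a block could not be
     * obtained. argc/argv are unused. */
    enum { BUF1_SIZE = 200, BUF2_SIZE = 16 };
    HANDLE hHeap = NULL;
    char *buf1 = NULL, *buf2 = NULL;
    int rc = EXIT_FAILURE;

    (void)argc;
    (void)argv;

    /* Private heap: 0x1000 bytes committed up front, 0xffff maximum.
     * HeapCreate reports failure by returning NULL, which the original never
     * checked before handing the handle to HeapAlloc. */
    hHeap = HeapCreate(HEAP_GENERATE_EXCEPTIONS, 0x1000, 0xffff);
    if (hHeap == NULL) {
        fputs("HeapCreate failed\n", stderr);
        return rc;
    }
    /* %p expects void *; cast the char array explicitly. */
    printf("mybuf addr=%p\n", (void *)mybuf);

    /* With HEAP_GENERATE_EXCEPTIONS, HeapAlloc raises on failure instead of
     * returning NULL; the NULL checks are a cheap second line of defence. */
    buf1 = HeapAlloc(hHeap, 0, BUF1_SIZE);
    if (buf1 == NULL) {
        fputs("HeapAlloc(buf1) failed\n", stderr);
        goto out_destroy;
    }
    /* Bounded, always-terminating copy instead of strcpy: the limit is the
     * allocation size, so a longer or unterminated source can never write
     * past buf1. For "k8test" the result is identical to the original. */
    snprintf(buf1, BUF1_SIZE, "%s", mybuf);
    printf("buf1=%s\n", buf1);

    buf2 = HeapAlloc(hHeap, 0, BUF2_SIZE);
    if (buf2 == NULL) {
        fputs("HeapAlloc(buf2) failed\n", stderr);
        goto out_free1;
    }
    rc = 0;

    HeapFree(hHeap, 0, buf2);
out_free1:
    HeapFree(hHeap, 0, buf1);
out_destroy:
    /* The original left the private heap alive until process exit; releasing
     * it explicitly keeps the example leak-free. */
    HeapDestroy(hHeap);
    return rc;
}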

//========================================= 

//vul2.c (黑防的书不完整，根本没有 vul2.c 的代码；光盘的内容更是和书不一样)

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
/* 240-byte source buffer that main() fills before the copy. The size leaves
 * no slot reserved for a NUL terminator: unless main() stores one itself,
 * strcpy() reads past the end of this array. Zero-filled until main() runs. */
char mybuf[240] = {0};
int main(int argc,char *argv[])
{
/* Heap-overflow demonstration: fills the 240-byte global mybuf with 'A' and
 * strcpy()s it into a 200-byte block taken from a private heap.
 * Two defects turn the copy into an overflow:
 *  - mybuf never receives a NUL terminator, so strcpy keeps reading past the
 *    end of mybuf until it happens to meet a zero byte (out-of-bounds read);
 *  - the destination is 200 bytes, 40 bytes shorter than the source, so
 *    everything from byte 200 on is written outside buf1 (out-of-bounds write).
 * Mitigation: a bounded, terminating copy such as
 *   snprintf(buf1, 200, "%s", mybuf);
 * together with a terminated source. Neither HeapCreate nor HeapAlloc is
 * checked, and strcpy is used without <string.h> (presumably pulled in via
 * windows.h on the original toolchain). Always returns 0. */
HANDLE hHeap;
char *buf1,*buf2;

int i;
for(i=0;i<240;i++)
{
    mybuf[i]='A'; // every byte, including the last, becomes 'A': no terminator
}

// Create a private heap for the demo (0x1000 initial, 0xffff maximum); result unchecked
hHeap = HeapCreate(HEAP_GENERATE_EXCEPTIONS,0x1000,0xffff);
printf("mybuf addr=%p\n",mybuf);

// buf1: 200-byte block, 40 bytes too small for the 240-byte source
buf1=HeapAlloc(hHeap,0,200);
strcpy(buf1,mybuf); // out-of-bounds read of mybuf and write past the end of buf1
printf("buf1=%s\n",buf1); // "%s" likewise reads until the first zero byte, beyond the block

// buf2: this allocation and the two frees operate on heap bookkeeping that the
// copy above presumably overwrote — the fault this page discusses; confirm under a debugger
buf2 = HeapAlloc(hHeap,0,16);
HeapFree(hHeap,0,buf1);
HeapFree(hHeap,0,buf2);
return 0;
}
//====================================== 
//vul3.c

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
/* 240-byte source buffer that main() fills with a marker pattern before the
 * copy. No slot is reserved for a NUL terminator, so strcpy() reads past the
 * end of this array unless main() stores one. Zero-filled until main() runs. */
char mybuf[240] = {0};
int main(int argc,char *argv[])
{
/* Same overflow as vul2.c, but the source holds a repeating marker pattern
 * instead of 'A': byte i is 100 + (i % 10), i.e. 0x64..0x6D cycling every 10
 * bytes. The page's vul5.c notes use the byte that shows up in the fault to
 * derive the position within a 10-byte group (vul4.c supplies the group).
 * The defects are unchanged: mybuf gets no NUL terminator and the 200-byte
 * block is 40 bytes shorter than the 240-byte source, so strcpy reads and
 * writes out of bounds. Mitigation: snprintf(buf1, 200, "%s", mybuf) with a
 * terminated source. HeapCreate/HeapAlloc results are unchecked; strcpy is
 * used without <string.h>. Always returns 0. */
HANDLE hHeap;
char *buf1,*buf2;

int i;
for(i=0;i<240;i++)
{
    mybuf[i]=100+i%10; // cycles through 100..109, i.e. 0x64..0x6D in hex; never a zero byte
    //printf("%d\n",i%10);
}

// Create a private heap for the demo (0x1000 initial, 0xffff maximum); result unchecked
hHeap = HeapCreate(HEAP_GENERATE_EXCEPTIONS,0x1000,0xffff);
printf("mybuf addr=%p\n",mybuf);

// buf1: 200-byte block, 40 bytes too small for the 240-byte source
buf1=HeapAlloc(hHeap,0,200);
strcpy(buf1,mybuf); // out-of-bounds read of mybuf and write past the end of buf1
printf("buf1=%s\n",buf1); // "%s" likewise reads until the first zero byte, beyond the block

// buf2: this allocation and the two frees operate on heap bookkeeping that the
// copy above presumably overwrote — the fault this page discusses; confirm under a debugger
buf2 = HeapAlloc(hHeap,0,16);
HeapFree(hHeap,0,buf1);
HeapFree(hHeap,0,buf2);
return 0;
}

//========================================= 

//vul4.c

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
/* 240-byte source buffer that main() fills with a group-number pattern before
 * the copy. No slot is reserved for a NUL terminator, so strcpy() reads past
 * the end of this array unless main() stores one. Zero-filled until main() runs. */
char mybuf[240] = {0};
int main(int argc,char *argv[])
{
/* Companion to vul3.c: byte i is 100 + (i / 10), i.e. 0x64..0x7B, constant
 * across each 10-byte group and stepping once per group (groups 0..23). The
 * byte that shows up in the fault then names the group; vul3.c's pattern
 * names the offset inside it. The defects are unchanged: mybuf gets no NUL
 * terminator and the 200-byte block is 40 bytes shorter than the 240-byte
 * source, so strcpy reads and writes out of bounds. Mitigation:
 * snprintf(buf1, 200, "%s", mybuf) with a terminated source.
 * HeapCreate/HeapAlloc results are unchecked; strcpy is used without
 * <string.h>. Always returns 0. */
HANDLE hHeap;
char *buf1,*buf2;

int i;
for(i=0;i<240;i++)
{
    mybuf[i]=100+i/10; // 100..123 (0x64..0x7B): one value per 10-byte group, never a zero byte
    //printf("%d\n",i/10); // groups of 10, numbered 0..23
}

// Create a private heap for the demo (0x1000 initial, 0xffff maximum); result unchecked
hHeap = HeapCreate(HEAP_GENERATE_EXCEPTIONS,0x1000,0xffff);
printf("mybuf addr=%p\n",mybuf);

// buf1: 200-byte block, 40 bytes too small for the 240-byte source
buf1=HeapAlloc(hHeap,0,200);
strcpy(buf1,mybuf); // out-of-bounds read of mybuf and write past the end of buf1
printf("buf1=%s\n",buf1); // "%s" likewise reads until the first zero byte, beyond the block

// buf2: this allocation and the two frees operate on heap bookkeeping that the
// copy above presumably overwrote — the fault this page discusses; confirm under a debugger
buf2 = HeapAlloc(hHeap,0,16);
HeapFree(hHeap,0,buf1);
HeapFree(hHeap,0,buf2);
return 0;
}

//====================================== 

//vul5.c 计算出错点的位置

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
/* 240-byte source buffer that main() fills with 'A' and a few 'B' markers
 * before the copy. No slot is reserved for a NUL terminator, so strcpy()
 * reads past the end of this array unless main() stores one. Zero-filled
 * until main() runs. */
char mybuf[240] = {0};
int main(int argc,char *argv[])
{
/* Final step of the series: locate the byte offset at which the overrun is
 * first noticed, using the two marker runs (vul3.c / vul4.c), and mark it
 * with 'B' so the fault value becomes 0x42424242. The defects are the same
 * as in vul2.c: mybuf gets no NUL terminator and the 200-byte block is 40
 * bytes shorter than the 240-byte source, so strcpy reads and writes out of
 * bounds. Mitigation: snprintf(buf1, 200, "%s", mybuf) with a terminated
 * source. HeapCreate/HeapAlloc results are unchecked; strcpy is used without
 * <string.h>. Always returns 0. */
HANDLE hHeap;
char *buf1,*buf2;

int i;
for(i=0;i<240;i++)
{
    mybuf[i]='A'; // every byte becomes 'A': no terminator
}
// First run (vul3.c pattern): the fault showed 0x66. The author attributes
// this to last-in-first-out order (not something the code itself shows);
// with only 0x64..0x6D cycling through the array, the offset within the
// 10-byte group is 0x66 - 0x64 = 2.

// Second run (vul4.c pattern): the fault showed 0x79.
// 0x79 - 0x64 = 0x15 = 21,
// so the overrun is noticed in group 21
// (groups are 10 bytes each).

// Combining both gives the offset of the fault point:
// (0x79 - 0x64) * 10 + (0x66 - 0x64)
// = 21 * 10 + 2
// = 212

// Bytes 212..216 lie past the 200-byte block, so after the copy they land
// outside buf1; 212..215 are the four bytes reported as 0x42424242.
mybuf[212]='B';
mybuf[213]='B';
mybuf[214]='B';
mybuf[215]='B';
mybuf[216]='B';
mybuf[127]='B'; // NOTE(review): 127 looks like a typo for 217 — confirm; as written it sits inside the first 200 bytes and plays no part in the overrun

// After compiling, the fault reports 0x42424242 ("BBBB"), confirming the computed offset.

// Create a private heap for the demo (0x1000 initial, 0xffff maximum); result unchecked
hHeap = HeapCreate(HEAP_GENERATE_EXCEPTIONS,0x1000,0xffff);
printf("mybuf addr=%p\n",mybuf);

// buf1: 200-byte block, 40 bytes too small for the 240-byte source
buf1=HeapAlloc(hHeap,0,200);
strcpy(buf1,mybuf); // out-of-bounds read of mybuf and write past the end of buf1
printf("buf1=%s\n",buf1); // "%s" likewise reads until the first zero byte, beyond the block

// buf2: this allocation and the two frees operate on heap bookkeeping that the
// copy above presumably overwrote — the fault this page discusses; confirm under a debugger
buf2 = HeapAlloc(hHeap,0,16);
HeapFree(hHeap,0,buf1);
HeapFree(hHeap,0,buf2);
return 0;
}

//=========================================== 