ShellCode溢出入门 例子 完整源码
这是刚进公司那几天，照着自己以前买的《黑防》溢出书研究出来的。
附上书和光盘里都没有的代码，或是我亲自修正过的代码。
vul1.c
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
/* Source string copied into the heap block by main(): 7 bytes including the
 * terminator, so it fits comfortably inside the 200-byte allocation. */
char mybuf[]="k8test";
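/*
 * vul1: baseline (non-overflowing) run of the private-heap demo.
 *
 * Creates a private heap, allocates a 200-byte block, copies the 7-byte
 * global string into it, allocates a second 16-byte block, then frees both.
 * Nothing overflows here; vul2..vul5 reuse this skeleton with a 240-byte
 * payload to corrupt whatever the allocator placed after buf1.
 *
 * Change from the original: HeapCreate's result is checked (a NULL handle
 * would otherwise be passed straight into HeapAlloc) and the heap is
 * destroyed before exit.
 *
 * Returns 0 on success, 1 if the private heap could not be created.
 */
int main(int argc,char *argv[])
{
    HANDLE hHeap;
    char *buf1,*buf2;

    (void)argc;
    (void)argv;

    /* Private heap: 0x1000 bytes initial, 0xffff maximum (not growable).
     * HEAP_GENERATE_EXCEPTIONS requests that allocation failures raise an
     * SEH exception instead of returning NULL, which is why the HeapAlloc
     * calls below carry no NULL check (confirm against the HeapAlloc docs
     * for the target Windows version). HeapCreate itself still reports
     * failure by returning NULL. */
    hHeap = HeapCreate(HEAP_GENERATE_EXCEPTIONS,0x1000,0xffff);
    if (hHeap == NULL) {
        fprintf(stderr, "HeapCreate failed: %lu\n", GetLastError());
        return 1;
    }
    printf("mybuf addr=%p\n",(void *)mybuf);

    buf1=HeapAlloc(hHeap,0,200);
    /* "k8test" is 7 bytes with its terminator: well inside the 200 bytes. */
    strcpy(buf1,mybuf);
    printf("buf1=%s\n",buf1);

    buf2 = HeapAlloc(hHeap,0,16);
    HeapFree(hHeap,0,buf1);
    HeapFree(hHeap,0,buf2);
    HeapDestroy(hHeap);
    return 0;
}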
//=========================================
//vul2.c (黑防的书不完整，根本没有 vul2.c 的代码；光盘里的内容和书也不一样)
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
/* 240-byte payload built by main() and copied into a 200-byte heap block
 * with strcpy. No room is reserved for a terminator: as written, main fills
 * all 240 bytes and strcpy keeps reading past mybuf until it happens upon a
 * zero byte in whatever follows it in memory. */
char mybuf[240];
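/*
 * vul2: deliberate heap overflow with a uniform 'A' payload.
 *
 * Fills the 240-byte global with 'A', then strcpy()s it into a 200-byte
 * block on a private heap. The copy runs about 40 bytes past the end of
 * buf1 into whatever the allocator placed next (presumably the following
 * chunk's header and free-list links) — that corruption is the point of the
 * demo and is kept.
 *
 * Two defects around the demo are fixed: the payload is now NUL-terminated
 * inside mybuf, so strcpy copies exactly sizeof mybuf bytes instead of
 * reading past the global until it finds a zero; and HeapCreate's result is
 * checked before use.
 *
 * Returns 0 if the corrupted heap lets the frees complete, 1 if the heap
 * could not be created. A crash or heap-corruption exception inside
 * HeapAlloc/HeapFree is the expected outcome.
 */
int main(int argc,char *argv[])
{
    HANDLE hHeap;
    char *buf1,*buf2;
    size_t i;

    (void)argc;
    (void)argv;

    /* 239 x 'A' followed by a terminator: exactly 240 bytes leave mybuf. */
    for(i=0;i<sizeof mybuf-1;i++)
    {
        mybuf[i]='A';
    }
    mybuf[sizeof mybuf-1]='\0';

    /* HEAP_GENERATE_EXCEPTIONS: allocation failures raise an SEH exception
     * rather than returning NULL (verify for the target OS); HeapCreate
     * itself still returns NULL on failure. */
    hHeap = HeapCreate(HEAP_GENERATE_EXCEPTIONS,0x1000,0xffff);
    if (hHeap == NULL) {
        fprintf(stderr, "HeapCreate failed: %lu\n", GetLastError());
        return 1;
    }
    printf("mybuf addr=%p\n",(void *)mybuf);

    buf1=HeapAlloc(hHeap,0,200);
    /* INTENTIONAL OVERFLOW: 240 bytes written into a 200-byte block. */
    strcpy(buf1,mybuf);
    printf("buf1=%s\n",buf1);

    /* The next allocation and the frees walk the allocator's metadata that
     * the overflow just overwrote; this is where the demo faults. */
    buf2 = HeapAlloc(hHeap,0,16);
    HeapFree(hHeap,0,buf1);
    HeapFree(hHeap,0,buf2);
    HeapDestroy(hHeap);
    return 0;
}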
//======================================
//vul3.c
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
/* 240-byte payload built by main() and copied into a 200-byte heap block
 * with strcpy. No room is reserved for a terminator: as written, main fills
 * all 240 bytes and strcpy keeps reading past mybuf until it happens upon a
 * zero byte in whatever follows it in memory. */
char mybuf[240];
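/*
 * vul3: heap overflow with a payload that encodes (offset % 10) in each byte.
 *
 * Byte i of the payload is 100 + i%10, i.e. 0x64..0x6D repeating. When the
 * corrupted allocator faults, the bytes it dereferences show up in the
 * error report, and (value - 0x64) gives the low decimal digit of the
 * offset at which the overflow hit the metadata. vul4 encodes the tens
 * digit the same way; vul5 combines the two readings.
 *
 * As in vul2, the overflow of the 200-byte block by the 240-byte payload is
 * deliberate and kept. Fixed here: the payload is NUL-terminated inside
 * mybuf (the original read past the global), and HeapCreate is checked.
 *
 * Returns 0 if the frees complete, 1 if the heap could not be created.
 */
int main(int argc,char *argv[])
{
    HANDLE hHeap;
    char *buf1,*buf2;
    size_t i;

    (void)argc;
    (void)argv;

    /* 0x64,0x65,...,0x6D,0x64,... for indices 0..238, then a terminator. */
    for(i=0;i<sizeof mybuf-1;i++)
    {
        mybuf[i]=(char)(100+i%10);
    }
    mybuf[sizeof mybuf-1]='\0';

    /* HEAP_GENERATE_EXCEPTIONS: allocation failures raise an SEH exception
     * rather than returning NULL (verify for the target OS); HeapCreate
     * itself still returns NULL on failure. */
    hHeap = HeapCreate(HEAP_GENERATE_EXCEPTIONS,0x1000,0xffff);
    if (hHeap == NULL) {
        fprintf(stderr, "HeapCreate failed: %lu\n", GetLastError());
        return 1;
    }
    printf("mybuf addr=%p\n",(void *)mybuf);

    buf1=HeapAlloc(hHeap,0,200);
    /* INTENTIONAL OVERFLOW: 240 bytes written into a 200-byte block. */
    strcpy(buf1,mybuf);
    printf("buf1=%s\n",buf1);

    /* Allocator walks the overwritten metadata here; note the faulting
     * value it reports and subtract 0x64. */
    buf2 = HeapAlloc(hHeap,0,16);
    HeapFree(hHeap,0,buf1);
    HeapFree(hHeap,0,buf2);
    HeapDestroy(hHeap);
    return 0;
}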
//=========================================
//vul4.c
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
/* 240-byte payload built by main() and copied into a 200-byte heap block
 * with strcpy. No room is reserved for a terminator: as written, main fills
 * all 240 bytes and strcpy keeps reading past mybuf until it happens upon a
 * zero byte in whatever follows it in memory. */
char mybuf[240];
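/*
 * vul4: heap overflow with a payload that encodes (offset / 10) in each byte.
 *
 * Byte i of the payload is 100 + i/10: ten consecutive bytes share one
 * value, starting at 0x64 for offsets 0..9 and climbing one per segment
 * (segment 23 = 0x7B). When the corrupted allocator faults, (value - 0x64)
 * tells which 10-byte segment the overflow hit; vul3 supplies the low
 * digit, and vul5 combines the two.
 *
 * As in vul2, the overflow of the 200-byte block by the 240-byte payload is
 * deliberate and kept. Fixed here: the payload is NUL-terminated inside
 * mybuf (the original read past the global), and HeapCreate is checked.
 *
 * Returns 0 if the frees complete, 1 if the heap could not be created.
 */
int main(int argc,char *argv[])
{
    HANDLE hHeap;
    char *buf1,*buf2;
    size_t i;

    (void)argc;
    (void)argv;

    /* Segment number in every byte: 0x64 x10, 0x65 x10, ... for 0..238,
     * then a terminator. */
    for(i=0;i<sizeof mybuf-1;i++)
    {
        mybuf[i]=(char)(100+i/10);
    }
    mybuf[sizeof mybuf-1]='\0';

    /* HEAP_GENERATE_EXCEPTIONS: allocation failures raise an SEH exception
     * rather than returning NULL (verify for the target OS); HeapCreate
     * itself still returns NULL on failure. */
    hHeap = HeapCreate(HEAP_GENERATE_EXCEPTIONS,0x1000,0xffff);
    if (hHeap == NULL) {
        fprintf(stderr, "HeapCreate failed: %lu\n", GetLastError());
        return 1;
    }
    printf("mybuf addr=%p\n",(void *)mybuf);

    buf1=HeapAlloc(hHeap,0,200);
    /* INTENTIONAL OVERFLOW: 240 bytes written into a 200-byte block. */
    strcpy(buf1,mybuf);
    printf("buf1=%s\n",buf1);

    /* Allocator walks the overwritten metadata here; note the faulting
     * value it reports and subtract 0x64 to get the segment. */
    buf2 = HeapAlloc(hHeap,0,16);
    HeapFree(hHeap,0,buf1);
    HeapFree(hHeap,0,buf2);
    HeapDestroy(hHeap);
    return 0;
}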
//======================================
//vul5.c 计算出错点的位置
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
/* 240-byte payload built by main() and copied into a 200-byte heap block
 * with strcpy. No room is reserved for a terminator: as written, main fills
 * all 240 bytes and strcpy keeps reading past mybuf until it happens upon a
 * zero byte in whatever follows it in memory. */
char mybuf[240];
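/*
 * vul5: place a marker at the offset computed from the vul3/vul4 readings.
 *
 * Same overflow as vul2 (240-byte payload into a 200-byte block, kept on
 * purpose), but with 'B' (0x42) written at the offset where the allocator
 * was observed to dereference the overwritten bytes, so the fault report
 * shows 0x42424242 and confirms the calculation.
 *
 * Fixed relative to the original: the payload is NUL-terminated inside
 * mybuf (the original read past the global), and HeapCreate is checked.
 * The marker indices are left exactly as the author wrote them.
 *
 * Returns 0 if the frees complete, 1 if the heap could not be created.
 */
int main(int argc,char *argv[])
{
    HANDLE hHeap;
    char *buf1,*buf2;
    size_t i;

    (void)argc;
    (void)argv;

    /* Background fill: 239 x 'A' followed by a terminator. */
    for(i=0;i<sizeof mybuf-1;i++)
    {
        mybuf[i]='A';
    }
    mybuf[sizeof mybuf-1]='\0';

    /* Author's derivation of the fault offset (translated):
     *   - The vul3 run (bytes cycling 0x64..0x6D) faulted on 0x66 — the
     *     author attributes which byte is shown to "last in, first out",
     *     presumably the little-endian rendering of the faulting value.
     *     Low digit: 0x66 - 0x64 = 2.
     *   - The vul4 run (one value per 10-byte segment) faulted on 0x79.
     *     Segment: 0x79 - 0x64 = 0x15 = 21.
     *   - Offset = 21 * 10 + 2 = 212.
     * Four 'B's from 212 onward are what becomes 0x42424242 in the report.
     *
     * NOTE(review): 212 was measured on one particular allocator build.
     * Later Windows heap implementations validate their free-list links and
     * chunk headers, so the same fault value and offset should not be
     * assumed — re-run vul3/vul4 on the target system before trusting it. */
    mybuf[212]='B';
    mybuf[213]='B';
    mybuf[214]='B';
    mybuf[215]='B';
    mybuf[216]='B';
    /* NOTE(review): index 127 looks like a typo for 217 (continuing the run
     * above), but the author's value is kept. With 212..215 already holding
     * 0x42424242 it presumably does not change the observed fault value. */
    mybuf[127]='B';

    /* HEAP_GENERATE_EXCEPTIONS: allocation failures raise an SEH exception
     * rather than returning NULL (verify for the target OS); HeapCreate
     * itself still returns NULL on failure. */
    hHeap = HeapCreate(HEAP_GENERATE_EXCEPTIONS,0x1000,0xffff);
    if (hHeap == NULL) {
        fprintf(stderr, "HeapCreate failed: %lu\n", GetLastError());
        return 1;
    }
    printf("mybuf addr=%p\n",(void *)mybuf);

    buf1=HeapAlloc(hHeap,0,200);
    /* INTENTIONAL OVERFLOW: 240 bytes written into a 200-byte block. */
    strcpy(buf1,mybuf);
    printf("buf1=%s\n",buf1);

    /* Allocator walks the overwritten metadata here; the author reports the
     * resulting fault as 0x42424242, confirming the 212 offset. */
    buf2 = HeapAlloc(hHeap,0,16);
    HeapFree(hHeap,0,buf1);
    HeapFree(hHeap,0,buf2);
    HeapDestroy(hHeap);
    return 0;
}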
//===========================================
补充:综合编程 , 安全编程 ,