Shellcode testing gone wrong


Problem description

Hey I'm using a bit of code most of you are familiar with. It basically takes an array of characters and casts it as a function pointer. With this code you can theoretically test any shellcode's functionality with it, and it would be a very valuable program for my work, if it would behave... I'm doing this on Windows XP SP3, and am using MinGW's gcc to compile and gdb to debug the damn thing.

Here's what I've got...

#include <stdio.h>

/* Global array: it lives in the .data section, not on the stack. */
unsigned char code[] =
"\x90\x90\x90\x90\x90\x90\x90\x90";

int main(void)
{
  printf("Code length = %i...\n", (int)(sizeof(code)-1));
  /* Cast the data bytes to a function pointer and call them as code. */
  int (*ret)()=(int(*)())code;
  ret();
  return 0;
}

So I decided to use nops as the "shellcode" because it's easy on the eye and brain and would probably work no matter what. Unfortunately it doesn't.

When I compile and run the program I get...

An unhandled win32 exception occurred in horsefile.exe[3612].

...and when I run it in gdb I get...

Program received signal SIGSEV, Segmentation fault.
0x00409000 in code()

...where 0x00409000 is the entry point address of the shellcode function ret().

I've turned off DEP, as I thought casting the character array, which I thought was on the stack (probably in .data section in reality), and that there was no executing code on the stack (the casting treating the character array data as code on the stack). So I turned DEP off and it's still misbehaving.

Any thoughts? Remember, I'm using the MinGW compiler/debugger suite for Windows on Windows XP SP3.

EDIT - unsigned char code[] instead of char *code[] ... still doesn't work... EDIT - Added the ret (\xc3) at the end of the "shellcode", still no joy...

Recommended answer

I figured it out. DEP (Data Execution Prevention) for my Windows XP SP3 VM was actually on after all.

To shut it off on Windows XP follow these steps.

For Windows Vista - Windows 10 download and install the Enhanced Mitigation Experience Toolkit, run it, and specify which security settings you want.
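The answer's fix switches DEP off for the whole machine, which strips that mitigation from every process, not just the test program. The harness below is an added example (it is not code from the question, the answer, or any project): it keeps DEP on, reports whether the page holding a global array like the question's `code[]` is executable (on Windows via VirtualQuery, on Linux by reading /proc/self/maps), and runs a constructed probe from a page it allocates itself, written while read-write and then flipped to read-execute with VirtualProtect or mprotect. The names `probe`, `data_code`, `page_is_executable`, `make_executable_copy` and `run_probe_from_executable_page` are the example's own, the probe bytes assume an x86 or x86-64 CPU, and the return codes are assumed values chosen here.

```c
/* Added example (not from the question or answer): run a probe from a page made
 * executable on purpose, instead of switching DEP off. Assumes an x86/x86-64 CPU
 * (probe bytes), Win32 API on Windows, mmap/mprotect and /proc/self/maps on Linux. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <unistd.h>
#endif
#define PROBE_ALLOC_FAILED (-1)
#define PROBE_UNSUPPORTED  (-2)
/* Constructed probe: "mov eax, 42 ; ret" on x86/x86-64; a known return value
 * proves the call really executed. */
static const unsigned char probe[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };
/* A global array like the one in the question: it sits in .data, which DEP/NX
 * maps read-write but not executable, so calling into it faults. */
unsigned char data_code[] = "\x90\x90\x90\x90\xC3";

/* Is the page holding addr executable? 1 yes, 0 no, -1 unknown. */
int page_is_executable(const void *addr)
{
#ifdef _WIN32
    MEMORY_BASIC_INFORMATION mbi;
    if (VirtualQuery(addr, &mbi, sizeof mbi) == 0) return -1;
    DWORD prot = mbi.Protect & 0xFF;   /* drop PAGE_GUARD / PAGE_NOCACHE modifiers */
    return prot == PAGE_EXECUTE || prot == PAGE_EXECUTE_READ ||
           prot == PAGE_EXECUTE_READWRITE || prot == PAGE_EXECUTE_WRITECOPY;
#elif defined(__linux__)
    FILE *maps = fopen("/proc/self/maps", "r");
    char line[512], perms[8];
    unsigned long lo, hi, a = (unsigned long)(uintptr_t)addr;
    if (!maps) return -1;
    while (fgets(line, sizeof line, maps)) {
        if (sscanf(line, "%lx-%lx %7s", &lo, &hi, perms) == 3 && a >= lo && a < hi) {
            fclose(maps);
            return perms[2] == 'x';   /* perms reads like "rw-p" or "r-xp" */
        }
    }
    fclose(maps);
    return -1;
#else
    (void)addr;
    return -1;
#endif
}

/* Copy bytes into a fresh page: map RW, write, then flip to RX so the page is
 * never writable and executable at once. Returns NULL on failure. */
static void *make_executable_copy(const unsigned char *bytes, size_t len, size_t *page_len)
{
#ifdef _WIN32
    SYSTEM_INFO si;
    DWORD old;
    GetSystemInfo(&si);
    *page_len = si.dwPageSize;
    void *p = VirtualAlloc(NULL, *page_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!p) return NULL;
    memcpy(p, bytes, len);
    if (VirtualProtect(p, *page_len, PAGE_EXECUTE_READ, &old)) return p;
    VirtualFree(p, 0, MEM_RELEASE);
#else
    long ps = sysconf(_SC_PAGESIZE);
    *page_len = ps > 0 ? (size_t)ps : 4096;
    void *p = mmap(NULL, *page_len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    memcpy(p, bytes, len);
    if (mprotect(p, *page_len, PROT_READ | PROT_EXEC) == 0) return p;
    munmap(p, *page_len);
#endif
    return NULL;
}

/* 42 when the probe ran from an RX page, PROBE_ALLOC_FAILED if the page could not
 * be set up, PROBE_UNSUPPORTED on CPUs where the probe bytes mean nothing. */
int run_probe_from_executable_page(void)
{
#if defined(__i386__) || defined(__x86_64__) || defined(_M_IX86) || defined(_M_X64)
    size_t page_len;
    void *page = make_executable_copy(probe, sizeof probe, &page_len);
    if (!page) return PROBE_ALLOC_FAILED;
    int (*fn)(void);
    memcpy(&fn, &page, sizeof fn);   /* object-to-function pointer without a cast */
    int result = fn();
#ifdef _WIN32
    VirtualFree(page, 0, MEM_RELEASE);
#else
    munmap(page, page_len);
#endif
    return result;
#else
    return PROBE_UNSUPPORTED;
#endif
}

int main(void)
{
    printf(".data array executable? %d (1 yes, 0 no, -1 unknown)\n",
           page_is_executable(data_code));
    printf("probe from RX page returned %d\n", run_probe_from_executable_page());
    return 0;
}
```

With DEP left on, the first line reports 0 for the `.data` array, which is exactly why the cast in the question faults at the array's address, while the probe still returns 42 because its bytes live on a page the program explicitly made read-execute. Keeping the page writable only while the bytes are copied in is the same W^X discipline DEP enforces system-wide, so the harness tests the bytes without weakening the host.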
