This is not just another paper describing the basics of buffer overflows. There are plenty of publications on the topic, so there is no point in covering it again. If you are already familiar with exploiting buffer overflows on the Windows platform, do not assume this article has nothing to offer you: it shows several interesting methods that can be used while writing an exploit (for example, where to put shellcode when the stack is non-executable). Basic knowledge of x86 processors, assembly and C, and of buffer overflow exploitation, is required.
Being able to overflow a buffer on the stack gives us full control over the EIP register of the x86 processor. Yep!!! This is great!!! We can load this register with any address we want, then force the vulnerable program to jump there and execute whatever code is at that address.
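The mechanism above, as an added illustration that is not part of the original article: an x86 frame is modelled as a struct (constructed values throughout) so that an unbounded copy can be seen climbing out of the local buffer into the saved return address, next to a bounded copy that refuses the same input before it touches the stack.

```c
#include <stdint.h>
#include <string.h>

/* Model of an x86 stack frame: the local buffer lies below the saved EBP and
 * the saved return address, so a copy that runs past buf climbs into them.
 * Keeping the "stack" inside a struct lets the overflow be observed safely. */
struct frame {
    char     buf[16];    /* vulnerable local buffer */
    uint32_t saved_ebp;  /* caller's frame pointer */
    uint32_t saved_eip;  /* address that RET pops into EIP */
};

#define GOOD_EIP 0x00401000u   /* constructed stand-in for the real return address */

static void init_frame(struct frame *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->saved_ebp = 0x0012ff80u;   /* constructed value */
    f->saved_eip = GOOD_EIP;
}

/* strcpy-style copy with no bound on buf: writes n bytes starting at buf[0]. */
static uint32_t unbounded_copy(struct frame *f, const unsigned char *src, size_t n) {
    unsigned char *dst = (unsigned char *)f;        /* byte view of the frame */
    init_frame(f);
    if (n > sizeof *f) n = sizeof *f;               /* stay inside the model */
    for (size_t i = 0; i < n; i++) dst[i] = src[i]; /* nothing stops at buf[15] */
    return f->saved_eip;                            /* what RET would load */
}

/* Hardened copy: reject input longer than the buffer before writing anything. */
static int bounded_copy(struct frame *f, const unsigned char *src, size_t n) {
    init_frame(f);
    if (n > sizeof f->buf) return -1;
    memcpy(f->buf, src, n);
    return 0;
}

/* Constructed 24-byte input: 20 filler bytes, then 4 bytes that land exactly on
 * saved_eip (little-endian, so they read back as 0x41424344). */
static void build_input(unsigned char in[24]) {
    memset(in, 'A', 20);
    in[20] = 0x44; in[21] = 0x43; in[22] = 0x42; in[23] = 0x41;
}

uint32_t overflow_demo(void) {             /* returns the clobbered return address */
    struct frame f; unsigned char in[24];
    build_input(in);
    return unbounded_copy(&f, in, 24);
}

int bounded_demo(uint32_t *eip_out) {      /* returns -1; *eip_out stays GOOD_EIP */
    struct frame f; unsigned char in[24];
    build_input(in);
    int rc = bounded_copy(&f, in, 24);
    *eip_out = f.saved_eip;
    return rc;
}
```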
In theory, that is all we need. The problem is that the code WE want executed is not actually present in memory. To get around this, we have to place OUR code in the memory of the process we are attacking. This code is known as shellcode; it consists of a sequence of processor instructions, written out as their hex byte values.
In this paper I will discuss three possible locations in memory where we can put our shellcode, and then how to force the vulnerable application to execute it. Throughout this tutorial we will use two shellcodes of different sizes.