running shellcode + vs2010

Published 2020-02-13 04:42

Question:

I just tried the following code snippet for shellcode testing purposes:

#include<iostream>

using namespace std;

char sc[] = ""; // I've removed the shellcode
int main() {
    int (*func)();
    func = (int(*)())sc;    // cast a char array to a function pointer (this is the line the compiler rejects)
    (int)(*func)();         // call through the pointer
}

I get a build error on compilation:

------ Build started: Project: shellcoderunner, Configuration: Debug Win32 ------
Build started 10/15/2011 12:51:16 PM.
InitializeBuildStatus:
  Touching "Debug\shellcoderunner.unsuccessfulbuild".
ClCompile:
  blah.cpp
c:\users\reverser\documents\visual studio 2010\projects\shellcoderunner\shellcoderunner\blah.cpp(7): error C2440: 'type cast' : cannot convert from 'char [149]' to 'int (__cdecl *)(void)'
          There is no context in which this conversion is possible

Build FAILED.

Time Elapsed 00:00:01.99
========== Build: 0 succeeded, 1 failed, 0 up-to-date, 0 skipped ==========

Something obvious that I'm doing wrong?

Answer 1:

To execute a shellcode in your C/C++ program with VS, the simplest way is embedding an Assembly code like this example below:

char* buffer="blah blah blah";
int main() {
    __asm{
        mov eax, buffer     // load the pointer value (the address of the bytes); lea would give the address of the pointer variable itself
        call    eax         // jump into the buffer
    }
}

Hope this help!



Answer 2:

[
At the time I am answering the question is about why compilation fails for …

#include<iostream>

using namespace std;

char sc[] = ""; // I've removed the shellcode
int main() {
    int (*func)();
    func = (int(*)())sc;    // the rejected cast from char array to function pointer
    (int)(*func)();
}

This code is an attempt to execute data bytes as machine code. However, the OP calls this a “code snippet for shellcode testing purposes”, which is unrelated. And so I am including this original context.
]

You may have success using a void* as intermediary.

Formally, even that should not compile, because formally a data pointer cannot be converted to a function pointer or vice versa.

However, reportedly POSIX requires the ability to do that conversion, and it's old existing practice, so I believe most if not all compilers support it.

Note that you are in UB-land as regarding effects.

Also, note that anti-virus software and page level execute permission checking may disagree a bit with trying to execute the bytes in a string as machine code, so at that higher level yes you're doing something obviously wrong. ;-)

By the way, if what you are trying to achieve is to execute a shell script, then look into the system function.

What command to pass in the system call would depend on your system, so if you change your question be sure to include information about that.

Cheers & hth.,

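An added example (not code from the question or from any of the answers) that walks through Answer 2's two remaining points: the conversion through void* compiles, but the call into a data page is then stopped by page-level execute permission checking. It assumes a POSIX system (Linux on x86-64 with gcc or clang), a constructed one-byte buffer, and catches the resulting fault with a signal handler so the program can report the block instead of crashing.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

typedef int (*code_fn)(void);

/* Constructed sample bytes: a single x86 `ret` (0xC3). Harmless even if it
   ran, but on a system enforcing NX/DEP the instruction fetch from a data
   page faults before the byte is ever decoded. */
static unsigned char sc[] = { 0xC3 };

static sigjmp_buf recover_point;

static void on_fault(int sig)
{
    siglongjmp(recover_point, sig);   /* unwind back into try_execute() */
}

/* Try to run the bytes at `buf` as code, converting through void* as Answer 2
   suggests. Returns 1 if a fault (SIGSEGV/SIGBUS) stopped the attempt, 0 if
   the bytes actually executed. */
int try_execute(void *buf)
{
    struct sigaction sa, old_segv, old_bus;
    volatile int faulted = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    if (sigsetjmp(recover_point, 1) == 0) {
        code_fn f = (code_fn)buf;     /* void* -> function pointer: compiles, UB formally */
        f();                          /* faults here under NX/DEP */
    } else {
        faulted = 1;                  /* reached via siglongjmp from on_fault() */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

int main(void)
{
    printf("executing from .data: %s\n", try_execute(sc) ? "blocked (fault)" : "ran");
    return 0;
}
```

On a system with NX/DEP enforced the output is "blocked (fault)"; the handlers are restored afterwards, so the probe can be repeated.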


Answer 3:

I think the following should work:

char sc[] = ""; // i've removed the shellcode

int main()
{
#ifdef __cplusplus
    int (*func)() = (int(*)())sc;   // C++: explicit cast required
#else
    int (*func)() = sc;             /* C: implicit conversion (compiler may warn) */
#endif
    func();
}

It's technically undefined behaviour, but then again that's the whole point of shellcode.



Answer 4:

You cannot cast an array to a function pointer. You have to first acquire a pointer to the array, which then can be cast:

func = (int(*)())&sc;