读0day第三章开发shellcode艺术Jmp esp

56 阅读 0 评论 37 点赞

我是靠谱客的博主平常小白菜，最近开发中收集的这篇文章主要介绍读0day第三章开发shellcode艺术Jmp esp，觉得挺不错的，现在分享给大家，希望可以做个参考。

概述

环境:XP sp2 中文版

老规矩，上代码

(代码来自0day2电子资料->02栈溢出原理与实践->2_4_overflow_code_exec.c)

/*****************************************************************************
      To be the apostrophe which changed "Impossible" into "I'm possible"!
		
POC code of chapter 2.4 in book "Vulnerability Exploit and Analysis Technique"
 
file name	: stack_overflow_exec.c
author		: failwest  
date		: 2006.10.1
description	: demo show how to redirect EIP to executed extra binary code in buffer
Noticed		: should be complied with VC6.0 and build into debug version
				the address of MessageboxA and the start of machine code in buffer
				have to be make sure in file "password.txt" via runtime debugging
version		: 1.0
E-mail		: failwest@gmail.com
		
	Only for educational purposes    enjoy the fun from exploiting :)
******************************************************************************/
#include <stdio.h>
#include <windows.h>
#define PASSWORD "1234567"
int verify_password (char *password)
{
	int authenticated;
	char buffer[44];
	authenticated=strcmp(password,PASSWORD);
	strcpy(buffer,password);//over flowed here!	
	return authenticated;
}
main()
{
	int valid_flag=0;
	char password[1024];
	FILE * fp;
	LoadLibrary("user32.dll");//prepare for messagebox
	if(!(fp=fopen("password.txt","rw+")))
	{
		exit(0);
	}
//	fscanf(fp,"%s",password);//遇到0B就断了
	fread(password,1,sizeof(password),fp);
	valid_flag = verify_password(password);
	if(valid_flag)
	{
		printf("incorrect password!n");
	}
	else
	{
		printf("Congratulation! You have passed the verification!n");
	}
	fclose(fp);
}

---------------------------------------------------------------------------------------------------

这里说明下，原版作者读入password用的fscanf,但因为我的环境里有0的bad chars(0B 05 05),所以读到一部分就读不了了。于是我换成了fread