Python 3版本pattern_create.rb工具,用于计算溢出发生时被覆盖元素偏移地址。
#!/usr/bin/env python
# Replicates msf pattern_create.rb
import sys
try:length=int(sys.argv[1])
except:print("[+] Usage: %s <length> [set a] [set b] [set c]" % sys.argv[0]); sys.exit(1)
try:seta=sys.argv[2]
except:seta="ABCDEFGHIJKLMNOPQRSTUVWXYZ"
try:setb=sys.argv[3]
except:setb="abcdefghijklmnopqrstuvwxyz"
try:setc=sys.argv[4]
except:setc="0123456789"
string="" ; a=0 ; b=0 ; c=0
while len(string) < length:
if len(sys.argv) == 2:
string += seta[a] + setb[b] + setc[c]
c+=1
if c == len(setc):c=0;b+=1
if b == len(setb):b=0;a+=1
if a == len(seta):a=0
elif len(sys.argv) == 3:
print("[!] Error, cannot work with just one set!")
print("[+] Usage: %s <length> [set a] [set b] [set c]" % sys.argv[0]); sys.exit(1)
sys.exit(1)
elif len(sys.argv) == 4:
string += seta[a] + setb[b]
b+=1
if b == len(setb):b=0;a+=1
if a == len(seta):a=0
elif len(sys.argv) == 5:
string += seta[a] + setb[b] + setc[c]
c+=1
if c == len(setc):c=0;b+=1
if b == len(setb):b=0;a+=1
if a == len(seta):a=0
else:
print("[+] Usage: %s <length> [set a] [set b] [set c]" % sys.argv[0]); sys.exit(1)
print(string[:length])
print("-------------------------------------------------------------------------")
print("Length: %i" % length)
print("[+] SetA: ‘%s‘" % seta)
print("[+] SetB: ‘%s‘" % setb)
if len(sys.argv) != 4: print("[+] SetC: ‘%s‘" % setc)
print("-------------------------------------------------------------------------")
用法(假设需要5000个字符): pattern_create.py 5000>1.txt
然后从1.txt里面复制出来即可。
确定位置:
假设异常时,EIP=426b3742 ,反过来就是Bk7B,使用UltraEdit之类的工具打开1.txt,搜索Bk7B,光标移到Bk7B前面,下面显示的列数为(1102),由于从1开始计数,需要减去1,结果就是1101,再加上之前的区间值(假设为25000),则EIP填充位置就是25000+1101=16101之后的那4个字节(X86平台)。
时间: 2024-11-08 00:15:23