52ky posted on 2022-9-22 09:41:24

A method for locating the shellcode position, using the FoxMail vulnerability

Using the FoxMail vulnerability as a demonstration: how to determine the position of the overflow return point. Here we use the FoxMail vulnerability to practice the essence of the first step of a buffer overflow, which is how to determine the position of the overflow return point. For details, see: xfocus/articles/200403/683.html

First, a brief introduction to the FoxMail vulnerability. The problem is in the UrlToLocal function in PunyLib.dll. When an email is judged to be spam, UrlToLocal is called to process the "From:" field of the mail body, and a stack overflow occurs during processing, which can lead to the execution of arbitrary code.

Because the number of bytes sent cannot exceed 0x200, for testing we first send 0x150 'A's. The sending code is as follows:

    memset(buffer, 0x41, 0x150);           /* fill with 0x150 'A' bytes */
    buffer[0x150] = '\0';                  /* terminate the string for %s */
    sprintf(temp, "From:%s\r\n", buffer);
    send(sock, temp, strlen(temp), 0);

The result that comes back is: "Access violation at address 02FA1BAB in module 'punylib.dll', Write of address 41414141"

This needs some explanation. Generally, to use an overflow point to return to our ShellCode, we need the program to read the EIP data. Here, however, it is a write, which suggests that the data we just submitted may be too long: it overwrote not only the EIP data but also some other parameters that the program uses. If those parameters have to be rewritten before the program returns, but a parameter's address has been changed to "41414141", which is not writable, the write error above is the result. So what we need to do next is make the overwritten field shorter; it needs to cover up to the return
由FoxMail漏洞演示定位ShellCode方位的方法.pdf
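Added example, not part of the original post or of the referenced article: a small C triage routine that parses an access-violation message of the shape quoted above and flags the case the post explains, a write fault whose target address is a single fill byte repeated (0x41414141). The names av_info and parse_av are this example's own, and the message spacing is restored from the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Triage result for one access-violation line (names are this example's own). */
typedef struct {
    uint32_t fault_ip;   /* address of the faulting instruction */
    uint32_t target;     /* address the instruction tried to read or write */
    char     module[64]; /* module containing the faulting instruction */
    int      is_write;   /* 1 for "Write of address", 0 for "Read of address" */
    int      filler;     /* 1 if target is one non-zero byte repeated four times */
} av_info;

/* Parse a message shaped like the one quoted in the post.
 * Returns 0 on success, -1 if the line does not match that shape. */
int parse_av(const char *msg, av_info *out)
{
    char kind[8] = "";
    unsigned int ip = 0, tgt = 0;

    memset(out, 0, sizeof *out);
    if (sscanf(msg,
               "Access violation at address %x in module '%63[^']'%*[,. ]"
               "%7s of address %x", &ip, out->module, kind, &tgt) != 4)
        return -1;
    if (strcmp(kind, "Write") == 0)
        out->is_write = 1;
    else if (strcmp(kind, "Read") != 0)
        return -1;
    out->fault_ip = ip;
    out->target = tgt;
    /* 0x41414141 == 0x41 * 0x01010101: the fill byte from the test input. */
    out->filler = (tgt & 0xffu) != 0 && tgt == (tgt & 0xffu) * 0x01010101u;
    return 0;
}

int main(void)
{
    /* Message text as quoted in the post, with its spacing restored. */
    const char *msg = "Access violation at address 02FA1BAB in module "
                      "'punylib.dll', Write of address 41414141";
    av_info av;

    if (parse_av(msg, &av) != 0)
        return 1;
    printf("%s at %08X in %s, target %08X%s\n",
           av.is_write ? "write" : "read", (unsigned)av.fault_ip, av.module,
           (unsigned)av.target,
           av.filler ? " (repeated fill byte: overwritten pointer)" : "");
    return 0;
}
```

A crash report that sets the filler flag on a mail client is worth escalating, since it shows message data reaching a pointer the code dereferences.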



