简介
前置条件 :
1. 可以栈溢出
2. 溢出长度足够覆盖到函数的返回地址
3. 栈代码具有执行权限
功能 :
快速计算应该填充多少字节 junk 数据 , 计算以后可以直接在数据后追加返回地址
这样就可以接管程序的执行流程
64 位 / 32 位通用
演示视频 :
https://www.youtube.com/watch?v=7plB3z6dKDY
仓库地址 :
https://github.com/wangyihang/GetJunkSize.git
代码实现 :
getJunk.py
#!/usr/bin/env python
# coding:utf-8
import sys
start = ord("0")
def getJunk(length):
global start
result = ""
size = (length / 4)
padding = length - size * 4
for i in range(size):
result += chr(start + i) * 2 + "\x00\x00"
return result + "@@\x00\x00"[0:padding]
def main():
if len(sys.argv) != 2:
print "Usage : "
print " python getJunk.py [LENGTH]"
exit(1)
junk = getJunk(int(sys.argv[1]))
print junk
with open("junk.dat","w") as f:
f.write(junk)
if __name__ == "__main__":
main()
getSize.py
#!/usr/bin/env python
# coding:utf-8
import sys
start = ord("0")
def getSize(address):
global start
flag1 = int(address[-6:-4], 16)
flag2 = int(address[-4:-2], 16)
flag3 = int(address[-2:], 16)
result = 0
if flag1 != 0 and flag2 != 0 and flag3 == 0:
result = (flag1 - start) * 4 - 1
elif flag1 != 0 and flag2 == 0 and flag3 == 0:
result = (flag1 - start) * 4 - 2
elif flag1 == 0 and flag2 == 0 and flag3 != 0:
result = (flag3 - start) * 4 + 1
elif flag1 == 0 and flag2 != 0 and flag3 != 0:
result = (flag3 - start) * 4
else:
print "Illegal Address!"
exit(2)
return result
def main():
if len(sys.argv) != 2:
print "Usage : "
print " python getSize.py [OVERWRITED_RIP]"
exit(1)
size = getSize(sys.argv[1])
print "[Length] : [%d]" % size
if __name__ == "__main__":
main()
网友评论