As everyone knows, the heap spray model looks like this:
var shellCode = "XXXXXXXXXXX";   // shellcode (placeholder bytes)
var nops = "\u0a0a\u0a0a";       // slide code: the bytes 0a 0a 0a 0a as a string (the original used a number, which has no .length)
while (nops.length < 0x100000)
    nops += nops;                // double the sled until it is 1 MB of characters
nops = nops.substring(...);      // trim the sled (arguments elided in the original)
nops = nops + shellCode;         // sled followed by the shellcode
var memory = new Array();
for (var i = 0; i < 200; i++)
    memory[i] = nops;            // keep 200 copies alive (the original's += would prepend "undefined")
var str = '';
while (str.length < 256) str += '\x0a\x0a\x0a\x0a';
str = str + "\x0c\x0c\x0c\x0c";  // value that overwrites the return address / pointer: 0x0c0c0c0c
bufferOverFlow(str);             // hypothetical vulnerable entry point, not defined here
But why do we do it this way? Just use the address of the already-allocated heap to set up our shellCode:
var shellCode = "XXXXXXXXXXX";        // shellcode (placeholder bytes)
shellCode = shellCode.substring(...); // arguments elided in the original
var str = '';
while (str.length < 256) str += '\x0a\x0a\x0a\x0a';
str = str + &shellCode;               // pseudo-notation for "the address of shellCode" (not valid JavaScript as written)
bufferOverFlow(str);                  // hypothetical vulnerable entry point, not defined here
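The mechanics behind the question, as an added example that is not part of the original post: a Node.js model of the spray above (a block builder, the spray loop, and a simulated landing at a guessed address). The names buildSprayBlock, spray, landsInShellcode, sledCoverage and resolveTarget are mine; the "shellcode" is a constructed marker string, not machine code; and the heap model ignores the string object header and the allocator, so it demonstrates the layout property only. The property it exercises is the one the spray exists for: JavaScript exposes nothing like `&shellCode`, so the exploit cannot learn where the engine placed the string; instead it fills a large range so that a fixed guess such as 0x0a0a0a0a resolves into the NOP sled of some block whatever the unknown base address turns out to be, and sliding from anywhere in that sled reaches the shellcode.

```javascript
"use strict";

// Constructed placeholder for shellcode: a marker string, not machine code.
const SHELLCODE = "SHELLCODE!";
// One slide unit: the UTF-16 character 0x0a0a, i.e. the bytes 0a 0a in memory.
const NOP = "\u0a0a";
const BYTES_PER_CHAR = 2;            // UTF-16 string storage (assumption of this model)
const BLOCK_CHARS = 0x10000;         // characters per block (1 MB in the post; smaller here)
const BLOCK_COUNT = 200;             // blocks kept alive, as in the post's loop
const GUESSED_ADDRESS = 0x0a0a0a0a;  // the fixed address the overflow steers execution to

// Build one spray block: a NOP sled followed by the shellcode, trimmed so every
// block has exactly blockChars characters and therefore the same internal layout.
function buildSprayBlock(shellcode, blockChars) {
  let sled = NOP;
  while (sled.length < blockChars) sled += sled;            // double, as the post's loop does
  sled = sled.substring(0, blockChars - shellcode.length);  // trim so sled + shellcode fits exactly
  return sled + shellcode;
}

// Spray: keep `count` references alive in an array so the engine cannot collect them.
function spray(shellcode, count, blockChars) {
  const memory = [];
  for (let i = 0; i < count; i++) memory[i] = buildSprayBlock(shellcode, blockChars);
  return memory;
}

// Simulate execution landing at character `offset` of a block: slide over NOPs
// until the first non-NOP character and report whether that is the shellcode start.
// Landing inside the shellcode itself (past its first byte) counts as a failure.
function landsInShellcode(block, offset, shellcode) {
  let pc = offset;
  while (pc < block.length && block[pc] === NOP) pc++;
  return block.startsWith(shellcode, pc);
}

// Fraction of offsets within a block from which execution reaches the shellcode.
function sledCoverage(block, shellcode) {
  let sledEnd = 0;
  while (sledEnd < block.length && block[sledEnd] === NOP) sledEnd++;
  if (!block.startsWith(shellcode, sledEnd)) return 0;
  return (sledEnd + 1) / block.length;  // every sled offset plus the shellcode's first byte
}

// Model of the unknown heap layout: blocks laid out back to back from a base
// address the attacker does not know (ASLR, allocator state). Resolve a fixed
// guessed address to (block, offset) and check whether it reaches the shellcode.
// Returns null when the guess falls outside the sprayed range.
function resolveTarget(memory, baseAddress, targetAddress, shellcode) {
  const blockBytes = memory[0].length * BYTES_PER_CHAR;
  const delta = targetAddress - baseAddress;
  if (delta < 0 || delta >= memory.length * blockBytes) return null;
  const index = Math.floor(delta / blockBytes);
  const offset = Math.floor((delta % blockBytes) / BYTES_PER_CHAR);
  return { index, offset, reachesShellcode: landsInShellcode(memory[index], offset, shellcode) };
}

// Stand-alone run: spray once, then try the same guess against several unknown bases.
function main() {
  const memory = spray(SHELLCODE, BLOCK_COUNT, BLOCK_CHARS);
  console.log("sled coverage per block:", sledCoverage(memory[0], SHELLCODE).toFixed(6));
  for (const base of [0x0a000000, 0x0a0a0000, 0x09f00000, 0x0b000000]) {
    const hit = resolveTarget(memory, base, GUESSED_ADDRESS, SHELLCODE);
    console.log(`base 0x${base.toString(16)}:`, hit === null ? "guess not covered" : hit);
  }
}

if (typeof require !== "undefined" && require.main === module) main();
```

The last base in main (0x0b000000) lies above the guess, so the spray misses it: that is the failure mode of the technique, and the reason real sprays use many large blocks and a guess well inside the range they expect to fill. Reducing the block count so the spray ends before the guessed address fails the same way.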