简介

前置条件 :

1. 可以栈溢出
2. 溢出长度足够覆盖到函数的返回地址
3. 栈代码具有执行权限

功能 :

快速计算应该填充多少字节 junk 数据 , 计算以后可以直接在数据后追加返回地址
这样就可以接管程序的执行流程
64 位 / 32 位通用

演示视频 :

https://www.youtube.com/watch?v=7plB3z6dKDY

仓库地址 :

https://github.com/wangyihang/GetJunkSize.git

代码实现 :

getJunk.py

#!/usr/bin/env python
# coding:utf-8

import sys

start = ord("0")

def getJunk(length):
    global start
    result = ""
    size = (length / 4)
    padding = length - size * 4
    for i in range(size):
        result += chr(start + i) * 2 + "\x00\x00"
    return result + "@@\x00\x00"[0:padding]

def main():
    if len(sys.argv) != 2:
        print "Usage : "
        print "        python getJunk.py [LENGTH]"
        exit(1)
    junk = getJunk(int(sys.argv[1]))
    print junk
    with open("junk.dat","w") as f:
        f.write(junk)

if __name__ == "__main__":
    main()

getSize.py

#!/usr/bin/env python
# coding:utf-8

import sys

start = ord("0")

def getSize(address):
    global start
    flag1 = int(address[-6:-4], 16)
    flag2 = int(address[-4:-2], 16)
    flag3 = int(address[-2:], 16)
    result = 0
    if flag1 != 0 and flag2 != 0 and flag3 == 0:
        result = (flag1 - start) * 4 - 1
    elif flag1 != 0 and flag2 == 0 and flag3 == 0:
        result = (flag1 - start) * 4 - 2
    elif flag1 == 0 and flag2 == 0 and flag3 != 0:
        result = (flag3 - start) * 4 + 1
    elif flag1 == 0 and flag2 != 0 and flag3 != 0:
        result = (flag3 - start) * 4
    else:
        print "Illegal Address!"
        exit(2)
    return result

def main():
    if len(sys.argv) != 2:
        print "Usage : "
        print "        python getSize.py [OVERWRITED_RIP]"
        exit(1)
    size = getSize(sys.argv[1])
    print "[Length] : [%d]" % size

if __name__ == "__main__":
    main()