在处理字符串的时候未对字符串大小检测,造成栈缓冲区溢出。可以淹没SEH链表,执行任意想执行的程序。
lstrcat时候未对大小进行检测(具体见图)
poc偏移为156H的地方就是SE处理程序的地址 该程序OEP为0040BDE0
poc代码(我这里把SE处理程序地址修改成程序的OEP,也就是让程序再打开一次自己)
www.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.com/嘟@
修复方案:
检测大小