2024-07-19 10:11:43 +00:00
|
|
|
{% hint style="success" %}
|
|
|
|
学习和实践 AWS 黑客技术:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks 培训 AWS 红队专家 (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
|
|
学习和实践 GCP 黑客技术:<img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks 培训 GCP 红队专家 (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
2022-04-28 16:01:33 +00:00
|
|
|
|
2024-07-19 10:11:43 +00:00
|
|
|
<details>
|
2022-04-28 16:01:33 +00:00
|
|
|
|
2024-07-19 10:11:43 +00:00
|
|
|
<summary>支持 HackTricks</summary>
|
2022-04-28 16:01:33 +00:00
|
|
|
|
2024-07-19 10:11:43 +00:00
|
|
|
* 查看 [**订阅计划**](https://github.com/sponsors/carlospolop)!
|
|
|
|
* **加入** 💬 [**Discord 群组**](https://discord.gg/hRep4RUj7f) 或 [**Telegram 群组**](https://t.me/peass) 或 **关注** 我们的 **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
|
|
* **通过向** [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub 仓库提交 PR 分享黑客技巧。
|
2022-04-28 16:01:33 +00:00
|
|
|
|
|
|
|
</details>
|
2024-07-19 10:11:43 +00:00
|
|
|
{% endhint %}
|
2022-04-28 16:01:33 +00:00
|
|
|
|
2022-05-01 16:32:23 +00:00
|
|
|
|
2024-07-19 10:11:43 +00:00
|
|
|
来自 [原始代码](https://github.com/OALabs/BlobRunner) 的唯一修改行是第 10 行。\
|
|
|
|
为了编译它,只需 **在 Visual Studio Code 中创建一个 C/C++ 项目,复制并粘贴代码并构建它**。
|
2021-08-24 22:57:45 +00:00
|
|
|
```c
|
|
|
|
#include <stdio.h>
|
|
|
|
#include <windows.h>
|
|
|
|
#include <stdlib.h>
|
|
|
|
|
|
|
|
#ifdef _WIN64
|
|
|
|
#include <WinBase.h>
|
|
|
|
#endif
|
|
|
|
|
|
|
|
// Define bool
|
|
|
|
#pragma warning(disable:4996)
|
|
|
|
#define true 1
|
|
|
|
#define false 0
|
|
|
|
|
|
|
|
const char* _version = "0.0.5";
|
|
|
|
|
|
|
|
const char* _banner = " __________.__ ___. __________\n"
|
|
|
|
" \\______ \\ | ____\\_ |__\\______ \\__ __ ____ ____ ___________ \n"
|
|
|
|
" | | _/ | / _ \\| __ \\| _/ | \\/ \\ / \\_/ __ \\_ __ \\ \n"
|
|
|
|
" | | \\ |_( <_> ) \\_\\ \\ | \\ | / | \\ | \\ ___/| | \\/ \n"
|
|
|
|
" |______ /____/\\____/|___ /____|_ /____/|___| /___| /\\___ >__| \n"
|
|
|
|
" \\/ \\/ \\/ \\/ \\/ \\/ \n\n"
|
|
|
|
" %s \n\n";
|
|
|
|
|
|
|
|
|
|
|
|
void banner() {
|
2023-08-03 19:12:22 +00:00
|
|
|
system("cls");
|
|
|
|
printf(_banner, _version);
|
|
|
|
return;
|
2021-08-24 22:57:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
LPVOID process_file(char* inputfile_name, bool jit, int offset, bool debug) {
|
2023-08-03 19:12:22 +00:00
|
|
|
LPVOID lpvBase;
|
|
|
|
FILE* file;
|
|
|
|
unsigned long fileLen;
|
|
|
|
char* buffer;
|
|
|
|
DWORD dummy;
|
2021-08-24 22:57:45 +00:00
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
file = fopen(inputfile_name, "rb");
|
2021-08-24 22:57:45 +00:00
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
if (!file) {
|
|
|
|
printf(" [!] Error: Unable to open %s\n", inputfile_name);
|
2021-08-24 22:57:45 +00:00
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
return (LPVOID)NULL;
|
|
|
|
}
|
2021-08-24 22:57:45 +00:00
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
printf(" [*] Reading file...\n");
|
|
|
|
fseek(file, 0, SEEK_END);
|
|
|
|
fileLen = ftell(file); //Get Length
|
2021-08-24 22:57:45 +00:00
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
printf(" [*] File Size: 0x%04x\n", fileLen);
|
|
|
|
fseek(file, 0, SEEK_SET); //Reset
|
2021-08-24 22:57:45 +00:00
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
fileLen += 1;
|
2021-08-24 22:57:45 +00:00
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
buffer = (char*)malloc(fileLen); //Create Buffer
|
|
|
|
fread(buffer, fileLen, 1, file);
|
|
|
|
fclose(file);
|
2021-08-24 22:57:45 +00:00
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
printf(" [*] Allocating Memory...");
|
2021-08-24 22:57:45 +00:00
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
lpvBase = VirtualAlloc(NULL, fileLen, 0x3000, 0x40);
|
2021-08-24 22:57:45 +00:00
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
printf(".Allocated!\n");
|
|
|
|
printf(" [*] |-Base: 0x%08x\n", (int)(size_t)lpvBase);
|
|
|
|
printf(" [*] Copying input data...\n");
|
2021-08-24 22:57:45 +00:00
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
CopyMemory(lpvBase, buffer, fileLen);
|
|
|
|
return lpvBase;
|
2021-08-24 22:57:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
void execute(LPVOID base, int offset, bool nopause, bool jit, bool debug)
|
|
|
|
{
|
2023-08-03 19:12:22 +00:00
|
|
|
LPVOID shell_entry;
|
2021-08-24 22:57:45 +00:00
|
|
|
|
|
|
|
#ifdef _WIN64
|
2023-08-03 19:12:22 +00:00
|
|
|
DWORD thread_id;
|
|
|
|
HANDLE thread_handle;
|
|
|
|
const char msg[] = " [*] Navigate to the Thread Entry and set a breakpoint. Then press any key to resume the thread.\n";
|
2021-08-24 22:57:45 +00:00
|
|
|
#else
|
2023-08-03 19:12:22 +00:00
|
|
|
const char msg[] = " [*] Navigate to the EP and set a breakpoint. Then press any key to jump to the shellcode.\n";
|
2021-08-24 22:57:45 +00:00
|
|
|
#endif
|
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
shell_entry = (LPVOID)((UINT_PTR)base + offset);
|
2021-08-24 22:57:45 +00:00
|
|
|
|
|
|
|
#ifdef _WIN64
|
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
printf(" [*] Creating Suspended Thread...\n");
|
|
|
|
thread_handle = CreateThread(
|
|
|
|
NULL, // Attributes
|
|
|
|
0, // Stack size (Default)
|
|
|
|
shell_entry, // Thread EP
|
|
|
|
NULL, // Arguments
|
|
|
|
0x4, // Create Suspended
|
|
|
|
&thread_id); // Thread identifier
|
|
|
|
|
|
|
|
if (thread_handle == NULL) {
|
|
|
|
printf(" [!] Error Creating thread...");
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
printf(" [*] Created Thread: [%d]\n", thread_id);
|
|
|
|
printf(" [*] Thread Entry: 0x%016x\n", (int)(size_t)shell_entry);
|
2021-08-24 22:57:45 +00:00
|
|
|
|
|
|
|
#endif
|
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
if (nopause == false) {
|
|
|
|
printf("%s", msg);
|
|
|
|
getchar();
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
if (jit == true) {
|
|
|
|
// Force an exception by making the first byte not executable.
|
|
|
|
// This will cause
|
|
|
|
DWORD oldp;
|
2021-08-24 22:57:45 +00:00
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
printf(" [*] Removing EXECUTE access to trigger exception...\n");
|
2021-08-24 22:57:45 +00:00
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
VirtualProtect(shell_entry, 1 , PAGE_READWRITE, &oldp);
|
|
|
|
}
|
|
|
|
}
|
2021-08-24 22:57:45 +00:00
|
|
|
|
|
|
|
#ifdef _WIN64
|
2023-08-03 19:12:22 +00:00
|
|
|
printf(" [*] Resuming Thread..\n");
|
|
|
|
ResumeThread(thread_handle);
|
2021-08-24 22:57:45 +00:00
|
|
|
#else
|
2023-08-03 19:12:22 +00:00
|
|
|
printf(" [*] Entry: 0x%08x\n", (int)(size_t)shell_entry);
|
|
|
|
printf(" [*] Jumping to shellcode\n");
|
|
|
|
__asm jmp shell_entry;
|
2021-08-24 22:57:45 +00:00
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
|
|
|
void print_help() {
|
2023-08-03 19:12:22 +00:00
|
|
|
printf(" [!] Error: No file!\n\n");
|
|
|
|
printf(" Required args: <inputfile>\n\n");
|
|
|
|
printf(" Optional Args:\n");
|
|
|
|
printf(" --offset <offset> The offset to jump into.\n");
|
|
|
|
printf(" --nopause Don't pause before jumping to shellcode. Danger!!! \n");
|
|
|
|
printf(" --jit Forces an exception by removing the EXECUTE permission from the alloacted memory.\n");
|
|
|
|
printf(" --debug Verbose logging.\n");
|
|
|
|
printf(" --version Print version and exit.\n\n");
|
2021-08-24 22:57:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
int main(int argc, char* argv[])
|
|
|
|
{
|
2023-08-03 19:12:22 +00:00
|
|
|
LPVOID base;
|
|
|
|
int i;
|
|
|
|
int offset = 0;
|
|
|
|
bool nopause = false;
|
|
|
|
bool debug = false;
|
|
|
|
bool jit = false;
|
|
|
|
char* nptr;
|
|
|
|
|
|
|
|
banner();
|
|
|
|
|
|
|
|
if (argc < 2) {
|
|
|
|
print_help();
|
|
|
|
return -1;
|
2021-08-24 22:57:45 +00:00
|
|
|
}
|
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
printf(" [*] Using file: %s \n", argv[1]);
|
2022-05-01 16:32:23 +00:00
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
for (i = 2; i < argc; i++) {
|
|
|
|
if (strcmp(argv[i], "--offset") == 0) {
|
|
|
|
printf(" [*] Parsing offset...\n");
|
|
|
|
i = i + 1;
|
|
|
|
if (strncmp(argv[i], "0x", 2) == 0) {
|
|
|
|
offset = strtol(argv[i], &nptr, 16);
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
offset = strtol(argv[i], &nptr, 10);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else if (strcmp(argv[i], "--nopause") == 0) {
|
|
|
|
nopause = true;
|
|
|
|
}
|
|
|
|
else if (strcmp(argv[i], "--jit") == 0) {
|
|
|
|
jit = true;
|
|
|
|
nopause = true;
|
|
|
|
}
|
|
|
|
else if (strcmp(argv[i], "--debug") == 0) {
|
|
|
|
debug = true;
|
|
|
|
}
|
|
|
|
else if (strcmp(argv[i], "--version") == 0) {
|
|
|
|
printf("Version: %s", _version);
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
printf("[!] Warning: Unknown arg: %s\n", argv[i]);
|
|
|
|
}
|
|
|
|
}
|
2022-05-01 16:32:23 +00:00
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
base = process_file(argv[1], jit, offset, debug);
|
|
|
|
if (base == NULL) {
|
|
|
|
printf(" [!] Exiting...");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
printf(" [*] Using offset: 0x%08x\n", offset);
|
|
|
|
execute(base, offset, nopause, jit, debug);
|
|
|
|
printf("Pausing - Press any key to quit.\n");
|
|
|
|
getchar();
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
```
|
2024-07-19 10:11:43 +00:00
|
|
|
{% hint style="success" %}
|
|
|
|
学习与实践 AWS 黑客技术:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks 培训 AWS 红队专家 (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
|
|
学习与实践 GCP 黑客技术:<img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks 培训 GCP 红队专家 (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
2022-04-28 16:01:33 +00:00
|
|
|
|
2024-07-19 10:11:43 +00:00
|
|
|
<details>
|
2022-04-28 16:01:33 +00:00
|
|
|
|
2024-07-19 10:11:43 +00:00
|
|
|
<summary>支持 HackTricks</summary>
|
2022-04-28 16:01:33 +00:00
|
|
|
|
2024-07-19 10:11:43 +00:00
|
|
|
* 查看 [**订阅计划**](https://github.com/sponsors/carlospolop)!
|
|
|
|
* **加入** 💬 [**Discord 群组**](https://discord.gg/hRep4RUj7f) 或 [**Telegram 群组**](https://t.me/peass) 或 **关注** 我们的 **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
|
|
* **通过向** [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub 仓库提交 PR 来分享黑客技巧。
|
2022-04-28 16:01:33 +00:00
|
|
|
|
|
|
|
</details>
|
2024-07-19 10:11:43 +00:00
|
|
|
{% endhint %}
|