我试图在c中使用AES加密shellcode来构建我自己的crypter。现在我已经在一个程序中制作了一个程序的PoC,可以在下面找到:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/*
* MCrypt API available online:
* http://linux.die.net/man/3/mcrypt
*/
#include <mcrypt.h>
#include <math.h>
#include <stdint.h>
#include <stdlib.h>
int encrypt(
void* buffer,
int buffer_len, /* Because the plaintext could include null bytes*/
char* IV,
char* key,
int key_len
){
MCRYPT td = mcrypt_module_open("rijndael-128", NULL, "cbc", NULL);
int blocksize = mcrypt_enc_get_block_size(td);
if( buffer_len % blocksize != 0 ){return 1;}
mcrypt_generic_init(td, key, key_len, IV);
mcrypt_generic(td, buffer, buffer_len);
mcrypt_generic_deinit (td);
mcrypt_module_close(td);
return 0;
}
int decrypt(
void* buffer,
int buffer_len,
char* IV,
char* key,
int key_len
){
MCRYPT td = mcrypt_module_open("rijndael-128", NULL, "cbc", NULL);
int blocksize = mcrypt_enc_get_block_size(td);
if( buffer_len % blocksize != 0 ){return 1;}
mcrypt_generic_init(td, key, key_len, IV);
mdecrypt_generic(td, buffer, buffer_len);
mcrypt_generic_deinit (td);
mcrypt_module_close(td);
return 0;
}
int main()
{
{
MCRYPT td, td2;
unsigned char * plaintext = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";
char* IV = "AAAAAAAAAAAAAAAA";
char *key = "0123456789abcdef";
int keysize = 16; /* 128 bits */
unsigned char buffer[32];
int counter;
int buffer_len = 32;
for ( counter = 0; counter < buffer_len; counter++){
buffer[counter]=0x90;
}
strncpy(buffer, plaintext, buffer_len);
int plain_len = strlen(plaintext);
printf("==Plain Binary==\n");
for ( counter = 0; counter < plain_len; counter++){
printf("%02x",plaintext[counter]);
}
encrypt(buffer, buffer_len, IV, key, keysize);
printf("\n==Encrypted Binary==\n");
for ( counter = 0; counter < buffer_len; counter++){
printf("\\x%02x",buffer[counter]);
}
decrypt(buffer, buffer_len, IV, key, keysize);
printf("\n==decrypted Binary==\n");
for ( counter = 0; counter < buffer_len; counter++){
if (buffer[counter] == 0){
buffer[counter] = 0x90;
}
printf("\\x%02x",buffer[counter]);
}
printf("\n");
printf("Shellcode Length: %d\n", strlen(buffer));
int (*ret)() = (int(*)())buffer;
ret();
return 0;
}
我的目标是获取加密的shellcode,解密并运行它。但是,当我尝试使用mcrypt_generic_init(td, key, key_len, IV);
函数初始化mcrypt时,我似乎遇到了分段错误。我真的不确定导致分段错误的原因。如果有人有想法?
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/*
* MCrypt API available online:
* http://linux.die.net/man/3/mcrypt
*/
#include <mcrypt.h>
#include <math.h>
#include <stdint.h>
#include <stdlib.h>
int decrypt(
void* buffer,
int buffer_len,
char* IV,
char* key,
int key_len
){
MCRYPT td = mcrypt_module_open("rijndael-128", NULL, "cbc", NULL);
int blocksize = mcrypt_enc_get_block_size(td);
if( buffer_len % blocksize != 0 ){return 1;}
printf("proceeding to mcrypt\n");
mcrypt_generic_init(td, key, key_len, IV);
printf("initiated mcrypt") ;
mdecrypt_generic(td, buffer, buffer_len);
printf("proceeding to mcrypt\n");
mcrypt_generic_deinit (td);
printf("proceeding to mcrypt\n");
mcrypt_module_close(td);
printf("returning from mcrypt\n");
return 0;
}
int main()
{
MCRYPT td,td2;
char* IV = "AAAAAAAAAAAAAAAA";
char *key = "0123456789abcdef";
int keysize = 16; /* 128 bits */
unsigned char* buffer = "\x5c\xd8\xcf\x9e\x8f\x3a\x9f\x52\x2e\x3d\x51\x06\x00\xde\xa6\x64\x45\x5f\x62\x53\x75\xab\xbd\xe1\x33\xc1\x69\xbf\xed\xc8\x5c\xaa";
int buffer_len = 32;
int counter;
decrypt(buffer, buffer_len, IV, key, keysize);
for ( counter = 0; counter < buffer_len; counter++){
printf("0x%02x",buffer[counter]);
}
printf("\n");
printf("Shellcode Length: %d\n", strlen(buffer));
int (*ret)() = (int(*)())buffer;
ret();
return 0;
}
答案 0 :(得分:3)
您正在尝试使用文字字符串进行书写。这是错误的,因为允许编译器在只读内存中分配文字字符串(他们确实这样做了。)
改变这个:
char *buffer = "..."
进入这个:
char buffer[] = "..."
后者将在堆栈上分配一个数组(因此可以修改)并使用文字字符串中的数据动态填充它(每次输入函数时重新完成)。