"Metasploit Penetration Testing Devil Training Camp" target machine walkthrough, Chapter 5 case study: Kingview 6.53 and the CVE-2011-0406 vulnerability

Source: Internet
Author: User
Tags: cve




Running two virtual machines on one laptop was a bit laggy and more trouble than it was worth, so I put the Metasploit target machine on a second physical machine and set the IP addresses by hand. Target host: 192.168.137.254. Attacking machine: 192.168.137.253. Target software: Kingview 6.53 with the CVE-2011-0406 vulnerability, running on Windows 2003 SP0.

Port 777 was open on the target host. A quick Baidu search showed that this port belongs to a Kingview service and that the service has a known vulnerability. I searched MSF directly for an exploit module for this vulnerability, but there was none, so I found an exploit online and dropped it into exploits/windows/scada. Reading its source, I noticed that its target list has no entry for Win2003 SP0. With no better option, I first tried the WinXP SP3 target to see whether it would work. I configured the module, ran it, and checked whether the reverse connection came back. It did not.

So, back to the target host to debug. After that single attack, HistorySvr.exe had stopped running, which means the vulnerability was triggered but the shellcode never executed: the jump most likely landed somewhere other than the shellcode address, and the system's default exception handler was eventually invoked. I opened OllyDbg, chose "Just-in-time debugging" from the Options menu, selected "Make OllyDbg just-in-time debugger", and exited. Then I restarted the HistorySvr service and attacked again. This time OllyDbg caught the exception, and the program stopped at the faulting instruction: a call through eax+0x0c, where the address at eax+0x0c is not usable, which is what raises the exception.

Back in the module source, I looked at the target definitions and found that the return address (ret) for the WinXP SP3 target is exactly the value now sitting in EAX, 0x00a1fb84. Clearly the ret value from the packet overwrites EAX once the overflow occurs, but it does not point at the shellcode. All that remains is to change the value of ret.

To do that I first had to find where the shellcode lands. In the exploit module I added a new target with an arbitrary placeholder ret, and in the exploit function that builds the overflow packet I inserted distinctive marker characters while keeping the total packet length unchanged. Then I closed OllyDbg, restarted the service, and attacked again. On the target machine OllyDbg intercepted the exception once more, and searching memory for the marker "ABAC" found it at 0x00b404c0, which puts the shellcode at 0x00B404C4. With ret set to that address and the exploit function adjusted to match, I reloaded the module and attacked again: success.



