Home > Developer > Web Develop

"Metasploit Penetration test Devil training camp" target drone walkthrough of the fifth chapter of the actual case Kingview 6.53 version cve-2011-0406 vulnerability

Source: Internet
Author: User
Tags cve
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >


Tag:ext   sdn    directive    alt   msf    and     machine     information     own    


In a notebook to open two virtual machine a bit card, and too much trouble, put Metasploit target target drone on another machine, IP itself configured a bit, target host: 192.168.137.254 intrusion Machine : 192.168.137.253 on target: Kingview 6.53 version cve-2011-0406 vulnerability, System Win2003 SP0 under the:  in the  the target host opened 777 ports, Baidu found that This port is running a Kingview service, and there is a vulnerability. Directly in MSF in search of the exploit module of this vulnerability ... No AH so, the Internet search an exp, put in/exploits/windows/scada, look at the source code, found inside target no win2003 SP0. No way, first try WinXP SP3 see if you can use it. Configuration process: See if you can bounce the connection: ok ... Not decisive. Go back to the target host and debug it, through just one attack, Found that HistorySvr.exe stopped running, indicating that the vulnerability was triggered, but did not execute shellcode, then, should be the point of the jump to the address is not shellcode address, and finally called the system default exception handler function. Open ollydbg, select "Just-in-time debugging" in the option menu, and then exit by selecting "Make OllyDbg just-in-time debugger". Restart the HISTORYSVR service, and then attack again, ollydbg truncation of exception handling, the program terminates at the exception of the instruction.   The reason is that the eax+0x0c address of the call is not being used, triggering an exception.   Back to the source code of the module, locate target, find target win XP SP3 en return address ret is exactly the value of the EAX register 0x00a1fb84, obviously, after the overflow occurs, the data packet ret covers the EAX, But did not successfully point to the address of Shellcode, next, only need to modify the value of RET can be. Need to locate the location of the Shellcode, in which the infiltration module adds a new Target,ret scribble, when constructing overflow packets of the exploit function, plus special positioning characters, but keep the total length unchanged.      shut down the ollydbg, restart the service, attack again: Back to the target target drone, ollydbg again intercept the exception, directly in memory to locate the character "ABAC", in 0x00b404c0 search for characters,corresponding to find the address of Shellcode 0X00B404C4 Next, modify the RET and exploit function can be:  reload, attack again, success.


Metasploit penetration Test Devil Training camp Target drone walkthrough fifth chapter Kingview 6.53 version cve-2011-0406 vulnerability


This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
get the permalink season 4 of camp camp last of ps4 walkthrough fifth root of 32768 test mobile version of website example of actual self project management body of knowledge fifth edition

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More