Running two virtual machines on one laptop is a strain on the graphics card and more trouble than it is worth, so I put the Metasploit target machine on a separate box and configured the IP addresses by hand. Target host: 192.168.137.254; attacking machine: 192.168.137.253. On the target: Kingview 6.53, the CVE-2011-0406 vulnerability, running on Windows 2003 SP0.

The target host has port 777 open. A Baidu search showed that this port is served by a Kingview service and that it carries a known vulnerability. Searching in MSF for an exploit module for this vulnerability turned up nothing, so I found an exploit online and placed it under exploits/windows/scada. Reading its source, none of its targets covers Win2003 SP0, so the only option was to try the WinXP SP3 target first and see whether it works.

Configuration, then a check of whether the reverse connection comes back: OK... nothing decisive. Back on the target host to debug: after that single attack, HistorySvr.exe had stopped running, which shows the vulnerability was triggered but the shellcode did not execute. The address jumped to therefore does not point at the shellcode, and execution ended up in the system's default exception handler.

Open OllyDbg, select "Just-in-time debugging" in the Options menu, choose "Make OllyDbg just-in-time debugger", and exit. Restart the HistorySvr service and attack again; OllyDbg now catches the exception, and the program stops at the faulting instruction. The cause is that the address read at eax+0x0c by the call does not point to usable memory, which raises the exception. Back in the module source, the return address (ret) for the "win XP SP3 en" target is exactly the value now in EAX, 0x00a1fb84. Clearly, after the overflow, the ret value from the packet overwrites EAX but does not point at the shellcode, so all that remains is to change the value of ret.

To locate the shellcode, I added a new target to the exploit module with a placeholder ret, and where the exploit function builds the overflow packet I added distinctive marker characters while keeping the total length unchanged. Close OllyDbg, restart the service, attack again. Back on the target machine, OllyDbg intercepts the exception once more; searching memory directly for the string "ABAC" finds it at 0x00b404c0, and the corresponding shellcode address is 0x00B404C4. Change ret and the exploit function accordingly, reload the module, attack again: success.
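The tell-tale the walkthrough relies on, HistorySvr.exe dying after each attempt because the overwritten address did not land on the shellcode, is also what a defender can watch for on the KingView host. The following is an added detection example, not code from the original post: it assumes a simplified "event_id<TAB>source<TAB>message" export of the Windows event log, constructed sample lines, and an assumed service display name.

```python
import re

# Constructed sample of exported Windows event log lines in a simplified
# "event_id<TAB>source<TAB>message" layout; not real log output.
SAMPLE_LOG = """\
1000\tApplication Error\tFaulting application HistorySvr.exe, version 6.53.0.0, faulting module HistorySvr.exe, version 6.53.0.0, fault address 0x0001a2b4.
7031\tService Control Manager\tThe KingView HistorySvr service terminated unexpectedly.  It has done this 1 time(s).
1000\tApplication Error\tFaulting application notepad.exe, version 5.2.3790.0, faulting module ntdll.dll, version 5.2.3790.0, fault address 0x00003f1c.
7031\tService Control Manager\tThe KingView HistorySvr service terminated unexpectedly.  It has done this 2 time(s).
"""

# Process name comes from the post; the service display name is an assumption.
WATCHED_PROCESS = "historysvr.exe"
WATCHED_SERVICE = "historysvr"

FAULT_RE = re.compile(r"Faulting application (\S+), .*?fault address (0x[0-9a-fA-F]+)")
TERM_RE = re.compile(r"The (.+?) service terminated unexpectedly")


def parse_events(text):
    """Split exported lines into event_id / source / message records."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event_id, source, message = line.split("\t", 2)
            events.append({"id": event_id, "source": source, "message": message})
    return events


def detect_historysvr_crashes(text):
    """One alert per HistorySvr crash (Event 1000) or unexpected stop (Event 7031)."""
    alerts = []
    for ev in parse_events(text):
        if ev["id"] == "1000":
            m = FAULT_RE.search(ev["message"])
            if m and m.group(1).lower() == WATCHED_PROCESS:
                alerts.append({"kind": "app_crash", "fault_address": m.group(2)})
        elif ev["id"] == "7031":
            m = TERM_RE.search(ev["message"])
            if m and WATCHED_SERVICE in m.group(1).lower():
                alerts.append({"kind": "service_terminated", "fault_address": ""})
    return alerts


def crash_verdict(text, threshold=2):
    """Repeated HistorySvr crashes are the post's sign of a triggered overflow
    whose shellcode did not run; escalate once the threshold is reached."""
    n = len(detect_historysvr_crashes(text))
    if n >= threshold:
        return "escalate"
    return "investigate" if n else "clean"
```

Run `crash_verdict(SAMPLE_LOG)` on an export covering a short window; unrelated crashes such as the notepad.exe line are ignored, and the fault address recorded for each HistorySvr crash can be compared against the known-bad values from the analysis above.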
Metasploit Penetration Testing: Devil Training Camp, target machine walkthrough, chapter 5: Kingview 6.53 CVE-2011-0406 vulnerability