MetaSploit
rapid7/metasploit-framework/external/source/shellcode
apple_ios/aarch64
bsd
bsdi/ia32
generic
linux
mainframe
osx
solaris/sparc
windows
midstager.asm
multi_arch_kernel_queue_apc.asm
single_adduser.asm
single_exec.asm
single_shell_bind_tcp.asm
single_shell_bind_tcp_xpfw.asm
single_shell_reverse_tcp.asm
Stage
A stager is what the payload uses to set up a network connection between the target machine and the payload handler running on the server. A stager lets you use a smaller payload to load and inject a larger, more complex payload called the stage.
Choose one of the following stagers:
- Reverse TCP
  - Creates a connection from the target machine back to the server over TCP.
- Bind TCP
  - Binds a command prompt to a listening port on the target machine so that the server can connect to it.
- Reverse HTTP
  - Creates a connection from the target machine back to the server over HTTP.
- Reverse HTTPS
  - Creates a connection from the target machine back to the server over HTTPS.
stage_shell.asm
stage_upexec.asm
stager_bind_ipv6_tcp_nx.asm
stager_bind_tcp.asm
stager_bind_tcp_nx.asm
stager_find_tag.asm
stager_reverse_http.asm
stager_reverse_ipv6_tcp_nx.asm
stager_reverse_ord_tcp.asm
stager_reverse_tcp.asm
stager_reverse_tcp_nx.asm
x86 kernels will safely ret instead of BSOD
msf2
win32_stage_api.asm
win32_stage_boot_bind.asm
win32_stage_boot_bind_inlineegg.asm
win32_stage_boot_bind_read.asm
win32_stage_boot_bind_shell.asm
win32_stage_boot_reverse.asm
win32_stage_boot_reverse_inlineegg.asm
win32_stage_boot_reverse_read.asm
win32_stage_boot_reverse_shell.asm
win32_stage_boot_reverse_shell_revert.asm
win32_stage_boot_reverse_udp.asm
- recv
- send
- accept
- bind
win32_stage_boot_winsock_bind.asm
- WSASocketA
win32_stage_boot_winsock_conn.asm
win32_stage_boot_winsock_conn_udp.asm
win32_stage_inlineegg.asm
win32_stage_revert.asm
win32_stage_shell.asm
win32_stage_uploadexec.asm
- GetProcAddress
- LoadLibraryA
- socket
- CreateFileA
- WriteFile
- CloseHandle
win32_stage_winexec.asm
x64
x86
src
block
block_api.asm
block_bind_tcp.asm
Bind TCP connection:
- WSAStartup
- WSASocketA
- bind
- listen
- accept
block_create_remote_process.asm
Creates a process and a remote thread inside it:
- VirtualAlloc
- CreateProcessA
- VirtualAllocEx
- WriteProcessMemory
- CreateRemoteThread
- CloseHandle
block_exitfunk.asm
block_get_pstore_creds.asm
Appears to retrieve usernames and passwords saved in IE:
- VirtualAlloc
- LoadLibraryA( "pstorec" )
- PStoreCreateInstance
- IPStore::EnumTypes
- EnumPStoreTypes::raw_Next
- IPStore::EnumSubtypes
- EnumSubtypes.raw_Next
- IPStore::Enumitems
block_hidden_bind_ipknock.asm
- LoadLibraryA( "ws2_32" )
- WSAStartup
- WSASocketA
- bind
- setsockopt (hidden ipknock)
  - setsockopt(s, SOL_SOCKET, SO_CONDITIONAL_ACCEPT, &bOptVal, 1 );
- listen
- WSAAccept
block_hidden_bind_tcp.asm
Differs from block_hidden_bind_ipknock.asm at line 73: the logic differs slightly, but the APIs used are the same.
block_rc4.asm
block_recv.asm
- VirtualAlloc
block_recv_rc4.asm
- VirtualAlloc
- recv
reverse
block_reverse_http.asm
- InternetOpenA
- InternetConnectA
- HttpOpenRequestA
- InternetSetOptionA
- HttpSendRequestA
- VirtualAlloc
block_reverse_http_use_proxy_creds.asm
block_reverse_https_proxy.asm
block_reverse_ipv6_tcp.asm
connect( s, &sockaddr_in6, 28 );
block_reverse_tcp.asm
- WSAStartup
- WSASocketA
block_reverse_tcp_allports.asm
connect( s, &sockaddr, 16 );
The configured port differs.
block_reverse_tcp_dns.asm
- WSAStartup
- WSASocketA
- gethostbyname
block_reverse_winhttp.asm
- WinHttpOpen
- WinHttpConnect
- WinHttpOpenRequest
- WinHttpSendRequest
- WinHttpReceiveResponse
- VirtualAlloc
  - VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
block_service.asm
- StartServiceCtrlDispatcherA
- RegisterServiceCtrlHandlerExA
block_service_change_description.asm
- OpenSCManagerA
- OpenServiceA
block_service_stopped.asm
- RegisterServiceCtrlHandlerExA
- SetServiceStatus
  - SetServiceStatus(hServiceStatus, SERVICE_STOPPED)
block_shell.asm
- CreateProcessA
  - CreateProcessA(0, &"cmd", 0, 0, TRUE, 0, 0, 0, &si, &pi);
- WaitForSingleObject
  - WaitForSingleObject(pi.hProcess, INFINITE);
Makefile
Makefile.incl