第三十课:解决msfvenom命令自动补全
本课是对前第1-20课中用 msfvenom 生成 payload 的补充:为 msfvenom 命令添加参数自动补全。msfvenom 功能强大,参数也非常多且繁琐;参数丰富意味着可以提高工作效率,但它不像 MSF(msfconsole)那样自带命令补全,故本课借助 zsh 的补全机制,实现 msfvenom 参数的自动补全。

需要 zsh(以及 oh-my-zsh)的支持。先确认系统已安装 zsh;下面 `echo $SHELL` 的输出仍为 /bin/bash,说明当前登录 shell 尚未切换到 zsh,补全生效前需要先切换(例如 `chsh -s /usr/bin/zsh` 后重新登录):

[email protected]:~# cat /etc/shells
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/screen
/bin/zsh
/usr/bin/zsh
/usr/bin/tmux
[email protected]:~# echo $SHELL
/bin/bash
将附录A保存为名为 `_msfvenom` 的文件(文件名见下方 ls 输出),放到 ~/.oh-my-zsh/custom/plugins/msfvenom/ 目录下(注:没有 msfvenom 目录,创建即可):
[email protected]:~/.oh-my-zsh/custom/plugins/msfvenom# pwd
/root/.oh-my-zsh/custom/plugins/msfvenom
[email protected]:~/.oh-my-zsh/custom/plugins/msfvenom# ls
_msfvenom
编辑 ~/.zshrc,将 msfvenom 加入 plugins=(...) 列表(如已启用其他插件,追加到括号内即可,不要覆盖原有内容):
[email protected]:~# nano ~/.zshrc
[email protected]:~# nano ~/.zshrc
[email protected]:~# cat ~/.zshrc
plugins=(msfvenom)
更新(重新加载配置,使插件生效):
[email protected]:~# source ~/.zshrc
效果如下。注意:首次对 `-p` 进行补全时,脚本会执行 `msfvenom --list payload` 并把结果缓存到 ~/.zsh/venom-cache,之后不会自动刷新;Metasploit 升级后请执行 `venom-clear-cache` 删除缓存,下次补全时会重新生成:

附录A(`_msfvenom` 文件内容):

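#compdef msfvenom
#autoload
#
# zsh completion for msfvenom in Metasploit Framework Project (https://www.metasploit.com)
#
# github: https://github.com/Green-m/msfvenom-zsh-completion
#
# author: Green-m ([email protected])
#
# license: GNU General Public License v3.0
#
# Copyright (c) 2018, Green-m
# All rights reserved.
#

# Where the output of `msfvenom --list payload` is cached between completions.
# A value already set by the user (e.g. exported from ~/.zshrc before the
# plugin loads) is honoured; otherwise the historical default is used. Nothing
# below expires the file automatically -- delete it (venom-clear-cache) after
# updating Metasploit so the payload list is regenerated.
: "${VENOM_CACHE_FILE:=$HOME/.zsh/venom-cache}"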
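# Delete the cached payload list so the next `-p` completion rebuilds it
# (run this after updating Metasploit).
# Quiet when the cache does not exist yet; aborts with a message instead of
# calling `rm` with no operand if VENOM_CACHE_FILE is unset or empty.
venom-clear-cache() {
  rm -f -- "${VENOM_CACHE_FILE:?VENOM_CACHE_FILE is not set}"
}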
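# Populate $VENOM_CACHE_FILE on first use.
#
# Locates msfvenom (PATH first, then the command word the user actually typed,
# which compsys exposes as $_comp_command1), creates the cache directory, and
# stores the first column of every `msfvenom --list payload` line that
# contains a '/', i.e. the payload names without the table header/decoration.
#
# Returns 0 when the cache exists or was just written, 1 with a message on
# stderr when msfvenom cannot be found or the listing came back empty. The
# original fell through on the error path, tried to run `--list` as a command
# and left an empty cache behind that was then never regenerated; here the
# listing is written to a temporary file and only moved into place when it is
# non-empty, so a failed or interrupted run leaves no truncated cache.
#
# NOTE(review): when msfvenom is not on PATH, pressing Tab executes whatever
# command word was typed (e.g. ./msfvenom). That is the user's own command,
# but be aware completion triggers its execution.
venom-cache-payloads() {
  local venom cache_dir tmp

  if [[ -z "$VENOM_CACHE_FILE" ]]; then
    printf '%s\n' "VENOM_CACHE_FILE is not set." >&2
    return 1
  fi

  if [[ -x "$(command -v msfvenom)" ]]; then
    venom="msfvenom"
  elif [[ -n "$_comp_command1" ]]; then
    venom="$_comp_command1"
  else
    printf '%s\n' "Could not find msfvenom path in system env, please run msfvenom with path." >&2
    return 1
  fi

  # Portable "dirname" that behaves the same in zsh and bash (the original
  # used the zsh-only :h modifier); a bare filename has no directory part.
  cache_dir="${VENOM_CACHE_FILE%/*}"
  [[ "$cache_dir" == "$VENOM_CACHE_FILE" ]] && cache_dir="."
  if [[ ! -d "$cache_dir" ]]; then
    mkdir -p -- "$cache_dir" || return 1
  fi

  [[ -f "$VENOM_CACHE_FILE" ]] && return 0

  printf '%s' "(...caching Metasploit Payloads...)"
  tmp="$(mktemp "$cache_dir/.venom-cache.XXXXXX")" || return 1
  # grep -F '/' keeps exactly the lines the original "^.*\/" pattern kept,
  # without the stray-backslash warning newer GNU grep emits for "\/".
  "$venom" --list payload | grep -F -- '/' | awk '{print $1}' > "$tmp"
  if [[ -s "$tmp" ]]; then
    mv -f -- "$tmp" "$VENOM_CACHE_FILE"
  else
    rm -f -- "$tmp"
    printf '%s\n' "msfvenom returned no payloads; cache not written." >&2
    return 1
  fi
}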
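# Completion entry point for msfvenom (wired up by the #compdef line above).
#
# Declares every msfvenom flag with its help text for _arguments, then looks
# at the word *before* the one being completed: if it is a flag that takes a
# value, the matching value list is offered (payload names from the cache,
# the static arch/platform/format/encoder tables, filenames for file-valued
# flags). Any other position falls back to the DATASTORE= names from
# __msfvenom_options.
_msfvenom() {
  local curcontext="$curcontext" state line
  local lastword
  typeset -A opt_args

  _arguments -C \
    '(-h --help)'{-h,--help}'[show help]' \
    '(-l --list)'{-l,--list}'[List all modules for type. Types are: payloads, encoders, nops, platforms, archs, encrypt, formats, all]' \
    '(-p --payload)'{-p,--payload}'[Payload to use (--list payloads to list, --list-options for arguments). Specify - or STDIN for custom]' \
    '(--list-options)--list-options[List --payload <value> standard, advanced and evasion options]' \
    '(-f --format)'{-f,--format}'[Output format (use --list formats to list)]' \
    '(-e --encoder)'{-e,--encoder}'[The encoder to use (use --list encoders to list)]' \
    '(--smallest)--smallest[Generate the smallest possible payload using all available encoders]' \
    '(--encrypt)--encrypt[The type of encryption or encoding to apply to the shellcode (use --list encrypt to list)]' \
    '(--encrypt-key)--encrypt-key[A key to be used for --encrypt]' \
    '(--encrypt-iv)--encrypt-iv[An initialization vector for --encrypt]' \
    '(-a --arch)'{-a,--arch}'[the architecture to use for --payload and --encoders (use --list archs to list)]' \
    '(--platform)--platform[The platform for --payload (use --list platforms to list)]' \
    '(-o --out)'{-o,--out}'[Save the payload to a file]' \
    '(-b --bad-chars)'{-b,--bad-chars}'[Characters to avoid example: "\x00\xff"]' \
    '(-n --nopsled)'{-n,--nopsled}'[Prepend a nopsled of \[length\] size on to the payload]' \
    '(--encoder-space)--encoder-space[The maximum size of the encoded payload (defaults to the -s value)]' \
    '(-i --iterations)'{-i,--iterations}'[The number of times to encode the payload]' \
    '(-c --add-code)'{-c,--add-code}'[Specify an additional win32 shellcode file to include]' \
    '(-x --template)'{-x,--template}'[Specify a custom executable file to use as a template]' \
    '(-k --keep)'{-k,--keep}'[Preserve the --template behaviour and inject the payload as a new thread]' \
    '(-v --var-name)'{-v,--var-name}'[Specify a custom variable name to use for certain output formats]' \
    '(-t --timeout)'{-t,--timeout}'[The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)]' \
    '*: :($(__msfvenom_options))'

  # zsh arrays are 1-based, so this is the word preceding the one under the
  # cursor -- the flag whose value we may be completing.
  lastword=${words[${#words[@]}-1]}

  # The unquoted $(...) below rely on zsh splitting command-substitution
  # output on IFS so each printed line becomes one candidate.
  case "$lastword" in
    (-p|--payload)
      _values 'payload' $(__msfvenom_payloads)
      ;;
    (-l|--list)
      local lists=('payloads' 'encoders' 'nops' 'platforms' 'archs' 'encrypt' 'formats' 'all')
      _values 'list' "${lists[@]}"
      ;;
    # The _arguments spec declares --encrypt and --platform (double dash), so
    # that is what appears as $lastword; the original patterns "-encrypt" and
    # "-platform" could never match and these branches were unreachable.
    (--encrypt)
      local encrypts=('aes256' 'base64' 'rc4' 'xor')
      _values 'encrypt' "${encrypts[@]}"
      ;;
    (-a|--arch)
      _values 'arch' $(__msfvenom_archs)
      ;;
    (--platform)
      _values 'platform' $(__msfvenom_platforms)
      ;;
    (-f|--format)
      _values 'format' $(__msfvenom_formats)
      ;;
    (-e|--encoder)
      _values 'encoder' $(__msfvenom_encoders)
      ;;
    # File-valued flags: output path, template executable, extra shellcode.
    (-o|--out|-x|--template|-c|--add-code)
      _files
      ;;
    (*)
      ;;
  esac
}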
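# Print the cached payload names, one per line, for `-p` completion.
# Builds the cache first via venom-cache-payloads; if that fails or the cache
# is unreadable, prints nothing and returns 1 instead of letting `cat`
# complain about a missing file in the middle of a completion.
__msfvenom_payloads() {
  local payload

  # we cache the list of payloads (originally from the macports plugin)
  venom-cache-payloads || return 1
  [[ -r "$VENOM_CACHE_FILE" ]] || return 1

  # read -r keeps backslashes intact; the || handles a missing final newline;
  # blank lines would otherwise become empty candidates and are skipped.
  while IFS= read -r payload || [[ -n "$payload" ]]; do
    if [[ -n "$payload" ]]; then
      printf '%s\n' "$payload"
    fi
  done < "$VENOM_CACHE_FILE"
}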
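# Architectures accepted by `msfvenom -a/--arch`, one per line, for completion.
# Static snapshot -- compare with `msfvenom --list archs` after a Metasploit
# update. Printed with printf over the whole array so every element is emitted
# in zsh and bash alike (an unquoted `$archs` yields only the first element
# outside zsh).
__msfvenom_archs() {
  local -a archs=(
    aarch64 armbe armle cbea cbea64 cmd dalvik firefox java
    mips mips64 mips64le mipsbe mipsle nodejs php ppc ppc64 ppc64le
    ppce500v2 python r ruby sparc sparc64 tty x64 x86 x86_64 zarch
  )
  printf '%s\n' "${archs[@]}"
}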
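# Encoder module names accepted by `msfvenom -e/--encoder`, one per line, for
# completion. Static snapshot -- compare with `msfvenom --list encoders` after
# a Metasploit update. printf over the array emits every element in zsh and
# bash alike (an unquoted `$encoders` yields only the first element outside zsh).
__msfvenom_encoders() {
  local -a encoders=(
    cmd/brace cmd/echo cmd/generic_sh cmd/ifs cmd/perl
    cmd/powershell_base64 cmd/printf_php_mq
    generic/eicar generic/none
    mipsbe/byte_xori mipsbe/longxor mipsle/byte_xori mipsle/longxor
    php/base64
    ppc/longxor ppc/longxor_tag
    ruby/base64
    sparc/longxor_tag
    x64/xor x64/xor_dynamic x64/zutto_dekiru
    x86/add_sub x86/alpha_mixed x86/alpha_upper
    x86/avoid_underscore_tolower x86/avoid_utf8_tolower x86/bloxor
    x86/bmp_polyglot x86/call4_dword_xor x86/context_cpuid
    x86/context_stat x86/context_time x86/countdown x86/fnstenv_mov
    x86/jmp_call_additive x86/nonalpha x86/nonupper x86/opt_sub
    x86/service x86/shikata_ga_nai x86/single_static_bit
    x86/unicode_mixed x86/unicode_upper x86/xor_dynamic
  )
  printf '%s\n' "${encoders[@]}"
}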
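# Target platforms accepted by `msfvenom --platform`, one per line, for
# completion. Static snapshot -- compare with `msfvenom --list platforms`
# after a Metasploit update. printf over the array emits every element in zsh
# and bash alike (an unquoted `$platforms` yields only the first element
# outside zsh).
__msfvenom_platforms() {
  local -a platforms=(
    aix android apple_ios bsd bsdi cisco firefox freebsd hardware hpux
    irix java javascript juniper linux mainframe multi netbsd netware
    nodejs openbsd osx php python r ruby solaris unix unknown windows
  )
  printf '%s\n' "${platforms[@]}"
}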
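# Output formats accepted by `msfvenom -f/--format`, one per line, for
# completion: the executable/file formats (asp .. war) followed by the
# source/text formats (bash .. vbscript). Static snapshot -- compare with
# `msfvenom --list formats` after a Metasploit update. printf over the array
# emits every element in zsh and bash alike (an unquoted `$formats` yields
# only the first element outside zsh).
__msfvenom_formats() {
  local -a formats=(
    asp aspx aspx-exe axis2 dll elf elf-so exe exe-only exe-service
    exe-small hta-psh jar jsp loop-vbs macho msi msi-nouac osx-app psh
    psh-cmd psh-net psh-reflection vba vba-exe vba-psh vbs war
    bash c csharp dw dword hex java js_be js_le num perl pl powershell
    ps1 py python raw rb ruby sh vbapplication vbscript
  )
  printf '%s\n' "${formats[@]}"
}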
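# Common datastore options (LHOST=, LPORT=, ...) offered as positional
# completions via the '*: :(...)' spec in _msfvenom. Hand-maintained and not
# exhaustive; `msfvenom -p <payload> --list-options` shows the real set.
# Printed one per line like the other __msfvenom_* helpers (the caller splits
# on whitespace, so this is equivalent to the original single-line echo); the
# duplicated StageEncoder= entry from the original list is dropped.
__msfvenom_options() {
  # Named `opts` rather than `options`: zsh provides a special `options`
  # parameter (the shell-option hash from zsh/parameter, which compsys loads),
  # and shadowing it with a plain array is best avoided.
  local -a opts=(
    LHOST= LPORT= EXITFUNC= RHOST= StageEncoder=
    AutoLoadStdapi= AutoRunScript= AutoSystemInfo=
    AutoVerifySession= AutoVerifySessionTimeout=
    EnableStageEncoding= EnableUnicodeEncoding= HandlerSSLCert=
    InitialAutoRunScript= PayloadBindPort= PayloadProcessCommandLine=
    PayloadUUIDName= PayloadUUIDRaw= PayloadUUIDSeed= PayloadUUIDTracking=
    PrependMigrate= PrependMigrateProc=
    ReverseAllowProxy= ReverseListenerBindAddress= ReverseListenerBindPort=
    ReverseListenerComm= ReverseListenerThreaded=
    SessionCommunicationTimeout= SessionExpirationTimeout=
    SessionRetryTotal= SessionRetryWait=
    StageEncoderSaveRegisters= StageEncodingFallback=
    StagerRetryCount= StagerRetryWait=
    VERBOSE= WORKSPACE=
  )
  printf '%s\n' "${opts[@]}"
}

#_msfvenom "$@"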
Micropoor