Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/hosch3n/msmap

Msmap is a Memory WebShell Generator.
https://github.com/hosch3n/msmap

Last synced: 3 days ago
JSON representation

Msmap is a Memory WebShell Generator.

Host: GitHub
URL: https://github.com/hosch3n/msmap
Owner: hosch3n
License: gpl-3.0
Created: 2022-08-08T02:06:40.000Z (over 2 years ago)
Default Branch: main
Last Pushed: 2023-04-22T13:26:31.000Z (over 1 year ago)
Last Synced: 2024-08-02T15:36:07.140Z (3 months ago)
Language: Python
Size: 4.88 MB
Stars: 537
Watchers: 13
Forks: 86
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

StarryDivineSky - hosch3n/msmap

README

        # MSMAP

Msmap is a Memory WebShell Generator. Compatible with various Containers, Components, Encoder, *WebShell / Proxy / Killer* and Management Clients. [简体中文](README_CN.md)

[The idea behind I](https://hosch3n.github.io/2022/08/08/Msmap%E5%86%85%E5%AD%98%E9%A9%AC%E7%94%9F%E6%88%90%E6%A1%86%E6%9E%B6%EF%BC%88%E4%B8%80%EF%BC%89/), [The idea behind II](https://hosch3n.github.io/2022/08/09/Msmap%E5%86%85%E5%AD%98%E9%A9%AC%E7%94%9F%E6%88%90%E6%A1%86%E6%9E%B6%EF%BC%88%E4%BA%8C%EF%BC%89/), [The idea behind III](https://hosch3n.github.io/2022/10/29/Msmap%E5%86%85%E5%AD%98%E9%A9%AC%E7%94%9F%E6%88%90%E6%A1%86%E6%9E%B6%EF%BC%88%E4%B8%89%EF%BC%89/)

![](img/a.png)

![](img/b.png)

![](img/c.png)

Feature [WIP]

### Function

- [x] Dynamic Menu

- [x] Automatic Compilation

- [x] Generate Script

- [ ] Lite Mode

- [ ] Graphical Interface

### Container

- Java

  - [x] Tomcat7

  - [x] Tomcat8

  - [x] Tomcat9

  - [x] Tomcat10

  - [x] Resin3

  - [x] Resin4

  - [ ] WebSphere

  - [ ] GlassFish

  - [x] WebLogic

  - [ ] JBoss

  - [x] Spring*

  - [ ] Jetty

  - [ ] Netty

  - [x] JVM*

- .NET

  - [ ] IIS

- PHP

- Python

*: SpringHandler only support for JDK8+

*: JVM Default support for `Linux Tomcat 8/9`, more versions can be adapted according to the advanced guide.

### WebShell / Proxy / Killer

- WebShell

  - [x] CMD / SH

  - [x] AntSword

  - [x] JSPJS

  - [x] Behinder

  - [x] Godzilla

- No need for modularity

~~Proxy: Neo-reGeorg, wsproxy~~

~~Killer: java-memshell-scanner, ASP.NET-Memshell-Scanner~~

### Decoder / Decryptor / Hasher

- Decoder

  - [x] Base64

  - [ ] Hex

- Decryptor

  - [x] XOR

  - [x] RC4

  - [x] AES128

  - [x] AES256

  - [ ] RSA

- Hasher

  - [x] MD5

  - [x] SHA128

  - [x] SHA256

## Usage

``` bash

git clone [email protected]:hosch3n/msmap.git

cd msmap

python generator.py

```

> [Warning] MUST set a unique password, Options are case sensitive.

### Advanced

Edit `config/environment.py`

``` python

# Auto Compile

auto_build = True

# Base64 Encode Class File

b64_class = True

# Generate Script File

generate_script = True

# Compiler Absolute Path

java_compiler_path = r"~/jdk1.6.0_04/bin/javac"

dotnet_compiler_path = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"

```

Edit `gist/java/container/tomcat/servlet.py`

``` java

// Servlet Path Pattern

private static String pattern = "*.xml";

```

If an encryption encoder is used in WsFilter, the password needs to be the same as the path (eg `/passwd`)

`gist/java/container/jdk/javax.py` with `lib/servlet-api.jar` can be replaced depending on the target container.

`pip3 install pyperclip` to support automatic copying to clipboard.

## Example

CMD / SH

**Command** with **Base64** Encoder | Inject Tomcat Valve

`python generator.py Java Tomcat Valve Base64 CMD passwd`

AntSword

Type **JSP** with **default** Encoder | Inject Tomcat Valve

`python generator.py Java Tomcat Valve RAW AntSword passwd`

Type **JSP** with **[aes_128_ecb_pkcs7_padding_md5](extend/AntSword/encoder/aes_128_ecb_pkcs7_padding_md5.js)** Encoder | Inject Tomcat Listener

`python generator.py Java Tomcat Listener AES128 AntSword passwd`

Type **JSP** with **[rc_4_sha256](extend/AntSword/encoder/rc_4_sha256.js)** Encoder | Inject Tomcat Servlet

`python generator.py Java Tomcat Servlet RC4 AntSword passwd`

Type **JSP**  with **[xor_md5](extend/AntSword/encoder/xor_md5.js)** Encoder | AgentFiless Inject HttpServlet

`python generator.py Java JDK JavaX XOR AntSword passwd`

Type **JSPJS** with **[aes_128_ecb_pkcs7_padding_md5](extend/AntSword/encoder/aes_128_ecb_pkcs7_padding_md5.js)** Encoder | Inject Tomcat WsFilter

`python generator.py Java Tomcat WsFilter AES128 JSPJS passwd`

Type **JSPJS** with **[xor_md5](extend/AntSword/encoder/xor_md5.js)** Encoder | Inject Spring Handler

`python generator.py Java Spring Handler XOR JSPJS passwd`

Behinder

Type **default_aes** | Inject Tomcat Valve

`python generator.py Java Tomcat Valve AES128 Behinder rebeyond`

Type **default_xor_base64** | Inject Spring Interceptor

`python generator.py Java Spring Interceptor XOR Behinder rebeyond`

Godzilla

Type **JAVA_AES_BASE64** | Inject Tomcat Valve

`python generator.py Java Tomcat Valve AES128 Godzilla superidol`

Type **JAVA_AES_BASE64** | AgentFiless Inject HttpServlet

`python generator.py Java JDK JavaX AES128 Godzilla superidol`

Type **JAVA_AES_BASE64** | Inject Spring Handler

`python generator.py Java Spring Handler AES128 Godzilla superidol`

> [Known issue](https://github.com/BeichenDream/Godzilla/issues/76)

## Reference

[GodzillaMemoryShellProject](https://github.com/BeichenDream/GodzillaMemoryShellProject)

[AntSword-JSP-Template](https://github.com/AntSwordProject/AntSword-JSP-Template)

[As-Exploits memshell_manage](https://github.com/yzddmr6/As-Exploits/tree/master/core/memshell_manage)

[Behinder](https://github.com/rebeyond/Behinder) | [wsMemShell](https://github.com/veo/wsMemShell) | [ysomap](https://github.com/wh1t3p1g/ysomap)

Extended Reading

[利用“进程注入”实现无文件复活 WebShell](https://www.freebuf.com/articles/web/172753.html)

[基于内存 Webshell 的无文件攻击技术研究](https://landgrey.me/blog/12/)

[利用 intercetor 注入 spring 内存 webshell](https://landgrey.me/blog/19/)

[linux下java反序列化通杀回显方法的低配版实现](https://xz.aliyun.com/t/7307)

[Tomcat中一种半通用回显方法](https://xz.aliyun.com/t/7348)

[基于tomcat的内存 Webshell 无文件攻击技术](https://xz.aliyun.com/t/7388)

[基于全局储存的新思路 | Tomcat的一种通用回显方法研究](https://mp.weixin.qq.com/s?__biz=MzIwNDA2NDk5OQ==&mid=2651374294&idx=3&sn=82d050ca7268bdb7bcf7ff7ff293d7b3)

[tomcat不出网回显连续剧第六集](https://xz.aliyun.com/t/7535)

[中间件内存马注入&冰蝎连接](https://paper.seebug.org/1441/#2mbeancontext)

[Java内存马：一种Tomcat全版本获取StandardContext的新方法](https://xz.aliyun.com/t/9914)

[Java内存攻击技术漫谈](https://xz.aliyun.com/t/10075)

[Linux下内存马进阶植入技术](https://xz.aliyun.com/t/10186)

[Spring cloud gateway通过SPEL注入内存马](https://gv7.me/articles/2022/the-spring-cloud-gateway-inject-memshell-through-spel-expressions/)

[CVE-2022-22947 注入哥斯拉内存马](https://blog.wanghw.cn/tech-share/cve-2022-22947-inject-godzilla-memshell.html)

[Linux下无文件Java agent探究](https://tttang.com/archive/1525/)

[论如何优雅的注入Java Agent内存马](https://xz.aliyun.com/t/11640)