Wannan labarin wani bangare ne na jerin Malware mara Fayil. Duk sauran sassan jerin:
- Abubuwan Kasada na Malware mara kyau, Sashe na IV: DDE da Filin Takardun Kalma (Muna Nan)
A cikin wannan labarin, ina shirin zurfafa cikin wani yanayi mai rikitarwa mai rikitarwa marar fayil marar fayil tare da dagewa. Amma sai na yi tuntuɓe a kan wani hari mai sauƙi, mara ƙima-babu Kalma ko macros na Excel da ake buƙata! Kuma wannan ya fi dacewa ya tabbatar da hasashe na farko da ke ƙarƙashin wannan silsilar: kutsawa cikin kewayen kowace ƙungiya ba aiki ba ne mai wahala.
Harin farko da zan kwatanta yana cin gajiyar raunin Microsoft Word wanda ya dogara da shi m (DDE)Ta riga ta can. Na biyu yana amfani da ƙarin rauni gabaɗaya a cikin Microsoft COM da ikon wucewar abinsa.
Komawa gaba tare da DDE
Shin akwai wanda ya tuna DDE? Wataƙila ba su da yawa. Yana daya daga cikin na farko interprotocol na sadarwa wanda ke ba da damar aikace-aikace da na'urori don musayar bayanai.
Na ɗan saba da shi da kaina, kamar yadda na saba dubawa da gwada kayan aikin sadarwa. A lokacin, DDE ta ƙyale masu aikin cibiyar kira, misali, su aika ID na mai kira zuwa aikace-aikacen CRM, wanda a ƙarshe ya buɗe bayanin martabar abokin ciniki. Don yin wannan, dole ne ka haɗa kebul na RS-232 tsakanin wayar da kwamfutar. Waɗannan kwanaki ne!
Kamar yadda ya fito, Microsoft Word yana nan DDE.
Abin da ke sa wannan harin ya yi tasiri ba tare da lamba ba shine cewa za ku iya samun dama ga ka'idar DDE kai tsaye daga filayen atomatik na takaddar Kalma (huluna zuwa SensePost don game da wannan).
Lambobin filin - Wannan wata tsohuwar sigar MS Word ce wacce ke ba ku damar ƙara rubutu mai ƙarfi da ɗan shirye-shirye zuwa takaddar ku. Misali mafi bayyane shine filin "lambar shafi", wanda za'a iya saka shi a cikin ƙafar ta amfani da ƙimar {PAGE *MERGEFORMAT}. Wannan yana ba da damar ƙirƙira ta atomatik na lambobin shafi.
Alamomi: Kuna iya nemo abin menu na Filin ƙarƙashin sashin Saka.
Na tuna ina mamakin lokacin da na fara gano wannan fasalin a cikin Word. Har sai wani faci ya kashe shi, Word ya ci gaba da tallafawa zaɓin filayen DDE. Manufar ita ce DDE zai ba da damar Word don sadarwa kai tsaye tare da aikace-aikacen, yana ba ta damar shigar da bayanan fitar da shirin a cikin takaddar. Wannan fasaha ce ta matashi a lokacin-tallafi don musayar bayanai tare da aikace-aikacen waje. Daga baya an haɓaka shi zuwa fasahar COM, wanda kuma za mu tattauna a ƙasa.
Daga ƙarshe, masu kutse sun fahimci cewa wannan aikace-aikacen DDE na iya zama harsashi na umarni, wanda, ba shakka, yana gudanar da PowerShell, kuma daga nan masu satar za su iya yin duk abin da suke so.
Hoton da ke ƙasa yana nuna yadda na yi amfani da wannan fasaha mai ɓoyewa: ƙaramin rubutun PowerShell (wanda ake kira PS) daga filin DDE yana ɗaukar wani rubutun PS, wanda ke ƙaddamar da kashi na biyu na harin.
Godiya ga Windows don fitar da gargadi cewa ginanniyar filin DDEAUTO yana ƙoƙarin ƙaddamar da harsashi a asirce.
Hanyar da aka fi so na cin gajiyar raunin ita ce amfani da filin DDEAUTO, wanda ke gudanar da rubutun ta atomatik. lokacin budewa Takardun kalmomi.
Bari mu yi tunanin abin da za a iya yi game da wannan.
A matsayinka na dan gwanin kwamfuta novice, zaka iya, alal misali, aika imel na phishing, yin riya daga Sabis na Haraji na Tarayya, kuma ka shigar da filin DDEAUTO tare da rubutun PS don mataki na farko (mahimmanci mai saukewa). Kuma ba kwa buƙatar yin wani ainihin macro code ko wani abu kamar na yi a ciki
Wanda aka azabtar ya buɗe daftarin aiki, rubutun da aka saka yana kunna, kuma ɗan hacker yana cikin kwamfutar. A cikin yanayina, rubutun PS mai nisa yana buga saƙo ne kawai, amma yana iya kamar sauƙin ƙaddamar da abokin ciniki na PS Empire, wanda zai ba da damar harsashi mai nisa.
Kuma kafin wanda abin ya shafa ya ce uffan, masu kutse za su kasance matasa mafi arziki a kauyen.
An harba harsashi ba tare da wani codeing ba. Ko da yaro zai iya yi!
DDE da filayen
A ƙarshe Microsoft ya kashe DDE a cikin Kalma, amma ba kafin ya yi iƙirarin cewa an yi amfani da fasalin kawai ba. Rashin son canza wani abu abu ne mai fahimta. Ni da kaina na lura da wani yanayi inda aka kunna sabunta filin akan buɗe takardu, amma sabis ɗin IT ya kashe macros Word (ko da yake an nuna sanarwar). Ba zato ba tsammani, kuna iya samun saitunan da suka dace a cikin saitunan Word.
Duk da haka, ko da an kunna sabunta filin, Microsoft Word kuma yana sanar da mai amfani lokacin da filin ya buƙaci samun dama ga bayanan nesa, kamar na DDE a sama. Microsoft yana faɗakar da ku.
Amma masu amfani za su yi watsi da wannan gargaɗin kuma su ba da damar sabunta filin a cikin Word. Wannan shine ɗayan damar da ba kasafai ba don godewa Microsoft don kashe fasalin DDE mai haɗari.
Yaya wuya a sami tsarin Windows wanda ba a buɗe ba a kwanakin nan?
Don wannan gwajin, na yi amfani da mahallin AWS Workspaces don samun dama ga tebur mai kama-da-wane. Wannan ya ba ni injin kama-da-wane da ba a buɗe ba wanda ke aiki da MS Office, wanda ya ba ni damar saka filin DDEAUTO. Ba ni da shakka cewa za a iya yin irin wannan ƙoƙarin don nemo wasu kamfanoni waɗanda har yanzu ba su shigar da facin da ake buƙata ba.
Sirrin Abubuwan
Ko da kun shigar da wannan facin, akwai wasu ramukan tsaro a cikin MS Office waɗanda ke ba da damar hackers su yi wani abu mai kama da abin da muka yi da Word. A cikin labari na gaba, za mu koyi yadda Yi amfani da Excel azaman koto don harin phishing ba tare da rubuta lambar ba.
Don fahimtar wannan yanayin, bari mu tuna Samfurin Abubuwan Abun Kaya na Microsoft, ko Samfurin Abubuwan Abun Kaya a takaice. COM (Model Abun Abun Abu).
COM ya kasance tun daga 1990s kuma an ayyana shi a matsayin "tsakiyar harshe, ƙirar abubuwan da ke da alaƙa da abu" dangane da kiran tsarin nesa (RPCs). Don ƙarin fahimtar kalmomin COM, karanta a kan StackOverflow.
Ainihin, zaku iya tunanin aikace-aikacen COM azaman Excel ko Word executable, ko wani fayil ɗin binary mai gudana.
Ya bayyana cewa aikace-aikacen COM shima yana iya aiki labari - JavaScript ko VBScript. A zahiri ana kiran shi rubutunWataƙila kun ga tsawo na .sct akan fayilolin Windows-wannan shine ƙarin ƙarin aikin rubutun. Su ne ainihin lambar rubutun da aka nannade cikin XML:
<?XML version="1.0"?>
<scriptlet>
<registration
description="test"
progid="test"
version="1.00"
classid="{BBBB4444-0000-0000-0000-0000FAADACDC}"
remotable="true">
</registration>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd /k powershell -c Write-Host You have been scripted!");
]]>
</script>
</scriptlet>
Hackers da pentesters sun gano cewa akwai abubuwan amfani da aikace-aikace daban-daban a cikin Windows waɗanda ke karɓar abubuwan COM kuma, don haka, rubutun ma.
Zan iya aika rubutun zuwa kayan aikin Windows da aka rubuta a cikin VBS da aka sani da pubprn. Yana cikin zurfin C:\Windows\system32Printing_Admin_Scripts. Ba zato ba tsammani, akwai wasu kayan aikin Windows waɗanda ke karɓar abubuwa azaman sigogi. Bari mu fara da wannan misalin.
Yana da dabi'a cewa harsashi ma ana iya harba shi daga rubutun bugawa. Ci gaba, Microsoft!
Don dalilai na gwaji, na ƙirƙiri wani rubutun nesa mai sauƙi wanda ya ƙaddamar da harsashi kuma ya buga saƙo mai ban dariya: "An riga an rubuta ku!" Mahimmanci, pubprn yana ƙirƙira misalin abin rubutun, yana barin lambar VBScript ta ƙaddamar da harsashi. Wannan hanyar tana ba da fa'idodi masu fa'ida ga masu kutse da ke neman shiga da ɓoye akan tsarin ku.
A rubutu na gaba, zan yi bayanin yadda masu kutse za su iya amfani da rubutun COM ta hanyar amfani da maƙunsar bayanai na Excel.
Don aikin gida, kalli wannan daga Derbycon 2016, wanda ya bayyana daidai yadda masu satar bayanai ke amfani da rubutun. Hakanan karanta game da litattafan rubutu da wasu nau'ikan moniker.
source: www.habr.com
