Wannan labarin wani bangare ne na jerin Malware mara Fayil. Duk sauran sassan jerin:
- Abubuwan Kasadar Malware na Elusive, Sashe na IV: DDE da Filin Takardun Kalma (muna nan)
A cikin wannan labarin, zan nutse cikin wani mahimmin yanayin harin da ba shi da fayil ɗin matakai da yawa tare da liƙa akan tsarin. Amma sai na ci karo da wani abu mai sauƙi mai sauƙi, harin code-babu Kalma ko Excel macros da ake buƙata! Kuma wannan yana tabbatar da ingantaccen hasashe na na asali wanda ke ƙarƙashin wannan jerin kasidu: karya kewayen kowace ƙungiya ba aiki ba ne mai wahala ko kaɗan.
Harin farko da zan kwatanta yana cin gajiyar raunin Microsoft Word wanda ya dogara da shi m (DDE). Ta kasance . Na biyu yana amfani da ƙarin rauni gabaɗaya a cikin Microsoft COM da ikon canja wurin abu.
Koma zuwa gaba tare da DDE
Akwai wanda ya tuna DDE? Wataƙila ba su da yawa. Yana daya daga cikin na farko ka'idojin sadarwa tsakanin-tsari wanda ya ba da damar aikace-aikace da na'urori don canja wurin bayanai.
Ni da kaina na saba da shi saboda na kasance ina dubawa da gwada kayan aikin sadarwa. A wancan lokacin, DDE ta ƙyale, alal misali, masu aikin cibiyar kira don canja wurin ID na mai kira zuwa aikace-aikacen CRM, wanda a ƙarshe ya buɗe katin abokin ciniki. Don yin wannan, dole ne ka haɗa kebul na RS-232 tsakanin wayarka da kwamfutarka. Waɗannan kwanaki ne!
Kamar yadda ya fito, Microsoft Word yana nan DDE.
Abin da ke sa wannan harin ya yi tasiri ba tare da lamba ba shine cewa za ku iya samun dama ga ka'idar DDE kai tsaye daga filayen atomatik a cikin takaddar Kalma (huluna zuwa SensePost don game da shi).
Lambobin filin wani tsohuwar sigar MS Word ce wacce ke ba ku damar ƙara rubutu mai ƙarfi da ɗan shirye-shirye zuwa takaddun ku. Misali mafi bayyane shine filin lambar shafi, wanda za'a iya saka shi cikin ƙafar ƙafa ta amfani da ƙimar {SHAFI *MERGEFORMAT}. Wannan yana ba da damar ƙirƙirar lambobin shafi ta atomatik.
Alamomi: Kuna iya nemo abin menu na Filin ƙarƙashin Saka.
Na tuna cewa lokacin da na fara gano wannan fasalin a cikin Word, na yi mamaki. Kuma har sai facin ya kashe shi, Word har yanzu yana goyan bayan zaɓin filayen DDE. Manufar ita ce DDE za ta ba da damar Word don sadarwa kai tsaye tare da aikace-aikacen, ta yadda za ta iya shigar da fitar da shirin a cikin takarda. Wata fasaha ce ta matashi a wancan lokacin - tallafi don musayar bayanai tare da aikace-aikacen waje. Daga baya aka samar da ita zuwa fasahar COM, wacce kuma za mu duba a kasa.
A ƙarshe, masu kutse sun fahimci cewa wannan aikace-aikacen DDE na iya zama harsashi na umarni, wanda ba shakka ya ƙaddamar da PowerShell, kuma daga nan hackers na iya yin duk abin da suke so.
Hoton da ke ƙasa yana nuna yadda na yi amfani da wannan fasaha ta ɓoye: ƙaramin rubutun PowerShell (wanda ake kira PS) daga filin DDE yana ɗaukar wani rubutun PS, wanda ke ƙaddamar da kashi na biyu na harin.
Godiya ga Windows don faɗakarwar faɗakarwa cewa ginanniyar filin DDEAUTO yana ƙoƙarin fara harsashi a asirce
Hanyar da aka fi so na cin gajiyar raunin ita ce amfani da bambance-bambancen tare da filin DDEAUTO, wanda ke gudanar da rubutun ta atomatik. a bude Takardun kalmomi.
Bari mu yi tunanin abin da za mu iya yi game da wannan.
A matsayinka na dan gwanin kwamfuta novice, zaka iya, alal misali, aika imel na phishing, yin riya cewa kai daga Ma'aikatar Haraji ta Tarayya ne, kuma ka shigar da filin DDEAUTO tare da rubutun PS don mataki na farko (digo, da gaske). Kuma ba kwa buƙatar yin wani ainihin coding na macros, da sauransu, kamar yadda na yi a ciki
Wanda aka azabtar ya buɗe daftarin aiki, rubutun da aka saka yana kunna, kuma mai satar bayanai ya ƙare a cikin kwamfutar. A cikin akwati na, rubutun PS mai nisa yana buga saƙo ne kawai, amma yana iya kamar sauƙin ƙaddamar da abokin ciniki na PS Empire, wanda zai ba da damar harsashi mai nisa.
Kuma kafin wanda aka azabtar ya sami lokacin cewa komai, masu kutse za su zama mafi kyawun samari a ƙauyen.
An harba harsashi ba tare da ƙaramar coding ba. Ko da yaro zai iya yi!
DDE da filayen
Daga baya Microsoft ya kashe DDE a cikin Kalma, amma ba kafin kamfanin ya bayyana cewa an yi amfani da fasalin kawai ba. Rashin son canza wani abu abu ne mai fahimta. A cikin gwaninta, ni da kaina na ga misali inda ake sabunta filayen lokacin buɗe daftarin aiki, amma IT macros ya kashe ta (amma yana nuna sanarwa). Af, zaku iya samun saitunan da suka dace a cikin sashin saitunan Word.
Duk da haka, ko da an kunna sabunta filin, Microsoft Word kuma yana sanar da mai amfani lokacin da filin yana buƙatar samun dama ga bayanan da aka goge, kamar yadda yake tare da DDE a sama. Microsoft yana gargadinku da gaske.
Amma mafi mahimmanci, masu amfani za su yi watsi da wannan gargaɗin kuma su kunna sabunta filayen a cikin Word. Wannan shine ɗayan damar da ba kasafai ba don godewa Microsoft don kashe fasalin DDE mai haɗari.
Yaya wuya a sami tsarin Windows wanda ba a buɗe ba a yau?
Don wannan gwajin, na yi amfani da AWS Workspaces don samun dama ga tebur mai kama-da-wane. Ta wannan hanyar na sami injin kama-da-wane na MS Office wanda ya ba ni damar saka filin DDEAUTO. Ba ni da shakka cewa ta irin wannan hanya za ku iya samun wasu kamfanoni waɗanda ba su riga sun shigar da facin da suka dace ba.
Sirrin abubuwa
Ko da kun shigar da wannan facin, akwai wasu ramukan tsaro a cikin MS Office waɗanda ke ba masu kutse damar yin wani abu mai kama da abin da muka yi da Word. A labari na gaba za mu koya Yi amfani da Excel azaman koto don harin phishing ba tare da rubuta kowane lamba ba.
Don fahimtar wannan yanayin, bari mu tuna Samfurin Abubuwan Abun Kaya na Microsoft, ko a takaice COM (Model Abun Abun Abu).
COM ya kasance tun a shekarun 1990s, kuma an ayyana shi a matsayin "tsakiyar harshe, ƙirar abubuwan da ke da alaƙa da abu" dangane da kiran tsarin nesa na RPC. Don ƙarin fahimtar kalmomin COM, karanta a kan StackOverflow.
Ainihin, zaku iya tunanin aikace-aikacen COM azaman Excel ko Word executable, ko wasu fayilolin binary waɗanda ke gudana.
Ya bayyana cewa aikace-aikacen COM shima yana iya aiki labari - JavaScript ko VBScript. A fasaha ana kiran shi rubutun. Wataƙila kun ga tsawo na .sct don fayiloli a cikin Windows - wannan shine ƙarin ƙarin aikin rubutun. Ainihin, su ne lambar rubutun da aka nannade a cikin abin rufewa na XML:
<?XML version="1.0"?>
<scriptlet>
<registration
description="test"
progid="test"
version="1.00"
classid="{BBBB4444-0000-0000-0000-0000FAADACDC}"
remotable="true">
</registration>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd /k powershell -c Write-Host You have been scripted!");
]]>
</script>
</scriptlet>
Hackers da pentesters sun gano cewa akwai abubuwan amfani daban-daban da aikace-aikace a cikin Windows waɗanda ke karɓar abubuwan COM kuma, don haka, rubutun ma.
Zan iya aika rubutun zuwa kayan aikin Windows da aka rubuta a cikin VBS da aka sani da pubprn. Yana cikin zurfin C:Windowssystem32Printing_Admin_Scripts. Af, akwai wasu kayan aikin Windows waɗanda ke karɓar abubuwa azaman sigogi. Bari mu fara duba wannan misalin.
Yana da dabi'a cewa ana iya harba harsashi ko da daga rubutun bugawa. Go Microsoft!
A matsayin gwaji, na ƙirƙiri wani rubutun nesa mai sauƙi wanda ya ƙaddamar da harsashi kuma ya buga saƙo mai ban dariya, “An riga an rubuta ku!” Mahimmanci, pubprn yana aiwatar da abu na rubutun, yana ba da damar lambar VBScript don gudanar da abin rufewa. Wannan hanyar tana ba da fa'ida bayyananne ga hackers waɗanda ke son shiga ciki da ɓoye akan tsarin ku.
A rubutu na gaba, zan yi bayanin yadda masu kutse za su iya amfani da rubutun COM ta hanyar amfani da maƙunsar bayanai na Excel.
Don aikin gida, duba daga Derbycon 2016, wanda ya bayyana daidai yadda masu satar bayanai ke amfani da rubutun. Kuma kuma karanta game da litattafan rubutu da wasu nau'ikan moniker.
source: www.habr.com