I know a little about this myself, because I once used it to test and monitor telephony equipment. Back then DDE allowed, for example, an incoming call to a business to hand the caller's details to a CRM application, which would then open the customer's card. To do this you connected an RS-232 cable between your phone and your computer. Those were the days!
As it turns out, Microsoft Word still supports DDE.
What makes this attack so effective is that you can reach the DDE protocol directly from automatic fields in Word documents (hat tip to SensePost for researching and publishing it).
Fields are another old MS Word feature that lets you add dynamic text and a bit of programming to your document. The most obvious example is the page number field, which can be placed in the footer using the value {PAGE *MERGEFORMAT}. This lets page numbers be generated automatically.
I remember being amazed when I first saw this in Word. And until the patch disabled it, Word still supported the DDE field option. The idea was that DDE would let Word communicate directly with an application, so that the program's output could be passed into a document. It was a very useful technology at the time: it supported data exchange with external applications. It later evolved into COM technology, which we will also look at below.
Eventually, hackers noticed that the DDE application could be the command shell, which in turn launches PowerShell, and from there the hackers can do whatever they want.
The screenshot below shows how I used the stealth technique: a small PowerShell script (hereafter PS) in the DDE field loads another PS script, which launches the second stage of the attack.
Thanks to Windows for the pop-up warning that the built-in DDEAUTO field is secretly trying to launch a shell
The preferred way to exploit the vulnerability is a variant using the DDEAUTO field, which runs the script automatically when the Word document is opened.
Let's think about how we would go about this.
As a novice hacker, you could, for example, send a phishing email pretending to be from the Federal Tax Service and embed a DDEAUTO field with the PS script for the first stage (a dropper, essentially). And you do not have to do any real coding of macros and so on, as I did in the previous article.
The victim opens your document, the embedded script runs, and the hacker is inside the computer. In my case the remote PS script just prints a message, but it could just as easily launch the PS Empire client, which would provide remote access.
And before the victim has time to say anything, the hackers will be the coolest kids in town.
The shell was launched without a bit of coding. Even a child could do it!
DDE and fields
Microsoft eventually disabled DDE in Word, but not before the company had argued that the feature was merely being misused. Their reluctance to change anything is understandable. In my own experience, I have seen a setup where updating fields on document open was enabled while Word macros had been disabled by IT (with a warning shown). By the way, you can find the corresponding settings in Word's options.
However, even with field updating enabled, Microsoft Word still warns the user when a field requests access to remote data, just as it did for DDE above. Microsoft really does warn you.
But most likely, users will ignore this warning anyway and enable field updating in Word. This is one of the rare occasions to thank Microsoft for disabling the dangerous DDE feature.
How hard is it to find an unpatched Windows today?
For this test I used AWS Workspaces to get a virtual desktop. That gave me a virtual machine with an unpatched MS Office that let me insert the DDEAUTO field. I have no doubt that you could just as easily find other companies that still have not installed the necessary security patches.
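Since the whole attack hinges on a DDE or DDEAUTO instruction hidden in a Word field, a defender's first tool is a scanner that pulls every field instruction out of a .docx and flags those. The following is an added example, not code from the original article; it uses only the Python standard library, and build_sample_docx constructs a minimal, labelled sample document (not a full OOXML package) so the scanner can be exercised offline.

```python
import html
import io
import re
import zipfile

DDE_RE = re.compile(r'\bDDE(?:AUTO)?\b', re.I)
TOKEN_RE = re.compile(r'<w:fldChar[^>]*w:fldCharType="(begin|separate|end)"[^>]*>'
                      r'|<w:instrText[^>]*>(.*?)</w:instrText>'
                      r'|<w:fldSimple[^>]*\sw:instr="([^"]*)"', re.S)

def field_instructions(xml_text):
    """Return each field's complete instruction from one Word XML part; Word may split one
    instruction over several <w:instrText> runs, so runs are joined from begin to separate/end."""
    found, buf, in_field = [], [], False
    for marker, instr, simple in TOKEN_RE.findall(xml_text):
        if marker == "begin":
            buf, in_field = [], True
        elif marker:                       # "separate" or "end" closes the instruction
            if in_field and buf:
                found.append(html.unescape("".join(buf)).strip())
            buf, in_field = [], False
        elif instr and in_field:
            buf.append(instr)
        elif simple:                       # <w:fldSimple> carries its instruction inline
            found.append(html.unescape(simple).strip())
    return found

def scan_docx(data):
    """List (part, instruction) for every DDE/DDEAUTO field in a .docx given as bytes."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():          # body, headers, footers and notes all live under word/
            if name.startswith("word/") and name.endswith(".xml"):
                for instr in field_instructions(zf.read(name).decode("utf-8", "replace")):
                    if DDE_RE.search(instr):
                        hits.append((name, instr))
    return hits

def build_sample_docx(instruction_runs):
    """Constructed sample: a minimal .docx whose body holds one field spread over the given runs."""
    runs = "".join(f"<w:r><w:instrText>{html.escape(t)}</w:instrText></w:r>" for t in instruction_runs)
    body = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>' + runs +
            '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>1</w:t></w:r>'
            '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>')
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("word/document.xml", body)
    return out.getvalue()
```

On a real file, call scan_docx(open(path, "rb").read()); a benign {PAGE \* MERGEFORMAT} field yields no hit, while an instruction split into "DDE" and "AUTO ..." runs is still reassembled and flagged.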
Obscure objects
Even if you have installed this patch, there are other security holes in MS Office that let hackers do something very similar to what we did with Word. In the next scenario we will learn to use Excel as phishing bait without writing any code.
To understand this scenario, let's recall the Microsoft Component Object Model, or COM for short.
COM has been around since the 1990s and is defined as a "language-neutral, object-oriented component model" based on the RPC remote procedure call protocol. For a general overview of COM terminology, read this post on StackOverflow.
Essentially, you can think of a COM application as an Excel or Word executable, or some other binary that runs.
It turns out that a COM application can also run scripts, JavaScript or VBScript. Technically this is called a scriptlet. You may have seen the .sct extension on files in Windows; this is the official extension for scriptlets. Essentially, they are script code in an XML wrapper:
<?XML version="1.0"?>
<scriptlet>
<registration
description="test"
progid="test"
version="1.00"
classid="{BBBB4444-0000-0000-0000-0000FAADACDC}"
remotable="true">
</registration>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd /k powershell -c Write-Host You have been scripted!");
]]>
</script>
</scriptlet>
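To make the wrapper concrete from the triage side, here is an added example (not part of the original article) that parses an .sct file into its registration attributes, script languages and script body, and reports which shell-related calls the body references. SAMPLE_SCT is a copy of the scriptlet shown above; INDICATORS is an assumed, deliberately short watch list.

```python
import re
import xml.etree.ElementTree as ET

# Assumed watch list: calls and COM progids whose presence in a scriptlet merits analyst attention.
INDICATORS = ("ActiveXObject", "WScript.Shell", "Shell.Application", "powershell", "cmd ")

# Copy of the scriptlet shown above, used as the sample input.
SAMPLE_SCT = """<?XML version="1.0"?>
<scriptlet>
<registration description="test" progid="test" version="1.00"
 classid="{BBBB4444-0000-0000-0000-0000FAADACDC}" remotable="true">
</registration>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd /k powershell -c Write-Host You have been scripted!");
]]>
</script>
</scriptlet>
"""

def parse_scriptlet(text):
    """Break an .sct file into registration data, script languages and matched indicators.
    The uppercase '<?XML' declaration is tolerated by the Windows scriptlet loader but is not
    well-formed XML, so strict parsers reject it; the declaration is dropped before parsing."""
    text = re.sub(r'^\s*<\?xml[^>]*\?>', '', text, flags=re.I)
    root = ET.fromstring(text)
    if root.tag != "scriptlet":
        raise ValueError("not a scriptlet: root element is <%s>" % root.tag)
    reg = root.find("registration")
    reg_attrs = reg.attrib if reg is not None else {}
    scripts = root.findall("script")
    body = "".join(s.text or "" for s in scripts)      # CDATA content is exposed as element text
    return {
        "progid": reg_attrs.get("progid"),
        "classid": reg_attrs.get("classid"),
        "remotable": reg_attrs.get("remotable", "false").lower() == "true",
        "languages": [s.get("language") for s in scripts],
        "indicators": [i for i in INDICATORS if i.lower() in body.lower()],
    }

if __name__ == "__main__":
    for key, value in parse_scriptlet(SAMPLE_SCT).items():
        print(f"{key}: {value}")
```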
Hackers and pentesters have discovered that there are various utilities and applications in Windows that accept COM objects and, accordingly, scriptlets too.
I can pass a scriptlet to a Windows utility written in VBS called pubprn. It lives deep in C:\Windows\System32\Printing_Admin_Scripts. By the way, there are other Windows utilities that accept objects too. Let's look at this example first.