The Adventures of the Elusive Malware, Part IV: DDE and Word Document Fields


This article is part of the Fileless Malware series. All other parts of the series:

In this article I intended to dig into a fairly elaborate fileless scenario that leaves no trace on disk. But then I ran into a remarkably simple, code-free technique: no Word or Excel macros needed at all! And it nicely confirms the thesis I started this series with: breaching the perimeter of any organization is not a hard job.

The first attack I will describe abuses a Microsoft Word weakness built on the ancient Dynamic Data Exchange (DDE) protocol. It has since been patched. The second abuses a much broader feature of Microsoft COM and its ability to pass objects around.

Back to the future with DDE

Does anyone still remember DDE? Probably not many. It was one of the earliest inter-process communication mechanisms, letting applications and devices exchange data.

I know it a little because I used to inspect and test telecom equipment. Back then DDE allowed, for example, a call-center operator's phone to hand the caller ID to a CRM application, which would then pop up the customer's record. To make that work you had to run an RS-232 cable between your phone and your computer. Those were the days!

As it turns out, Microsoft Word still supports DDE.

What makes this attack work without any code is that the DDE protocol can be reached directly from the automatic fields of a Word document (hat tip to SensePost for the research and publications on this).

Fields are another ancient MS Word feature that lets you add dynamic text and a little bit of programming to your document. The most obvious example is the page number field, which can be placed in the footer using the field code { PAGE \* MERGEFORMAT }. This is what makes page numbers appear automatically.

Tip: you will find the Field menu item under Insert.

I remember being surprised when I first discovered this feature in Word. And until the patch disabled it, Word still supported the DDE field option. The idea was that DDE lets Word talk directly to another application, so that the application's output can be pasted into the document. It was cutting-edge technology at the time: support for exchanging data with external applications. It later grew into COM, which we will also look at below.

Later, hackers realized that this DDE "application" could be a command shell that launches PowerShell, and from there the attacker can do whatever they want.
The screenshot below shows how I used this stealthy technique: a small PowerShell script (hereafter PS) in the DDE field loads another PS script, which launches the second stage of the attack.

Thanks to Windows for the pop-up warning that the embedded DDEAUTO field is quietly trying to launch a shell.

The preferred way to exploit this weakness is a variant that uses the DDEAUTO field, which runs the script automatically as soon as the Word document is opened.
Let's think about what can be done with that.

As a novice attacker you could, for example, send a phishing email claiming to come from the Federal Tax Service and embed a DDEAUTO field carrying a first-stage PS script (a downloader, essentially). And you no longer need to craft real macro code and so on, as I did in the previous article.
The victim opens your document, the embedded script runs, and the attacker is inside the machine. In my case the remote PS script just prints a message, but it could just as easily start a PS Empire client, which would give remote shell access.
And before the victim has time to say a word, the hackers become the richest guys in the village.

The shell launched without writing a single line of code. Even a child could do it!

DDE and fields

Microsoft eventually disabled DDE in Word, but not before the company stated that the feature was merely being misused. Its reluctance to change anything is understandable. From my own experience, I have seen a setup where updating fields on document open was enabled while Word macros had been disabled by IT (with notifications shown). By the way, the relevant settings live in the Word Options section.

However, even with field updating enabled, Microsoft Word additionally warns the user when a field asks to access remote data, as in the DDE case above. Microsoft really does warn you.

But most likely users will ignore the warning anyway and let Word update the fields. This is one of those rare occasions to thank Microsoft for disabling the dangerous DDE feature.
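Because the DDE and DDEAUTO keywords are field codes inside the document's XML rather than macros, a defender can spot them before the file ever reaches Word. The following Python scanner is an added example (not code from the original post) that opens a .docx as the zip it is, reassembles each field code from its w:instrText runs (attackers split "DD" and "EAUTO" across runs and wrap the whole thing in QUOTE fields to dodge naive string matching), and reports any DDE/DDEAUTO field in any WordprocessingML part, headers and footers included. The sample document it scans is constructed in memory for the demonstration and is not a real phishing attachment.

```python
"""Scan a .docx for DDE / DDEAUTO field codes (added example, not from the post)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# Word matches the field keyword case-insensitively; attackers also wrap it in
# QUOTE fields, so look for the keyword anywhere in the reassembled code.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def _complex_fields(root):
    """Yield the code of every complex field (w:fldChar begin ... end).

    Word stores one field code as several w:instrText runs, and malicious
    documents split it further ("DD" + "EAUTO") to defeat naive string
    searches, so every piece between 'begin' and the matching 'end' is
    joined (nested fields included) before the keyword check.
    """
    depth, pieces = 0, []
    for el in root.iter():  # document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end":
                depth -= 1
                if depth == 0 and pieces:
                    yield "".join(pieces)
                    pieces = []
        elif el.tag == W + "instrText" and depth > 0:
            pieces.append(el.text or "")


def _simple_fields(root):
    """Yield the code of legacy single-element fields (w:fldSimple)."""
    for el in root.iter(W + "fldSimple"):
        yield el.get(W + "instr", "")


def find_dde_fields(docx_bytes):
    """Return [(part name, normalized field code)] for every DDE/DDEAUTO field."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        # Fields also live in headers, footers and footnotes, so scan every
        # WordprocessingML part rather than only word/document.xml.
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                continue
            for code in list(_complex_fields(root)) + list(_simple_fields(root)):
                if DDE_RE.search(code):
                    hits.append((name, " ".join(code.split())))
    return hits


def build_sample_docx(instr_runs, simple_instr=None):
    """Build a minimal in-memory .docx (constructed test input, not a real
    phishing document): one complex field whose code is split across the
    given runs, plus an optional w:fldSimple field. Pieces must not contain
    XML-special characters, since they are pasted in verbatim."""
    runs = "".join(
        '<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>' % p
        for p in instr_runs
    )
    body = (
        '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>' + runs
        + '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>1</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
    )
    if simple_instr is not None:
        body += ('<w:p><w:fldSimple w:instr="%s"><w:r><w:t>1</w:t></w:r>'
                 '</w:fldSimple></w:p>' % simple_instr)
    doc = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>' % (W_NS, body))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


if __name__ == "__main__":
    # Split keyword plus a cmd.exe/PowerShell launcher, in the spirit of the
    # post's DDEAUTO demo (constructed sample, field code uses doubled backslashes).
    evil = build_sample_docx(
        ["DD", "EAUTO c:\\\\windows\\\\system32\\\\cmd.exe ",
         '"/k powershell -c Write-Host You have been scripted"'],
        simple_instr="PAGE",
    )
    for part, code in find_dde_fields(evil):
        print("%s: %s" % (part, code))
```

Run it against real mail attachments by passing the file bytes to find_dde_fields; the benign PAGE field in the sample is deliberately left unreported, so a hit means a field that will make Word ask the user for permission to start an external program.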

How hard is it to find an unpatched Windows today?

For this test I used AWS Workspaces to get a desktop. I ended up with an unpatched MS Office VM that happily let me insert the DDEAUTO field. I have no doubt you could just as easily find companies that have not yet applied the relevant security patches.

The secret of objects

Even with the patch installed, there are other holes in MS Office that let hackers achieve roughly what we just did with Word. In the next example we will learn to use Excel as phishing bait without writing any code at all.

To understand it, let's recall the Microsoft Component Object Model, or COM for short.

COM has been around since the 1990s and is defined as a "language-neutral, object-oriented component model" built on remote procedure calls (RPC). For more on COM terminology, read this post on StackOverflow.

Basically, you can think of a COM application as Excel, Word, or some other executable binary that runs on the system.

It turns out that a COM object can also be a script: JavaScript or VBScript. Technically it is called a scriptlet. You may have seen the .sct file extension in Windows; that is the extension for scriptlets. Essentially they are script code wrapped in an XML wrapper:

<?XML version="1.0"?>

<scriptlet>
<registration
description="test"
progid="test"
version="1.00"
classid="{BBBB4444-0000-0000-0000-0000FAADACDC}"
remotable="true">
</registration>
<script language="JScript">
<![CDATA[

var r = new ActiveXObject("WScript.Shell").Run("cmd /k powershell -c Write-Host You have been scripted!");

]]>
</script>
</scriptlet>

Hackers and pentesters have discovered that various Windows utilities and applications accept COM objects and, accordingly, scriptlets too.

I can hand a scriptlet to a Windows utility written in VBS called pubprn. It lives deep inside C:\Windows\System32\Printing_Admin_Scripts. By the way, there are other Windows utilities that accept objects as parameters. Let's look at this example first.

It is amazing that a shell can be launched even from a printer script. Go Microsoft!

As a test, I created a remote scriptlet that opens a shell and prints a silly message, "You have been scripted!". Essentially, pubprn instantiates the scriptlet object, which lets the script code inside the wrapper run. This method offers obvious advantages to hackers who want to sneak in and hide on your system.
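A scriptlet fetched by pubprn or a similar utility is just XML with script inside, so the cheapest place to catch it is the .sct itself (on a web proxy, a mail gateway or a forensic image). The following Python triage routine is an added example, not code from the original post: it parses the registration block and the script bodies, tolerates the `<?XML ...?>` declaration and other sloppiness the scriptlet engine accepts but a strict XML parser rejects (with a regex fallback), and flags the WScript.Shell/Run/powershell patterns seen in the post's test scriptlet. The sample input is the post's own scriptlet reproduced as data; the pattern list and the "suspicious"/"clean" verdict are my assumptions for this illustration.

```python
"""Triage Windows scriptlet (.sct) files (added example, not from the post)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the post's test scriptlet, reproduced here as input data.
SAMPLE_SCT = r'''<?XML version="1.0"?>
<scriptlet>
<registration
  description="test"
  progid="test"
  version="1.00"
  classid="{BBBB4444-0000-0000-0000-0000FAADACDC}"
  remotable="true">
</registration>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd /k powershell -c Write-Host You have been scripted!");
]]>
</script>
</scriptlet>
'''

# Assumed indicator list: constructs a scriptlet rarely needs for legitimate use.
SUSPICIOUS = {
    "wscript_shell": re.compile(r'ActiveXObject\s*\(\s*["\']WScript\.Shell["\']', re.I),
    "shell_run": re.compile(r'\.Run\s*\(', re.I),
    "powershell": re.compile(r'\bpowershell\b', re.I),
    "cmd": re.compile(r'\bcmd(?:\.exe)?\b', re.I),
    "download": re.compile(r'MSXML2\.XMLHTTP|WinHttp|DownloadString|DownloadFile', re.I),
}


def parse_scriptlet(text):
    """Return {'registration': {attr: value}, 'scripts': [{'language', 'code'}]}.

    The scriptlet engine accepts '<?XML ...?>' (upper case) and other
    sloppiness that a strict XML parser rejects, so the declaration is
    dropped first and a regex fallback handles files that still fail to parse.
    """
    body = re.sub(r'^\s*<\?xml[^>]*\?>', '', text, flags=re.I)
    try:
        root = ET.fromstring(body)
        reg = root.find('registration')
        registration = dict(reg.attrib) if reg is not None else {}
        scripts = [{"language": s.get("language", ""), "code": (s.text or "").strip()}
                   for s in root.iter('script')]
    except ET.ParseError:
        reg_m = re.search(r'<registration\b([^>]*)>', body, re.I | re.S)
        registration = (dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', reg_m.group(1)))
                        if reg_m else {})
        scripts = [{"language": lang,
                    "code": re.sub(r'<!\[CDATA\[|\]\]>', '', code).strip()}
                   for lang, code in re.findall(
                       r'<script[^>]*language\s*=\s*"([^"]*)"[^>]*>(.*?)</script>',
                       body, re.I | re.S)]
    return {"registration": registration, "scripts": scripts}


def triage_scriptlet(text):
    """Return (verdict, parsed, findings); verdict is 'suspicious' or 'clean'."""
    parsed = parse_scriptlet(text)
    findings = []
    if parsed["registration"].get("remotable", "").lower() == "true":
        findings.append('registration has remotable="true"')
    for s in parsed["scripts"]:
        for name, rx in SUSPICIOUS.items():
            if rx.search(s["code"]):
                findings.append("%s in %s block" % (name, s["language"] or "script"))
    return ("suspicious" if findings else "clean"), parsed, findings


if __name__ == "__main__":
    verdict, parsed, findings = triage_scriptlet(SAMPLE_SCT)
    print(verdict, parsed["registration"].get("progid"), parsed["registration"].get("classid"))
    for f in findings:
        print(" -", f)
```

The progid and classid recovered from the registration block are worth keeping as indicators: a scriptlet that was actually registered leaves them in the registry, which is where a later forensic check can pick the trail up again.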

In the next post I will explain how hackers can use COM scriptlets with Excel spreadsheets.

For homework, watch this talk from Derbycon 2016, which explains exactly how attackers use scriptlets. Also read this article about scriptlets and one particular kind of moniker.

Source: www.habr.com
