The Adventures of Elusive Malware, Part IV: DDE and Word Document Fields


This article is part of the Fileless Malware series. All other parts of the series:

In this article I was going to dive into a far more complex, multi-stage fileless attack scenario with persistence on the system. But then I came across a surprisingly simple, no-code attack: no Word or Excel macros needed at all. And this strongly confirms the original hypothesis behind this series of articles: breaching the external perimeter of any organization is not a difficult task.

The first attack I'll describe exploits a Microsoft Word vulnerability based on the legacy Dynamic Data Exchange (DDE) protocol. It has already been fixed. The second exploits a more general weakness in Microsoft COM and its ability to pass objects around.

Back to the future with DDE

Does anyone remember DDE? Probably not many. It was one of the first inter-process communication protocols that let applications and devices exchange data.

I'm familiar with it because I used to review and test telephony equipment. Back then, DDE allowed, for example, call-center operators to pass the caller ID to a CRM application, which would then open the customer's card. To make this work you had to connect an RS-232 cable between your phone and your computer. Those were the days!

As it turns out, Microsoft Word still supports DDE.

What makes this attack work without any code is that you can reach the DDE protocol directly from automatic fields in a Word document (hat tip to SensePost for the research and publications on this).

Field codes are another old MS Word feature that lets you add dynamic text and a little programming to your document. The most obvious example is the page number field, which can be inserted in the footer using the value { PAGE \* MERGEFORMAT }. This lets page numbers be generated automatically.

[Screenshot] Tip: You can find the Field menu item under Insert.

I remember being amazed when I first discovered this feature in Word. And until the patch disabled it, Word still supported the DDE field option. The idea was that DDE would let Word talk directly to an application so that the program's output could be passed into the document. It was a very young technology at the time: support for exchanging data with external applications. It later evolved into COM, which we'll also look at below.

Eventually, attackers realized that this "DDE application" could be a command shell, which would launch PowerShell, and from there they could do whatever they wanted.
The screenshot below shows how I used this stealthy technique: a small PowerShell script (PS from here on) in the DDE field loads another PS script, which launches the second stage of the attack.

[Screenshot] Thanks to Windows for the pop-up warning that the embedded DDEAUTO field is quietly trying to launch a shell.

The preferred way of exploiting the vulnerability is the DDEAUTO variant of the field, which runs the script automatically when the Word document is opened.
Let's think about what can be done with this.

As a novice attacker you could, for example, send a phishing email pretending to come from the Federal Tax Service and embed a DDEAUTO field with the first-stage PS script (a dropper, essentially). And you don't even need to do any real coding of macros and the like, as I did in the previous article.
The victim opens your document, the embedded script fires, and the attacker ends up inside the computer. In my case the remote PS script just prints a message, but it could just as easily launch the PS Empire client, which would provide a remote shell.
And before the victim has time to say anything, the crooks will be the richest kids in the village.

[Screenshot] A shell launched without a single line of code. Even a child could do it!

DDE and fields

Microsoft did eventually disable DDE in Word, but not before the company stated that the feature was simply being misused. Their reluctance to change anything is understandable. In my own experience, I have seen an environment where updating fields on document open was enabled while Word macros were disabled by IT (with a notification shown). By the way, you can find the corresponding settings in the Word options section.

However, even when field updating is enabled, Microsoft Word additionally warns the user when a field requests access to data outside the document, as was the case with DDE above. Microsoft really is warning you.

But more often than not, users will ignore this warning and let fields update in Word. So this is one of those rare occasions to thank Microsoft for disabling the dangerous DDE feature.

How hard is it to find an unpatched Windows system today?

For this test I used AWS Workspaces to get a virtual desktop. That way I had an unpatched MS Office virtual machine that let me insert the DDEAUTO field. I have no doubt that in the same way you can find other companies that have not yet installed the necessary security patches.
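Because the DDE vulnerability lives entirely in field codes, a defender can find it the same way the user-facing warning does: by looking at the field instructions inside the document. The script below is an added example, not the article's code or any vendor's tool. It opens a .docx as the zip archive it is, reassembles every field instruction in the body, headers and footers (complex fields may be split across several `w:instrText` runs, which a naive keyword grep on the raw XML misses), and reports any DDE or DDEAUTO field. The `build_sample_docx` helper constructs a minimal package for testing; the field text in it is a placeholder, not a real DDE command.

```python
"""Detect DDE / DDEAUTO field codes inside a .docx (added example, not the article's code).

A Word document is a zip archive; field instructions live in word/document.xml
(and header/footer parts) either as <w:fldSimple w:instr="..."/> or as a series of
<w:instrText> runs between <w:fldChar w:fldCharType="begin"/> and "end".
Because the instruction can be split across runs, the scanner reassembles each
field before matching, so "DDE" + "AUTO" in two runs is still caught.
"""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
# Package parts that can carry fields: document body, headers and footers.
FIELD_PARTS = re.compile(r"word/(document|header\d*|footer\d*)\.xml")
# DDE and DDEAUTO are the field keywords that reach the DDE protocol.
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)


def extract_field_codes(part_xml: bytes) -> list[str]:
    """Return every field instruction in one XML part, reassembled and whitespace-normalised."""
    root = ET.fromstring(part_xml)
    codes = [el.get(W + "instr", "") for el in root.iter(W + "fldSimple")]
    depth, buf = 0, []
    for el in root.iter():  # document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
                if depth == 1:
                    buf = []
            elif kind == "end" and depth > 0:
                if depth == 1:
                    codes.append("".join(buf))  # nested fields stay inside the outer code
                depth -= 1
        elif el.tag == W + "instrText" and depth > 0:
            buf.append(el.text or "")
    return [" ".join(c.split()) for c in codes if c.strip()]


def scan_docx(docx_bytes: bytes) -> list[str]:
    """Return the DDE-related field codes found in a .docx (empty list if none)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if FIELD_PARTS.fullmatch(name):
                hits += [c for c in extract_field_codes(zf.read(name)) if DDE_RE.search(c)]
    return hits


def build_sample_docx(instr_runs: list[str]) -> bytes:
    """Constructed test input: a minimal package with one complex field whose
    instruction is split across the given runs. Enough for the scanner; not a
    complete document that Word itself would open."""
    runs = "".join(
        f'<w:r><w:instrText xml:space="preserve">{escape(r)}</w:instrText></w:r>'
        for r in instr_runs
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W[1:-1]}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        f"{runs}"
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        "<w:r><w:t>cached result</w:t></w:r>"
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        "</w:p></w:body></w:document>"
    )
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document)
    return out.getvalue()


if __name__ == "__main__":
    if len(sys.argv) == 1:  # no files given: run on the constructed samples
        print("benign:", scan_docx(build_sample_docx([r"PAGE \* MERGEFORMAT"])))
        print("split field:", scan_docx(build_sample_docx(["DDE", 'AUTO placeholder-app "placeholder args"'])))
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            hits = scan_docx(f.read())
        print(f"{path}: {'DDE field(s): ' + '; '.join(hits) if hits else 'no DDE fields'}")
```

Run it with one or more .docx paths to triage mail attachments, or with no arguments to see it catch the split-run sample while leaving the ordinary page-number field alone. The same reassembly logic applies to .dotx templates and to headers and footers, which is why the scanner looks at every `word/header*.xml` and `word/footer*.xml` part rather than the body alone.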

The mystery of objects

Even if you have installed this patch, there are other security holes in MS Office that let attackers do something similar to what we did with Word. In the next scenario we'll learn to use Excel as bait for a phishing attack without writing any code.

To understand that scenario, let's recall the Microsoft Component Object Model, or COM for short.

COM has been around since the 1990s and is defined as a "language-neutral, object-oriented component model" built on top of remote procedure calls (RPC). For a general understanding of COM terminology, read this post on StackOverflow.

Essentially, you can think of a COM application as the Excel or Word executable, or some other binary that runs.

It turns out that a COM application can also run scripts, in JavaScript or VBScript. Technically this is called a scriptlet. You may have seen the .sct file extension in Windows; that is the official extension for scriptlets. Essentially, the script code is wrapped in an XML wrapper:

```xml
<?XML version="1.0"?>
<scriptlet>
<registration
description="test"
progid="test"
version="1.00"
classid="{BBBB4444-0000-0000-0000-0000FAADACDC}"
remotable="true">
</registration>
<script language="JScript">
<![CDATA[

var r = new ActiveXObject("WScript.Shell").Run("cmd /k powershell -c Write-Host You have been scripted!");

]]>
</script>
</scriptlet>
```

Hackers and pentesters have discovered that various utilities and applications in Windows accept COM objects and, accordingly, scriptlets too.

I can pass a scriptlet to a Windows utility written in VBS known as pubprn. It lives in the depths of C:\Windows\System32\Printing_Admin_Scripts. By the way, there are other Windows utilities that accept objects as parameters. Let's look at this example first.

[Screenshot] It's remarkable that a shell can be launched even from a printing script. Go Microsoft!

As a test, I created a remote scriptlet that opens a shell and prints a funny message: "You have just been scripted!" Essentially, pubprn instantiates the scriptlet object, which allows the script code inside the wrapper to run. This method gives a clear advantage to attackers who want to get in and hide on your system.

In the next part, I'll explain how COM scriptlets can be exploited by attackers using Excel spreadsheets.

For homework, watch this video from Derbycon 2016, which explains exactly how scriptlets have been used by attackers. Also read this article on scriptlets and another kind of moniker.
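A scriptlet is plain XML, so a defender can triage one statically before it ever reaches a COM host such as pubprn. The analyzer below is an added example, not the article's code or a Microsoft tool. It reads the `registration` attributes (ProgID, CLSID, whether the object is marked `remotable`), collects every `script` block, and lists the COM ProgIDs the script instantiates through `ActiveXObject`, `CreateObject` or `GetObject`, flagging the ones that hand a scriptlet a shell, the file system or the network. One practical caveat it handles: the Windows scriptlet host accepts the uppercase `<?XML ...?>` declaration seen in the sample above, but strict XML parsers (expat, used by Python's ElementTree) reject it, so the declaration is normalised before parsing. The two sample files are constructed; the command in the first is a placeholder, and the CLSID in the second is a placeholder as well.

```python
"""Static triage of a Windows scriptlet (.sct) file (added example, not the article's code).

Extracts the <registration> attributes, every <script> block and the COM
ProgIDs the script instantiates, and flags ProgIDs that give a scriptlet a
shell, file-system or network capability it has no business having.
"""
import re
import sys
import xml.etree.ElementTree as ET

# ProgIDs worth a second look in any scriptlet (shell, file system, HTTP, raw streams).
RISKY_PROGIDS = {
    "wscript.shell", "shell.application", "scripting.filesystemobject",
    "msxml2.xmlhttp", "msxml2.serverxmlhttp", "winhttp.winhttprequest.5.1", "adodb.stream",
}
# new ActiveXObject("X") in JScript, CreateObject("X") / GetObject("X") in VBScript.
OBJECT_RE = re.compile(r"""\b(?:ActiveXObject|CreateObject|GetObject)\s*\(\s*["']([^"']+)["']""", re.IGNORECASE)


def parse_scriptlet(data: bytes) -> dict:
    """Parse the XML wrapper into its registration attributes and script blocks."""
    # The scriptlet host tolerates "<?XML", strict parsers do not: normalise the declaration.
    data = re.sub(rb"^\s*<\?xml", b"<?xml", data, flags=re.IGNORECASE)
    root = ET.fromstring(data)
    if root.tag.lower() != "scriptlet":
        raise ValueError(f"not a scriptlet, root element is <{root.tag}>")
    registration, scripts = {}, []
    for el in root:  # element names are matched case-insensitively, as the host does
        tag = el.tag.lower()
        if tag == "registration":
            registration = {k.lower(): v for k, v in el.attrib.items()}
        elif tag == "script":
            scripts.append((el.get("language", "").lower(), (el.text or "").strip()))
    return {"registration": registration, "scripts": scripts}


def analyze_scriptlet(data: bytes) -> dict:
    """Summarise a scriptlet and give a verdict based on the COM objects it creates."""
    parsed = parse_scriptlet(data)
    reg = parsed["registration"]
    objects = sorted({m.lower() for _, code in parsed["scripts"] for m in OBJECT_RE.findall(code)})
    risky = [o for o in objects if o in RISKY_PROGIDS]
    return {
        "progid": reg.get("progid"),
        "classid": reg.get("classid"),
        "remotable": reg.get("remotable", "").lower() == "true",
        "languages": [lang for lang, _ in parsed["scripts"]],
        "objects": objects,
        "risky": risky,
        "verdict": "suspicious" if risky else "no shell/file/network objects",
    }


# Constructed sample modelled on the scriptlet shown in the article, command replaced by a placeholder.
SAMPLE_SCT = b"""<?XML version="1.0"?>
<scriptlet>
<registration description="test" progid="test" version="1.00"
 classid="{BBBB4444-0000-0000-0000-0000FAADACDC}" remotable="true">
</registration>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("placeholder-command");
]]>
</script>
</scriptlet>
"""

# Constructed benign scriptlet (placeholder CLSID) that creates no COM objects at all.
BENIGN_SCT = b"""<?xml version="1.0"?>
<scriptlet>
<registration progid="demo.benign" classid="{00000000-0000-0000-0000-000000000000}"/>
<script language="VBScript"><![CDATA[
Function Add(a, b)
  Add = a + b
End Function
]]></script>
</scriptlet>
"""

if __name__ == "__main__":
    if len(sys.argv) == 1:  # no files given: analyse the constructed samples
        for name, blob in (("sample", SAMPLE_SCT), ("benign", BENIGN_SCT)):
            print(name, analyze_scriptlet(blob))
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, analyze_scriptlet(f.read()))
```

On the sample modelled after the article's scriptlet the verdict is "suspicious" because the script creates `WScript.Shell`; the benign VBScript function produces no objects and passes. The ProgID list is deliberately short and is meant to be extended with whatever your environment's scriptlets legitimately use, since a registration-style .sct that never creates objects at all is the common case.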

Source: www.habr.com
