Eli nqaku yinxalenye yothotho lweFayileless Malware. Zonke ezinye iindawo zolu thotho:
- I-Adventures ye-Elusive Malware, iCandelo IV: DDE kunye neWord Document Fields (silapha)
Kweli nqaku, bendiza kuntywila kwindawo enzima nangakumbi yohlaselo olungenafayile olunamanqanaba amaninzi ngokuphina kwinkqubo. Kodwa ke ndiye ndadibana nohlaselo olulula ngokumangalisayo, olungenakhowudi-akukho Lizwi okanye iimacros ze-Excel ezifunekayo! Kwaye oku kungqina ngokunempumelelo ngakumbi ingqikelelo yam yantlandlolo ephantsi kolu ngcelele lwamanqaku: ukwaphula iperimeter yangaphandle yawo nawuphi na umbutho ayingomsebenzi unzima kwaphela.
Uhlaselo lokuqala endiza kuluchaza lusebenzisa ukuba semngciphekweni kweMicrosoft Word esekwe kubo iphelelwe lixesha (DDE). Ebesele ekhona . Eyesibini isebenzisa ukuba sesichengeni ngokubanzi kuMicrosoft COM kunye nesakhono sokudlulisa into.
Buyela kwikamva ngeDDE
Ngubani omnye okhumbula iDDE? Mhlawumbi ababaninzi. Yayiyeyokuqala Iiprothokholi zonxibelelwano phakathi kwenkqubo ezivumela usetyenziso kunye nezixhobo ukudlulisa idatha.
Ndiqhelene nayo ngokwam kuba bendikhe ndijonge kwaye ndivavanye izixhobo ze-telecom. Ngelo xesha, i-DDE ivumele, umzekelo, abaqhubi beziko locingo ukuba badlulisele i-ID yomnxeba kwisicelo seCRM, ekugqibeleni savula ikhadi lomthengi. Ukwenza oku, kufuneka uqhagamshele intambo ye-RS-232 phakathi kwefowuni yakho kunye nekhompyuter yakho. Yayiziintsuku ezo!
Njengoko kuvela, iMicrosoft Word isekho DDE.
Yintoni eyenza olu hlaselo lusebenze ngaphandle kwekhowudi kukuba unokufikelela kwiprotocol yeDDE ngqo ukusuka kwiindawo ezizenzekelayo kuxwebhu lweLizwi (umnqwazi uye kwiSensePost ye ngayo).
Iikhowudi zendawo Lelinye inqaku lakudala le-MS Word elikuvumela ukuba wongeze isicatshulwa esiguqukayo kunye nentwana yenkqubo kuxwebhu lwakho. Owona mzekelo ucacileyo licandelo lenombolo yephepha, elinokuthi lifakwe kumbhalo osemazantsi usebenzisa ixabiso {PAGE *MERGEFORMAT}. Oku kuvumela amanani ephepha ukuba aveliswe ngokuzenzekelayo.
Ingcebiso: Ungafumana into yemenyu yeNdawo phantsi kwaFaka.
Ndikhumbula ukuba xa ndiqala ukufumanisa eli nqaku kwi-Word, ndamangaliswa. Kwaye de isiziba sikhubazeke, uLizwi lisaxhasa imimandla yeDDE ukhetho. Uluvo yayikukuba i-DDE izakuvumela i-Word ukuba inxibelelane ngokuthe ngqo nesicelo, ukuze igqithise imveliso yenkqubo ibe kuxwebhu. Yayibuchwephesha obuncinci kakhulu ngelo xesha - inkxaso yotshintshiselwano lwedatha kunye nezicelo zangaphandle. Yaphuhliswa kamva kwitekhnoloji ye-COM, esiza kuyijonga ngezantsi.
Ekugqibeleni, abahlaseli baqonda ukuba esi sicelo se-DDE sinokuba yigobolondo lomyalelo, owathi wasungula i-PowerShell, kwaye ukusuka apho abahlaseli bangenza nantoni na abayifunayo.
Umfanekiso weskrini ongezantsi ubonisa indlela endisebenzise ngayo obu buchwephesha: iskripthi esincinci se-PowerShell (emva koko sibizwa ngokuba yi-PS) ukusuka kwintsimi ye-DDE ilayisha enye iscript ye-PS, eqalisa isigaba sesibini sohlaselo.
Enkosi kwiiWindows ngesilumkiso esizivelelayo sokuba indawo eyakhelwe-ngaphakathi yeDDEAUTO izama ngokufihlakeleyo ukuqala iqokobhe.
Indlela ekhethwayo yokuxhaphaza ukuba sesichengeni kukusebenzisa umahluko kunye nomhlaba weDDEAUTO, osebenzisa ngokuzenzekela okushicilelweyo. xa kuvulwa Uxwebhu lwegama.
Makhe sicinge ngento esinokuyenza ngale nto.
Njenge-hacker ye-novice, unako, umzekelo, ukuthumela i-imeyile ye-phishing, uzenza ngathi uvela kwiNkonzo yeRhafu ye-Federal, kwaye udibanise intsimi ye-DDEAUTO kunye neskripthi se-PS kwisigaba sokuqala (i-dropper, ngokuyimfuneko). Kwaye awudingi ukwenza nayiphi na ikhowudi yokwenyani yeemakhro, njl., njengoko ndenzayo
Ixhoba livula uxwebhu lwakho, iskripthi esifakwe ngaphakathi siyasebenza, kwaye i-hacker iphela ngaphakathi kwikhompyuter. Kwimeko yam, iskripthi esikude se-PS siprinta nje umyalezo, kodwa sinokuqalisa ngokulula umthengi we-PS Empire, oya kubonelela ngofikelelo olude lweqokobhe.
Kwaye phambi kokuba ixhoba libe nexesha lokuthetha nantoni na, abaqweqwedisi baya kuba ngabona bakwishumi elivisayo abazizityebi elalini.
Iqokobhe laqaliswa ngaphandle kwesuntswana lekhowudi. Nomntwana ungayenza!
DDE kunye namasimi
UMicrosoft kamva wayicima i-DDE kwiLizwi, kodwa hayi ngaphambi kokuba inkampani ichaze ukuba eli nqaku lisetyenziswe kakubi. Ukungafuni kwabo ukutshintsha nantoni na kuyaqondakala. Kumava am, mna ngokwam ndibone umzekelo apho uhlaziyo lwamasimi xa uvula uxwebhu lunikwe amandla, kodwa i-Word macros ikhutshaziwe yi-IT (kodwa ibonisa isaziso). Ngendlela, unokufumana useto oluhambelanayo kwicandelo le-Word settings.
Nangona kunjalo, nokuba uhlaziyo lwendawo luvuliwe, iMicrosoft Word iphinda yazise umsebenzisi xa indawo icela ukufikelela kwidatha ecinyiweyo, njengoko kunjalo ngeDDE engentla. UMicrosoft uyakulumkisa ngenene.
Kodwa kunokwenzeka ukuba, abasebenzisi baya kuhlala bengasihoyi esi silumkiso kwaye bavule uhlaziyo lwamasimi kwiLizwi. Eli lelinye lamathuba anqabileyo okubulela iMicrosoft ngokuvala inqaku leDDE eliyingozi.
Kunzima kangakanani ukufumana isixokelelwano seWindows esingapakishwanga namhlanje?
Kolu vavanyo, ndisebenzise i-AWS Workspaces ukufikelela kwidesktop ebonakalayo. Ngale ndlela ndiye ndafumana umatshini wenyani we-MS Office ongabhalwanga owandivumela ukuba ndifake indawo yeDDEAUTO. Andithandabuzi ukuba ngendlela efanayo unokufumana ezinye iinkampani ezingekafaki iipatches zokhuseleko eziyimfuneko.
Imfihlelo yezinto
Nokuba usifakile esi siqwenga, kukho eminye imingxunya yokhuseleko kwiOfisi ye-MS evumela abahlaseli ukuba benze into efana kakhulu nale siyenzileyo ngeLizwi. Kwimeko elandelayo siza kufunda sebenzisa i-Excel njengesithiyelo sohlaselo lobuqhetseba ngaphandle kokubhala nayiphi na ikhowudi.
Ukuqonda le meko, masikhumbule iModeli yeNto yecandelo leMicrosoft, okanye ngokufutshane I-COM (Imodeli Yento Yecandelo).
I-COM ikhona ukusukela ngoo-1990s, kwaye ichazwa "njengenxalenye yolwimi-ingathathi hlangothi, imodeli yecandelo elijolise kwinto" esekwe kwiinkqubo ezikude ze-RPC. Ukuqonda ngokubanzi isigama se-COM, funda kwiStackOverflow.
Ngokusisiseko, unokucinga ngesicelo seCOM njenge-Excel okanye i-Word ephunyeziweyo, okanye enye ifayile yokubini esebenzayo.
Kuyavela ukuba isicelo se-COM sinokusebenza Iskripthi -IJavaScript okanye iVBScript. Ngobuchule ibizwa ngokuba umbhalo. Usenokuba ulubonile .sct ulwandiso lweefayile kwiWindows - olu lulongezo olusemthethweni lwescriptlets. Ngokusisiseko, ziyikhowudi yeskripthi esongelwe kwisisongelo se-XML:
<?XML version="1.0"?>
<scriptlet>
<registration
description="test"
progid="test"
version="1.00"
classid="{BBBB4444-0000-0000-0000-0000FAADACDC}"
remotable="true">
</registration>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd /k powershell -c Write-Host You have been scripted!");
]]>
</script>
</scriptlet>
IiHackers kunye neepentesters zifumanise ukuba kukho izinto eziluncedo ezahlukeneyo kunye nezicelo kwiWindows ezamkela izinto zeCOM kwaye, ngokufanelekileyo, iscriptlets nazo.
Ndiyakwazi ukudlulisa i-scriptlet kusetyenziso lweWindows olubhalwe kwiVBS eyaziwa ngokuba yi-pubprn. Ibekwe kubunzulu beC:Windowssystem32Printing_Admin_Scripts. Ngendlela, kukho ezinye izixhobo zeWindows ezamkela izinto njengeeparamitha. Makhe sijonge lo mzekelo kuqala.
Kungokwemvelo ukuba iqokobhe linokuqaliswa nakwiskripthi esishicilelweyo. Yiya kuMicrosoft!
Njengovavanyo, ndenze iskripthi esilula esikude esivula iqokobhe kwaye siprinte umyalezo ohlekisayo, "Usanda kubhalwa!" Ngokusisiseko, i-pubprn iqinisekisa into ebhalwe phantsi, ivumela ikhowudi ye-VBScript ukuba iqhube isisongelo. Le ndlela inika inzuzo ecacileyo kubaduni abafuna ukungena kwaye bafihle kwinkqubo yakho.
Kwisithuba esilandelayo, ndiya kuchaza ukuba i-COM scriptlets ingasetyenziswa njani ngabaduni besebenzisa i-Excel spreadsheets.
Ngomsebenzi wakho wasekhaya, jonga ukusuka eDerbycon 2016, echaza ngokuthe ngqo indlela abahlaseli abasebenzisa ngayo i-scriptlets. Kwaye ufunde kwakhona malunga ne-scriptlets kunye nolunye uhlobo lwe-moniker.
umthombo: www.habr.com