hacker phishing
3.99K subscribers
66 photos
Hacker phishing

Contact: @PipiShrimp
Once the code framework is written, we can start building our undetectable malicious code.

To reach our C2 server via keyboard input, there are two approaches: either upload with PowerShell commands, or download the malicious file via the command line and then upload it.

File download and upload

Considering evasion, common commands like certutil are blocked by almost all antivirus software. Publicly available bypass methods (such as double-writing certutil) can bypass Firewall, but not 360 Antivirus.

Even after the file is downloaded successfully, the undetectability of the malicious file itself has its own limits. Therefore, if evasion is a concern, implementing a BadUSB upload through the file download mode is very difficult.
Detecting the Merlin Agent Trojan

To detect the Merlin Agent Trojan automatically, the author searched the internet and found a YARA rule for it at /Neo23x0/signature-base/blob/38d1f4f0f87c009289a1aef111af9d89d75ed260/yara/gen_merlin_agent.yar.

Although this YARA rule is fairly old, it still successfully detects the latest version of the Merlin Agent Trojan.
Zabbix SQL Injection

This vulnerability exists in the httpmon.php script and can be reached by users who are not logged in.

This is because Zabbix predefines a guest user, and every user who is not logged in is given the access rights of that guest user.

If the guest user is disabled, httpmon.php cannot be accessed and this vulnerability cannot be exploited.

The guest user can be disabled in the administrator's management panel.

The figure below shows that the applications parameter is subject to SQL injection.

Follow the $application variable into the add2favorites function.

Follow the value_id entry of the $values array further down and note that the variable is not filtered before it enters the SQL statement.

The variable has been passed through the mysql_real_escape_string function only once.

In the vulnerability above, the following statement can read the MD5 hash value of the administrator's username and password
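As an added example (not code from this channel post or from Zabbix), the following Python/sqlite3 snippet shows why passing a value such as value_id through an escape function is not enough when that value lands in a numeric (unquoted) SQL context, next to the type-checked, parameterised form. The table, column names and rows are constructed stand-ins, and the assumption that the escaped value is inserted unquoted is the author's, not a statement from the post.

```python
import re
import sqlite3

# Constructed sample table; a stand-in for Zabbix's real schema, not a copy of it.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE httptest (httptestid INTEGER, name TEXT)")
    conn.executemany("INSERT INTO httptest VALUES (?, ?)",
                     [(1, "site-a"), (2, "site-b"), (3, "site-c")])
    return conn

def escape_string(value):
    # Minimal imitation of mysql_real_escape_string: it only backslash-escapes
    # quote characters and backslashes. It does nothing to spaces or keywords.
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def lookup_escaped_only(conn, value_id):
    # The weak pattern: the value is escaped, then concatenated unquoted
    # into a numeric comparison. Escaping cannot help here because an
    # attacker-controlled value needs no quotes at all to change the WHERE clause.
    sql = f"SELECT name FROM httptest WHERE httptestid={escape_string(value_id)}"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterised(conn, value_id):
    # The hardened form: enforce the expected type first, then bind the value
    # as a query parameter so it can never be parsed as SQL.
    if not re.fullmatch(r"[0-9]+", value_id):
        raise ValueError("value_id must be an unsigned integer")
    rows = conn.execute("SELECT name FROM httptest WHERE httptestid=?",
                        (int(value_id),))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    print(lookup_escaped_only(db, "2"))            # one row, as intended
    print(lookup_escaped_only(db, "2 OR 1=1"))     # every row: escaping did not help
    print(lookup_parameterised(db, "2"))           # one row
    try:
        lookup_parameterised(db, "2 OR 1=1")
    except ValueError as err:
        print("rejected:", err)                    # non-integer input is refused
```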
SQL injection is a code injection technique that has long been used to attack data-driven applications, for example by injecting malicious SQL into specific input fields to dump a database. Its success depends on application security weaknesses, such as user input not being properly filtered (for certain specific strings) or a lack of type enforcement, which easily leads to SQL statements executing in unintended ways. SQL injection is the most commonly used attack technique in website penetration, but in fact it can be used against any SQL database. In this guide, I will show you how to use SQLMAP on Kali Linux to penetrate a website (or, more accurately, a database) and extract username and password information.
Analysis of the ShellCode in the aut.png image shows that its function matches the ShellCode in the view.png image, but the decrypted PayLoad differs. The analysis found that this PayLoad reuses the code of an injection tool and injects the ShellCode into the explore.exe process.

Both PNG images contain ShellCode. First, look at the ShellCode in view.png: it allocates the corresponding memory space.

The injected ShellCode follows the same logic as the two ShellCode samples above: it allocates the corresponding memory space and then copies the encrypted data into it.

Finally, the decrypted PayLoad queries the relevant registry entries, sets up shortcuts, and so on.
Vulnerability Analysis of WebLogic Coherence UniversalExtractor Deserialization (CVE-2020-14645)

This vulnerability is a bypass of the patch for CVE-2020-2883. That patch blacklists MvelExtractor and ReflectionExtractor, so another class is needed whose extract method performs a dangerous operation. The class used here is com.tangosol.util.extractor.UniversalExtractor, which lives in the Coherence component.

In essence, the original chain called arbitrary methods through ReflectionExtractor in order to reach the exec method of the Runtime object and execute arbitrary commands. Now that the patch blacklists ReflectionExtractor, only UniversalExtractor remains for rebuilding an exploitation chain. Here the entry point of the Commons Collections 4 chain in poc2 is used to construct it.
When running a virtual machine, you may be told that the CPU cannot be virtualized. This usually has one of three causes:

The CPU genuinely does not support virtualization (which cannot be resolved)
Virtualization support is not enabled in the BIOS settings
Hyper-V is enabled, which prevents VMware from accessing the hardware directly (this was the cause in my case: I had previously used WSL and enabled Hyper-V, which made CPU virtualization unavailable in VMware)

When the emulator starts, the following error will occur. If you do not change ADB_PORT in the startup script, an HTTP connection cannot be established after the flag is obtained.
OWASP ZAP is pre-installed on Kali Linux, so make sure to update it using the following commands in your terminal:
sudo apt update
sudo apt upgrade

Launch the application from the application menu or by entering "zaproxy" in the terminal, then configure the necessary settings, such as the target URL and proxy settings (consider a plugin like FoxyProxy to switch proxies easily).

Scan the target web application:
Click the "Attack" button or select the "Spider" option from the "Tools" menu to start the scan. This will initiate the process of crawling the web application and identifying potential vulnerabilities.

View the results:
After the scan completes, OWASP ZAP will display a list of identified vulnerabilities in the "Alerts" tab. You can click on each alert to view more details, such as the vulnerability type, severity (easily visualized with color-coded flags), and a brief description.
JSP code running under Tomcat
This code is a simple web script written in JSP (JavaServer Pages). Its main function is to execute Windows system commands and return their output to the web page. The following is a line-by-line explanation of the code:
Page directives: