三好学生 (:) | 2015-07-30 17:57
Found an interesting binder project in the leaked data dump.
0x00 Project location
Hacking Team download link:
http://pan.baidu.com/s/1i3lHQRF
Thanks to 蒸米 at drops for providing it: http://drops.wooyun.org/news/6977
Project name:
vector-exploit-master\ht-2014-002-FakeWin
0x01 What the project does
It disguises itself with the icon of a common file format. Once the user double-clicks the program, it does the following:
1. The program deletes itself
2. It drops a normal file of the same name
3. It opens that normal file
4. It drops the payload and copies it into the Startup folder
The supported file formats are shown in the figure:
0x02 Parameters
-i: installer -> empty installer to be filled with the agent and the doc
-a: agent -> full path of the file to drop into startup folder
-e: document extension -> extension of the document (es: pdf)
-n: fakedoc_name -> new fake document name
-s: scout_name -> scout name to be copied into startup folder
-d: document -> full path of the document to embed into the installer (optional)
-r: run_agent -> 0=dont't run the agent file, 1=run the agent file (optional, default=1)
0x03 Test run
fakedoc.exe -i installer.exe -a C:\test1\calc.exe -e jpg -n good.exe -s bad -d C:\test1\1.jpg -r 0
Parameter explanation:
-a C:\test1\calc.exe: must be prepared in advance; this is the payload dropped when the program runs
-e jpg: the file format the program impersonates
-n good.exe: the name of the file produced after binding
-s bad: the name of the exe dropped into the Startup folder
-d C:\test1\1.jpg: the decoy image
-r 0: do not execute the dropped payload; set to 1 to execute it
As shown in the figure, running it produces good.exe
Click test:
0x04 Additional notes
Antivirus detection: VirSCAN.org Scanned Report:
Scanner results: 15% of AV engines (6/39) reported a virus
Scanner Engine Ver Sig Ver Sig Date Time Scan result
ahnlab 9.9.9 9.9.9 2013-05-28 4 Found nothing
antivir 1.9.2.0 1.9.159.0 7.11.251.140 12 Found nothing
antiy AVL SDK 3.0 2014112615531100 2014-11-26 1 Found nothing
arcavir 1.0 2011 2014-05-30 21 Found nothing
asquared 9.0.0.4453 9.0.0.4453 2014-07-03 2 Found nothing
avast 150729-0 4.7.4 2015-07-29 55 Win32:Malware-gen
avg 2109/8526 10.0.1405 2015-01-30 6 Found nothing
baidu 2.0.1.0 4.1.3.52192 2.0.1.0 4 Found nothing
baidusd 1.0 1.0 2014-04-02 2 Found nothing
bitdefender 7.58879 7.90123 2015-01-16 1 Found nothing
clamav 20735 0.97.5 2015-07-29 1 PUA.Win32.Packer.SetupExeSecti
comodo 15023 5.1 2015-04-26 3 Found nothing
ctch 4.6.5 5.3.14 2013-12-01 1 Found nothing
drweb 5.0.2.3300 5.0.1.1 2015-07-30 46 Trojan.DownLoad3.37956
fortinet 27.041, 27.041 5.1.158 2015-07-30 1 Found nothing
fprot 4.6.2.117 6.5.1.5418 2015-07-29 1 Found nothing
fsecure 2014-04-02-01 9.13 2014-04-02 5 Gen:Variant.Graftor.227065
gdata 25.1280 25.1280 2015-04-27 8 Found nothing
hauri 2.73 2.73 2015-01-30 1 Found nothing
ikarus 1.06.01 V1.32.31.0 2015-07-29 15 Found nothing
jiangmin 16.0.100 1.0.0.0 2015-04-22 37 Found nothing
kaspersky 5.5.33 5.5.33 2014-04-01 24 Found nothing
kingsoft 2.1 2.1 2013-09-22 3 Found nothing
mcafee 7638 5400.1158 2014-11-30 7 Found nothing
nod32 1777 3.0.21 2015-06-12 1 Found nothing
panda 9.05.01 9.05.01 2015-04-27 4 Found nothing
pcc 11.820.07 9.500-1005 2015-07-29 1 Found nothing
qh360 1.0.1 1.0.1 1.0.1 6 Found nothing
qqphone 1.0.0.0 1.0.0.0 2015-07-30 2 Found nothing
quickheal 14.00 14.00 2015-04-17 3 Found nothing
rising 25.63.06.04 25.63.06.04 2015-04-26 4 Found nothing
sophos 5.08 3.55.0 2014-12-01 7 Found nothing
sunbelt 3.9.2632.2 3.9.2632.2 2015-04-24 4 Found nothing
symantec 20150727.003 1.3.0.24 2015-07-27 1 Found nothing
tachyon 9.9.9 9.9.9 2013-12-27 3 Found nothing
thehacker 6.8.0.5 6.8.0.5 2015-04-25 1 Found nothing
tws 17.47.17308 1.0.2.2108 2015-04-27 6 Suspicious:Packed.Krap.c.zxgd.
vba 3.12.26.4 3.12.26.4 2015-07-29 6 TrojanDownloader.Agent
virusbuster 15.0.985.0 5.5.2.13 2014-12-05 21 Found nothing
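The multi-engine report above is easier to triage mechanically. The script below is an added example, not code from the original post or from the VirSCAN service: it parses rows in the quoted layout (engine, version columns of varying width, integer scan time, verdict), counts detections, and separates generic packer/heuristic verdicts from named-family verdicts. The keyword list used for that split is my own assumption, and the embedded sample is a constructed subset of the rows quoted above.

```python
import re

# Constructed subset of the VirSCAN.org rows quoted in the post.
# Columns: engine, engine ver, sig ver, sig date, scan time (s), verdict.
SAMPLE_REPORT = """\
Scanner Engine Ver Sig Ver Sig Date Time Scan result
ahnlab 9.9.9 9.9.9 2013-05-28 4 Found nothing
antiy AVL SDK 3.0 2014112615531100 2014-11-26 1 Found nothing
arcavir 1.0 2011 2014-05-30 21 Found nothing
avast 150729-0 4.7.4 2015-07-29 55 Win32:Malware-gen
clamav 20735 0.97.5 2015-07-29 1 PUA.Win32.Packer.SetupExeSecti
drweb 5.0.2.3300 5.0.1.1 2015-07-30 46 Trojan.DownLoad3.37956
fortinet 27.041, 27.041 5.1.158 2015-07-30 1 Found nothing
fsecure 2014-04-02-01 9.13 2014-04-02 5 Gen:Variant.Graftor.227065
tws 17.47.17308 1.0.2.2108 2015-04-27 6 Suspicious:Packed.Krap.c.zxgd.
vba 3.12.26.4 3.12.26.4 2015-07-29 6 TrojanDownloader.Agent
virusbuster 15.0.985.0 5.5.2.13 2014-12-05 21 Found nothing
"""

CLEAN = "Found nothing"

# The version columns have a variable number of tokens (e.g. "AVL SDK 3.0",
# "27.041, 27.041"), so we anchor on the scan-time column instead: the
# rightmost whitespace-delimited pure integer, followed by the verdict.
ROW_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<versions>.+)\s+(?P<time>\d+)\s+(?P<result>\S.*)$"
)

# Assumed marker words for generic / heuristic verdicts (not a VirSCAN convention).
GENERIC_RE = re.compile(r"\b(gen|generic|packer|packed|suspicious|pua|heur|heuristic)\b")


def parse_report(text):
    """Return a list of (engine, verdict); header and unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m.group("engine"), m.group("result").strip()))
    return rows


def is_generic_verdict(verdict):
    """True when the verdict names a packer/heuristic class rather than a family."""
    return GENERIC_RE.search(verdict.lower()) is not None


def summarize(rows):
    """Detection count, rate and the list of (engine, verdict) hits."""
    detections = [(engine, verdict) for engine, verdict in rows if verdict != CLEAN]
    total = len(rows)
    return {
        "total": total,
        "detected": len(detections),
        "rate": len(detections) / total if total else 0.0,
        "generic": sum(is_generic_verdict(v) for _, v in detections),
        "detections": detections,
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    print(f"{summary['detected']}/{summary['total']} engines flagged the sample "
          f"({summary['rate']:.0%}), {summary['generic']} of them with generic verdicts")
    for engine, verdict in summary["detections"]:
        print(f"  {engine:12s} {verdict}")
```

On the embedded subset, 6 of 11 rows are hits and four of those six are generic packer or heuristic labels; fed the full 39-row table it reproduces the post's 6/39 figure. That split is the practical takeaway for a defender: the detections that do exist mostly fire on the packer, not on the dropper's behaviour, so signature coverage alone is a weak control against this kind of binder.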
Program bug:
Careful readers will notice that the exe in the Startup folder is only 0 KB; the program does not drop it properly.
This is a bug in the project, but it shouldn't be hard to fix ;D
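The two artifacts this tool leaves behind, an executable copied into the Startup folder (0x01) and, because of the bug just noted, sometimes a 0 KB file there, both surface in a simple audit of the Startup folders. The script below is an added example, not code from the post or from the leaked project; the Startup paths are the standard Windows locations, and the extension lists and flagging rules are my own assumptions.

```python
"""Audit Windows Startup folders for dropped executables and failed drops."""
import os
from pathlib import Path

# Extensions that will execute (or launch a target) from Startup. Assumed list.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".wsf", ".ps1", ".lnk"}
# Document/image types a binder typically impersonates. Assumed list.
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                  ".txt", ".jpg", ".jpeg", ".png", ".gif"}


def classify_entry(name, size):
    """Return the reasons a Startup-folder file deserves a look (empty list = ignore).

    Pure function over (file name, size in bytes) so it can be exercised
    without touching a real filesystem.
    """
    reasons = []
    p = Path(name)
    ext = p.suffix.lower()
    inner_ext = Path(p.stem).suffix.lower()  # ".jpg" for "1.jpg.exe"
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"executable ({ext}) in Startup folder")
        if inner_ext in DOC_EXTENSIONS:
            reasons.append(f"document-looking double extension ({inner_ext}{ext})")
    if size == 0:
        # A zero-byte file here is a failed drop (the post observes exactly
        # this with the leaked tool); it still marks the machine as touched.
        reasons.append("zero-byte file (possible failed drop)")
    return reasons


def default_startup_dirs():
    """Per-user and all-users Startup folders (standard Windows locations)."""
    dirs = []
    appdata = os.environ.get("APPDATA")
    if appdata:
        dirs.append(Path(appdata, "Microsoft", "Windows", "Start Menu",
                         "Programs", "Startup"))
    programdata = os.environ.get("PROGRAMDATA")
    if programdata:
        dirs.append(Path(programdata, "Microsoft", "Windows", "Start Menu",
                         "Programs", "StartUp"))
    return dirs


def audit_dir(directory):
    """Walk one Startup folder; return {path: [reasons]} for flagged files."""
    findings = {}
    directory = Path(directory)
    if not directory.is_dir():
        return findings
    for entry in directory.iterdir():
        if entry.is_file():
            reasons = classify_entry(entry.name, entry.stat().st_size)
            if reasons:
                findings[str(entry)] = reasons
    return findings


if __name__ == "__main__":
    for startup in default_startup_dirs():
        for path, reasons in audit_dir(startup).items():
            print(path)
            for reason in reasons:
                print("   -", reason)
```

The check is deliberately name- and size-based so it runs without any AV engine: a plain executable in Startup is unusual on most endpoints, a double extension such as 1.jpg.exe mirrors the icon trick in 0x01, and a 0 KB file is the residue of the bug described above. Pair it with a baseline of the expected Startup contents so that legitimate entries can be whitelisted.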
---
For testing only. Don't copy my homework; you bear the consequences.