Fixed Invoke-Obfuscation command token error during agent negotiation process

2017-06-19 00:28:21 -05:00 · 2017-06-19 00:28:21 -05:00 · 76f1e85375
parent 4c8495144d
commit 76f1e85375
4 changed files with 64 additions and 28 deletions
--- a/lib/common/helpers.py
+++ b/lib/common/helpers.py
@ -795,10 +795,8 @@ def obfuscate(psScript, obfuscationCommand):
    toObfuscateFile = open(toObfuscateFilename, 'w')
    toObfuscateFile.write(psScript)
    toObfuscateFile.close()
-    
    # Obfuscate using Invoke-Obfuscation w/ PowerShell
    subprocess.call("powershell 'Invoke-Obfuscation -ScriptPath %s -Command \"%s\" -Quiet | Out-File -Encoding ASCII %s'" % (toObfuscateFilename, convert_obfuscation_command(obfuscationCommand), obfuscatedFilename), shell=True)
-
    obfuscatedFile = open(obfuscatedFilename , 'r')
    # Obfuscation writes a newline character to the end of the file, ignoring that character
    psScript = obfuscatedFile.read()[0:-1]
@ -820,13 +818,13 @@ def obfuscate_module(moduleSource, obfuscationCommand="", forceReobfuscation=Fal
    f.close()

    # obfuscate and write to obfuscated source path
+    obfuscatedCode = obfuscate(psScript=moduleCode, obfuscationCommand=obfuscationCommand)
    obfuscatedSource = moduleSource.replace("module_source", "obfuscated_module_source")
    try:
        f = open(obfuscatedSource, 'w')
    except:
        print color("[!] Could not read obfuscated module source path at: " + obfuscatedSource)
        return ""
-    obfuscatedCode = obfuscate(psScript=moduleCode, obfuscationCommand=obfuscationCommand)
    f.write(obfuscatedCode)
    f.close()
    
--- a/lib/listeners/http.py
+++ b/lib/listeners/http.py
@ -404,7 +404,6 @@ class Listener:
            
            if obfuscate:
                randomizedStager = helpers.obfuscate(randomizedStager, obfuscationCommand=obfuscationCommand)
-            print randomizedStager
            # base64 encode the stager and return it
            if encode:
                return helpers.enc_powershell(randomizedStager)
--- a/lib/powershell/Invoke-Obfuscation/Out-ObfuscatedTokenCommand.ps1
+++ b/lib/powershell/Invoke-Obfuscation/Out-ObfuscatedTokenCommand.ps1
@ -128,7 +128,7 @@ http://www.danielbohannon.com
        # Run 'Comment' first since it will be the least number of tokens to iterate through, and comments may be introduced as obfuscation technique in future revisions.
        $ObfuscationTypeOrder += 'Comment'
        # Run 'String' second since otherwise we will have unnecessary command bloat since other obfuscation functions create additional strings.
-        # $ObfuscationTypeOrder += 'String'
+        $ObfuscationTypeOrder += 'String'
        $ObfuscationTypeOrder += (Get-Random -Input $ObfuscationChoices -Count $ObfuscationChoices.Count)

        # Apply each randomly-ordered $ObfuscationType from above step.
@ -691,11 +691,35 @@ http://www.danielbohannon.com
                default {Write-Error "An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for String Token Obfuscation."; Exit}
            }
        }
-
        # Evenly trim leading/trailing parentheses.
        While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')'))
        {
-            $ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim()
+            $TrimmedObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim()
+            # Check if the parentheses are balanced before permenantly trimming
+            $Balanced = $True
+            $Counter = 0
+            ForEach($char in $TrimmedObfuscatedToken.ToCharArray()) {
+                If($char -eq '(') {
+                    $Counter = $Counter + 1
+                }
+                ElseIf($char -eq ')') {
+                    If($Counter -eq 0) {
+                        $Balanced = $False
+                        break
+                    }
+                    Else {
+                        $Counter = $Counter - 1
+                    }
+                }
+            }
+            # If parantheses are balanced, we can safely trim the parentheses
+            If($Balanced -and $Counter -eq 0) {
+                $ObfuscatedToken = $TrimmedObfuscatedToken
+            }
+            # If parentheses cannot be trimmed, break out of loop
+            Else {
+                break
+            }
        }
    }

@ -1157,6 +1181,9 @@ http://www.danielbohannon.com
    $SubSubString = $ScriptString.SubString($Token.Start+$Token.Length,$RemainingSubString)
    
    If(($Token.Content.ToLower() -eq 'invoke') `
+    -OR ($Token.Content.ToLower() -eq 'computehash') `
+    -OR ($Token.Content.ToLower() -eq 'tobase64string') `
+    -OR ($Token.Content.ToLower() -eq 'getstring') `
    -OR (((($Token.Start -gt 0) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '.')) `
    -OR (($Token.Start -gt 1) -AND ($ScriptString.SubString($Token.Start-2,2) -eq '::'))) `
    -AND (($ScriptString.Length -ge $Token.Start+$Token.Length+1) -AND (($SubSubString.SubString(0,1) -ne '(') -OR (($SubSubString.Contains('[')) -AND !($SubSubString.SubString(0,$SubSubString.IndexOf('[')).Contains(')')))))))
--- a/setup/install.sh
+++ b/setup/install.sh
@ -42,17 +42,17 @@ elif lsb_release -d | grep -q "Kali"; then
 	pip install zlib_wrapper
 	pip install netifaces
        if ! which powershell > /dev/null; then
-            curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
-            curl https://packages.microsoft.com/config/ubuntu/14.04/prod.list | sudo tee /etc/apt/sources.list.d/microsoft.list
-            wget http://ftp.debian.org/debian/pool/main/i/icu/libicu52_52.1-8+deb8u5_amd64.deb
+            wget http://archive.ubuntu.com/ubuntu/pool/main/i/icu/libicu55_55.1-7_amd64.deb
            wget http://ftp.debian.org/debian/pool/main/o/openssl/libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
-            dpkg -i libicu52_52.1-8+deb8u5_amd64.deb
+            wget https://github.com/PowerShell/PowerShell/releases/download/v6.0.0-alpha.16/powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
+            apt-get install -y libunwind8
+            dpkg -i libicu55_55.1-7_amd64.deb
            dpkg -i libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
-            apt-get install -y apt-transport-https
-            apt-get update
-            apt-get install -y powershell
-            rm libicu52_52.1-8+deb8u5_amd64.deb
+            dpkg -i powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
+            apt-get install -f -y
+            rm libicu55_55.1-7_amd64.deb
            rm libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
+            rm powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
        fi
        mkdir -p /usr/local/share/powershell/Modules
        cp -r ../lib/powershell/Invoke-Obfuscation /usr/local/share/powershell/Modules
@ -72,14 +72,20 @@ elif lsb_release -d | grep -q "Ubuntu"; then
 	pip install zlib_wrapper
 	pip install netifaces
        if ! which powershell > /dev/null; then
-            curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
-            curl https://packages.microsoft.com/config/ubuntu/14.04/prod.list | sudo tee /etc/apt/sources.list.d/microsoft.list
-            apt-get install -y apt-transport-https
-            apt-get update
-            apt-get install -y powershell
-         fi
-         mkdir -p /usr/local/share/powershell/Modules
-         cp -r ../lib/powershell/Invoke-Obfuscation /usr/local/share/powershell/Modules
+            wget http://archive.ubuntu.com/ubuntu/pool/main/i/icu/libicu55_55.1-7_amd64.deb
+            wget http://ftp.debian.org/debian/pool/main/o/openssl/libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
+            wget https://github.com/PowerShell/PowerShell/releases/download/v6.0.0-alpha.16/powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
+            apt-get install -y libunwind8
+            dpkg -i libicu55_55.1-7_amd64.deb
+            dpkg -i libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
+            dpkg -i powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
+            apt-get install -f -y
+            rm libicu55_55.1-7_amd64.deb
+            rm libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
+            rm powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
+        fi
+        mkdir -p /usr/local/share/powershell/Modules
+        cp -r ../lib/powershell/Invoke-Obfuscation /usr/local/share/powershell/Modules
 else
 	echo "Unknown distro - Debian/Ubuntu Fallback"
 	 apt-get install -y make g++ python-dev python-m2crypto swig python-pip libxml2-dev default-jdk libffi-dev libssl-dev
@ -96,11 +102,17 @@ else
 	 pip install zlib_wrapper
 	 pip install netifaces
         if ! which powershell > /dev/null; then
-            curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
-            curl https://packages.microsoft.com/config/ubuntu/14.04/prod.list | sudo tee /etc/apt/sources.list.d/microsoft.list
-            apt-get install -y apt-transport-https
-            apt-get update
-            apt-get install -y powershell
+            wget http://archive.ubuntu.com/ubuntu/pool/main/i/icu/libicu55_55.1-7_amd64.deb
+            wget http://ftp.debian.org/debian/pool/main/o/openssl/libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
+            wget https://github.com/PowerShell/PowerShell/releases/download/v6.0.0-alpha.16/powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
+            apt-get install -y libunwind8
+            dpkg -i libicu55_55.1-7_amd64.deb
+            dpkg -i libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
+            dpkg -i powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
+            apt-get install -f -y
+            rm libicu55_55.1-7_amd64.deb
+            rm libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
+            rm powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
         fi
         mkdir -p /usr/local/share/powershell/Modules
         cp -r ../lib/powershell/Invoke-Obfuscation /usr/local/share/powershell/Modules